From d10e36322ee2bf076e9b5c4810dc9190c59b36f9 Mon Sep 17 00:00:00 2001
From: CentOS Sources <bugs@centos.org>
Date: Apr 27 2021 07:55:25 +0000
Subject: import scap-security-guide-0.1.54-3.el7_9


---

diff --git a/.gitignore b/.gitignore
index 903f9c1..8ecb471 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1,2 @@
-SOURCES/scap-security-guide-0.1.52.tar.bz2
+SOURCES/scap-security-guide-0.1.52-2.el7_9-rhel6.tar.bz2
+SOURCES/scap-security-guide-0.1.54.tar.bz2
diff --git a/.scap-security-guide.metadata b/.scap-security-guide.metadata
index 1034028..517ac64 100644
--- a/.scap-security-guide.metadata
+++ b/.scap-security-guide.metadata
@@ -1 +1,2 @@
-d4088b4e38a789c4d56520c058cae303469bedde SOURCES/scap-security-guide-0.1.52.tar.bz2
+b22b45d29ad5a97020516230a6ef3140a91d050a SOURCES/scap-security-guide-0.1.52-2.el7_9-rhel6.tar.bz2
+9c53524d1f6741913b19394fad9216f25f3ae05d SOURCES/scap-security-guide-0.1.54.tar.bz2
diff --git a/SOURCES/centos-debranding.patch b/SOURCES/centos-debranding.patch
deleted file mode 100644
index 461afce..0000000
--- a/SOURCES/centos-debranding.patch
+++ /dev/null
@@ -1,241 +0,0 @@
-diff -uNrp scap-security-guide-0.1.46.orig/rhel7/profiles/anssi_nt28_minimal.profile scap-security-guide-0.1.46/rhel7/profiles/anssi_nt28_minimal.profile
---- scap-security-guide-0.1.46.orig/rhel7/profiles/anssi_nt28_minimal.profile	2019-08-28 12:35:00.000000000 +0000
-+++ scap-security-guide-0.1.46/rhel7/profiles/anssi_nt28_minimal.profile	2020-04-02 00:12:34.138435758 +0000
-@@ -2,7 +2,8 @@ documentation_complete: true
- 
- title: 'DRAFT - ANSSI DAT-NT28 (minimal)'
- 
--description: 'Draft profile for ANSSI compliance at the minimal level. ANSSI stands for Agence nationale de la sécurité des
-+description: ' **Not applicable to CentOS Linux, included for reference only**
-+    Draft profile for ANSSI compliance at the minimal level. ANSSI stands for Agence nationale de la sécurité des
-     systèmes d''information. Based on https://www.ssi.gouv.fr/.'
- 
- selections:
-diff -uNrp scap-security-guide-0.1.46.orig/rhel7/profiles/C2S-docker.profile scap-security-guide-0.1.46/rhel7/profiles/C2S-docker.profile
---- scap-security-guide-0.1.46.orig/rhel7/profiles/C2S-docker.profile	2019-08-28 12:35:00.000000000 +0000
-+++ scap-security-guide-0.1.46/rhel7/profiles/C2S-docker.profile	2020-04-02 00:13:40.055578160 +0000
-@@ -3,6 +3,8 @@ documentation_complete: false
- title: 'DRAFT - C2S for Docker'
- 
- description: |-
-+    **Not applicable to CentOS Linux, included for reference only**
-+
-     This profile demonstrates compliance against the
-     U.S. Government Commercial Cloud Services (C2S) baseline.
- 
-diff -uNrp scap-security-guide-0.1.46.orig/rhel7/profiles/C2S.profile scap-security-guide-0.1.46/rhel7/profiles/C2S.profile
---- scap-security-guide-0.1.46.orig/rhel7/profiles/C2S.profile	2019-08-28 13:46:33.000000000 +0000
-+++ scap-security-guide-0.1.46/rhel7/profiles/C2S.profile	2020-04-02 00:13:14.710523405 +0000
-@@ -3,6 +3,8 @@ documentation_complete: true
- title: 'C2S for Red Hat Enterprise Linux 7'
- 
- description: |-
-+    **Not applicable to CentOS Linux, included for reference only**
-+
-     This profile demonstrates compliance against the
-     U.S. Government Commercial Cloud Services (C2S) baseline.
- 
-diff -uNrp scap-security-guide-0.1.46.orig/rhel7/profiles/cjis.profile scap-security-guide-0.1.46/rhel7/profiles/cjis.profile
---- scap-security-guide-0.1.46.orig/rhel7/profiles/cjis.profile	2019-08-28 13:46:33.000000000 +0000
-+++ scap-security-guide-0.1.46/rhel7/profiles/cjis.profile	2020-04-02 00:14:09.815642451 +0000
-@@ -3,6 +3,8 @@ documentation_complete: true
- title: 'Criminal Justice Information Services (CJIS) Security Policy'
- 
- description: |-
-+    **Not applicable to CentOS Linux, included for reference only**
-+
-     This profile is derived from FBI's CJIS v5.4
-     Security Policy. A copy of this policy can be found at the CJIS Security
-     Policy Resource Center:
-diff -uNrp scap-security-guide-0.1.46.orig/rhel7/profiles/cui.profile scap-security-guide-0.1.46/rhel7/profiles/cui.profile
---- scap-security-guide-0.1.46.orig/rhel7/profiles/cui.profile	2019-08-28 12:35:00.000000000 +0000
-+++ scap-security-guide-0.1.46/rhel7/profiles/cui.profile	2020-04-02 00:14:39.735707092 +0000
-@@ -3,6 +3,8 @@ documentation_complete: true
- title: 'Unclassified Information in Non-federal Information Systems and Organizations (NIST 800-171)'
- 
- description: |-
-+    **Not applicable to CentOS Linux, included for reference only**
-+
-     From NIST 800-171, Section 2.2:
-     Security requirements for protecting the confidentiality of CUI in non-federal
-     information systems and organizations have a well-defined structure that
-diff -uNrp scap-security-guide-0.1.46.orig/rhel7/profiles/docker-host.profile scap-security-guide-0.1.46/rhel7/profiles/docker-host.profile
---- scap-security-guide-0.1.46.orig/rhel7/profiles/docker-host.profile	2019-08-28 12:35:00.000000000 +0000
-+++ scap-security-guide-0.1.46/rhel7/profiles/docker-host.profile	2020-04-02 00:15:08.697769654 +0000
-@@ -3,6 +3,8 @@ documentation_complete: false
- title: 'DRAFT - Standard Docker Host Security Profile'
- 
- description: |-
-+    **Not applicable to CentOS Linux, included for reference only**
-+
-     This profile contains rules to ensure standard security
-     baseline of Red Hat Enterprise Linux 7 system running docker.
- 
-diff -uNrp scap-security-guide-0.1.46.orig/rhel7/profiles/e8.profile scap-security-guide-0.1.46/rhel7/profiles/e8.profile
---- scap-security-guide-0.1.46.orig/rhel7/profiles/e8.profile	2020-04-02 00:07:38.530797155 +0000
-+++ scap-security-guide-0.1.46/rhel7/profiles/e8.profile	2020-04-02 00:15:34.521825440 +0000
-@@ -3,6 +3,8 @@ documentation_complete: true
- title: 'Australian Cyber Security Centre (ACSC) Essential Eight'
- 
- description: |-
-+  **Not applicable to CentOS Linux, included for reference only**
-+
-   This profile contains configuration checks for Red Hat Enterprise Linux 7
-   that align to the Australian Cyber Security Centre (ACSC) Essential Eight.
- 
-diff -uNrp scap-security-guide-0.1.46.orig/rhel7/profiles/hipaa.profile scap-security-guide-0.1.46/rhel7/profiles/hipaa.profile
---- scap-security-guide-0.1.46.orig/rhel7/profiles/hipaa.profile	2019-08-28 13:46:33.000000000 +0000
-+++ scap-security-guide-0.1.46/rhel7/profiles/hipaa.profile	2020-04-02 00:16:12.605907713 +0000
-@@ -3,6 +3,8 @@ documentation_complete: True
- title: 'Health Insurance Portability and Accountability Act (HIPAA)'
- 
- description: |-
-+    **Not applicable to CentOS Linux, included for reference only**
-+
-     The HIPAA Security Rule establishes U.S. national standards to protect individuals’
-     electronic personal health information that is created, received, used, or
-     maintained by a covered entity. The Security Rule requires appropriate
-diff -uNrp scap-security-guide-0.1.46.orig/rhel7/profiles/http-stig.profile scap-security-guide-0.1.46/rhel7/profiles/http-stig.profile
---- scap-security-guide-0.1.46.orig/rhel7/profiles/http-stig.profile	2019-08-28 12:35:00.000000000 +0000
-+++ scap-security-guide-0.1.46/rhel7/profiles/http-stig.profile	2020-04-02 00:16:43.191973788 +0000
-@@ -3,6 +3,8 @@ documentation_complete: false
- title: 'DRAFT - DISA STIG for Apache HTTP on Red Hat Enterprise Linux 7'
- 
- description: |-
-+    **Not applicable to CentOS Linux, included for reference only**
-+
-     This profile contains configuration checks that align to the
-     DISA STIG for Apache HTTP web server.
- 
-diff -uNrp scap-security-guide-0.1.46.orig/rhel7/profiles/ipa-stig.profile scap-security-guide-0.1.46/rhel7/profiles/ipa-stig.profile
---- scap-security-guide-0.1.46.orig/rhel7/profiles/ipa-stig.profile	2019-08-28 12:35:00.000000000 +0000
-+++ scap-security-guide-0.1.46/rhel7/profiles/ipa-stig.profile	2020-04-02 00:17:03.371017390 +0000
-@@ -3,6 +3,8 @@ documentation_complete: false
- title: 'DRAFT - DISA STIG for Red Hat IdM'
- 
- description: |-
-+    **Not applicable to CentOS Linux, included for reference only**
-+
-     This is a *draft* profile for STIG. This profile is being
-     developed under the DoD consensus model to become a STIG in
-     coordination with DISA FSO.
-diff -uNrp scap-security-guide-0.1.46.orig/rhel7/profiles/ncp.profile scap-security-guide-0.1.46/rhel7/profiles/ncp.profile
---- scap-security-guide-0.1.46.orig/rhel7/profiles/ncp.profile	2019-08-28 13:46:33.000000000 +0000
-+++ scap-security-guide-0.1.46/rhel7/profiles/ncp.profile	2020-04-02 00:19:00.198269763 +0000
-@@ -3,6 +3,8 @@ documentation_complete: true
- title: 'NIST National Checklist Program Security Guide'
- 
- description: |-
-+    **Not applicable to CentOS Linux, included for reference only**
-+
-     This compliance profile reflects the core set of security
-     related configuration settings for deployment of Red Hat Enterprise
-     Linux 7.x into U.S. Defense, Intelligence, and Civilian agencies.
-diff -uNrp scap-security-guide-0.1.46.orig/rhel7/profiles/ospp.profile scap-security-guide-0.1.46/rhel7/profiles/ospp.profile
---- scap-security-guide-0.1.46.orig/rhel7/profiles/ospp.profile	2020-04-02 00:07:38.523797140 +0000
-+++ scap-security-guide-0.1.46/rhel7/profiles/ospp.profile	2020-04-02 00:18:53.448255187 +0000
-@@ -3,6 +3,8 @@ documentation_complete: true
- title: 'OSPP - Protection Profile for General Purpose Operating Systems v4.2.1'
- 
- description: |-
-+    **Not applicable to CentOS Linux, included for reference only**
-+
-     This profile reflects mandatory configuration controls identified in the
-     NIAP Configuration Annex to the Protection Profile for General Purpose
-     Operating Systems (Protection Profile Version 4.2.1).
-diff -uNrp scap-security-guide-0.1.46.orig/rhel7/profiles/pci-dss.profile scap-security-guide-0.1.46/rhel7/profiles/pci-dss.profile
---- scap-security-guide-0.1.46.orig/rhel7/profiles/pci-dss.profile	2019-08-28 12:35:00.000000000 +0000
-+++ scap-security-guide-0.1.46/rhel7/profiles/pci-dss.profile	2020-04-02 00:19:22.109317098 +0000
-@@ -3,6 +3,8 @@ documentation_complete: true
- title: 'PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 7'
- 
- description: |-
-+    **Not applicable to CentOS Linux, included for reference only**
-+
-     Ensures PCI-DSS v3.2.1 security configuration settings are applied.
- 
- selections:
-diff -uNrp scap-security-guide-0.1.46.orig/rhel7/profiles/rhelh-stig.profile scap-security-guide-0.1.46/rhel7/profiles/rhelh-stig.profile
---- scap-security-guide-0.1.46.orig/rhel7/profiles/rhelh-stig.profile	2019-08-28 13:46:33.000000000 +0000
-+++ scap-security-guide-0.1.46/rhel7/profiles/rhelh-stig.profile	2020-04-02 00:20:04.168407959 +0000
-@@ -3,6 +3,8 @@ documentation_complete: true
- title: '[DRAFT] DISA STIG for Red Hat Enterprise Linux Virtualization Host (RHELH)'
- 
- description: |-
-+    **Not applicable to CentOS Linux, included for reference only**
-+
-     This *draft* profile contains configuration checks that align to the
-     DISA STIG for Red Hat Enterprise Linux Virtualization Host (RHELH).
-     
-diff -uNrp scap-security-guide-0.1.46.orig/rhel7/profiles/rhelh-vpp.profile scap-security-guide-0.1.46/rhel7/profiles/rhelh-vpp.profile
---- scap-security-guide-0.1.46.orig/rhel7/profiles/rhelh-vpp.profile	2019-08-28 13:46:33.000000000 +0000
-+++ scap-security-guide-0.1.46/rhel7/profiles/rhelh-vpp.profile	2020-04-02 00:18:01.448142852 +0000
-@@ -3,6 +3,8 @@ documentation_complete: true
- title: 'VPP - Protection Profile for Virtualization v. 1.0 for Red Hat Enterprise Linux Hypervisor (RHELH)'
- 
- description: |-
-+    **Not applicable to CentOS Linux, included for reference only**
-+
-     This compliance profile reflects the core set of security
-     related configuration settings for deployment of Red Hat Enterprise
-     Linux Hypervisor (RHELH) 7.x into U.S. Defense, Intelligence, and Civilian agencies.
-diff -uNrp scap-security-guide-0.1.46.orig/rhel7/profiles/rht-ccp.profile scap-security-guide-0.1.46/rhel7/profiles/rht-ccp.profile
---- scap-security-guide-0.1.46.orig/rhel7/profiles/rht-ccp.profile	2019-08-28 13:46:33.000000000 +0000
-+++ scap-security-guide-0.1.46/rhel7/profiles/rht-ccp.profile	2020-04-02 00:20:25.205453406 +0000
-@@ -3,6 +3,8 @@ documentation_complete: true
- title: 'Red Hat Corporate Profile for Certified Cloud Providers (RH CCP)'
- 
- description: |-
-+    **Not applicable to CentOS Linux, included for reference only**
-+
-     This profile contains the minimum security relevant
-     configuration settings recommended by Red Hat, Inc for
-     Red Hat Enterprise Linux 7 instances deployed by Red Hat Certified
-diff -uNrp scap-security-guide-0.1.46.orig/rhel7/profiles/satellite-stig.profile scap-security-guide-0.1.46/rhel7/profiles/satellite-stig.profile
---- scap-security-guide-0.1.46.orig/rhel7/profiles/satellite-stig.profile	2019-08-28 12:35:00.000000000 +0000
-+++ scap-security-guide-0.1.46/rhel7/profiles/satellite-stig.profile	2020-04-02 00:20:44.967496099 +0000
-@@ -3,6 +3,8 @@ documentation_complete: false
- title: 'DRAFT - DISA STIG for Red Hat Satellite'
- 
- description: |-
-+    **Not applicable to CentOS Linux, included for reference only**
-+
-     This is a *draft* profile for STIG. This profile is being
-     developed under the DoD consensus model to become a STIG in
-     coordination with DISA FSO.
-diff -uNrp scap-security-guide-0.1.46.orig/rhel7/profiles/standard.profile scap-security-guide-0.1.46/rhel7/profiles/standard.profile
---- scap-security-guide-0.1.46.orig/rhel7/profiles/standard.profile	2019-08-28 12:35:00.000000000 +0000
-+++ scap-security-guide-0.1.46/rhel7/profiles/standard.profile	2020-04-02 00:21:05.637540751 +0000
-@@ -3,6 +3,8 @@ documentation_complete: true
- title: 'Standard System Security Profile for Red Hat Enterprise Linux 7'
- 
- description: |-
-+    **Not applicable to CentOS Linux, included for reference only**
-+
-     This profile contains rules to ensure standard security baseline
-     of a Red Hat Enterprise Linux 7 system. Regardless of your system's workload
-     all of these checks should pass.
-diff -uNrp scap-security-guide-0.1.46.orig/rhel7/profiles/tower-stig.profile scap-security-guide-0.1.46/rhel7/profiles/tower-stig.profile
---- scap-security-guide-0.1.46.orig/rhel7/profiles/tower-stig.profile	2019-08-28 12:35:00.000000000 +0000
-+++ scap-security-guide-0.1.46/rhel7/profiles/tower-stig.profile	2020-04-02 00:21:44.885625545 +0000
-@@ -3,6 +3,8 @@ documentation_complete: false
- title: 'DRAFT - DISA STIG for Red Hat Ansible Tower'
- 
- description: |-
-+    **Not applicable to CentOS Linux, included for reference only**
-+
-     This is a *draft* profile for STIG. This profile is being
-     developed under the DoD consensus model to become a STIG in
-     coordination with DISA FSO.
-diff -uNrp scap-security-guide-0.1.52.orig/rhel7/profiles/stig.profile scap-security-guide-0.1.52/rhel7/profiles/stig.profile
---- scap-security-guide-0.1.52.orig/rhel7/profiles/stig.profile	2020-12-15 14:39:39.178646273 +0000
-+++ scap-security-guide-0.1.52/rhel7/profiles/stig.profile	2020-12-15 14:42:59.316078633 +0000
-@@ -3,6 +3,8 @@ documentation_complete: true
- title: 'DISA STIG for Red Hat Enterprise Linux 7'
- 
- description: |-
-+    **Not applicable to CentOS Linux, included for reference only**
-+
-     This profile contains configuration checks that align to the
-     DISA STIG for Red Hat Enterprise Linux V3R1.
- 
diff --git a/SOURCES/disable-not-in-good-shape-profiles.patch b/SOURCES/disable-not-in-good-shape-profiles.patch
index 6a4b641..c56558c 100644
--- a/SOURCES/disable-not-in-good-shape-profiles.patch
+++ b/SOURCES/disable-not-in-good-shape-profiles.patch
@@ -1,23 +1,24 @@
-From ca6ddb178dd89fde3fc2d3e6dd6e6d30a0e1f023 Mon Sep 17 00:00:00 2001
-From: Gabriel Becker <ggasparb@redhat.com>
-Date: Fri, 9 Oct 2020 18:08:26 +0200
-Subject: [PATCH] Disable profiles that are not in good shape for RHEL8.
+From 48e959ebf2b892fefa642f19bc8cc1d2d639fb29 Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Thu, 3 Dec 2020 14:35:47 +0100
+Subject: [PATCH] Disable profiles that are not in good shape for RHEL8
 
 ---
- rhel8/CMakeLists.txt              | 1 -
- rhel8/profiles/cjis.profile       | 2 +-
- rhel8/profiles/ism_o.profile      | 2 +-
- rhel8/profiles/rhelh-stig.profile | 2 +-
- rhel8/profiles/rhelh-vpp.profile  | 2 +-
- rhel8/profiles/rht-ccp.profile    | 2 +-
- rhel8/profiles/standard.profile   | 2 +-
- 7 files changed, 6 insertions(+), 7 deletions(-)
+ rhel8/CMakeLists.txt                           | 6 ------
+ rhel8/profiles/anssi_bp28_high.profile         | 2 +-
+ rhel8/profiles/cjis.profile                    | 2 +-
+ rhel8/profiles/ism_o.profile                   | 2 +-
+ rhel8/profiles/rhelh-stig.profile              | 2 +-
+ rhel8/profiles/rhelh-vpp.profile               | 2 +-
+ rhel8/profiles/rht-ccp.profile                 | 2 +-
+ rhel8/profiles/standard.profile                | 2 +-
+ 11 files changed, 10 insertions(+), 16 deletions(-)
 
 diff --git a/rhel8/CMakeLists.txt b/rhel8/CMakeLists.txt
-index 40f2b2b..bbdecba 100644
+index d61689c97..5e444a101 100644
 --- a/rhel8/CMakeLists.txt
 +++ b/rhel8/CMakeLists.txt
-@@ -14,7 +14,6 @@ ssg_build_html_table_by_ref(${PRODUCT} "cis")
+@@ -14,15 +14,13 @@ ssg_build_html_table_by_ref(${PRODUCT} "cis")
  ssg_build_html_table_by_ref(${PRODUCT} "pcidss")
  ssg_build_html_table_by_ref(${PRODUCT} "anssi")
  
@@ -25,28 +26,46 @@ index 40f2b2b..bbdecba 100644
  ssg_build_html_nistrefs_table(${PRODUCT} "ospp")
  ssg_build_html_nistrefs_table(${PRODUCT} "stig")
  
+ ssg_build_html_anssirefs_table(${PRODUCT} "bp28_minimal")
+ ssg_build_html_anssirefs_table(${PRODUCT} "bp28_intermediary")
+ ssg_build_html_anssirefs_table(${PRODUCT} "bp28_enhanced")
+-ssg_build_html_anssirefs_table(${PRODUCT} "bp28_high")
+ 
+ ssg_build_html_cce_table(${PRODUCT})
+ 
+ ssg_build_html_srgmap_tables(${PRODUCT} "stig" ${DISA_SRG_TYPE})
+diff --git a/rhel8/profiles/anssi_bp28_high.profile b/rhel8/profiles/anssi_bp28_high.profile
+index ccad93d67..6a854378c 100644
+--- a/rhel8/profiles/anssi_bp28_high.profile
++++ b/rhel8/profiles/anssi_bp28_high.profile
+@@ -1,4 +1,4 @@
+-documentation_complete: true
++documentation_complete: false
+ 
+ title: 'ANSSI BP-028 (high)'
+ 
 diff --git a/rhel8/profiles/cjis.profile b/rhel8/profiles/cjis.profile
-index 05ea9cd..9c55ac5 100644
+index 035d2705b..c6475f33e 100644
 --- a/rhel8/profiles/cjis.profile
 +++ b/rhel8/profiles/cjis.profile
 @@ -1,4 +1,4 @@
 -documentation_complete: true
 +documentation_complete: false
  
- title: 'Criminal Justice Information Services (CJIS) Security Policy'
- 
+ metadata:
+     version: 5.4
 diff --git a/rhel8/profiles/ism_o.profile b/rhel8/profiles/ism_o.profile
-index d044376..10b0eae 100644
+index a3c427c01..4605dea3b 100644
 --- a/rhel8/profiles/ism_o.profile
 +++ b/rhel8/profiles/ism_o.profile
 @@ -1,4 +1,4 @@
 -documentation_complete: true
 +documentation_complete: false
  
- title: 'Australian Cyber Security Centre (ACSC) Information Security Manual (ISM) Official'
- 
+ metadata:
+     SMEs:
 diff --git a/rhel8/profiles/rhelh-stig.profile b/rhel8/profiles/rhelh-stig.profile
-index 1efca5f..c3d0b09 100644
+index 1efca5f44..c3d0b0964 100644
 --- a/rhel8/profiles/rhelh-stig.profile
 +++ b/rhel8/profiles/rhelh-stig.profile
 @@ -1,4 +1,4 @@
@@ -56,7 +75,7 @@ index 1efca5f..c3d0b09 100644
  title: '[DRAFT] DISA STIG for Red Hat Enterprise Linux Virtualization Host (RHELH)'
  
 diff --git a/rhel8/profiles/rhelh-vpp.profile b/rhel8/profiles/rhelh-vpp.profile
-index 2baee6d..8592d7a 100644
+index 2baee6d66..8592d7aaf 100644
 --- a/rhel8/profiles/rhelh-vpp.profile
 +++ b/rhel8/profiles/rhelh-vpp.profile
 @@ -1,4 +1,4 @@
@@ -66,7 +85,7 @@ index 2baee6d..8592d7a 100644
  title: 'VPP - Protection Profile for Virtualization v. 1.0 for Red Hat Enterprise Linux Hypervisor (RHELH)'
  
 diff --git a/rhel8/profiles/rht-ccp.profile b/rhel8/profiles/rht-ccp.profile
-index c845795..164ec98 100644
+index c84579592..164ec98c4 100644
 --- a/rhel8/profiles/rht-ccp.profile
 +++ b/rhel8/profiles/rht-ccp.profile
 @@ -1,4 +1,4 @@
@@ -76,7 +95,7 @@ index c845795..164ec98 100644
  title: 'Red Hat Corporate Profile for Certified Cloud Providers (RH CCP)'
  
 diff --git a/rhel8/profiles/standard.profile b/rhel8/profiles/standard.profile
-index a63ae2c..da669bb 100644
+index a63ae2cf3..da669bb84 100644
 --- a/rhel8/profiles/standard.profile
 +++ b/rhel8/profiles/standard.profile
 @@ -1,4 +1,4 @@
diff --git a/SOURCES/profile-stability-rebase-0.1.54.patch b/SOURCES/profile-stability-rebase-0.1.54.patch
new file mode 100644
index 0000000..b50bb7f
--- /dev/null
+++ b/SOURCES/profile-stability-rebase-0.1.54.patch
@@ -0,0 +1,52 @@
+From c41e6d8c1da766c86dbd3c188c5069f4842d7818 Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Thu, 4 Feb 2021 23:50:04 +0100
+Subject: [PATCH] Select/deselect rules in RHEL7 profiles
+
+e8, select sshd_use_priv_separation
+hipaa, select sshd_use_priv_separation
+---
+ rhel7/profiles/e8.profile                     | 1 +
+ rhel7/profiles/hipaa.profile                  | 1 +
+ tests/data/profile_stability/rhel7/e8.profile | 1 +
+ 4 files changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/rhel7/profiles/e8.profile b/rhel7/profiles/e8.profile
+index 8dfb392d4..bc14fc633 100644
+--- a/rhel7/profiles/e8.profile
++++ b/rhel7/profiles/e8.profile
+@@ -127,6 +127,7 @@ selections:
+   - sshd_disable_gssapi_auth
+   - sshd_use_strong_ciphers
+   - sshd_print_last_log
++  - sshd_use_priv_separation
+   - sshd_do_not_permit_user_env
+   - sshd_disable_rhosts_rsa
+   - sshd_disable_rhosts
+diff --git a/rhel7/profiles/hipaa.profile b/rhel7/profiles/hipaa.profile
+index d60682cbb..76c2ad9ea 100644
+--- a/rhel7/profiles/hipaa.profile
++++ b/rhel7/profiles/hipaa.profile
+@@ -71,6 +71,7 @@ selections:
+     - sshd_enable_strictmodes
+     - sshd_enable_warning_banner
+     - sshd_set_keepalive
++    - sshd_use_priv_separation
+     - encrypt_partitions
+     - sshd_use_approved_ciphers
+     - sshd_use_approved_macs
+diff --git a/tests/data/profile_stability/rhel7/e8.profile b/tests/data/profile_stability/rhel7/e8.profile
+index af1bcd0f9..23d226eab 100644
+--- a/tests/data/profile_stability/rhel7/e8.profile
++++ b/tests/data/profile_stability/rhel7/e8.profile
+@@ -95,6 +95,7 @@ selections:
+ - sshd_enable_strictmodes
+ - sshd_print_last_log
+ - sshd_set_loglevel_info
++- sshd_use_priv_separation
+ - sshd_use_strong_ciphers
+ - sshd_use_strong_macs
+ - sudo_remove_no_authenticate
+-- 
+2.26.2
+
diff --git a/SOURCES/remove-ANSSI-high-ks.patch b/SOURCES/remove-ANSSI-high-ks.patch
new file mode 100644
index 0000000..5298c70
--- /dev/null
+++ b/SOURCES/remove-ANSSI-high-ks.patch
@@ -0,0 +1,187 @@
+From 8e43a6a6432a8cbeb5742771ddbd0856669a7878 Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Wed, 17 Feb 2021 15:36:59 +0100
+Subject: [PATCH] Remove kickstart for profile not shipped
+
+RHEL-8 ANSSI high is not shipped at the momment
+---
+ .../ssg-rhel8-anssi_bp28_high-ks.cfg          | 167 ------------------
+ 1 file changed, 167 deletions(-)
+ delete mode 100644 rhel8/kickstart/ssg-rhel8-anssi_bp28_high-ks.cfg
+
+diff --git a/rhel8/kickstart/ssg-rhel8-anssi_bp28_high-ks.cfg b/rhel8/kickstart/ssg-rhel8-anssi_bp28_high-ks.cfg
+deleted file mode 100644
+index b5c09253a..000000000
+--- a/rhel8/kickstart/ssg-rhel8-anssi_bp28_high-ks.cfg
++++ /dev/null
+@@ -1,167 +0,0 @@
+-# SCAP Security Guide ANSSI BP-028 (high) profile kickstart for Red Hat Enterprise Linux 8
+-# Version: 0.0.1
+-# Date: 2020-12-10
+-#
+-# Based on:
+-# https://pykickstart.readthedocs.io/en/latest/
+-# http://usgcb.nist.gov/usgcb/content/configuration/workstation-ks.cfg
+-
+-# Specify installation method to use for installation
+-# To use a different one comment out the 'url' one below, update
+-# the selected choice with proper options & un-comment it
+-#
+-# Install from an installation tree on a remote server via FTP or HTTP:
+-# --url		the URL to install from
+-#
+-# Example:
+-#
+-# url --url=http://192.168.122.1/image
+-#
+-# Modify concrete URL in the above example appropriately to reflect the actual
+-# environment machine is to be installed in
+-#
+-# Other possible / supported installation methods:
+-# * install from the first CD-ROM/DVD drive on the system:
+-#
+-# cdrom
+-#
+-# * install from a directory of ISO images on a local drive:
+-#
+-# harddrive --partition=hdb2 --dir=/tmp/install-tree
+-#
+-# * install from provided NFS server:
+-#
+-# nfs --server=<hostname> --dir=<directory> [--opts=<nfs options>]
+-#
+-# Set language to use during installation and the default language to use on the installed system (required)
+-lang en_US.UTF-8
+-
+-# Set system keyboard type / layout (required)
+-keyboard us
+-
+-# Configure network information for target system and activate network devices in the installer environment (optional)
+-# --onboot	enable device at a boot time
+-# --device	device to be activated and / or configured with the network command
+-# --bootproto	method to obtain networking configuration for device (default dhcp)
+-# --noipv6	disable IPv6 on this device
+-#
+-# NOTE: Usage of DHCP will fail CCE-27021-5 (DISA FSO RHEL-06-000292). To use static IP configuration,
+-#       "--bootproto=static" must be used. For example:
+-# network --bootproto=static --ip=10.0.2.15 --netmask=255.255.255.0 --gateway=10.0.2.254 --nameserver 192.168.2.1,192.168.3.1
+-#
+-network --onboot yes --bootproto dhcp --noipv6
+-
+-# Set the system's root password (required)
+-# Plaintext password is: server
+-# Refer to e.g.
+-#   https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw
+-# to see how to create encrypted password form for different plaintext password
+-rootpw --iscrypted $6$0WWGZ1e6icT$1KiHZK.Nzp3HQerfiy8Ic3pOeCWeIzA.zkQ7mkvYT3bNC5UeGK2ceE5b6TkSg4D/kiSudkT04QlSKknsrNE220
+-
+-# The selected profile will restrict root login
+-# Add a user that can login and escalate privileges
+-# Plaintext password is: admin123
+-user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted
+-
+-# Configure firewall settings for the system (optional)
+-# --enabled	reject incoming connections that are not in response to outbound requests
+-# --ssh		allow sshd service through the firewall
+-firewall --enabled --ssh
+-
+-# State of SELinux on the installed system (optional)
+-# Defaults to enforcing
+-selinux --enforcing
+-
+-# Set the system time zone (required)
+-timezone --utc America/New_York
+-
+-# Specify how the bootloader should be installed (required)
+-# Plaintext password is: password
+-# Refer to e.g.
+-#   https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw
+-# to see how to create encrypted password form for different plaintext password
+-bootloader --location=mbr --append="audit=1 audit_backlog_limit=8192" --password=$6$zCPaBARiNlBYUAS7$40phthWpqvaPVz3QUeIK6n5qoazJDJD5Nlc9OKy5SyYoX9Rt4jFaLjzqJCwpgR4RVAEFSADsqQot0WKs5qNto0
+-
+-# Initialize (format) all disks (optional)
+-zerombr
+-
+-# The following partition layout scheme assumes disk of size 20GB or larger
+-# Modify size of partitions appropriately to reflect actual machine's hardware
+-# 
+-# Remove Linux partitions from the system prior to creating new ones (optional)
+-# --linux	erase all Linux partitions
+-# --initlabel	initialize the disk label to the default based on the underlying architecture
+-clearpart --linux --initlabel
+-
+-# Create primary system partitions (required for installs)
+-part /boot --fstype=xfs --size=512 --fsoptions="nodev,nosuid,noexec"
+-part pv.01 --grow --size=1
+-
+-# Create a Logical Volume Management (LVM) group (optional)
+-volgroup VolGroup --pesize=4096 pv.01
+-
+-# Create particular logical volumes (optional)
+-logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=3192 --grow
+-# Ensure /usr Located On Separate Partition
+-logvol /usr --fstype=xfs --name=LogVol08 --vgname=VolGroup --size=5000 --fsoptions="nodev"
+-# Ensure /opt Located On Separate Partition
+-logvol /opt --fstype=xfs --name=LogVol09 --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid"
+-# Ensure /srv Located On Separate Partition
+-logvol /srv --fstype=xfs --name=LogVol10 --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid"
+-# Ensure /home Located On Separate Partition
+-logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=1024 --fsoptions="nodev"
+-# Ensure /tmp Located On Separate Partition
+-logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
+-# Ensure /var/tmp Located On Separate Partition
+-logvol /var/tmp --fstype=xfs --name=vartmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
+-# Ensure /var Located On Separate Partition
+-logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=3072 --fsoptions="nodev"
+-# Ensure /var/log Located On Separate Partition
+-logvol /var/log --fstype=xfs --name=log --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
+-# Ensure /var/log/audit Located On Separate Partition
+-logvol /var/log/audit --fstype=xfs --name=audit --vgname=VolGroup --size=512 --fsoptions="nodev,nosuid,noexec"
+-logvol swap --name=swap --vgname=VolGroup --size=2016
+-
+-# The OpenSCAP installer add-on is used to apply SCAP (Security Content Automation Protocol)
+-# content - security policies - on the installed system.This add-on has been enabled by default
+-# since Red Hat Enterprise Linux 7.2. When enabled, the packages necessary to provide this 
+-# functionality will automatically be installed. However, by default, no policies are enforced,
+-# meaning that no checks are performed during or after installation unless specifically configured.
+-#  
+-#  Important
+-#   Applying a security policy is not necessary on all systems. This screen should only be used
+-#   when a specific policy is mandated by your organization rules or government regulations.
+-#   Unlike most other commands, this add-on does not accept regular options, but uses key-value
+-#   pairs in the body of the %addon definition instead. These pairs are whitespace-agnostic.
+-#   Values can be optionally enclosed in single quotes (') or double quotes (").
+-#   
+-#  The following keys are recognized by the add-on:
+-#    content-type - Type of the security content. Possible values are datastream, archive, rpm, and scap-security-guide.
+-#      - If the content-type is scap-security-guide, the add-on will use content provided by the
+-#        scap-security-guide package, which is present on the boot media. This means that all other keys except profile will have no effect.
+-#    content-url - Location of the security content. The content must be accessible using HTTP, HTTPS, or FTP; local storage is currently not supported. A network connection must be available to reach content definitions in a remote location.
+-#    datastream-id - ID of the data stream referenced in the content-url value. Used only if content-type is datastream.
+-#    xccdf-id - ID of the benchmark you want to use.
+-#    xccdf-path - Path to the XCCDF file which should be used; given as a relative path in the archive.
+-#    profile - ID of the profile to be applied. Use default to apply the default profile.
+-#    fingerprint - A MD5, SHA1 or SHA2 checksum of the content referenced by content-url.
+-#    tailoring-path - Path to a tailoring file which should be used, given as a relative path in the archive.
+-#
+-#  The following is an example %addon org_fedora_oscap section which uses content from the
+-#  scap-security-guide on the installation media: 
+-%addon org_fedora_oscap
+-	content-type = scap-security-guide
+-	profile = xccdf_org.ssgproject.content_profile_anssi_bp28_high
+-%end
+-
+-# Packages selection (%packages section is required)
+-%packages
+-
+-# Require @Base
+-@Base
+-
+-%end # End of %packages section
+-
+-# Reboot after the installation is complete (optional)
+-# --eject	attempt to eject CD or DVD media before rebooting
+-reboot --eject
+-- 
+2.26.2
+
diff --git a/SOURCES/scap-security-guide-0.1.53-add_ocil_rsyslog_nolisten-PR_6074.patch b/SOURCES/scap-security-guide-0.1.53-add_ocil_rsyslog_nolisten-PR_6074.patch
deleted file mode 100644
index 3b9e02a..0000000
--- a/SOURCES/scap-security-guide-0.1.53-add_ocil_rsyslog_nolisten-PR_6074.patch
+++ /dev/null
@@ -1,57 +0,0 @@
-From b38f6629ee59b6531d8c4be1cb31e83b5dfde54c Mon Sep 17 00:00:00 2001
-From: Vojtech Polasek <vpolasek@redhat.com>
-Date: Fri, 11 Sep 2020 15:51:24 +0200
-Subject: [PATCH 1/2] add ocil
-
----
- .../rsyslog_nolisten/rule.yml                       | 13 +++++++++++++
- 1 file changed, 13 insertions(+)
-
-diff --git a/linux_os/guide/system/logging/rsyslog_accepting_remote_messages/rsyslog_nolisten/rule.yml b/linux_os/guide/system/logging/rsyslog_accepting_remote_messages/rsyslog_nolisten/rule.yml
-index 6785ebcc86..6a3495f80e 100644
---- a/linux_os/guide/system/logging/rsyslog_accepting_remote_messages/rsyslog_nolisten/rule.yml
-+++ b/linux_os/guide/system/logging/rsyslog_accepting_remote_messages/rsyslog_nolisten/rule.yml
-@@ -41,3 +41,16 @@ references:
-     cis-csc: 1,11,12,13,14,15,16,18,3,4,5,6,8,9
-     stigid@rhel7: RHEL-07-031010
-     cis@rhel8: 4.2.1.6
-+
-+ocil_clause: "rsyslog accepts remote messages"
-+
-+ocil: |-
-+    Display the contents of the configuration file:
-+    <pre>cat /etc/rsyslog.conf</pre>
-+    Make sure that following lines are not present in the configuration:
-+    <pre>$ModLoad imtcp
-+    $InputTCPServerRun <i>port</i>
-+    $ModLoad imudp
-+    $UDPServerRun <i>port</i>
-+    $ModLoad imrelp
-+    $InputRELPServerRun <i>port</i></pre>
-
-From 6959ddb2dbc12d4fa2ff7f6ee9e71820d5dde0f8 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matej.tyc@gmail.com>
-Date: Wed, 16 Sep 2020 11:58:21 +0200
-Subject: [PATCH 2/2] Fix text according to review feedback
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Co-authored-by: Jan Černý <jcerny@redhat.com>
----
- .../rsyslog_accepting_remote_messages/rsyslog_nolisten/rule.yml | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/linux_os/guide/system/logging/rsyslog_accepting_remote_messages/rsyslog_nolisten/rule.yml b/linux_os/guide/system/logging/rsyslog_accepting_remote_messages/rsyslog_nolisten/rule.yml
-index 6a3495f80e..f529cbca89 100644
---- a/linux_os/guide/system/logging/rsyslog_accepting_remote_messages/rsyslog_nolisten/rule.yml
-+++ b/linux_os/guide/system/logging/rsyslog_accepting_remote_messages/rsyslog_nolisten/rule.yml
-@@ -47,7 +47,7 @@ ocil_clause: "rsyslog accepts remote messages"
- ocil: |-
-     Display the contents of the configuration file:
-     <pre>cat /etc/rsyslog.conf</pre>
--    Make sure that following lines are not present in the configuration:
-+    Make sure that the following lines are not present in the output:
-     <pre>$ModLoad imtcp
-     $InputTCPServerRun <i>port</i>
-     $ModLoad imudp
diff --git a/SOURCES/scap-security-guide-0.1.53-add_stig_RHEL_07_040190-PR_6044.patch b/SOURCES/scap-security-guide-0.1.53-add_stig_RHEL_07_040190-PR_6044.patch
deleted file mode 100644
index d3453aa..0000000
--- a/SOURCES/scap-security-guide-0.1.53-add_stig_RHEL_07_040190-PR_6044.patch
+++ /dev/null
@@ -1,276 +0,0 @@
-From a89f73985d5d92acc75229004bafdc931f5ed750 Mon Sep 17 00:00:00 2001
-From: Gabriel Becker <ggasparb@redhat.com>
-Date: Thu, 3 Sep 2020 18:09:53 +0200
-Subject: [PATCH 1/2] Introduce new rule sssd_ldap_configure_tls_reqcert.
-
----
- .../ansible/shared.yml                        |  6 +++
- .../bash/shared.sh                            |  6 +++
- .../oval/shared.xml                           | 24 ++++++++++++
- .../sssd_ldap_configure_tls_reqcert/rule.yml  | 39 +++++++++++++++++++
- ...rovider_and_reqcert_never.notapplicable.sh |  7 ++++
- .../tests/correct_value.pass.sh               |  5 +++
- .../id_provider_is_set_to_ad.notapplicable.sh |  6 +++
- ...ldap_id_provider_and_reqcert_never.fail.sh |  6 +++
- .../tests/ldap_tls_reqcert_not_there.fail.sh  |  6 +++
- rhel7/profiles/stig.profile                   |  1 +
- shared/references/cce-redhat-avail.txt        |  2 -
- tests/shared/sssd.conf                        |  1 +
- 12 files changed, 107 insertions(+), 2 deletions(-)
- create mode 100644 linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/ansible/shared.yml
- create mode 100644 linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/bash/shared.sh
- create mode 100644 linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/oval/shared.xml
- create mode 100644 linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/rule.yml
- create mode 100644 linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/tests/ad_id_provider_and_reqcert_never.notapplicable.sh
- create mode 100644 linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/tests/correct_value.pass.sh
- create mode 100644 linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/tests/id_provider_is_set_to_ad.notapplicable.sh
- create mode 100644 linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/tests/ldap_id_provider_and_reqcert_never.fail.sh
- create mode 100644 linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/tests/ldap_tls_reqcert_not_there.fail.sh
-
-diff --git a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/ansible/shared.yml b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/ansible/shared.yml
-new file mode 100644
-index 0000000000..891b3e2f97
---- /dev/null
-+++ b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/ansible/shared.yml
-@@ -0,0 +1,6 @@
-+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol
-+# reboot = false
-+# strategy = unknown
-+# complexity = low
-+# disruption = medium
-+{{{ ansible_sssd_ldap_config(parameter="ldap_tls_reqcert", value="demand") }}}
-diff --git a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/bash/shared.sh b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/bash/shared.sh
-new file mode 100644
-index 0000000000..62c2febc46
---- /dev/null
-+++ b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/bash/shared.sh
-@@ -0,0 +1,6 @@
-+# platform = multi_platform_wrlinux,multi_platform_rhel,multi_platform_fedora,multi_platform_ol
-+
-+# Include source function library.
-+. /usr/share/scap-security-guide/remediation_functions
-+
-+{{{ bash_sssd_ldap_config(parameter="ldap_tls_reqcert", value="demand") }}}
-diff --git a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/oval/shared.xml b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/oval/shared.xml
-new file mode 100644
-index 0000000000..9d3db0488f
---- /dev/null
-+++ b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/oval/shared.xml
-@@ -0,0 +1,24 @@
-+<def-group>
-+  <definition class="compliance" id="sssd_ldap_configure_tls_reqcert" version="1">
-+    <metadata>
-+      <title>Configure SSSD LDAP Backend Client to Demand a Valid Certificate from the Server</title>
-+      {{{- oval_affected(products) }}}
-+      <description>Configure SSSD to request a valid certificate from the server to protect LDAP remote access sessions.</description>
-+    </metadata>
-+    <criteria>
-+      <criterion test_ref="test_sssd_ldap_tls_reqcert" />
-+    </criteria>
-+  </definition>
-+
-+  <ind:textfilecontent54_test check="all" check_existence="all_exist"
-+  comment="Ensures that LDAP TLS requires certificate is set"
-+  id="test_sssd_ldap_tls_reqcert" version="1">
-+    <ind:object object_ref="object_sssd_ldap_tls_reqcert" />
-+  </ind:textfilecontent54_test>
-+
-+  <ind:textfilecontent54_object id="object_sssd_ldap_tls_reqcert" version="1">
-+    <ind:filepath>/etc/sssd/sssd.conf</ind:filepath>
-+    <ind:pattern operation="pattern match">^[\s]*\[domain\/[^]]*]([^\n\[\]]*\n+)+?[\s]*ldap_tls_reqcert[ \t]*=[ \t]*((?i)demand)[ \t]*$</ind:pattern>
-+    <ind:instance datatype="int">1</ind:instance>
-+  </ind:textfilecontent54_object>
-+</def-group>
-diff --git a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/rule.yml b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/rule.yml
-new file mode 100644
-index 0000000000..4dee11bcfb
---- /dev/null
-+++ b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/rule.yml
-@@ -0,0 +1,39 @@
-+documentation_complete: true
-+
-+prodtype: ol7,ol8,rhel7,rhel8,wrlinux1019
-+
-+title: 'Configure SSSD LDAP Backend Client to Demand a Valid Certificate from the Server'
-+
-+description: |-
-+    Configure SSSD to demand a valid certificate from the server to
-+    protect the integrity of LDAP remote access sessions. By setting
-+    the <pre>ldap_tls_reqcert</pre> option in <pre>/etc/sssd/sssd.conf</pre>
-+    to <tt>demand</tt>.
-+
-+rationale: |-
-+    Without a valid certificate presented to the LDAP client backend, the identity of a
-+    server can be forged compromising LDAP remote access sessions.
-+
-+severity: medium
-+
-+identifiers:
-+    cce@rhel7: CCE-84061-1
-+    cce@rhel8: CCE-84062-9
-+
-+references:
-+    stigid@ol7: OL07-00-040190
-+    disa: CCI-001453
-+    nist: SC-12(3),CM-6(a)
-+    srg: SRG-OS-000250-GPOS-00093
-+    stigid@rhel7: RHEL-07-040190
-+
-+ocil_clause: 'the TLS reqcert is not set to demand'
-+
-+ocil: |-
-+    To verify the LDAP client backend demands a valid certificate from the server in
-+    remote ldap access sessions, run the following command:
-+    <pre>$ sudo grep ldap_tls_reqcert /etc/sssd/sssd.conf</pre>
-+    The output should return the following:
-+    <pre>ldap_tls_reqcert = demand</pre>
-+
-+platform: sssd-ldap
-diff --git a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/tests/ad_id_provider_and_reqcert_never.notapplicable.sh b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/tests/ad_id_provider_and_reqcert_never.notapplicable.sh
-new file mode 100644
-index 0000000000..3b82743f8d
---- /dev/null
-+++ b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/tests/ad_id_provider_and_reqcert_never.notapplicable.sh
-@@ -0,0 +1,7 @@
-+#!/bin/bash
-+# profiles = xccdf_org.ssgproject.content_profile_stig
-+
-+. $SHARED/setup_config_files.sh
-+setup_correct_sssd_config
-+sed -i 's/ldap_tls_reqcert = demand/ldap_id_use_start_tls = never/' /etc/sssd/sssd.conf
-+sed -i 's/id_provider = ldap/id_provider = ad/' /etc/sssd/sssd.conf
-diff --git a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/tests/correct_value.pass.sh b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/tests/correct_value.pass.sh
-new file mode 100644
-index 0000000000..82bff74acf
---- /dev/null
-+++ b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/tests/correct_value.pass.sh
-@@ -0,0 +1,5 @@
-+#!/bin/bash
-+# profiles = xccdf_org.ssgproject.content_profile_stig
-+
-+. $SHARED/setup_config_files.sh
-+setup_correct_sssd_config
-diff --git a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/tests/id_provider_is_set_to_ad.notapplicable.sh b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/tests/id_provider_is_set_to_ad.notapplicable.sh
-new file mode 100644
-index 0000000000..21f3af4c96
---- /dev/null
-+++ b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/tests/id_provider_is_set_to_ad.notapplicable.sh
-@@ -0,0 +1,6 @@
-+#!/bin/bash
-+# profiles = xccdf_org.ssgproject.content_profile_stig
-+
-+. $SHARED/setup_config_files.sh
-+setup_correct_sssd_config
-+sed -i 's/id_provider = ldap/id_provider = ad/' /etc/sssd/sssd.conf
-diff --git a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/tests/ldap_id_provider_and_reqcert_never.fail.sh b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/tests/ldap_id_provider_and_reqcert_never.fail.sh
-new file mode 100644
-index 0000000000..0fe620475e
---- /dev/null
-+++ b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/tests/ldap_id_provider_and_reqcert_never.fail.sh
-@@ -0,0 +1,6 @@
-+#!/bin/bash
-+# profiles = xccdf_org.ssgproject.content_profile_stig
-+
-+. $SHARED/setup_config_files.sh
-+setup_correct_sssd_config
-+sed -i 's/ldap_tls_reqcert = demand/ldap_id_use_start_tls = never/' /etc/sssd/sssd.conf
-diff --git a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/tests/ldap_tls_reqcert_not_there.fail.sh b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/tests/ldap_tls_reqcert_not_there.fail.sh
-new file mode 100644
-index 0000000000..0e01fafb6f
---- /dev/null
-+++ b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/tests/ldap_tls_reqcert_not_there.fail.sh
-@@ -0,0 +1,6 @@
-+#!/bin/bash
-+# profiles = xccdf_org.ssgproject.content_profile_stig
-+
-+. $SHARED/setup_config_files.sh
-+setup_correct_sssd_config
-+sed -i '/ldap_tls_reqcert/d' /etc/sssd/sssd.conf
-diff --git a/rhel7/profiles/stig.profile b/rhel7/profiles/stig.profile
-index b820d30608..1b41b85857 100644
---- a/rhel7/profiles/stig.profile
-+++ b/rhel7/profiles/stig.profile
-@@ -236,6 +236,7 @@ selections:
-     - sssd_ldap_start_tls.severity=medium
-     - sssd_ldap_configure_tls_ca_dir
-     - sssd_ldap_configure_tls_ca
-+    - sssd_ldap_configure_tls_reqcert
-     - sysctl_kernel_randomize_va_space
-     - package_openssh-server_installed
-     - sshd_required=yes
-diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
-index 4609b82680..7ab5eb179e 100644
---- a/shared/references/cce-redhat-avail.txt
-+++ b/shared/references/cce-redhat-avail.txt
-@@ -650,8 +650,6 @@ CCE-84057-9
- CCE-84058-7
- CCE-84059-5
- CCE-84060-3
--CCE-84061-1
--CCE-84062-9
- CCE-84063-7
- CCE-84064-5
- CCE-84065-2
-diff --git a/tests/shared/sssd.conf b/tests/shared/sssd.conf
-index dc51456425..6903a25d37 100644
---- a/tests/shared/sssd.conf
-+++ b/tests/shared/sssd.conf
-@@ -9,6 +9,7 @@ ldap_search_base = dc=com
- ldap_tls_cacertdir = /etc/openldap/cacerts
- cache_credentials = True
- krb5_store_password_if_offline = True
-+ldap_tls_reqcert = demand
- 
- 
- [sssd]
-
-From daf742ec9dad984e17e8a99bd7793bc9f44a32c4 Mon Sep 17 00:00:00 2001
-From: Gabriel Becker <ggasparb@redhat.com>
-Date: Mon, 21 Sep 2020 17:24:08 +0200
-Subject: [PATCH 2/2] Use oval_metadata macro and update text of rule
- sssd_ldap_configure_tls_reqcert.
-
----
- .../sssd_ldap_configure_tls_reqcert/oval/shared.xml        | 7 ++-----
- .../sssd-ldap/sssd_ldap_configure_tls_reqcert/rule.yml     | 4 ++--
- 2 files changed, 4 insertions(+), 7 deletions(-)
-
-diff --git a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/oval/shared.xml b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/oval/shared.xml
-index 9d3db0488f..688cf17abb 100644
---- a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/oval/shared.xml
-+++ b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/oval/shared.xml
-@@ -1,10 +1,7 @@
- <def-group>
-   <definition class="compliance" id="sssd_ldap_configure_tls_reqcert" version="1">
--    <metadata>
--      <title>Configure SSSD LDAP Backend Client to Demand a Valid Certificate from the Server</title>
--      {{{- oval_affected(products) }}}
--      <description>Configure SSSD to request a valid certificate from the server to protect LDAP remote access sessions.</description>
--    </metadata>
-+    {{{ oval_metadata("Configure SSSD to request a valid certificate from the server to protect LDAP remote access sessions.",
-+        title="Configure SSSD LDAP Backend Client to Demand a Valid Certificate from the Server") }}}
-     <criteria>
-       <criterion test_ref="test_sssd_ldap_tls_reqcert" />
-     </criteria>
-diff --git a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/rule.yml b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/rule.yml
-index 4dee11bcfb..731b7c0846 100644
---- a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/rule.yml
-+++ b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/rule.yml
-@@ -6,7 +6,7 @@ title: 'Configure SSSD LDAP Backend Client to Demand a Valid Certificate from th
- 
- description: |-
-     Configure SSSD to demand a valid certificate from the server to
--    protect the integrity of LDAP remote access sessions. By setting
-+    protect the integrity of LDAP remote access sessions by setting
-     the <pre>ldap_tls_reqcert</pre> option in <pre>/etc/sssd/sssd.conf</pre>
-     to <tt>demand</tt>.
- 
-@@ -31,7 +31,7 @@ ocil_clause: 'the TLS reqcert is not set to demand'
- 
- ocil: |-
-     To verify the LDAP client backend demands a valid certificate from the server in
--    remote ldap access sessions, run the following command:
-+    remote LDAP access sessions, run the following command:
-     <pre>$ sudo grep ldap_tls_reqcert /etc/sssd/sssd.conf</pre>
-     The output should return the following:
-     <pre>ldap_tls_reqcert = demand</pre>
diff --git a/SOURCES/scap-security-guide-0.1.53-ansible_platforms-PR_6025.patch b/SOURCES/scap-security-guide-0.1.53-ansible_platforms-PR_6025.patch
deleted file mode 100644
index 16d2f4e..0000000
--- a/SOURCES/scap-security-guide-0.1.53-ansible_platforms-PR_6025.patch
+++ /dev/null
@@ -1,278 +0,0 @@
-From 844be904d8de624abe9bbe620d7a06417dfff842 Mon Sep 17 00:00:00 2001
-From: Watson Sato <wsato@redhat.com>
-Date: Thu, 27 Aug 2020 13:19:01 +0200
-Subject: [PATCH 1/5] Align Ansible task applicability with CPE platform
-
-Adds a when clause to Ansible snippets of rules with Package CPE platform.
-
-If the when clause is added, a fact_packages Task needs to added as
-well.
----
- ssg/build_remediations.py | 52 ++++++++++++++++++++++++++++++++++++---
- 1 file changed, 49 insertions(+), 3 deletions(-)
-
-diff --git a/ssg/build_remediations.py b/ssg/build_remediations.py
-index a9ef3014ac..597aed5889 100644
---- a/ssg/build_remediations.py
-+++ b/ssg/build_remediations.py
-@@ -6,8 +6,7 @@
- import os.path
- import re
- import codecs
--from collections import defaultdict, namedtuple
--
-+from collections import defaultdict, namedtuple, OrderedDict
- 
- import ssg.yaml
- from . import build_yaml
-@@ -343,10 +342,46 @@ def _get_rule_reference(self, ref_class):
-         else:
-             return []
- 
-+    def inject_package_facts_task(self, parsed_snippet):
-+        """ Injects a package_facts task only if
-+            the snippet has a task with a when clause with ansible_facts.packages,
-+            and the snippet doesn't already have an package_facts task
-+        """
-+        has_package_facts_task = False
-+        has_ansible_facts_packages_clause = False
-+
-+        for p_task in parsed_snippet:
-+            # We are only interested in the OrderedDicts, which represent Ansible tasks
-+            if not isinstance(p_task, dict):
-+                continue
-+
-+            if "package_facts" in p_task:
-+                has_package_facts_task = True
-+
-+            if "ansible_facts.packages" in p_task.get("when", ""):
-+                has_ansible_facts_packages_clause = True
-+
-+        if has_ansible_facts_packages_clause and not has_package_facts_task:
-+            facts_task = OrderedDict({'name': 'Gather the package facts',
-+                                      'package_facts': {'manager': 'auto'}})
-+            parsed_snippet.insert(0, facts_task)
-+
-     def update_when_from_rule(self, to_update):
-         additional_when = ""
--        if self.associated_rule.platform == "machine":
-+        rule_platform = self.associated_rule.platform
-+        if rule_platform == "machine":
-             additional_when = 'ansible_virtualization_type not in ["docker", "lxc", "openvz"]'
-+        elif rule_platform is not None:
-+            # Assume any other platform is a Package CPE
-+
-+            # It doesn't make sense to add a conditional on the task that
-+            # gathers data for the conditional
-+            if "package_facts" in to_update:
-+                return
-+
-+            additional_when = '"' + rule_platform + '" in ansible_facts.packages'
-+            # After adding the conditional, we need to make sure package_facts are collected.
-+            # This is done via inject_package_facts_task()
-         to_update.setdefault("when", "")
-         new_when = ssg.yaml.update_yaml_list_or_string(to_update["when"], additional_when)
-         if not new_when:
-@@ -355,10 +390,21 @@ def update_when_from_rule(self, to_update):
-             to_update["when"] = new_when
- 
-     def update(self, parsed, config):
-+        # We split the remediation update in three steps
-+
-+        # 1. Update the when clause
-         for p in parsed:
-             if not isinstance(p, dict):
-                 continue
-             self.update_when_from_rule(p)
-+
-+        # 2. Inject any extra task necessary
-+        self.inject_package_facts_task(parsed)
-+
-+        # 3. Add tags to all tasks, including the ones we have injected
-+        for p in parsed:
-+            if not isinstance(p, dict):
-+                continue
-             self.update_tags_from_config(p, config)
-             self.update_tags_from_rule(p)
- 
-
-From 60e5723e0e35ec8d79bafdd113f04691e61738e7 Mon Sep 17 00:00:00 2001
-From: Watson Sato <wsato@redhat.com>
-Date: Thu, 27 Aug 2020 17:09:06 +0200
-Subject: [PATCH 2/5] Add inherited_platform to Rule
-
-This field is exported to the rule when it is resolved.
----
- ssg/build_yaml.py | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/ssg/build_yaml.py b/ssg/build_yaml.py
-index 4ba114eee4..fe290ffc05 100644
---- a/ssg/build_yaml.py
-+++ b/ssg/build_yaml.py
-@@ -832,6 +832,7 @@ class Rule(object):
-         "conflicts": lambda: list(),
-         "requires": lambda: list(),
-         "platform": lambda: None,
-+        "inherited_platforms": lambda: list(),
-         "template": lambda: None,
-     }
- 
-@@ -851,6 +852,7 @@ def __init__(self, id_):
-         self.requires = []
-         self.conflicts = []
-         self.platform = None
-+        self.inherited_platforms = [] # platforms inherited from the group
-         self.template = None
- 
-     @classmethod
-@@ -1293,6 +1295,9 @@ def _process_rules(self):
-                 continue
-             self.all_rules.add(rule)
-             self.loaded_group.add_rule(rule)
-+
-+            rule.inherited_platforms.append(self.loaded_group.platform)
-+
-             if self.resolved_rules_dir:
-                 output_for_rule = os.path.join(
-                     self.resolved_rules_dir, "{id_}.yml".format(id_=rule.id_))
-
-From 3a0bb0d2981670e90a8eaca53b28e1a6f7cc29d6 Mon Sep 17 00:00:00 2001
-From: Watson Sato <wsato@redhat.com>
-Date: Thu, 27 Aug 2020 17:21:35 +0200
-Subject: [PATCH 3/5] Add when clauses for inherited platforms too
-
-Consider the Rule's Group platform while including 'when' clauses to
-Ansible snippets.
-
-Some rules have two platforms, a machine platform and a package
-platform. One of them is represented of the Rule, and the other is
-represented in the Rule's Group.
-
-The platforms are organized like this to due limiation in XCCDF,
-multiple platforms in a Rule are ORed, not ANDed.
----
- ssg/build_remediations.py | 44 ++++++++++++++++++++++++---------------
- 1 file changed, 27 insertions(+), 17 deletions(-)
-
-diff --git a/ssg/build_remediations.py b/ssg/build_remediations.py
-index 597aed5889..a2a996d0af 100644
---- a/ssg/build_remediations.py
-+++ b/ssg/build_remediations.py
-@@ -358,8 +358,13 @@ def inject_package_facts_task(self, parsed_snippet):
-             if "package_facts" in p_task:
-                 has_package_facts_task = True
- 
--            if "ansible_facts.packages" in p_task.get("when", ""):
--                has_ansible_facts_packages_clause = True
-+            # When clause of the task can be string or a list, lets normalize to list
-+            task_when = p_task.get("when", "")
-+            if type(task_when) is str:
-+                task_when = [ task_when ]
-+            for when in task_when:
-+                if "ansible_facts.packages" in when:
-+                    has_ansible_facts_packages_clause = True
- 
-         if has_ansible_facts_packages_clause and not has_package_facts_task:
-             facts_task = OrderedDict({'name': 'Gather the package facts',
-@@ -367,21 +372,26 @@ def inject_package_facts_task(self, parsed_snippet):
-             parsed_snippet.insert(0, facts_task)
- 
-     def update_when_from_rule(self, to_update):
--        additional_when = ""
--        rule_platform = self.associated_rule.platform
--        if rule_platform == "machine":
--            additional_when = 'ansible_virtualization_type not in ["docker", "lxc", "openvz"]'
--        elif rule_platform is not None:
--            # Assume any other platform is a Package CPE
--
--            # It doesn't make sense to add a conditional on the task that
--            # gathers data for the conditional
--            if "package_facts" in to_update:
--                return
--
--            additional_when = '"' + rule_platform + '" in ansible_facts.packages'
--            # After adding the conditional, we need to make sure package_facts are collected.
--            # This is done via inject_package_facts_task()
-+        additional_when = []
-+
-+        rule_platforms = set([self.associated_rule.platform] +
-+                              self.associated_rule.inherited_platforms)
-+
-+        for platform in rule_platforms:
-+            if platform == "machine":
-+                additional_when.append('ansible_virtualization_type not in ["docker", "lxc", "openvz"]')
-+            elif platform is not None:
-+                # Assume any other platform is a Package CPE
-+
-+                # It doesn't make sense to add a conditional on the task that
-+                # gathers data for the conditional
-+                if "package_facts" in to_update:
-+                    continue
-+
-+                additional_when.append('"' + platform + '" in ansible_facts.packages')
-+                # After adding the conditional, we need to make sure package_facts are collected.
-+                # This is done via inject_package_facts_task()
-+
-         to_update.setdefault("when", "")
-         new_when = ssg.yaml.update_yaml_list_or_string(to_update["when"], additional_when)
-         if not new_when:
-
-From 99c92e39bccc3fcfadca41096e66ca146137b207 Mon Sep 17 00:00:00 2001
-From: Watson Sato <wsato@redhat.com>
-Date: Mon, 31 Aug 2020 16:06:14 +0200
-Subject: [PATCH 4/5] Improve inherihted and rule's platforms handling
-
-Add a quick comment too.
----
- ssg/build_remediations.py | 5 +++--
- 1 file changed, 3 insertions(+), 2 deletions(-)
-
-diff --git a/ssg/build_remediations.py b/ssg/build_remediations.py
-index a2a996d0af..9e622ef740 100644
---- a/ssg/build_remediations.py
-+++ b/ssg/build_remediations.py
-@@ -374,8 +374,9 @@ def inject_package_facts_task(self, parsed_snippet):
-     def update_when_from_rule(self, to_update):
-         additional_when = []
- 
--        rule_platforms = set([self.associated_rule.platform] +
--                              self.associated_rule.inherited_platforms)
-+        # There can be repeated inherited platforms and rule platforms
-+        rule_platforms = set(self.associated_rule.inherited_platforms)
-+        rule_platforms.add(self.associated_rule.platform)
- 
-         for platform in rule_platforms:
-             if platform == "machine":
-
-From 596da9993edfbd244cbaa6d797abbd68b2e82185 Mon Sep 17 00:00:00 2001
-From: Watson Sato <wsato@redhat.com>
-Date: Mon, 31 Aug 2020 16:10:53 +0200
-Subject: [PATCH 5/5] Code style and grammar changes
-
----
- ssg/build_remediations.py | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/ssg/build_remediations.py b/ssg/build_remediations.py
-index 9e622ef740..866450dd8c 100644
---- a/ssg/build_remediations.py
-+++ b/ssg/build_remediations.py
-@@ -345,7 +345,7 @@ def _get_rule_reference(self, ref_class):
-     def inject_package_facts_task(self, parsed_snippet):
-         """ Injects a package_facts task only if
-             the snippet has a task with a when clause with ansible_facts.packages,
--            and the snippet doesn't already have an package_facts task
-+            and the snippet doesn't already have a package_facts task
-         """
-         has_package_facts_task = False
-         has_ansible_facts_packages_clause = False
-@@ -361,7 +361,7 @@ def inject_package_facts_task(self, parsed_snippet):
-             # When clause of the task can be string or a list, lets normalize to list
-             task_when = p_task.get("when", "")
-             if type(task_when) is str:
--                task_when = [ task_when ]
-+                task_when = [task_when]
-             for when in task_when:
-                 if "ansible_facts.packages" in when:
-                     has_ansible_facts_packages_clause = True
diff --git a/SOURCES/scap-security-guide-0.1.53-bash_platforms-PR_6061.patch b/SOURCES/scap-security-guide-0.1.53-bash_platforms-PR_6061.patch
deleted file mode 100644
index f1510d8..0000000
--- a/SOURCES/scap-security-guide-0.1.53-bash_platforms-PR_6061.patch
+++ /dev/null
@@ -1,241 +0,0 @@
-From c05cce1a4a5eb95be857b07948fda0c95cdaa106 Mon Sep 17 00:00:00 2001
-From: Watson Sato <wsato@redhat.com>
-Date: Tue, 8 Sep 2020 14:36:07 +0200
-Subject: [PATCH 1/5] Align Bash applicability with CPE platform
-
-Wraps the remediation of rules with Packager CPE Platform
-with an if condition that checks for the respective
-platforms's package.
----
- ssg/build_remediations.py | 45 +++++++++++++++++++++++++++++++++++++++
- 1 file changed, 45 insertions(+)
-
-diff --git a/ssg/build_remediations.py b/ssg/build_remediations.py
-index ccbdf9fc1f..2d4a805e78 100644
---- a/ssg/build_remediations.py
-+++ b/ssg/build_remediations.py
-@@ -27,6 +27,13 @@
-     'kubernetes': '.yml'
- }
- 
-+PKG_MANAGER_TO_PACKAGE_CHECK_COMMAND = {
-+    'apt_get': 'dpkg-query -s {} &>/dev/null',
-+    'dnf': 'rpm --quiet -q {}',
-+    'yum': 'rpm --quiet -q {}',
-+    'zypper': 'rpm --quiet -q {}',
-+}
-+
- FILE_GENERATED_HASH_COMMENT = '# THIS FILE IS GENERATED'
- 
- REMEDIATION_CONFIG_KEYS = ['complexity', 'disruption', 'platform', 'reboot',
-@@ -262,6 +269,44 @@ class BashRemediation(Remediation):
-     def __init__(self, file_path):
-         super(BashRemediation, self).__init__(file_path, "bash")
- 
-+    def parse_from_file_with_jinja(self, env_yaml):
-+        self.local_env_yaml.update(env_yaml)
-+        result = super(BashRemediation, self).parse_from_file_with_jinja(self.local_env_yaml)
-+
-+        # There can be repeated inherited platforms and rule platforms
-+        rule_platforms = set(self.associated_rule.inherited_platforms)
-+        rule_platforms.add(self.associated_rule.platform)
-+
-+        platform_conditionals = []
-+        for platform in rule_platforms:
-+            if platform == "machine":
-+                # Based on check installed_env_is_a_container
-+                platform_conditionals.append('[ ! -f /.dockerenv -a ! -f /run/.containerenv ]')
-+            elif platform is not None:
-+                # Assume any other platform is a Package CPE
-+
-+                # Some package names are different from the platform names
-+                if platform in self.local_env_yaml["platform_package_overrides"]:
-+                    platform = self.local_env_yaml["platform_package_overrides"].get(platform)
-+
-+                # Adjust package check command according to the pkg_manager
-+                pkg_manager = self.local_env_yaml["pkg_manager"]
-+                pkg_check_command = PKG_MANAGER_TO_PACKAGE_CHECK_COMMAND[pkg_manager]
-+                platform_conditionals.append(pkg_check_command.format(platform))
-+
-+        if platform_conditionals:
-+            platform_fix_text = "# Remediation is applicable only in certain platforms\n"
-+
-+            cond = platform_conditionals.pop(0)
-+            platform_fix_text += "if {}".format(cond)
-+            for cond in platform_conditionals:
-+                platform_fix_text += " && {}".format(cond)
-+            platform_fix_text += '; then\n{}\nelse\necho "Remediation is not applicable, nothing was done"\nfi'.format(result.contents)
-+
-+            remediation = namedtuple('remediation', ['contents', 'config'])
-+            result = remediation(contents=platform_fix_text, config=result.config)
-+
-+        return result
- 
- class AnsibleRemediation(Remediation):
-     def __init__(self, file_path):
-
-From 19e0c3b709e091159655d37b8ce5d693750f0a81 Mon Sep 17 00:00:00 2001
-From: Watson Sato <wsato@redhat.com>
-Date: Tue, 8 Sep 2020 14:41:01 +0200
-Subject: [PATCH 2/5] Handle Bash platform wrapping in xccdf expansion
-
-Adjust expansion of subs and variables not to remove the whole beginning
-of the fix test. This was removing the package conditional wrapping.
----
- ssg/build_remediations.py | 21 ++++++++++++---------
- 1 file changed, 12 insertions(+), 9 deletions(-)
-
-diff --git a/ssg/build_remediations.py b/ssg/build_remediations.py
-index 2d4a805e78..49ec557000 100644
---- a/ssg/build_remediations.py
-+++ b/ssg/build_remediations.py
-@@ -736,14 +736,16 @@ def expand_xccdf_subs(fix, remediation_type, remediation_functions):
-         patcomp = re.compile(pattern, re.DOTALL)
-         fixparts = re.split(patcomp, fix.text)
-         if fixparts[0] is not None:
--            # Split the portion of fix.text from fix start to first call of
--            # remediation function, keeping only the third part:
--            # * tail        to hold part of the fix.text after inclusion,
--            #               but before first call of remediation function
-+            # Split the portion of fix.text at the string remediation_functions,
-+            # and remove preceeding comment whenever it is there.
-+            # * head        holds part of the fix.text before
-+            #               remediation_functions string
-+            # * tail        holds part of the fix.text after the
-+            #               remediation_functions string
-             try:
--                rfpattern = '(.*remediation_functions)(.*)'
--                rfpatcomp = re.compile(rfpattern, re.DOTALL)
--                _, _, tail, _ = re.split(rfpatcomp, fixparts[0], maxsplit=2)
-+                rfpattern = r'((?:# Include source function library\.\n)?.*remediation_functions)'
-+                rfpatcomp = re.compile(rfpattern)
-+                head, _, tail = re.split(rfpatcomp, fixparts[0], maxsplit=1)
-             except ValueError:
-                 sys.stderr.write("Processing fix.text for: %s rule\n"
-                                  % fix.get('rule'))
-@@ -751,9 +753,10 @@ def expand_xccdf_subs(fix, remediation_type, remediation_functions):
-                                  "after inclusion of remediation functions."
-                                  " Aborting..\n")
-                 sys.exit(1)
--            # If the 'tail' is not empty, make it new fix.text.
-+            # If the 'head' is not empty, make it new fix.text.
-             # Otherwise use ''
--            fix.text = tail if tail is not None else ''
-+            fix.text = head if head is not None else ''
-+            fix.text += tail if tail is not None else ''
-             # Drop the first element of 'fixparts' since it has been processed
-             fixparts.pop(0)
-             # Perform sanity check on new 'fixparts' list content (to continue
-
-From 1292b93dc35a9a308464f1effb7f10f8de6db457 Mon Sep 17 00:00:00 2001
-From: Watson Sato <wsato@redhat.com>
-Date: Tue, 8 Sep 2020 20:56:17 +0200
-Subject: [PATCH 3/5] Check if remediation has associated rule before use
-
----
- ssg/build_remediations.py | 8 +++++---
- 1 file changed, 5 insertions(+), 3 deletions(-)
-
-diff --git a/ssg/build_remediations.py b/ssg/build_remediations.py
-index 49ec557000..85f7139d8f 100644
---- a/ssg/build_remediations.py
-+++ b/ssg/build_remediations.py
-@@ -273,9 +273,11 @@ def parse_from_file_with_jinja(self, env_yaml):
-         self.local_env_yaml.update(env_yaml)
-         result = super(BashRemediation, self).parse_from_file_with_jinja(self.local_env_yaml)
- 
--        # There can be repeated inherited platforms and rule platforms
--        rule_platforms = set(self.associated_rule.inherited_platforms)
--        rule_platforms.add(self.associated_rule.platform)
-+        rule_platforms = set()
-+        if self.associated_rule:
-+            # There can be repeated inherited platforms and rule platforms
-+            rule_platforms.update(self.associated_rule.inherited_platforms)
-+            rule_platforms.add(self.associated_rule.platform)
- 
-         platform_conditionals = []
-         for platform in rule_platforms:
-
-From 7953a02e61bb56b501c56f46972247751292dcbb Mon Sep 17 00:00:00 2001
-From: Watson Sato <wsato@redhat.com>
-Date: Thu, 10 Sep 2020 10:59:43 +0200
-Subject: [PATCH 4/5] Fix python2 compat and improve code readability
-
----
- ssg/build_remediations.py | 29 ++++++++++++++++++-----------
- 1 file changed, 18 insertions(+), 11 deletions(-)
-
-diff --git a/ssg/build_remediations.py b/ssg/build_remediations.py
-index 85f7139d8f..673d6d0cc6 100644
---- a/ssg/build_remediations.py
-+++ b/ssg/build_remediations.py
-@@ -28,10 +28,10 @@
- }
- 
- PKG_MANAGER_TO_PACKAGE_CHECK_COMMAND = {
--    'apt_get': 'dpkg-query -s {} &>/dev/null',
--    'dnf': 'rpm --quiet -q {}',
--    'yum': 'rpm --quiet -q {}',
--    'zypper': 'rpm --quiet -q {}',
-+    'apt_get': 'dpkg-query -s {0} &>/dev/null',
-+    'dnf': 'rpm --quiet -q {0}',
-+    'yum': 'rpm --quiet -q {0}',
-+    'zypper': 'rpm --quiet -q {0}',
- }
- 
- FILE_GENERATED_HASH_COMMENT = '# THIS FILE IS GENERATED'
-@@ -297,16 +297,23 @@ def parse_from_file_with_jinja(self, env_yaml):
-                 platform_conditionals.append(pkg_check_command.format(platform))
- 
-         if platform_conditionals:
--            platform_fix_text = "# Remediation is applicable only in certain platforms\n"
-+            wrapped_fix_text = ["# Remediation is applicable only in certain platforms"]
- 
--            cond = platform_conditionals.pop(0)
--            platform_fix_text += "if {}".format(cond)
--            for cond in platform_conditionals:
--                platform_fix_text += " && {}".format(cond)
--            platform_fix_text += '; then\n{}\nelse\necho "Remediation is not applicable, nothing was done"\nfi'.format(result.contents)
-+            all_conditions = " && ".join(platform_conditionals)
-+            wrapped_fix_text.append("if {0}; then".format(all_conditions))
-+
-+            # Avoid adding extra blank line
-+            if not result.contents.startswith("\n"):
-+                wrapped_fix_text.append("")
-+
-+            wrapped_fix_text.append("{0}".format(result.contents))
-+            wrapped_fix_text.append("")
-+            wrapped_fix_text.append("else")
-+            wrapped_fix_text.append("    >&2 echo 'Remediation is not applicable, nothing was done'")
-+            wrapped_fix_text.append("fi")
- 
-             remediation = namedtuple('remediation', ['contents', 'config'])
--            result = remediation(contents=platform_fix_text, config=result.config)
-+            result = remediation(contents="\n".join(wrapped_fix_text), config=result.config)
- 
-         return result
- 
-
-From 0bd3912651367c64789bb3d67b44c3b8848708c0 Mon Sep 17 00:00:00 2001
-From: Watson Sato <wsato@redhat.com>
-Date: Thu, 10 Sep 2020 17:25:27 +0200
-Subject: [PATCH 5/5] Document the perils of indenting wrapped Bash fixes
-
----
- ssg/build_remediations.py | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/ssg/build_remediations.py b/ssg/build_remediations.py
-index 673d6d0cc6..f269d4d2d6 100644
---- a/ssg/build_remediations.py
-+++ b/ssg/build_remediations.py
-@@ -306,6 +306,9 @@ def parse_from_file_with_jinja(self, env_yaml):
-             if not result.contents.startswith("\n"):
-                 wrapped_fix_text.append("")
- 
-+            # It is possible to indent the original body of the remediation with textwrap.indent(),
-+            # however, it is not supported by python2, and there is a risk of breaking remediations
-+            # For example, remediations with a here-doc block could be affected.
-             wrapped_fix_text.append("{0}".format(result.contents))
-             wrapped_fix_text.append("")
-             wrapped_fix_text.append("else")
diff --git a/SOURCES/scap-security-guide-0.1.53-clean_boilerplate-PR_6042.patch b/SOURCES/scap-security-guide-0.1.53-clean_boilerplate-PR_6042.patch
deleted file mode 100644
index 8ed22b3..0000000
--- a/SOURCES/scap-security-guide-0.1.53-clean_boilerplate-PR_6042.patch
+++ /dev/null
@@ -1,7131 +0,0 @@
-From 845ad1f66b3c92cf1293a421ec4b8d785077b29c Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
-Date: Thu, 3 Sep 2020 16:24:12 +0200
-Subject: [PATCH 1/6] Remove the OVAL boilerplate in favor of the oval_metadata
- macro.
-
----
- .../oval/shared.xml                           | 11 +-----
- .../apt_sources_list_official/oval/shared.xml |  8 +---
- .../oval/shared.xml                           | 10 +----
- .../ftp_log_transactions/oval/shared.xml      | 11 +-----
- .../ftp_present_banner/oval/shared.xml        | 12 +-----
- .../dir_perms_etc_httpd_conf/oval/shared.xml  |  8 +---
- .../dir_perms_var_log_httpd/oval/shared.xml   |  8 +---
- .../oval/shared.xml                           |  8 +---
- .../oval/shared.xml                           |  8 +---
- .../oval/shared.xml                           |  8 +---
- .../oval/shared.xml                           |  8 +---
- .../dovecot_enable_ssl/oval/shared.xml        |  8 +---
- .../oval/shared.xml                           | 11 +-----
- .../enable_ldap_client/oval/shared.xml        | 10 +----
- .../ldap_client_start_tls/oval/shared.xml     |  9 +----
- .../oval/shared.xml                           |  8 +---
- .../oval/shared.xml                           |  9 +----
- .../oval/shared.xml                           |  9 +----
- .../postfix_server_banner/oval/shared.xml     |  8 +---
- .../no_insecure_locks_exports/oval/shared.xml | 10 +----
- .../oval/shared.xml                           | 13 +------
- .../ntp/chronyd_client_only/oval/shared.xml   |  8 +---
- .../oval/shared.xml                           |  8 +---
- .../oval/shared.xml                           |  8 +---
- .../oval/shared.xml                           |  6 +--
- .../oval/shared.xml                           |  6 +--
- .../oval/shared.xml                           |  8 +---
- .../oval/shared.xml                           |  6 +--
- .../ntp/ntpd_run_as_ntp_user/oval/shared.xml  |  6 +--
- .../oval/shared.xml                           |  6 +--
- .../oval/shared.xml                           |  8 +---
- .../oval/shared.xml                           |  6 +--
- .../no_host_based_files/oval/shared.xml       | 12 +-----
- .../no_rsh_trust_files/oval/shared.xml        | 10 +----
- .../no_user_host_based_files/oval/shared.xml  | 12 +-----
- .../tftpd_uses_secure_mode/oval/shared.xml    | 11 +-----
- .../cups_disable_browsing/oval/shared.xml     | 10 +----
- .../cups_disable_printserver/oval/shared.xml  | 10 +----
- .../oval/shared.xml                           | 11 +-----
- .../oval/shared.xml                           | 10 +----
- .../oval/shared.xml                           |  8 +---
- .../snmpd_use_newer_protocol/oval/shared.xml  |  8 +---
- .../firewalld_sshd_disabled/oval/shared.xml   | 11 +-----
- .../oval/shared.xml                           | 14 +------
- .../sshd_allow_only_protocol2/oval/shared.xml |  6 +--
- .../sshd_disable_compression/oval/shared.xml  |  6 +--
- .../sshd_disable_rhosts_rsa/oval/shared.xml   |  8 +---
- .../sshd_rekey_limit/oval/shared.xml          |  6 +--
- .../sshd_set_idle_timeout/oval/shared.xml     | 10 +----
- .../sshd_set_keepalive/oval/shared.xml        | 10 +----
- .../sshd_set_max_auth_tries/oval/shared.xml   | 10 +----
- .../sshd_set_max_sessions/oval/shared.xml     | 10 +----
- .../sshd_use_approved_ciphers/oval/shared.xml | 11 +-----
- .../sshd_use_approved_macs/oval/shared.xml    | 12 +-----
- .../sshd_use_priv_separation/oval/shared.xml  |  8 +---
- .../oval/shared.xml                           | 10 +----
- .../sssd_ldap_start_tls/oval/shared.xml       |  6 +--
- .../sssd_enable_pam_services/oval/shared.xml  |  8 +---
- .../sssd_enable_smartcards/oval/shared.xml    | 14 +------
- .../sssd_memcache_timeout/oval/shared.xml     | 11 +-----
- .../oval/shared.xml                           | 11 +-----
- .../sssd_run_as_sssd_user/oval/shared.xml     |  6 +--
- .../oval/shared.xml                           | 10 +----
- .../usbguard_allow_hid/oval/shared.xml        | 10 +----
- .../oval/shared.xml                           |  6 +--
- .../usbguard_allow_hub/oval/shared.xml        | 10 +----
- .../xwindows_runlevel_setting/oval/shared.xml | 13 +------
- .../xwindows_runlevel_target/oval/shared.xml  |  6 +--
- .../banner_etc_issue/oval/shared.xml          |  6 +--
- .../banner_etc_motd/oval/shared.xml           | 12 +-----
- .../oval/shared.xml                           | 11 +-----
- .../oval/shared.xml                           | 11 +-----
- .../display_login_attempts/oval/shared.xml    | 12 +-----
- .../oval/shared.xml                           | 12 +-----
- .../oval/shared.xml                           |  8 +---
- .../oval/shared.xml                           | 15 +-------
- .../oval/shared.xml                           | 11 +-----
- .../oval/shared.xml                           | 11 +-----
- .../oval/shared.xml                           | 12 +-----
- .../oval/shared.xml                           | 12 +-----
- .../oval/shared.xml                           | 12 +-----
- .../oval/shared.xml                           | 12 +-----
- .../oval/shared.xml                           |  8 +---
- .../disable_ctrlaltdel_reboot/oval/shared.xml |  8 +---
- .../oval/shared.xml                           |  8 +---
- .../oval/shared.xml                           | 14 +------
- .../require_singleuser_auth/oval/shared.xml   |  8 +---
- .../oval/shared.xml                           | 10 +----
- .../oval/shared.xml                           | 10 +----
- .../oval/shared.xml                           | 10 +----
- .../no_tmux_in_shells/oval/shared.xml         | 10 +----
- .../oval/shared.xml                           | 14 +------
- .../configure_opensc_nss_db/oval/shared.xml   | 10 +----
- .../force_opensc_card_drivers/oval/shared.xml | 14 +------
- .../oval/shared.xml                           |  9 +----
- .../smartcard_auth/oval/shared.xml            | 10 +----
- .../oval/shared.xml                           | 12 +-----
- .../account_unique_name/oval/shared.xml       |  8 +---
- .../oval/shared.xml                           |  8 +---
- .../oval/shared.xml                           |  8 +---
- .../oval/shared.xml                           |  8 +---
- .../oval/shared.xml                           |  8 +---
- .../oval/shared.xml                           |  8 +---
- .../gid_passwd_group_same/oval/shared.xml     | 12 +-----
- .../no_empty_passwords/oval/shared.xml        |  6 +--
- .../oval/shared.xml                           |  6 +--
- .../oval/shared.xml                           |  6 +--
- .../oval/shared.xml                           |  6 +--
- .../no_netrc_files/oval/shared.xml            |  6 +--
- .../oval/shared.xml                           |  6 +--
- .../no_direct_root_logins/oval/shared.xml     |  8 +---
- .../oval/shared.xml                           |  8 +---
- .../oval/shared.xml                           | 10 +----
- .../oval/shared.xml                           | 10 +----
- .../oval/shared.xml                           |  6 +--
- .../accounts_logon_fail_delay/oval/shared.xml | 10 +----
- .../oval/shared.xml                           | 13 +------
- .../oval/shared.xml                           |  8 +---
- .../oval/shared.xml                           | 11 +-----
- .../root_path_no_dot/oval/shared.xml          | 13 +------
- .../accounts_umask_etc_bashrc/oval/shared.xml | 10 +----
- .../oval/shared.xml                           | 10 +----
- .../oval/shared.xml                           | 11 +-----
- .../oval/shared.xml                           | 11 +-----
- .../oval/shared.xml                           | 11 +-----
- .../oval/shared.xml                           | 12 +-----
- .../oval/shared.xml                           | 13 +------
- .../oval/shared.xml                           |  6 +--
- .../oval/shared.xml                           |  6 +--
- .../oval/shared.xml                           |  6 +--
- .../audit_rules_login_events/oval/shared.xml  | 13 +------
- .../oval/shared.xml                           |  6 +--
- .../audit_rules_immutable/oval/shared.xml     |  6 +--
- .../oval/shared.xml                           |  6 +--
- .../oval/shared.xml                           |  8 +---
- .../oval/shared.xml                           |  6 +--
- .../oval/shared.xml                           |  6 +--
- .../oval/shared.xml                           | 13 +------
- .../oval/shared.xml                           | 14 +------
- .../audit_rules_time_adjtimex/oval/shared.xml |  6 +--
- .../oval/shared.xml                           |  6 +--
- .../oval/shared.xml                           |  6 +--
- .../audit_rules_time_stime/oval/shared.xml    |  8 +---
- .../oval/shared.xml                           |  6 +--
- .../oval/shared.xml                           |  6 +--
- .../oval/shared.xml                           |  6 +--
- .../oval/shared.xml                           |  6 +--
- .../oval/shared.xml                           |  6 +--
- .../oval/shared.xml                           |  6 +--
- .../oval/shared.xml                           | 12 +-----
- .../oval/shared.xml                           | 12 +-----
- .../oval/shared.xml                           |  6 +--
- .../oval/shared.xml                           |  6 +--
- .../oval/shared.xml                           |  6 +--
- .../oval/shared.xml                           |  6 +--
- .../oval/shared.xml                           |  6 +--
- .../oval/shared.xml                           |  6 +--
- .../oval/shared.xml                           |  6 +--
- .../oval/shared.xml                           |  6 +--
- .../oval/shared.xml                           |  6 +--
- .../oval/shared.xml                           |  6 +--
- .../audit_rules_for_ospp/oval/shared.xml      | 10 +----
- .../oval/shared.xml                           |  8 +---
- .../file_groupowner_grub2_cfg/oval/shared.xml |  8 +---
- .../file_owner_efi_grub2_cfg/oval/shared.xml  |  8 +---
- .../file_owner_grub2_cfg/oval/shared.xml      |  8 +---
- .../oval/shared.xml                           | 11 +-----
- .../oval/shared.xml                           |  8 +---
- .../grub2_admin_username/oval/shared.xml      |  6 +--
- .../grub2_enable_iommu_force/oval/shared.xml  |  8 +---
- .../grub2_password/oval/shared.xml            |  6 +--
- .../grub2_uefi_admin_username/oval/shared.xml |  6 +--
- .../grub2_uefi_password/oval/shared.xml       |  6 +--
- .../zipl_bls_entries_only/oval/shared.xml     |  6 +--
- .../oval/shared.xml                           |  6 +--
- .../oval/shared.xml                           |  8 +---
- .../oval/shared.xml                           |  8 +---
- .../rsyslog_cron_logging/oval/shared.xml      | 12 +-----
- .../oval/shared.xml                           | 13 +------
- .../rsyslog_files_ownership/oval/shared.xml   | 13 +------
- .../rsyslog_files_permissions/oval/shared.xml | 13 +------
- .../oval/shared.xml                           | 10 +----
- .../rsyslog_nolisten/oval/shared.xml          | 12 +-----
- .../rsyslog_remote_loghost/oval/shared.xml    | 14 +------
- .../rsyslog_remote_tls/oval/shared.xml        | 10 +----
- .../rsyslog_remote_tls_cacert/oval/shared.xml | 10 +----
- .../configure_firewalld_ports/oval/shared.xml | 14 +------
- .../oval/shared.xml                           | 13 +------
- .../oval/shared.xml                           | 12 +-----
- .../oval/shared.xml                           |  9 +----
- .../oval/shared.xml                           | 11 +-----
- .../oval/shared.xml                           |  9 +----
- .../oval/shared.xml                           |  8 +---
- .../network_ipv6_disable_rpc/oval/shared.xml  |  9 +----
- .../oval/shared.xml                           |  6 +--
- .../oval/shared.xml                           | 14 +------
- .../oval/shared.xml                           | 11 +-----
- .../network_disable_zeroconf/oval/shared.xml  | 10 +----
- .../network_nmcli_permissions/oval/shared.xml |  6 +--
- .../network_sniffer_disabled/oval/shared.xml  | 11 +-----
- .../oval/shared.xml                           | 10 +----
- .../oval/shared.xml                           | 12 +-----
- .../oval/shared.xml                           | 10 +----
- .../oval/shared.xml                           | 11 +-----
- .../oval/shared.xml                           | 11 +-----
- .../oval/shared.xml                           | 12 +-----
- .../oval/shared.xml                           | 12 +-----
- .../no_files_unowned_by_user/oval/shared.xml  | 11 +-----
- .../oval/shared.xml                           | 13 +------
- .../oval/shared.xml                           | 13 +------
- .../oval/shared.xml                           | 13 +------
- .../oval/shared.xml                           | 13 +------
- .../oval/shared.xml                           | 10 +----
- .../mount_option_var_tmp_bind/oval/shared.xml | 10 +----
- .../disable_users_coredumps/oval/shared.xml   |  6 +--
- .../umask_for_daemons/oval/shared.xml         |  8 +---
- .../sysctl_kernel_exec_shield/oval/shared.xml | 10 +----
- .../oval/shared.xml                           | 12 +-----
- .../grub2_enable_selinux/oval/shared.xml      |  8 +---
- .../oval/shared.xml                           |  6 +--
- .../oval/shared.xml                           |  6 +--
- .../selinux_policytype/oval/shared.xml        |  6 +--
- .../selinux/selinux_state/oval/shared.xml     |  6 +--
- .../gnome/dconf_db_up_to_date/oval/shared.xml | 11 +-----
- .../enable_dconf_user_profile/oval/shared.xml | 11 +-----
- .../oval/shared.xml                           | 11 +-----
- .../oval/shared.xml                           | 11 +-----
- .../oval/shared.xml                           | 11 +-----
- .../dconf_gnome_login_retries/oval/shared.xml | 11 +-----
- .../oval/shared.xml                           | 14 +------
- .../oval/shared.xml                           | 14 +------
- .../oval/shared.xml                           | 12 +-----
- .../oval/shared.xml                           | 12 +-----
- .../oval/shared.xml                           | 10 +----
- .../oval/shared.xml                           | 10 +----
- .../oval/shared.xml                           | 11 +-----
- .../oval/shared.xml                           | 11 +-----
- .../oval/shared.xml                           | 11 +-----
- .../oval/shared.xml                           | 11 +-----
- .../oval/shared.xml                           | 11 +-----
- .../oval/shared.xml                           | 13 +------
- .../oval/shared.xml                           | 11 +-----
- .../oval/shared.xml                           | 11 +-----
- .../oval/shared.xml                           | 11 +-----
- .../oval/shared.xml                           | 11 +-----
- .../oval/shared.xml                           | 11 +-----
- .../oval/shared.xml                           | 11 +-----
- .../oval/shared.xml                           |  6 +--
- .../oval/shared.xml                           | 10 +----
- .../oval/shared.xml                           | 10 +----
- .../oval/shared.xml                           | 11 +-----
- .../oval/shared.xml                           |  8 +---
- .../oval/shared.xml                           |  8 +---
- .../oval/shared.xml                           |  6 +--
- .../configure_crypto_policy/oval/shared.xml   |  6 +--
- .../oval/shared.xml                           |  6 +--
- .../oval/shared.xml                           |  6 +--
- .../oval/shared.xml                           |  6 +--
- .../oval/shared.xml                           |  6 +--
- .../oval/shared.xml                           |  6 +--
- .../oval/shared.xml                           |  6 +--
- .../ssh_client_rekey_limit/oval/shared.xml    |  6 +--
- .../integrity/disable_prelink/oval/shared.xml |  8 +---
- .../install_antivirus/oval/shared.xml         |  8 +---
- .../install_hids/oval/shared.xml              | 10 +----
- .../install_mcafee_antivirus/oval/shared.xml  |  8 +---
- .../install_mcafee_cma_rt/oval/shared.xml     |  8 +---
- .../oval/shared.xml                           |  8 +---
- .../install_mcafee_hbss_accm/oval/shared.xml  |  8 +---
- .../install_mcafee_hbss_hips/oval/shared.xml  | 10 +----
- .../install_mcafee_hbss_pa/oval/shared.xml    |  8 +---
- .../enable_dracut_fips_module/oval/shared.xml |  6 +--
- .../fips/enable_fips_mode/oval/shared.xml     |  6 +--
- .../etc_system_fips_exists/oval/shared.xml    |  6 +--
- .../grub2_enable_fips_mode/oval/shared.xml    |  6 +--
- .../oval/shared.xml                           |  6 +--
- .../oval/shared.xml                           |  6 +--
- .../oval/shared.xml                           |  6 +--
- .../aide/aide_build_database/oval/shared.xml  | 11 +-----
- .../oval/shared.xml                           | 14 +------
- .../aide_scan_notification/oval/shared.xml    | 13 +------
- .../aide/aide_use_fips_hashes/oval/shared.xml | 12 +-----
- .../aide/aide_verify_acls/oval/shared.xml     | 10 +----
- .../oval/shared.xml                           | 10 +----
- .../rpm_verify_hashes/oval/shared.xml         | 12 +-----
- .../rpm_verify_ownership/oval/shared.xml      | 13 +------
- .../rpm_verify_permissions/oval/shared.xml    | 14 +------
- .../oval/shared.xml                           | 10 +----
- .../oval/shared.xml                           | 10 +----
- .../oval/shared.xml                           | 14 +------
- .../sudo/sudo_remove_nopasswd/oval/shared.xml | 14 +------
- .../oval/shared.xml                           | 13 +------
- .../sudo/sudo_vdsm_nopasswd/oval/shared.xml   | 10 +----
- .../oval/shared.xml                           | 13 +------
- .../oval/shared.xml                           |  8 +---
- .../oval/shared.xml                           | 10 +----
- .../oval/shared.xml                           | 15 +-------
- .../oval/shared.xml                           | 11 +-----
- .../oval/shared.xml                           | 12 +-----
- .../oval/shared.xml                           |  8 +---
- .../oval/shared.xml                           |  9 +----
- .../templates/template_OVAL_accounts_password |  6 +--
- ...template_OVAL_audit_rules_dac_modification |  6 +--
- ...late_OVAL_audit_rules_file_deletion_events |  6 +--
- .../template_OVAL_audit_rules_login_events    |  6 +--
- .../template_OVAL_audit_rules_path_syscall    |  6 +--
- ...plate_OVAL_audit_rules_privileged_commands |  6 +--
- ...audit_rules_unsuccessful_file_modification |  6 +--
- ...les_unsuccessful_file_modification_o_creat |  6 +--
- ...successful_file_modification_o_trunc_write |  6 +--
- ..._unsuccessful_file_modification_rule_order |  7 +---
- ...te_OVAL_audit_rules_usergroup_modification |  6 +--
- .../template_OVAL_bls_entries_option          |  6 +--
- .../templates/template_OVAL_file_groupowner   |  6 +--
- shared/templates/template_OVAL_file_owner     |  6 +--
- .../templates/template_OVAL_file_permissions  |  8 +---
- .../template_OVAL_grub2_bootloader_argument   |  6 +--
- .../template_OVAL_kernel_module_disabled      |  6 +--
- shared/templates/template_OVAL_mount          |  8 +---
- shared/templates/template_OVAL_mount_option   |  6 +--
- ...plate_OVAL_mount_option_remote_filesystems |  6 +--
- ...ate_OVAL_mount_option_removable_partitions |  6 +--
- .../templates/template_OVAL_package_installed |  8 +---
- .../templates/template_OVAL_package_removed   |  8 +---
- shared/templates/template_OVAL_permissions    |  6 +--
- shared/templates/template_OVAL_sebool         |  6 +--
- .../templates/template_OVAL_service_disabled  | 32 ++--------------
- .../templates/template_OVAL_service_enabled   | 16 +-------
- shared/templates/template_OVAL_sysctl         | 38 ++-----------------
- shared/templates/template_OVAL_timer_enabled  | 14 +------
- shared/templates/template_OVAL_yamlfile_value |  9 +----
- .../template_OVAL_zipl_bls_entries_option     |  6 +--
- 332 files changed, 419 insertions(+), 2659 deletions(-)
-
-diff --git a/linux_os/guide/services/apt/apt_conf_disallow_unauthenticated/oval/shared.xml b/linux_os/guide/services/apt/apt_conf_disallow_unauthenticated/oval/shared.xml
-index 75cebc26f6..f106cf36e7 100644
---- a/linux_os/guide/services/apt/apt_conf_disallow_unauthenticated/oval/shared.xml
-+++ b/linux_os/guide/services/apt/apt_conf_disallow_unauthenticated/oval/shared.xml
-@@ -1,14 +1,7 @@
- <def-group>
-   <definition class="compliance" id="apt_conf_disallow_unauthenticated" version="1">
--    <metadata>
--      <title>Check that no unauthenticated repository is authorized by configuration</title>
--      <affected family="unix">
--        <platform>multi_platform_debian</platform>
--        <platform>multi_platform_ubuntu</platform>
--      </affected>
--      <description>Accessing a repository should be
--      allowed only when the repository is authenticated.</description>
--    </metadata>
-+    {{{ oval_metadata("Accessing a repository should be
-+      allowed only when the repository is authenticated.") }}}
-     <criteria comment="Detect any usage of allow-unauthenticated option"
-       operator="OR">      
-       <criterion comment="Check /etc/apt/apt.conf file"
-diff --git a/linux_os/guide/services/apt/apt_sources_list_official/oval/shared.xml b/linux_os/guide/services/apt/apt_sources_list_official/oval/shared.xml
-index 3d77251313..89e72e0594 100644
---- a/linux_os/guide/services/apt/apt_sources_list_official/oval/shared.xml
-+++ b/linux_os/guide/services/apt/apt_sources_list_official/oval/shared.xml
-@@ -1,12 +1,6 @@
- <def-group>
-   <definition class="compliance" id="apt_sources_list_official" version="1">
--    <metadata>
--      <title>Only official, up-to-date distribution repositories should be used</title>
--      <affected family="unix">
--        <platform>multi_platform_debian</platform>
--      </affected>
--      <description>Official distribution repositories contain up-to-date distribution security and functional patches.</description>
--    </metadata>
-+    {{{ oval_metadata("Official distribution repositories contain up-to-date distribution security and functional patches.") }}}
-     <criteria comment="Match sources.list distribution repositories usage" operator="AND">      
-       <criterion comment="Check /etc/apt/sources(.d/.+).list file for base" test_ref="test_apt_sources_list_base_official" />
-       <criterion comment="Check /etc/apt/sources(.d/.+).list file for security" test_ref="test_apt_sources_list_security_official" />
-diff --git a/linux_os/guide/services/dhcp/disabling_dhcp_client/sysconfig_networking_bootproto_ifcfg/oval/shared.xml b/linux_os/guide/services/dhcp/disabling_dhcp_client/sysconfig_networking_bootproto_ifcfg/oval/shared.xml
-index 0f0b0dafb0..0aa1c552b6 100644
---- a/linux_os/guide/services/dhcp/disabling_dhcp_client/sysconfig_networking_bootproto_ifcfg/oval/shared.xml
-+++ b/linux_os/guide/services/dhcp/disabling_dhcp_client/sysconfig_networking_bootproto_ifcfg/oval/shared.xml
-@@ -1,14 +1,8 @@
- <def-group>
-   <definition class="compliance" id="sysconfig_networking_bootproto_ifcfg"
-   version="2">
--    <metadata>
--      <title>Disable DHCP Client</title>
--      <affected family="unix">
--        <platform>multi_platform_rhel</platform>
--      </affected>
--      <description>DHCP configuration should be static for all
--      interfaces.</description>
--    </metadata>
-+    {{{ oval_metadata("DHCP configuration should be static for all
-+      interfaces.") }}}
-     <criteria comment="Test for BOOTPROTO=(static|none) across all interfaces">
-       <criterion test_ref="test_sysconfig_networking_bootproto_ifcfg" />
-     </criteria>
-diff --git a/linux_os/guide/services/ftp/ftp_configure_vsftpd/ftp_log_transactions/oval/shared.xml b/linux_os/guide/services/ftp/ftp_configure_vsftpd/ftp_log_transactions/oval/shared.xml
-index 2d0e17526c..f4e6dcf41c 100644
---- a/linux_os/guide/services/ftp/ftp_configure_vsftpd/ftp_log_transactions/oval/shared.xml
-+++ b/linux_os/guide/services/ftp/ftp_configure_vsftpd/ftp_log_transactions/oval/shared.xml
-@@ -1,16 +1,9 @@
- <def-group>
-   <definition class="compliance" id="ftp_log_transactions" version="1">
--    <metadata>
--      <title>Banner for FTP Users</title>
--      <affected family="unix">
--        <platform>multi_platform_fedora</platform>
--        <platform>multi_platform_rhel</platform>
--      </affected>
--      <description>To trace malicious activity facilitated by the FTP 
-+    {{{ oval_metadata("To trace malicious activity facilitated by the FTP 
-       service, it must be configured to ensure that all commands sent to 
-       the FTP server are logged using the verbose vsftpd log format.
--      </description>
--    </metadata>
-+      ") }}}
-     <criteria comment="FTP is not being used or the conditions are met" operator="OR">
-       <extend_definition comment="vsftp package is not installed" definition_ref="package_vsftpd_installed" negate="true" />
-       <criteria comment="FTP configuration conditions are not set or are met" operator="AND">
-diff --git a/linux_os/guide/services/ftp/ftp_configure_vsftpd/ftp_present_banner/oval/shared.xml b/linux_os/guide/services/ftp/ftp_configure_vsftpd/ftp_present_banner/oval/shared.xml
-index bf03738752..8fff18e6c8 100644
---- a/linux_os/guide/services/ftp/ftp_configure_vsftpd/ftp_present_banner/oval/shared.xml
-+++ b/linux_os/guide/services/ftp/ftp_configure_vsftpd/ftp_present_banner/oval/shared.xml
-@@ -1,15 +1,7 @@
- <def-group>
-   <definition class="compliance" id="ftp_present_banner" version="1">
--    <metadata>
--      <title>Banner for FTP Users</title>
--      <affected family="unix">
--        <platform>multi_platform_fedora</platform>
--        <platform>multi_platform_rhel</platform>
--        <platform>multi_platform_sle</platform>
--      </affected>
--      <description>This setting will cause the system greeting banner to be 
--      used for FTP connections as well.</description>
--    </metadata>
-+    {{{ oval_metadata("This setting will cause the system greeting banner to be 
-+      used for FTP connections as well.") }}}
-     <criteria operator="OR">
-       <extend_definition comment="vsftpd package is not installed" definition_ref="package_vsftpd_removed" />
-       <criterion comment="Banner for FTP Users" test_ref="test_ftp_present_banner" />
-diff --git a/linux_os/guide/services/http/securing_httpd/httpd_configure_os_protect_web_server/httpd_restrict_file_dir_access/dir_perms_etc_httpd_conf/oval/shared.xml b/linux_os/guide/services/http/securing_httpd/httpd_configure_os_protect_web_server/httpd_restrict_file_dir_access/dir_perms_etc_httpd_conf/oval/shared.xml
-index 81b4f1e8fe..a9c6dd196e 100644
---- a/linux_os/guide/services/http/securing_httpd/httpd_configure_os_protect_web_server/httpd_restrict_file_dir_access/dir_perms_etc_httpd_conf/oval/shared.xml
-+++ b/linux_os/guide/services/http/securing_httpd/httpd_configure_os_protect_web_server/httpd_restrict_file_dir_access/dir_perms_etc_httpd_conf/oval/shared.xml
-@@ -1,12 +1,6 @@
- <def-group>
-   <definition class="compliance" id="dir_perms_etc_httpd_conf" version="2">
--    <metadata>
--      <title>Directory /etc/httpd/conf/ Permissions</title>
--      <affected family="unix">
--        <platform>multi_platform_rhel</platform>
--      </affected>
--      <description>Directory permissions for /etc/httpd/conf/ should be set to 0750 (or stronger).</description>
--    </metadata>
-+    {{{ oval_metadata("Directory permissions for /etc/httpd/conf/ should be set to 0750 (or stronger).") }}}
-     <criteria operator="OR">
-       <extend_definition comment="httpd not present or in use"
-       definition_ref="package_httpd_removed" />
-diff --git a/linux_os/guide/services/http/securing_httpd/httpd_configure_os_protect_web_server/httpd_restrict_file_dir_access/dir_perms_var_log_httpd/oval/shared.xml b/linux_os/guide/services/http/securing_httpd/httpd_configure_os_protect_web_server/httpd_restrict_file_dir_access/dir_perms_var_log_httpd/oval/shared.xml
-index db638c6ba4..898aabfe88 100644
---- a/linux_os/guide/services/http/securing_httpd/httpd_configure_os_protect_web_server/httpd_restrict_file_dir_access/dir_perms_var_log_httpd/oval/shared.xml
-+++ b/linux_os/guide/services/http/securing_httpd/httpd_configure_os_protect_web_server/httpd_restrict_file_dir_access/dir_perms_var_log_httpd/oval/shared.xml
-@@ -1,12 +1,6 @@
- <def-group>
-   <definition class="compliance" id="dir_perms_var_log_httpd" version="2">
--    <metadata>
--      <title>Directory /var/log/httpd/ Permissions</title>
--      <affected family="unix">
--        <platform>multi_platform_rhel</platform>
--      </affected>
--      <description>Directory permissions for /var/log/httpd should be set to 0700 (or stronger).</description>
--    </metadata>
-+    {{{ oval_metadata("Directory permissions for /var/log/httpd should be set to 0700 (or stronger).") }}}
-     <criteria operator="OR">
-       <extend_definition comment="httpd not present or in use"
-       definition_ref="package_httpd_removed" />
-diff --git a/linux_os/guide/services/http/securing_httpd/httpd_configure_os_protect_web_server/httpd_restrict_file_dir_access/file_permissions_httpd_server_conf_d_files/oval/shared.xml b/linux_os/guide/services/http/securing_httpd/httpd_configure_os_protect_web_server/httpd_restrict_file_dir_access/file_permissions_httpd_server_conf_d_files/oval/shared.xml
-index f6fa344b55..96c028daf0 100644
---- a/linux_os/guide/services/http/securing_httpd/httpd_configure_os_protect_web_server/httpd_restrict_file_dir_access/file_permissions_httpd_server_conf_d_files/oval/shared.xml
-+++ b/linux_os/guide/services/http/securing_httpd/httpd_configure_os_protect_web_server/httpd_restrict_file_dir_access/file_permissions_httpd_server_conf_d_files/oval/shared.xml
-@@ -1,13 +1,7 @@
- <def-group>
-   <definition class="compliance"
-   id="file_permissions_httpd_server_conf_d_files" version="2">
--    <metadata>
--      <title>Verify Permissions On Apache Web Server Configuration Files</title>
--      <affected family="unix">
--        <platform>multi_platform_rhel</platform>
--      </affected>
--      <description>The /etc/httpd/conf.d/* files should have the appropriate permissions (0640 or stronger).</description>
--    </metadata>
-+    {{{ oval_metadata("The /etc/httpd/conf.d/* files should have the appropriate permissions (0640 or stronger).") }}}
-     <criteria operator="OR">
-       <extend_definition comment="httpd not present or in use"
-       definition_ref="package_httpd_removed" />
-diff --git a/linux_os/guide/services/http/securing_httpd/httpd_configure_os_protect_web_server/httpd_restrict_file_dir_access/file_permissions_httpd_server_conf_files/oval/shared.xml b/linux_os/guide/services/http/securing_httpd/httpd_configure_os_protect_web_server/httpd_restrict_file_dir_access/file_permissions_httpd_server_conf_files/oval/shared.xml
-index a549c187f1..577ae42def 100644
---- a/linux_os/guide/services/http/securing_httpd/httpd_configure_os_protect_web_server/httpd_restrict_file_dir_access/file_permissions_httpd_server_conf_files/oval/shared.xml
-+++ b/linux_os/guide/services/http/securing_httpd/httpd_configure_os_protect_web_server/httpd_restrict_file_dir_access/file_permissions_httpd_server_conf_files/oval/shared.xml
-@@ -1,13 +1,7 @@
- <def-group>
-   <definition class="compliance"
-   id="file_permissions_httpd_server_conf_files" version="2">
--    <metadata>
--      <title>Verify Permissions On Apache Web Server Configuration Files</title>
--      <affected family="unix">
--        <platform>multi_platform_rhel</platform>
--      </affected>
--      <description>The /etc/httpd/conf/* files should have the appropriate permissions (0640 or stronger).</description>
--    </metadata>
-+    {{{ oval_metadata("The /etc/httpd/conf/* files should have the appropriate permissions (0640 or stronger).") }}}
-     <criteria operator="OR">
-       <extend_definition comment="httpd not present or in use"
-       definition_ref="package_httpd_removed" />
-diff --git a/linux_os/guide/services/http/securing_httpd/httpd_configure_os_protect_web_server/httpd_restrict_file_dir_access/file_permissions_httpd_server_modules_files/oval/shared.xml b/linux_os/guide/services/http/securing_httpd/httpd_configure_os_protect_web_server/httpd_restrict_file_dir_access/file_permissions_httpd_server_modules_files/oval/shared.xml
-index c72889b14b..a2854f3bea 100644
---- a/linux_os/guide/services/http/securing_httpd/httpd_configure_os_protect_web_server/httpd_restrict_file_dir_access/file_permissions_httpd_server_modules_files/oval/shared.xml
-+++ b/linux_os/guide/services/http/securing_httpd/httpd_configure_os_protect_web_server/httpd_restrict_file_dir_access/file_permissions_httpd_server_modules_files/oval/shared.xml
-@@ -1,13 +1,7 @@
- <def-group>
-   <definition class="compliance"
-   id="file_permissions_httpd_server_modules_files" version="2">
--    <metadata>
--      <title>Verify Permissions On Apache Web Server Configuration Files</title>
--      <affected family="unix">
--        <platform>multi_platform_rhel</platform>
--      </affected>
--      <description>The /etc/httpd/conf.modules.d/* files should have the appropriate permissions (0640 or stronger).</description>
--    </metadata>
-+    {{{ oval_metadata("The /etc/httpd/conf.modules.d/* files should have the appropriate permissions (0640 or stronger).") }}}
-     <criteria operator="OR">
-       <extend_definition comment="httpd not present or in use"
-       definition_ref="package_httpd_removed" />
-diff --git a/linux_os/guide/services/imap/configure_dovecot/dovecot_enabling_ssl/dovecot_disable_plaintext_auth/oval/shared.xml b/linux_os/guide/services/imap/configure_dovecot/dovecot_enabling_ssl/dovecot_disable_plaintext_auth/oval/shared.xml
-index 2bae115d3e..030b4de700 100644
---- a/linux_os/guide/services/imap/configure_dovecot/dovecot_enabling_ssl/dovecot_disable_plaintext_auth/oval/shared.xml
-+++ b/linux_os/guide/services/imap/configure_dovecot/dovecot_enabling_ssl/dovecot_disable_plaintext_auth/oval/shared.xml
-@@ -1,13 +1,7 @@
- <def-group oval_version="5.11">
-   <definition class="compliance" id="dovecot_disable_plaintext_auth"
-   version="1">
--    <metadata>
--      <title>Disable Plaintext Authentication in Dovecot</title>
--      <affected family="unix">
--        <platform>multi_platform_rhel</platform>
--      </affected>
--      <description>Plaintext authentication of mail clients should be disabled.</description>
--    </metadata>
-+    {{{ oval_metadata("Plaintext authentication of mail clients should be disabled.") }}}
-     <criteria comment="Disable Plaintext Authentication in Dovecot" operator="OR">
-       <extend_definition comment="dovecot service is disabled" definition_ref="service_dovecot_disabled" />
-       <criterion test_ref="test_dovecot_disable_plaintext_auth" />
-diff --git a/linux_os/guide/services/imap/configure_dovecot/dovecot_enabling_ssl/dovecot_enable_ssl/oval/shared.xml b/linux_os/guide/services/imap/configure_dovecot/dovecot_enabling_ssl/dovecot_enable_ssl/oval/shared.xml
-index 7d8e89758c..b4af606d62 100644
---- a/linux_os/guide/services/imap/configure_dovecot/dovecot_enabling_ssl/dovecot_enable_ssl/oval/shared.xml
-+++ b/linux_os/guide/services/imap/configure_dovecot/dovecot_enabling_ssl/dovecot_enable_ssl/oval/shared.xml
-@@ -1,12 +1,6 @@
- <def-group oval_version="5.11">
-   <definition class="compliance" id="dovecot_enable_ssl" version="1">
--    <metadata>
--      <title>Enable SSL in Dovecot</title>
--      <affected family="unix">
--        <platform>multi_platform_rhel</platform>
--      </affected>
--      <description>SSL capabilities should be enabled for the mail server.</description>
--    </metadata>
-+    {{{ oval_metadata("SSL capabilities should be enabled for the mail server.") }}}
-     <criteria comment="Enable SSL in Dovecot" operator="OR">
-       <extend_definition comment="dovecot service is disabled" definition_ref="service_dovecot_disabled" />
-       <criterion test_ref="test_dovecot_enable_ssl" />
-diff --git a/linux_os/guide/services/kerberos/kerberos_disable_no_keytab/oval/shared.xml b/linux_os/guide/services/kerberos/kerberos_disable_no_keytab/oval/shared.xml
-index f0634c2cf2..eeef72b1f4 100644
---- a/linux_os/guide/services/kerberos/kerberos_disable_no_keytab/oval/shared.xml
-+++ b/linux_os/guide/services/kerberos/kerberos_disable_no_keytab/oval/shared.xml
-@@ -1,15 +1,6 @@
- <def-group>
-   <definition class="compliance" id="kerberos_disable_no_keytab" version="1">
--    <metadata>
--      <title>Restrict Kerberos operation by removing keytab files</title>
--      <affected family="unix">
--        <platform>Oracle Linux 8</platform>
--        <platform>Red Hat Enterprise Linux 8</platform>
--        <platform>Red Hat Virtualization 4</platform>
--        <platform>multi_platform_fedora</platform>
--      </affected>
--      <description>Check that there is no Kerberos keytab file present in /etc</description>
--    </metadata>
-+    {{{ oval_metadata("Check that there is no Kerberos keytab file present in /etc") }}}
-     <criteria>
-       <criterion test_ref="test_kerberos_disable_no_keytab"
-         comment="Restrict Kerberos operation by removing keytab files" />
-diff --git a/linux_os/guide/services/ldap/openldap_client/enable_ldap_client/oval/shared.xml b/linux_os/guide/services/ldap/openldap_client/enable_ldap_client/oval/shared.xml
-index bb78b92d1a..50cae9f066 100644
---- a/linux_os/guide/services/ldap/openldap_client/enable_ldap_client/oval/shared.xml
-+++ b/linux_os/guide/services/ldap/openldap_client/enable_ldap_client/oval/shared.xml
-@@ -1,14 +1,6 @@
- <def-group>
-   <definition class="compliance" id="enable_ldap_client" version="1">
--    <metadata>
--      <title>Enable the LDAP Client For Use in Authconfig</title>
--      <affected family="unix">
--        <platform>Red Hat Enterprise Linux 7</platform>
--        <platform>Red Hat Enterprise Linux 8</platform>
--        <platform>multi_platform_rhv</platform>
--      </affected>
--      <description>Enable LDAP in authconfig.</description>
--    </metadata>
-+    {{{ oval_metadata("Enable LDAP in authconfig.") }}}
-     <criteria>
-       <criterion comment="LDAP client is enabled"
-       test_ref="test_enable_ldap_client" />
-diff --git a/linux_os/guide/services/ldap/openldap_client/ldap_client_start_tls/oval/shared.xml b/linux_os/guide/services/ldap/openldap_client/ldap_client_start_tls/oval/shared.xml
-index ea8f6087bb..169c3e6b48 100644
---- a/linux_os/guide/services/ldap/openldap_client/ldap_client_start_tls/oval/shared.xml
-+++ b/linux_os/guide/services/ldap/openldap_client/ldap_client_start_tls/oval/shared.xml
-@@ -1,13 +1,6 @@
- <def-group>
-   <definition class="compliance" id="ldap_client_start_tls" version="1">
--    <metadata>
--      <title>Configure LDAP to Use TLS for All Transactions</title>
--      <affected family="unix">
--        <platform>Red Hat Virtualization 4</platform>
--        <platform>multi_platform_rhel</platform>
--      </affected>
--      <description>Require the use of TLS for ldap clients.</description>
--    </metadata>
-+    {{{ oval_metadata("Require the use of TLS for ldap clients.") }}}
-     {{%- if product == "rhel6" -%}}
-     <criteria comment="package pam_ldap is not present" operator="OR">
-       <extend_definition comment="pam_ldap not present or not in use"
-diff --git a/linux_os/guide/services/ldap/openldap_client/ldap_client_tls_cacertpath/oval/shared.xml b/linux_os/guide/services/ldap/openldap_client/ldap_client_tls_cacertpath/oval/shared.xml
-index 5569a0e168..1d500c7c7b 100644
---- a/linux_os/guide/services/ldap/openldap_client/ldap_client_tls_cacertpath/oval/shared.xml
-+++ b/linux_os/guide/services/ldap/openldap_client/ldap_client_tls_cacertpath/oval/shared.xml
-@@ -1,12 +1,6 @@
- <def-group>
-   <definition class="compliance" id="ldap_client_tls_cacertpath" version="1">
--    <metadata>
--      <title>Configure LDAP CA Certificate Path</title>
--      <affected family="unix">
--        <platform>multi_platform_rhel</platform>
--      </affected>
--      <description>Require the use of TLS for ldap clients.</description>
--    </metadata>
-+    {{{ oval_metadata("Require the use of TLS for ldap clients.") }}}
-     {{%- if product == "rhel6" -%}}
-     <criteria comment="package pam_ldap is not present" operator="OR">
-       <extend_definition comment="pam_ldap not present or in use"
-diff --git a/linux_os/guide/services/mail/postfix_client/postfix_client_configure_mail_alias/oval/shared.xml b/linux_os/guide/services/mail/postfix_client/postfix_client_configure_mail_alias/oval/shared.xml
-index ad9e37069f..77e0e1717c 100644
---- a/linux_os/guide/services/mail/postfix_client/postfix_client_configure_mail_alias/oval/shared.xml
-+++ b/linux_os/guide/services/mail/postfix_client/postfix_client_configure_mail_alias/oval/shared.xml
-@@ -1,13 +1,6 @@
- <def-group>
-   <definition class="compliance" id="postfix_client_configure_mail_alias" version="1">
--    <metadata>
--      <title>Ensure root has a mail alias</title>
--      <affected family="unix">
--          <platform>Red Hat Virtualization 4</platform>
--          <platform>multi_platform_sle</platform>
--      </affected>
--      <description>Check if root has the correct mail alias.</description>
--    </metadata>
-+    {{{ oval_metadata("Check if root has the correct mail alias.") }}}
-     <criteria comment="Check if root has the correct mail alias.">
-       <criterion comment="Check if root has the correct mail alias." test_ref="test_postfix_client_configure_mail_alias"/>
-     </criteria>
-diff --git a/linux_os/guide/services/mail/postfix_client/postfix_network_listening_disabled/oval/shared.xml b/linux_os/guide/services/mail/postfix_client/postfix_network_listening_disabled/oval/shared.xml
-index d61285a21b..d9d5a58e29 100644
---- a/linux_os/guide/services/mail/postfix_client/postfix_network_listening_disabled/oval/shared.xml
-+++ b/linux_os/guide/services/mail/postfix_client/postfix_network_listening_disabled/oval/shared.xml
-@@ -1,13 +1,6 @@
- <def-group oval_version="5.11">
-   <definition class="compliance" id="postfix_network_listening_disabled" version="2">
--    <metadata>
--      <title>Postfix network listening should be disabled</title>
--      <affected family="unix">
--        <platform>multi_platform_rhel</platform>
--        <platform>multi_platform_fedora</platform>
--      </affected>
--      <description>Postfix network listening should be disabled</description>
--    </metadata>
-+    {{{ oval_metadata("Postfix network listening should be disabled") }}}
-     <criteria operator="OR">
-       <!-- postfix package not installed or postfix service not configured to start -->
-       <extend_definition comment="Postfix installed and configured to start" negate="true" definition_ref="service_postfix_enabled" />
-diff --git a/linux_os/guide/services/mail/postfix_harden_os/postfix_server_cfg/postfix_server_banner/oval/shared.xml b/linux_os/guide/services/mail/postfix_harden_os/postfix_server_cfg/postfix_server_banner/oval/shared.xml
-index a2ffff2e7f..57fd0b4918 100644
---- a/linux_os/guide/services/mail/postfix_harden_os/postfix_server_cfg/postfix_server_banner/oval/shared.xml
-+++ b/linux_os/guide/services/mail/postfix_harden_os/postfix_server_cfg/postfix_server_banner/oval/shared.xml
-@@ -1,12 +1,6 @@
- <def-group>
-   <definition class="compliance" id="postfix_server_banner" version="1">
--    <metadata>
--      <title>Configure Postfix Against Unnecessary Release of Information</title>
--      <affected family="unix">
--        <platform>multi_platform_rhel</platform>
--      </affected>
--      <description>Protect against unnecessary release of information.</description>
--    </metadata>
-+    {{{ oval_metadata("Protect against unnecessary release of information.") }}}
-     <criteria operator="AND">
-       <criterion comment="Limit release of information" test_ref="test_postfix_server_banner" />
-     </criteria>
-diff --git a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_servers/no_insecure_locks_exports/oval/shared.xml b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_servers/no_insecure_locks_exports/oval/shared.xml
-index d50d5d2529..f5d5946983 100644
---- a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_servers/no_insecure_locks_exports/oval/shared.xml
-+++ b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_servers/no_insecure_locks_exports/oval/shared.xml
-@@ -1,13 +1,7 @@
- <def-group>
-   <definition class="compliance" id="no_insecure_locks_exports" version="1">
--    <metadata>
--      <title>Ensure insecure_locks is disabled</title>
--      <affected family="unix">
--        <platform>multi_platform_all</platform>
--      </affected>
--      <description>Allowing insecure file locking could allow for sensitive 
--      data to be viewed or edited by an unauthorized user.</description>
--    </metadata>
-+    {{{ oval_metadata("Allowing insecure file locking could allow for sensitive 
-+      data to be viewed or edited by an unauthorized user.") }}}
-     <criteria>
-       <criterion comment="Check for insecure NFS locks in /etc/exports"
-       test_ref="test_no_insecure_locks_exports" />
-diff --git a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_servers/use_kerberos_security_all_exports/oval/shared.xml b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_servers/use_kerberos_security_all_exports/oval/shared.xml
-index 5a83a5d778..21e1ea9db7 100644
---- a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_servers/use_kerberos_security_all_exports/oval/shared.xml
-+++ b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_servers/use_kerberos_security_all_exports/oval/shared.xml
-@@ -1,16 +1,7 @@
- <def-group>
-   <definition class="compliance" id="use_kerberos_security_all_exports" version="3">
--    <metadata>
--      <title>Use Kerberos Security on All Exports</title>
--      <affected family="unix">
--        <platform>Red Hat Enterprise Linux 7</platform>
--        <platform>Red Hat Enterprise Linux 8</platform>
--        <platform>Red Hat Virtualization 4</platform>
--        <platform>multi_platform_ol</platform>
--      </affected>
--      <description>Using Kerberos Security allows to cryptography authenticate a
--      valid user to an NFS share.</description>
--    </metadata>
-+    {{{ oval_metadata("Using Kerberos Security allows to cryptography authenticate a
-+      valid user to an NFS share.") }}}
-     <criteria operator="OR">
-       <criterion comment="Check for Kerberos settings in /etc/exports"
-       test_ref="test_use_kerberos_security_all_exports" />
-diff --git a/linux_os/guide/services/ntp/chronyd_client_only/oval/shared.xml b/linux_os/guide/services/ntp/chronyd_client_only/oval/shared.xml
-index 809472f2a9..edac2e92d8 100644
---- a/linux_os/guide/services/ntp/chronyd_client_only/oval/shared.xml
-+++ b/linux_os/guide/services/ntp/chronyd_client_only/oval/shared.xml
-@@ -1,11 +1,7 @@
- <def-group oval_version="5.11">
-   <definition class="compliance" id="chronyd_client_only" version="1">
--    <metadata>
--      <title>Disable chrony daemon from acting as server</title>
--      {{{- oval_affected(products) }}}
--      <description>Configure the port setting in /etc/chrony.conf to disable
--      server operation.</description>
--    </metadata>
-+    {{{ oval_metadata("Configure the port setting in /etc/chrony.conf to disable
-+      server operation.") }}}
-     <criteria operator="AND">
-       <extend_definition definition_ref="service_chronyd_enabled" comment="service chronyd enabled" />
-       <criterion test_ref="test_chronyd_client_only" comment="check if port is 0 in /etc/chrony.conf" />
-diff --git a/linux_os/guide/services/ntp/chronyd_no_chronyc_network/oval/shared.xml b/linux_os/guide/services/ntp/chronyd_no_chronyc_network/oval/shared.xml
-index dcf8d0e952..f5101c4734 100644
---- a/linux_os/guide/services/ntp/chronyd_no_chronyc_network/oval/shared.xml
-+++ b/linux_os/guide/services/ntp/chronyd_no_chronyc_network/oval/shared.xml
-@@ -1,11 +1,7 @@
- <def-group oval_version="5.11">
-   <definition class="compliance" id="chronyd_no_chronyc_network" version="1">
--    <metadata>
--      <title>Disable network management of chrony daemon</title>
--      {{{- oval_affected(products) }}}
--      <description>Configure the cmdport setting in /etc/chrony.conf to disable
--      chronyc management connections over network.</description>
--    </metadata>
-+    {{{ oval_metadata("Configure the cmdport setting in /etc/chrony.conf to disable
-+      chronyc management connections over network.") }}}
-     <criteria operator="AND">
-       <extend_definition definition_ref="service_chronyd_enabled" comment="service chronyd enabled" />
-       <criterion test_ref="test_chronyd_no_chronyc_network" comment="check if cmdport is 0 in /etc/chrony.conf" />
-diff --git a/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/oval/shared.xml b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/oval/shared.xml
-index 303624a538..aa292392ac 100644
---- a/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/oval/shared.xml
-+++ b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/oval/shared.xml
-@@ -1,11 +1,7 @@
- <def-group oval_version="5.11">
-   <definition class="compliance" id="chronyd_or_ntpd_set_maxpoll" version="1">
--    <metadata>
--      <title>Configure Time Service Maxpoll Interval</title>
--      {{{- oval_affected(products) }}}
--      <description>Configure the maxpoll setting in /etc/ntp.conf or chrony.conf
--      to continuously poll the time source servers.</description>
--    </metadata>
-+    {{{ oval_metadata("Configure the maxpoll setting in /etc/ntp.conf or chrony.conf
-+      to continuously poll the time source servers.") }}}
-     <criteria operator="OR">
-       <criteria operator="AND">
-         <extend_definition comment="service ntpd enabled" definition_ref="service_ntpd_enabled" />
-diff --git a/linux_os/guide/services/ntp/chronyd_or_ntpd_specify_multiple_servers/oval/shared.xml b/linux_os/guide/services/ntp/chronyd_or_ntpd_specify_multiple_servers/oval/shared.xml
-index 0c9d589c5e..13de3f2bd5 100644
---- a/linux_os/guide/services/ntp/chronyd_or_ntpd_specify_multiple_servers/oval/shared.xml
-+++ b/linux_os/guide/services/ntp/chronyd_or_ntpd_specify_multiple_servers/oval/shared.xml
-@@ -1,10 +1,6 @@
- <def-group oval_version="5.11">
-   <definition class="compliance" id="chronyd_or_ntpd_specify_multiple_servers" version="1">
--    <metadata>
--      <title>Specify Multiple Remote chronyd Or ntpd NTP Servers for Time Data</title>
--      {{{- oval_affected(products) }}}
--      <description>Multiple remote chronyd or ntpd NTP Servers for time synchronization should be specified (and dependencies are met)</description>
--    </metadata>
-+    {{{ oval_metadata("Multiple remote chronyd or ntpd NTP Servers for time synchronization should be specified (and dependencies are met)") }}}
- 
-     <criteria operator="OR">
-       <criteria comment="chronyd enabled and multiple remote servers specified" operator="AND">
-diff --git a/linux_os/guide/services/ntp/chronyd_or_ntpd_specify_remote_server/oval/shared.xml b/linux_os/guide/services/ntp/chronyd_or_ntpd_specify_remote_server/oval/shared.xml
-index 8eb5bb8c11..d8aebe036c 100644
---- a/linux_os/guide/services/ntp/chronyd_or_ntpd_specify_remote_server/oval/shared.xml
-+++ b/linux_os/guide/services/ntp/chronyd_or_ntpd_specify_remote_server/oval/shared.xml
-@@ -1,10 +1,6 @@
- <def-group oval_version="5.11">
-   <definition class="compliance" id="chronyd_or_ntpd_specify_remote_server" version="1">
--    <metadata>
--      <title>Specify Remote NTP chronyd Or ntpd Server for Time Data</title>
--      {{{- oval_affected(products) }}}
--      <description>A remote chronyd or ntpd NTP Server for time synchronization should be specified (and dependencies are met)</description>
--    </metadata>
-+    {{{ oval_metadata("A remote chronyd or ntpd NTP Server for time synchronization should be specified (and dependencies are met)") }}}
- 
-     <criteria operator="OR">
-       <criteria comment="chronyd enabled and remote server specified" operator="AND">
-diff --git a/linux_os/guide/services/ntp/chronyd_specify_remote_server/oval/shared.xml b/linux_os/guide/services/ntp/chronyd_specify_remote_server/oval/shared.xml
-index 31cde36bc9..b243755bd5 100644
---- a/linux_os/guide/services/ntp/chronyd_specify_remote_server/oval/shared.xml
-+++ b/linux_os/guide/services/ntp/chronyd_specify_remote_server/oval/shared.xml
-@@ -1,11 +1,7 @@
- <def-group>
-   <definition class="compliance" id="chronyd_specify_remote_server" version="1">
--    <metadata>
--      <title>Specify a Remote NTP Server for Time Data</title>
--      {{{- oval_affected(products) }}}
--      <description>A remote NTP Server for time synchronization should be
--      specified (and dependencies are met)</description>
--    </metadata>
-+    {{{ oval_metadata("A remote NTP Server for time synchronization should be
-+      specified (and dependencies are met)") }}}
-     <criteria comment="chrony.conf conditions are met">
-       <criterion test_ref="test_chronyd_remote_server" />
-     </criteria>
-diff --git a/linux_os/guide/services/ntp/ntpd_configure_restrictions/oval/shared.xml b/linux_os/guide/services/ntp/ntpd_configure_restrictions/oval/shared.xml
-index 1c8bf51a25..d381f36bf2 100644
---- a/linux_os/guide/services/ntp/ntpd_configure_restrictions/oval/shared.xml
-+++ b/linux_os/guide/services/ntp/ntpd_configure_restrictions/oval/shared.xml
-@@ -1,10 +1,6 @@
- <def-group>
-   <definition class="compliance" id="ntpd_configure_restrictions" version="2">
--    <metadata>
--      <title>Specify server restrictions for ntpd</title>
--      {{{- oval_affected(products) }}}
--      <description>Certain restrictions are imposed on ntp servers configured to be used by ntpd</description>
--    </metadata>
-+    {{{ oval_metadata("Certain restrictions are imposed on ntp servers configured to be used by ntpd") }}}
-     <criteria operator="AND">
-       <criterion comment="test ipv6 configuration" test_ref="test_ntpd_configure_restrictions_ipv6" />
-       <criterion comment="test ipv4 configuration" test_ref="test_ntpd_configure_restrictions_ipv4" />
-diff --git a/linux_os/guide/services/ntp/ntpd_run_as_ntp_user/oval/shared.xml b/linux_os/guide/services/ntp/ntpd_run_as_ntp_user/oval/shared.xml
-index 9a232f5b93..b9506264fd 100644
---- a/linux_os/guide/services/ntp/ntpd_run_as_ntp_user/oval/shared.xml
-+++ b/linux_os/guide/services/ntp/ntpd_run_as_ntp_user/oval/shared.xml
-@@ -1,10 +1,6 @@
- <def-group>
-   <definition class="compliance" id="ntpd_run_as_ntp_user" version="1">
--    <metadata>
--      <title>Configure ntpd To Run As ntp User</title>
--      {{{- oval_affected(products) }}}
--      <description>Ensure ntpd is configured to run correctly under the ntp user.</description>
--    </metadata>
-+    {{{ oval_metadata("Ensure ntpd is configured to run correctly under the ntp user.") }}}
-     <criteria operator="OR">
-       <criterion comment="check /etc/sysconfig/ntpd is configured correctly" test_ref="test_ntpd_run_as_ntp_user_etc_sysconfig_ntpd" />
-       <criterion comment="check /usr/lib/systemd/system/ntpd.service is configured correctly" test_ref="test_ntpd_run_as_ntp_user_systemd" />
-diff --git a/linux_os/guide/services/ntp/ntpd_specify_multiple_servers/oval/shared.xml b/linux_os/guide/services/ntp/ntpd_specify_multiple_servers/oval/shared.xml
-index 57bc1b51c7..44b33d0e63 100644
---- a/linux_os/guide/services/ntp/ntpd_specify_multiple_servers/oval/shared.xml
-+++ b/linux_os/guide/services/ntp/ntpd_specify_multiple_servers/oval/shared.xml
-@@ -1,10 +1,6 @@
- <def-group>
-   <definition class="compliance" id="ntpd_specify_multiple_servers" version="2">
--    <metadata>
--      <title>Specify Multiple Remote ntpd NTP Server for Time Data</title>
--      {{{- oval_affected(products) }}}
--      <description>Multiple ntpd NTP Servers for time synchronization should be specified.</description>
--    </metadata>
-+    {{{ oval_metadata("Multiple ntpd NTP Servers for time synchronization should be specified.") }}}
-     <criteria comment="ntp.conf conditions are met">
-       <criterion test_ref="test_ntpd_multiple_servers" />
-     </criteria>
-diff --git a/linux_os/guide/services/ntp/ntpd_specify_remote_server/oval/shared.xml b/linux_os/guide/services/ntp/ntpd_specify_remote_server/oval/shared.xml
-index 1b2826a530..74c63f17f9 100644
---- a/linux_os/guide/services/ntp/ntpd_specify_remote_server/oval/shared.xml
-+++ b/linux_os/guide/services/ntp/ntpd_specify_remote_server/oval/shared.xml
-@@ -1,11 +1,7 @@
- <def-group>
-   <definition class="compliance" id="ntpd_specify_remote_server" version="2">
--    <metadata>
--      <title>Specify a Remote ntpd NTP Server for Time Data</title>
--      {{{- oval_affected(products) }}}
--      <description>A remote ntpd NTP Server for time synchronization should be
--      specified (and dependencies are met)</description>
--    </metadata>
-+    {{{ oval_metadata("A remote ntpd NTP Server for time synchronization should be
-+      specified (and dependencies are met)") }}}
-     <criteria comment="ntp.conf conditions are met">
-       <criterion test_ref="test_ntp_remote_server" />
-     </criteria>
-diff --git a/linux_os/guide/services/ntp/service_chronyd_or_ntpd_enabled/oval/shared.xml b/linux_os/guide/services/ntp/service_chronyd_or_ntpd_enabled/oval/shared.xml
-index 6ee887c924..b7929a547c 100644
---- a/linux_os/guide/services/ntp/service_chronyd_or_ntpd_enabled/oval/shared.xml
-+++ b/linux_os/guide/services/ntp/service_chronyd_or_ntpd_enabled/oval/shared.xml
-@@ -1,10 +1,6 @@
- <def-group oval_version="5.11">
-   <definition class="compliance" id="service_chronyd_or_ntpd_enabled" version="1">
--    <metadata>
--      <title>Service chronyd Or Service ntpd Enabled</title>
--      {{{- oval_affected(products) }}}
--      <description>At least one of the chronyd or ntpd services should be enabled if possible.</description>
--    </metadata>
-+    {{{ oval_metadata("At least one of the chronyd or ntpd services should be enabled if possible.") }}}
- 
-     <criteria comment="chronyd or ntpd service enabled" operator="OR">
-       <extend_definition comment="service chronyd enabled" definition_ref="service_chronyd_enabled" />
-diff --git a/linux_os/guide/services/obsolete/r_services/no_host_based_files/oval/shared.xml b/linux_os/guide/services/obsolete/r_services/no_host_based_files/oval/shared.xml
-index 8628848e01..0a4ba2387f 100644
---- a/linux_os/guide/services/obsolete/r_services/no_host_based_files/oval/shared.xml
-+++ b/linux_os/guide/services/obsolete/r_services/no_host_based_files/oval/shared.xml
-@@ -1,16 +1,6 @@
- <def-group oval_version="5.10">
-   <definition class="compliance" id="no_host_based_files" version="1">
--    <metadata>
--      <title>No shosts.equiv file deployed on the system</title>
--      <affected family="unix">
--        <platform>Red Hat Virtualization 4</platform>
--        <platform>multi_platform_rhel</platform>
--        <platform>multi_platform_sle</platform>
--        <platform>multi_platform_wrlinux</platform>
--        <platform>multi_platform_ol</platform>
--      </affected>
--      <description>There should not be any shosts.equiv files on the system.</description>
--    </metadata>
-+    {{{ oval_metadata("There should not be any shosts.equiv files on the system.") }}}
-     <criteria>
-       <criterion test_ref="test_no_shosts_equiv"/>
-     </criteria>
-diff --git a/linux_os/guide/services/obsolete/r_services/no_rsh_trust_files/oval/shared.xml b/linux_os/guide/services/obsolete/r_services/no_rsh_trust_files/oval/shared.xml
-index 4c6fdf78ba..eb809631ec 100644
---- a/linux_os/guide/services/obsolete/r_services/no_rsh_trust_files/oval/shared.xml
-+++ b/linux_os/guide/services/obsolete/r_services/no_rsh_trust_files/oval/shared.xml
-@@ -1,14 +1,6 @@
- <def-group>
-   <definition class="compliance" id="no_rsh_trust_files" version="1">
--    <metadata>
--      <title>No Legacy .rhosts Or hosts.equiv Files</title>
--      <affected family="unix">
--        <platform>Red Hat Virtualization 4</platform>
--        <platform>multi_platform_ol</platform>
--        <platform>multi_platform_rhel</platform>
--      </affected>
--      <description>There should not be any .rhosts or hosts.equiv files on the system.</description>
--    </metadata>
-+    {{{ oval_metadata("There should not be any .rhosts or hosts.equiv files on the system.") }}}
-     <criteria operator="AND">
-       <criterion test_ref="test_no_rsh_trust_files_root" negate="true" />
-       <criterion test_ref="test_no_rsh_trust_files_home" negate="true" />
-diff --git a/linux_os/guide/services/obsolete/r_services/no_user_host_based_files/oval/shared.xml b/linux_os/guide/services/obsolete/r_services/no_user_host_based_files/oval/shared.xml
-index 652f898d7f..4c2bf7ea40 100644
---- a/linux_os/guide/services/obsolete/r_services/no_user_host_based_files/oval/shared.xml
-+++ b/linux_os/guide/services/obsolete/r_services/no_user_host_based_files/oval/shared.xml
-@@ -1,16 +1,6 @@
- <def-group oval_version="5.10">
-   <definition class="compliance" id="no_user_host_based_files" version="1">
--    <metadata>
--      <title>No .shosts file deployed on the system</title>
--      <affected family="unix">
--        <platform>Red Hat Virtualization 4</platform>
--        <platform>multi_platform_rhel</platform>
--        <platform>multi_platform_sle</platform>
--        <platform>multi_platform_wrlinux</platform>
--        <platform>multi_platform_ol</platform>
--      </affected>
--      <description>There should not be any .shosts files on the system.</description>
--    </metadata>
-+    {{{ oval_metadata("There should not be any .shosts files on the system.") }}}
-     <criteria>
-       <criterion test_ref="test_no_shosts" />
-     </criteria>
-diff --git a/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/oval/shared.xml b/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/oval/shared.xml
-index 2268a49467..af7e511cd9 100644
---- a/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/oval/shared.xml
-+++ b/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/oval/shared.xml
-@@ -1,15 +1,6 @@
- <def-group>
-   <definition class="compliance" id="tftpd_uses_secure_mode" version="1">
--    <metadata>
--      <title>TFTP Daemon Uses Secure Mode</title>
--      <affected family="unix">
--        <platform>Red Hat Virtualization 4</platform>
--        <platform>multi_platform_rhel</platform>
--        <platform>multi_platform_wrlinux</platform>
--        <platform>multi_platform_ol</platform>
--      </affected>
--      <description>The TFTP daemon should use secure mode.</description>
--    </metadata>
-+    {{{ oval_metadata("The TFTP daemon should use secure mode.") }}}
-     <criteria comment="package tftp-server removed or /etc/xinetd.d/tftp configured correctly" operator="OR">
-       <extend_definition comment="rpm package tftp-server removed" definition_ref="package_tftp-server_removed" />
-       <criterion comment="tftpd secure mode" test_ref="test_tftpd_uses_secure_mode" />
-diff --git a/linux_os/guide/services/printing/configure_printing/cups_disable_browsing/oval/shared.xml b/linux_os/guide/services/printing/configure_printing/cups_disable_browsing/oval/shared.xml
-index 0756b3ae09..de2057aa62 100644
---- a/linux_os/guide/services/printing/configure_printing/cups_disable_browsing/oval/shared.xml
-+++ b/linux_os/guide/services/printing/configure_printing/cups_disable_browsing/oval/shared.xml
-@@ -1,17 +1,11 @@
- <def-group>
-   <definition class="compliance" id="cups_disable_browsing" version="1">
--    <metadata>
--      <title>Disable Printer Browsing Entirely if Possible</title>
--      <affected family="unix">
--        <platform>multi_platform_rhel</platform>
--      </affected>
--      <description>The CUPS print service can be configured to broadcast a list
-+    {{{ oval_metadata("The CUPS print service can be configured to broadcast a list
-       of available printers to the network. Other machines on the network, also
-       running the CUPS print service, can be configured to listen to these
-       broadcasts and add and configure these printers for immediate use. By
-       disabling this browsing capability, the machine will no longer generate
--      or receive such broadcasts.</description>
--    </metadata>
-+      or receive such broadcasts.") }}}
-     <criteria operator="AND">
-       <criterion comment="Ensure remote printer browsing is off"
-       test_ref="test_cups_disable_browsing_browsing_off" />
-diff --git a/linux_os/guide/services/printing/configure_printing/cups_disable_printserver/oval/shared.xml b/linux_os/guide/services/printing/configure_printing/cups_disable_printserver/oval/shared.xml
-index cd4573070b..f2ecdda6ba 100644
---- a/linux_os/guide/services/printing/configure_printing/cups_disable_printserver/oval/shared.xml
-+++ b/linux_os/guide/services/printing/configure_printing/cups_disable_printserver/oval/shared.xml
-@@ -1,18 +1,12 @@
- <def-group>
-   <definition class="compliance" id="cups_disable_printserver" version="1">
--    <metadata>
--      <title>Disable Printer Server if Possible</title>
--      <affected family="unix">
--        <platform>multi_platform_rhel</platform>
--      </affected>
--      <description>By default, locally configured printers will not be shared
-+    {{{ oval_metadata("By default, locally configured printers will not be shared
-       over the network, but if this functionality has somehow been enabled,
-       these recommendations will disable it again. Be sure to disable outgoing
-       printer list broadcasts, or remote users will still be able to see the
-       locally configured printers, even if they cannot actually print to them.
-       To limit print serving to a particular set of users, use the Policy
--      directive.</description>
--    </metadata>
-+      directive.") }}}
-     <criteria operator="AND">
-       <criterion comment="Don't use port directive" test_ref="test_cups_disable_printserver_disable_port" />
-       <criterion comment="Do use the listen directive" test_ref="test_cups_disable_printserver_use_listen" />
-diff --git a/linux_os/guide/services/smb/configuring_samba/mount_option_smb_client_signing/oval/shared.xml b/linux_os/guide/services/smb/configuring_samba/mount_option_smb_client_signing/oval/shared.xml
-index dd4450b67f..390997b2b6 100644
---- a/linux_os/guide/services/smb/configuring_samba/mount_option_smb_client_signing/oval/shared.xml
-+++ b/linux_os/guide/services/smb/configuring_samba/mount_option_smb_client_signing/oval/shared.xml
-@@ -1,18 +1,11 @@
- <def-group>
-   <definition class="compliance"
-   id="mount_option_smb_client_signing" version="1">
--    <metadata>
--      <title>Require Client SMB Packet Signing, if using
--      mount.cifs</title>
--      <affected family="unix">
--        <platform>multi_platform_all</platform>
--      </affected>
--      <description>Require packet signing of clients who mount
-+    {{{ oval_metadata("Require packet signing of clients who mount
-       Samba shares using the mount.cifs program (e.g., those who
-       specify shares in /etc/fstab). To do so, ensure that signing
-       options (either sec=krb5i or sec=ntlmv2i) are
--      used.</description>
--    </metadata>
-+      used.") }}}
-     <criteria operator="OR">
-       <criteria operator="AND">
-         <extend_definition comment="samba-common installed" definition_ref="package_samba-common_installed" />
-diff --git a/linux_os/guide/services/smb/configuring_samba/require_smb_client_signing/oval/shared.xml b/linux_os/guide/services/smb/configuring_samba/require_smb_client_signing/oval/shared.xml
-index dd5864187d..f3c1446c69 100644
---- a/linux_os/guide/services/smb/configuring_samba/require_smb_client_signing/oval/shared.xml
-+++ b/linux_os/guide/services/smb/configuring_samba/require_smb_client_signing/oval/shared.xml
-@@ -1,14 +1,8 @@
- <def-group>
-   <definition class="compliance" id="require_smb_client_signing" version="1">
--    <metadata>
--      <title>Require Client SMB Packet Signing in smb.conf</title>
--      <affected family="unix">
--        <platform>multi_platform_rhel</platform>
--      </affected>
--      <description>Require samba clients which use smb.conf, such as smbclient,
-+    {{{ oval_metadata("Require samba clients which use smb.conf, such as smbclient,
-       to use packet signing. A Samba client should only communicate with
--      servers who can support SMB packet signing.</description>
--    </metadata>
-+      servers who can support SMB packet signing.") }}}
-     <criteria operator="OR">
-       <extend_definition comment="package samba-common is not installed"
-       definition_ref="package_samba-common_removed" />
-diff --git a/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/oval/shared.xml b/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/oval/shared.xml
-index b617c7339d..370640e313 100644
---- a/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/oval/shared.xml
-+++ b/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/oval/shared.xml
-@@ -1,12 +1,6 @@
- <def-group>
-   <definition class="compliance" id="snmpd_not_default_password" version="2">
--    <metadata>
--      <title>SNMP default communities disabled</title>
--      <affected family="unix">
--        <platform>multi_platform_all</platform>
--      </affected>
--      <description>SNMP default communities must be removed.</description>
--    </metadata>
-+    {{{ oval_metadata("SNMP default communities must be removed.") }}}
-     <criteria operator="OR">
-       <extend_definition comment="SMNP installed" definition_ref="package_net-snmp_removed" />
-       <criterion comment="SNMP communities" test_ref="test_snmp_default_communities" />
-diff --git a/linux_os/guide/services/snmp/snmp_configure_server/snmpd_use_newer_protocol/oval/shared.xml b/linux_os/guide/services/snmp/snmp_configure_server/snmpd_use_newer_protocol/oval/shared.xml
-index 7fa6b27548..e3b6f83528 100644
---- a/linux_os/guide/services/snmp/snmp_configure_server/snmpd_use_newer_protocol/oval/shared.xml
-+++ b/linux_os/guide/services/snmp/snmp_configure_server/snmpd_use_newer_protocol/oval/shared.xml
-@@ -1,12 +1,6 @@
- <def-group>
-   <definition class="compliance" id="snmpd_use_newer_protocol" version="2">
--    <metadata>
--      <title>SNMP use newer protocols</title>
--      <affected family="unix">
--        <platform>multi_platform_all</platform>
--      </affected>
--      <description>SNMP version 1 and 2c must not be enabled.</description>
--    </metadata>
-+    {{{ oval_metadata("SNMP version 1 and 2c must not be enabled.") }}}
-     <criteria operator="OR">
-       <extend_definition comment="SMNP installed" definition_ref="package_net-snmp_removed"/>
-       <criterion comment="SNMP protocols" test_ref="test_snmp_versions" />
-diff --git a/linux_os/guide/services/ssh/firewalld_sshd_disabled/oval/shared.xml b/linux_os/guide/services/ssh/firewalld_sshd_disabled/oval/shared.xml
-index 7c415c9997..a66bb7ffee 100644
---- a/linux_os/guide/services/ssh/firewalld_sshd_disabled/oval/shared.xml
-+++ b/linux_os/guide/services/ssh/firewalld_sshd_disabled/oval/shared.xml
-@@ -1,14 +1,7 @@
- <def-group>
-   <definition class="compliance" id="firewalld_sshd_disabled" version="1">
--    <metadata>
--      <title>Disallow inbound firewall access to the SSH Server port</title>
--      <affected family="unix">
--        <platform>Red Hat Enterprise Linux 7</platform>
--        <platform>Red Hat Enterprise Linux 8</platform>
--      </affected>
--      <description>If inbound SSH access is not needed, the firewall should disallow or reject access to
--      the SSH port (22).</description>
--    </metadata>
-+    {{{ oval_metadata("If inbound SSH access is not needed, the firewall should disallow or reject access to
-+      the SSH port (22).") }}}
-     <criteria operator="AND">
-       <criterion comment="ssh service is not enabled in services" test_ref="test_firewalld_service_sshd" />
-       <criterion comment="ssh port is not enabled in services" test_ref="test_firewalld_service_sshd_port" />
-diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/oval/shared.xml
-index 25f1d1e449..f5d46088cf 100644
---- a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/oval/shared.xml
-+++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/oval/shared.xml
-@@ -1,17 +1,7 @@
- <def-group>
-   <definition class="compliance" id="firewalld_sshd_port_enabled" version="1">
--    <metadata>
--      <title>Allow inbound firewall access to the SSH Server port</title>
--      <affected family="unix">
--        <platform>Red Hat Enterprise Linux 7</platform>
--        <platform>Red Hat Enterprise Linux 8</platform>
--        <platform>Red Hat Virtualization 4</platform>
--        <platform>multi_platform_ol</platform>
--        <platform>multi_platform_wrlinux</platform>
--      </affected>
--      <description>If inbound SSH access is needed, the firewall should allow access to
--      the SSH port (22).</description>
--    </metadata>
-+    {{{ oval_metadata("If inbound SSH access is needed, the firewall should allow access to
-+      the SSH port (22).") }}}
-     <criteria operator="OR">
-       <criterion comment="ssh service is enabled in services" test_ref="test_firewalld_service_sshd_enabled" />
-       <criterion comment="ssh port is enabled in services" test_ref="test_firewalld_service_sshd_port_enabled" />
-diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/oval/shared.xml
-index e1a4ee4448..c118581718 100644
---- a/linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/oval/shared.xml
-+++ b/linux_os/guide/services/ssh/ssh_server/sshd_allow_only_protocol2/oval/shared.xml
-@@ -1,10 +1,6 @@
- <def-group>
-   <definition class="compliance" id="sshd_allow_only_protocol2" version="1">
--    <metadata>
--      <title>Ensure Only Protocol 2 Connections Allowed</title>
--      {{{- oval_affected(products) }}}
--      <description>The OpenSSH daemon should be running protocol 2.</description>
--    </metadata>
-+    {{{ oval_metadata("The OpenSSH daemon should be running protocol 2.") }}}
-     <criteria comment="SSH is configured correctly or is not installed"
-     operator="OR">
-       <criteria comment="sshd is not installed" operator="AND">
-diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/oval/shared.xml
-index f0875a91aa..e4bb15b5e4 100644
---- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/oval/shared.xml
-+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/oval/shared.xml
-@@ -1,10 +1,6 @@
- <def-group>
-   <definition class="compliance" id="sshd_disable_compression" version="1">
--    <metadata>
--      <title>Disable Compression Or Set Compression to delayed</title>
--      {{{- oval_affected(products) }}}
--      <description>SSH should either have compression disabled or set to delayed.</description>
--    </metadata>
-+    {{{ oval_metadata("SSH should either have compression disabled or set to delayed.") }}}
-     <criteria comment="SSH is configured correctly or is not installed"
-     operator="OR">
-       <criteria comment="sshd is not installed" operator="AND">
-diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_rhosts_rsa/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_rhosts_rsa/oval/shared.xml
-index fa028e6bdd..3dc50bdb3e 100644
---- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_rhosts_rsa/oval/shared.xml
-+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_rhosts_rsa/oval/shared.xml
-@@ -1,11 +1,7 @@
- <def-group>
-   <definition class="compliance" id="sshd_disable_rhosts_rsa" version="1">
--    <metadata>
--      <title>Disable SSH Support for Rhosts RSA Authentication</title>
--      {{{- oval_affected(products) }}}
--      <description>SSH can allow authentication through the obsolete rsh command
--      through the use of the authenticating user's SSH keys. This should be disabled.</description>
--    </metadata>
-+    {{{ oval_metadata("SSH can allow authentication through the obsolete rsh command
-+      through the use of the authenticating user's SSH keys. This should be disabled.") }}}
-     <criteria comment="SSH is configured correctly or is not installed"
-     operator="OR">
-       <criteria comment="sshd is not installed" operator="AND">
-diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/oval/shared.xml
-index 47796e5332..f49d9ab527 100644
---- a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/oval/shared.xml
-+++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/oval/shared.xml
-@@ -3,11 +3,7 @@
- 
- <def-group>
-   <definition class="compliance" id="{{{ rule_id }}}" version="1">
--    <metadata>
--      <title>{{{ rule_title }}}</title>
--      {{{- oval_affected(products) }}}
--      <description>Ensure 'RekeyLimit' is configured with the correct value in '{{{ filepath }}}'</description>
--    </metadata>
-+    {{{ oval_metadata("Ensure 'RekeyLimit' is configured with the correct value in '" + filepath + "'") }}}
-     <criteria comment="sshd is configured correctly or is not installed" operator="OR">
-         {{{- application_not_required_or_requirement_unset() }}}
-         {{{- application_required_or_requirement_unset() }}}
-diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/oval/shared.xml
-index 25b28e4e7b..6ee3e2fb36 100644
---- a/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/oval/shared.xml
-+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/oval/shared.xml
-@@ -1,13 +1,7 @@
- <def-group>
-   <definition class="compliance" id="sshd_set_idle_timeout" version="1">
--    <metadata>
--      <title>Set OpenSSH Idle Timeout Interval</title>
--      <affected family="unix">
--        <platform>multi_platform_all</platform>
--      </affected>
--      <description>The SSH idle timeout interval should be set to an
--      appropriate value.</description>
--    </metadata>
-+    {{{ oval_metadata("The SSH idle timeout interval should be set to an
-+      appropriate value.") }}}
-     <criteria comment="SSH is configured correctly or is not installed"
-     operator="OR">
-       <criteria comment="sshd is not installed" operator="AND">
-diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/oval/shared.xml
-index 26e8c4f1a5..15c4fd7ee2 100644
---- a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/oval/shared.xml
-+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/oval/shared.xml
-@@ -1,13 +1,7 @@
- <def-group>
-   <definition class="compliance" id="sshd_set_keepalive" version="1">
--    <metadata>
--      <title>Set ClientAliveCountMax for User Logins</title>
--      <affected family="unix">
--        <platform>multi_platform_all</platform>
--      </affected>
--      <description>The SSH ClientAliveCountMax should be set to an appropriate
--      value (and dependencies are met)</description>
--    </metadata>
-+    {{{ oval_metadata("The SSH ClientAliveCountMax should be set to an appropriate
-+      value (and dependencies are met)") }}}
-     <criteria comment="SSH is configured correctly or is not installed"
-     operator="OR">
-       <criteria comment="sshd is not installed" operator="AND">
-diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/oval/shared.xml
-index a8eaabd87b..3eec8552e7 100644
---- a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/oval/shared.xml
-+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/oval/shared.xml
-@@ -1,13 +1,7 @@
- <def-group>
-   <definition class="compliance" id="sshd_set_max_auth_tries" version="1">
--    <metadata>
--      <title>Set OpenSSH authentication attempt limit (MaxAuthTries)</title>
--      <affected family="unix">
--        <platform>multi_platform_all</platform>
--      </affected>
--      <description>The SSH MaxAuthTries should be set to an
--      appropriate value.</description>
--    </metadata>
-+    {{{ oval_metadata("The SSH MaxAuthTries should be set to an
-+      appropriate value.") }}}
-     <criteria comment="SSH is not being used or conditions are met" operator="OR">
-       <extend_definition comment="sshd service is disabled"
-       definition_ref="service_sshd_disabled" />
-diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/oval/shared.xml
-index 3b2ae7c4b4..14b7a99523 100644
---- a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/oval/shared.xml
-+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/oval/shared.xml
-@@ -1,13 +1,7 @@
- <def-group>
-   <definition class="compliance" id="sshd_set_max_sessions" version="1">
--    <metadata>
--      <title>Set OpenSSH MaxSessions</title>
--      <affected family="unix">
--        <platform>multi_platform_all</platform>
--      </affected>
--      <description>The SSH number of max sessions should be set to an
--      appropriate value.</description>
--    </metadata>
-+    {{{ oval_metadata("The SSH number of max sessions should be set to an
-+      appropriate value.") }}}
-     <criteria comment="SSH is configured correctly or is not installed"
-     operator="OR">
-       <criteria comment="sshd is not installed" operator="AND">
-diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/oval/shared.xml
-index c3a6c7d1aa..33b492fdd3 100644
---- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/oval/shared.xml
-+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/oval/shared.xml
-@@ -1,15 +1,6 @@
- <def-group>
-   <definition class="compliance" id="sshd_use_approved_ciphers" version="1">
--    <metadata>
--      <title>Use Only Approved Ciphers</title>
--      <affected family="unix">
--        <platform>multi_platform_wrlinux</platform>
--        <platform>Red Hat Enterprise Linux 6</platform>
--        <platform>Red Hat Enterprise Linux 7</platform>
--        <platform>Oracle Linux 7</platform>
--      </affected>
--      <description>Limit the ciphers to those which are FIPS-approved.</description>
--    </metadata>
-+    {{{ oval_metadata("Limit the ciphers to those which are FIPS-approved.") }}}
-     <criteria operator="AND">
-       <extend_definition comment="Installed OS is FIPS certified" definition_ref="installed_OS_is_FIPS_certified" />
-       <criteria comment="SSH is configured correctly or is not installed"
-diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/oval/shared.xml
-index c2470f5102..542c886b16 100644
---- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/oval/shared.xml
-+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/oval/shared.xml
-@@ -1,16 +1,6 @@
- <def-group>
-   <definition class="compliance" id="sshd_use_approved_macs" version="1">
--    <metadata>
--      <title>Use Only FIPS MACs</title>
--      <affected family="unix">
--        <platform>multi_platform_wrlinux</platform>
--        <platform>Red Hat Enterprise Linux 6</platform>
--        <platform>Red Hat Enterprise Linux 7</platform>
--        <platform>multi_platform_sle12</platform>
--        <platform>Oracle Linux 7</platform>
--      </affected>
--      <description>Limit the Message Authentication Codes (MACs) to those which are FIPS-approved.</description>
--    </metadata>
-+    {{{ oval_metadata("Limit the Message Authentication Codes (MACs) to those which are FIPS-approved.") }}}
-     <criteria operator="AND">
-       <extend_definition comment="Installed OS is FIPS certified" definition_ref="installed_OS_is_FIPS_certified" />
-       <criteria comment="SSH is configured correctly or is not installed"
-diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_priv_separation/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_use_priv_separation/oval/shared.xml
-index 287eb72ab9..5296e0c520 100644
---- a/linux_os/guide/services/ssh/ssh_server/sshd_use_priv_separation/oval/shared.xml
-+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_priv_separation/oval/shared.xml
-@@ -1,12 +1,6 @@
- <def-group>
-   <definition class="compliance" id="sshd_use_priv_separation" version="1">
--    <metadata>
--      <title>Rule title of sshd_use_priv_separation</title>
--      <affected family="unix">
--        <platform>multi_platform_all</platform>
--      </affected>
--      <description>Ensure 'UsePrivilegeSeparation' is configured with value 'sandbox' in '/etc/ssh/sshd_config'</description>
--    </metadata>
-+    {{{ oval_metadata("Ensure 'UsePrivilegeSeparation' is configured with value 'sandbox' in '/etc/ssh/sshd_config'") }}}
-     <criteria comment="sshd is configured correctly or is not installed"
-     operator="OR">
-       <criteria comment="sshd is not installed" operator="AND">
-diff --git a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/oval/shared.xml b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/oval/shared.xml
-index 0cb88868a3..4d29beab91 100644
---- a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/oval/shared.xml
-+++ b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/oval/shared.xml
-@@ -1,14 +1,6 @@
- <def-group>
-   <definition class="compliance" id="sssd_ldap_configure_tls_ca_dir" version="1">
--    <metadata>
--      <title>Configure SSSD LDAP Backend Client CA Certificate Location</title>
--      <affected family="unix">
--        <platform>multi_platform_wrlinux</platform>
--        <platform>multi_platform_rhel</platform>
--        <platform>multi_platform_ol</platform>
--      </affected>
--      <description>Configure SSSD to implement cryptography to protect the integrity of LDAP remote access sessions.</description>
--    </metadata>
-+    {{{ oval_metadata("Configure SSSD to implement cryptography to protect the integrity of LDAP remote access sessions.") }}}
-     <criteria>
-       <criterion test_ref="test_sssd_ldap_tls_ca_dir" />
-     </criteria>
-diff --git a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/oval/shared.xml b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/oval/shared.xml
-index ed502062e4..abd61fc01f 100644
---- a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/oval/shared.xml
-+++ b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/oval/shared.xml
-@@ -1,10 +1,6 @@
- <def-group>
-   <definition class="compliance" id="sssd_ldap_start_tls" version="1">
--    <metadata>
--      <title>Configure SSSD LDAP Backend to Use TLS For All Transactions</title>
--      {{{- oval_affected(products) }}}
--      <description>LDAP should be used for authentication and use STARTTLS</description>
--    </metadata>
-+    {{{ oval_metadata("LDAP should be used for authentication and use STARTTLS") }}}
-     <criteria>
-       <criterion comment="LDAP uses STARTTLS set within /etc/sssd/sssd.conf" test_ref="test_use_starttls" />
-     </criteria>
-diff --git a/linux_os/guide/services/sssd/sssd_enable_pam_services/oval/shared.xml b/linux_os/guide/services/sssd/sssd_enable_pam_services/oval/shared.xml
-index 7af72709f2..79e73aa1b9 100644
---- a/linux_os/guide/services/sssd/sssd_enable_pam_services/oval/shared.xml
-+++ b/linux_os/guide/services/sssd/sssd_enable_pam_services/oval/shared.xml
-@@ -1,11 +1,7 @@
- <def-group>
-   <definition class="compliance" id="sssd_enable_pam_services" version="1">
--    <metadata>
--      <title>Configure PAM in SSSD Services</title>
--      {{{- oval_affected(products) }}}
--      <description>SSSD should be configured to run SSSD PAM services.
--      </description>
--    </metadata>
-+    {{{ oval_metadata("SSSD should be configured to run SSSD PAM services.
-+      ") }}}
-     <criteria>
-         <criterion comment="check if pam is configured in the services setting of the sssd section"
-         test_ref="test_sssd_enable_pam_services" />
-diff --git a/linux_os/guide/services/sssd/sssd_enable_smartcards/oval/shared.xml b/linux_os/guide/services/sssd/sssd_enable_smartcards/oval/shared.xml
-index ed56989551..0484c805b9 100644
---- a/linux_os/guide/services/sssd/sssd_enable_smartcards/oval/shared.xml
-+++ b/linux_os/guide/services/sssd/sssd_enable_smartcards/oval/shared.xml
-@@ -1,17 +1,7 @@
- <def-group oval_version="5.11">
-   <definition class="compliance" id="sssd_enable_smartcards" version="1">
--    <metadata>
--      <title>Enable Smartcards in SSSD</title>
--      <affected family="unix">
--        <platform>Red Hat Enterprise Linux 7</platform>
--        <platform>Red Hat Enterprise Linux 8</platform>
--        <platform>multi_platform_fedora</platform>
--        <platform>multi_platform_rhv</platform>
--        <platform>multi_platform_ol</platform>
--      </affected>
--      <description>SSSD should be configured to authenticate access to the system
--    using smart cards.</description>
--    </metadata>
-+    {{{ oval_metadata("SSSD should be configured to authenticate access to the system
-+    using smart cards.") }}}
-     <criteria operator="OR">
-       <criteria operator="OR">
-         <extend_definition comment="Check if sssd service is disabled" definition_ref="service_sssd_disabled" />
-diff --git a/linux_os/guide/services/sssd/sssd_memcache_timeout/oval/shared.xml b/linux_os/guide/services/sssd/sssd_memcache_timeout/oval/shared.xml
-index 16fa2e6121..30b13f2f14 100644
---- a/linux_os/guide/services/sssd/sssd_memcache_timeout/oval/shared.xml
-+++ b/linux_os/guide/services/sssd/sssd_memcache_timeout/oval/shared.xml
-@@ -1,15 +1,6 @@
- <def-group oval_version="5.11">
-   <definition class="compliance" id="sssd_memcache_timeout" version="1">
--    <metadata>
--      <title>Configure SSSD's Memory Cache to Expire</title>
--      <affected family="unix">
--        <platform>Red Hat Virtualization 4</platform>
--        <platform>multi_platform_fedora</platform>
--        <platform>multi_platform_ol</platform>
--        <platform>multi_platform_rhel</platform>
--      </affected>
--      <description>SSSD's memory cache should be configured to set to expire records after 1 day.</description>
--    </metadata>
-+    {{{ oval_metadata("SSSD's memory cache should be configured to set to expire records after 1 day.") }}}
-     <criteria operator="OR">
-       <criteria operator="OR">
-         <extend_definition comment="Check if sssd service is disabled" definition_ref="service_sssd_disabled" />
-diff --git a/linux_os/guide/services/sssd/sssd_offline_cred_expiration/oval/shared.xml b/linux_os/guide/services/sssd/sssd_offline_cred_expiration/oval/shared.xml
-index 7aee37a031..e47ffff59d 100644
---- a/linux_os/guide/services/sssd/sssd_offline_cred_expiration/oval/shared.xml
-+++ b/linux_os/guide/services/sssd/sssd_offline_cred_expiration/oval/shared.xml
-@@ -1,15 +1,6 @@
- <def-group oval_version="5.11">
-   <definition class="compliance" id="sssd_offline_cred_expiration" version="1">
--    <metadata>
--      <title>Configure SSSD to Expire Offline Credentials</title>
--      <affected family="unix">
--        <platform>Red Hat Virtualization 4</platform>
--        <platform>multi_platform_fedora</platform>
--        <platform>multi_platform_ol</platform>
--        <platform>multi_platform_rhel</platform>
--      </affected>
--      <description>SSSD should be configured to expire offline credentials after 1 day.</description>
--    </metadata>
-+    {{{ oval_metadata("SSSD should be configured to expire offline credentials after 1 day.") }}}
-     <criteria operator="OR">
-       <criteria operator="OR">
-         <extend_definition comment="Check if sssd service is disabled" definition_ref="service_sssd_disabled" />
-diff --git a/linux_os/guide/services/sssd/sssd_run_as_sssd_user/oval/shared.xml b/linux_os/guide/services/sssd/sssd_run_as_sssd_user/oval/shared.xml
-index 9b2b825c8f..2fb5937393 100644
---- a/linux_os/guide/services/sssd/sssd_run_as_sssd_user/oval/shared.xml
-+++ b/linux_os/guide/services/sssd/sssd_run_as_sssd_user/oval/shared.xml
-@@ -1,10 +1,6 @@
- <def-group oval_version="5.11">
-   <definition class="compliance" id="sssd_run_as_sssd_user" version="1">
--    <metadata>
--      <title>Configure SSSD to run as user sssd</title>
--      {{{- oval_affected(products) }}}
--      <description>SSSD processes should be configured to run as user sssd, not root.</description>
--    </metadata>
-+    {{{ oval_metadata("SSSD processes should be configured to run as user sssd, not root.") }}}
-     <criteria>
-       <criterion comment="Check user setting in SSSD configuration" test_ref="test_sssd_run_as_sssd_user" />
-     </criteria>
-diff --git a/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/oval/shared.xml b/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/oval/shared.xml
-index c7d6abbc18..fd24dfef0d 100644
---- a/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/oval/shared.xml
-+++ b/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/oval/shared.xml
-@@ -1,14 +1,6 @@
- <def-group oval_version="5.11">
-   <definition class="compliance" id="sssd_ssh_known_hosts_timeout" version="1">
--    <metadata>
--      <title>Configure SSSD to Expire SSH Known Hosts</title>
--      <affected family="unix">
--        <platform>Red Hat Virtualization 4</platform>
--        <platform>multi_platform_fedora</platform>
--        <platform>multi_platform_rhel</platform>
--      </affected>
--      <description>SSSD should be configured to expire keys from known SSH hosts after 1 day.</description>
--    </metadata>
-+    {{{ oval_metadata("SSSD should be configured to expire keys from known SSH hosts after 1 day.") }}}
-     <criteria operator="OR">
-       <criteria operator="OR">
-         <extend_definition comment="Check if sssd service is disabled" definition_ref="service_sssd_disabled" />
-diff --git a/linux_os/guide/services/usbguard/usbguard_allow_hid/oval/shared.xml b/linux_os/guide/services/usbguard/usbguard_allow_hid/oval/shared.xml
-index 53026a6cab..b805071180 100644
---- a/linux_os/guide/services/usbguard/usbguard_allow_hid/oval/shared.xml
-+++ b/linux_os/guide/services/usbguard/usbguard_allow_hid/oval/shared.xml
-@@ -1,14 +1,6 @@
- <def-group>
-   <definition class="compliance" id="usbguard_allow_hid" version="1">
--    <metadata>
--      <title>Check that USB Human Interface Devices are allowed by USBGuard rules</title>
--      <affected family="unix">
--        <platform>multi_platform_fedora</platform>
--        <platform>Red Hat Enterprise Linux 8</platform>
--        <platform>Oracle Linux 8</platform>
--      </affected>
--      <description>Check that /etc/usbguard/rules.conf contains at least one non white space character empty and exists.</description>
--    </metadata>
-+    {{{ oval_metadata("Check that /etc/usbguard/rules.conf contains at least one non white space character empty and exists.") }}}
-     <criteria comment="Check that /etc/usbguard/rules.conf contains at least one non whitespace character." operator="AND">
-       <extend_definition comment="Check that /etc/usbguard/rules.conf contains at least one non whitespace character." definition_ref="usbguard_rules_not_empty_not_missing" />
-     </criteria>
-diff --git a/linux_os/guide/services/usbguard/usbguard_allow_hid_and_hub/oval/shared.xml b/linux_os/guide/services/usbguard/usbguard_allow_hid_and_hub/oval/shared.xml
-index dc159491c2..a3af17c3ae 100644
---- a/linux_os/guide/services/usbguard/usbguard_allow_hid_and_hub/oval/shared.xml
-+++ b/linux_os/guide/services/usbguard/usbguard_allow_hid_and_hub/oval/shared.xml
-@@ -1,10 +1,6 @@
- <def-group>
-   <definition class="compliance" id="usbguard_allow_hid_and_hub" version="1">
--    <metadata>
--      <title>Check that USB human interface devices and hubs are allowed by USBGuard rules</title>
--      {{{- oval_affected(products) }}}
--      <description>Check that /etc/usbguard/rules.conf contains at least one non whitespace character and exists.</description>
--    </metadata>
-+    {{{ oval_metadata("Check that /etc/usbguard/rules.conf contains at least one non whitespace character and exists.") }}}
-     <criteria comment="Check that /etc/usbguard/rules.conf contains at least one non whitespace character." operator="AND">
-       <extend_definition comment="Check that /etc/usbguard/rules.conf contains at least one non whitespace character." definition_ref="usbguard_rules_not_empty_not_missing" />
-     </criteria>
-diff --git a/linux_os/guide/services/usbguard/usbguard_allow_hub/oval/shared.xml b/linux_os/guide/services/usbguard/usbguard_allow_hub/oval/shared.xml
-index d251fdf1e9..fd0553a612 100644
---- a/linux_os/guide/services/usbguard/usbguard_allow_hub/oval/shared.xml
-+++ b/linux_os/guide/services/usbguard/usbguard_allow_hub/oval/shared.xml
-@@ -1,14 +1,6 @@
- <def-group>
-   <definition class="compliance" id="usbguard_allow_hub" version="1">
--    <metadata>
--      <title>Check that USB hubs are allowed by USBGuard rules</title>
--      <affected family="unix">
--        <platform>multi_platform_fedora</platform>
--        <platform>Red Hat Enterprise Linux 8</platform>
--        <platform>Oracle Linux 8</platform>
--      </affected>
--      <description>Check that /etc/usbguard/rules.conf contains at least one non whitespace character and exists.</description>
--    </metadata>
-+    {{{ oval_metadata("Check that /etc/usbguard/rules.conf contains at least one non whitespace character and exists.") }}}
-     <criteria comment="Check that /etc/usbguard/rules.conf contains at least one non whitespace character." operator="AND">
-       <extend_definition comment="Check that /etc/usbguard/rules.conf contains at least one non whitespace character." definition_ref="usbguard_rules_not_empty_not_missing" />
-     </criteria>
-diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_setting/oval/shared.xml b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_setting/oval/shared.xml
-index e905e0f358..7bebeba664 100644
---- a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_setting/oval/shared.xml
-+++ b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_setting/oval/shared.xml
-@@ -3,18 +3,7 @@
- {{%- else -%}}
- <def-group>
-   <definition class="compliance" id="xwindows_runlevel_setting" version="1">
--    <metadata>
--      <title>Disable X Windows Startup By Setting Default SystemD Target</title>
--      <affected family="unix">
--        <platform>multi_platform_rhel</platform>
--        <platform>multi_platform_fedora</platform>
--      </affected>
--      {{%- if init_system == "systemd" %}}
--      <description>Checks /etc/systemd/system/default.target to ensure that the default runlevel target is set to multi-user.target.</description>
--      {{%- else %}}
--      <description>Checks /etc/inittab to ensure that default runlevel is set to 3.</description>
--      {{%- endif %}}
--    </metadata>
-+    {{{ oval_metadata("Checks /etc/inittab to ensure that default runlevel is set to 3.") }}}
-     {{%- if init_system == "systemd" %}}
-     <criteria>
-       <criterion comment="default.target systemd softlink exists" test_ref="test_disable_xwindows_runlevel" />
-diff --git a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/oval/shared.xml b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/oval/shared.xml
-index 97f51c3140..3b7ae2e0d3 100644
---- a/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/oval/shared.xml
-+++ b/linux_os/guide/services/xwindows/disabling_xwindows/xwindows_runlevel_target/oval/shared.xml
-@@ -3,11 +3,7 @@
- {{%- else -%}}
- <def-group>
-   <definition class="compliance" id="xwindows_runlevel_target" version="1">
--    <metadata>
--      <title>Disable X Windows Startup By Setting Default SystemD Target</title>
--      {{{- oval_affected(products) }}}
--      <description>Ensure that the default runlevel target is set to multi-user.target.</description>
--    </metadata>
-+    {{{ oval_metadata("Ensure that the default runlevel target is set to multi-user.target.") }}}
-     <criteria>
-       <criterion comment="default.target systemd softlink exists" test_ref="test_disable_xwindows_runlevel_target" />
-     </criteria>
-diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/oval/shared.xml b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/oval/shared.xml
-index 032c65b340..1c4bb5178e 100644
---- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/oval/shared.xml
-+++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/oval/shared.xml
-@@ -1,10 +1,6 @@
- <def-group>
-   <definition class="compliance" id="banner_etc_issue" version="2">
--    <metadata>
--      <title>System Login Banner Compliance</title>
--      {{{- oval_affected(products) }}}
--      <description>The system login banner text should be set correctly.</description>
--    </metadata>
-+    {{{ oval_metadata("The system login banner text should be set correctly.") }}}
-     <criteria>
-       <criterion comment="/etc/issue is set appropriately" test_ref="test_banner_etc_issue" />
-     </criteria>
-diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/oval/shared.xml b/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/oval/shared.xml
-index 9b20ee032a..e86aa2471a 100644
---- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/oval/shared.xml
-+++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/oval/shared.xml
-@@ -1,16 +1,6 @@
- <def-group>
-   <definition class="compliance" id="banner_etc_motd" version="2">
--    <metadata>
--      <title>System Login Banner Compliance</title>
--      <affected family="unix">
--        <platform>multi_platform_wrlinux</platform>
--        <platform>multi_platform_rhel</platform>
--        <platform>multi_platform_fedora</platform>
--        <platform>multi_platform_rhv</platform>
--        <platform>multi_platform_ol</platform>
--      </affected>
--      <description>The system login banner text should be set correctly.</description>
--    </metadata>
-+    {{{ oval_metadata("The system login banner text should be set correctly.") }}}
-     <criteria>
-       <criterion comment="/etc/motd is set appropriately" test_ref="test_banner_etc_motd" />
-     </criteria>
-diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_banner_enabled/oval/shared.xml b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_banner_enabled/oval/shared.xml
-index c49984740a..35f28ee1f8 100644
---- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_banner_enabled/oval/shared.xml
-+++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_banner_enabled/oval/shared.xml
-@@ -1,15 +1,6 @@
- <def-group>
-   <definition class="compliance" id="dconf_gnome_banner_enabled" version="1">
--    <metadata>
--      <title>Enable GNOME3 Login Warning Banner</title>
--      <affected family="unix">
--        <platform>Red Hat Enterprise Linux 7</platform>
--        <platform>Red Hat Enterprise Linux 8</platform>
--        <platform>multi_platform_fedora</platform>
--        <platform>multi_platform_ol</platform>
--      </affected>
--      <description>Enable the GNOME3 Login warning banner.</description>
--    </metadata>
-+    {{{ oval_metadata("Enable the GNOME3 Login warning banner.") }}}
-     <criteria operator="OR">
-       <extend_definition comment="dconf installed" definition_ref="package_dconf_installed" negate="true" />
-       <criteria comment="Enable GUI banner and prevent user from changing it" operator="AND">
-diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/oval/shared.xml b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/oval/shared.xml
-index a235d232b6..58480321ca 100644
---- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/oval/shared.xml
-+++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/oval/shared.xml
-@@ -1,15 +1,6 @@
- <def-group oval_version="5.11"> 
-   <definition class="compliance" id="dconf_gnome_login_banner_text" version="1">
--    <metadata>
--      <title>Enable GUI Warning Banner</title>
--      <affected family="unix">
--        <platform>Red Hat Enterprise Linux 7</platform>
--        <platform>Red Hat Enterprise Linux 8</platform>
--        <platform>multi_platform_fedora</platform>
--        <platform>multi_platform_ol</platform>
--      </affected>
--      <description>Enable the GUI warning banner.</description>
--    </metadata>
-+    {{{ oval_metadata("Enable the GUI warning banner.") }}}
-     <criteria operator="OR">
-       <extend_definition comment="dconf installed" definition_ref="package_dconf_installed" negate="true" />
-       <criteria comment="Enable GUI banner and prevent user from changing it" operator="AND">
-diff --git a/linux_os/guide/system/accounts/accounts-pam/display_login_attempts/oval/shared.xml b/linux_os/guide/system/accounts/accounts-pam/display_login_attempts/oval/shared.xml
-index 268edd86a5..9d03badc72 100644
---- a/linux_os/guide/system/accounts/accounts-pam/display_login_attempts/oval/shared.xml
-+++ b/linux_os/guide/system/accounts/accounts-pam/display_login_attempts/oval/shared.xml
-@@ -1,16 +1,6 @@
- <def-group>
-   <definition class="compliance" id="display_login_attempts" version="1">
--    <metadata>
--      <title>Set Last Login/Access Notification</title>
--      <affected family="unix">
--        <platform>Red Hat Virtualization 4</platform>
--        <platform>multi_platform_fedora</platform>
--        <platform>multi_platform_ol</platform>
--        <platform>multi_platform_rhel</platform>
--        <platform>multi_platform_wrlinux</platform>
--      </affected>
--      <description>Configure the system to notify users of last login/access using pam_lastlog.</description>
--    </metadata>
-+    {{{ oval_metadata("Configure the system to notify users of last login/access using pam_lastlog.") }}}
-     <criteria>
-       <criterion comment="Conditions for pam_lastlog are satisfied" test_ref="test_display_login_attempts" />
-     </criteria>
-diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/oval/shared.xml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/oval/shared.xml
-index 28eecc822a..ce6e6d073b 100644
---- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/oval/shared.xml
-+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/oval/shared.xml
-@@ -1,16 +1,6 @@
- <def-group>
-   <definition class="compliance" id="accounts_password_pam_unix_remember" version="2">
--    <metadata>
--      <title>Limit Password Reuse</title>
--      <affected family="unix">
--        <platform>multi_platform_wrlinux</platform>
--        <platform>multi_platform_rhel</platform>
--        <platform>multi_platform_fedora</platform>
--        <platform>multi_platform_rhv</platform>
--        <platform>multi_platform_ol</platform>
--      </affected>
--      <description>The passwords to remember should be set correctly.</description>
--    </metadata>
-+    {{{ oval_metadata("The passwords to remember should be set correctly.") }}}
-     <criteria comment="remember parameter of pam_unix.so or pam_pwhistory.so is set correctly" operator="OR">
-       <criterion comment="remember parameter of pam_unix.so is set correctly" test_ref="test_accounts_password_pam_unix_remember" />
-       <criterion comment="remember parameter of pam_pwhistory.so is set correctly" test_ref="test_accounts_password_pam_pwhistory_remember" />
-diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/oval/shared.xml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/oval/shared.xml
-index 8fdd7fb3d3..aa33a5be57 100644
---- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/oval/shared.xml
-+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/oval/shared.xml
-@@ -1,12 +1,6 @@
- <def-group>
-   <definition class="compliance" id="accounts_passwords_pam_faillock_deny" version="4">
--    <metadata>
--      <title>Lock out account after failed login attempts</title>
--      <affected family="unix">
--        <platform>multi_platform_all</platform>
--      </affected>
--      <description>The number of allowed failed logins should be set correctly.</description>
--    </metadata>
-+    {{{ oval_metadata("The number of allowed failed logins should be set correctly.") }}}
-     <criteria operator="AND" comment="Checks common to both scenarios">
-       <criterion test_ref="test_accounts_passwords_pam_faillock_preauth_silent_system-auth"
-       comment="pam_faillock.so preauth silent set in system-auth" />
-diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/oval/shared.xml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/oval/shared.xml
-index 402feabe8c..caf3685fb0 100644
---- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/oval/shared.xml
-+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/oval/shared.xml
-@@ -1,18 +1,7 @@
- <def-group>
-   <definition class="compliance" id="accounts_passwords_pam_faillock_deny_root" version="4">
--    <metadata>
--      <title>Lock out the root account after failed login attempts</title>
--      <affected family="unix">
--        <platform>multi_platform_wrlinux</platform>
--        <platform>Red Hat Enterprise Linux 7</platform>
--        <platform>Red Hat Enterprise Linux 8</platform>
--        <platform>multi_platform_fedora</platform>
--        <platform>multi_platform_rhv</platform>
--        <platform>multi_platform_ol</platform>
--      </affected>
--      <description>The root account should be configured to deny access after the number of defined
--      failed attempts has been reached.</description>
--    </metadata>
-+    {{{ oval_metadata("The root account should be configured to deny access after the number of defined
-+      failed attempts has been reached.") }}}
-     <criteria>
-       <criterion test_ref="test_pam_faillock_preauth_silent_system-auth"
-       comment="pam_faillock.so preauth silent set in system-auth" />
-diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/oval/shared.xml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/oval/shared.xml
-index d22e07d9ad..64edf8e3e2 100644
---- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/oval/shared.xml
-+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/oval/shared.xml
-@@ -1,15 +1,6 @@
- <def-group>
-   <definition class="compliance" id="accounts_passwords_pam_faillock_interval" version="2">
--    <metadata>
--      <title>Lock out account after failed login attempts</title>
--      <affected family="unix">
--        <platform>multi_platform_rhel</platform>
--        <platform>multi_platform_fedora</platform>
--        <platform>multi_platform_rhv</platform>
--        <platform>multi_platform_ol</platform>
--      </affected>
--      <description>The number of allowed failed logins should be set correctly.</description>
--    </metadata>
-+    {{{ oval_metadata("The number of allowed failed logins should be set correctly.") }}}
-     <criteria>
-       <criterion comment="preauth default is set to 900" test_ref="test_accounts_passwords_pam_faillock_fail_interval_system-auth" />
-       <criterion comment="authfail default is set to 900" test_ref="test_accounts_passwords_pam_faillock_authfail_fail_interval_system-auth" />
-diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/oval/shared.xml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/oval/shared.xml
-index a6ef6117b7..df026538c0 100644
---- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/oval/shared.xml
-+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/oval/shared.xml
-@@ -1,15 +1,6 @@
- <def-group>
-   <definition class="compliance" id="accounts_passwords_pam_faillock_unlock_time" version="2">
--    <metadata>
--      <title>Lock out account after failed login attempts</title>
--      <affected family="unix">
--        <platform>multi_platform_rhel</platform>
--        <platform>multi_platform_fedora</platform>
--        <platform>multi_platform_rhv</platform>
--        <platform>multi_platform_ol</platform>
--      </affected>
--      <description>The unlock time after number of failed logins should be set correctly.</description>
--    </metadata>
-+    {{{ oval_metadata("The unlock time after number of failed logins should be set correctly.") }}}
-     <criteria operator="OR">
-         <!-- We divide the checking domain space in two,
-         1. when the ext var unlock_time is zero, we are only looking for zero or never in the config files,
-diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/oval/shared.xml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/oval/shared.xml
-index d888d78d09..1a29db148c 100644
---- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/oval/shared.xml
-+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/oval/shared.xml
-@@ -1,16 +1,6 @@
- <def-group>
-   <definition class="compliance" id="accounts_password_pam_retry" version="1">
--    <metadata>
--      <title>Set Password retry Requirements</title>
--      <affected family="unix">
--        <platform>Red Hat Virtualization 4</platform>
--        <platform>multi_platform_fedora</platform>
--        <platform>multi_platform_ol</platform>
--        <platform>multi_platform_rhel</platform>
--        <platform>multi_platform_wrlinux</platform>
--      </affected>
--      <description>The password retry should meet minimum requirements</description>
--    </metadata>
-+    {{{ oval_metadata("The password retry should meet minimum requirements") }}}
-     <criteria operator="AND" comment="Conditions for retry are satisfied">
-       <criterion comment="pam_pwquality" test_ref="test_password_pam_pwquality_retry" />
-     </criteria>
-diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_libuserconf/oval/shared.xml b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_libuserconf/oval/shared.xml
-index 5eb6752299..b09f9eed60 100644
---- a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_libuserconf/oval/shared.xml
-+++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_libuserconf/oval/shared.xml
-@@ -1,16 +1,6 @@
- <def-group>
-   <definition class="compliance" id="set_password_hashing_algorithm_libuserconf" version="1">
--    <metadata>
--      <title>Set SHA512 Password Hashing Algorithm in /etc/libuser.conf</title>
--      <affected family="unix">
--        <platform>multi_platform_wrlinux</platform>
--        <platform>multi_platform_rhel</platform>
--        <platform>multi_platform_fedora</platform>
--        <platform>multi_platform_rhv</platform>
--        <platform>multi_platform_ol</platform>
--      </affected>
--      <description>The password hashing algorithm should be set correctly in /etc/libuser.conf.</description>
--    </metadata>
-+    {{{ oval_metadata("The password hashing algorithm should be set correctly in /etc/libuser.conf.") }}}
-     <criteria operator="AND">
-       <criterion test_ref="test_etc_libuser_conf_cryptstyle" />
-     </criteria>
-diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_logindefs/oval/shared.xml b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_logindefs/oval/shared.xml
-index 5ca1bd4383..7b18f640a7 100644
---- a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_logindefs/oval/shared.xml
-+++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_logindefs/oval/shared.xml
-@@ -1,16 +1,6 @@
- <def-group>
-   <definition class="compliance" id="set_password_hashing_algorithm_logindefs" version="2">
--    <metadata>
--      <title>Set SHA512 Password Hashing Algorithm in /etc/login.defs</title>
--      <affected family="unix">
--        <platform>multi_platform_wrlinux</platform>
--        <platform>multi_platform_rhel</platform>
--        <platform>multi_platform_fedora</platform>
--        <platform>multi_platform_rhv</platform>
--        <platform>multi_platform_ol</platform>
--      </affected>
--      <description>The password hashing algorithm should be set correctly in /etc/login.defs.</description>
--    </metadata>
-+    {{{ oval_metadata("The password hashing algorithm should be set correctly in /etc/login.defs.") }}}
-     <criteria operator="AND">
-       <criterion test_ref="test_etc_login_defs_encrypt_method" />
-     </criteria>
-diff --git a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/oval/shared.xml b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/oval/shared.xml
-index 3770a641b3..cc001b18a2 100644
---- a/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/oval/shared.xml
-+++ b/linux_os/guide/system/accounts/accounts-pam/set_password_hashing_algorithm/set_password_hashing_algorithm_systemauth/oval/shared.xml
-@@ -1,16 +1,6 @@
- <def-group>
-   <definition class="compliance" id="set_password_hashing_algorithm_systemauth" version="1">
--    <metadata>
--      <title>Set Password Hashing Algorithm in /etc/pam.d/system-auth</title>
--      <affected family="unix">
--        <platform>multi_platform_wrlinux</platform>
--        <platform>multi_platform_rhel</platform>
--        <platform>multi_platform_fedora</platform>
--        <platform>multi_platform_rhv</platform>
--        <platform>multi_platform_ol</platform>
--      </affected>
--      <description>The password hashing algorithm should be set correctly in /etc/pam.d/system-auth.</description>
--    </metadata>
-+    {{{ oval_metadata("The password hashing algorithm should be set correctly in /etc/pam.d/system-auth.") }}}
-     <criteria operator="AND">
-       <criterion test_ref="test_pam_unix_sha512" />
-     </criteria>
-diff --git a/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_burstaction/oval/shared.xml b/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_burstaction/oval/shared.xml
-index 8a0f8b2ae1..22a499999f 100644
---- a/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_burstaction/oval/shared.xml
-+++ b/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_burstaction/oval/shared.xml
-@@ -1,11 +1,7 @@
- <def-group>
-   <definition class="compliance" id="disable_ctrlaltdel_burstaction" version="1">
--    <metadata>
--      <title>Disable Ctrl-Alt-Del Burst Action</title>
--      {{{- oval_affected(products) }}}
--      <description>Configure the CtrlAltDelBurstAction setting in /etc/systemd/system.conf
--      to none to prevent a reboot if Ctrl-Alt-Delete is pressed more than 7 times in 2 seconds.</description>
--    </metadata>
-+    {{{ oval_metadata("Configure the CtrlAltDelBurstAction setting in /etc/systemd/system.conf
-+      to none to prevent a reboot if Ctrl-Alt-Delete is pressed more than 7 times in 2 seconds.") }}}
-     <criteria>
-       <criterion comment="check CtrlAltDelBurstAction is set to none"
-       test_ref="test_disable_ctrlaltdel_burstaction" />
-diff --git a/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_reboot/oval/shared.xml b/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_reboot/oval/shared.xml
-index dcd30eca2c..3d8ba90c61 100644
---- a/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_reboot/oval/shared.xml
-+++ b/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_reboot/oval/shared.xml
-@@ -3,12 +3,8 @@
- {{%- else -%}}
- <def-group>
-   <definition class="compliance" id="disable_ctrlaltdel_reboot" version="1">
--    <metadata>
--      <title>Disable Ctrl-Alt-Del Reboot Activation</title>
--      {{{- oval_affected(products) }}}
--      <description>By default, the system will reboot when the
--      Ctrl-Alt-Del key sequence is pressed.</description>
--    </metadata>
-+    {{{ oval_metadata("By default, the system will reboot when the
-+      Ctrl-Alt-Del key sequence is pressed.") }}}
-     {{%- if init_system == "systemd" -%}}
-     <criteria>
-       <criterion comment="Disable Ctrl-Alt-Del systemd softlink exists" test_ref="test_disable_ctrlaltdel_exists" />
-diff --git a/linux_os/guide/system/accounts/accounts-physical/grub2_disable_interactive_boot/oval/shared.xml b/linux_os/guide/system/accounts/accounts-physical/grub2_disable_interactive_boot/oval/shared.xml
-index b114710391..837fc03730 100644
---- a/linux_os/guide/system/accounts/accounts-physical/grub2_disable_interactive_boot/oval/shared.xml
-+++ b/linux_os/guide/system/accounts/accounts-physical/grub2_disable_interactive_boot/oval/shared.xml
-@@ -1,11 +1,7 @@
- <def-group>
-   <definition class="compliance" id="grub2_disable_interactive_boot" version="4">
--    <metadata>
--      <title>Verify that Interactive Boot is Disabled</title>
--      {{{- oval_affected(products) }}}
--      <description>The ability for users to perform interactive startups should
--      be disabled.</description>
--    </metadata>
-+    {{{ oval_metadata("The ability for users to perform interactive startups should
-+      be disabled.") }}}
-     <criteria operator="AND">
-       <criterion test_ref="test_grub2_disable_interactive_boot_grub_cmdline_linux"
-       comment="Check systemd.confirm_spawn=(1|yes|true|on) not in GRUB_CMDLINE_LINUX" />
-diff --git a/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/oval/shared.xml b/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/oval/shared.xml
-index 99b9fb0222..51de85f672 100644
---- a/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/oval/shared.xml
-+++ b/linux_os/guide/system/accounts/accounts-physical/require_emergency_target_auth/oval/shared.xml
-@@ -1,17 +1,7 @@
- <def-group>
-   <definition class="compliance" id="require_emergency_target_auth" version="1">
--    <metadata>
--      <title>Require Authentication for Emergency Mode</title>
--      <affected family="unix">
--        <platform>multi_platform_fedora</platform>
--        <platform>Red Hat Enterprise Linux 7</platform>
--        <platform>Red Hat Enterprise Linux 8</platform>
--        <platform>multi_platform_rhv</platform>
--        <platform>multi_platform_ol</platform>
--      </affected>
--      <description>The requirement for a password to boot into emergency mode
--      should be configured correctly.</description>
--    </metadata>
-+    {{{ oval_metadata("The requirement for a password to boot into emergency mode
-+      should be configured correctly.") }}}
-     <criteria operator="AND">
-       <criterion comment="Conditions are satisfied"
-       test_ref="test_require_emergency_service" />
-diff --git a/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/oval/shared.xml b/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/oval/shared.xml
-index 7aaaca7c7a..a560a3fcee 100644
---- a/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/oval/shared.xml
-+++ b/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/oval/shared.xml
-@@ -1,11 +1,7 @@
- <def-group>
-   <definition class="compliance" id="require_singleuser_auth" version="1">
--    <metadata>
--      <title>Require Authentication for Single-User Mode</title>
--      {{{- oval_affected(products) }}}
--      <description>The requirement for a password to boot into single-user mode
--      should be configured correctly.</description>
--    </metadata>
-+    {{{ oval_metadata("The requirement for a password to boot into single-user mode
-+      should be configured correctly.") }}}
-     {{%- if init_system == "systemd" -%}}
-     <criteria operator="AND">
-       <criterion comment="Conditions are satisfied"
-diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/oval/shared.xml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/oval/shared.xml
-index e649add677..00ac349e29 100644
---- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/oval/shared.xml
-+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_bashrc_exec_tmux/oval/shared.xml
-@@ -1,14 +1,6 @@
- <def-group>
-   <definition class="compliance" id="configure_bashrc_exec_tmux" version="1">
--    <metadata>
--      <title>Check exec tmux configured at the end of bashrc</title>
--      <affected family="unix">
--        <platform>multi_platform_fedora</platform>
--        <platform>Red Hat Enterprise Linux 8</platform>
--        <platform>Oracle Linux 8</platform>
--      </affected>
--      <description>Check if tmux is configured to exec at the end of bashrc.</description>
--    </metadata>
-+    {{{ oval_metadata("Check if tmux is configured to exec at the end of bashrc.") }}}
-     <criteria comment="Check exec tmux configured at the end of bashrc" operator="AND">
-       <criterion comment="check tmux is configured to exec on the last line of /etc/bashrc"
-         test_ref="test_configure_bashrc_exec_tmux" />
-diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_tmux_lock_after_time/oval/shared.xml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_tmux_lock_after_time/oval/shared.xml
-index 61ab02e6c5..442c0507fb 100644
---- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_tmux_lock_after_time/oval/shared.xml
-+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_tmux_lock_after_time/oval/shared.xml
-@@ -1,14 +1,6 @@
- <def-group>
-   <definition class="compliance" id="configure_tmux_lock_after_time" version="1">
--    <metadata>
--      <title>Configure tmux to lock session after inactivity</title>
--      <affected family="unix">
--        <platform>multi_platform_fedora</platform>
--        <platform>Red Hat Enterprise Linux 8</platform>
--        <platform>Oracle Linux 8</platform>
--      </affected>
--      <description>Check if tmux is configured to lock sessions after period of inactivity.</description>
--    </metadata>
-+    {{{ oval_metadata("Check if tmux is configured to lock sessions after period of inactivity.") }}}
-     <criteria comment="Configure tmux to lock session after inactivity" operator="AND">
-       <criterion comment="check lock-after-time is set to 900 in /etc/tmux.conf"
-         test_ref="test_configure_tmux_lock_after_time" />
-diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_tmux_lock_command/oval/shared.xml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_tmux_lock_command/oval/shared.xml
-index 548ebc2788..e569459e4b 100644
---- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_tmux_lock_command/oval/shared.xml
-+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/configure_tmux_lock_command/oval/shared.xml
-@@ -1,14 +1,6 @@
- <def-group>
-   <definition class="compliance" id="configure_tmux_lock_command" version="1">
--    <metadata>
--      <title>Configure the tmux Lock Command</title>
--      <affected family="unix">
--        <platform>multi_platform_fedora</platform>
--        <platform>Red Hat Enterprise Linux 8</platform>
--        <platform>Oracle Linux 8</platform>
--      </affected>
--      <description>Check if the vlock command is configured to be used as a locking mechanism in tmux.</description>
--    </metadata>
-+    {{{ oval_metadata("Check if the vlock command is configured to be used as a locking mechanism in tmux.") }}}
-     <criteria comment="Configure the tmux Lock Command" operator="AND">
-       <criterion comment="check lock-command is set to vlock in /etc/tmux.conf"
-         test_ref="test_configure_tmux_lock_command" />
-diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/no_tmux_in_shells/oval/shared.xml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/no_tmux_in_shells/oval/shared.xml
-index a6dd27ea53..4103225d3b 100644
---- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/no_tmux_in_shells/oval/shared.xml
-+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/console_screen_locking/no_tmux_in_shells/oval/shared.xml
-@@ -1,14 +1,6 @@
- <def-group>
-   <definition class="compliance" id="no_tmux_in_shells" version="1">
--    <metadata>
--      <title>Check that tmux is not listed in /etc/shells</title>
--      <affected family="unix">
--        <platform>multi_platform_fedora</platform>
--        <platform>Red Hat Enterprise Linux 8</platform>
--        <platform>Oracle Linux 8</platform>
--      </affected>
--      <description>Check that tmux is not listed in /etc/shells</description>
--    </metadata>
-+    {{{ oval_metadata("Check that tmux is not listed in /etc/shells") }}}
-     <criteria comment="Check that tmux is not listed in /etc/shells" operator="AND">
-       <criterion comment="check that tmux is not listed in /etc/shells" test_ref="test_no_tmux_in_shells" />
-     </criteria>
-diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/configure_opensc_card_drivers/oval/shared.xml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/configure_opensc_card_drivers/oval/shared.xml
-index e58d185cb3..420cc25a29 100644
---- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/configure_opensc_card_drivers/oval/shared.xml
-+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/configure_opensc_card_drivers/oval/shared.xml
-@@ -1,17 +1,7 @@
- <def-group>
-   <definition class="compliance" id="configure_opensc_card_drivers" version="1">
--    <metadata>
--      <title>Configure opensc Smart Card Drivers</title>
--      <affected family="unix">
--        <platform>Red Hat Enterprise Linux 7</platform>
--        <platform>Red Hat Enterprise Linux 8</platform>
--        <platform>multi_platform_fedora</platform>
--        <platform>multi_platform_rhv</platform>
--        <platform>multi_platform_ol</platform>
--      </affected>
--      <description>Configure the organization's smart card driver so that only
--      the smart card in use by the organization will be recognized by the system.</description>
--    </metadata>
-+    {{{ oval_metadata("Configure the organization's smart card driver so that only
-+      the smart card in use by the organization will be recognized by the system.") }}}
-     <criteria>
-       <criterion test_ref="test_configure_opensc_card_drivers"
-       comment="Check that card_drivers is configured for opensc" />
-diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/configure_opensc_nss_db/oval/shared.xml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/configure_opensc_nss_db/oval/shared.xml
-index da61320316..dd8f0dbf41 100644
---- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/configure_opensc_nss_db/oval/shared.xml
-+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/configure_opensc_nss_db/oval/shared.xml
-@@ -1,14 +1,6 @@
- <def-group>
-   <definition class="compliance" id="configure_opensc_nss_db" version="1">
--    <metadata>
--      <title>Check that NSS DB is set to use opensc</title>
--      <affected family="unix">
--        <platform>Red Hat Enterprise Linux 7</platform>
--        <platform>multi_platform_fedora</platform>
--        <platform>Oracle Linux 7</platform>
--      </affected>
--      <description>The NSS DB should be set to use opensc library.</description>
--    </metadata>
-+    {{{ oval_metadata("The NSS DB should be set to use opensc library.") }}}
-     <criteria>
-       <criterion test_ref="test_configure_opensc_nss_db"
-       comment="Check opensc library is configured in /etc/pki/nssdb/pkcs11.txt" />
-diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/force_opensc_card_drivers/oval/shared.xml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/force_opensc_card_drivers/oval/shared.xml
-index d81f4a444d..b9956600e6 100644
---- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/force_opensc_card_drivers/oval/shared.xml
-+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/force_opensc_card_drivers/oval/shared.xml
-@@ -1,17 +1,7 @@
- <def-group>
-   <definition class="compliance" id="force_opensc_card_drivers" version="1">
--    <metadata>
--      <title>Force opensc To Use Defined Smart Card Driver</title>
--      <affected family="unix">
--        <platform>Red Hat Enterprise Linux 7</platform>
--        <platform>Red Hat Enterprise Linux 8</platform>
--        <platform>multi_platform_fedora</platform>
--        <platform>multi_platform_rhv</platform>
--        <platform>multi_platform_ol</platform>
--      </affected>
--      <description>Force opensc to use the organization's smart card driver so that only
--      the smart card in use by the organization will be recognized by the system.</description>
--    </metadata>
-+    {{{ oval_metadata("Force opensc to use the organization's smart card driver so that only
-+      the smart card in use by the organization will be recognized by the system.") }}}
-     <criteria>
-       <criterion test_ref="test_force_opensc_card_drivers"
-       comment="Check that force_card_driver is configured for opensc" />
-diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/install_smartcard_packages/oval/shared.xml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/install_smartcard_packages/oval/shared.xml
-index 7b10d48fbf..fa837b5d30 100644
---- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/install_smartcard_packages/oval/shared.xml
-+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/install_smartcard_packages/oval/shared.xml
-@@ -1,13 +1,6 @@
- <def-group>
-   <definition class="compliance" id="install_smartcard_packages" version="1">
--    <metadata>
--      <title>Install needed packages for smartcard use.</title>
--      <affected family="unix">
--        <platform>Red Hat Enterprise Linux 7</platform>
--        <platform>Oracle Linux 7</platform>
--      </affected>
--      <description>The RPM packages esc and pam_pkcs11 must be installed.</description>
--    </metadata>
-+    {{{ oval_metadata("The RPM packages esc and pam_pkcs11 must be installed.") }}}
-       <criteria comment="packages for smartcard use are installed">
-       <extend_definition comment="pam_pkcs11 package is installed" definition_ref="package_pam_pkcs11_installed" />
-       <extend_definition comment="esc package is installed" definition_ref="package_esc_installed" />
-diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_auth/oval/shared.xml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_auth/oval/shared.xml
-index ba0b6d19f0..f1b620056f 100644
---- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_auth/oval/shared.xml
-+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_auth/oval/shared.xml
-@@ -1,14 +1,6 @@
- <def-group oval_version="5.11">
-   <definition class="compliance" id="smartcard_auth" version="3">
--    <metadata>
--      <title>Enable Smart Card Login</title>
--      <affected family="unix">
--        <platform>Red Hat Enterprise Linux 6</platform>
--        <platform>Red Hat Enterprise Linux 7</platform>
--        <platform>Oracle Linux 7</platform>
--      </affected>
--      <description>Enable Smart Card logins</description>
--    </metadata>
-+    {{{ oval_metadata("Enable Smart Card logins") }}}
-     <criteria comment="smart card authentication is configured" operator="AND">
-       <extend_definition comment="pam_pkcs11 package is installed" definition_ref="package_pam_pkcs11_installed" />
-       <extend_definition comment="pcscd service is enabled" definition_ref="service_pcscd_enabled" />
-diff --git a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_disable_post_pw_expiration/oval/shared.xml b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_disable_post_pw_expiration/oval/shared.xml
-index 588ecd7042..ddff42cc03 100644
---- a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_disable_post_pw_expiration/oval/shared.xml
-+++ b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_disable_post_pw_expiration/oval/shared.xml
-@@ -1,16 +1,6 @@
- <def-group>
-   <definition class="compliance" id="account_disable_post_pw_expiration" version="2">
--    <metadata>
--      <title>Set Accounts to Expire Following Password Expiration</title>
--      <affected family="unix">
--        <platform>multi_platform_wrlinux</platform>
--        <platform>multi_platform_rhel</platform>
--        <platform>multi_platform_fedora</platform>
--        <platform>multi_platform_rhv</platform>
--        <platform>multi_platform_ol</platform>
--      </affected>
--      <description>The accounts should be configured to expire automatically following password expiration.</description>
--    </metadata>
-+    {{{ oval_metadata("The accounts should be configured to expire automatically following password expiration.") }}}
-     <criteria comment="the value INACTIVE parameter should be set appropriately in /etc/default/useradd">
-       <criterion test_ref="test_etc_default_useradd_inactive" />
-     </criteria>
-diff --git a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_unique_name/oval/shared.xml b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_unique_name/oval/shared.xml
-index f1261bc133..ab931a4536 100644
---- a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_unique_name/oval/shared.xml
-+++ b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_unique_name/oval/shared.xml
-@@ -1,12 +1,6 @@
- <def-group>
-   <definition class="compliance" id="account_unique_name" version="1">
--    <metadata>
--      <title>Set All Accounts To Have Unique Names</title>
--      <affected family="unix">
--        <platform>multi_platform_all</platform>
--      </affected>
--      <description>All accounts on the system should have unique names for proper accountability.</description>
--    </metadata>
-+    {{{ oval_metadata("All accounts on the system should have unique names for proper accountability.") }}}
- 
-       <criteria comment="There should not exist duplicate user name entries in /etc/passwd">
-         <criterion test_ref="test_etc_passwd_no_duplicate_user_names" />
-diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/oval/shared.xml b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/oval/shared.xml
-index 27649723ac..a70dc63776 100644
---- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/oval/shared.xml
-+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/oval/shared.xml
-@@ -1,12 +1,6 @@
- <def-group>
-   <definition class="compliance" id="accounts_maximum_age_login_defs" version="3">
--    <metadata>
--      <title>Set Password Expiration Parameters</title>
--      <affected family="unix">
--        <platform>multi_platform_all</platform>
--      </affected>
--      <description>The maximum password age policy should meet minimum requirements.</description>
--    </metadata>
-+    {{{ oval_metadata("The maximum password age policy should meet minimum requirements.") }}}
-     <criteria comment="The value PASS_MAX_DAYS should be set appropriately in /etc/login.defs">
-       <criterion test_ref="test_pass_max_days" />
-     </criteria>
-diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs/oval/shared.xml b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs/oval/shared.xml
-index fc25c7dc1f..e1c7643ae7 100644
---- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs/oval/shared.xml
-+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs/oval/shared.xml
-@@ -1,12 +1,6 @@
- <def-group>
-   <definition class="compliance" id="accounts_minimum_age_login_defs" version="3">
--    <metadata>
--      <title>Set Password Expiration Parameters</title>
--      <affected family="unix">
--        <platform>multi_platform_all</platform>
--      </affected>
--      <description>The minimum password age policy should be set appropriately.</description>
--    </metadata>
-+    {{{ oval_metadata("The minimum password age policy should be set appropriately.") }}}
-     <criteria comment="The value of PASS_MIN_DAYS should be set appropriately in /etc/login.defs">
-       <criterion test_ref="test_pass_min_days" />
-     </criteria>
-diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_minlen_login_defs/oval/shared.xml b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_minlen_login_defs/oval/shared.xml
-index e96170d77a..665bc80042 100644
---- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_minlen_login_defs/oval/shared.xml
-+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_minlen_login_defs/oval/shared.xml
-@@ -1,13 +1,7 @@
- <def-group>
- 
-   <definition class="compliance" id="accounts_password_minlen_login_defs" version="3">
--    <metadata>
--      <title>Set Password Expiration Parameters</title>
--      <affected family="unix">
--        <platform>multi_platform_all</platform>
--      </affected>
--      <description>The password minimum length should be set appropriately.</description>
--    </metadata>
-+    {{{ oval_metadata("The password minimum length should be set appropriately.") }}}
-     <criteria operator="AND">
-       <criterion test_ref="test_pass_min_len" />
-     </criteria>
-diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_warn_age_login_defs/oval/shared.xml b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_warn_age_login_defs/oval/shared.xml
-index 5e566f139d..75a09f3d69 100644
---- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_warn_age_login_defs/oval/shared.xml
-+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_warn_age_login_defs/oval/shared.xml
-@@ -1,12 +1,6 @@
- <def-group>
-   <definition class="compliance" id="accounts_password_warn_age_login_defs" version="3">
--    <metadata>
--      <title>Set Password Expiration Parameters</title>
--      <affected family="unix">
--        <platform>multi_platform_all</platform>
--      </affected>
--      <description>The password expiration warning age should be set appropriately.</description>
--    </metadata>
-+    {{{ oval_metadata("The password expiration warning age should be set appropriately.") }}}
-     <criteria>
-       <criterion test_ref="test_pass_warn_age" />
-     </criteria>
-diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_all_shadowed/oval/shared.xml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_all_shadowed/oval/shared.xml
-index caa85777f7..4facb8291d 100644
---- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_all_shadowed/oval/shared.xml
-+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/accounts_password_all_shadowed/oval/shared.xml
-@@ -1,12 +1,6 @@
- <def-group>
-   <definition class="compliance" id="accounts_password_all_shadowed" version="1">
--    <metadata>
--      <title>All Password Hashes Shadowed</title>
--      <affected family="unix">
--        <platform>multi_platform_all</platform>
--      </affected>
--      <description>All password hashes should be shadowed.</description>
--    </metadata>
-+    {{{ oval_metadata("All password hashes should be shadowed.") }}}
-     <criteria>
-       <criterion comment="password hashes are shadowed" test_ref="test_accounts_password_all_shadowed" />
-     </criteria>
-diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/gid_passwd_group_same/oval/shared.xml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/gid_passwd_group_same/oval/shared.xml
-index 34d605b694..0c7d48a709 100644
---- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/gid_passwd_group_same/oval/shared.xml
-+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/gid_passwd_group_same/oval/shared.xml
-@@ -1,16 +1,6 @@
- <def-group>
-   <definition class="compliance" id="gid_passwd_group_same" version="2">
--    <metadata>
--      <title>All GIDs Are Present In /etc/group</title>
--      <affected family="unix">
--        <platform>Red Hat Virtualization 4</platform>
--        <platform>multi_platform_fedora</platform>
--        <platform>multi_platform_ol</platform>
--        <platform>multi_platform_rhel</platform>
--        <platform>multi_platform_wrlinux</platform>
--      </affected>
--      <description>All GIDs referenced in /etc/passwd must be defined in /etc/group.</description>
--    </metadata>
-+    {{{ oval_metadata("All GIDs referenced in /etc/passwd must be defined in /etc/group.") }}}
-     <criteria>
-       <criterion test_ref="test_gid_passwd_group_same" />
-     </criteria>
-diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/oval/shared.xml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/oval/shared.xml
-index 492cbfcd00..24635ef33e 100644
---- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/oval/shared.xml
-+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/oval/shared.xml
-@@ -1,10 +1,6 @@
- <def-group>
-   <definition class="compliance" id="no_empty_passwords" version="1">
--    <metadata>
--      <title>No nullok Option in /etc/pam.d/system-auth</title>
--      {{{- oval_affected(products) }}}
--      <description>The file /etc/pam.d/system-auth should not contain the nullok option</description>
--    </metadata>
-+    {{{ oval_metadata("The file /etc/pam.d/system-auth should not contain the nullok option") }}}
-     <criteria>
-       <criterion comment="make sure the nullok option is not used in /etc/pam.d/system-auth" test_ref="test_no_empty_passwords" />
-     </criteria>
-diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/oval/shared.xml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/oval/shared.xml
-index 01ddaa1250..afdc33cf09 100644
---- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/oval/shared.xml
-+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/oval/shared.xml
-@@ -1,10 +1,6 @@
- <def-group>
-   <definition class="compliance" id="no_legacy_plus_entries_etc_group" version="1">
--    <metadata>
--      <title>Ensure there are no legacy + NIS entries in /etc/group</title>
--      {{{- oval_affected(products) }}}
--      <description>No lines starting with + are in /etc/group</description>
--    </metadata>
-+    {{{ oval_metadata("No lines starting with + are in /etc/group") }}}
-     <criteria comment="no lines starting with + are in /etc/group">
-       <criterion test_ref="test_no_legacy_plus_entries_etc_group" />
-     </criteria>
-diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/oval/shared.xml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/oval/shared.xml
-index 210437adbd..fdfb275534 100644
---- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/oval/shared.xml
-+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/oval/shared.xml
-@@ -1,10 +1,6 @@
- <def-group>
-   <definition class="compliance" id="no_legacy_plus_entries_etc_passwd" version="1">
--    <metadata>
--      <title>Ensure there are no legacy + NIS entries in /etc/passwd</title>
--      {{{- oval_affected(products) }}}
--      <description>No lines starting with + are in /etc/passwd</description>
--    </metadata>
-+    {{{ oval_metadata("No lines starting with + are in /etc/passwd") }}}
-     <criteria comment="no lines starting with + are in /etc/passwd">
-       <criterion test_ref="test_no_legacy_plus_entries_etc_passwd" />
-     </criteria>
-diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/oval/shared.xml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/oval/shared.xml
-index 8fad2c3841..493144629d 100644
---- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/oval/shared.xml
-+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/oval/shared.xml
-@@ -1,10 +1,6 @@
- <def-group>
-   <definition class="compliance" id="no_legacy_plus_entries_etc_shadow" version="1">
--    <metadata>
--      <title>Ensure there are no legacy + NIS entries in /etc/shadow</title>
--      {{{- oval_affected(products) }}}
--      <description>No lines starting with + are in /etc/shadow</description>
--    </metadata>
-+    {{{ oval_metadata("No lines starting with + are in /etc/shadow") }}}
-     <criteria comment="no lines starting with + are in /etc/shadow">
-       <criterion test_ref="test_no_legacy_plus_entries_etc_shadow" />
-     </criteria>
-diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_netrc_files/oval/shared.xml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_netrc_files/oval/shared.xml
-index cd09067233..766c0030a9 100644
---- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_netrc_files/oval/shared.xml
-+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_netrc_files/oval/shared.xml
-@@ -1,10 +1,6 @@
- <def-group>
-   <definition class="compliance" id="no_netrc_files" version="1">
--    <metadata>
--      <title>Verify No netrc Files Exist</title>
--      {{{- oval_affected(products) }}}
--      <description>The .netrc files contain login information used to auto-login into FTP servers and reside in the user's home directory. Any .netrc files should be removed.</description>
--    </metadata>
-+    {{{ oval_metadata("The .netrc files contain login information used to auto-login into FTP servers and reside in the user's home directory. Any .netrc files should be removed.") }}}
-     <criteria>
-       <criterion test_ref="test_no_netrc_files_home" negate="true" />
-     </criteria>
-diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/accounts_no_uid_except_zero/oval/shared.xml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/accounts_no_uid_except_zero/oval/shared.xml
-index a095086235..0dc56bd6d8 100644
---- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/accounts_no_uid_except_zero/oval/shared.xml
-+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/accounts_no_uid_except_zero/oval/shared.xml
-@@ -1,10 +1,6 @@
- <def-group>
-   <definition class="compliance" id="accounts_no_uid_except_zero" version="1">
--    <metadata>
--      <title>UID 0 Belongs Only To Root</title>
--      {{{- oval_affected(products) }}}
--      <description>Only the root account should be assigned a user id of 0.</description>
--    </metadata>
-+    {{{ oval_metadata("Only the root account should be assigned a user id of 0.") }}}
-     <criteria>
-       <criterion comment="tests that there are no accounts with UID 0 except root in the /etc/passwd file" test_ref="test_accounts_no_uid_except_root" />
-     </criteria>
-diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/oval/shared.xml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/oval/shared.xml
-index 27800c34a5..43ab0dcec2 100644
---- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/oval/shared.xml
-+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/oval/shared.xml
-@@ -1,11 +1,7 @@
- <def-group>
-   <definition class="compliance" id="no_direct_root_logins" version="1">
--    <metadata>
--      <title>Direct root Logins Not Allowed</title>
--      {{{- oval_affected(products) }}}
--      <description>Preventing direct root logins help ensure accountability for actions
--      taken on the system using the root account.</description>
--    </metadata>
-+    {{{ oval_metadata("Preventing direct root logins help ensure accountability for actions
-+      taken on the system using the root account.") }}}
-     <criteria operator="AND">
-       <criterion comment="serial ports /etc/securetty" test_ref="test_no_direct_root_logins" />
-       <criterion comment="serial ports /etc/securetty" test_ref="test_etc_securetty_exists" />
-diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/oval/shared.xml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/oval/shared.xml
-index d0e836515b..26eedefa2d 100644
---- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/oval/shared.xml
-+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_shelllogin_for_systemaccounts/oval/shared.xml
-@@ -1,11 +1,7 @@
- <def-group>
-   <definition class="compliance" id="no_shelllogin_for_systemaccounts" version="2">
--    <metadata>
--      <title>System Accounts Do Not Run a Shell</title>
--      {{{- oval_affected(products) }}}
--      <description>The root account is the only system account that should have
--      a login shell.</description>
--    </metadata>
-+    {{{ oval_metadata("The root account is the only system account that should have
-+      a login shell.") }}}
-     <criteria operator="OR">
-       <!-- If SYS_UID_MIN and SYS_UID_MAX is not defined in /etc/login.defs
-            perform the check that all /etc/passwd entries having shell defined
-diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/restrict_serial_port_logins/oval/shared.xml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/restrict_serial_port_logins/oval/shared.xml
-index db90a3d39d..8188f60c76 100644
---- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/restrict_serial_port_logins/oval/shared.xml
-+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/restrict_serial_port_logins/oval/shared.xml
-@@ -1,14 +1,8 @@
- <def-group>
-   <definition class="compliance" id="restrict_serial_port_logins" version="1">
--    <metadata>
--      <title>Restrict Serial Port Root Logins</title>
--      <affected family="unix">
--        <platform>multi_platform_all</platform>
--      </affected>
--      <description>Preventing direct root login to serial port interfaces helps
-+    {{{ oval_metadata("Preventing direct root login to serial port interfaces helps
-       ensure accountability for actions taken on the system using the root
--      account.</description>
--    </metadata>
-+      account.") }}}
-     <criteria>
-       <criterion comment="serial ports /etc/securetty" test_ref="test_serial_ports_etc_securetty" negate="true" />
-     </criteria>
-diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/securetty_root_login_console_only/oval/shared.xml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/securetty_root_login_console_only/oval/shared.xml
-index f6472c135c..914035c9cd 100644
---- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/securetty_root_login_console_only/oval/shared.xml
-+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/securetty_root_login_console_only/oval/shared.xml
-@@ -1,14 +1,8 @@
- <def-group>
-   <definition class="compliance" id="securetty_root_login_console_only" version="1">
--    <metadata>
--      <title>Restrict Virtual Console Root Logins</title>
--      <affected family="unix">
--        <platform>multi_platform_all</platform>
--      </affected>
--      <description>Preventing direct root login to virtual console devices
-+    {{{ oval_metadata("Preventing direct root login to virtual console devices
-       helps ensure accountability for actions taken on the system using the
--      root account.</description>
--    </metadata>
-+      root account.") }}}
-     <criteria>
-       <criterion comment="virtual consoles /etc/securetty" test_ref="test_virtual_consoles_etc_securetty" />
-     </criteria>
-diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_have_homedir_login_defs/oval/shared.xml b/linux_os/guide/system/accounts/accounts-session/accounts_have_homedir_login_defs/oval/shared.xml
-index 94bef6fb74..abfb980c47 100644
---- a/linux_os/guide/system/accounts/accounts-session/accounts_have_homedir_login_defs/oval/shared.xml
-+++ b/linux_os/guide/system/accounts/accounts-session/accounts_have_homedir_login_defs/oval/shared.xml
-@@ -1,10 +1,6 @@
- <def-group>
-   <definition class="compliance" id="accounts_have_homedir_login_defs" version="1">
--    <metadata>
--      <title>Ensure new users receive home directories</title>
--      {{{- oval_affected(products) }}}
--      <description>CREATE_HOME should be enabled</description>
--    </metadata>
-+    {{{ oval_metadata("CREATE_HOME should be enabled") }}}
-     <criteria operator="AND">
-       <criterion comment="Check CREATE_HOME in /etc/login.defs" test_ref="test_accounts_have_homedir_login_defs" />
-     </criteria>
-diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/oval/shared.xml b/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/oval/shared.xml
-index 08833e086f..fcb0c5cc45 100644
---- a/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/oval/shared.xml
-+++ b/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/oval/shared.xml
-@@ -1,13 +1,7 @@
- <def-group>
-   <definition class="compliance" id="accounts_logon_fail_delay" version="1">
--    <metadata>
--      <title>Ensure that FAIL_DELAY is Configured in /etc/login.defs</title>
--      <affected family="unix">
--        <platform>multi_platform_all</platform>
--      </affected>
--      <description>The delay between failed authentication attempts should be
--      set for all users specified in /etc/login.defs</description>
--    </metadata>
-+    {{{ oval_metadata("The delay between failed authentication attempts should be
-+      set for all users specified in /etc/login.defs") }}}
-     <criteria>
-       <criterion test_ref="test_accounts_logon_fail_delay" />
-     </criteria>
-diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/oval/shared.xml b/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/oval/shared.xml
-index fb649f770f..d1c0ace78d 100644
---- a/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/oval/shared.xml
-+++ b/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/oval/shared.xml
-@@ -1,16 +1,7 @@
- <def-group>
-   <definition class="compliance" id="accounts_max_concurrent_login_sessions" version="1">
--    <metadata>
--      <title>Set Maximum Number of Concurrent Login Sessions Per User</title>
--      <affected family="unix">
--        <platform>Red Hat Virtualization 4</platform>
--        <platform>multi_platform_ol</platform>
--        <platform>multi_platform_rhel</platform>
--        <platform>multi_platform_wrlinux</platform>
--      </affected>
--      <description>The maximum number of concurrent login sessions per user should meet
--      minimum requirements.</description>
--    </metadata>
-+    {{{ oval_metadata("The maximum number of concurrent login sessions per user should meet
-+      minimum requirements.") }}}
-     <criteria operator="OR">
-       <criterion comment="the value maxlogins should be set appropriately in /etc/security/limits.d/*.conf" test_ref="test_limitsd_maxlogins" />
-       <criteria operator="AND">
-diff --git a/linux_os/guide/system/accounts/accounts-session/file_permissions_home_dirs/oval/shared.xml b/linux_os/guide/system/accounts/accounts-session/file_permissions_home_dirs/oval/shared.xml
-index 375b6d82d7..7ce300c482 100644
---- a/linux_os/guide/system/accounts/accounts-session/file_permissions_home_dirs/oval/shared.xml
-+++ b/linux_os/guide/system/accounts/accounts-session/file_permissions_home_dirs/oval/shared.xml
-@@ -1,12 +1,6 @@
- <def-group>
-   <definition class="compliance" id="file_permissions_home_dirs" version="1">
--    <metadata>
--      <title>Proper Permissions User Home Directories</title>
--      <affected family="unix">
--        <platform>multi_platform_all</platform>
--      </affected>
--      <description>File permissions should be set correctly for the home directories for all user accounts.</description>
--    </metadata>
-+    {{{ oval_metadata("File permissions should be set correctly for the home directories for all user accounts.") }}}
-     <criteria >
-       <criterion comment="home directories" test_ref="test_file_permissions_home_dirs" negate="true" />
-     </criteria>
-diff --git a/linux_os/guide/system/accounts/accounts-session/root_paths/accounts_root_path_dirs_no_write/oval/shared.xml b/linux_os/guide/system/accounts/accounts-session/root_paths/accounts_root_path_dirs_no_write/oval/shared.xml
-index 3cb782886a..e41823d53d 100644
---- a/linux_os/guide/system/accounts/accounts-session/root_paths/accounts_root_path_dirs_no_write/oval/shared.xml
-+++ b/linux_os/guide/system/accounts/accounts-session/root_paths/accounts_root_path_dirs_no_write/oval/shared.xml
-@@ -1,14 +1,7 @@
- <def-group>
-   <definition class="compliance" id="accounts_root_path_dirs_no_write" version="2">
--    <metadata>
--      <title>Write permissions are disabled for group and other in all
--      directories in Root's Path</title>
--      <affected family="unix">
--        <platform>multi_platform_all</platform>
--      </affected>
--      <description>Check each directory in root's path and make use it does
--      not grant write permission to group and other</description>
--    </metadata>
-+    {{{ oval_metadata("Check each directory in root's path and make use it does
-+      not grant write permission to group and other") }}}
-     <criteria comment="Check that write permission to group and other in root's path is denied">
-       <criterion comment="Check for write permission to group and other in root's path"
-       test_ref="test_accounts_root_path_dirs_no_group_other_write" />
-diff --git a/linux_os/guide/system/accounts/accounts-session/root_paths/root_path_no_dot/oval/shared.xml b/linux_os/guide/system/accounts/accounts-session/root_paths/root_path_no_dot/oval/shared.xml
-index f87a69efcb..b5637cadaf 100644
---- a/linux_os/guide/system/accounts/accounts-session/root_paths/root_path_no_dot/oval/shared.xml
-+++ b/linux_os/guide/system/accounts/accounts-session/root_paths/root_path_no_dot/oval/shared.xml
-@@ -1,16 +1,7 @@
- <def-group>
-   <definition class="compliance" id="root_path_no_dot" version="2">
--    <metadata>
--      <title>Ensure that No Dangerous Directories Exist in Root's Path</title>
--      <affected family="unix">
--        <platform>Red Hat Virtualization 4</platform>
--        <platform>multi_platform_ol</platform>
--        <platform>multi_platform_rhel</platform>
--        <platform>multi_platform_wrlinux</platform>
--      </affected>
--      <description>The environment variable PATH should be set correctly for
--      the root user.</description>
--    </metadata>
-+    {{{ oval_metadata("The environment variable PATH should be set correctly for
-+      the root user.") }}}
-     <criteria comment="environment variable PATH contains dangerous path" operator="AND">
-       <criterion comment="environment variable PATH starts with : or ." test_ref="test_env_var_begins" />
-       <criterion comment="environment variable PATH contains : twice in a row" test_ref="test_env_var_contains_doublecolon" />
-diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/oval/shared.xml b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/oval/shared.xml
-index 73e457d728..49ba1cf1f7 100644
---- a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/oval/shared.xml
-+++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/oval/shared.xml
-@@ -1,14 +1,6 @@
- <def-group>
-   <definition class="compliance" id="accounts_umask_etc_bashrc" version="2">
--    <metadata>
--      <title>Ensure that Users Have Sensible Umask Values set for bash</title>
--      <affected family="unix">
--        <platform>multi_platform_rhel</platform>
--        <platform>multi_platform_wrlinux</platform>
--        <platform>multi_platform_ol</platform>
--      </affected>
--      <description>The default umask for users of the bash shell</description>
--    </metadata>
-+    {{{ oval_metadata("The default umask for users of the bash shell") }}}
-     <criteria operator="AND">
-       <extend_definition comment="Get value of var_accounts_user_umask variable as octal number"
-       definition_ref="var_accounts_user_umask_as_number" />
-diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_csh_cshrc/oval/shared.xml b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_csh_cshrc/oval/shared.xml
-index 68de57231a..5756360984 100644
---- a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_csh_cshrc/oval/shared.xml
-+++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_csh_cshrc/oval/shared.xml
-@@ -1,14 +1,6 @@
- <def-group>
-   <definition class="compliance" id="accounts_umask_etc_csh_cshrc" version="2">
--    <metadata>
--      <title>Ensure that Users Have Sensible Umask Values set for csh</title>
--      <affected family="unix">
--        <platform>multi_platform_rhel</platform>
--        <platform>multi_platform_wrlinux</platform>
--        <platform>multi_platform_ol</platform>
--      </affected>
--      <description>The default umask for users of the csh shell</description>
--    </metadata>
-+    {{{ oval_metadata("The default umask for users of the csh shell") }}}
-     <criteria operator="AND">
-       <extend_definition comment="Get value of var_accounts_user_umask variable as octal number"
-       definition_ref="var_accounts_user_umask_as_number" />
-diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_login_defs/oval/shared.xml b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_login_defs/oval/shared.xml
-index fd9e477873..f249f92450 100644
---- a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_login_defs/oval/shared.xml
-+++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_login_defs/oval/shared.xml
-@@ -1,15 +1,6 @@
- <def-group>
-   <definition class="compliance" id="accounts_umask_etc_login_defs" version="2">
--    <metadata>
--      <title>Ensure that Users Have Sensible Umask Values in /etc/login.defs</title>
--      <affected family="unix">
--        <platform>Red Hat Virtualization 4</platform>
--        <platform>multi_platform_rhel</platform>
--        <platform>multi_platform_wrlinux</platform>
--        <platform>multi_platform_ol</platform>
--      </affected>
--      <description>The default umask for all users specified in /etc/login.defs</description>
--    </metadata>
-+    {{{ oval_metadata("The default umask for all users specified in /etc/login.defs") }}}
-     <criteria operator="AND">
-       <extend_definition comment="Get value of var_accounts_user_umask variable as octal number"
-       definition_ref="var_accounts_user_umask_as_number" />
-diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_profile/oval/shared.xml b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_profile/oval/shared.xml
-index d13b56bb16..6708dc6f70 100644
---- a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_profile/oval/shared.xml
-+++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_profile/oval/shared.xml
-@@ -1,15 +1,6 @@
- <def-group>
-   <definition class="compliance" id="accounts_umask_etc_profile" version="2">
--    <metadata>
--      <title>Ensure that Users Have Sensible Umask Values in /etc/profile</title>
--      <affected family="unix">
--        <platform>Red Hat Virtualization 4</platform>
--        <platform>multi_platform_rhel</platform>
--        <platform>multi_platform_wrlinux</platform>
--        <platform>multi_platform_ol</platform>
--      </affected>
--      <description>The default umask for all users should be set correctly</description>
--    </metadata>
-+    {{{ oval_metadata("The default umask for all users should be set correctly") }}}
-     <criteria operator="AND">
-       <extend_definition comment="Get value of var_accounts_user_umask variable as octal number"
-       definition_ref="var_accounts_user_umask_as_number" />
-diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events/oval/shared.xml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events/oval/shared.xml
-index 5040a7a558..bb36912aee 100644
---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events/oval/shared.xml
-+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events/oval/shared.xml
-@@ -1,15 +1,6 @@
- <def-group>
-   <definition class="compliance" id="audit_rules_file_deletion_events" version="1">
--    <metadata>
--      <title>Audit File Deletion Events</title>
--      <affected family="unix">
--        <platform>Red Hat Virtualization 4</platform>
--        <platform>multi_platform_fedora</platform>
--        <platform>multi_platform_ol</platform>
--        <platform>multi_platform_rhel</platform>
--      </affected>
--      <description>Audit files deletion events.</description>
--    </metadata>
-+    {{{ oval_metadata("Audit files deletion events.") }}}
-     <criteria operator="AND">
-       <extend_definition comment="audit rmdir" definition_ref="audit_rules_file_deletion_events_rmdir" />
-       <extend_definition comment="audit unlink" definition_ref="audit_rules_file_deletion_events_unlink" />
-diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification/oval/shared.xml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification/oval/shared.xml
-index 318276e9d7..ae5573a19e 100644
---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification/oval/shared.xml
-+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_modification/audit_rules_unsuccessful_file_modification/oval/shared.xml
-@@ -1,16 +1,6 @@
- <def-group>
-   <definition class="compliance" id="audit_rules_unsuccessful_file_modification" version="1">
--    <metadata>
--      <title>Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful)</title>
--      <affected family="unix">
--        <platform>Red Hat Virtualization 4</platform>
--        <platform>multi_platform_fedora</platform>
--        <platform>multi_platform_ol</platform>
--        <platform>multi_platform_rhel</platform>
--        <platform>multi_platform_wrlinux</platform>
--      </affected>
--      <description>Audit rules about the unauthorized access attempts to files (unsuccessful) are enabled.</description>
--    </metadata>
-+    {{{ oval_metadata("Audit rules about the unauthorized access attempts to files (unsuccessful) are enabled.") }}}
- 
-     <criteria operator="AND">
-       <extend_definition comment="audit creat" definition_ref="audit_rules_unsuccessful_file_modification_creat" />
-diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/oval/shared.xml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/oval/shared.xml
-index 46f4f39b8c..180be6c0e9 100644
---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/oval/shared.xml
-+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading/oval/shared.xml
-@@ -1,17 +1,6 @@
- <def-group>
-   <definition class="compliance" id="audit_rules_kernel_module_loading" version="1">
--    <metadata>
--      <title>Audit Kernel Module Loading and Unloading</title>
--      <affected family="unix">
--        <platform>Red Hat Virtualization 4</platform>
--        <platform>multi_platform_fedora</platform>
--        <platform>multi_platform_ol</platform>
--        <platform>multi_platform_rhel</platform>
--        <platform>multi_platform_sle</platform>
--        <platform>multi_platform_rhcos</platform>
--      </affected>
--      <description>The audit rules should be configured to log information about kernel module loading and unloading.</description>
--    </metadata>
-+    {{{ oval_metadata("The audit rules should be configured to log information about kernel module loading and unloading.") }}}
-     <criteria operator="AND">
-       <extend_definition comment="audit init_module" definition_ref="audit_rules_kernel_module_loading_init" />
-       <extend_definition comment="audit delete_module" definition_ref="audit_rules_kernel_module_loading_delete" />
-diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/oval/shared.xml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/oval/shared.xml
-index 25ba7b6b6d..55693d40be 100644
---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/oval/shared.xml
-+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_delete/oval/shared.xml
-@@ -1,10 +1,6 @@
- <def-group>
-   <definition class="compliance" id="audit_rules_kernel_module_loading_delete" version="1">
--    <metadata>
--      <title>Audit Kernel Module Loading and Unloading - delete_module</title>
--      {{{- oval_affected(products) }}}
--      <description>The audit rules should be configured to log information about kernel module loading and unloading.</description>
--    </metadata>
-+    {{{ oval_metadata("The audit rules should be configured to log information about kernel module loading and unloading.") }}}
- 
-     <criteria operator="OR">
- 
-diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/oval/shared.xml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/oval/shared.xml
-index 524b69424c..f27650d0f8 100644
---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/oval/shared.xml
-+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_finit/oval/shared.xml
-@@ -1,10 +1,6 @@
- <def-group>
-   <definition class="compliance" id="audit_rules_kernel_module_loading_finit" version="1">
--    <metadata>
--      <title>Audit Kernel Module Loading and Unloading - finit_module</title>
--      {{{- oval_affected(products) }}}
--      <description>The audit rules should be configured to log information about kernel module loading and unloading.</description>
--    </metadata>
-+    {{{ oval_metadata("The audit rules should be configured to log information about kernel module loading and unloading.") }}}
- 
-     <criteria operator="OR">
- 
-diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/oval/shared.xml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/oval/shared.xml
-index f93caa5edc..29503cb9f2 100644
---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/oval/shared.xml
-+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_kernel_module_loading/audit_rules_kernel_module_loading_init/oval/shared.xml
-@@ -1,10 +1,6 @@
- <def-group>
-   <definition class="compliance" id="audit_rules_kernel_module_loading_init" version="1">
--    <metadata>
--      <title>Audit Kernel Module Loading and Unloading - init_module</title>
--      {{{- oval_affected(products) }}}
--      <description>The audit rules should be configured to log information about kernel module loading and unloading.</description>
--    </metadata>
-+    {{{ oval_metadata("The audit rules should be configured to log information about kernel module loading and unloading.") }}}
- 
-     <criteria operator="OR">
- 
-diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events/oval/shared.xml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events/oval/shared.xml
-index 9217b7b2c8..b90d8d165b 100644
---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events/oval/shared.xml
-+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events/oval/shared.xml
-@@ -1,17 +1,6 @@
- <def-group>
-   <definition class="compliance" id="audit_rules_login_events" version="2">
--    <metadata>
--      <title>Record Attempts to Alter Login and Logout Events</title>
--      <affected family="unix">
--        <platform>Red Hat Virtualization 4</platform>
--        <platform>multi_platform_fedora</platform>
--        <platform>multi_platform_ol</platform>
--        <platform>multi_platform_rhel</platform>
--        <platform>multi_platform_ocp</platform>
--        <platform>multi_platform_rhcos</platform>
--      </affected>
--      <description>Audit rules should be configured to log successful and unsuccessful login and logout events.</description>
--    </metadata>
-+    {{{ oval_metadata("Audit rules should be configured to log successful and unsuccessful login and logout events.") }}}
-     <criteria operator="AND">
-       <extend_definition comment="audit tallylog" definition_ref="audit_rules_login_events_tallylog" />
-       <extend_definition comment="audit faillock" definition_ref="audit_rules_login_events_faillock" />
-diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/oval/shared.xml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/oval/shared.xml
-index e00a1a6562..798cffa42d 100644
---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/oval/shared.xml
-+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/oval/shared.xml
-@@ -1,10 +1,6 @@
- <def-group>
-   <definition class="compliance" id="audit_rules_privileged_commands" version="1">
--    <metadata>
--      <title>Ensure auditd Collects Information on the Use of Privileged Commands</title>
--      {{{- oval_affected(products) }}}
--      <description>Audit rules about the information on the use of privileged commands are enabled.</description>
--    </metadata>
-+    {{{ oval_metadata("Audit rules about the information on the use of privileged commands are enabled.") }}}
- 
-     <criteria operator="OR">
- 
-diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/oval/shared.xml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/oval/shared.xml
-index 43a81be325..85cbcd46e6 100644
---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/oval/shared.xml
-+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_immutable/oval/shared.xml
-@@ -1,10 +1,6 @@
- <def-group>
-   <definition class="compliance" id="audit_rules_immutable" version="1">
--    <metadata>
--      <title>Make Audit Configuration Immutable</title>
--      {{{- oval_affected(products) }}}
--      <description>Force a reboot to change audit rules is enabled</description>
--    </metadata>
-+    {{{ oval_metadata("Force a reboot to change audit rules is enabled") }}}
- 
-     <criteria operator="OR">
- 
-diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification/oval/shared.xml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification/oval/shared.xml
-index f02f22bc8b..657190656a 100644
---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification/oval/shared.xml
-+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_mac_modification/oval/shared.xml
-@@ -1,10 +1,6 @@
- <def-group>
-   <definition class="compliance" id="audit_rules_mac_modification" version="1">
--    <metadata>
--      <title>Record Events that Modify the System's Mandatory Access Controls</title>
--      {{{- oval_affected(products) }}}
--      <description>Audit rules that detect changes to the system's mandatory access controls (SELinux) are enabled.</description>
--    </metadata>
-+    {{{ oval_metadata("Audit rules that detect changes to the system's mandatory access controls (SELinux) are enabled.") }}}
- 
-     <criteria operator="OR">
- 
-diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_networkconfig_modification/oval/shared.xml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_networkconfig_modification/oval/shared.xml
-index 05a5723152..efae3ad5f0 100644
---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_networkconfig_modification/oval/shared.xml
-+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_networkconfig_modification/oval/shared.xml
-@@ -1,11 +1,7 @@
- <def-group>
-   <definition class="compliance" id="audit_rules_networkconfig_modification" version="1">
--    <metadata>
--      <title>Record Events that Modify the System's Network Environment</title>
--      {{{- oval_affected(products) }}}
--      <description>The network environment should not be modified by anything other than
--      administrator action. Any change to network parameters should be audited.</description>
--    </metadata>
-+    {{{ oval_metadata("The network environment should not be modified by anything other than
-+      administrator action. Any change to network parameters should be audited.") }}}
- 
-     <criteria operator="OR">
- 
-diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_session_events/oval/shared.xml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_session_events/oval/shared.xml
-index 87d5623aef..2db229e196 100644
---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_session_events/oval/shared.xml
-+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_session_events/oval/shared.xml
-@@ -1,10 +1,6 @@
- <def-group>
-   <definition class="compliance" id="audit_rules_session_events" version="1">
--    <metadata>
--      <title>Record Attempts to Alter Process and Session Initiation Information</title>
--      {{{- oval_affected(products) }}}
--      <description>Audit rules should capture information about session initiation.</description>
--    </metadata>
-+    {{{ oval_metadata("Audit rules should capture information about session initiation.") }}}
- 
-     <criteria operator="OR">
- 
-diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/oval/shared.xml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/oval/shared.xml
-index 136630e695..b081bf5535 100644
---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/oval/shared.xml
-+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_sysadmin_actions/oval/shared.xml
-@@ -1,10 +1,6 @@
- <def-group>
-   <definition class="compliance" id="audit_rules_sysadmin_actions" version="1">
--    <metadata>
--      <title>Audit System Administrator Actions</title>
--      {{{- oval_affected(products) }}}
--      <description>Audit actions taken by system administrators on the system.</description>
--    </metadata>
-+    {{{ oval_metadata("Audit actions taken by system administrators on the system.") }}}
-     <criteria operator="OR">
-       <criteria operator="AND">
-         <extend_definition comment="audit augenrules" definition_ref="audit_rules_augenrules" />
-diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/oval/shared.xml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/oval/shared.xml
-index 7b61de6021..b14b85eae5 100644
---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/oval/shared.xml
-+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_system_shutdown/oval/shared.xml
-@@ -1,17 +1,6 @@
- <def-group>
-   <definition class="compliance" id="audit_rules_system_shutdown" version="1">
--    <metadata>
--      <title>Shutdown System When Auditing Failures Occur</title>
--      <affected family="unix">
--        <platform>multi_platform_wrlinux</platform>
--        <platform>Red Hat Enterprise Linux 7</platform>
--        <platform>Red Hat Enterprise Linux 8</platform>
--        <platform>multi_platform_fedora</platform>
--        <platform>multi_platform_rhv</platform>
--        <platform>multi_platform_ol</platform>
--      </affected>
--      <description>The system will shutdown when auditing fails.</description>
--    </metadata>
-+    {{{ oval_metadata("The system will shutdown when auditing fails.") }}}
- 
-     <criteria operator="OR">
- 
-diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification/oval/shared.xml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification/oval/shared.xml
-index a05ae268b2..d38e6888b6 100644
---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification/oval/shared.xml
-+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_usergroup_modification/oval/shared.xml
-@@ -1,18 +1,6 @@
- <def-group>
-   <definition class="compliance" id="audit_rules_usergroup_modification" version="1">
--    <metadata>
--      <title>Audit User/Group Modification</title>
--      <affected family="unix">
--        <platform>Red Hat Virtualization 4</platform>
--        <platform>multi_platform_fedora</platform>
--        <platform>multi_platform_ol</platform>
--        <platform>multi_platform_rhel</platform>
--        <platform>multi_platform_wrlinux</platform>
--        <platform>multi_platform_ocp</platform>
--        <platform>multi_platform_rhcos</platform>
--      </affected>
--      <description>Audit rules should detect modification to system files that hold information about users and groups.</description>
--    </metadata>
-+    {{{ oval_metadata("Audit rules should detect modification to system files that hold information about users and groups.") }}}
-     <criteria operator="OR">
-       <criteria operator="AND">
-         <extend_definition comment="audit augenrules" definition_ref="audit_rules_augenrules" />
-diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_adjtimex/oval/shared.xml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_adjtimex/oval/shared.xml
-index 2f00d370ef..71a62b8747 100644
---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_adjtimex/oval/shared.xml
-+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_adjtimex/oval/shared.xml
-@@ -1,10 +1,6 @@
- <def-group>
-   <definition class="compliance" id="audit_rules_time_adjtimex" version="1">
--    <metadata>
--      <title>Record Attempts to Alter Time Through Adjtimex</title>
--      {{{- oval_affected(products) }}}
--      <description>Record attempts to alter time through adjtimex.</description>
--    </metadata>
-+    {{{ oval_metadata("Record attempts to alter time through adjtimex.") }}}
- 
-     <criteria operator="OR">
- 
-diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_clock_settime/oval/shared.xml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_clock_settime/oval/shared.xml
-index 9cf46d40dd..3d7aeb0ea6 100644
---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_clock_settime/oval/shared.xml
-+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_clock_settime/oval/shared.xml
-@@ -1,10 +1,6 @@
- <def-group>
-   <definition class="compliance" id="audit_rules_time_clock_settime" version="2">
--    <metadata>
--      <title>Record Attempts to Alter Time Through Clock_settime</title>
--      {{{- oval_affected(products) }}}
--      <description>Record attempts to alter time through clock_settime.</description>
--    </metadata>
-+    {{{ oval_metadata("Record attempts to alter time through clock_settime.") }}}
- 
-     <criteria operator="OR">
- 
-diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_settimeofday/oval/shared.xml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_settimeofday/oval/shared.xml
-index f6baf994ad..9a5e9ef091 100644
---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_settimeofday/oval/shared.xml
-+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_settimeofday/oval/shared.xml
-@@ -1,10 +1,6 @@
- <def-group>
-   <definition class="compliance" id="audit_rules_time_settimeofday" version="1">
--    <metadata>
--      <title>Record Attempts to Alter Time Through Settimeofday</title>
--      {{{- oval_affected(products) }}}
--      <description>Record attempts to alter time through settimeofday.</description>
--    </metadata>
-+    {{{ oval_metadata("Record attempts to alter time through settimeofday.") }}}
- 
-     <criteria operator="OR">
- 
-diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_stime/oval/shared.xml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_stime/oval/shared.xml
-index 8ccd8af234..96d6b453f0 100644
---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_stime/oval/shared.xml
-+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_stime/oval/shared.xml
-@@ -1,12 +1,8 @@
- <def-group>
-   <definition class="compliance" id="audit_rules_time_stime" version="1">
--    <metadata>
--      <title>Record Attempts to Alter Time Through Stime</title>
--      {{{- oval_affected(products) }}}
--      <description>Record attempts to alter time through stime. Note that on
-+    {{{ oval_metadata("Record attempts to alter time through stime. Note that on
-       64-bit architectures the stime system call is not defined in the audit
--      system calls lookup table.</description>
--    </metadata>
-+      system calls lookup table.") }}}
- 
-     <criteria operator="AND">
-       <!-- System is 32-bit or 64-bit -->
-diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_watch_localtime/oval/shared.xml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_watch_localtime/oval/shared.xml
-index ae4fe0935c..2904d9a164 100644
---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_watch_localtime/oval/shared.xml
-+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_time_rules/audit_rules_time_watch_localtime/oval/shared.xml
-@@ -1,10 +1,6 @@
- <def-group>
-   <definition class="compliance" id="audit_rules_time_watch_localtime" version="1">
--    <metadata>
--      <title>Record Attempts to Alter Time Through the Localtime File</title>
--      {{{- oval_affected(products) }}}
--      <description>Record attempts to alter time through /etc/localtime.</description>
--    </metadata>
-+    {{{ oval_metadata("Record attempts to alter time through /etc/localtime.") }}}
- 
-     <criteria operator="OR">
- 
-diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/directory_access_var_log_audit/oval/shared.xml b/linux_os/guide/system/auditing/auditd_configure_rules/directory_access_var_log_audit/oval/shared.xml
-index b5956e89a3..799b79ec08 100644
---- a/linux_os/guide/system/auditing/auditd_configure_rules/directory_access_var_log_audit/oval/shared.xml
-+++ b/linux_os/guide/system/auditing/auditd_configure_rules/directory_access_var_log_audit/oval/shared.xml
-@@ -1,10 +1,6 @@
- <def-group>
-   <definition class="compliance" id="directory_access_var_log_audit" version="1">
--    <metadata>
--      <title>Ensure auditd Collects Information Read Access to /var/log/audit</title>
--      {{{- oval_affected(products) }}}
--      <description>Audit rules about the read events to /var/log/audit</description>
--    </metadata>
-+    {{{ oval_metadata("Audit rules about the read events to /var/log/audit") }}}
- 
-     <criteria operator="OR">
- 
-diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/directory_permissions_var_log_audit/oval/shared.xml b/linux_os/guide/system/auditing/auditd_configure_rules/directory_permissions_var_log_audit/oval/shared.xml
-index 7852d25167..eb12b28928 100644
---- a/linux_os/guide/system/auditing/auditd_configure_rules/directory_permissions_var_log_audit/oval/shared.xml
-+++ b/linux_os/guide/system/auditing/auditd_configure_rules/directory_permissions_var_log_audit/oval/shared.xml
-@@ -1,10 +1,6 @@
- <def-group>
-   <definition class="compliance" id="directory_permissions_var_log_audit" version="1">
--    <metadata>
--      <title>Verify /var/log/audit Directory Permissions</title>
--      {{{- oval_affected(products) }}}
--      <description>Checks for correct permissions for /var/log/audit.</description>
--    </metadata>
-+    {{{ oval_metadata("Checks for correct permissions for /var/log/audit.") }}}
-     <criteria operator="OR">
-       <criterion test_ref="test_dir_permissions_var_log_audit" negate="true" />
-       <criteria operator="AND" comment="log_group in auditd.conf is not root">
-diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_var_log_audit/oval/shared.xml b/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_var_log_audit/oval/shared.xml
-index 281ef91284..7e4bfc3ef2 100644
---- a/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_var_log_audit/oval/shared.xml
-+++ b/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_var_log_audit/oval/shared.xml
-@@ -1,10 +1,6 @@
- <def-group>
-   <definition class="compliance" id="file_ownership_var_log_audit" version="3">
--    <metadata>
--      <title>Verify /var/log/audit Ownership</title>
--      {{{- oval_affected(products) }}}
--      <description>Checks that all /var/log/audit files and directories are owned by the root user and group.</description>
--    </metadata>
-+    {{{ oval_metadata("Checks that all /var/log/audit files and directories are owned by the root user and group.") }}}
-     <criteria operator="OR">
-       <criteria operator="AND" comment="directories are root owned">
-         <criterion test_ref="test_ownership_var_log_audit_files" />
-diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/file_permissions_var_log_audit/oval/shared.xml b/linux_os/guide/system/auditing/auditd_configure_rules/file_permissions_var_log_audit/oval/shared.xml
-index b421f4ff29..5941ea660f 100644
---- a/linux_os/guide/system/auditing/auditd_configure_rules/file_permissions_var_log_audit/oval/shared.xml
-+++ b/linux_os/guide/system/auditing/auditd_configure_rules/file_permissions_var_log_audit/oval/shared.xml
-@@ -1,10 +1,6 @@
- <def-group>
-   <definition class="compliance" id="file_permissions_var_log_audit" version="2">
--    <metadata>
--      <title>Verify /var/log/audit Permissions</title>
--      {{{- oval_affected(products) }}}
--      <description>Checks for correct permissions for all log files in /var/log/audit.</description>
--    </metadata>
-+    {{{ oval_metadata("Checks for correct permissions for all log files in /var/log/audit.") }}}
-     <criteria operator="OR">
-       <criterion test_ref="test_file_permissions_var_log_audit" negate="true" />
-       <criteria operator="AND" comment="log_group in auditd.conf is not root">
-diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_configure_remote_server/oval/shared.xml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_configure_remote_server/oval/shared.xml
-index 86c3451bed..8fa7704705 100644
---- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_configure_remote_server/oval/shared.xml
-+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_configure_remote_server/oval/shared.xml
-@@ -5,11 +5,7 @@
- {{% endif %}}
- <def-group>
-   <definition class="compliance" id="auditd_audispd_configure_remote_server" version="1">
--    <metadata>
--      <title>Configure audispd Plugin Remote Server IP address or Hostname</title>
--      {{{- oval_affected(products) }}}
--      <description>remote_server setting in {{{ audisp_config_file_path }}} is set to a certain IP address or hostname</description>
--    </metadata>
-+    {{{ oval_metadata("remote_server setting in " + audisp_config_file_path + " is set to a certain IP address or hostname") }}}
-     <criteria>
-         <criterion comment="remote_server setting in audisp-remote.conf" test_ref="test_auditd_audispd_configure_remote_server" />
-     </criteria>
-diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records/oval/shared.xml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records/oval/shared.xml
-index 6d82377bd5..768adf66bd 100644
---- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records/oval/shared.xml
-+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records/oval/shared.xml
-@@ -1,16 +1,6 @@
- <def-group>
-   <definition class="compliance" id="auditd_audispd_encrypt_sent_records" version="1">
--    <metadata>
--      <title>Kerberos 5 Authentication and Encryption in Audit Event Multiplexor (audispd) Is Activated</title>
--      <affected family="unix">
--        <platform>multi_platform_all</platform>
--      </affected>
--{{% if product in ["rhel8", "fedora", "ol8", "rhv4"] %}}
--      <description>transport setting in /etc/audit/audisp-remote.conf is set to 'KRB5'</description>
--{{% else %}}
--      <description>enable_krb5 setting in /etc/audisp/audisp-remote.conf is set to 'yes'</description>
--{{% endif %}}
--    </metadata>
-+    {{{ oval_metadata("enable_krb5 setting in /etc/audisp/audisp-remote.conf is set to 'yes'") }}}
- 
-     <criteria>
-       <criterion comment="setting in audisp-remote.conf" test_ref="test_auditd_audispd_encrypt_sent_records" />
-diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_syslog_plugin_activated/oval/shared.xml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_syslog_plugin_activated/oval/shared.xml
-index 5f1c548b74..cb035ca81d 100644
---- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_syslog_plugin_activated/oval/shared.xml
-+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_syslog_plugin_activated/oval/shared.xml
-@@ -1,16 +1,6 @@
- <def-group>
-   <definition class="compliance" id="auditd_audispd_syslog_plugin_activated" version="1">
--    <metadata>
--      <title>The syslog Plugin Of the Audit Event Multiplexor (audispd) Is Activated</title>
--      <affected family="unix">
--        <platform>multi_platform_all</platform>
--      </affected>
--{{% if product in ["rhel8", "fedora", "ol8", "rhv4"] %}}
--      <description>active setting in /etc/audit/plugins.d/syslog.conf is set to 'yes'</description>
--{{% else %}}
--      <description>active setting in /etc/audisp/plugins.d/syslog.conf is set to 'yes'</description>
--{{% endif %}}
--    </metadata>
-+    {{{ oval_metadata("active setting in /etc/audisp/plugins.d/syslog.conf is set to 'yes'") }}}
- 
-     <criteria>
-         <criterion comment="active setting in syslog.conf" test_ref="test_auditd_audispd_syslog_plugin_activated" />
-diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_error_action/oval/shared.xml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_error_action/oval/shared.xml
-index dce9b83be7..5bd9e34b1a 100644
---- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_error_action/oval/shared.xml
-+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_error_action/oval/shared.xml
-@@ -1,10 +1,6 @@
- <def-group>
-   <definition class="compliance" id="auditd_data_disk_error_action" version="1">
--    <metadata>
--      <title>Auditd Action to Take When Disk Errors</title>
--      {{{- oval_affected(products) }}}
--      <description>disk_error_action setting in /etc/audit/auditd.conf is set to a certain action</description>
--    </metadata>
-+    {{{ oval_metadata("disk_error_action setting in /etc/audit/auditd.conf is set to a certain action") }}}
- 
-     <criteria>
-         <criterion comment="disk_error_action setting in auditd.conf" test_ref="test_auditd_data_disk_error_action" />
-diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_full_action/oval/shared.xml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_full_action/oval/shared.xml
-index 775c354500..e5ecddfb23 100644
---- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_full_action/oval/shared.xml
-+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_full_action/oval/shared.xml
-@@ -1,10 +1,6 @@
- <def-group>
-   <definition class="compliance" id="auditd_data_disk_full_action" version="1">
--    <metadata>
--      <title>Auditd Action to Take When Disk Is Full</title>
--      {{{- oval_affected(products) }}}
--      <description>disk_full_action setting in /etc/audit/auditd.conf is set to a certain action</description>
--    </metadata>
-+    {{{ oval_metadata("disk_full_action setting in /etc/audit/auditd.conf is set to a certain action") }}}
- 
-     <criteria>
-         <criterion comment="disk_full_action setting in auditd.conf" test_ref="test_auditd_data_disk_full_action" />
-diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_action_mail_acct/oval/shared.xml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_action_mail_acct/oval/shared.xml
-index 175e5fa453..70e255d1a5 100644
---- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_action_mail_acct/oval/shared.xml
-+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_action_mail_acct/oval/shared.xml
-@@ -1,10 +1,6 @@
- <def-group>
-   <definition class="compliance" id="auditd_data_retention_action_mail_acct" version="2">
--    <metadata>
--      <title>Auditd Email Account to Notify Upon Action</title>
--      {{{- oval_affected(products) }}}
--      <description>action_mail_acct setting in /etc/audit/auditd.conf is set to a certain account</description>
--    </metadata>
-+    {{{ oval_metadata("action_mail_acct setting in /etc/audit/auditd.conf is set to a certain account") }}}
-     <criteria>
-         <criterion comment="action_mail_acct setting in auditd.conf" test_ref="test_auditd_data_retention_action_mail_acct" />
-     </criteria>
-diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left_action/oval/shared.xml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left_action/oval/shared.xml
-index ce56d0e9e5..a91ca9400d 100644
---- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left_action/oval/shared.xml
-+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left_action/oval/shared.xml
-@@ -1,10 +1,6 @@
- <def-group>
-   <definition class="compliance" id="auditd_data_retention_admin_space_left_action" version="2">
--    <metadata>
--      <title>Auditd Action to Take When Disk is Low on Space</title>
--      {{{- oval_affected(products) }}}
--      <description>admin_space_left_action setting in /etc/audit/auditd.conf is set to a certain action</description>
--    </metadata>
-+    {{{ oval_metadata("admin_space_left_action setting in /etc/audit/auditd.conf is set to a certain action") }}}
- 
-     <criteria>
-        <criterion comment="admin_space_left_action setting in auditd.conf" test_ref="test_auditd_data_retention_admin_space_left_action" />
-diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_flush/oval/shared.xml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_flush/oval/shared.xml
-index cf95dd7787..aeb2a061cb 100644
---- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_flush/oval/shared.xml
-+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_flush/oval/shared.xml
-@@ -1,10 +1,6 @@
- <def-group>
-   <definition class="compliance" id="auditd_data_retention_flush" version="1">
--    <metadata>
--      <title>Auditd priority for flushing data to disk</title>
--      {{{- oval_affected(products) }}}
--      <description>The setting for flush in /etc/audit/auditd.conf</description>
--    </metadata>
-+    {{{ oval_metadata("The setting for flush in /etc/audit/auditd.conf") }}}
- 
-     <criteria>
-         <criterion comment="flush setting in auditd.conf" test_ref="test_auditd_data_retention_flush" />
-diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file/oval/shared.xml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file/oval/shared.xml
-index 1aa572f681..962df13f97 100644
---- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file/oval/shared.xml
-+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file/oval/shared.xml
-@@ -1,10 +1,6 @@
- <def-group>
-   <definition class="compliance" id="auditd_data_retention_max_log_file" version="2">
--    <metadata>
--      <title>Auditd Maximum Log File Size</title>
--      {{{- oval_affected(products) }}}
--      <description>max_log_file setting in /etc/audit/auditd.conf is set to at least a certain value</description>
--    </metadata>
-+    {{{ oval_metadata("max_log_file setting in /etc/audit/auditd.conf is set to at least a certain value") }}}
- 
-     <criteria>
-         <criterion comment="max_log_file setting in auditd.conf" test_ref="test_auditd_data_retention_max_log_file" />
-diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file_action/oval/shared.xml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file_action/oval/shared.xml
-index 5a134f4c65..f1f1a81c1a 100644
---- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file_action/oval/shared.xml
-+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file_action/oval/shared.xml
-@@ -1,10 +1,6 @@
- <def-group>
-   <definition class="compliance" id="auditd_data_retention_max_log_file_action" version="2">
--    <metadata>
--      <title>Auditd Action to Take When Maximum Log Size Reached</title>
--      {{{- oval_affected(products) }}}
--      <description>max_log_file_action setting in /etc/audit/auditd.conf is set to a certain action</description>
--    </metadata>
-+    {{{ oval_metadata("max_log_file_action setting in /etc/audit/auditd.conf is set to a certain action") }}}
- 
-     <criteria>
-         <criterion comment="max_log_file_action setting in auditd.conf" test_ref="test_auditd_data_retention_max_log_file_action" />
-diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_num_logs/oval/shared.xml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_num_logs/oval/shared.xml
-index ce51d2451f..9feee77a3a 100644
---- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_num_logs/oval/shared.xml
-+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_num_logs/oval/shared.xml
-@@ -1,10 +1,6 @@
- <def-group>
-   <definition class="compliance" id="auditd_data_retention_num_logs" version="2">
--    <metadata>
--      <title>Auditd Maximum Number of Logs to Retain</title>
--      {{{- oval_affected(products) }}}
--      <description>num_logs setting in /etc/audit/auditd.conf is set to at least a certain value</description>
--    </metadata>
-+    {{{ oval_metadata("num_logs setting in /etc/audit/auditd.conf is set to at least a certain value") }}}
- 
-     <criteria>
-         <criterion comment="num_logs setting in auditd.conf" test_ref="test_auditd_data_retention_num_logs" />
-diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/oval/shared.xml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/oval/shared.xml
-index 294fdbd845..d83a2502b4 100644
---- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/oval/shared.xml
-+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/oval/shared.xml
-@@ -1,10 +1,6 @@
- <def-group>
-   <definition class="compliance" id="auditd_data_retention_space_left" version="2">
--    <metadata>
--      <title>Configure auditd space_left on Low Disk Space</title>
--      {{{- oval_affected(products) }}}
--      <description>space_left setting in /etc/audit/auditd.conf is set to at least a certain value</description>
--    </metadata>
-+    {{{ oval_metadata("space_left setting in /etc/audit/auditd.conf is set to at least a certain value") }}}
- 
-     <criteria>
-         <criterion comment="space_left setting in auditd.conf" test_ref="test_auditd_data_retention_space_left" />
-diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_action/oval/shared.xml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_action/oval/shared.xml
-index 50735c1696..9cfafeaef6 100644
---- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_action/oval/shared.xml
-+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_action/oval/shared.xml
-@@ -1,10 +1,6 @@
- <def-group>
-   <definition class="compliance" id="auditd_data_retention_space_left_action" version="3">
--    <metadata>
--      <title>Auditd Action to Take When Disk Starting to Run Low on Space</title>
--      {{{- oval_affected(products) }}}
--      <description>space_left_action setting in /etc/audit/auditd.conf is set to a certain action</description>
--    </metadata>
-+    {{{ oval_metadata("space_left_action setting in /etc/audit/auditd.conf is set to a certain action") }}}
- 
-     <criteria>
-         <criterion comment="space_left_action setting in auditd.conf" test_ref="test_auditd_data_retention_space_left_action" />
-diff --git a/linux_os/guide/system/auditing/policy_rules/audit_rules_for_ospp/oval/shared.xml b/linux_os/guide/system/auditing/policy_rules/audit_rules_for_ospp/oval/shared.xml
-index 0417f37941..748f0d4fb4 100644
---- a/linux_os/guide/system/auditing/policy_rules/audit_rules_for_ospp/oval/shared.xml
-+++ b/linux_os/guide/system/auditing/policy_rules/audit_rules_for_ospp/oval/shared.xml
-@@ -32,15 +32,7 @@
- 
- <def-group>
-   <definition class="compliance" id="audit_rules_for_ospp" version="1">
--    <metadata>
--      <title>Check audit rules for OSPP</title>
--      <affected family="unix">
--        <platform>Red Hat Enterprise Linux 7</platform>
--        <platform>Red Hat Enterprise Linux 8</platform>
--        <platform>multi_platform_ol</platform>
--      </affected>
--      <description>Compare configure audit rules againd the recommended pre-configured files</description>
--    </metadata>
-+    {{{ oval_metadata("Compare configure audit rules againd the recommended pre-configured files") }}}
- 
-     <criteria operator="AND">
-       {{{- audit_file_compare_criterion("10-base-config") -}}}
-diff --git a/linux_os/guide/system/bootloader-grub2/file_groupowner_efi_grub2_cfg/oval/shared.xml b/linux_os/guide/system/bootloader-grub2/file_groupowner_efi_grub2_cfg/oval/shared.xml
-index dc9f897a20..15f451bc8b 100644
---- a/linux_os/guide/system/bootloader-grub2/file_groupowner_efi_grub2_cfg/oval/shared.xml
-+++ b/linux_os/guide/system/bootloader-grub2/file_groupowner_efi_grub2_cfg/oval/shared.xml
-@@ -1,12 +1,6 @@
- <def-group>
-   <definition class="compliance" id="file_groupowner_efi_grub2_cfg" version="1">
--    <metadata>
--      <title>Verify the UEFI Boot Loader grub.cfg Group Owner</title>
--      <affected family="unix">
--        <platform>multi_platform_all</platform>
--      </affected>
--      <description>Verify that UEFI Boot Loader grub.cfg is group owned by 0.</description>
--    </metadata>
-+    {{{ oval_metadata("Verify that UEFI Boot Loader grub.cfg is group owned by 0.") }}}
-     <criteria operator="OR">
-       <extend_definition definition_ref="system_boot_mode_is_uefi" negate="true" comment="Pass if system boot mode is not UEFI" />
-       <criterion comment="Check file group ownership of /boot/efi/EFI/redhat/grub.cfg" test_ref="test_file_groupowner_efi_grub2_cfg" />
-diff --git a/linux_os/guide/system/bootloader-grub2/file_groupowner_grub2_cfg/oval/shared.xml b/linux_os/guide/system/bootloader-grub2/file_groupowner_grub2_cfg/oval/shared.xml
-index 89f2c5a2f5..69338c589f 100644
---- a/linux_os/guide/system/bootloader-grub2/file_groupowner_grub2_cfg/oval/shared.xml
-+++ b/linux_os/guide/system/bootloader-grub2/file_groupowner_grub2_cfg/oval/shared.xml
-@@ -1,12 +1,6 @@
- <def-group>
-   <definition class="compliance" id="file_groupowner_grub2_cfg" version="1">
--    <metadata>
--      <title>Verify /boot/grub2/grub.cfg Group Owner</title>
--      <affected family="unix">
--        <platform>multi_platform_all</platform>
--      </affected>
--      <description>Verify that /boot/grub2/grub.cfg is group owned by gid 0.</description>
--    </metadata>
-+    {{{ oval_metadata("Verify that /boot/grub2/grub.cfg is group owned by gid 0.") }}}
-     <criteria operator="OR">
-       <extend_definition definition_ref="system_boot_mode_is_uefi" comment="Pass if system boot mode is UEFI" />
-       <criterion comment="Check file group ownership of /boot/grub2/grub.cfg" test_ref="test_file_groupowner_grub2_cfg" />
-diff --git a/linux_os/guide/system/bootloader-grub2/file_owner_efi_grub2_cfg/oval/shared.xml b/linux_os/guide/system/bootloader-grub2/file_owner_efi_grub2_cfg/oval/shared.xml
-index 3a1c8ac484..c52ffa5210 100644
---- a/linux_os/guide/system/bootloader-grub2/file_owner_efi_grub2_cfg/oval/shared.xml
-+++ b/linux_os/guide/system/bootloader-grub2/file_owner_efi_grub2_cfg/oval/shared.xml
-@@ -1,12 +1,6 @@
- <def-group>
-   <definition class="compliance" id="file_owner_efi_grub2_cfg" version="1">
--    <metadata>
--      <title>Verify the UEFI Boot Loader grub.cfg Owner</title>
--      <affected family="unix">
--        <platform>multi_platform_all</platform>
--      </affected>
--      <description>Verify that UEFI Boot Loader grub.cfg is owned by uid 0.</description>
--    </metadata>
-+    {{{ oval_metadata("Verify that UEFI Boot Loader grub.cfg is owned by uid 0.") }}}
-     <criteria operator="OR">
-       <extend_definition definition_ref="system_boot_mode_is_uefi" negate="true" comment="Pass if system boot mode is not UEFI" />
-       <criterion comment="Check file ownership of /boot/efi/EFI/redhat/grub.cfg" test_ref="test_file_owner_efi_grub2_cfg" />
-diff --git a/linux_os/guide/system/bootloader-grub2/file_owner_grub2_cfg/oval/shared.xml b/linux_os/guide/system/bootloader-grub2/file_owner_grub2_cfg/oval/shared.xml
-index 2ad9400b63..35934a43ad 100644
---- a/linux_os/guide/system/bootloader-grub2/file_owner_grub2_cfg/oval/shared.xml
-+++ b/linux_os/guide/system/bootloader-grub2/file_owner_grub2_cfg/oval/shared.xml
-@@ -1,12 +1,6 @@
- <def-group>
-   <definition class="compliance" id="file_owner_grub2_cfg" version="1">
--    <metadata>
--      <title>Verify /boot/grub2/grub.cfg Owner</title>
--      <affected family="unix">
--        <platform>multi_platform_all</platform>
--      </affected>
--      <description>Verify that /boot/grub2/grub.cfg is owned by uid 0.</description>
--    </metadata>
-+    {{{ oval_metadata("Verify that /boot/grub2/grub.cfg is owned by uid 0.") }}}
-     <criteria operator="OR">
-       <extend_definition definition_ref="system_boot_mode_is_uefi" comment="Pass if system boot mode is UEFI" />
-       <criterion comment="Check file ownership of /boot/grub2/grub.cfg" test_ref="test_file_owner_grub2_cfg" />
-diff --git a/linux_os/guide/system/bootloader-grub2/file_permissions_efi_grub2_cfg/oval/shared.xml b/linux_os/guide/system/bootloader-grub2/file_permissions_efi_grub2_cfg/oval/shared.xml
-index cd3f63940d..7c2259dbcd 100644
---- a/linux_os/guide/system/bootloader-grub2/file_permissions_efi_grub2_cfg/oval/shared.xml
-+++ b/linux_os/guide/system/bootloader-grub2/file_permissions_efi_grub2_cfg/oval/shared.xml
-@@ -1,15 +1,6 @@
- <def-group>
-   <definition class="compliance" id="file_permissions_efi_grub2_cfg" version="1">
--    <metadata>
--      <title>Verify the UEFI Boot Loader grub.cfg Permissions</title>
--      <affected family="unix">
--        <platform>Red Hat Enterprise Linux 7</platform>
--        <platform>Red Hat Enterprise Linux 8</platform>
--        <platform>multi_platform_fedora</platform>
--        <platform>multi_platform_ol</platform>
--      </affected>
--      <description>Verify that UEFI Boot Loader grub.cfg file permissions set to 0700 (or stronger).</description>
--    </metadata>
-+    {{{ oval_metadata("Verify that UEFI Boot Loader grub.cfg file permissions set to 0700 (or stronger).") }}}
-     <criteria operator="OR">
-       <extend_definition definition_ref="system_boot_mode_is_uefi" negate="true" comment="Pass if system boot mode is not UEFI" />
-       <criterion test_ref="test_file_permissions_efi_grub2_cfg" />
-diff --git a/linux_os/guide/system/bootloader-grub2/file_permissions_grub2_cfg/oval/shared.xml b/linux_os/guide/system/bootloader-grub2/file_permissions_grub2_cfg/oval/shared.xml
-index 7968689769..b03704e700 100644
---- a/linux_os/guide/system/bootloader-grub2/file_permissions_grub2_cfg/oval/shared.xml
-+++ b/linux_os/guide/system/bootloader-grub2/file_permissions_grub2_cfg/oval/shared.xml
-@@ -1,12 +1,6 @@
- <def-group>
-   <definition class="compliance" id="file_permissions_grub2_cfg" version="1">
--    <metadata>
--      <title>Verify /boot/grub2/grub.cfg Mode Permissions</title>
--      <affected family="unix">
--        <platform>multi_platform_all</platform>
--      </affected>
--      <description>File permissions for /boot/grub2/grub.cfg should be set to 0600 (or stronger).</description>
--    </metadata>
-+    {{{ oval_metadata("File permissions for /boot/grub2/grub.cfg should be set to 0600 (or stronger).") }}}
-     <criteria operator="OR">
-       <extend_definition definition_ref="system_boot_mode_is_uefi" comment="Pass if system boot mode is UEFI" />      
-       <criterion comment="Check file mode of /boot/grub2/grub.cfg" test_ref="test_file_permissions_grub2_cfg" />
-diff --git a/linux_os/guide/system/bootloader-grub2/grub2_admin_username/oval/shared.xml b/linux_os/guide/system/bootloader-grub2/grub2_admin_username/oval/shared.xml
-index 7906fde4ac..c93ad9b888 100644
---- a/linux_os/guide/system/bootloader-grub2/grub2_admin_username/oval/shared.xml
-+++ b/linux_os/guide/system/bootloader-grub2/grub2_admin_username/oval/shared.xml
-@@ -1,10 +1,6 @@
- <def-group>
-   <definition class="compliance" id="grub2_admin_username" version="1">
--    <metadata>
--      <title>Set Boot Loader Superuser Username to Unique Value</title>
--      {{{- oval_affected(products) }}}
--      <description>The grub2 boot loader superuser should have a username that is hard to guess.</description>
--    </metadata>
-+    {{{ oval_metadata("The grub2 boot loader superuser should have a username that is hard to guess.") }}}
- 
-     <criteria operator="OR">
-       {{{ oval_file_absent_criterion("/boot/grub2/grub.cfg", rule_id + "_grub_cfg") }}}
-diff --git a/linux_os/guide/system/bootloader-grub2/grub2_enable_iommu_force/oval/shared.xml b/linux_os/guide/system/bootloader-grub2/grub2_enable_iommu_force/oval/shared.xml
-index 6757c79438..0552ef2a64 100644
---- a/linux_os/guide/system/bootloader-grub2/grub2_enable_iommu_force/oval/shared.xml
-+++ b/linux_os/guide/system/bootloader-grub2/grub2_enable_iommu_force/oval/shared.xml
-@@ -1,12 +1,6 @@
- <def-group>
-   <definition class="compliance" id="grub2_enable_iommu_force" version="1">
--    <metadata>
--      <title>Force IOMMU usage in GRUB2</title>
--      <affected family="unix">
--        <platform>multi_platform_all</platform>
--      </affected>
--      <description>Ensure iommu=force is configured in the kernel line in /etc/default/grub.</description>
--    </metadata>
-+    {{{ oval_metadata("Ensure iommu=force is configured in the kernel line in /etc/default/grub.") }}}
-     <criteria operator="AND">
-       <extend_definition definition_ref="grub2_default_exists" comment="check for GRUB_CMDLINE_LINUX_DEFAULT exists in /etc/default/grub" />
-       <criteria operator="OR">
-diff --git a/linux_os/guide/system/bootloader-grub2/grub2_password/oval/shared.xml b/linux_os/guide/system/bootloader-grub2/grub2_password/oval/shared.xml
-index eaa4b66e7b..657f259c0f 100644
---- a/linux_os/guide/system/bootloader-grub2/grub2_password/oval/shared.xml
-+++ b/linux_os/guide/system/bootloader-grub2/grub2_password/oval/shared.xml
-@@ -1,11 +1,7 @@
- {{% set grub_cfg_prefix = "/boot/grub2" %}}
- <def-group>
-   <definition class="compliance" id="grub2_password" version="1">
--    <metadata>
--      <title>Set Boot Loader Password</title>
--      {{{- oval_affected(products) }}}
--      <description>The grub2 boot loader should have password protection enabled.</description>
--    </metadata>
-+    {{{ oval_metadata("The grub2 boot loader should have password protection enabled.") }}}
- 
-     <criteria operator="OR">
-       {{{ oval_file_absent_criterion(grub_cfg_prefix + "/grub.cfg", rule_id + "_grub_cfg") }}}
-diff --git a/linux_os/guide/system/bootloader-grub2/grub2_uefi_admin_username/oval/shared.xml b/linux_os/guide/system/bootloader-grub2/grub2_uefi_admin_username/oval/shared.xml
-index b3b2051775..6142c8cdc3 100644
---- a/linux_os/guide/system/bootloader-grub2/grub2_uefi_admin_username/oval/shared.xml
-+++ b/linux_os/guide/system/bootloader-grub2/grub2_uefi_admin_username/oval/shared.xml
-@@ -1,10 +1,6 @@
- <def-group>
-   <definition class="compliance" id="grub2_uefi_admin_username" version="1">
--    <metadata>
--      <title>Set the UEFI Boot Loader Superuser Username to Unique Value</title>
--      {{{- oval_affected(products) }}}
--      <description>The grub2 boot loader superuser should have a username that is hard to guess.</description>
--    </metadata>
-+    {{{ oval_metadata("The grub2 boot loader superuser should have a username that is hard to guess.") }}}
- 
-     <criteria operator="OR">
-       {{{ oval_file_absent_criterion("/boot/efi/EFI/redhat/grub.cfg", rule_id + "_grub_cfg") }}}
-diff --git a/linux_os/guide/system/bootloader-grub2/grub2_uefi_password/oval/shared.xml b/linux_os/guide/system/bootloader-grub2/grub2_uefi_password/oval/shared.xml
-index bd00a9b13f..6d2a69d2ca 100644
---- a/linux_os/guide/system/bootloader-grub2/grub2_uefi_password/oval/shared.xml
-+++ b/linux_os/guide/system/bootloader-grub2/grub2_uefi_password/oval/shared.xml
-@@ -6,11 +6,7 @@
- 
- <def-group>
-   <definition class="compliance" id="grub2_uefi_password" version="1">
--    <metadata>
--      <title>Set the UEFI Boot Loader Password</title>
--      {{{- oval_affected(products) }}}
--      <description>The UEFI grub2 boot loader should have password protection enabled.</description>
--    </metadata>
-+    {{{ oval_metadata("The UEFI grub2 boot loader should have password protection enabled.") }}}
- 
-     <criteria operator="OR">
-       {{{ oval_file_absent_criterion(grub_cfg_prefix + "/grub.cfg", rule_id + "_grub_cfg") }}}
-diff --git a/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/oval/shared.xml b/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/oval/shared.xml
-index 1ebf03ee37..986ee8ea0a 100644
---- a/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/oval/shared.xml
-+++ b/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/oval/shared.xml
-@@ -1,10 +1,6 @@
- <def-group>
-   <definition class="compliance" id="zipl_bls_entries_only" version="1">
--    <metadata>
--      <title>Ensure zIPL entries are BLS compliant</title>
--      {{{- oval_affected(products) }}}
--      <description>Check if /etc/zipl.conf configures any boot entry</description>
--    </metadata>
-+    {{{ oval_metadata("Check if /etc/zipl.conf configures any boot entry") }}}
-     <criteria operator="AND">
-       <criterion test_ref="test_zipl_bls_entries_only"
-       comment="Test presence of image configuration in /etc/zipl.conf" />
-diff --git a/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/oval/shared.xml b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/oval/shared.xml
-index 6c446cbe59..5da4994cc5 100644
---- a/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/oval/shared.xml
-+++ b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/oval/shared.xml
-@@ -1,10 +1,6 @@
- <def-group>
-   <definition class="compliance" id="zipl_bootmap_is_up_to_date" version="1">
--    <metadata>
--      <title>Ensure zIPL bootmap is up to date</title>
--      {{{- oval_affected(products) }}}
--      <description>Check if /boot/bootmap is up to date</description>
--    </metadata>
-+    {{{ oval_metadata("Check if /boot/bootmap is up to date") }}}
-     <criteria operator="AND">
-       <criterion test_ref="test_zipl_bootmap_is_up_to_date"
-       comment="Compare mtime of /boot/bootmap against /etc/zipl.conf and /boot/loader/entries/*.conf" />
-diff --git a/linux_os/guide/system/logging/configure_logwatch_on_logserver/logwatch_configured_hostlimit/oval/shared.xml b/linux_os/guide/system/logging/configure_logwatch_on_logserver/logwatch_configured_hostlimit/oval/shared.xml
-index aebf947092..a1ad9be824 100644
---- a/linux_os/guide/system/logging/configure_logwatch_on_logserver/logwatch_configured_hostlimit/oval/shared.xml
-+++ b/linux_os/guide/system/logging/configure_logwatch_on_logserver/logwatch_configured_hostlimit/oval/shared.xml
-@@ -1,12 +1,6 @@
- <def-group>
-   <definition class="compliance" id="logwatch_configured_hostlimit" version="1">
--    <metadata>
--      <title>Ensure Logwatch HostLimit Configured</title>
--      <affected family="unix">
--        <platform>multi_platform_rhel</platform>
--      </affected>
--      <description>Test if HostLimit line in logwatch.conf is set appropriately.</description>
--    </metadata>
-+    {{{ oval_metadata("Test if HostLimit line in logwatch.conf is set appropriately.") }}}
-     <criteria operator="AND">
-       <criterion comment="Test value of HostLimit" test_ref="test_logwatch_configured_hostlimit" />
-     </criteria>
-diff --git a/linux_os/guide/system/logging/configure_logwatch_on_logserver/logwatch_configured_splithosts/oval/shared.xml b/linux_os/guide/system/logging/configure_logwatch_on_logserver/logwatch_configured_splithosts/oval/shared.xml
-index 173dae3a99..1e6afb46fc 100644
---- a/linux_os/guide/system/logging/configure_logwatch_on_logserver/logwatch_configured_splithosts/oval/shared.xml
-+++ b/linux_os/guide/system/logging/configure_logwatch_on_logserver/logwatch_configured_splithosts/oval/shared.xml
-@@ -1,12 +1,6 @@
- <def-group>
-   <definition class="compliance" id="logwatch_configured_splithosts" version="1">
--    <metadata>
--      <title>Ensure Logwatch SplitHosts Configured</title>
--      <affected family="unix">
--        <platform>multi_platform_rhel</platform>
--      </affected>
--      <description>Check if SplitHosts line in logwatch.conf is set appropriately.</description>
--    </metadata>
-+    {{{ oval_metadata("Check if SplitHosts line in logwatch.conf is set appropriately.") }}}
-     <criteria>
-       <criterion comment="Test value of SplitHosts" test_ref="test_logwatch_configured_splithosts" />
-     </criteria>
-diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_cron_logging/oval/shared.xml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_cron_logging/oval/shared.xml
-index 97e8d85b02..e72db1f576 100644
---- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_cron_logging/oval/shared.xml
-+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_cron_logging/oval/shared.xml
-@@ -1,17 +1,7 @@
- <def-group>
-   <definition class="compliance"
-   id="rsyslog_cron_logging" version="1">
--    <metadata>
--      <title>Verify Cron is Logging to Rsyslog</title>
--      <affected family="unix">
--        <platform>Red Hat Virtualization 4</platform>
--        <platform>multi_platform_fedora</platform>
--        <platform>multi_platform_ol</platform>
--        <platform>multi_platform_rhel</platform>
--        <platform>multi_platform_wrlinux</platform>
--      </affected>
--      <description>Rsyslog should be configured to capture cron messages.</description>
--    </metadata>
-+    {{{ oval_metadata("Rsyslog should be configured to capture cron messages.") }}}
-     <criteria operator="OR">
-       <criterion comment="cron is configured in /etc/rsyslog.conf"
-       test_ref="test_cron_logging_rsyslog" />
-diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/oval/shared.xml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/oval/shared.xml
-index 9941e2b94f..935b826554 100644
---- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/oval/shared.xml
-+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/oval/shared.xml
-@@ -1,17 +1,6 @@
- <def-group oval_version="5.11">
-   <definition class="compliance" id="rsyslog_files_groupownership" version="1">
--    <metadata>
--      <title>Confirm Existence and Permissions of System Log Files</title>
--      <affected family="unix">
--        <platform>Red Hat Virtualization 4</platform>
--        <platform>multi_platform_debian</platform>
--        <platform>multi_platform_fedora</platform>
--        <platform>multi_platform_ol</platform>
--        <platform>multi_platform_rhel</platform>
--        <platform>multi_platform_ubuntu</platform>
--      </affected>
--      <description>All syslog log files should be owned by the appropriate group.</description>
--    </metadata>
-+    {{{ oval_metadata("All syslog log files should be owned by the appropriate group.") }}}
- 
-     <criteria operator="AND">
-       {{% if product in ["debian8", "debian9", "debian10", "ubuntu1404", "ubuntu1604"] %}}
-diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/oval/shared.xml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/oval/shared.xml
-index 29dd1a989e..15f776eb52 100644
---- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/oval/shared.xml
-+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/oval/shared.xml
-@@ -1,17 +1,6 @@
- <def-group oval_version="5.11">
-   <definition class="compliance" id="rsyslog_files_ownership" version="1">
--    <metadata>
--      <title>Confirm Existence and Permissions of System Log Files</title>
--      <affected family="unix">
--        <platform>Red Hat Virtualization 4</platform>
--        <platform>multi_platform_debian</platform>
--        <platform>multi_platform_fedora</platform>
--        <platform>multi_platform_ol</platform>
--        <platform>multi_platform_rhel</platform>
--        <platform>multi_platform_ubuntu</platform>
--      </affected>
--      <description>All syslog log files should be owned by the appropriate user.</description>
--    </metadata>
-+    {{{ oval_metadata("All syslog log files should be owned by the appropriate user.") }}}
- 
-     <criteria>
-       <criterion comment="Check if all system log files are owned by root user" test_ref="test_rsyslog_files_ownership" />
-diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml
-index da37a15b8c..884f2f8d88 100644
---- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml
-+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_permissions/oval/shared.xml
-@@ -1,17 +1,6 @@
- <def-group oval_version="5.11">
-   <definition class="compliance" id="rsyslog_files_permissions" version="1">
--    <metadata>
--      <title>Confirm Existence and Permissions of System Log Files</title>
--      <affected family="unix">
--        <platform>Red Hat Virtualization 4</platform>
--        <platform>multi_platform_debian</platform>
--        <platform>multi_platform_fedora</platform>
--        <platform>multi_platform_ol</platform>
--        <platform>multi_platform_rhel</platform>
--        <platform>multi_platform_ubuntu</platform>
--      </affected>
--      <description>File permissions for all syslog log files should be set correctly.</description>
--    </metadata>
-+    {{{ oval_metadata("File permissions for all syslog log files should be set correctly.") }}}
- 
-     <criteria operator="AND">
-       {{% if product in ["debian8", "debian9", "debian10", "ubuntu1404", "ubuntu1604", "ubuntu1804"] %}}
-diff --git a/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/oval/shared.xml b/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/oval/shared.xml
-index d85aad59ea..13eb5f2d4d 100644
---- a/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/oval/shared.xml
-+++ b/linux_os/guide/system/logging/log_rotation/ensure_logrotate_activated/oval/shared.xml
-@@ -1,14 +1,8 @@
- <def-group>
-   <definition class="compliance" id="ensure_logrotate_activated" version="1">
--    <metadata>
--      <title>Ensure the logrotate utility performs the automatic rotation of log files on daily basis</title>
--      <affected family="unix">
--        <platform>multi_platform_all</platform>
--      </affected>
--      <description>
-+    {{{ oval_metadata("
-       The frequency of automatic log files rotation performed by the logrotate utility should be configured to run daily
--      </description>
--    </metadata>
-+      ") }}}
-     <criteria comment="/etc/logrotate.conf contains daily setting and /etc/cron.daily/logrotate file exists" operator="AND">
-       <criterion comment="Check if daily is set in /etc/logrotate.conf"
-       test_ref="test_logrotate_conf_daily_setting" />
-diff --git a/linux_os/guide/system/logging/rsyslog_accepting_remote_messages/rsyslog_nolisten/oval/shared.xml b/linux_os/guide/system/logging/rsyslog_accepting_remote_messages/rsyslog_nolisten/oval/shared.xml
-index 59331585bf..b96a39c665 100644
---- a/linux_os/guide/system/logging/rsyslog_accepting_remote_messages/rsyslog_nolisten/oval/shared.xml
-+++ b/linux_os/guide/system/logging/rsyslog_accepting_remote_messages/rsyslog_nolisten/oval/shared.xml
-@@ -1,16 +1,6 @@
- <def-group>
-   <definition class="compliance" id="rsyslog_nolisten" version="2">
--    <metadata>
--      <title>Disable Rsyslogd from Accepting Remote Messages on Loghosts
--      Only</title>
--      <affected family="unix">
--        <platform>Red Hat Virtualization 4</platform>
--        <platform>multi_platform_rhel</platform>
--        <platform>multi_platform_wrlinux</platform>
--        <platform>multi_platform_ol</platform>
--      </affected>
--      <description>rsyslogd should reject remote messages</description>
--    </metadata>
-+    {{{ oval_metadata("rsyslogd should reject remote messages") }}}
-     <criteria>
-       <criterion comment="Conditions are satisfied"
-       test_ref="test_rsyslog_nolisten" />
-diff --git a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/oval/shared.xml b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/oval/shared.xml
-index 22307d40d2..5895b7fab2 100644
---- a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/oval/shared.xml
-+++ b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/oval/shared.xml
-@@ -1,18 +1,6 @@
- <def-group>
-   <definition class="compliance" id="rsyslog_remote_loghost" version="1">
--    <metadata>
--      <title>Send Logs to a Remote Loghost</title>
--      <affected family="unix">
--        <platform>Red Hat Virtualization 4</platform>
--        <platform>multi_platform_debian</platform>
--        <platform>multi_platform_fedora</platform>
--        <platform>multi_platform_ol</platform>
--        <platform>multi_platform_rhel</platform>
--        <platform>multi_platform_ubuntu</platform>
--        <platform>multi_platform_wrlinux</platform>
--      </affected>
--      <description>Syslog logs should be sent to a remote loghost</description>
--    </metadata>
-+    {{{ oval_metadata("Syslog logs should be sent to a remote loghost") }}}
-     <criteria operator="OR">
-       <criterion comment="Remote logging set within /etc/rsyslog.conf" test_ref="test_remote_rsyslog_conf" />
-       <criterion comment="Remote logging set within /etc/rsyslog.d" test_ref="test_remote_rsyslog_d" />
-diff --git a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_tls/oval/shared.xml b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_tls/oval/shared.xml
-index 31272b3905..ead7a770fd 100644
---- a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_tls/oval/shared.xml
-+++ b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_tls/oval/shared.xml
-@@ -1,14 +1,6 @@
- <def-group>
-   <definition class="compliance" id="rsyslog_remote_tls" version="1">
--    <metadata>
--      <title>Check that rsyslog is configured to use TLS for remote logging</title>
--      <affected family="unix">
--        <platform>multi_platform_fedora</platform>
--        <platform>Red Hat Enterprise Linux 8</platform>
--        <platform>Oracle Linux 8</platform>
--      </affected>
--      <description>Check that all needed TLS-related options are present</description>
--    </metadata>
-+    {{{ oval_metadata("Check that all needed TLS-related options are present") }}}
-     <criteria comment="Check that rsyslog is configured to use TLS for remote logging" operator="AND">
-       <criterion comment="Check that all needed TLS-related options are present" test_ref="test_rsyslog_remote_tls" />
-     </criteria>
-diff --git a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_tls_cacert/oval/shared.xml b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_tls_cacert/oval/shared.xml
-index 7d43aa39a6..4f05eada51 100644
---- a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_tls_cacert/oval/shared.xml
-+++ b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_tls_cacert/oval/shared.xml
-@@ -1,14 +1,6 @@
- <def-group>
-   <definition class="compliance" id="rsyslog_remote_tls_cacert" version="1">
--    <metadata>
--      <title>Check that CA certificate is configured for rsyslog remote logging</title>
--      <affected family="unix">
--        <platform>multi_platform_fedora</platform>
--        <platform>Red Hat Enterprise Linux 8</platform>
--        <platform>Oracle Linux 8</platform>
--      </affected>
--      <description>Check that the CA certificate path is set</description>
--    </metadata>
-+    {{{ oval_metadata("Check that the CA certificate path is set") }}}
-     <criteria comment="Check that CA certificate is configured for rsyslog remote logging" operator="AND">
-       <criterion comment="Check that the CA certificate path is set" test_ref="test_rsyslog_remote_tls_cacert" />
-     </criteria>
-diff --git a/linux_os/guide/system/network/network-firewalld/ruleset_modifications/configure_firewalld_ports/oval/shared.xml b/linux_os/guide/system/network/network-firewalld/ruleset_modifications/configure_firewalld_ports/oval/shared.xml
-index 8efeb7c33e..68ba778cf9 100644
---- a/linux_os/guide/system/network/network-firewalld/ruleset_modifications/configure_firewalld_ports/oval/shared.xml
-+++ b/linux_os/guide/system/network/network-firewalld/ruleset_modifications/configure_firewalld_ports/oval/shared.xml
-@@ -1,17 +1,7 @@
- <def-group>
-   <definition class="compliance" id="configure_firewalld_ports" version="1">
--    <metadata>
--      <title>Configure the Firewalld Ports</title>
--      <affected family="unix">
--        <platform>Red Hat Enterprise Linux 7</platform>
--        <platform>Red Hat Enterprise Linux 8</platform>
--        <platform>Red Hat Virtualization 4</platform>
--        <platform>multi_platform_wrlinux</platform>
--        <platform>multi_platform_ol</platform>
--      </affected>
--      <description>Configure the firewalld ports to allow approved
--      services to have access to the system.</description>
--    </metadata>
-+    {{{ oval_metadata("Configure the firewalld ports to allow approved
-+      services to have access to the system.") }}}
-     <criteria operator="AND">
-       <extend_definition comment="ssh port is enabled" definition_ref="firewalld_sshd_port_enabled" />
-     </criteria>
-diff --git a/linux_os/guide/system/network/network-firewalld/ruleset_modifications/configure_firewalld_rate_limiting/oval/shared.xml b/linux_os/guide/system/network/network-firewalld/ruleset_modifications/configure_firewalld_rate_limiting/oval/shared.xml
-index 1ec35d208d..2383158c07 100644
---- a/linux_os/guide/system/network/network-firewalld/ruleset_modifications/configure_firewalld_rate_limiting/oval/shared.xml
-+++ b/linux_os/guide/system/network/network-firewalld/ruleset_modifications/configure_firewalld_rate_limiting/oval/shared.xml
-@@ -1,17 +1,6 @@
- <def-group>
-   <definition class="compliance" id="configure_firewalld_rate_limiting" version="1">
--    <metadata>
--      <title>Configure firewalld To Rate Limit Connections</title>
--      <affected family="unix">
--        <platform>Red Hat Enterprise Linux 7</platform>
--        <!--  there is problem with remediation on rhel8 -->
--        <platform>Red Hat Enterprise Linux 8</platform>
--        -->
--        <platform>multi_platform_wrlinux</platform>
--        <platform>multi_platform_ol</platform>
--      </affected>
--      <description>Create a direct firewall rule to protect against DoS attacks by rate limiting incoming connections.</description>
--    </metadata>
-+    {{{ oval_metadata("Create a direct firewall rule to protect against DoS attacks by rate limiting incoming connections.") }}}
-     <criteria operator="AND">
-       <criterion comment="check if the file /etc/firewalld/direct.xml contains correct rule" test_ref="test_firewalld_rate_limiting"/>
-     </criteria>
-diff --git a/linux_os/guide/system/network/network-firewalld/ruleset_modifications/set_firewalld_default_zone/oval/shared.xml b/linux_os/guide/system/network/network-firewalld/ruleset_modifications/set_firewalld_default_zone/oval/shared.xml
-index cc275f028d..d1c89b4fc8 100644
---- a/linux_os/guide/system/network/network-firewalld/ruleset_modifications/set_firewalld_default_zone/oval/shared.xml
-+++ b/linux_os/guide/system/network/network-firewalld/ruleset_modifications/set_firewalld_default_zone/oval/shared.xml
-@@ -1,16 +1,6 @@
- <def-group>
-   <definition class="compliance" id="set_firewalld_default_zone" version="2">
--    <metadata>
--      <title>Change the default firewalld zone to drop</title>
--      <affected family="unix">
--        <platform>Red Hat Enterprise Linux 7</platform>
--        <platform>Red Hat Enterprise Linux 8</platform>
--        <platform>Red Hat Virtualization 4</platform>
--        <platform>multi_platform_fedora</platform>
--        <platform>multi_platform_ol</platform>
--      </affected>
--      <description>Change the default firewalld zone to drop.</description>
--    </metadata>
-+    {{{ oval_metadata("Change the default firewalld zone to drop.") }}}
-     <criteria>
-       <criterion comment="Set default zone to drop" test_ref="test_firewalld_input_drop" />
-     </criteria>
-diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/network_ipv6_default_gateway/oval/shared.xml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/network_ipv6_default_gateway/oval/shared.xml
-index 5855da2d04..cd126417f3 100644
---- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/network_ipv6_default_gateway/oval/shared.xml
-+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/network_ipv6_default_gateway/oval/shared.xml
-@@ -1,14 +1,7 @@
- <def-group>
-   <definition class="compliance"
-   id="network_ipv6_default_gateway" version="1">
--    <metadata>
--      <title>Manually Assign IPv6 Router Address</title>
--      <affected family="unix">
--        <platform>multi_platform_rhel</platform>
--        <platform>multi_platform_ol</platform>
--      </affected>
--      <description>Define default gateways for IPv6 traffic</description>
--    </metadata>
-+    {{{ oval_metadata("Define default gateways for IPv6 traffic") }}}
-     <criteria operator="OR">
-       {{%- if product == "rhel6" -%}}
-       <extend_definition comment="IPv6 disabled or..."
-diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/network_ipv6_privacy_extensions/oval/shared.xml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/network_ipv6_privacy_extensions/oval/shared.xml
-index 06751697fa..011425968c 100644
---- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/network_ipv6_privacy_extensions/oval/shared.xml
-+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/network_ipv6_privacy_extensions/oval/shared.xml
-@@ -1,16 +1,7 @@
- <def-group>
-   <definition class="compliance"
-   id="network_ipv6_privacy_extensions" version="1">
--    <metadata>
--      <title>Enable Privacy Extensions for IPv6</title>
--      <affected family="unix">
--        <platform>Red Hat Virtualization 4</platform>
--        <platform>multi_platform_fedora</platform>
--        <platform>multi_platform_rhel</platform>
--        <platform>multi_platform_ol</platform>
--      </affected>
--      <description>Enable privacy extensions for IPv6</description>
--    </metadata>
-+    {{{ oval_metadata("Enable privacy extensions for IPv6") }}}
-     <criteria operator="OR">
-       {{%- if product == "rhel6" -%}}
-       <extend_definition comment="IPv6 disabled or..."
-diff --git a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/network_ipv6_static_address/oval/shared.xml b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/network_ipv6_static_address/oval/shared.xml
-index 3213456bce..6f8d5f74fb 100644
---- a/linux_os/guide/system/network/network-ipv6/configuring_ipv6/network_ipv6_static_address/oval/shared.xml
-+++ b/linux_os/guide/system/network/network-ipv6/configuring_ipv6/network_ipv6_static_address/oval/shared.xml
-@@ -1,14 +1,7 @@
- <def-group>
-   <definition class="compliance"
-   id="network_ipv6_static_address" version="1">
--    <metadata>
--      <title>Manually Assign Global IPv6 Address</title>
--      <affected family="unix">
--        <platform>multi_platform_rhel</platform>
--        <platform>multi_platform_ol</platform>
--      </affected>
--      <description>Manually configure addresses for IPv6</description>
--    </metadata>
-+    {{{ oval_metadata("Manually configure addresses for IPv6") }}}
-     <criteria operator="OR">
-       {{%- if product == "rhel6" -%}}
-       <extend_definition comment="IPv6 disabled or..."
-diff --git a/linux_os/guide/system/network/network-ipv6/disabling_ipv6/kernel_module_ipv6_option_disabled/oval/shared.xml b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/kernel_module_ipv6_option_disabled/oval/shared.xml
-index 87ccb1daac..59e929f8df 100644
---- a/linux_os/guide/system/network/network-ipv6/disabling_ipv6/kernel_module_ipv6_option_disabled/oval/shared.xml
-+++ b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/kernel_module_ipv6_option_disabled/oval/shared.xml
-@@ -1,12 +1,6 @@
- <def-group>
-   <definition class="compliance" id="kernel_module_ipv6_option_disabled" version="1">
--    <metadata>
--      <title>Disable IPv6 Kernel Module Functionality via Disable Option</title>
--      <affected family="unix">
--        <platform>multi_platform_all</platform>
--      </affected>
--      <description>The disable option will allow the IPv6 module to be inserted, but prevent address assignment and activation of the network stack.</description>
--    </metadata>
-+    {{{ oval_metadata("The disable option will allow the IPv6 module to be inserted, but prevent address assignment and activation of the network stack.") }}}
-     <criteria>
-       <criterion test_ref="test_kernel_module_ipv6_option_disabled" comment="ipv6 disabled any modprobe conf file"/>
-     </criteria>
-diff --git a/linux_os/guide/system/network/network-ipv6/disabling_ipv6/network_ipv6_disable_rpc/oval/shared.xml b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/network_ipv6_disable_rpc/oval/shared.xml
-index 0ba2dc2e5f..ca12d33c07 100644
---- a/linux_os/guide/system/network/network-ipv6/disabling_ipv6/network_ipv6_disable_rpc/oval/shared.xml
-+++ b/linux_os/guide/system/network/network-ipv6/disabling_ipv6/network_ipv6_disable_rpc/oval/shared.xml
-@@ -1,14 +1,7 @@
- <def-group>
-   <definition class="compliance"
-   id="network_ipv6_disable_rpc" version="1">
--    <metadata>
--      <title>Disable Support for RPC IPv6</title>
--      <affected family="unix">
--        <platform>Red Hat Virtualization 4</platform>
--        <platform>multi_platform_rhel</platform>
--      </affected>
--      <description>Disable ipv6 based rpc services</description>
--    </metadata>
-+    {{{ oval_metadata("Disable ipv6 based rpc services") }}}
-     <criteria operator="AND">
-       <criterion comment="Disable udp6" test_ref="test_network_ipv6_disable_rpc_udp6" />
-       <criterion comment="Disable tcp6" test_ref="test_network_ipv6_disable_rpc_tcp6" />
-diff --git a/linux_os/guide/system/network/network-wireless/wireless_software/wireless_disable_interfaces/oval/shared.xml b/linux_os/guide/system/network/network-wireless/wireless_software/wireless_disable_interfaces/oval/shared.xml
-index 46d6d3ce93..6268b831ee 100644
---- a/linux_os/guide/system/network/network-wireless/wireless_software/wireless_disable_interfaces/oval/shared.xml
-+++ b/linux_os/guide/system/network/network-wireless/wireless_software/wireless_disable_interfaces/oval/shared.xml
-@@ -1,10 +1,6 @@
- <def-group>
-   <definition class="compliance" id="wireless_disable_interfaces" version="1">
--    <metadata>
--      <title>Deactivate Wireless Interfaces</title>
--      {{{- oval_affected(products) }}}
--      <description>All wireless interfaces should be disabled.</description>
--    </metadata>
-+    {{{ oval_metadata("All wireless interfaces should be disabled.") }}}
-     <criteria>
-       <criterion comment="query /proc/net/wireless" test_ref="test_wireless_disable_interfaces" />
-     </criteria>
-diff --git a/linux_os/guide/system/network/network_configure_name_resolution/oval/shared.xml b/linux_os/guide/system/network/network_configure_name_resolution/oval/shared.xml
-index e765e0d740..8c1494c341 100644
---- a/linux_os/guide/system/network/network_configure_name_resolution/oval/shared.xml
-+++ b/linux_os/guide/system/network/network_configure_name_resolution/oval/shared.xml
-@@ -1,17 +1,7 @@
- <def-group>
-   <definition class="compliance" id="network_configure_name_resolution" version="1">
--    <metadata>
--      <title>Configure Multiple DNS Servers in /etc/resolv.conf</title>
--      <affected family="unix">
--        <platform>Red Hat Enterprise Linux 7</platform>
--        <platform>Red Hat Enterprise Linux 8</platform>
--        <platform>Red Hat Virtualization 4</platform>
--        <platform>multi_platform_wrlinux</platform>
--        <platform>multi_platform_ol</platform>
--      </affected>
--      <description>Multiple Domain Name System (DNS) Servers should be configured
--      in /etc/resolv.conf.</description>
--    </metadata>
-+    {{{ oval_metadata("Multiple Domain Name System (DNS) Servers should be configured
-+      in /etc/resolv.conf.") }}}
-     <criteria>
-       <criterion comment="check if more than one nameserver in /etc/resolv.conf"
-       test_ref="test_network_configure_name_resolution" />
-diff --git a/linux_os/guide/system/network/network_disable_ddns_interfaces/oval/shared.xml b/linux_os/guide/system/network/network_disable_ddns_interfaces/oval/shared.xml
-index 4a7f324692..8765204b6b 100644
---- a/linux_os/guide/system/network/network_disable_ddns_interfaces/oval/shared.xml
-+++ b/linux_os/guide/system/network/network_disable_ddns_interfaces/oval/shared.xml
-@@ -1,15 +1,8 @@
- <def-group>
-   <definition class="compliance" id="network_disable_ddns_interfaces"
-   version="1">
--    <metadata>
--      <title>Disable Client Dynamic DNS Updates</title>
--      <affected family="unix">
--        <platform>Red Hat Enterprise Linux 7</platform>
--        <platform>Red Hat Enterprise Linux 8</platform>
--      </affected>
--      <description>Clients should not automatically update their own
--      DNS record.</description>
--    </metadata>
-+    {{{ oval_metadata("Clients should not automatically update their own
-+      DNS record.") }}}
-     <criteria operator="AND">
-       <criterion test_ref="test_network_disable_ddns_interfaces_ifcfg" />
-       <criterion test_ref="test_network_disable_ddns_interfaces_dhclient" />
-diff --git a/linux_os/guide/system/network/network_disable_zeroconf/oval/shared.xml b/linux_os/guide/system/network/network_disable_zeroconf/oval/shared.xml
-index a79ca75194..ddc269df0f 100644
---- a/linux_os/guide/system/network/network_disable_zeroconf/oval/shared.xml
-+++ b/linux_os/guide/system/network/network_disable_zeroconf/oval/shared.xml
-@@ -1,13 +1,7 @@
- <def-group>
-   <definition class="compliance" id="network_disable_zeroconf" version="1">
--    <metadata>
--      <title>Disable Zeroconf Networking</title>
--      <affected family="unix">
--        <platform>multi_platform_rhel</platform>
--      </affected>
--      <description>Disable Zeroconf automatic route assignment in the
--      169.254.0.0 subnet.</description>
--    </metadata>
-+    {{{ oval_metadata("Disable Zeroconf automatic route assignment in the
-+      169.254.0.0 subnet.") }}}
-     <criteria>
-       <criterion comment="Look for NOZEROCONF=yes in /etc/sysconfig/network"
-       test_ref="test_sysconfig_nozeroconf_yes" />
-diff --git a/linux_os/guide/system/network/network_nmcli_permissions/oval/shared.xml b/linux_os/guide/system/network/network_nmcli_permissions/oval/shared.xml
-index 7ebb0885ab..f943fb32e9 100644
---- a/linux_os/guide/system/network/network_nmcli_permissions/oval/shared.xml
-+++ b/linux_os/guide/system/network/network_nmcli_permissions/oval/shared.xml
-@@ -1,10 +1,6 @@
- <def-group>
-   <definition class="compliance" id="network_nmcli_permissions" version="1">
--    <metadata>
--      <title>Ensure non-Privileged Users Cannot Change Network Settings</title>
--      {{{- oval_affected(products) }}}
--      <description>polkit is properly configured to prevent non-privilged users from changing networking settings</description>
--    </metadata>
-+    {{{ oval_metadata("polkit is properly configured to prevent non-privilged users from changing networking settings") }}}
-     <criteria>
-       <criterion test_ref="test_network_nmcli_permissions" comment="check for properly configured .pkla file" />
-     </criteria>
-diff --git a/linux_os/guide/system/network/network_sniffer_disabled/oval/shared.xml b/linux_os/guide/system/network/network_sniffer_disabled/oval/shared.xml
-index 2e73c45710..b94a0dce39 100644
---- a/linux_os/guide/system/network/network_sniffer_disabled/oval/shared.xml
-+++ b/linux_os/guide/system/network/network_sniffer_disabled/oval/shared.xml
-@@ -1,15 +1,6 @@
- <def-group>
-   <definition class="compliance" id="network_sniffer_disabled" version="1">
--    <metadata>
--      <title>Disable the network sniffer</title>
--      <affected family="unix">
--        <platform>Red Hat Virtualization 4</platform>
--        <platform>multi_platform_rhel</platform>
--        <platform>multi_platform_wrlinux</platform>
--        <platform>multi_platform_ol</platform>
--      </affected>
--      <description>Disable the network sniffer</description>
--    </metadata>
-+    {{{ oval_metadata("Disable the network sniffer") }}}
-     <criteria>
-       <criterion comment="promisc interfaces" test_ref="test_promisc_interfaces" negate="true" />
-     </criteria>
-diff --git a/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/oval/shared.xml b/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/oval/shared.xml
-index 12df194796..e36015f316 100644
---- a/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/oval/shared.xml
-+++ b/linux_os/guide/system/permissions/files/dir_perms_world_writable_sticky_bits/oval/shared.xml
-@@ -1,14 +1,6 @@
- <def-group>
-   <definition class="compliance" id="dir_perms_world_writable_sticky_bits" version="1">
--    <metadata>
--      <title>Verify that All World-Writable Directories Have Sticky Bits Set</title>
--      <affected family="unix">
--        <platform>Red Hat Virtualization 4</platform>
--        <platform>multi_platform_ol</platform>
--        <platform>multi_platform_rhel</platform>
--      </affected>
--      <description>The sticky bit should be set for all world-writable directories.</description>
--    </metadata>
-+    {{{ oval_metadata("The sticky bit should be set for all world-writable directories.") }}}
-     <criteria>
-       <criterion comment="all local world writable directories have sticky bit set" test_ref="test_dir_perms_world_writable_sticky_bits" negate="true" />
-     </criteria>
-diff --git a/linux_os/guide/system/permissions/files/dir_perms_world_writable_system_owned/oval/shared.xml b/linux_os/guide/system/permissions/files/dir_perms_world_writable_system_owned/oval/shared.xml
-index 83367d33ea..eae7e654a2 100644
---- a/linux_os/guide/system/permissions/files/dir_perms_world_writable_system_owned/oval/shared.xml
-+++ b/linux_os/guide/system/permissions/files/dir_perms_world_writable_system_owned/oval/shared.xml
-@@ -1,16 +1,6 @@
- <def-group>
-   <definition class="compliance" id="dir_perms_world_writable_system_owned" version="1">
--    <metadata>
--      <title>Find world writable directories not owned by a system account</title>
--      <affected family="unix">
--        <platform>Red Hat Virtualization 4</platform>
--        <platform>multi_platform_fedora</platform>
--        <platform>multi_platform_rhel</platform>
--        <platform>multi_platform_wrlinux</platform>
--        <platform>multi_platform_ol</platform>
--      </affected>
--      <description>All world writable directories should be owned by a system user.</description>
--    </metadata>
-+    {{{ oval_metadata("All world writable directories should be owned by a system user.") }}}
-     <criteria comment="check for local directories that are world writable and have uid greater than or equal to {{{ auid }}}" negate="true">
-       <criterion comment="check for local directories that are world writable and have uid greater than or equal to {{{ auid }}}" test_ref="test_dir_world_writable_uid_gt_value" />
-     </criteria>
-diff --git a/linux_os/guide/system/permissions/files/file_permissions_systemmap/oval/shared.xml b/linux_os/guide/system/permissions/files/file_permissions_systemmap/oval/shared.xml
-index eaa923c432..d6140d865d 100644
---- a/linux_os/guide/system/permissions/files/file_permissions_systemmap/oval/shared.xml
-+++ b/linux_os/guide/system/permissions/files/file_permissions_systemmap/oval/shared.xml
-@@ -1,14 +1,8 @@
- <def-group>
-   <definition class="compliance" id="file_permissions_systemmap" version="1">
--    <metadata>
--      <title>Verify that System.map files are readable only by root</title>
--      <affected family="unix">
--        <platform>multi_platform_all</platform>
--      </affected>
--      <description>
-+    {{{ oval_metadata("
-         Checks that /boot/System.map-* are only readable by root.
--      </description>
--    </metadata>
-+      ") }}}
-     <criteria operator="AND">
-       <criterion test_ref="test_permissions_systemmap_files" />
-     </criteria>
-diff --git a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/oval/shared.xml b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/oval/shared.xml
-index 83988feec7..b932ac038b 100644
---- a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/oval/shared.xml
-+++ b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_sgid/oval/shared.xml
-@@ -1,15 +1,6 @@
- <def-group>
-     <definition id="file_permissions_unauthorized_sgid" version="1" class="compliance">
--        <metadata>
--            <title>Find SGID files that are not owned by RPM packages</title>
--            <affected family="unix">
--                <platform>multi_platform_fedora</platform>
--                <platform>multi_platform_rhel</platform>
--                <platform>multi_platform_ol</platform>
--                <platform>multi_platform_wrlinux</platform>
--            </affected>
--            <description>Evaluates to true if all files with SGID set are owned by RPM packages.</description>
--        </metadata>
-+        {{{ oval_metadata("Evaluates to true if all files with SGID set are owned by RPM packages.") }}}
-         <criteria>
-             <criterion comment="Check all sgid files" test_ref="test_file_permissions_unauthorized_sgid"/>
-         </criteria>
-diff --git a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/oval/shared.xml b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/oval/shared.xml
-index e83595c198..aeac442e52 100644
---- a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/oval/shared.xml
-+++ b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_suid/oval/shared.xml
-@@ -1,15 +1,6 @@
- <def-group>
-     <definition id="file_permissions_unauthorized_suid" version="1" class="compliance">
--        <metadata>
--            <title>Find SUID files that are not owned by RPM packages</title>
--            <affected family="unix">
--                <platform>multi_platform_fedora</platform>
--                <platform>multi_platform_rhel</platform>
--                <platform>multi_platform_ol</platform>
--                <platform>multi_platform_wrlinux</platform>
--            </affected>
--            <description>Evaluates to true if all files with SUID set are owned by RPM packages.</description>
--        </metadata>
-+        {{{ oval_metadata("Evaluates to true if all files with SUID set are owned by RPM packages.") }}}
-         <criteria>
-             <criterion comment="Check all suid files" test_ref="test_file_permissions_unauthorized_suid"/>
-         </criteria>
-diff --git a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_world_writable/oval/shared.xml b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_world_writable/oval/shared.xml
-index 4455469edc..f46aa5c0c2 100644
---- a/linux_os/guide/system/permissions/files/file_permissions_unauthorized_world_writable/oval/shared.xml
-+++ b/linux_os/guide/system/permissions/files/file_permissions_unauthorized_world_writable/oval/shared.xml
-@@ -1,16 +1,6 @@
- <def-group>
-   <definition class="compliance" id="file_permissions_unauthorized_world_writable" version="1">
--    <metadata>
--      <title>Find Unauthorized World-Writable Files</title>
--      <affected family="unix">
--        <platform>Red Hat Virtualization 4</platform>
--        <platform>multi_platform_ol</platform>
--        <platform>multi_platform_opensuse</platform>
--        <platform>multi_platform_rhel</platform>
--        <platform>multi_platform_wrlinux</platform>
--      </affected>
--      <description>The world-write permission should be disabled for all files.</description>
--    </metadata>
-+    {{{ oval_metadata("The world-write permission should be disabled for all files.") }}}
-     <criteria>
-       <criterion test_ref="test_file_permissions_unauthorized_world_write" />
-     </criteria>
-diff --git a/linux_os/guide/system/permissions/files/file_permissions_ungroupowned/oval/shared.xml b/linux_os/guide/system/permissions/files/file_permissions_ungroupowned/oval/shared.xml
-index 3f8d054714..db76acb4e7 100644
---- a/linux_os/guide/system/permissions/files/file_permissions_ungroupowned/oval/shared.xml
-+++ b/linux_os/guide/system/permissions/files/file_permissions_ungroupowned/oval/shared.xml
-@@ -1,16 +1,6 @@
- <def-group>
-   <definition class="compliance" id="file_permissions_ungroupowned" version="2">
--    <metadata>
--      <title>Find files unowned by a group</title>
--      <affected family="unix">
--        <platform>Red Hat Virtualization 4</platform>
--        <platform>multi_platform_fedora</platform>
--        <platform>multi_platform_rhel</platform>
--        <platform>multi_platform_wrlinux</platform>
--        <platform>multi_platform_ol</platform>
--      </affected>
--      <description>All files should be owned by a group</description>
--    </metadata>
-+    {{{ oval_metadata("All files should be owned by a group") }}}
-     <criteria>
-       <criterion comment="Check all files and make sure they are owned by a group"
-       test_ref="test_file_permissions_ungroupowned" />
-diff --git a/linux_os/guide/system/permissions/files/no_files_unowned_by_user/oval/shared.xml b/linux_os/guide/system/permissions/files/no_files_unowned_by_user/oval/shared.xml
-index 6334c8a3b9..abcec8f34b 100644
---- a/linux_os/guide/system/permissions/files/no_files_unowned_by_user/oval/shared.xml
-+++ b/linux_os/guide/system/permissions/files/no_files_unowned_by_user/oval/shared.xml
-@@ -1,15 +1,6 @@
- <def-group>
-   <definition class="compliance" id="no_files_unowned_by_user" version="1">
--    <metadata>
--      <title>Find files unowned by a user</title>
--      <affected family="unix">
--        <platform>Red Hat Virtualization 4</platform>
--        <platform>multi_platform_rhel</platform>
--        <platform>multi_platform_wrlinux</platform>
--        <platform>multi_platform_ol</platform>
--      </affected>
--      <description>All files should be owned by a user</description>
--    </metadata>
-+    {{{ oval_metadata("All files should be owned by a user") }}}
-     <criteria>
-       <criterion comment="Check all files and make sure they are owned by a user" test_ref="no_files_unowned_by_user_test" />
-     </criteria>
-diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_binary_dirs/oval/shared.xml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_binary_dirs/oval/shared.xml
-index 0fbed4bc32..a71e8d51df 100644
---- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_binary_dirs/oval/shared.xml
-+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_binary_dirs/oval/shared.xml
-@@ -1,18 +1,9 @@
- <def-group>
-   <definition class="compliance" id="file_ownership_binary_dirs" version="2">
--    <metadata>
--      <title>Verify that System Executables Have Root Ownership</title>
--      <affected family="unix">
--        <platform>Red Hat Virtualization 4</platform>
--        <platform>multi_platform_fedora</platform>
--        <platform>multi_platform_rhel</platform>
--        <platform>multi_platform_ol</platform>
--      </affected>
--      <description>
-+    {{{ oval_metadata("
-         Checks that /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin,
-         /usr/local/sbin, /usr/libexec, and objects therein, are owned by root.
--      </description>
--    </metadata>
-+      ") }}}
-     <criteria operator="AND">
-       <criterion test_ref="test_ownership_binary_directories" />
-       <criterion test_ref="test_ownership_binary_files" />
-diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/oval/shared.xml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/oval/shared.xml
-index cce677c95a..59ee3d82a2 100644
---- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/oval/shared.xml
-+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/oval/shared.xml
-@@ -1,18 +1,9 @@
- <def-group>
-   <definition class="compliance" id="file_ownership_library_dirs" version="1">
--    <metadata>
--      <title>Verify that Shared Library Files Have Root Ownership</title>
--      <affected family="unix">
--        <platform>Red Hat Virtualization 4</platform>
--        <platform>multi_platform_fedora</platform>
--        <platform>multi_platform_rhel</platform>
--        <platform>multi_platform_ol</platform>
--      </affected>
--      <description>
-+    {{{ oval_metadata("
-         Checks that /lib, /lib64, /usr/lib, /usr/lib64, /lib/modules, and
-         objects therein, are owned by root.
--      </description>
--    </metadata>
-+      ") }}}
-     <criteria operator="AND">
-       <criterion test_ref="test_ownership_lib_dir" />
-       <criterion test_ref="test_ownership_lib_files" />
-diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_binary_dirs/oval/shared.xml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_binary_dirs/oval/shared.xml
-index 4c5866c60d..9978caf23d 100644
---- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_binary_dirs/oval/shared.xml
-+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_binary_dirs/oval/shared.xml
-@@ -1,18 +1,9 @@
- <def-group>
-   <definition class="compliance" id="file_permissions_binary_dirs" version="2">
--    <metadata>
--      <title>Verify that System Executables Have Restrictive Permissions</title>
--      <affected family="unix">
--        <platform>Red Hat Virtualization 4</platform>
--        <platform>multi_platform_fedora</platform>
--        <platform>multi_platform_rhel</platform>
--        <platform>multi_platform_ol</platform>
--      </affected>
--      <description>
-+    {{{ oval_metadata("
-         Checks that binary files under /bin, /sbin, /usr/bin, /usr/sbin,
-         /usr/local/bin, /usr/local/sbin, and /usr/libexec are not group-writable or world-writable.
--      </description>
--    </metadata>
-+      ") }}}
-     <criteria operator="AND">
-       <criterion test_ref="test_perms_binary_files" />
-     </criteria>
-diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/oval/shared.xml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/oval/shared.xml
-index b44b40b622..f25c52260c 100644
---- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/oval/shared.xml
-+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/oval/shared.xml
-@@ -1,18 +1,9 @@
- <def-group>
-   <definition class="compliance" id="file_permissions_library_dirs" version="1">
--    <metadata>
--      <title>Verify that Shared Library Files Have Restrictive Permissions</title>
--      <affected family="unix">
--        <platform>Red Hat Virtualization 4</platform>
--        <platform>multi_platform_fedora</platform>
--        <platform>multi_platform_rhel</platform>
--        <platform>multi_platform_ol</platform>
--      </affected>
--      <description>
-+    {{{ oval_metadata("
-         Checks that /lib, /lib64, /usr/lib, /usr/lib64, /lib/modules, and
-         objects therein, are not group-writable or world-writable.
--      </description>
--    </metadata>
-+      ") }}}
-     <criteria operator="AND">
-       <criterion test_ref="test_perms_lib_dir" />
-       <criterion test_ref="test_perms_lib_files" />
-diff --git a/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/oval/shared.xml b/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/oval/shared.xml
-index ba2728b0db..24432b7adc 100644
---- a/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/oval/shared.xml
-+++ b/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/oval/shared.xml
-@@ -1,17 +1,11 @@
- <def-group>
-   <definition class="compliance"
-   id="mount_option_nodev_nonroot_local_partitions" version="1">
--    <metadata>
--      <title>Add nodev Option to Non-Root Local Partitions</title>
--      <affected family="unix">
--        <platform>multi_platform_all</platform>
--      </affected>
--      <description>The nodev mount option prevents files from being interpreted
-+    {{{ oval_metadata("The nodev mount option prevents files from being interpreted
-       as character or block devices. Legitimate character and block devices
-       should exist in the /dev directory on the root partition or within chroot
-       jails built for system services. All other locations should not allow
--      character and block devices.</description>
--    </metadata>
-+      character and block devices.") }}}
-     <criteria>
-       <criterion comment="nodev on local filesystems"
-       test_ref="test_nodev_nonroot_local_partitions" negate="true" />
-diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_bind/oval/shared.xml b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_bind/oval/shared.xml
-index 805f0f18ab..46a9a7c2e8 100644
---- a/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_bind/oval/shared.xml
-+++ b/linux_os/guide/system/permissions/partitions/mount_option_var_tmp_bind/oval/shared.xml
-@@ -1,14 +1,8 @@
- <def-group>
-   <definition class="compliance" id="mount_option_var_tmp_bind" version="1">
--    <metadata>
--      <title>Bind Mount /var/tmp To /tmp</title>
--      <affected family="unix">
--        <platform>multi_platform_all</platform>
--      </affected>
--      <description>The /var/tmp directory should be bind mounted to /tmp in
-+    {{{ oval_metadata("The /var/tmp directory should be bind mounted to /tmp in
-       order to consolidate temporary storage into one location protected by the
--      same techniques as /tmp.</description>
--    </metadata>
-+      same techniques as /tmp.") }}}
-     <criteria operator="AND">
-       <criterion comment="Ensure /var/tmp is configured to bind mount to /tmp"
-       test_ref="test_configure_mount_option_var_tmp_bind_tmp" />
-diff --git a/linux_os/guide/system/permissions/restrictions/coredumps/disable_users_coredumps/oval/shared.xml b/linux_os/guide/system/permissions/restrictions/coredumps/disable_users_coredumps/oval/shared.xml
-index 8606971b66..a3bf6dfefb 100644
---- a/linux_os/guide/system/permissions/restrictions/coredumps/disable_users_coredumps/oval/shared.xml
-+++ b/linux_os/guide/system/permissions/restrictions/coredumps/disable_users_coredumps/oval/shared.xml
-@@ -1,10 +1,6 @@
- <def-group>
-   <definition class="compliance" id="disable_users_coredumps" version="1">
--    <metadata>
--      <title>Disable Core Dumps</title>
--      {{{- oval_affected(products) }}}
--      <description>Core dumps for all users should be disabled</description>
--    </metadata>
-+    {{{ oval_metadata("Core dumps for all users should be disabled") }}}
-     <criteria operator="OR">
-       <criterion comment="Are core dumps disabled in /etc/security/limits.d/*" test_ref="test_core_dumps_limits_d" />
-       <criteria operator="AND">
-diff --git a/linux_os/guide/system/permissions/restrictions/daemon_umask/umask_for_daemons/oval/shared.xml b/linux_os/guide/system/permissions/restrictions/daemon_umask/umask_for_daemons/oval/shared.xml
-index a8ce76275f..0f90e1a703 100644
---- a/linux_os/guide/system/permissions/restrictions/daemon_umask/umask_for_daemons/oval/shared.xml
-+++ b/linux_os/guide/system/permissions/restrictions/daemon_umask/umask_for_daemons/oval/shared.xml
-@@ -1,12 +1,6 @@
- <def-group>
-   <definition class="compliance" id="umask_for_daemons" version="2">
--    <metadata>
--      <title>Set Daemon umask</title>
--      <affected family="unix">
--        <platform>multi_platform_rhel</platform>
--      </affected>
--      <description>The daemon umask should be set as appropriate</description>
--    </metadata>
-+    {{{ oval_metadata("The daemon umask should be set as appropriate") }}}
-     <criteria operator="AND">
-       <extend_definition comment="Get value of var_accounts_user_umask variable as octal number"
-       definition_ref="var_umask_for_daemons_as_number" />
-diff --git a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_exec_shield/oval/shared.xml b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_exec_shield/oval/shared.xml
-index 8bdd3cb52e..cc362dd748 100644
---- a/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_exec_shield/oval/shared.xml
-+++ b/linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_exec_shield/oval/shared.xml
-@@ -1,14 +1,6 @@
- <def-group>
-   <definition class="compliance" id="sysctl_kernel_exec_shield" version="2">
--    <metadata>
--      <title>Kernel Runtime Parameter "kernel.exec-shield" Check</title>
--      <affected family="unix">
--        <platform>multi_platform_rhel</platform>
--        <platform>multi_platform_fedora</platform>
--        <platform>multi_platform_rhv</platform>
--      </affected>
--      <description>The kernel runtime parameter "kernel.exec-shield" should not be disabled and set to 1 on 32-bit systems.</description>
--    </metadata>
-+    {{{ oval_metadata("The kernel runtime parameter 'kernel.exec-shield' should not be disabled and set to 1 on 32-bit systems.") }}}
-     <criteria operator="OR">
-       <criteria operator="AND" comment="system is RHEL6">
-         <extend_definition comment="RHEL6 installed" definition_ref="installed_OS_is_rhel6" />
-diff --git a/linux_os/guide/system/permissions/restrictions/enable_nx/install_PAE_kernel_on_x86-32/oval/shared.xml b/linux_os/guide/system/permissions/restrictions/enable_nx/install_PAE_kernel_on_x86-32/oval/shared.xml
-index f8166fc215..a3b39a99d7 100644
---- a/linux_os/guide/system/permissions/restrictions/enable_nx/install_PAE_kernel_on_x86-32/oval/shared.xml
-+++ b/linux_os/guide/system/permissions/restrictions/enable_nx/install_PAE_kernel_on_x86-32/oval/shared.xml
-@@ -1,15 +1,7 @@
- <def-group>
-   <definition class="compliance" id="install_PAE_kernel_on_x86-32" version="2">
--    <metadata>
--      <title>Package kernel-PAE Installed</title>
--      <affected family="unix">
--        <platform>multi_platform_rhel</platform>
--        <platform>multi_platform_rhv</platform>
--        <platform>multi_platform_fedora</platform>
--      </affected>
--      <description>The RPM package kernel-PAE should be installed on 32-bit
--      systems.</description>
--    </metadata>
-+    {{{ oval_metadata("The RPM package kernel-PAE should be installed on 32-bit
-+      systems.") }}}
-     <criteria operator="OR">
-       <!-- System is not 32-bit. In that case, there's
-            nothing more to check -->
-diff --git a/linux_os/guide/system/selinux/grub2_enable_selinux/oval/shared.xml b/linux_os/guide/system/selinux/grub2_enable_selinux/oval/shared.xml
-index 22ee5b4147..d03c21cf14 100644
---- a/linux_os/guide/system/selinux/grub2_enable_selinux/oval/shared.xml
-+++ b/linux_os/guide/system/selinux/grub2_enable_selinux/oval/shared.xml
-@@ -1,12 +1,8 @@
- <def-group>
-   <definition class="compliance" id="grub2_enable_selinux" version="1">
--    <metadata>
--      <title>Enable SELinux in the GRUB2 Bootloader"</title>
--      {{{- oval_affected(products) }}}
--      <description>
-+    {{{ oval_metadata("
-         Check if selinux=0 OR enforcing=0 within the GRUB2 configuration files, fail if found.
--      </description>
--    </metadata>
-+      ") }}}
-     <criteria operator="AND">
-       <criterion comment="check value selinux|enforcing=0 in /etc/default/grub, fail if found" test_ref="test_selinux_default_grub" />
-       <criterion comment="check value selinux|enforcing=0 in /etc/grub2.cfg, fail if found" test_ref="test_selinux_grub2_cfg" />
-diff --git a/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/oval/shared.xml b/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/oval/shared.xml
-index 7dcfb98577..5183b1ce94 100644
---- a/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/oval/shared.xml
-+++ b/linux_os/guide/system/selinux/selinux_all_devicefiles_labeled/oval/shared.xml
-@@ -1,10 +1,6 @@
- <def-group>
-   <definition class="compliance" id="selinux_all_devicefiles_labeled" version="1">
--    <metadata>
--      <title>Device Files Have Proper SELinux Context</title>
--      {{{- oval_affected(products) }}}
--      <description>All device files in /dev should be assigned an SELinux security context other than 'device_t' and 'unlabeled_t'.</description>
--    </metadata>
-+    {{{ oval_metadata("All device files in /dev should be assigned an SELinux security context other than 'device_t' and 'unlabeled_t'.") }}}
-     <criteria operator="AND">
-       <criterion comment="device_t in /dev" test_ref="test_selinux_dev_device_t" />
-       <criterion comment="unlabeled_t in /dev" test_ref="test_selinux_dev_unlabeled_t" />
-diff --git a/linux_os/guide/system/selinux/selinux_confinement_of_daemons/oval/shared.xml b/linux_os/guide/system/selinux/selinux_confinement_of_daemons/oval/shared.xml
-index 0f3cfdd250..e3ca39c2e0 100644
---- a/linux_os/guide/system/selinux/selinux_confinement_of_daemons/oval/shared.xml
-+++ b/linux_os/guide/system/selinux/selinux_confinement_of_daemons/oval/shared.xml
-@@ -1,10 +1,6 @@
- <def-group>
-   <definition class="compliance" id="selinux_confinement_of_daemons" version="1">
--    <metadata>
--      <title>Ensure No Daemons are Unconfined by SELinux</title>
--      {{{- oval_affected(products) }}}
--      <description>All pids in /proc should be assigned an SELinux security context other than 'initrc_t'.</description>
--    </metadata>
-+    {{{ oval_metadata("All pids in /proc should be assigned an SELinux security context other than 'initrc_t'.") }}}
-     <criteria>
-       <criterion comment="device_t in /dev" test_ref="test_selinux_confinement_of_daemons" />
-     </criteria>
-diff --git a/linux_os/guide/system/selinux/selinux_policytype/oval/shared.xml b/linux_os/guide/system/selinux/selinux_policytype/oval/shared.xml
-index 3d69fff07f..174ba1ca8d 100644
---- a/linux_os/guide/system/selinux/selinux_policytype/oval/shared.xml
-+++ b/linux_os/guide/system/selinux/selinux_policytype/oval/shared.xml
-@@ -1,10 +1,6 @@
- <def-group>
-   <definition class="compliance" id="selinux_policytype" version="1">
--    <metadata>
--      <title>Enable SELinux</title>
--      {{{- oval_affected(products) }}}
--      <description>The SELinux policy should be set appropriately.</description>
--    </metadata>
-+    {{{ oval_metadata("The SELinux policy should be set appropriately.") }}}
-     <criteria>
-       <criterion test_ref="test_selinux_policy" />
-     </criteria>
-diff --git a/linux_os/guide/system/selinux/selinux_state/oval/shared.xml b/linux_os/guide/system/selinux/selinux_state/oval/shared.xml
-index 8c328060af..87e6f44008 100644
---- a/linux_os/guide/system/selinux/selinux_state/oval/shared.xml
-+++ b/linux_os/guide/system/selinux/selinux_state/oval/shared.xml
-@@ -1,10 +1,6 @@
- <def-group>
-   <definition class="compliance" id="selinux_state" version="1">
--    <metadata>
--      <title>SELinux Enforcing</title>
--      {{{- oval_affected(products) }}}
--      <description>The SELinux state should be enforcing the local policy.</description>
--    </metadata>
-+    {{{ oval_metadata("The SELinux state should be enforcing the local policy.") }}}
-     <criteria operator="AND">
-       <criterion comment="enforce is disabled" test_ref="test_etc_selinux_config" />
-     </criteria>
-diff --git a/linux_os/guide/system/software/gnome/dconf_db_up_to_date/oval/shared.xml b/linux_os/guide/system/software/gnome/dconf_db_up_to_date/oval/shared.xml
-index 6eaf1a83e9..dcddec299d 100644
---- a/linux_os/guide/system/software/gnome/dconf_db_up_to_date/oval/shared.xml
-+++ b/linux_os/guide/system/software/gnome/dconf_db_up_to_date/oval/shared.xml
-@@ -48,16 +48,7 @@
-   {{% endmacro %}}
- 
-   <definition class="compliance" id="dconf_db_up_to_date" version="2">
--    <metadata>
--      <title>The dconf databases are up-to-date.</title>
--      <affected family="unix">
--        <platform>Red Hat Enterprise Linux 7</platform>
--        <platform>Red Hat Enterprise Linux 8</platform>
--        <platform>multi_platform_fedora</platform>
--        <platform>multi_platform_ol</platform>
--      </affected>
--      <description>Make sure that the dconf databases are up-to-date with regards to respective keyfiles.</description>
--    </metadata>
-+    {{{ oval_metadata("Make sure that the dconf databases are up-to-date with regards to respective keyfiles.") }}}
-     <criteria operator="OR">
-       <extend_definition comment="dconf installed" definition_ref="package_dconf_installed" negate="true" />
-       <criteria comment="check that all DBs in question are up-to-date" operator="AND">
-diff --git a/linux_os/guide/system/software/gnome/enable_dconf_user_profile/oval/shared.xml b/linux_os/guide/system/software/gnome/enable_dconf_user_profile/oval/shared.xml
-index 6652e6cc92..7bdc901303 100644
---- a/linux_os/guide/system/software/gnome/enable_dconf_user_profile/oval/shared.xml
-+++ b/linux_os/guide/system/software/gnome/enable_dconf_user_profile/oval/shared.xml
-@@ -1,15 +1,6 @@
- <def-group>
-   <definition class="compliance" id="enable_dconf_user_profile" version="1">
--    <metadata>
--      <title>Implement Local DB for DConf User Profile</title>
--      <affected family="unix">
--        <platform>Red Hat Enterprise Linux 7</platform>
--        <platform>Red Hat Enterprise Linux 8</platform>
--        <platform>multi_platform_fedora</platform>
--        <platform>multi_platform_ol</platform>
--      </affected>
--      <description>The DConf User profile should have the local DB configured.</description>
--    </metadata>
-+    {{{ oval_metadata("The DConf User profile should have the local DB configured.") }}}
-     <criteria operator="OR">
-       <extend_definition comment="dconf installed" definition_ref="package_dconf_installed" negate="true" />
-       <criterion comment="dconf user profile exists" test_ref="test_dconf_user_profile" />
-diff --git a/linux_os/guide/system/software/gnome/gnome_login_screen/dconf_gnome_disable_restart_shutdown/oval/shared.xml b/linux_os/guide/system/software/gnome/gnome_login_screen/dconf_gnome_disable_restart_shutdown/oval/shared.xml
-index f69211e0fc..57ca7f14ae 100644
---- a/linux_os/guide/system/software/gnome/gnome_login_screen/dconf_gnome_disable_restart_shutdown/oval/shared.xml
-+++ b/linux_os/guide/system/software/gnome/gnome_login_screen/dconf_gnome_disable_restart_shutdown/oval/shared.xml
-@@ -1,15 +1,6 @@
- <def-group>
-   <definition class="compliance" id="dconf_gnome_disable_restart_shutdown" version="1">
--    <metadata>
--      <title>Disable the GNOME3 Login Restart and Shutdown Buttons</title>
--      <affected family="unix">
--        <platform>Red Hat Enterprise Linux 7</platform>
--        <platform>Red Hat Enterprise Linux 8</platform>
--        <platform>multi_platform_fedora</platform>
--        <platform>multi_platform_ol</platform>
--      </affected>
--      <description>Disable the GNOME3 Login GUI Restart and Shutdown buttons to all users on the login screen.</description>
--    </metadata>
-+    {{{ oval_metadata("Disable the GNOME3 Login GUI Restart and Shutdown buttons to all users on the login screen.") }}}
-     <criteria operator="OR">
-       <extend_definition comment="dconf installed" definition_ref="package_dconf_installed" negate="true" />
-       <criteria comment="Disable GUI shutdown and restart buttons and prevent user from changing it" operator="AND">
-diff --git a/linux_os/guide/system/software/gnome/gnome_login_screen/dconf_gnome_disable_user_list/oval/shared.xml b/linux_os/guide/system/software/gnome/gnome_login_screen/dconf_gnome_disable_user_list/oval/shared.xml
-index cc62d249e4..7c66ff0db0 100644
---- a/linux_os/guide/system/software/gnome/gnome_login_screen/dconf_gnome_disable_user_list/oval/shared.xml
-+++ b/linux_os/guide/system/software/gnome/gnome_login_screen/dconf_gnome_disable_user_list/oval/shared.xml
-@@ -1,15 +1,6 @@
- <def-group>
-   <definition class="compliance" id="dconf_gnome_disable_user_list" version="1">
--    <metadata>
--      <title>Disable the GNOME3 Login User List</title>
--      <affected family="unix">
--        <platform>Red Hat Enterprise Linux 7</platform>
--        <platform>Red Hat Enterprise Linux 8</platform>
--        <platform>multi_platform_fedora</platform>
--        <platform>multi_platform_ol</platform>
--      </affected>
--      <description>Disable the GNOME3 GUI listing of all known users on the login screen.</description>
--    </metadata>
-+    {{{ oval_metadata("Disable the GNOME3 GUI listing of all known users on the login screen.") }}}
-     <criteria operator="OR">
-       <extend_definition comment="dconf installed" definition_ref="package_dconf_installed" negate="true" />
-       <criteria comment="Disable GUI listing of known users and prevent user from changing it" operator="AND">
-diff --git a/linux_os/guide/system/software/gnome/gnome_login_screen/dconf_gnome_enable_smartcard_auth/oval/shared.xml b/linux_os/guide/system/software/gnome/gnome_login_screen/dconf_gnome_enable_smartcard_auth/oval/shared.xml
-index 9030dadcaa..de8a5a1571 100644
---- a/linux_os/guide/system/software/gnome/gnome_login_screen/dconf_gnome_enable_smartcard_auth/oval/shared.xml
-+++ b/linux_os/guide/system/software/gnome/gnome_login_screen/dconf_gnome_enable_smartcard_auth/oval/shared.xml
-@@ -1,15 +1,6 @@
- <def-group>
-   <definition class="compliance" id="dconf_gnome_enable_smartcard_auth" version="1">
--    <metadata>
--      <title>Enable the GNOME3 Login Smartcard Authentication</title>
--      <affected family="unix">
--        <platform>Red Hat Enterprise Linux 7</platform>
--        <platform>Red Hat Enterprise Linux 8</platform>
--        <platform>multi_platform_fedora</platform>
--        <platform>multi_platform_ol</platform>
--      </affected>
--      <description>Enable smartcard authentication in the GNOME3 Login GUI.</description>
--    </metadata>
-+    {{{ oval_metadata("Enable smartcard authentication in the GNOME3 Login GUI.") }}}
-     <criteria operator="OR">
-       <extend_definition comment="dconf installed" definition_ref="package_dconf_installed" negate="true" />
-       <criteria comment="Enable smartcard authentication and prevent user from changing it" operator="AND">
-diff --git a/linux_os/guide/system/software/gnome/gnome_login_screen/dconf_gnome_login_retries/oval/shared.xml b/linux_os/guide/system/software/gnome/gnome_login_screen/dconf_gnome_login_retries/oval/shared.xml
-index c6012a9645..f9999b749c 100644
---- a/linux_os/guide/system/software/gnome/gnome_login_screen/dconf_gnome_login_retries/oval/shared.xml
-+++ b/linux_os/guide/system/software/gnome/gnome_login_screen/dconf_gnome_login_retries/oval/shared.xml
-@@ -1,15 +1,6 @@
- <def-group>
-   <definition class="compliance" id="dconf_gnome_login_retries" version="1">
--    <metadata>
--      <title>Set the GNOME3 Login Number of Failures</title>
--      <affected family="unix">
--        <platform>Red Hat Enterprise Linux 7</platform>
--        <platform>Red Hat Enterprise Linux 8</platform>
--        <platform>multi_platform_fedora</platform>
--        <platform>multi_platform_ol</platform>
--      </affected>
--      <description>Set the GNOME3 number of login failure attempts.</description>
--    </metadata>
-+    {{{ oval_metadata("Set the GNOME3 number of login failure attempts.") }}}
-     <criteria operator="OR">
-       <extend_definition comment="dconf installed" definition_ref="package_dconf_installed" negate="true" />
-       <criteria comment="Set number of login attempts and prevent user from changing it" operator="AND">
-diff --git a/linux_os/guide/system/software/gnome/gnome_login_screen/gnome_gdm_disable_automatic_login/oval/shared.xml b/linux_os/guide/system/software/gnome/gnome_login_screen/gnome_gdm_disable_automatic_login/oval/shared.xml
-index d3cf80a931..65760bd679 100644
---- a/linux_os/guide/system/software/gnome/gnome_login_screen/gnome_gdm_disable_automatic_login/oval/shared.xml
-+++ b/linux_os/guide/system/software/gnome/gnome_login_screen/gnome_gdm_disable_automatic_login/oval/shared.xml
-@@ -1,17 +1,7 @@
- <def-group>
-   <definition class="compliance" id="gnome_gdm_disable_automatic_login" version="2">
--    <metadata>
--      <title>Disable GDM Automatic Login</title>
--      <affected family="unix">
--        <platform>Red Hat Enterprise Linux 6</platform>
--        <platform>Red Hat Enterprise Linux 7</platform>
--        <platform>Red Hat Enterprise Linux 8</platform>
--        <platform>multi_platform_fedora</platform>
--        <platform>multi_platform_ol</platform>
--      </affected>
--      <description>Disable the GNOME Display Manager (GDM) ability to allow users to
--      automatically login.</description>
--    </metadata>
-+    {{{ oval_metadata("Disable the GNOME Display Manager (GDM) ability to allow users to
-+      automatically login.") }}}
-     <criteria operator="OR">
-       <extend_definition comment="gdm installed" definition_ref="package_gdm_installed" negate="true" />
-       <criterion comment="Disable GDM Automatic Login" test_ref="test_disable_automatic_login" />
-diff --git a/linux_os/guide/system/software/gnome/gnome_login_screen/gnome_gdm_disable_guest_login/oval/shared.xml b/linux_os/guide/system/software/gnome/gnome_login_screen/gnome_gdm_disable_guest_login/oval/shared.xml
-index 47478726e1..20b1cfa015 100644
---- a/linux_os/guide/system/software/gnome/gnome_login_screen/gnome_gdm_disable_guest_login/oval/shared.xml
-+++ b/linux_os/guide/system/software/gnome/gnome_login_screen/gnome_gdm_disable_guest_login/oval/shared.xml
-@@ -1,17 +1,7 @@
- <def-group>
-   <definition class="compliance" id="gnome_gdm_disable_guest_login" version="2">
--    <metadata>
--      <title>Disable GDM Guest Login</title>
--      <affected family="unix">
--        <platform>Red Hat Enterprise Linux 6</platform>
--        <platform>Red Hat Enterprise Linux 7</platform>
--        <platform>Red Hat Enterprise Linux 8</platform>
--        <platform>multi_platform_fedora</platform>
--        <platform>multi_platform_ol</platform>
--      </affected>
--      <description>Disable the GNOME Display Manager (GDM) ability to allow guest users
--      to login.</description>
--    </metadata>
-+    {{{ oval_metadata("Disable the GNOME Display Manager (GDM) ability to allow guest users
-+      to login.") }}}
-     <criteria operator="OR">
-       <extend_definition comment="gdm installed" definition_ref="package_gdm_installed" negate="true" />
-       <criterion comment="Disable GDM Guest Login" test_ref="test_disable_guest_login" />
-diff --git a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/oval/shared.xml b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/oval/shared.xml
-index 4c2f3f935c..fb359a2278 100644
---- a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/oval/shared.xml
-+++ b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/oval/shared.xml
-@@ -1,17 +1,9 @@
- <def-group>
-   <definition class="compliance" id="dconf_gnome_disable_automount" version="1">
--    <metadata>
--      <title>Disable GNOME3 Automounting</title>
--      <affected family="unix">
--        <platform>Red Hat Enterprise Linux 7</platform>
--        <platform>Red Hat Enterprise Linux 8</platform>
--        <platform>multi_platform_fedora</platform>
--      </affected>
--      <description>The system's default desktop environment, GNOME3, will mount
-+    {{{ oval_metadata("The system's default desktop environment, GNOME3, will mount
-       devices and removable media (such as DVDs, CDs and USB flash drives)
-       whenever they are inserted into the system. Disable automount and autorun
--      within GNOME3.</description>
--    </metadata>
-+      within GNOME3.") }}}
-     <criteria operator="OR">
-       <extend_definition comment="dconf installed" definition_ref="package_dconf_installed" negate="true" />
-       <criteria comment="Disable GNOME3 automount/autorun and prevent user from changing it" operator="AND">
-diff --git a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_thumbnailers/oval/shared.xml b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_thumbnailers/oval/shared.xml
-index d4b59405aa..86160832c3 100644
---- a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_thumbnailers/oval/shared.xml
-+++ b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_thumbnailers/oval/shared.xml
-@@ -1,17 +1,9 @@
- <def-group>
-   <definition class="compliance" id="dconf_gnome_disable_thumbnailers" version="1">
--    <metadata>
--      <title>Disable All GNOME3 Thumbnailers</title>
--      <affected family="unix">
--        <platform>Red Hat Enterprise Linux 7</platform>
--        <platform>Red Hat Enterprise Linux 8</platform>
--        <platform>multi_platform_fedora</platform>
--      </affected>
--      <description>The system's default desktop environment, GNOME3, uses a
-+    {{{ oval_metadata("The system's default desktop environment, GNOME3, uses a
-       number of different thumbnailer programs to generate thumbnails for any
-       new or modified content in an opened folder. Disable the execution of
--      these thumbnail applications within GNOME3.</description>
--    </metadata>
-+      these thumbnail applications within GNOME3.") }}}
-     <criteria operator="OR">
-       <extend_definition comment="dconf installed" definition_ref="package_dconf_installed" negate="true" />
-       <criteria comment="Disable Gnome3 Thumbnailers and prevent user from enabling" operator="AND">
-diff --git a/linux_os/guide/system/software/gnome/gnome_network_settings/dconf_gnome_disable_wifi_create/oval/shared.xml b/linux_os/guide/system/software/gnome/gnome_network_settings/dconf_gnome_disable_wifi_create/oval/shared.xml
-index 7819609a6a..d121ce543c 100644
---- a/linux_os/guide/system/software/gnome/gnome_network_settings/dconf_gnome_disable_wifi_create/oval/shared.xml
-+++ b/linux_os/guide/system/software/gnome/gnome_network_settings/dconf_gnome_disable_wifi_create/oval/shared.xml
-@@ -1,14 +1,6 @@
- <def-group>
-   <definition class="compliance" id="dconf_gnome_disable_wifi_create" version="1">
--    <metadata>
--      <title>Disable WIFI Network Connection Creation in GNOME3</title>
--      <affected family="unix">
--        <platform>Red Hat Enterprise Linux 7</platform>
--        <platform>Red Hat Enterprise Linux 8</platform>
--        <platform>multi_platform_fedora</platform>
--      </affected>
--      <description>Disable the GNOME3 wireless network creation settings.</description>
--    </metadata>
-+    {{{ oval_metadata("Disable the GNOME3 wireless network creation settings.") }}}
-     <criteria operator="OR">
-       <extend_definition comment="dconf installed" definition_ref="package_dconf_installed" negate="true" />
-       <criteria operator="AND">
-diff --git a/linux_os/guide/system/software/gnome/gnome_network_settings/dconf_gnome_disable_wifi_notification/oval/shared.xml b/linux_os/guide/system/software/gnome/gnome_network_settings/dconf_gnome_disable_wifi_notification/oval/shared.xml
-index 8ad815c8d8..ac972df48d 100644
---- a/linux_os/guide/system/software/gnome/gnome_network_settings/dconf_gnome_disable_wifi_notification/oval/shared.xml
-+++ b/linux_os/guide/system/software/gnome/gnome_network_settings/dconf_gnome_disable_wifi_notification/oval/shared.xml
-@@ -1,14 +1,6 @@
- <def-group>
-   <definition class="compliance" id="dconf_gnome_disable_wifi_notification" version="1">
--    <metadata>
--      <title>Disable WIFI Network Notification in GNOME3</title>
--      <affected family="unix">
--        <platform>Red Hat Enterprise Linux 7</platform>
--        <platform>Red Hat Enterprise Linux 8</platform>
--        <platform>multi_platform_fedora</platform>
--      </affected>
--      <description>Disable the GNOME3 wireless network notification.</description>
--    </metadata>
-+    {{{ oval_metadata("Disable the GNOME3 wireless network notification.") }}}
-     <criteria operator="OR">
-       <extend_definition comment="dconf installed" definition_ref="package_dconf_installed" negate="true" />
-       <criteria operator="AND">
-diff --git a/linux_os/guide/system/software/gnome/gnome_remote_access_settings/dconf_gnome_remote_access_credential_prompt/oval/shared.xml b/linux_os/guide/system/software/gnome/gnome_remote_access_settings/dconf_gnome_remote_access_credential_prompt/oval/shared.xml
-index 085d74066b..92df6f493e 100644
---- a/linux_os/guide/system/software/gnome/gnome_remote_access_settings/dconf_gnome_remote_access_credential_prompt/oval/shared.xml
-+++ b/linux_os/guide/system/software/gnome/gnome_remote_access_settings/dconf_gnome_remote_access_credential_prompt/oval/shared.xml
-@@ -1,15 +1,6 @@
- <def-group>
-   <definition class="compliance" id="dconf_gnome_remote_access_credential_prompt" version="1">
--    <metadata>
--      <title>Require Credential Prompting for Remote Access in GNOME3</title>
--      <affected family="unix">
--        <platform>Red Hat Enterprise Linux 7</platform>
--        <platform>Red Hat Enterprise Linux 8</platform>
--        <platform>multi_platform_fedora</platform>
--        <platform>multi_platform_ol</platform>
--      </affected>
--      <description>Configure GNOME3 to require credential prompting for remote access.</description>
--    </metadata>
-+    {{{ oval_metadata("Configure GNOME3 to require credential prompting for remote access.") }}}
-     <criteria operator="OR">
-       <extend_definition comment="dconf installed" definition_ref="package_dconf_installed" negate="true" />
-       <criteria operator="AND">
-diff --git a/linux_os/guide/system/software/gnome/gnome_remote_access_settings/dconf_gnome_remote_access_encryption/oval/shared.xml b/linux_os/guide/system/software/gnome/gnome_remote_access_settings/dconf_gnome_remote_access_encryption/oval/shared.xml
-index 67b4b01891..6eb412c046 100644
---- a/linux_os/guide/system/software/gnome/gnome_remote_access_settings/dconf_gnome_remote_access_encryption/oval/shared.xml
-+++ b/linux_os/guide/system/software/gnome/gnome_remote_access_settings/dconf_gnome_remote_access_encryption/oval/shared.xml
-@@ -1,15 +1,6 @@
- <def-group>
-   <definition class="compliance" id="dconf_gnome_remote_access_encryption" version="1">
--    <metadata>
--      <title>Require Encryption for Remote Access in GNOME3</title>
--      <affected family="unix">
--        <platform>Red Hat Enterprise Linux 7</platform>
--        <platform>Red Hat Enterprise Linux 8</platform>
--        <platform>multi_platform_fedora</platform>
--        <platform>multi_platform_ol</platform>
--      </affected>
--      <description>Configure GNOME3 to require encryption for remote access connections.</description>
--    </metadata>
-+    {{{ oval_metadata("Configure GNOME3 to require encryption for remote access connections.") }}}
-     <criteria operator="OR">
-       <extend_definition comment="dconf installed" definition_ref="package_dconf_installed" negate="true" />
-       <criteria operator="AND">
-diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_activation_enabled/oval/shared.xml b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_activation_enabled/oval/shared.xml
-index 6b2f99ba32..c32e58d549 100644
---- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_activation_enabled/oval/shared.xml
-+++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_activation_enabled/oval/shared.xml
-@@ -1,15 +1,6 @@
- <def-group>
-   <definition class="compliance" id="dconf_gnome_screensaver_idle_activation_enabled" version="1">
--    <metadata>
--      <title>Enable GNOME3 Screensaver Idle Activation</title>
--      <affected family="unix">
--        <platform>Red Hat Enterprise Linux 7</platform>
--        <platform>Red Hat Enterprise Linux 8</platform>
--        <platform>multi_platform_fedora</platform>
--        <platform>multi_platform_ol</platform>
--      </affected>
--      <description>Idle activation of the screen saver should be enabled.</description>
--    </metadata>
-+    {{{ oval_metadata("Idle activation of the screen saver should be enabled.") }}}
-     <criteria operator="OR">
-       <extend_definition comment="dconf installed" definition_ref="package_dconf_installed" negate="true" />
-       <criteria comment="check screensaver idle activation and prevent user from changing it" operator="AND">
-diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_activation_locked/oval/shared.xml b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_activation_locked/oval/shared.xml
-index b778ba7459..7deffc74be 100644
---- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_activation_locked/oval/shared.xml
-+++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_activation_locked/oval/shared.xml
-@@ -1,15 +1,6 @@
- <def-group>
-   <definition class="compliance" id="dconf_gnome_screensaver_idle_activation_locked" version="1">
--    <metadata>
--      <title>Ensure Users Cannot Change GNOME3 Screensaver Idle Activation</title>
--      <affected family="unix">
--        <platform>Red Hat Enterprise Linux 7</platform>
--        <platform>Red Hat Enterprise Linux 8</platform>
--        <platform>multi_platform_fedora</platform>
--        <platform>multi_platform_ol</platform>
--      </affected>
--      <description>Idle activation of the screen saver should not be changed by users.</description>
--    </metadata>
-+    {{{ oval_metadata("Idle activation of the screen saver should not be changed by users.") }}}
-     <criteria operator="OR">
-       <extend_definition comment="dconf installed" definition_ref="package_dconf_installed" negate="true" />
-       <criteria comment="check screensaver idle activation and prevent user from changing it" operator="AND">
-diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_delay/oval/shared.xml b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_delay/oval/shared.xml
-index 69af85737f..0e17ad45ab 100644
---- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_delay/oval/shared.xml
-+++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_delay/oval/shared.xml
-@@ -1,15 +1,6 @@
- <def-group>
-   <definition class="compliance" id="dconf_gnome_screensaver_idle_delay" version="2">
--    <metadata>
--      <title>Configure the GNOME3 GUI Screen locking</title>
--      <affected family="unix">
--        <platform>Red Hat Enterprise Linux 7</platform>
--        <platform>Red Hat Enterprise Linux 8</platform>
--        <platform>multi_platform_fedora</platform>
--        <platform>multi_platform_ol</platform>
--      </affected>
--      <description>The allowed period of inactivity before the screensaver is activated.</description>
--    </metadata>
-+    {{{ oval_metadata("The allowed period of inactivity before the screensaver is activated.") }}}
-     <criteria operator="OR">
-       <extend_definition comment="dconf installed" definition_ref="package_dconf_installed" negate="true" />
-       <criteria comment="check screensaver idle delay and prevent user from changing it" operator="AND">
-diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_delay/oval/shared.xml b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_delay/oval/shared.xml
-index 88ba590acc..53a229edf5 100644
---- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_delay/oval/shared.xml
-+++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_delay/oval/shared.xml
-@@ -1,16 +1,7 @@
- <def-group>
-   <definition class="compliance" id="dconf_gnome_screensaver_lock_delay" version="2">
--    <metadata>
--      <title>Enable GNOME3 Screensaver Lock Delay After Idle Period</title>
--      <affected family="unix">
--        <platform>Red Hat Enterprise Linux 7</platform>
--        <platform>Red Hat Enterprise Linux 8</platform>
--        <platform>multi_platform_fedora</platform>
--        <platform>multi_platform_ol</platform>
--      </affected>
--      <description>Idle activation of the screen lock should be enabled immediately or
--      after a delay.</description>
--    </metadata>
-+    {{{ oval_metadata("Idle activation of the screen lock should be enabled immediately or
-+      after a delay.") }}}
-     <criteria operator="OR">
-       <extend_definition comment="dconf installed" definition_ref="package_dconf_installed" negate="true" />
-       <criteria comment="Enable screensaver lock and prevent user from changing it" operator="AND">
-diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_enabled/oval/shared.xml b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_enabled/oval/shared.xml
-index 9d4ee32619..cb7e87a93b 100644
---- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_enabled/oval/shared.xml
-+++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_enabled/oval/shared.xml
-@@ -1,15 +1,6 @@
- <def-group>
-   <definition class="compliance" id="dconf_gnome_screensaver_lock_enabled" version="2">
--    <metadata>
--      <title>Enable GNOME3 Screensaver Lock After Idle Period</title>
--      <affected family="unix">
--        <platform>Red Hat Enterprise Linux 7</platform>
--        <platform>Red Hat Enterprise Linux 8</platform>
--        <platform>multi_platform_fedora</platform>
--        <platform>multi_platform_ol</platform>
--      </affected>
--      <description>Idle activation of the screen lock should be enabled.</description>
--    </metadata>
-+    {{{ oval_metadata("Idle activation of the screen lock should be enabled.") }}}
-     <criteria operator="OR">
-       <extend_definition comment="dconf installed" definition_ref="package_dconf_installed" negate="true" />
-       <criteria comment="Enable screensaver lock and prevent user from changing it" operator="AND">
-diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_locked/oval/shared.xml b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_locked/oval/shared.xml
-index 843f1ba3fd..76f787e3ee 100644
---- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_locked/oval/shared.xml
-+++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_locked/oval/shared.xml
-@@ -1,15 +1,6 @@
- <def-group>
-   <definition class="compliance" id="dconf_gnome_screensaver_lock_locked" version="1">
--    <metadata>
--      <title>Ensure Users Cannot Change GNOME3 Screensaver Lock After Idle Period</title>
--      <affected family="unix">
--        <platform>Red Hat Enterprise Linux 7</platform>
--        <platform>Red Hat Enterprise Linux 8</platform>
--        <platform>multi_platform_fedora</platform>
--        <platform>multi_platform_ol</platform>
--      </affected>
--      <description>Idle activation of the screen lock should not be changed by users.</description>
--    </metadata>
-+    {{{ oval_metadata("Idle activation of the screen lock should not be changed by users.") }}}
-     <criteria operator="OR">
-       <extend_definition comment="dconf installed" definition_ref="package_dconf_installed" negate="true" />
-       <criteria comment="Enable screensaver lock and prevent user from changing it" operator="AND">
-diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_mode_blank/oval/shared.xml b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_mode_blank/oval/shared.xml
-index 766ede3b9f..be54557180 100644
---- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_mode_blank/oval/shared.xml
-+++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_mode_blank/oval/shared.xml
-@@ -1,15 +1,6 @@
- <def-group>
-   <definition class="compliance" id="dconf_gnome_screensaver_mode_blank" version="2">
--    <metadata>
--      <title>Implement Blank Screensaver</title>
--      <affected family="unix">
--        <platform>Red Hat Enterprise Linux 7</platform>
--        <platform>Red Hat Enterprise Linux 8</platform>
--        <platform>multi_platform_fedora</platform>
--        <platform>multi_platform_ol</platform>
--      </affected>
--      <description>The GNOME3 screensaver should be blank.</description>
--    </metadata>
-+    {{{ oval_metadata("The GNOME3 screensaver should be blank.") }}}
-     <criteria operator="OR">
-       <extend_definition comment="dconf installed" definition_ref="package_dconf_installed" negate="true" />
-       <criteria comment="Enable blank screensaver and prevent user from changing it" operator="AND">
-diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_user_info/oval/shared.xml b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_user_info/oval/shared.xml
-index 202cd6e7cc..7d9ac8ac71 100644
---- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_user_info/oval/shared.xml
-+++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_user_info/oval/shared.xml
-@@ -1,15 +1,6 @@
- <def-group>
-   <definition class="compliance" id="dconf_gnome_screensaver_user_info" version="1">
--    <metadata>
--      <title>Disable Full User Name on Splash Shield</title>
--      <affected family="unix">
--        <platform>Red Hat Enterprise Linux 7</platform>
--        <platform>Red Hat Enterprise Linux 8</platform>
--        <platform>multi_platform_fedora</platform>
--        <platform>multi_platform_ol</platform>
--      </affected>
--      <description>GNOME3 screen splash shield should not display full name of logged in user.</description>
--    </metadata>
-+    {{{ oval_metadata("GNOME3 screen splash shield should not display full name of logged in user.") }}}
-     <criteria operator="OR">
-       <extend_definition comment="dconf installed" definition_ref="package_dconf_installed" negate="true" />
-       <criteria comment="Disable screensaver user info and prevent user from changing it" operator="AND">
-diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_user_locks/oval/shared.xml b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_user_locks/oval/shared.xml
-index df069569d2..8f1a3cac00 100644
---- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_user_locks/oval/shared.xml
-+++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_user_locks/oval/shared.xml
-@@ -1,15 +1,6 @@
- <def-group>
-   <definition class="compliance" id="dconf_gnome_screensaver_user_locks" version="1">
--    <metadata>
--      <title>Ensure Users Cannot Change GNOME3 Screensaver Lock Delay Settings</title>
--      <affected family="unix">
--        <platform>Red Hat Enterprise Linux 7</platform>
--        <platform>Red Hat Enterprise Linux 8</platform>
--        <platform>multi_platform_fedora</platform>
--        <platform>multi_platform_ol</platform>
--      </affected>
--      <description>Ensure that users cannot change GNOME3 screensaver idle and lock settings.</description>
--    </metadata>
-+    {{{ oval_metadata("Ensure that users cannot change GNOME3 screensaver idle and lock settings.") }}}
-     <criteria operator="OR">
-       <extend_definition comment="dconf installed" definition_ref="package_dconf_installed" negate="true" />
-       <criteria comment="check screensaver idle delay and prevent user from changing it" operator="AND">
-diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_session_idle_user_locks/oval/shared.xml b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_session_idle_user_locks/oval/shared.xml
-index 6edebf4269..8ceb642edb 100644
---- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_session_idle_user_locks/oval/shared.xml
-+++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_session_idle_user_locks/oval/shared.xml
-@@ -1,15 +1,6 @@
- <def-group>
-   <definition class="compliance" id="dconf_gnome_session_idle_user_locks" version="1">
--    <metadata>
--      <title>Ensure Users Cannot Change GNOME3 Session Idle Settings</title>
--      <affected family="unix">
--        <platform>Red Hat Enterprise Linux 7</platform>
--        <platform>Red Hat Enterprise Linux 8</platform>
--        <platform>multi_platform_fedora</platform>
--        <platform>multi_platform_ol</platform>
--      </affected>
--      <description>Ensure that users cannot change GNOME3 session idle settings.</description>
--    </metadata>
-+    {{{ oval_metadata("Ensure that users cannot change GNOME3 session idle settings.") }}}
-     <criteria operator="OR">
-       <extend_definition comment="dconf installed" definition_ref="package_dconf_installed" negate="true" />
-       <criteria comment="check screensaver idle delay and prevent user from changing it" operator="AND">
-diff --git a/linux_os/guide/system/software/gnome/gnome_system_settings/dconf_gnome_disable_ctrlaltdel_reboot/oval/shared.xml b/linux_os/guide/system/software/gnome/gnome_system_settings/dconf_gnome_disable_ctrlaltdel_reboot/oval/shared.xml
-index afbb99834d..e939229ad1 100644
---- a/linux_os/guide/system/software/gnome/gnome_system_settings/dconf_gnome_disable_ctrlaltdel_reboot/oval/shared.xml
-+++ b/linux_os/guide/system/software/gnome/gnome_system_settings/dconf_gnome_disable_ctrlaltdel_reboot/oval/shared.xml
-@@ -1,10 +1,6 @@
- <def-group>
-   <definition class="compliance" id="dconf_gnome_disable_ctrlaltdel_reboot" version="1">
--    <metadata>
--      <title>Disable Ctrl-Alt-Del Reboot Key Sequence in GNOME3</title>
--      {{{- oval_affected(products) }}}
--      <description>Disable the GNOME3 ctrl-alt-del reboot key sequence in GNOME3.</description>
--    </metadata>
-+    {{{ oval_metadata("Disable the GNOME3 ctrl-alt-del reboot key sequence in GNOME3.") }}}
-     <criteria operator="OR">
-       <extend_definition comment="dconf installed" definition_ref="package_dconf_installed" negate="true" />
-       <criteria operator="AND">
-diff --git a/linux_os/guide/system/software/gnome/gnome_system_settings/dconf_gnome_disable_geolocation/oval/shared.xml b/linux_os/guide/system/software/gnome/gnome_system_settings/dconf_gnome_disable_geolocation/oval/shared.xml
-index 05b9c59356..9282fd03ea 100644
---- a/linux_os/guide/system/software/gnome/gnome_system_settings/dconf_gnome_disable_geolocation/oval/shared.xml
-+++ b/linux_os/guide/system/software/gnome/gnome_system_settings/dconf_gnome_disable_geolocation/oval/shared.xml
-@@ -1,14 +1,6 @@
- <def-group>
-   <definition class="compliance" id="dconf_gnome_disable_geolocation" version="1">
--    <metadata>
--      <title>Disable Geolocation in GNOME3</title>
--      <affected family="unix">
--        <platform>Red Hat Enterprise Linux 7</platform>
--        <platform>Red Hat Enterprise Linux 8</platform>
--        <platform>multi_platform_fedora</platform>
--      </affected>
--      <description>Disable GNOME3 Geolocation for the clock and system.</description>
--    </metadata>
-+    {{{ oval_metadata("Disable GNOME3 Geolocation for the clock and system.") }}}
-     <criteria operator="OR">
-       <extend_definition comment="dconf installed" definition_ref="package_dconf_installed" negate="true" />
-       <criteria operator="AND">
-diff --git a/linux_os/guide/system/software/gnome/gnome_system_settings/dconf_gnome_disable_power_settings/oval/shared.xml b/linux_os/guide/system/software/gnome/gnome_system_settings/dconf_gnome_disable_power_settings/oval/shared.xml
-index 40f807752a..929513d88e 100644
---- a/linux_os/guide/system/software/gnome/gnome_system_settings/dconf_gnome_disable_power_settings/oval/shared.xml
-+++ b/linux_os/guide/system/software/gnome/gnome_system_settings/dconf_gnome_disable_power_settings/oval/shared.xml
-@@ -1,14 +1,6 @@
- <def-group>
-   <definition class="compliance" id="dconf_gnome_disable_power_settings" version="1">
--    <metadata>
--      <title>Disable Power Settings in GNOME3</title>
--      <affected family="unix">
--        <platform>Red Hat Enterprise Linux 7</platform>
--        <platform>Red Hat Enterprise Linux 8</platform>
--        <platform>multi_platform_fedora</platform>
--      </affected>
--      <description>Disable GNOME3 power settings.</description>
--    </metadata>
-+    {{{ oval_metadata("Disable GNOME3 power settings.") }}}
-     <criteria operator="OR">
-       <extend_definition comment="dconf installed" definition_ref="package_dconf_installed" negate="true" />
-       <criteria operator="AND">
-diff --git a/linux_os/guide/system/software/gnome/gnome_system_settings/dconf_gnome_disable_user_admin/oval/shared.xml b/linux_os/guide/system/software/gnome/gnome_system_settings/dconf_gnome_disable_user_admin/oval/shared.xml
-index 5bd6b8add9..7b8b052edf 100644
---- a/linux_os/guide/system/software/gnome/gnome_system_settings/dconf_gnome_disable_user_admin/oval/shared.xml
-+++ b/linux_os/guide/system/software/gnome/gnome_system_settings/dconf_gnome_disable_user_admin/oval/shared.xml
-@@ -1,15 +1,6 @@
- <def-group>
-   <definition class="compliance" id="dconf_gnome_disable_user_admin" version="1">
--    <metadata>
--      <title>Disable User Administration in GNOME3</title>
--      <affected family="unix">
--        <platform>Red Hat Enterprise Linux 7</platform>
--        <platform>Red Hat Enterprise Linux 8</platform>
--        <platform>multi_platform_fedora</platform>
--        <platform>multi_platform_ol</platform>
--      </affected>
--      <description>Disable GNOME3's ability to give users some administrative rights.</description>
--    </metadata>
-+    {{{ oval_metadata("Disable GNOME3's ability to give users some administrative rights.") }}}
-     <criteria operator="OR">
-       <extend_definition comment="dconf installed" definition_ref="package_dconf_installed" negate="true" />
-       <criteria operator="AND">
-diff --git a/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_FIPS_certified/oval/shared.xml b/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_FIPS_certified/oval/shared.xml
-index 46cb5e5cb5..fd5e43fa0c 100644
---- a/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_FIPS_certified/oval/shared.xml
-+++ b/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_FIPS_certified/oval/shared.xml
-@@ -1,12 +1,8 @@
- <def-group>
-   <definition class="compliance" id="installed_OS_is_FIPS_certified" version="1">
--    <metadata>
--      <title>FIPS 140-2 Certified Operating System</title>
--      {{{- oval_affected(products) }}}
--      <description>
-+    {{{ oval_metadata("
-           The operating system installed on the system is a certified operating system that meets FIPS 140-2 requirements.
--      </description>
--    </metadata>
-+      ") }}}
-     <criteria comment="Installed operating system is a certified operating system" operator="OR">
-       <extend_definition comment="Installed OS is RHEL6" definition_ref="installed_OS_is_rhel6" />
-       <extend_definition comment="Installed OS is RHEL7" definition_ref="installed_OS_is_rhel7" />
-diff --git a/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_vendor_supported/oval/shared.xml b/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_vendor_supported/oval/shared.xml
-index 6339441007..600b3c4add 100644
---- a/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_vendor_supported/oval/shared.xml
-+++ b/linux_os/guide/system/software/integrity/certified-vendor/installed_OS_is_vendor_supported/oval/shared.xml
-@@ -1,12 +1,8 @@
- <def-group>
-   <definition class="compliance" id="installed_OS_is_vendor_supported" version="1">
--    <metadata>
--      <title>Vendor Supported Operating System</title>
--      {{{- oval_affected(products) }}}
--     <description>
-+    {{{ oval_metadata("
-         The operating system installed on the system is supported by a vendor that provides security patches.
--      </description>
--    </metadata>
-+      ") }}}
-     <criteria comment="Installed operating system is supported by a vendor" operator="OR">
-       <extend_definition comment="Installed OS is RHEL6" definition_ref="installed_OS_is_rhel6" />
-       <extend_definition comment="Installed OS is RHEL7" definition_ref="installed_OS_is_rhel7" />
-diff --git a/linux_os/guide/system/software/integrity/crypto/configure_bind_crypto_policy/oval/shared.xml b/linux_os/guide/system/software/integrity/crypto/configure_bind_crypto_policy/oval/shared.xml
-index e60540d1f7..d4ac6c0c74 100644
---- a/linux_os/guide/system/software/integrity/crypto/configure_bind_crypto_policy/oval/shared.xml
-+++ b/linux_os/guide/system/software/integrity/crypto/configure_bind_crypto_policy/oval/shared.xml
-@@ -1,10 +1,6 @@
- <def-group>
-   <definition class="compliance" id="configure_bind_crypto_policy" version="1">
--    <metadata>
--      <title>Configure BIND to use System Crypto Policy.</title>
--      {{{- oval_affected(products) }}}
--      <description>BIND should be configured to use the system-wide crypto policy setting.</description>
--    </metadata>
-+    {{{ oval_metadata("BIND should be configured to use the system-wide crypto policy setting.") }}}
-     <criteria operator="OR">
-       <extend_definition comment="Check if package bind is not installed" definition_ref="package_bind_removed" />
-       <criterion test_ref="test_configure_bind_crypto_policy"
-diff --git a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/oval/shared.xml b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/oval/shared.xml
-index 7bfd010945..7c45edf57e 100644
---- a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/oval/shared.xml
-+++ b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/oval/shared.xml
-@@ -1,10 +1,6 @@
- <def-group>
-   <definition class="compliance" id="configure_crypto_policy" version="1">
--    <metadata>
--      <title>Configure System Cryptographic Policies</title>
--      {{{- oval_affected(products) }}}
--      <description>Ensure crypto policy is correctly configured in /etc/crypto-policies/config, and the policy is current.</description>
--    </metadata>
-+    {{{ oval_metadata("Ensure crypto policy is correctly configured in /etc/crypto-policies/config, and the policy is current.") }}}
-     <criteria operator="AND">
-       <criterion comment="check for crypto policy correctly configured in /etc/crypto-policy/config"
-       test_ref="test_configure_crypto_policy" />
-diff --git a/linux_os/guide/system/software/integrity/crypto/configure_kerberos_crypto_policy/oval/shared.xml b/linux_os/guide/system/software/integrity/crypto/configure_kerberos_crypto_policy/oval/shared.xml
-index aa948c49c2..8cc6705879 100644
---- a/linux_os/guide/system/software/integrity/crypto/configure_kerberos_crypto_policy/oval/shared.xml
-+++ b/linux_os/guide/system/software/integrity/crypto/configure_kerberos_crypto_policy/oval/shared.xml
-@@ -3,11 +3,7 @@
- {{% set backend_krb5_config = "/etc/crypto-policies/back-ends/krb5.config" %}}
- <def-group>
-   <definition class="compliance" id="configure_kerberos_crypto_policy" version="2">
--    <metadata>
--      <title>Configure kerberos to use System Crypto Policy</title>
--      {{{- oval_affected(products) }}}
--      <description>Kerberos should be configured to use the system-wide crypto policy setting.</description>
--    </metadata>
-+    {{{ oval_metadata("Kerberos should be configured to use the system-wide crypto policy setting.") }}}
-     <criteria operator="OR" comment="The config file is always a symlink to the backend, but the backend itself may be either a file, or a symlink. For this reason, we need two tests, if one passes, the other one is expected to either fail, or error.">
-       <criterion comment="kerberos crypto-policy configuration links to same file as kerberos crypto-policy backend" test_ref="test_configure_kerberos_crypto_policy_symlink" />
-       <criterion comment="kerberos crypto-policy configuration links to the crypto-policy backend file" test_ref="test_configure_kerberos_crypto_policy_nosymlink" />
-diff --git a/linux_os/guide/system/software/integrity/crypto/configure_libreswan_crypto_policy/oval/shared.xml b/linux_os/guide/system/software/integrity/crypto/configure_libreswan_crypto_policy/oval/shared.xml
-index 64b8d3537b..e7a875ce56 100644
---- a/linux_os/guide/system/software/integrity/crypto/configure_libreswan_crypto_policy/oval/shared.xml
-+++ b/linux_os/guide/system/software/integrity/crypto/configure_libreswan_crypto_policy/oval/shared.xml
-@@ -1,10 +1,6 @@
- <def-group>
-   <definition class="compliance" id="configure_libreswan_crypto_policy" version="1">
--    <metadata>
--      <title>Configure Libreswan to use System Crypto Policy.</title>
--      {{{- oval_affected(products) }}}
--      <description>Libreswan should be configured to use the system-wide crypto policy setting.</description>
--    </metadata>
-+    {{{ oval_metadata("Libreswan should be configured to use the system-wide crypto policy setting.") }}}
-     <criteria operator="OR">
-       <extend_definition comment="Check if package libreswan is not installed" definition_ref="package_libreswan_installed" negate="true" />
-       <criterion test_ref="test_configure_libreswan_crypto_policy"
-diff --git a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/oval/shared.xml b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/oval/shared.xml
-index 2019769736..1beedf9cb8 100644
---- a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/oval/shared.xml
-+++ b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/oval/shared.xml
-@@ -1,10 +1,6 @@
- <def-group>
-   <definition class="compliance" id="configure_openssl_crypto_policy" version="1">
--    <metadata>
--      <title>Configure OpenSSL to use System Crypto Policy</title>
--      {{{- oval_affected(products) }}}
--      <description>OpenSSL should be configured to use the system-wide crypto policy setting.</description>
--    </metadata>
-+    {{{ oval_metadata("OpenSSL should be configured to use the system-wide crypto policy setting.") }}}
-     <criteria>
-       <criterion test_ref="test_configure_openssl_crypto_policy"
-       comment="Check that the configuration mandates usage of system-wide crypto policies." />
-diff --git a/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/oval/shared.xml b/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/oval/shared.xml
-index 0597123d6f..12cc06d3b4 100644
---- a/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/oval/shared.xml
-+++ b/linux_os/guide/system/software/integrity/crypto/configure_ssh_crypto_policy/oval/shared.xml
-@@ -1,10 +1,6 @@
- <def-group>
-   <definition class="compliance" id="configure_ssh_crypto_policy" version="1">
--    <metadata>
--      <title>Configure SSH to use System Crypto Policy.</title>
--      {{{- oval_affected(products) }}}
--      <description>SSH should be configured to use the system-wide crypto policy setting.</description>
--    </metadata>
-+    {{{ oval_metadata("SSH should be configured to use the system-wide crypto policy setting.") }}}
-     <criteria>
-       <criterion test_ref="test_configure_ssh_crypto_policy"
-       comment="Check that the SSH configuration mandates usage of system-wide crypto policies." />
-diff --git a/linux_os/guide/system/software/integrity/crypto/harden_ssh_client_crypto_policy/oval/shared.xml b/linux_os/guide/system/software/integrity/crypto/harden_ssh_client_crypto_policy/oval/shared.xml
-index e67490181e..6124f74480 100644
---- a/linux_os/guide/system/software/integrity/crypto/harden_ssh_client_crypto_policy/oval/shared.xml
-+++ b/linux_os/guide/system/software/integrity/crypto/harden_ssh_client_crypto_policy/oval/shared.xml
-@@ -131,11 +131,7 @@
- 
- <def-group>
-   <definition class="compliance" id="harden_ssh_client_crypto_policy" version="3">
--    <metadata>
--      <title>Harden SSH client Crypto Policy</title>
--      {{{- oval_affected(products) }}}
--      <description>Ensure the ssh client ciphers are configured correctly in /etc/ssh/ssh_config.d/02-ospp.conf</description>
--    </metadata>
-+    {{{ oval_metadata("Ensure the ssh client ciphers are configured correctly in /etc/ssh/ssh_config.d/02-ospp.conf") }}}
-     <criteria comment="SSH client is configured correctly"
-     operator="AND">
-         {{{ oval_line_in_file_criterion(path='/etc/ssh/ssh_config.d/02-ospp.conf', parameter='Match') }}}
-diff --git a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/oval/shared.xml b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/oval/shared.xml
-index 847754f36d..df7915dac5 100644
---- a/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/oval/shared.xml
-+++ b/linux_os/guide/system/software/integrity/crypto/openssl_use_strong_entropy/oval/shared.xml
-@@ -1,10 +1,6 @@
- <def-group>
-   <definition class="compliance" id="openssl_use_strong_entropy" version="1">
--    <metadata>
--      <title>Configure OpenSSL to use strong entropy</title>
--      {{{- oval_affected(products) }}}
--      <description>OpenSSL should be configured to generate random data with strong entropy.</description>
--    </metadata>
-+    {{{ oval_metadata("OpenSSL should be configured to generate random data with strong entropy.") }}}
-     <criteria>
-       <criterion test_ref="test_openssl_strong_entropy"
-       comment="Check that the OpenSSL is configured to generate random data with strong entropy." />
-diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/oval/shared.xml b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/oval/shared.xml
-index 41fa0497ae..40881bef93 100644
---- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/oval/shared.xml
-+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/oval/shared.xml
-@@ -1,11 +1,7 @@
- 
- <def-group>
-   <definition class="compliance" id="{{{ rule_id }}}" version="1">
--    <metadata>
--      <title>{{{ rule_title }}}</title>
--      {{{- oval_affected(products) }}}
--      <description>Ensure 'RekeyLimit' is configured with the correct value in /etc/ssh/ssh_config and /etc/ssh/ssh_config.d/*.conf</description>
--    </metadata>
-+    {{{ oval_metadata("Ensure 'RekeyLimit' is configured with the correct value in /etc/ssh/ssh_config and /etc/ssh/ssh_config.d/*.conf") }}}
-     <criteria comment="RekeyLimit is correctly configured for ssh client" operator="AND">
-       <criterion comment="check that RekeyLimit is not configured in /etc/ssh/ssh_config" test_ref="test_ssh_client_rekey_limit_main_config" negate="true" />
-       <criterion comment="check correct RekeyLimit configuration in /etc/ssh/ssh_config.d/*.conf" test_ref="test_ssh_client_rekey_limit_include_configs" />
-diff --git a/linux_os/guide/system/software/integrity/disable_prelink/oval/shared.xml b/linux_os/guide/system/software/integrity/disable_prelink/oval/shared.xml
-index 39642abe1f..063cc94860 100644
---- a/linux_os/guide/system/software/integrity/disable_prelink/oval/shared.xml
-+++ b/linux_os/guide/system/software/integrity/disable_prelink/oval/shared.xml
-@@ -1,14 +1,10 @@
- 
- <def-group>
-   <definition class="compliance" id="disable_prelink" version="3">
--    <metadata>
--      <title>Disable Prelinking</title>
--      {{{- oval_affected(products) }}}
--      <description>The prelinking feature can interfere with the operation of
-+    {{{ oval_metadata("The prelinking feature can interfere with the operation of
-       checksum integrity tools (e.g. AIDE), mitigates the protection provided
-       by ASLR, and requires additional CPU cycles by software upgrades.
--      </description>
--    </metadata>
-+      ") }}}
-     <criteria operator="OR" comment="Conditions for prelinking disabled are satisfied">
-       <extend_definition comment="prelink RPM package not installed" definition_ref="package_prelink_removed" />
-       <criterion comment="Prelinking is disabled" test_ref="test_prelinking_disabled" />
-diff --git a/linux_os/guide/system/software/integrity/endpoint_security_software/install_antivirus/oval/shared.xml b/linux_os/guide/system/software/integrity/endpoint_security_software/install_antivirus/oval/shared.xml
-index db47de2570..52fd315f29 100644
---- a/linux_os/guide/system/software/integrity/endpoint_security_software/install_antivirus/oval/shared.xml
-+++ b/linux_os/guide/system/software/integrity/endpoint_security_software/install_antivirus/oval/shared.xml
-@@ -1,13 +1,7 @@
- <def-group>
-   <definition class="compliance" id="install_antivirus"
-   version="1">
--    <metadata>
--      <title>Package Antivirus Installed</title>
--      <affected family="unix">
--        <platform>multi_platform_all</platform>
--      </affected>
--      <description>Antivirus software should be installed.</description>
--    </metadata>
-+    {{{ oval_metadata("Antivirus software should be installed.") }}}
-     <criteria comment="Antivirus is not being used or conditions are met">
-       <extend_definition comment="McAfee A/V Installed" definition_ref="install_mcafee_antivirus" />
-     </criteria>
-diff --git a/linux_os/guide/system/software/integrity/endpoint_security_software/install_hids/oval/shared.xml b/linux_os/guide/system/software/integrity/endpoint_security_software/install_hids/oval/shared.xml
-index 8eac364e34..fdb4cfb3c9 100644
---- a/linux_os/guide/system/software/integrity/endpoint_security_software/install_hids/oval/shared.xml
-+++ b/linux_os/guide/system/software/integrity/endpoint_security_software/install_hids/oval/shared.xml
-@@ -1,15 +1,7 @@
- <def-group>
-   <definition class="compliance" id="install_hids"
-   version="1">
--    <metadata>
--      <title>Install Intrusion Detection Software</title>
--      <affected family="unix">
--        <platform>Red Hat Virtualization 4</platform>
--        <platform>multi_platform_fedora</platform>
--        <platform>multi_platform_rhel</platform>
--      </affected>
--      <description>Intrusion detection software or SELinux should be installed and enabled.</description>
--    </metadata>
-+    {{{ oval_metadata("Intrusion detection software or SELinux should be installed and enabled.") }}}
-     <criteria operator="OR">
-       <extend_definition comment="McAfee HBSS" definition_ref="install_mcafee_hbss" />
-       <criterion comment="SELinux enabled" test_ref="test_selinux_enforcing" />
-diff --git a/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/install_mcafee_antivirus/oval/shared.xml b/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/install_mcafee_antivirus/oval/shared.xml
-index f6efe5e5e2..1390e05598 100644
---- a/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/install_mcafee_antivirus/oval/shared.xml
-+++ b/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/install_mcafee_antivirus/oval/shared.xml
-@@ -1,13 +1,7 @@
- <def-group>
-   <definition class="compliance" id="install_mcafee_antivirus"
-   version="1">
--    <metadata>
--      <title>Package McAfeeVSEForLinux Installed</title>
--      <affected family="unix">
--        <platform>multi_platform_all</platform>
--      </affected>
--      <description>McAfee Antivirus software should be installed.</description>
--    </metadata>
-+    {{{ oval_metadata("McAfee Antivirus software should be installed.", affected_platforms=["multi_platform_all"]) }}}
-     <criteria comment="Antivirus is not being used or conditions are met" operator="AND">
-       <extend_definition comment="McAfee Runtime Libraries and Agent" definition_ref="install_mcafee_cma_rt" />
-       <criterion comment="Linuxshield AntiVirus package is installed"
-diff --git a/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/install_mcafee_cma_rt/oval/shared.xml b/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/install_mcafee_cma_rt/oval/shared.xml
-index bda9a8d258..387b24de58 100644
---- a/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/install_mcafee_cma_rt/oval/shared.xml
-+++ b/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/install_mcafee_cma_rt/oval/shared.xml
-@@ -1,13 +1,7 @@
- <def-group>
-   <definition class="compliance" id="install_mcafee_cma_rt"
-   version="1">
--    <metadata>
--      <title>Install the McAfee Runtime Libraries and Linux Agent</title>
--      <affected family="unix">
--        <platform>multi_platform_all</platform>
--      </affected>
--      <description>Install the McAfee Runtime Libraries (MFErt) and Linux Agent (MFEcma).</description>
--    </metadata>
-+    {{{ oval_metadata("Install the McAfee Runtime Libraries (MFErt) and Linux Agent (MFEcma).", affected_platforms=["multi_platform_all"]) }}}
-     <criteria operator="AND">
-       <criterion comment="McAfee runtime library package installed"
-       test_ref="test_mcafee_runtime_installed" />
-diff --git a/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_antivirus_definitions_updated/oval/shared.xml b/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_antivirus_definitions_updated/oval/shared.xml
-index 6b45031dde..0e61f69fc0 100644
---- a/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_antivirus_definitions_updated/oval/shared.xml
-+++ b/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_antivirus_definitions_updated/oval/shared.xml
-@@ -1,12 +1,6 @@
- <def-group oval_version="5.10">
-   <definition class="compliance" id="mcafee_antivirus_definitions_updated" version="1">
--    <metadata>
--      <title>McAfee AntiVirus Definitions Updated</title>
--      <affected family="unix">
--        <platform>multi_platform_all</platform>
--      </affected>
--      <description>Verify that McAfee AntiVirus definitions have been updated.</description>
--    </metadata>
-+    {{{ oval_metadata("Verify that McAfee AntiVirus definitions have been updated.") }}}
- 
-     <criteria>
-       <criterion comment="Check if McAfee AntiVirus definitions have been updated" test_ref="test_mcafee_antivirus_definitions_updated" />
-diff --git a/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_hbss_software/install_mcafee_hbss_accm/oval/shared.xml b/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_hbss_software/install_mcafee_hbss_accm/oval/shared.xml
-index d87d0b5110..98f58e3973 100644
---- a/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_hbss_software/install_mcafee_hbss_accm/oval/shared.xml
-+++ b/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_hbss_software/install_mcafee_hbss_accm/oval/shared.xml
-@@ -1,13 +1,7 @@
- <def-group>
-   <definition class="compliance" id="install_mcafee_hbss_accm"
-   version="1">
--    <metadata>
--      <title>Install the Asset Configuration Compliance Module (ACCM)</title>
--      <affected family="unix">
--        <platform>multi_platform_all</platform>
--      </affected>
--      <description>Install the Asset Configuration Compliance Module (ACCM).</description>
--    </metadata>
-+    {{{ oval_metadata("Install the Asset Configuration Compliance Module (ACCM).", affected_platforms=["multi_platform_all"]) }}}
-     <criteria>
-       <criterion comment="McAfee ACCM is installed"
-       test_ref="test_mcafee_accm_exists" />
-diff --git a/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_hbss_software/install_mcafee_hbss_hips/oval/shared.xml b/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_hbss_software/install_mcafee_hbss_hips/oval/shared.xml
-index 9f796d9b0a..1ac70e5aeb 100644
---- a/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_hbss_software/install_mcafee_hbss_hips/oval/shared.xml
-+++ b/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_hbss_software/install_mcafee_hbss_hips/oval/shared.xml
-@@ -1,14 +1,8 @@
- <def-group>
-   <definition class="compliance" id="install_mcafee_hbss_hips"
-   version="1">
--    <metadata>
--      <title>Install the Host Intrusion Prevention System (HIPS) Module</title>
--      <affected family="unix">
--        <platform>multi_platform_all</platform>
--      </affected>
--      <description>Install the McAfee Host Intrusion Prevention System (HIPS) Module if it is
--      absolutely necessary. If SELinux is enabled, do not install or enable this module.</description>
--    </metadata>
-+	  {{{ oval_metadata("Install the McAfee Host Intrusion Prevention System (HIPS) Module if it is absolutely necessary. If SELinux is enabled, do not install or enable this module.",
-+	  affected_platforms=["multi_platform_all"]) }}}
-     <criteria>
-       <criterion comment="McAfee IPS  is installed"
-       test_ref="test_mcafee_hbss_hips_installed" />
-diff --git a/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_hbss_software/install_mcafee_hbss_pa/oval/shared.xml b/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_hbss_software/install_mcafee_hbss_pa/oval/shared.xml
-index 30eeebe315..4dc6cc54b0 100644
---- a/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_hbss_software/install_mcafee_hbss_pa/oval/shared.xml
-+++ b/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_hbss_software/install_mcafee_hbss_pa/oval/shared.xml
-@@ -1,13 +1,7 @@
- <def-group>
-   <definition class="compliance" id="install_mcafee_hbss_pa"
-   version="1">
--    <metadata>
--      <title>Install the Policy Auditor (PA) Module</title>
--      <affected family="unix">
--        <platform>multi_platform_all</platform>
--      </affected>
--      <description>Install the Policy Auditor (PA) Module.</description>
--    </metadata>
-+    {{{ oval_metadata("Install the Policy Auditor (PA) Module.", affected_platforms=["multi_platform_all"]) }}}
-     <criteria>
-       <criterion comment="McAfee Policy Auditor is installed"
-       test_ref="test_mcafee_auditengine_exists" />
-diff --git a/linux_os/guide/system/software/integrity/fips/enable_dracut_fips_module/oval/shared.xml b/linux_os/guide/system/software/integrity/fips/enable_dracut_fips_module/oval/shared.xml
-index fc2c99da79..8985425bc0 100644
---- a/linux_os/guide/system/software/integrity/fips/enable_dracut_fips_module/oval/shared.xml
-+++ b/linux_os/guide/system/software/integrity/fips/enable_dracut_fips_module/oval/shared.xml
-@@ -1,10 +1,6 @@
- <def-group>
-   <definition class="compliance" id="enable_dracut_fips_module" version="1">
--    <metadata>
--      <title>Enable Dracut FIPS Module</title>
--      {{{- oval_affected(products) }}}
--      <description>fips module should be enabled in Dracut configuration</description>
--    </metadata>
-+    {{{ oval_metadata("fips module should be enabled in Dracut configuration") }}}
-     <criteria operator="AND">
-       <criterion comment="dracut fips module is enabled" test_ref="test_enable_dracut_fips_module" />
-     </criteria>
-diff --git a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml
-index d48a5d0f88..699dca06dd 100644
---- a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml
-+++ b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/oval/shared.xml
-@@ -1,10 +1,6 @@
- <def-group oval_version="5.10">
-   <definition class="compliance" id="enable_fips_mode" version="1">
--    <metadata>
--      <title>Enable FIPS Mode</title>
--      {{{- oval_affected(products) }}}
--      <description>Check if FIPS mode is enabled on the system</description>
--    </metadata>
-+    {{{ oval_metadata("Check if FIPS mode is enabled on the system") }}}
-     <criteria operator="AND">
-       <extend_definition comment="check /etc/system-fips exists" definition_ref="etc_system_fips_exists" />
-       <extend_definition comment="check sysctl crypto.fips_enabled = 1" definition_ref="sysctl_crypto_fips_enabled" />
-diff --git a/linux_os/guide/system/software/integrity/fips/etc_system_fips_exists/oval/shared.xml b/linux_os/guide/system/software/integrity/fips/etc_system_fips_exists/oval/shared.xml
-index 978a060e1b..e7ffcafd71 100644
---- a/linux_os/guide/system/software/integrity/fips/etc_system_fips_exists/oval/shared.xml
-+++ b/linux_os/guide/system/software/integrity/fips/etc_system_fips_exists/oval/shared.xml
-@@ -1,10 +1,6 @@
- <def-group oval_version="5.10">
-   <definition class="compliance" id="etc_system_fips_exists" version="1">
--    <metadata>
--      <title>Check /etc/system-fips exists</title>
--      {{{- oval_affected(products) }}}
--      <description>Check /etc/system-fips exists</description>
--    </metadata>
-+    {{{ oval_metadata("Check /etc/system-fips exists") }}}
-     <criteria operator="AND">
-       <criterion test_ref="test_etc_system_fips" comment="/etc/system-fips exists" />
-     </criteria>
-diff --git a/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/oval/shared.xml b/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/oval/shared.xml
-index dd5b5666c5..dcd668d97c 100644
---- a/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/oval/shared.xml
-+++ b/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/oval/shared.xml
-@@ -1,10 +1,6 @@
- <def-group oval_version="5.10">
-   <definition class="compliance" id="grub2_enable_fips_mode" version="1">
--    <metadata>
--      <title>Enable FIPS Mode in GRUB2</title>
--      {{{- oval_affected(products) }}}
--      <description>Ensure fips=1 is configured in the kernel line in /etc/default/grub.</description>
--    </metadata>
-+    {{{ oval_metadata("Ensure fips=1 is configured in the kernel line in /etc/default/grub.") }}}
-     <criteria operator="AND">
-       <extend_definition comment="Installed OS is FIPS certified" definition_ref="installed_OS_is_FIPS_certified" />
-       <extend_definition comment="prelink disabled" definition_ref="disable_prelink" />
-diff --git a/linux_os/guide/system/software/integrity/fips/package_dracut-fips-aesni_installed/oval/shared.xml b/linux_os/guide/system/software/integrity/fips/package_dracut-fips-aesni_installed/oval/shared.xml
-index ba945ef66c..de11674eb0 100644
---- a/linux_os/guide/system/software/integrity/fips/package_dracut-fips-aesni_installed/oval/shared.xml
-+++ b/linux_os/guide/system/software/integrity/fips/package_dracut-fips-aesni_installed/oval/shared.xml
-@@ -5,11 +5,7 @@
- <def-group>
-   <definition class="compliance" id="package_dracut-fips-aesni_installed"
-   version="1">
--    <metadata>
--      <title>Package dracut-fips-aesni Installed</title>
--      {{{- oval_affected(products) }}}
--      <description>The RPM package dracut-fips-aesni should be installed.</description>
--    </metadata>
-+    {{{ oval_metadata("The RPM package dracut-fips-aesni should be installed.") }}}
-     <criteria operator="OR">
-       <criterion comment="System does not support AES instruction set" test_ref="test_processor_aes_instruction" />
-       <criteria operator="AND">
-diff --git a/linux_os/guide/system/software/integrity/fips/package_dracut-fips_installed/oval/shared.xml b/linux_os/guide/system/software/integrity/fips/package_dracut-fips_installed/oval/shared.xml
-index 1615b7c05b..af8b72d699 100644
---- a/linux_os/guide/system/software/integrity/fips/package_dracut-fips_installed/oval/shared.xml
-+++ b/linux_os/guide/system/software/integrity/fips/package_dracut-fips_installed/oval/shared.xml
-@@ -5,11 +5,7 @@
- <def-group>
-   <definition class="compliance" id="package_dracut-fips_installed"
-   version="1">
--    <metadata>
--      <title>Package dracut-fips Installed</title>
--      {{{- oval_affected(products) }}}
--      <description>The RPM package dracut-fips should be installed.</description>
--    </metadata>
-+    {{{ oval_metadata("The RPM package dracut-fips should be installed.") }}}
-     <criteria>
-       <extend_definition comment="Installed OS is FIPS certified" definition_ref="installed_OS_is_FIPS_certified" />
-       <criterion comment="package dracut-fips is installed"
-diff --git a/linux_os/guide/system/software/integrity/fips/sysctl_crypto_fips_enabled/oval/shared.xml b/linux_os/guide/system/software/integrity/fips/sysctl_crypto_fips_enabled/oval/shared.xml
-index 0414e0a9fc..95e2528db1 100644
---- a/linux_os/guide/system/software/integrity/fips/sysctl_crypto_fips_enabled/oval/shared.xml
-+++ b/linux_os/guide/system/software/integrity/fips/sysctl_crypto_fips_enabled/oval/shared.xml
-@@ -1,10 +1,6 @@
- <def-group>
-   <definition class="compliance" id="sysctl_crypto_fips_enabled" version="1">
--    <metadata>
--      <title>Kernel "crypto.fips_enabled" Parameter Runtime Check</title>
--      {{{- oval_affected(products) }}}
--      <description>The kernel "crypto.fips_enabled" parameter should be set to "1" in system runtime.</description>
--    </metadata>
-+    {{{ oval_metadata("The kernel 'crypto.fips_enabled' parameter should be set to '1' in system runtime.") }}}
-     <criteria operator="AND">
-       <criterion comment="kernel runtime parameter crypto.fips_enabled set to 1" test_ref="test_sysctl_crypto_fips_enabled" />
-     </criteria>
-diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/oval/shared.xml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/oval/shared.xml
-index f9835af1a8..0a1f6675cd 100644
---- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/oval/shared.xml
-+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_build_database/oval/shared.xml
-@@ -1,15 +1,6 @@
- <def-group>
-   <definition class="compliance" id="aide_build_database" version="2">
--    <metadata>
--      <title>Aide Database Must Exist</title>
--      <affected family="unix">
--        <platform>Red Hat Virtualization 4</platform>
--        <platform>multi_platform_fedora</platform>
--        <platform>multi_platform_ol</platform>
--        <platform>multi_platform_rhel</platform>
--      </affected>
--      <description>The aide database must be initialized.</description>
--    </metadata>
-+    {{{ oval_metadata("The aide database must be initialized.") }}}
-     <criteria operator="AND">
-       <extend_definition comment="Aide is installed" definition_ref="package_aide_installed" />
-       <!-- Only the configuration when location of the Aide database file is specified in the
-diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/oval/shared.xml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/oval/shared.xml
-index 0af7f9072b..85ea188e9d 100644
---- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/oval/shared.xml
-+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_periodic_cron_checking/oval/shared.xml
-@@ -1,19 +1,9 @@
- <def-group>
-   <definition class="compliance" id="aide_periodic_cron_checking" version="3">
--    <metadata>
--      <title>Configure Periodic Execution of AIDE</title>
--      <affected family="unix">
--        <platform>Red Hat Virtualization 4</platform>
--        <platform>multi_platform_fedora</platform>
--        <platform>multi_platform_ol</platform>
--        <platform>multi_platform_rhel</platform>
--        <platform>multi_platform_wrlinux</platform>
--      </affected>
--      <description>By default, AIDE does not install itself for periodic
-+    {{{ oval_metadata("By default, AIDE does not install itself for periodic
-       execution. Periodically running AIDE is necessary to reveal
-       unexpected changes in installed files.
--      </description>
--    </metadata>
-+      ") }}}
-     <criteria operator="AND">
-       <extend_definition comment="Aide is installed" definition_ref="package_aide_installed" />
-       <criteria operator="OR">
-diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_scan_notification/oval/shared.xml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_scan_notification/oval/shared.xml
-index 5182687f83..d6d9f2542e 100644
---- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_scan_notification/oval/shared.xml
-+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_scan_notification/oval/shared.xml
-@@ -1,16 +1,7 @@
- <def-group>
-   <definition class="compliance" id="aide_scan_notification" version="1">
--    <metadata>
--      <title>Configure Notification of Post-AIDE Scan Details</title>
--      <affected family="unix">
--        <platform>Red Hat Virtualization 4</platform>
--        <platform>multi_platform_rhel</platform>
--        <platform>multi_platform_wrlinux</platform>
--        <platform>multi_platform_ol</platform>
--      </affected>
--      <description>AIDE should notify appropriate personnel of the details
--      of a scan after the scan has been run.</description>
--    </metadata>
-+    {{{ oval_metadata("AIDE should notify appropriate personnel of the details
-+      of a scan after the scan has been run.") }}}
-     <criteria operator="AND">
-       <extend_definition comment="Aide is installed" definition_ref="package_aide_installed" />
-       <criteria operator="OR">
-diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_use_fips_hashes/oval/shared.xml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_use_fips_hashes/oval/shared.xml
-index d2efe727b7..8bd7901266 100644
---- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_use_fips_hashes/oval/shared.xml
-+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_use_fips_hashes/oval/shared.xml
-@@ -1,15 +1,7 @@
- <def-group>
-   <definition class="compliance" id="aide_use_fips_hashes" version="1">
--    <metadata>
--      <title>Configure AIDE to Use FIPS 140-2 for Validating Hashes</title>
--      <affected family="unix">
--        <platform>Red Hat Virtualization 4</platform>
--        <platform>multi_platform_rhel</platform>
--        <platform>multi_platform_ol</platform>
--      </affected>
--      <description>AIDE should be configured to use the FIPS 140-2 
--      cryptographic hashes.</description>
--    </metadata>
-+    {{{ oval_metadata("AIDE should be configured to use the FIPS 140-2 
-+      cryptographic hashes.") }}}
-     <criteria operator="AND">
-       <extend_definition comment="Installed OS is FIPS certified" definition_ref="installed_OS_is_FIPS_certified" />
-       <extend_definition comment="Aide is installed" definition_ref="package_aide_installed" />
-diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_acls/oval/shared.xml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_acls/oval/shared.xml
-index 7c57bdebe4..5b7368a7f7 100644
---- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_acls/oval/shared.xml
-+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_acls/oval/shared.xml
-@@ -1,14 +1,6 @@
- <def-group>
-   <definition class="compliance" id="aide_verify_acls" version="1">
--    <metadata>
--      <title>Configure AIDE to Verify Access Control Lists (ACLs)</title>
--      <affected family="unix">
--        <platform>Red Hat Virtualization 4</platform>
--        <platform>multi_platform_rhel</platform>
--        <platform>multi_platform_ol</platform>
--      </affected>
--      <description>AIDE should be configured to verify Access Control Lists (ACLs).</description>
--    </metadata>
-+    {{{ oval_metadata("AIDE should be configured to verify Access Control Lists (ACLs).") }}}
-     <criteria operator="AND">
-       <extend_definition comment="Aide is installed" definition_ref="package_aide_installed" />
-       <criterion comment="acl is set in /etc/aide.conf" test_ref="test_aide_verify_acls" />
-diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_ext_attributes/oval/shared.xml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_ext_attributes/oval/shared.xml
-index cbe4bf7465..8b64dddf9f 100644
---- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_ext_attributes/oval/shared.xml
-+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_ext_attributes/oval/shared.xml
-@@ -1,14 +1,6 @@
- <def-group>
-   <definition class="compliance" id="aide_verify_ext_attributes" version="1">
--    <metadata>
--      <title>Configure AIDE to Verify Extended Attributes</title>
--      <affected family="unix">
--        <platform>Red Hat Virtualization 4</platform>
--        <platform>multi_platform_rhel</platform>
--        <platform>multi_platform_ol</platform>
--      </affected>
--      <description>AIDE should be configured to verify extended file attributes.</description>
--    </metadata>
-+    {{{ oval_metadata("AIDE should be configured to verify extended file attributes.") }}}
-     <criteria operator="AND">
-       <extend_definition comment="Aide is installed" definition_ref="package_aide_installed" />
-       <criterion comment="xattrs is set in /etc/aide.conf" test_ref="test_aide_verify_ext_attributes" />
-diff --git a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_hashes/oval/shared.xml b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_hashes/oval/shared.xml
-index ec164dec1f..58baf253db 100644
---- a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_hashes/oval/shared.xml
-+++ b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_hashes/oval/shared.xml
-@@ -1,16 +1,6 @@
- <def-group>
-   <definition class="compliance" id="rpm_verify_hashes" version="3">
--    <metadata>
--      <title>Verify File Hashes with RPM</title>
--      <affected family="unix">
--        <platform>multi_platform_wrlinux</platform>
--        <platform>multi_platform_fedora</platform>
--        <platform>multi_platform_rhv</platform>
--        <platform>multi_platform_rhel</platform>
--        <platform>multi_platform_ol</platform>
--      </affected>
--      <description>Verify the RPM digests of system binaries using the RPM database.</description>
--    </metadata>
-+    {{{ oval_metadata("Verify the RPM digests of system binaries using the RPM database.") }}}
-     <criteria>
-       <criterion test_ref="test_files_fail_md5_hash" comment="verify file md5 hashes" />
-     </criteria>
-diff --git a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/oval/shared.xml b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/oval/shared.xml
-index 95bae46412..ec52adb92c 100644
---- a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/oval/shared.xml
-+++ b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/oval/shared.xml
-@@ -1,18 +1,9 @@
- <def-group>
-   <definition class="compliance" id="rpm_verify_ownership" version="3">
--    <metadata>
--      <title>Verify File Ownership Using RPM</title>
--      <affected family="unix">
--        <platform>multi_platform_rhel</platform>
--        <platform>multi_platform_fedora</platform>
--        <platform>multi_platform_rhv</platform>
--        <platform>multi_platform_ol</platform>
--      </affected>
--      <description>Verify ownership of installed packages
-+    {{{ oval_metadata("Verify ownership of installed packages
-       by comparing the installed files with information about the
-       files taken from the package metadata stored in the RPM
--      database.</description>
--    </metadata>
-+      database.") }}}
-     <criteria operator="AND">
-       <criterion test_ref="test_verify_all_rpms_user_ownership" comment="user ownership of all files matches local rpm database" />
-       <criterion test_ref="test_verify_all_rpms_group_ownership" comment="group ownership of all files matches local rpm database" />
-diff --git a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/oval/shared.xml b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/oval/shared.xml
-index 6fd3ff827e..66e3dea203 100644
---- a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/oval/shared.xml
-+++ b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/oval/shared.xml
-@@ -1,19 +1,9 @@
- <def-group>
-   <definition class="compliance" id="rpm_verify_permissions" version="3">
--    <metadata>
--      <title>Verify File Permissions Using RPM</title>
--      <affected family="unix">
--        <platform>multi_platform_wrlinux</platform>
--        <platform>multi_platform_rhel</platform>
--        <platform>multi_platform_fedora</platform>
--        <platform>multi_platform_rhv</platform>
--        <platform>multi_platform_ol</platform>
--      </affected>
--      <description>Verify the permissions of installed packages
-+    {{{ oval_metadata("Verify the permissions of installed packages
-       by comparing the installed files with information about the
-       files taken from the package metadata stored in the RPM
--      database.</description>
--    </metadata>
-+      database.") }}}
-     <criteria>
-       <criterion test_ref="test_verify_all_rpms_mode" comment="mode of all files matches local rpm database" />
-     </criteria>
-diff --git a/linux_os/guide/system/software/sap_host/accounts_authorized_local_users/oval/shared.xml b/linux_os/guide/system/software/sap_host/accounts_authorized_local_users/oval/shared.xml
-index 4913602c34..4e42081d0d 100644
---- a/linux_os/guide/system/software/sap_host/accounts_authorized_local_users/oval/shared.xml
-+++ b/linux_os/guide/system/software/sap_host/accounts_authorized_local_users/oval/shared.xml
-@@ -1,13 +1,7 @@
- <def-group>
-   <definition class="compliance" id="accounts_authorized_local_users" version="1">
--    <metadata>
--      <title>Only Authorized Local User Accounts Exist on Operating System</title>
--      <affected family="unix">
--        <platform>Oracle Linux 7</platform>
--      </affected>
--      <description>Besides the default operating system user, there should be no other users
--      except the users that are authorized to exist locally on the operating system.</description>
--    </metadata>
-+    {{{ oval_metadata("Besides the default operating system user, there should be no other users
-+      except the users that are authorized to exist locally on the operating system.") }}}
-     <criteria>
-       <criterion test_ref="test_accounts_authorized_local_users"
-       comment="only root user and explicitly authorized users are allowed in /etc/passwd" />
-diff --git a/linux_os/guide/system/software/sap_host/accounts_authorized_local_users_sidadm_orasid/oval/shared.xml b/linux_os/guide/system/software/sap_host/accounts_authorized_local_users_sidadm_orasid/oval/shared.xml
-index 058be516f9..ca083308f8 100644
---- a/linux_os/guide/system/software/sap_host/accounts_authorized_local_users_sidadm_orasid/oval/shared.xml
-+++ b/linux_os/guide/system/software/sap_host/accounts_authorized_local_users_sidadm_orasid/oval/shared.xml
-@@ -1,16 +1,10 @@
- <def-group oval_version="5.11">
-   <definition class="compliance" id="accounts_authorized_local_users_sidadm_orasid" version="1">
--    <metadata>
--      <title>Only sidadm and orasid/oracle Exist as Local Users on Operating System</title>
--      <affected family="unix">
--        <platform>multi_platform_ol</platform>
--      </affected>
--      <description> SAP system users sidadm/sapadm and orasid/oracle should be the only
-+    {{{ oval_metadata(" SAP system users sidadm/sapadm and orasid/oracle should be the only
-       users besides the authorized usrs listed in var_accounts_authorized_local_users_regex
-       that exist locally on the operating system.
-       Limitation: only works with zero to one SAP system on each OS/VM. 
--      </description>
--    </metadata>
-+      ") }}}
-     <criteria operator="AND">
-       <!-- users in the external list -->
-       <criterion test_ref="test_accounts_authorized_local_users_sidadm_orasid"
-diff --git a/linux_os/guide/system/software/sudo/sudo_remove_no_authenticate/oval/shared.xml b/linux_os/guide/system/software/sudo/sudo_remove_no_authenticate/oval/shared.xml
-index 07fa056f97..a80705ac4d 100644
---- a/linux_os/guide/system/software/sudo/sudo_remove_no_authenticate/oval/shared.xml
-+++ b/linux_os/guide/system/software/sudo/sudo_remove_no_authenticate/oval/shared.xml
-@@ -1,18 +1,6 @@
- <def-group>
-   <definition class="compliance" id="sudo_remove_no_authenticate" version="1">
--    <metadata>
--      <title>Ensure !authenticate Is Not Used in Sudo</title>
--      <affected family="unix">
--        <platform>Red Hat Virtualization 4</platform>
--        <platform>multi_platform_debian</platform>
--        <platform>multi_platform_fedora</platform>
--        <platform>multi_platform_rhel</platform>
--        <platform>multi_platform_ubuntu</platform>
--        <platform>multi_platform_wrlinux</platform>
--        <platform>multi_platform_ol</platform>
--      </affected>
--      <description>Checks sudo usage without authentication</description>
--    </metadata>
-+    {{{ oval_metadata("Checks sudo usage without authentication") }}}
-     <criteria operator="AND">
-       <criterion comment="!authenticate does not exist in /etc/sudoers" test_ref="test_no_authenticate_etc_sudoers" />
-       <criterion comment="!authenticate does not exist in /etc/sudoers.d" test_ref="test_no_authenticate_etc_sudoers_d" />
-diff --git a/linux_os/guide/system/software/sudo/sudo_remove_nopasswd/oval/shared.xml b/linux_os/guide/system/software/sudo/sudo_remove_nopasswd/oval/shared.xml
-index 8ad71c0a23..c850b8637a 100644
---- a/linux_os/guide/system/software/sudo/sudo_remove_nopasswd/oval/shared.xml
-+++ b/linux_os/guide/system/software/sudo/sudo_remove_nopasswd/oval/shared.xml
-@@ -1,18 +1,6 @@
- <def-group>
-   <definition class="compliance" id="sudo_remove_nopasswd" version="1">
--    <metadata>
--      <title>Ensure NOPASSWD Is Not Used in Sudo</title>
--      <affected family="unix">
--        <platform>Red Hat Virtualization 4</platform>
--        <platform>multi_platform_debian</platform>
--        <platform>multi_platform_fedora</platform>
--        <platform>multi_platform_rhel</platform>
--        <platform>multi_platform_ubuntu</platform>
--        <platform>multi_platform_wrlinux</platform>
--        <platform>multi_platform_ol</platform>
--      </affected>
--      <description>Checks sudo usage without password</description>
--    </metadata>
-+    {{{ oval_metadata("Checks sudo usage without password") }}}
-     <criteria operator="AND">
-       <criterion comment="NOPASSWD is not configured in /etc/sudoers" test_ref="test_nopasswd_etc_sudoers" />
-       <criterion comment="NOPASSWD is not configured in /etc/sudoers.d" test_ref="test_nopasswd_etc_sudoers_d" />
-diff --git a/linux_os/guide/system/software/sudo/sudo_require_authentication/oval/shared.xml b/linux_os/guide/system/software/sudo/sudo_require_authentication/oval/shared.xml
-index 653575609b..b7241a4fae 100644
---- a/linux_os/guide/system/software/sudo/sudo_require_authentication/oval/shared.xml
-+++ b/linux_os/guide/system/software/sudo/sudo_require_authentication/oval/shared.xml
-@@ -1,17 +1,6 @@
- <def-group>
-   <definition class="compliance" id="sudo_require_authentication" version="1">
--    <metadata>
--      <title>Ensure Users Re-Authenticate for Privilege Escalation - sudo</title>
--      <affected family="unix">
--        <platform>Red Hat Virtualization 4</platform>
--        <platform>multi_platform_debian</platform>
--        <platform>multi_platform_fedora</platform>
--        <platform>multi_platform_rhel</platform>
--        <platform>multi_platform_ubuntu</platform>
--        <platform>multi_platform_ol</platform>
--      </affected>
--      <description>Checks sudo usage without password</description>
--    </metadata>
-+    {{{ oval_metadata("Checks sudo usage without password") }}}
-     <criteria operator="AND">
-       <extend_definition definition_ref="sudo_remove_no_authenticate" />
-       <extend_definition definition_ref="sudo_remove_nopasswd" />
-diff --git a/linux_os/guide/system/software/sudo/sudo_vdsm_nopasswd/oval/shared.xml b/linux_os/guide/system/software/sudo/sudo_vdsm_nopasswd/oval/shared.xml
-index 7ce0bbf0d5..0661587161 100644
---- a/linux_os/guide/system/software/sudo/sudo_vdsm_nopasswd/oval/shared.xml
-+++ b/linux_os/guide/system/software/sudo/sudo_vdsm_nopasswd/oval/shared.xml
-@@ -1,14 +1,6 @@
- <def-group>
-   <definition class="compliance" id="sudo_vdsm_nopasswd" version="1">
--    <metadata>
--      <title>Ensure NOPASSWD Is Used Only for the VDSM User in Sudo</title>
--      <affected family="unix">
--        <platform>Red Hat Virtualization 4</platform>
--        <platform>multi_platform_fedora</platform>
--        <platform>multi_platform_rhel</platform>
--      </affected>
--      <description>Checks sudo usage for the vdsm user without a password</description>
--    </metadata>
-+    {{{ oval_metadata("Checks sudo usage for the vdsm user without a password") }}}
-     <criteria operator="AND">
-       <criterion comment="NOPASSWD only exists for vdsm user in /etc/sudoers" test_ref="test_vdsm_nopasswd_etc_sudoers" />
-       <criterion comment="NOPASSWD only exists for vdsm user in /etc/sudoers.d" test_ref="test_vdsm_nopasswd_etc_sudoers_d" />
-diff --git a/linux_os/guide/system/software/updating/clean_components_post_updating/oval/shared.xml b/linux_os/guide/system/software/updating/clean_components_post_updating/oval/shared.xml
-index 413156f85d..63887598e0 100644
---- a/linux_os/guide/system/software/updating/clean_components_post_updating/oval/shared.xml
-+++ b/linux_os/guide/system/software/updating/clean_components_post_updating/oval/shared.xml
-@@ -1,16 +1,7 @@
- <def-group oval_version="5.10">
-   <definition class="compliance" id="clean_components_post_updating" version="1">
--    <metadata>
--      <title>Ensure YUM Removes Previous Package Versions</title>
--      <affected family="unix">
--        <platform>Red Hat Enterprise Linux 7</platform>
--        <platform>Red Hat Enterprise Linux 8</platform>
--        <platform>multi_platform_rhv</platform>
--        <platform>multi_platform_ol</platform>
--      </affected>
--      <description>The clean_requirements_on_remove option should be used to ensure that old 
--      versions of software components are removed after updating.</description>
--    </metadata>
-+    {{{ oval_metadata("The clean_requirements_on_remove option should be used to ensure that old 
-+      versions of software components are removed after updating.") }}}
-     <criteria>
-       <criterion comment="check value of clean_requirements_on_remove in /etc/yum.conf" test_ref="test_yum_clean_components_post_updating" />
-     </criteria>
-diff --git a/linux_os/guide/system/software/updating/ensure_fedora_gpgkey_installed/oval/shared.xml b/linux_os/guide/system/software/updating/ensure_fedora_gpgkey_installed/oval/shared.xml
-index 42ac6adde5..8e0c00edff 100644
---- a/linux_os/guide/system/software/updating/ensure_fedora_gpgkey_installed/oval/shared.xml
-+++ b/linux_os/guide/system/software/updating/ensure_fedora_gpgkey_installed/oval/shared.xml
-@@ -20,13 +20,7 @@
- 
- <def-group>
-   <definition class="compliance" id="ensure_fedora_gpgkey_installed" version="2">
--    <metadata>
--      <title>Fedora Release gpg-pubkey Package Installed</title>
--      <affected family="unix">
--        <platform>multi_platform_fedora</platform>
--      </affected>
--      <description>The Fedora release key package is required to be installed.</description>
--    </metadata>
-+    {{{ oval_metadata("The Fedora release key package is required to be installed.") }}}
-     <criteria comment="Fedora Vendor keys" operator="AND">
-       <extend_definition comment="Fedora installed" definition_ref="installed_OS_is_fedora" />
-       <criteria comment="Supported Fedora key is installed" operator="OR">
-diff --git a/linux_os/guide/system/software/updating/ensure_gpgcheck_globally_activated/oval/shared.xml b/linux_os/guide/system/software/updating/ensure_gpgcheck_globally_activated/oval/shared.xml
-index 4f27dd2ddc..791674f112 100644
---- a/linux_os/guide/system/software/updating/ensure_gpgcheck_globally_activated/oval/shared.xml
-+++ b/linux_os/guide/system/software/updating/ensure_gpgcheck_globally_activated/oval/shared.xml
-@@ -1,14 +1,8 @@
- <def-group>
-   <definition class="compliance" id="ensure_gpgcheck_globally_activated" version="1">
--    <metadata>
--      <title>Ensure {{{ pkg_manager }}} gpgcheck Globally Activated</title>
--      <affected family="unix">
--        <platform>multi_platform_all</platform>
--      </affected>
--      <description>The gpgcheck option should be used to ensure that checking
-+    {{{ oval_metadata("The gpgcheck option should be used to ensure that checking
-       of an RPM package's signature always occurs prior to its
--      installation.</description>
--    </metadata>
-+      installation.") }}}
-     <criteria operator="AND">
-      <criterion comment="check value of gpgcheck in {{{ pkg_manager_config_file }}}" test_ref="test_ensure_gpgcheck_globally_activated" />
-     </criteria>
-diff --git a/linux_os/guide/system/software/updating/ensure_gpgcheck_local_packages/oval/shared.xml b/linux_os/guide/system/software/updating/ensure_gpgcheck_local_packages/oval/shared.xml
-index 5baf312df5..ff59d34138 100644
---- a/linux_os/guide/system/software/updating/ensure_gpgcheck_local_packages/oval/shared.xml
-+++ b/linux_os/guide/system/software/updating/ensure_gpgcheck_local_packages/oval/shared.xml
-@@ -1,19 +1,8 @@
- <def-group>
-   <definition class="compliance" id="ensure_gpgcheck_local_packages" version="1">
--    <metadata>
--      <title>Ensure gpgcheck Enabled for Local Packages</title>
--      <affected family="unix">
--        <platform>multi_platform_wrlinux</platform>
--        <platform>multi_platform_fedora</platform>
--        <platform>multi_platform_rhv</platform>
--        <platform>Red Hat Enterprise Linux 7</platform>
--        <platform>Red Hat Enterprise Linux 8</platform>
--        <platform>multi_platform_ol</platform>
--      </affected>
--      <description>The localpkg_gpgcheck option should be used to ensure that checking 
-+    {{{ oval_metadata("The localpkg_gpgcheck option should be used to ensure that checking 
-       of an RPM package's signature always occurs prior to its
--      installation.</description>
--    </metadata>
-+      installation.") }}}
-     <criteria>
-       <criterion comment="check value of localpkg_gpgcheck in {{{ pkg_manager_config_file }}}" test_ref="test_yum_ensure_gpgcheck_local_packages" />
-     </criteria>
-diff --git a/linux_os/guide/system/software/updating/ensure_gpgcheck_never_disabled/oval/shared.xml b/linux_os/guide/system/software/updating/ensure_gpgcheck_never_disabled/oval/shared.xml
-index 600c7c0a4e..0e661f91cf 100644
---- a/linux_os/guide/system/software/updating/ensure_gpgcheck_never_disabled/oval/shared.xml
-+++ b/linux_os/guide/system/software/updating/ensure_gpgcheck_never_disabled/oval/shared.xml
-@@ -1,16 +1,7 @@
- <def-group>
-   <definition class="compliance" id="ensure_gpgcheck_never_disabled"
-   version="1">
--    <metadata>
--      <title>Ensure gpgcheck Enabled For All Yum or Dnf Package Repositories</title>
--      <affected family="unix">
--        <platform>multi_platform_fedora</platform>
--        <platform>multi_platform_rhv</platform>
--        <platform>multi_platform_rhel</platform>
--        <platform>multi_platform_ol</platform>
--      </affected>
--      <description>Ensure all yum or dnf repositories utilize signature checking.</description>
--    </metadata>
-+    {{{ oval_metadata("Ensure all yum or dnf repositories utilize signature checking.") }}}
-     <criteria comment="ensure all yum or dnf repositories utilize signiature checking" operator="AND">
-       <criterion comment="verify no gpgpcheck=0 present in /etc/yum.repos.d files"
-       test_ref="test_ensure_gpgcheck_never_disabled" />
-diff --git a/linux_os/guide/system/software/updating/ensure_gpgcheck_repo_metadata/oval/shared.xml b/linux_os/guide/system/software/updating/ensure_gpgcheck_repo_metadata/oval/shared.xml
-index 83a14a1a5c..dc77750c56 100644
---- a/linux_os/guide/system/software/updating/ensure_gpgcheck_repo_metadata/oval/shared.xml
-+++ b/linux_os/guide/system/software/updating/ensure_gpgcheck_repo_metadata/oval/shared.xml
-@@ -1,15 +1,7 @@
- <def-group>
-   <definition class="compliance" id="ensure_gpgcheck_repo_metadata" version="1">
--    <metadata>
--      <title>Ensure gpgcheck Enabled for Repository Metadata</title>
--      <affected family="unix">
--        <platform>Red Hat Enterprise Linux 7</platform>
--        <platform>Red Hat Enterprise Linux 8</platform>
--        <platform>multi_platform_ol</platform>
--      </affected>
--      <description>The repo_gpgcheck option should be used to ensure that checking
--      of repository metadata always occurs.</description>
--    </metadata>
-+    {{{ oval_metadata("The repo_gpgcheck option should be used to ensure that checking
-+      of repository metadata always occurs.") }}}
-     <criteria>
-       <criterion comment="check value of repo_gpgcheck in /etc/yum.conf" test_ref="test_yum_ensure_gpgcheck_repo_metadata" />
-     </criteria>
-diff --git a/linux_os/guide/system/software/updating/ensure_oracle_gpgkey_installed/oval/shared.xml b/linux_os/guide/system/software/updating/ensure_oracle_gpgkey_installed/oval/shared.xml
-index 1406fec48e..a920d54a7f 100644
---- a/linux_os/guide/system/software/updating/ensure_oracle_gpgkey_installed/oval/shared.xml
-+++ b/linux_os/guide/system/software/updating/ensure_oracle_gpgkey_installed/oval/shared.xml
-@@ -1,12 +1,6 @@
- <def-group>
-   <definition class="compliance" id="ensure_oracle_gpgkey_installed" version="1">
--    <metadata>
--      <title>Oracle Linux gpg-pubkey Package Installed</title>
--      <affected family="unix">
--        <platform>multi_platform_ol</platform>
--      </affected>
--      <description>The Oracle Linux key packages are required to be installed.</description>
--    </metadata>
-+    {{{ oval_metadata("The Oracle Linux key packages are required to be installed.") }}}
-     <criteria comment="Vendor GPG keys" operator="OR">
-       <criteria comment="Oracle Vendor GPG Keys" operator="AND">
-         <criteria comment="Oracle Linux Release Installed" operator="OR">
-diff --git a/linux_os/guide/system/software/updating/ensure_redhat_gpgkey_installed/oval/shared.xml b/linux_os/guide/system/software/updating/ensure_redhat_gpgkey_installed/oval/shared.xml
-index 748f30a293..77f0620f60 100644
---- a/linux_os/guide/system/software/updating/ensure_redhat_gpgkey_installed/oval/shared.xml
-+++ b/linux_os/guide/system/software/updating/ensure_redhat_gpgkey_installed/oval/shared.xml
-@@ -1,13 +1,6 @@
- <def-group>
-   <definition class="compliance" id="ensure_redhat_gpgkey_installed" version="2">
--    <metadata>
--      <title>Red Hat Release and Auxiliary gpg-pubkey Packages Installed</title>
--      <affected family="unix">
--        <platform>multi_platform_rhel</platform>
--        <platform>multi_platform_rhv</platform>
--      </affected>
--      <description>The Red Hat release and auxiliary key packages are required to be installed.</description>
--    </metadata>
-+    {{{ oval_metadata("The Red Hat release and auxiliary key packages are required to be installed.") }}}
-     <criteria comment="Vendor GPG keys" operator="OR">
-       <criteria comment="Red Hat Vendor Keys" operator="AND">
-         <criteria comment="Red Hat Installed" operator="OR">
-diff --git a/shared/templates/template_OVAL_accounts_password b/shared/templates/template_OVAL_accounts_password
-index 8d4135601d..983290dcfb 100644
---- a/shared/templates/template_OVAL_accounts_password
-+++ b/shared/templates/template_OVAL_accounts_password
-@@ -1,10 +1,6 @@
- <def-group>
-   <definition class="compliance" id="accounts_password_pam_{{{ VARIABLE }}}" version="3">
--    <metadata>
--      <title>Set Password {{{ VARIABLE }}} Requirements</title>
--      {{{- oval_affected(products) }}}
--      <description>The password {{{ VARIABLE }}} should meet minimum requirements</description>
--    </metadata>
-+    {{{ oval_metadata("The password " + VARIABLE + " should meet minimum requirements") }}}
- {{% if product == "rhel6" %}}
-     <criteria>
-         <criterion comment="rhel6 pam_cracklib {{{ VARIABLE }}}" test_ref="test_password_pam_cracklib_{{{ VARIABLE }}}" />
-diff --git a/shared/templates/template_OVAL_audit_rules_dac_modification b/shared/templates/template_OVAL_audit_rules_dac_modification
-index 70f0d47b6d..6b8deec1eb 100644
---- a/shared/templates/template_OVAL_audit_rules_dac_modification
-+++ b/shared/templates/template_OVAL_audit_rules_dac_modification
-@@ -1,10 +1,6 @@
- <def-group>
-   <definition class="compliance" id="{{{ rule_id }}}" version="1">
--    <metadata>
--      <title>Audit Discretionary Access Control Modification Events - {{{ ATTR }}}</title>
--      {{{- oval_affected(products) }}}
--      <description>The changing of file permissions and attributes should be audited.</description>
--    </metadata>
-+    {{{ oval_metadata("The changing of file permissions and attributes should be audited.") }}}
-     <criteria operator="OR">
- 
-       <!-- Test the augenrules case -->
-diff --git a/shared/templates/template_OVAL_audit_rules_file_deletion_events b/shared/templates/template_OVAL_audit_rules_file_deletion_events
-index bbf3edd6a0..97ed844bcc 100644
---- a/shared/templates/template_OVAL_audit_rules_file_deletion_events
-+++ b/shared/templates/template_OVAL_audit_rules_file_deletion_events
-@@ -1,10 +1,6 @@
- <def-group>
-   <definition class="compliance" id="audit_rules_file_deletion_events_{{{ NAME }}}" version="1">
--    <metadata>
--      <title>Audit File Deletion Events - {{{ NAME }}}</title>
--      {{{- oval_affected(products) }}}
--      <description>The deletion of files should be audited.</description>
--    </metadata>
-+    {{{ oval_metadata("The deletion of files should be audited.") }}}
- 
-     <criteria operator="OR">
- 
-diff --git a/shared/templates/template_OVAL_audit_rules_login_events b/shared/templates/template_OVAL_audit_rules_login_events
-index 77d989a031..916d13ab6c 100644
---- a/shared/templates/template_OVAL_audit_rules_login_events
-+++ b/shared/templates/template_OVAL_audit_rules_login_events
-@@ -1,10 +1,6 @@
- <def-group>
-   <definition class="compliance" id="audit_rules_login_events_{{{ NAME }}}" version="2">
--    <metadata>
--      <title>Record Attempts to Alter Login and Logout Events - {{{ NAME }}}</title>
--      {{{- oval_affected(products) }}}
--      <description>Audit rules should be configured to log successful and unsuccessful login and logout events.</description>
--    </metadata>
-+    {{{ oval_metadata("Audit rules should be configured to log successful and unsuccessful login and logout events.") }}}
- 
-     <criteria operator="OR">
- 
-diff --git a/shared/templates/template_OVAL_audit_rules_path_syscall b/shared/templates/template_OVAL_audit_rules_path_syscall
-index 286c09e575..05331ee3fa 100644
---- a/shared/templates/template_OVAL_audit_rules_path_syscall
-+++ b/shared/templates/template_OVAL_audit_rules_path_syscall
-@@ -1,10 +1,6 @@
- <def-group>
-   <definition class="compliance" id="audit_rules_{{{ PATHID }}}_{{{ SYSCALL }}}" version="1">
--    <metadata>
--      <title>Ensure auditd Collects Write Events to {{{ PATH }}}</title>
--      {{{- oval_affected(products) }}}
--      <description>Audit rules about the write events to {{{ PATH }}}</description>
--    </metadata>
-+    {{{ oval_metadata("Audit rules about the write events to " + PATH) }}}
- 
-     <criteria operator="OR">
- 
-diff --git a/shared/templates/template_OVAL_audit_rules_privileged_commands b/shared/templates/template_OVAL_audit_rules_privileged_commands
-index 1d81786477..4a5f9e1e6d 100644
---- a/shared/templates/template_OVAL_audit_rules_privileged_commands
-+++ b/shared/templates/template_OVAL_audit_rules_privileged_commands
-@@ -1,10 +1,6 @@
- <def-group>
-   <definition class="compliance" id="{{{ ID }}}" version="1">
--    <metadata>
--      <title>{{{ TITLE }}}</title>
--      {{{- oval_affected(products) }}}
--      <description>Audit rules about the information on the use of {{{ NAME }}} is enabled.</description>
--    </metadata>
-+    {{{ oval_metadata("Audit rules about the information on the use of " + NAME + " is enabled.") }}}
- 
-     <criteria operator="OR">
- 
-diff --git a/shared/templates/template_OVAL_audit_rules_unsuccessful_file_modification b/shared/templates/template_OVAL_audit_rules_unsuccessful_file_modification
-index 480d5de82b..fdb3367742 100644
---- a/shared/templates/template_OVAL_audit_rules_unsuccessful_file_modification
-+++ b/shared/templates/template_OVAL_audit_rules_unsuccessful_file_modification
-@@ -1,10 +1,6 @@
- <def-group>
-   <definition class="compliance" id="audit_rules_unsuccessful_file_modification_{{{ NAME }}}" version="1">
--    <metadata>
--      <title>Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful) - {{{ NAME }}}</title>
--      {{{- oval_affected(products) }}}
--      <description>Audit rules about the unauthorized access attempts to files (unsuccessful) are enabled.</description>
--    </metadata>
-+    {{{ oval_metadata("Audit rules about the unauthorized access attempts to files (unsuccessful) are enabled.") }}}
- 
-     <criteria operator="OR">
- 
-diff --git a/shared/templates/template_OVAL_audit_rules_unsuccessful_file_modification_o_creat b/shared/templates/template_OVAL_audit_rules_unsuccessful_file_modification_o_creat
-index aa8c8e354e..e8abbee7f9 100644
---- a/shared/templates/template_OVAL_audit_rules_unsuccessful_file_modification_o_creat
-+++ b/shared/templates/template_OVAL_audit_rules_unsuccessful_file_modification_o_creat
-@@ -1,10 +1,6 @@
- <def-group>
-   <definition class="compliance" id="audit_rules_unsuccessful_file_modification_{{{ SYSCALL }}}_o_creat" version="1">
--    <metadata>
--      <title>Ensure auditd Collects Information on Unsuccesful Creation Attempts to Files - {{{ SYSCALL }}} o_creat</title>
--      {{{- oval_affected(products) }}}
--      <description>Audit rules about the information on the unsuccessful use of {{{ SYSCALL }}} O_CREAT is enabled.</description>
--    </metadata>
-+    {{{ oval_metadata("Audit rules about the information on the unsuccessful use of " + SYSCALL + " O_CREAT is enabled.") }}}
- 
-     <criteria operator="OR">
- 
-diff --git a/shared/templates/template_OVAL_audit_rules_unsuccessful_file_modification_o_trunc_write b/shared/templates/template_OVAL_audit_rules_unsuccessful_file_modification_o_trunc_write
-index 14455348da..dda7b02430 100644
---- a/shared/templates/template_OVAL_audit_rules_unsuccessful_file_modification_o_trunc_write
-+++ b/shared/templates/template_OVAL_audit_rules_unsuccessful_file_modification_o_trunc_write
-@@ -1,10 +1,6 @@
- <def-group>
-   <definition class="compliance" id="audit_rules_unsuccessful_file_modification_{{{ SYSCALL }}}_o_trunc_write" version="1">
--    <metadata>
--      <title>Ensure auditd Collects Information on Unsuccesful Creation Attempts to Files - {{{ SYSCALL }}} o_trunc</title>
--      {{{- oval_affected(products) }}}
--      <description>Audit rules about the information on the unsuccessful use of {{{ SYSCALL }}} O_TRUNC is enabled.</description>
--    </metadata>
-+    {{{ oval_metadata("Audit rules about the information on the unsuccessful use of " + SYSCALL + " O_TRUNC is enabled.") }}}
- 
-     <criteria operator="OR">
- 
-diff --git a/shared/templates/template_OVAL_audit_rules_unsuccessful_file_modification_rule_order b/shared/templates/template_OVAL_audit_rules_unsuccessful_file_modification_rule_order
-index 09453cbb66..1c16aed6e7 100644
---- a/shared/templates/template_OVAL_audit_rules_unsuccessful_file_modification_rule_order
-+++ b/shared/templates/template_OVAL_audit_rules_unsuccessful_file_modification_rule_order
-@@ -1,11 +1,6 @@
- <def-group>
-   <definition class="compliance" id="audit_rules_unsuccessful_file_modification_{{{ SYSCALL }}}_rule_order" version="1">
--    <metadata>
--      <title>Ensure auditd Rules For Unauthorized Attempts To {{{ SYSCALL }}} Are Ordered Correctly</title>
--      {{{- oval_affected(products) }}}
--      <description>Audit rules about the information on the unsuccessful use of {{{ SYSCALL }}} is configured in the proper rule order.</description>
--
--    </metadata>
-+    {{{ oval_metadata("Audit rules about the information on the unsuccessful use of " + SYSCALL + " is configured in the proper rule order.") }}}
- 
-     <criteria operator="OR">
- 
-diff --git a/shared/templates/template_OVAL_audit_rules_usergroup_modification b/shared/templates/template_OVAL_audit_rules_usergroup_modification
-index 5bff9a04c0..28d9fdfeb0 100644
---- a/shared/templates/template_OVAL_audit_rules_usergroup_modification
-+++ b/shared/templates/template_OVAL_audit_rules_usergroup_modification
-@@ -1,10 +1,6 @@
- <def-group>
-   <definition class="compliance" id="audit_rules_usergroup_modification_{{{ NAME }}}" version="1">
--    <metadata>
--      <title>Audit User/Group Modification - {{{ NAME }}}</title>
--      {{{- oval_affected(products) }}}
--      <description>Audit user/group modification.</description>
--    </metadata>
-+    {{{ oval_metadata("Audit user/group modification.") }}}
-     <criteria operator="OR">
-       <criteria operator="AND">
-         <extend_definition comment="audit augenrules" definition_ref="audit_rules_augenrules" />
-diff --git a/shared/templates/template_OVAL_bls_entries_option b/shared/templates/template_OVAL_bls_entries_option
-index 7a64337b1f..d60f13c8f9 100644
---- a/shared/templates/template_OVAL_bls_entries_option
-+++ b/shared/templates/template_OVAL_bls_entries_option
-@@ -1,10 +1,6 @@
- <def-group>
-   <definition class="compliance" id="{{{ _RULE_ID }}}" version="2">
--    <metadata>
--      <title>Ensure that BLS-compatible boot loader is configured to run Linux operating system with argument {{{ ARG_NAME_VALUE }}}</title>
--      {{{- oval_affected(products) }}}
--      <description>Ensure {{{ ARG_NAME_VALUE }}} option is configured in the 'options' line in /boot/loader/entries/*.conf.</description>
--    </metadata>
-+    {{{ oval_metadata("Ensure " + ARG_NAME_VALUE + " option is configured in the 'options' line in /boot/loader/entries/*.conf.") }}}
-     <criteria operator="AND">
-         <criterion test_ref="test_bls_{{{ SANITIZED_ARG_NAME }}}_options"
-         comment="Check if {{{ ARG_NAME_VALUE }}} is present in the 'options' line in /boot/loader/entries/*" />
-diff --git a/shared/templates/template_OVAL_file_groupowner b/shared/templates/template_OVAL_file_groupowner
-index 9540b21cc0..8bdbf8ae15 100644
---- a/shared/templates/template_OVAL_file_groupowner
-+++ b/shared/templates/template_OVAL_file_groupowner
-@@ -1,10 +1,6 @@
- <def-group>
-   <definition class="compliance" id="file_groupowner{{{ FILEID }}}" version="1">
--    <metadata>
--      <title>Verify {{{ FILEPATH }}} Group Owner</title>
--      {{{- oval_affected(products) }}}
--      <description>This test makes sure that {{{ FILEPATH }}} is group owned by {{{ FILEGID }}}.</description>
--    </metadata>
-+    {{{ oval_metadata("This test makes sure that " + FILEPATH + " is group owned by " + FILEGID + ".") }}}
-     <criteria>
-       <criterion comment="Check file group ownership of {{{ FILEPATH }}}" test_ref="test_file_groupowner{{{ FILEID }}}" />
-     </criteria>
-diff --git a/shared/templates/template_OVAL_file_owner b/shared/templates/template_OVAL_file_owner
-index 7ed366141f..25bd2bab8c 100644
---- a/shared/templates/template_OVAL_file_owner
-+++ b/shared/templates/template_OVAL_file_owner
-@@ -1,10 +1,6 @@
- <def-group>
-   <definition class="compliance" id="file_owner{{{ FILEID }}}" version="1">
--    <metadata>
--      <title>Verify {{{ FILEPATH }}} Owner</title>
--      {{{- oval_affected(products) }}}
--      <description>This test makes sure that {{{ FILEPATH }}} is owned by {{{ FILEUID }}}.</description>
--    </metadata>
-+    {{{ oval_metadata("This test makes sure that " + FILEPATH + " is owned by " + FILEUID + ".") }}}
-     <criteria>
-       <criterion comment="Check file ownership of {{{ FILEPATH }}}" test_ref="test_file_owner{{{ FILEID }}}" />
-     </criteria>
-diff --git a/shared/templates/template_OVAL_file_permissions b/shared/templates/template_OVAL_file_permissions
-index 2c8a51ef00..e8c60c2372 100644
---- a/shared/templates/template_OVAL_file_permissions
-+++ b/shared/templates/template_OVAL_file_permissions
-@@ -1,12 +1,8 @@
- <def-group>
-   <definition class="compliance" id="file_permissions{{{ FILEID }}}" version="1">
--    <metadata>
--      <title>Verify {{{ FILEPATH }}} Mode Permissions</title>
--      {{{- oval_affected(products) }}}
--      <description>This test makes sure that {{{ FILEPATH }}} has mode {{{ FILEMODE }}}.
-+    {{{ oval_metadata("This test makes sure that " + FILEPATH + " has mode " + FILEMODE + ".
-       If the target file or directory has an extended ACL, then it will fail the mode check.
--      </description>
--    </metadata>
-+      ") }}}
-     <criteria>
-       <criterion comment="Check file mode of {{{ FILEPATH }}}" test_ref="test_file_permissions{{{ FILEID }}}" />
-     </criteria>
-diff --git a/shared/templates/template_OVAL_grub2_bootloader_argument b/shared/templates/template_OVAL_grub2_bootloader_argument
-index ca062ad65f..bda9716e26 100644
---- a/shared/templates/template_OVAL_grub2_bootloader_argument
-+++ b/shared/templates/template_OVAL_grub2_bootloader_argument
-@@ -1,10 +1,6 @@
- <def-group>
-   <definition class="compliance" id="{{{ _RULE_ID }}}" version="2">
--    <metadata>
--      <title>Ensure GRUB 2 is configured to run Linux operating system with argument {{{ ARG_NAME_VALUE }}}</title>
--      {{{- oval_affected(products) }}}
--      <description>Ensure {{{ ARG_NAME_VALUE }}} is configured in the kernel line in /etc/default/grub.</description>
--    </metadata>
-+    {{{ oval_metadata("Ensure " + ARG_NAME_VALUE + " is configured in the kernel line in /etc/default/grub.") }}}
-     <criteria operator="AND">
-       {{% if product in ["rhel7", "ol7"] %}}
-         <criterion test_ref="test_grub2_{{{ SANITIZED_ARG_NAME }}}_argument_grub_cfg"
-diff --git a/shared/templates/template_OVAL_kernel_module_disabled b/shared/templates/template_OVAL_kernel_module_disabled
-index f42840c633..d226d45b17 100644
---- a/shared/templates/template_OVAL_kernel_module_disabled
-+++ b/shared/templates/template_OVAL_kernel_module_disabled
-@@ -1,11 +1,7 @@
- <def-group>
-   <definition class="compliance"
-   id="kernel_module_{{{ KERNMODULE }}}_disabled" version="1">
--    <metadata>
--      <title>Disable {{{ KERNMODULE }}} Kernel Module</title>
--      {{{- oval_affected(products) }}}
--      <description>The kernel module {{{ KERNMODULE }}} should be disabled.</description>
--    </metadata>
-+    {{{ oval_metadata("The kernel module " + KERNMODULE + " should be disabled.") }}}
-     <criteria operator="OR">
-       <criterion test_ref="test_kernmod_{{{ KERNMODULE }}}_disabled" comment="kernel module {{{ KERNMODULE }}} disabled in /etc/modprobe.d" />
- 
-diff --git a/shared/templates/template_OVAL_mount b/shared/templates/template_OVAL_mount
-index 56a9c452bb..6896acc03c 100644
---- a/shared/templates/template_OVAL_mount
-+++ b/shared/templates/template_OVAL_mount
-@@ -1,14 +1,10 @@
- <def-group>
-   <definition class="compliance" id="partition_for{{{ POINTID }}}" version="1">
--    <metadata>
--      <title>Ensure {{{ MOUNTPOINT }}} Located On Separate Partition</title>
--      {{{- oval_affected(products) }}}
--      <description>If stored locally, create a separate partition for
-+    {{{ oval_metadata("If stored locally, create a separate partition for
-       {{{ MOUNTPOINT }}}. If {{{ MOUNTPOINT }}} will be mounted from another
-       system such as an NFS server, then creating a separate partition is not
-       necessary at this time, and the mountpoint can instead be configured
--      later.</description>
--    </metadata>
-+      later.") }}}
-     <criteria>
-       <criterion test_ref="test{{{ POINTID }}}_partition" comment="{{{ MOUNTPOINT }}} on own partition" />
-     </criteria>
-diff --git a/shared/templates/template_OVAL_mount_option b/shared/templates/template_OVAL_mount_option
-index 7ab6770d6f..a7bc29fa93 100644
---- a/shared/templates/template_OVAL_mount_option
-+++ b/shared/templates/template_OVAL_mount_option
-@@ -1,10 +1,6 @@
- <def-group>
-   <definition class="compliance" id="mount_option_{{{ POINTID }}}_{{{ MOUNTOPTION }}}" version="1">
--    <metadata>
--      <title>Add {{{ MOUNTOPTION }}} Option to {{{ MOUNTPOINT }}}</title>
--      {{{- oval_affected(products) }}}
--      <description>{{{ MOUNTPOINT }}} should be mounted with mount option {{{ MOUNTOPTION }}}.</description>
--    </metadata>
-+    {{{ oval_metadata(MOUNTPOINT + " should be mounted with mount option " + MOUNTOPTION + ".") }}}
-     <criteria>
-       <criterion comment="{{{ MOUNTOPTION }}} on {{{ MOUNTPOINT }}}" test_ref="test_{{{ POINTID }}}_partition_{{{ MOUNTOPTION }}}" />
-     </criteria>
-diff --git a/shared/templates/template_OVAL_mount_option_remote_filesystems b/shared/templates/template_OVAL_mount_option_remote_filesystems
-index 86bb071b1f..67840767da 100644
---- a/shared/templates/template_OVAL_mount_option_remote_filesystems
-+++ b/shared/templates/template_OVAL_mount_option_remote_filesystems
-@@ -1,10 +1,6 @@
- <def-group>
-   <definition class="compliance" id="{{{ _RULE_ID }}}" version="1">
--    <metadata>
--      <title>Mount Remote Filesystems with {{{ MOUNTOPTIONID }}}</title>
--      {{{- oval_affected(products) }}}
--      <description>The {{{ MOUNTOPTIONID }}} option should be enabled for all NFS mounts in /etc/fstab.</description>
--    </metadata>
-+    {{{ oval_metadata("The " + MOUNTOPTIONID + " option should be enabled for all NFS mounts in /etc/fstab.") }}}
-     <criteria operator="XOR">
-       <!-- these tests are designed to be mutually exclusive; either no nfs mounts exist in /etc/fstab -->
-       <!-- or all of the nfs mounts defined in /etc/fstab have the {{{ MOUNTOPTIONID }}} mount option specified -->
-diff --git a/shared/templates/template_OVAL_mount_option_removable_partitions b/shared/templates/template_OVAL_mount_option_removable_partitions
-index 4304c175e1..674b23fb31 100644
---- a/shared/templates/template_OVAL_mount_option_removable_partitions
-+++ b/shared/templates/template_OVAL_mount_option_removable_partitions
-@@ -1,10 +1,6 @@
- <def-group>
-   <definition class="compliance" id="mount_option_{{{ MOUNTOPTION }}}_removable_partitions" version="5">
--    <metadata>
--      <title>Add {{{ MOUNTOPTION }}} Option to Removable Media Partitions</title>
--      {{{- oval_affected(products) }}}
--      <description>The {{{ MOUNTOPTION }}} option should be enabled for all removable devices mounts in /etc/fstab.</description>
--    </metadata>
-+    {{{ oval_metadata("The " + MOUNTOPTION + " option should be enabled for all removable devices mounts in /etc/fstab.") }}}
-     <criteria operator="OR">
-       <!-- First check if specified removable partition truly exists on the system. If not, don't check /etc/fstab
-            since there's no device to check against -->
-diff --git a/shared/templates/template_OVAL_package_installed b/shared/templates/template_OVAL_package_installed
-index dddafd8d1e..1f2c6554b3 100644
---- a/shared/templates/template_OVAL_package_installed
-+++ b/shared/templates/template_OVAL_package_installed
-@@ -1,13 +1,7 @@
- <def-group>
-   <definition class="compliance" id="package_{{{ PKGNAME }}}_installed"
-   version="1">
--    <metadata>
--      <title>Package {{{ PKGNAME }}} Installed</title>
--      <affected family="unix">
--        <platform>multi_platform_all</platform>
--      </affected>
--      <description>The {{{ pkg_system|upper }}} package {{{ PKGNAME }}} should be installed.</description>
--    </metadata>
-+    {{{ oval_metadata("The " + pkg_system|upper + " package " + PKGNAME + " should be installed.", affected_platforms=["multi_platform_all"]) }}}
-     <criteria>
-       <criterion comment="package {{{ PKGNAME }}} is installed"
-       test_ref="test_package_{{{ PKGNAME }}}_installed" />
-diff --git a/shared/templates/template_OVAL_package_removed b/shared/templates/template_OVAL_package_removed
-index ccf92ccb30..22afb786ca 100644
---- a/shared/templates/template_OVAL_package_removed
-+++ b/shared/templates/template_OVAL_package_removed
-@@ -1,13 +1,7 @@
- <def-group>
-   <definition class="compliance" id="package_{{{ PKGNAME }}}_removed"
-   version="1">
--    <metadata>
--      <title>Package {{{ PKGNAME }}} Removed</title>
--      <affected family="unix">
--        <platform>multi_platform_all</platform>
--      </affected>
--      <description>The {{{ pkg_system|upper }}} package {{{ PKGNAME }}} should be removed.</description>
--    </metadata>
-+    {{{ oval_metadata("The " + pkg_system|upper + " package " + PKGNAME + " should be removed.", affected_platforms=["multi_platform_all"]) }}}
-     <criteria>
-       <criterion comment="package {{{ PKGNAME }}} is removed"
-       test_ref="test_package_{{{ PKGNAME }}}_removed" />
-diff --git a/shared/templates/template_OVAL_permissions b/shared/templates/template_OVAL_permissions
-index 667b731f3b..94a548905a 100644
---- a/shared/templates/template_OVAL_permissions
-+++ b/shared/templates/template_OVAL_permissions
-@@ -1,10 +1,6 @@
- <def-group>
-   <definition class="compliance" id="permissions{{{ FILEID }}}" version="1">
--    <metadata>
--      <title>Ensure Correct Mode, Owner, Group Owner for {{{ FILEPATH }}}</title>
--      {{{- oval_affected(products) }}}
--      <description>Checks for correct UNIX permissions on {{{ FILEPATH }}}.</description>
--    </metadata>
-+    {{{ oval_metadata("Checks for correct UNIX permissions on " + FILEPATH + ".") }}}
-     <criteria operator="AND">
-       {{% if FILEGID != "" %}}
-       <extend_definition comment="Check file group ownership of {{{ FILEPATH }}}" definition_ref="file_groupowner{{{ FILEID }}}" />
-diff --git a/shared/templates/template_OVAL_sebool b/shared/templates/template_OVAL_sebool
-index b48ec26e47..6cb8e86351 100644
---- a/shared/templates/template_OVAL_sebool
-+++ b/shared/templates/template_OVAL_sebool
-@@ -1,10 +1,6 @@
- <def-group>
-   <definition class="compliance" id="sebool_{{{ SEBOOLID }}}" version="1">
--    <metadata>
--      <title>SELinux "{{{ SEBOOLID }}}" Boolean Check</title>
--      {{{- oval_affected(products) }}}
--      <description>The SELinux "{{{ SEBOOLID }}}" boolean should be set in the system configuration.</description>
--    </metadata>
-+    {{{ oval_metadata("The SELinux '" + SEBOOLID + "' boolean should be set in the system configuration.") }}}
-     <criteria>
-       <criterion comment="{{{ SEBOOLID }}} is configured correctly" test_ref="test_sebool_{{{ SEBOOLID }}}" />
-     </criteria>
-diff --git a/shared/templates/template_OVAL_service_disabled b/shared/templates/template_OVAL_service_disabled
-index 1ee62374dc..941c289c43 100644
---- a/shared/templates/template_OVAL_service_disabled
-+++ b/shared/templates/template_OVAL_service_disabled
-@@ -7,13 +7,7 @@
-   {{# we are using systemd and our target OVAL version does support the systemd related tests #}}
- 
-   <definition class="compliance" id="service_{{{ SERVICENAME }}}_disabled" version="1">
--    <metadata>
--      <title>Service {{{ SERVICENAME }}} Disabled</title>
--      <affected family="unix">
--        <platform>multi_platform_all</platform>
--      </affected>
--      <description>The {{{ SERVICENAME }}} service should be disabled if possible.</description>
--    </metadata>
-+    {{{ oval_metadata("The " + SERVICENAME + " service should be disabled if possible.", affected_platforms=["multi_platform_all"]) }}}
-     <criteria comment="package {{{ PACKAGENAME }}} removed or service {{{ SERVICENAME }}} is not configured to start" operator="OR">
-       <criterion comment="{{{ PACKAGENAME }}} removed" test_ref="{{{ package_removed_test_id }}}" />
-       <criteria operator="AND" comment="service {{{ SERVICENAME }}} is not configured to start">
-@@ -95,13 +89,7 @@
- 
-   <definition class="compliance" id="service_{{{ SERVICENAME }}}_disabled"
-   version="1">
--    <metadata>
--      <title>Service {{{ SERVICENAME }}} Disabled</title>
--      <affected family="unix">
--        <platform>Ubuntu 14.04</platform>
--      </affected>
--      <description>The {{{ SERVICENAME }}} service should be disabled if possible.</description>
--    </metadata>
-+    {{{ oval_metadata("The " + SERVICENAME + " service should be disabled if possible.", affected_platforms=["multi_platform_all"]) }}}
-    <criteria comment="package {{{ PACKAGENAME }}} removed or service {{{ SERVICENAME }}} is not configured to start" operator="OR">
-     <criterion comment="{{{ PACKAGENAME }}} removed" test_ref="{{{ package_removed_test_id }}}" />
- 
-@@ -132,13 +120,7 @@
- 
-   <definition class="compliance" id="service_{{{ SERVICENAME }}}_disabled"
-   version="1">
--    <metadata>
--      <title>Service {{{ SERVICENAME }}} Disabled</title>
--      <affected family="unix">
--        <platform>multi_platform_all</platform>
--      </affected>
--      <description>The {{{ SERVICENAME }}} service should be disabled if possible.</description>
--    </metadata>
-+    {{{ oval_metadata("The " + SERVICENAME + " service should be disabled if possible.", affected_platforms=["multi_platform_all"]) }}}
-    <criteria comment="package {{{ PACKAGENAME }}} removed or service {{{ SERVICENAME }}} is not configured to start" operator="OR">
-     <criterion comment="{{{ PACKAGENAME }}} removed" test_ref="{{{ package_removed_test_id }}}" />
-     <criteria operator="AND" comment="service {{{ SERVICENAME }}} is not configured to start">
-@@ -232,13 +214,7 @@
-   {{# fallback if we are using systemd but can't use the new systemd features of OVAL 5.11 #}}
- 
-   <definition class="compliance" id="service_{{{ SERVICENAME }}}_disabled" version="2">
--    <metadata>
--      <title>Service {{{ SERVICENAME }}} Disabled</title>
--      <affected family="unix">
--        <platform>multi_platform_all</platform>
--      </affected>
--      <description>The {{{ SERVICENAME }}} service should be disabled if possible.</description>
--    </metadata>
-+    {{{ oval_metadata("The " + SERVICENAME + " service should be disabled if possible.", affected_platforms=["multi_platform_all"]) }}}
-     <criteria comment="package {{{ PACKAGENAME }}} removed or service and socket {{{ SERVICENAME }}} are not configured to start" operator="OR">
-       <criterion comment="{{{ PACKAGENAME }}} removed" test_ref="{{{ package_removed_test_id }}}" />
-       <criteria operator="AND" comment="service and socket {{{ SERVICENAME }}} are disabled">
-diff --git a/shared/templates/template_OVAL_service_enabled b/shared/templates/template_OVAL_service_enabled
-index 5958a97a74..70d6d0a197 100644
---- a/shared/templates/template_OVAL_service_enabled
-+++ b/shared/templates/template_OVAL_service_enabled
-@@ -5,13 +5,7 @@
- {{% if init_system == "systemd" and target_oval_version >= [5, 11] %}}
- 
-   <definition class="compliance" id="service_{{{ SERVICENAME }}}_enabled" version="1">
--    <metadata>
--      <title>Service {{{ SERVICENAME }}} Enabled</title>
--      <affected family="unix">
--        <platform>multi_platform_all</platform>
--      </affected>
--      <description>The {{{ SERVICENAME }}} service should be enabled if possible.</description>
--    </metadata>
-+    {{{ oval_metadata("The " + SERVICENAME + " service should be enabled if possible.") }}}
-     <criteria comment="package {{{ PACKAGENAME }}} installed and service {{{ SERVICENAME }}} is configured to start" operator="AND">
-     <criterion comment="{{{ PACKAGENAME }}} installed" test_ref="{{{ package_installed_test_id }}}" />
-       <criteria comment="service {{{ SERVICENAME }}} is configured to start and is running" operator="AND">
-@@ -62,13 +56,7 @@
- 
-   <definition class="compliance" id="service_{{{ SERVICENAME }}}_enabled"
-   version="1">
--    <metadata>
--      <title>Service {{{ SERVICENAME }}} Enabled</title>
--      <affected family="unix">
--        <platform>multi_platform_all</platform>
--      </affected>
--      <description>The {{{ SERVICENAME }}} service should be enabled if possible.</description>
--    </metadata>
-+    {{{ oval_metadata("The " + SERVICENAME + " service should be enabled if possible.") }}}
-     <criteria comment="package {{{ PACKAGENAME }}} installed and service {{{ SERVICENAME }}} is configured to start" operator="AND">
-     <criterion comment="{{{ PACKAGENAME }}} installed" test_ref="{{{ package_installed_test_id }}}" />
-     <criteria operator="OR" comment="service {{{ SERVICENAME }}} is configured to start">
-diff --git a/shared/templates/template_OVAL_sysctl b/shared/templates/template_OVAL_sysctl
-index f84fc3d081..f78ede402d 100644
---- a/shared/templates/template_OVAL_sysctl
-+++ b/shared/templates/template_OVAL_sysctl
-@@ -17,11 +17,7 @@
- 
- <def-group>
-   <definition class="compliance" id="sysctl_{{{ SYSCTLID }}}" version="3">
--    <metadata>
--      <title>Kernel "{{{ SYSCTLVAR }}}" Parameter Configuration and Runtime Check</title>
--      {{{- oval_affected(products) }}}
--      <description>The "{{{ SYSCTLVAR }}}" kernel parameter should be set to the appropriate value in both system configuration and system runtime.</description>
--    </metadata>
-+    {{{ oval_metadata("The '" + SYSCTLVAR + "' kernel parameter should be set to the appropriate value in both system configuration and system runtime.") }}}
-     <criteria operator="AND">
-       <extend_definition comment="{{{ SYSCTLVAR }}} configuration setting check" definition_ref="sysctl_static_{{{ SYSCTLID }}}" />
-       <extend_definition comment="{{{ SYSCTLVAR }}} runtime setting check" definition_ref="sysctl_runtime_{{{ SYSCTLID }}}" />
-@@ -33,13 +29,7 @@
- 
- <def-group>
-   <definition class="compliance" id="sysctl_{{{ SYSCTLID }}}" version="4">
--    <metadata>
--      <title>Kernel "{{{ SYSCTLVAR }}}" Parameter Configuration and Runtime Check</title>
--      <affected family="unix">
--        <platform>multi_platform_all</platform>
--      </affected>
--      <description>The "{{{ SYSCTLVAR }}}" kernel parameter should be set to the appropriate value in both system configuration and system runtime.</description>
--    </metadata>
-+    {{{ oval_metadata("The kernel '" + SYSCTLVAR + "' parameter should be set to the appropriate value in both system configuration and system runtime.") }}}
-     <criteria comment="IPv6 disabled or {{{ SYSCTLVAR }}} set correctly" operator="OR">
- {{% if product in ["rhel6", "debian8", "ubuntu1404", "ubuntu1604", "ubuntu1804"] %}}
-       <extend_definition comment="is IPv6 enabled?" definition_ref="kernel_module_ipv6_option_disabled" />
-@@ -59,17 +49,7 @@
- 
- <def-group>
-   <definition class="compliance" id="sysctl_runtime_{{{ SYSCTLID }}}" version="3">
--    <metadata>
--      <title>Kernel "{{{ SYSCTLVAR }}}" Parameter Runtime Check</title>
--      <affected family="unix">
--        <platform>multi_platform_all</platform>
--      </affected>
--{{%- if SYSCTLVAL == "" %}}
--      <description>The kernel "{{{ SYSCTLVAR }}}" parameter should be set to the appropriate value in system runtime.</description>
--{{%- else %}}
--      <description>The kernel "{{{ SYSCTLVAR }}}" parameter should be set to "{{{ SYSCTLVAL }}}" in system runtime.</description>
--{{%- endif %}}
--    </metadata>
-+    {{{ oval_metadata("The kernel '" + SYSCTLVAR + "' parameter should be set to " + ("'" + SYSCTLVAL + "'") if SYSCTLVAL else " the appropriate value" + " in the system runtime.") }}}
-     <criteria operator="AND">
- {{%- if SYSCTLVAL == "" %}}
-       <criterion comment="kernel runtime parameter {{{ SYSCTLVAR }}} set to the appropriate value" test_ref="test_sysctl_runtime_{{{ SYSCTLID }}}" />
-@@ -108,17 +88,7 @@
- 
- <def-group>
-   <definition class="compliance" id="sysctl_static_{{{ SYSCTLID }}}" version="3">
--    <metadata>
--      <title>Kernel "{{{ SYSCTLVAR }}}" Parameter Configuration Check</title>
--      <affected family="unix">
--        <platform>multi_platform_all</platform>
--      </affected>
--{{%- if SYSCTLVAL == "" %}}
--      <description>The kernel "{{{ SYSCTLVAR }}}" parameter should be set to the appropriate value in the system configuration.</description>
--{{%- else %}}
--      <description>The kernel "{{{ SYSCTLVAR }}}" parameter should be set to "{{{ SYSCTLVAL }}}" in the system configuration.</description>
--{{%- endif %}}
--    </metadata>
-+    {{{ oval_metadata("The kernel '" + SYSCTLVAR + "' parameter should be set to " + ("'" + SYSCTLVAL + "'") if SYSCTLVAL else " the appropriate value" + " in the system configuration.") }}}
- {{% if product == "rhel6" %}}
-     <criteria operator="OR">
- 
-diff --git a/shared/templates/template_OVAL_timer_enabled b/shared/templates/template_OVAL_timer_enabled
-index 3d80e1c045..fcf103c6a4 100644
---- a/shared/templates/template_OVAL_timer_enabled
-+++ b/shared/templates/template_OVAL_timer_enabled
-@@ -3,11 +3,7 @@
- {{% if target_oval_version >= [5, 11] %}}
- 
-   <definition class="compliance" id="timer_{{{ TIMERNAME }}}_enabled" version="1">
--    <metadata>
--      <title>Timer {{{ TIMERNAME }}} Enabled</title>
--      {{{- oval_affected(products) }}}
--      <description>The {{{ TIMERNAME }}} timer should be enabled if possible.</description>
--    </metadata>
-+    {{{ oval_metadata("The " + TIMERNAME + " service should be enabled if possible.") }}}
-     <criteria comment="package {{{ PACKAGENAME }}} installed and timer {{{ TIMERNAME }}} is configured to start" operator="AND">
-       <extend_definition comment="{{{ PACKAGENAME }}} installed" definition_ref="package_{{{ PACKAGENAME }}}_installed" />
-       <criteria comment="timer {{{ TIMERNAME }}} is configured to start and is running" operator="AND">
-@@ -45,13 +41,7 @@
- {{# fallback if we are using systemd but can't use the new systemd features of OVAL 5.11 #}}
- 
-   <definition class="compliance" id="timer_{{{ TIMERNAME }}}_enabled" version="1">
--    <metadata>
--      <title>Timer {{{ TIMERNAME }}} Enabled</title>
--      <affected family="unix">
--        <platform>multi_platform_all</platform>
--      </affected>
--      <description>The {{{ TIMERNAME }}} timer should be enabled if possible.</description>
--    </metadata>
-+    {{{ oval_metadata("The " + TIMERNAME + " service should be enabled if possible.") }}}
-     <criteria comment="package {{{ PACKAGENAME }}} installed and timer {{{ TIMERNAME }}} is configured to start" operator="AND">
-       <extend_definition comment="{{{ PACKAGENAME }}} installed" definition_ref="package_{{{ PACKAGENAME }}}_installed" />
-       <criterion comment="{{{ TIMERNAME }}} enabled in multi-user.target" test_ref="test_{{{ TIMERNAME }}}_enabled_multi_user_target" />
-diff --git a/shared/templates/template_OVAL_yamlfile_value b/shared/templates/template_OVAL_yamlfile_value
-index 02a3da5aa9..e42f5cf591 100644
---- a/shared/templates/template_OVAL_yamlfile_value
-+++ b/shared/templates/template_OVAL_yamlfile_value
-@@ -1,13 +1,8 @@
- {{% if target_oval_version >= [5, 11] %}}
- <def-group>
-   <definition class="compliance" id="{{{ rule_id }}}" version="1">
--    <metadata>
--      <title>Check the value(s) of '{{{ YAMLPATH }}}' in the file "{{{ FILEPATH }}}"</title>
--      {{{- oval_affected(products) }}}
--      <description>
--        The file "{{{ FILEPATH }}}" should {{% if NEGATE %}}not {{% endif %}}contain value "{{{ VALUE }}}"{{% if TYPE %}} of type {{{ TYPE }}}{{% endif %}} at '{{{ YAMLPATH }}}'.
--      </description>
--    </metadata>
-+    {{{ oval_metadata("
-+        The file '" + FILEPATH + "' should " + "not " if NEGATE else "" + "contain value '" + VALUE + "' " + ("of type " + TYPE + " ") if TYPE else "" + "at '" + YAMLPATH + "'.") }}}
-     <criteria>
-         <criterion comment="Make sure that {{% if NEGATE %}}no {{% endif %}}{{% if ENTITY_CHECK %}}({{{ ENTITY_CHECK }}}) {{% endif %}} element(s) of '{{{ YAMLPATH }}}' contain value '{{{ VALUE }}}'{{% if TYPE %}} of type {{{ TYPE }}}{{% endif %}}."{{% if NEGATE %}} negate="true"{{% endif %}} test_ref="test_{{{ rule_id }}}"/>
-         {{% if NEGATE %}}
-diff --git a/shared/templates/template_OVAL_zipl_bls_entries_option b/shared/templates/template_OVAL_zipl_bls_entries_option
-index 502d5e7d9a..8b786450f0 100644
---- a/shared/templates/template_OVAL_zipl_bls_entries_option
-+++ b/shared/templates/template_OVAL_zipl_bls_entries_option
-@@ -1,10 +1,6 @@
- <def-group>
-   <definition class="compliance" id="{{{ _RULE_ID }}}" version="1">
--    <metadata>
--      <title>Ensure that BLS-compatible boot loader is configured to run Linux operating system with argument {{{ ARG_NAME_VALUE }}}</title>
--      {{{- oval_affected(products) }}}
--      <description>Ensure {{{ ARG_NAME_VALUE }}} option is configured in the 'options' line in /boot/loader/entries/*.conf.</description>
--    </metadata>
-+    {{{ oval_metadata("Ensure " + ARG_NAME_VALUE + " option is configured in the 'options' line in /boot/loader/entries/*.conf.") }}}
-     <criteria operator="AND">
-       <criterion test_ref="test_bls_{{{ SANITIZED_ARG_NAME }}}_options"
-       comment="Check if {{{ ARG_NAME_VALUE }}} is present in the 'options' line in /boot/loader/entries/*.conf" />
-
-From 86c42a00759b2fd5c482bb81e50c843af7b5986a Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
-Date: Fri, 4 Sep 2020 15:11:04 +0200
-Subject: [PATCH 3/6] Added a newline to the oval_metadata macro.
-
-so the affected element is always on a separate line.
----
- shared/macros-oval.jinja | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/shared/macros-oval.jinja b/shared/macros-oval.jinja
-index babce11aff..0e077cd894 100644
---- a/shared/macros-oval.jinja
-+++ b/shared/macros-oval.jinja
-@@ -522,7 +522,7 @@
- {{%- else %}}
-         <title>{{{ rule_title }}}</title>
- {{%- endif -%}}
--{{%- if affected_platforms -%}}
-+{{%- if affected_platforms %}}
-             <affected family="unix">
- {{%- for platform in affected_platforms %}}
-                 <platform>{{{ platform }}}</platform>
-
-From ffb9f01814d560bf7325c7a2fae28e9a54b7d95d Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
-Date: Fri, 4 Sep 2020 16:31:05 +0200
-Subject: [PATCH 4/6] Adapt testoval to jinja macros.
-
-Testoval won't be able to resolve macros, as key information s.a.
-product, build config etc. is missing at invocation-time.
-However, it will collapse all macro invocations, so helper macros used in the definition
-won't cause any problems.
----
- ssg/oval.py | 19 ++++++++++---------
- 1 file changed, 10 insertions(+), 9 deletions(-)
-
-diff --git a/ssg/oval.py b/ssg/oval.py
-index 9b8601f10f..f25b2a5345 100644
---- a/ssg/oval.py
-+++ b/ssg/oval.py
-@@ -13,7 +13,8 @@
- from .rules import get_rule_dir_id, get_rule_dir_ovals, find_rule_dirs
- from .xml import ElementTree as ET
- from .xml import oval_generated_header
--from .jinja import process_file_with_macros
-+from .jinja import process_file_with_macros, add_python_functions
-+from .yaml import open_environment
- from .id_translate import IDTranslator
- 
- SHARED_OVAL = re.sub(r'ssg/.*', 'shared', __file__) + '/checks/oval/'
-@@ -54,7 +55,7 @@ def append(element, newchild):
-         element.append(newchild)
- 
- 
--def _add_elements(body, header):
-+def _add_elements(body, header, yaml_env):
-     """Add oval elements to the global Elements defined above"""
-     global definitions
-     global tests
-@@ -80,9 +81,9 @@ def _add_elements(body, header):
-                                               % ovalns):
-                 defid = defchild.get("definition_ref")
-                 extend_ref = find_testfile_or_exit(defid)
--                includedbody = read_ovaldefgroup_file(extend_ref)
-+                includedbody = read_ovaldefgroup_file(extend_ref, yaml_env)
-                 # recursively add the elements in the other file
--                _add_elements(includedbody, header)
-+                _add_elements(includedbody, header, yaml_env)
-         if childnode.tag.endswith("_test"):
-             append(tests, childnode)
-         if childnode.tag.endswith("_object"):
-@@ -281,10 +282,9 @@ def find_testfile(oval_id):
-     return found_file
- 
- 
--def read_ovaldefgroup_file(testfile):
-+def read_ovaldefgroup_file(testfile, yaml_env):
-     """Read oval files"""
--    with open(testfile, 'r') as test_file:
--        body = test_file.read()
-+    body = process_file_with_macros(testfile, yaml_env)
-     return body
- 
- 
-@@ -336,9 +336,10 @@ def main():
-     testfile = args.xmlfile
-     header = oval_generated_header("testoval.py", oval_version, "0.0.1")
-     testfile = find_testfile_or_exit(testfile)
--    body = read_ovaldefgroup_file(testfile)
-+    yaml_env = dict()
-+    body = read_ovaldefgroup_file(testfile, yaml_env)
- 
--    defname = _add_elements(body, header)
-+    defname = _add_elements(body, header, yaml_env)
-     if defname is None:
-         print("Error while evaluating oval: defname not set; missing "
-               "definitions section?")
-
-From c24bb33af0ff0eb768dc1c9105bcb751b304bb01 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matej.tyc@gmail.com>
-Date: Mon, 14 Sep 2020 16:17:59 +0200
-Subject: [PATCH 5/6] Apply fixes suggested by the code review
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Co-authored-by: Jan Černý <jcerny@redhat.com>
----
- .../openldap_client/ldap_client_start_tls/oval/shared.xml     | 2 +-
- .../ldap_client_tls_cacertpath/oval/shared.xml                | 2 +-
- .../services/usbguard/usbguard_allow_hid/oval/shared.xml      | 2 +-
- .../auditd_audispd_encrypt_sent_records/oval/shared.xml       | 4 ++++
- .../auditd_audispd_syslog_plugin_activated/oval/shared.xml    | 2 +-
- .../policy_rules/audit_rules_for_ospp/oval/shared.xml         | 2 +-
- .../system/network/network_nmcli_permissions/oval/shared.xml  | 2 +-
- 7 files changed, 10 insertions(+), 6 deletions(-)
-
-diff --git a/linux_os/guide/services/ldap/openldap_client/ldap_client_start_tls/oval/shared.xml b/linux_os/guide/services/ldap/openldap_client/ldap_client_start_tls/oval/shared.xml
-index 169c3e6b48..22d1bb1420 100644
---- a/linux_os/guide/services/ldap/openldap_client/ldap_client_start_tls/oval/shared.xml
-+++ b/linux_os/guide/services/ldap/openldap_client/ldap_client_start_tls/oval/shared.xml
-@@ -1,6 +1,6 @@
- <def-group>
-   <definition class="compliance" id="ldap_client_start_tls" version="1">
--    {{{ oval_metadata("Require the use of TLS for ldap clients.") }}}
-+    {{{ oval_metadata("Require the use of TLS for LDAP clients.") }}}
-     {{%- if product == "rhel6" -%}}
-     <criteria comment="package pam_ldap is not present" operator="OR">
-       <extend_definition comment="pam_ldap not present or not in use"
-diff --git a/linux_os/guide/services/ldap/openldap_client/ldap_client_tls_cacertpath/oval/shared.xml b/linux_os/guide/services/ldap/openldap_client/ldap_client_tls_cacertpath/oval/shared.xml
-index 1d500c7c7b..18c5c200e5 100644
---- a/linux_os/guide/services/ldap/openldap_client/ldap_client_tls_cacertpath/oval/shared.xml
-+++ b/linux_os/guide/services/ldap/openldap_client/ldap_client_tls_cacertpath/oval/shared.xml
-@@ -1,6 +1,6 @@
- <def-group>
-   <definition class="compliance" id="ldap_client_tls_cacertpath" version="1">
--    {{{ oval_metadata("Require the use of TLS for ldap clients.") }}}
-+    {{{ oval_metadata("Require the use of TLS for LDAP clients.") }}}
-     {{%- if product == "rhel6" -%}}
-     <criteria comment="package pam_ldap is not present" operator="OR">
-       <extend_definition comment="pam_ldap not present or in use"
-diff --git a/linux_os/guide/services/usbguard/usbguard_allow_hid/oval/shared.xml b/linux_os/guide/services/usbguard/usbguard_allow_hid/oval/shared.xml
-index b805071180..2294730eb3 100644
---- a/linux_os/guide/services/usbguard/usbguard_allow_hid/oval/shared.xml
-+++ b/linux_os/guide/services/usbguard/usbguard_allow_hid/oval/shared.xml
-@@ -1,6 +1,6 @@
- <def-group>
-   <definition class="compliance" id="usbguard_allow_hid" version="1">
--    {{{ oval_metadata("Check that /etc/usbguard/rules.conf contains at least one non white space character empty and exists.") }}}
-+    {{{ oval_metadata("Check that /etc/usbguard/rules.conf exists and that it contains at least one non white space character.") }}}
-     <criteria comment="Check that /etc/usbguard/rules.conf contains at least one non whitespace character." operator="AND">
-       <extend_definition comment="Check that /etc/usbguard/rules.conf contains at least one non whitespace character." definition_ref="usbguard_rules_not_empty_not_missing" />
-     </criteria>
-diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records/oval/shared.xml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records/oval/shared.xml
-index 768adf66bd..1e21e071ae 100644
---- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records/oval/shared.xml
-+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_encrypt_sent_records/oval/shared.xml
-@@ -1,6 +1,10 @@
- <def-group>
-   <definition class="compliance" id="auditd_audispd_encrypt_sent_records" version="1">
-+    {{% if product in ["rhel8", "fedora", "ol8", "rhv4"] %}}
-+    {{{ oval_metadata("transport setting in /etc/audit/audisp-remote.conf is set to 'KRB5'") }}}
-+    {{% else %}}
-     {{{ oval_metadata("enable_krb5 setting in /etc/audisp/audisp-remote.conf is set to 'yes'") }}}
-+    {{% endif %}}
- 
-     <criteria>
-       <criterion comment="setting in audisp-remote.conf" test_ref="test_auditd_audispd_encrypt_sent_records" />
-diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_syslog_plugin_activated/oval/shared.xml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_syslog_plugin_activated/oval/shared.xml
-index cb035ca81d..834225ca42 100644
---- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_syslog_plugin_activated/oval/shared.xml
-+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_syslog_plugin_activated/oval/shared.xml
-@@ -1,6 +1,6 @@
- <def-group>
-   <definition class="compliance" id="auditd_audispd_syslog_plugin_activated" version="1">
--    {{{ oval_metadata("active setting in /etc/audisp/plugins.d/syslog.conf is set to 'yes'") }}}
-+    {{{ oval_metadata("active setting in " + ("/etc/audit/plugins.d/syslog.conf" if product in ["rhel8", "fedora", "ol8", "rhv4"] else "/etc/audisp/plugins.d/syslog.conf") + " is set to 'yes'") }}}
- 
-     <criteria>
-         <criterion comment="active setting in syslog.conf" test_ref="test_auditd_audispd_syslog_plugin_activated" />
-diff --git a/linux_os/guide/system/auditing/policy_rules/audit_rules_for_ospp/oval/shared.xml b/linux_os/guide/system/auditing/policy_rules/audit_rules_for_ospp/oval/shared.xml
-index 748f0d4fb4..9b7b85b25a 100644
---- a/linux_os/guide/system/auditing/policy_rules/audit_rules_for_ospp/oval/shared.xml
-+++ b/linux_os/guide/system/auditing/policy_rules/audit_rules_for_ospp/oval/shared.xml
-@@ -32,7 +32,7 @@
- 
- <def-group>
-   <definition class="compliance" id="audit_rules_for_ospp" version="1">
--    {{{ oval_metadata("Compare configure audit rules againd the recommended pre-configured files") }}}
-+    {{{ oval_metadata("Compare configure audit rules against the recommended pre-configured files.") }}}
- 
-     <criteria operator="AND">
-       {{{- audit_file_compare_criterion("10-base-config") -}}}
-diff --git a/linux_os/guide/system/network/network_nmcli_permissions/oval/shared.xml b/linux_os/guide/system/network/network_nmcli_permissions/oval/shared.xml
-index f943fb32e9..1892e7fd90 100644
---- a/linux_os/guide/system/network/network_nmcli_permissions/oval/shared.xml
-+++ b/linux_os/guide/system/network/network_nmcli_permissions/oval/shared.xml
-@@ -1,6 +1,6 @@
- <def-group>
-   <definition class="compliance" id="network_nmcli_permissions" version="1">
--    {{{ oval_metadata("polkit is properly configured to prevent non-privilged users from changing networking settings") }}}
-+    {{{ oval_metadata("polkit is properly configured to prevent non-privileged users from changing networking settings") }}}
-     <criteria>
-       <criterion test_ref="test_network_nmcli_permissions" comment="check for properly configured .pkla file" />
-     </criteria>
-
-From 965de6891bde4356069a405422b9419d7b628393 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matej.tyc@gmail.com>
-Date: Tue, 15 Sep 2020 14:38:35 +0200
-Subject: [PATCH 6/6] Fix description typo
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Co-authored-by: Jan Černý <jcerny@redhat.com>
----
- shared/templates/template_OVAL_timer_enabled | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/shared/templates/template_OVAL_timer_enabled b/shared/templates/template_OVAL_timer_enabled
-index fcf103c6a4..e9c8c8e74a 100644
---- a/shared/templates/template_OVAL_timer_enabled
-+++ b/shared/templates/template_OVAL_timer_enabled
-@@ -3,7 +3,7 @@
- {{% if target_oval_version >= [5, 11] %}}
- 
-   <definition class="compliance" id="timer_{{{ TIMERNAME }}}_enabled" version="1">
--    {{{ oval_metadata("The " + TIMERNAME + " service should be enabled if possible.") }}}
-+    {{{ oval_metadata("The " + TIMERNAME + " timer should be enabled if possible.") }}}
-     <criteria comment="package {{{ PACKAGENAME }}} installed and timer {{{ TIMERNAME }}} is configured to start" operator="AND">
-       <extend_definition comment="{{{ PACKAGENAME }}} installed" definition_ref="package_{{{ PACKAGENAME }}}_installed" />
-       <criteria comment="timer {{{ TIMERNAME }}} is configured to start and is running" operator="AND">
diff --git a/SOURCES/scap-security-guide-0.1.53-correct_templates-PR_6162.patch b/SOURCES/scap-security-guide-0.1.53-correct_templates-PR_6162.patch
deleted file mode 100644
index 4d8c1e8..0000000
--- a/SOURCES/scap-security-guide-0.1.53-correct_templates-PR_6162.patch
+++ /dev/null
@@ -1,357 +0,0 @@
-From 378387ab76b0265d8a80dd8a62cac5f2dc029826 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
-Date: Thu, 8 Oct 2020 15:31:37 +0200
-Subject: [PATCH] Set the OVAL ID of templated OVALs to the rule ID
-
-Provide a fallback if the rule ID is not known - this may happen in cases
-when the OVAL is generated using the template for another reason
-than because a rule needs it.
----
- shared/templates/template_OVAL_accounts_password           | 2 +-
- .../templates/template_OVAL_audit_rules_dac_modification   | 2 +-
- .../template_OVAL_audit_rules_file_deletion_events         | 2 +-
- shared/templates/template_OVAL_audit_rules_login_events    | 2 +-
- shared/templates/template_OVAL_audit_rules_path_syscall    | 2 +-
- .../template_OVAL_audit_rules_privileged_commands          | 2 +-
- ...emplate_OVAL_audit_rules_unsuccessful_file_modification | 2 +-
- ...OVAL_audit_rules_unsuccessful_file_modification_o_creat | 2 +-
- ...udit_rules_unsuccessful_file_modification_o_trunc_write | 2 +-
- ...L_audit_rules_unsuccessful_file_modification_rule_order | 2 +-
- .../template_OVAL_audit_rules_usergroup_modification       | 2 +-
- shared/templates/template_OVAL_file_groupowner             | 2 +-
- shared/templates/template_OVAL_file_owner                  | 2 +-
- shared/templates/template_OVAL_file_permissions            | 2 +-
- shared/templates/template_OVAL_mount                       | 2 +-
- shared/templates/template_OVAL_mount_option                | 2 +-
- .../template_OVAL_mount_option_removable_partitions        | 2 +-
- shared/templates/template_OVAL_package_installed           | 2 +-
- shared/templates/template_OVAL_package_removed             | 2 +-
- shared/templates/template_OVAL_permissions                 | 2 +-
- shared/templates/template_OVAL_sebool                      | 2 +-
- shared/templates/template_OVAL_service_disabled            | 7 +++----
- shared/templates/template_OVAL_service_enabled             | 4 ++--
- shared/templates/template_OVAL_timer_enabled               | 4 ++--
- shared/templates/template_OVAL_yamlfile_value              | 2 +-
- 25 files changed, 29 insertions(+), 30 deletions(-)
-
-diff --git a/shared/templates/template_OVAL_accounts_password b/shared/templates/template_OVAL_accounts_password
-index 983290dcfb..c6b4ef3e6b 100644
---- a/shared/templates/template_OVAL_accounts_password
-+++ b/shared/templates/template_OVAL_accounts_password
-@@ -1,5 +1,5 @@
- <def-group>
--  <definition class="compliance" id="accounts_password_pam_{{{ VARIABLE }}}" version="3">
-+  <definition class="compliance" id="{{{ _RULE_ID }}}" version="3">
-     {{{ oval_metadata("The password " + VARIABLE + " should meet minimum requirements") }}}
- {{% if product == "rhel6" %}}
-     <criteria>
-diff --git a/shared/templates/template_OVAL_audit_rules_dac_modification b/shared/templates/template_OVAL_audit_rules_dac_modification
-index 6b8deec1eb..5b1bf5dc6d 100644
---- a/shared/templates/template_OVAL_audit_rules_dac_modification
-+++ b/shared/templates/template_OVAL_audit_rules_dac_modification
-@@ -1,5 +1,5 @@
- <def-group>
--  <definition class="compliance" id="{{{ rule_id }}}" version="1">
-+  <definition class="compliance" id="{{{ _RULE_ID }}}" version="1">
-     {{{ oval_metadata("The changing of file permissions and attributes should be audited.") }}}
-     <criteria operator="OR">
- 
-diff --git a/shared/templates/template_OVAL_audit_rules_file_deletion_events b/shared/templates/template_OVAL_audit_rules_file_deletion_events
-index 97ed844bcc..55629d35be 100644
---- a/shared/templates/template_OVAL_audit_rules_file_deletion_events
-+++ b/shared/templates/template_OVAL_audit_rules_file_deletion_events
-@@ -1,5 +1,5 @@
- <def-group>
--  <definition class="compliance" id="audit_rules_file_deletion_events_{{{ NAME }}}" version="1">
-+  <definition class="compliance" id="{{{ _RULE_ID }}}" version="1">
-     {{{ oval_metadata("The deletion of files should be audited.") }}}
- 
-     <criteria operator="OR">
-diff --git a/shared/templates/template_OVAL_audit_rules_login_events b/shared/templates/template_OVAL_audit_rules_login_events
-index 916d13ab6c..855e7391b2 100644
---- a/shared/templates/template_OVAL_audit_rules_login_events
-+++ b/shared/templates/template_OVAL_audit_rules_login_events
-@@ -1,5 +1,5 @@
- <def-group>
--  <definition class="compliance" id="audit_rules_login_events_{{{ NAME }}}" version="2">
-+  <definition class="compliance" id="{{{ _RULE_ID }}}" version="2">
-     {{{ oval_metadata("Audit rules should be configured to log successful and unsuccessful login and logout events.") }}}
- 
-     <criteria operator="OR">
-diff --git a/shared/templates/template_OVAL_audit_rules_path_syscall b/shared/templates/template_OVAL_audit_rules_path_syscall
-index 05331ee3fa..bf7cbd5ed5 100644
---- a/shared/templates/template_OVAL_audit_rules_path_syscall
-+++ b/shared/templates/template_OVAL_audit_rules_path_syscall
-@@ -1,5 +1,5 @@
- <def-group>
--  <definition class="compliance" id="audit_rules_{{{ PATHID }}}_{{{ SYSCALL }}}" version="1">
-+  <definition class="compliance" id="{{{ _RULE_ID }}}" version="1">
-     {{{ oval_metadata("Audit rules about the write events to " + PATH) }}}
- 
-     <criteria operator="OR">
-diff --git a/shared/templates/template_OVAL_audit_rules_privileged_commands b/shared/templates/template_OVAL_audit_rules_privileged_commands
-index 4a5f9e1e6d..a2bf4f5669 100644
---- a/shared/templates/template_OVAL_audit_rules_privileged_commands
-+++ b/shared/templates/template_OVAL_audit_rules_privileged_commands
-@@ -1,5 +1,5 @@
- <def-group>
--  <definition class="compliance" id="{{{ ID }}}" version="1">
-+  <definition class="compliance" id="{{{ _RULE_ID }}}" version="1">
-     {{{ oval_metadata("Audit rules about the information on the use of " + NAME + " is enabled.") }}}
- 
-     <criteria operator="OR">
-diff --git a/shared/templates/template_OVAL_audit_rules_unsuccessful_file_modification b/shared/templates/template_OVAL_audit_rules_unsuccessful_file_modification
-index fdb3367742..4691c7f488 100644
---- a/shared/templates/template_OVAL_audit_rules_unsuccessful_file_modification
-+++ b/shared/templates/template_OVAL_audit_rules_unsuccessful_file_modification
-@@ -1,5 +1,5 @@
- <def-group>
--  <definition class="compliance" id="audit_rules_unsuccessful_file_modification_{{{ NAME }}}" version="1">
-+  <definition class="compliance" id="{{{ _RULE_ID }}}" version="1">
-     {{{ oval_metadata("Audit rules about the unauthorized access attempts to files (unsuccessful) are enabled.") }}}
- 
-     <criteria operator="OR">
-diff --git a/shared/templates/template_OVAL_audit_rules_unsuccessful_file_modification_o_creat b/shared/templates/template_OVAL_audit_rules_unsuccessful_file_modification_o_creat
-index e8abbee7f9..29172298e1 100644
---- a/shared/templates/template_OVAL_audit_rules_unsuccessful_file_modification_o_creat
-+++ b/shared/templates/template_OVAL_audit_rules_unsuccessful_file_modification_o_creat
-@@ -1,5 +1,5 @@
- <def-group>
--  <definition class="compliance" id="audit_rules_unsuccessful_file_modification_{{{ SYSCALL }}}_o_creat" version="1">
-+  <definition class="compliance" id="{{{ _RULE_ID }}}" version="1">
-     {{{ oval_metadata("Audit rules about the information on the unsuccessful use of " + SYSCALL + " O_CREAT is enabled.") }}}
- 
-     <criteria operator="OR">
-diff --git a/shared/templates/template_OVAL_audit_rules_unsuccessful_file_modification_o_trunc_write b/shared/templates/template_OVAL_audit_rules_unsuccessful_file_modification_o_trunc_write
-index dda7b02430..0fff269463 100644
---- a/shared/templates/template_OVAL_audit_rules_unsuccessful_file_modification_o_trunc_write
-+++ b/shared/templates/template_OVAL_audit_rules_unsuccessful_file_modification_o_trunc_write
-@@ -1,5 +1,5 @@
- <def-group>
--  <definition class="compliance" id="audit_rules_unsuccessful_file_modification_{{{ SYSCALL }}}_o_trunc_write" version="1">
-+  <definition class="compliance" id="{{{ _RULE_ID }}}" version="1">
-     {{{ oval_metadata("Audit rules about the information on the unsuccessful use of " + SYSCALL + " O_TRUNC is enabled.") }}}
- 
-     <criteria operator="OR">
-diff --git a/shared/templates/template_OVAL_audit_rules_unsuccessful_file_modification_rule_order b/shared/templates/template_OVAL_audit_rules_unsuccessful_file_modification_rule_order
-index 1c16aed6e7..7ae0d160e9 100644
---- a/shared/templates/template_OVAL_audit_rules_unsuccessful_file_modification_rule_order
-+++ b/shared/templates/template_OVAL_audit_rules_unsuccessful_file_modification_rule_order
-@@ -1,5 +1,5 @@
- <def-group>
--  <definition class="compliance" id="audit_rules_unsuccessful_file_modification_{{{ SYSCALL }}}_rule_order" version="1">
-+  <definition class="compliance" id="{{{ _RULE_ID }}}" version="1">
-     {{{ oval_metadata("Audit rules about the information on the unsuccessful use of " + SYSCALL + " is configured in the proper rule order.") }}}
- 
-     <criteria operator="OR">
-diff --git a/shared/templates/template_OVAL_audit_rules_usergroup_modification b/shared/templates/template_OVAL_audit_rules_usergroup_modification
-index 28d9fdfeb0..c7af7e247b 100644
---- a/shared/templates/template_OVAL_audit_rules_usergroup_modification
-+++ b/shared/templates/template_OVAL_audit_rules_usergroup_modification
-@@ -1,5 +1,5 @@
- <def-group>
--  <definition class="compliance" id="audit_rules_usergroup_modification_{{{ NAME }}}" version="1">
-+  <definition class="compliance" id="{{{ _RULE_ID }}}" version="1">
-     {{{ oval_metadata("Audit user/group modification.") }}}
-     <criteria operator="OR">
-       <criteria operator="AND">
-diff --git a/shared/templates/template_OVAL_file_groupowner b/shared/templates/template_OVAL_file_groupowner
-index 8bdbf8ae15..507d82c70a 100644
---- a/shared/templates/template_OVAL_file_groupowner
-+++ b/shared/templates/template_OVAL_file_groupowner
-@@ -1,5 +1,5 @@
- <def-group>
--  <definition class="compliance" id="file_groupowner{{{ FILEID }}}" version="1">
-+  <definition class="compliance" id="{{{ _RULE_ID }}}" version="1">
-     {{{ oval_metadata("This test makes sure that " + FILEPATH + " is group owned by " + FILEGID + ".") }}}
-     <criteria>
-       <criterion comment="Check file group ownership of {{{ FILEPATH }}}" test_ref="test_file_groupowner{{{ FILEID }}}" />
-diff --git a/shared/templates/template_OVAL_file_owner b/shared/templates/template_OVAL_file_owner
-index 25bd2bab8c..c9718fc9ef 100644
---- a/shared/templates/template_OVAL_file_owner
-+++ b/shared/templates/template_OVAL_file_owner
-@@ -1,5 +1,5 @@
- <def-group>
--  <definition class="compliance" id="file_owner{{{ FILEID }}}" version="1">
-+  <definition class="compliance" id="{{{ _RULE_ID }}}" version="1">
-     {{{ oval_metadata("This test makes sure that " + FILEPATH + " is owned by " + FILEUID + ".") }}}
-     <criteria>
-       <criterion comment="Check file ownership of {{{ FILEPATH }}}" test_ref="test_file_owner{{{ FILEID }}}" />
-diff --git a/shared/templates/template_OVAL_file_permissions b/shared/templates/template_OVAL_file_permissions
-index e8c60c2372..7f37284aab 100644
---- a/shared/templates/template_OVAL_file_permissions
-+++ b/shared/templates/template_OVAL_file_permissions
-@@ -1,5 +1,5 @@
- <def-group>
--  <definition class="compliance" id="file_permissions{{{ FILEID }}}" version="1">
-+  <definition class="compliance" id="{{{ _RULE_ID }}}" version="1">
-     {{{ oval_metadata("This test makes sure that " + FILEPATH + " has mode " + FILEMODE + ".
-       If the target file or directory has an extended ACL, then it will fail the mode check.
-       ") }}}
-diff --git a/shared/templates/template_OVAL_mount b/shared/templates/template_OVAL_mount
-index 6896acc03c..5852d0fe56 100644
---- a/shared/templates/template_OVAL_mount
-+++ b/shared/templates/template_OVAL_mount
-@@ -1,5 +1,5 @@
- <def-group>
--  <definition class="compliance" id="partition_for{{{ POINTID }}}" version="1">
-+  <definition class="compliance" id="{{{ _RULE_ID }}}" version="1">
-     {{{ oval_metadata("If stored locally, create a separate partition for
-       {{{ MOUNTPOINT }}}. If {{{ MOUNTPOINT }}} will be mounted from another
-       system such as an NFS server, then creating a separate partition is not
-diff --git a/shared/templates/template_OVAL_mount_option b/shared/templates/template_OVAL_mount_option
-index a7bc29fa93..790cc25b88 100644
---- a/shared/templates/template_OVAL_mount_option
-+++ b/shared/templates/template_OVAL_mount_option
-@@ -1,5 +1,5 @@
- <def-group>
--  <definition class="compliance" id="mount_option_{{{ POINTID }}}_{{{ MOUNTOPTION }}}" version="1">
-+  <definition class="compliance" id="{{{ _RULE_ID }}}" version="1">
-     {{{ oval_metadata(MOUNTPOINT + " should be mounted with mount option " + MOUNTOPTION + ".") }}}
-     <criteria>
-       <criterion comment="{{{ MOUNTOPTION }}} on {{{ MOUNTPOINT }}}" test_ref="test_{{{ POINTID }}}_partition_{{{ MOUNTOPTION }}}" />
-diff --git a/shared/templates/template_OVAL_mount_option_removable_partitions b/shared/templates/template_OVAL_mount_option_removable_partitions
-index 674b23fb31..bb6b64816d 100644
---- a/shared/templates/template_OVAL_mount_option_removable_partitions
-+++ b/shared/templates/template_OVAL_mount_option_removable_partitions
-@@ -1,5 +1,5 @@
- <def-group>
--  <definition class="compliance" id="mount_option_{{{ MOUNTOPTION }}}_removable_partitions" version="5">
-+  <definition class="compliance" id="{{{ _RULE_ID }}}" version="5">
-     {{{ oval_metadata("The " + MOUNTOPTION + " option should be enabled for all removable devices mounts in /etc/fstab.") }}}
-     <criteria operator="OR">
-       <!-- First check if specified removable partition truly exists on the system. If not, don't check /etc/fstab
-diff --git a/shared/templates/template_OVAL_package_installed b/shared/templates/template_OVAL_package_installed
-index 1f2c6554b3..51a5cb4a08 100644
---- a/shared/templates/template_OVAL_package_installed
-+++ b/shared/templates/template_OVAL_package_installed
-@@ -1,5 +1,5 @@
- <def-group>
--  <definition class="compliance" id="package_{{{ PKGNAME }}}_installed"
-+  <definition class="compliance" id="{{{ _RULE_ID }}}"
-   version="1">
-     {{{ oval_metadata("The " + pkg_system|upper + " package " + PKGNAME + " should be installed.", affected_platforms=["multi_platform_all"]) }}}
-     <criteria>
-diff --git a/shared/templates/template_OVAL_package_removed b/shared/templates/template_OVAL_package_removed
-index 22afb786ca..2dee455ad1 100644
---- a/shared/templates/template_OVAL_package_removed
-+++ b/shared/templates/template_OVAL_package_removed
-@@ -1,5 +1,5 @@
- <def-group>
--  <definition class="compliance" id="package_{{{ PKGNAME }}}_removed"
-+  <definition class="compliance" id="{{{ _RULE_ID }}}"
-   version="1">
-     {{{ oval_metadata("The " + pkg_system|upper + " package " + PKGNAME + " should be removed.", affected_platforms=["multi_platform_all"]) }}}
-     <criteria>
-diff --git a/shared/templates/template_OVAL_permissions b/shared/templates/template_OVAL_permissions
-index 94a548905a..07aeeb50d4 100644
---- a/shared/templates/template_OVAL_permissions
-+++ b/shared/templates/template_OVAL_permissions
-@@ -1,5 +1,5 @@
- <def-group>
--  <definition class="compliance" id="permissions{{{ FILEID }}}" version="1">
-+  <definition class="compliance" id="{{{ _RULE_ID }}}" version="1">
-     {{{ oval_metadata("Checks for correct UNIX permissions on " + FILEPATH + ".") }}}
-     <criteria operator="AND">
-       {{% if FILEGID != "" %}}
-diff --git a/shared/templates/template_OVAL_sebool b/shared/templates/template_OVAL_sebool
-index 6cb8e86351..f470a66839 100644
---- a/shared/templates/template_OVAL_sebool
-+++ b/shared/templates/template_OVAL_sebool
-@@ -1,5 +1,5 @@
- <def-group>
--  <definition class="compliance" id="sebool_{{{ SEBOOLID }}}" version="1">
-+  <definition class="compliance" id="{{{ _RULE_ID }}}" version="1">
-     {{{ oval_metadata("The SELinux '" + SEBOOLID + "' boolean should be set in the system configuration.") }}}
-     <criteria>
-       <criterion comment="{{{ SEBOOLID }}} is configured correctly" test_ref="test_sebool_{{{ SEBOOLID }}}" />
-diff --git a/shared/templates/template_OVAL_service_disabled b/shared/templates/template_OVAL_service_disabled
-index 61d3748688..3beced4e14 100644
---- a/shared/templates/template_OVAL_service_disabled
-+++ b/shared/templates/template_OVAL_service_disabled
-@@ -6,7 +6,7 @@
- 
-   {{# we are using systemd and our target OVAL version does support the systemd related tests #}}
- 
--  <definition class="compliance" id="service_{{{ SERVICENAME }}}_disabled" version="1">
-+  <definition class="compliance" id="{{{ _RULE_ID }}}" version="1">
-     {{{ oval_metadata("The " + SERVICENAME + " service should be disabled if possible.", affected_platforms=["multi_platform_all"]) }}}
-     <criteria comment="package {{{ PACKAGENAME }}} removed or service {{{ SERVICENAME }}} is not configured to start" operator="OR">
-       <criterion comment="{{{ PACKAGENAME }}} removed" test_ref="{{{ package_removed_test_id }}}" />
-@@ -86,10 +86,9 @@
- {{% else %}}
- 
-   {{% if init_system != "systemd" %}}
--
-   {{# we are not using systemd, it doesn't matter if we can or cannot use OVAL 5.11, let us just use the runlevel test #}}
- 
--  <definition class="compliance" id="service_{{{ SERVICENAME }}}_disabled"
-+  <definition class="compliance" id="{{{ _RULE_ID }}}"
-   version="1">
-     {{{ oval_metadata("The " + SERVICENAME + " service should be disabled if possible.", affected_platforms=["multi_platform_all"]) }}}
-    <criteria comment="package {{{ PACKAGENAME }}} removed or service {{{ SERVICENAME }}} is not configured to start" operator="OR">
-@@ -184,7 +183,7 @@
- 
-   {{# fallback if we are using systemd but can't use the new systemd features of OVAL 5.11 #}}
- 
--  <definition class="compliance" id="service_{{{ SERVICENAME }}}_disabled" version="2">
-+  <definition class="compliance" id="{{{ _RULE_ID }}}" version="2">
-     {{{ oval_metadata("The " + SERVICENAME + " service should be disabled if possible.", affected_platforms=["multi_platform_all"]) }}}
-     <criteria comment="package {{{ PACKAGENAME }}} removed or service and socket {{{ SERVICENAME }}} are not configured to start" operator="OR">
-       <criterion comment="{{{ PACKAGENAME }}} removed" test_ref="{{{ package_removed_test_id }}}" />
-diff --git a/shared/templates/template_OVAL_service_enabled b/shared/templates/template_OVAL_service_enabled
-index 70d6d0a197..ec78861e37 100644
---- a/shared/templates/template_OVAL_service_enabled
-+++ b/shared/templates/template_OVAL_service_enabled
-@@ -4,7 +4,7 @@
- 
- {{% if init_system == "systemd" and target_oval_version >= [5, 11] %}}
- 
--  <definition class="compliance" id="service_{{{ SERVICENAME }}}_enabled" version="1">
-+  <definition class="compliance" id="{{{ _RULE_ID }}}" version="1">
-     {{{ oval_metadata("The " + SERVICENAME + " service should be enabled if possible.") }}}
-     <criteria comment="package {{{ PACKAGENAME }}} installed and service {{{ SERVICENAME }}} is configured to start" operator="AND">
-     <criterion comment="{{{ PACKAGENAME }}} installed" test_ref="{{{ package_installed_test_id }}}" />
-@@ -54,7 +54,7 @@
- 
- {{% else %}}
- 
--  <definition class="compliance" id="service_{{{ SERVICENAME }}}_enabled"
-+  <definition class="compliance" id="{{{ _RULE_ID }}}"
-   version="1">
-     {{{ oval_metadata("The " + SERVICENAME + " service should be enabled if possible.") }}}
-     <criteria comment="package {{{ PACKAGENAME }}} installed and service {{{ SERVICENAME }}} is configured to start" operator="AND">
-diff --git a/shared/templates/template_OVAL_timer_enabled b/shared/templates/template_OVAL_timer_enabled
-index e9c8c8e74a..3a5f6b13b5 100644
---- a/shared/templates/template_OVAL_timer_enabled
-+++ b/shared/templates/template_OVAL_timer_enabled
-@@ -2,7 +2,7 @@
- 
- {{% if target_oval_version >= [5, 11] %}}
- 
--  <definition class="compliance" id="timer_{{{ TIMERNAME }}}_enabled" version="1">
-+  <definition class="compliance" id="{{{ _RULE_ID }}}" version="1">
-     {{{ oval_metadata("The " + TIMERNAME + " timer should be enabled if possible.") }}}
-     <criteria comment="package {{{ PACKAGENAME }}} installed and timer {{{ TIMERNAME }}} is configured to start" operator="AND">
-       <extend_definition comment="{{{ PACKAGENAME }}} installed" definition_ref="package_{{{ PACKAGENAME }}}_installed" />
-@@ -40,7 +40,7 @@
- 
- {{# fallback if we are using systemd but can't use the new systemd features of OVAL 5.11 #}}
- 
--  <definition class="compliance" id="timer_{{{ TIMERNAME }}}_enabled" version="1">
-+  <definition class="compliance" id="{{{ _RULE_ID }}}" version="1">
-     {{{ oval_metadata("The " + TIMERNAME + " service should be enabled if possible.") }}}
-     <criteria comment="package {{{ PACKAGENAME }}} installed and timer {{{ TIMERNAME }}} is configured to start" operator="AND">
-       <extend_definition comment="{{{ PACKAGENAME }}} installed" definition_ref="package_{{{ PACKAGENAME }}}_installed" />
-diff --git a/shared/templates/template_OVAL_yamlfile_value b/shared/templates/template_OVAL_yamlfile_value
-index e42f5cf591..56686cba58 100644
---- a/shared/templates/template_OVAL_yamlfile_value
-+++ b/shared/templates/template_OVAL_yamlfile_value
-@@ -1,6 +1,6 @@
- {{% if target_oval_version >= [5, 11] %}}
- <def-group>
--  <definition class="compliance" id="{{{ rule_id }}}" version="1">
-+  <definition class="compliance" id="{{{ _RULE_ID }}}" version="1">
-     {{{ oval_metadata("
-         The file '" + FILEPATH + "' should " + "not " if NEGATE else "" + "contain value '" + VALUE + "' " + ("of type " + TYPE + " ") if TYPE else "" + "at '" + YAMLPATH + "'.") }}}
-     <criteria>
diff --git a/SOURCES/scap-security-guide-0.1.53-fix-extended-definition-PR_6186.patch b/SOURCES/scap-security-guide-0.1.53-fix-extended-definition-PR_6186.patch
deleted file mode 100644
index 67c99c6..0000000
--- a/SOURCES/scap-security-guide-0.1.53-fix-extended-definition-PR_6186.patch
+++ /dev/null
@@ -1,59 +0,0 @@
-From d1e2c3c84bee6dc81fc8ee37d9ef9013548a51ec Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
-Date: Mon, 12 Oct 2020 16:05:49 +0200
-Subject: [PATCH 1/2] Update prodtypes of rules that have their OVAL reused.
-
----
- .../smart_card_login/install_smartcard_packages/rule.yml        | 2 +-
- .../mcafee_hbss_software/package_MFEhiplsm_installed/rule.yml   | 2 +-
- 2 files changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/install_smartcard_packages/rule.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/install_smartcard_packages/rule.yml
-index 1747b7901a..8bb91bd3e4 100644
---- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/install_smartcard_packages/rule.yml
-+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/install_smartcard_packages/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
- 
--prodtype: ol7,rhel7
-+prodtype: fedora,ol7,rhel7
- 
- title: 'Install Smart Card Packages For Multifactor Authentication'
- 
-diff --git a/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_hbss_software/package_MFEhiplsm_installed/rule.yml b/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_hbss_software/package_MFEhiplsm_installed/rule.yml
-index 00e5f12873..c4448df036 100644
---- a/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_hbss_software/package_MFEhiplsm_installed/rule.yml
-+++ b/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_hbss_software/package_MFEhiplsm_installed/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
- 
--prodtype: fedora,rhel6,rhel7,rhel8,rhv4
-+prodtype: fedora,rhcos4,rhel6,rhel7,rhel8,rhv4
- 
- title: 'Install the Host Intrusion Prevention System (HIPS) Module'
- 
-
-From 1602513bf9f1dacc7ca75898779c05ad92f4cb6a Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
-Date: Tue, 13 Oct 2020 10:44:10 +0200
-Subject: [PATCH 2/2] Fixed the referenced check ID.
-
-The pkcs package check used to exist separatly from existing rules,
-but now it exists only as OVAL of install_smartcard_packages.
----
- .../smart_card_login/smartcard_auth/oval/shared.xml             | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_auth/oval/shared.xml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_auth/oval/shared.xml
-index f1b620056f..b61a2473ad 100644
---- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_auth/oval/shared.xml
-+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_auth/oval/shared.xml
-@@ -2,7 +2,7 @@
-   <definition class="compliance" id="smartcard_auth" version="3">
-     {{{ oval_metadata("Enable Smart Card logins") }}}
-     <criteria comment="smart card authentication is configured" operator="AND">
--      <extend_definition comment="pam_pkcs11 package is installed" definition_ref="package_pam_pkcs11_installed" />
-+      <extend_definition comment="packages needed for smartcard support are installed" definition_ref="install_smartcard_packages" />
-       <extend_definition comment="pcscd service is enabled" definition_ref="service_pcscd_enabled" />
-       <criteria operator="OR">
-         <extend_definition comment="esc package is installed" definition_ref="package_esc_installed" />
diff --git a/SOURCES/scap-security-guide-0.1.53-fix_aide_rules-PR_6152.patch b/SOURCES/scap-security-guide-0.1.53-fix_aide_rules-PR_6152.patch
deleted file mode 100644
index dd5afb9..0000000
--- a/SOURCES/scap-security-guide-0.1.53-fix_aide_rules-PR_6152.patch
+++ /dev/null
@@ -1,181 +0,0 @@
-From 78b70a215233846bb1590b2c9fa436372e8cdf18 Mon Sep 17 00:00:00 2001
-From: Gabriel Becker <ggasparb@redhat.com>
-Date: Mon, 5 Oct 2020 13:34:22 +0200
-Subject: [PATCH] Fix regex in aide rules to consider first letter as
- uppercase.
-
----
- .../aide/aide_use_fips_hashes/bash/shared.sh                  | 2 +-
- .../aide/aide_use_fips_hashes/oval/shared.xml                 | 4 ++--
- .../aide/aide_use_fips_hashes/tests/correct_value.pass.sh     | 1 +
- .../aide/aide_use_fips_hashes/tests/wrong_value.fail.sh       | 2 ++
- .../software-integrity/aide/aide_verify_acls/bash/shared.sh   | 2 +-
- .../software-integrity/aide/aide_verify_acls/oval/shared.xml  | 2 +-
- .../aide/aide_verify_acls/tests/correct_value.pass.sh         | 1 +
- .../aide/aide_verify_acls/tests/wrong_value.fail.sh           | 1 +
- .../aide/aide_verify_ext_attributes/bash/shared.sh            | 2 +-
- .../aide/aide_verify_ext_attributes/oval/shared.xml           | 2 +-
- .../aide_verify_ext_attributes/tests/correct_value.pass.sh    | 1 +
- .../aide/aide_verify_ext_attributes/tests/wrong_value.fail.sh | 1 +
- 12 files changed, 14 insertions(+), 7 deletions(-)
-
-diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_use_fips_hashes/bash/shared.sh b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_use_fips_hashes/bash/shared.sh
-index f957996ecd..3e829abf72 100644
---- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_use_fips_hashes/bash/shared.sh
-+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_use_fips_hashes/bash/shared.sh
-@@ -5,7 +5,7 @@
- aide_conf="/etc/aide.conf"
- forbidden_hashes=(sha1 rmd160 sha256 whirlpool tiger haval gost crc32)
- 
--groups=$(LC_ALL=C grep "^[A-Za-z]\+" $aide_conf | cut -f1 -d ' ' | tr -d ' ' | sort -u)
-+groups=$(LC_ALL=C grep "^[A-Z][A-Za-z_]*" $aide_conf | cut -f1 -d ' ' | tr -d ' ' | sort -u)
- 
- for group in $groups
- do
-diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_use_fips_hashes/oval/shared.xml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_use_fips_hashes/oval/shared.xml
-index 8bd7901266..e800ba49bd 100644
---- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_use_fips_hashes/oval/shared.xml
-+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_use_fips_hashes/oval/shared.xml
-@@ -18,7 +18,7 @@
-   <ind:textfilecontent54_object id="object_aide_non_fips_hashes"
-   version="1">
-     <ind:filepath>/etc/aide.conf</ind:filepath>
--    <ind:pattern operation="pattern match">^[a-zA-Z]*[\s]*=[\s]*.*(sha1|rmd160|sha256|whirlpool|tiger|haval|gost|crc32).*$</ind:pattern>
-+    <ind:pattern operation="pattern match">^[A-Z][a-zA-Z_]*[\s]*=[\s]*.*(sha1|rmd160|sha256|whirlpool|tiger|haval|gost|crc32).*$</ind:pattern>
-     <ind:instance datatype="int" operation="greater than or equal">0</ind:instance>
-   </ind:textfilecontent54_object>
- 
-@@ -31,7 +31,7 @@
-   <ind:textfilecontent54_object id="object_aide_use_fips_hashes"
-   version="1">
-     <ind:filepath>/etc/aide.conf</ind:filepath>
--    <ind:pattern operation="pattern match">^[a-zA-Z]*[\s]*=[\s]*([a-zA-Z0-9\+]*)$</ind:pattern>
-+    <ind:pattern operation="pattern match">^[A-Z][A-Za-z_]*[\s]*=[\s]*([a-zA-Z0-9\+]*)$</ind:pattern>
-     <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-   </ind:textfilecontent54_object>
-   <ind:textfilecontent54_state id="state_aide_use_fips_hashes" version="1">
-diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_use_fips_hashes/tests/correct_value.pass.sh b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_use_fips_hashes/tests/correct_value.pass.sh
-index fb305ce441..c40ce01f7e 100644
---- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_use_fips_hashes/tests/correct_value.pass.sh
-+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_use_fips_hashes/tests/correct_value.pass.sh
-@@ -5,6 +5,7 @@ yum install -y aide
- 
- cat >/etc/aide.conf <<EOL
- All = p+i+n+u+g+s+m+S+sha512+acl+xattrs+selinux
-+option = yes
- /bin All # apply the custom rule to the files in bin 
- /sbin All # apply the same custom rule to the files in sbin 
- EOL
-diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_use_fips_hashes/tests/wrong_value.fail.sh b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_use_fips_hashes/tests/wrong_value.fail.sh
-index 19516ef3b3..f8ae79ce8a 100644
---- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_use_fips_hashes/tests/wrong_value.fail.sh
-+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_use_fips_hashes/tests/wrong_value.fail.sh
-@@ -5,6 +5,8 @@ yum install -y aide
- 
- cat >/etc/aide.conf <<EOL
- All = p+i+n+u+g+s+m+S+acl+xattrs+selinux
-+option = yes
-+Group = selinux
- /bin All # apply the custom rule to the files in bin 
- /sbin All # apply the same custom rule to the files in sbin 
- EOL
-diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_acls/bash/shared.sh b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_acls/bash/shared.sh
-index 31190a28de..1de7a6f893 100644
---- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_acls/bash/shared.sh
-+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_acls/bash/shared.sh
-@@ -4,7 +4,7 @@
- 
- aide_conf="/etc/aide.conf"
- 
--groups=$(LC_ALL=C grep "^[A-Za-z]\+" $aide_conf | grep -v "^ALLXTRAHASHES" | cut -f1 -d '=' | tr -d ' ' | sort -u)
-+groups=$(LC_ALL=C grep "^[A-Z][A-Za-z_]*" $aide_conf | grep -v "^ALLXTRAHASHES" | cut -f1 -d '=' | tr -d ' ' | sort -u)
- 
- for group in $groups
- do
-diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_acls/oval/shared.xml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_acls/oval/shared.xml
-index 5b7368a7f7..b9b45d28a2 100644
---- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_acls/oval/shared.xml
-+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_acls/oval/shared.xml
-@@ -16,7 +16,7 @@
-   <ind:textfilecontent54_object id="object_aide_verify_acls"
-   version="2">
-     <ind:filepath>/etc/aide.conf</ind:filepath>
--    <ind:pattern operation="pattern match">^(?!ALLXTRAHASHES)[a-zA-Z]*[\s]*=[\s]*([a-zA-Z0-9\+]*)$</ind:pattern>
-+    <ind:pattern operation="pattern match">^(?!ALLXTRAHASHES)[A-Z][a-zA-Z_]*[\s]*=[\s]*([a-zA-Z0-9\+]*)$</ind:pattern>
-     <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-   </ind:textfilecontent54_object>
- 
-diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_acls/tests/correct_value.pass.sh b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_acls/tests/correct_value.pass.sh
-index fb305ce441..c40ce01f7e 100644
---- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_acls/tests/correct_value.pass.sh
-+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_acls/tests/correct_value.pass.sh
-@@ -5,6 +5,7 @@ yum install -y aide
- 
- cat >/etc/aide.conf <<EOL
- All = p+i+n+u+g+s+m+S+sha512+acl+xattrs+selinux
-+option = yes
- /bin All # apply the custom rule to the files in bin 
- /sbin All # apply the same custom rule to the files in sbin 
- EOL
-diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_acls/tests/wrong_value.fail.sh b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_acls/tests/wrong_value.fail.sh
-index 651f7a631a..e6f18ff5b8 100644
---- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_acls/tests/wrong_value.fail.sh
-+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_acls/tests/wrong_value.fail.sh
-@@ -5,6 +5,7 @@ yum install -y aide
- 
- cat >/etc/aide.conf <<EOL
- All = p+i+n+u+g+s+m+S+sha512+xattrs+selinux
-+option = yes
- /bin All # apply the custom rule to the files in bin 
- /sbin All # apply the same custom rule to the files in sbin 
- EOL
-diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_ext_attributes/bash/shared.sh b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_ext_attributes/bash/shared.sh
-index a25ff2423e..1bce723a70 100644
---- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_ext_attributes/bash/shared.sh
-+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_ext_attributes/bash/shared.sh
-@@ -4,7 +4,7 @@
- 
- aide_conf="/etc/aide.conf"
- 
--groups=$(LC_ALL=C grep "^[A-Za-z]\+" $aide_conf | grep -v "^ALLXTRAHASHES" | cut -f1 -d '=' | tr -d ' ' | sort -u)
-+groups=$(LC_ALL=C grep "^[A-Z][A-Za-z_]*" $aide_conf | grep -v "^ALLXTRAHASHES" | cut -f1 -d '=' | tr -d ' ' | sort -u)
- 
- for group in $groups
- do
-diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_ext_attributes/oval/shared.xml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_ext_attributes/oval/shared.xml
-index 8b64dddf9f..5ea93bb32a 100644
---- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_ext_attributes/oval/shared.xml
-+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_ext_attributes/oval/shared.xml
-@@ -16,7 +16,7 @@
-   <ind:textfilecontent54_object id="object_aide_verify_ext_attributes"
-   version="2">
-     <ind:filepath>/etc/aide.conf</ind:filepath>
--    <ind:pattern operation="pattern match">^(?!ALLXTRAHASHES)[a-zA-Z]*[\s]*=[\s]*([a-zA-Z0-9\+]*)$</ind:pattern>
-+    <ind:pattern operation="pattern match">^(?!ALLXTRAHASHES)[A-Z][a-zA-Z_]*[\s]*=[\s]*([a-zA-Z0-9\+]*)$</ind:pattern>
-     <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-   </ind:textfilecontent54_object>
- 
-diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_ext_attributes/tests/correct_value.pass.sh b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_ext_attributes/tests/correct_value.pass.sh
-index fb305ce441..c40ce01f7e 100644
---- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_ext_attributes/tests/correct_value.pass.sh
-+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_ext_attributes/tests/correct_value.pass.sh
-@@ -5,6 +5,7 @@ yum install -y aide
- 
- cat >/etc/aide.conf <<EOL
- All = p+i+n+u+g+s+m+S+sha512+acl+xattrs+selinux
-+option = yes
- /bin All # apply the custom rule to the files in bin 
- /sbin All # apply the same custom rule to the files in sbin 
- EOL
-diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_ext_attributes/tests/wrong_value.fail.sh b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_ext_attributes/tests/wrong_value.fail.sh
-index 970bd91536..9507131248 100644
---- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_ext_attributes/tests/wrong_value.fail.sh
-+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_ext_attributes/tests/wrong_value.fail.sh
-@@ -5,6 +5,7 @@ yum install -y aide
- 
- cat >/etc/aide.conf <<EOL
- All = p+i+n+u+g+s+m+S+sha512+acl+selinux
-+option = yes
- /bin All # apply the custom rule to the files in bin 
- /sbin All # apply the same custom rule to the files in sbin 
- EOL
diff --git a/SOURCES/scap-security-guide-0.1.53-fix_ansible_remediation-PR_6116.patch b/SOURCES/scap-security-guide-0.1.53-fix_ansible_remediation-PR_6116.patch
deleted file mode 100644
index 4e18e98..0000000
--- a/SOURCES/scap-security-guide-0.1.53-fix_ansible_remediation-PR_6116.patch
+++ /dev/null
@@ -1,342 +0,0 @@
-From 43223c64eb10feefa4e7946173b6bdcb33974461 Mon Sep 17 00:00:00 2001
-From: Gabriel Becker <ggasparb@redhat.com>
-Date: Wed, 23 Sep 2020 14:47:27 +0200
-Subject: [PATCH 1/3] Fix snmpd_not_default_password ansible remediation when
- file doesn't exist.
-
----
- .../snmpd_not_default_password/ansible/shared.yml          | 7 +++++++
- 1 file changed, 7 insertions(+)
-
-diff --git a/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/ansible/shared.yml b/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/ansible/shared.yml
-index d92c0a17da..9094560a1d 100644
---- a/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/ansible/shared.yml
-+++ b/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/ansible/shared.yml
-@@ -6,14 +6,21 @@
- 
- {{{ ansible_instantiate_variables("var_snmpd_ro_string", "var_snmpd_rw_string") }}}
- 
-+- name: "Check if file /etc/snmp/snmpd.conf exists"
-+  stat:
-+    path: /etc/snmp/snmpd.conf
-+  register: snmpd
-+
- - name: "Replace all instances of SNMP RO strings"
-   replace:
-     path: "/etc/snmp/snmpd.conf"
-     regexp: 'public'
-     replace: '{{ var_snmpd_ro_string }}'
-+  when: snmpd.stat is defined and snmpd.stat.exists
- 
- - name: "Replace all instances of SNMP RW strings"
-   replace:
-     path: "/etc/snmp/snmpd.conf"
-     regexp: 'private'
-     replace: '{{ var_snmpd_rw_string }}'
-+  when: snmpd.stat is defined and snmpd.stat.exists
-
-From 459d15b2fc2a86d37588cbebbbe1732910e1a397 Mon Sep 17 00:00:00 2001
-From: Gabriel Becker <ggasparb@redhat.com>
-Date: Thu, 24 Sep 2020 14:06:48 +0200
-Subject: [PATCH 2/3] Add net-snmp CPE entry to detect if package is installed.
-
----
- debian10/cpe/debian10-cpe-dictionary.xml      |  4 ++
- debian10/product.yml                          |  4 ++
- debian9/cpe/debian9-cpe-dictionary.xml        |  4 ++
- debian9/product.yml                           |  4 ++
- fedora/cpe/fedora-cpe-dictionary.xml          |  4 ++
- .../snmp/snmp_configure_server/group.yml      |  2 +
- .../ansible/shared.yml                        |  4 +-
- .../oval/shared.xml                           |  3 +-
- .../tests/missing.pass.sh                     |  3 ++
- .../tests/package_missing.notapplicable.sh    |  3 ++
- ol7/cpe/ol7-cpe-dictionary.xml                |  4 ++
- ol8/cpe/ol8-cpe-dictionary.xml                |  4 ++
- rhel6/cpe/rhel6-cpe-dictionary.xml            |  4 ++
- rhel7/cpe/rhel7-cpe-dictionary.xml            |  4 ++
- rhel8/cpe/rhel8-cpe-dictionary.xml            |  4 ++
- .../installed_env_has_net-snmp_package.xml    | 38 +++++++++++++++++++
- ssg/constants.py                              |  1 +
- .../cpe/wrlinux1019-cpe-dictionary.xml        |  4 ++
- 18 files changed, 94 insertions(+), 4 deletions(-)
- create mode 100644 linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/tests/missing.pass.sh
- create mode 100644 linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/tests/package_missing.notapplicable.sh
- create mode 100644 shared/checks/oval/installed_env_has_net-snmp_package.xml
-
-diff --git a/debian10/cpe/debian10-cpe-dictionary.xml b/debian10/cpe/debian10-cpe-dictionary.xml
-index ddb68c34bd..f94c59d028 100644
---- a/debian10/cpe/debian10-cpe-dictionary.xml
-+++ b/debian10/cpe/debian10-cpe-dictionary.xml
-@@ -76,4 +76,8 @@
-             <title xml:lang="en-us">System uses zipl</title>
-             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_zipl_package</check>
-       </cpe-item>
-+      <cpe-item name="cpe:/a:net-snmp">
-+            <title xml:lang="en-us">Package net-snmp is installed</title>
-+            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_net-snmp_package</check>
-+      </cpe-item>
- </cpe-list>
-diff --git a/debian10/product.yml b/debian10/product.yml
-index c9b30b9d23..88fb497eb0 100644
---- a/debian10/product.yml
-+++ b/debian10/product.yml
-@@ -9,3 +9,7 @@ profiles_root: "./profiles"
- pkg_manager: "apt_get"
- 
- init_system: "systemd"
-+
-+# Mapping of CPE platform to package
-+platform_package_overrides:
-+  net-snmp: "snmp"
-diff --git a/debian9/cpe/debian9-cpe-dictionary.xml b/debian9/cpe/debian9-cpe-dictionary.xml
-index d5595fd594..bd18e5e754 100644
---- a/debian9/cpe/debian9-cpe-dictionary.xml
-+++ b/debian9/cpe/debian9-cpe-dictionary.xml
-@@ -76,4 +76,8 @@
-             <title xml:lang="en-us">System uses zipl</title>
-             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_zipl_package</check>
-       </cpe-item>
-+      <cpe-item name="cpe:/a:net-snmp">
-+            <title xml:lang="en-us">Package net-snmp is installed</title>
-+            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_net-snmp_package</check>
-+      </cpe-item>
- </cpe-list>
-diff --git a/debian9/product.yml b/debian9/product.yml
-index 53e4e7509a..cfbdfd109a 100644
---- a/debian9/product.yml
-+++ b/debian9/product.yml
-@@ -9,3 +9,7 @@ profiles_root: "./profiles"
- pkg_manager: "apt_get"
- 
- init_system: "systemd"
-+
-+# Mapping of CPE platform to package
-+platform_package_overrides:
-+  net-snmp: "snmp"
-diff --git a/fedora/cpe/fedora-cpe-dictionary.xml b/fedora/cpe/fedora-cpe-dictionary.xml
-index bef1337fc9..581abc41c7 100644
---- a/fedora/cpe/fedora-cpe-dictionary.xml
-+++ b/fedora/cpe/fedora-cpe-dictionary.xml
-@@ -111,4 +111,8 @@
-             <title xml:lang="en-us">System uses zipl</title>
-             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_zipl_package</check>
-       </cpe-item>
-+      <cpe-item name="cpe:/a:net-snmp">
-+            <title xml:lang="en-us">Package net-snmp is installed</title>
-+            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_net-snmp_package</check>
-+      </cpe-item>
- </cpe-list>
-diff --git a/linux_os/guide/services/snmp/snmp_configure_server/group.yml b/linux_os/guide/services/snmp/snmp_configure_server/group.yml
-index 339e5843c2..8052ade2f6 100644
---- a/linux_os/guide/services/snmp/snmp_configure_server/group.yml
-+++ b/linux_os/guide/services/snmp/snmp_configure_server/group.yml
-@@ -17,3 +17,5 @@ description: |-
-     stations</li>
-     <li>ensure that permissions on the <tt>snmpd.conf</tt> configuration file (by default, in <tt>/etc/snmp</tt>) are 640 or more restrictive</li>
-     <li>ensure that any MIB files' permissions are also 640 or more restrictive</li></ul>
-+
-+platform: net-snmp
-diff --git a/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/ansible/shared.yml b/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/ansible/shared.yml
-index 9094560a1d..b10733861d 100644
---- a/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/ansible/shared.yml
-+++ b/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/ansible/shared.yml
-@@ -16,11 +16,11 @@
-     path: "/etc/snmp/snmpd.conf"
-     regexp: 'public'
-     replace: '{{ var_snmpd_ro_string }}'
--  when: snmpd.stat is defined and snmpd.stat.exists
-+  when: (snmpd.stat.exists is defined and snmpd.stat.exists)
- 
- - name: "Replace all instances of SNMP RW strings"
-   replace:
-     path: "/etc/snmp/snmpd.conf"
-     regexp: 'private'
-     replace: '{{ var_snmpd_rw_string }}'
--  when: snmpd.stat is defined and snmpd.stat.exists
-+  when: (snmpd.stat.exists is defined and snmpd.stat.exists)
-diff --git a/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/oval/shared.xml b/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/oval/shared.xml
-index 0ff056c48c..5504c0151f 100644
---- a/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/oval/shared.xml
-+++ b/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/oval/shared.xml
-@@ -1,8 +1,7 @@
- <def-group>
-   <definition class="compliance" id="snmpd_not_default_password" version="2">
-     {{{ oval_metadata("SNMP default communities must be removed.") }}}
--    <criteria operator="OR">
--      <extend_definition comment="SMNP installed" definition_ref="package_net-snmp_removed" />
-+    <criteria>
-       <criterion comment="SNMP communities" test_ref="test_snmp_default_communities" />
-     </criteria>
-   </definition>
-diff --git a/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/tests/missing.pass.sh b/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/tests/missing.pass.sh
-new file mode 100644
-index 0000000000..3982740e83
---- /dev/null
-+++ b/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/tests/missing.pass.sh
-@@ -0,0 +1,3 @@
-+#!/bin/bash
-+
-+yum -y install net-snmp
-diff --git a/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/tests/package_missing.notapplicable.sh b/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/tests/package_missing.notapplicable.sh
-new file mode 100644
-index 0000000000..c388fe3652
---- /dev/null
-+++ b/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/tests/package_missing.notapplicable.sh
-@@ -0,0 +1,3 @@
-+#!/bin/bash
-+
-+yum -y remove net-snmp
-diff --git a/ol7/cpe/ol7-cpe-dictionary.xml b/ol7/cpe/ol7-cpe-dictionary.xml
-index 59c5c728aa..6b1ab98ab6 100644
---- a/ol7/cpe/ol7-cpe-dictionary.xml
-+++ b/ol7/cpe/ol7-cpe-dictionary.xml
-@@ -80,4 +80,8 @@
-             <title xml:lang="en-us">SSSD is configured to use LDAP</title>
-             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">sssd_conf_uses_ldap</check>
-       </cpe-item>
-+      <cpe-item name="cpe:/a:net-snmp">
-+            <title xml:lang="en-us">Package net-snmp is installed</title>
-+            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_net-snmp_package</check>
-+      </cpe-item>
- </cpe-list>
-diff --git a/ol8/cpe/ol8-cpe-dictionary.xml b/ol8/cpe/ol8-cpe-dictionary.xml
-index 473ba36235..3e90619c27 100644
---- a/ol8/cpe/ol8-cpe-dictionary.xml
-+++ b/ol8/cpe/ol8-cpe-dictionary.xml
-@@ -75,4 +75,8 @@
-             <title xml:lang="en-us">SSSD is configured to use LDAP</title>
-             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">sssd_conf_uses_ldap</check>
-       </cpe-item>
-+      <cpe-item name="cpe:/a:net-snmp">
-+            <title xml:lang="en-us">Package net-snmp is installed</title>
-+            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_net-snmp_package</check>
-+      </cpe-item>
- </cpe-list>
-diff --git a/rhel6/cpe/rhel6-cpe-dictionary.xml b/rhel6/cpe/rhel6-cpe-dictionary.xml
-index 1b696b88d3..d0557cc807 100644
---- a/rhel6/cpe/rhel6-cpe-dictionary.xml
-+++ b/rhel6/cpe/rhel6-cpe-dictionary.xml
-@@ -96,4 +96,8 @@
-             <title xml:lang="en-us">System uses zipl</title>
-             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_zipl_package</check>
-       </cpe-item>
-+      <cpe-item name="cpe:/a:net-snmp">
-+            <title xml:lang="en-us">Package net-snmp is installed</title>
-+            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_net-snmp_package</check>
-+      </cpe-item>
- </cpe-list>
-diff --git a/rhel7/cpe/rhel7-cpe-dictionary.xml b/rhel7/cpe/rhel7-cpe-dictionary.xml
-index e6b88f55cd..50f8006c97 100644
---- a/rhel7/cpe/rhel7-cpe-dictionary.xml
-+++ b/rhel7/cpe/rhel7-cpe-dictionary.xml
-@@ -110,4 +110,8 @@
-             <title xml:lang="en-us">SSSD is configured to use LDAP</title>
-             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">sssd_conf_uses_ldap</check>
-       </cpe-item>
-+      <cpe-item name="cpe:/a:net-snmp">
-+            <title xml:lang="en-us">Package net-snmp is installed</title>
-+            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_net-snmp_package</check>
-+      </cpe-item>
- </cpe-list>
-diff --git a/rhel8/cpe/rhel8-cpe-dictionary.xml b/rhel8/cpe/rhel8-cpe-dictionary.xml
-index 699251868d..3b9b4fc038 100644
---- a/rhel8/cpe/rhel8-cpe-dictionary.xml
-+++ b/rhel8/cpe/rhel8-cpe-dictionary.xml
-@@ -80,4 +80,8 @@
-             <title xml:lang="en-us">SSSD is configured to use LDAP</title>
-             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">sssd_conf_uses_ldap</check>
-       </cpe-item>
-+      <cpe-item name="cpe:/a:net-snmp">
-+            <title xml:lang="en-us">Package net-snmp is installed</title>
-+            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_net-snmp_package</check>
-+      </cpe-item>
- </cpe-list>
-diff --git a/shared/checks/oval/installed_env_has_net-snmp_package.xml b/shared/checks/oval/installed_env_has_net-snmp_package.xml
-new file mode 100644
-index 0000000000..66df54d473
---- /dev/null
-+++ b/shared/checks/oval/installed_env_has_net-snmp_package.xml
-@@ -0,0 +1,38 @@
-+<def-group>
-+  <definition class="inventory"
-+  id="installed_env_has_net-snmp_package" version="1">
-+    <metadata>
-+      <title>Package net-snmp is installed</title>
-+      <affected family="unix">
-+        <platform>multi_platform_all</platform>
-+      </affected>
-+      <description>Checks if package net-snmp is installed.</description>
-+      <reference ref_id="cpe:/a:net-snmp" source="CPE" />
-+    </metadata>
-+    <criteria>
-+      <criterion comment="Package net-snmp is installed" test_ref="test_env_has_net-snmp_installed" />
-+    </criteria>
-+  </definition>
-+
-+{{% if pkg_system == "rpm" %}}
-+  <linux:rpminfo_test check="all" check_existence="at_least_one_exists"
-+  id="test_env_has_net-snmp_installed" version="1"
-+  comment="system has package net-snmp installed">
-+    <linux:object object_ref="obj_env_has_net-snmp_installed" />
-+  </linux:rpminfo_test>
-+  <linux:rpminfo_object id="obj_env_has_net-snmp_installed" version="1">
-+    <linux:name>net-snmp</linux:name>
-+  </linux:rpminfo_object>
-+{{% elif pkg_system == "dpkg" %}}
-+  <linux:dpkginfo_test check="all" check_existence="all_exist"
-+  id="test_env_has_net-snmp_installed" version="1"
-+  comment="system has package net-snmp installed">
-+    <linux:object object_ref="obj_env_has_net-snmp_installed" />
-+  </linux:dpkginfo_test>
-+  <linux:dpkginfo_object id="obj_env_has_net-snmp_installed" version="1">
-+    <!-- dpkg systems differ in the package name -->
-+    <linux:name>snmp</linux:name>
-+  </linux:dpkginfo_object>
-+{{% endif %}}
-+
-+</def-group>
-diff --git a/ssg/constants.py b/ssg/constants.py
-index a585f32afc..fa2c4ccd76 100644
---- a/ssg/constants.py
-+++ b/ssg/constants.py
-@@ -500,6 +500,7 @@
-     "systemd": "cpe:/a:systemd",
-     "yum": "cpe:/a:yum",
-     "zipl": "cpe:/a:zipl",
-+    "net-snmp": "cpe:/a:net-snmp",
- }
- 
- # Default platform to package mapping
-diff --git a/wrlinux1019/cpe/wrlinux1019-cpe-dictionary.xml b/wrlinux1019/cpe/wrlinux1019-cpe-dictionary.xml
-index f32e69e118..f31bad72e8 100644
---- a/wrlinux1019/cpe/wrlinux1019-cpe-dictionary.xml
-+++ b/wrlinux1019/cpe/wrlinux1019-cpe-dictionary.xml
-@@ -79,4 +79,8 @@
-             <title xml:lang="en-us">SSSD is configured to use LDAP</title>
-             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">sssd_conf_uses_ldap</check>
-       </cpe-item>
-+      <cpe-item name="cpe:/a:net-snmp">
-+            <title xml:lang="en-us">Package net-snmp is installed</title>
-+            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_net-snmp_package</check>
-+      </cpe-item>
- </cpe-list>
-
-From b058d43efac626eea413f0d185bb5219027cc7d4 Mon Sep 17 00:00:00 2001
-From: Gabriel Becker <ggasparb@redhat.com>
-Date: Tue, 29 Sep 2020 09:53:25 +0200
-Subject: [PATCH 3/3] Fix test scenario for snmpd_not_default_password.
-
----
- .../snmpd_not_default_password/tests/missing.pass.sh             | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/tests/missing.pass.sh b/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/tests/missing.pass.sh
-index 3982740e83..d2a024f006 100644
---- a/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/tests/missing.pass.sh
-+++ b/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/tests/missing.pass.sh
-@@ -1,3 +1,4 @@
- #!/bin/bash
- 
- yum -y install net-snmp
-+rm -f /etc/snmp/snmpd.conf
diff --git a/SOURCES/scap-security-guide-0.1.53-fix_audit_rules_privileged_commands_duplicate_rules-PR_6279.patch b/SOURCES/scap-security-guide-0.1.53-fix_audit_rules_privileged_commands_duplicate_rules-PR_6279.patch
deleted file mode 100644
index 96c2760..0000000
--- a/SOURCES/scap-security-guide-0.1.53-fix_audit_rules_privileged_commands_duplicate_rules-PR_6279.patch
+++ /dev/null
@@ -1,475 +0,0 @@
-From 0e35c48ff14ed2cdcf16d79da52a276ee89ad7ce Mon Sep 17 00:00:00 2001
-From: Vojtech Polasek <vpolasek@redhat.com>
-Date: Mon, 19 Oct 2020 13:59:39 +0200
-Subject: [PATCH 01/10] remove perm=x from ansible, oval and rule.yaml
-
-this aligns with other audit_rules_privileged_commands_* which are handled by template
----
- .../audit_rules_privileged_commands/ansible/shared.yml      | 6 +++---
- .../audit_rules_privileged_commands/oval/shared.xml         | 4 ++--
- .../audit_rules_privileged_commands/rule.yml                | 4 ++--
- 3 files changed, 7 insertions(+), 7 deletions(-)
-
-diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/ansible/shared.yml
-index 9a8f91020c..79edfe1771 100644
---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/ansible/shared.yml
-+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/ansible/shared.yml
-@@ -28,7 +28,7 @@
- - name: Overwrites the rule in rules.d
-   lineinfile:
-     path: "{{ item.1.path }}"
--    line: '-a always,exit -F path={{ item.0.item }} -F perm=x -F auid>={{{ auid }}} -F auid!=unset -F key=special-config-changes'
-+    line: '-a always,exit -F path={{ item.0.item }} -F auid>={{{ auid }}} -F auid!=unset -F key=special-config-changes'
-     create: no
-     regexp: "^.*path={{ item.0.item }} .*$"
-   with_subelements:
-@@ -38,7 +38,7 @@
- - name: Adds the rule in rules.d
-   lineinfile:
-     path: /etc/audit/rules.d/privileged.rules
--    line: '-a always,exit -F path={{ item.item }} -F perm=x -F auid>={{{ auid }}} -F auid!=unset -F key=special-config-changes'
-+    line: '-a always,exit -F path={{ item.item }} -F auid>={{{ auid }}} -F auid!=unset -F key=special-config-changes'
-     create: yes
-   with_items:
-     - "{{ files_result.results }}"
-@@ -49,7 +49,7 @@
- - name: Inserts/replaces the rule in audit.rules
-   lineinfile:
-     path: /etc/audit/audit.rules
--    line: '-a always,exit -F path={{ item.item }} -F perm=x -F auid>={{{ auid }}} -F auid!=unset -F key=special-config-changes'
-+    line: '-a always,exit -F path={{ item.item }} -F auid>={{{ auid }}} -F auid!=unset -F key=special-config-changes'
-     create: yes
-     regexp: "^.*path={{ item.item }} .*$"
-   with_items:
-diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/oval/shared.xml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/oval/shared.xml
-index 798cffa42d..278bf6cb55 100644
---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/oval/shared.xml
-+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/oval/shared.xml
-@@ -68,7 +68,7 @@
-   </ind:textfilecontent54_test>
-   <ind:textfilecontent54_object id="object_arpc_suid_sgid_augenrules" version="1">
-     <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
--    <ind:pattern operation="pattern match">^[\s]*-a always,exit (?:-F path=([\S]+) )+-F perm=[r|w]?x -F auid>={{{ auid }}} -F auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
-+    <ind:pattern operation="pattern match">^[\s]*-a always,exit (?:-F path=([\S]+) )+-F auid>={{{ auid }}} -F auid!=(?:4294967295|unset)[\s]+(?:-k[\s]q|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
-     <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
-     <filter action="exclude">state_proper_audit_rule_but_for_unprivileged_command</filter>
-   </ind:textfilecontent54_object>
-@@ -92,7 +92,7 @@
-   </ind:textfilecontent54_test>
-   <ind:textfilecontent54_object id="object_arpc_suid_sgid_auditctl" version="1">
-     <ind:filepath>/etc/audit/audit.rules</ind:filepath>
--    <ind:pattern operation="pattern match">^[\s]*-a always,exit (?:-F path=([\S]+) )+-F perm=[r|w]?x -F auid>={{{ auid }}} -F auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
-+    <ind:pattern operation="pattern match">^[\s]*-a always,exit (?:-F path=([\S]+) )+-F auid>={{{ auid }}} -F auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
-     <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
-     <filter action="exclude">state_proper_audit_rule_but_for_unprivileged_command</filter>
-   </ind:textfilecontent54_object>
-diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/rule.yml
-index b64ba71099..9bc45ba933 100644
---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/rule.yml
-+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/rule.yml
-@@ -14,13 +14,13 @@ description: |-
-     <tt>/etc/audit/rules.d</tt> for each setuid / setgid program on the system,
-     replacing the <i>SETUID_PROG_PATH</i> part with the full path of that setuid /
-     setgid program in the list:
--    <pre>-a always,exit -F path=<i>SETUID_PROG_PATH</i> -F perm=x -F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
-+    <pre>-a always,exit -F path=<i>SETUID_PROG_PATH</i> -F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
-     If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
-     utility to read audit rules during daemon startup, add a line of the following
-     form to <tt>/etc/audit/audit.rules</tt> for each setuid / setgid program on the
-     system, replacing the <i>SETUID_PROG_PATH</i> part with the full path of that
-     setuid / setgid program in the list:
--    <pre>-a always,exit -F path=<i>SETUID_PROG_PATH</i> -F perm=x -F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
-+    <pre>-a always,exit -F path=<i>SETUID_PROG_PATH</i> -F auid&gt;={{{ auid }}} -F auid!=unset -F key=privileged</pre>
- 
- rationale: |-
-     Misuse of privileged functions, either intentionally or unintentionally by
-
-From 96ac5e82f8ced55f7d49711520057dccba46e218 Mon Sep 17 00:00:00 2001
-From: Vojtech Polasek <vpolasek@redhat.com>
-Date: Mon, 19 Oct 2020 14:00:24 +0200
-Subject: [PATCH 02/10] align with other rules fixing auditing of privileged
- commands
-
-remove the part checking perm= permissions
-change how the rule key is handled (-k vs -F key=)
----
- ...t_rules_privileged_commands_remediation.sh | 29 ++-----------------
- 1 file changed, 2 insertions(+), 27 deletions(-)
-
-diff --git a/shared/bash_remediation_functions/perform_audit_rules_privileged_commands_remediation.sh b/shared/bash_remediation_functions/perform_audit_rules_privileged_commands_remediation.sh
-index d5df7b23b9..ff76b250f0 100644
---- a/shared/bash_remediation_functions/perform_audit_rules_privileged_commands_remediation.sh
-+++ b/shared/bash_remediation_functions/perform_audit_rules_privileged_commands_remediation.sh
-@@ -79,7 +79,7 @@ do
- 	local count_of_inspected_files=0
- 
- 	# Define expected rule form for this binary
--	expected_rule="-a always,exit -F path=${sbinary} -F perm=x -F auid>=${min_auid} -F auid!=unset -k privileged"
-+	expected_rule="-a always,exit -F path=${sbinary} -F auid>=${min_auid} -F auid!=unset -F key=privileged"
- 
- 	# If list of audit rules files to be inspected is empty, just add new rule and move on to next binary
- 	if [[ ${#files_to_inspect[@]} -eq 0 ]]; then
-@@ -101,7 +101,7 @@ do
- 		#   them in arbitrary order)
- 	
- 		base_search=$(sed -e '/-a always,exit/!d' -e '/-F path='"${sbinary_esc}"'[^[:graph:]]/!d'		\
--				-e '/-F path=[^[:space:]]\+/!d'   -e '/-F perm=.*/!d'						\
-+				-e '/-F path=[^[:space:]]\+/!d'						\
- 				-e '/-F auid>='"${min_auid}"'/!d' -e '/-F auid!=\(4294967295\|unset\)/!d'	\
- 				-e '/-k \|-F key=/!d' "$afile")
- 
-@@ -127,31 +127,6 @@ do
- 			# Merge the list of such SUID/SGID binaries found in this iteration with global list ignoring duplicates
- 			readarray -t sbinaries_to_skip < <(for i in "${sbinaries_to_skip[@]}" "${handled_sbinaries[@]}"; do echo "$i"; done | sort -du)
- 
--			# Separate concrete_rule into three sections using hash '#'
--			# sign as a delimiter around rule's permission section borders
--			concrete_rule="$(echo "$concrete_rule" | sed -n "s/\(.*\)\+\(-F perm=[rwax]\+\)\+/\1#\2#/p")"
--
--			# Split concrete_rule into head, perm, and tail sections using hash '#' delimiter
--
--			rule_head=$(cut -d '#' -f 1 <<< "$concrete_rule")
--			rule_perm=$(cut -d '#' -f 2 <<< "$concrete_rule")
--			rule_tail=$(cut -d '#' -f 3 <<< "$concrete_rule")
--
--			# Extract already present exact access type [r|w|x|a] from rule's permission section
--			access_type=${rule_perm//-F perm=/}
--
--			# Verify current permission access type(s) for rule contain 'x' (execute) permission
--			if ! grep -q "$exec_access" <<< "$access_type"
--			then
--
--				# If not, append the 'x' (execute) permission to the existing access type bits
--				access_type="$access_type$exec_access"
--				# Reconstruct the permissions section for the rule
--				new_rule_perm="-F perm=$access_type"
--				# Update existing rule in current audit rules file with the new permission section
--				sed -i "s#${rule_head}\(.*\)${rule_tail}#${rule_head}${new_rule_perm}${rule_tail}#" "$afile"
--
--			fi
- 
- 		# If the required audit rule for particular sbinary wasn't found yet, insert it under following conditions:
- 		#
-
-From e5a65a1de7eda39e237401417196e87fbc6ea840 Mon Sep 17 00:00:00 2001
-From: Vojtech Polasek <vpolasek@redhat.com>
-Date: Tue, 20 Oct 2020 09:25:45 +0200
-Subject: [PATCH 03/10] unify rule key for ansible remediation of
- audit_rules_privileged_commands
-
----
- .../audit_rules_privileged_commands/ansible/shared.yml      | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/ansible/shared.yml
-index 79edfe1771..2433073a05 100644
---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/ansible/shared.yml
-+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/ansible/shared.yml
-@@ -28,7 +28,7 @@
- - name: Overwrites the rule in rules.d
-   lineinfile:
-     path: "{{ item.1.path }}"
--    line: '-a always,exit -F path={{ item.0.item }} -F auid>={{{ auid }}} -F auid!=unset -F key=special-config-changes'
-+    line: '-a always,exit -F path={{ item.0.item }} -F auid>={{{ auid }}} -F auid!=unset -F key=privileged'
-     create: no
-     regexp: "^.*path={{ item.0.item }} .*$"
-   with_subelements:
-@@ -38,7 +38,7 @@
- - name: Adds the rule in rules.d
-   lineinfile:
-     path: /etc/audit/rules.d/privileged.rules
--    line: '-a always,exit -F path={{ item.item }} -F auid>={{{ auid }}} -F auid!=unset -F key=special-config-changes'
-+    line: '-a always,exit -F path={{ item.item }} -F auid>={{{ auid }}} -F auid!=unset -F key=privileged'
-     create: yes
-   with_items:
-     - "{{ files_result.results }}"
-@@ -49,7 +49,7 @@
- - name: Inserts/replaces the rule in audit.rules
-   lineinfile:
-     path: /etc/audit/audit.rules
--    line: '-a always,exit -F path={{ item.item }} -F auid>={{{ auid }}} -F auid!=unset -F key=special-config-changes'
-+    line: '-a always,exit -F path={{ item.item }} -F auid>={{{ auid }}} -F auid!=unset -F key=privileged'
-     create: yes
-     regexp: "^.*path={{ item.item }} .*$"
-   with_items:
-
-From 573d95dce8872e66738eae427a2ab0ec4ef84a79 Mon Sep 17 00:00:00 2001
-From: Vojtech Polasek <vpolasek@redhat.com>
-Date: Fri, 23 Oct 2020 13:46:47 +0200
-Subject: [PATCH 04/10] fix typo in oval
-
----
- .../audit_rules_privileged_commands/oval/shared.xml             | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/oval/shared.xml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/oval/shared.xml
-index 278bf6cb55..a04e9df71a 100644
---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/oval/shared.xml
-+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/oval/shared.xml
-@@ -68,7 +68,7 @@
-   </ind:textfilecontent54_test>
-   <ind:textfilecontent54_object id="object_arpc_suid_sgid_augenrules" version="1">
-     <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
--    <ind:pattern operation="pattern match">^[\s]*-a always,exit (?:-F path=([\S]+) )+-F auid>={{{ auid }}} -F auid!=(?:4294967295|unset)[\s]+(?:-k[\s]q|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
-+    <ind:pattern operation="pattern match">^[\s]*-a always,exit (?:-F path=([\S]+) )+-F auid>={{{ auid }}} -F auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
-     <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
-     <filter action="exclude">state_proper_audit_rule_but_for_unprivileged_command</filter>
-   </ind:textfilecontent54_object>
-
-From 463462b27143b4d6c5246d20fc5c7dbc7ac4d48b Mon Sep 17 00:00:00 2001
-From: Vojtech Polasek <vpolasek@redhat.com>
-Date: Fri, 23 Oct 2020 14:54:16 +0200
-Subject: [PATCH 05/10] modify tests
-
----
- .../tests/auditctl_one_rule.fail.sh                       | 2 +-
- .../tests/auditctl_rules_with_perm_x.fail.sh              | 7 +++++++
- .../tests/augenrules_one_rule.fail.sh                     | 2 +-
- .../tests/augenrules_rules_with_perm_x.fail.sh            | 8 ++++++++
- .../tests/augenrules_two_rules_mixed_keys.fail.sh         | 4 ++--
- .../tests/augenrules_two_rules_sep_files.fail.sh          | 4 ++--
- .../tests/generate_privileged_commands_rule.sh            | 2 +-
- 7 files changed, 22 insertions(+), 7 deletions(-)
- create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/auditctl_rules_with_perm_x.fail.sh
- create mode 100644 linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_rules_with_perm_x.fail.sh
-
-diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/auditctl_one_rule.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/auditctl_one_rule.fail.sh
-index 5d2550760a..3f534d4deb 100644
---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/auditctl_one_rule.fail.sh
-+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/auditctl_one_rule.fail.sh
-@@ -2,5 +2,5 @@
- # remediation = bash
- # platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8
- 
--echo "-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -k privileged" >> /etc/audit/audit.rules
-+echo "-a always,exit -F path=/usr/bin/sudo -F auid>=1000 -F auid!=unset -k privileged" >> /etc/audit/audit.rules
- sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service
-diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/auditctl_rules_with_perm_x.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/auditctl_rules_with_perm_x.fail.sh
-new file mode 100644
-index 0000000000..0ba1cfb201
---- /dev/null
-+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/auditctl_rules_with_perm_x.fail.sh
-@@ -0,0 +1,7 @@
-+#!/bin/bash
-+# remediation = bash
-+# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8
-+
-+./generate_privileged_commands_rule.sh 1000 privileged /etc/audit/audit.rules
-+sed -i -E 's/^(.*path=[[:graph:]]+ )(.*$)/\1-F perm=x \2/' /etc/audit/audit.rules
-+sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service
-diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_one_rule.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_one_rule.fail.sh
-index 0388acc598..ff78e3de3f 100644
---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_one_rule.fail.sh
-+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_one_rule.fail.sh
-@@ -3,4 +3,4 @@
- # platform = Fedora,Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8
- 
- mkdir -p /etc/audit/rules.d
--echo "-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -k privileged" >> /etc/audit/rules.d/privileged.rules
-+echo "-a always,exit -F path=/usr/bin/sudo -F auid>=1000 -F auid!=unset -F key=privileged" >> /etc/audit/rules.d/privileged.rules
-diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_rules_with_perm_x.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_rules_with_perm_x.fail.sh
-new file mode 100644
-index 0000000000..473d8a0b86
---- /dev/null
-+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_rules_with_perm_x.fail.sh
-@@ -0,0 +1,8 @@
-+#!/bin/bash
-+# remediation = bash
-+# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8
-+
-+mkdir -p /etc/audit/rules.d
-+./generate_privileged_commands_rule.sh 1000 privileged /etc/audit/rules.d/privileged.rules
-+sed -i -E 's/^(.*path=[[:graph:]]+ )(.*$)/\1-F perm=x \2/' /etc/audit/rules.d/privileged.rules
-+
-diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_two_rules_mixed_keys.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_two_rules_mixed_keys.fail.sh
-index 1119dfaf35..8c7f04794c 100644
---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_two_rules_mixed_keys.fail.sh
-+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_two_rules_mixed_keys.fail.sh
-@@ -3,5 +3,5 @@
- # platform = Fedora,Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8
- 
- mkdir -p /etc/audit/rules.d
--echo "-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -k privileged" >> /etc/audit/rules.d/privileged.rules
--echo "-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged" >> /etc/audit/rules.d/privileged.rules
-+echo "-a always,exit -F path=/usr/bin/newgrp -F auid>=1000 -F auid!=unset -k privileged" >> /etc/audit/rules.d/privileged.rules
-+echo "-a always,exit -F path=/usr/bin/passwd -F auid>=1000 -F auid!=unset -F key=privileged" >> /etc/audit/rules.d/privileged.rules
-diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_two_rules_sep_files.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_two_rules_sep_files.fail.sh
-index 992d66ed27..b7258fe027 100644
---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_two_rules_sep_files.fail.sh
-+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/augenrules_two_rules_sep_files.fail.sh
-@@ -3,5 +3,5 @@
- # platform = Fedora,Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8
- 
- mkdir -p /etc/audit/rules.d
--echo "-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -k privileged" >> /etc/audit/rules.d/priv.rules
--echo "-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged" >> /etc/audit/rules.d/privileged.rules
-+echo "-a always,exit -F path=/usr/bin/newgrp -F auid>=1000 -F auid!=unset -F key=privileged" >> /etc/audit/rules.d/priv.rules
-+echo "-a always,exit -F path=/usr/bin/passwd -F auid>=1000 -F auid!=unset -F key=privileged" >> /etc/audit/rules.d/privileged.rules
-diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/generate_privileged_commands_rule.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/generate_privileged_commands_rule.sh
-index 9dc0cd1ce2..ee4b678d6c 100755
---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/generate_privileged_commands_rule.sh
-+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/tests/generate_privileged_commands_rule.sh
-@@ -4,5 +4,5 @@ AUID=$1
- KEY=$2
- RULEPATH=$3
- for file in $(find / -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null); do
--     echo "-a always,exit -F path=$file -F perm=x -F auid>=$AUID -F auid!=unset -k $KEY" >> $RULEPATH
-+     echo "-a always,exit -F path=$file -F auid>=$AUID -F auid!=unset -k $KEY" >> $RULEPATH
- done
-
-From e64e9228aadaddf8583a8ebf324d461410ca7197 Mon Sep 17 00:00:00 2001
-From: Vojtech Polasek <vpolasek@redhat.com>
-Date: Fri, 23 Oct 2020 14:55:41 +0200
-Subject: [PATCH 06/10] fix remediation
-
----
- .../perform_audit_rules_privileged_commands_remediation.sh     | 3 +--
- 1 file changed, 1 insertion(+), 2 deletions(-)
-
-diff --git a/shared/bash_remediation_functions/perform_audit_rules_privileged_commands_remediation.sh b/shared/bash_remediation_functions/perform_audit_rules_privileged_commands_remediation.sh
-index ff76b250f0..4e8aa1740d 100644
---- a/shared/bash_remediation_functions/perform_audit_rules_privileged_commands_remediation.sh
-+++ b/shared/bash_remediation_functions/perform_audit_rules_privileged_commands_remediation.sh
-@@ -103,13 +103,12 @@ do
- 		base_search=$(sed -e '/-a always,exit/!d' -e '/-F path='"${sbinary_esc}"'[^[:graph:]]/!d'		\
- 				-e '/-F path=[^[:space:]]\+/!d'						\
- 				-e '/-F auid>='"${min_auid}"'/!d' -e '/-F auid!=\(4294967295\|unset\)/!d'	\
-+				-e '/-F perm=[rwxa]\+/d' \
- 				-e '/-k \|-F key=/!d' "$afile")
- 
- 		# Increase the count of inspected files for this sbinary
- 		count_of_inspected_files=$((count_of_inspected_files + 1))
- 
--		# Require execute access type to be set for existing audit rule
--		exec_access='x'
- 
- 		# Search current audit rules file's content for presence of rule pattern for this sbinary
- 		if [[ $base_search ]]
-
-From d1ddd29ad33fcdc74c6201fe67c9ca1aa7f152f6 Mon Sep 17 00:00:00 2001
-From: Vojtech Polasek <vpolasek@redhat.com>
-Date: Fri, 23 Oct 2020 14:55:55 +0200
-Subject: [PATCH 07/10] change rule description
-
----
- .../audit_rules_privileged_commands/rule.yml                  | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/rule.yml
-index 9bc45ba933..e597e49527 100644
---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/rule.yml
-+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/rule.yml
-@@ -3,8 +3,8 @@ documentation_complete: true
- title: 'Ensure auditd Collects Information on the Use of Privileged Commands'
- 
- description: |-
--    At a minimum, the audit system should collect the execution of
--    privileged commands for all users and root. To find the relevant setuid /
-+    The audit system should collect information about usage of privileged
-+    commands for all users and root. To find the relevant setuid /
-     setgid programs, run the following command for each local partition
-     <i>PART</i>:
-     <pre>$ sudo find <i>PART</i> -xdev -type f -perm -4000 -o -type f -perm -2000 2&gt;/dev/null</pre>
-
-From 51db8d7b8260f7b0c89f99b6d2e6780ae08de74a Mon Sep 17 00:00:00 2001
-From: Vojtech Polasek <vpolasek@redhat.com>
-Date: Fri, 30 Oct 2020 13:48:57 +0100
-Subject: [PATCH 08/10] modify bash remediation to better handle rules with
- perm flag
-
----
- ...t_rules_privileged_commands_remediation.sh | 19 +++++++++++++++++--
- 1 file changed, 17 insertions(+), 2 deletions(-)
-
-diff --git a/shared/bash_remediation_functions/perform_audit_rules_privileged_commands_remediation.sh b/shared/bash_remediation_functions/perform_audit_rules_privileged_commands_remediation.sh
-index 4e8aa1740d..11e2f9fdd7 100644
---- a/shared/bash_remediation_functions/perform_audit_rules_privileged_commands_remediation.sh
-+++ b/shared/bash_remediation_functions/perform_audit_rules_privileged_commands_remediation.sh
-@@ -103,7 +103,6 @@ do
- 		base_search=$(sed -e '/-a always,exit/!d' -e '/-F path='"${sbinary_esc}"'[^[:graph:]]/!d'		\
- 				-e '/-F path=[^[:space:]]\+/!d'						\
- 				-e '/-F auid>='"${min_auid}"'/!d' -e '/-F auid!=\(4294967295\|unset\)/!d'	\
--				-e '/-F perm=[rwxa]\+/d' \
- 				-e '/-k \|-F key=/!d' "$afile")
- 
- 		# Increase the count of inspected files for this sbinary
-@@ -123,10 +122,26 @@ do
- 			readarray -t handled_sbinaries < <(grep -o -e "-F path=[^[:space:]]\+" <<< "$concrete_rule")
- 			handled_sbinaries=("${handled_sbinaries[@]//-F path=/}")
- 
--			# Merge the list of such SUID/SGID binaries found in this iteration with global list ignoring duplicates
-+		# 		Merge the list of such SUID/SGID binaries found in this iteration with global list ignoring duplicates
- 			readarray -t sbinaries_to_skip < <(for i in "${sbinaries_to_skip[@]}" "${handled_sbinaries[@]}"; do echo "$i"; done | sort -du)
- 
-+			# if there is aa -F perm flag, remove it
-+			if grep -q '.*-F\s\+perm=[rwxa]\+.*' <<< "$concrete_rule"; then
- 
-+				# Separate concrete_rule into three sections using hash '#'
-+				# sign as a delimiter around rule's permission section borders
-+				# note that the trailing space after perm flag is captured because there would be 
-+				# two consecutive spaces after joining remaining parts of the rule together
-+				concrete_rule="$(echo "$concrete_rule" | sed -n "s/\(.*\)\+\(-F perm=[rwax]\+\ \?\)\+/\1#\2#/p")"
-+
-+				# Split concrete_rule into head, perm, and tail sections using hash '#' delimiter
-+				rule_head=$(cut -d '#' -f 1 <<< "$concrete_rule")
-+				rule_perm=$(cut -d '#' -f 2 <<< "$concrete_rule")
-+				rule_tail=$(cut -d '#' -f 3 <<< "$concrete_rule")
-+
-+				# Remove permissions section from existing rule in the file
-+				sed -i "s#${rule_head}\(.*\)${rule_tail}#${rule_head}${rule_tail}#" "$afile"
-+			fi
- 		# If the required audit rule for particular sbinary wasn't found yet, insert it under following conditions:
- 		#
- 		# * in the "auditctl" mode of operation insert particular rule each time
-
-From d2abc07778453eeac47c6bbf4e125bf5d4fdda7d Mon Sep 17 00:00:00 2001
-From: Vojtech Polasek <vpolasek@redhat.com>
-Date: Mon, 2 Nov 2020 09:08:54 +0100
-Subject: [PATCH 09/10] fix typos in comments
-
----
- .../perform_audit_rules_privileged_commands_remediation.sh    | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/shared/bash_remediation_functions/perform_audit_rules_privileged_commands_remediation.sh b/shared/bash_remediation_functions/perform_audit_rules_privileged_commands_remediation.sh
-index 11e2f9fdd7..3ed6f10d86 100644
---- a/shared/bash_remediation_functions/perform_audit_rules_privileged_commands_remediation.sh
-+++ b/shared/bash_remediation_functions/perform_audit_rules_privileged_commands_remediation.sh
-@@ -122,10 +122,10 @@ do
- 			readarray -t handled_sbinaries < <(grep -o -e "-F path=[^[:space:]]\+" <<< "$concrete_rule")
- 			handled_sbinaries=("${handled_sbinaries[@]//-F path=/}")
- 
--		# 		Merge the list of such SUID/SGID binaries found in this iteration with global list ignoring duplicates
-+			# 		Merge the list of such SUID/SGID binaries found in this iteration with global list ignoring duplicates
- 			readarray -t sbinaries_to_skip < <(for i in "${sbinaries_to_skip[@]}" "${handled_sbinaries[@]}"; do echo "$i"; done | sort -du)
- 
--			# if there is aa -F perm flag, remove it
-+			# if there is a -F perm flag, remove it
- 			if grep -q '.*-F\s\+perm=[rwxa]\+.*' <<< "$concrete_rule"; then
- 
- 				# Separate concrete_rule into three sections using hash '#'
-
-From 520c95a89c9c530a81e452fa7b4b4b4e5344e381 Mon Sep 17 00:00:00 2001
-From: vojtapolasek <krecoun@gmail.com>
-Date: Mon, 2 Nov 2020 09:52:53 +0100
-Subject: [PATCH 10/10] Update
- shared/bash_remediation_functions/perform_audit_rules_privileged_commands_remediation.sh
-
-Co-authored-by: Watson Yuuma Sato <wsato@redhat.com>
----
- .../perform_audit_rules_privileged_commands_remediation.sh      | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/shared/bash_remediation_functions/perform_audit_rules_privileged_commands_remediation.sh b/shared/bash_remediation_functions/perform_audit_rules_privileged_commands_remediation.sh
-index 3ed6f10d86..532faeacef 100644
---- a/shared/bash_remediation_functions/perform_audit_rules_privileged_commands_remediation.sh
-+++ b/shared/bash_remediation_functions/perform_audit_rules_privileged_commands_remediation.sh
-@@ -122,7 +122,7 @@ do
- 			readarray -t handled_sbinaries < <(grep -o -e "-F path=[^[:space:]]\+" <<< "$concrete_rule")
- 			handled_sbinaries=("${handled_sbinaries[@]//-F path=/}")
- 
--			# 		Merge the list of such SUID/SGID binaries found in this iteration with global list ignoring duplicates
-+			# Merge the list of such SUID/SGID binaries found in this iteration with global list ignoring duplicates
- 			readarray -t sbinaries_to_skip < <(for i in "${sbinaries_to_skip[@]}" "${handled_sbinaries[@]}"; do echo "$i"; done | sort -du)
- 
- 			# if there is a -F perm flag, remove it
diff --git a/SOURCES/scap-security-guide-0.1.53-fix_efi_grub_rule-PR_6276.patch b/SOURCES/scap-security-guide-0.1.53-fix_efi_grub_rule-PR_6276.patch
deleted file mode 100644
index 9e27342..0000000
--- a/SOURCES/scap-security-guide-0.1.53-fix_efi_grub_rule-PR_6276.patch
+++ /dev/null
@@ -1,155 +0,0 @@
-From 30ad9f95ef5256fea1844d2240b19eb2d717ee4e Mon Sep 17 00:00:00 2001
-From: Gabriel Becker <ggasparb@redhat.com>
-Date: Mon, 19 Oct 2020 16:34:06 +0200
-Subject: [PATCH 1/3] Remove extra single quote from OVAL macros.
-
----
- shared/macros-oval.jinja | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/shared/macros-oval.jinja b/shared/macros-oval.jinja
-index 47033bedbe..5ea97c7537 100644
---- a/shared/macros-oval.jinja
-+++ b/shared/macros-oval.jinja
-@@ -25,7 +25,7 @@
- {{%- endif -%}}
- <def-group>
-   <definition class="compliance" id="{{{ rule_id }}}" version="1">
--    {{{ oval_metadata("Ensure '" + parameter + "' is configured with value '" + value | replace("(?i)", "") | replace("(?-i)", "") + (" in section '" + section if section else "") + "' in '" + path) }}}
-+    {{{ oval_metadata("Ensure '" + parameter + "' is configured with value '" + value | replace("(?i)", "") | replace("(?-i)", "") + (" in section '" + section if section else "") + "' in " + path) }}}
-     {{%- if missing_config_file_fail %}}
-     <criteria comment="{{{ application }}} is configured correctly and configuration file exists"
-     operator="AND">
-
-From 973a52024c21c3c2a97e8f159e53849eadc11285 Mon Sep 17 00:00:00 2001
-From: Gabriel Becker <ggasparb@redhat.com>
-Date: Mon, 19 Oct 2020 16:50:39 +0200
-Subject: [PATCH 2/3] Create custom OVAL check for uefi_no_removeable_media.
-
-Include the extended definition to check if the system is a UEFI system
-or not.
----
- .../uefi_no_removeable_media/oval/shared.xml  | 36 ++++++++++++++++++-
- .../tests/hard_disk_set.pass.sh               | 12 +++++++
- .../tests/removable_media_set.fail.sh         | 12 +++++++
- tests/shared/grub2.sh                         |  6 ++++
- 4 files changed, 65 insertions(+), 1 deletion(-)
- create mode 100644 linux_os/guide/system/bootloader-grub2/uefi_no_removeable_media/tests/hard_disk_set.pass.sh
- create mode 100644 linux_os/guide/system/bootloader-grub2/uefi_no_removeable_media/tests/removable_media_set.fail.sh
-
-diff --git a/linux_os/guide/system/bootloader-grub2/uefi_no_removeable_media/oval/shared.xml b/linux_os/guide/system/bootloader-grub2/uefi_no_removeable_media/oval/shared.xml
-index fd482a3d9d..44e54538c8 100644
---- a/linux_os/guide/system/bootloader-grub2/uefi_no_removeable_media/oval/shared.xml
-+++ b/linux_os/guide/system/bootloader-grub2/uefi_no_removeable_media/oval/shared.xml
-@@ -1 +1,35 @@
--{{{ oval_check_config_file(path='/boot/efi/EFI/redhat/grub.cfg', prefix_regex='^[ \\t]*', parameter='set root', separator_regex='=', value="'(?!fd)(?!cd)(?!usb).*'", missing_parameter_pass=false, missing_config_file_fail=true) }}}
-+{{% if product == "fedora" %}}
-+{{% set grub_cfg_prefix = "/boot/efi/EFI/fedora" %}}
-+{{% else %}}
-+{{% set grub_cfg_prefix = "/boot/efi/EFI/redhat" %}}
-+{{% endif %}}
-+
-+<def-group>
-+  <definition class="compliance" id="uefi_no_removeable_media" version="1">
-+    {{{ oval_metadata("Ensure 'set root' is configured with value '(?!fd)(?!cd)(?!usb).*' in /boot/efi/EFI/redhat/grub.cfg") }}}
-+    <criteria comment="The respective application or service is configured correctly or system boot mode is not UEFI" operator="OR">
-+      <extend_definition definition_ref="system_boot_mode_is_uefi" negate="true" comment="Pass if system boot mode is not UEFI" />
-+      <criterion comment="Check the set root in {{{ grub_cfg_prefix + "/grub.cfg" }}}" test_ref="test_uefi_no_removeable_media" />
-+      {{{ oval_file_absent_criterion(grub_cfg_prefix + "/grub.cfg") }}}
-+    </criteria>
-+  </definition>
-+
-+  <ind:textfilecontent54_test check="all" check_existence="all_exist"
-+  comment="tests the value of set root setting in the {{{ grub_cfg_prefix + "/grub.cfg" }}} file"
-+  id="test_uefi_no_removeable_media" version="1">
-+  <ind:object object_ref="obj_uefi_no_removeable_media" />
-+  <ind:state state_ref="state_uefi_no_removeable_media" />
-+  </ind:textfilecontent54_test>
-+
-+  <ind:textfilecontent54_object id="obj_uefi_no_removeable_media" version="1">
-+    <ind:filepath>{{{ grub_cfg_prefix + "/grub.cfg" }}}</ind:filepath>
-+    <ind:pattern operation="pattern match">^[ \t]*set root=(.+?)[ \t]*(?:$|#)</ind:pattern>
-+    <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
-+  </ind:textfilecontent54_object>
-+
-+  <ind:textfilecontent54_state id="state_uefi_no_removeable_media" version="1">
-+    <ind:subexpression datatype="string" operation="pattern match">^'(?!fd)(?!cd)(?!usb).*'$</ind:subexpression>
-+  </ind:textfilecontent54_state>
-+
-+  {{{ oval_file_absent(grub_cfg_prefix + "/grub.cfg") }}}
-+</def-group>
-diff --git a/linux_os/guide/system/bootloader-grub2/uefi_no_removeable_media/tests/hard_disk_set.pass.sh b/linux_os/guide/system/bootloader-grub2/uefi_no_removeable_media/tests/hard_disk_set.pass.sh
-new file mode 100644
-index 0000000000..afe131c417
---- /dev/null
-+++ b/linux_os/guide/system/bootloader-grub2/uefi_no_removeable_media/tests/hard_disk_set.pass.sh
-@@ -0,0 +1,12 @@
-+#!/bin/bash
-+
-+# remediation = none
-+
-+. $SHARED/grub2.sh
-+
-+set_grub_uefi_root
-+
-+# make the check applicable since it tries to detect this directory first
-+# mkdir -p /sys/firmware/efi
-+
-+set_root_unquoted "'hd0,msdos1'"
-diff --git a/linux_os/guide/system/bootloader-grub2/uefi_no_removeable_media/tests/removable_media_set.fail.sh b/linux_os/guide/system/bootloader-grub2/uefi_no_removeable_media/tests/removable_media_set.fail.sh
-new file mode 100644
-index 0000000000..92499094c1
---- /dev/null
-+++ b/linux_os/guide/system/bootloader-grub2/uefi_no_removeable_media/tests/removable_media_set.fail.sh
-@@ -0,0 +1,12 @@
-+#!/bin/bash
-+
-+# remediation = none
-+
-+. $SHARED/grub2.sh
-+
-+set_grub_uefi_root
-+
-+# make the check applicable since it tries to detect this directory first
-+# mkdir -p /sys/firmware/efi
-+
-+set_root_unquoted "'usb0,msdos1'"
-diff --git a/tests/shared/grub2.sh b/tests/shared/grub2.sh
-index ce1943349e..bce7683a7c 100644
---- a/tests/shared/grub2.sh
-+++ b/tests/shared/grub2.sh
-@@ -25,3 +25,9 @@ function set_superusers_unquoted {
- 	mkdir -p "$GRUB_CFG_ROOT"
- 	echo "set superusers=$1" > "$GRUB_CFG_ROOT/grub.cfg"
- }
-+
-+
-+function set_root_unquoted {
-+	mkdir -p "$GRUB_CFG_ROOT"
-+	echo "set root=$1" > "$GRUB_CFG_ROOT/grub.cfg"
-+}
-
-From fc2b030015317ad465b9dd8c9d9e9714de9c8ac8 Mon Sep 17 00:00:00 2001
-From: Gabriel Becker <ggasparb@redhat.com>
-Date: Tue, 20 Oct 2020 16:30:10 +0200
-Subject: [PATCH 3/3] Update
- linux_os/guide/system/bootloader-grub2/uefi_no_removeable_media/oval/shared.xml
-
-Co-authored-by: Gabe Alford <redhatrises@gmail.com>
----
- .../bootloader-grub2/uefi_no_removeable_media/oval/shared.xml   | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/linux_os/guide/system/bootloader-grub2/uefi_no_removeable_media/oval/shared.xml b/linux_os/guide/system/bootloader-grub2/uefi_no_removeable_media/oval/shared.xml
-index 44e54538c8..5ae57cbfa6 100644
---- a/linux_os/guide/system/bootloader-grub2/uefi_no_removeable_media/oval/shared.xml
-+++ b/linux_os/guide/system/bootloader-grub2/uefi_no_removeable_media/oval/shared.xml
-@@ -6,7 +6,7 @@
- 
- <def-group>
-   <definition class="compliance" id="uefi_no_removeable_media" version="1">
--    {{{ oval_metadata("Ensure 'set root' is configured with value '(?!fd)(?!cd)(?!usb).*' in /boot/efi/EFI/redhat/grub.cfg") }}}
-+    {{{ oval_metadata("Ensure the system is not configured to use a boot loader on removable media.") }}}
-     <criteria comment="The respective application or service is configured correctly or system boot mode is not UEFI" operator="OR">
-       <extend_definition definition_ref="system_boot_mode_is_uefi" negate="true" comment="Pass if system boot mode is not UEFI" />
-       <criterion comment="Check the set root in {{{ grub_cfg_prefix + "/grub.cfg" }}}" test_ref="test_uefi_no_removeable_media" />
diff --git a/SOURCES/scap-security-guide-0.1.53-fix_emtpy_wrapping-PR_6173.patch b/SOURCES/scap-security-guide-0.1.53-fix_emtpy_wrapping-PR_6173.patch
deleted file mode 100644
index 45a1d9d..0000000
--- a/SOURCES/scap-security-guide-0.1.53-fix_emtpy_wrapping-PR_6173.patch
+++ /dev/null
@@ -1,49 +0,0 @@
-From 2dfde081b297f42690e10a0d9e550f5819ec2df2 Mon Sep 17 00:00:00 2001
-From: Watson Sato <wsato@redhat.com>
-Date: Fri, 9 Oct 2020 09:30:35 +0200
-Subject: [PATCH] Do not platform wrap empty Bash remediation
-
-The fix text for a rule can end up empty if a Jinja macro or conditional
-doesn't render any text.
-In these cases, avoid wrapping empty lines in an if-else, as this causes
-syntax error.
----
- ssg/build_remediations.py | 15 +++++++++------
- 1 file changed, 9 insertions(+), 6 deletions(-)
-
-diff --git a/ssg/build_remediations.py b/ssg/build_remediations.py
-index f269d4d2d6..572db61701 100644
---- a/ssg/build_remediations.py
-+++ b/ssg/build_remediations.py
-@@ -273,6 +273,13 @@ def parse_from_file_with_jinja(self, env_yaml):
-         self.local_env_yaml.update(env_yaml)
-         result = super(BashRemediation, self).parse_from_file_with_jinja(self.local_env_yaml)
- 
-+        # Avoid platform wrapping empty fix text
-+        # Remediations can be empty when a Jinja macro or conditional
-+        # renders no fix text for a product
-+        stripped_fix_text = result.contents.strip()
-+        if stripped_fix_text == "":
-+            return result
-+
-         rule_platforms = set()
-         if self.associated_rule:
-             # There can be repeated inherited platforms and rule platforms
-@@ -301,15 +308,11 @@ def parse_from_file_with_jinja(self, env_yaml):
- 
-             all_conditions = " && ".join(platform_conditionals)
-             wrapped_fix_text.append("if {0}; then".format(all_conditions))
--
--            # Avoid adding extra blank line
--            if not result.contents.startswith("\n"):
--                wrapped_fix_text.append("")
--
-+            wrapped_fix_text.append("")
-             # It is possible to indent the original body of the remediation with textwrap.indent(),
-             # however, it is not supported by python2, and there is a risk of breaking remediations
-             # For example, remediations with a here-doc block could be affected.
--            wrapped_fix_text.append("{0}".format(result.contents))
-+            wrapped_fix_text.append("{0}".format(stripped_fix_text))
-             wrapped_fix_text.append("")
-             wrapped_fix_text.append("else")
-             wrapped_fix_text.append("    >&2 echo 'Remediation is not applicable, nothing was done'")
diff --git a/SOURCES/scap-security-guide-0.1.53-fix_platform_bash_shellcheck_warning-PR_6184.patch b/SOURCES/scap-security-guide-0.1.53-fix_platform_bash_shellcheck_warning-PR_6184.patch
deleted file mode 100644
index ffcb6f4..0000000
--- a/SOURCES/scap-security-guide-0.1.53-fix_platform_bash_shellcheck_warning-PR_6184.patch
+++ /dev/null
@@ -1,23 +0,0 @@
-From 4e05806826cc0a5797e6ff50e6a953ae15607c03 Mon Sep 17 00:00:00 2001
-From: Watson Sato <wsato@redhat.com>
-Date: Mon, 12 Oct 2020 14:22:02 +0200
-Subject: [PATCH] Improve Bash machine platform check
-
-Fix ShellCheck warning SC2166, "-a" syntax is error prone.
----
- ssg/build_remediations.py | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/ssg/build_remediations.py b/ssg/build_remediations.py
-index 572db61701..6759b6c963 100644
---- a/ssg/build_remediations.py
-+++ b/ssg/build_remediations.py
-@@ -290,7 +290,7 @@ def parse_from_file_with_jinja(self, env_yaml):
-         for platform in rule_platforms:
-             if platform == "machine":
-                 # Based on check installed_env_is_a_container
--                platform_conditionals.append('[ ! -f /.dockerenv -a ! -f /run/.containerenv ]')
-+                platform_conditionals.append('[ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]')
-             elif platform is not None:
-                 # Assume any other platform is a Package CPE
- 
diff --git a/SOURCES/scap-security-guide-0.1.53-fix_scap_val-PR_6166.patch b/SOURCES/scap-security-guide-0.1.53-fix_scap_val-PR_6166.patch
deleted file mode 100644
index 443140e..0000000
--- a/SOURCES/scap-security-guide-0.1.53-fix_scap_val-PR_6166.patch
+++ /dev/null
@@ -1,52 +0,0 @@
-From 7843a356be24c8b5c3cb148658d0420988dc3f9c Mon Sep 17 00:00:00 2001
-From: Gabriel Becker <ggasparb@redhat.com>
-Date: Thu, 8 Oct 2020 11:02:55 +0200
-Subject: [PATCH] Remove platform net-snmp from the group and use it in
- individual rules.
-
----
- linux_os/guide/services/snmp/snmp_configure_server/group.yml    | 1 -
- .../snmp/snmp_configure_server/snmpd_no_rwusers/rule.yml        | 2 ++
- .../snmp_configure_server/snmpd_not_default_password/rule.yml   | 2 ++
- .../snmp_configure_server/snmpd_use_newer_protocol/rule.yml     | 2 ++
- 4 files changed, 6 insertions(+), 1 deletion(-)
-
-diff --git a/linux_os/guide/services/snmp/snmp_configure_server/group.yml b/linux_os/guide/services/snmp/snmp_configure_server/group.yml
-index 8052ade2f6..c5a3fd75a1 100644
---- a/linux_os/guide/services/snmp/snmp_configure_server/group.yml
-+++ b/linux_os/guide/services/snmp/snmp_configure_server/group.yml
-@@ -18,4 +18,3 @@ description: |-
-     <li>ensure that permissions on the <tt>snmpd.conf</tt> configuration file (by default, in <tt>/etc/snmp</tt>) are 640 or more restrictive</li>
-     <li>ensure that any MIB files' permissions are also 640 or more restrictive</li></ul>
- 
--platform: net-snmp
-diff --git a/linux_os/guide/services/snmp/snmp_configure_server/snmpd_no_rwusers/rule.yml b/linux_os/guide/services/snmp/snmp_configure_server/snmpd_no_rwusers/rule.yml
-index 6bf32ef62e..e50eaa9f4e 100644
---- a/linux_os/guide/services/snmp/snmp_configure_server/snmpd_no_rwusers/rule.yml
-+++ b/linux_os/guide/services/snmp/snmp_configure_server/snmpd_no_rwusers/rule.yml
-@@ -27,3 +27,5 @@ ocil: |-
-     To ensure there are no read-write users, run the following command:
-     <pre>$ sudo grep -v "^#" /etc/snmp/snmpd.conf| grep 'rwuser'</pre>
-     There should be no output.
-+
-+platform: net-snmp
-diff --git a/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/rule.yml b/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/rule.yml
-index 72d2495713..43c6c38b70 100644
---- a/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/rule.yml
-+++ b/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/rule.yml
-@@ -45,3 +45,5 @@ ocil: |-
-     To ensure the default password is not set, run the following command:
-     <pre>$ sudo grep -v "^#" /etc/snmp/snmpd.conf| grep -E 'public|private'</pre>
-     There should be no output.
-+
-+platform: net-snmp
-diff --git a/linux_os/guide/services/snmp/snmp_configure_server/snmpd_use_newer_protocol/rule.yml b/linux_os/guide/services/snmp/snmp_configure_server/snmpd_use_newer_protocol/rule.yml
-index d10939d2e9..e128d64390 100644
---- a/linux_os/guide/services/snmp/snmp_configure_server/snmpd_use_newer_protocol/rule.yml
-+++ b/linux_os/guide/services/snmp/snmp_configure_server/snmpd_use_newer_protocol/rule.yml
-@@ -30,3 +30,5 @@ ocil: |-
-     To ensure only SNMPv3 or newer is used, run the following command:
-     <pre>$ sudo grep 'rocommunity\|rwcommunity\|com2sec' /etc/snmp/snmpd.conf | grep -v "^#"</pre>
-     There should be no output.
-+
-+platform: net-snmp
diff --git a/SOURCES/scap-security-guide-0.1.53-fix_severity_stig-PR_6110.patch b/SOURCES/scap-security-guide-0.1.53-fix_severity_stig-PR_6110.patch
deleted file mode 100644
index a0a8a6d..0000000
--- a/SOURCES/scap-security-guide-0.1.53-fix_severity_stig-PR_6110.patch
+++ /dev/null
@@ -1,266 +0,0 @@
-From 147ad40e23d8bd1c839baa001105c659e732c7cd Mon Sep 17 00:00:00 2001
-From: Gabriel Becker <ggasparb@redhat.com>
-Date: Mon, 21 Sep 2020 15:30:47 +0200
-Subject: [PATCH 1/4] Fix severity of RHEL 7 STIG rules.
-
----
- rhel7/profiles/stig.profile | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/rhel7/profiles/stig.profile b/rhel7/profiles/stig.profile
-index b820d30608..57e88de210 100644
---- a/rhel7/profiles/stig.profile
-+++ b/rhel7/profiles/stig.profile
-@@ -104,6 +104,7 @@ selections:
-     - grub2_password
-     - require_singleuser_auth
-     - grub2_uefi_password
-+    - grub2_uefi_password.severity=high
-     - smartcard_auth
-     - package_rsh-server_removed
-     - package_ypserv_removed
-@@ -157,6 +158,7 @@ selections:
-     - grub2_enable_fips_mode
-     - aide_verify_acls
-     - aide_verify_ext_attributes
-+    - aide_verify_ext_attributes.severity=low
-     - aide_use_fips_hashes
-     - grub2_no_removeable_media
-     - uefi_no_removeable_media
-@@ -297,6 +299,9 @@ selections:
-     - sysctl_net_ipv4_conf_all_accept_redirects
-     - wireless_disable_interfaces
-     - mount_option_dev_shm_nodev
-+    - mount_option_dev_shm_nodev.severity=low
-     - mount_option_dev_shm_noexec
-+    - mount_option_dev_shm_noexec.severity=low
-     - mount_option_dev_shm_nosuid
-+    - mount_option_dev_shm_nosuid.severity=low
-     - audit_rules_privileged_commands_mount
-
-From 1e6ae626c138106ec8884f0863b09d0e628ae68f Mon Sep 17 00:00:00 2001
-From: Gabriel Becker <ggasparb@redhat.com>
-Date: Mon, 21 Sep 2020 15:44:44 +0200
-Subject: [PATCH 2/4] Revert severity of some rules and refine on a profile
- basis.
-
-These rules had been previously severity mappings from NIST 800-53 and
-we should keep them as they were and refine as needed on the profile
-level.
----
- .../ftp/disabling_vsftpd/package_vsftpd_removed/rule.yml        | 2 +-
- .../accounts-session/accounts_logon_fail_delay/rule.yml         | 2 +-
- rhel7/profiles/stig.profile                                     | 2 ++
- 3 files changed, 4 insertions(+), 2 deletions(-)
-
-diff --git a/linux_os/guide/services/ftp/disabling_vsftpd/package_vsftpd_removed/rule.yml b/linux_os/guide/services/ftp/disabling_vsftpd/package_vsftpd_removed/rule.yml
-index 95e11e5787..2ead6f7896 100644
---- a/linux_os/guide/services/ftp/disabling_vsftpd/package_vsftpd_removed/rule.yml
-+++ b/linux_os/guide/services/ftp/disabling_vsftpd/package_vsftpd_removed/rule.yml
-@@ -10,7 +10,7 @@ rationale: |-
-     Removing the <tt>vsftpd</tt> package decreases the risk of its
-     accidental activation.
- 
--severity: high
-+severity: low
- 
- identifiers:
-     cce@rhel6: CCE-26687-4
-diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/rule.yml
-index 08f81100f4..bb7c17108a 100644
---- a/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/rule.yml
-+++ b/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/rule.yml
-@@ -11,7 +11,7 @@ rationale: |-
-     Increasing the time between a failed authentication attempt and re-prompting to
-     enter credentials helps to slow a single-threaded brute force attack.
- 
--severity: medium
-+severity: low
- 
- identifiers:
-     cce@rhel7: CCE-80352-8
-diff --git a/rhel7/profiles/stig.profile b/rhel7/profiles/stig.profile
-index 57e88de210..f3f94a66ba 100644
---- a/rhel7/profiles/stig.profile
-+++ b/rhel7/profiles/stig.profile
-@@ -97,6 +97,7 @@ selections:
-     - sudo_remove_nopasswd
-     - sudo_remove_no_authenticate
-     - accounts_logon_fail_delay
-+    - accounts_logon_fail_delay.severity=medium
-     - gnome_gdm_disable_automatic_login
-     - gnome_gdm_disable_guest_login
-     - sshd_do_not_permit_user_env
-@@ -274,6 +275,7 @@ selections:
-     - network_sniffer_disabled
-     - postfix_prevent_unrestricted_relay
-     - package_vsftpd_removed
-+    - package_vsftpd_removed.severity=high
-     - package_tftp-server_removed
-     - sshd_enable_x11_forwarding
-     - tftpd_uses_secure_mode
-
-From 4dcb7e0cfe8a59f7490e4eb4da18acc3a96e06a5 Mon Sep 17 00:00:00 2001
-From: Gabriel Becker <ggasparb@redhat.com>
-Date: Fri, 2 Oct 2020 17:18:19 +0200
-Subject: [PATCH 3/4] Revert to previous severity since what's in the STIG
- takes precedence.
-
----
- .../ftp/disabling_vsftpd/package_vsftpd_removed/rule.yml        | 2 +-
- .../accounts-session/accounts_logon_fail_delay/rule.yml         | 2 +-
- 2 files changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/linux_os/guide/services/ftp/disabling_vsftpd/package_vsftpd_removed/rule.yml b/linux_os/guide/services/ftp/disabling_vsftpd/package_vsftpd_removed/rule.yml
-index 2ead6f7896..95e11e5787 100644
---- a/linux_os/guide/services/ftp/disabling_vsftpd/package_vsftpd_removed/rule.yml
-+++ b/linux_os/guide/services/ftp/disabling_vsftpd/package_vsftpd_removed/rule.yml
-@@ -10,7 +10,7 @@ rationale: |-
-     Removing the <tt>vsftpd</tt> package decreases the risk of its
-     accidental activation.
- 
--severity: low
-+severity: high
- 
- identifiers:
-     cce@rhel6: CCE-26687-4
-diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/rule.yml
-index bb7c17108a..08f81100f4 100644
---- a/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/rule.yml
-+++ b/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/rule.yml
-@@ -11,7 +11,7 @@ rationale: |-
-     Increasing the time between a failed authentication attempt and re-prompting to
-     enter credentials helps to slow a single-threaded brute force attack.
- 
--severity: low
-+severity: medium
- 
- identifiers:
-     cce@rhel7: CCE-80352-8
-
-From 0da43ce6d4758a540ba3276a8c51819be643f709 Mon Sep 17 00:00:00 2001
-From: Gabriel Becker <ggasparb@redhat.com>
-Date: Fri, 2 Oct 2020 17:38:03 +0200
-Subject: [PATCH 4/4] Remove severity refinement from profile and change on a
- rule level.
-
----
- .../system/bootloader-grub2/grub2_uefi_password/rule.yml   | 2 +-
- .../partitions/mount_option_dev_shm_nodev/rule.yml         | 2 +-
- .../partitions/mount_option_dev_shm_noexec/rule.yml        | 2 +-
- .../partitions/mount_option_dev_shm_nosuid/rule.yml        | 2 +-
- .../aide/aide_verify_ext_attributes/rule.yml               | 2 +-
- rhel7/profiles/stig.profile                                | 7 -------
- 6 files changed, 5 insertions(+), 12 deletions(-)
-
-diff --git a/linux_os/guide/system/bootloader-grub2/grub2_uefi_password/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_uefi_password/rule.yml
-index e07094177b..0184c601a0 100644
---- a/linux_os/guide/system/bootloader-grub2/grub2_uefi_password/rule.yml
-+++ b/linux_os/guide/system/bootloader-grub2/grub2_uefi_password/rule.yml
-@@ -24,7 +24,7 @@ rationale: |-
-     important bootloader settings. These include which kernel to use,
-     and whether to enter single-user mode.
- 
--severity: medium
-+severity: high
- 
- identifiers:
-     cce@rhel7: CCE-80354-4
-diff --git a/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_nodev/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_nodev/rule.yml
-index 4f01edeebc..4a06fd5f2f 100644
---- a/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_nodev/rule.yml
-+++ b/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_nodev/rule.yml
-@@ -14,7 +14,7 @@ rationale: |-
- 
- {{{ complete_ocil_entry_mount_option("/dev/shm", "nodev") }}}
- 
--severity: medium
-+severity: low
- 
- identifiers:
-     cce@rhel6: CCE-26778-1
-diff --git a/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_noexec/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_noexec/rule.yml
-index 0074e898c6..eaab02ff6d 100644
---- a/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_noexec/rule.yml
-+++ b/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_noexec/rule.yml
-@@ -17,7 +17,7 @@ rationale: |-
- 
- {{{ complete_ocil_entry_mount_option("/dev/shm", "noexec") }}}
- 
--severity: medium
-+severity: low
- 
- identifiers:
-     cce@rhel6: CCE-26622-1
-diff --git a/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_nosuid/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_nosuid/rule.yml
-index e0eabc2a9e..3771bf2451 100644
---- a/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_nosuid/rule.yml
-+++ b/linux_os/guide/system/permissions/partitions/mount_option_dev_shm_nosuid/rule.yml
-@@ -14,7 +14,7 @@ rationale: |-
- 
- {{{ complete_ocil_entry_mount_option("/dev/shm", "nosuid") }}}
- 
--severity: medium
-+severity: low
- 
- identifiers:
-     cce@rhel6: CCE-26486-1
-diff --git a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_ext_attributes/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_ext_attributes/rule.yml
-index 9dba1deca5..2e81a270c5 100644
---- a/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_ext_attributes/rule.yml
-+++ b/linux_os/guide/system/software/integrity/software-integrity/aide/aide_verify_ext_attributes/rule.yml
-@@ -17,7 +17,7 @@ rationale: |-
-     Extended attributes in file systems are used to contain arbitrary data and file metadata
-     with security implications.
- 
--severity: medium
-+severity: low
- 
- identifiers:
-     cce@rhel7: CCE-80376-7
-diff --git a/rhel7/profiles/stig.profile b/rhel7/profiles/stig.profile
-index f3f94a66ba..b820d30608 100644
---- a/rhel7/profiles/stig.profile
-+++ b/rhel7/profiles/stig.profile
-@@ -97,7 +97,6 @@ selections:
-     - sudo_remove_nopasswd
-     - sudo_remove_no_authenticate
-     - accounts_logon_fail_delay
--    - accounts_logon_fail_delay.severity=medium
-     - gnome_gdm_disable_automatic_login
-     - gnome_gdm_disable_guest_login
-     - sshd_do_not_permit_user_env
-@@ -105,7 +104,6 @@ selections:
-     - grub2_password
-     - require_singleuser_auth
-     - grub2_uefi_password
--    - grub2_uefi_password.severity=high
-     - smartcard_auth
-     - package_rsh-server_removed
-     - package_ypserv_removed
-@@ -159,7 +157,6 @@ selections:
-     - grub2_enable_fips_mode
-     - aide_verify_acls
-     - aide_verify_ext_attributes
--    - aide_verify_ext_attributes.severity=low
-     - aide_use_fips_hashes
-     - grub2_no_removeable_media
-     - uefi_no_removeable_media
-@@ -275,7 +272,6 @@ selections:
-     - network_sniffer_disabled
-     - postfix_prevent_unrestricted_relay
-     - package_vsftpd_removed
--    - package_vsftpd_removed.severity=high
-     - package_tftp-server_removed
-     - sshd_enable_x11_forwarding
-     - tftpd_uses_secure_mode
-@@ -301,9 +297,6 @@ selections:
-     - sysctl_net_ipv4_conf_all_accept_redirects
-     - wireless_disable_interfaces
-     - mount_option_dev_shm_nodev
--    - mount_option_dev_shm_nodev.severity=low
-     - mount_option_dev_shm_noexec
--    - mount_option_dev_shm_noexec.severity=low
-     - mount_option_dev_shm_nosuid
--    - mount_option_dev_shm_nosuid.severity=low
-     - audit_rules_privileged_commands_mount
diff --git a/SOURCES/scap-security-guide-0.1.53-fix_srg_mapping_2-PR_6068.patch b/SOURCES/scap-security-guide-0.1.53-fix_srg_mapping_2-PR_6068.patch
deleted file mode 100644
index 90f6a9f..0000000
--- a/SOURCES/scap-security-guide-0.1.53-fix_srg_mapping_2-PR_6068.patch
+++ /dev/null
@@ -1,78 +0,0 @@
-From f18c63f7d5b2da86fab1e6a135d6bb70689f46d6 Mon Sep 17 00:00:00 2001
-From: Gabriel Becker <ggasparb@redhat.com>
-Date: Wed, 9 Sep 2020 17:51:15 +0200
-Subject: [PATCH] Fix SRG mapping of audit rules.
-
----
- .../audit_rules_file_deletion_events_rename/rule.yml            | 2 +-
- .../audit_rules_file_deletion_events_renameat/rule.yml          | 2 +-
- .../audit_rules_file_deletion_events_rmdir/rule.yml             | 2 +-
- .../audit_rules_file_deletion_events_unlink/rule.yml            | 2 +-
- .../audit_rules_file_deletion_events_unlinkat/rule.yml          | 2 +-
- 5 files changed, 5 insertions(+), 5 deletions(-)
-
-diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rename/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rename/rule.yml
-index b8a5922bb6..96794e06bb 100644
---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rename/rule.yml
-+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rename/rule.yml
-@@ -38,7 +38,7 @@ references:
-     nist-csf: DE.AE-3,DE.AE-5,DE.CM-1,DE.CM-3,DE.CM-7,ID.SC-4,PR.AC-3,PR.MA-2,PR.PT-1,PR.PT-4,RS.AN-1,RS.AN-4
-     ospp: FAU_GEN.1.1.c
-     pcidss: Req-10.2.7
--    srg: SRG-OS-000466-GPOS-00210,SRG-OS-000467-GPOS-00210,SRG-OS-000468-GPOS-00212,SRG-OS-000392-GPOS-00172
-+    srg: SRG-OS-000466-GPOS-00210,SRG-OS-000467-GPOS-00211,SRG-OS-000468-GPOS-00212,SRG-OS-000392-GPOS-00172
-     vmmsrg: SRG-OS-000466-VMM-001870,SRG-OS-000468-VMM-001890
-     stigid@rhel7: RHEL-07-030880
-     isa-62443-2013: 'SR 1.13,SR 2.10,SR 2.11,SR 2.12,SR 2.6,SR 2.8,SR 2.9,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.1,SR 6.2,SR 7.1,SR 7.6'
-diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_renameat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_renameat/rule.yml
-index 585f90dfda..dac97d2dc2 100644
---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_renameat/rule.yml
-+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_renameat/rule.yml
-@@ -38,7 +38,7 @@ references:
-     nist-csf: DE.AE-3,DE.AE-5,DE.CM-1,DE.CM-3,DE.CM-7,ID.SC-4,PR.AC-3,PR.MA-2,PR.PT-1,PR.PT-4,RS.AN-1,RS.AN-4
-     ospp: FAU_GEN.1.1.c
-     pcidss: Req-10.2.7
--    srg: SRG-OS-000466-GPOS-00210,SRG-OS-000467-GPOS-00210,SRG-OS-000468-GPOS-00212,SRG-OS-000392-GPOS-00172
-+    srg: SRG-OS-000466-GPOS-00210,SRG-OS-000467-GPOS-00211,SRG-OS-000468-GPOS-00212,SRG-OS-000392-GPOS-00172
-     vmmsrg: SRG-OS-000466-VMM-001870,SRG-OS-000468-VMM-001890
-     stigid@rhel7: RHEL-07-030890
-     isa-62443-2013: 'SR 1.13,SR 2.10,SR 2.11,SR 2.12,SR 2.6,SR 2.8,SR 2.9,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.1,SR 6.2,SR 7.1,SR 7.6'
-diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rmdir/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rmdir/rule.yml
-index da3e3c0fd7..5bc1e04875 100644
---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rmdir/rule.yml
-+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_rmdir/rule.yml
-@@ -38,7 +38,7 @@ references:
-     nist-csf: DE.AE-3,DE.AE-5,DE.CM-1,DE.CM-3,DE.CM-7,ID.SC-4,PR.AC-3,PR.MA-2,PR.PT-1,PR.PT-4,RS.AN-1,RS.AN-4
-     ospp: FAU_GEN.1.1.c
-     pcidss: Req-10.2.7
--    srg: SRG-OS-000466-GPOS-00210,SRG-OS-000467-GPOS-00210,SRG-OS-000468-GPOS-00212,SRG-OS-000392-GPOS-00172
-+    srg: SRG-OS-000466-GPOS-00210,SRG-OS-000467-GPOS-00211,SRG-OS-000468-GPOS-00212,SRG-OS-000392-GPOS-00172
-     vmmsrg: SRG-OS-000466-VMM-001870,SRG-OS-000468-VMM-001890
-     stigid@rhel7: RHEL-07-030900
-     isa-62443-2013: 'SR 1.13,SR 2.10,SR 2.11,SR 2.12,SR 2.6,SR 2.8,SR 2.9,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.1,SR 6.2,SR 7.1,SR 7.6'
-diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlink/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlink/rule.yml
-index c9b1f16d66..0195814776 100644
---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlink/rule.yml
-+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlink/rule.yml
-@@ -38,7 +38,7 @@ references:
-     nist-csf: DE.AE-3,DE.AE-5,DE.CM-1,DE.CM-3,DE.CM-7,ID.SC-4,PR.AC-3,PR.MA-2,PR.PT-1,PR.PT-4,RS.AN-1,RS.AN-4
-     ospp: FAU_GEN.1.1.c
-     pcidss: Req-10.2.7
--    srg: SRG-OS-000466-GPOS-00210,SRG-OS-000467-GPOS-00210,SRG-OS-000468-GPOS-00212,SRG-OS-000392-GPOS-00172
-+    srg: SRG-OS-000466-GPOS-00210,SRG-OS-000467-GPOS-00211,SRG-OS-000468-GPOS-00212,SRG-OS-000392-GPOS-00172
-     vmmsrg: SRG-OS-000466-VMM-001870,SRG-OS-000468-VMM-001890
-     stigid@rhel7: RHEL-07-030910
-     isa-62443-2013: 'SR 1.13,SR 2.10,SR 2.11,SR 2.12,SR 2.6,SR 2.8,SR 2.9,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.1,SR 6.2,SR 7.1,SR 7.6'
-diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlinkat/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlinkat/rule.yml
-index 71ba90c2ce..74360cecaa 100644
---- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlinkat/rule.yml
-+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_file_deletion_events/audit_rules_file_deletion_events_unlinkat/rule.yml
-@@ -38,7 +38,7 @@ references:
-     nist-csf: DE.AE-3,DE.AE-5,DE.CM-1,DE.CM-3,DE.CM-7,ID.SC-4,PR.AC-3,PR.MA-2,PR.PT-1,PR.PT-4,RS.AN-1,RS.AN-4
-     ospp: FAU_GEN.1.1.c
-     pcidss: Req-10.2.7
--    srg: SRG-OS-000466-GPOS-00210,SRG-OS-000467-GPOS-00210,SRG-OS-000468-GPOS-00212,SRG-OS-000392-GPOS-00172
-+    srg: SRG-OS-000466-GPOS-00210,SRG-OS-000467-GPOS-00211,SRG-OS-000468-GPOS-00212,SRG-OS-000392-GPOS-00172
-     vmmsrg: SRG-OS-000466-VMM-001870,SRG-OS-000468-VMM-001890
-     stigid@rhel7: RHEL-07-030920
-     isa-62443-2013: 'SR 1.13,SR 2.10,SR 2.11,SR 2.12,SR 2.6,SR 2.8,SR 2.9,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.1,SR 6.2,SR 7.1,SR 7.6'
diff --git a/SOURCES/scap-security-guide-0.1.53-fix_zipl_package_mapping-PR_6130.patch b/SOURCES/scap-security-guide-0.1.53-fix_zipl_package_mapping-PR_6130.patch
deleted file mode 100644
index fc1fecd..0000000
--- a/SOURCES/scap-security-guide-0.1.53-fix_zipl_package_mapping-PR_6130.patch
+++ /dev/null
@@ -1,22 +0,0 @@
-From 570dc073739e9044b54e872c8368125bccadb704 Mon Sep 17 00:00:00 2001
-From: Watson Sato <wsato@redhat.com>
-Date: Tue, 29 Sep 2020 15:28:02 +0200
-Subject: [PATCH] Fix zIPL package mapping
-
----
- ssg/constants.py | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/ssg/constants.py b/ssg/constants.py
-index 0eca2f4f95..fa6c756ff6 100644
---- a/ssg/constants.py
-+++ b/ssg/constants.py
-@@ -470,7 +470,7 @@
-   "grub2": "grub2-pc",
-   "login_defs": "login",
-   "sssd": "sssd-common",
--  "zipl": "s390x-utils",
-+  "zipl": "s390utils-base",
- }
- 
- # _version_name_map = {
diff --git a/SOURCES/scap-security-guide-0.1.53-handle_non_package_cpes-PR_6292.patch b/SOURCES/scap-security-guide-0.1.53-handle_non_package_cpes-PR_6292.patch
deleted file mode 100644
index 3dade0f..0000000
--- a/SOURCES/scap-security-guide-0.1.53-handle_non_package_cpes-PR_6292.patch
+++ /dev/null
@@ -1,54 +0,0 @@
-From bde4b709e8c3e91a3fd0b3699146ad88a2897ce0 Mon Sep 17 00:00:00 2001
-From: Watson Sato <wsato@redhat.com>
-Date: Thu, 22 Oct 2020 22:20:30 +0200
-Subject: [PATCH] Add workround to skip non package CPEs
-
-Do not add checks for package installed for CPEs that are not related to
-package installed.
----
- ssg/build_remediations.py | 12 ++++++++++++
- ssg/constants.py          |  1 +
- 2 files changed, 13 insertions(+)
-
-diff --git a/ssg/build_remediations.py b/ssg/build_remediations.py
-index 6759b6c963..9c7824560f 100644
---- a/ssg/build_remediations.py
-+++ b/ssg/build_remediations.py
-@@ -298,6 +298,12 @@ def parse_from_file_with_jinja(self, env_yaml):
-                 if platform in self.local_env_yaml["platform_package_overrides"]:
-                     platform = self.local_env_yaml["platform_package_overrides"].get(platform)
- 
-+                    # Workaround for plaforms that are not Package CPEs
-+                    # Skip platforms that are not about packages installed
-+                    # These should be handled in the remediation itself
-+                    if not platform:
-+                        continue
-+
-                 # Adjust package check command according to the pkg_manager
-                 pkg_manager = self.local_env_yaml["pkg_manager"]
-                 pkg_check_command = PKG_MANAGER_TO_PACKAGE_CHECK_COMMAND[pkg_manager]
-@@ -452,6 +458,12 @@ def update_when_from_rule(self, to_update):
-                 if platform in self.local_env_yaml["platform_package_overrides"]:
-                     platform = self.local_env_yaml["platform_package_overrides"].get(platform)
- 
-+                    # Workaround for plaforms that are not Package CPEs
-+                    # Skip platforms that are not about packages installed
-+                    # These should be handled in the remediation itself
-+                    if not platform:
-+                        continue
-+
-                 additional_when.append('"' + platform + '" in ansible_facts.packages')
-                 # After adding the conditional, we need to make sure package_facts are collected.
-                 # This is done via inject_package_facts_task()
-diff --git a/ssg/constants.py b/ssg/constants.py
-index f1b64e6827..c2f72f66df 100644
---- a/ssg/constants.py
-+++ b/ssg/constants.py
-@@ -464,6 +464,7 @@
-   "login_defs": "login",
-   "sssd": "sssd-common",
-   "zipl": "s390utils-base",
-+  "sssd-ldap": None,  # Force package check wrapping skip
- }
- 
- # _version_name_map = {
diff --git a/SOURCES/scap-security-guide-0.1.53-introduce_package_platform_name_overrides-PR_6047.patch b/SOURCES/scap-security-guide-0.1.53-introduce_package_platform_name_overrides-PR_6047.patch
deleted file mode 100644
index 07c698e..0000000
--- a/SOURCES/scap-security-guide-0.1.53-introduce_package_platform_name_overrides-PR_6047.patch
+++ /dev/null
@@ -1,216 +0,0 @@
-From 7c0b04c157374e9251360d1d5e12a9e00dd4375e Mon Sep 17 00:00:00 2001
-From: Watson Sato <wsato@redhat.com>
-Date: Fri, 4 Sep 2020 09:50:54 +0200
-Subject: [PATCH 1/3] Introduce platform_package_overrides
-
-Introduce a mapping of CPE package platform name to a package name.
-
-Each linux distro or version may have its specific name for a package,
-this mapping allows a product to override the package name of a
-platorm.
-
-By default, it assumes that the package name will be the same as the
-platform name.
----
- rhel8/product.yml         | 7 +++++++
- ssg/build_remediations.py | 3 +++
- 2 files changed, 10 insertions(+)
-
-diff --git a/rhel8/product.yml b/rhel8/product.yml
-index 6cdc51919e..6b5b4e2748 100644
---- a/rhel8/product.yml
-+++ b/rhel8/product.yml
-@@ -18,3 +18,10 @@ aux_pkg_version: "d4082792"
- 
- release_key_fingerprint: "567E347AD0044ADE55BA8A5F199E2F91FD431D51"
- auxiliary_key_fingerprint: "6A6AA7C97C8890AEC6AEBFE2F76F66C3D4082792"
-+
-+# Mapping of CPE platform to package
-+platform_package_overrides:
-+  grub2: "grub2-pc"
-+  login_defs: "shadow-utils"
-+  sssd: "sssd-common"
-+  zipl: "s390x-utils"
-diff --git a/ssg/build_remediations.py b/ssg/build_remediations.py
-index 866450dd8c..ccbdf9fc1f 100644
---- a/ssg/build_remediations.py
-+++ b/ssg/build_remediations.py
-@@ -389,6 +389,9 @@ def update_when_from_rule(self, to_update):
-                 if "package_facts" in to_update:
-                     continue
- 
-+                if platform in self.local_env_yaml["platform_package_overrides"]:
-+                    platform = self.local_env_yaml["platform_package_overrides"].get(platform)
-+
-                 additional_when.append('"' + platform + '" in ansible_facts.packages')
-                 # After adding the conditional, we need to make sure package_facts are collected.
-                 # This is done via inject_package_facts_task()
-
-From 10dc62084cf8e38be9189b527c3b99b545826091 Mon Sep 17 00:00:00 2001
-From: Watson Sato <wsato@redhat.com>
-Date: Fri, 4 Sep 2020 14:42:57 +0200
-Subject: [PATCH 2/3] Move platform to cpe mappings to ssg/constants
-
----
- rhel8/product.yml | 6 ------
- ssg/constants.py  | 8 ++++++++
- 2 files changed, 8 insertions(+), 6 deletions(-)
-
-diff --git a/rhel8/product.yml b/rhel8/product.yml
-index 6b5b4e2748..d839b23231 100644
---- a/rhel8/product.yml
-+++ b/rhel8/product.yml
-@@ -19,9 +19,3 @@ aux_pkg_version: "d4082792"
- release_key_fingerprint: "567E347AD0044ADE55BA8A5F199E2F91FD431D51"
- auxiliary_key_fingerprint: "6A6AA7C97C8890AEC6AEBFE2F76F66C3D4082792"
- 
--# Mapping of CPE platform to package
--platform_package_overrides:
--  grub2: "grub2-pc"
--  login_defs: "shadow-utils"
--  sssd: "sssd-common"
--  zipl: "s390x-utils"
-diff --git a/ssg/constants.py b/ssg/constants.py
-index 3f9d7d37ce..7e9678241c 100644
---- a/ssg/constants.py
-+++ b/ssg/constants.py
-@@ -501,6 +501,14 @@
-     "zipl": "cpe:/a:zipl",
- }
- 
-+# Default platform to package mapping
-+XCCDF_PLATFORM_TO_PACKAGE = {
-+  "grub2": "grub2-pc",
-+  "login_defs": "login",
-+  "sssd": "sssd-common",
-+  "zipl": "s390x-utils",
-+}
-+
- # _version_name_map = {
- MAKEFILE_ID_TO_PRODUCT_MAP = {
-     'chromium': 'Google Chromium Browser',
-
-From feb012f06adae989138be15431020f2c174becc4 Mon Sep 17 00:00:00 2001
-From: Watson Sato <wsato@redhat.com>
-Date: Fri, 4 Sep 2020 14:47:29 +0200
-Subject: [PATCH 3/3] Allow override of default platform package mapping
-
-With default platform to package mappings defined, we need to allow a
-product to override it if needed.
----
- rhcos4/product.yml  | 4 ++++
- rhel6/product.yml   | 4 ++++
- rhel7/product.yml   | 4 ++++
- rhel8/product.yml   | 3 +++
- rhosp10/product.yml | 3 +++
- rhosp13/product.yml | 4 ++++
- rhv4/product.yml    | 4 ++++
- ssg/yaml.py         | 6 +++++-
- 8 files changed, 31 insertions(+), 1 deletion(-)
-
-diff --git a/rhcos4/product.yml b/rhcos4/product.yml
-index 7d51222952..71f0ae2758 100644
---- a/rhcos4/product.yml
-+++ b/rhcos4/product.yml
-@@ -9,3 +9,7 @@ profiles_root: "./profiles"
- pkg_system: "rpm"
- 
- init_system: "systemd"
-+
-+# Mapping of CPE platform to package
-+platform_package_overrides:
-+  login_defs: "shadow-utils"
-diff --git a/rhel6/product.yml b/rhel6/product.yml
-index cc8fa4f8ed..eab9b80c47 100644
---- a/rhel6/product.yml
-+++ b/rhel6/product.yml
-@@ -20,3 +20,7 @@ aux_pkg_version: "2fa658e0"
- 
- release_key_fingerprint: "567E347AD0044ADE55BA8A5F199E2F91FD431D51"
- auxiliary_key_fingerprint: "43A6E49C4A38F4BE9ABF2A5345689C882FA658E0"
-+
-+# Mapping of CPE platform to package
-+platform_package_overrides:
-+  login_defs: "shadow-utils"
-diff --git a/rhel7/product.yml b/rhel7/product.yml
-index f03c928b8f..3ff996b8cc 100644
---- a/rhel7/product.yml
-+++ b/rhel7/product.yml
-@@ -18,3 +18,7 @@ aux_pkg_version: "2fa658e0"
- 
- release_key_fingerprint: "567E347AD0044ADE55BA8A5F199E2F91FD431D51"
- auxiliary_key_fingerprint: "43A6E49C4A38F4BE9ABF2A5345689C882FA658E0"
-+
-+# Mapping of CPE platform to package
-+platform_package_overrides:
-+  login_defs: "shadow-utils"
-diff --git a/rhel8/product.yml b/rhel8/product.yml
-index d839b23231..f3aa59faec 100644
---- a/rhel8/product.yml
-+++ b/rhel8/product.yml
-@@ -19,3 +19,6 @@ aux_pkg_version: "d4082792"
- release_key_fingerprint: "567E347AD0044ADE55BA8A5F199E2F91FD431D51"
- auxiliary_key_fingerprint: "6A6AA7C97C8890AEC6AEBFE2F76F66C3D4082792"
- 
-+# Mapping of CPE platform to package
-+platform_package_overrides:
-+  login_defs: "shadow-utils"
-diff --git a/rhosp10/product.yml b/rhosp10/product.yml
-index 51d0a932a5..af42ca998d 100644
---- a/rhosp10/product.yml
-+++ b/rhosp10/product.yml
-@@ -10,3 +10,6 @@ pkg_manager: "yum"
- 
- init_system: "systemd"
- 
-+# Mapping of CPE platform to package
-+platform_package_overrides:
-+  login_defs: "shadow-utils"
-diff --git a/rhosp13/product.yml b/rhosp13/product.yml
-index 5e849ff609..ba42a31cd7 100644
---- a/rhosp13/product.yml
-+++ b/rhosp13/product.yml
-@@ -9,3 +9,7 @@ profiles_root: "./profiles"
- pkg_manager: "yum"
- 
- init_system: "systemd"
-+
-+# Mapping of CPE platform to package
-+platform_package_overrides:
-+  login_defs: "shadow-utils"
-diff --git a/rhv4/product.yml b/rhv4/product.yml
-index 10a2eda079..a61bf1588d 100644
---- a/rhv4/product.yml
-+++ b/rhv4/product.yml
-@@ -18,3 +18,7 @@ aux_pkg_version: "d4082792"
- 
- release_key_fingerprint: "567E347AD0044ADE55BA8A5F199E2F91FD431D51"
- auxiliary_key_fingerprint: "6A6AA7C97C8890AEC6AEBFE2F76F66C3D4082792"
-+
-+# Mapping of CPE platform to package
-+platform_package_overrides:
-+  login_defs: "shadow-utils"
-diff --git a/ssg/yaml.py b/ssg/yaml.py
-index cefbba374c..22cf5bad66 100644
---- a/ssg/yaml.py
-+++ b/ssg/yaml.py
-@@ -10,7 +10,8 @@
- 
- from .jinja import load_macros, process_file
- from .constants import (PKG_MANAGER_TO_SYSTEM,
--                        PKG_MANAGER_TO_CONFIG_FILE)
-+                        PKG_MANAGER_TO_CONFIG_FILE,
-+                        XCCDF_PLATFORM_TO_PACKAGE)
- from .constants import DEFAULT_UID_MIN
- 
- try:
-@@ -138,6 +139,9 @@ def open_raw(yaml_file):
- 
- def open_environment(build_config_yaml, product_yaml):
-     contents = open_raw(build_config_yaml)
-+    # Load common platform package mappings,
-+    # any specific mapping in product_yaml will override the default
-+    contents["platform_package_overrides"] = XCCDF_PLATFORM_TO_PACKAGE
-     contents.update(open_raw(product_yaml))
-     contents.update(_get_implied_properties(contents))
-     return contents
diff --git a/SOURCES/scap-security-guide-0.1.53-remove_eap6-PR_6119.patch b/SOURCES/scap-security-guide-0.1.53-remove_eap6-PR_6119.patch
deleted file mode 100644
index 19f3fdd..0000000
--- a/SOURCES/scap-security-guide-0.1.53-remove_eap6-PR_6119.patch
+++ /dev/null
@@ -1,6329 +0,0 @@
-From df5dcf087b8b34e37655de55f6766c8652c8c928 Mon Sep 17 00:00:00 2001
-From: Gabe <redhatrises@gmail.com>
-Date: Wed, 23 Sep 2020 15:48:35 -0600
-Subject: [PATCH] Remove JBoss EAP6
-
-- Product is wayyy past EOL
----
- CMakeLists.txt                                |    5 -
- build_product                                 |    1 -
- docs/manual/developer_guide.adoc              |    1 -
- docs/manual/user_guide.adoc                   |    8 +-
- eap6/CMakeLists.txt                           |   18 -
- eap6/checks/oval/installed_app_is_eap6.xml    |   96 --
- eap6/cpe/eap6-cpe-dictionary.xml              |  137 --
- eap6/guide/benchmark.yml                      |   53 -
- eap6/guide/eap6/group.yml                     |    5 -
- .../rule.yml                                  |   50 -
- .../oval/eap6.xml                             |   49 -
- .../rule.yml                                  |   57 -
- .../oval/eap6.xml                             |   45 -
- .../jboss_eap_configure_auditing/rule.yml     |   58 -
- .../rule.yml                                  |   48 -
- .../eap6/jboss_eap_configure_ha_lb/rule.yml   |   63 -
- .../rule.yml                                  |   59 -
- .../eap6/jboss_eap_configure_https/rule.yml   |   63 -
- .../oval/eap6.xml                             |   45 -
- .../jboss_eap_configure_keystore/rule.yml     |   46 -
- .../eap6/jboss_eap_configure_ldap/rule.yml    |   53 -
- .../rule.yml                                  |   66 -
- .../oval/eap6.xml                             |   65 -
- .../rule.yml                                  |   68 -
- .../oval/eap6.xml                             |   49 -
- .../rule.yml                                  |   58 -
- .../rule.yml                                  |   58 -
- .../rule.yml                                  |   74 -
- .../rule.yml                                  |   82 --
- .../rule.yml                                  |   39 -
- .../eap6/jboss_eap_configure_ports/rule.yml   |   60 -
- .../rule.yml                                  |   53 -
- .../oval/eap6.xml                             |   43 -
- .../rule.yml                                  |   94 --
- .../rule.yml                                  |   67 -
- .../jboss_eap_configure_syslog/oval/eap6.xml  |   45 -
- .../eap6/jboss_eap_configure_syslog/rule.yml  |   69 -
- .../rule.yml                                  |   50 -
- .../jboss_eap_configure_user_roles/rule.yml   |   56 -
- .../eap6/jboss_eap_disable_analytics/rule.yml |   40 -
- .../rule.yml                                  |   55 -
- .../rule.yml                                  |   51 -
- .../rule.yml                                  |   48 -
- .../guide/eap6/jboss_eap_enable_rbac/rule.yml |   55 -
- .../rule.yml                                  |   46 -
- .../jboss_eap_file_permissions/oval/eap6.xml  |   45 -
- .../eap6/jboss_eap_file_permissions/rule.yml  |   55 -
- .../eap6/jboss_eap_log_deployments/rule.yml   |   53 -
- .../jboss_eap_logs_permissions/oval/eap6.xml  |   60 -
- .../eap6/jboss_eap_logs_permissions/rule.yml  |   80 --
- .../jboss_eap_remove_group_accounts/rule.yml  |   75 -
- .../eap6/jboss_eap_remove_jmx/oval/eap6.xml   |   45 -
- eap6/guide/eap6/jboss_eap_remove_jmx/rule.yml |   57 -
- .../oval/eap6.xml                             |   35 -
- .../jboss_eap_remove_quickstarts/rule.yml     |   26 -
- .../oval/eap6.xml                             |   36 -
- .../rule.yml                                  |   43 -
- .../rule.yml                                  |   43 -
- .../jboss_eap_restrict_jboss_account/rule.yml |   39 -
- .../oval/eap6.xml                             |   45 -
- .../rule.yml                                  |   75 -
- .../rule.yml                                  |   56 -
- .../rule.yml                                  |   76 -
- .../eap6/jboss_eap_system_up_to_date/rule.yml |   35 -
- .../eap6/jboss_eap_unprivileged_mode/rule.yml |   58 -
- .../jboss_eap_use_approved_ca_cert/rule.yml   |   49 -
- .../jboss_eap_use_approved_ciphers/rule.yml   |   72 -
- .../jboss_eap_use_dod_approved_certs/rule.yml |   49 -
- .../jboss_eap_use_secure_ldap_port/rule.yml   |   54 -
- eap6/guide/eap6/jboss_eap_use_tls/rule.yml    |   59 -
- .../jboss_eap_vendor_supported/oval/eap6.xml  |   14 -
- .../eap6/jboss_eap_vendor_supported/rule.yml  |   35 -
- eap6/guide/eap6/var_jboss_profile.var         |   15 -
- eap6/overlays/srg_support.xml                 |    0
- eap6/overlays/stig_overlay.xml                |  271 ----
- eap6/product.yml                              |    7 -
- eap6/profiles/stig.profile                    |   57 -
- eap6/transforms/cci2html.xsl                  |    6 -
- eap6/transforms/constants.xslt                |   21 -
- eap6/transforms/shorthand2xccdf.xslt          |    9 -
- eap6/transforms/table-add-srgitems.xslt       |    7 -
- eap6/transforms/table-sortbyref.xslt          |    6 -
- eap6/transforms/table-srgmap.xslt             |   11 -
- eap6/transforms/table-style.xslt              |    5 -
- eap6/transforms/xccdf-apply-overlay-stig.xslt |    8 -
- eap6/transforms/xccdf2stigformat.xslt         |    7 -
- eap6/transforms/xccdf2table-byref.xslt        |    9 -
- eap6/transforms/xccdf2table-cce.xslt          |    9 -
- .../xccdf2table-profileccirefs.xslt           |    9 -
- .../xccdf2table-profilecisrefs.xslt           |    9 -
- .../xccdf2table-profilenistrefs.xslt          |    8 -
- eap6/transforms/xccdf2table-stig.xslt         |    9 -
- .../disa-stig-eap6-v1r2-xccdf-manual.xml      | 1275 -----------------
- ssg/constants.py                              |   37 -
- 94 files changed, 6 insertions(+), 5509 deletions(-)
- delete mode 100644 eap6/CMakeLists.txt
- delete mode 100644 eap6/checks/oval/installed_app_is_eap6.xml
- delete mode 100644 eap6/cpe/eap6-cpe-dictionary.xml
- delete mode 100644 eap6/guide/benchmark.yml
- delete mode 100644 eap6/guide/eap6/group.yml
- delete mode 100644 eap6/guide/eap6/jboss_eap_audit_privileged_actions/rule.yml
- delete mode 100644 eap6/guide/eap6/jboss_eap_configure_application_authentication/oval/eap6.xml
- delete mode 100644 eap6/guide/eap6/jboss_eap_configure_application_authentication/rule.yml
- delete mode 100644 eap6/guide/eap6/jboss_eap_configure_auditing/oval/eap6.xml
- delete mode 100644 eap6/guide/eap6/jboss_eap_configure_auditing/rule.yml
- delete mode 100644 eap6/guide/eap6/jboss_eap_configure_auditor_roles/rule.yml
- delete mode 100644 eap6/guide/eap6/jboss_eap_configure_ha_lb/rule.yml
- delete mode 100644 eap6/guide/eap6/jboss_eap_configure_host_access_restrictions/rule.yml
- delete mode 100644 eap6/guide/eap6/jboss_eap_configure_https/rule.yml
- delete mode 100644 eap6/guide/eap6/jboss_eap_configure_keystore/oval/eap6.xml
- delete mode 100644 eap6/guide/eap6/jboss_eap_configure_keystore/rule.yml
- delete mode 100644 eap6/guide/eap6/jboss_eap_configure_ldap/rule.yml
- delete mode 100644 eap6/guide/eap6/jboss_eap_configure_log_permissions/rule.yml
- delete mode 100644 eap6/guide/eap6/jboss_eap_configure_logging_level/oval/eap6.xml
- delete mode 100644 eap6/guide/eap6/jboss_eap_configure_logging_level/rule.yml
- delete mode 100644 eap6/guide/eap6/jboss_eap_configure_management_authentication/oval/eap6.xml
- delete mode 100644 eap6/guide/eap6/jboss_eap_configure_management_authentication/rule.yml
- delete mode 100644 eap6/guide/eap6/jboss_eap_configure_management_ldap/rule.yml
- delete mode 100644 eap6/guide/eap6/jboss_eap_configure_management_network/rule.yml
- delete mode 100644 eap6/guide/eap6/jboss_eap_configure_multifactor_authentication/rule.yml
- delete mode 100644 eap6/guide/eap6/jboss_eap_configure_offloading_max/rule.yml
- delete mode 100644 eap6/guide/eap6/jboss_eap_configure_ports/rule.yml
- delete mode 100644 eap6/guide/eap6/jboss_eap_configure_secure_management_access/rule.yml
- delete mode 100644 eap6/guide/eap6/jboss_eap_configure_security_manager/oval/eap6.xml
- delete mode 100644 eap6/guide/eap6/jboss_eap_configure_security_manager/rule.yml
- delete mode 100644 eap6/guide/eap6/jboss_eap_configure_security_realm/rule.yml
- delete mode 100644 eap6/guide/eap6/jboss_eap_configure_syslog/oval/eap6.xml
- delete mode 100644 eap6/guide/eap6/jboss_eap_configure_syslog/rule.yml
- delete mode 100644 eap6/guide/eap6/jboss_eap_configure_user_permissions/rule.yml
- delete mode 100644 eap6/guide/eap6/jboss_eap_configure_user_roles/rule.yml
- delete mode 100644 eap6/guide/eap6/jboss_eap_disable_analytics/rule.yml
- delete mode 100644 eap6/guide/eap6/jboss_eap_disable_automatic_deployment/rule.yml
- delete mode 100644 eap6/guide/eap6/jboss_eap_disable_domain_admin_console/rule.yml
- delete mode 100644 eap6/guide/eap6/jboss_eap_disable_replace_welcome_page/rule.yml
- delete mode 100644 eap6/guide/eap6/jboss_eap_enable_rbac/rule.yml
- delete mode 100644 eap6/guide/eap6/jboss_eap_encrypt_keystore_passwords/rule.yml
- delete mode 100644 eap6/guide/eap6/jboss_eap_file_permissions/oval/eap6.xml
- delete mode 100644 eap6/guide/eap6/jboss_eap_file_permissions/rule.yml
- delete mode 100644 eap6/guide/eap6/jboss_eap_log_deployments/rule.yml
- delete mode 100644 eap6/guide/eap6/jboss_eap_logs_permissions/oval/eap6.xml
- delete mode 100644 eap6/guide/eap6/jboss_eap_logs_permissions/rule.yml
- delete mode 100644 eap6/guide/eap6/jboss_eap_remove_group_accounts/rule.yml
- delete mode 100644 eap6/guide/eap6/jboss_eap_remove_jmx/oval/eap6.xml
- delete mode 100644 eap6/guide/eap6/jboss_eap_remove_jmx/rule.yml
- delete mode 100644 eap6/guide/eap6/jboss_eap_remove_quickstarts/oval/eap6.xml
- delete mode 100644 eap6/guide/eap6/jboss_eap_remove_quickstarts/rule.yml
- delete mode 100644 eap6/guide/eap6/jboss_eap_remove_unnecessary_apps/oval/eap6.xml
- delete mode 100644 eap6/guide/eap6/jboss_eap_remove_unnecessary_apps/rule.yml
- delete mode 100644 eap6/guide/eap6/jboss_eap_require_password_access/rule.yml
- delete mode 100644 eap6/guide/eap6/jboss_eap_restrict_jboss_account/rule.yml
- delete mode 100644 eap6/guide/eap6/jboss_eap_roll_over_transfer_logs/oval/eap6.xml
- delete mode 100644 eap6/guide/eap6/jboss_eap_roll_over_transfer_logs/rule.yml
- delete mode 100644 eap6/guide/eap6/jboss_eap_secure_keystore_permissions/rule.yml
- delete mode 100644 eap6/guide/eap6/jboss_eap_service_separate_networks/rule.yml
- delete mode 100644 eap6/guide/eap6/jboss_eap_system_up_to_date/rule.yml
- delete mode 100644 eap6/guide/eap6/jboss_eap_unprivileged_mode/rule.yml
- delete mode 100644 eap6/guide/eap6/jboss_eap_use_approved_ca_cert/rule.yml
- delete mode 100644 eap6/guide/eap6/jboss_eap_use_approved_ciphers/rule.yml
- delete mode 100644 eap6/guide/eap6/jboss_eap_use_dod_approved_certs/rule.yml
- delete mode 100644 eap6/guide/eap6/jboss_eap_use_secure_ldap_port/rule.yml
- delete mode 100644 eap6/guide/eap6/jboss_eap_use_tls/rule.yml
- delete mode 100644 eap6/guide/eap6/jboss_eap_vendor_supported/oval/eap6.xml
- delete mode 100644 eap6/guide/eap6/jboss_eap_vendor_supported/rule.yml
- delete mode 100644 eap6/guide/eap6/var_jboss_profile.var
- delete mode 100644 eap6/overlays/srg_support.xml
- delete mode 100644 eap6/overlays/stig_overlay.xml
- delete mode 100644 eap6/product.yml
- delete mode 100644 eap6/profiles/stig.profile
- delete mode 100644 eap6/transforms/cci2html.xsl
- delete mode 100644 eap6/transforms/constants.xslt
- delete mode 100644 eap6/transforms/shorthand2xccdf.xslt
- delete mode 100644 eap6/transforms/table-add-srgitems.xslt
- delete mode 100644 eap6/transforms/table-sortbyref.xslt
- delete mode 100644 eap6/transforms/table-srgmap.xslt
- delete mode 100644 eap6/transforms/table-style.xslt
- delete mode 100644 eap6/transforms/xccdf-apply-overlay-stig.xslt
- delete mode 100644 eap6/transforms/xccdf2stigformat.xslt
- delete mode 100644 eap6/transforms/xccdf2table-byref.xslt
- delete mode 100644 eap6/transforms/xccdf2table-cce.xslt
- delete mode 100644 eap6/transforms/xccdf2table-profileccirefs.xslt
- delete mode 100644 eap6/transforms/xccdf2table-profilecisrefs.xslt
- delete mode 100644 eap6/transforms/xccdf2table-profilenistrefs.xslt
- delete mode 100644 eap6/transforms/xccdf2table-stig.xslt
- delete mode 100644 shared/references/disa-stig-eap6-v1r2-xccdf-manual.xml
-
-diff --git a/CMakeLists.txt b/CMakeLists.txt
-index ca5fe336b5..1a62258cfb 100644
---- a/CMakeLists.txt
-+++ b/CMakeLists.txt
-@@ -64,7 +64,6 @@ option(SSG_PRODUCT_CHROMIUM "If enabled, the Chromium SCAP content will be built
- option(SSG_PRODUCT_DEBIAN8 "If enabled, the Debian 8 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
- option(SSG_PRODUCT_DEBIAN9 "If enabled, the Debian 9 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
- option(SSG_PRODUCT_DEBIAN10 "If enabled, the Debian 10 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
--option(SSG_PRODUCT_EAP6 "If enabled, the JBoss EAP6 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
- option(SSG_PRODUCT_EXAMPLE "If enabled, the Example SCAP content will be built" FALSE)
- option(SSG_PRODUCT_FEDORA "If enabled, the Fedora SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
- option(SSG_PRODUCT_FIREFOX "If enabled, the Firefox SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
-@@ -238,7 +237,6 @@ message(STATUS "Chromium: ${SSG_PRODUCT_CHROMIUM}")
- message(STATUS "Debian 8: ${SSG_PRODUCT_DEBIAN8}")
- message(STATUS "Debian 9: ${SSG_PRODUCT_DEBIAN9}")
- message(STATUS "Debian 10: ${SSG_PRODUCT_DEBIAN10}")
--message(STATUS "JBoss EAP 6: ${SSG_PRODUCT_EAP6}")
- message(STATUS "Example: ${SSG_PRODUCT_EXAMPLE}")
- message(STATUS "Fedora: ${SSG_PRODUCT_FEDORA}")
- message(STATUS "Firefox: ${SSG_PRODUCT_FIREFOX}")
-@@ -309,9 +307,6 @@ endif()
- if (SSG_PRODUCT_DEBIAN10)
-     add_subdirectory("debian10")
- endif()
--if (SSG_PRODUCT_EAP6)
--    add_subdirectory("eap6")
--endif()
- if (SSG_PRODUCT_EXAMPLE)
-     add_subdirectory("example")
- endif()
-diff --git a/build_product b/build_product
-index 4cf68366e4..d2b762f577 100755
---- a/build_product
-+++ b/build_product
-@@ -257,7 +257,6 @@ all_cmake_products=(
- 	DEBIAN8
- 	DEBIAN9
- 	DEBIAN10
--	EAP6
- 	EXAMPLE
- 	FEDORA
- 	FIREFOX
-diff --git a/docs/manual/developer_guide.adoc b/docs/manual/developer_guide.adoc
-index d2794ce1c9..42d47ba221 100644
---- a/docs/manual/developer_guide.adoc
-+++ b/docs/manual/developer_guide.adoc
-@@ -515,7 +515,6 @@ We have multiple benchmarks in our project:
- | Applications | `/applications` (Notice no `guide` subdirectory there!)
- | Java Runtime Environment | `/jre/guide`
- | Fuse 6 | `/fuse6/guide`
--| EAP6 | `/eap6/guide`
- | Firefox | `/firefox/guide`
- | Chromium | `/chromium/guide`
- |===
-diff --git a/docs/manual/user_guide.adoc b/docs/manual/user_guide.adoc
-index d2fc8dbba0..4d5d3ab8c6 100644
---- a/docs/manual/user_guide.adoc
-+++ b/docs/manual/user_guide.adoc
-@@ -10,8 +10,7 @@ toc::[]
- 
- The ComplianceAsCode (SSG) project delivers security guidance, baselines and
- associated validation mechanisms utilizing the Security Content Automation
--Protocol (SCAP). SSG provides content for Red Hat Enterprise Linux and JBoss
--Enterprise Application Server (JBoss EAP).
-+Protocol (SCAP). SSG provides content for Red Hat Enterprise Linux.
- In addition to hardening advice, SSG links back to compliance requirements in
- order to eease deployment activities, such as certification and accreditation.
- These include requirements in the U.S. Government (Federal, Defense, and
-@@ -304,6 +303,11 @@ If you need content for RHV based on el7, use the Red Hat Enterprise Linux 7 (`r
- |November 30, 2016
- | link:https://github.com/OpenSCAP/scap-security-guide/releases/tag/v0.1.35[SSG 0.1.35]
- 
-+|JBoss EAP 6
-+|June 30, 2019
-+| link:https://github.com/ComplianceAsCode/content/releases/tag/v0.1.53[content 0.1.53]
-+
-+
- |Red Hat Enterprise Linux 5
- |March 31, 2017
- | link:https://github.com/OpenSCAP/scap-security-guide/releases/tag/v0.1.34[SSG 0.1.34]
-diff --git a/eap6/CMakeLists.txt b/eap6/CMakeLists.txt
-deleted file mode 100644
-index 9833bf0c2e..0000000000
---- a/eap6/CMakeLists.txt
-+++ /dev/null
-@@ -1,18 +0,0 @@
--# Sometimes our users will try to do: "cd jboss_eap6; cmake ." That needs to error in a nice way.
--if ("${CMAKE_SOURCE_DIR}" STREQUAL "${CMAKE_CURRENT_SOURCE_DIR}")
--    message(FATAL_ERROR "cmake has to be used on the root CMakeLists.txt, see the developer_guide.adoc for more details!")
--endif()
--
--set(PRODUCT "eap6")
--set(DISA_SRG_TYPE "application")
--
--ssg_build_product(${PRODUCT})
--
--ssg_build_html_nistrefs_table(${PRODUCT} "stig")
--
--ssg_build_html_cce_table(${PRODUCT})
--
--ssg_build_html_srgmap_tables(${PRODUCT} "stig" ${DISA_SRG_TYPE})
--
--ssg_build_html_stig_tables(${PRODUCT} "stig")
--
-diff --git a/eap6/checks/oval/installed_app_is_eap6.xml b/eap6/checks/oval/installed_app_is_eap6.xml
-deleted file mode 100644
-index 59f580e073..0000000000
---- a/eap6/checks/oval/installed_app_is_eap6.xml
-+++ /dev/null
-@@ -1,96 +0,0 @@
--<def-group>
--  <definition version="1" class="inventory" id="installed_app_is_eap6">
--    <metadata>
--      <title>JBoss Enterprise Application Platform 6</title>
--      <description>EAP Version should be version 6</description>
--      <affected family="undefined">
--        <platform>JBoss Enterprise Application Platform 6</platform>
--      </affected>
--      <reference source="CPE" ref_id="cpe:/a:redhat:jboss_enterprise_application_platform:6.0.0" />
--      <reference source="CPE" ref_id="cpe:/a:redhat:jboss_enterprise_application_platform:6.0.1" />
--      <reference source="CPE" ref_id="cpe:/a:redhat:jboss_enterprise_application_platform:6.1.0" />
--      <reference source="CPE" ref_id="cpe:/a:redhat:jboss_enterprise_application_platform:6.1.1" />
--      <reference source="CPE" ref_id="cpe:/a:redhat:jboss_enterprise_application_platform:6.2.0" />
--      <reference source="CPE" ref_id="cpe:/a:redhat:jboss_enterprise_application_platform:6.2.1" />
--      <reference source="CPE" ref_id="cpe:/a:redhat:jboss_enterprise_application_platform:6.2.2" />
--      <reference source="CPE" ref_id="cpe:/a:redhat:jboss_enterprise_application_platform:6.2.3" />
--      <reference source="CPE" ref_id="cpe:/a:redhat:jboss_enterprise_application_platform:6.2.4" />
--      <reference source="CPE" ref_id="cpe:/a:redhat:jboss_enterprise_application_platform:6.3.0" />
--      <reference source="CPE" ref_id="cpe:/a:redhat:jboss_enterprise_application_platform:6.3.1" />
--      <reference source="CPE" ref_id="cpe:/a:redhat:jboss_enterprise_application_platform:6.3.2" />
--      <reference source="CPE" ref_id="cpe:/a:redhat:jboss_enterprise_application_platform:6.3.3" />
--      <reference source="CPE" ref_id="cpe:/a:redhat:jboss_enterprise_application_platform:6.4.0" />
--      <reference source="CPE" ref_id="cpe:/a:redhat:jboss_enterprise_application_platform:6.4.1" />
--      <reference source="CPE" ref_id="cpe:/a:redhat:jboss_enterprise_application_platform:6.4.2" />
--      <reference source="CPE" ref_id="cpe:/a:redhat:jboss_enterprise_application_platform:6.4.3" />
--      <reference source="CPE" ref_id="cpe:/a:redhat:jboss_enterprise_application_platform:6.4.4" />
--      <reference source="CPE" ref_id="cpe:/a:redhat:jboss_enterprise_application_platform:6.4.5" />
--      <reference source="CPE" ref_id="cpe:/a:redhat:jboss_enterprise_application_platform:6.4.6" />
--      <reference source="CPE" ref_id="cpe:/a:redhat:jboss_enterprise_application_platform:6.4.7" />
--      <reference source="CPE" ref_id="cpe:/a:redhat:jboss_enterprise_application_platform:6.4.8" />
--      <reference source="CPE" ref_id="cpe:/a:redhat:jboss_enterprise_application_platform:6.4.9" />
--      <reference source="CPE" ref_id="cpe:/a:redhat:jboss_enterprise_application_platform:6.4.10" />
--      <reference source="CPE" ref_id="cpe:/a:redhat:jboss_enterprise_application_platform:6.4.11" />
--      <reference source="CPE" ref_id="cpe:/a:redhat:jboss_enterprise_application_platform:6.4.12" />
--      <reference source="CPE" ref_id="cpe:/a:redhat:jboss_enterprise_application_platform:6.4.13" />
--      <reference source="CPE" ref_id="cpe:/a:redhat:jboss_enterprise_application_platform:6.4.14" />
--      <reference source="CPE" ref_id="cpe:/a:redhat:jboss_enterprise_application_platform:6.4.15" />
--      <reference source="CPE" ref_id="cpe:/a:redhat:jboss_enterprise_application_platform:6.4.16" />
--      <reference source="CPE" ref_id="cpe:/a:redhat:jboss_enterprise_application_platform:6.4.17" />
--      <reference source="CPE" ref_id="cpe:/a:redhat:jboss_enterprise_application_platform:6.4.18" />
--      <reference source="CPE" ref_id="cpe:/a:redhat:jboss_enterprise_application_platform:6.4.19" />
--    </metadata>
--    <criteria operator="OR">
--      <criterion test_ref="test_installed_eap_version_6" />
--      <criterion test_ref="test_installed_eap_version_6_container" />
--      <criterion test_ref="test_package_eap6_installed" />
--    </criteria>
--  </definition>
--
--  <linux:rpminfo_test check="all" check_existence="all_exist"
--  id="test_package_eap6_installed" version="1"
--  comment="package eap6 is installed">
--    <linux:object object_ref="obj_package_eap6_installed" />
--  </linux:rpminfo_test>
--  <linux:rpminfo_object id="obj_package_eap6_installed" version="1">
--    <linux:name>eap6</linux:name>
--  </linux:rpminfo_object>
--
--  <ind:environmentvariable58_object id="obj_env_installed_eap6_home" version="1">
--    <ind:pid xsi:nil="true" datatype="int" />
--    <ind:name>JBOSS_HOME</ind:name>
--  </ind:environmentvariable58_object>
--
--  <ind:textfilecontent54_test id="test_installed_eap_version_6" version="1" check="all" comment="Check EAP Version">
--    <ind:object object_ref="obj_installed_eap_version_6" />
--    <ind:state state_ref="state_installed_eap_version_6" />
--  </ind:textfilecontent54_test>
--  <ind:textfilecontent54_object id="obj_installed_eap_version_6" version="1">
--    <ind:path var_ref="local_var_installed_eap_version_6"/>
--    <ind:filename>version.txt</ind:filename>
--    <ind:pattern operation="pattern match">Red[\s]+Hat[\s]+JBoss[\s]+Enterprise[\s]+Application[\s]+Platform[\s]+\-[\s]+Version[\s]+(.*)GA</ind:pattern>
--    <ind:instance datatype="int">1</ind:instance>
--  </ind:textfilecontent54_object>
--
--  <ind:textfilecontent54_test id="test_installed_eap_version_6_container" version="1" check="all" comment="Check EAP Version">
--    <ind:object object_ref="obj_installed_eap_version_6_container" />
--    <ind:state state_ref="state_installed_eap_version_6" />
--  </ind:textfilecontent54_test>
--  <ind:textfilecontent54_object id="obj_installed_eap_version_6_container" version="1">
--    <ind:filepath>/opt/eap/version.txt</ind:filepath>
--    <ind:pattern operation="pattern match">Red[\s]+Hat[\s]+JBoss[\s]+Enterprise[\s]+Application[\s]+Platform[\s]+\-[\s]+Version[\s]+(.*)GA</ind:pattern>
--    <ind:instance datatype="int">1</ind:instance>
--  </ind:textfilecontent54_object>
--
--  <ind:textfilecontent54_state id="state_installed_eap_version_6" version="1">
--    <ind:subexpression operation="pattern match">6\.[0-4]+\.[0-9]+</ind:subexpression>
--  </ind:textfilecontent54_state>
--
--  <local_variable id="local_var_installed_eap_version_6" version="1" datatype="string" comment="version location">
--    <concat>
--      <object_component object_ref="obj_env_installed_eap6_home" item_field="value" />
--      <literal_component datatype="string">/</literal_component>
--    </concat>
--  </local_variable>
--
--</def-group>
-diff --git a/eap6/cpe/eap6-cpe-dictionary.xml b/eap6/cpe/eap6-cpe-dictionary.xml
-deleted file mode 100644
-index 6a1d490b5f..0000000000
---- a/eap6/cpe/eap6-cpe-dictionary.xml
-+++ /dev/null
-@@ -1,137 +0,0 @@
--<?xml version="1.0" encoding="UTF-8"?>
--
--<cpe-list xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:meta="http://scap.nist.gov/schema/cpe-dictionary-metadata/0.2" xmlns="http://cpe.mitre.org/dictionary/2.0" xsi:schemaLocation="http://scap.nist.gov/schema/cpe-dictionary-metadata/0.2  http://nvd.nist.gov/schema/cpe-dictionary-metadata_0.2.xsd http://cpe.mitre.org/dictionary/2.0 http://cpe.mitre.org/files/cpe-dictionary_2.2.xsd">
--
--    <cpe-item name="cpe:/a:redhat:jboss_enterprise_application_platform:6.0.0">
--        <title xml:lang="en-US">JBoss Enterprise Application Platform 6.0.0</title>
--        <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_app_is_eap6</check>
--    </cpe-item>
--    <cpe-item name="cpe:/a:redhat:jboss_enterprise_application_platform:6.0.1">
--        <title xml:lang="en-US">JBoss Enterprise Application Platform 6.0.1</title>
--        <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_app_is_eap6</check>
--    </cpe-item>
--    <cpe-item name="cpe:/a:redhat:jboss_enterprise_application_platform:6.1.0">
--        <title xml:lang="en-US">JBoss Enterprise Application Platform 6.1.0</title>
--        <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_app_is_eap6</check>
--    </cpe-item>
--    <cpe-item name="cpe:/a:redhat:jboss_enterprise_application_platform:6.1.1">
--        <title xml:lang="en-US">JBoss Enterprise Application Platform 6.1.1</title>
--        <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_app_is_eap6</check>
--    </cpe-item>
--    <cpe-item name="cpe:/a:redhat:jboss_enterprise_application_platform:6.2.0">
--        <title xml:lang="en-US">JBoss Enterprise Application Platform 6.2.0</title>
--        <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_app_is_eap6</check>
--    </cpe-item>
--    <cpe-item name="cpe:/a:redhat:jboss_enterprise_application_platform:6.2.1">
--        <title xml:lang="en-US">JBoss Enterprise Application Platform 6.2.1</title>
--        <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_app_is_eap6</check>
--    </cpe-item>
--    <cpe-item name="cpe:/a:redhat:jboss_enterprise_application_platform:6.2.2">
--        <title xml:lang="en-US">JBoss Enterprise Application Platform 6.2.2</title>
--        <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_app_is_eap6</check>
--    </cpe-item>
--    <cpe-item name="cpe:/a:redhat:jboss_enterprise_application_platform:6.2.3">
--        <title xml:lang="en-US">JBoss Enterprise Application Platform 6.2.3</title>
--        <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_app_is_eap6</check>
--    </cpe-item>
--    <cpe-item name="cpe:/a:redhat:jboss_enterprise_application_platform:6.2.4">
--        <title xml:lang="en-US">JBoss Enterprise Application Platform 6.2.4</title>
--        <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_app_is_eap6</check>
--    </cpe-item>
--    <cpe-item name="cpe:/a:redhat:jboss_enterprise_application_platform:6.3.0">
--        <title xml:lang="en-US">JBoss Enterprise Application Platform 6.3.0</title>
--        <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_app_is_eap6</check>
--    </cpe-item>
--    <cpe-item name="cpe:/a:redhat:jboss_enterprise_application_platform:6.3.1">
--        <title xml:lang="en-US">JBoss Enterprise Application Platform 6.3.1</title>
--        <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_app_is_eap6</check>
--    </cpe-item>
--    <cpe-item name="cpe:/a:redhat:jboss_enterprise_application_platform:6.3.2">
--        <title xml:lang="en-US">JBoss Enterprise Application Platform 6.3.2</title>
--        <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_app_is_eap6</check>
--    </cpe-item>
--    <cpe-item name="cpe:/a:redhat:jboss_enterprise_application_platform:6.3.3">
--        <title xml:lang="en-US">JBoss Enterprise Application Platform 6.3.3</title>
--        <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_app_is_eap6</check>
--    </cpe-item>
--    <cpe-item name="cpe:/a:redhat:jboss_enterprise_application_platform:6.4.0">
--        <title xml:lang="en-US">JBoss Enterprise Application Platform 6.4.0</title>
--        <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_app_is_eap6</check>
--    </cpe-item>
--    <cpe-item name="cpe:/a:redhat:jboss_enterprise_application_platform:6.4.1">
--        <title xml:lang="en-US">JBoss Enterprise Application Platform 6.4.1</title>
--        <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_app_is_eap6</check>
--    </cpe-item>
--    <cpe-item name="cpe:/a:redhat:jboss_enterprise_application_platform:6.4.2">
--        <title xml:lang="en-US">JBoss Enterprise Application Platform 6.4.2</title>
--        <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_app_is_eap6</check>
--    </cpe-item>
--    <cpe-item name="cpe:/a:redhat:jboss_enterprise_application_platform:6.4.3">
--        <title xml:lang="en-US">JBoss Enterprise Application Platform 6.4.3</title>
--        <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_app_is_eap6</check>
--    </cpe-item>
--    <cpe-item name="cpe:/a:redhat:jboss_enterprise_application_platform:6.4.4">
--        <title xml:lang="en-US">JBoss Enterprise Application Platform 6.4.4</title>
--        <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_app_is_eap6</check>
--    </cpe-item>
--    <cpe-item name="cpe:/a:redhat:jboss_enterprise_application_platform:6.4.5">
--        <title xml:lang="en-US">JBoss Enterprise Application Platform 6.4.5</title>
--        <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_app_is_eap6</check>
--    </cpe-item>
--    <cpe-item name="cpe:/a:redhat:jboss_enterprise_application_platform:6.4.6">
--        <title xml:lang="en-US">JBoss Enterprise Application Platform 6.4.6</title>
--        <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_app_is_eap6</check>
--    </cpe-item>
--    <cpe-item name="cpe:/a:redhat:jboss_enterprise_application_platform:6.4.7">
--        <title xml:lang="en-US">JBoss Enterprise Application Platform 6.4.7</title>
--        <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_app_is_eap6</check>
--    </cpe-item>
--    <cpe-item name="cpe:/a:redhat:jboss_enterprise_application_platform:6.4.8">
--        <title xml:lang="en-US">JBoss Enterprise Application Platform 6.4.8</title>
--        <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_app_is_eap6</check>
--    </cpe-item>
--    <cpe-item name="cpe:/a:redhat:jboss_enterprise_application_platform:6.4.9">
--        <title xml:lang="en-US">JBoss Enterprise Application Platform 6.4.9</title>
--        <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_app_is_eap6</check>
--    </cpe-item>
--    <cpe-item name="cpe:/a:redhat:jboss_enterprise_application_platform:6.4.10">
--        <title xml:lang="en-US">JBoss Enterprise Application Platform 6.4.10</title>
--        <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_app_is_eap6</check>
--    </cpe-item>
--    <cpe-item name="cpe:/a:redhat:jboss_enterprise_application_platform:6.4.11">
--        <title xml:lang="en-US">JBoss Enterprise Application Platform 6.4.11</title>
--        <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_app_is_eap6</check>
--    </cpe-item>
--    <cpe-item name="cpe:/a:redhat:jboss_enterprise_application_platform:6.4.12">
--        <title xml:lang="en-US">JBoss Enterprise Application Platform 6.4.12</title>
--        <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_app_is_eap6</check>
--    </cpe-item>
--    <cpe-item name="cpe:/a:redhat:jboss_enterprise_application_platform:6.4.13">
--        <title xml:lang="en-US">JBoss Enterprise Application Platform 6.4.13</title>
--        <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_app_is_eap6</check>
--    </cpe-item>
--    <cpe-item name="cpe:/a:redhat:jboss_enterprise_application_platform:6.4.14">
--        <title xml:lang="en-US">JBoss Enterprise Application Platform 6.4.14</title>
--        <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_app_is_eap6</check>
--    </cpe-item>
--    <cpe-item name="cpe:/a:redhat:jboss_enterprise_application_platform:6.4.15">
--        <title xml:lang="en-US">JBoss Enterprise Application Platform 6.4.15</title>
--        <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_app_is_eap6</check>
--    </cpe-item>
--    <cpe-item name="cpe:/a:redhat:jboss_enterprise_application_platform:6.4.16">
--        <title xml:lang="en-US">JBoss Enterprise Application Platform 6.4.16</title>
--        <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_app_is_eap6</check>
--    </cpe-item>
--    <cpe-item name="cpe:/a:redhat:jboss_enterprise_application_platform:6.4.17">
--        <title xml:lang="en-US">JBoss Enterprise Application Platform 6.4.17</title>
--        <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_app_is_eap6</check>
--    </cpe-item>
--    <cpe-item name="cpe:/a:redhat:jboss_enterprise_application_platform:6.4.18">
--        <title xml:lang="en-US">JBoss Enterprise Application Platform 6.4.18</title>
--        <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_app_is_eap6</check>
--    </cpe-item>
--    <cpe-item name="cpe:/a:redhat:jboss_enterprise_application_platform:6.4.19">
--        <title xml:lang="en-US">JBoss Enterprise Application Platform 6.4.19</title>
--        <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_app_is_eap6</check>
--    </cpe-item>
--</cpe-list>
-diff --git a/eap6/guide/benchmark.yml b/eap6/guide/benchmark.yml
-deleted file mode 100644
-index 229e81e807..0000000000
---- a/eap6/guide/benchmark.yml
-+++ /dev/null
-@@ -1,53 +0,0 @@
-----
--documentation_complete: true
--
--title: Guide to the Secure Configuration of {{{ full_name }}}
--
--status: draft
--
--description: |
--    This guide presents a catalog of security-relevant
--    configuration settings for {{{ full_name }}}. It is a rendering of
--    content structured in the eXtensible Configuration Checklist Description Format (XCCDF)
--    in order to support security automation.  The SCAP content is
--    is available in the <tt>scap-security-guide</tt> package which is developed at
--    {{{ weblink(link="https://www.open-scap.org/security-policies/scap-security-guide") }}}.
--    <br/><br/>
--    Providing system administrators with such guidance informs them how to securely
--    configure systems under their control in a variety of network roles. Policy
--    makers and baseline creators can use this catalog of settings, with its
--    associated references to higher-level security control catalogs, in order to
--    assist them in security baseline creation. This guide is a <em>catalog, not a
--    checklist</em>, and satisfaction of every item is not likely to be possible or
--    sensible in many operational scenarios. However, the XCCDF format enables
--    granular selection and adjustment of settings, and their association with OVAL
--    and OCIL content provides an automated checking capability. Transformations of
--    this document, and its associated automated checking content, are capable of
--    providing baselines that meet a diverse set of policy objectives. Some example
--    XCCDF <em>Profiles</em>, which are selections of items that form checklists and
--    can be used as baselines, are available with this guide. They can be
--    processed, in an automated fashion, with tools that support the Security
--    Content Automation Protocol (SCAP). The DISA STIG for {{{ full_name }}},
--    which provides required settings for US Department of Defense systems, is
--    one example of a baseline created from this guidance.
--
--notice:
--    id: terms_of_use
--    description: |
--        Do not attempt to implement any of the settings in
--        this guide without first testing them in a non-operational environment. The
--        creators of this guidance assume no responsibility whatsoever for its use by
--        other parties, and makes no guarantees, expressed or implied, about its
--        quality, reliability, or any other characteristic.
--
--front-matter: |
--    The SCAP Security Guide Project<br/>
--    {{{ weblink(link="https://www.open-scap.org/security-policies/scap-security-guide") }}}
--
--rear-matter: |
--    Red Hat and Red Hat Enterprise Linux are either registered
--    trademarks or trademarks of Red Hat, Inc. in the United States and other
--    countries. All other names are registered trademarks or trademarks of their
--    respective companies.
--
--version: 0.9
-diff --git a/eap6/guide/eap6/group.yml b/eap6/guide/eap6/group.yml
-deleted file mode 100644
-index 8401098c5a..0000000000
---- a/eap6/guide/eap6/group.yml
-+++ /dev/null
-@@ -1,5 +0,0 @@
--documentation_complete: true
--
--title: 'JBoss Enterprise Application Platform 6'
--
--description: "JBoss Enterprise Application Platform is a popular Java \nEnterprise Edition application server platform by Red Hat. It is based\non the open-source JBoss Application Server, Community Edition.\nLeveraging robust container architecture, JBoss EAP is capable of\nhosting a wide variety of applications - anything from simple, static\nHTML pages all the way to distributed, transaction-based Java Enterprise\nEdition applications. JBoss EAP is known for being dependable, fast,\nflexible, and cost-effective. This section provides settings for\nconfiguring the JBoss Enterprise Application Platform running on \nRed Hat Enterprise Linux systems."
-diff --git a/eap6/guide/eap6/jboss_eap_audit_privileged_actions/rule.yml b/eap6/guide/eap6/jboss_eap_audit_privileged_actions/rule.yml
-deleted file mode 100644
-index 25b7c41119..0000000000
---- a/eap6/guide/eap6/jboss_eap_audit_privileged_actions/rule.yml
-+++ /dev/null
-@@ -1,50 +0,0 @@
--documentation_complete: true
--
--title: 'Audit JBoss Privileged Actions'
--
--description: |-
--    Launch the jboss-cli management interface substituting standalone or domain for
--    <i>CONFIG</i> based upon the server installation.
--    <br /><br />
--    <pre>&lt;JBOSS_HOME&gt;/<i>CONFIG/</i>/bin/jboss-cli</pre>
--    <br /><br />
--    connect to the server and run the following command:
--    <br /><br />
--    <pre>/core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)</pre>
--
--rationale: |-
--    In order to be able to provide a forensic history of activity, the application
--    server must ensure users who are granted a privileged role or those who utilize
--    a separate distinct account when accessing privileged functions or data have
--    their actions logged.
--    <br /><br />
--    If privileged activity is not logged, no forensic logs
--    can be used to establish accountability for privileged actions that occur on the
--    system.
--
--severity: medium
--
--identifiers:
--    cce: CCE-80487-2
--
--references:
--    disa: CCI-002234
--    srg: SRG-APP-000343-AS-000030
--    stigid: JBOS-AS-000480
--
--ocil_clause: 'it is not'
--
--ocil: |-
--    Log on to the OS of the JBoss server with OS permissions that allow access to
--    JBoss.
--    Using the relevant OS commands and syntax, cd to the <tt>&lt;JBOSS_HOME&gt;/bin/</tt>
--    folder.
--    Run the <pre>jboss-cli</pre> script.
--    Connect to the server and authenticate.
--    Run the command:
--    <br /><br />
--    <pre>/core-service=management/access=audit:read-resource(recursive=true)</pre>
--    <br /><br />
--    Under the <pre>"logger" =&gt; {audit-log}</pre> section of
--    the returned response:
--    If <pre>"enabled" =&gt;.</pre>, this is a finding
-diff --git a/eap6/guide/eap6/jboss_eap_configure_application_authentication/oval/eap6.xml b/eap6/guide/eap6/jboss_eap_configure_application_authentication/oval/eap6.xml
-deleted file mode 100644
-index 85a50ad122..0000000000
---- a/eap6/guide/eap6/jboss_eap_configure_application_authentication/oval/eap6.xml
-+++ /dev/null
-@@ -1,49 +0,0 @@
--<def-group>
--  <definition version="1" class="compliance" id="jboss_eap_configure_application_authentication">
--    <metadata>
--      <title>Remove Silent Authentication - Application Security Realm</title>
--      <description>Verify that Silent Authentication has been removed from the default Application security realm.</description>
--      <affected family="undefined">
--        <platform>JBoss Enterprise Application Platform 6</platform>
--      </affected>
--    </metadata>
--    <criteria>
--      <criterion test_ref="test_eap_configure_application_authentication" />
--    </criteria>
--  </definition>
--
--  <ind:environmentvariable58_object id="obj_env_eap_configure_application_authentication" version="1">
--    <ind:pid xsi:nil="true" datatype="int" />
--    <ind:name>JBOSS_HOME</ind:name>
--  </ind:environmentvariable58_object>
--
--  <local_variable id="local_var_eap_configure_application_authentication" version="1" datatype="string" comment="configuration location">
--    <concat>
--      <object_component object_ref="obj_env_eap_configure_application_authentication" item_field="value" />
--      <literal_component datatype="string">/standalone/configuration/</literal_component>
--    </concat>
--  </local_variable>
--
--  <local_variable id="local_var_profile_application_authentication" version="1" datatype="string" comment="configuration profile">
--    <concat>
--      <variable_component var_ref="var_jboss_profile" />
--      <literal_component datatype="string">.xml</literal_component>
--    </concat>
--  </local_variable>
--
--  <external_variable comment="external variable for Jboss profile" datatype="string" id="var_jboss_profile" version="1" />
--
--  <ind:xmlfilecontent_test id="test_eap_configure_application_authentication" version="1" check="all" comment="Check EAP Audit Logging is Enabled">
--    <ind:object object_ref="obj_eap_configure_application_authentication" />
--    <ind:state state_ref="state_eap_configure_application_authentication" />
--  </ind:xmlfilecontent_test>
--  <ind:xmlfilecontent_object id="obj_eap_configure_application_authentication" version="1">
--    <ind:path var_ref="local_var_eap_configure_application_authentication"/>
--    <ind:filename var_ref="local_var_eap_configure_application_authentication" />
--    <ind:xpath>count(//*[name()='server']/*[name()='management']/*[name()='security-realms']/*[name()='security-realm'][@name='ApplicationRealm']/*[name()='authentication']/*[name()='local'])</ind:xpath>
--  </ind:xmlfilecontent_object>
--
--  <ind:xmlfilecontent_state id="state_eap_configure_application_authentication" comment="ensure that the number of local authentication elements in the ApplicationRealm is 0"  version="1">
--    <ind:value_of datatype="int" operation="equals">0</ind:value_of>
--  </ind:xmlfilecontent_state>
--</def-group>
-diff --git a/eap6/guide/eap6/jboss_eap_configure_application_authentication/rule.yml b/eap6/guide/eap6/jboss_eap_configure_application_authentication/rule.yml
-deleted file mode 100644
-index 1498e7ed3e..0000000000
---- a/eap6/guide/eap6/jboss_eap_configure_application_authentication/rule.yml
-+++ /dev/null
-@@ -1,57 +0,0 @@
--documentation_complete: true
--
--title: 'Remove Silent Authentication - Application Security Realm'
--
--description: |-
--    Log on to the OS of the JBoss server with OS permissions that allow access to
--    JBoss.
--    Using the relevant OS commands and syntax, cd to the <tt>&lt;JBOSS_HOME&gt;/bin/</tt>
--    folder.
--    Run the <pre>jboss-cli</pre> script.
--    Connect to the server and authenticate.
--    Remove the local element from the Application Realm.
--    For standalone servers, run
--    the following command:
--    <pre>/core-service=management/securityrealm=ApplicationRealm/authentication=local:remove</pre>
--    <br /><br />
--    For managed domain installations,
--    run the following command:
--    <pre>/host=HOST_NAME/core-service=management/securityrealm=ApplicationRealm/authentication=local:remove</pre>
--
--rationale: |-
--    Silent Authentication is a configuration setting that allows local OS users
--    access to the JBoss server and a wide range of operations without specifically
--    authenticating on an individual user basis. By default $localuser is a
--    Superuser. This introduces an integrity and availability vulnerability and
--    violates best practice requirements regarding accountability.
--
--severity: high
--
--identifiers:
--    cce: CCE-80456-7
--
--references:
--    disa: CCI-000213
--    srg: SRG-APP-000033-AS-000024
--    stigid: JBOS-AS-000045
--
--ocil_clause: 'it is not'
--
--ocil: |-
--    Log on to the OS of the JBoss server with OS permissions that allow access to
--    JBoss.
--    Using the relevant OS commands and syntax, cd to the
--    <tt>&lt;JBOSS_HOME&gt;/bin/</tt> folder.
--    Run the <pre>jboss-cli</pre> script.
--    Connect to the server and authenticate.
--    Verify that Silent Authentication has been removed from the default Application
--    security realm.
--    Run the following command.
--    <br /><br />
--    For standalone servers, run the following command:
--    <pre>ls /core-service=management/securityrealm=ApplicationRealm/authentication</pre>
--    <br /><br />
--    For managed domain installations, run the following command:
--    <pre>ls /host=HOST_NAME/core-service=management/securityrealm=ApplicationRealm/authentication</pre>
--    <br /><br />
--    If <tt>local</tt> is returned, this is a finding.
-diff --git a/eap6/guide/eap6/jboss_eap_configure_auditing/oval/eap6.xml b/eap6/guide/eap6/jboss_eap_configure_auditing/oval/eap6.xml
-deleted file mode 100644
-index 1ae11d1062..0000000000
---- a/eap6/guide/eap6/jboss_eap_configure_auditing/oval/eap6.xml
-+++ /dev/null
-@@ -1,45 +0,0 @@
--<def-group>
--  <definition version="1" class="compliance" id="jboss_eap_configure_auditing">
--    <metadata>
--      <title>Configure Audit Logging</title>
--      <description>Audit logging must be enabled</description>
--      <affected family="undefined">
--        <platform>JBoss Enterprise Application Platform 6</platform>
--      </affected>
--    </metadata>
--    <criteria>
--      <criterion test_ref="test_eap_configure_auditing" />
--    </criteria>
--  </definition>
--
--  <ind:environmentvariable58_object id="obj_env_eap_configure_auditing" version="1">
--    <ind:pid xsi:nil="true" datatype="int" />
--    <ind:name>JBOSS_HOME</ind:name>
--  </ind:environmentvariable58_object>
--
--  <local_variable id="local_var_eap_configure_auditing" version="1" datatype="string" comment="configuration location">
--    <concat>
--      <object_component object_ref="obj_env_eap_configure_auditing" item_field="value" />
--      <literal_component datatype="string">/standalone/configuration/</literal_component>
--    </concat>
--  </local_variable>
--
--  <local_variable id="local_var_profile_auditing" version="1" datatype="string" comment="configuration profile">
--    <concat>
--      <variable_component var_ref="var_jboss_profile" />
--      <literal_component datatype="string">.xml</literal_component>
--    </concat>
--  </local_variable>
--
--  <external_variable comment="external variable for Jboss profile" datatype="string" id="var_jboss_profile" version="1" />
--
--  <ind:xmlfilecontent_test id="test_eap_configure_auditing" version="1" check="all" comment="Check EAP Audit Logging is Enabled">
--    <ind:object object_ref="obj_eap_configure_auditing" />
--  </ind:xmlfilecontent_test>
--  <ind:xmlfilecontent_object id="obj_eap_configure_auditing" version="1">
--    <ind:path var_ref="local_var_eap_configure_auditing"/>
--    <ind:filename var_ref="local_var_profile_auditing" />
--    <ind:xpath>//*[name()='server']/*[name()='management']/*[name()='audit-log']/*[name()='logger'][@enabled='true']</ind:xpath>
--  </ind:xmlfilecontent_object>
--
--</def-group>
-diff --git a/eap6/guide/eap6/jboss_eap_configure_auditing/rule.yml b/eap6/guide/eap6/jboss_eap_configure_auditing/rule.yml
-deleted file mode 100644
-index a60181be8e..0000000000
---- a/eap6/guide/eap6/jboss_eap_configure_auditing/rule.yml
-+++ /dev/null
-@@ -1,58 +0,0 @@
--documentation_complete: true
--
--title: 'Configure JBoss Auditing and Logging'
--
--description: |-
--    Launch the jboss-cli management interface.
--    Connect to the server by typing
--    <tt>connect</tt>, authenticate as a user in the Superuser role, and run the
--    following command:
--    <br /><br />
--    For a Managed Domain configuration:
--    <pre>host=master/server/<i>SERVERNAME</i>/core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)</pre>
--    <br /><br />
--    For a Standalone
--    configuration:
--    <pre>/core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)</pre>
--
--rationale: |-
--    Log records can be generated from various components within the JBoss
--    application server. The minimum list of logged events should be those
--    pertaining to access and authentication events to the management interface as
--    well as system startup and shutdown events.
--    <br /><br />
--    By default, JBoss does not log
--    management interface access but does provide a default file handler. This
--    handler needs to be enabled. Configuring this setting meets several STIG
--    auditing requirements.
--
--severity: medium
--
--identifiers:
--    cce: CCE-80459-1
--
--references:
--    disa: CCI-000130,CCI-000131,CCI-000132,CCI-000133,CCI-000134,CCI-000169,CCI-000172,CCI-001464
--    srg: SRG-APP-000089-AS-000050,SRG-APP-000092-AS-000053,SRG-APP-000095-AS-000056,SRG-APP-000096-AS-000059,SRG-APP-000096-AS-000060,SRG-APP-000098-AS-000061,SRG-APP-000099-AS-000062,SRG-APP-000495-AS-000220,SRG-APP-000499-AS-000224,SRG-APP-000499-AS-000224,SRG-APP-000503-AS-000228,SRG-APP-000504-AS-000229,SRG-APP-000505-AS-000230,SRG-APP-000506-AS-000231,SRG-APP-000509-AS-000234
--    stigid: JBOS-AS-000080
--
--ocil_clause: 'it is not'
--
--ocil: |-
--    Log on to the OS of the JBoss server with OS permissions that allow access to
--    JBoss.
--    Using the relevant OS commands and syntax, cd to the <tt>&lt;JBOSS_HOME&gt;/bin/</tt>
--    folder.
--    Run the <pre>jboss-cli</pre> script to start the Command Line Interface (CLI).
--    Connect to the server and authenticate.
--    Run the command:
--    <br /><br />
--    For a Managed Domain
--    configuration:
--    <pre>ls host=master/server/<i>SERVERNAME</i>/core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)</pre>
--    <br /><br />
--    For a Standalone configuration:
--    <pre>ls /core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)</pre>
--    <br /><br />
--    If <pre>"enabled" =.</pre>, this is
--    a finding.
-diff --git a/eap6/guide/eap6/jboss_eap_configure_auditor_roles/rule.yml b/eap6/guide/eap6/jboss_eap_configure_auditor_roles/rule.yml
-deleted file mode 100644
-index 4a888efc4f..0000000000
---- a/eap6/guide/eap6/jboss_eap_configure_auditor_roles/rule.yml
-+++ /dev/null
-@@ -1,48 +0,0 @@
--documentation_complete: true
--
--title: 'Configure JBoss Auditor Role'
--
--description: |-
--    Obtain documented approvals from ISSM, and assign the appropriate personnel
--    into the <pre>Auditor</pre> role.
--
--rationale: |-
--    The JBoss server must be configured to select which personnel are assigned the
--    role of selecting which loggable events are to be logged.
--    In JBoss, the role
--    designated for selecting auditable events is the <tt>Auditor</tt> role.
--    The
--    personnel or roles that can select loggable events are only the ISSM (or
--    individuals or roles appointed by the ISSM).
--
--severity: medium
--
--identifiers:
--    cce: CCE-80460-9
--
--references:
--    disa: CCI-000171
--    srg: SRG-APP-000090-AS-000051
--    stigid: JBOS-AS-000085
--
--ocil_clause: 'it is not'
--
--ocil: |-
--    Log on to the OS of the JBoss server with OS permissions that allow access to
--    JBoss.
--    Using the relevant OS commands and syntax, cd to the <tt>&lt;JBOSS_HOME&gt;/bin/</tt>
--    folder.
--    Run the <pre>jboss-cli</pre> script to start the Command Line Interface (CLI).
--    Connect to the server and authenticate.
--    Run the command:
--    <br /><br />
--    For a Managed Domain
--    configuration:
--    <pre>ls host=master/server/<i>SERVERNAME</i>/core-service=management/access=authorization/role-mapping=Auditor/include=</pre>
--    <br /><br />
--    For a Standalone configuration:
--    <pre>ls /core-service=management/access=authorization/role-mapping=Auditor/include=</pre>
--    <br /><br />
--    If
--    the list of users in the Auditors group is not approved by the ISSM, this is a
--    finding.
-diff --git a/eap6/guide/eap6/jboss_eap_configure_ha_lb/rule.yml b/eap6/guide/eap6/jboss_eap_configure_ha_lb/rule.yml
-deleted file mode 100644
-index 66d0d2e2b1..0000000000
---- a/eap6/guide/eap6/jboss_eap_configure_ha_lb/rule.yml
-+++ /dev/null
-@@ -1,63 +0,0 @@
--documentation_complete: true
--
--title: 'Configure Load Balancing (LB) or High Availability (HA)'
--
--description: |-
--    Configure the application server to provide LB or HA services for the hosted
--    application.
--
--rationale: |-
--    A MAC I system is a system that handles data vital to the organization's
--    operational readiness or effectiveness of deployed or contingency forces. A MAC
--    I system must maintain the highest level of integrity and availability. By HA
--    clustering the application server, the hosted application and data are given a
--    platform that is load-balanced and provides high availability.
--
--severity: medium
--
--identifiers:
--    cce: CCE-80492-2
--
--references:
--    disa: CCI-002385
--    srg: SRG-APP-000435-AS-000069
--    stigid: JBOS-AS-000640
--
--ocil_clause: 'it is not'
--
--ocil: |-
--    Interview the system admin and determine if the applications hosted on the
--    application server are mission critical and require load balancing (LB) or high
--    availability (HA).
--    <br /><br />
--    If the applications do not require LB or HA, this
--    requirement is NA.
--    <br /><br />
--    If the documentation shows the LB or HA services are being
--    provided by another system other than the application server, this requirement
--    is NA.
--    <br /><br />
--    If applications require LB or HA, request documentation from the system
--    admin that identifies what type of LB or HA configuration has been implemented
--    on the application server.
--    <br /><br />
--    Ask the system admin to identify the components that
--    require protection. Some options are included here as an example. Bear in mind
--    the examples provided are not complete and absolute and are only provided as
--    examples. The components being made redundant or HA by the application server
--    will vary based upon application availability requirements.
--    <br /><br />
--    Examples are:
--    Instances of the Application Server
--    Web Applications
--    Stateful, stateless and
--    entity Enterprise Java Beans (EJBs)
--    Single Sign On (SSO) mechanisms
--    Distributed
--    Cache
--    HTTP sessions
--    JMS and Message Services.
--    <br /><br />
--    If the hosted application
--    requirements specify LB or HA and the JBoss server has not been configured to
--    offer HA or LB, this is a finding.
-diff --git a/eap6/guide/eap6/jboss_eap_configure_host_access_restrictions/rule.yml b/eap6/guide/eap6/jboss_eap_configure_host_access_restrictions/rule.yml
-deleted file mode 100644
-index a9b7f1b3b7..0000000000
---- a/eap6/guide/eap6/jboss_eap_configure_host_access_restrictions/rule.yml
-+++ /dev/null
-@@ -1,59 +0,0 @@
--documentation_complete: true
--
--title: 'Configure Host Access Restrictions for Applications'
--
--description: |-
--    Configure the Java security manager to enforce access restrictions to the host
--    system resources in accordance with application design and resource
--    requirements.
--
--rationale: |-
--    The Java Security Manager is a java class that manages the external boundary of
--    the Java Virtual Machine (JVM) sandbox, controlling how code executing within
--    the JVM can interact with resources outside the JVM.
--    <br /><br />
--    The JVM requires a
--    security policy in order to restrict application access. A properly configured
--    security policy will define what rights the application has to the underlying
--    system. For example, rights to make changes to files on the host system or to
--    initiate network sockets in order to connect to another system.
--
--severity: high
--
--identifiers:
--    cce: CCE-80452-6
--
--references:
--    disa: CCI-000213
--    srg: SRG-APP-000033-AS-000024
--    stigid: JBOS-AS-000025
--
--ocil_clause: 'it is not'
--
--ocil: |-
--    Obtain documentation from the admin that identifies the applications hosted on
--    the JBoss server as well as the corresponding rights the application requires.
--    For example, if the application requires network socket permissions and file
--    write permissions, those requirements should be documented.
--    <br /><br />
--    1. Identify the
--    JBoss installation as either domain or standalone and review the relevant
--    configuration file.
--    For domain installs: <tt>JBOSS_HOME/bin/domain.conf</tt>
--    For
--    standalone installs: <tt>JBOSS_HOME/bin/standalone.conf</tt>
--    <br /><br />
--    2. Identify the location
--    and name of the security policy by reading the JAVA_OPTS flag
--    <pre>-Djava.security.policy=<i>file name</i></pre>
--    where <i>file name</i> will indicate name and
--    location of security policy. If the application uses a policy URL, obtain URL
--    and policy file from system admin.
--    <br /><br />
--    3. Review security policy and ensure hosted
--    applications have the appropriate restrictions placed on them as per documented
--    application functionality requirements.
--    <br /><br />
--    If the security policy does not
--    restrict application access to host resources as per documented requirements,
--    this is a finding.
-diff --git a/eap6/guide/eap6/jboss_eap_configure_https/rule.yml b/eap6/guide/eap6/jboss_eap_configure_https/rule.yml
-deleted file mode 100644
-index a18298502d..0000000000
---- a/eap6/guide/eap6/jboss_eap_configure_https/rule.yml
-+++ /dev/null
-@@ -1,63 +0,0 @@
--documentation_complete: true
--
--title: 'Enable HTTPS for JBoss Web Interface'
--
--description: |-
--    Follow procedure "4.4. Configure the JBoss Web Server to use HTTPS."
--    The detailed procedure is found in the JBoss EAP 6.3 Security Guide available at
--    the vendor's site, RedHat.com. An overview of steps is provided here.
--    <br /><br />
--    1. Obtain or generate DoD-approved SSL certificates.
--    2. Configure the SSL certificate using your certificate values.
--    3. Set the SSL protocol to TLS V1.1 or V1.2.
--
--rationale: |-
--    Encryption is critical for protection of remote access sessions. If encryption
--    is not being used for integrity, malicious users may gain the ability to modify
--    the application server configuration. The use of cryptography for ensuring
--    integrity of remote access sessions mitigates that risk.
--    <br /><br />
--    Application servers
--    utilize a web management interface and scripted commands when allowing remote
--    access. Web access requires the use of TLS, and scripted access requires using
--    ssh or some other form of approved cryptography. Application servers must have a
--    capability to enable a secure remote admin capability.
--    <br /><br />
--    FIPS 140-2 approved TLS
--    versions include TLS V1.0 or greater.
--    <br /><br />
--    FIPS 140-2 approved TLS versions must be
--    enabled, and non-FIPS-approved SSL versions must be disabled.
--    <br /><br />
--    NIST SP 800-52
--    specifies the preferred configurations for government systems.
--
--severity: medium
--
--identifiers:
--    cce: CCE-80451-8
--
--references:
--    disa: CCI-001453
--    srg: SRG-APP-000015-AS-000010
--    stigid: JBOS-AS-000015
--
--ocil_clause: 'it is not'
--
--ocil: |-
--    Log on to the OS of the JBoss server with OS permissions that allow access to
--    JBoss.
--    <br /><br />
--    Using the relevant OS commands and syntax, cd to the
--    <tt>&lt;JBOSS_HOME&gt;/bin/</tt> folder
--    Run the <pre>jboss-cli</pre> script.
--    Connect to the server and authenticate.
--    Review the web subsystem and ensure that HTTPS is enabled.
--    Run the command:
--    <br /><br />
--    For a managed domain:
--    <pre>ls /profile=<i>PROFILE_NAME</i>/subsystem=web/connector=</pre>
--    For a standalone system:
--    <pre>ls /subsystem=web/connector=</pre>
--    <br /><br />
--    If <tt>https</tt> is not returned, this is a finding.
-diff --git a/eap6/guide/eap6/jboss_eap_configure_keystore/oval/eap6.xml b/eap6/guide/eap6/jboss_eap_configure_keystore/oval/eap6.xml
-deleted file mode 100644
-index 96599de3d6..0000000000
---- a/eap6/guide/eap6/jboss_eap_configure_keystore/oval/eap6.xml
-+++ /dev/null
-@@ -1,45 +0,0 @@
--<def-group>
--  <definition version="1" class="compliance" id="jboss_eap_configure_keystore">
--    <metadata>
--      <title>Configure Vault for Passwords</title>
--      <description>The vault should be configured for storing passwords.</description>
--      <affected family="undefined">
--        <platform>JBoss Enterprise Application Platform 6</platform>
--      </affected>
--    </metadata>
--    <criteria>
--      <criterion test_ref="test_eap_configure_keystore" />
--    </criteria>
--  </definition>
--
--  <ind:environmentvariable58_object id="obj_env_configure_keystore" version="1">
--    <ind:pid xsi:nil="true" datatype="int" />
--    <ind:name>JBOSS_HOME</ind:name>
--  </ind:environmentvariable58_object>
--
--  <local_variable id="local_var_configure_keystore_jboss_home" version="1" datatype="string" comment="version location">
--    <concat>
--      <object_component object_ref="obj_env_configure_keystore" item_field="value" />
--      <literal_component datatype="string">/standalone/configuration/</literal_component>
--    </concat>
--  </local_variable>
--
--  <local_variable id="local_var_profile_vault_passwords" version="1" datatype="string" comment="configuration profile">
--    <concat>
--      <variable_component var_ref="var_jboss_profile" />
--      <literal_component datatype="string">.xml</literal_component>
--    </concat>
--  </local_variable>
--
--  <external_variable comment="external variable for Jboss profile" datatype="string" id="var_jboss_profile" version="1" />
--
--    <ind:xmlfilecontent_test id="test_eap_configure_keystore" version="1" check="all" comment="Check EAP for vault">
--        <ind:object object_ref="obj_eap_configure_keystore" />
--    </ind:xmlfilecontent_test>
--    <ind:xmlfilecontent_object id="obj_eap_configure_keystore" version="1">
--        <ind:path var_ref="local_var_rollover_jboss_home"/>
--        <ind:filename var_ref="local_var_profile_vault_passwords" />
--        <ind:xpath>//*[name()='server']/*[name()='vault']</ind:xpath>
--    </ind:xmlfilecontent_object>
--
--</def-group>
-diff --git a/eap6/guide/eap6/jboss_eap_configure_keystore/rule.yml b/eap6/guide/eap6/jboss_eap_configure_keystore/rule.yml
-deleted file mode 100644
-index 34d8111266..0000000000
---- a/eap6/guide/eap6/jboss_eap_configure_keystore/rule.yml
-+++ /dev/null
-@@ -1,46 +0,0 @@
--documentation_complete: true
--
--title: 'Enable the JBoss Keystore'
--
--description: |-
--    Configure the application server to use the java keystore and JBoss vault as
--    per section 11.13.1 -Password Vault System in the
--    JBoss_Enterprise_Application_Platform-6.3
--    -Administration_and_Configuration_Guide-en-US document.
--    <br /><br />
--    1. Create a java keystore.
--    2. Mask the keystore password and initialize the password vault.
--    3. Configure JBoss to use the password vault.
--
--rationale: |-
--    JBoss EAP 6 has a Password Vault to encrypt sensitive strings, store them in an
--    encrypted keystore, and decrypt them for applications and verification systems.
--    Plain-text configuration files, such as XML deployment descriptors, need to
--    specify passwords and other sensitive information. Use the JBoss EAP Password
--    Vault to securely store sensitive strings in plain-text files.
--
--severity: medium
--
--identifiers:
--    cce: CCE-80478-1
--
--references:
--    disa: CCI-000196
--    srg: SRG-APP-000171-AS-000119
--    stigid: JBOS-AS-000295
--
--ocil_clause: 'it is not'
--
--ocil: |-
--    Log on to the OS of the JBoss server with OS permissions that allow access to
--    JBoss.
--    Using the relevant OS commands and syntax, cd to the <tt>&lt;JBOSS_HOME&gt;/bin/</tt>
--    folder.
--    Run the <pre>jboss-cli</pre> script.
--    Connect to the server and authenticate.
--    Run the command:
--    <br /><br />
--    <pre>ls /core-service=vault</pre>
--    <br /><br />
--    If <pre>code=undefined</pre> and <pre>module=undefined</pre>,
--    this is a finding.
-diff --git a/eap6/guide/eap6/jboss_eap_configure_ldap/rule.yml b/eap6/guide/eap6/jboss_eap_configure_ldap/rule.yml
-deleted file mode 100644
-index 59a4282407..0000000000
---- a/eap6/guide/eap6/jboss_eap_configure_ldap/rule.yml
-+++ /dev/null
-@@ -1,53 +0,0 @@
--documentation_complete: true
--
--title: 'Configure LDAP'
--
--description: |-
--    Follow steps in section 11.8 - Management Interface Security in the
--    JBoss_Enterprise_Application_Platform-6.3
--    -Administration_and_Configuration_Guide-en-US document.
--    <br /><br />
--    1. Create an outbound connection to the LDAP server.
--    2. Create an LDAP-enabled security realm.
--    3. Reference the new security domain in the Management Interface.
--
--rationale: |-
--    To assure accountability and prevent unauthorized access, application server
--    users must be uniquely identified and authenticated. This is typically
--    accomplished via the use of a user store that is either local (OS-based) or
--    centralized (Active Directory/LDAP) in nature. It should be noted that JBoss
--    does not specifically mention Active Directory since AD is LDAP aware.
--    <br /><br />
--    To
--    ensure accountability and prevent unauthorized access, the JBoss Server must be
--    configured to utilize a centralized authentication mechanism.
--
--severity: medium
--
--identifiers:
--    cce: CCE-80473-2
--
--references:
--    disa: CCI-000764
--    srg: SRG-APP-000148-AS-000101
--    stigid: JBOS-AS-000260
--
--ocil_clause: 'it is not'
--
--ocil: |-
--    Log on to the OS of the JBoss server with OS permissions that allow access to
--    JBoss.
--    Using the relevant OS commands and syntax, cd to the <tt>&lt;JBOSS_HOME&gt;/bin/</tt>
--    folder.
--    Run the <pre>jboss-cli</pre> script.
--    Connect to the server and authenticate.
--    <br /><br />
--    To obtain the list of security realms run the command:
--    <pre>ls /core-service=management/security-realm=</pre>
--    <br /><br />
--    Review each security realm using the
--    command:
--    <pre>ls /core-service=management/security-realm=<i>SECURITY_REALM_NAME</i>/authentication</pre>
--    <br /><br />
--    If this command does not
--    return a security realm that uses LDAP for authentication, this is a finding.
-diff --git a/eap6/guide/eap6/jboss_eap_configure_log_permissions/rule.yml b/eap6/guide/eap6/jboss_eap_configure_log_permissions/rule.yml
-deleted file mode 100644
-index c3333eeb0f..0000000000
---- a/eap6/guide/eap6/jboss_eap_configure_log_permissions/rule.yml
-+++ /dev/null
-@@ -1,66 +0,0 @@
--documentation_complete: true
--
--title: 'Configure JBoss Log Permissions'
--
--description: |-
--    Configure the OS file permissions on the application server to protect log
--    information from unauthorized access.
--
--rationale: |-
--    If log data were to become compromised, then competent forensic analysis and
--    discovery of the true source of potentially malicious system activity is
--    difficult, if not impossible, to achieve.
--    <br /><br />
--    When not configured to use a
--    centralized logging solution like a syslog server, the JBoss EAP application
--    server writes log data to log files that are stored on the OS; appropriate file
--    permissions must be used to restrict access.
--    <br /><br />
--    Log information includes all
--    information (e.g., log records, log settings, transaction logs, and log reports)
--    needed to successfully log information system activity. Application servers must
--    protect log information from unauthorized access.
--
--severity: medium
--
--identifiers:
--    cce: CCE-80462-5
--
--references:
--    disa: CCI-000162,CCI-000163,CCI-000164
--    srg: SRG-APP-000118-AS-000078,SRG-APP-000119-AS-000079,SRG-APP-000120-AS-000080
--    stigid: JBOS-AS-000165
--
--ocil_clause: 'it is not'
--
--ocil: |-
--    Examine the log file locations and inspect the file permissions. Interview the
--    system admin to determine log file locations. The default location for the log
--    files is:
--    <br /><br />
--    Standalone configuration:
--    <pre>
--    &lt;JBOSS_HOME&gt;/standalone/log/
--    </pre>
--    <br /><br />
--    Managed
--    Domain configuration:
--    <pre>
--    &lt;JBOSS_HOME&gt;/domain/servers/<i>servername</i>/log/
--    &lt;JBOSS_HOME&gt;/domain/log/
--    </pre>
--    <br /><br />
--    Review the file permissions for the log file
--    directories. The method used for identifying file permissions will be based
--    upon the OS the EAP server is installed on.
--    <br /><br />
--    Identify all users with file
--    permissions that allow them to read, modify, or delete log files.
--    <br /><br />
--    Request documentation from
--    system admin that identifies the users who are authorized to read, modify, or delete log files.
--    <br /><br />
--    If
--    unauthorized users are allowed to read, modify, or delete log files, or if documentation that
--    identifies the users who are authorized to read, modify, or delete log files is missing, this is a
--    finding.
-diff --git a/eap6/guide/eap6/jboss_eap_configure_logging_level/oval/eap6.xml b/eap6/guide/eap6/jboss_eap_configure_logging_level/oval/eap6.xml
-deleted file mode 100644
-index 7022ef72a1..0000000000
---- a/eap6/guide/eap6/jboss_eap_configure_logging_level/oval/eap6.xml
-+++ /dev/null
-@@ -1,65 +0,0 @@
--<def-group>
--  <definition version="1" class="compliance" id="jboss_eap_configure_logging_level">
--    <metadata>
--      <title>Configure JBoss Logging Level</title>
--      <description>Verify that the logging level for the ROOT logger is INFO.</description>
--      <affected family="undefined">
--        <platform>JBoss Enterprise Application Platform 6</platform>
--      </affected>
--    </metadata>
--    <criteria operator="OR">
--      <criterion test_ref="test_jboss_eap_configure_logging_level_info" />
--      <criterion test_ref="test_jboss_eap_configure_logging_level_debug" />
--      <criterion test_ref="test_jboss_eap_configure_logging_level_trace" />
--    </criteria>
--  </definition>
--
--  <ind:environmentvariable58_object id="obj_env_jboss_eap_configure_logging_level" version="1">
--    <ind:pid xsi:nil="true" datatype="int" />
--    <ind:name>JBOSS_HOME</ind:name>
--  </ind:environmentvariable58_object>
--
--  <local_variable id="local_var_jboss_eap_configure_logging_level" version="1" datatype="string" comment="configuration location">
--    <concat>
--      <object_component object_ref="obj_env_jboss_eap_configure_logging_level" item_field="value" />
--      <literal_component datatype="string">/standalone/configuration/</literal_component>
--    </concat>
--  </local_variable>
--
--  <local_variable id="local_var_profile_logging_level" version="1" datatype="string" comment="configuration profile">
--    <concat>
--      <variable_component var_ref="var_jboss_profile" />
--      <literal_component datatype="string">.xml</literal_component>
--    </concat>
--  </local_variable>
--
--  <external_variable comment="external variable for Jboss profile" datatype="string" id="var_jboss_profile" version="1" />
--
--  <ind:xmlfilecontent_test id="test_jboss_eap_configure_logging_level_info" version="1" check="all" comment="Check that root logging is INFO level">
--    <ind:object object_ref="obj_jboss_eap_configure_logging_level_info" />
--  </ind:xmlfilecontent_test>
--  <ind:xmlfilecontent_object id="obj_jboss_eap_configure_logging_level_info" version="1">
--    <ind:path var_ref="local_var_jboss_eap_configure_logging_level"/>
--    <ind:filename var_ref="local_var_jboss_eap_configure_logging_level" />
--    <ind:xpath>//*[name()='server']/*[name()='profile']/*[name()='subsystem']/*[name()='root-logger']/*[name()='level'][@name='INFO']</ind:xpath>
--  </ind:xmlfilecontent_object>
--
--  <ind:xmlfilecontent_test id="test_jboss_eap_configure_logging_level_debug" version="1" check="all" comment="Check that root logging is DEBUG level">
--    <ind:object object_ref="obj_jboss_eap_configure_logging_level_trace" />
--  </ind:xmlfilecontent_test>
--  <ind:xmlfilecontent_object id="obj_jboss_eap_configure_logging_level_debug" version="1">
--    <ind:path var_ref="local_var_jboss_eap_configure_logging_level"/>
--    <ind:filename var_ref="local_var_jboss_eap_configure_logging_level" />
--    <ind:xpath>//*[name()='server']/*[name()='profile']/*[name()='subsystem']/*[name()='root-logger']/*[name()='level'][@name='DEBUG']</ind:xpath>
--  </ind:xmlfilecontent_object>
--
--  <ind:xmlfilecontent_test id="test_jboss_eap_configure_logging_level_trace" version="1" check="all" comment="Check that root logging is TRACE level">
--    <ind:object object_ref="obj_jboss_eap_configure_logging_level_debug" />
--  </ind:xmlfilecontent_test>
--  <ind:xmlfilecontent_object id="obj_jboss_eap_configure_logging_level_trace" version="1">
--    <ind:path var_ref="local_var_jboss_eap_configure_logging_level"/>
--    <ind:filename var_ref="local_var_jboss_eap_configure_logging_level" />
--    <ind:xpath>//*[name()='server']/*[name()='profile']/*[name()='subsystem']/*[name()='root-logger']/*[name()='level'][@name='TRACE']</ind:xpath>
--  </ind:xmlfilecontent_object>
--
--</def-group>
-diff --git a/eap6/guide/eap6/jboss_eap_configure_logging_level/rule.yml b/eap6/guide/eap6/jboss_eap_configure_logging_level/rule.yml
-deleted file mode 100644
-index 2d392a1820..0000000000
---- a/eap6/guide/eap6/jboss_eap_configure_logging_level/rule.yml
-+++ /dev/null
-@@ -1,68 +0,0 @@
--documentation_complete: true
--
--title: 'Configure JBoss Logging Level'
--
--description: |-
--    Log on to the OS of the JBoss server with OS permissions that allow access to
--    JBoss.
--    Using the relevant OS commands and syntax, cd to the <tt>&lt;JBOSS_HOME&gt;/bin/</tt>
--    folder.
--    Run the <pre>jboss-cli</pre> script to start the Command Line Interface (CLI).
--    Connect to the server and authenticate.
--    <br /><br />
--    The PROFILE NAMEs included with a
--    Managed Domain JBoss configuration are:
--    <tt>default</tt>, <tt>full</tt>, <tt>full-ha</tt>, or <tt>ha</tt>
--    For a Managed Domain configuration, you must check
--    each profile name:
--    <br /><br />
--    For each PROFILE NAME, run the command:
--    <pre>/profile=<i>PROFILE NAME</i>/subsystem=logging/root-logger=ROOT:write-attribute(name=level,value=INFO)</pre>
--    <br /><br />
--    For a Standalone configuration:
--    <pre>/subsystem=logging/root-logger=ROOT:write-attribute(name=level,value=INFO)</pre>
--
--rationale: |-
--    800 records less data and may result in an insufficient amount of information
--    being logged by the ROOT logger. This can result in failed forensic
--    investigations. The ROOT logger level must be INFO level or lower to provide
--    adequate log information.
--
--severity: medium
--
--identifiers:
--    cce: CCE-80461-7
--
--references:
--    disa: CCI-001487
--    srg: SRG-APP-000100-AS-000063
--    stigid: JBOS-AS-000135
--
--ocil_clause: 'it is not'
--
--ocil: |-
--    Log on to the OS of the JBoss server with OS permissions that allow access to
--    JBoss.
--    Using the relevant OS commands and syntax, cd to the <tt>&lt;JBOSS_HOME&gt;/bin/</tt>
--    folder.
--    Run the <pre>jboss-cli</pre> script to start the Command Line Interface (CLI).
--    Connect to the server and authenticate.
--    <br /><br />
--    The PROFILE NAMEs included with a
--    Managed Domain JBoss configuration are:
--    <tt>default</tt>, <tt>full</tt>, <tt>full-ha</tt>, or <tt>ha</tt>
--    For a Managed Domain configuration, you must check
--    each profile name:
--    <br /><br />
--    For each PROFILE NAME, run the command:
--    <pre>ls /profile=<i>PROFILE NAME</i>/subsystem=logging/root-logger=ROOT</pre>
--    <br /><br />
--    If ROOT logger
--    <tt>level</tt> is not set to INFO, DEBUG or TRACE
--    This is a finding for each
--    <i>PROFILE NAME</i> (default, full, full-ha and ha)
--    <br /><br />
--    For a Standalone configuration:
--    <pre>ls /subsystem=logging/root-logger=ROOT</pre>
--    <br /><br />
--    If "level" not = INFO, DEBUG or TRACE, this is a finding.
-diff --git a/eap6/guide/eap6/jboss_eap_configure_management_authentication/oval/eap6.xml b/eap6/guide/eap6/jboss_eap_configure_management_authentication/oval/eap6.xml
-deleted file mode 100644
-index b7d180238c..0000000000
---- a/eap6/guide/eap6/jboss_eap_configure_management_authentication/oval/eap6.xml
-+++ /dev/null
-@@ -1,49 +0,0 @@
--<def-group>
--  <definition version="1" class="compliance" id="jboss_eap_configure_management_authentication">
--    <metadata>
--      <title>Remove Silent Authentication - Management Security Realm</title>
--      <description>Verify that Silent Authentication has been removed from the default Management security realm.</description>
--      <affected family="undefined">
--        <platform>JBoss Enterprise Application Platform 6</platform>
--      </affected>
--    </metadata>
--    <criteria>
--      <criterion test_ref="test_eap_configure_management_authentication" />
--    </criteria>
--  </definition>
--
--  <ind:environmentvariable58_object id="obj_env_eap_configure_management_authentication" version="1">
--    <ind:pid xsi:nil="true" datatype="int" />
--    <ind:name>JBOSS_HOME</ind:name>
--  </ind:environmentvariable58_object>
--
--  <local_variable id="local_var_eap_configure_management_authentication" version="1" datatype="string" comment="configuration location">
--    <concat>
--      <object_component object_ref="obj_env_eap_configure_management_authentication" item_field="value" />
--      <literal_component datatype="string">/standalone/configuration/</literal_component>
--    </concat>
--  </local_variable>
--
--  <local_variable id="local_var_profile_management_authentication" version="1" datatype="string" comment="configuration profile">
--    <concat>
--      <variable_component var_ref="var_jboss_profile" />
--      <literal_component datatype="string">.xml</literal_component>
--    </concat>
--  </local_variable>
--
--  <external_variable comment="external variable for Jboss profile" datatype="string" id="var_jboss_profile" version="1" />
--
--  <ind:xmlfilecontent_test id="test_eap_configure_management_authentication" version="1" check="all" comment="Check EAP Audit Logging is Enabled">
--    <ind:object object_ref="obj_eap_configure_management_authentication" />
--    <ind:state state_ref="state_eap_configure_management_authentication" />
--  </ind:xmlfilecontent_test>
--  <ind:xmlfilecontent_object id="obj_eap_configure_management_authentication" version="1">
--    <ind:path var_ref="local_var_eap_configure_management_authentication"/>
--    <ind:filename var_ref="local_var_profile_management_authentication" />
--    <ind:xpath>count(//*[name()='server']/*[name()='management']/*[name()='security-realms']/*[name()='security-realm'][@name='ManagementRealm']/*[name()='authentication']/*[name()='local'])</ind:xpath>
--  </ind:xmlfilecontent_object>
--
--  <ind:xmlfilecontent_state id="state_eap_configure_management_authentication" comment="ensure that the number of local authentication elements in the ManagementRealm is 0"  version="1">
--    <ind:value_of datatype="int" operation="equals">0</ind:value_of>
--  </ind:xmlfilecontent_state>
--</def-group>
-diff --git a/eap6/guide/eap6/jboss_eap_configure_management_authentication/rule.yml b/eap6/guide/eap6/jboss_eap_configure_management_authentication/rule.yml
-deleted file mode 100644
-index 1da3591c7e..0000000000
---- a/eap6/guide/eap6/jboss_eap_configure_management_authentication/rule.yml
-+++ /dev/null
-@@ -1,58 +0,0 @@
--documentation_complete: true
--
--title: 'Remove Silent Authentication - Management Security Realm'
--
--description: |-
--    Log on to the OS of the JBoss server with OS permissions that allow access to
--    JBoss.
--    Using the relevant OS commands and syntax, cd to the <pre>&lt;JBOSS_HOME&gt;/bin/</pre>
--    folder.
--    Run the <pre>jboss-cli</pre> script.
--    Connect to the server and authenticate.
--    Remove the local element from the Management Realm.
--    For standalone servers run
--    the following command:
--    <pre>/core-service=management/securityrealm=ManagementRealm/authentication=local:remove</pre>
--    <br /><br />
--    For managed domain installations run the following command:
--    <pre>/host=HOST_NAME/core-service=management/securityrealm=ManagementRealm/authentication=local:remove</pre>
--
--rationale: |-
--    Silent Authentication is a configuration setting that allows local OS users
--    access to the JBoss server and a wide range of operations without specifically
--    authenticating on an individual user basis. By default $localuser is a
--    Superuser. This introduces an integrity and availability vulnerability and
--    violates best practice requirements regarding accountability.
--
--severity: high
--
--identifiers:
--    cce: CCE-80457-5
--
--references:
--    disa: CCI-000213
--    srg: SRG-APP-000033-AS-000024
--    stigid: JBOS-AS-000050
--
--ocil_clause: 'it is not'
--
--ocil: |-
--    Log on to the OS of the JBoss server with OS permissions that allow access to
--    JBoss.
--    Using the relevant OS commands and syntax, cd to the <tt>&lt;JBOSS_HOME&gt;/bin/</tt>
--    folder.
--    Run the <pre>jboss-cli</pre> script.
--    Connect to the server and authenticate.
--    Verify that Silent Authentication has been removed from the default Management
--    security realm.
--    Run the following command.
--    <br /><br />
--    For standalone servers run the
--    following command:
--    <pre>ls /core-service=management/securityrealm=ManagementRealm/authentication</pre>
--    <br /><br />
--    For
--    managed domain installations run the following command:
--    <pre>ls /host=HOST_NAME/core-service=management/securityrealm=ManagementRealm/authentication</pre>
--    <br /><br />
--    If <tt>local</tt> is returned, this is a finding.
-diff --git a/eap6/guide/eap6/jboss_eap_configure_management_ldap/rule.yml b/eap6/guide/eap6/jboss_eap_configure_management_ldap/rule.yml
-deleted file mode 100644
-index 46af8da8dc..0000000000
---- a/eap6/guide/eap6/jboss_eap_configure_management_ldap/rule.yml
-+++ /dev/null
-@@ -1,58 +0,0 @@
--documentation_complete: true
--
--title: 'Configure LDAP for Management Interfaces'
--
--description: |-
--    Follow steps in section 11.8 - Management Interface Security in the
--    JBoss_Enterprise_Application_Platform-6.3
--    -Administration_and_Configuration_Guide-en-US document.
--    <br /><br />
--    1. Create an outbound connection to the LDAP server.
--    2. Create an LDAP-enabled security realm.
--    3. Reference the new security domain in the Management Interface.
--
--rationale: |-
--    JBoss EAP provides a security realm called ManagementRealm. By default, this
--    realm uses the mgmt-users.properties file for authentication. Using file-based
--    authentication does not allow the JBoss server to be in compliance with a wide
--    range of user management requirements such as automatic disabling of inactive
--    accounts as per DoD policy. To address this issue, the management interfaces
--    used to manage the JBoss server must be associated with a security realm that
--    provides centralized authentication management. Examples are AD or LDAP.
--    Management of user identifiers is not applicable to shared information system
--    accounts (e.g., guest and anonymous accounts). It is commonly the case that a
--    user account is the name of an information system account associated with an
--    individual.
--
--severity: medium
--
--identifiers:
--    cce: CCE-80477-3
--
--references:
--    disa: CCI-000795
--    srg: SRG-APP-000163-AS-000111
--    stigid: JBOS-AS-000290
--
--ocil_clause: 'it is not'
--
--ocil: |-
--    Log on to the OS of the JBoss server with OS permissions that allow access to
--    JBoss.
--    Using the relevant OS commands and syntax, cd to the <tt>&lt;JBOSS_HOME&gt;/bin/</tt>
--    folder.
--    Run the <pre>jboss-cli</pre> script.
--    Connect to the server and authenticate.
--    Obtain the list of management interfaces by running the command:
--    <pre>ls /core-service=management/management-interface</pre>
--    <br /><br />
--    Identify the security realm used
--    by each management interface configuration by running the command:
--    <pre>ls /core-service=management/management-interface=<i>MANAGEMENT-INTERFACE-NAME</i></pre>
--    Determine if the security realm assigned to the management interface uses LDAP
--    for authentication by running the command:
--    <pre>ls /core-service=management/security-realm=<i>SECURITY_REALM_NAME</i>/authentication</pre>
--    <br /><br />
--    If the security
--    realm assigned to the management interface does not utilize LDAP for
--    authentication, this is a finding.
-diff --git a/eap6/guide/eap6/jboss_eap_configure_management_network/rule.yml b/eap6/guide/eap6/jboss_eap_configure_management_network/rule.yml
-deleted file mode 100644
-index 537cd8e656..0000000000
---- a/eap6/guide/eap6/jboss_eap_configure_management_network/rule.yml
-+++ /dev/null
-@@ -1,74 +0,0 @@
--documentation_complete: true
--
--title: 'Separate JBoss Management Network'
--
--description: |-
--    Refer to Section 4.9 of the JBoss EAP 6.3 Installation guide for detailed
--    instructions on how to start JBoss as a service.
--    <br /><br />
--    Use the following command line
--    parameters to assign the management interface to a specific management network.
--    These command line flags must be added both when starting JBoss as a service and
--    when starting from the command line.
--    <br /><br />
--    Substitute your actual network address for
--    the 10.x.x.x addresses provided as an example below.
--    <br /><br />
--    For a standalone
--    configuration:
--    <pre>
--    JBOSS_HOME/bin/standalone.sh -bmanagement=10.2.2.1 -b 10.1.1.1
--    JBOSS_HOME/bin/domain.sh -bmanagement=10.2.2.1 -b 10.1.1.1
--    </pre>
--    <br /><br />
--    If a management
--    network is not available, you may substitute localhost/127.0.0.1 for management
--    address. This will force you to manage the JBoss server from the local host.
--
--rationale: |-
--    JBoss provides multiple interfaces for accessing the system. By default,
--    these are called public and management. Allowing non-
--    management traffic to access the JBoss management interface increases the
--    chances of a security compromise. The JBoss server must be configured to bind
--    the management interface to a network that controls access. This is usually a
--    network that has been designated as a management network and has restricted
--    access. Similarly, the public interface must be bound to a network that is not
--    on the same segment as the management interface.
--
--severity: medium
--
--identifiers:
--    cce: CCE-80476-5
--
--references:
--    disa: CCI-000778
--    srg: SRG-APP-000158-AS-000108
--    stigid: JBOS-AS-000285
--
--ocil_clause: 'it is not'
--
--ocil: |-
--    Obtain documentation and network drawings from system admin that shows the
--    network interfaces on the JBoss server and the networks they are configured for.
--    If a management network is not used, you may substitute localhost/127.0.0.1 for
--    management address. If localhost/127.0.0.1 is used for management interface,
--    this is not a finding.
--    <br /><br />
--    From the JBoss server open the web-based admin console
--    by pointing a browser to <pre>HTTP://127.0.0.1:9990</pre>.
--    Log on to the management console
--    with admin credentials.
--    Select <tt>RUNTIME</tt>.
--    Expand <tt>STATUS</tt> by clicking on <tt>+</tt>.
--    Expand <tt>PLATFORM</tt> by clicking on <tt>+</tt>.
--    In the <tt>Environment</tt> tab, click the <tt>&gt;</tt>
--    arrow until you see the <tt>jboss.bind.properties</tt> and the
--    <pre>jboss.bind.properties.management</pre> values.
--    <br /><br />
--    If the
--    jboss.bind.properties and the jboss.bind.properties.management do not have
--    different IP network addresses assigned, this is a finding.
--    <br /><br />
--    Review the network
--    documentation. If access to the management IP address is not restricted, this
--    is a finding.
-diff --git a/eap6/guide/eap6/jboss_eap_configure_multifactor_authentication/rule.yml b/eap6/guide/eap6/jboss_eap_configure_multifactor_authentication/rule.yml
-deleted file mode 100644
-index 8b3bbb71d6..0000000000
---- a/eap6/guide/eap6/jboss_eap_configure_multifactor_authentication/rule.yml
-+++ /dev/null
-@@ -1,82 +0,0 @@
--documentation_complete: true
--
--title: 'Configure Multi-Factor Authentication'
--
--description: |-
--    Configure the application server to authenticate privileged users via
--    multifactor/certificate-based authentication mechanisms when using network
--    access to the management interface.
--
--rationale: |-
--    Multifactor authentication creates a layered defense and makes it more
--    difficult for an unauthorized person to access the application server. If one
--    factor is compromised or broken, the attacker still has at least one more
--    barrier to breach before successfully breaking into the target. Unlike a simple
--    username/password scenario where the attacker could gain access by knowing both
--    the username and password without the user knowing his account was compromised,
--    multifactor authentication adds the requirement that the attacker must have
--    something from the user, such as a token, or to biometrically be the user.
--    Multifactor authentication is defined as: using two or more factors to achieve
--    authentication.
--    <br /><br />
--    Factors include:
--    (i) something a user knows (e.g.,
--    password/PIN);
--    (ii) something a user has (e.g., cryptographic identification
--    device, token); or
--    (iii) something a user is (e.g., biometric). A CAC or PKI
--    Hardware Token meets this definition.
--    <br /><br />
--    A privileged account is defined as an
--    information system account with authorizations of a privileged user. These
--    accounts would be capable of accessing the web management interface.
--    <br /><br />
--    When
--    accessing the application server via a network connection, administrative access
--    to the application server must be PKI Hardware Token enabled or a DoD-approved
--    soft certificate.
--
--severity: medium
--
--identifiers:
--    cce: CCE-80474-0
--
--references:
--    disa: CCI-000765
--    srg: SRG-APP-000149-AS-000102
--    stigid: JBOS-AS-000265
--
--ocil_clause: 'it is not'
--
--ocil: |-
--    Log on to the OS of the JBoss server with OS permissions that allow access to
--    JBoss.
--    Using the relevant OS commands and syntax, cd to the <tt>&lt;JBOSS_HOME&gt;/bin/</tt>
--    folder.
--    Run the <pre>jboss-cli</pre> script.
--    Connect to the server and authenticate.
--    Follow these steps:
--    1. Identify the security realm assigned to the management
--    interfaces by using the following command:
--    <br /><br />
--    For standalone systems:
--    <pre>ls /core-service=management/management-interface=<i>INTERFACE-NAME</i></pre>
--    <br /><br />
--    For
--    managed domain systems:
--    <pre>ls /host=master/core-service=management/management-interface=<i>INTERFACE-NAME</i></pre>
--    <br /><br />
--    Document the name of the security-realm associated with each management interface.
--    <br /><br />
--    2. Review the security realm
--    using the command:
--    <br /><br />
--    For standalone systems:
--    <pre>ls /core-service=management/security-realm=<i>SECURITY_REALM_NAME</i>/authentication</pre>
--    <br /><br />
--    For managed domains:
--    <pre>ls /host=master/core-service=management/security-realm=<i>SECURITY_REALM_NAME</i>/authentication</pre>
--    <br /><br />
--    If the command in step 2 does
--    not return a security realm that uses certificates for authentication, this is a
--    finding.
-diff --git a/eap6/guide/eap6/jboss_eap_configure_offloading_max/rule.yml b/eap6/guide/eap6/jboss_eap_configure_offloading_max/rule.yml
-deleted file mode 100644
-index ab21300c16..0000000000
---- a/eap6/guide/eap6/jboss_eap_configure_offloading_max/rule.yml
-+++ /dev/null
-@@ -1,39 +0,0 @@
--documentation_complete: true
--
--title: 'Configure JBoss Log Off-Loading Frequency'
--
--description: |-
--    Configure the application server to off-load log records every seven days onto
--    a different system or media from the system being logged.
--
--rationale: |-
--    JBoss logs by default are written to the local file system. A centralized
--    logging solution like syslog should be used whenever possible; however, any log
--    data stored to the file system needs to be off-loaded. JBoss EAP does not
--    provide an automated backup capability. Instead, reliance is placed on OS or
--    third-party tools to back up or off-load the log files.
--    <br /><br />
--    Protection of log data
--    includes assuring log data is not accidentally lost or deleted. Off-loading log
--    records to a different system or onto separate media from the system the
--    application server is actually running on helps to assure that, in the event of
--    a catastrophic system failure, the log records will be retained.
--
--severity: medium
--
--identifiers:
--    cce: CCE-80463-3
--
--references:
--    disa: CCI-001348
--    srg: SRG-APP-000125-AS-000084
--    stigid: JBOS-AS-000195
--
--ocil_clause: 'it is not'
--
--ocil: |-
--    Interview the system admin and obtain details on how the log files are being
--    off-loaded to a different system or media.
--    <br /><br />
--    If the log files are not off-loaded
--    a minimum of every 7 days, this is a finding.
-diff --git a/eap6/guide/eap6/jboss_eap_configure_ports/rule.yml b/eap6/guide/eap6/jboss_eap_configure_ports/rule.yml
-deleted file mode 100644
-index 272648843e..0000000000
---- a/eap6/guide/eap6/jboss_eap_configure_ports/rule.yml
-+++ /dev/null
-@@ -1,60 +0,0 @@
--documentation_complete: true
--
--title: 'Configure JBoss Management and Application Ports'
--
--description: |-
--    Open the EAP web console by pointing a web browser to <pre>HTTPS://<i>Servername</i>:9990</pre>
--    Log on to the admin console using admin credentials
--    Select the
--    <tt>Configuration</tt> tab
--    Expand the <tt>General Configuration</tt> sub
--    system by clicking on the <tt>+</tt>
--    Select <tt>Socket Binding</tt>
--    Select the
--    <tt>View</tt> option next to <tt>standard-sockets</tt>
--    Select
--    <tt>Inbound</tt>
--    <br /><br />
--    Select the port that needs to be reconfigured and select
--    <tt>Edit</tt>.
--
--rationale: |-
--    Some networking protocols may not meet organizational security requirements to
--    protect data and components.
--    <br /><br />
--    Application servers natively host a number of
--    various features, such as management interfaces, httpd servers and message
--    queues. These features all run on TCPIP ports. This creates the potential that
--    the vendor may choose to utilize port numbers or network services that have been
--    deemed unusable by the organization. The application server must have the
--    capability to both reconfigure and disable the assigned ports without adversely
--    impacting application server operation capabilities.
--
--severity: medium
--
--identifiers:
--    cce: CCE-80472-4
--
--references:
--    disa: CCI-000382
--    srg: SRG-APP-000142-AS-000014
--    stigid: JBOS-AS-000255
--
--ocil_clause: 'it is not'
--
--ocil: |-
--    Open the EAP web console by pointing a web browser to <pre>HTTPS://<i>Servername</i>:9443</pre>
--    or <pre>HTTP://<i>Servername</i>:9990</pre>
--    <br /><br />
--    Log on to the admin console using admin credentials
--    Select the <tt>Configuration</tt> tab
--    Expand the <tt>General Configuration</tt> sub system by clicking on the <tt>+</tt>
--    Select <tt>Socket Binding</tt>
--    Select the <tt>View</tt> option next to <tt>standard-sockets</tt>
--    Select <tt>Inbound</tt>
--    <br /><br />
--    Review the configured ports and
--    determine if they are all approved by the PPSM CAL.
--    <br /><br />
--    If all the ports are not
--    approved by the PPSM CAL, this is a finding.
-diff --git a/eap6/guide/eap6/jboss_eap_configure_secure_management_access/rule.yml b/eap6/guide/eap6/jboss_eap_configure_secure_management_access/rule.yml
-deleted file mode 100644
-index 6b2e354b7c..0000000000
---- a/eap6/guide/eap6/jboss_eap_configure_secure_management_access/rule.yml
-+++ /dev/null
-@@ -1,53 +0,0 @@
--documentation_complete: true
--
--title: 'Enable HTTPS for Management Sessions'
--
--description: |-
--    Follow the specific instructions in the Red Hat Security Guide for EAP version
--    6.3 to configure the management console for HTTPS.
--    <br /><br />
--    This involves the following steps.
--    1. Create a keystore in JKS format.
--    2. Ensure the management console binds to HTTPS.
--    3. Create a new Security Realm.
--    4. Configure Management Interface to use new security realm.
--    5. Configure the management console to use the keystore.
--    6. Restart the EAP server.
--
--rationale: |-
--    Types of management interfaces utilized by the JBoss EAP application server
--    include web-based HTTP interfaces as well as command line-based management
--    interfaces. In the event remote HTTP management is required, the access must be
--    via HTTPS.
--    <br /><br />
--    This requirement is in conjunction with the requirement to isolate
--    all management access to a restricted network.
--
--severity: medium
--
--identifiers:
--    cce: CCE-80450-0
--
--references:
--    disa: CCI-000068
--    srg: SRG-APP-000014-AS-000009
--    stigid: JBOS-AS-000010
--
--ocil_clause: 'it is not'
--
--ocil: |-
--    Log on to the OS of the JBoss server with OS permissions that allow access to
--    JBoss. Using the relevant OS commands and syntax, cd to the
--    <tt>&lt;JBOSS_HOME&gt;/bin/</tt>
--    folder. Run the <pre>jboss-cli</pre> script. Connect to the server and authenticate.
--    <br /><br />
--    For a standalone configuration run the following command:
--    <pre>ls /core-service=management/management-interface=http-interface</pre>
--    <br /><br />
--    If <pre>"secure-socket-binding"=undefined</pre>, this is a finding.
--    <br /><br />
--    For a domain configuration run
--    the following command:
--    <pre>ls /host=master/core-service=management/management-interface=http-interface</pre>
--    <br /><br />
--    If <tt>secure-port</tt> is undefined, this is a finding.
-diff --git a/eap6/guide/eap6/jboss_eap_configure_security_manager/oval/eap6.xml b/eap6/guide/eap6/jboss_eap_configure_security_manager/oval/eap6.xml
-deleted file mode 100644
-index ff58454341..0000000000
---- a/eap6/guide/eap6/jboss_eap_configure_security_manager/oval/eap6.xml
-+++ /dev/null
-@@ -1,43 +0,0 @@
--<def-group>
--  <definition version="1" class="compliance" id="jboss_eap_configure_security_manager">
--    <metadata>
--      <title>JBoss Enterprise Application Platform 6 Security Manager</title>
--      <description>Java security manager must be installed</description>
--      <affected family="undefined">
--        <platform>JBoss Enterprise Application Platform 6</platform>
--      </affected>
--    </metadata>
--    <criteria>
--      <criterion test_ref="test_eap_sec_mgr" />
--    </criteria>
--  </definition>
--
--  <ind:environmentvariable58_object id="obj_env_eap_sec_mgr_home" version="1">
--    <ind:pid xsi:nil="true" datatype="int" />
--    <ind:name>JBOSS_HOME</ind:name>
--  </ind:environmentvariable58_object>
--
--  <ind:textfilecontent54_test id="test_eap_sec_mgr" version="1" check="all" comment="Check EAP Security Manager">
--    <ind:object object_ref="obj_eap_sec_mgr" />
--    <ind:state state_ref="state_eap_sec_mgr" />
--  </ind:textfilecontent54_test>
--
--  <ind:textfilecontent54_object id="obj_eap_sec_mgr" version="1">
--    <ind:path var_ref="local_var_eap_sec_mgr_path"/>
--    <ind:filename>standalone.conf</ind:filename>
--    <ind:pattern operation="pattern match">^SECMGR="(.*)"</ind:pattern>
--    <ind:instance datatype="int">1</ind:instance>
--  </ind:textfilecontent54_object>
--
--  <ind:textfilecontent54_state id="state_eap_sec_mgr" version="1">
--    <ind:subexpression operation="pattern match">true</ind:subexpression>
--  </ind:textfilecontent54_state>
--
--  <local_variable id="local_var_eap_sec_mgr_path" version="1" datatype="string" comment="version location">
--    <concat>
--      <object_component object_ref="obj_env_eap_sec_mgr_home" item_field="value" />
--      <literal_component>/bin/</literal_component>
--    </concat>
--  </local_variable>
--
--</def-group>
-diff --git a/eap6/guide/eap6/jboss_eap_configure_security_manager/rule.yml b/eap6/guide/eap6/jboss_eap_configure_security_manager/rule.yml
-deleted file mode 100644
-index 65a676e55b..0000000000
---- a/eap6/guide/eap6/jboss_eap_configure_security_manager/rule.yml
-+++ /dev/null
-@@ -1,94 +0,0 @@
--documentation_complete: true
--
--title: 'Enable the Java Security Manager'
--
--description: |-
--    For a domain installation:
--    Enable the respective JAVA_OPTS flag in both the
--    domain.conf and the domain.conf.bat files.
--    <br /><br />
--    For a standalone installation:
--    Enable the respective JAVA_OPTS flag in both the standalone.conf and the
--    standalone.conf.bat files.
--
--rationale: |-
--    The Java Security Manager is a java class that manages the external boundary of
--    the Java Virtual Machine (JVM) sandbox, controlling how code executing within
--    the JVM can interact with resources outside the JVM.
--    <br /><br />
--    The Java Security Manager
--    uses a security policy to determine whether a given action will be
--    permitted or
--    denied.
--    <br /><br />
--    To protect the host system, the JBoss application server must be run
--    within the Java Security Manager.
--
--severity: high
--
--identifiers:
--    cce: CCE-80453-4
--
--references:
--    disa: CCI-000213
--    srg: SRG-APP-000033-AS-000024
--    stigid: JBOS-AS-000030
--
--ocil_clause: 'it is not'
--
--ocil: |-
--    To determine if the Java Security Manager is enabled for JBoss, you must
--    examine the startup commands. JBoss can be configured to run in either
--    <tt>domain</tt> or a <tt>standalone</tt> mode. <i>JBOSS_HOME</i> is the variable
--    home directory for the JBoss installation. Use relevant OS commands to navigate
--    the file system.
--    <br /><br />
--    A. For a managed domain installation, review the domain.conf
--    and domain.conf.bat files:
--    <br /><br />
--    <pre>JBOSS_HOME/bin/domain.conf
--    JBOSS_HOME/bin/domain.conf.bat</pre>
--    <br /><br />
--    In domain.conf file, ensure there is a JAVA_OPTS
--    flag that loads the Java Security Manager as well as a relevant Java Security
--    policy.  The following is an example:
--    <br /><br />
--    <pre>JAVA_OPTS="$JAVA_OPTS
--    -Djava.security.manager -Djava.security.policy==$PWD/server.policy
--    -Djboss.home.dir=/path/to/JBOSS_HOME -Djboss.modules.policy-
--    permissions=true"</pre>
--    <br /><br />
--    In domain.conf.bat file, ensure JAVA_OPTS flag is set.
--    The following is an example:
--    <br /><br />
--    set <pre>JAVA_OPTS="%JAVA_OPTS%
--    -Djava.security.manager -Djava.security.policy==/path/to/server.policy
--    -Djboss.home.dir=/path/to/JBOSS_HOME -Djboss.modules.policy-
--    permissions=true"</pre>
--    <br /><br />
--    B. For a standalone installation, review the
--    standalone.conf and standalone.conf.bat files:
--    <br /><br />
--    <pre>
--    JBOSS_HOME/bin/standalone.conf
--    JBOSS_HOME/bin/standalone.conf.bat
--    </pre>
--    <br /><br />
--    In the standalone.conf file, ensure the
--    JAVA_OPTS flag is set. The following is an example:
--    <br /><br />
--    <pre>
--    JAVA_OPTS="$JAVA_OPTS
--    -Djava.security.manager -Djava.security.policy==$PWD/server.policy
--    -Djboss.home.dir=$JBOSS_HOME -Djboss.modules.policy-permissions=true"</pre>
--    <br /><br />
--    In
--    the standalone.conf.bat file, ensure the JAVA_OPTS flag is set. The following
--    is an example:
--    <br /><br />
--    set <pre>JAVA_OPTS="%JAVA_OPTS% -Djava.security.manager
--    -Djava.security.policy==/path/to/server.policy -Djboss.home.dir=%JBOSS_HOME%
--    -Djboss.modules.policy-permissions=true"</pre>
--    <br /><br />
--    If the security manager is not
--    enabled and a security policy not defined, this is a finding.
-diff --git a/eap6/guide/eap6/jboss_eap_configure_security_realm/rule.yml b/eap6/guide/eap6/jboss_eap_configure_security_realm/rule.yml
-deleted file mode 100644
-index 3c52dbe107..0000000000
---- a/eap6/guide/eap6/jboss_eap_configure_security_realm/rule.yml
-+++ /dev/null
-@@ -1,67 +0,0 @@
--documentation_complete: true
--
--title: 'Secure the JBoss Management Interfaces'
--
--description: |-
--    Identify the security realm used for management of the system. By default,
--    this is called <tt>Management Realm</tt>.
--    <br /><br />
--    If a management security realm is not
--    already available, reference the Jboss EAP 6.3 system administration guide for
--    instructions on how to create a security realm for management purposes. Create
--    the management realm, and assign authentication and authorization access
--    restrictions to the management realm.
--    <br /><br />
--    Assign the management interfaces to the management realm.
--
--rationale: |-
--    JBoss utilizes the concept of security realms to secure the management
--    interfaces used for JBoss server administration. If the security realm
--    attribute is omitted or removed from the management interface definition, access
--    to that interface is no longer secure. The JBoss management interfaces must be
--    secured.
--
--severity: high
--
--identifiers:
--    cce: CCE-80458-3
--
--references:
--    disa: CCI-000213
--    srg: SRG-APP-000033-AS-000024
--    stigid: JBOS-AS-000075
--
--ocil_clause: 'it is not'
--
--ocil: |-
--    Log on to the OS of the JBoss server with OS permissions that allow access to
--    JBoss.
--    Using the relevant OS commands and syntax, cd to the <pre>&lt;JBOSS_HOME&gt;/bin/</pre>
--    folder.
--    Run the <pre>jboss-cli</pre> script.
--    Connect to the server and authenticate.
--    Identify the management interfaces. To identity the management interfaces, run
--    the following command:
--    <br /><br />
--    For standalone servers:
--    <pre>ls /core-service=management/management-interface=</pre>
--    <br /><br />
--    For managed domain installations:
--    <pre>ls /host=HOST_NAME/core-service=management/management-interface=</pre>
--    <br /><br />
--    By default,
--    JBoss provides two management interfaces; they are named <tt>NATIVE-INTERFACE</tt>
--    and <tt>HTTP-INTERFACE</tt>. The system may or may not have both
--    interfaces enabled. For each management interface listed as a result of the
--    previous command, append the name of the management interface to the end of the
--    following command.
--    <br /><br />
--    For a standalone system:
--    <br /><br />
--    <pre>ls /core-service=management/management-interface=&lt;MANAGEMENT INTERFACE NAME&gt;</pre>
--    <br /><br />
--    For a managed domain:
--    <pre>ls /host=HOST_NAME/core-service=management/management-interface=&lt;MANAGEMENT INTERFACE NAME&gt;</pre>
--    <br /><br />
--    If the <pre>security-realm=</pre> attribute is not
--    associated with a management realm, this is a finding.
-diff --git a/eap6/guide/eap6/jboss_eap_configure_syslog/oval/eap6.xml b/eap6/guide/eap6/jboss_eap_configure_syslog/oval/eap6.xml
-deleted file mode 100644
-index 782c16f4e2..0000000000
---- a/eap6/guide/eap6/jboss_eap_configure_syslog/oval/eap6.xml
-+++ /dev/null
-@@ -1,45 +0,0 @@
--<def-group>
--  <definition version="1" class="compliance" id="jboss_eap_configure_syslog">
--    <metadata>
--      <title>Configure JBoss to Use Syslog</title>
--      <description>EAP should be configured to export logs to syslog</description>
--      <affected family="undefined">
--        <platform>JBoss Enterprise Application Platform 6</platform>
--      </affected>
--    </metadata>
--    <criteria>
--      <criterion test_ref="test_jboss_eap_configure_syslog" />
--    </criteria>
--  </definition>
--
--  <ind:environmentvariable58_object id="obj_env_configure_syslog" version="1">
--    <ind:pid xsi:nil="true" datatype="int" />
--    <ind:name>JBOSS_HOME</ind:name>
--  </ind:environmentvariable58_object>
--
--  <local_variable id="local_var_configure_syslog_jboss_home" version="1" datatype="string" comment="version location">
--    <concat>
--      <object_component object_ref="obj_env_configure_syslog" item_field="value" />
--      <literal_component datatype="string">/standalone/configuration/</literal_component>
--    </concat>
--  </local_variable>
--
--  <local_variable id="local_var_profile_syslog" version="1" datatype="string" comment="configuration profile">
--    <concat>
--      <variable_component var_ref="var_jboss_profile" />
--      <literal_component datatype="string">.xml</literal_component>
--    </concat>
--  </local_variable>
--
--  <external_variable comment="external variable for Jboss profile" datatype="string" id="var_jboss_profile" version="1" />
--
--  <ind:xmlfilecontent_test id="test_jboss_eap_configure_syslog" version="1" check="all" comment="Check EAP for ">
--    <ind:object object_ref="obj_jboss_eap_configure_syslog_logs" />
--  </ind:xmlfilecontent_test>
--  <ind:xmlfilecontent_object id="obj_jboss_eap_configure_syslog_logs" version="1">
--    <ind:path var_ref="local_var_configure_syslog_jboss_home"/>
--    <ind:filename var_ref="local_var_profile_syslog" />
--    <ind:xpath>//*[name()='server']/*[name()='profile']/*[name()='subsystem']/*[name()='syslog-handler']</ind:xpath>
--  </ind:xmlfilecontent_object>
--
--</def-group>
-diff --git a/eap6/guide/eap6/jboss_eap_configure_syslog/rule.yml b/eap6/guide/eap6/jboss_eap_configure_syslog/rule.yml
-deleted file mode 100644
-index bc0e1a4822..0000000000
---- a/eap6/guide/eap6/jboss_eap_configure_syslog/rule.yml
-+++ /dev/null
-@@ -1,69 +0,0 @@
--documentation_complete: true
--
--title: 'Enable Logging to syslog'
--
--description: |-
--    Log on to the OS of the JBoss server with OS permissions that allow access to
--    JBoss.
--    Using the relevant OS commands and syntax, cd to the <tt>&lt;JBOSS_HOME&gt;/bin/</tt>
--    folder.
--    Run the <pre>jboss-cli</pre> script.
--    Connect to the server and authenticate.
--    Run
--    the command:
--    <br /><br />
--    Standalone configuration:
--    <pre>ls /subsystem=logging/syslog-handler=</pre>
--    <br /><br />
--    Domain configuration:
--    <pre>ls /profile=default/subsystem=logging/syslog-handler=</pre>
--    <br /><br />
--    If no values are returned, this is a finding.
--
--rationale: |-
--    Information system logging capability is critical for accurate forensic
--    analysis. Log record content that may be necessary to satisfy the requirement of
--    this control includes, but is not limited to, time stamps, source and
--    destination IP addresses, user/process identifiers, event descriptions,
--    application-specific events, success/fail indications, filenames involved,
--    access control or flow control rules invoked.
--    <br /><br />
--    Off-loading is a common process
--    in information systems with limited log storage capacity.
--    <br /><br />
--    Centralized
--    management of log records provides for efficiency in maintenance and management
--    of records, as well as the backup and archiving of those records. Application
--    servers and their related components are required to off-load log records onto a
--    different system or media than the system being logged.
--
--severity: medium
--
--identifiers:
--    cce: CCE-80488-0
--
--references:
--    disa: CCI-001851
--    srg: SRG-APP-000358-AS-000064
--    stigid: JBOS-AS-000505
--
--ocil_clause: 'it is not'
--
--ocil: |-
--    Log on to the OS of the JBoss server with OS permissions that allow access to
--    JBoss.
--    Using the relevant OS commands and syntax, cd to the <tt>&lt;JBOSS_HOME&gt;/bin/</tt>
--    folder.
--    Run the <pre>jboss-cli</pre> script.
--    Connect to the server and authenticate.
--    Run the command:
--    <br /><br />
--    Standalone configuration:
--    <pre>ls /subsystem=logging/syslog-handler=</pre>
--    <br /><br />
--    Domain configuration:
--    <pre>ls /profile=<i>specify</i>/subsystem=logging/syslog-handler=</pre>
--    Where <i>specify</i> = the
--    selected application server profile of; default,full, full-ha or ha.
--    <br /><br />
--    If no values are returned, this is a finding.
-diff --git a/eap6/guide/eap6/jboss_eap_configure_user_permissions/rule.yml b/eap6/guide/eap6/jboss_eap_configure_user_permissions/rule.yml
-deleted file mode 100644
-index 69839b549f..0000000000
---- a/eap6/guide/eap6/jboss_eap_configure_user_permissions/rule.yml
-+++ /dev/null
-@@ -1,50 +0,0 @@
--documentation_complete: true
--
--title: 'Configure mgmt-users.properties File Permissions'
--
--description: "Configure the file permissions to allow access to authorized users only.\nOwner can be full access. Group can be full access. \nAll others must have execute\npermissions only."
--
--rationale: |-
--    The mgmt-users.properties file contains the password hashes of all users who
--    are in a management role and must be protected. Application servers have the
--    ability to specify that the hosted applications utilize shared libraries. The
--    application server must have a capability to divide roles based upon duties
--    wherein one project user (such as a developer) cannot modify the shared library
--    code of another project user. The application server must also be able to
--    specify that non-privileged users cannot modify any shared library code at
--    all.
--
--severity: medium
--
--identifiers:
--    cce: CCE-80464-1
--
--references:
--    disa: CCI-001499
--    srg: SRG-APP-000133-AS-000092
--    stigid: JBOS-AS-000210
--
--ocil_clause: 'it is not'
--
--ocil: |-
--    The mgmt-users.properties files are located in the standalone or domain
--    configuration folder.
--    <br /><br />
--    <pre>
--    &lt;JBOSS_HOME&gt;/domain/configuration/mgmt-users.properties.
--    &lt;JBOSS_HOME&gt;/standalone/configuration/mgmt-users.properties.
--    </pre>
--    <br /><br />
--    Identify users who
--    have access to the files using relevant OS commands.
--    <br /><br />
--    Obtain documentation from
--    system admin identifying authorized users.
--    <br /><br />
--    Owner can be full access. Group can be full access.
--    All others must have execute permissions only.
--    <br /><br />
--    If the file
--    permissions are not configured so as to restrict access to only authorized
--    users, or if documentation that identifies authorized users is missing, this is
--    a finding.
-diff --git a/eap6/guide/eap6/jboss_eap_configure_user_roles/rule.yml b/eap6/guide/eap6/jboss_eap_configure_user_roles/rule.yml
-deleted file mode 100644
-index 32793dbc69..0000000000
---- a/eap6/guide/eap6/jboss_eap_configure_user_roles/rule.yml
-+++ /dev/null
-@@ -1,56 +0,0 @@
--documentation_complete: true
--
--title: 'Configure JBoss User Roles'
--
--description: |-
--    Document approved management users and their roles. Configure the application
--    server to use RBAC and ensure users are placed into the appropriate roles.
--
--rationale: |-
--    Security realms are a series of mappings between users and passwords and users
--    and roles. There are 2 JBoss security realms provided by default; they are
--    <tt>management realm</tt> and <tt>application realm</tt>.
--    <br /><br />
--    Management realm
--    stores authentication information for the management API, which provides
--    functionality for the web-based management console and the management command
--    line interface (CLI).
--    <br /><br />
--    mgmt-groups.properties stores user to group mapping for
--    the ManagementRealm but only when role-based access controls (RBAC) is enabled.
--    If management users are not in the appropriate role, unauthorized access to
--    JBoss resources can occur.
--
--severity: medium
--
--identifiers:
--    cce: CCE-80455-9
--
--references:
--    disa: CCI-000213
--    srg: SRG-APP-000033-AS-000024
--    stigid: JBOS-AS-000040
--
--ocil_clause: 'it is not'
--
--ocil: |-
--    Review the <tt>mgmt-users.properties</tt> file.  Also review the <tt>&lt;management /&gt;</tt> section
--    in the standalone.xml or domain.xml configuration files. The relevant xml file
--    will depend on if the JBoss server is configured in standalone or domain mode.
--    Ensure all users listed in these files are approved for management access to the
--    JBoss server and are in the appropriate role.
--    <br /><br />
--    For domain configurations:
--    <pre>
--    &lt;JBOSS_HOME&gt;/domain/configuration/mgmt-users.properties.
--    &lt;JBOSS_HOME&gt;/domain/configuration/domain.xml
--    </pre>
--    <br /><br />
--    For standalone configurations:
--    <pre>
--    &lt;JBOSS_HOME&gt;/standalone/configuration/mgmt-users.properties.
--    &lt;JBOSS_HOME&gt;/standalone/configuration/standalone.xml
--    </pre>
--    <br /><br />
--    If the users listed are
--    not in the appropriate role, this is a finding.
-diff --git a/eap6/guide/eap6/jboss_eap_disable_analytics/rule.yml b/eap6/guide/eap6/jboss_eap_disable_analytics/rule.yml
-deleted file mode 100644
-index 863824afa4..0000000000
---- a/eap6/guide/eap6/jboss_eap_disable_analytics/rule.yml
-+++ /dev/null
-@@ -1,40 +0,0 @@
--documentation_complete: true
--
--title: 'Disable Google Analytics'
--
--description: |-
--    Using the EAP web console, log on using admin credentials.
--    On the bottom right-hand side of the screen, select <tt>Settings</tt>,
--    uncheck the <tt>Enable Data Usage Collection</tt> box, and save the
--    configuration.
--
--rationale: |-
--    The Google Analytics feature aims to help Red Hat EAP team understand how
--    customers are using the console and which parts of the console matter the most
--    to the customers. This information will, in turn, help the team to adapt the
--    console design, features, and content to the immediate needs of the customers.
--    Sending analytical data to the vendor introduces risk of unauthorized data
--    exfiltration. This capability must be disabled.
--
--severity: medium
--
--identifiers:
--    cce: CCE-80466-6
--
--references:
--    disa: CCI-000381
--    srg: SRG-APP-000141-AS-000095
--    stigid: JBOS-AS-000225
--
--ocil_clause: 'it is not'
--
--ocil: |-
--    Open the EAP web console by pointing a web browser to
--    <pre>HTTPS://<i>SERVERNAME</i>:9443</pre>
--    or <pre>HTTP://<i>SERVERNAME</i>:9990</pre>
--    <br /><br />
--    Log on to the admin console using admin
--    credentials.
--    On the bottom right-hand side of the screen, select <tt>Settings</tt>.
--    If the <tt>Enable Data Usage Collection</tt> box is checked, this is a
--    finding.
-diff --git a/eap6/guide/eap6/jboss_eap_disable_automatic_deployment/rule.yml b/eap6/guide/eap6/jboss_eap_disable_automatic_deployment/rule.yml
-deleted file mode 100644
-index 1d52804bca..0000000000
---- a/eap6/guide/eap6/jboss_eap_disable_automatic_deployment/rule.yml
-+++ /dev/null
-@@ -1,55 +0,0 @@
--documentation_complete: true
--
--title: 'Disable Automatic Deployment'
--
--description: |-
--    Determine the JBoss server configuration as being either standalone or domain.
--    Launch the relevant jboss-cli management interface substituting standalone or
--    domain for <i>CONFIG</i>
--    <br /><br />
--    <pre>&lt;JBOSS_HOME&gt;/<i>CONFIG</i>/bin/jboss-cli</pre>
--    <br /><br />
--    connect to the server and run the command:
--    <pre>/subsystem=deployment-scanner/scanner=default:write-attribute(name=scan-enabled,value.)</pre>
--
--rationale: |-
--    When dealing with access restrictions pertaining to change control, it should
--    be noted that any changes to the software and/or application server
--    configuration can potentially have significant effects on the overall security
--    of the system.
--    <br /><br />
--    Access restrictions for changes also include application
--    software libraries.
--    <br /><br />
--    If the application server provides automatic code
--    deployment capability, (where updates to applications hosted on the application
--    server are automatically performed, usually by the developers' IDE tool), it
--    must also provide a capability to restrict the use of automatic application
--    deployment. Automatic code deployments are allowable in a development
--    environment, but not in production.
--
--severity: medium
--
--identifiers:
--    cce: CCE-80489-8
--
--references:
--    disa: CCI-001813
--    srg: SRG-APP-000380-AS-000088
--    stigid: JBOS-AS-000545
--
--ocil_clause: 'it is not'
--
--ocil: |-
--    Log on to the OS of the JBoss server with OS permissions that allow access to
--    JBoss.
--    Using the relevant OS commands and syntax, cd to the <tt>&lt;JBOSS_HOME&gt;/bin/</tt>
--    folder.
--    Run the <pre>jboss-cli</pre> script.
--    Connect to the server and authenticate.
--    Run
--    the command:
--    <br /><br />
--    <pre>ls /subsystem=deployment-scanner/scanner=default</pre>
--    <br /><br />
--    If <pre>"scan-enabled"=true</pre>, this is a finding.
-diff --git a/eap6/guide/eap6/jboss_eap_disable_domain_admin_console/rule.yml b/eap6/guide/eap6/jboss_eap_disable_domain_admin_console/rule.yml
-deleted file mode 100644
-index 2bc97d9cba..0000000000
---- a/eap6/guide/eap6/jboss_eap_disable_domain_admin_console/rule.yml
-+++ /dev/null
-@@ -1,51 +0,0 @@
--documentation_complete: true
--
--title: 'Disable Network Access to the Admin Console'
--
--description: |-
--    Run the <pre>&lt;JBOSS_HOME&gt;/bin/jboss-clii</pre> command line interface utility.
--    Connect to
--    the JBoss server and run the following command.
--    <pre>/core-service=management/management-interface=httpinterface/:write-attribute(name=console-enabled,value.)</pre>
--    <br /><br />
--    Successful command execution returns
--    <pre>{"outcome" =&gt; success"}</pre>,
--    and future attempts to access the management console via web
--    browser at <tt><i>SERVERNAME</i>:9990</tt> will result in no access to the admin console.
--
--rationale: |-
--    When configuring JBoss application servers into a domain configuration, HTTP
--    management capabilities are not required on domain member servers as management
--    is done via the server that has been designated as the domain controller.
--    Leaving HTTP management capabilities enabled on domain member servers increases
--    the attack surfaces; therefore, management services on domain member servers
--    must be disabled and management services performed via the domain
--    controller.
--
--severity: medium
--
--identifiers:
--    cce: CCE-80486-4
--
--references:
--    disa: CCI-002322
--    srg: SRG-APP-000316-AS-000199
--    stigid: JBOS-AS-000470
--
--ocil_clause: 'it is not'
--
--ocil: |-
--    Log on to each of the JBoss domain member servers.
--    <br /><br />
--    Note: Sites that manage
--    systems using the JBoss Operations Network client require HTTP interface access.
--    It is acceptable that the management console alone be disabled rather than
--    disabling the entire interface itself.
--    <br /><br />
--    Run the <pre>&lt;JBOSS_HOME&gt;/bin/jboss-cli</pre>
--    command line interface utility and connect to the JBoss server.
--    Run the
--    following command:
--    <pre>ls /core-service=management/management-interface=httpinterface/</pre>
--    <br /><br />
--    If <pre>console-enabled=true</pre>, this is a finding.
-diff --git a/eap6/guide/eap6/jboss_eap_disable_replace_welcome_page/rule.yml b/eap6/guide/eap6/jboss_eap_disable_replace_welcome_page/rule.yml
-deleted file mode 100644
-index 1ac7ad45a8..0000000000
---- a/eap6/guide/eap6/jboss_eap_disable_replace_welcome_page/rule.yml
-+++ /dev/null
-@@ -1,48 +0,0 @@
--documentation_complete: true
--
--title: 'Disable or Replace the JBoss Welcome Page'
--
--description: |-
--    Use the Management CLI script <pre>$JBOSS_HOME/bin/jboss-cli.sh</pre> to run the following
--    command. You may need to change the profile to modify a different managed domain
--    profile, or remove the <pre>/profile=default</pre> portion of the command for a
--    standalone server.
--    <br /><br />
--    <pre>/profile=default/subsystem=web/virtual-server=default-host:writeattribute(name=enable-welcome-root,value.)</pre>
--    <br /><br />
--    To configure
--    your web application to use the root context (/) as its URL address, modify the
--    applications jboss-web.xml, which is located in the applications <tt>META-INF/</tt> or
--    <tt>WEB-INF/</tt> directory. Replace its <tt>&lt;context-root&gt;</tt> directive with one that looks
--    like the following:
--    <br /><br />
--    <pre>
--    <jboss-web>
--        <context-root>/</context-root>
--    </jboss-web>
--    </pre>
--
--rationale: |-
--    The Welcome to JBoss web page provides a redirect to the JBoss admin console,
--    which, by default, runs on TCP 9990 as well as redirects to the Online User
--    Guide and Online User Groups hosted at locations on the Internet. The welcome
--    page is unnecessary and should be disabled or replaced with a valid web
--    page.
--
--severity: low
--
--identifiers:
--    cce: CCE-80470-8
--
--references:
--    disa: CCI-000381
--    srg: SRG-APP-000141-AS-000095
--    stigid: JBOS-AS-000245
--
--ocil_clause: 'it is not'
--
--ocil: |-
--    Use a web browser and browse to <pre>HTTP://JBOSS SERVER IP ADDRESS:8080</pre>
--    <br /><br />
--    If the
--    JBoss Welcome page is displayed, this is a finding.
-diff --git a/eap6/guide/eap6/jboss_eap_enable_rbac/rule.yml b/eap6/guide/eap6/jboss_eap_enable_rbac/rule.yml
-deleted file mode 100644
-index b1f33d2c8f..0000000000
---- a/eap6/guide/eap6/jboss_eap_enable_rbac/rule.yml
-+++ /dev/null
-@@ -1,55 +0,0 @@
--documentation_complete: true
--
--title: 'Enable Role Based Access Control (RBAC)'
--
--description: |-
--    Run the following command.
--    <pre>&lt;JBOSS_HOME&gt;/bin/jboss-cli.sh -c -&gt; connect -&gt; cd
--    /core-service=management/access-authorization :write-attribute(name=provider,
--    value=rbac)</pre>
--    <br /><br />
--    Restart JBoss.
--    <br /><br />
--    Map users to roles by running the following
--    command. Upper-case words are variables.
--    <br /><br />
--    <pre>role-mapping=ROLENAME/include=ALIAS:add(name-USERNAME, type=USER ROLE)</pre>
--
--rationale: |-
--    By default, the JBoss server is not configured to utilize role based access
--    controls (RBAC). RBAC provides the capability to restrict user access to their
--    designated management role, thereby limiting access to only the JBoss
--    functionality that they are supposed to have. Without RBAC, the JBoss server is
--    not able to enforce authorized access according to role.
--
--severity: high
--
--identifiers:
--    cce: CCE-80454-2
--
--references:
--    disa: CCI-000213,CCI-002235
--    srg: SRG-APP-000033-AS-000024,SRG-APP-000340-AS-000185
--    stigid: JBOS-AS-000035
--
--ocil_clause: 'it is not'
--
--ocil: |-
--    Log on to the OS of the JBoss server with OS permissions that allow access to
--    JBoss.
--    Using the relevant OS commands and syntax, cd to the
--    <pre>&lt;JBOSS_HOME&gt;/bin/</pre>
--    folder. Run the jboss-cli script.
--    Connect to the server and authenticate.
--    <br /><br />
--    Run the following command:
--    <br /><br />
--    For standalone servers:
--    <pre>ls /core-service=management/access=authorization/</pre>
--    <br /><br />
--    For managed domain
--    installations:
--    <pre>ls /host=master/core-service=management/access=authorization/</pre>
--    <br /><br />
--    If the <tt>provider</tt>
--    attribute is not set to <tt>rbac</tt>, this is a finding.
-diff --git a/eap6/guide/eap6/jboss_eap_encrypt_keystore_passwords/rule.yml b/eap6/guide/eap6/jboss_eap_encrypt_keystore_passwords/rule.yml
-deleted file mode 100644
-index aba5971d7d..0000000000
---- a/eap6/guide/eap6/jboss_eap_encrypt_keystore_passwords/rule.yml
-+++ /dev/null
-@@ -1,46 +0,0 @@
--documentation_complete: true
--
--title: 'Encrypt JBoss Keystore Passwords'
--
--description: |-
--    Configure the application server to mask the java keystore password as per the
--    procedure described in section 11.13.3 -Password Vault System in the
--    JBoss_Enterprise_Application_Platform-6.3
--    -Administration_and_Configuration_Guide-en-US document.
--
--rationale: |-
--    Access to the JBoss Password Vault must be secured, and the password used to
--    access must be encrypted. There is a specific process used to generate the
--    encrypted password hash. This process must be followed in order to store the
--    password in an encrypted format.
--    <br /><br />
--    The admin must utilize this process in order
--    to ensure the Keystore password is encrypted.
--
--severity: medium
--
--identifiers:
--    cce: CCE-80479-9
--
--references:
--    disa: CCI-000196
--    srg: SRG-APP-000171-AS-000119
--    stigid: JBOS-AS-000300
--
--ocil_clause: 'it is not'
--
--ocil: |-
--    The default location for the keystore used by the JBoss vault is the
--    <tt>&lt;JBOSS_HOME&gt;/vault/</tt> folder.
--    <br /><br />
--    If a vault keystore has been created, by default it
--    will be in the file: <tt>&lt;JBOSS_HOME&gt;/vault/vault.keystore</tt>. The file stores a
--    single key, with the default alias vault, which will be used to store encrypted
--    strings, such as passwords, for JBoss EAP.
--    <br /><br />
--    Have the system admin provide the
--    procedure used to encrypt the keystore password that unlocks the keystore.
--    <br /><br />
--    If
--    the system administrator is unable to demonstrate or provide written process
--    documentation on how to encrypt the keystore password, this is a finding.
-diff --git a/eap6/guide/eap6/jboss_eap_file_permissions/oval/eap6.xml b/eap6/guide/eap6/jboss_eap_file_permissions/oval/eap6.xml
-deleted file mode 100644
-index 1fb3ab2d7f..0000000000
---- a/eap6/guide/eap6/jboss_eap_file_permissions/oval/eap6.xml
-+++ /dev/null
-@@ -1,45 +0,0 @@
--<def-group>
--  <definition class="compliance" id="jboss_eap_file_permissions" version="2">
--    <metadata>
--      <title>Configure JBoss Directory Permissions</title>
--      <affected family="undefined">
--        <platform>JBoss Enterprise Application Platform 6</platform>
--      </affected>
--      <description>File permissions for JBOSS_HOME should be set correctly.</description>
--    </metadata>
--    <criteria>
--      <criterion test_ref="test_jboss_eap_file_permissions" />
--    </criteria>
--  </definition>
--
--  <ind:environmentvariable58_object id="obj_env_jboss_eap_file_permissions" version="1">
--    <ind:pid xsi:nil="true" datatype="int" />
--    <ind:name>JBOSS_HOME</ind:name>
--  </ind:environmentvariable58_object>
--
--  <local_variable id="local_var_jboss_eap_file_permissions" version="1" datatype="string" comment="JBOSS_HOME location">
--    <concat>
--      <object_component object_ref="obj_env_jboss_eap_file_permissions" item_field="value" />
--      <literal_component datatype="string">/</literal_component>
--    </concat>
--  </local_variable>
--
--  <!-- check folders -->
--  <unix:file_test check="all" check_existence="all_exist" id="test_jboss_eap_file_permissions" version="1" comment="testing that the all files have the required permissions">
--    <unix:object object_ref="object_jboss_eap_file_permissions" />
--    <unix:state state_ref="state_jboss_eap_file_permissions" />
--  </unix:file_test>
--
--  <unix:file_object id="object_jboss_eap_file_permissions" version="1" comment="JBOSS_HOME">
--    <unix:behaviors recurse="directories" recurse_direction="down" recurse_file_system="local" /> <!-- recurse, don't just test that folder -->
--    <unix:path var_ref="local_var_jboss_eap_file_permissions" />
--    <unix:filename operation="pattern match">.+</unix:filename>
--  </unix:file_object>
--
--  <!-- single shared condition -->
--  <unix:file_state id="state_jboss_eap_file_permissions" version="1" comment="checks for o-rw">
--    <unix:oread datatype="boolean">false</unix:oread>
--    <unix:owrite datatype="boolean">false</unix:owrite>
--  </unix:file_state> 
--
--</def-group>
-diff --git a/eap6/guide/eap6/jboss_eap_file_permissions/rule.yml b/eap6/guide/eap6/jboss_eap_file_permissions/rule.yml
-deleted file mode 100644
-index f8837501f4..0000000000
---- a/eap6/guide/eap6/jboss_eap_file_permissions/rule.yml
-+++ /dev/null
-@@ -1,55 +0,0 @@
--documentation_complete: true
--
--title: 'Configure JBoss Application File Permissions'
--
--description: |-
--    Configure file permissions on the JBoss folder to protect from unauthorized
--    access.
--
--rationale: |-
--    The JBoss EAP Application Server is a Java-based AS. It is installed on the OS
--    file system and depends upon file system access controls to protect application
--    data at rest. The file permissions set on the JBoss EAP home folder must be
--    configured so as to limit access to only authorized people and processes. The
--    account used for operating the JBoss server and any designated administrative or
--    operational accounts are the only accounts that should have access.
--    <br /><br />
--    When data
--    is written to digital media such as hard drives, mobile computers,
--    external/removable hard drives, personal digital assistants, flash/thumb drives,
--    etc., there is risk of data loss and data compromise. Steps must be taken to
--    ensure data stored on the device is protected.
--
--severity: medium
--
--identifiers:
--    cce: CCE-80484-9
--
--references:
--    disa: CCI-001199
--    srg: SRG-APP-000231-AS-000133
--    stigid: JBOS-AS-000400
--
--ocil_clause: 'it is not'
--
--ocil: |-
--    By default, JBoss installs its files into a folder called <tt>jboss-eap-6.3</tt>.
--    This folder by default is stored within the home folder of the JBoss user
--    account. The installation process, however, allows for the override of default
--    values to obtain folder and user account information from the system admin.
--    <br /><br />
--    Log
--    on with a user account with JBoss access and permissions.
--    <br /><br />
--    Navigate to the <tt>Jboss-eap-6.3</tt>
--    folder using the relevant OS commands for either a UNIX-
--    like OS or a Windows OS.
--    <br /><br />
--    Examine the permissions of the JBoss folder.
--    <br /><br />
--    Owner can be full access. Group can be full access.
--    All others must be restricted to
--    execute access or no permission.
--    <br /><br />
--    If the JBoss folder is world readable or world
--    writeable, this is a finding.
-diff --git a/eap6/guide/eap6/jboss_eap_log_deployments/rule.yml b/eap6/guide/eap6/jboss_eap_log_deployments/rule.yml
-deleted file mode 100644
-index 9a0d46809e..0000000000
---- a/eap6/guide/eap6/jboss_eap_log_deployments/rule.yml
-+++ /dev/null
-@@ -1,53 +0,0 @@
--documentation_complete: true
--
--title: 'Log Application Deployments'
--
--description: |-
--    Launch the jboss-cli management interface substituting standalone or domain for
--    <i>CONFIG</i> based upon the server installation.
--    <br /><br />
--    <pre>&lt;JBOSS_HOME&gt;/<i>CONFIG</i>/bin/jboss-cli</pre>
--    <br /><br />
--    connect to the server and run the following command:
--    <br /><br />
--    <pre>/core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)</pre>
--
--rationale: |-
--    Without logging the enforcement of access restrictions against changes to the
--    application server configuration, it will be difficult to identify attempted
--    attacks, and a log trail will not be available for forensic investigation for
--    after-the-fact actions. Configuration changes may occur to any of the modules
--    within the application server through the management interface, but logging of
--    actions to the configuration of a module outside the application server is not
--    logged.
--    <br /><br />
--    Enforcement actions are the methods or mechanisms used to prevent
--    unauthorized changes to configuration settings. Enforcement action methods may
--    be as simple as denying access to a file based on the application of file
--    permissions (access restriction). Log items may consist of lists of actions
--    blocked by access restrictions or changes identified after the fact.
--
--severity: medium
--
--identifiers:
--    cce: CCE-80490-6
--
--references:
--    disa: CCI-001814
--    srg: SRG-APP-000381-AS-000089
--    stigid: JBOS-AS-000550
--
--ocil_clause: 'it is not'
--
--ocil: |-
--    Log on to the OS of the JBoss server with OS permissions that allow access to
--    JBoss.
--    Using the relevant OS commands and syntax, cd to the <tt>&lt;JBOSS_HOME&gt;/bin/</tt>
--    folder.
--    Run the <pre>jboss-cli</pre> script.
--    Connect to the server and authenticate.
--    Run the command:
--    <br /><br />
--    <pre>ls /core-service=management/access=audit/logger=audit-log</pre>
--    <br /><br />
--    If <pre>"enabled" =.</pre>, this is a finding.
-diff --git a/eap6/guide/eap6/jboss_eap_logs_permissions/oval/eap6.xml b/eap6/guide/eap6/jboss_eap_logs_permissions/oval/eap6.xml
-deleted file mode 100644
-index 7ac1bc5df5..0000000000
---- a/eap6/guide/eap6/jboss_eap_logs_permissions/oval/eap6.xml
-+++ /dev/null
-@@ -1,60 +0,0 @@
--<def-group>
--  <definition class="compliance" id="jboss_eap_logs_permissions" version="2">
--    <metadata>
--      <title>Configure JBoss Log Directory Permissions</title>
--      <affected family="undefined">
--        <platform>JBoss Enterprise Application Platform 6</platform>
--      </affected>
--      <description>File permissions for JBOSS_HOME/standalone/log should be set correctly.</description>
--    </metadata>
--    <criteria operator="AND">
--      <criterion test_ref="test_jboss_eap_logs_permissions_folder" />
--      <criterion test_ref="test_jboss_eap_logs_permissions_files" />
--    </criteria>
--  </definition>
--
--  <ind:environmentvariable58_object id="obj_env_jboss_eap_logs_permissions" version="1">
--    <ind:pid xsi:nil="true" datatype="int" />
--    <ind:name>JBOSS_HOME</ind:name>
--  </ind:environmentvariable58_object>
--
--  <local_variable id="local_var_jboss_eap_logs_permissions_folder" version="1" datatype="string" comment="configuration location">
--    <concat>
--      <object_component object_ref="obj_env_jboss_eap_logs_permissions" item_field="value" />
--      <literal_component datatype="string">/standalone/log</literal_component>
--    </concat>
--  </local_variable>
--
--  <!-- check folders -->
--  <unix:file_test check="all" check_existence="all_exist" id="test_jboss_eap_logs_permissions_folder" version="1" comment="testing that the folder has the required permissions">
--    <unix:object object_ref="object_jboss_eap_logs_permissions_folder" />
--    <unix:state state_ref="state_jboss_eap_logs_permissions" />
--  </unix:file_test>
--
--  <unix:file_object id="object_jboss_eap_logs_permissions_folder" version="1" comment="JBOSS_HOME/standalone/log">
--    <unix:path var_ref="local_var_jboss_eap_logs_permissions_folder" />
--    <unix:filename xsi:nil="true"/> <!-- xsi:nil tests the folder -->
--  </unix:file_object>
--
--  <!-- check files -->
--  <unix:file_test check="all" check_existence="all_exist" id="test_jboss_eap_logs_permissions_files" version="1" comment="testing that the folder has the required permissions">
--    <unix:object object_ref="object_jboss_eap_logs_permissions_files" />
--    <unix:state state_ref="state_jboss_eap_logs_permissions" />
--  </unix:file_test>
--
--  <unix:file_object id="object_jboss_eap_logs_permissions_files" version="1" comment="JBOSS_HOME/standalone/log/*.log">
--    <unix:path var_ref="local_var_jboss_eap_logs_permissions_folder" />
--    <unix:filename operation="pattern match">.*\.log$</unix:filename>
--  </unix:file_object>  
--
--  <!-- single shared condition -->
--  <unix:file_state id="state_jboss_eap_logs_permissions" version="1" comment="checks for g-rwo,o-rwo">
--    <unix:gread datatype="boolean">false</unix:gread>
--    <unix:gwrite datatype="boolean">false</unix:gwrite>
--    <unix:gexec datatype="boolean">false</unix:gexec>
--    <unix:oread datatype="boolean">false</unix:oread>
--    <unix:owrite datatype="boolean">false</unix:owrite>
--    <unix:oexec datatype="boolean">false</unix:oexec>
--  </unix:file_state> 
--
--</def-group>
-diff --git a/eap6/guide/eap6/jboss_eap_logs_permissions/rule.yml b/eap6/guide/eap6/jboss_eap_logs_permissions/rule.yml
-deleted file mode 100644
-index ace2e17d57..0000000000
---- a/eap6/guide/eap6/jboss_eap_logs_permissions/rule.yml
-+++ /dev/null
-@@ -1,80 +0,0 @@
--documentation_complete: true
--
--title: 'Configure JBoss Log Directory Permissions'
--
--description: |-
--    Configure file permissions on the JBoss log folder to protect from unauthorized
--    access.
--
--rationale: |-
--    If the application provides too much information in error logs and
--    administrative messages to the screen, this could lead to compromise. The
--    structure and content of error messages need to be carefully considered by the
--    organization and development team. The extent to which the information system is
--    able to identify and handle error conditions is guided by organizational policy
--    and operational requirements.
--    <br /><br />
--    Application servers must protect the error
--    messages that are created by the application server. All application server
--    users' accounts are used for the management of the server and the applications
--    residing on the application server. All accounts are assigned to a certain role
--    with corresponding access rights. The application server must restrict access to
--    error messages so only authorized users may view them. Error messages are
--    usually written to logs contained on the file system. The application server
--    will usually create new log files as needed and must take steps to ensure that
--    the proper file permissions are utilized when the log files are created.
--
--severity: medium
--
--identifiers:
--    cce: CCE-80485-6
--
--references:
--    disa: CCI-001314
--    srg: SRG-APP-000267-AS-000170
--    stigid: JBOS-AS-000425
--
--ocil_clause: 'it is not'
--
--ocil: |-
--    If the JBoss log folder is installed in the default location and
--    AS-000133-JBOSS-00079 is not a finding, the log folders are protected and this
--    requirement is not a finding.
--    <br /><br />
--    By default, JBoss installs its log files into a
--    sub-folder of the <pre>jboss-eap-6.3</pre> home folder.
--    Using a UNIX like OS
--    example, the default location for log files is:
--    <br /><br />
--    <pre>
--    JBOSS_HOME/standalone/log
--    JBOSS_HOME/domain/log
--    </pre>
--    <br /><br />
--    For a standalone configuration:
--    <tt>JBOSS_HOME/standalone/log/server.log</tt> Contains all server log messages,
--    including server startup messages.
--    <br /><br />
--    For a domain configuration:
--    <tt>JBOSS_HOME/domain/log/hostcontroller.log</tt>
--    Host Controller boot log. Contains log
--    messages related to the startup of the host controller.
--    <tt>JBOSS_HOME/domain/log/processcontroller.log</tt>
--    Process controller boot log.
--    Contains log messages related to the startup of the process controller.
--    <tt>JBOSS_HOME/domain/servers/SERVERNAME/log/server.log</tt>
--    The server log for the named
--    server. Contains all log messages for that server, including server startup
--    messages.
--    <br /><br />
--    Log on with an OS user account with JBoss access and permissions.
--    Navigate to the <tt>Jboss-eap-6.3</tt> folder using the relevant OS commands
--    for either a UNIX like OS or a Windows OS.
--    <br /><br />
--    Examine the permissions of the JBoss logs folders.
--    <br /><br />
--    Owner can be full access. Group can be full access.
--    All others must be restricted.
--    <br /><br />
--    If the JBoss log folder is world readable or world
--    writeable, this is a finding.
-diff --git a/eap6/guide/eap6/jboss_eap_remove_group_accounts/rule.yml b/eap6/guide/eap6/jboss_eap_remove_group_accounts/rule.yml
-deleted file mode 100644
-index 0e4bb929cf..0000000000
---- a/eap6/guide/eap6/jboss_eap_remove_group_accounts/rule.yml
-+++ /dev/null
-@@ -1,75 +0,0 @@
--documentation_complete: true
--
--title: 'Remove JBoss Group Acount Access'
--
--description: |-
--    Configure the application server so required users are individually
--    authenticated by creating individual user accounts. Utilize an LDAP server that
--    is configured according to DOD policy.
--
--rationale: |-
--    To assure individual accountability and prevent unauthorized access,
--    application server users (and any processes acting on behalf of application
--    server users) must be individually identified and authenticated.
--    <br /><br />
--    A group
--    authenticator is a generic account used by multiple individuals. Use of a group
--    authenticator alone does not uniquely identify individual users.
--    <br /><br />
--    Application
--    servers must ensure that individual users are authenticated prior to
--    authenticating via role or group authentication. This is to ensure that there is
--    non-repudiation for actions taken.
--
--severity: medium
--
--identifiers:
--    cce: CCE-80475-7
--
--references:
--    disa: CCI-000770
--    srg: SRG-APP-000153-AS-000104
--    stigid: JBOS-AS-000275
--
--ocil_clause: 'it is not'
--
--ocil: |-
--    If the application server management interface is configured to use LDAP
--    authentication this requirement is NA.
--    <br /><br />
--    Determine the mode in which the JBoss
--    server is operating by authenticating to the OS, changing to the
--    <tt>&lt;JBOSS_HOME&gt;/bin/</tt> folder and executing the <pre>jboss-cli</pre> script.
--    Connect to the
--    server and authenticate.
--    Run the command: <pre>ls</pre> and examine the <tt>launch-type</tt> setting.
--    <br /><br />
--    User account information is stored in the following
--    files for a JBoss server configured in standalone mode. The command line flags
--    passed to the <tt>standalone</tt> startup script determine the standalone
--    operating mode:
--    <pre>
--    &lt;JBOSS_HOME&gt;/standalone/configuration/standalone.xml
--    &lt;JBOSS_HOME&gt;/standalone/configuration/standalone-full.xml
--    &lt;JBOSS_HOME&gt;/standalone/configuration/standalone.-full-ha.xml
--    &lt;JBOSS_HOME&gt;/standalone/configuration/standalone.ha.xml
--    </pre>
--    <br /><br />
--    For a Managed Domain:
--    <pre>
--    &lt;JBOSS_HOME&gt;/domain/configuration/domain.xml
--    </pre>
--    <br /><br />
--    Review both files for generic or
--    shared user accounts.
--    <br /><br />
--    Open each xml file with a text editor and locate the
--    &lt;management-interfaces&gt; section.
--    Review the <pre>&lt;user name = "xxxxx"&gt;</pre> sub-
--    section where <pre>xxxxx</pre> will be a user name.
--    <br /><br />
--    Have the system
--    administrator identify the user of each user account.
--    <br /><br />
--    If user accounts are not
--    assigned to individual users, this is a finding.
-diff --git a/eap6/guide/eap6/jboss_eap_remove_jmx/oval/eap6.xml b/eap6/guide/eap6/jboss_eap_remove_jmx/oval/eap6.xml
-deleted file mode 100644
-index 78693c4790..0000000000
---- a/eap6/guide/eap6/jboss_eap_remove_jmx/oval/eap6.xml
-+++ /dev/null
-@@ -1,45 +0,0 @@
--<def-group>
--  <definition version="1" class="compliance" id="jboss_eap_remove_jmx">
--    <metadata>
--      <title>Remove JMX Subsystem</title>
--      <description>EAP should be configured to remove the JMX subsystem</description>
--      <affected family="undefined">
--        <platform>JBoss Enterprise Application Platform 6</platform>
--      </affected>
--    </metadata>
--    <criteria>
--      <criterion test_ref="test_jboss_eap_jmx_installed" negate="true" />
--    </criteria>
--  </definition>
--
--  <ind:environmentvariable58_object id="obj_env_remove_jmx" version="1">
--    <ind:pid xsi:nil="true" datatype="int" />
--    <ind:name>JBOSS_HOME</ind:name>
--  </ind:environmentvariable58_object>
--
--  <local_variable id="local_var_remove_jmx_jboss_home" version="1" datatype="string" comment="version location">
--    <concat>
--      <object_component object_ref="obj_env_remove_jmx" item_field="value" />
--      <literal_component datatype="string">/standalone/configuration/</literal_component>
--    </concat>
--  </local_variable>
--
--  <local_variable id="local_var_profile_remove_jmx" version="1" datatype="string" comment="configuration profile">
--    <concat>
--      <variable_component var_ref="var_jboss_profile" />
--      <literal_component datatype="string">.xml</literal_component>
--    </concat>
--  </local_variable>
--
--  <external_variable comment="external variable for Jboss profile" datatype="string" id="var_jboss_profile" version="1" />
--
--  <ind:xmlfilecontent_test id="test_jboss_eap_jmx_installed" version="1" check="all" comment="Check EAP for ">
--    <ind:object object_ref="obj_jboss_eap_remove_jmx" />
--  </ind:xmlfilecontent_test>
--  <ind:xmlfilecontent_object id="obj_jboss_eap_remove_jmx" version="1">
--    <ind:path var_ref="local_var_remove_jmx_jboss_home"/>
--    <ind:filename var_ref="local_var_profile_remove_jmx"/>
--    <ind:xpath>//*[name()='server']/*[name()='profile']/*[name()='subsystem']/*[name()='remoting-connector']</ind:xpath>
--  </ind:xmlfilecontent_object>
--
--</def-group>
-diff --git a/eap6/guide/eap6/jboss_eap_remove_jmx/rule.yml b/eap6/guide/eap6/jboss_eap_remove_jmx/rule.yml
-deleted file mode 100644
-index abcf97f88e..0000000000
---- a/eap6/guide/eap6/jboss_eap_remove_jmx/rule.yml
-+++ /dev/null
-@@ -1,57 +0,0 @@
--documentation_complete: true
--
--title: 'Remove the JMX Subsystem'
--
--description: |-
--    Log on to the OS of the JBoss server with OS permissions that allow access to
--    JBoss.
--    Using the relevant OS commands and syntax, cd to the <tt>&lt;JBOSS_HOME&gt;/bin/</tt>
--    folder.
--    Run the <pre>jboss-cli</pre> script to start the Command Line Interface (CLI).
--    Connect to the server and authenticate.
--    <br /><br />
--    For a Managed Domain configuration you
--    must check each profile name:
--    <br /><br />
--    For each PROFILE NAME, run the command:
--    <pre>/profile=<i>PROFILE NAME</i>/subsystem=jmx/remoting-connector=jmx:remove</pre>
--    For a Standalone configuration:
--    <pre>/subsystem=jmx/remoting-connector=jmx:remove</pre>
--
--rationale: |-
--    The JMX subsystem allows you to trigger JDK and application management
--    operations remotely. In a managed domain configuration, the JMX subsystem is
--    removed by default. For a standalone configuration, it is enabled by default and
--    must be removed.
--
--severity: medium
--
--identifiers:
--    cce: CCE-80469-0
--
--references:
--    disa: CCI-000381
--    srg: SRG-APP-000141-AS-000095
--    stigid: JBOS-AS-000240
--
--ocil_clause: 'it is not'
--
--ocil: |-
--    Log on to the OS of the JBoss server with OS permissions that allow access to
--    JBoss.
--    Using the relevant OS commands and syntax, cd to the <tt>&lt;JBOSS_HOME&gt;/bin/</tt>
--    folder.
--    Run the <pre>jboss-cli</pre> script to start the Command Line Interface (CLI).
--    Connect to the server and authenticate.
--    <br /><br />
--    For a Managed Domain configuration, you
--    must check each profile name:
--    <br /><br />
--    For each <i>PROFILE NAME</i>, run the command:
--    <pre>ls /profile=<i>PROFILE NAME</i>/subsystem=jmx/remoting-connector</pre>
--    <br /><br />
--    For a Standalone
--    configuration:
--    <pre>ls /subsystem=jmx/remoting-connector</pre>
--    <br /><br />
--    If <tt>jmx</tt> is returned, this is a finding.
-diff --git a/eap6/guide/eap6/jboss_eap_remove_quickstarts/oval/eap6.xml b/eap6/guide/eap6/jboss_eap_remove_quickstarts/oval/eap6.xml
-deleted file mode 100644
-index 3c2fb9cfcb..0000000000
---- a/eap6/guide/eap6/jboss_eap_remove_quickstarts/oval/eap6.xml
-+++ /dev/null
-@@ -1,35 +0,0 @@
--<def-group>
--  <definition version="1" class="compliance" id="jboss_eap_remove_quickstarts">
--    <metadata>
--      <title>JBoss Enterprise Application Platform 6 Security Manager Remove Quickstarts</title>
--      <description>Quickstarts must be removed</description>
--      <affected family="undefined">
--        <platform>JBoss Enterprise Application Platform 6</platform>
--      </affected>
--    </metadata>
--    <criteria>
--      <criterion test_ref="test_eap_quickstarts" />
--    </criteria>
--  </definition>
--
--  <ind:environmentvariable58_object id="obj_env_eap_quickstarts_home" version="1">
--    <ind:pid xsi:nil="true" datatype="int" />
--    <ind:name>JBOSS_HOME</ind:name>
--  </ind:environmentvariable58_object>
--
--  <unix:file_test id="test_eap_quickstarts" version="1" check="all" check_existence="none_exist" comment="Check EAP for Quickstarts">
--    <unix:object object_ref="obj_eap_quickstarts" />
--  </unix:file_test>
--  <unix:file_object id="obj_eap_quickstarts" version="1">
--    <unix:path operation="pattern match" var_ref="local_var_eap_quickstart_path"/>
--    <unix:filename operation="pattern match">*</unix:filename>
--  </unix:file_object>
--
--  <local_variable id="local_var_eap_quickstart_path" version="1" datatype="string" comment="version location">
--    <concat>
--      <object_component object_ref="obj_env_eap_quickstarts_home" item_field="value" />
--      <literal_component>/.*quickstart.*</literal_component>
--    </concat>
--  </local_variable>
--
--</def-group>
-diff --git a/eap6/guide/eap6/jboss_eap_remove_quickstarts/rule.yml b/eap6/guide/eap6/jboss_eap_remove_quickstarts/rule.yml
-deleted file mode 100644
-index 19f7a86979..0000000000
---- a/eap6/guide/eap6/jboss_eap_remove_quickstarts/rule.yml
-+++ /dev/null
-@@ -1,26 +0,0 @@
--documentation_complete: true
--
--title: 'Remove JBoss Quickstarts'
--
--description: 'Delete the QuickStarts folder.'
--
--rationale: |-
--    JBoss QuickStarts are demo applications that can be deployed quickly. Demo
--    applications are not written with security in mind and often open new attack
--    vectors. QuickStarts must be removed.
--
--severity: medium
--
--identifiers:
--    cce: CCE-80468-2
--
--references:
--    disa: CCI-000381
--    srg: SRG-APP-000141-AS-000095
--    stigid: JBOS-AS-000235
--
--ocil_clause: 'it is not'
--
--ocil: |-
--    Examine the <tt>&lt;JBOSS_HOME&gt;</tt> folder. If a <tt>jboss-eap-6.3.0-GA-quickstarts</tt> folder
--    exits, this is a finding.
-diff --git a/eap6/guide/eap6/jboss_eap_remove_unnecessary_apps/oval/eap6.xml b/eap6/guide/eap6/jboss_eap_remove_unnecessary_apps/oval/eap6.xml
-deleted file mode 100644
-index c2ad4fe12b..0000000000
---- a/eap6/guide/eap6/jboss_eap_remove_unnecessary_apps/oval/eap6.xml
-+++ /dev/null
-@@ -1,36 +0,0 @@
--<def-group>
--  <definition version="1" class="compliance" id="jboss_eap_remove_unnecessary_apps">
--    <metadata>
--      <title>JBoss Enterprise Application Platform 6 Security Manager Remove Unnecessary Applications</title>
--      <description>Unnecessary apps must be removed</description>
--      <affected family="undefined">
--        <platform>JBoss Enterprise Application Platform 6</platform>
--      </affected>
--    </metadata>
--    <criteria>
--      <criterion test_ref="test_eap_remove_apps" />
--    </criteria>
--  </definition>
--
--  <ind:environmentvariable58_object id="obj_env_eap_remove_apps_home" version="1">
--    <ind:pid xsi:nil="true" datatype="int" />
--    <ind:name>JBOSS_HOME</ind:name>
--  </ind:environmentvariable58_object>
--
--  <unix:file_test id="test_eap_remove_apps" version="1" check="all" check_existence="none_exist" comment="Check EAP for installed apps">
--    <unix:object object_ref="obj_eap_remove_apps" />
--  </unix:file_test>
--  <unix:file_object id="obj_eap_remove_apps" version="1">
--    <unix:behaviors recurse_direction="down"/>
--    <unix:path var_ref="local_var_eap_remove_apps_path"/>
--    <unix:filename operation="pattern match">^((?!(README.txt|.*\.rar|.*\.deployed|.*\.undeployed)|.*\.dodeploy).)*$</unix:filename>
--  </unix:file_object>
--
--  <local_variable id="local_var_eap_remove_apps_path" version="1" datatype="string" comment="version location">
--    <concat>
--      <object_component object_ref="obj_env_eap_remove_apps_home" item_field="value" />
--      <literal_component>/standalone/deployments</literal_component>
--    </concat>
--  </local_variable>
--
--</def-group>
-diff --git a/eap6/guide/eap6/jboss_eap_remove_unnecessary_apps/rule.yml b/eap6/guide/eap6/jboss_eap_remove_unnecessary_apps/rule.yml
-deleted file mode 100644
-index 2f5834ce67..0000000000
---- a/eap6/guide/eap6/jboss_eap_remove_unnecessary_apps/rule.yml
-+++ /dev/null
-@@ -1,43 +0,0 @@
--documentation_complete: true
--
--title: 'Remove Unnecessary Applications'
--
--description: |-
--    Identify, authorize, and document all applications that are deployed to the
--    application server. Remove unauthorized applications.
--
--rationale: |-
--    Extraneous services and applications running on an application server expands
--    the attack surface and increases risk to the application server. Securing any
--    server involves identifying and removing any unnecessary services and, in the
--    case of an application server, unnecessary and/or unapproved applications.
--
--severity: medium
--
--identifiers:
--    cce: CCE-80471-6
--
--references:
--    disa: CCI-000381
--    srg: SRG-APP-000141-AS-000095
--    stigid: JBOS-AS-000250
--
--ocil_clause: 'it is not'
--
--ocil: |-
--    Log on to the OS of the JBoss server with OS permissions that allow access to
--    JBoss.
--    Using the relevant OS commands and syntax, cd to the <tt>&lt;JBOSS_HOME&gt;/bin/</tt>
--    folder.
--    Run the <pre>jboss-cli</pre> script.
--    Connect to the server and authenticate.
--    Run the command:
--    <br /><br />
--    <pre>ls /deployment</pre>
--    <br /><br />
--    The list of deployed applications is displayed.
--    Have the system admin identify the applications listed and confirm they are
--    approved applications.
--    <br /><br />
--    If the system admin cannot provide documentation proving
--    their authorization for deployed applications, this is a finding.
-diff --git a/eap6/guide/eap6/jboss_eap_require_password_access/rule.yml b/eap6/guide/eap6/jboss_eap_require_password_access/rule.yml
-deleted file mode 100644
-index dab739e326..0000000000
---- a/eap6/guide/eap6/jboss_eap_require_password_access/rule.yml
-+++ /dev/null
-@@ -1,43 +0,0 @@
--documentation_complete: true
--
--title: 'Require Password Authentication'
--
--description: |-
--    Configure the LDAP Security Realm using default settings that sets <tt>allow-empty-values</tt>
--    to <tt>..</tt> LDAP Security Realm creation is described in
--    section 11.9 -Add an LDAP Security Realm in the
--    JBoss_Enterprise_Application_Platform-6.3
--    -Administration_and_Configuration_Guide-en-US document.
--
--rationale: |-
--    Passwords need to be protected at all times, and encryption is the standard
--    method for protecting passwords during transmission. If passwords are not
--    encrypted, they can be plainly read (i.e., clear text) and easily compromised.
--    Application servers have the capability to utilize either certificates (tokens)
--    or user IDs and passwords in order to authenticate. When the application server
--    transmits or receives passwords, the passwords must be encrypted.
--
--severity: medium
--
--identifiers:
--    cce: CCE-80480-7
--
--references:
--    disa: CCI-000197
--    srg: SRG-APP-000172-AS-000120
--    stigid: JBOS-AS-000305
--
--ocil_clause: 'it is not'
--
--ocil: |-
--    Log on to the OS of the JBoss server with OS permissions that allow access to
--    JBoss.
--    Using the relevant OS commands and syntax, cd to the <tt>&lt;JBOSS_HOME&gt;/bin/</tt>
--    folder.
--    Run the <pre>jboss-cli</pre> script.
--    Connect to the server and authenticate.
--    Run the command:
--    <br /><br />
--    <pre>ls /core-service=management/security-realm=ldap_security_realm/authentication=ldap</pre>
--    <br /><br />
--    If <pre>allow-empty-passwords=true</pre>, this is a finding.
-diff --git a/eap6/guide/eap6/jboss_eap_restrict_jboss_account/rule.yml b/eap6/guide/eap6/jboss_eap_restrict_jboss_account/rule.yml
-deleted file mode 100644
-index 9c58850fce..0000000000
---- a/eap6/guide/eap6/jboss_eap_restrict_jboss_account/rule.yml
-+++ /dev/null
-@@ -1,39 +0,0 @@
--documentation_complete: true
--
--title: 'Restrict the JBoss Account'
--
--description: |-
--    Use the relevant OS commands to restrict JBoss user account from interactively
--    logging on to the console of the JBoss system.
--    <br /><br />
--    For Windows systems, use GPO.
--    For UNIX like systems using ssh DenyUsers <i>account id</i> or follow established
--    procedure for restricting access.
--
--rationale: |-
--    JBoss does not require admin rights to operate and should be run as a regular
--    user. In addition, if the user account was to be compromised and the account
--    was allowed interactive logon rights, this would increase the risk and attack
--    surface against the JBoss system. The right to interactively log on to the
--    system using the JBoss account should be limited according to the OS
--    capabilities.
--
--severity: high
--
--identifiers:
--    cce: CCE-80465-8
--
--references:
--    disa: CCI-000381
--    srg: SRG-APP-000141-AS-000095
--    stigid: JBOS-AS-000220
--
--ocil_clause: 'it is not'
--
--ocil: |-
--    Identify the user account used to run the JBoss server. Use relevant OS
--    commands to determine logon rights to the system. This account should not have
--    full shell/interactive access to the system.
--    <br /><br />
--    If the user account used to
--    operate JBoss can log on interactively, this is a finding.
-diff --git a/eap6/guide/eap6/jboss_eap_roll_over_transfer_logs/oval/eap6.xml b/eap6/guide/eap6/jboss_eap_roll_over_transfer_logs/oval/eap6.xml
-deleted file mode 100644
-index 073c561202..0000000000
---- a/eap6/guide/eap6/jboss_eap_roll_over_transfer_logs/oval/eap6.xml
-+++ /dev/null
-@@ -1,45 +0,0 @@
--<def-group>
--  <definition version="1" class="compliance" id="jboss_eap_roll_over_transfer_logs">
--    <metadata>
--      <title>Configure Logs to Rollover</title>
--      <description>Logger should be configured to rollover log files</description>
--      <affected family="undefined">
--        <platform>JBoss Enterprise Application Platform 6</platform>
--      </affected>
--    </metadata>
--    <criteria>
--      <criterion test_ref="test_eap_roll_over_transfer_logs" />
--    </criteria>
--  </definition>
--
--  <ind:environmentvariable58_object id="obj_env_rollover_log" version="1">
--    <ind:pid xsi:nil="true" datatype="int" />
--    <ind:name>JBOSS_HOME</ind:name>
--  </ind:environmentvariable58_object>
--
--  <local_variable id="local_var_rollover_jboss_home" version="1" datatype="string" comment="version location">
--    <concat>
--      <object_component object_ref="obj_env_rollover_log" item_field="value" />
--      <literal_component datatype="string">/standalone/configuration/</literal_component>
--    </concat>
--  </local_variable>
--
--  <local_variable id="local_var_profile_transfer_logs" version="1" datatype="string" comment="configuration profile">
--    <concat>
--      <variable_component var_ref="var_jboss_profile" />
--      <literal_component datatype="string">.xml</literal_component>
--    </concat>
--  </local_variable>
--
--  <external_variable comment="external variable for Jboss profile" datatype="string" id="var_jboss_profile" version="1" />
--
--  <ind:xmlfilecontent_test id="test_eap_roll_over_transfer_logs" version="1" check="all" comment="Check EAP roll over transfer logs">
--    <ind:object object_ref="obj_eap_roll_over_transfer_logs" />
--  </ind:xmlfilecontent_test>
--  <ind:xmlfilecontent_object id="obj_eap_roll_over_transfer_logs" version="1">
--    <ind:path var_ref="local_var_rollover_jboss_home"/>
--    <ind:filename var_ref="local_var_profile_transfer_logs" />
--    <ind:xpath>//*[name()='server']/*[name()='profile']/*[name()='subsystem']/*[name()='periodic-rotating-file-handler'][@name='FILE']</ind:xpath>
--  </ind:xmlfilecontent_object>
--
--</def-group>
-diff --git a/eap6/guide/eap6/jboss_eap_roll_over_transfer_logs/rule.yml b/eap6/guide/eap6/jboss_eap_roll_over_transfer_logs/rule.yml
-deleted file mode 100644
-index c35a9791c6..0000000000
---- a/eap6/guide/eap6/jboss_eap_roll_over_transfer_logs/rule.yml
-+++ /dev/null
-@@ -1,75 +0,0 @@
--documentation_complete: true
--
--title: 'Roll Over and Transfer JBoss Logs'
--
--description: |-
--    Open the web-based management interface by opening a browser and pointing it to
--    <tt>HTTPS://<i>EAP_SERVER</i>:9990/</tt>
--    <br /><br />
--    Authenticate as a user with Admin rights.
--    Navigate
--    to the <tt>Configuration</tt> tab.
--    Expand <tt>+</tt> Subsystems.
--    Expand <tt>+</tt> Core.
--    Select
--    <tt>Logging</tt>.
--    Select the <tt>Handler</tt> tab.
--    Select <tt>Periodic</tt>.
--    <br /><br />
--    If a
--    periodic file handler does not exist, reference JBoss admin guide for
--    instructions on how to create a file handler that will rotate logs on a daily
--    basis.
--    Create scripts that package and off-load log data at least weekly.
--
--rationale: |-
--    Information stored in one location is vulnerable to accidental or incidental
--    deletion or alteration. Protecting log data is important during a forensic
--    investigation to ensure investigators can track and understand what may have
--    occurred. Off-loading should be set up as a scheduled task but can be
--    configured to be run manually, if other processes during the off-loading are
--    manual.
--    <br /><br />
--    Off-loading is a common process in information systems with limited log
--    storage capacity.
--
--severity: medium
--
--identifiers:
--    cce: CCE-80498-9
--
--references:
--    disa: CCI-001851
--    srg: SRG-APP-000515-AS-000203
--    stigid: JBOS-AS-000735
--
--ocil_clause: 'it is not'
--
--ocil: |-
--    If the JBoss server is configured to use a Syslog Handler, this is not a
--    finding.
--    <br /><br />
--    Log on to the OS of the JBoss server with OS permissions that allow
--    access to JBoss.
--    Using the relevant OS commands and syntax, cd to the
--    <tt>&lt;JBOSS_HOME&gt;/bin/</tt> folder.
--    Run the <pre>jboss-cli</pre> script.
--    Connect to the server and authenticate.
--    <br /><br />
--    Determine if there is a periodic rotating file handler.
--    <br /><br />
--    For a
--    domain configuration run the following command; where <i>SERVERNAME</i> is a variable
--    for all of the servers in the domain. Usually <tt>server-one</tt>, <tt>server-two</tt>, etc.:
--    <br /><br />
--    <pre>ls /host=master/server=<i>SERVERNAME</i>/subsystem=logging/periodic-rotating-file-handler=</pre>
--    <br /><br />
--    For a standalone configuration run the command:
--    <pre>ls /subsystem=logging/periodic-rotating-file-handler=</pre>
--    <br /><br />
--    If the command does not return <tt>FILE</tt>, this is a finding.
--    <br /><br />
--    Review the
--    <tt>&lt;JBOSS_HOME&gt;/standalone/log</tt> folder for the existence of rotated logs, and ask
--    the admin to demonstrate how rotated logs are packaged and transferred to
--    another system on at least a weekly basis.
-diff --git a/eap6/guide/eap6/jboss_eap_secure_keystore_permissions/rule.yml b/eap6/guide/eap6/jboss_eap_secure_keystore_permissions/rule.yml
-deleted file mode 100644
-index a924976020..0000000000
---- a/eap6/guide/eap6/jboss_eap_secure_keystore_permissions/rule.yml
-+++ /dev/null
-@@ -1,56 +0,0 @@
--documentation_complete: true
--
--title: 'Restrict Access to the JBoss Keystore'
--
--description: |-
--    Configure the application server OS file permissions on the corresponding
--    private key to restrict access to authorized accounts or roles.
--
--rationale: |-
--    The cornerstone of the PKI is the private key used to encrypt or digitally sign
--    information.
--    <br /><br />
--    If the private key is stolen, this will lead to the compromise of
--    the authentication and non-repudiation gained through PKI because the attacker
--    can use the private key to digitally sign documents and can pretend to be the
--    authorized user.
--    <br /><br />
--    Both the holders of a digital certificate and the issuing
--    authority must protect the computers, storage devices, or whatever they use to
--    keep the private keys. Java-based application servers utilize the Java keystore,
--    which provides storage for cryptographic keys and certificates. The keystore is
--    usually maintained in a file stored on the file system.
--
--severity: medium
--
--identifiers:
--    cce: CCE-80482-3
--
--references:
--    disa: CCI-000186
--    srg: SRG-APP-000176-AS-000125
--    stigid: JBOS-AS-000320
--
--ocil_clause: 'it is not'
--
--ocil: |-
--    The default location for the keystore used by the JBoss vault is the
--    <tt>&lt;JBOSS_HOME&gt;/vault/</tt> folder.
--    <br /><br />
--    If a vault keystore has been created, by default it
--    will be in the file: <tt>&lt;JBOSS_HOME&gt;/vault/vault.keystore</tt>. The file stores a
--    single key, with the default alias vault, which will be used to store encrypted
--    strings, such as passwords, for JBoss EAP.
--    <br /><br />
--    Browse to the JBoss vault folder
--    using the relevant OS commands.
--    Review the file permissions and ensure only
--    system administrators and JBoss users are allowed access.
--    <br /><br />
--    Owner can be full access. Group can be full access.
--    All others must be restricted to execute access
--    or no permission.
--    <br /><br />
--    If non-system administrators are allowed to access the
--    <tt>&lt;JBOSS_HOME&gt;/vault/</tt>
--    folder, this is a finding.
-diff --git a/eap6/guide/eap6/jboss_eap_service_separate_networks/rule.yml b/eap6/guide/eap6/jboss_eap_service_separate_networks/rule.yml
-deleted file mode 100644
-index 3b679c17ac..0000000000
---- a/eap6/guide/eap6/jboss_eap_service_separate_networks/rule.yml
-+++ /dev/null
-@@ -1,76 +0,0 @@
--documentation_complete: true
--
--title: 'Use Separate Management and Application Networks'
--
--description: |-
--    Start the application server with a <tt>-bmanagement</tt> and a <tt>-b</tt> flag so that admin
--    management functionality and hosted applications are separated.
--    <br /><br />
--    Refer to
--    section 4.9 in the JBoss EAP 6.3 Installation Guide for specific instructions on
--    how to start the JBoss server as a service.
--
--rationale: |-
--    The application server consists of the management interface and hosted
--    applications. By separating the management interface from hosted applications,
--    the user must authenticate as a privileged user to the management interface
--    before being presented with management functionality. This prevents non-
--    privileged users from having visibility to functions not available to the user.
--    By limiting visibility, a compromised non-privileged account does not offer
--    information to the attacker or functionality and information needed to further
--    the attack on the application server.
--    <br /><br />
--    JBoss is designed to operate with
--    separate application and management interfaces.
--    The JBoss server is started via
--    a script. To start the JBoss server in domain mode, the admin will execute the
--    /bin/domain.sh or domain.bat script.
--    <br /><br />
--    To start the JBoss server in standalone
--    mode, the admin will execute /bin/standalone.bat or standalone.sh.
--    <br /><br />
--    Command line
--    flags are used to specify which network address is used for management and which
--    address is used for public/application access.
--
--severity: medium
--
--identifiers:
--    cce: CCE-80483-1
--
--references:
--    disa: CCI-001082
--    srg: SRG-APP-000211-AS-000146
--    stigid: JBOS-AS-000355
--
--ocil_clause: 'it is not'
--
--ocil: |-
--    If JBoss is not started with separate management and public interfaces, this is
--    a finding.
--    <br /><br />
--    Review the network design documents to identify the IP address space
--    for the management network.
--    <br /><br />
--    Use relevant OS commands and administrative
--    techniques to determine how the system administrator starts the JBoss server.
--    This includes interviewing the system admin, using the <pre>ps -ef|grep</pre>
--    command for UNIX like systems or checking command line flags and properties on
--    batch scripts for Windows systems.
--    <br /><br />
--    Ensure the startup syntax used to start
--    JBoss specifies a management network address and a public network address.
--    <br /><br />
--    The
--    <tt>-b</tt> flag specifies the public address space.
--    The
--    <tt>-bmanagement</tt> flag specifies the management address space.
--    <br /><br />
--    Example:
--    <pre>
--    &lt;JBOSS_HOME&gt;/bin/standalone.sh -bmanagement 10.10.10.35 -b 192.168.10.25
--    </pre>
--    <br /><br />
--    If
--    JBoss is not started with separate management and public interfaces, this is a
--    finding.
-diff --git a/eap6/guide/eap6/jboss_eap_system_up_to_date/rule.yml b/eap6/guide/eap6/jboss_eap_system_up_to_date/rule.yml
-deleted file mode 100644
-index 1f4ba3eb89..0000000000
---- a/eap6/guide/eap6/jboss_eap_system_up_to_date/rule.yml
-+++ /dev/null
-@@ -1,35 +0,0 @@
--documentation_complete: true
--
--title: 'JBoss System Is Patched'
--
--description: |-
--    Configure the operating system and the application server to use a patch
--    management system or process that ensures security-relevant updates are
--    installed within the time period directed by the ISSM.
--
--rationale: |-
--    The JBoss product is available as Open Source; however, the Red Hat vendor
--    provides updates, patches and support for the JBoss product. It is imperative
--    that patches and updates be applied to JBoss in a timely manner as many attacks
--    against JBoss focus on unpatched systems. It is critical that support be
--    obtained and made available.
--
--severity: high
--
--identifiers:
--    cce: CCE-80496-3
--
--references:
--    disa: CCI-002605
--    srg: SRG-APP-000456-AS-000266
--    stigid: JBOS-AS-000685
--
--ocil_clause: 'it is not'
--
--ocil: |-
--    Interview the system admin and obtain details on their patch management
--    processes as it relates to the OS and the Application Server.
--    <br /><br />
--    If there is no
--    active, documented patch management process in use for these components, this is
--    a finding.
-diff --git a/eap6/guide/eap6/jboss_eap_unprivileged_mode/rule.yml b/eap6/guide/eap6/jboss_eap_unprivileged_mode/rule.yml
-deleted file mode 100644
-index 48cbd575c6..0000000000
---- a/eap6/guide/eap6/jboss_eap_unprivileged_mode/rule.yml
-+++ /dev/null
-@@ -1,58 +0,0 @@
--documentation_complete: true
--
--title: 'Restrict JBoss Account'
--
--description: 'Run the JBoss server with non-admin rights.'
--
--rationale: |-
--    JBoss EAP application server can be run as the OS admin, which is not advised.
--    Running the application server with admin privileges increases the attack
--    surface by granting the application server more rights than it requires in order
--    to operate. If the server is compromised, the attacker will have the same
--    rights as the application server, which in that case would be admin rights. The
--    JBoss EAP server must not be run as the admin user.
--
--severity: high
--
--identifiers:
--    cce: CCE-80467-4
--
--references:
--    disa: CCI-000381
--    srg: SRG-APP-000141-AS-000095
--    stigid: JBOS-AS-000230
--
--ocil_clause: 'it is not'
--
--ocil: |-
--    The script that is used to start JBoss determines the mode in which JBoss will
--    operate, which will be in either in standalone mode or domain mode. Both
--    scripts are installed by default in the <tt>&lt;JBOSS_HOME&gt;/bin/</tt> folder.
--    <br /><br />
--    In addition
--    to running the JBoss server as an interactive script launched from the command
--    line, JBoss can also be started as a service.
--    <br /><br />
--    The scripts used to start JBoss are:
--    Red Hat:
--    <pre>
--    standalone.sh
--    domain.sh
--    </pre>
--    <br /><br />
--    Windows:
--    <pre>
--    standalone.bat
--    domain.bat
--    </pre>
--    <br /><br />
--    Use the relevant OS commands to determine JBoss ownership.
--    <br /><br />
--    When running as a process:
--    Red Hat: <pre>ps -ef|grep -i jboss</pre>.
--    Windows: <pre>services.msc</pre>.
--    Search for the JBoss process, which by default is named <tt>JBOSSEAP6</tt>.
--    <br /><br />
--    If
--    the user account used to launch the JBoss script or start the JBoss process has
--    admin rights on the system, this is a finding.
-diff --git a/eap6/guide/eap6/jboss_eap_use_approved_ca_cert/rule.yml b/eap6/guide/eap6/jboss_eap_use_approved_ca_cert/rule.yml
-deleted file mode 100644
-index b304e49b52..0000000000
---- a/eap6/guide/eap6/jboss_eap_use_approved_ca_cert/rule.yml
-+++ /dev/null
-@@ -1,49 +0,0 @@
--documentation_complete: true
--
--title: 'Use Approved DoD Certificate Authorities'
--
--description: |-
--    Locate the cacerts file for the JVM. This can be done using the appropriate
--    find command for the OS and change to the directory where the cacerts file is
--    located.
--    <br /><br />
--    Remove the certificates that have a CA that is non-DoD approved, and
--    import DoD CA-approved certificates.
--
--rationale: |-
--    Untrusted Certificate Authorities (CA) can issue certificates, but they may be
--    issued by organizations or individuals that seek to compromise DoD systems or by
--    organizations with insufficient security controls. If the CA used for verifying
--    the certificate is not a DoD-approved CA, trust of this CA has not been
--    established.
--    <br /><br />
--    The DoD will only accept PKI certificates obtained from a DoD-
--    approved internal or external certificate authority. Reliance on CAs for the
--    establishment of secure sessions includes, for example, the use of SSL/TLS
--    certificates. The application server must only allow the use of DoD PKI-
--    established certificate authorities for verification.
--
--severity: medium
--
--identifiers:
--    cce: CCE-80491-4
--
--references:
--    disa: CCI-002470
--    srg: SRG-APP-000427-AS-000264
--    stigid: JBOS-AS-000625
--
--ocil_clause: 'it is not'
--
--ocil: |-
--    Locate the cacerts file for the JVM. This can be done using the appropriate
--    find command for the OS and change to the directory where the cacerts file is
--    located.
--    <br /><br />
--    To view the certificates stored within this file, execute the java
--    command <pre>keytool -list -v -keystore ./cacerts</pre>.
--    Verify that the Certificate
--    Authority (CA) for each certificate is DoD-approved.
--    <br /><br />
--    If any certificates have a
--    CA that are not DoD-approved, this is a finding.
-diff --git a/eap6/guide/eap6/jboss_eap_use_approved_ciphers/rule.yml b/eap6/guide/eap6/jboss_eap_use_approved_ciphers/rule.yml
-deleted file mode 100644
-index 89dc6278bb..0000000000
---- a/eap6/guide/eap6/jboss_eap_use_approved_ciphers/rule.yml
-+++ /dev/null
-@@ -1,72 +0,0 @@
--documentation_complete: true
--
--title: 'Use Approved Ciphers'
--
--description: |-
--    Reference section 4.6 of the JBoss EAP 6.3 Security Guide located on the Red
--    Hat vendor's website for step-by-step instructions on establishing SSL
--    encryption on JBoss.
--    <br /><br />
--    The overall steps include:
--    <br /><br />
--    1. Add an HTTPS connector.
--    2. Configure the SSL encryption certificate and keys.
--    3. Set the Cipher to an approved algorithm.
--
--rationale: |-
--    Preventing the disclosure or modification of transmitted information requires
--    that application servers take measures to employ approved cryptography in order
--    to protect the information during transmission over the network. This is usually
--    achieved through the use of Transport Layer Security (TLS), SSL VPN, or IPSec
--    tunnel.
--    <br /><br />
--    If data in transit is unencrypted, it is vulnerable to disclosure and
--    modification. If approved cryptographic algorithms are not used, encryption
--    strength cannot be assured.
--    <br /><br />
--    FIPS 140-2 approved TLS versions include TLS V1.0
--    or greater.
--    <br /><br />
--    TLS must be enabled, and non-FIPS-approved SSL versions must be
--    disabled. NIST SP 800-52 specifies the preferred configurations for government
--    systems.
--
--severity: medium
--
--identifiers:
--    cce: CCE-80494-8
--
--references:
--    disa: CCI-002421
--    srg: SRG-APP-000440-AS-000167
--    stigid: JBOS-AS-000655
--
--ocil_clause: 'it is not'
--
--ocil: |-
--    Log on to the OS of the JBoss server with OS permissions that allow access to
--    JBoss.
--    Using the relevant OS commands and syntax, cd to the <tt>&lt;JBOSS_HOME&gt;/bin/</tt>
--    folder.
--    Run the <pre>jboss-cli</pre> script.
--    Connect to the server and authenticate.
--    Validate that the TLS protocol is used for HTTPS connections.
--    Run the command:
--    <pre>ls /subsystem=web/connector=https/ssl=configuration</pre>
--    <br /><br />
--    Review the
--    cipher suites. The following suites are acceptable as per NIST 800-52r1 section
--    3.3.1 - Cipher Suites. Refer to the NIST document for a complete list of
--    acceptable cipher suites. The source NIST document and approved encryption
--    algorithms/cipher suites are subject to change and should be referenced.
--    <pre>
--    AES_128_CBC
--    AES_256_CBC
--    AES_128_GCM
--    AES_128_CCM
--    AES_256_CCM
--    </pre>
--    <br /><br />
--    If the cipher
--    suites utilized by the TLS server are not approved by NIST as per 800-52r1, this
--    is a finding.
-diff --git a/eap6/guide/eap6/jboss_eap_use_dod_approved_certs/rule.yml b/eap6/guide/eap6/jboss_eap_use_dod_approved_certs/rule.yml
-deleted file mode 100644
-index 98c78cbba5..0000000000
---- a/eap6/guide/eap6/jboss_eap_use_dod_approved_certs/rule.yml
-+++ /dev/null
-@@ -1,49 +0,0 @@
--documentation_complete: true
--
--title: 'Use DoD Approved Certificates'
--
--description: |-
--    Configure the application server to use DoD- or CNSS-approved Class 3 or Class
--    4 PKI certificates.
--
--rationale: |-
--    Class 3 PKI certificates are used for servers and software signing rather than
--    for identifying individuals. Class 4 certificates are used for business-to-
--    business transactions. Utilizing unapproved certificates not issued or approved
--    by DoD or CNS creates an integrity risk. The application server must utilize
--    approved DoD or CNS Class 3 or Class 4 certificates for software signing and
--    business-to-business transactions.
--
--severity: medium
--
--identifiers:
--    cce: CCE-80497-1
--
--references:
--    disa: CCI-002450
--    srg: SRG-APP-000514-AS-000137
--    stigid: JBOS-AS-000730
--
--ocil_clause: 'it is not'
--
--ocil: |-
--    Interview the administrator to determine if JBoss is using certificates for
--    PKI. If JBoss is not performing any PKI functions, this finding is NA.
--    <br /><br />
--    The CA
--    certs are usually stored in a file called cacerts located in the directory
--    <tt>$JAVA_HOME/lib/security</tt>. If the file is not in this location, use a search
--    command to locate the file, or ask the administrator where the certificate store
--    is located.
--    <br /><br />
--    Open a dos shell or terminal window and change to the location of
--    the certificate store. To view the certificates within the certificate store,
--    run the command (in this example, the keystore file is cacerts.):
--    <pre>keytool -list -v -keystore ./cacerts</pre>
--    <br /><br />
--    Locate the <pre>OU</pre> field for each certificate
--    within the keystore. The field should contain either <pre>DoD</pre> or
--    <pre>CNSS</pre> as the Organizational Unit (OU).
--    <br /><br />
--    If the OU does not show that
--    the certificates are DoD or CNSS supplied, this is a finding.
-diff --git a/eap6/guide/eap6/jboss_eap_use_secure_ldap_port/rule.yml b/eap6/guide/eap6/jboss_eap_use_secure_ldap_port/rule.yml
-deleted file mode 100644
-index 51da42a453..0000000000
---- a/eap6/guide/eap6/jboss_eap_use_secure_ldap_port/rule.yml
-+++ /dev/null
-@@ -1,54 +0,0 @@
--documentation_complete: true
--
--title: 'Use Secure Standard LDAP Port'
--
--description: |-
--    Follow steps in section 11.8 - Management Interface Security in the
--    JBoss_Enterprise_Application_Platform-6.3
--    -Administration_and_Configuration_Guide-en-US document.
--    <br /><br />
--    1. Create an outbound connection to the LDAP server.
--    2. Create an LDAP-enabled security realm.
--    3. Reference the new security domain in the Management Interface.
--
--rationale: |-
--    Passwords need to be protected at all times, and encryption is the standard
--    method for protecting passwords during transmission.
--    <br /><br />
--    Application servers have
--    the capability to utilize LDAP directories for authentication. If LDAP
--    connections are not protected during transmission, sensitive authentication
--    credentials can be stolen. When the application server utilizes LDAP, the LDAP
--    traffic must be encrypted.
--
--severity: medium
--
--identifiers:
--    cce: CCE-80481-5
--
--references:
--    disa: CCI-000197
--    srg: SRG-APP-000172-AS-000121
--    stigid: JBOS-AS-000310
--
--ocil_clause: 'it is not'
--
--ocil: |-
--    Log on to the OS of the JBoss server with OS permissions that allow access to
--    JBoss.
--    Using the relevant OS commands and syntax, cd to the <tt>&lt;JBOSS_HOME&gt;/bin/</tt>
--    folder.
--    Run the <pre>jboss-cli</pre> script.
--    Connect to the server and authenticate.
--    <br /><br />
--    Run the following command:
--    <br /><br />
--    For standalone servers:
--    <pre>ls /socket-binding-group=standard-sockets/remote-destination-outbound-socket-binding=ldap_connection</pre>
--    <br /><br />
--    For managed domain installations:
--    <pre>ls /socket-binding-group=<i>PROFILE</i>/remote-destination-outbound-socket-binding=</pre>
--    <br /><br />
--    The default port for secure LDAP is 636.
--    <br /><br />
--    If 636 or secure LDAP protocol is not utilized, this is a finding.
-diff --git a/eap6/guide/eap6/jboss_eap_use_tls/rule.yml b/eap6/guide/eap6/jboss_eap_use_tls/rule.yml
-deleted file mode 100644
-index 65d638c415..0000000000
---- a/eap6/guide/eap6/jboss_eap_use_tls/rule.yml
-+++ /dev/null
-@@ -1,59 +0,0 @@
--documentation_complete: true
--
--title: 'Use Approves TLS version'
--
--description: |-
--    Reference section 4.6 of the JBoss EAP 6.3 Security Guide located on the Red
--    Hat vendor's web site for step-by-step instructions on establishing SSL
--    encryption on JBoss.
--    <br /><br />
--    The overall steps include:
--    <br /><br />
--    1. Add an HTTPS connector.
--    2. Configure the SSL encryption certificate and keys.
--    3. Set the protocol to TLS V1.1 or V1.2.
--
--rationale: |-
--    Preventing the disclosure of transmitted information requires that the
--    application server take measures to employ some form of cryptographic mechanism
--    in order to protect the information during transmission. This is usually
--    achieved through the use of Transport Layer Security (TLS).
--    <br /><br />
--    JBoss relies on
--    the underlying SSL implementation running on the OS. This can be either Java
--    based or OpenSSL. The SSL protocol setting determines which SSL protocol is
--    used. SSL has known security vulnerabilities, so TLS should be used instead.
--    If data is transmitted unencrypted, the data then becomes vulnerable to
--    disclosure. The disclosure may reveal user identifier/password combinations,
--    website code revealing business logic, or other user personal information.
--    <br /><br />
--    FIPS 140-2 approved TLS versions include TLS V1.0 or greater.
--    <br /><br />
--    TLS must be enabled,
--    and non-FIPS-approved SSL versions must be disabled. NIST SP 800-52 specifies
--    the preferred configurations for government systems.
--
--severity: medium
--
--identifiers:
--    cce: CCE-80493-0
--
--references:
--    disa: CCI-002418
--    srg: SRG-APP-000439-AS-000155
--    stigid: JBOS-AS-000650
--
--ocil_clause: 'it is not'
--
--ocil: |-
--    Log on to the OS of the JBoss server with OS permissions that allow access to
--    JBoss.
--    Using the relevant OS commands and syntax, cd to the <tt>&lt;JBOSS_HOME&gt;/bin/</tt>
--    folder.
--    Run the <pre>jboss-cli</pre> script.
--    Connect to the server and authenticate.
--    Validate that the TLS protocol is used for HTTPS connections.
--    Run the command:
--    <pre>ls /subsystem=web/connector=https/ssl=configuration</pre>
--    <br /><br />
--    If a TLS V1.1 or V1.2 protocol is not returned, this is a finding.
-diff --git a/eap6/guide/eap6/jboss_eap_vendor_supported/oval/eap6.xml b/eap6/guide/eap6/jboss_eap_vendor_supported/oval/eap6.xml
-deleted file mode 100644
-index f27aea41a4..0000000000
---- a/eap6/guide/eap6/jboss_eap_vendor_supported/oval/eap6.xml
-+++ /dev/null
-@@ -1,14 +0,0 @@
--<def-group>
--  <definition version="1" class="compliance" id="jboss_eap_vendor_supported">
--    <metadata>
--      <title>JBoss Enterprise Application Platform Supported Version</title>
--      <description>Installed version of JBoss is a vendor supported version.</description>
--      <affected family="undefined">
--        <platform>JBoss Enterprise Application Platform 6</platform>
--      </affected>
--    </metadata>
--    <criteria>
--      <extend_definition comment="EAP supported version" definition_ref="installed_app_is_eap6" />
--    </criteria>
--  </definition>
--</def-group>
-diff --git a/eap6/guide/eap6/jboss_eap_vendor_supported/rule.yml b/eap6/guide/eap6/jboss_eap_vendor_supported/rule.yml
-deleted file mode 100644
-index 372aa87792..0000000000
---- a/eap6/guide/eap6/jboss_eap_vendor_supported/rule.yml
-+++ /dev/null
-@@ -1,35 +0,0 @@
--documentation_complete: true
--
--title: 'JBoss Version Is Vendor Supported'
--
--description: 'Obtain vendor support from Red Hat.'
--
--rationale: |-
--    The JBoss product is available as Open Source; however, the Red Hat vendor
--    provides updates, patches and support for the JBoss product. It is imperative
--    that patches and updates be applied to JBoss in a timely manner as many attacks
--    against JBoss focus on unpatched systems. It is critical that support be
--    obtained and made available.
--
--severity: high
--
--identifiers:
--    cce: CCE-80495-5
--
--references:
--    disa: CCI-002605
--    srg: SRG-APP-000456-AS-000266
--    stigid: JBOS-AS-000680
--
--ocil_clause: 'it is not'
--
--ocil: |-
--    Interview the system admin and have them either show documented proof of
--    current support, or have them demonstrate their ability to access the Red Hat
--    Enterprise Support portal.
--    <br /><br />
--    Verify Red Hat support includes coverage for the
--    JBoss product.
--    <br /><br />
--    If there is no current and active support from the vendor, this
--    is a finding.
-diff --git a/eap6/guide/eap6/var_jboss_profile.var b/eap6/guide/eap6/var_jboss_profile.var
-deleted file mode 100644
-index 51779c7798..0000000000
---- a/eap6/guide/eap6/var_jboss_profile.var
-+++ /dev/null
-@@ -1,15 +0,0 @@
--documentation_complete: true
--
--title: 'JBoss Configuration Profile'
--
--description: 'Choose JBoss configuration name (string)'
--
--type: string
--
--operator: equals
--
--interactive: false
--
--options:
--    default: standalone
--    openshift: standalone-openshift
-diff --git a/eap6/overlays/srg_support.xml b/eap6/overlays/srg_support.xml
-deleted file mode 100644
-index e69de29bb2..0000000000
-diff --git a/eap6/overlays/stig_overlay.xml b/eap6/overlays/stig_overlay.xml
-deleted file mode 100644
-index 9ea7d66b1d..0000000000
---- a/eap6/overlays/stig_overlay.xml
-+++ /dev/null
-@@ -1,271 +0,0 @@
--<?xml version='1.0' encoding='UTF-8'?>
--<overlays xmlns="http://checklists.nist.gov/xccdf/1.1">
--  <overlay disa="68" owner="disastig" ownerid="JBOS-AS-000010" ruleid="jboss_eap_configure_secure_management_access" severity="medium">
--    <VMSinfo SVKey="76563" VKey="62073" VRelease="1"/>
--    <title>HTTP management session traffic must be encrypted.</title>
--  </overlay>
--  <overlay disa="1453" owner="disastig" ownerid="JBOS-AS-000015" ruleid="jboss_eap_configure_https" severity="medium">
--    <VMSinfo SVKey="76705" VKey="62215" VRelease="1"/>
--    <title>HTTPS must be enabled for JBoss web interfaces.</title>
--  </overlay>
--  <overlay disa="213" owner="disastig" ownerid="JBOS-AS-000025" ruleid="jboss_eap_configure_host_access_restrictions" severity="high">
--    <VMSinfo SVKey="76707" VKey="62217" VRelease="1"/>
--    <title>Java permissions must be set for hosted applications.</title>
--  </overlay>
--  <overlay disa="213" owner="disastig" ownerid="JBOS-AS-000030" ruleid="jboss_eap_configure_security_manager" severity="high">
--    <VMSinfo SVKey="76715" VKey="62225" VRelease="1"/>
--    <title>The Java Security Manager must be enabled for the JBoss application server.</title>
--  </overlay>
--  <overlay disa="213" owner="disastig" ownerid="JBOS-AS-000035" ruleid="jboss_eap_enable_rbac" severity="high">
--    <VMSinfo SVKey="76717" VKey="62227" VRelease="1"/>
--    <title>The JBoss server must be configured with Role Based Access Controls.</title>
--  </overlay>
--  <overlay disa="213" owner="disastig" ownerid="JBOS-AS-000040" ruleid="jboss_eap_configure_user_roles" severity="medium">
--    <VMSinfo SVKey="76709" VKey="62219" VRelease="1"/>
--    <title>Users in JBoss Management Security Realms must be in the appropriate role.</title>
--  </overlay>
--  <overlay disa="213" owner="disastig" ownerid="JBOS-AS-000045" ruleid="jboss_eap_configure_application_authentication" severity="high">
--    <VMSinfo SVKey="76711" VKey="62221" VRelease="1"/>
--    <title>Silent Authentication must be removed from the Default Application Security Realm.</title>
--  </overlay>
--  <overlay disa="213" owner="disastig" ownerid="JBOS-AS-000050" ruleid="jboss_eap_configure_management_authentication" severity="high">
--    <VMSinfo SVKey="76713" VKey="62223" VRelease="1"/>
--    <title>Silent Authentication must be removed from the Default Management Security Realm.</title>
--  </overlay>
--  <overlay disa="213" owner="disastig" ownerid="JBOS-AS-000075" ruleid="jboss_eap_configure_security_realm" severity="high">
--    <VMSinfo SVKey="76719" VKey="62229" VRelease="1"/>
--    <title>JBoss management interfaces must be secured.</title>
--  </overlay>
--  <overlay disa="169" owner="disastig" ownerid="JBOS-AS-000080" ruleid="jboss_eap_configure_auditing" severity="medium">
--    <VMSinfo SVKey="76721" VKey="62231" VRelease="1"/>
--    <title>The JBoss server must generate log records for access and authentication events to the management interface.</title>
--  </overlay>
--  <overlay disa="171" owner="disastig" ownerid="JBOS-AS-000085" ruleid="jboss_eap_configure_auditor_roles" severity="medium">
--    <VMSinfo SVKey="76723" VKey="62233" VRelease="1"/>
--    <title>JBoss must be configured to allow only the ISSM (or individuals or roles appointed by the ISSM) to select which loggable events are to be logged.</title>
--  </overlay>
--  <overlay disa="1464" owner="disastig" ownerid="JBOS-AS-000095" ruleid="jboss_eap_configure_auditing" severity="medium">
--    <VMSinfo SVKey="76725" VKey="62235" VRelease="1"/>
--    <title>JBoss must be configured to initiate session logging upon startup.</title>
--  </overlay>
--  <overlay disa="130" owner="disastig" ownerid="JBOS-AS-000105" ruleid="jboss_eap_configure_auditing" severity="medium">
--    <VMSinfo SVKey="76727" VKey="62237" VRelease="1"/>
--    <title>JBoss must be configured to log the IP address of the remote system connecting to the JBoss system/cluster.</title>
--  </overlay>
--  <overlay disa="130" owner="disastig" ownerid="JBOS-AS-000110" ruleid="jboss_eap_configure_auditing" severity="medium">
--    <VMSinfo SVKey="76729" VKey="62239" VRelease="1"/>
--    <title>JBoss must be configured to produce log records containing information to establish what type of events occurred.</title>
--  </overlay>
--  <overlay disa="131" owner="disastig" ownerid="JBOS-AS-000115" ruleid="jboss_eap_configure_auditing" severity="medium">
--    <VMSinfo SVKey="76731" VKey="62241" VRelease="1"/>
--    <title>JBoss Log Formatter must be configured to produce log records that establish the date and time the events occurred.</title>
--  </overlay>
--  <overlay disa="132" owner="disastig" ownerid="JBOS-AS-000120" ruleid="jboss_eap_configure_auditing" severity="medium">
--    <VMSinfo SVKey="76733" VKey="62243" VRelease="1"/>
--    <title>JBoss must be configured to produce log records that establish which hosted application triggered the events.</title>
--  </overlay>
--  <overlay disa="133" owner="disastig" ownerid="JBOS-AS-000125" ruleid="jboss_eap_configure_auditing" severity="medium">
--    <VMSinfo SVKey="76735" VKey="62245" VRelease="1"/>
--    <title>JBoss must be configured to record the IP address and port information used by management interface network traffic.</title>
--  </overlay>
--  <overlay disa="134" owner="disastig" ownerid="JBOS-AS-000130" ruleid="jboss_eap_configure_auditing" severity="medium">
--    <VMSinfo SVKey="76737" VKey="62247" VRelease="1"/>
--    <title>The application server must produce log records that contain sufficient information to establish the outcome of events.</title>
--  </overlay>
--  <overlay disa="1487" owner="disastig" ownerid="JBOS-AS-000135" ruleid="jboss_eap_configure_logging_level" severity="medium">
--    <VMSinfo SVKey="76739" VKey="62249" VRelease="1"/>
--    <title>JBoss ROOT logger must be configured to utilize the appropriate logging level.</title>
--  </overlay>
--  <overlay disa="162" owner="disastig" ownerid="JBOS-AS-000165" ruleid="jboss_eap_configure_log_permissions" severity="medium">
--    <VMSinfo SVKey="76741" VKey="62251" VRelease="1"/>
--    <title>File permissions must be configured to protect log information from any type of unauthorized read access.</title>
--  </overlay>
--  <overlay disa="163" owner="disastig" ownerid="JBOS-AS-000170" ruleid="jboss_eap_configure_log_permissions" severity="medium">
--    <VMSinfo SVKey="76743" VKey="62253" VRelease="1"/>
--    <title>File permissions must be configured to protect log information from unauthorized modification.</title>
--  </overlay>
--  <overlay disa="164" owner="disastig" ownerid="JBOS-AS-000175" ruleid="jboss_eap_configure_log_permissions" severity="medium">
--    <VMSinfo SVKey="76745" VKey="62255" VRelease="1"/>
--    <title>File permissions must be configured to protect log information from unauthorized deletion.</title>
--  </overlay>
--  <overlay disa="1348" owner="disastig" ownerid="JBOS-AS-000195" ruleid="jboss_eap_configure_offloading_max" severity="medium">
--    <VMSinfo SVKey="76747" VKey="62257" VRelease="1"/>
--    <title>JBoss log records must be off-loaded onto a different system or system component a minimum of every seven days.</title>
--  </overlay>
--  <overlay disa="1499" owner="disastig" ownerid="JBOS-AS-000210" ruleid="jboss_eap_configure_user_permissions" severity="medium">
--    <VMSinfo SVKey="76749" VKey="62259" VRelease="1"/>
--    <title>mgmt-users.properties file permissions must be set to allow access to authorized users only.</title>
--  </overlay>
--  <overlay disa="381" owner="disastig" ownerid="JBOS-AS-000220" ruleid="jboss_eap_restrict_jboss_account" severity="high">
--    <VMSinfo SVKey="76751" VKey="62261" VRelease="1"/>
--    <title>JBoss process owner interactive access must be restricted.</title>
--  </overlay>
--  <overlay disa="381" owner="disastig" ownerid="JBOS-AS-000225" ruleid="jboss_eap_disable_analytics" severity="medium">
--    <VMSinfo SVKey="76753" VKey="62263" VRelease="1"/>
--    <title>Google Analytics must be disabled in EAP Console.</title>
--  </overlay>
--  <overlay disa="381" owner="disastig" ownerid="JBOS-AS-000230" ruleid="jboss_eap_unprivileged_mode" severity="high">
--    <VMSinfo SVKey="76755" VKey="62265" VRelease="1"/>
--    <title>JBoss process owner execution permissions must be limited.</title>
--  </overlay>
--  <overlay disa="381" owner="disastig" ownerid="JBOS-AS-000235" ruleid="jboss_eap_remove_quickstarts" severity="medium">
--    <VMSinfo SVKey="76757" VKey="62267" VRelease="1"/>
--    <title>JBoss QuickStarts must be removed.</title>
--  </overlay>
--  <overlay disa="381" owner="disastig" ownerid="JBOS-AS-000240" ruleid="jboss_eap_remove_jmx" severity="medium">
--    <VMSinfo SVKey="76759" VKey="62269" VRelease="1"/>
--    <title>Remote access to JMX subsystem must be disabled.</title>
--  </overlay>
--  <overlay disa="381" owner="disastig" ownerid="JBOS-AS-000245" ruleid="jboss_eap_disable_replace_welcome_page" severity="low">
--    <VMSinfo SVKey="76761" VKey="62271" VRelease="1"/>
--    <title>Welcome Web Application must be disabled.</title>
--  </overlay>
--  <overlay disa="381" owner="disastig" ownerid="JBOS-AS-000250" ruleid="jboss_eap_remove_unnecessary_apps" severity="medium">
--    <VMSinfo SVKey="76763" VKey="62273" VRelease="1"/>
--    <title>Any unapproved applications must be removed.</title>
--  </overlay>
--  <overlay disa="382" owner="disastig" ownerid="JBOS-AS-000255" ruleid="jboss_eap_configure_ports" severity="medium">
--    <VMSinfo SVKey="76765" VKey="62275" VRelease="1"/>
--    <title>JBoss application and management ports must be approved by the PPSM CAL.</title>
--  </overlay>
--  <overlay disa="764" owner="disastig" ownerid="JBOS-AS-000260" ruleid="jboss_eap_configure_ldap" severity="medium">
--    <VMSinfo SVKey="76767" VKey="62277" VRelease="1"/>
--    <title>The JBoss Server must be configured to utilize a centralized authentication mechanism such as AD or LDAP.</title>
--  </overlay>
--  <overlay disa="765" owner="disastig" ownerid="JBOS-AS-000265" ruleid="jboss_eap_configure_multifactor_authentication" severity="medium">
--    <VMSinfo SVKey="76769" VKey="62279" VRelease="1"/>
--    <title>The JBoss Server must be configured to use certificates to authenticate admins.</title>
--  </overlay>
--  <overlay disa="770" owner="disastig" ownerid="JBOS-AS-000275" ruleid="jboss_eap_remove_group_accounts" severity="medium">
--    <VMSinfo SVKey="76771" VKey="62281" VRelease="1"/>
--    <title>The JBoss server must be configured to use individual accounts and not generic or shared accounts.</title>
--  </overlay>
--  <overlay disa="778" owner="disastig" ownerid="JBOS-AS-000285" ruleid="jboss_eap_configure_management_network" severity="medium">
--    <VMSinfo SVKey="76773" VKey="62283" VRelease="1"/>
--    <title>The JBoss server must be configured to bind the management interfaces to only management networks.</title>
--  </overlay>
--  <overlay disa="795" owner="disastig" ownerid="JBOS-AS-000290" ruleid="jboss_eap_configure_management_ldap" severity="medium">
--    <VMSinfo SVKey="76775" VKey="62285" VRelease="1"/>
--    <title>JBoss management Interfaces must be integrated with a centralized authentication mechanism that is configured to manage accounts according to DoD policy.</title>
--  </overlay>
--  <overlay disa="196" owner="disastig" ownerid="JBOS-AS-000295" ruleid="jboss_eap_configure_keystore" severity="medium">
--    <VMSinfo SVKey="76777" VKey="62287" VRelease="1"/>
--    <title>The JBoss Password Vault must be used for storing passwords or other sensitive configuration information.</title>
--  </overlay>
--  <overlay disa="196" owner="disastig" ownerid="JBOS-AS-000300" ruleid="jboss_eap_encrypt_keystore_passwords" severity="medium">
--    <VMSinfo SVKey="76779" VKey="62289" VRelease="1"/>
--    <title>JBoss KeyStore and Truststore passwords must not be stored in clear text.</title>
--  </overlay>
--  <overlay disa="197" owner="disastig" ownerid="JBOS-AS-000305" ruleid="jboss_eap_require_password_access" severity="medium">
--    <VMSinfo SVKey="76781" VKey="62291" VRelease="1"/>
--    <title>LDAP enabled security realm value allow-empty-passwords must be set to false.</title>
--  </overlay>
--  <overlay disa="197" owner="disastig" ownerid="JBOS-AS-000310" ruleid="jboss_eap_use_secure_ldap_port" severity="medium">
--    <VMSinfo SVKey="76783" VKey="62293" VRelease="1"/>
--    <title>JBoss must utilize encryption when using LDAP for authentication.</title>
--  </overlay>
--  <overlay disa="186" owner="disastig" ownerid="JBOS-AS-000320" ruleid="jboss_eap_secure_keystore_permissions" severity="medium">
--    <VMSinfo SVKey="76785" VKey="62295" VRelease="1"/>
--    <title>The JBoss server must be configured to restrict access to the web servers private key to authenticated system administrators.</title>
--  </overlay>
--  <overlay disa="1082" owner="disastig" ownerid="JBOS-AS-000355" ruleid="jboss_eap_service_separate_networks" severity="medium">
--    <VMSinfo SVKey="76787" VKey="62297" VRelease="1"/>
--    <title>The JBoss server must separate hosted application functionality from application server management functionality.</title>
--  </overlay>
--  <overlay disa="1199" owner="disastig" ownerid="JBOS-AS-000400" ruleid="jboss_eap_file_permissions" severity="medium">
--    <VMSinfo SVKey="76789" VKey="62299" VRelease="1"/>
--    <title>JBoss file permissions must be configured to protect the confidentiality and integrity of application files.</title>
--  </overlay>
--  <overlay disa="1314" owner="disastig" ownerid="JBOS-AS-000425" ruleid="jboss_eap_logs_permissions" severity="medium">
--    <VMSinfo SVKey="76791" VKey="62301" VRelease="1"/>
--    <title>Access to JBoss log files must be restricted to authorized users.</title>
--  </overlay>
--  <overlay disa="2322" owner="disastig" ownerid="JBOS-AS-000470" ruleid="jboss_eap_disable_domain_admin_console" severity="medium">
--    <VMSinfo SVKey="76793" VKey="62303" VRelease="1"/>
--    <title>Network access to HTTP management must be disabled on domain-enabled application servers not designated as the domain controller.</title>
--  </overlay>
--  <overlay disa="2235" owner="disastig" ownerid="JBOS-AS-000475" ruleid="jboss_eap_enable_rbac" severity="medium">
--    <VMSinfo SVKey="76795" VKey="62305" VRelease="1"/>
--    <title>The application server must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.</title>
--  </overlay>
--  <overlay disa="2234" owner="disastig" ownerid="JBOS-AS-000480" ruleid="jboss_eap_audit_privileged_actions" severity="medium">
--    <VMSinfo SVKey="76797" VKey="62307" VRelease="1"/>
--    <title>The JBoss server must be configured to log all admin activity.</title>
--  </overlay>
--  <overlay disa="1851" owner="disastig" ownerid="JBOS-AS-000505" ruleid="jboss_eap_configure_syslog" severity="medium">
--    <VMSinfo SVKey="76799" VKey="62309" VRelease="1"/>
--    <title>The JBoss server must be configured to utilize syslog logging.</title>
--  </overlay>
--  <overlay disa="1813" owner="disastig" ownerid="JBOS-AS-000545" ruleid="jboss_eap_disable_automatic_deployment" severity="medium">
--    <VMSinfo SVKey="76801" VKey="62311" VRelease="1"/>
--    <title>Production JBoss servers must not allow automatic application deployment.</title>
--  </overlay>
--  <overlay disa="1814" owner="disastig" ownerid="JBOS-AS-000550" ruleid="jboss_eap_log_deployments" severity="medium">
--    <VMSinfo SVKey="76803" VKey="62313" VRelease="1"/>
--    <title>Production JBoss servers must log when failed application deployments occur.</title>
--  </overlay>
--  <overlay disa="1814" owner="disastig" ownerid="JBOS-AS-000555" ruleid="jboss_eap_log_deployments" severity="medium">
--    <VMSinfo SVKey="76805" VKey="62315" VRelease="1"/>
--    <title>Production JBoss servers must log when successful application deployments occur.</title>
--  </overlay>
--  <overlay disa="2470" owner="disastig" ownerid="JBOS-AS-000625" ruleid="jboss_eap_use_approved_ca_cert" severity="medium">
--    <VMSinfo SVKey="76807" VKey="62317" VRelease="1"/>
--    <title>JBoss must be configured to use DoD PKI-established certificate authorities for verification of the establishment of protected sessions.</title>
--  </overlay>
--  <overlay disa="2385" owner="disastig" ownerid="JBOS-AS-000640" ruleid="jboss_eap_configure_ha_lb" severity="medium">
--    <VMSinfo SVKey="76809" VKey="62319" VRelease="1"/>
--    <title>The JBoss server, when hosting mission critical applications, must be in a high-availability (HA) cluster.</title>
--  </overlay>
--  <overlay disa="2418" owner="disastig" ownerid="JBOS-AS-000650" ruleid="jboss_eap_use_tls" severity="medium">
--    <VMSinfo SVKey="76811" VKey="62321" VRelease="2"/>
--    <title>JBoss must be configured to use an approved TLS version.</title>
--  </overlay>
--  <overlay disa="2421" owner="disastig" ownerid="JBOS-AS-000655" ruleid="jboss_eap_use_approved_ciphers" severity="medium">
--    <VMSinfo SVKey="76813" VKey="62323" VRelease="2"/>
--    <title>JBoss must be configured to use an approved cryptographic algorithm in conjunction with TLS.</title>
--  </overlay>
--  <overlay disa="2605" owner="disastig" ownerid="JBOS-AS-000680" ruleid="jboss_eap_vendor_supported" severity="high">
--    <VMSinfo SVKey="76815" VKey="62325" VRelease="1"/>
--    <title>Production JBoss servers must be supported by the vendor.</title>
--  </overlay>
--  <overlay disa="2605" owner="disastig" ownerid="JBOS-AS-000685" ruleid="jboss_eap_system_up_to_date" severity="high">
--    <VMSinfo SVKey="76817" VKey="62327" VRelease="1"/>
--    <title>The JRE installed on the JBoss server must be kept up to date.</title>
--  </overlay>
--  <overlay disa="172" owner="disastig" ownerid="JBOS-AS-000690" ruleid="jboss_eap_configure_auditing" severity="medium">
--    <VMSinfo SVKey="76819" VKey="62329" VRelease="1"/>
--    <title>JBoss must be configured to generate log records when successful/unsuccessful attempts to modify privileges occur.</title>
--  </overlay>
--  <overlay disa="172" owner="disastig" ownerid="JBOS-AS-000695" ruleid="jboss_eap_configure_auditing" severity="medium">
--    <VMSinfo SVKey="76821" VKey="62331" VRelease="1"/>
--    <title>JBoss must be configured to generate log records when successful/unsuccessful attempts to delete privileges occur.</title>
--  </overlay>
--  <overlay disa="172" owner="disastig" ownerid="JBOS-AS-000700" ruleid="jboss_eap_configure_auditing" severity="medium">
--    <VMSinfo SVKey="76823" VKey="62333" VRelease="1"/>
--    <title>JBoss must be configured to generate log records when successful/unsuccessful logon attempts occur.</title>
--  </overlay>
--  <overlay disa="172" owner="disastig" ownerid="JBOS-AS-000705" ruleid="jboss_eap_configure_auditing" severity="medium">
--    <VMSinfo SVKey="76825" VKey="62335" VRelease="1"/>
--    <title>JBoss must be configured to generate log records for privileged activities.</title>
--  </overlay>
--  <overlay disa="172" owner="disastig" ownerid="JBOS-AS-000710" ruleid="jboss_eap_configure_auditing" severity="medium">
--    <VMSinfo SVKey="76827" VKey="62337" VRelease="1"/>
--    <title>JBoss must be configured to generate log records that show starting and ending times for access to the application server management interface.</title>
--  </overlay>
--  <overlay disa="172" owner="disastig" ownerid="JBOS-AS-000715" ruleid="jboss_eap_configure_auditing" severity="medium">
--    <VMSinfo SVKey="76829" VKey="62339" VRelease="1"/>
--    <title>JBoss must be configured to generate log records when concurrent logons from different workstations occur to the application server management interface.</title>
--  </overlay>
--  <overlay disa="172" owner="disastig" ownerid="JBOS-AS-000720" ruleid="jboss_eap_configure_auditing" severity="medium">
--    <VMSinfo SVKey="76831" VKey="62341" VRelease="1"/>
--    <title>JBoss must be configured to generate log records for all account creations, modifications, disabling, and termination events.</title>
--  </overlay>
--  <overlay disa="2450" owner="disastig" ownerid="JBOS-AS-000730" ruleid="jboss_eap_use_dod_approved_certs" severity="medium">
--    <VMSinfo SVKey="76833" VKey="62343" VRelease="1"/>
--    <title>The JBoss server must be configured to use DoD- or CNSS-approved PKI Class 3 or Class 4 certificates.</title>
--  </overlay>
--  <overlay disa="1851" owner="disastig" ownerid="JBOS-AS-000735" ruleid="jboss_eap_roll_over_transfer_logs" severity="medium">
--    <VMSinfo SVKey="76835" VKey="62345" VRelease="1"/>
--    <title>JBoss servers must be configured to roll over and transfer logs on a minimum weekly basis.</title>
--  </overlay>
--</overlays>
-diff --git a/eap6/product.yml b/eap6/product.yml
-deleted file mode 100644
-index edc8a0878c..0000000000
---- a/eap6/product.yml
-+++ /dev/null
-@@ -1,7 +0,0 @@
--product: eap6
--full_name: JBoss EAP 6
--type: product
--
--benchmark_root: "./guide"
--
--profiles_root: "./profiles"
-diff --git a/eap6/profiles/stig.profile b/eap6/profiles/stig.profile
-deleted file mode 100644
-index 8cd8e3235c..0000000000
---- a/eap6/profiles/stig.profile
-+++ /dev/null
-@@ -1,57 +0,0 @@
--documentation_complete: true
--
--title: 'STIG for JBoss Enterprise Application Platform 6'
--
--description: 'This is a *draft* profile for STIG. This profile is being developed under the DoD consensus model to become
--    a STIG in coordination with DISA FSO.'
--
--selections:
--    - jboss_eap_configure_secure_management_access
--    - jboss_eap_configure_https
--    - jboss_eap_configure_host_access_restrictions
--    - jboss_eap_configure_security_manager
--    - jboss_eap_enable_rbac
--    - jboss_eap_configure_user_roles
--    - jboss_eap_configure_application_authentication
--    - jboss_eap_configure_management_authentication
--    - jboss_eap_configure_security_realm
--    - jboss_eap_configure_auditing
--    - jboss_eap_configure_auditor_roles
--    - jboss_eap_configure_logging_level
--    - jboss_eap_configure_log_permissions
--    - jboss_eap_configure_offloading_max
--    - jboss_eap_configure_user_permissions
--    - jboss_eap_restrict_jboss_account
--    - jboss_eap_disable_analytics
--    - jboss_eap_unprivileged_mode
--    - jboss_eap_remove_quickstarts
--    - jboss_eap_remove_jmx
--    - jboss_eap_disable_replace_welcome_page
--    - jboss_eap_remove_unnecessary_apps
--    - jboss_eap_configure_ports
--    - jboss_eap_configure_ldap
--    - jboss_eap_configure_multifactor_authentication
--    - jboss_eap_remove_group_accounts
--    - jboss_eap_configure_management_network
--    - jboss_eap_configure_management_ldap
--    - jboss_eap_configure_keystore
--    - jboss_eap_encrypt_keystore_passwords
--    - jboss_eap_require_password_access
--    - jboss_eap_use_secure_ldap_port
--    - jboss_eap_secure_keystore_permissions
--    - jboss_eap_service_separate_networks
--    - jboss_eap_file_permissions
--    - jboss_eap_logs_permissions
--    - jboss_eap_disable_domain_admin_console
--    - jboss_eap_audit_privileged_actions
--    - jboss_eap_configure_syslog
--    - jboss_eap_disable_automatic_deployment
--    - jboss_eap_log_deployments
--    - jboss_eap_use_approved_ca_cert
--    - jboss_eap_configure_ha_lb
--    - jboss_eap_use_tls
--    - jboss_eap_use_approved_ciphers
--    - jboss_eap_vendor_supported
--    - jboss_eap_system_up_to_date
--    - jboss_eap_use_dod_approved_certs
--    - jboss_eap_roll_over_transfer_logs
-diff --git a/eap6/transforms/cci2html.xsl b/eap6/transforms/cci2html.xsl
-deleted file mode 100644
-index af9e4e5778..0000000000
---- a/eap6/transforms/cci2html.xsl
-+++ /dev/null
-@@ -1,6 +0,0 @@
--<?xml version="1.0" encoding="utf-8" standalone="yes"?>
--<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:cci="https://public.cyber.mil/stigs/cci">
--
--<xsl:include href="../../shared/transforms/shared_cci2html.xsl"/>
--	
--</xsl:stylesheet>
-diff --git a/eap6/transforms/constants.xslt b/eap6/transforms/constants.xslt
-deleted file mode 100644
-index 336c2f8ed8..0000000000
---- a/eap6/transforms/constants.xslt
-+++ /dev/null
-@@ -1,21 +0,0 @@
--<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
--
--<xsl:include href="../../shared/transforms/shared_constants.xslt"/>
--
--<xsl:variable name="product_long_name">JBoss EAP 6</xsl:variable>
--<xsl:variable name="product_short_name">EAP 6</xsl:variable>
--<xsl:variable name="product_stig_id_name">EAP_6_STIG</xsl:variable>
--<xsl:variable name="prod_type">eap6</xsl:variable>
--
--<xsl:variable name="cisuri">empty</xsl:variable>
--<xsl:variable name="product_guide_id_name">Jboss-EAP-6</xsl:variable>
--<xsl:variable name="disa-stigs-uri" select="$disa-stigs-apps-appserver-uri"/>
--<xsl:variable name="disa-srguri" select="$disa-appsrguri"/>
--
--<!-- Define URI for custom CCE identifier which can be used for mapping to corporate policy -->
--<!--xsl:variable name="custom-cce-uri">https://www.example.org</xsl:variable-->
--
--<!-- Define URI for custom policy reference which can be used for linking to corporate policy -->
--<!--xsl:variable name="custom-ref-uri">https://www.example.org</xsl:variable-->
--
--</xsl:stylesheet>
-diff --git a/eap6/transforms/shorthand2xccdf.xslt b/eap6/transforms/shorthand2xccdf.xslt
-deleted file mode 100644
-index de809d5f57..0000000000
---- a/eap6/transforms/shorthand2xccdf.xslt
-+++ /dev/null
-@@ -1,9 +0,0 @@
--<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
--
--<xsl:import href="../../shared/transforms/shared_shorthand2xccdf.xslt"/>
--
--<xsl:include href="constants.xslt"/>
--<xsl:param name="ssg_version">unknown</xsl:param>
--<xsl:variable name="ovalfile">unlinked-eap6-oval.xml</xsl:variable>
--
--</xsl:stylesheet>
-diff --git a/eap6/transforms/table-add-srgitems.xslt b/eap6/transforms/table-add-srgitems.xslt
-deleted file mode 100644
-index f55b9a54f8..0000000000
---- a/eap6/transforms/table-add-srgitems.xslt
-+++ /dev/null
-@@ -1,7 +0,0 @@
--<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:xccdf="http://checklists.nist.gov/xccdf/1.1" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:xhtml="http://www.w3.org/1999/xhtml" xmlns:cci="https://public.cyber.mil/stigs/cci">
--
--<xsl:include href="../../shared/transforms/shared_table-add-srgitems.xslt"/>
--<xsl:variable name="srgtable" select="document('../output/table-eap6-srgmap-flat.xhtml')/html/body/table" />
--<xsl:variable name="cci_list" select="document('../../shared/references/disa-cci-list.xml')/cci:cci_list" />
--
--</xsl:stylesheet>
-diff --git a/eap6/transforms/table-sortbyref.xslt b/eap6/transforms/table-sortbyref.xslt
-deleted file mode 100644
-index bd97ee1cab..0000000000
---- a/eap6/transforms/table-sortbyref.xslt
-+++ /dev/null
-@@ -1,6 +0,0 @@
--<?xml version="1.0" encoding="utf-8" standalone="yes"?>
--<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:cdf="http://checklists.nist.gov/xccdf/1.1" xmlns:xhtml="http://www.w3.org/1999/xhtml">
--
--<xsl:import href="../../shared/transforms/shared_table-sortbyref.xslt"/>
--
--</xsl:stylesheet>
-diff --git a/eap6/transforms/table-srgmap.xslt b/eap6/transforms/table-srgmap.xslt
-deleted file mode 100644
-index 23c2f60a2c..0000000000
---- a/eap6/transforms/table-srgmap.xslt
-+++ /dev/null
-@@ -1,11 +0,0 @@
--<?xml version="1.0" encoding="utf-8" standalone="yes"?>
--<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:cdf="http://checklists.nist.gov/xccdf/1.1" xmlns:xhtml="http://www.w3.org/1999/xhtml">
--
--<xsl:include href="../../shared/transforms/shared_table-srgmap.xslt"/>
--<xsl:include href="constants.xslt"/>
--<xsl:include href="table-style.xslt"/>
--
--<xsl:variable name="items" select="document($map-to-items)//*[cdf:reference]" />
--<xsl:variable name="title" select="document($map-to-items)/cdf:Benchmark/cdf:title" />
--
--</xsl:stylesheet>
-diff --git a/eap6/transforms/table-style.xslt b/eap6/transforms/table-style.xslt
-deleted file mode 100644
-index 218d0f7542..0000000000
---- a/eap6/transforms/table-style.xslt
-+++ /dev/null
-@@ -1,5 +0,0 @@
--<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
--
--<xsl:import href="../../shared/transforms/shared_table-style.xslt"/>
--
--</xsl:stylesheet>
-diff --git a/eap6/transforms/xccdf-apply-overlay-stig.xslt b/eap6/transforms/xccdf-apply-overlay-stig.xslt
-deleted file mode 100644
-index 38b354afb8..0000000000
---- a/eap6/transforms/xccdf-apply-overlay-stig.xslt
-+++ /dev/null
-@@ -1,8 +0,0 @@
--<?xml version="1.0"?>
--<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns="http://checklists.nist.gov/xccdf/1.1" xmlns:xccdf="http://checklists.nist.gov/xccdf/1.1" xmlns:xhtml="http://www.w3.org/1999/xhtml" exclude-result-prefixes="xccdf">
--
--<xsl:include href="../../shared/transforms/shared_xccdf-apply-overlay-stig.xslt"/>
--<xsl:include href="constants.xslt"/>
--<xsl:variable name="overlays" select="document($overlay)/xccdf:overlays" />
--
--</xsl:stylesheet>
-diff --git a/eap6/transforms/xccdf2stigformat.xslt b/eap6/transforms/xccdf2stigformat.xslt
-deleted file mode 100644
-index 5421604fa3..0000000000
---- a/eap6/transforms/xccdf2stigformat.xslt
-+++ /dev/null
-@@ -1,7 +0,0 @@
--<?xml version="1.0"?>
--<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns="http://checklists.nist.gov/xccdf/1.1" xmlns:cdf="http://checklists.nist.gov/xccdf/1.1" xmlns:xhtml="http://www.w3.org/1999/xhtml" xmlns:dc="http://purl.org/dc/elements/1.1/" exclude-result-prefixes="cdf">
--
--<xsl:include href="../../shared/transforms/shared_xccdf2stigformat.xslt"/>
--<xsl:include href="constants.xslt"/>
--
--</xsl:stylesheet>
-diff --git a/eap6/transforms/xccdf2table-byref.xslt b/eap6/transforms/xccdf2table-byref.xslt
-deleted file mode 100644
-index 88a53f50ab..0000000000
---- a/eap6/transforms/xccdf2table-byref.xslt
-+++ /dev/null
-@@ -1,9 +0,0 @@
--<?xml version="1.0" encoding="utf-8" standalone="yes"?>
--<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:cdf="http://checklists.nist.gov/xccdf/1.1" xmlns:xhtml="http://www.w3.org/1999/xhtml">
--
--<xsl:import href="../../shared/transforms/shared_xccdf2table-byref.xslt"/>
--
--<xsl:include href="constants.xslt"/>
--<xsl:include href="table-style.xslt"/>
--
--</xsl:stylesheet>
-diff --git a/eap6/transforms/xccdf2table-cce.xslt b/eap6/transforms/xccdf2table-cce.xslt
-deleted file mode 100644
-index 1ffb22215c..0000000000
---- a/eap6/transforms/xccdf2table-cce.xslt
-+++ /dev/null
-@@ -1,9 +0,0 @@
--<?xml version="1.0" encoding="utf-8" standalone="yes"?>
--<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:cce="http://cce.mitre.org" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:cdf="http://checklists.nist.gov/xccdf/1.1" xmlns:xhtml="http://www.w3.org/1999/xhtml">
--
--<xsl:import href="../../shared/transforms/shared_xccdf2table-cce.xslt"/>
--
--<xsl:include href="constants.xslt"/>
--<xsl:include href="table-style.xslt"/>
--
--</xsl:stylesheet>
-diff --git a/eap6/transforms/xccdf2table-profileccirefs.xslt b/eap6/transforms/xccdf2table-profileccirefs.xslt
-deleted file mode 100644
-index 5a104d956f..0000000000
---- a/eap6/transforms/xccdf2table-profileccirefs.xslt
-+++ /dev/null
-@@ -1,9 +0,0 @@
--<?xml version="1.0" encoding="utf-8" standalone="yes"?>
--<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:cdf="http://checklists.nist.gov/xccdf/1.1" xmlns:cci="https://public.cyber.mil/stigs/cci" xmlns:xhtml="http://www.w3.org/1999/xhtml" xmlns:ovalns="http://oval.mitre.org/XMLSchema/oval-definitions-5">
--
--<xsl:import href="../../shared/transforms/shared_xccdf2table-profileccirefs.xslt"/>
--
--<xsl:include href="constants.xslt"/>
--<xsl:include href="table-style.xslt"/>
--
--</xsl:stylesheet>
-diff --git a/eap6/transforms/xccdf2table-profilecisrefs.xslt b/eap6/transforms/xccdf2table-profilecisrefs.xslt
-deleted file mode 100644
-index 92cbdf9b45..0000000000
---- a/eap6/transforms/xccdf2table-profilecisrefs.xslt
-+++ /dev/null
-@@ -1,9 +0,0 @@
--<?xml version="1.0" encoding="utf-8" standalone="yes"?>
--<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:cdf="http://checklists.nist.gov/xccdf/1.1" xmlns:xhtml="http://www.w3.org/1999/xhtml">
--
--<xsl:import href="../../shared/transforms/shared_xccdf2table-profilecisrefs.xslt"/>
--
--<xsl:include href="constants.xslt"/>
--<xsl:include href="table-style.xslt"/>
--
--</xsl:stylesheet>
-diff --git a/eap6/transforms/xccdf2table-profilenistrefs.xslt b/eap6/transforms/xccdf2table-profilenistrefs.xslt
-deleted file mode 100644
-index 8e97c33344..0000000000
---- a/eap6/transforms/xccdf2table-profilenistrefs.xslt
-+++ /dev/null
-@@ -1,8 +0,0 @@
--<?xml version="1.0" encoding="utf-8" standalone="yes"?>
--<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:cdf="http://checklists.nist.gov/xccdf/1.1" xmlns:xhtml="http://www.w3.org/1999/xhtml">
--
--<xsl:import href="../../shared/transforms/shared_xccdf2table-profilenistrefs.xslt"/>
--<xsl:include href="constants.xslt"/>
--<xsl:include href="table-style.xslt"/>
--
--</xsl:stylesheet>
-diff --git a/eap6/transforms/xccdf2table-stig.xslt b/eap6/transforms/xccdf2table-stig.xslt
-deleted file mode 100644
-index 2fb56fa7d0..0000000000
---- a/eap6/transforms/xccdf2table-stig.xslt
-+++ /dev/null
-@@ -1,9 +0,0 @@
--<?xml version="1.0" encoding="utf-8" standalone="yes"?>
--<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:cdf="http://checklists.nist.gov/xccdf/1.1" xmlns:xhtml="http://www.w3.org/1999/xhtml">
--
--<xsl:import href="../../shared/transforms/shared_xccdf2table-stig.xslt"/>
--
--<xsl:include href="constants.xslt"/>
--<xsl:include href="table-style.xslt"/>
--
--</xsl:stylesheet>
-diff --git a/shared/references/disa-stig-eap6-v1r2-xccdf-manual.xml b/shared/references/disa-stig-eap6-v1r2-xccdf-manual.xml
-deleted file mode 100644
-index 74aef4df7d..0000000000
---- a/shared/references/disa-stig-eap6-v1r2-xccdf-manual.xml
-+++ /dev/null
-@@ -1,1275 +0,0 @@
--<?xml version="1.0" encoding="utf-8"?><?xml-stylesheet type='text/xsl' href='STIG_unclass.xsl'?><Benchmark xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:cpe="http://cpe.mitre.org/language/2.0" xmlns:xhtml="http://www.w3.org/1999/xhtml" xmlns:dc="http://purl.org/dc/elements/1.1/" id="JBoss_EAP_6-3_STIG" xml:lang="en" xsi:schemaLocation="http://checklists.nist.gov/xccdf/1.1 http://nvd.nist.gov/schema/xccdf-1.1.4.xsd http://cpe.mitre.org/dictionary/2.0 http://cpe.mitre.org/files/cpe-dictionary_2.1.xsd" xmlns="http://checklists.nist.gov/xccdf/1.1"><status date="2017-03-20">accepted</status><title>JBoss EAP 6.3 Security Technical Implementation Guide</title><description>This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil.</description><notice id="terms-of-use" xml:lang="en"></notice><reference href="http://iase.disa.mil"><dc:publisher>DISA</dc:publisher><dc:source>STIG.DOD.MIL</dc:source></reference><plain-text id="release-info">Release: 2 Benchmark Date: 28 Apr 2017</plain-text><version>1</version><Profile id="MAC-1_Classified"><title>I - Mission Critical Classified</title><description>&lt;ProfileDescription&gt;&lt;/ProfileDescription&gt;</description><select idref="V-62073" selected="true" /><select idref="V-62215" selected="true" /><select idref="V-62217" selected="true" /><select idref="V-62219" selected="true" /><select idref="V-62221" selected="true" /><select idref="V-62223" selected="true" /><select idref="V-62225" selected="true" /><select idref="V-62227" selected="true" /><select idref="V-62229" selected="true" /><select idref="V-62231" selected="true" /><select idref="V-62233" selected="true" /><select idref="V-62235" selected="true" /><select idref="V-62237" selected="true" /><select idref="V-62239" selected="true" /><select idref="V-62241" selected="true" /><select idref="V-62243" selected="true" /><select idref="V-62245" selected="true" /><select idref="V-62247" selected="true" /><select idref="V-62249" selected="true" /><select idref="V-62251" selected="true" /><select idref="V-62253" selected="true" /><select idref="V-62255" selected="true" /><select idref="V-62257" selected="true" /><select idref="V-62259" selected="true" /><select idref="V-62261" selected="true" /><select idref="V-62263" selected="true" /><select idref="V-62265" selected="true" /><select idref="V-62267" selected="true" /><select idref="V-62269" selected="true" /><select idref="V-62271" selected="true" /><select idref="V-62273" selected="true" /><select idref="V-62275" selected="true" /><select idref="V-62277" selected="true" /><select idref="V-62279" selected="true" /><select idref="V-62281" selected="true" /><select idref="V-62283" selected="true" /><select idref="V-62285" selected="true" /><select idref="V-62287" selected="true" /><select idref="V-62289" selected="true" /><select idref="V-62291" selected="true" /><select idref="V-62293" selected="true" /><select idref="V-62295" selected="true" /><select idref="V-62297" selected="true" /><select idref="V-62299" selected="true" /><select idref="V-62301" selected="true" /><select idref="V-62303" selected="true" /><select idref="V-62305" selected="true" /><select idref="V-62307" selected="true" /><select idref="V-62309" selected="true" /><select idref="V-62311" selected="true" /><select idref="V-62313" selected="true" /><select idref="V-62315" selected="true" /><select idref="V-62317" selected="true" /><select idref="V-62319" selected="true" /><select idref="V-62321" selected="true" /><select idref="V-62323" selected="true" /><select idref="V-62325" selected="true" /><select idref="V-62327" selected="true" /><select idref="V-62329" selected="true" /><select idref="V-62331" selected="true" /><select idref="V-62333" selected="true" /><select idref="V-62335" selected="true" /><select idref="V-62337" selected="true" /><select idref="V-62339" selected="true" /><select idref="V-62341" selected="true" /><select idref="V-62343" selected="true" /><select idref="V-62345" selected="true" /></Profile><Profile id="MAC-1_Public"><title>I - Mission Critical Public</title><description>&lt;ProfileDescription&gt;&lt;/ProfileDescription&gt;</description><select idref="V-62073" selected="true" /><select idref="V-62215" selected="true" /><select idref="V-62217" selected="true" /><select idref="V-62219" selected="true" /><select idref="V-62221" selected="true" /><select idref="V-62223" selected="true" /><select idref="V-62225" selected="true" /><select idref="V-62227" selected="true" /><select idref="V-62229" selected="true" /><select idref="V-62231" selected="true" /><select idref="V-62233" selected="true" /><select idref="V-62235" selected="true" /><select idref="V-62237" selected="true" /><select idref="V-62239" selected="true" /><select idref="V-62241" selected="true" /><select idref="V-62243" selected="true" /><select idref="V-62245" selected="true" /><select idref="V-62247" selected="true" /><select idref="V-62249" selected="true" /><select idref="V-62251" selected="true" /><select idref="V-62253" selected="true" /><select idref="V-62255" selected="true" /><select idref="V-62257" selected="true" /><select idref="V-62259" selected="true" /><select idref="V-62261" selected="true" /><select idref="V-62263" selected="true" /><select idref="V-62265" selected="true" /><select idref="V-62267" selected="true" /><select idref="V-62269" selected="true" /><select idref="V-62271" selected="true" /><select idref="V-62273" selected="true" /><select idref="V-62275" selected="true" /><select idref="V-62277" selected="true" /><select idref="V-62279" selected="true" /><select idref="V-62281" selected="true" /><select idref="V-62283" selected="true" /><select idref="V-62285" selected="true" /><select idref="V-62287" selected="true" /><select idref="V-62289" selected="true" /><select idref="V-62291" selected="true" /><select idref="V-62293" selected="true" /><select idref="V-62295" selected="true" /><select idref="V-62297" selected="true" /><select idref="V-62299" selected="true" /><select idref="V-62301" selected="true" /><select idref="V-62303" selected="true" /><select idref="V-62305" selected="true" /><select idref="V-62307" selected="true" /><select idref="V-62309" selected="true" /><select idref="V-62311" selected="true" /><select idref="V-62313" selected="true" /><select idref="V-62315" selected="true" /><select idref="V-62317" selected="true" /><select idref="V-62319" selected="true" /><select idref="V-62321" selected="true" /><select idref="V-62323" selected="true" /><select idref="V-62325" selected="true" /><select idref="V-62327" selected="true" /><select idref="V-62329" selected="true" /><select idref="V-62331" selected="true" /><select idref="V-62333" selected="true" /><select idref="V-62335" selected="true" /><select idref="V-62337" selected="true" /><select idref="V-62339" selected="true" /><select idref="V-62341" selected="true" /><select idref="V-62343" selected="true" /><select idref="V-62345" selected="true" /></Profile><Profile id="MAC-1_Sensitive"><title>I - Mission Critical Sensitive</title><description>&lt;ProfileDescription&gt;&lt;/ProfileDescription&gt;</description><select idref="V-62073" selected="true" /><select idref="V-62215" selected="true" /><select idref="V-62217" selected="true" /><select idref="V-62219" selected="true" /><select idref="V-62221" selected="true" /><select idref="V-62223" selected="true" /><select idref="V-62225" selected="true" /><select idref="V-62227" selected="true" /><select idref="V-62229" selected="true" /><select idref="V-62231" selected="true" /><select idref="V-62233" selected="true" /><select idref="V-62235" selected="true" /><select idref="V-62237" selected="true" /><select idref="V-62239" selected="true" /><select idref="V-62241" selected="true" /><select idref="V-62243" selected="true" /><select idref="V-62245" selected="true" /><select idref="V-62247" selected="true" /><select idref="V-62249" selected="true" /><select idref="V-62251" selected="true" /><select idref="V-62253" selected="true" /><select idref="V-62255" selected="true" /><select idref="V-62257" selected="true" /><select idref="V-62259" selected="true" /><select idref="V-62261" selected="true" /><select idref="V-62263" selected="true" /><select idref="V-62265" selected="true" /><select idref="V-62267" selected="true" /><select idref="V-62269" selected="true" /><select idref="V-62271" selected="true" /><select idref="V-62273" selected="true" /><select idref="V-62275" selected="true" /><select idref="V-62277" selected="true" /><select idref="V-62279" selected="true" /><select idref="V-62281" selected="true" /><select idref="V-62283" selected="true" /><select idref="V-62285" selected="true" /><select idref="V-62287" selected="true" /><select idref="V-62289" selected="true" /><select idref="V-62291" selected="true" /><select idref="V-62293" selected="true" /><select idref="V-62295" selected="true" /><select idref="V-62297" selected="true" /><select idref="V-62299" selected="true" /><select idref="V-62301" selected="true" /><select idref="V-62303" selected="true" /><select idref="V-62305" selected="true" /><select idref="V-62307" selected="true" /><select idref="V-62309" selected="true" /><select idref="V-62311" selected="true" /><select idref="V-62313" selected="true" /><select idref="V-62315" selected="true" /><select idref="V-62317" selected="true" /><select idref="V-62319" selected="true" /><select idref="V-62321" selected="true" /><select idref="V-62323" selected="true" /><select idref="V-62325" selected="true" /><select idref="V-62327" selected="true" /><select idref="V-62329" selected="true" /><select idref="V-62331" selected="true" /><select idref="V-62333" selected="true" /><select idref="V-62335" selected="true" /><select idref="V-62337" selected="true" /><select idref="V-62339" selected="true" /><select idref="V-62341" selected="true" /><select idref="V-62343" selected="true" /><select idref="V-62345" selected="true" /></Profile><Profile id="MAC-2_Classified"><title>II - Mission Support Classified</title><description>&lt;ProfileDescription&gt;&lt;/ProfileDescription&gt;</description><select idref="V-62073" selected="true" /><select idref="V-62215" selected="true" /><select idref="V-62217" selected="true" /><select idref="V-62219" selected="true" /><select idref="V-62221" selected="true" /><select idref="V-62223" selected="true" /><select idref="V-62225" selected="true" /><select idref="V-62227" selected="true" /><select idref="V-62229" selected="true" /><select idref="V-62231" selected="true" /><select idref="V-62233" selected="true" /><select idref="V-62235" selected="true" /><select idref="V-62237" selected="true" /><select idref="V-62239" selected="true" /><select idref="V-62241" selected="true" /><select idref="V-62243" selected="true" /><select idref="V-62245" selected="true" /><select idref="V-62247" selected="true" /><select idref="V-62249" selected="true" /><select idref="V-62251" selected="true" /><select idref="V-62253" selected="true" /><select idref="V-62255" selected="true" /><select idref="V-62257" selected="true" /><select idref="V-62259" selected="true" /><select idref="V-62261" selected="true" /><select idref="V-62263" selected="true" /><select idref="V-62265" selected="true" /><select idref="V-62267" selected="true" /><select idref="V-62269" selected="true" /><select idref="V-62271" selected="true" /><select idref="V-62273" selected="true" /><select idref="V-62275" selected="true" /><select idref="V-62277" selected="true" /><select idref="V-62279" selected="true" /><select idref="V-62281" selected="true" /><select idref="V-62283" selected="true" /><select idref="V-62285" selected="true" /><select idref="V-62287" selected="true" /><select idref="V-62289" selected="true" /><select idref="V-62291" selected="true" /><select idref="V-62293" selected="true" /><select idref="V-62295" selected="true" /><select idref="V-62297" selected="true" /><select idref="V-62299" selected="true" /><select idref="V-62301" selected="true" /><select idref="V-62303" selected="true" /><select idref="V-62305" selected="true" /><select idref="V-62307" selected="true" /><select idref="V-62309" selected="true" /><select idref="V-62311" selected="true" /><select idref="V-62313" selected="true" /><select idref="V-62315" selected="true" /><select idref="V-62317" selected="true" /><select idref="V-62319" selected="true" /><select idref="V-62321" selected="true" /><select idref="V-62323" selected="true" /><select idref="V-62325" selected="true" /><select idref="V-62327" selected="true" /><select idref="V-62329" selected="true" /><select idref="V-62331" selected="true" /><select idref="V-62333" selected="true" /><select idref="V-62335" selected="true" /><select idref="V-62337" selected="true" /><select idref="V-62339" selected="true" /><select idref="V-62341" selected="true" /><select idref="V-62343" selected="true" /><select idref="V-62345" selected="true" /></Profile><Profile id="MAC-2_Public"><title>II - Mission Support Public</title><description>&lt;ProfileDescription&gt;&lt;/ProfileDescription&gt;</description><select idref="V-62073" selected="true" /><select idref="V-62215" selected="true" /><select idref="V-62217" selected="true" /><select idref="V-62219" selected="true" /><select idref="V-62221" selected="true" /><select idref="V-62223" selected="true" /><select idref="V-62225" selected="true" /><select idref="V-62227" selected="true" /><select idref="V-62229" selected="true" /><select idref="V-62231" selected="true" /><select idref="V-62233" selected="true" /><select idref="V-62235" selected="true" /><select idref="V-62237" selected="true" /><select idref="V-62239" selected="true" /><select idref="V-62241" selected="true" /><select idref="V-62243" selected="true" /><select idref="V-62245" selected="true" /><select idref="V-62247" selected="true" /><select idref="V-62249" selected="true" /><select idref="V-62251" selected="true" /><select idref="V-62253" selected="true" /><select idref="V-62255" selected="true" /><select idref="V-62257" selected="true" /><select idref="V-62259" selected="true" /><select idref="V-62261" selected="true" /><select idref="V-62263" selected="true" /><select idref="V-62265" selected="true" /><select idref="V-62267" selected="true" /><select idref="V-62269" selected="true" /><select idref="V-62271" selected="true" /><select idref="V-62273" selected="true" /><select idref="V-62275" selected="true" /><select idref="V-62277" selected="true" /><select idref="V-62279" selected="true" /><select idref="V-62281" selected="true" /><select idref="V-62283" selected="true" /><select idref="V-62285" selected="true" /><select idref="V-62287" selected="true" /><select idref="V-62289" selected="true" /><select idref="V-62291" selected="true" /><select idref="V-62293" selected="true" /><select idref="V-62295" selected="true" /><select idref="V-62297" selected="true" /><select idref="V-62299" selected="true" /><select idref="V-62301" selected="true" /><select idref="V-62303" selected="true" /><select idref="V-62305" selected="true" /><select idref="V-62307" selected="true" /><select idref="V-62309" selected="true" /><select idref="V-62311" selected="true" /><select idref="V-62313" selected="true" /><select idref="V-62315" selected="true" /><select idref="V-62317" selected="true" /><select idref="V-62319" selected="true" /><select idref="V-62321" selected="true" /><select idref="V-62323" selected="true" /><select idref="V-62325" selected="true" /><select idref="V-62327" selected="true" /><select idref="V-62329" selected="true" /><select idref="V-62331" selected="true" /><select idref="V-62333" selected="true" /><select idref="V-62335" selected="true" /><select idref="V-62337" selected="true" /><select idref="V-62339" selected="true" /><select idref="V-62341" selected="true" /><select idref="V-62343" selected="true" /><select idref="V-62345" selected="true" /></Profile><Profile id="MAC-2_Sensitive"><title>II - Mission Support Sensitive</title><description>&lt;ProfileDescription&gt;&lt;/ProfileDescription&gt;</description><select idref="V-62073" selected="true" /><select idref="V-62215" selected="true" /><select idref="V-62217" selected="true" /><select idref="V-62219" selected="true" /><select idref="V-62221" selected="true" /><select idref="V-62223" selected="true" /><select idref="V-62225" selected="true" /><select idref="V-62227" selected="true" /><select idref="V-62229" selected="true" /><select idref="V-62231" selected="true" /><select idref="V-62233" selected="true" /><select idref="V-62235" selected="true" /><select idref="V-62237" selected="true" /><select idref="V-62239" selected="true" /><select idref="V-62241" selected="true" /><select idref="V-62243" selected="true" /><select idref="V-62245" selected="true" /><select idref="V-62247" selected="true" /><select idref="V-62249" selected="true" /><select idref="V-62251" selected="true" /><select idref="V-62253" selected="true" /><select idref="V-62255" selected="true" /><select idref="V-62257" selected="true" /><select idref="V-62259" selected="true" /><select idref="V-62261" selected="true" /><select idref="V-62263" selected="true" /><select idref="V-62265" selected="true" /><select idref="V-62267" selected="true" /><select idref="V-62269" selected="true" /><select idref="V-62271" selected="true" /><select idref="V-62273" selected="true" /><select idref="V-62275" selected="true" /><select idref="V-62277" selected="true" /><select idref="V-62279" selected="true" /><select idref="V-62281" selected="true" /><select idref="V-62283" selected="true" /><select idref="V-62285" selected="true" /><select idref="V-62287" selected="true" /><select idref="V-62289" selected="true" /><select idref="V-62291" selected="true" /><select idref="V-62293" selected="true" /><select idref="V-62295" selected="true" /><select idref="V-62297" selected="true" /><select idref="V-62299" selected="true" /><select idref="V-62301" selected="true" /><select idref="V-62303" selected="true" /><select idref="V-62305" selected="true" /><select idref="V-62307" selected="true" /><select idref="V-62309" selected="true" /><select idref="V-62311" selected="true" /><select idref="V-62313" selected="true" /><select idref="V-62315" selected="true" /><select idref="V-62317" selected="true" /><select idref="V-62319" selected="true" /><select idref="V-62321" selected="true" /><select idref="V-62323" selected="true" /><select idref="V-62325" selected="true" /><select idref="V-62327" selected="true" /><select idref="V-62329" selected="true" /><select idref="V-62331" selected="true" /><select idref="V-62333" selected="true" /><select idref="V-62335" selected="true" /><select idref="V-62337" selected="true" /><select idref="V-62339" selected="true" /><select idref="V-62341" selected="true" /><select idref="V-62343" selected="true" /><select idref="V-62345" selected="true" /></Profile><Profile id="MAC-3_Classified"><title>III - Administrative Classified</title><description>&lt;ProfileDescription&gt;&lt;/ProfileDescription&gt;</description><select idref="V-62073" selected="true" /><select idref="V-62215" selected="true" /><select idref="V-62217" selected="true" /><select idref="V-62219" selected="true" /><select idref="V-62221" selected="true" /><select idref="V-62223" selected="true" /><select idref="V-62225" selected="true" /><select idref="V-62227" selected="true" /><select idref="V-62229" selected="true" /><select idref="V-62231" selected="true" /><select idref="V-62233" selected="true" /><select idref="V-62235" selected="true" /><select idref="V-62237" selected="true" /><select idref="V-62239" selected="true" /><select idref="V-62241" selected="true" /><select idref="V-62243" selected="true" /><select idref="V-62245" selected="true" /><select idref="V-62247" selected="true" /><select idref="V-62249" selected="true" /><select idref="V-62251" selected="true" /><select idref="V-62253" selected="true" /><select idref="V-62255" selected="true" /><select idref="V-62257" selected="true" /><select idref="V-62259" selected="true" /><select idref="V-62261" selected="true" /><select idref="V-62263" selected="true" /><select idref="V-62265" selected="true" /><select idref="V-62267" selected="true" /><select idref="V-62269" selected="true" /><select idref="V-62271" selected="true" /><select idref="V-62273" selected="true" /><select idref="V-62275" selected="true" /><select idref="V-62277" selected="true" /><select idref="V-62279" selected="true" /><select idref="V-62281" selected="true" /><select idref="V-62283" selected="true" /><select idref="V-62285" selected="true" /><select idref="V-62287" selected="true" /><select idref="V-62289" selected="true" /><select idref="V-62291" selected="true" /><select idref="V-62293" selected="true" /><select idref="V-62295" selected="true" /><select idref="V-62297" selected="true" /><select idref="V-62299" selected="true" /><select idref="V-62301" selected="true" /><select idref="V-62303" selected="true" /><select idref="V-62305" selected="true" /><select idref="V-62307" selected="true" /><select idref="V-62309" selected="true" /><select idref="V-62311" selected="true" /><select idref="V-62313" selected="true" /><select idref="V-62315" selected="true" /><select idref="V-62317" selected="true" /><select idref="V-62319" selected="true" /><select idref="V-62321" selected="true" /><select idref="V-62323" selected="true" /><select idref="V-62325" selected="true" /><select idref="V-62327" selected="true" /><select idref="V-62329" selected="true" /><select idref="V-62331" selected="true" /><select idref="V-62333" selected="true" /><select idref="V-62335" selected="true" /><select idref="V-62337" selected="true" /><select idref="V-62339" selected="true" /><select idref="V-62341" selected="true" /><select idref="V-62343" selected="true" /><select idref="V-62345" selected="true" /></Profile><Profile id="MAC-3_Public"><title>III - Administrative Public</title><description>&lt;ProfileDescription&gt;&lt;/ProfileDescription&gt;</description><select idref="V-62073" selected="true" /><select idref="V-62215" selected="true" /><select idref="V-62217" selected="true" /><select idref="V-62219" selected="true" /><select idref="V-62221" selected="true" /><select idref="V-62223" selected="true" /><select idref="V-62225" selected="true" /><select idref="V-62227" selected="true" /><select idref="V-62229" selected="true" /><select idref="V-62231" selected="true" /><select idref="V-62233" selected="true" /><select idref="V-62235" selected="true" /><select idref="V-62237" selected="true" /><select idref="V-62239" selected="true" /><select idref="V-62241" selected="true" /><select idref="V-62243" selected="true" /><select idref="V-62245" selected="true" /><select idref="V-62247" selected="true" /><select idref="V-62249" selected="true" /><select idref="V-62251" selected="true" /><select idref="V-62253" selected="true" /><select idref="V-62255" selected="true" /><select idref="V-62257" selected="true" /><select idref="V-62259" selected="true" /><select idref="V-62261" selected="true" /><select idref="V-62263" selected="true" /><select idref="V-62265" selected="true" /><select idref="V-62267" selected="true" /><select idref="V-62269" selected="true" /><select idref="V-62271" selected="true" /><select idref="V-62273" selected="true" /><select idref="V-62275" selected="true" /><select idref="V-62277" selected="true" /><select idref="V-62279" selected="true" /><select idref="V-62281" selected="true" /><select idref="V-62283" selected="true" /><select idref="V-62285" selected="true" /><select idref="V-62287" selected="true" /><select idref="V-62289" selected="true" /><select idref="V-62291" selected="true" /><select idref="V-62293" selected="true" /><select idref="V-62295" selected="true" /><select idref="V-62297" selected="true" /><select idref="V-62299" selected="true" /><select idref="V-62301" selected="true" /><select idref="V-62303" selected="true" /><select idref="V-62305" selected="true" /><select idref="V-62307" selected="true" /><select idref="V-62309" selected="true" /><select idref="V-62311" selected="true" /><select idref="V-62313" selected="true" /><select idref="V-62315" selected="true" /><select idref="V-62317" selected="true" /><select idref="V-62319" selected="true" /><select idref="V-62321" selected="true" /><select idref="V-62323" selected="true" /><select idref="V-62325" selected="true" /><select idref="V-62327" selected="true" /><select idref="V-62329" selected="true" /><select idref="V-62331" selected="true" /><select idref="V-62333" selected="true" /><select idref="V-62335" selected="true" /><select idref="V-62337" selected="true" /><select idref="V-62339" selected="true" /><select idref="V-62341" selected="true" /><select idref="V-62343" selected="true" /><select idref="V-62345" selected="true" /></Profile><Profile id="MAC-3_Sensitive"><title>III - Administrative Sensitive</title><description>&lt;ProfileDescription&gt;&lt;/ProfileDescription&gt;</description><select idref="V-62073" selected="true" /><select idref="V-62215" selected="true" /><select idref="V-62217" selected="true" /><select idref="V-62219" selected="true" /><select idref="V-62221" selected="true" /><select idref="V-62223" selected="true" /><select idref="V-62225" selected="true" /><select idref="V-62227" selected="true" /><select idref="V-62229" selected="true" /><select idref="V-62231" selected="true" /><select idref="V-62233" selected="true" /><select idref="V-62235" selected="true" /><select idref="V-62237" selected="true" /><select idref="V-62239" selected="true" /><select idref="V-62241" selected="true" /><select idref="V-62243" selected="true" /><select idref="V-62245" selected="true" /><select idref="V-62247" selected="true" /><select idref="V-62249" selected="true" /><select idref="V-62251" selected="true" /><select idref="V-62253" selected="true" /><select idref="V-62255" selected="true" /><select idref="V-62257" selected="true" /><select idref="V-62259" selected="true" /><select idref="V-62261" selected="true" /><select idref="V-62263" selected="true" /><select idref="V-62265" selected="true" /><select idref="V-62267" selected="true" /><select idref="V-62269" selected="true" /><select idref="V-62271" selected="true" /><select idref="V-62273" selected="true" /><select idref="V-62275" selected="true" /><select idref="V-62277" selected="true" /><select idref="V-62279" selected="true" /><select idref="V-62281" selected="true" /><select idref="V-62283" selected="true" /><select idref="V-62285" selected="true" /><select idref="V-62287" selected="true" /><select idref="V-62289" selected="true" /><select idref="V-62291" selected="true" /><select idref="V-62293" selected="true" /><select idref="V-62295" selected="true" /><select idref="V-62297" selected="true" /><select idref="V-62299" selected="true" /><select idref="V-62301" selected="true" /><select idref="V-62303" selected="true" /><select idref="V-62305" selected="true" /><select idref="V-62307" selected="true" /><select idref="V-62309" selected="true" /><select idref="V-62311" selected="true" /><select idref="V-62313" selected="true" /><select idref="V-62315" selected="true" /><select idref="V-62317" selected="true" /><select idref="V-62319" selected="true" /><select idref="V-62321" selected="true" /><select idref="V-62323" selected="true" /><select idref="V-62325" selected="true" /><select idref="V-62327" selected="true" /><select idref="V-62329" selected="true" /><select idref="V-62331" selected="true" /><select idref="V-62333" selected="true" /><select idref="V-62335" selected="true" /><select idref="V-62337" selected="true" /><select idref="V-62339" selected="true" /><select idref="V-62341" selected="true" /><select idref="V-62343" selected="true" /><select idref="V-62345" selected="true" /></Profile><Group id="V-62073"><title>SRG-APP-000014-AS-000009</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-76563r1_rule" severity="medium" weight="10.0"><version>JBOS-AS-000010</version><title>HTTP management session traffic must be encrypted.</title><description>&lt;VulnDiscussion&gt;Types of management interfaces utilized by the JBoss EAP application server include web-based HTTP interfaces as well as command line-based management interfaces.  In the event remote HTTP management is required, the access must be via HTTPS.
--
--This requirement is in conjunction with the requirement to isolate all management access to a restricted network.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target JBoss EAP 6.3</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>JBoss EAP 6.3</dc:subject><dc:identifier>2923</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000068</ident><fixtext fixref="F-67993r1_fix">Follow the specific instructions in the Red Hat Security Guide for EAP version 6.3 to configure the management console for HTTPS.
--
--This involves the following steps.
--1. Create a keystore in JKS format.
--2. Ensure the management console binds to HTTPS.
--3. Create a new Security Realm.
--4. Configure Management Interface to use new security realm.
--5. Configure the management console to use the keystore.
--6. Restart the EAP server.</fixtext><fix id="F-67993r1_fix" /><check system="C-62877r2_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_JBoss_EAP_6-3_STIG.xml" /><check-content>Log on to the OS of the JBoss server with OS permissions that allow access to JBoss. Using the relevant OS commands and syntax, cd to the &lt;JBOSS_HOME&gt;/bin/ folder. 
--Run the jboss-cli script. Connect to the server and authenticate. 
--
--For a standalone configuration run the following command:
--"ls /core-service=management/management-interface=http-interface"
--
--If "secure-socket-binding"=undefined, this is a finding.
--
--For a domain configuration run the following command:
--"ls /host=master/core-service=management/management-interface=http-interface"
--
--If "secure-port" is undefined, this is a finding.</check-content></check></Rule></Group><Group id="V-62215"><title>SRG-APP-000015-AS-000010</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-76705r1_rule" severity="medium" weight="10.0"><version>JBOS-AS-000015</version><title>HTTPS must be enabled for JBoss web interfaces.</title><description>&lt;VulnDiscussion&gt;Encryption is critical for protection of remote access sessions. If encryption is not being used for integrity, malicious users may gain the ability to modify the application server configuration. The use of cryptography for ensuring integrity of remote access sessions mitigates that risk.
--
--Application servers utilize a web management interface and scripted commands when allowing remote access. Web access requires the use of TLS, and scripted access requires using ssh or some other form of approved cryptography. Application servers must have a capability to enable a secure remote admin capability.
--
--FIPS 140-2 approved TLS versions include TLS V1.0 or greater.
--
--FIPS 140-2 approved TLS versions must be enabled, and non-FIPS-approved SSL versions must be disabled.
--
--NIST SP 800-52 specifies the preferred configurations for government systems.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target JBoss EAP 6.3</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>JBoss EAP 6.3</dc:subject><dc:identifier>2923</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-001453</ident><fixtext fixref="F-68135r1_fix">Follow procedure "4.4.  Configure the JBoss Web Server to use HTTPS."  The detailed procedure is found in the JBoss EAP 6.3 Security Guide available at the vendor's site, RedHat.com.  An overview of steps is provided here.
--
--1. Obtain or generate DoD-approved SSL certificates.
--2. Configure the SSL certificate using your certificate values.
--3. Set the SSL protocol to TLS V1.1 or V1.2.</fixtext><fix id="F-68135r1_fix" /><check system="C-63019r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_JBoss_EAP_6-3_STIG.xml" /><check-content>Log on to the OS of the JBoss server with OS permissions that allow access to JBoss.
-- 
--Using the relevant OS commands and syntax, cd to the &lt;JBOSS_HOME&gt;/bin/ folder. 
--Run the jboss-cli script. 
--Connect to the server and authenticate. 
--
--Review the web subsystem and ensure that HTTPS is enabled.
--Run the command:
--
--For a managed domain:
--"ls /profile=&lt;PROFILE_NAME&gt;/subsystem=web/connector="
--
--For a standalone system:
--"ls /subsystem=web/connector="
--
--If "https" is not returned, this is a finding.</check-content></check></Rule></Group><Group id="V-62217"><title>SRG-APP-000033-AS-000024</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-76707r1_rule" severity="high" weight="10.0"><version>JBOS-AS-000025</version><title>Java permissions must be set for hosted applications.</title><description>&lt;VulnDiscussion&gt;The Java Security Manager is a java class that manages the external boundary of the Java Virtual Machine (JVM) sandbox, controlling how code executing within the JVM can interact with resources outside the JVM.
--
--The JVM requires a security policy in order to restrict application access.  A properly configured security policy will define what rights the application has to the underlying system.  For example, rights to make changes to files on the host system or to initiate network sockets in order to connect to another system.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target JBoss EAP 6.3</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>JBoss EAP 6.3</dc:subject><dc:identifier>2923</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000213</ident><fixtext fixref="F-68137r1_fix">Configure the Java security manager to enforce access restrictions to the host system resources in accordance with application design and resource requirements.</fixtext><fix id="F-68137r1_fix" /><check system="C-63021r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_JBoss_EAP_6-3_STIG.xml" /><check-content>Obtain documentation from the admin that identifies the applications hosted on the JBoss server as well as the corresponding rights the application requires.  For example, if the application requires network socket permissions and file write permissions, those requirements should be documented.
--
--1. Identify the JBoss installation as either domain or standalone and review the relevant configuration file.
--For domain installs: JBOSS_HOME/bin/domain.conf
--For standalone installs: JBOSS_HOME/bin/standalone.conf
--
--2. Identify the location and name of the security policy by reading the JAVA_OPTS flag -Djava.security.policy=&lt;file name&gt; where &lt;file name&gt; will indicate name and location of security policy.  If the application uses a policy URL, obtain URL and policy file from system admin.
--
--3. Review security policy and ensure hosted applications have the appropriate restrictions placed on them as per documented application functionality requirements.
--
--If the security policy does not restrict application access to host resources as per documented requirements, this is a finding.</check-content></check></Rule></Group><Group id="V-62219"><title>SRG-APP-000033-AS-000024</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-76709r1_rule" severity="medium" weight="10.0"><version>JBOS-AS-000040</version><title>Users in JBoss Management Security Realms must be in the appropriate role.</title><description>&lt;VulnDiscussion&gt;Security realms are a series of mappings between users and passwords and users and roles.  There are 2 JBoss security realms provided by default; they are "management realm" and "application realm".
--
--Management realm stores authentication information for the management API, which provides functionality for the web-based management console and the management command line interface (CLI).
--
--mgmt-groups.properties stores user to group mapping for the ManagementRealm but only when role-based access controls  (RBAC) is enabled.
--
--If management users are not in the appropriate role, unauthorized access to JBoss resources can occur.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target JBoss EAP 6.3</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>JBoss EAP 6.3</dc:subject><dc:identifier>2923</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000213</ident><fixtext fixref="F-68139r1_fix">Document approved management users and their roles.  Configure the application server to use RBAC and ensure users are placed into the appropriate roles.</fixtext><fix id="F-68139r1_fix" /><check system="C-63023r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_JBoss_EAP_6-3_STIG.xml" /><check-content>Review the mgmt-users.properties file.   Also review the &lt;management /&gt; section in the standalone.xml or domain.xml configuration files.  The relevant xml file will depend on if the JBoss server is configured in standalone or domain mode.
--
--Ensure all users listed in these files are approved for management access to the JBoss server and are in the appropriate role.
--
--For domain configurations:
--&lt;JBOSS_HOME&gt;/domain/configuration/mgmt-users.properties.  
--&lt;JBOSS_HOME&gt;/domain/configuration/domain.xml
--
--For standalone configurations:
--&lt;JBOSS_HOME&gt;/standalone/configuration/mgmt-users.properties.
--&lt;JBOSS_HOME&gt;/standalone/configuration/standalone.xml
--
--If the users listed are not in the appropriate role, this is a finding.</check-content></check></Rule></Group><Group id="V-62221"><title>SRG-APP-000033-AS-000024</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-76711r1_rule" severity="high" weight="10.0"><version>JBOS-AS-000045</version><title>Silent Authentication must be removed from the Default Application Security Realm.</title><description>&lt;VulnDiscussion&gt;Silent Authentication is a configuration setting that allows local OS users access to the JBoss server and a wide range of operations without specifically authenticating on an individual user basis.  By default $localuser is a Superuser. This introduces an integrity and availability vulnerability and violates best practice requirements regarding accountability.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target JBoss EAP 6.3</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>JBoss EAP 6.3</dc:subject><dc:identifier>2923</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000213</ident><fixtext fixref="F-68141r1_fix">Log on to the OS of the JBoss server with OS permissions that allow access to JBoss.
--Using the relevant OS commands and syntax, cd to the &lt;JBOSS_HOME&gt;/bin/ folder. 
--Run the jboss-cli script.
--Connect to the server and authenticate.
--
--Remove the local element from the Application Realm.
--For standalone servers, run the following command:
--/core-service=management/securityrealm=
--ApplicationRealm/authentication=local:remove
--
--For managed domain installations, run the following command:
--/host=HOST_NAME/core-service=management/securityrealm=
--ApplicationRealm/authentication=local:remove</fixtext><fix id="F-68141r1_fix" /><check system="C-63025r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_JBoss_EAP_6-3_STIG.xml" /><check-content>Log on to the OS of the JBoss server with OS permissions that allow access to JBoss.
--Using the relevant OS commands and syntax, cd to the &lt;JBOSS_HOME&gt;/bin/ folder.
--Run the jboss-cli script.
--Connect to the server and authenticate.
--
--Verify that Silent Authentication has been removed from the default Application security realm.
--Run the following command.
--
--For standalone servers, run the following command:
--"ls /core-service=management/securityrealm=ApplicationRealm/authentication"
--
--For managed domain installations, run the following command:
--"ls /host=HOST_NAME/core-service=management/securityrealm=ApplicationRealm/authentication"
--
--If "local" is returned, this is a finding.</check-content></check></Rule></Group><Group id="V-62223"><title>SRG-APP-000033-AS-000024</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-76713r1_rule" severity="high" weight="10.0"><version>JBOS-AS-000050</version><title>Silent Authentication must be removed from the Default Management Security Realm.</title><description>&lt;VulnDiscussion&gt;Silent Authentication is a configuration setting that allows local OS users access to the JBoss server and a wide range of operations without specifically authenticating on an individual user basis.  By default $localuser is a Superuser. This introduces an integrity and availability vulnerability and violates best practice requirements regarding accountability.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target JBoss EAP 6.3</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>JBoss EAP 6.3</dc:subject><dc:identifier>2923</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000213</ident><fixtext fixref="F-68143r1_fix">Log on to the OS of the JBoss server with OS permissions that allow access to JBoss. 
--Using the relevant OS commands and syntax, cd to the &lt;JBOSS_HOME&gt;/bin/ folder. 
--Run the jboss-cli script. 
--Connect to the server and authenticate. 
--
--Remove the local element from the Management Realm.
--For standalone servers run the following command:
--/core-service=management/securityrealm=
--ManagementRealm/authentication=local:remove
--
--For managed domain installations run the following command:
--/host=HOST_NAME/core-service=management/securityrealm=
--ManagementRealm/authentication=local:remove</fixtext><fix id="F-68143r1_fix" /><check system="C-63027r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_JBoss_EAP_6-3_STIG.xml" /><check-content>Log on to the OS of the JBoss server with OS permissions that allow access to JBoss. 
--Using the relevant OS commands and syntax, cd to the &lt;JBOSS_HOME&gt;/bin/ folder. 
--Run the jboss-cli script. 
--Connect to the server and authenticate. 
--
--Verify that Silent Authentication has been removed from the default Management security realm.
--Run the following command. 
--
--For standalone servers run the following command:
--"ls /core-service=management/securityrealm=ManagementRealm/authentication"
--
--For managed domain installations run the following command:
--"ls /host=HOST_NAME/core-service=management/securityrealm=ManagementRealm/authentication"
--
--If "local" is returned, this is a finding.</check-content></check></Rule></Group><Group id="V-62225"><title>SRG-APP-000033-AS-000024</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-76715r1_rule" severity="high" weight="10.0"><version>JBOS-AS-000030</version><title>The Java Security Manager must be enabled for the JBoss application server.</title><description>&lt;VulnDiscussion&gt;The Java Security Manager is a java class that manages the external boundary of the Java Virtual Machine (JVM) sandbox, controlling how code executing within the JVM can interact with resources outside the JVM.
--
--The Java Security Manager uses a security policy to determine whether a given action will be
--permitted or denied.
--
--To protect the host system, the JBoss application server must be run within the Java Security Manager.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target JBoss EAP 6.3</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>JBoss EAP 6.3</dc:subject><dc:identifier>2923</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000213</ident><fixtext fixref="F-68145r1_fix">For a domain installation:
--Enable the respective JAVA_OPTS flag in both the domain.conf and the domain.conf.bat files.
--
--For a standalone installation:
--Enable the respective JAVA_OPTS flag in both the standalone.conf and the standalone.conf.bat files.</fixtext><fix id="F-68145r1_fix" /><check system="C-63029r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_JBoss_EAP_6-3_STIG.xml" /><check-content>To determine if the Java Security Manager is enabled for JBoss, you must examine the startup commands.  JBoss can be configured to run in either "domain" or a "standalone" mode.  JBOSS_HOME is the variable home directory for the JBoss installation.  Use relevant OS commands to navigate the file system.
--
--A. For a managed domain installation, review the domain.conf and domain.conf.bat files:
--
--JBOSS_HOME/bin/domain.conf
--JBOSS_HOME/bin/domain.conf.bat
--
--In domain.conf file, ensure there is a JAVA_OPTS flag that loads the Java Security Manager as well as a relevant Java Security policy.   The following is an example:
--
--JAVA_OPTS="$JAVA_OPTS -Djava.security.manager -Djava.security.policy==$PWD/server.policy -Djboss.home.dir=/path/to/JBOSS_HOME -Djboss.modules.policy-permissions=true"
--
--In domain.conf.bat file, ensure JAVA_OPTS flag is set.  The following is an example:
--
--set "JAVA_OPTS=%JAVA_OPTS% -Djava.security.manager -Djava.security.policy==/path/to/server.policy -Djboss.home.dir=/path/to/JBOSS_HOME -Djboss.modules.policy-permissions=true"
--
--B. For a standalone installation, review the standalone.conf and standalone.conf.bat files:
--
--JBOSS_HOME/bin/standalone.conf
--JBOSS_HOME/bin/standalone.conf.bat
--
--In the standalone.conf file, ensure the JAVA_OPTS flag is set.  The following is an example:
--
--JAVA_OPTS="$JAVA_OPTS -Djava.security.manager -Djava.security.policy==$PWD/server.policy -Djboss.home.dir=$JBOSS_HOME -Djboss.modules.policy-permissions=true"
--
--In the standalone.conf.bat file, ensure the JAVA_OPTS flag is set.  The following is an example:
--
--set "JAVA_OPTS=%JAVA_OPTS% -Djava.security.manager -Djava.security.policy==/path/to/server.policy -Djboss.home.dir=%JBOSS_HOME% -Djboss.modules.policy-permissions=true"  
--
--If the security manager is not enabled and a security policy not defined, this is a finding.</check-content></check></Rule></Group><Group id="V-62227"><title>SRG-APP-000033-AS-000024</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-76717r1_rule" severity="high" weight="10.0"><version>JBOS-AS-000035</version><title>The JBoss server must be configured with Role Based Access Controls.</title><description>&lt;VulnDiscussion&gt;By default, the JBoss server is not configured to utilize role based access controls (RBAC).  RBAC provides the capability to restrict user access to their designated management role, thereby limiting access to only the JBoss functionality that they are supposed to have.  Without RBAC, the JBoss server is not able to enforce authorized access according to role.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target JBoss EAP 6.3</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>JBoss EAP 6.3</dc:subject><dc:identifier>2923</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000213</ident><fixtext fixref="F-68147r1_fix">Run the following command.
--&lt;JBOSS_HOME&gt;/bin/jboss-cli.sh -c -&gt; connect -&gt; cd /core-service=management/access-authorization :write-attribute(name=provider, value=rbac)
--
--Restart JBoss.
--
--Map users to roles by running the following command.  Upper-case words  are variables.
--
--role-mapping=ROLENAME/include=ALIAS:add(name-USERNAME, type=USER ROLE)</fixtext><fix id="F-68147r1_fix" /><check system="C-63031r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_JBoss_EAP_6-3_STIG.xml" /><check-content>Log on to the OS of the JBoss server with OS permissions that allow access to JBoss.
--Using the relevant OS commands and syntax, cd to the &lt;JBOSS_HOME&gt;/bin/ folder.
--Run the jboss-cli script.
--Connect to the server and authenticate.
--
--Run the following command:
--
--For standalone servers:
--"ls /core-service=management/access=authorization/"
--
--For managed domain installations:
--"ls /host=master/core-service=management/access=authorization/"
--
--If the "provider" attribute is not set to "rbac", this is a finding.</check-content></check></Rule></Group><Group id="V-62229"><title>SRG-APP-000033-AS-000024</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-76719r1_rule" severity="high" weight="10.0"><version>JBOS-AS-000075</version><title>JBoss management interfaces must be secured.</title><description>&lt;VulnDiscussion&gt;JBoss utilizes the concept of security realms to secure the management interfaces used for JBoss server administration.  If the security realm attribute is omitted or removed from the management interface definition, access to that interface is no longer secure.  The JBoss management interfaces must be secured.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target JBoss EAP 6.3</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>JBoss EAP 6.3</dc:subject><dc:identifier>2923</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000213</ident><fixtext fixref="F-68149r1_fix">Identify the security realm used for management of the system.  By default, this is called "Management Realm".
--
--If a management security realm is not already available, reference the Jboss EAP 6.3 system administration guide for instructions on how to create a security realm for management purposes.  Create the management realm, and assign authentication and authorization access restrictions to the management realm.
--
--Assign the management interfaces to the management realm.</fixtext><fix id="F-68149r1_fix" /><check system="C-63033r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_JBoss_EAP_6-3_STIG.xml" /><check-content>Log on to the OS of the JBoss server with OS permissions that allow access to JBoss.
--Using the relevant OS commands and syntax, cd to the &lt;JBOSS_HOME&gt;/bin/ folder.
--Run the jboss-cli script.
--Connect to the server and authenticate.
--
--Identify the management interfaces.  To identity the management interfaces, run the following command:
--
--For standalone servers:
--"ls /core-service=management/management-interface="
--
--For managed domain installations:
--"ls /host=HOST_NAME/core-service=management/management-interface="
--
--By default, JBoss provides two management interfaces; they are named "NATIVE-INTERFACE" and "HTTP-INTERFACE".  The system may or may not have both interfaces enabled.  For each management interface listed as a result of the previous command, append the name of the management interface to the end of the following command.
--
--For a standalone system:
--
--"ls /core-service=management/management-interface=&lt;MANAGEMENT INTERFACE NAME&gt;"
--
--For a managed domain:
--
--"ls /host=HOST_NAME/core-service=management/management-interface=&lt;MANAGEMENT INTERFACE NAME&gt;"
--
--If the "security-realm=" attribute is not associated with a management realm, this is a finding.</check-content></check></Rule></Group><Group id="V-62231"><title>SRG-APP-000089-AS-000050</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-76721r1_rule" severity="medium" weight="10.0"><version>JBOS-AS-000080</version><title>The JBoss server must generate log records for access and authentication events to the management interface.</title><description>&lt;VulnDiscussion&gt;Log records can be generated from various components within the JBoss application server.  The minimum list of logged events should be those pertaining to access and authentication events to the management interface as well as system startup and shutdown events.
--
--By default, JBoss does not log management interface access but does provide a default file handler.  This handler needs to be enabled.  Configuring this setting meets several STIG auditing requirements.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target JBoss EAP 6.3</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>JBoss EAP 6.3</dc:subject><dc:identifier>2923</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000169</ident><fixtext fixref="F-68151r1_fix">Launch the jboss-cli management interface.
--Connect to the server by typing "connect", authenticate as a user in the Superuser role, and run the following command:
--
--For a Managed Domain configuration:
--"host=master/server/&lt;SERVERNAME&gt;/core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)"
--
--For a Standalone configuration:
--"/core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)"</fixtext><fix id="F-68151r1_fix" /><check system="C-63035r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_JBoss_EAP_6-3_STIG.xml" /><check-content>Log on to the OS of the JBoss server with OS permissions that allow access to JBoss.
--Using the relevant OS commands and syntax, cd to the &lt;JBOSS_HOME&gt;/bin/ folder.
--Run the jboss-cli script to start the Command Line Interface (CLI). 
--Connect to the server and authenticate.
--Run the command:
--
--For a Managed Domain configuration:
--"ls host=master/server/&lt;SERVERNAME&gt;/core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)"
--
--For a Standalone configuration:
--"ls /core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)"
--
--If "enabled" = false, this is a finding.</check-content></check></Rule></Group><Group id="V-62233"><title>SRG-APP-000090-AS-000051</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-76723r1_rule" severity="medium" weight="10.0"><version>JBOS-AS-000085</version><title>JBoss must be configured to allow only the ISSM (or individuals or roles appointed by the ISSM) to select which loggable events are to be logged.</title><description>&lt;VulnDiscussion&gt;The JBoss server must be configured to select which personnel are assigned the role of selecting which loggable events are to be logged.
--In JBoss, the role designated for selecting auditable events is the "Auditor" role.
--The personnel or roles that can select loggable events are only the ISSM (or individuals or roles appointed by the ISSM).&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target JBoss EAP 6.3</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>JBoss EAP 6.3</dc:subject><dc:identifier>2923</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000171</ident><fixtext fixref="F-68153r1_fix">Obtain documented approvals from ISSM, and assign the appropriate personnel into the "Auditor" role.</fixtext><fix id="F-68153r1_fix" /><check system="C-63037r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_JBoss_EAP_6-3_STIG.xml" /><check-content>Log on to the OS of the JBoss server with OS permissions that allow access to JBoss.
--Using the relevant OS commands and syntax, cd to the &lt;JBOSS_HOME&gt;/bin/ folder.
--Run the jboss-cli script to start the Command Line Interface (CLI). 
--Connect to the server and authenticate.
--Run the command:
--
--For a Managed Domain configuration:
--"ls host=master/server/&lt;SERVERNAME&gt;/core-service=management/access=authorization/role-mapping=Auditor/include="
--
--For a Standalone configuration:
--"ls /core-service=management/access=authorization/role-mapping=Auditor/include="
--
--If the list of users in the Auditors group is not approved by the ISSM, this is a finding.</check-content></check></Rule></Group><Group id="V-62235"><title>SRG-APP-000092-AS-000053</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-76725r1_rule" severity="medium" weight="10.0"><version>JBOS-AS-000095</version><title>JBoss must be configured to initiate session logging upon startup.</title><description>&lt;VulnDiscussion&gt;Session logging activities are developed, integrated, and used in consultation with legal counsel in accordance with applicable federal laws, Executive Orders, directives, policies, or regulations.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target JBoss EAP 6.3</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>JBoss EAP 6.3</dc:subject><dc:identifier>2923</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-001464</ident><fixtext fixref="F-68155r1_fix">Launch the jboss-cli management interface.
--Connect to the server by typing "connect", authenticate as a user in the Superuser role and run the following command:
--
--For a Managed Domain configuration:
--"host=master/server/&lt;SERVERNAME&gt;/core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)"
--
--For a Standalone configuration:
--"/core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)"</fixtext><fix id="F-68155r1_fix" /><check system="C-63039r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_JBoss_EAP_6-3_STIG.xml" /><check-content>Log on to the OS of the JBoss server with OS permissions that allow access to JBoss.
--Using the relevant OS commands and syntax, cd to the &lt;JBOSS_HOME&gt;/bin/ folder.
--Run the jboss-cli script to start the Command Line Interface (CLI). 
--Connect to the server and authenticate.
--Run the command:
--
--For a Managed Domain configuration:
--"ls host=master/server/&lt;SERVERNAME&gt;/core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)"
--
--For a Standalone configuration:
--"ls /core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)"
--
--If "enabled" = false, this is a finding.</check-content></check></Rule></Group><Group id="V-62237"><title>SRG-APP-000095-AS-000056</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-76727r1_rule" severity="medium" weight="10.0"><version>JBOS-AS-000105</version><title>JBoss must be configured to log the IP address of the remote system connecting to the JBoss system/cluster.</title><description>&lt;VulnDiscussion&gt;Information system logging capability is critical for accurate forensic analysis.  Without being able to establish what type of event occurred, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible.
--
--Log record content that may be necessary to satisfy the requirement of this control includes time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked.
--
--Application servers must log all relevant log data that pertains to the application server.  Examples of relevant data include, but are not limited to, Java Virtual Machine (JVM) activity, HTTPD/Web server activity, and application server-related system process activity.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target JBoss EAP 6.3</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>JBoss EAP 6.3</dc:subject><dc:identifier>2923</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000130</ident><fixtext fixref="F-68157r1_fix">Launch the jboss-cli management interface.
--Connect to the server by typing "connect", authenticate as a user in the Superuser role, and run the following command:
--
--For a Managed Domain configuration:
--"host=master/server/&lt;SERVERNAME&gt;/core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)"
--
--For a Standalone configuration:
--"/core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)"</fixtext><fix id="F-68157r1_fix" /><check system="C-63041r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_JBoss_EAP_6-3_STIG.xml" /><check-content>Log on to the OS of the JBoss server with OS permissions that allow access to JBoss.
--Using the relevant OS commands and syntax, cd to the &lt;JBOSS_HOME&gt;/bin/ folder.
--Run the jboss-cli script to start the Command Line Interface (CLI).
--Connect to the server and authenticate.
--Run the command:
--
--For a Managed Domain configuration:
--"ls host=master/server/&lt;SERVERNAME&gt;/core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)"
--
--For a Standalone configuration:
--"ls /core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)"
--
--If "enabled" = false, this is a finding.</check-content></check></Rule></Group><Group id="V-62239"><title>SRG-APP-000095-AS-000056</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-76729r1_rule" severity="medium" weight="10.0"><version>JBOS-AS-000110</version><title>JBoss must be configured to produce log records containing information to establish what type of events occurred.</title><description>&lt;VulnDiscussion&gt;Information system logging capability is critical for accurate forensic analysis.  Without being able to establish what type of event occurred, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible. 
--
--Log record content that may be necessary to satisfy the requirement of this control includes time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked.
--
--Application servers must log all relevant log data that pertains to the application server.  Examples of relevant data include, but are not limited to, Java Virtual Machine (JVM) activity, HTTPD/Web server activity, and application server-related system process activity.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target JBoss EAP 6.3</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>JBoss EAP 6.3</dc:subject><dc:identifier>2923</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000130</ident><fixtext fixref="F-68159r1_fix">Launch the jboss-cli management interface.
--Connect to the server by typing "connect", authenticate as a user in the Superuser role, and run the following command:
--
--For a Managed Domain configuration:
--"host=master/server/&lt;SERVERNAME&gt;/core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)"
--
--For a Standalone configuration:
--"/core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)"</fixtext><fix id="F-68159r1_fix" /><check system="C-63043r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_JBoss_EAP_6-3_STIG.xml" /><check-content>Log on to the OS of the JBoss server with OS permissions that allow access to JBoss.
--Using the relevant OS commands and syntax, cd to the &lt;JBOSS_HOME&gt;/bin/ folder.
--Run the jboss-cli script to start the Command Line Interface (CLI).
--Connect to the server and authenticate.
--Run the command:
--
--For a Managed Domain configuration:
--"ls host=master/server/&lt;SERVERNAME&gt;/core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)"
--
--For a Standalone configuration:
--"ls /core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)"
--
--If "enabled" = false, this is a finding.</check-content></check></Rule></Group><Group id="V-62241"><title>SRG-APP-000096-AS-000059</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-76731r1_rule" severity="medium" weight="10.0"><version>JBOS-AS-000115</version><title>JBoss Log Formatter must be configured to produce log records that establish the date and time the events occurred.</title><description>&lt;VulnDiscussion&gt;Application server logging capability is critical for accurate forensic analysis.  Without sufficient and accurate information, a correct replay of the events cannot be determined.
--
--Ascertaining the correct order of the events that occurred is important during forensic analysis.  Events that appear harmless by themselves might be flagged as a potential threat when properly viewed in sequence.  By also establishing the event date and time, an event can be properly viewed with an enterprise tool to fully see a possible threat in its entirety.
--
--Without sufficient information establishing when the log event occurred, investigation into the cause of event is severely hindered.  Log record content that may be necessary to satisfy the requirement of this control includes, but is not limited to, time stamps, source and destination IP addresses, user/process identifiers, event descriptions, application-specific events, success/fail indications, filenames involved, access control, or flow control rules invoked.
--
--In addition to logging event information, application servers must also log the corresponding dates and times of these events. Examples of event data include, but are not limited to, Java Virtual Machine (JVM) activity, HTTPD activity, and application server-related system process activity.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target JBoss EAP 6.3</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>JBoss EAP 6.3</dc:subject><dc:identifier>2923</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000131</ident><fixtext fixref="F-68161r1_fix">Launch the jboss-cli management interface.
--Connect to the server by typing "connect", authenticate as a user in the Superuser role, and run the following command:
--
--For a Managed Domain configuration:
--"host=master/server/&lt;SERVERNAME&gt;/core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)"
--
--For a Standalone configuration:
--"/core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)"</fixtext><fix id="F-68161r1_fix" /><check system="C-63045r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_JBoss_EAP_6-3_STIG.xml" /><check-content>Log on to the OS of the JBoss server with OS permissions that allow access to JBoss.
--Using the relevant OS commands and syntax, cd to the &lt;JBOSS_HOME&gt;/bin/ folder.
--Run the jboss-cli script to start the Command Line Interface (CLI).
--Connect to the server and authenticate.
--Run the command:
--
--For a Managed Domain configuration:
--"ls host=master/server/&lt;SERVERNAME&gt;/core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)"
--
--For a Standalone configuration:
--"ls /core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)"
--
--If "enabled" = false, this is a finding.</check-content></check></Rule></Group><Group id="V-62243"><title>SRG-APP-000097-AS-000060</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-76733r1_rule" severity="medium" weight="10.0"><version>JBOS-AS-000120</version><title>JBoss must be configured to produce log records that establish which hosted application triggered the events.</title><description>&lt;VulnDiscussion&gt;Application server logging capability is critical for accurate forensic analysis.  Without sufficient and accurate information, a correct replay of the events cannot be determined. 
--
--By default, no web logging is enabled in JBoss.  Logging can be configured per web application or by virtual server.  If web application logging is not set up, application activity will not be logged.
--
--Ascertaining the correct location or process within the application server where the events occurred is important during forensic analysis.  To determine where an event occurred, the log data must contain data containing the application identity.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target JBoss EAP 6.3</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>JBoss EAP 6.3</dc:subject><dc:identifier>2923</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000132</ident><fixtext fixref="F-68163r1_fix">Configure log formatter to audit application activity so individual application activity can be identified.</fixtext><fix id="F-68163r1_fix" /><check system="C-63047r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_JBoss_EAP_6-3_STIG.xml" /><check-content>Application logs are a configurable variable.  Interview the system admin, and have them identify the applications that are running on the application server.  Have the system admin identify the log files/location where application activity is stored.
--
--Review the log files to ensure each application is uniquely identified within the logs or each application has its own unique log file.
--
--Generate application activity by either authenticating to the application or generating an auditable event, and ensure the application activity is recorded in the log file.  Recently time stamped application events are suitable evidence of compliance.
--
--If the log records do not indicate which application hosted on the application server generated the event, or if no events are recorded related to application activity, this is a finding.</check-content></check></Rule></Group><Group id="V-62245"><title>SRG-APP-000098-AS-000061</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-76735r1_rule" severity="medium" weight="10.0"><version>JBOS-AS-000125</version><title>JBoss must be configured to record the IP address and port information used by management interface network traffic.</title><description>&lt;VulnDiscussion&gt;Application server logging capability is critical for accurate forensic analysis.  Without sufficient and accurate information, a correct replay of the events cannot be determined.
--
--Ascertaining the correct source, e.g., source IP, of the events is important during forensic analysis.  Correctly determining the source will add information to the overall reconstruction of the loggable event.  By determining the source of the event correctly, analysis of the enterprise can be undertaken to determine if the event compromised other assets within the enterprise.
--
--Without sufficient information establishing the source of the logged event, investigation into the cause of event is severely hindered.  Log record content that may be necessary to satisfy the requirement of this control includes, but is not limited to, time stamps, source and destination IP addresses, user/process identifiers, event descriptions, application-specific events, success/fail indications, filenames involved, access control, or flow control rules invoked.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target JBoss EAP 6.3</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>JBoss EAP 6.3</dc:subject><dc:identifier>2923</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000133</ident><fixtext fixref="F-68165r1_fix">Launch the jboss-cli management interface.
--Connect to the server by typing "connect", authenticate as a user in the Superuser role, and run the following command:
--
--For a Managed Domain configuration:
--"host=master/server/&lt;SERVERNAME&gt;/core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)"
--
--For a Standalone configuration:
--"/core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)"</fixtext><fix id="F-68165r1_fix" /><check system="C-63049r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_JBoss_EAP_6-3_STIG.xml" /><check-content>Log on to the OS of the JBoss server with OS permissions that allow access to JBoss.
--Using the relevant OS commands and syntax, cd to the &lt;JBOSS_HOME&gt;/bin/ folder.
--Run the jboss-cli script to start the Command Line Interface (CLI).
--Connect to the server and authenticate.
--Run the command:
--
--For a Managed Domain configuration:
--"ls host=master/server/&lt;SERVERNAME&gt;/core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)"
--
--For a Standalone configuration:
--"ls /core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)"
--
--If "enabled" = false, this is a finding.</check-content></check></Rule></Group><Group id="V-62247"><title>SRG-APP-000099-AS-000062</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-76737r1_rule" severity="medium" weight="10.0"><version>JBOS-AS-000130</version><title>The application server must produce log records that contain sufficient information to establish the outcome of events.</title><description>&lt;VulnDiscussion&gt;Information system logging capability is critical for accurate forensic analysis. Log record content that may be necessary to satisfy the requirement of this control includes, but is not limited to, time stamps, source and destination IP addresses, user/process identifiers, event descriptions, application-specific events, success/fail indications, filenames involved, access control or flow control rules invoked.
--
--Success and failure indicators ascertain the outcome of a particular application server event or function. As such, they also provide a means to measure the impact of an event and help authorized personnel to determine the appropriate response.  Event outcome may also include event-specific results (e.g., the security state of the information system after the event occurred).&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target JBoss EAP 6.3</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>JBoss EAP 6.3</dc:subject><dc:identifier>2923</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000134</ident><fixtext fixref="F-68167r1_fix">Launch the jboss-cli management interface.
--Connect to the server by typing "connect", authenticate as a user in the Superuser role, and run the following command:
--
--For a Managed Domain configuration:
--"host=master/server/&lt;SERVERNAME&gt;/core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)"
--
--For a Standalone configuration:
--"/core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)"</fixtext><fix id="F-68167r1_fix" /><check system="C-63051r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_JBoss_EAP_6-3_STIG.xml" /><check-content>Log on to the OS of the JBoss server with OS permissions that allow access to JBoss.
--Using the relevant OS commands and syntax, cd to the &lt;JBOSS_HOME&gt;/bin/ folder.
--Run the jboss-cli script to start the Command Line Interface (CLI).
--Connect to the server and authenticate.
--Run the command:
--
--For a Managed Domain configuration:
--"ls host=master/server/&lt;SERVERNAME&gt;/core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)"
--
--For a Standalone configuration:
--"ls /core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)"
--
--If "enabled" = false, this is a finding.</check-content></check></Rule></Group><Group id="V-62249"><title>SRG-APP-000100-AS-000063</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-76739r1_rule" severity="medium" weight="10.0"><version>JBOS-AS-000135</version><title>JBoss ROOT logger must be configured to utilize the appropriate logging level.</title><description>&lt;VulnDiscussion&gt;Information system logging capability is critical for accurate forensic analysis. Log record content that may be necessary to satisfy the requirement of this control includes: time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. 
--
--See Chapter 14, Section 14.1.9, Table 14.4 of the Red Hat JBoss EAP Administration and Configuration Guide version 6.3 for specific details on log levels and log level values.
--
--The JBOSS application server ROOT logger captures all messages not captured by a log category and sends them to a log handler (FILE, CONSOLE, SYSLOG, ETC.).  By default, the ROOT logger level is set to INFO, which is a value of 800.  This will capture most events adequately.  Any level numerically higher than INFO (&gt; 800) records less data and may result in an insufficient amount of information being logged by the ROOT logger.  This can result in failed forensic investigations.  The ROOT logger level must be INFO level or lower to provide adequate log information.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target JBoss EAP 6.3</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>JBoss EAP 6.3</dc:subject><dc:identifier>2923</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-001487</ident><fixtext fixref="F-68169r1_fix">Log on to the OS of the JBoss server with OS permissions that allow access to JBoss.
--Using the relevant OS commands and syntax, cd to the &lt;JBOSS_HOME&gt;/bin/ folder.
--Run the jboss-cli script to start the Command Line Interface (CLI).
--Connect to the server and authenticate.
--
--The PROFILE NAMEs included with a Managed Domain JBoss configuration are:
--"default", "full", "full-ha" or "ha"
--For a Managed Domain configuration, you must check each profile name:
--
--For each PROFILE NAME, run the command:
--"/profile=&lt;PROFILE NAME&gt;/subsystem=logging/root-logger=ROOT:write-attribute(name=level,value=INFO)"
--
--For a Standalone configuration:
--"/subsystem=logging/root-logger=ROOT:write-attribute(name=level,value=INFO)"</fixtext><fix id="F-68169r1_fix" /><check system="C-63053r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_JBoss_EAP_6-3_STIG.xml" /><check-content>Log on to the OS of the JBoss server with OS permissions that allow access to JBoss.
--Using the relevant OS commands and syntax, cd to the &lt;JBOSS_HOME&gt;/bin/ folder.
--Run the jboss-cli script to start the Command Line Interface (CLI).
--Connect to the server and authenticate.
--
--The PROFILE NAMEs included with a Managed Domain JBoss configuration are:
--"default", "full", "full-ha" or "ha"
--For a Managed Domain configuration, you must check each profile name:
--
--For each PROFILE NAME, run the command:
--"ls /profile=&lt;PROFILE NAME&gt;/subsystem=logging/root-logger=ROOT"
--
--If ROOT logger "level" is not set to INFO, DEBUG or TRACE
--This is a finding for each &lt;PROFILE NAME&gt; (default, full, full-ha and ha)
--
--For a Standalone configuration:
--"ls /subsystem=logging/root-logger=ROOT"
--
--If "level" not = INFO, DEBUG or TRACE, this is a finding.</check-content></check></Rule></Group><Group id="V-62251"><title>SRG-APP-000118-AS-000078</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-76741r1_rule" severity="medium" weight="10.0"><version>JBOS-AS-000165</version><title>File permissions must be configured to protect log information from any type of unauthorized read access.</title><description>&lt;VulnDiscussion&gt;If log data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity is difficult, if not impossible, to achieve. 
--
--When not configured to use a centralized logging solution like a syslog server, the JBoss EAP application server writes log data to log files that are stored on the OS; appropriate file permissions must be used to restrict access.
--
--Log information includes all information (e.g., log records, log settings, transaction logs, and log reports) needed to successfully log information system activity. Application servers must protect log information from unauthorized access.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target JBoss EAP 6.3</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>JBoss EAP 6.3</dc:subject><dc:identifier>2923</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000162</ident><fixtext fixref="F-68171r1_fix">Configure the OS file permissions on the application server to protect log information from unauthorized read access.</fixtext><fix id="F-68171r1_fix" /><check system="C-63055r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_JBoss_EAP_6-3_STIG.xml" /><check-content>Examine the log file locations and inspect the file permissions.  Interview the system admin to determine log file locations. The default location for the log files is:
--
--Standalone configuration:
--&lt;JBOSS_HOME&gt;/standalone/log/
--
--Managed Domain configuration:
--&lt;JBOSS_HOME&gt;/domain/servers/&lt;servername&gt;/log/
--&lt;JBOSS_HOME&gt;/domain/log/
--
--Review the file permissions for the log file directories.  The method used for identifying file permissions will be based upon the OS the EAP server is installed on.
--
--Identify all users with file permissions that allow them to read log files.
--
--Request documentation from system admin that identifies the users who are authorized to read log files.
--
--If unauthorized users are allowed to read log files, or if documentation that identifies the users who are authorized to read log files is missing, this is a finding.</check-content></check></Rule></Group><Group id="V-62253"><title>SRG-APP-000119-AS-000079</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-76743r1_rule" severity="medium" weight="10.0"><version>JBOS-AS-000170</version><title>File permissions must be configured to protect log information from unauthorized modification.</title><description>&lt;VulnDiscussion&gt;If log data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity is difficult, if not impossible, to achieve. 
--
--When not configured to use a centralized logging solution like a syslog server, the JBoss EAP application server writes log data to log files that are stored on the OS; appropriate file permissions must be used to restrict modification.
--
--Log information includes all information (e.g., log records, log settings, transaction logs, and log reports) needed to successfully log information system activity. Application servers must protect log information from unauthorized modification.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target JBoss EAP 6.3</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>JBoss EAP 6.3</dc:subject><dc:identifier>2923</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000163</ident><fixtext fixref="F-68173r1_fix">Configure the OS file permissions on the application server to protect log information from unauthorized modification.</fixtext><fix id="F-68173r1_fix" /><check system="C-63057r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_JBoss_EAP_6-3_STIG.xml" /><check-content>Examine the log file locations and inspect the file permissions.  Interview the system admin to determine log file locations. The default location for the log files is:
--
--Standalone configuration:
--&lt;JBOSS_HOME&gt;/standalone/log/
--
--Managed Domain configuration:
--&lt;JBOSS_HOME&gt;/domain/servers/&lt;servername&gt;/log/
--&lt;JBOSS_HOME&gt;/domain/log/
--
--Review the file permissions for the log file directories.  The method used for identifying file permissions will be based upon the OS the EAP server is installed on.
--
--Identify all users with file permissions that allow them to modify log files.
--
--Request documentation from system admin that identifies the users who are authorized to modify log files.
--
--If unauthorized users are allowed to modify log files, or if documentation that identifies the users who are authorized to modify log files is missing, this is a finding.</check-content></check></Rule></Group><Group id="V-62255"><title>SRG-APP-000120-AS-000080</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-76745r1_rule" severity="medium" weight="10.0"><version>JBOS-AS-000175</version><title>File permissions must be configured to protect log information from unauthorized deletion.</title><description>&lt;VulnDiscussion&gt;If log data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity is difficult, if not impossible, to achieve.
--
--When not configured to use a centralized logging solution like a syslog server, the JBoss EAP application server writes log data to log files that are stored on the OS, appropriate file permissions must be used to restrict deletion.
--
--Logon formation includes all information (e.g., log records, log settings, transaction logs, and log reports) needed to successfully log information system activity. Application servers must protect log information from unauthorized deletion.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target JBoss EAP 6.3</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>JBoss EAP 6.3</dc:subject><dc:identifier>2923</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000164</ident><fixtext fixref="F-68175r1_fix">Configure the OS file permissions on the application server to protect log information from unauthorized deletion.</fixtext><fix id="F-68175r1_fix" /><check system="C-63059r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_JBoss_EAP_6-3_STIG.xml" /><check-content>Examine the log file locations and inspect the file permissions.  Interview the system admin to determine log file locations. The default location for the log files is:
--
--Standalone configuration:
--&lt;JBOSS_HOME&gt;/standalone/log/
--
--Managed Domain configuration:
--&lt;JBOSS_HOME&gt;/domain/servers/&lt;servername&gt;/log/
--&lt;JBOSS_HOME&gt;/domain/log/
--
--Review the file permissions for the log file directories.  The method used for identifying file permissions will be based upon the OS the EAP server is installed on.
--
--Identify all users with file permissions that allow them to delete log files.
--
--Request documentation from system admin that identifies the users who are authorized to delete log files.
--
--If unauthorized users are allowed to delete log files, or if documentation that identifies the users who are authorized to delete log files is missing, this is a finding.</check-content></check></Rule></Group><Group id="V-62257"><title>SRG-APP-000125-AS-000084</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-76747r1_rule" severity="medium" weight="10.0"><version>JBOS-AS-000195</version><title>JBoss log records must be off-loaded onto a different system or system component a minimum of every seven days.</title><description>&lt;VulnDiscussion&gt;JBoss logs by default are written to the local file system.  A centralized logging solution like syslog should be used whenever possible; however, any log data stored to the file system needs to be off-loaded.  JBoss EAP does not provide an automated backup capability.  Instead, reliance is placed on OS or third-party tools to back up or off-load the log files.
--
--Protection of log data includes assuring log data is not accidentally lost or deleted. Off-loading log records to a different system or onto separate media from the system the application server is actually running on helps to assure that, in the event of a catastrophic system failure, the log records will be retained.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target JBoss EAP 6.3</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>JBoss EAP 6.3</dc:subject><dc:identifier>2923</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-001348</ident><fixtext fixref="F-68177r1_fix">Configure the application server to off-load log records every seven days onto a different system or media from the system being logged.</fixtext><fix id="F-68177r1_fix" /><check system="C-63061r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_JBoss_EAP_6-3_STIG.xml" /><check-content>Interview the system admin and obtain details on how the log files are being off-loaded to a different system or media.
--
--If the log files are not off-loaded a minimum of every 7 days, this is a finding.</check-content></check></Rule></Group><Group id="V-62259"><title>SRG-APP-000133-AS-000092</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-76749r1_rule" severity="medium" weight="10.0"><version>JBOS-AS-000210</version><title>mgmt-users.properties file permissions must be set to allow access to authorized users only.</title><description>&lt;VulnDiscussion&gt;The mgmt-users.properties file contains the password hashes of all users who are in a management role and must be protected.  Application servers have the ability to specify that the hosted applications utilize shared libraries. The application server must have a capability to divide roles based upon duties wherein one project user (such as a developer) cannot modify the shared library code of another project user. The application server must also be able to specify that non-privileged users cannot modify any shared library code at all.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target JBoss EAP 6.3</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>JBoss EAP 6.3</dc:subject><dc:identifier>2923</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-001499</ident><fixtext fixref="F-68179r1_fix">Configure the file permissions to allow access to authorized users only.
--Owner can be full access.
--Group can be full access.
--All others must have execute permissions only.</fixtext><fix id="F-68179r1_fix" /><check system="C-63063r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_JBoss_EAP_6-3_STIG.xml" /><check-content>The mgmt-users.properties files are located in the standalone or domain configuration folder.
--
--&lt;JBOSS_HOME&gt;/domain/configuration/mgmt-users.properties.
--&lt;JBOSS_HOME&gt;/standalone/configuration/mgmt-users.properties.
--
--Identify users who have access to the files using relevant OS commands.
--
--Obtain documentation from system admin identifying authorized users.
--
--Owner can be full access.
--Group can be full access.
--All others must have execute permissions only.
--
--If the file permissions are not configured so as to restrict access to only authorized users, or if documentation that identifies authorized users is missing, this is a finding.</check-content></check></Rule></Group><Group id="V-62261"><title>SRG-APP-000141-AS-000095</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-76751r1_rule" severity="high" weight="10.0"><version>JBOS-AS-000220</version><title>JBoss process owner interactive access must be restricted.</title><description>&lt;VulnDiscussion&gt;JBoss does not require admin rights to operate and should be run as a regular user.  In addition, if the user account was to be compromised and the account was allowed interactive logon rights, this would increase the risk and attack surface against the JBoss system.  The right to interactively log on to the system using the JBoss account should be limited according to the OS capabilities.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target JBoss EAP 6.3</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>JBoss EAP 6.3</dc:subject><dc:identifier>2923</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000381</ident><fixtext fixref="F-68181r1_fix">Use the relevant OS commands to restrict JBoss user account from interactively logging on to the console of the JBoss system.
--
--For Windows systems, use GPO.
--
--For UNIX like systems using ssh DenyUsers &lt;account id&gt; or follow established procedure for restricting access.</fixtext><fix id="F-68181r1_fix" /><check system="C-63065r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_JBoss_EAP_6-3_STIG.xml" /><check-content>Identify the user account used to run the JBoss server.  Use relevant OS commands to determine logon rights to the system. This account should not have full shell/interactive access to the system.
--
--If the user account used to operate JBoss can log on interactively, this is a finding.</check-content></check></Rule></Group><Group id="V-62263"><title>SRG-APP-000141-AS-000095</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-76753r1_rule" severity="medium" weight="10.0"><version>JBOS-AS-000225</version><title>Google Analytics must be disabled in EAP Console.</title><description>&lt;VulnDiscussion&gt;The Google Analytics feature aims to help Red Hat EAP team understand how customers are using the console and which parts of the console matter the most to the customers. This information will, in turn, help the team to adapt the console design, features, and content to the immediate needs of the customers.
--
--Sending analytical data to the vendor introduces risk of unauthorized data exfiltration.  This capability must be disabled.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target JBoss EAP 6.3</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>JBoss EAP 6.3</dc:subject><dc:identifier>2923</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000381</ident><fixtext fixref="F-68183r1_fix">Using the EAP web console, log on using admin credentials.
--On the bottom right-hand side of the screen, select "Settings",
--uncheck the "Enable Data Usage Collection" box, and save the configuration.</fixtext><fix id="F-68183r1_fix" /><check system="C-63067r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_JBoss_EAP_6-3_STIG.xml" /><check-content>Open the EAP web console by pointing a web browser to HTTPS://&lt;SERVERNAME&gt;:9443 or HTTP://&lt;SERVERNAME&gt;:9990
--
--Log on to the admin console using admin credentials.
--On the bottom right-hand side of the screen, select "Settings".
--
--If the "Enable Data Usage Collection" box is checked, this is a finding.</check-content></check></Rule></Group><Group id="V-62265"><title>SRG-APP-000141-AS-000095</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-76755r1_rule" severity="high" weight="10.0"><version>JBOS-AS-000230</version><title>JBoss process owner execution permissions must be limited.</title><description>&lt;VulnDiscussion&gt;JBoss EAP application server can be run as the OS admin, which is not advised.  Running the application server with admin privileges increases the attack surface by granting the application server more rights than it requires in order to operate.  If the server is compromised, the attacker will have the same rights as the application server, which in that case would be admin rights.  The JBoss EAP server must not be run as the admin user.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target JBoss EAP 6.3</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>JBoss EAP 6.3</dc:subject><dc:identifier>2923</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000381</ident><fixtext fixref="F-68185r1_fix">Run the JBoss server with non-admin rights.</fixtext><fix id="F-68185r1_fix" /><check system="C-63069r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_JBoss_EAP_6-3_STIG.xml" /><check-content>The script that is used to start JBoss determines the mode in which JBoss will operate, which will be in either in standalone mode or domain mode.  Both scripts are installed by default in the &lt;JBOSS_HOME&gt;/bin/ folder.
--
--In addition to running the JBoss server as an interactive script launched from the command line, JBoss can also be started as a service.
--
--The scripts used to start JBoss are:
--Red Hat: 
--standalone.sh
--domain.sh
--
--Windows: 
--standalone.bat
--domain.bat
--
--Use the relevant OS commands to determine JBoss ownership.
--
--When running as a process: 
--Red Hat: "ps -ef|grep -i jboss".
--Windows: "services.msc".
--
--Search for the JBoss process, which by default is named "JBOSSEAP6". 
--
--If the user account used to launch the JBoss script or start the JBoss process has admin rights on the system, this is a finding.</check-content></check></Rule></Group><Group id="V-62267"><title>SRG-APP-000141-AS-000095</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-76757r1_rule" severity="medium" weight="10.0"><version>JBOS-AS-000235</version><title>JBoss QuickStarts must be removed.</title><description>&lt;VulnDiscussion&gt;JBoss QuickStarts are demo applications that can be deployed quickly.  Demo applications are not written with security in mind and often open new attack vectors.  QuickStarts must be removed.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target JBoss EAP 6.3</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>JBoss EAP 6.3</dc:subject><dc:identifier>2923</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000381</ident><fixtext fixref="F-68187r1_fix">Delete the QuickStarts folder.</fixtext><fix id="F-68187r1_fix" /><check system="C-63071r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_JBoss_EAP_6-3_STIG.xml" /><check-content>Examine the &lt;JBOSS_HOME&gt; folder.  If a jboss-eap-6.3.0-GA-quickstarts folder exits, this is a finding.</check-content></check></Rule></Group><Group id="V-62269"><title>SRG-APP-000141-AS-000095</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-76759r1_rule" severity="medium" weight="10.0"><version>JBOS-AS-000240</version><title>Remote access to JMX subsystem must be disabled.</title><description>&lt;VulnDiscussion&gt;The JMX subsystem allows you to trigger JDK and application management operations remotely.  In a managed domain configuration, the JMX subsystem is removed by default. For a standalone configuration, it is enabled by default and must be removed.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target JBoss EAP 6.3</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>JBoss EAP 6.3</dc:subject><dc:identifier>2923</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000381</ident><fixtext fixref="F-68189r1_fix">Log on to the OS of the JBoss server with OS permissions that allow access to JBoss.
--Using the relevant OS commands and syntax, cd to the &lt;JBOSS_HOME&gt;/bin/ folder.
--Run the jboss-cli script to start the Command Line Interface (CLI).
--Connect to the server and authenticate.
--
--For a Managed Domain configuration you must check each profile name:
--
--For each PROFILE NAME, run the command:
--"/profile=&lt;PROFILE NAME&gt;/subsystem=jmx/remoting-connector=jmx:remove"
--
--For a Standalone configuration:
--"/subsystem=jmx/remoting-connector=jmx:remove"</fixtext><fix id="F-68189r1_fix" /><check system="C-63073r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_JBoss_EAP_6-3_STIG.xml" /><check-content>Log on to the OS of the JBoss server with OS permissions that allow access to JBoss.
--Using the relevant OS commands and syntax, cd to the &lt;JBOSS_HOME&gt;/bin/ folder.
--Run the jboss-cli script to start the Command Line Interface (CLI).
--Connect to the server and authenticate.
--
--For a Managed Domain configuration, you must check each profile name:
--
--For each PROFILE NAME, run the command:
--"ls /profile=&lt;PROFILE NAME&gt;/subsystem=jmx/remoting-connector"
--
--For a Standalone configuration:
--"ls /subsystem=jmx/remoting-connector"
--
--If "jmx" is returned, this is a finding.</check-content></check></Rule></Group><Group id="V-62271"><title>SRG-APP-000141-AS-000095</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-76761r1_rule" severity="low" weight="10.0"><version>JBOS-AS-000245</version><title>Welcome Web Application must be disabled.</title><description>&lt;VulnDiscussion&gt;The Welcome to JBoss web page provides a redirect to the JBoss admin console, which, by default, runs on TCP 9990 as well as redirects to the Online User Guide and Online User Groups hosted at locations on the Internet.  The welcome page is unnecessary and should be disabled or replaced with a valid web page.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target JBoss EAP 6.3</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>JBoss EAP 6.3</dc:subject><dc:identifier>2923</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000381</ident><fixtext fixref="F-68191r1_fix">Use the Management CLI script JBOSS_HOME/bin/jboss-cli.sh to run the following command. You may need to change the profile to modify a different managed domain profile, or remove the "/profile=default" portion of the command for a standalone server.
--
--"/profile=default/subsystem=web/virtual-server=default-host:writeattribute(name=enable-welcome-root,value=false)"
--
--To configure your web application to use the root context (/) as its URL address, modify the applications jboss-web.xml, which is located in the applications META-INF/ or WEB-INF/ directory. Replace its &lt;context-root&gt; directive with one that looks like the following:
--
--&lt;jboss-web&gt;
--         &lt;context-root&gt;/&lt;/context-root&gt;
--&lt;/jboss-web&gt;</fixtext><fix id="F-68191r1_fix" /><check system="C-63075r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_JBoss_EAP_6-3_STIG.xml" /><check-content>Use a web browser and browse to HTTP://JBOSS SERVER IP ADDRESS:8080
--
--If the JBoss Welcome page is displayed, this is a finding.</check-content></check></Rule></Group><Group id="V-62273"><title>SRG-APP-000141-AS-000095</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-76763r1_rule" severity="medium" weight="10.0"><version>JBOS-AS-000250</version><title>Any unapproved applications must be removed.</title><description>&lt;VulnDiscussion&gt;Extraneous services and applications running on an application server expands the attack surface and increases risk to the application server. Securing any server involves identifying and removing any unnecessary services and, in the case of an application server, unnecessary and/or unapproved applications.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target JBoss EAP 6.3</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>JBoss EAP 6.3</dc:subject><dc:identifier>2923</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000381</ident><fixtext fixref="F-68193r1_fix">Identify, authorize, and document all applications that are deployed to the application server.  Remove unauthorized applications.</fixtext><fix id="F-68193r1_fix" /><check system="C-63077r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_JBoss_EAP_6-3_STIG.xml" /><check-content>Log on to the OS of the JBoss server with OS permissions that allow access to JBoss. 
--Using the relevant OS commands and syntax, cd to the &lt;JBOSS_HOME&gt;/bin/ folder. 
--Run the jboss-cli script. 
--Connect to the server and authenticate. 
--Run the command:
--
--ls /deployment
--
--The list of deployed applications is displayed.  Have the system admin identify the applications listed and confirm they are approved applications.
--
--If the system admin cannot provide documentation proving their authorization for deployed applications, this is a finding.</check-content></check></Rule></Group><Group id="V-62275"><title>SRG-APP-000142-AS-000014</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-76765r1_rule" severity="medium" weight="10.0"><version>JBOS-AS-000255</version><title>JBoss application and management ports must be approved by the PPSM CAL.</title><description>&lt;VulnDiscussion&gt;Some networking protocols may not meet organizational security requirements to protect data and components.
--
--Application servers natively host a number of various features, such as management interfaces, httpd servers and message queues. These features all run on TCPIP ports. This creates the potential that the vendor may choose to utilize port numbers or network services that have been deemed unusable by the organization. The application server must have the capability to both reconfigure and disable the assigned ports without adversely impacting application server operation capabilities. For a list of approved ports and protocols, reference the DoD ports and protocols website at https://powhatan.iiie.disa.mil/ports/cal.html.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target JBoss EAP 6.3</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>JBoss EAP 6.3</dc:subject><dc:identifier>2923</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000382</ident><fixtext fixref="F-68195r1_fix">Open the EAP web console by pointing a web browser to HTTPS://&lt;Servername&gt;:9990
--
--Log on to the admin console using admin credentials
--Select the "Configuration" tab
--Expand the "General Configuration" sub system by clicking on the +
--Select "Socket Binding"
--Select the "View" option next to "standard-sockets"
--Select "Inbound"
--
--Select the port that needs to be reconfigured and select "Edit".</fixtext><fix id="F-68195r1_fix" /><check system="C-63079r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_JBoss_EAP_6-3_STIG.xml" /><check-content>Open the EAP web console by pointing a web browser to HTTPS://&lt;Servername&gt;:9443 or HTTP://&lt;Servername&gt;:9990
--
--Log on to the admin console using admin credentials
--Select the "Configuration" tab
--Expand the "General Configuration" sub system by clicking on the +
--Select "Socket Binding"
--Select the "View" option next to "standard-sockets"
--Select "Inbound"
--
--Review the configured ports and determine if they are all approved by the PPSM CAL.
--
--If all the ports are not approved by the PPSM CAL, this is a finding.</check-content></check></Rule></Group><Group id="V-62277"><title>SRG-APP-000148-AS-000101</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-76767r1_rule" severity="medium" weight="10.0"><version>JBOS-AS-000260</version><title>The JBoss Server must be configured to utilize a centralized authentication mechanism such as AD or LDAP.</title><description>&lt;VulnDiscussion&gt;To assure accountability and prevent unauthorized access, application server users must be uniquely identified and authenticated.  This is typically accomplished via the use of a user store that is either local (OS-based) or centralized (Active Directory/LDAP) in nature.  It should be noted that JBoss does not specifically mention Active Directory since AD is LDAP aware.
--
--To ensure accountability and prevent unauthorized access, the JBoss Server must be configured to utilize a centralized authentication mechanism.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target JBoss EAP 6.3</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>JBoss EAP 6.3</dc:subject><dc:identifier>2923</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000764</ident><fixtext fixref="F-68197r1_fix">Follow steps in section 11.8 - Management Interface Security in the JBoss_Enterprise_Application_Platform-6.3-Administration_and_Configuration_Guide-en-US document.
--
--1. Create an outbound connection to the LDAP server.
--2. Create an LDAP-enabled security realm.
--3. Reference the new security domain in the Management Interface.</fixtext><fix id="F-68197r1_fix" /><check system="C-63081r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_JBoss_EAP_6-3_STIG.xml" /><check-content>Log on to the OS of the JBoss server with OS permissions that allow access to JBoss.
--Using the relevant OS commands and syntax, cd to the &lt;JBOSS_HOME&gt;/bin/ folder.
--Run the jboss-cli script.
--Connect to the server and authenticate.
--
--To obtain the list of security realms run the command:
--"ls /core-service=management/security-realm="
--
--Review each security realm using the command:
--"ls /core-service=management/security-realm=&lt;SECURITY_REALM_NAME&gt;/authentication"
--
--If this command does not return a security realm that uses LDAP for authentication, this is a finding.</check-content></check></Rule></Group><Group id="V-62279"><title>SRG-APP-000149-AS-000102</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-76769r1_rule" severity="medium" weight="10.0"><version>JBOS-AS-000265</version><title>The JBoss Server must be configured to use certificates to authenticate admins.</title><description>&lt;VulnDiscussion&gt;Multifactor authentication creates a layered defense and makes it more difficult for an unauthorized person to access the application server.  If one factor is compromised or broken, the attacker still has at least one more barrier to breach before successfully breaking into the target.  Unlike a simple username/password scenario where the attacker could gain access by knowing both the username and password without the user knowing his account was compromised, multifactor authentication adds the requirement that the attacker must have something from the user, such as a token, or to biometrically be the user.
--
--Multifactor authentication is defined as: using two or more factors to achieve authentication.
--
--Factors include: 
--(i) something a user knows (e.g., password/PIN); 
--(ii) something a user has (e.g., cryptographic identification device, token); or 
--(iii) something a user is (e.g., biometric). A CAC or PKI Hardware Token meets this definition.
--
--A privileged account is defined as an information system account with authorizations of a privileged user.  These accounts would be capable of accessing the web management interface.
--
--When accessing the application server via a network connection, administrative access to the application server must be PKI Hardware Token enabled or a DoD-approved soft certificate.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target JBoss EAP 6.3</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>JBoss EAP 6.3</dc:subject><dc:identifier>2923</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000765</ident><fixtext fixref="F-68199r1_fix">Configure the application server to authenticate privileged users via multifactor/certificate-based authentication mechanisms when using network access to the management interface.</fixtext><fix id="F-68199r1_fix" /><check system="C-63083r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_JBoss_EAP_6-3_STIG.xml" /><check-content>Log on to the OS of the JBoss server with OS permissions that allow access to JBoss.
--Using the relevant OS commands and syntax, cd to the &lt;JBOSS_HOME&gt;/bin/ folder.
--Run the jboss-cli script.
--Connect to the server and authenticate.
--
--Follow these steps:
--1. Identify the security realm assigned to the management interfaces by using the following command:
--
--For standalone systems:
--"ls  /core-service=management/management-interface=&lt;INTERFACE-NAME&gt;"
--
--For managed domain systems:
--"ls  /host=master/core-service=management/management-interface=&lt;INTERFACE-NAME&gt;"
--
--Document the name of the security-realm associated with each management interface.
--
--2. Review the security realm using the command:
--
--For standalone systems:
--"ls /core-service=management/security-realm=&lt;SECURITY_REALM_NAME&gt;/authentication"
--
--For managed domains:
--"ls /host=master/core-service=management/security-realm=&lt;SECURITY_REALM_NAME&gt;/authentication"
--
--If the command in step 2 does not return a security realm that uses certificates for authentication, this is a finding.</check-content></check></Rule></Group><Group id="V-62281"><title>SRG-APP-000153-AS-000104</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-76771r1_rule" severity="medium" weight="10.0"><version>JBOS-AS-000275</version><title>The JBoss server must be configured to use individual accounts and not generic or shared accounts.</title><description>&lt;VulnDiscussion&gt;To assure individual accountability and prevent unauthorized access, application server users (and any processes acting on behalf of application server users) must be individually identified and authenticated.
--
--A group authenticator is a generic account used by multiple individuals. Use of a group authenticator alone does not uniquely identify individual users.
--
--Application servers must ensure that individual users are authenticated prior to authenticating via role or group authentication. This is to ensure that there is non-repudiation for actions taken.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target JBoss EAP 6.3</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>JBoss EAP 6.3</dc:subject><dc:identifier>2923</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000770</ident><fixtext fixref="F-68201r1_fix">Configure the application server so required users are individually authenticated by creating individual user accounts.  Utilize an LDAP server that is configured according to DOD policy.</fixtext><fix id="F-68201r1_fix" /><check system="C-63085r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_JBoss_EAP_6-3_STIG.xml" /><check-content>If the application server management interface is configured to use LDAP authentication this requirement is NA.
--
--Determine the mode in which the JBoss server is operating by authenticating to the OS, changing to the &lt;JBOSS_HOME&gt;/bin/ folder and executing the jboss-cli script.
--Connect to the server and authenticate.
--Run the command: "ls" and examine the "launch-type" setting.
--
--User account information is stored in the following files for a JBoss server configured in standalone mode.  The command line flags passed to the "standalone" startup script determine the standalone operating mode:
--&lt;JBOSS_HOME&gt;/standalone/configuration/standalone.xml
--&lt;JBOSS_HOME&gt;/standalone/configuration/standalone-full.xml
--&lt;JBOSS_HOME&gt;/standalone/configuration/standalone.-full-ha.xml
--&lt;JBOSS_HOME&gt;/standalone/configuration/standalone.ha.xml
--
--For a Managed Domain:
--&lt;JBOSS_HOME&gt;/domain/configuration/domain.xml.
--
--Review both files for generic or shared user accounts.
--
--Open each xml file with a text editor and locate the &lt;management-interfaces&gt; section.
--Review the &lt;user name = "xxxxx"&gt; sub-section where "xxxxx" will be a user name.
--
--Have the system administrator identify the user of each user account.
--
--If user accounts are not assigned to individual users, this is a finding.</check-content></check></Rule></Group><Group id="V-62283"><title>SRG-APP-000158-AS-000108</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-76773r1_rule" severity="medium" weight="10.0"><version>JBOS-AS-000285</version><title>The JBoss server must be configured to bind the management interfaces to only management networks.</title><description>&lt;VulnDiscussion&gt; JBoss provides multiple interfaces for accessing the system.  By default, these are called "public" and "management".  Allowing non-management traffic to access the JBoss management interface increases the chances of a security compromise.  The JBoss server must be configured to bind the management interface to a network that controls access.  This is usually a network that has been designated as a management network and has restricted access.  Similarly, the public interface must be bound to a network that is not on the same segment as the management interface.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target JBoss EAP 6.3</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>JBoss EAP 6.3</dc:subject><dc:identifier>2923</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000778</ident><fixtext fixref="F-68203r1_fix">Refer to Section 4.9 of the JBoss EAP 6.3 Installation guide for detailed instructions on how to start JBoss as a service.
--
--Use the following command line parameters to assign the management interface to a specific management network.
--
--These command line flags must be added both when starting JBoss as a service and when starting from the command line.
--
--Substitute your actual network address for the 10.x.x.x addresses provided as an example below.
--
--For a standalone configuration:
--JBOSS_HOME/bin/standalone.sh -bmanagement=10.2.2.1 -b 10.1.1.1
--
--JBOSS_HOME/bin/domain.sh -bmanagement=10.2.2.1 -b 10.1.1.1
--
--If a management network is not available, you may substitute localhost/127.0.0.1 for management address.  This will force you to manage the JBoss server from the local host.</fixtext><fix id="F-68203r1_fix" /><check system="C-63087r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_JBoss_EAP_6-3_STIG.xml" /><check-content>Obtain documentation and network drawings from system admin that shows the network interfaces on the JBoss server and the networks they are configured for.
--
--If a management network is not used, you may substitute localhost/127.0.0.1 for management address.  If localhost/127.0.0.1 is used for management interface, this is not a finding.
--
--From the JBoss server open the web-based admin console by pointing a browser to HTTP://127.0.0.1:9990.
--Log on to the management console with admin credentials.
--Select "RUNTIME". 
--Expand STATUS by clicking on +.
--Expand PLATFORM by clicking on +.
--In the "Environment" tab, click the &gt; arrow until you see the "jboss.bind.properties" and the "jboss.bind.properties.management" values.
--
--If the jboss.bind.properties and the jboss.bind.properties.management do not have different IP network addresses assigned, this is a finding.
--
--Review the network documentation.  If access to the management IP address is not restricted, this is a finding.</check-content></check></Rule></Group><Group id="V-62285"><title>SRG-APP-000163-AS-000111</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-76775r1_rule" severity="medium" weight="10.0"><version>JBOS-AS-000290</version><title>JBoss management Interfaces must be integrated with a centralized authentication mechanism that is configured to manage accounts according to DoD policy.</title><description>&lt;VulnDiscussion&gt;JBoss EAP provides a security realm called ManagementRealm.  By default, this realm uses the mgmt-users.properties file for authentication.  Using file-based authentication does not allow the JBoss server to be in compliance with a wide range of user management requirements such as automatic disabling of inactive accounts as per DoD policy.  To address this issue, the management interfaces used to manage the JBoss server must be associated with a security realm that provides centralized authentication management.  Examples are AD or LDAP.
--
--Management of user identifiers is not applicable to shared information system accounts (e.g., guest and anonymous accounts). It is commonly the case that a user account is the name of an information system account associated with an individual.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target JBoss EAP 6.3</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>JBoss EAP 6.3</dc:subject><dc:identifier>2923</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000795</ident><fixtext fixref="F-68205r1_fix">Follow steps in section 11.8 - Management Interface Security in the JBoss_Enterprise_Application_Platform-6.3-Administration_and_Configuration_Guide-en-US document.
--
--1. Create an outbound connection to the LDAP server.
--2. Create an LDAP-enabled security realm.
--3. Reference the new security domain in the Management Interface.</fixtext><fix id="F-68205r1_fix" /><check system="C-63089r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_JBoss_EAP_6-3_STIG.xml" /><check-content>Log on to the OS of the JBoss server with OS permissions that allow access to JBoss.
--Using the relevant OS commands and syntax, cd to the &lt;JBOSS_HOME&gt;/bin/ folder.
--Run the jboss-cli script.
--Connect to the server and authenticate.
--
--Obtain the list of management interfaces by running the command:
--"ls /core-service=management/management-interface"
--
--Identify the security realm used by each management interface configuration by running the command:
--"ls /core-service=management/management-interface=&lt;MANAGEMENT-INTERFACE-NAME&gt;"
--
--Determine if the security realm assigned to the management interface uses LDAP for authentication by running the command:
--"ls /core-service=management/security-realm=&lt;SECURITY_REALM_NAME&gt;/authentication"
--
--If  the security realm assigned to the management interface does not utilize LDAP for authentication, this is a finding.</check-content></check></Rule></Group><Group id="V-62287"><title>SRG-APP-000171-AS-000119</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-76777r1_rule" severity="medium" weight="10.0"><version>JBOS-AS-000295</version><title>The JBoss Password Vault must be used for storing passwords or other sensitive configuration information.</title><description>&lt;VulnDiscussion&gt;JBoss EAP 6 has a Password Vault to encrypt sensitive strings, store them in an encrypted keystore, and decrypt them for applications and verification systems. Plain-text configuration files, such as XML deployment descriptors, need to specify passwords and other sensitive information. Use the JBoss EAP Password Vault to securely store sensitive strings in plain-text files.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target JBoss EAP 6.3</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>JBoss EAP 6.3</dc:subject><dc:identifier>2923</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000196</ident><fixtext fixref="F-68207r1_fix">Configure the application server to use the java keystore and JBoss vault as per section 11.13.1 -Password Vault System in the JBoss_Enterprise_Application_Platform-6.3-Administration_and_Configuration_Guide-en-US document.
--
--1. Create a java keystore.
--2. Mask the keystore password and initialize the password vault.
--3. Configure JBoss to use the password vault.</fixtext><fix id="F-68207r1_fix" /><check system="C-63091r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_JBoss_EAP_6-3_STIG.xml" /><check-content>Log on to the OS of the JBoss server with OS permissions that allow access to JBoss. 
--Using the relevant OS commands and syntax, cd to the &lt;JBOSS_HOME&gt;/bin/ folder.
--Run the jboss-cli script.
--Connect to the server and authenticate.
--Run the command:
--
--"ls /core-service=vault"
--
--If "code=undefined" and "module=undefined",
--this is a finding.</check-content></check></Rule></Group><Group id="V-62289"><title>SRG-APP-000171-AS-000119</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-76779r1_rule" severity="medium" weight="10.0"><version>JBOS-AS-000300</version><title>JBoss KeyStore and Truststore passwords must not be stored in clear text.</title><description>&lt;VulnDiscussion&gt;Access to the JBoss Password Vault must be secured, and the password used to access must be encrypted.  There is a specific process used to generate the encrypted password hash.  This process must be followed in order to store the password in an encrypted format.
--
--The admin must utilize this process in order to ensure the Keystore password is encrypted.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target JBoss EAP 6.3</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>JBoss EAP 6.3</dc:subject><dc:identifier>2923</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000196</ident><fixtext fixref="F-68209r1_fix">Configure the application server to mask the java keystore password as per the procedure described in section 11.13.3 -Password Vault System in the JBoss_Enterprise_Application_Platform-6.3-Administration_and_Configuration_Guide-en-US document.</fixtext><fix id="F-68209r1_fix" /><check system="C-63093r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_JBoss_EAP_6-3_STIG.xml" /><check-content>The default location for the keystore used by the JBoss vault is the &lt;JBOSS_HOME&gt;/vault/ folder.
--
--If a vault keystore has been created, by default it will be in the file: &lt;JBOSS_HOME&gt;/vault/vault.keystore.  The file stores a single key, with the default alias vault, which will be used to store encrypted strings, such as passwords, for JBoss EAP. 
--
--Have the system admin provide the procedure used to encrypt the keystore password that unlocks the keystore.
--
--If the system administrator is unable to demonstrate or provide written process documentation on how to encrypt the keystore password, this is a finding.</check-content></check></Rule></Group><Group id="V-62291"><title>SRG-APP-000172-AS-000120</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-76781r1_rule" severity="medium" weight="10.0"><version>JBOS-AS-000305</version><title>LDAP enabled security realm value allow-empty-passwords must be set to false.</title><description>&lt;VulnDiscussion&gt;Passwords need to be protected at all times, and encryption is the standard method for protecting passwords during transmission.  If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised.
--
--Application servers have the capability to utilize either certificates (tokens) or user IDs and passwords in order to authenticate. When the application server transmits or receives passwords, the passwords must be encrypted.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target JBoss EAP 6.3</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>JBoss EAP 6.3</dc:subject><dc:identifier>2923</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000197</ident><fixtext fixref="F-68211r1_fix">Configure the LDAP Security Realm using default settings that sets "allow-empty-values" to false.  LDAP Security Realm creation is described in section 11.9 -Add an LDAP Security Realm in the JBoss_Enterprise_Application_Platform-6.3-Administration_and_Configuration_Guide-en-US document.</fixtext><fix id="F-68211r1_fix" /><check system="C-63095r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_JBoss_EAP_6-3_STIG.xml" /><check-content>Log on to the OS of the JBoss server with OS permissions that allow access to JBoss.
--Using the relevant OS commands and syntax, cd to the &lt;JBOSS_HOME&gt;/bin/ folder.
--Run the jboss-cli script.
--Connect to the server and authenticate.
--Run the command:
--
--"ls /core-service=management/security-realm=ldap_security_realm/authentication=ldap"
--
--If "allow-empty-passwords=true", this is a finding.</check-content></check></Rule></Group><Group id="V-62293"><title>SRG-APP-000172-AS-000121</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-76783r1_rule" severity="medium" weight="10.0"><version>JBOS-AS-000310</version><title>JBoss must utilize encryption when using LDAP for authentication.</title><description>&lt;VulnDiscussion&gt;Passwords need to be protected at all times, and encryption is the standard method for protecting passwords during transmission.
--
--Application servers have the capability to utilize LDAP directories for authentication. If LDAP connections are not protected during transmission, sensitive authentication credentials can be stolen. When the application server utilizes LDAP, the LDAP traffic must be encrypted.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target JBoss EAP 6.3</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>JBoss EAP 6.3</dc:subject><dc:identifier>2923</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000197</ident><fixtext fixref="F-68213r1_fix">Follow steps in section 11.8 - Management Interface Security in the JBoss_Enterprise_Application_Platform-6.3-Administration_and_Configuration_Guide-en-US document.
--
--1. Create an outbound connection to the LDAP server.
--2. Create an LDAP-enabled security realm.
--3. Reference the new security domain in the Management Interface.</fixtext><fix id="F-68213r1_fix" /><check system="C-63097r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_JBoss_EAP_6-3_STIG.xml" /><check-content>Log on to the OS of the JBoss server with OS permissions that allow access to JBoss.
--Using the relevant OS commands and syntax, cd to the &lt;JBOSS_HOME&gt;/bin/ folder.
--Run the jboss-cli script.
--Connect to the server and authenticate.
--
--Run the following command:
--
--For standalone servers:
--"ls /socket-binding-group=standard-sockets/remote-destination-outbound-socket-binding=ldap_connection"
--
--For managed domain installations:
--"ls /socket-binding-group=&lt;PROFILE&gt;/remote-destination-outbound-socket-binding="
--
--The default port for secure LDAP is 636.
--
--If 636 or secure LDAP protocol is not utilized, this is a finding.</check-content></check></Rule></Group><Group id="V-62295"><title>SRG-APP-000176-AS-000125</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-76785r1_rule" severity="medium" weight="10.0"><version>JBOS-AS-000320</version><title>The JBoss server must be configured to restrict access to the web servers private key to authenticated system administrators.</title><description>&lt;VulnDiscussion&gt;The cornerstone of the PKI is the private key used to encrypt or digitally sign information.
--
--If the private key is stolen, this will lead to the compromise of the authentication and non-repudiation gained through PKI because the attacker can use the private key to digitally sign documents and can pretend to be the authorized user.
--
--Both the holders of a digital certificate and the issuing authority must protect the computers, storage devices, or whatever they use to keep the private keys. Java-based application servers utilize the Java keystore, which provides storage for cryptographic keys and certificates. The keystore is usually maintained in a file stored on the file system.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target JBoss EAP 6.3</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>JBoss EAP 6.3</dc:subject><dc:identifier>2923</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000186</ident><fixtext fixref="F-68215r1_fix">Configure the application server OS file permissions on the corresponding private key to restrict access to authorized accounts or roles.</fixtext><fix id="F-68215r1_fix" /><check system="C-63099r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_JBoss_EAP_6-3_STIG.xml" /><check-content>The default location for the keystore used by the JBoss vault is the &lt;JBOSS_HOME&gt;/vault/ folder.
--
--If a vault keystore has been created, by default it will be in the file: &lt;JBOSS_HOME&gt;/vault/vault.keystore.  The file stores a single key, with the default alias vault, which will be used to store encrypted strings, such as passwords, for JBoss EAP.
--
--Browse to the JBoss vault folder using the relevant OS commands.
--Review the file permissions and ensure only system administrators and JBoss users are allowed access.
--
--Owner can be full access
--Group can be full access
--All others must be restricted to execute access or no permission.
--
--If non-system administrators are allowed to access the &lt;JBOSS_HOME&gt;/vault/
--folder, this is a finding.</check-content></check></Rule></Group><Group id="V-62297"><title>SRG-APP-000211-AS-000146</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-76787r1_rule" severity="medium" weight="10.0"><version>JBOS-AS-000355</version><title>The JBoss server must separate hosted application functionality from application server management functionality.</title><description>&lt;VulnDiscussion&gt;The application server consists of the management interface and hosted applications.  By separating the management interface from hosted applications, the user must authenticate as a privileged user to the management interface before being presented with management functionality.  This prevents non-privileged users from having visibility to functions not available to the user.  By limiting visibility, a compromised non-privileged account does not offer information to the attacker or functionality and information needed to further the attack on the application server.
--
--JBoss is designed to operate with separate application and management interfaces.
--The JBoss server is started via a script.  To start the JBoss server in domain mode, the admin will execute the &lt;JBOSS_HOME&gt;/bin/domain.sh or domain.bat script.
--
--To start the JBoss server in standalone mode, the admin will execute &lt;JBOSS_HOME&gt;/bin/standalone.bat or standalone.sh.
--
--Command line flags are used to specify which network address is used for management and which address is used for public/application access.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target JBoss EAP 6.3</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>JBoss EAP 6.3</dc:subject><dc:identifier>2923</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-001082</ident><fixtext fixref="F-68217r1_fix">Start the application server with a -bmanagement and a -b flag so that admin management functionality and hosted applications are separated.
--
--Refer to section 4.9 in the JBoss EAP 6.3 Installation Guide for specific instructions on how to start the JBoss server as a service.</fixtext><fix id="F-68217r1_fix" /><check system="C-63101r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_JBoss_EAP_6-3_STIG.xml" /><check-content>If JBoss is not started with separate management and public interfaces, this is a finding.
--
--Review the network design documents to identify the IP address space for the management network.  
--
--Use relevant OS commands and administrative techniques to determine how the system administrator starts the JBoss server.  This includes interviewing the system admin, using the "ps -ef|grep" command for UNIX like systems or checking command line flags and properties on batch scripts for Windows systems.  
--
--Ensure the startup syntax used to start JBoss specifies a management network address and a public network address.
--
--The "-b" flag specifies the public address space.
--The "-bmanagement" flag specifies the management address space.
--
--Example:
--&lt;JBOSS_HOME&gt;/bin/standalone.sh -bmanagement 10.10.10.35 -b 192.168.10.25
--
--If JBoss is not started with separate management and public interfaces, this is a finding.</check-content></check></Rule></Group><Group id="V-62299"><title>SRG-APP-000231-AS-000133</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-76789r1_rule" severity="medium" weight="10.0"><version>JBOS-AS-000400</version><title>JBoss file permissions must be configured to protect the confidentiality and integrity of application files.</title><description>&lt;VulnDiscussion&gt;The JBoss EAP Application Server is a Java-based AS.  It is installed on the OS file system and depends upon file system access controls to protect application data at rest.  The file permissions set on the JBoss EAP home folder must be configured so as to limit access to only authorized people and processes.  The account used for operating the JBoss server and any designated administrative or operational accounts are the only accounts that should have access.
--
--When data is written to digital media such as hard drives, mobile computers, external/removable hard drives, personal digital assistants, flash/thumb drives, etc., there is risk of data loss and data compromise.  Steps must be taken to ensure data stored on the device is protected.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target JBoss EAP 6.3</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>JBoss EAP 6.3</dc:subject><dc:identifier>2923</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-001199</ident><fixtext fixref="F-68219r1_fix">Configure file permissions on the JBoss folder to protect from unauthorized access.</fixtext><fix id="F-68219r1_fix" /><check system="C-63103r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_JBoss_EAP_6-3_STIG.xml" /><check-content>By default, JBoss installs its files into a folder called "jboss-eap-6.3".   This folder by default is stored within the home folder of the JBoss user account.  The installation process, however, allows for the override of default values to obtain folder and user account information from the system admin.
--
--Log on with a user account with JBoss access and permissions. 
--
--Navigate to the "Jboss-eap-6.3" folder using the relevant OS commands for either a UNIX-like OS or a Windows OS.
--
--Examine the permissions of the JBoss folder.
--
--Owner can be full access.
--Group can be full access.
--All others must be restricted to execute access or no permission.
--
--If the JBoss folder is world readable or world writeable, this is a finding.</check-content></check></Rule></Group><Group id="V-62301"><title>SRG-APP-000267-AS-000170</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-76791r1_rule" severity="medium" weight="10.0"><version>JBOS-AS-000425</version><title>Access to JBoss log files must be restricted to authorized users.</title><description>&lt;VulnDiscussion&gt;If the application provides too much information in error logs and administrative messages to the screen, this could lead to compromise. The structure and content of error messages need to be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements.
--
--Application servers must protect the error messages that are created by the application server. All application server users' accounts are used for the management of the server and the applications residing on the application server. All accounts are assigned to a certain role with corresponding access rights. The application server must restrict access to error messages so only authorized users may view them. Error messages are usually written to logs contained on the file system. The application server will usually create new log files as needed and must take steps to ensure that the proper file permissions are utilized when the log files are created.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target JBoss EAP 6.3</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>JBoss EAP 6.3</dc:subject><dc:identifier>2923</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-001314</ident><fixtext fixref="F-68221r1_fix">Configure file permissions on the JBoss log folder to protect from unauthorized access.</fixtext><fix id="F-68221r1_fix" /><check system="C-63105r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_JBoss_EAP_6-3_STIG.xml" /><check-content>If the JBoss log folder is installed in the default location and AS-000133-JBOSS-00079 is not a finding, the log folders are protected and this requirement is not a finding.
--
--By default, JBoss installs its log files into a sub-folder of the "jboss-eap-6.3" home folder. 
--Using a UNIX like OS example, the default location for log files is:
--
--JBOSS_HOME/standalone/log
--JBOSS_HOME/domain/log
--
--For a standalone configuration:
--JBOSS_HOME/standalone/log/server.log"  Contains all server log messages, including server startup messages.
--
--For a domain configuration:
--JBOSS_HOME/domain/log/hostcontroller.log
--Host Controller boot log. Contains log messages related to the startup of the host controller.
--
--JBOSS_HOME/domain/log/processcontroller.log
--Process controller boot log. Contains log messages related to the startup of the process controller.
--
--JBOSS_HOME/domain/servers/SERVERNAME/log/server.log
--The server log for the named server. Contains all log messages for that server, including server startup messages.
--
--Log on with an OS user account with JBoss access and permissions.
--
--Navigate to the "Jboss-eap-6.3" folder using the relevant OS commands for either a UNIX like OS or a Windows OS.
--
--Examine the permissions of the JBoss logs folders.
--
--Owner can be full access.
--Group can be full access.
--All others must be restricted.
--
--If the JBoss log folder is world readable or world writeable, this is a finding.</check-content></check></Rule></Group><Group id="V-62303"><title>SRG-APP-000316-AS-000199</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-76793r1_rule" severity="medium" weight="10.0"><version>JBOS-AS-000470</version><title>Network access to HTTP management must be disabled on domain-enabled application servers not designated as the domain controller.</title><description>&lt;VulnDiscussion&gt;When configuring JBoss application servers into a domain configuration, HTTP management capabilities are not required on domain member servers as management is done via the server that has been designated as the domain controller. 
--
--Leaving HTTP management capabilities enabled on domain member servers increases the attack surfaces; therefore, management services on domain member servers must be disabled and management services performed via the domain controller.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target JBoss EAP 6.3</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>JBoss EAP 6.3</dc:subject><dc:identifier>2923</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-002322</ident><fixtext fixref="F-68223r1_fix">Run the &lt;JBOSS_HOME&gt;/bin/jboss-cli command line interface utility. 
--Connect to the JBoss server and run the following command.
--/core-service=management/management-interface=httpinterface/:write-attribute(name=console-enabled,value=false)
--
--Successful command execution returns
--{"outcome" =&gt; "success"}, and future attempts to access the management console via web browser at &lt;SERVERNAME&gt;:9990 will result in no access to the admin console.</fixtext><fix id="F-68223r1_fix" /><check system="C-63107r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_JBoss_EAP_6-3_STIG.xml" /><check-content>Log on to each of the JBoss domain member servers.
--
--Note: Sites that manage systems using the JBoss Operations Network client require HTTP interface access.  It is acceptable that the management console alone be disabled rather than disabling the entire interface itself.
--
--Run the &lt;JBOSS_HOME&gt;/bin/jboss-cli command line interface utility and connect to the JBoss server.
--Run the following command:
--ls /core-service=management/management-interface=httpinterface/
--
--If "console-enabled=true", this is a finding.</check-content></check></Rule></Group><Group id="V-62305"><title>SRG-APP-000340-AS-000185</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-76795r1_rule" severity="medium" weight="10.0"><version>JBOS-AS-000475</version><title>The application server must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.</title><description>&lt;VulnDiscussion&gt;Preventing non-privileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges.
--
--Restricting non-privileged users also prevents an attacker who has gained access to a non-privileged account, from elevating privileges, creating accounts, and performing system checks and maintenance.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target JBoss EAP 6.3</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>JBoss EAP 6.3</dc:subject><dc:identifier>2923</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-002235</ident><fixtext fixref="F-68225r1_fix">Run the following command.
--&lt;JBOSS_HOME&gt;/bin/jboss-cli.sh -c -&gt; connect -&gt; cd /core-service=management/access-authorization :write-attribute(name=provider, value=rbac)
--
--Restart JBoss.
--
--Map users to roles by running the following command.  Upper-case words are variables.
--
--role-mapping=ROLENAME/include=ALIAS:add(name-USERNAME, type=USER ROLE)</fixtext><fix id="F-68225r1_fix" /><check system="C-63109r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_JBoss_EAP_6-3_STIG.xml" /><check-content>Log on to the OS of the JBoss server with OS permissions that allow access to JBoss.
--Using the relevant OS commands and syntax, cd to the &lt;JBOSS_HOME&gt;/bin/ folder.
--Run the jboss-cli script.
--Connect to the server and authenticate.
--
--Run the following command:
--
--For standalone servers:
--"ls /core-service=management/access=authorization/"
--
--For managed domain installations:
--"ls /host=master/core-service=management/access=authorization/"
--
--If the "provider" attribute is not set to "rbac", this is a finding.</check-content></check></Rule></Group><Group id="V-62307"><title>SRG-APP-000343-AS-000030</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-76797r1_rule" severity="medium" weight="10.0"><version>JBOS-AS-000480</version><title>The JBoss server must be configured to log all admin activity.</title><description>&lt;VulnDiscussion&gt;In order to be able to provide a forensic history of activity, the application server must ensure users who are granted a privileged role or those who utilize a separate distinct account when accessing privileged functions or data have their actions logged.
--
--If privileged activity is not logged, no forensic logs can be used to establish accountability for privileged actions that occur on the system.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target JBoss EAP 6.3</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>JBoss EAP 6.3</dc:subject><dc:identifier>2923</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-002234</ident><fixtext fixref="F-68227r1_fix">Launch the jboss-cli management interface substituting standalone or domain for &lt;CONFIG&gt; based upon the server installation.
--
--&lt;JBOSS_HOME&gt;/&lt;CONFIG&gt;/bin/jboss-cli
--
--connect to the server and run the following command:
--
--/core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)</fixtext><fix id="F-68227r1_fix" /><check system="C-63111r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_JBoss_EAP_6-3_STIG.xml" /><check-content>Log on to the OS of the JBoss server with OS permissions that allow access to JBoss.
--Using the relevant OS commands and syntax, cd to the &lt;JBOSS_HOME&gt;/bin/ folder.
--Run the jboss-cli script.
--Connect to the server and authenticate.
--Run the command:
--
--/core-service=management/access=audit:read-resource(recursive=true)
--
--Under the "logger" =&gt; {audit-log} section of the returned response:
--If "enabled" =&gt; false, this is a finding</check-content></check></Rule></Group><Group id="V-62309"><title>SRG-APP-000358-AS-000064</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-76799r1_rule" severity="medium" weight="10.0"><version>JBOS-AS-000505</version><title>The JBoss server must be configured to utilize syslog logging.</title><description>&lt;VulnDiscussion&gt;Information system logging capability is critical for accurate forensic analysis. Log record content that may be necessary to satisfy the requirement of this control includes, but is not limited to, time stamps, source and destination IP addresses, user/process identifiers, event descriptions, application-specific events, success/fail indications, filenames involved, access control or flow control rules invoked.
--
--Off-loading is a common process in information systems with limited log storage capacity.
--
--Centralized management of log records provides for efficiency in maintenance and management of records, as well as the backup and archiving of those records. Application servers and their related components are required to off-load log records onto a different system or media than the system being logged.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target JBoss EAP 6.3</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>JBoss EAP 6.3</dc:subject><dc:identifier>2923</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-001851</ident><fixtext fixref="F-68229r1_fix">Log on to the OS of the JBoss server with OS permissions that allow access to JBoss.
--Using the relevant OS commands and syntax, cd to the &lt;JBOSS_HOME&gt;/bin/ folder.
--Run the jboss-cli script.
--Connect to the server and authenticate.
--Run the command:
--
--Standalone configuration:
--"ls /subsystem=logging/syslog-handler="
--
--Domain configuration:
--"ls /profile=default/subsystem=logging/syslog-handler="
--
--If no values are returned, this is a finding.</fixtext><fix id="F-68229r1_fix" /><check system="C-63113r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_JBoss_EAP_6-3_STIG.xml" /><check-content>Log on to the OS of the JBoss server with OS permissions that allow access to JBoss.
--Using the relevant OS commands and syntax, cd to the &lt;JBOSS_HOME&gt;/bin/ folder.
--Run the jboss-cli script.
--Connect to the server and authenticate.
--Run the command:
--
--Standalone configuration:
--"ls /subsystem=logging/syslog-handler="
--
--Domain configuration:
--"ls /profile=&lt;specify&gt;/subsystem=logging/syslog-handler="
--Where &lt;specify&gt; = the selected application server profile of; default,full, full-ha or ha.
--
--If no values are returned, this is a finding.</check-content></check></Rule></Group><Group id="V-62311"><title>SRG-APP-000380-AS-000088</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-76801r1_rule" severity="medium" weight="10.0"><version>JBOS-AS-000545</version><title>Production JBoss servers must not allow automatic application deployment.</title><description>&lt;VulnDiscussion&gt;When dealing with access restrictions pertaining to change control, it should be noted that any changes to the software and/or application server configuration can potentially have significant effects on the overall security of the system.
--
--Access restrictions for changes also include application software libraries.
--
--If the application server provides automatic code deployment capability, (where updates to applications hosted on the application server are automatically performed, usually by the developers' IDE tool), it must also provide a capability to restrict the use of automatic application deployment. Automatic code deployments are allowable in a development environment, but not in production.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target JBoss EAP 6.3</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>JBoss EAP 6.3</dc:subject><dc:identifier>2923</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-001813</ident><fixtext fixref="F-68231r1_fix">Determine the JBoss server configuration as being either standalone or domain.
--
--Launch the relevant jboss-cli management interface substituting standalone or domain for &lt;CONFIG&gt;
--
--&lt;JBOSS_HOME&gt;/&lt;CONFIG&gt;/bin/jboss-cli
--
--connect to the server and run the command:
--
--/subsystem=deployment-scanner/scanner=default:write-attribute(name=scan-enabled,value=false)</fixtext><fix id="F-68231r1_fix" /><check system="C-63115r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_JBoss_EAP_6-3_STIG.xml" /><check-content>Log on to the OS of the JBoss server with OS permissions that allow access to JBoss.
--Using the relevant OS commands and syntax, cd to the &lt;JBOSS_HOME&gt;/bin/ folder.
--Run the jboss-cli script.
--Connect to the server and authenticate.
--Run the command:
--
--ls /subsystem=deployment-scanner/scanner=default
--
--If "scan-enabled"=true, this is a finding.</check-content></check></Rule></Group><Group id="V-62313"><title>SRG-APP-000381-AS-000089</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-76803r1_rule" severity="medium" weight="10.0"><version>JBOS-AS-000550</version><title>Production JBoss servers must log when failed application deployments occur.</title><description>&lt;VulnDiscussion&gt;Without logging the enforcement of access restrictions against changes to the application server configuration, it will be difficult to identify attempted attacks, and a log trail will not be available for forensic investigation for after-the-fact actions.  Configuration changes may occur to any of the modules within the application server through the management interface, but logging of actions to the configuration of a module outside the application server is not logged.
--
--Enforcement actions are the methods or mechanisms used to prevent unauthorized changes to configuration settings. Enforcement action methods may be as simple as denying access to a file based on the application of file permissions (access restriction). Log items may consist of lists of actions blocked by access restrictions or changes identified after the fact.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target JBoss EAP 6.3</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>JBoss EAP 6.3</dc:subject><dc:identifier>2923</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-001814</ident><fixtext fixref="F-68233r1_fix">Launch the jboss-cli management interface substituting standalone or domain for &lt;CONFIG&gt; based upon the server installation.
--
--&lt;JBOSS_HOME&gt;/&lt;CONFIG&gt;/bin/jboss-cli
--
--connect to the server and run the following command:
--
--/core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)</fixtext><fix id="F-68233r1_fix" /><check system="C-63117r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_JBoss_EAP_6-3_STIG.xml" /><check-content>Log on to the OS of the JBoss server with OS permissions that allow access to JBoss. 
--Using the relevant OS commands and syntax, cd to the &lt;JBOSS_HOME&gt;/bin/ folder. 
--Run the jboss-cli script. 
--Connect to the server and authenticate. 
--Run the command:
--
--ls /core-service=management/access=audit/logger=audit-log
--
--If "enabled" = false, this is a finding.</check-content></check></Rule></Group><Group id="V-62315"><title>SRG-APP-000381-AS-000089</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-76805r1_rule" severity="medium" weight="10.0"><version>JBOS-AS-000555</version><title>Production JBoss servers must log when successful application deployments occur.</title><description>&lt;VulnDiscussion&gt;Without logging the enforcement of access restrictions against changes to the application server configuration, it will be difficult to identify attempted attacks, and a log trail will not be available for forensic investigation for after-the-fact actions.  Configuration changes may occur to any of the modules within the application server through the management interface, but logging of actions to the configuration of a module outside the application server is not logged.
--
--Enforcement actions are the methods or mechanisms used to prevent unauthorized changes to configuration settings. Enforcement action methods may be as simple as denying access to a file based on the application of file permissions (access restriction). Log items may consist of lists of actions blocked by access restrictions or changes identified after the fact.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target JBoss EAP 6.3</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>JBoss EAP 6.3</dc:subject><dc:identifier>2923</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-001814</ident><fixtext fixref="F-68235r1_fix">Launch the jboss-cli management interface substituting standalone or domain for &lt;CONFIG&gt; based upon the server installation.
--
--&lt;JBOSS_HOME&gt;/&lt;CONFIG&gt;/bin/jboss-cli
--
--connect to the server and run the following command:
--
--/core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)</fixtext><fix id="F-68235r1_fix" /><check system="C-63119r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_JBoss_EAP_6-3_STIG.xml" /><check-content>Log on to the OS of the JBoss server with OS permissions that allow access to JBoss.
--Using the relevant OS commands and syntax, cd to the &lt;JBOSS_HOME&gt;/bin/ folder.
--Run the jboss-cli script.
--Connect to the server and authenticate.
--Run the command:
--
--ls /core-service=management/access=audit/logger=audit-log
--
--If "enabled" = false, this is a finding.</check-content></check></Rule></Group><Group id="V-62317"><title>SRG-APP-000427-AS-000264</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-76807r1_rule" severity="medium" weight="10.0"><version>JBOS-AS-000625</version><title>JBoss must be configured to use DoD PKI-established certificate authorities for verification of the establishment of protected sessions.</title><description>&lt;VulnDiscussion&gt;Untrusted Certificate Authorities (CA) can issue certificates, but they may be issued by organizations or individuals that seek to compromise DoD systems or by organizations with insufficient security controls. If the CA used for verifying the certificate is not a DoD-approved CA, trust of this CA has not been established.
--
--The DoD will only accept PKI certificates obtained from a DoD-approved internal or external certificate authority. Reliance on CAs for the establishment of secure sessions includes, for example, the use of SSL/TLS certificates.  The application server must only allow the use of DoD PKI-established certificate authorities for verification.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target JBoss EAP 6.3</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>JBoss EAP 6.3</dc:subject><dc:identifier>2923</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-002470</ident><fixtext fixref="F-68237r1_fix">Locate the cacerts file for the JVM.  This can be done using the appropriate find command for the OS and change to the directory where the cacerts file is located.
--
--Remove the certificates that have a CA that is non-DoD approved, and import DoD CA-approved certificates.</fixtext><fix id="F-68237r1_fix" /><check system="C-63121r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_JBoss_EAP_6-3_STIG.xml" /><check-content>Locate the cacerts file for the JVM.  This can be done using the appropriate find command for the OS and change to the directory where the cacerts file is located.
--
--To view the certificates stored within this file, execute the java command "keytool -list -v -keystore ./cacerts".
--Verify that the Certificate Authority (CA) for each certificate is DoD-approved.
--
--If any certificates have a CA that are not DoD-approved, this is a finding.</check-content></check></Rule></Group><Group id="V-62319"><title>SRG-APP-000435-AS-000069</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-76809r1_rule" severity="medium" weight="10.0"><version>JBOS-AS-000640</version><title>The JBoss server, when hosting mission critical applications, must be in a high-availability (HA) cluster.</title><description>&lt;VulnDiscussion&gt;A MAC I system is a system that handles data vital to the organization's operational readiness or effectiveness of deployed or contingency forces.  A MAC I system must maintain the highest level of integrity and availability.  By HA clustering the application server, the hosted application and data are given a platform that is load-balanced and provides high availability.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target JBoss EAP 6.3</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>JBoss EAP 6.3</dc:subject><dc:identifier>2923</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-002385</ident><fixtext fixref="F-68239r1_fix">Configure the application server to provide LB or HA services for the hosted application.</fixtext><fix id="F-68239r1_fix" /><check system="C-63123r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_JBoss_EAP_6-3_STIG.xml" /><check-content>Interview the system admin and determine if the applications hosted on the application server are mission critical and require load balancing (LB) or high availability (HA).
--
--If the applications do not require LB or HA, this requirement is NA.
--
--If the documentation shows the LB or HA services are being provided by another system other than the application server, this requirement is NA.
--
--If applications require LB or HA, request documentation from the system admin that identifies what type of LB or HA configuration has been implemented on the application server.
--
--Ask the system admin to identify the components that require protection.  Some options are included here as an example.  Bear in mind the examples provided are not complete and absolute and are only provided as examples.  The components being made redundant or HA by the application server will vary based upon application availability requirements.
--
--Examples are:
--Instances of the Application Server
--Web Applications
--Stateful, stateless and entity Enterprise Java Beans (EJBs)
--Single Sign On (SSO) mechanisms
--Distributed Cache
--HTTP sessions
--JMS and Message Services.
--
--If the hosted application requirements specify LB or HA and the JBoss server has not been configured to offer HA or LB, this is a finding.</check-content></check></Rule></Group><Group id="V-62321"><title>SRG-APP-000439-AS-000155</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-76811r2_rule" severity="medium" weight="10.0"><version>JBOS-AS-000650</version><title>JBoss must be configured to use an approved TLS version.</title><description>&lt;VulnDiscussion&gt;Preventing the disclosure of transmitted information requires that the application server take measures to employ some form of cryptographic mechanism in order to protect the information during transmission.  This is usually achieved through the use of Transport Layer Security (TLS). 
--
--JBoss relies on the underlying SSL implementation running on the OS.  This can be either Java based or OpenSSL.  The SSL protocol setting determines which SSL protocol is used.  SSL has known security vulnerabilities, so TLS should be used instead. 
--
--If data is transmitted unencrypted, the data then becomes vulnerable to disclosure.  The disclosure may reveal user identifier/password combinations, website code revealing business logic, or other user personal information.
--
--FIPS 140-2 approved TLS versions include TLS V1.0 or greater.
--
--TLS must be enabled, and non-FIPS-approved SSL versions must be disabled.  NIST SP 800-52 specifies the preferred configurations for government systems.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target JBoss EAP 6.3</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>JBoss EAP 6.3</dc:subject><dc:identifier>2923</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-002418</ident><fixtext fixref="F-68241r1_fix">Reference section 4.6 of the JBoss EAP 6.3 Security Guide located on the Red Hat vendor's web site for step-by-step instructions on establishing SSL encryption on JBoss.
--
--The overall steps include:
--
--1. Add an HTTPS connector.
--2. Configure the SSL encryption certificate and keys.
--3. Set the protocol to TLS V1.1 or V1.2.</fixtext><fix id="F-68241r1_fix" /><check system="C-63125r3_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_JBoss_EAP_6-3_STIG.xml" /><check-content>Log on to the OS of the JBoss server with OS permissions that allow access to JBoss. 
--Using the relevant OS commands and syntax, cd to the &lt;JBOSS_HOME&gt;/bin/ folder. 
--Run the jboss-cli script.  
--Connect to the server and authenticate. 
--
--Validate that the TLS protocol is used for HTTPS connections.
--Run the command:
--
--"ls /subsystem=web/connector=https/ssl=configuration"
--
--If a TLS V1.1 or V1.2 protocol is not returned, this is a finding.</check-content></check></Rule></Group><Group id="V-62323"><title>SRG-APP-000440-AS-000167</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-76813r2_rule" severity="medium" weight="10.0"><version>JBOS-AS-000655</version><title>JBoss must be configured to use an approved cryptographic algorithm in conjunction with TLS.</title><description>&lt;VulnDiscussion&gt;Preventing the disclosure or modification of transmitted information requires that application servers take measures to employ approved cryptography in order to protect the information during transmission over the network. This is usually achieved through the use of Transport Layer Security (TLS), SSL VPN, or IPSec tunnel.
--
--If data in transit is unencrypted, it is vulnerable to disclosure and modification. If approved cryptographic algorithms are not used, encryption strength cannot be assured.
--
--FIPS 140-2 approved TLS versions include TLS V1.0 or greater.
--
--TLS must be enabled, and non-FIPS-approved SSL versions must be disabled.  NIST SP 800-52 specifies the preferred configurations for government systems.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target JBoss EAP 6.3</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>JBoss EAP 6.3</dc:subject><dc:identifier>2923</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-002421</ident><fixtext fixref="F-68243r1_fix">Reference section 4.6 of the JBoss EAP 6.3 Security Guide located on the Red Hat vendor's website for step-by-step instructions on establishing SSL encryption on JBoss.
--
--The overall steps include:
--
--1. Add an HTTPS connector.
--2. Configure the SSL encryption certificate and keys.
--3. Set the Cipher to an approved algorithm.</fixtext><fix id="F-68243r1_fix" /><check system="C-63127r2_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_JBoss_EAP_6-3_STIG.xml" /><check-content>Log on to the OS of the JBoss server with OS permissions that allow access to JBoss.
--Using the relevant OS commands and syntax, cd to the &lt;JBOSS_HOME&gt;/bin/ folder.
--Run the jboss-cli script.
--Connect to the server and authenticate.
--
--Validate that the TLS protocol is used for HTTPS connections.
--Run the command:
--
--"ls /subsystem=web/connector=https/ssl=configuration"
--
--Review the cipher suites.  The following suites are acceptable as per NIST 800-52r1 section 3.3.1 - Cipher Suites.  Refer to the NIST document for a complete list of acceptable cipher suites.  The source NIST document and approved encryption algorithms/cipher suites are subject to change and should be referenced.
--
--AES_128_CBC
--AES_256_CBC
--AES_128_GCM
--AES_128_CCM
--AES_256_CCM
--
--If the cipher suites utilized by the TLS server are not approved by NIST as per 800-52r1, this is a finding.</check-content></check></Rule></Group><Group id="V-62325"><title>SRG-APP-000456-AS-000266</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-76815r1_rule" severity="high" weight="10.0"><version>JBOS-AS-000680</version><title>Production JBoss servers must be supported by the vendor.</title><description>&lt;VulnDiscussion&gt;The JBoss product is available as Open Source; however, the Red Hat vendor provides updates, patches and support for the JBoss product.  It is imperative that patches and updates be applied to JBoss in a timely manner as many attacks against JBoss focus on unpatched systems.  It is critical that support be obtained and made available.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target JBoss EAP 6.3</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>JBoss EAP 6.3</dc:subject><dc:identifier>2923</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-002605</ident><fixtext fixref="F-68245r1_fix">Obtain vendor support from Red Hat.</fixtext><fix id="F-68245r1_fix" /><check system="C-63129r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_JBoss_EAP_6-3_STIG.xml" /><check-content>Interview the system admin and have them either show documented proof of current support, or have them demonstrate their ability to access the Red Hat Enterprise Support portal.
--
--Verify Red Hat  support includes coverage for the JBoss product.
--
--If there is no current and active support from the vendor, this is a finding.</check-content></check></Rule></Group><Group id="V-62327"><title>SRG-APP-000456-AS-000266</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-76817r1_rule" severity="high" weight="10.0"><version>JBOS-AS-000685</version><title>The JRE installed on the JBoss server must be kept up to date.</title><description>&lt;VulnDiscussion&gt;The JBoss product is available as Open Source; however, the Red Hat vendor provides updates, patches and support for the JBoss product.  It is imperative that patches and updates be applied to JBoss in a timely manner as many attacks against JBoss focus on unpatched systems.  It is critical that support be obtained and made available.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target JBoss EAP 6.3</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>JBoss EAP 6.3</dc:subject><dc:identifier>2923</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-002605</ident><fixtext fixref="F-68247r1_fix">Configure the operating system and the application server to use a patch management system or process that ensures security-relevant updates are installed within the time period directed by the ISSM.</fixtext><fix id="F-68247r1_fix" /><check system="C-63131r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_JBoss_EAP_6-3_STIG.xml" /><check-content>Interview the system admin and obtain details on their patch management processes as it relates to the OS and the Application Server.
--
--If there is no active, documented patch management process in use for these components, this is a finding.</check-content></check></Rule></Group><Group id="V-62329"><title>SRG-APP-000495-AS-000220</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-76819r1_rule" severity="medium" weight="10.0"><version>JBOS-AS-000690</version><title>JBoss must be configured to generate log records when successful/unsuccessful attempts to modify privileges occur.</title><description>&lt;VulnDiscussion&gt;Changing privileges of a subject/object may cause a subject/object to gain or lose capabilities.  When successful/unsuccessful changes are made, the event needs to be logged.  By logging the event, the modification or attempted modification can be investigated to determine if it was performed inadvertently or maliciously.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target JBoss EAP 6.3</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>JBoss EAP 6.3</dc:subject><dc:identifier>2923</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000172</ident><fixtext fixref="F-68249r1_fix">Launch the jboss-cli management interface.
--Connect to the server by typing "connect", authenticate as a user in the Superuser role, and run the following command:
--
--For a Managed Domain configuration:
--"host=master/server/&lt;SERVERNAME&gt;/core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)"
--
--For a Standalone configuration:
--"/core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)"</fixtext><fix id="F-68249r1_fix" /><check system="C-63133r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_JBoss_EAP_6-3_STIG.xml" /><check-content>Log on to the OS of the JBoss server with OS permissions that allow access to JBoss.
--Using the relevant OS commands and syntax, cd to the &lt;JBOSS_HOME&gt;/bin/ folder.
--Run the jboss-cli script to start the Command Line Interface (CLI).
--Connect to the server and authenticate.
--Run the command:
--
--For a Managed Domain configuration:
--"ls host=master/server/&lt;SERVERNAME&gt;/core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)"
--
--For a Standalone configuration:
--"ls /core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)"
--
--If "enabled" = false, this is a finding.</check-content></check></Rule></Group><Group id="V-62331"><title>SRG-APP-000499-AS-000224</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-76821r1_rule" severity="medium" weight="10.0"><version>JBOS-AS-000695</version><title>JBoss must be configured to generate log records when successful/unsuccessful attempts to delete privileges occur.</title><description>&lt;VulnDiscussion&gt;Deleting privileges of a subject/object may cause a subject/object to gain or lose capabilities.  When successful and unsuccessful privilege deletions are made, the events need to be logged.  By logging the event, the modification or attempted modification can be investigated to determine if it was performed inadvertently or maliciously.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target JBoss EAP 6.3</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>JBoss EAP 6.3</dc:subject><dc:identifier>2923</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000172</ident><fixtext fixref="F-68251r1_fix">Launch the jboss-cli management interface.
--Connect to the server by typing "connect", authenticate as a user in the Superuser role, and run the following command:
--
--For a Managed Domain configuration:
--"host=master/server/&lt;SERVERNAME&gt;/core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)"
--
--For a Standalone configuration:
--"/core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)"</fixtext><fix id="F-68251r1_fix" /><check system="C-63135r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_JBoss_EAP_6-3_STIG.xml" /><check-content>Log on to the OS of the JBoss server with OS permissions that allow access to JBoss.
--Using the relevant OS commands and syntax, cd to the &lt;JBOSS_HOME&gt;/bin/ folder.
--Run the jboss-cli script to start the Command Line Interface (CLI).
--Connect to the server and authenticate.
--Run the command:
--
--For a Managed Domain configuration:
--"ls host=master/server/&lt;SERVERNAME&gt;/core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)"
--
--For a Standalone configuration:
--"ls /core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)"
--
--If "enabled" = false, this is a finding.</check-content></check></Rule></Group><Group id="V-62333"><title>SRG-APP-000503-AS-000228</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-76823r1_rule" severity="medium" weight="10.0"><version>JBOS-AS-000700</version><title>JBoss must be configured to generate log records when successful/unsuccessful logon attempts occur.</title><description>&lt;VulnDiscussion&gt;Logging the access to the application server allows the system administrators to monitor user accounts.  By logging successful/unsuccessful logons, the system administrator can determine if an account is compromised (e.g., frequent logons) or is in the process of being compromised (e.g., frequent failed logons) and can take actions to thwart the attack.
--
--Logging successful logons can also be used to determine accounts that are no longer in use.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target JBoss EAP 6.3</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>JBoss EAP 6.3</dc:subject><dc:identifier>2923</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000172</ident><fixtext fixref="F-68253r1_fix">Launch the jboss-cli management interface.
--Connect to the server by typing "connect", authenticate as a user in the Superuser role, and run the following command:
--
--For a Managed Domain configuration:
--"host=master/server/&lt;SERVERNAME&gt;/core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)"
--
--For a Standalone configuration:
--"/core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)"</fixtext><fix id="F-68253r1_fix" /><check system="C-63137r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_JBoss_EAP_6-3_STIG.xml" /><check-content>Log on to the OS of the JBoss server with OS permissions that allow access to JBoss. 
--Using the relevant OS commands and syntax, cd to the &lt;JBOSS_HOME&gt;/bin/ folder. 
--Run the jboss-cli script to start the Command Line Interface (CLI). 
--Connect to the server and authenticate. 
--Run the command:
--
--For a Managed Domain configuration:
--"ls host=master/server/&lt;SERVERNAME&gt;/core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)"
--
--For a Standalone configuration:
--"ls /core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)"
--
--If "enabled" = false, this is a finding.</check-content></check></Rule></Group><Group id="V-62335"><title>SRG-APP-000504-AS-000229</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-76825r1_rule" severity="medium" weight="10.0"><version>JBOS-AS-000705</version><title>JBoss must be configured to generate log records for privileged activities.</title><description>&lt;VulnDiscussion&gt;Without generating log records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
--
--Privileged activities would occur through the management interface.  This interface can be web-based or can be command line utilities.  Whichever method is utilized by the application server, these activities must be logged.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target JBoss EAP 6.3</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>JBoss EAP 6.3</dc:subject><dc:identifier>2923</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000172</ident><fixtext fixref="F-68255r1_fix">Launch the jboss-cli management interface.
--Connect to the server by typing "connect", authenticate as a user in the Superuser role, and run the following command:
--
--For a Managed Domain configuration:
--"host=master/server/&lt;SERVERNAME&gt;/core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)"
--
--For a Standalone configuration:
--"/core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)"</fixtext><fix id="F-68255r1_fix" /><check system="C-63139r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_JBoss_EAP_6-3_STIG.xml" /><check-content>Log on to the OS of the JBoss server with OS permissions that allow access to JBoss. 
--Using the relevant OS commands and syntax, cd to the &lt;JBOSS_HOME&gt;/bin/ folder. 
--Run the jboss-cli script to start the Command Line Interface (CLI). 
--Connect to the server and authenticate. 
--Run the command:
--
--For a Managed Domain configuration:
--"ls host=master/server/&lt;SERVERNAME&gt;/core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)"
--
--For a Standalone configuration:
--"ls /core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)"
--
--If "enabled" = false, this is a finding.</check-content></check></Rule></Group><Group id="V-62337"><title>SRG-APP-000505-AS-000230</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-76827r1_rule" severity="medium" weight="10.0"><version>JBOS-AS-000710</version><title>JBoss must be configured to generate log records that show starting and ending times for access to the application server management interface.</title><description>&lt;VulnDiscussion&gt;Determining when a user has accessed the management interface is important to determine the timeline of events when a security incident occurs.  Generating these events, especially if the management interface is accessed via a stateless protocol like HTTP, the log events will be generated when the user performs a logon (start) and when the user performs a logoff (end).  Without these events, the user and later investigators cannot determine the sequence of events and therefore cannot determine what may have happened and by whom it may have been done.
--
--The generation of start and end times within log events allows the user to perform their due diligence in the event of a security breach.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target JBoss EAP 6.3</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>JBoss EAP 6.3</dc:subject><dc:identifier>2923</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000172</ident><fixtext fixref="F-68257r1_fix">Launch the jboss-cli management interface.
--Connect to the server by typing "connect", authenticate as a user in the Superuser role, and run the following command:
--
--For a Managed Domain configuration:
--"host=master/server/&lt;SERVERNAME&gt;/core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)"
--
--For a Standalone configuration:
--"/core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)"</fixtext><fix id="F-68257r1_fix" /><check system="C-63141r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_JBoss_EAP_6-3_STIG.xml" /><check-content>Log on to the OS of the JBoss server with OS permissions that allow access to JBoss. 
--Using the relevant OS commands and syntax, cd to the &lt;JBOSS_HOME&gt;/bin/ folder. 
--Run the jboss-cli script to start the Command Line Interface (CLI). 
--Connect to the server and authenticate. 
--Run the command:
--
--For a Managed Domain configuration:
--"ls host=master/server/&lt;SERVERNAME&gt;/core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)"
--
--For a Standalone configuration:
--"ls /core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)"
--
--If "enabled" = false, this is a finding.</check-content></check></Rule></Group><Group id="V-62339"><title>SRG-APP-000506-AS-000231</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-76829r1_rule" severity="medium" weight="10.0"><version>JBOS-AS-000715</version><title>JBoss must be configured to generate log records when concurrent logons from different workstations occur to the application server management interface.</title><description>&lt;VulnDiscussion&gt;Concurrent logons from different systems could possibly indicate a compromised account.  When concurrent logons are made from different workstations to the management interface, a log record needs to be generated.  This configuration setting provides forensic evidence that allows the system administrator to investigate access to the system and determine if the duplicate access was authorized or not.
--
--JBoss provides a multitude of different log formats, and API calls that log access to the system.  If the default format and location is not used, the system admin must provide the configuration documentation and settings that show that this requirement is being met.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target JBoss EAP 6.3</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>JBoss EAP 6.3</dc:subject><dc:identifier>2923</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000172</ident><fixtext fixref="F-68259r1_fix">Launch the jboss-cli management interface.
--Connect to the server by typing "connect", authenticate as a user in the Superuser role, and run the following command:
--
--For a Managed Domain configuration:
--"host=master/server/&lt;SERVERNAME&gt;/core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)"
--
--For a Standalone configuration:
--"/core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)"</fixtext><fix id="F-68259r1_fix" /><check system="C-63143r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_JBoss_EAP_6-3_STIG.xml" /><check-content>Log on to the OS of the JBoss server with OS permissions that allow access to JBoss. 
--Using the relevant OS commands and syntax, cd to the &lt;JBOSS_HOME&gt;/bin/ folder. 
--Run the jboss-cli script to start the Command Line Interface (CLI). 
--Connect to the server and authenticate. 
--Run the command:
--
--For a Managed Domain configuration:
--"ls host=master/server/&lt;SERVERNAME&gt;/core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)"
--
--For a Standalone configuration:
--"ls /core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)"
--
--If "enabled" = false, this is a finding.</check-content></check></Rule></Group><Group id="V-62341"><title>SRG-APP-000509-AS-000234</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-76831r1_rule" severity="medium" weight="10.0"><version>JBOS-AS-000720</version><title>JBoss must be configured to generate log records for all account creations, modifications, disabling, and termination events.</title><description>&lt;VulnDiscussion&gt;The maintenance of user accounts is a key activity within the system to determine access and privileges.  Through changes to accounts, an attacker can create an account for persistent access, modify an account to elevate privileges, or terminate/disable an account(s) to cause a DoS for user(s).  To be able to track and investigate these actions, log records must be generated for any account modification functions.
--
--Application servers either provide a local user store, or they can integrate with enterprise user stores like LDAP.  As such, the application server must be able to generate log records on account creation, modification, disabling, and termination.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target JBoss EAP 6.3</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>JBoss EAP 6.3</dc:subject><dc:identifier>2923</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000172</ident><fixtext fixref="F-68261r1_fix">Launch the jboss-cli management interface.
--Connect to the server by typing "connect", authenticate as a user in the Superuser role, and run the following command:
--
--For a Managed Domain configuration:
--"host=master/server/&lt;SERVERNAME&gt;/core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)"
--
--For a Standalone configuration:
--"/core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)"</fixtext><fix id="F-68261r1_fix" /><check system="C-63145r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_JBoss_EAP_6-3_STIG.xml" /><check-content>Log on to the OS of the JBoss server with OS permissions that allow access to JBoss. 
--Using the relevant OS commands and syntax, cd to the &lt;JBOSS_HOME&gt;/bin/ folder. 
--Run the jboss-cli script to start the Command Line Interface (CLI). 
--Connect to the server and authenticate. 
--Run the command:
--
--For a Managed Domain configuration:
--"ls host=master/server/&lt;SERVERNAME&gt;/core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)"
--
--For a Standalone configuration:
--"ls /core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled,value=true)"
--
--If "enabled" = false, this is a finding.</check-content></check></Rule></Group><Group id="V-62343"><title>SRG-APP-000514-AS-000137</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-76833r1_rule" severity="medium" weight="10.0"><version>JBOS-AS-000730</version><title>The JBoss server must be configured to use DoD- or CNSS-approved PKI Class 3 or Class 4 certificates.</title><description>&lt;VulnDiscussion&gt;Class 3 PKI certificates are used for servers and software signing rather than for identifying individuals. Class 4 certificates are used for business-to-business transactions. Utilizing unapproved certificates not issued or approved by DoD or CNS creates an integrity risk. The application server must utilize approved DoD or CNS Class 3 or Class 4 certificates for software signing and business-to-business transactions.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target JBoss EAP 6.3</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>JBoss EAP 6.3</dc:subject><dc:identifier>2923</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-002450</ident><fixtext fixref="F-68263r1_fix">Configure the application server to use DoD- or CNSS-approved Class 3 or Class 4 PKI certificates.</fixtext><fix id="F-68263r1_fix" /><check system="C-63147r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_JBoss_EAP_6-3_STIG.xml" /><check-content>Interview the administrator to determine if JBoss is using certificates for PKI.  If JBoss is not performing any PKI functions, this finding is NA.
--
--The CA certs are usually stored in a file called cacerts located in the directory $JAVA_HOME/lib/security.  If the file is not in this location, use a search command to locate the file, or ask the administrator where the certificate store is located.
--
--Open a dos shell or terminal window and change to the location of the certificate store.  To view the certificates within the certificate store, run the command (in this example, the keystore file is cacerts.): keytool -list -v -keystore ./cacerts  
--
--Locate the "OU" field for each certificate within the keystore.  The field should contain either "DoD" or "CNSS" as the Organizational Unit (OU). 
--
--If the OU does not show that the certificates are DoD or CNSS supplied, this is a finding.</check-content></check></Rule></Group><Group id="V-62345"><title>SRG-APP-000515-AS-000203</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-76835r1_rule" severity="medium" weight="10.0"><version>JBOS-AS-000735</version><title>JBoss servers must be configured to roll over and transfer logs on a minimum weekly basis.</title><description>&lt;VulnDiscussion&gt;Information stored in one location is vulnerable to accidental or incidental deletion or alteration.  Protecting log data is important during a forensic investigation to ensure investigators can track and understand what may have occurred.  Off-loading should be set up as a scheduled task but can be configured to be run manually, if other processes during the off-loading are manual.
--
--Off-loading is a common process in information systems with limited log storage capacity.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target JBoss EAP 6.3</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>JBoss EAP 6.3</dc:subject><dc:identifier>2923</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-001851</ident><fixtext fixref="F-68265r1_fix">Open the web-based management interface by opening a browser and pointing it to HTTPS://&lt;EAP_SERVER&gt;:9990/
--
--Authenticate as a user with Admin rights.
--Navigate to the "Configuration" tab.
--Expand + Subsystems.
--Expand + Core.
--Select "Logging".
--Select the "Handler" tab.
--Select  "Periodic".
--
--If a periodic file handler does not exist, reference JBoss admin guide for instructions on how to create a file handler that will rotate logs on a daily basis. 
--Create scripts that package and off-load log data at least weekly.</fixtext><fix id="F-68265r1_fix" /><check system="C-63149r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_JBoss_EAP_6-3_STIG.xml" /><check-content>If the JBoss server is configured to use a Syslog Handler, this is not a finding.
--
--Log on to the OS of the JBoss server with OS permissions that allow access to JBoss. 
--Using the relevant OS commands and syntax, cd to the &lt;JBOSS_HOME&gt;/bin/ folder. 
--Run the jboss-cli script.  
--Connect to the server and authenticate. 
--
--Determine if there is a periodic rotating file handler.
--
--For a domain configuration run the following command; where &lt;SERVERNAME&gt; is a variable for all of the servers in the domain.  Usually "server-one", "server-two", etc.:
--
--"ls /host=master/server=&lt;SERVERNAME&gt;/subsystem=logging/periodic-rotating-file-handler="
--
--For a standalone configuration run the command:
--"ls /subsystem=logging/periodic-rotating-file-handler="
--
--If the command does not return "FILE", this is a finding.
--
--Review the &lt;JBOSS_HOME&gt;/standalone/log folder for the existence of rotated logs, and ask the admin to demonstrate how rotated logs are packaged and transferred to another system on at least a weekly basis.</check-content></check></Rule></Group></Benchmark>
-\ No newline at end of file
-diff --git a/ssg/constants.py b/ssg/constants.py
-index a585f32afc..0eca2f4f95 100644
---- a/ssg/constants.py
-+++ b/ssg/constants.py
-@@ -7,7 +7,6 @@
- product_directories = [
-     'chromium',
-     'debian8', 'debian9', 'debian10',
--    'eap6',
-     'example',
-     'fedora',
-     'firefox',
-@@ -145,7 +144,6 @@
-     "Debian 8": "debian8",
-     "Debian 9": "debian9",
-     "Debian 10": "debian10",
--    "JBoss EAP 6": "eap6",
-     "Example": "example",
-     "Fedora": "fedora",
-     "Firefox": "firefox",
-@@ -188,41 +186,6 @@
-     "debian10": [
-         "cpe:/o:debian:debian_linux:10",
-     ],
--    "eap6": [
--        "cpe:/a:redhat:jboss_enterprise_application_platform:6.0.0",
--        "cpe:/a:redhat:jboss_enterprise_application_platform:6.0.1",
--        "cpe:/a:redhat:jboss_enterprise_application_platform:6.1.0",
--        "cpe:/a:redhat:jboss_enterprise_application_platform:6.1.1",
--        "cpe:/a:redhat:jboss_enterprise_application_platform:6.2.0",
--        "cpe:/a:redhat:jboss_enterprise_application_platform:6.2.1",
--        "cpe:/a:redhat:jboss_enterprise_application_platform:6.2.2",
--        "cpe:/a:redhat:jboss_enterprise_application_platform:6.2.3",
--        "cpe:/a:redhat:jboss_enterprise_application_platform:6.2.4",
--        "cpe:/a:redhat:jboss_enterprise_application_platform:6.3.0",
--        "cpe:/a:redhat:jboss_enterprise_application_platform:6.3.1",
--        "cpe:/a:redhat:jboss_enterprise_application_platform:6.3.2",
--        "cpe:/a:redhat:jboss_enterprise_application_platform:6.3.3",
--        "cpe:/a:redhat:jboss_enterprise_application_platform:6.4.0",
--        "cpe:/a:redhat:jboss_enterprise_application_platform:6.4.1",
--        "cpe:/a:redhat:jboss_enterprise_application_platform:6.4.2",
--        "cpe:/a:redhat:jboss_enterprise_application_platform:6.4.3",
--        "cpe:/a:redhat:jboss_enterprise_application_platform:6.4.4",
--        "cpe:/a:redhat:jboss_enterprise_application_platform:6.4.5",
--        "cpe:/a:redhat:jboss_enterprise_application_platform:6.4.6",
--        "cpe:/a:redhat:jboss_enterprise_application_platform:6.4.7",
--        "cpe:/a:redhat:jboss_enterprise_application_platform:6.4.8",
--        "cpe:/a:redhat:jboss_enterprise_application_platform:6.4.9",
--        "cpe:/a:redhat:jboss_enterprise_application_platform:6.4.10",
--        "cpe:/a:redhat:jboss_enterprise_application_platform:6.4.11",
--        "cpe:/a:redhat:jboss_enterprise_application_platform:6.4.12",
--        "cpe:/a:redhat:jboss_enterprise_application_platform:6.4.13",
--        "cpe:/a:redhat:jboss_enterprise_application_platform:6.4.14",
--        "cpe:/a:redhat:jboss_enterprise_application_platform:6.4.15",
--        "cpe:/a:redhat:jboss_enterprise_application_platform:6.4.16",
--        "cpe:/a:redhat:jboss_enterprise_application_platform:6.4.17",
--        "cpe:/a:redhat:jboss_enterprise_application_platform:6.4.18",
--        "cpe:/a:redhat:jboss_enterprise_application_platform:6.4.19",
--    ],
-     "example": [
-     ],
-     "fedora": [
diff --git a/SOURCES/scap-security-guide-0.1.53-remove_screen_from_stig-PR_6072.patch b/SOURCES/scap-security-guide-0.1.53-remove_screen_from_stig-PR_6072.patch
deleted file mode 100644
index 6cdaf9c..0000000
--- a/SOURCES/scap-security-guide-0.1.53-remove_screen_from_stig-PR_6072.patch
+++ /dev/null
@@ -1,21 +0,0 @@
-From 9e0e70ef9f38bc8b44f873b3d731ca253e60ffd8 Mon Sep 17 00:00:00 2001
-From: Vojtech Polasek <vpolasek@redhat.com>
-Date: Fri, 11 Sep 2020 14:11:00 +0200
-Subject: [PATCH] remove package_screen_installed from rhel7 stig
-
----
- rhel7/profiles/stig.profile | 1 -
- 1 file changed, 1 deletion(-)
-
-diff --git a/rhel7/profiles/stig.profile b/rhel7/profiles/stig.profile
-index 3d8647de70..bb4af878a7 100644
---- a/rhel7/profiles/stig.profile
-+++ b/rhel7/profiles/stig.profile
-@@ -66,7 +66,6 @@ selections:
-     - dconf_gnome_screensaver_lock_locked
-     - dconf_gnome_enable_smartcard_auth
-     - dconf_gnome_screensaver_idle_delay
--    - package_screen_installed
-     - dconf_gnome_screensaver_idle_activation_enabled
-     - dconf_gnome_screensaver_idle_activation_locked
-     - dconf_gnome_screensaver_lock_delay
diff --git a/SOURCES/scap-security-guide-0.1.53-remove_srg_accounts_pam_retry-PR_6045.patch b/SOURCES/scap-security-guide-0.1.53-remove_srg_accounts_pam_retry-PR_6045.patch
deleted file mode 100644
index 4cb0830..0000000
--- a/SOURCES/scap-security-guide-0.1.53-remove_srg_accounts_pam_retry-PR_6045.patch
+++ /dev/null
@@ -1,22 +0,0 @@
-From 6ce386a7c414646ae69ac1880ca70b6ca664ccdd Mon Sep 17 00:00:00 2001
-From: Vojtech Polasek <vpolasek@redhat.com>
-Date: Thu, 3 Sep 2020 18:43:45 +0200
-Subject: [PATCH] remove srgs
-
----
- .../accounts_password_pam_retry/rule.yml                        | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/rule.yml
-index e8b510da73..a64ee575a1 100644
---- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/rule.yml
-+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/rule.yml
-@@ -31,7 +31,7 @@ references:
-     nist: CM-6(a),AC-7(a),IA-5(4)
-     nist-csf: PR.AC-1,PR.AC-6,PR.AC-7,PR.IP-1
-     ospp: FMT_MOF_EXT.1
--    srg: SRG-OS-000069-GPOS-00037,SRG-OS-000480-GPOS-00225,SRG-OS-000480-GPOS-00229
-+    srg: SRG-OS-000480-GPOS-00225
-     stigid@rhel7: RHEL-07-010119
-     isa-62443-2013: 'SR 1.1,SR 1.10,SR 1.2,SR 1.3,SR 1.4,SR 1.5,SR 1.7,SR 1.8,SR 1.9,SR 2.1,SR 7.6'
-     isa-62443-2009: 4.3.3.2.2,4.3.3.5.1,4.3.3.5.2,4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9,4.3.3.7.2,4.3.3.7.4,4.3.4.3.2,4.3.4.3.3
diff --git a/SOURCES/scap-security-guide-0.1.53-remove_stig_rule-PR_6086.patch b/SOURCES/scap-security-guide-0.1.53-remove_stig_rule-PR_6086.patch
deleted file mode 100644
index 32dbe2b..0000000
--- a/SOURCES/scap-security-guide-0.1.53-remove_stig_rule-PR_6086.patch
+++ /dev/null
@@ -1,23 +0,0 @@
-From 7d1c18187b8bd74a384ca1ed2fc1768cdf2cca16 Mon Sep 17 00:00:00 2001
-From: Gabriel Becker <ggasparb@redhat.com>
-Date: Tue, 15 Sep 2020 18:07:25 +0200
-Subject: [PATCH] Remove accounts_user_interactive_home_directory_defined from
- RHEL7 STIG.
-
-Rule has been removed from latest release (v2r8).
----
- rhel7/profiles/stig.profile | 1 -
- 1 file changed, 1 deletion(-)
-
-diff --git a/rhel7/profiles/stig.profile b/rhel7/profiles/stig.profile
-index bb4af878a7..30d7b4b4cd 100644
---- a/rhel7/profiles/stig.profile
-+++ b/rhel7/profiles/stig.profile
-@@ -127,7 +127,6 @@ selections:
-     - accounts_no_uid_except_zero
-     - no_files_unowned_by_user
-     - file_permissions_ungroupowned
--    - accounts_user_interactive_home_directory_defined
-     - accounts_have_homedir_login_defs
-     - accounts_user_interactive_home_directory_exists
-     - file_permissions_home_directories
diff --git a/SOURCES/scap-security-guide-0.1.53-remove_ub1404-PR_6154.patch b/SOURCES/scap-security-guide-0.1.53-remove_ub1404-PR_6154.patch
deleted file mode 100644
index 73ea238..0000000
--- a/SOURCES/scap-security-guide-0.1.53-remove_ub1404-PR_6154.patch
+++ /dev/null
@@ -1,43 +0,0 @@
-diff --git a/shared/templates/template_OVAL_service_disabled b/shared/templates/template_OVAL_service_disabled
-index 941c289c43..61d3748688 100644
---- a/shared/templates/template_OVAL_service_disabled
-+++ b/shared/templates/template_OVAL_service_disabled
-@@ -85,36 +85,7 @@
- 
- {{% else %}}
- 
--  {{% if product == "ubuntu1404" %}}
--
--  <definition class="compliance" id="service_{{{ SERVICENAME }}}_disabled"
--  version="1">
--    {{{ oval_metadata("The " + SERVICENAME + " service should be disabled if possible.", affected_platforms=["multi_platform_all"]) }}}
--   <criteria comment="package {{{ PACKAGENAME }}} removed or service {{{ SERVICENAME }}} is not configured to start" operator="OR">
--    <criterion comment="{{{ PACKAGENAME }}} removed" test_ref="{{{ package_removed_test_id }}}" />
--
--    <!-- OVAL <runlevel_test> is not implemented in OpenSCAP when compiled on Ubuntusystems yet:
--         https://github.com/OpenSCAP/openscap/blob/maint-1.2/src/OVAL/probes/unix/runlevel.c#L210
--
--         (attempt to use it will result into 'error' result), therefore we verify that there
--         DOES NOT exist some "S\d{2}ssh" service record in all of "/etc/rc*.d/" subfolders -->
--    <criterion comment="{{{ SERVICENAME }}} disabled in /etc/rc*.d" test_ref="test_{{{ SERVICENAME }}}_disabled" />
--
--    </criteria>
--  </definition>
--
--  <!-- Verify there DOES NOT exist some 'S\d{2}ssh' service record in some of '/etc/rc*.d/' subfolders -->
--  <unix:file_test id="test_{{{ SERVICENAME }}}_disabled" check="all" check_existence="none_exist"
--   comment="{{{ SERVICENAME }}} disabled in /etc/rc*.d" version="1" >
--   <unix:object object_ref="object_{{{ DAEMONNAME }}}_etc_rcd" />
--  </unix:file_test>
--
--  <unix:file_object id="object_{{{ DAEMONNAME }}}_etc_rcd" comment="/etc/rc*.d/S\d{2}{{{ DAEMONNAME }}}" version="1">
--    <unix:path operation="pattern match">^/etc/rc[0-6S]\.d$</unix:path>
--    <unix:filename operation="pattern match">^S\d{2}{{{ DAEMONNAME }}}$</unix:filename>
--  </unix:file_object>
--
--  {{% elif init_system != "systemd" %}}
-+  {{% if init_system != "systemd" %}}
- 
-   {{# we are not using systemd, it doesn't matter if we can or cannot use OVAL 5.11, let us just use the runlevel test #}}
- 
-
diff --git a/SOURCES/scap-security-guide-0.1.53-tftpd_fix_variable_type-PR_6077.patch b/SOURCES/scap-security-guide-0.1.53-tftpd_fix_variable_type-PR_6077.patch
deleted file mode 100644
index e29eb13..0000000
--- a/SOURCES/scap-security-guide-0.1.53-tftpd_fix_variable_type-PR_6077.patch
+++ /dev/null
@@ -1,23 +0,0 @@
-From 772f2708abe00e3fa80fe17859f4b39517cc0b8b Mon Sep 17 00:00:00 2001
-From: Milan Lysonek <mlysonek@redhat.com>
-Date: Mon, 14 Sep 2020 17:13:43 +0200
-Subject: [PATCH] Fix wrong type of var_tftpd_secure_directory in
- tftpd_uses_secure_mode rule
-
----
- .../obsolete/tftp/tftpd_uses_secure_mode/oval/shared.xml        | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/oval/shared.xml b/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/oval/shared.xml
-index 2268a49467..8d105244f4 100644
---- a/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/oval/shared.xml
-+++ b/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/oval/shared.xml
-@@ -26,7 +26,7 @@
-   </ind:textfilecontent54_object>
- 
-   <ind:textfilecontent54_state id="state_tftpd_uses_secure_mode" version="1">
--    <ind:subexpression datatype="int" operation="equals" var_check="all"
-+    <ind:subexpression datatype="string" operation="equals" var_check="all"
-     var_ref="var_tftpd_secure_directory" />
-   </ind:textfilecontent54_state>
- 
diff --git a/SOURCES/scap-security-guide-0.1.53-update_audisp_network_failure_action-PR_6071.patch b/SOURCES/scap-security-guide-0.1.53-update_audisp_network_failure_action-PR_6071.patch
deleted file mode 100644
index 32afa4e..0000000
--- a/SOURCES/scap-security-guide-0.1.53-update_audisp_network_failure_action-PR_6071.patch
+++ /dev/null
@@ -1,65 +0,0 @@
-From 4c0470b91583d75c0a364612b9511aa04d67a2c0 Mon Sep 17 00:00:00 2001
-From: Vojtech Polasek <vpolasek@redhat.com>
-Date: Fri, 11 Sep 2020 12:56:27 +0200
-Subject: [PATCH 1/2] use xccdf variable in the rule.yml
-
----
- .../auditd_audispd_network_failure_action/rule.yml    | 11 ++++-------
- 1 file changed, 4 insertions(+), 7 deletions(-)
-
-diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_network_failure_action/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_network_failure_action/rule.yml
-index 9703bba724..01b16a4dd2 100644
---- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_network_failure_action/rule.yml
-+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_network_failure_action/rule.yml
-@@ -14,6 +14,7 @@ description: |-
-     <tt>halt</tt>. For certain systems, the need for availability
-     outweighs the need to log all actions, and a different setting should be
-     determined.
-+    This profile configures the <i>action</i> to be {{{ sub_var_value("var_audispd_network_failure_action") }}}.
- 
- rationale: |-
-     Taking appropriate action when there is an error sending audit records to a
-@@ -35,11 +36,7 @@ ocil_clause: 'the system is not configured to switch to single user mode for cor
- 
- ocil: |-
-     Inspect <tt>/etc/audisp/audisp-remote.conf</tt> and locate the following line to
--    determine if the system is configured to either send to syslog, switch to single user mode,
--    or halt when there is a network failure with audispd:
-+    determine if the system is configured to perform a correct action according to the policy:
-     <pre>grep -i network_failure_action /etc/audisp/audisp-remote.conf</pre>
--    The output should return something similar to:
--    <pre>network_failure_action = single</pre>
--    Acceptable values also include <tt>syslog</tt> and
--    <tt>halt</tt>.
--
-+    The output should return:
-+    <pre>network_failure_action = {{{ sub_var_value("var_audispd_network_failure_action") }}}</pre>
-
-From 2d7c59fe90d8dad86c6e6743f137a5d1ba580257 Mon Sep 17 00:00:00 2001
-From: Vojtech Polasek <vpolasek@redhat.com>
-Date: Tue, 22 Sep 2020 08:45:57 +0200
-Subject: [PATCH 2/2] change jinja macro used
-
----
- .../auditd_audispd_network_failure_action/rule.yml            | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_network_failure_action/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_network_failure_action/rule.yml
-index 01b16a4dd2..9e677d225c 100644
---- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_network_failure_action/rule.yml
-+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_network_failure_action/rule.yml
-@@ -14,7 +14,7 @@ description: |-
-     <tt>halt</tt>. For certain systems, the need for availability
-     outweighs the need to log all actions, and a different setting should be
-     determined.
--    This profile configures the <i>action</i> to be {{{ sub_var_value("var_audispd_network_failure_action") }}}.
-+    This profile configures the <i>action</i> to be <tt>{{{ xccdf_value("var_audispd_network_failure_action") }}}</tt>.
- 
- rationale: |-
-     Taking appropriate action when there is an error sending audit records to a
-@@ -39,4 +39,4 @@ ocil: |-
-     determine if the system is configured to perform a correct action according to the policy:
-     <pre>grep -i network_failure_action /etc/audisp/audisp-remote.conf</pre>
-     The output should return:
--    <pre>network_failure_action = {{{ sub_var_value("var_audispd_network_failure_action") }}}</pre>
-+    <pre>network_failure_action = {{{ xccdf_value("var_audispd_network_failure_action") }}}</pre>
diff --git a/SOURCES/scap-security-guide-0.1.53-update_rule_disable_ctrlaltdel_reboot-PR_6043.patch b/SOURCES/scap-security-guide-0.1.53-update_rule_disable_ctrlaltdel_reboot-PR_6043.patch
deleted file mode 100644
index 77476b1..0000000
--- a/SOURCES/scap-security-guide-0.1.53-update_rule_disable_ctrlaltdel_reboot-PR_6043.patch
+++ /dev/null
@@ -1,74 +0,0 @@
-From 3f1fdf77f923bb9f25a1c154873dbca7db8d8573 Mon Sep 17 00:00:00 2001
-From: Vojtech Polasek <vpolasek@redhat.com>
-Date: Thu, 3 Sep 2020 18:07:37 +0200
-Subject: [PATCH 1/2] update ocil
-
----
- .../disable_ctrlaltdel_reboot/rule.yml        | 19 ++++++++++++-------
- 1 file changed, 12 insertions(+), 7 deletions(-)
-
-diff --git a/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_reboot/rule.yml b/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_reboot/rule.yml
-index 12aa2bc108..09a9af5176 100644
---- a/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_reboot/rule.yml
-+++ b/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_reboot/rule.yml
-@@ -72,15 +72,20 @@ ocil_clause: 'the system is configured to reboot when Ctrl-Alt-Del is pressed'
- ocil: |-
- {{% if product == "rhel6" %}}
-     To ensure the system is configured to log a message instead of rebooting the
--    system when Ctrl-Alt-Del is pressed, ensure the following line is in
--    <tt>/etc/init/control-alt-delete.conf</tt>:
-+    system when Ctrl-Alt-Del is pressed, run the following command:
-+    <pre>sudo grep logger /etc/init/control-alt-delete.conf</pre>
-+    The output should contain a line resembling the following one:
-     <pre>exec /usr/bin/logger -p security.info "Control-Alt-Delete pressed"</pre>
- {{% else %}}
--    To ensure the system is configured to mask the Ctrl-Alt-Del sequence,
--    enter the following command:
--    <pre>$ sudo ln -sf /dev/null /etc/systemd/system/ctrl-alt-del.target</pre>
--    or
--    <pre>$ sudo systemctl mask ctrl-alt-del.target</pre>
-+    To ensure the system is configured to mask the Ctrl-Alt-Del sequence, Check
-+    that the ctrl-alt-del.target is masked and not active with the following
-+    command:
-+    <pre>sudo systemctl status ctrl-alt-del.target</pre>
-+    The output should indicate that the target is masked and not active. It
-+    might resemble following output:
-+    <pre>ctrl-alt-del.target
-+    Loaded: masked (/dev/null; bad)
-+    Active: inactive (dead)</pre>
- {{% endif %}}
- 
- warnings:
-
-From b8fe86828425bdd423fabb2e6950b2d7f7f636a5 Mon Sep 17 00:00:00 2001
-From: Vojtech Polasek <vpolasek@redhat.com>
-Date: Thu, 3 Sep 2020 18:07:54 +0200
-Subject: [PATCH 2/2] add tests
-
----
- .../disable_ctrlaltdel_reboot/tests/masked.pass.sh            | 4 ++++
- .../disable_ctrlaltdel_reboot/tests/not_masked.fail.sh        | 4 ++++
- 2 files changed, 8 insertions(+)
- create mode 100644 linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_reboot/tests/masked.pass.sh
- create mode 100644 linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_reboot/tests/not_masked.fail.sh
-
-diff --git a/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_reboot/tests/masked.pass.sh b/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_reboot/tests/masked.pass.sh
-new file mode 100644
-index 0000000000..79a1398a4e
---- /dev/null
-+++ b/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_reboot/tests/masked.pass.sh
-@@ -0,0 +1,4 @@
-+#!/bin/bash
-+# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,multi_platform_fedora
-+
-+systemctl mask ctrl-alt-del.target
-diff --git a/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_reboot/tests/not_masked.fail.sh b/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_reboot/tests/not_masked.fail.sh
-new file mode 100644
-index 0000000000..74342f0251
---- /dev/null
-+++ b/linux_os/guide/system/accounts/accounts-physical/disable_ctrlaltdel_reboot/tests/not_masked.fail.sh
-@@ -0,0 +1,4 @@
-+#!/bin/bash
-+# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,multi_platform_fedora
-+
-+systemctl unmask ctrl-alt-del.target
diff --git a/SOURCES/scap-security-guide-0.1.53-update_rule_install_hips-PR_6039.diff b/SOURCES/scap-security-guide-0.1.53-update_rule_install_hips-PR_6039.diff
deleted file mode 100644
index f57d325..0000000
--- a/SOURCES/scap-security-guide-0.1.53-update_rule_install_hips-PR_6039.diff
+++ /dev/null
@@ -1,104 +0,0 @@
-diff --git a/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_hbss_software/install_mcafee_hbss_hips/oval/shared.xml b/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_hbss_software/install_mcafee_hbss_hips/oval/shared.xml
-deleted file mode 100644
-index 1ac70e5aeb..0000000000
---- a/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_hbss_software/install_mcafee_hbss_hips/oval/shared.xml
-+++ /dev/null
-@@ -1,21 +0,0 @@
--<def-group>
--  <definition class="compliance" id="install_mcafee_hbss_hips"
--  version="1">
--	  {{{ oval_metadata("Install the McAfee Host Intrusion Prevention System (HIPS) Module if it is absolutely necessary. If SELinux is enabled, do not install or enable this module.",
--	  affected_platforms=["multi_platform_all"]) }}}
--    <criteria>
--      <criterion comment="McAfee IPS  is installed"
--      test_ref="test_mcafee_hbss_hips_installed" />
--    </criteria>
--  </definition>
--
--  <linux:rpminfo_test check="all" check_existence="all_exist"
--  id="test_mcafee_hbss_hips_installed" version="1"
--  comment="McAfee IPS is installed">
--    <linux:object object_ref="obj_mcafee_hbss_hips_installed" />
--  </linux:rpminfo_test>
--  <linux:rpminfo_object id="obj_mcafee_hbss_hips_installed" version="1">
--    <linux:name>MFEhiplsm</linux:name>
--  </linux:rpminfo_object>
--
--</def-group>
-diff --git a/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_hbss_software/install_mcafee_hbss_hips/rule.yml b/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_hbss_software/package_MFEhiplsm_installed/rule.yml
-similarity index 88%
-rename from linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_hbss_software/install_mcafee_hbss_hips/rule.yml
-rename to linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_hbss_software/package_MFEhiplsm_installed/rule.yml
-index 459a656d40..00e5f12873 100644
---- a/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_hbss_software/install_mcafee_hbss_hips/rule.yml
-+++ b/linux_os/guide/system/software/integrity/endpoint_security_software/mcafee_security_software/mcafee_hbss_software/package_MFEhiplsm_installed/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
- 
--prodtype: rhel7,rhel8
-+prodtype: fedora,rhel6,rhel7,rhel8,rhv4
- 
- title: 'Install the Host Intrusion Prevention System (HIPS) Module'
- 
-@@ -24,12 +24,13 @@ references:
-     nist: CM-6(a)
-     nist-csf: DE.AE-1,DE.AE-2,DE.AE-3,DE.AE-4,DE.CM-1,DE.CM-5,DE.CM-6,DE.CM-7,DE.DP-2,DE.DP-3,DE.DP-4,DE.DP-5,ID.RA-1,PR.AC-5,PR.DS-5,PR.IP-8,PR.PT-4,RS.AN-1,RS.CO-3
-     pcidss: Req-11.4
--    srg: STG-OS-000480-GPOS-00227
-+    srg: SRG-OS-000480-GPOS-00227,SRG-OS-000196
-     isa-62443-2013: 'SR 2.10,SR 2.11,SR 2.12,SR 2.4,SR 2.8,SR 2.9,SR 3.1,SR 3.3,SR 3.5,SR 3.8,SR 3.9,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 6.1,SR 6.2,SR 7.1,SR 7.6'
-     isa-62443-2009: 4.2.3,4.2.3.12,4.2.3.7,4.2.3.9,4.3.3.4,4.3.4.5.2,4.3.4.5.6,4.3.4.5.7,4.3.4.5.8,4.3.4.5.9,4.4.3.2,4.4.3.3,4.4.3.4
-     cobit5: APO01.06,APO07.06,APO08.04,APO10.05,APO11.06,APO12.01,APO12.02,APO12.03,APO12.04,APO12.06,APO13.01,APO13.02,BAI08.02,BAI08.04,DSS01.03,DSS01.05,DSS02.04,DSS02.05,DSS02.07,DSS03.01,DSS03.04,DSS03.05,DSS04.05,DSS05.01,DSS05.02,DSS05.04,DSS05.05,DSS05.07,DSS06.01,DSS06.02,MEA03.03,MEA03.04
-     iso27001-2013: 'A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.12.1.1,A.12.1.2,A.12.4.1,A.12.4.3,A.12.5.1,A.12.6.1,A.12.6.2,A.13.1.1,A.13.1.2,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.14.2.7,A.14.2.8,A.15.2.1,A.16.1.1,A.16.1.2,A.16.1.3,A.16.1.4,A.16.1.5,A.16.1.6,A.16.1.7,A.18.1.4,A.18.2.2,A.18.2.3,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5,Clause 16.1.2,Clause 7.4'
-     cis-csc: 1,11,12,13,14,15,16,18,19,2,3,4,5,6,7,8,9
-+    stigid@rhel7: RHEL-07-020019
- 
- ocil_clause: 'the HBSS HIPS module is not installed'
- 
-@@ -37,6 +38,9 @@ ocil: |-
-     To verify that McAfee HIPS is installed, run the following command(s):
-     <pre>$ rpm -q MFEhiplsm</pre>
- 
-+conflicts:
-+    - selinux_state
-+
- warnings:
-     - functionality: |-
-         Installing and enabling this module conflicts with SELinux.
-@@ -44,3 +48,14 @@ warnings:
-     - general: |-
-         Due to McAfee HIPS being 3rd party software, automated
-         remediation is not available for this configuration check.
-+
-+template:
-+    name: package_installed
-+    vars:
-+        pkgname: MFEhiplsm
-+    backends:
-+        anaconda: "off"
-+        ansible: "off"
-+        bash: "off"
-+        puppet: "off"
-+
-diff --git a/rhel7/profiles/stig.profile b/rhel7/profiles/stig.profile
-index 9033e433d8..f9f3e94e2a 100644
---- a/rhel7/profiles/stig.profile
-+++ b/rhel7/profiles/stig.profile
-@@ -308,3 +308,4 @@ selections:
-     - mount_option_dev_shm_noexec
-     - mount_option_dev_shm_nosuid
-     - audit_rules_privileged_commands_mount
-+    - package_MFEhiplsm_installed
-diff --git a/shared/checks/oval/install_mcafee_hbss.xml b/shared/checks/oval/install_mcafee_hbss.xml
-index 8ae73ecffc..e0fc31d760 100644
---- a/shared/checks/oval/install_mcafee_hbss.xml
-+++ b/shared/checks/oval/install_mcafee_hbss.xml
-@@ -12,7 +12,7 @@
-     <criteria operator="AND">
-       <extend_definition comment="McAfee HBSS" definition_ref="install_mcafee_cma_rt" />
-       <extend_definition comment="McAfee HBSS" definition_ref="install_mcafee_hbss_accm" />
--      <extend_definition comment="McAfee HBSS" definition_ref="install_mcafee_hbss_hips" />
-+      <extend_definition comment="McAfee HBSS" definition_ref="package_MFEhiplsm_installed" />
-       <extend_definition comment="McAfee HBSS" definition_ref="install_mcafee_hbss_pa" />
-     </criteria>
-   </definition>
diff --git a/SOURCES/scap-security-guide-0.1.53-update_rule_max_pass_life-PR_6027.patch b/SOURCES/scap-security-guide-0.1.53-update_rule_max_pass_life-PR_6027.patch
deleted file mode 100644
index 89edf57..0000000
--- a/SOURCES/scap-security-guide-0.1.53-update_rule_max_pass_life-PR_6027.patch
+++ /dev/null
@@ -1,204 +0,0 @@
-From d09b82de682756213c96b396abb0c912bea32a2b Mon Sep 17 00:00:00 2001
-From: Vojtech Polasek <vpolasek@redhat.com>
-Date: Wed, 26 Aug 2020 17:50:57 +0200
-Subject: [PATCH 1/4] unify bash remediations
-
----
- .../accounts_maximum_age_login_defs/bash/fedora.sh    | 11 -----------
- .../accounts_maximum_age_login_defs/bash/shared.sh    |  2 +-
- 2 files changed, 1 insertion(+), 12 deletions(-)
- delete mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/bash/fedora.sh
-
-diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/bash/fedora.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/bash/fedora.sh
-deleted file mode 100644
-index ef664f1a64..0000000000
---- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/bash/fedora.sh
-+++ /dev/null
-@@ -1,11 +0,0 @@
--# platform = multi_platform_fedora
--. /usr/share/scap-security-guide/remediation_functions
--declare var_accounts_maximum_age_login_defs
--populate var_accounts_maximum_age_login_defs
--
--grep -q ^PASS_MAX_DAYS /etc/login.defs && \
--sed -i "s/PASS_MAX_DAYS.*/PASS_MAX_DAYS\t$var_accounts_maximum_age_login_defs/g" /etc/login.defs
--if ! [ $? -eq 0 ]
--then
--  echo -e "PASS_MAX_DAYS\t$var_accounts_maximum_age_login_defs" >> /etc/login.defs
--fi
-diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/bash/shared.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/bash/shared.sh
-index 494e04abb9..9c61548d3a 100644
---- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/bash/shared.sh
-+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/bash/shared.sh
-@@ -1,4 +1,4 @@
--# platform = multi_platform_wrlinux,multi_platform_rhel,multi_platform_ol,multi_platform_rhv
-+# platform = multi_platform_wrlinux,multi_platform_rhel,multi_platform_ol,multi_platform_rhv,multi_platform_fedora
- . /usr/share/scap-security-guide/remediation_functions
- populate var_accounts_maximum_age_login_defs
- 
-
-From 041017588bf29a3f84024ab2dd4928624dfbf82e Mon Sep 17 00:00:00 2001
-From: Vojtech Polasek <vpolasek@redhat.com>
-Date: Wed, 26 Aug 2020 17:51:19 +0200
-Subject: [PATCH 2/4] fix regex in oval check
-
----
- .../accounts_maximum_age_login_defs/oval/shared.xml             | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/oval/shared.xml b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/oval/shared.xml
-index cd79ca81b5..27649723ac 100644
---- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/oval/shared.xml
-+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/oval/shared.xml
-@@ -22,6 +22,6 @@
-     <ind:filepath>/etc/login.defs</ind:filepath>
-     <!-- Retrieve last (uncommented) occurrence of PASS_MAX_DAYS directive -->
--    <ind:pattern operation="pattern match">.*\n[^#]*(PASS_MAX_DAYS\s+\d+)\s*\n</ind:pattern>
-+    <ind:pattern operation="pattern match">^(?:.*\n)*\s*[^#]*(PASS_MAX_DAYS\s+\d+)\s*\n</ind:pattern>
-     <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-   </ind:textfilecontent54_object>
- 
-
-From 6120e191d15b5869e6f95bea8c0a6e9de4e3e6fc Mon Sep 17 00:00:00 2001
-From: Vojtech Polasek <vpolasek@redhat.com>
-Date: Wed, 26 Aug 2020 17:51:37 +0200
-Subject: [PATCH 3/4] add tests
-
----
- .../tests/commented_standard.fail.sh                         | 5 +++++
- .../tests/commented_stig.fail.sh                             | 5 +++++
- .../tests/correct_standard.pass.sh                           | 5 +++++
- .../tests/correct_stig.pass.sh                               | 5 +++++
- .../tests/incorrect_standard.fail.sh                         | 5 +++++
- .../tests/incorrect_stig.fail.sh                             | 5 +++++
- 6 files changed, 30 insertions(+)
- create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/tests/commented_standard.fail.sh
- create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/tests/commented_stig.fail.sh
- create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/tests/correct_standard.pass.sh
- create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/tests/correct_stig.pass.sh
- create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/tests/incorrect_standard.fail.sh
- create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/tests/incorrect_stig.fail.sh
-
-diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/tests/commented_standard.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/tests/commented_standard.fail.sh
-new file mode 100644
-index 0000000000..84301cc031
---- /dev/null
-+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/tests/commented_standard.fail.sh
-@@ -0,0 +1,5 @@
-+#!/bin/bash
-+# profiles = xccdf_org.ssgproject.content_profile_standard
-+
-+rm -f /etc/login.defs
-+echo '#PASS_MAX_DAYS 90' > /etc/login.defs
-diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/tests/commented_stig.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/tests/commented_stig.fail.sh
-new file mode 100644
-index 0000000000..8ab4879dda
---- /dev/null
-+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/tests/commented_stig.fail.sh
-@@ -0,0 +1,5 @@
-+#!/bin/bash
-+# profiles = xccdf_org.ssgproject.content_profile_stig
-+
-+rm -f /etc/login.defs
-+echo '#PASS_MAX_DAYS 60' > /etc/login.defs
-diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/tests/correct_standard.pass.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/tests/correct_standard.pass.sh
-new file mode 100644
-index 0000000000..989cf596d6
---- /dev/null
-+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/tests/correct_standard.pass.sh
-@@ -0,0 +1,5 @@
-+#!/bin/bash
-+# profiles = xccdf_org.ssgproject.content_profile_standard
-+
-+rm -f /etc/login.defs
-+echo "PASS_MAX_DAYS    90" > /etc/login.defs
-diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/tests/correct_stig.pass.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/tests/correct_stig.pass.sh
-new file mode 100644
-index 0000000000..172cc4841d
---- /dev/null
-+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/tests/correct_stig.pass.sh
-@@ -0,0 +1,5 @@
-+#!/bin/bash
-+# profiles = xccdf_org.ssgproject.content_profile_stig
-+
-+rm -f /etc/login.defs
-+echo "PASS_MAX_DAYS        60" > /etc/login.defs
-diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/tests/incorrect_standard.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/tests/incorrect_standard.fail.sh
-new file mode 100644
-index 0000000000..4556ef09d5
---- /dev/null
-+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/tests/incorrect_standard.fail.sh
-@@ -0,0 +1,5 @@
-+#!/bin/bash
-+# profiles = xccdf_org.ssgproject.content_profile_standard
-+
-+rm -f /etc/login.defs
-+echo "PASS_MAX_DAYS 120" > /etc/login.defs
-diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/tests/incorrect_stig.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/tests/incorrect_stig.fail.sh
-new file mode 100644
-index 0000000000..d079467f2d
---- /dev/null
-+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/tests/incorrect_stig.fail.sh
-@@ -0,0 +1,5 @@
-+#!/bin/bash
-+# profiles = xccdf_org.ssgproject.content_profile_stig
-+
-+rm -f /etc/login.defs
-+echo "PASS_MAX_DAYS 120" > /etc/login.defs
-
-From c3dfc4148e2136ce74e1c59cd66ade7e540b51b3 Mon Sep 17 00:00:00 2001
-From: Vojtech Polasek <vpolasek@redhat.com>
-Date: Tue, 1 Sep 2020 14:46:23 +0200
-Subject: [PATCH 4/4] change platform of some tests to fedora
-
----
- ...mented_standard.fail.sh => commented_standard_fedora.fail.sh} | 1 +
- ...{correct_standard.pass.sh => correct_standard_fedora.pass.sh} | 1 +
- ...orrect_standard.fail.sh => incorrect_standard_fedora.fail.sh} | 1 +
- 3 files changed, 3 insertions(+)
- rename linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/tests/{commented_standard.fail.sh => commented_standard_fedora.fail.sh} (79%)
- rename linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/tests/{correct_standard.pass.sh => correct_standard_fedora.pass.sh} (79%)
- rename linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/tests/{incorrect_standard.fail.sh => incorrect_standard_fedora.fail.sh} (79%)
-
-diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/tests/commented_standard.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/tests/commented_standard_fedora.fail.sh
-similarity index 79%
-rename from linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/tests/commented_standard.fail.sh
-rename to linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/tests/commented_standard_fedora.fail.sh
-index 84301cc031..0add08ec19 100644
---- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/tests/commented_standard.fail.sh
-+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/tests/commented_standard_fedora.fail.sh
-@@ -1,5 +1,6 @@
- #!/bin/bash
- # profiles = xccdf_org.ssgproject.content_profile_standard
-+# platform = multi_platform_fedora
- 
- rm -f /etc/login.defs
- echo '#PASS_MAX_DAYS 90' > /etc/login.defs
-diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/tests/correct_standard.pass.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/tests/correct_standard_fedora.pass.sh
-similarity index 79%
-rename from linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/tests/correct_standard.pass.sh
-rename to linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/tests/correct_standard_fedora.pass.sh
-index 989cf596d6..7fd75139c8 100644
---- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/tests/correct_standard.pass.sh
-+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/tests/correct_standard_fedora.pass.sh
-@@ -1,5 +1,6 @@
- #!/bin/bash
- # profiles = xccdf_org.ssgproject.content_profile_standard
-+# platform = multi_platform_fedora
- 
- rm -f /etc/login.defs
- echo "PASS_MAX_DAYS    90" > /etc/login.defs
-diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/tests/incorrect_standard.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/tests/incorrect_standard_fedora.fail.sh
-similarity index 79%
-rename from linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/tests/incorrect_standard.fail.sh
-rename to linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/tests/incorrect_standard_fedora.fail.sh
-index 4556ef09d5..b4f647c324 100644
---- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/tests/incorrect_standard.fail.sh
-+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/tests/incorrect_standard_fedora.fail.sh
-@@ -1,5 +1,6 @@
- #!/bin/bash
- # profiles = xccdf_org.ssgproject.content_profile_standard
-+# platform = multi_platform_fedora
- 
- rm -f /etc/login.defs
- echo "PASS_MAX_DAYS 120" > /etc/login.defs
diff --git a/SOURCES/scap-security-guide-0.1.53-update_severity_fail_delay-PR_6040.patch b/SOURCES/scap-security-guide-0.1.53-update_severity_fail_delay-PR_6040.patch
deleted file mode 100644
index 014fb16..0000000
--- a/SOURCES/scap-security-guide-0.1.53-update_severity_fail_delay-PR_6040.patch
+++ /dev/null
@@ -1,101 +0,0 @@
-From d907acba7aba3676001e0849a2608b95b14b1363 Mon Sep 17 00:00:00 2001
-From: Vojtech Polasek <vpolasek@redhat.com>
-Date: Thu, 3 Sep 2020 16:37:24 +0200
-Subject: [PATCH 1/2] update severity, fix ocil
-
----
- .../accounts-session/accounts_logon_fail_delay/rule.yml       | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/rule.yml
-index 2888cb365a..9a359b22c5 100644
---- a/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/rule.yml
-+++ b/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/rule.yml
-@@ -11,7 +11,7 @@ rationale: |-
-     Increasing the time between a failed authentication attempt and re-prompting to
-     enter credentials helps to slow a single-threaded brute force attack.
- 
--severity: low
-+severity: medium
- 
- identifiers:
-     cce@rhel7: CCE-80352-8
-@@ -37,6 +37,6 @@ ocil: |-
-     <pre>$ sudo grep -i "FAIL_DELAY" /etc/login.defs</pre>
-     All output must show the value of <tt>FAIL_DELAY</tt> set as shown in the below:
-     <pre>$ sudo grep -i "FAIL_DELAY" /etc/login.defs
--    fail_delay <sub idref="var_accounts_fail_delay" /></pre>
-+    FAIL_DELAY <sub idref="var_accounts_fail_delay" /></pre>
- 
- platform: login_defs
-
-From 633f4f12413d27467f63f0676887018c0d147024 Mon Sep 17 00:00:00 2001
-From: Vojtech Polasek <vpolasek@redhat.com>
-Date: Thu, 3 Sep 2020 16:38:19 +0200
-Subject: [PATCH 2/2] add tests
-
----
- .../accounts_logon_fail_delay/tests/correct.pass.sh       | 8 ++++++++
- .../accounts_logon_fail_delay/tests/missing.fail.sh       | 6 ++++++
- .../accounts_logon_fail_delay/tests/stricter.pass.sh      | 8 ++++++++
- .../accounts_logon_fail_delay/tests/wrong.fail.sh         | 8 ++++++++
- 4 files changed, 30 insertions(+)
- create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/tests/correct.pass.sh
- create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/tests/missing.fail.sh
- create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/tests/stricter.pass.sh
- create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/tests/wrong.fail.sh
-
-diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/tests/correct.pass.sh b/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/tests/correct.pass.sh
-new file mode 100644
-index 0000000000..147f350247
---- /dev/null
-+++ b/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/tests/correct.pass.sh
-@@ -0,0 +1,8 @@
-+#!/bin/bash
-+# profiles = xccdf_org.ssgproject.content_profile_stig
-+
-+if grep -q 'FAIL_DELAY' /etc/login.defs; then
-+	sed -i 's/^.*FAIL_DELAY.*/FAIL_DELAY 4/' /etc/login.defs
-+else
-+	echo 'FAIL_DELAY 4' >> /etc/login.defs
-+fi
-diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/tests/missing.fail.sh b/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/tests/missing.fail.sh
-new file mode 100644
-index 0000000000..c9d31494b4
---- /dev/null
-+++ b/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/tests/missing.fail.sh
-@@ -0,0 +1,6 @@
-+#!/bin/bash
-+# profiles = xccdf_org.ssgproject.content_profile_stig
-+
-+if grep -q 'FAIL_DELAY' /etc/login.defs; then
-+	sed -i '/^.*FAIL_DELAY.*/d' /etc/login.defs
-+fi
-diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/tests/stricter.pass.sh b/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/tests/stricter.pass.sh
-new file mode 100644
-index 0000000000..6154484445
---- /dev/null
-+++ b/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/tests/stricter.pass.sh
-@@ -0,0 +1,8 @@
-+#!/bin/bash
-+# profiles = xccdf_org.ssgproject.content_profile_stig
-+
-+if grep -q 'FAIL_DELAY' /etc/login.defs; then
-+	sed -i 's/^.*FAIL_DELAY.*/FAIL_DELAY 8/' /etc/login.defs
-+else
-+	echo 'FAIL_DELAY 8' >> /etc/login.defs
-+fi
-diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/tests/wrong.fail.sh b/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/tests/wrong.fail.sh
-new file mode 100644
-index 0000000000..c1b0d600cb
---- /dev/null
-+++ b/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/tests/wrong.fail.sh
-@@ -0,0 +1,8 @@
-+#!/bin/bash
-+# profiles = xccdf_org.ssgproject.content_profile_stig
-+
-+if grep -q 'FAIL_DELAY' /etc/login.defs; then
-+	sed -i 's/^.*FAIL_DELAY.*/FAIL_DELAY 1/' /etc/login.defs
-+else
-+	echo 'FAIL_DELAY 1' >> /etc/login.defs
-+fi
diff --git a/SOURCES/scap-security-guide-0.1.53-update_snmpd_no_default_password-PR_6050.patch b/SOURCES/scap-security-guide-0.1.53-update_snmpd_no_default_password-PR_6050.patch
deleted file mode 100644
index 4de3123..0000000
--- a/SOURCES/scap-security-guide-0.1.53-update_snmpd_no_default_password-PR_6050.patch
+++ /dev/null
@@ -1,279 +0,0 @@
-From 5ac59fa21c10ba7d87beefaa8c26099ddd73a0c3 Mon Sep 17 00:00:00 2001
-From: Vojtech Polasek <vpolasek@redhat.com>
-Date: Fri, 4 Sep 2020 15:51:47 +0200
-Subject: [PATCH 1/6] make oval regex stricter
-
----
- .../snmpd_not_default_password/oval/shared.xml                  | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/oval/shared.xml b/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/oval/shared.xml
-index b617c7339d..1bc84e1a88 100644
---- a/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/oval/shared.xml
-+++ b/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/oval/shared.xml
-@@ -17,7 +17,7 @@
-   </ind:textfilecontent54_test>
-   <ind:textfilecontent54_object id="object_snmp_default_communities" version="1">
-     <ind:filepath>/etc/snmp/snmpd.conf</ind:filepath>
--    <ind:pattern operation="pattern match">^[\s]*(com2se|rocommunity|rwcommunity|createUser).*(public|private)</ind:pattern>
-+    <ind:pattern operation="pattern match">^((?!#).)*(public|private).*</ind:pattern>
-     <ind:instance datatype="int">1</ind:instance>
-   </ind:textfilecontent54_object>
- </def-group>
-
-From 481cce33f5b148071e36d07a75291f5d39a8c02a Mon Sep 17 00:00:00 2001
-From: Vojtech Polasek <vpolasek@redhat.com>
-Date: Fri, 4 Sep 2020 15:52:07 +0200
-Subject: [PATCH 2/6] add tests
-
----
- .../snmpd_not_default_password/tests/both.fail.sh          | 6 ++++++
- .../snmpd_not_default_password/tests/commented.pass.sh     | 7 +++++++
- .../snmpd_not_default_password/tests/correct.pass.sh       | 6 ++++++
- .../snmpd_not_default_password/tests/private.fail.sh       | 5 +++++
- .../snmpd_not_default_password/tests/public.fail.sh        | 6 ++++++
- 5 files changed, 30 insertions(+)
- create mode 100644 linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/tests/both.fail.sh
- create mode 100644 linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/tests/commented.pass.sh
- create mode 100644 linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/tests/correct.pass.sh
- create mode 100644 linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/tests/private.fail.sh
- create mode 100644 linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/tests/public.fail.sh
-
-diff --git a/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/tests/both.fail.sh b/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/tests/both.fail.sh
-new file mode 100644
-index 0000000000..5b8efa3c75
---- /dev/null
-+++ b/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/tests/both.fail.sh
-@@ -0,0 +1,6 @@
-+#!/bin/bash
-+
-+yum -y install net-snmp
-+
-+echo "something public" >> /etc/snmp/snmpd.conf
-+echo "something private" >> /etc/snmp/snmpd.conf
-diff --git a/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/tests/commented.pass.sh b/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/tests/commented.pass.sh
-new file mode 100644
-index 0000000000..410d00f5a1
---- /dev/null
-+++ b/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/tests/commented.pass.sh
-@@ -0,0 +1,7 @@
-+#!/bin/bash
-+
-+yum -y install net-snmp
-+
-+sed -i '/.*public.*/d' /etc/snmp/snmpd.conf
-+sed -i '/.*private.*/d' /etc/snmp/snmpd.conf
-+echo '# public' >> /etc/snmp/snmpd.conf
-diff --git a/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/tests/correct.pass.sh b/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/tests/correct.pass.sh
-new file mode 100644
-index 0000000000..355cc8b71d
---- /dev/null
-+++ b/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/tests/correct.pass.sh
-@@ -0,0 +1,6 @@
-+#!/bin/bash
-+
-+yum -y install net-snmp
-+
-+sed -i '/.*public.*/d' /etc/snmp/snmpd.conf
-+sed -i '/.*private.*/d' /etc/snmp/snmpd.conf
-diff --git a/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/tests/private.fail.sh b/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/tests/private.fail.sh
-new file mode 100644
-index 0000000000..c6bcf9b401
---- /dev/null
-+++ b/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/tests/private.fail.sh
-@@ -0,0 +1,5 @@
-+#!/bin/bash
-+
-+yum -y install net-snmp
-+
-+echo "something private" >> /etc/snmp/snmpd.conf
-diff --git a/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/tests/public.fail.sh b/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/tests/public.fail.sh
-new file mode 100644
-index 0000000000..43022ba28c
---- /dev/null
-+++ b/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/tests/public.fail.sh
-@@ -0,0 +1,6 @@
-+#!/bin/bash
-+
-+yum -y install net-snmp
-+
-+echo "something public" >> /etc/snmp/snmpd.conf
-+
-
-From 9ad3734aa2c6a40fc8a6881d361e420faaaa1117 Mon Sep 17 00:00:00 2001
-From: Vojtech Polasek <vpolasek@redhat.com>
-Date: Wed, 9 Sep 2020 11:19:46 +0200
-Subject: [PATCH 3/6] add variables
-
----
- .../snmpd_not_default_password/bash/shared.sh      |  5 -----
- .../snmpd_not_default_password/rule.yml            |  1 +
- .../snmp_configure_server/var_snmpd_ro_string.var  | 14 ++++++++++++++
- .../snmp_configure_server/var_snmpd_rw_string.var  | 14 ++++++++++++++
- 4 files changed, 29 insertions(+), 5 deletions(-)
- delete mode 100644 linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/bash/shared.sh
- create mode 100644 linux_os/guide/services/snmp/snmp_configure_server/var_snmpd_ro_string.var
- create mode 100644 linux_os/guide/services/snmp/snmp_configure_server/var_snmpd_rw_string.var
-
-diff --git a/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/bash/shared.sh b/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/bash/shared.sh
-deleted file mode 100644
-index 4d5bc82282..0000000000
---- a/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/bash/shared.sh
-+++ /dev/null
-@@ -1,5 +0,0 @@
--# platform = multi_platform_wrlinux,Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,multi_platform_ol
--
--if grep -s "public\|private" /etc/snmp/snmpd.conf | grep -qv "^#"; then
--	sed -i "/^\s*#/b;/public\|private/ s/^/#/" /etc/snmp/snmpd.conf
--fi
-diff --git a/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/rule.yml b/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/rule.yml
-index 648f45caa2..72d2495713 100644
---- a/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/rule.yml
-+++ b/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/rule.yml
-@@ -7,6 +7,7 @@ title: 'Ensure Default SNMP Password Is Not Used'
- description: |-
-     Edit <tt>/etc/snmp/snmpd.conf</tt>, remove or change the default community strings of
-     <tt>public</tt> and <tt>private</tt>.
-+    This profile configures new read-only community string to <tt>{{{ sub_var_value("var_snmpd_ro_string") }}}</tt> and read-write community string to <tt>{{{ sub_var_value("var_snmpd_rw_string") }}}</tt>.
-     Once the default community strings have been changed, restart the SNMP service:
-     <pre>$ sudo service snmpd restart</pre>
- 
-diff --git a/linux_os/guide/services/snmp/snmp_configure_server/var_snmpd_ro_string.var b/linux_os/guide/services/snmp/snmp_configure_server/var_snmpd_ro_string.var
-new file mode 100644
-index 0000000000..ac755d154f
---- /dev/null
-+++ b/linux_os/guide/services/snmp/snmp_configure_server/var_snmpd_ro_string.var
-@@ -0,0 +1,14 @@
-+documentation_complete: true
-+
-+title: 'SNMP read-only community string'
-+
-+description: "Specify the SNMP community string used for read-only access."
-+
-+type: string
-+
-+operator: equals
-+
-+interactive: true
-+
-+options:
-+    default: changemero
-diff --git a/linux_os/guide/services/snmp/snmp_configure_server/var_snmpd_rw_string.var b/linux_os/guide/services/snmp/snmp_configure_server/var_snmpd_rw_string.var
-new file mode 100644
-index 0000000000..7d2016a4dd
---- /dev/null
-+++ b/linux_os/guide/services/snmp/snmp_configure_server/var_snmpd_rw_string.var
-@@ -0,0 +1,14 @@
-+documentation_complete: true
-+
-+title: 'SNMP read-write community string'
-+
-+description: "Specify the SNMP community string used for read-write access."
-+
-+type: string
-+
-+operator: equals
-+
-+interactive: true
-+
-+options:
-+    default: changemerw
-
-From c2f193a43373900d65da6134325a8916a734c659 Mon Sep 17 00:00:00 2001
-From: Vojtech Polasek <vpolasek@redhat.com>
-Date: Wed, 9 Sep 2020 18:03:31 +0200
-Subject: [PATCH 4/6] add bash remediation
-
----
- .../snmpd_not_default_password/bash/shared.sh    | 16 ++++++++++++++++
- 1 file changed, 16 insertions(+)
- create mode 100644 linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/bash/shared.sh
-
-diff --git a/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/bash/shared.sh b/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/bash/shared.sh
-new file mode 100644
-index 0000000000..1b0474c07c
---- /dev/null
-+++ b/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/bash/shared.sh
-@@ -0,0 +1,16 @@
-+#!/bin/bash
-+# platform = debian 10,debian 9,multi_platform_fedora,Oracle Linux 7,Oracle Linux 8,Red Hat Enterprise Linux 6,Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,WRLinux 1019
-+
-+. /usr/share/scap-security-guide/remediation_functions
-+
-+{{{ bash_instantiate_variables("var_snmpd_ro_string", "var_snmpd_rw_string") }}}
-+
-+# remediate read-only community string
-+if grep -q 'public' /etc/snmp/snmpd.conf; then
-+    sed -i "s/public/$var_snmpd_ro_string/" /etc/snmp/snmpd.conf
-+fi
-+
-+# remediate read-write community string
-+if grep -q 'private' /etc/snmp/snmpd.conf; then
-+    sed -i "s/private/$var_snmpd_rw_string/" /etc/snmp/snmpd.conf
-+fi
-
-From 967f9eedd0dfac92d85c62231c13894964fafb5d Mon Sep 17 00:00:00 2001
-From: Vojtech Polasek <vpolasek@redhat.com>
-Date: Fri, 11 Sep 2020 10:23:52 +0200
-Subject: [PATCH 5/6] add ansible remediation
-
----
- .../ansible/shared.yml                        | 21 +++++++++++++++++++
- 1 file changed, 21 insertions(+)
- create mode 100644 linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/ansible/shared.yml
-
-diff --git a/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/ansible/shared.yml b/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/ansible/shared.yml
-new file mode 100644
-index 0000000000..33062169cd
---- /dev/null
-+++ b/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/ansible/shared.yml
-@@ -0,0 +1,21 @@
-+# platform = debian 10,debian 9,multi_platform_fedora,Oracle Linux 7,Oracle Linux 8,Red Hat Enterprise Linux 6,Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,WRLinux 1019
-+# reboot = false
-+# strategy = configure
-+# complexity = low
-+# disruption = medium
-+
-+{{{ ansible_instantiate_variables("var_snmpd_ro_string", "var_snmpd_rw_string") }}}
-+
-+- name: "Replace all instances of SNMP RO strings"
-+  replace:
-+    path: "/etc/snmp/snmpd.conf"
-+    #regexp: '^[#](.*)public(.*)$'
-+    regexp: 'public'
-+    replace: '{{ var_snmpd_ro_string }}'
-+
-+- name: "Replace all instances of SNMP RW strings"
-+  replace:
-+    path: "/etc/snmp/snmpd.conf"
-+    #regexp: '^[#](.*)private(.*)$'
-+    regexp: 'private'
-+    replace: '{{ var_snmpd_rw_string }}'
-
-From 946e540dadaf43eadb43479cc6328ee503e5d981 Mon Sep 17 00:00:00 2001
-From: Vojtech Polasek <vpolasek@redhat.com>
-Date: Mon, 14 Sep 2020 07:30:56 +0200
-Subject: [PATCH 6/6] remove forgotten commented lines
-
----
- .../snmpd_not_default_password/ansible/shared.yml               | 2 --
- 1 file changed, 2 deletions(-)
-
-diff --git a/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/ansible/shared.yml b/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/ansible/shared.yml
-index 33062169cd..d92c0a17da 100644
---- a/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/ansible/shared.yml
-+++ b/linux_os/guide/services/snmp/snmp_configure_server/snmpd_not_default_password/ansible/shared.yml
-@@ -9,13 +9,11 @@
- - name: "Replace all instances of SNMP RO strings"
-   replace:
-     path: "/etc/snmp/snmpd.conf"
--    #regexp: '^[#](.*)public(.*)$'
-     regexp: 'public'
-     replace: '{{ var_snmpd_ro_string }}'
- 
- - name: "Replace all instances of SNMP RW strings"
-   replace:
-     path: "/etc/snmp/snmpd.conf"
--    #regexp: '^[#](.*)private(.*)$'
-     regexp: 'private'
-     replace: '{{ var_snmpd_rw_string }}'
diff --git a/SOURCES/scap-security-guide-0.1.53-update_srgs_smartcart_cert_checking-PR_6073.patch b/SOURCES/scap-security-guide-0.1.53-update_srgs_smartcart_cert_checking-PR_6073.patch
deleted file mode 100644
index cf4702c..0000000
--- a/SOURCES/scap-security-guide-0.1.53-update_srgs_smartcart_cert_checking-PR_6073.patch
+++ /dev/null
@@ -1,22 +0,0 @@
-From 1d3a9f62ca953523423e5a374adf23f00ee016d1 Mon Sep 17 00:00:00 2001
-From: Vojtech Polasek <vpolasek@redhat.com>
-Date: Fri, 11 Sep 2020 14:36:10 +0200
-Subject: [PATCH] change wrong srg
-
----
- .../smart_card_login/smartcard_configure_cert_checking/rule.yml | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_configure_cert_checking/rule.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_configure_cert_checking/rule.yml
-index 199721051a..1088282c27 100644
---- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_configure_cert_checking/rule.yml
-+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_configure_cert_checking/rule.yml
-@@ -31,7 +31,7 @@ identifiers:
- references:
-     stigid@ol7: OL07-00-041003
-     disa: CCI-001948,CCI-001953,CCI-001954
--    srg: SRG-OS-000375-GPOS-00160,SRG-OS-000375-GPOS-00161,SRG-OS-000377-GPOS-00162,SRG-OS-000384-GPOS-00167
-+    srg: SRG-OS-000375-GPOS-00160,SRG-OS-000376-GPOS-00161,SRG-OS-000377-GPOS-00162,SRG-OS-000384-GPOS-00167
-     stigid@rhel7: RHEL-07-041003
- 
- ocil_clause: 'ocsp_on is not configured'
diff --git a/SOURCES/scap-security-guide-0.1.53-update_stig_RHEL_07_010310-PR_6084.patch b/SOURCES/scap-security-guide-0.1.53-update_stig_RHEL_07_010310-PR_6084.patch
deleted file mode 100644
index d3a17ac..0000000
--- a/SOURCES/scap-security-guide-0.1.53-update_stig_RHEL_07_010310-PR_6084.patch
+++ /dev/null
@@ -1,44 +0,0 @@
-From 48d106a9a876b376b53cf28c896c6af74913f6f7 Mon Sep 17 00:00:00 2001
-From: Gabriel Becker <ggasparb@redhat.com>
-Date: Tue, 15 Sep 2020 17:10:02 +0200
-Subject: [PATCH] Update text of rule account_disable_post_pw_expiration.
-
-Remove hardcoded recommended value and make it more generic to be more
-aligned with RHEL7 STIG. The current text is from RHEL6 STIG.
----
- .../rule.yml                                  | 21 +++++++------------
- 1 file changed, 8 insertions(+), 13 deletions(-)
-
-diff --git a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_disable_post_pw_expiration/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_disable_post_pw_expiration/rule.yml
-index cfa59edd38..f92b6079c9 100644
---- a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_disable_post_pw_expiration/rule.yml
-+++ b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_disable_post_pw_expiration/rule.yml
-@@ -7,20 +7,15 @@ title: 'Set Account Expiration Following Inactivity'
- description: |-
-     To specify the number of days after a password expires (which
-     signifies inactivity) until an account is permanently disabled, add or correct
--    the following lines in <tt>/etc/default/useradd</tt>, substituting
--    <tt><i>NUM_DAYS</i></tt> appropriately:
-+    the following line in <tt>/etc/default/useradd</tt>:
-     <pre>INACTIVE=<i>{{{ xccdf_value("var_account_disable_post_pw_expiration") }}}</i></pre>
--    A value of 35 is recommended; however, this profile expects that the value is set to
--    <tt>{{{ xccdf_value("var_account_disable_post_pw_expiration") }}}</tt>.
--    If a password is currently on the
--    verge of expiration, then 35 days remain until the account is automatically
--    disabled. However, if the password will not expire for another 60 days, then 95
--    days could elapse until the account would be automatically disabled. See the
--    <tt>useradd</tt> man page for more information.  Determining the inactivity
--    timeout must be done with careful consideration of the length of a "normal"
--    period of inactivity for users in the particular environment. Setting
--    the timeout too low incurs support costs and also has the potential to impact
--    availability of the system to legitimate users.
-+    If a password is currently on the verge of expiration, then
-+    <tt>{{{ xccdf_value("var_account_disable_post_pw_expiration") }}}</tt>
-+    day(s) remain(s) until the account is automatically
-+    disabled. However, if the password will not expire for another 60 days, then 60
-+    days plus <tt>{{{ xccdf_value("var_account_disable_post_pw_expiration") }}}</tt> day(s) could
-+    elapse until the account would be automatically disabled. See the
-+    <tt>useradd</tt> man page for more information.
- 
- rationale: |-
-     Disabling inactive accounts ensures that accounts which may not
diff --git a/SOURCES/scap-security-guide-0.1.53-update_stig_RHEL_07_010320_2-PR_6067.patch b/SOURCES/scap-security-guide-0.1.53-update_stig_RHEL_07_010320_2-PR_6067.patch
deleted file mode 100644
index 56a31a7..0000000
--- a/SOURCES/scap-security-guide-0.1.53-update_stig_RHEL_07_010320_2-PR_6067.patch
+++ /dev/null
@@ -1,153 +0,0 @@
-From d6a5542e3a86fe7206546aff431ace2823091ae3 Mon Sep 17 00:00:00 2001
-From: Gabriel Becker <ggasparb@redhat.com>
-Date: Wed, 9 Sep 2020 16:33:13 +0200
-Subject: [PATCH] Set a lower bound value for
- accounts_passwords_pam_faillock_deny check.
-
----
- .../oval/shared.xml                           | 36 ++++++++++++-------
- .../tests/pam_config_deny_zero                | 26 ++++++++++++++
- .../tests/remediable_deny_zero.fail.sh        |  6 ++++
- 3 files changed, 55 insertions(+), 13 deletions(-)
- create mode 100644 linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/pam_config_deny_zero
- create mode 100644 linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/remediable_deny_zero.fail.sh
-
-diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/oval/shared.xml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/oval/shared.xml
-index db91fa97c6..8fdd7fb3d3 100644
---- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/oval/shared.xml
-+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/oval/shared.xml
-@@ -45,9 +45,10 @@
-   <!-- step 1 and 3 test -->
-   <ind:textfilecontent54_test id="test_accounts_passwords_pam_faillock_numeric_default_check_system-auth"
-   check="all" check_existence="all_exist"
--  comment="Checks if pam_faillock authfail is hit even if pam_unix skips lines by defaulting, and also authfail deny value" version="1">
-+  comment="Checks if pam_faillock authfail is hit even if pam_unix skips lines by defaulting, and also authfail deny value" version="2">
-     <ind:object object_ref="object_accounts_passwords_pam_faillock_when_lines_skipped_system-auth" />
--    <ind:state state_ref="state_var_accounts_passwords_pam_faillock_deny_value" />
-+    <ind:state state_ref="state_var_accounts_passwords_pam_faillock_deny_value_upper_bound" />
-+    <ind:state state_ref="state_var_accounts_passwords_pam_faillock_deny_value_lower_bound" />
-   </ind:textfilecontent54_test>
- 
-   <!-- step 1 and 4 object -->
-@@ -78,9 +79,10 @@
-   <!-- step 1 and 3 test -->
-   <ind:textfilecontent54_test id="test_accounts_passwords_pam_faillock_numeric_default_check_password-auth"
-   check="all" check_existence="all_exist"
--  comment="Checks if pam_faillock authfail is hit even if pam_unix skips lines by defaulting, and also authfail deny value" version="1">
-+  comment="Checks if pam_faillock authfail is hit even if pam_unix skips lines by defaulting, and also authfail deny value" version="2">
-     <ind:object object_ref="object_accounts_passwords_pam_faillock_when_lines_skipped_password-auth" />
--    <ind:state state_ref="state_var_accounts_passwords_pam_faillock_deny_value" />
-+    <ind:state state_ref="state_var_accounts_passwords_pam_faillock_deny_value_upper_bound" />
-+    <ind:state state_ref="state_var_accounts_passwords_pam_faillock_deny_value_lower_bound" />
-   </ind:textfilecontent54_test>
- 
-   <!-- step 1 and 4 object -->
-@@ -113,17 +115,22 @@
-   <external_variable id="var_accounts_passwords_pam_faillock_deny" datatype="int"
-   comment="number of failed login attempts allowed" version="1" />
- 
--  <ind:textfilecontent54_state id="state_var_accounts_passwords_pam_faillock_deny_value" version="1">
-+  <ind:textfilecontent54_state id="state_var_accounts_passwords_pam_faillock_deny_value_upper_bound" version="1">
-     <ind:subexpression datatype="int" operation="less than or equal" var_ref="var_accounts_passwords_pam_faillock_deny" />
-   </ind:textfilecontent54_state>
- 
-+  <ind:textfilecontent54_state id="state_var_accounts_passwords_pam_faillock_deny_value_lower_bound" version="1">
-+    <ind:subexpression datatype="int" operation="greater than">0</ind:subexpression>
-+  </ind:textfilecontent54_state>
-+
-   <!-- Check for preauth silent in /etc/pam.d/system-auth -->
-   <!-- Also check the 'deny' option value matches the number of failed login attempts allowed -->
-   <ind:textfilecontent54_test id="test_accounts_passwords_pam_faillock_preauth_silent_system-auth"
-   check="all" check_existence="all_exist"
--  comment="Check pam_faillock.so preauth silent present, with correct deny value, and is followed by pam_unix." version="1">
-+  comment="Check pam_faillock.so preauth silent present, with correct deny value, and is followed by pam_unix." version="2">
-     <ind:object object_ref="object_accounts_passwords_pam_faillock_preauth_silent_system-auth" />
--    <ind:state state_ref="state_var_accounts_passwords_pam_faillock_deny_value" />
-+    <ind:state state_ref="state_var_accounts_passwords_pam_faillock_deny_value_upper_bound" />
-+    <ind:state state_ref="state_var_accounts_passwords_pam_faillock_deny_value_lower_bound" />
-   </ind:textfilecontent54_test>
- 
-   <ind:textfilecontent54_object id="object_accounts_passwords_pam_faillock_preauth_silent_system-auth" version="1">
-@@ -138,9 +145,10 @@
-   <!-- Check for authfail deny in /etc/pam.d/system-auth -->
-   <ind:textfilecontent54_test id="test_accounts_passwords_pam_faillock_authfail_deny_system-auth"
-   check="all" check_existence="all_exist"
--  comment="Check control values of pam_unix, that it is followed by pam_faillock.so authfail and deny value of pam_faillock.so authfail" version="1">
-+  comment="Check control values of pam_unix, that it is followed by pam_faillock.so authfail and deny value of pam_faillock.so authfail" version="2">
-     <ind:object object_ref="object_accounts_passwords_pam_faillock_authfail_deny_system-auth" />
--    <ind:state state_ref="state_var_accounts_passwords_pam_faillock_deny_value" />
-+    <ind:state state_ref="state_var_accounts_passwords_pam_faillock_deny_value_upper_bound" />
-+    <ind:state state_ref="state_var_accounts_passwords_pam_faillock_deny_value_lower_bound" />
-   </ind:textfilecontent54_test>
- 
-   <ind:textfilecontent54_object id="object_accounts_passwords_pam_faillock_authfail_deny_system-auth" version="1">
-@@ -170,9 +178,10 @@
-   <!-- Also check the 'deny' option value matches the number of failed login attempts allowed -->
-   <ind:textfilecontent54_test id="test_accounts_passwords_pam_faillock_preauth_silent_password-auth"
-   check="all" check_existence="all_exist"
--  comment="Check pam_faillock.so preauth silent present in /etc/pam.d/password-auth, has correct deny value, and is followed by pam_unix" version="1">
-+  comment="Check pam_faillock.so preauth silent present in /etc/pam.d/password-auth, has correct deny value, and is followed by pam_unix" version="2">
-     <ind:object object_ref="object_accounts_passwords_pam_faillock_preauth_silent_password-auth" />
--    <ind:state state_ref="state_var_accounts_passwords_pam_faillock_deny_value" />
-+    <ind:state state_ref="state_var_accounts_passwords_pam_faillock_deny_value_upper_bound" />
-+    <ind:state state_ref="state_var_accounts_passwords_pam_faillock_deny_value_lower_bound" />
-   </ind:textfilecontent54_test>
- 
-   <ind:textfilecontent54_object id="object_accounts_passwords_pam_faillock_preauth_silent_password-auth" version="1">
-@@ -187,9 +196,10 @@
-   <!-- Check for authfail deny in /etc/pam.d/password-auth -->
-   <ind:textfilecontent54_test id="test_accounts_passwords_pam_faillock_authfail_deny_password-auth"
-   check="all" check_existence="all_exist"
--  comment="Check pam_faillock authfail is present after pam_unix, check pam_unix has proper control values, and authfail deny value is correct." version="1">
-+  comment="Check pam_faillock authfail is present after pam_unix, check pam_unix has proper control values, and authfail deny value is correct." version="2">
-     <ind:object object_ref="object_accounts_passwords_pam_faillock_authfail_deny_password-auth" />
--    <ind:state state_ref="state_var_accounts_passwords_pam_faillock_deny_value" />
-+    <ind:state state_ref="state_var_accounts_passwords_pam_faillock_deny_value_upper_bound" />
-+    <ind:state state_ref="state_var_accounts_passwords_pam_faillock_deny_value_lower_bound" />
-   </ind:textfilecontent54_test>
- 
-   <ind:textfilecontent54_object id="object_accounts_passwords_pam_faillock_authfail_deny_password-auth" version="1">
-diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/pam_config_deny_zero b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/pam_config_deny_zero
-new file mode 100644
-index 0000000000..4f426dca55
---- /dev/null
-+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/pam_config_deny_zero
-@@ -0,0 +1,26 @@
-+# This pam config is an example of a pam_faillock and pam_unix configured correctly
-+# without skipping any module
-+
-+auth        required      pam_env.so
-+auth        required      pam_faildelay.so delay=2000000
-+auth        required      pam_faillock.so preauth silent deny=0 unlock_time=1200
-+auth        sufficient    pam_unix.so nullok try_first_pass
-+auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
-+auth        [default=die] pam_faillock.so authfail deny=0 unlock_time=1200
-+auth        required      pam_deny.so
-+
-+account     required      pam_faillock.so
-+account     required      pam_unix.so
-+account     sufficient    pam_localuser.so
-+account     sufficient    pam_succeed_if.so uid < 1000 quiet
-+account     required      pam_permit.so
-+
-+password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
-+password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
-+password    required      pam_deny.so
-+
-+session     optional      pam_keyinit.so revoke
-+session     required      pam_limits.so
-+-session     optional      pam_systemd.so
-+session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
-+session     required      pam_unix.so
-diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/remediable_deny_zero.fail.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/remediable_deny_zero.fail.sh
-new file mode 100644
-index 0000000000..b3f71fc16c
---- /dev/null
-+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/tests/remediable_deny_zero.fail.sh
-@@ -0,0 +1,6 @@
-+#!/bin/bash
-+#
-+# profiles = xccdf_org.ssgproject.content_profile_ospp
-+
-+cp pam_config_deny_zero /etc/pam.d/system-auth
-+cp pam_config_deny_zero /etc/pam.d/password-auth
diff --git a/SOURCES/scap-security-guide-0.1.53-update_stig_RHEL_07_010340-PR_6049.patch b/SOURCES/scap-security-guide-0.1.53-update_stig_RHEL_07_010340-PR_6049.patch
deleted file mode 100644
index 0f4a929..0000000
--- a/SOURCES/scap-security-guide-0.1.53-update_stig_RHEL_07_010340-PR_6049.patch
+++ /dev/null
@@ -1,233 +0,0 @@
-From d60c5a0b861625bc1184b0ed3951e9d46fc1e256 Mon Sep 17 00:00:00 2001
-From: Gabriel Becker <ggasparb@redhat.com>
-Date: Fri, 4 Sep 2020 15:21:42 +0200
-Subject: [PATCH 1/3] Add ansible remediation for sudo_remove_nopasswd.
-
-Add test scenarios for sudo_remove_nopasswd.
----
- .../sudo_remove_nopasswd/ansible/shared.yml   | 21 +++++++++++++++++++
- .../tests/correct_value.pass.sh               |  6 ++++++
- .../tests/wrong_value.fail.sh                 |  9 ++++++++
- 3 files changed, 36 insertions(+)
- create mode 100644 linux_os/guide/system/software/sudo/sudo_remove_nopasswd/ansible/shared.yml
- create mode 100644 linux_os/guide/system/software/sudo/sudo_remove_nopasswd/tests/correct_value.pass.sh
- create mode 100644 linux_os/guide/system/software/sudo/sudo_remove_nopasswd/tests/wrong_value.fail.sh
-
-diff --git a/linux_os/guide/system/software/sudo/sudo_remove_nopasswd/ansible/shared.yml b/linux_os/guide/system/software/sudo/sudo_remove_nopasswd/ansible/shared.yml
-new file mode 100644
-index 0000000000..ba0f9e78a6
---- /dev/null
-+++ b/linux_os/guide/system/software/sudo/sudo_remove_nopasswd/ansible/shared.yml
-@@ -0,0 +1,21 @@
-+# platform = multi_platform_all
-+# reboot = false
-+# strategy = restrict
-+# complexity = low
-+# disruption = low
-+
-+- name: Find /etc/sudoers.d/ files
-+  find:
-+    paths:
-+      - /etc/sudoers.d/
-+  register: sudoers
-+
-+- name: "Remove lines containing NOPASSWD from sudoers files"
-+  replace:
-+    regexp: '(^(?!#).*[\s]+NOPASSWD[\s]*\:.*$)'
-+    replace: '# \g<1>'
-+    path: "{{ item.path }}"
-+    validate: /usr/sbin/visudo -cf %s
-+  with_items:
-+    - { path: /etc/sudoers }
-+    - "{{ sudoers.files }}"
-diff --git a/linux_os/guide/system/software/sudo/sudo_remove_nopasswd/tests/correct_value.pass.sh b/linux_os/guide/system/software/sudo/sudo_remove_nopasswd/tests/correct_value.pass.sh
-new file mode 100644
-index 0000000000..3a94382235
---- /dev/null
-+++ b/linux_os/guide/system/software/sudo/sudo_remove_nopasswd/tests/correct_value.pass.sh
-@@ -0,0 +1,6 @@
-+#!/bin/bash
-+# profiles = xccdf_org.ssgproject.content_profile_stig
-+
-+rm -f /etc/sudoers
-+echo "%wheel	ALL=(ALL)	ALL" > /etc/sudoers
-+chmod 440 /etc/sudoers
-diff --git a/linux_os/guide/system/software/sudo/sudo_remove_nopasswd/tests/wrong_value.fail.sh b/linux_os/guide/system/software/sudo/sudo_remove_nopasswd/tests/wrong_value.fail.sh
-new file mode 100644
-index 0000000000..5b2eecd3be
---- /dev/null
-+++ b/linux_os/guide/system/software/sudo/sudo_remove_nopasswd/tests/wrong_value.fail.sh
-@@ -0,0 +1,9 @@
-+#!/bin/bash
-+# profiles = xccdf_org.ssgproject.content_profile_stig
-+
-+echo "%wheel        ALL=(ALL)       NOPASSWD: ALL" >> /etc/sudoers
-+chmod 440 /etc/sudoers
-+
-+mkdir /etc/sudoers.d/
-+echo "%wheel        ALL=(ALL)       NOPASSWD: ALL" >> /etc/sudoers.d/sudoers
-+chmod 440 /etc/sudoers.d/sudoers
-
-From af0f8b73f84a1bd14a69295a04dd6520c56930ba Mon Sep 17 00:00:00 2001
-From: Gabriel Becker <ggasparb@redhat.com>
-Date: Mon, 7 Sep 2020 16:25:40 +0200
-Subject: [PATCH 2/3] Add bash remediation for sudo_remove_nopasswd.
-
----
- .../sudo/sudo_remove_nopasswd/bash/shared.sh    | 17 +++++++++++++++++
- 1 file changed, 17 insertions(+)
- create mode 100644 linux_os/guide/system/software/sudo/sudo_remove_nopasswd/bash/shared.sh
-
-diff --git a/linux_os/guide/system/software/sudo/sudo_remove_nopasswd/bash/shared.sh b/linux_os/guide/system/software/sudo/sudo_remove_nopasswd/bash/shared.sh
-new file mode 100644
-index 0000000000..8c2f2f8240
---- /dev/null
-+++ b/linux_os/guide/system/software/sudo/sudo_remove_nopasswd/bash/shared.sh
-@@ -0,0 +1,17 @@
-+# platform = multi_platform_all
-+# reboot = false
-+# strategy = restrict
-+# complexity = low
-+# disruption = low
-+
-+for f in $( ls /etc/sudoers /etc/sudoers.d/* 2> /dev/null ) ; do
-+  nopasswd_list=$(grep -P '^(?!#).*[\s]+NOPASSWD[\s]*\:.*$' $f | uniq )
-+  if ! test -z "$nopasswd_list"; then 
-+    while IFS= read -r nopasswd_entry; do
-+      # comment out "NOPASSWD:" matches to preserve user data
-+      sed -i "s/^${nopasswd_entry}$/# &/g" $f
-+    done <<< "$nopasswd_list"
-+
-+    /usr/sbin/visudo -cf $f &> /dev/null || echo "Fail to validate $f with visudo"
-+  fi
-+done
-
-From e6ebab404aa415e7308f112e2ac99e8ccd821aff Mon Sep 17 00:00:00 2001
-From: Gabriel Becker <ggasparb@redhat.com>
-Date: Mon, 7 Sep 2020 17:53:53 +0200
-Subject: [PATCH 3/3] Create bash and ansible macro for sudo related rules.
-
----
- .../ansible/shared.yml                        |  7 +++++++
- .../bash/shared.sh                            |  7 +++++++
- .../tests/correct_value.pass.sh               |  6 ++++++
- .../tests/wrong_value.fail.sh                 |  9 +++++++++
- .../sudo_remove_nopasswd/ansible/shared.yml   | 16 +---------------
- .../sudo/sudo_remove_nopasswd/bash/shared.sh  | 12 +-----------
- .../ansible/shared.yml                        |  9 +++++++++
- .../bash/shared.sh                            |  9 +++++++++
- .../tests/correct_value.pass.sh               |  7 +++++++
- .../tests/wrong_value.fail.sh                 | 11 +++++++++++
- shared/macros-ansible.jinja                   | 19 +++++++++++++++++++
- shared/macros-bash.jinja                      | 14 ++++++++++++++
- 12 files changed, 100 insertions(+), 26 deletions(-)
- create mode 100644 linux_os/guide/system/software/sudo/sudo_remove_no_authenticate/ansible/shared.yml
- create mode 100644 linux_os/guide/system/software/sudo/sudo_remove_no_authenticate/bash/shared.sh
- create mode 100644 linux_os/guide/system/software/sudo/sudo_remove_no_authenticate/tests/correct_value.pass.sh
- create mode 100644 linux_os/guide/system/software/sudo/sudo_remove_no_authenticate/tests/wrong_value.fail.sh
- create mode 100644 linux_os/guide/system/software/sudo/sudo_require_authentication/ansible/shared.yml
- create mode 100644 linux_os/guide/system/software/sudo/sudo_require_authentication/bash/shared.sh
- create mode 100644 linux_os/guide/system/software/sudo/sudo_require_authentication/tests/correct_value.pass.sh
- create mode 100644 linux_os/guide/system/software/sudo/sudo_require_authentication/tests/wrong_value.fail.sh
-
-diff --git a/linux_os/guide/system/software/sudo/sudo_remove_no_authenticate/tests/correct_value.pass.sh b/linux_os/guide/system/software/sudo/sudo_remove_no_authenticate/tests/correct_value.pass.sh
-new file mode 100644
-index 0000000000..692f86a2df
---- /dev/null
-+++ b/linux_os/guide/system/software/sudo/sudo_remove_no_authenticate/tests/correct_value.pass.sh
-@@ -0,0 +1,6 @@
-+#!/bin/bash
-+# profiles = xccdf_org.ssgproject.content_profile_stig
-+
-+rm -f /etc/sudoers
-+echo "Defaults authenticate" > /etc/sudoers
-+chmod 440 /etc/sudoers
-diff --git a/linux_os/guide/system/software/sudo/sudo_remove_no_authenticate/tests/wrong_value.fail.sh b/linux_os/guide/system/software/sudo/sudo_remove_no_authenticate/tests/wrong_value.fail.sh
-new file mode 100644
-index 0000000000..2de9538865
---- /dev/null
-+++ b/linux_os/guide/system/software/sudo/sudo_remove_no_authenticate/tests/wrong_value.fail.sh
-@@ -0,0 +1,9 @@
-+#!/bin/bash
-+# profiles = xccdf_org.ssgproject.content_profile_stig
-+
-+echo "Defaults !authenticate" >> /etc/sudoers
-+chmod 440 /etc/sudoers
-+
-+mkdir /etc/sudoers.d/
-+echo "Defaults !authenticate" >> /etc/sudoers.d/sudoers
-+chmod 440 /etc/sudoers.d/sudoers
-diff --git a/linux_os/guide/system/software/sudo/sudo_remove_nopasswd/ansible/shared.yml b/linux_os/guide/system/software/sudo/sudo_remove_nopasswd/ansible/shared.yml
-index ba0f9e78a6..37937aeda7 100644
---- a/linux_os/guide/system/software/sudo/sudo_remove_nopasswd/ansible/shared.yml
-+++ b/linux_os/guide/system/software/sudo/sudo_remove_nopasswd/ansible/shared.yml
-@@ -4,18 +4,4 @@
- # complexity = low
- # disruption = low
- 
--- name: Find /etc/sudoers.d/ files
--  find:
--    paths:
--      - /etc/sudoers.d/
--  register: sudoers
--
--- name: "Remove lines containing NOPASSWD from sudoers files"
--  replace:
--    regexp: '(^(?!#).*[\s]+NOPASSWD[\s]*\:.*$)'
--    replace: '# \g<1>'
--    path: "{{ item.path }}"
--    validate: /usr/sbin/visudo -cf %s
--  with_items:
--    - { path: /etc/sudoers }
--    - "{{ sudoers.files }}"
-+{{{ ansible_sudo_remove_config("NOPASSWD", "NOPASSWD[\s]*\:") }}}
-diff --git a/linux_os/guide/system/software/sudo/sudo_remove_nopasswd/bash/shared.sh b/linux_os/guide/system/software/sudo/sudo_remove_nopasswd/bash/shared.sh
-index 8c2f2f8240..cd4f829482 100644
---- a/linux_os/guide/system/software/sudo/sudo_remove_nopasswd/bash/shared.sh
-+++ b/linux_os/guide/system/software/sudo/sudo_remove_nopasswd/bash/shared.sh
-@@ -4,14 +4,4 @@
- # complexity = low
- # disruption = low
- 
--for f in $( ls /etc/sudoers /etc/sudoers.d/* 2> /dev/null ) ; do
--  nopasswd_list=$(grep -P '^(?!#).*[\s]+NOPASSWD[\s]*\:.*$' $f | uniq )
--  if ! test -z "$nopasswd_list"; then 
--    while IFS= read -r nopasswd_entry; do
--      # comment out "NOPASSWD:" matches to preserve user data
--      sed -i "s/^${nopasswd_entry}$/# &/g" $f
--    done <<< "$nopasswd_list"
--
--    /usr/sbin/visudo -cf $f &> /dev/null || echo "Fail to validate $f with visudo"
--  fi
--done
-+{{{ bash_sudo_remove_config("NOPASSWD", "NOPASSWD[\s]*\:") }}}
-diff --git a/linux_os/guide/system/software/sudo/sudo_require_authentication/tests/correct_value.pass.sh b/linux_os/guide/system/software/sudo/sudo_require_authentication/tests/correct_value.pass.sh
-new file mode 100644
-index 0000000000..6d01825fa8
---- /dev/null
-+++ b/linux_os/guide/system/software/sudo/sudo_require_authentication/tests/correct_value.pass.sh
-@@ -0,0 +1,7 @@
-+#!/bin/bash
-+# profiles = xccdf_org.ssgproject.content_profile_e8
-+
-+rm -f /etc/sudoers
-+echo "%wheel	ALL=(ALL)	ALL" > /etc/sudoers
-+echo "Defaults authenticate" > /etc/sudoers
-+chmod 440 /etc/sudoers
-diff --git a/linux_os/guide/system/software/sudo/sudo_require_authentication/tests/wrong_value.fail.sh b/linux_os/guide/system/software/sudo/sudo_require_authentication/tests/wrong_value.fail.sh
-new file mode 100644
-index 0000000000..a2942b97e7
---- /dev/null
-+++ b/linux_os/guide/system/software/sudo/sudo_require_authentication/tests/wrong_value.fail.sh
-@@ -0,0 +1,11 @@
-+#!/bin/bash
-+# profiles = xccdf_org.ssgproject.content_profile_e8
-+
-+echo "%wheel        ALL=(ALL)       NOPASSWD: ALL" >> /etc/sudoers
-+echo "Defaults !authenticate" >> /etc/sudoers
-+chmod 440 /etc/sudoers
-+
-+mkdir /etc/sudoers.d/
-+echo "%wheel        ALL=(ALL)       !authenticate ALL" >> /etc/sudoers.d/sudoers
-+echo "Defaults !authenticate" >> /etc/sudoers.d/sudoers
-+chmod 440 /etc/sudoers.d/sudoers
diff --git a/SOURCES/scap-security-guide-0.1.53-update_stig_RHEL_07_020310-PR_6060.patch b/SOURCES/scap-security-guide-0.1.53-update_stig_RHEL_07_020310-PR_6060.patch
deleted file mode 100644
index 3dd2095..0000000
--- a/SOURCES/scap-security-guide-0.1.53-update_stig_RHEL_07_020310-PR_6060.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-From 464a9095156228c2d965344ef35b7ff3873f06b5 Mon Sep 17 00:00:00 2001
-From: Gabriel Becker <ggasparb@redhat.com>
-Date: Tue, 8 Sep 2020 14:17:50 +0200
-Subject: [PATCH] Fix bash remediation for rule accounts_no_uid_except_zero.
-
-When multiple offending accounts were found in the system, xargs
-couldn't process properly each account found.
----
- .../root_logins/accounts_no_uid_except_zero/bash/rhel6.sh     | 2 --
- .../root_logins/accounts_no_uid_except_zero/bash/shared.sh    | 4 ++--
- 2 files changed, 2 insertions(+), 4 deletions(-)
- delete mode 100644 linux_os/guide/system/accounts/accounts-restrictions/root_logins/accounts_no_uid_except_zero/bash/rhel6.sh
-
-diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/accounts_no_uid_except_zero/bash/rhel6.sh b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/accounts_no_uid_except_zero/bash/rhel6.sh
-deleted file mode 100644
-index 18d83405b1..0000000000
---- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/accounts_no_uid_except_zero/bash/rhel6.sh
-+++ /dev/null
-@@ -1,2 +0,0 @@
--# platform = Red Hat Enterprise Linux 6
--awk -F: '$3 == 0 && $1 != "root" { print $1 }' /etc/passwd | xargs passwd -l
-diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/accounts_no_uid_except_zero/bash/shared.sh b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/accounts_no_uid_except_zero/bash/shared.sh
-index 016bb43b34..496e9e10df 100644
---- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/accounts_no_uid_except_zero/bash/shared.sh
-+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/accounts_no_uid_except_zero/bash/shared.sh
-@@ -1,2 +1,2 @@
--# platform = multi_platform_wrlinux,Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,multi_platform_ol,multi_platform_rhv
--awk -F: '$3 == 0 && $1 != "root" { print $1 }' /etc/passwd | xargs passwd -l
-+# platform = multi_platform_wrlinux,Red Hat Enterprise Linux 6,Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,multi_platform_ol,multi_platform_rhv
-+awk -F: '$3 == 0 && $1 != "root" { print $1 }' /etc/passwd | xargs --max-lines=1 passwd -l
diff --git a/SOURCES/scap-security-guide-0.1.53-update_stig_RHEL_07_040000-PR_6063.patch b/SOURCES/scap-security-guide-0.1.53-update_stig_RHEL_07_040000-PR_6063.patch
deleted file mode 100644
index ef74908..0000000
--- a/SOURCES/scap-security-guide-0.1.53-update_stig_RHEL_07_040000-PR_6063.patch
+++ /dev/null
@@ -1,160 +0,0 @@
-From 8e7f586ff2c52a7a30cf55973ba8a15303dcdff1 Mon Sep 17 00:00:00 2001
-From: Gabriel Becker <ggasparb@redhat.com>
-Date: Tue, 8 Sep 2020 19:17:27 +0200
-Subject: [PATCH 1/2] Fix ansible remediation of
- accounts_max_concurrent_login_sessions.
-
-Add test scenarios.
----
- .../ansible/shared.yml                        | 27 +++++++++++++++++--
- .../tests/correct_value.pass.sh               |  2 ++
- .../tests/correct_value_2.pass.sh             |  2 ++
- .../tests/line_not_there.fail.sh              |  2 ++
- .../tests/wrong_value_1000.fail.sh            |  2 ++
- .../tests/wrong_value_1000_limits_d.fail.sh   |  3 +++
- 6 files changed, 36 insertions(+), 2 deletions(-)
- create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/tests/correct_value.pass.sh
- create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/tests/correct_value_2.pass.sh
- create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/tests/line_not_there.fail.sh
- create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/tests/wrong_value_1000.fail.sh
- create mode 100644 linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/tests/wrong_value_1000_limits_d.fail.sh
-
-diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/ansible/shared.yml
-index ed3d15331a..f901edee4d 100644
---- a/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/ansible/shared.yml
-+++ b/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/ansible/shared.yml
-@@ -3,7 +3,29 @@
- # strategy = restrict
- # complexity = low
- # disruption = low
--- (xccdf-var var_accounts_max_concurrent_login_sessions)
-+
-+{{{ ansible_instantiate_variables("var_accounts_max_concurrent_login_sessions") }}}
-+
-+- name: Find /etc/security/limits.d files contains maxlogins configuration
-+  shell: "grep -q '^[^#]*\\<maxlogins\\>' /etc/security/limits.d/*.conf"
-+  register: maxlogins
-+  failed_when: False
-+
-+- name: Find /etc/security/limits.d files contains maxlogins configuration 2
-+  find:
-+    paths:
-+      - /etc/security/limits.d
-+  register: configuration_files
-+  when: maxlogins.rc == 0
-+
-+- name: "Limit the Number of Concurrent Login Sessions Allowed Per User limits.d"
-+  replace:
-+    dest: "{{ item.path }}"
-+    regexp: "^#?\\*.*maxlogins.*"
-+    replace: "*          hard    maxlogins     {{ var_accounts_max_concurrent_login_sessions }}"
-+  with_items:
-+    - "{{ configuration_files.files }}"
-+  when: maxlogins.rc == 0
- 
- - name: "Limit the Number of Concurrent Login Sessions Allowed Per User"
-   lineinfile:
-@@ -11,5 +33,6 @@
-     dest: /etc/security/limits.conf
-     insertbefore: "^# End of file"
-     regexp: "^#?\\*.*maxlogins"
--    line: "*           hard    maxlogins     {{ var_accounts_max_concurrent_login_sessions }}"
-+    line: "*          hard    maxlogins     {{ var_accounts_max_concurrent_login_sessions }}"
-     create: yes
-+  when: maxlogins.rc != 0 # no files found on /etc/security/limits.d
-diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/tests/correct_value.pass.sh b/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/tests/correct_value.pass.sh
-new file mode 100644
-index 0000000000..0edb1e2873
---- /dev/null
-+++ b/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/tests/correct_value.pass.sh
-@@ -0,0 +1,2 @@
-+#!/bin/bash
-+echo "* hard maxlogins 1" >> /etc/security/limits.conf
-diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/tests/correct_value_2.pass.sh b/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/tests/correct_value_2.pass.sh
-new file mode 100644
-index 0000000000..a58f18abf1
---- /dev/null
-+++ b/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/tests/correct_value_2.pass.sh
-@@ -0,0 +1,2 @@
-+#!/bin/bash
-+echo "* hard maxlogins 1" >> /etc/security/limits.d/limits.conf
-diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/tests/line_not_there.fail.sh b/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/tests/line_not_there.fail.sh
-new file mode 100644
-index 0000000000..05a7907cf5
---- /dev/null
-+++ b/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/tests/line_not_there.fail.sh
-@@ -0,0 +1,2 @@
-+#!/bin/bash
-+
-diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/tests/wrong_value_1000.fail.sh b/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/tests/wrong_value_1000.fail.sh
-new file mode 100644
-index 0000000000..bbf7622d87
---- /dev/null
-+++ b/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/tests/wrong_value_1000.fail.sh
-@@ -0,0 +1,2 @@
-+#!/bin/bash
-+echo "* hard maxlogins 1000" >> /etc/security/limits.conf
-diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/tests/wrong_value_1000_limits_d.fail.sh b/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/tests/wrong_value_1000_limits_d.fail.sh
-new file mode 100644
-index 0000000000..49ed331a3e
---- /dev/null
-+++ b/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/tests/wrong_value_1000_limits_d.fail.sh
-@@ -0,0 +1,3 @@
-+#!/bin/bash
-+mkdir -p /etc/security/limits.d/
-+echo "* hard maxlogins 1000" >> /etc/security/limits.d/limits.conf
-
-From c84d31d789675ac2373bc1dec5cb218f15a06ec0 Mon Sep 17 00:00:00 2001
-From: Gabriel Becker <ggasparb@redhat.com>
-Date: Wed, 9 Sep 2020 14:05:53 +0200
-Subject: [PATCH 2/2] Use ansible find module in
- accounts_max_concurrent_login_sessions.
-
----
- .../ansible/shared.yml                        | 22 +++++++------------
- 1 file changed, 8 insertions(+), 14 deletions(-)
-
-diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/ansible/shared.yml
-index f901edee4d..9d50a9d20c 100644
---- a/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/ansible/shared.yml
-+++ b/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/ansible/shared.yml
-@@ -6,26 +6,20 @@
- 
- {{{ ansible_instantiate_variables("var_accounts_max_concurrent_login_sessions") }}}
- 
--- name: Find /etc/security/limits.d files contains maxlogins configuration
--  shell: "grep -q '^[^#]*\\<maxlogins\\>' /etc/security/limits.d/*.conf"
--  register: maxlogins
--  failed_when: False
--
--- name: Find /etc/security/limits.d files contains maxlogins configuration 2
-+- name: Find /etc/security/limits.d files containing maxlogins configuration
-   find:
--    paths:
--      - /etc/security/limits.d
--  register: configuration_files
--  when: maxlogins.rc == 0
-+    paths: "/etc/security/limits.d"
-+    contains: '^[\s]*\*[\s]+(?:(?:hard)|(?:-))[\s]+maxlogins'
-+    patterns: "*.conf"
-+  register: maxlogins
- 
--- name: "Limit the Number of Concurrent Login Sessions Allowed Per User limits.d"
-+- name: "Limit the Number of Concurrent Login Sessions Allowed Per User in files from limits.d"
-   replace:
-     dest: "{{ item.path }}"
-     regexp: "^#?\\*.*maxlogins.*"
-     replace: "*          hard    maxlogins     {{ var_accounts_max_concurrent_login_sessions }}"
-   with_items:
--    - "{{ configuration_files.files }}"
--  when: maxlogins.rc == 0
-+    - "{{ maxlogins.files }}"
- 
- - name: "Limit the Number of Concurrent Login Sessions Allowed Per User"
-   lineinfile:
-@@ -35,4 +29,4 @@
-     regexp: "^#?\\*.*maxlogins"
-     line: "*          hard    maxlogins     {{ var_accounts_max_concurrent_login_sessions }}"
-     create: yes
--  when: maxlogins.rc != 0 # no files found on /etc/security/limits.d
-+  when: maxlogins.matched == 0 # no files found on /etc/security/limits.d matching maxlogins
diff --git a/SOURCES/scap-security-guide-0.1.53-update_stig_RHEL_07_040160-PR_6085.patch b/SOURCES/scap-security-guide-0.1.53-update_stig_RHEL_07_040160-PR_6085.patch
deleted file mode 100644
index 42447bf..0000000
--- a/SOURCES/scap-security-guide-0.1.53-update_stig_RHEL_07_040160-PR_6085.patch
+++ /dev/null
@@ -1,44 +0,0 @@
-From f643b41c96c3551cdd6035f77e95c49c6f74e5ed Mon Sep 17 00:00:00 2001
-From: Gabriel Becker <ggasparb@redhat.com>
-Date: Tue, 15 Sep 2020 17:33:30 +0200
-Subject: [PATCH] Update accounts_tmout rule with regards to latest RHEL7 STIG
- revision.
-
-- Select 15 minutes as new timeout value.
-- Fix CCI and SRG identifiers.
----
- .../system/accounts/accounts-session/accounts_tmout/rule.yml  | 4 ++--
- rhel7/profiles/stig.profile                                   | 2 +-
- 2 files changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_tmout/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_tmout/rule.yml
-index eb64b12e51..ef06735283 100644
---- a/linux_os/guide/system/accounts/accounts-session/accounts_tmout/rule.yml
-+++ b/linux_os/guide/system/accounts/accounts-session/accounts_tmout/rule.yml
-@@ -26,11 +26,11 @@ identifiers:
- references:
-     stigid@ol7: OL07-00-040160
-     cui: 3.1.11
--    disa: CCI-000361,CCI-001133
-+    disa: CCI-002361,CCI-001133
-     nist: AC-12,SC-10,AC-2(5),CM-6(a)
-     nist-csf: PR.AC-7
-     ospp: FMT_MOF_EXT.1
--    srg: SRG-OS-000163-GPOS-00072
-+    srg: SRG-OS-000163-GPOS-00072,SRG-OS-000029-GPOS-00010
-     vmmsrg: SRG-OS-000163-VMM-000700,SRG-OS-000279-VMM-001010
-     stigid@rhel7: RHEL-07-040160
-     isa-62443-2013: 'SR 1.1,SR 1.10,SR 1.2,SR 1.5,SR 1.7,SR 1.8,SR 1.9'
-diff --git a/rhel7/profiles/stig.profile b/rhel7/profiles/stig.profile
-index bb4af878a7..93e14eecf6 100644
---- a/rhel7/profiles/stig.profile
-+++ b/rhel7/profiles/stig.profile
-@@ -47,7 +47,7 @@ selections:
-     - var_accounts_user_umask=077
-     - var_password_pam_retry=3
-     - var_accounts_max_concurrent_login_sessions=10
--    - var_accounts_tmout=10_min
-+    - var_accounts_tmout=15_min
-     - var_time_service_set_maxpoll=system_default
-     - sysctl_net_ipv4_conf_all_accept_source_route_value=disabled
-     - sysctl_net_ipv4_conf_default_accept_source_route_value=disabled
diff --git a/SOURCES/scap-security-guide-0.1.53-update_stig_RHEL_07_040180-PR_6032.diff b/SOURCES/scap-security-guide-0.1.53-update_stig_RHEL_07_040180-PR_6032.diff
deleted file mode 100644
index 3e8935d..0000000
--- a/SOURCES/scap-security-guide-0.1.53-update_stig_RHEL_07_040180-PR_6032.diff
+++ /dev/null
@@ -1,634 +0,0 @@
-diff --git a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca/rule.yml b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca/rule.yml
-index 9fb218a0f7..a056742417 100644
---- a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca/rule.yml
-+++ b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca/rule.yml
-@@ -42,3 +42,5 @@ ocil: |-
-     <pre>$ sudo grep ldap_tls_cacert /etc/sssd/sssd.conf</pre>
-     The output should return the following with a correctly configured CA cert path:
-     <pre>ldap_tls_cacert /path/to/tls/ca.cert</pre>
-+
-+platform: sssd-ldap
-diff --git a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/ansible/shared.yml b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/ansible/shared.yml
-index a6e8eeaad3..202fc7f444 100644
---- a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/ansible/shared.yml
-+++ b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/ansible/shared.yml
-@@ -3,39 +3,6 @@
- # strategy = unknown
- # complexity = low
- # disruption = medium
--- (xccdf-var var_sssd_ldap_tls_ca_dir)
-+{{{ ansible_instantiate_variables("var_sssd_ldap_tls_ca_dir") }}}
- 
--- name: "Test for domain group"
--  command: grep '\s*\[domain\/[^]]*]' /etc/sssd/sssd.conf
--  register: test_grep_domain
--  ignore_errors: yes
--  changed_when: False
--  check_mode: no
--
--- name: "Add default domain group and set CA directory (if no domain there)"
--  ini_file:
--    path: /etc/sssd/sssd.conf
--    section: "{{ item.section }}"
--    option: "{{ item.option }}"
--    value: "{{ item.value }}"
--    create: yes
--    mode: 0600
--  with_items:
--    - { section: sssd, option: domains, value: default}
--    - { section: domain/default, option: id_provider, value: files }
--    - { section: domain/default, option: ldap_tls_cacertdir, value: "{{ var_sssd_ldap_tls_ca_dir }}" }
--  when:
--    - test_grep_domain.stdout is defined
--    - test_grep_domain.stdout | length < 1
--
--- name: "Configure LDAPs path to CA directory"
--  ini_file:
--    path: /etc/sssd/sssd.conf
--    section: "{{ test_grep_domain.stdout | regex_replace('\\[(.*)\\]','\\1') }}"
--    option: ldap_tls_cacertdir
--    value: "{{ var_sssd_ldap_tls_ca_dir }}"
--    create: yes
--    mode: 0600
--  when:
--    - test_grep_domain.stdout is defined
--    - test_grep_domain.stdout | length > 0
-+{{{ ansible_sssd_ldap_config(parameter="ldap_tls_cacertdir", value="{{ var_sssd_ldap_tls_ca_dir }}") }}}
-diff --git a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/bash/shared.sh b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/bash/shared.sh
-index 91464ef04c..8a0d04ad78 100644
---- a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/bash/shared.sh
-+++ b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/bash/shared.sh
-@@ -2,20 +2,7 @@
- 
- # Include source function library.
- . /usr/share/scap-security-guide/remediation_functions
--populate var_sssd_ldap_tls_ca_dir
- 
--SSSD_CONF="/etc/sssd/sssd.conf"
--LDAP_REGEX='[[:space:]]*\[domain\/[^]]*]([^(\n)]*(\n)+)+?[[:space:]]*ldap_tls_cacertdir'
--DOMAIN_REGEX="[[:space:]]*\[domain\/[^]]*]"
-+{{{ bash_instantiate_variables("var_sssd_ldap_tls_ca_dir") }}}
- 
--# Try find [domain/..] and ldap_tls_cacertdir in sssd.conf, if it exists, set to CA directory
--# if it isn't here, add it, if [domain/..] doesn't exist, add it here for default domain
--if grep -qzosP $LDAP_REGEX $SSSD_CONF; then
--        sed -i "s~ldap_tls_cacertdir[^(\n)]*~ldap_tls_cacertdir = $var_sssd_ldap_tls_ca_dir~" $SSSD_CONF
--elif grep -qs $DOMAIN_REGEX $SSSD_CONF; then
--        sed -i "/$DOMAIN_REGEX/a ldap_tls_cacertdir = $var_sssd_ldap_tls_ca_dir" $SSSD_CONF
--else
--        mkdir -p /etc/sssd
--        touch $SSSD_CONF
--        echo -e "[domain/default]\nldap_tls_cacertdir = $var_sssd_ldap_tls_ca_dir" >> $SSSD_CONF
--fi
-+{{{ bash_sssd_ldap_config(parameter="ldap_tls_cacertdir", value="$var_sssd_ldap_tls_ca_dir") }}}
-diff --git a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/rule.yml b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/rule.yml
-index d554bc6f18..570aa1baf9 100644
---- a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/rule.yml
-+++ b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/rule.yml
-@@ -28,11 +28,11 @@ identifiers:
-     cce@rhel8: CCE-82456-5
- 
- references:
--    stigid@ol7: OL07-00-040190
-+    stigid@ol7: OL07-00-040200
-     disa: CCI-001453
-     nist: SC-12(3),CM-6(a)
-     srg: SRG-OS-000250-GPOS-00093
--    stigid@rhel7: RHEL-07-040190
-+    stigid@rhel7: RHEL-07-040200
- 
- ocil_clause: 'the TLS CA cert is not configured'
- 
-@@ -42,3 +42,5 @@ ocil: |-
-     <pre>$ sudo grep ldap_tls_cacertdir /etc/sssd/sssd.conf</pre>
-     The output should return the following with a correctly configured CA cert path:
-     <pre>ldap_tls_cacertdir /path/to/tls/cacert</pre>
-+
-+platform: sssd-ldap
-diff --git a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/tests/domain_not_there.fail.sh b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/tests/domain_not_there.fail.sh
-index 82e56d89a6..ebd2a37df8 100644
---- a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/tests/domain_not_there.fail.sh
-+++ b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/tests/domain_not_there.fail.sh
-@@ -4,4 +4,7 @@
- . $SHARED/setup_config_files.sh
- setup_correct_sssd_config
- 
-+yum -y install /usr/lib/systemd/system/sssd.service
-+systemctl enable sssd
-+
- sed -i '/\[domain/d' /etc/sssd/sssd.conf
-diff --git a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/tests/ldap_tls_cacertdir.pass.sh b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/tests/ldap_tls_cacertdir.pass.sh
-index 82bff74acf..99ca3f8fba 100644
---- a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/tests/ldap_tls_cacertdir.pass.sh
-+++ b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/tests/ldap_tls_cacertdir.pass.sh
-@@ -3,3 +3,6 @@
- 
- . $SHARED/setup_config_files.sh
- setup_correct_sssd_config
-+
-+yum -y install /usr/lib/systemd/system/sssd.service
-+systemctl enable sssd
-diff --git a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/tests/ldap_tls_cacertdir_bad_value.fail.sh b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/tests/ldap_tls_cacertdir_bad_value.fail.sh
-index 8e06bfae6b..5fb3609015 100644
---- a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/tests/ldap_tls_cacertdir_bad_value.fail.sh
-+++ b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/tests/ldap_tls_cacertdir_bad_value.fail.sh
-@@ -4,5 +4,8 @@
- . $SHARED/setup_config_files.sh
- setup_correct_sssd_config
- 
-+yum -y install /usr/lib/systemd/system/sssd.service
-+systemctl enable sssd
-+
- sed -i 's:\(ldap_tls_cacertdir = \).*:\1/tmp/etc/openldap/cacerts:g' /etc/sssd/sssd.conf
- 
-diff --git a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/tests/ldap_tls_cacertdir_not_absolute_path.fail.sh b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/tests/ldap_tls_cacertdir_not_absolute_path.fail.sh
-index 58b1324e09..9dd958933d 100644
---- a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/tests/ldap_tls_cacertdir_not_absolute_path.fail.sh
-+++ b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/tests/ldap_tls_cacertdir_not_absolute_path.fail.sh
-@@ -4,4 +4,7 @@
- . $SHARED/setup_config_files.sh
- setup_correct_sssd_config
- 
-+yum -y install /usr/lib/systemd/system/sssd.service
-+systemctl enable sssd
-+
- sed -i 's:\(ldap_tls_cacertdir = \)/:\1:g' /etc/sssd/sssd.conf
-diff --git a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/tests/ldap_tls_cacertdir_not_there.fail.sh b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/tests/ldap_tls_cacertdir_not_there.fail.sh
-index 38e88a1dc4..5a09eaf52f 100644
---- a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/tests/ldap_tls_cacertdir_not_there.fail.sh
-+++ b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/tests/ldap_tls_cacertdir_not_there.fail.sh
-@@ -4,4 +4,7 @@
- . $SHARED/setup_config_files.sh
- setup_correct_sssd_config
- 
-+yum -y install /usr/lib/systemd/system/sssd.service
-+systemctl enable sssd
-+
- sed -i '/ldap_tls_cacertdir/d' /etc/sssd/sssd.conf
-diff --git a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/ansible/shared.yml b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/ansible/shared.yml
-index 07f4b1ea5a..b38bc41fe3 100644
---- a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/ansible/shared.yml
-+++ b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/ansible/shared.yml
-@@ -4,44 +4,4 @@
- # complexity = low
- # disruption = medium
- 
--- name: "Set LDAP to be used for authentication"
--  lineinfile:
--    path: /etc/sysconfig/authconfig
--    regexp: '^USELDAPAUTH='
--    line: 'USELDAPAUTH=yes'
--    create: yes
--
--- name: "Test for domain group"
--  command: grep '\s*\[domain\/[^]]*]' /etc/sssd/sssd.conf
--  register: test_grep_domain
--  ignore_errors: yes
--  changed_when: False
--  check_mode: no
--
--- name: "Add default domain group and use STARTTLS (if no domain there)"
--  ini_file:
--    path: /etc/sssd/sssd.conf
--    section: "{{ item.section }}"
--    option: "{{ item.option }}"
--    value: "{{ item.value }}"
--    create: yes
--    mode: 0600
--  with_items:
--    - { section: sssd, option: domains, value: default}
--    - { section: domain/default, option: id_provider, value: files }
--    - { section: domain/default, option: ldap_id_use_start_tls, value: true}
--  when:
--    - test_grep_domain.stdout is defined
--    - test_grep_domain.stdout | length < 1
--
--- name: "Configure LDAP to use STARTTLS"
--  ini_file:
--    path: /etc/sssd/sssd.conf
--    section: "{{ test_grep_domain.stdout | regex_replace('\\[(.*)\\]','\\1') }}"
--    option: ldap_id_use_start_tls
--    value: true
--    create: yes
--    mode: 0600
--  when:
--    - test_grep_domain.stdout is defined
--    - test_grep_domain.stdout | length > 0
-+{{{ ansible_sssd_ldap_config(parameter="ldap_id_use_start_tls", value="true") }}}
-diff --git a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/bash/shared.sh b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/bash/shared.sh
-index 4b1d3d2544..805f7ad326 100644
---- a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/bash/shared.sh
-+++ b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/bash/shared.sh
-@@ -3,27 +3,5 @@
- # Include source function library.
- . /usr/share/scap-security-guide/remediation_functions
- 
--AUTHCONFIG="/etc/sysconfig/authconfig"
--USELDAPAUTH_REGEX="^USELDAPAUTH="
--SSSD_CONF="/etc/sssd/sssd.conf"
--LDAP_REGEX='[[:space:]]*\[domain\/[^]]*]([^(\n)]*(\n)+)+?[[:space:]]*ldap_id_use_start_tls'
--DOMAIN_REGEX="[[:space:]]*\[domain\/[^]]*]"
-+{{{ bash_sssd_ldap_config(parameter="ldap_id_use_start_tls", value="true") }}}
- 
--# Try find USELDAPAUTH in authconfig. If its here set to 'yes', otherwise append USELDAPAUTH=yes
--grep -qs "^USELDAPAUTH=" "$AUTHCONFIG" && sed -i 's/^USELDAPAUTH=.*/USELDAPAUTH=yes/g' $AUTHCONFIG
--if ! [ $? -eq 0 ]; then
--        echo "USELDAPAUTH=yes" >> $AUTHCONFIG
--fi
--
--# Try find [domain/..] and ldap_id_use_start_tls in sssd.conf, if it exists, set to 'True'
--# if ldap_id_use_start_tls isn't here, add it
--# if [domain/..] doesn't exist, add it here for default domain
--if grep -qzosP $LDAP_REGEX $SSSD_CONF; then
--        sed -i 's/ldap_id_use_start_tls[^(\n)]*/ldap_id_use_start_tls = True/' $SSSD_CONF
--elif grep -qs $DOMAIN_REGEX $SSSD_CONF; then
--        sed -i "/$DOMAIN_REGEX/a ldap_id_use_start_tls = True" $SSSD_CONF
--else
--        mkdir -p /etc/sssd
--        touch $SSSD_CONF
--        echo -e "[domain/default]\nldap_id_use_start_tls = True" >> $SSSD_CONF
--fi
-diff --git a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/oval/shared.xml b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/oval/shared.xml
-index a196220340..ed502062e4 100644
---- a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/oval/shared.xml
-+++ b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/oval/shared.xml
-@@ -2,40 +2,23 @@
-   <definition class="compliance" id="sssd_ldap_start_tls" version="1">
-     <metadata>
-       <title>Configure SSSD LDAP Backend to Use TLS For All Transactions</title>
--      <affected family="unix">
--        <platform>multi_platform_wrlinux</platform>
--        <platform>multi_platform_rhel</platform>
--        <platform>multi_platform_ol</platform>
--      </affected>
-+      {{{- oval_affected(products) }}}
-       <description>LDAP should be used for authentication and use STARTTLS</description>
-     </metadata>
--    <criteria operator="AND">
--      <criterion comment="Using LDAP for authentication set within /etc/sysconfig/authconfig" test_ref="test_use_ldap_authentication" />
-+    <criteria>
-       <criterion comment="LDAP uses STARTTLS set within /etc/sssd/sssd.conf" test_ref="test_use_starttls" />
-     </criteria>
-   </definition>
- 
--  <ind:textfilecontent54_test check="all" check_existence="all_exist"
--  comment="Ensures that LDAP is being used for authentication"
--  id="test_use_ldap_authentication" version="1">
--    <ind:object object_ref="object_use_ldap_authentication_authconfig" />
--  </ind:textfilecontent54_test>
--
-   <ind:textfilecontent54_test check="all" check_existence="all_exist"
-   comment="Ensures that LDAP uses STARTTLS"
-   id="test_use_starttls" version="1">
-     <ind:object object_ref="object_use_starttls_sssd_conf" />
-   </ind:textfilecontent54_test>
- 
--  <ind:textfilecontent54_object id="object_use_ldap_authentication_authconfig" version="1">
--    <ind:filepath>/etc/sysconfig/authconfig</ind:filepath>
--    <ind:pattern operation="pattern match">^USELDAPAUTH=((?i)yes)[ ]*$</ind:pattern>
--    <ind:instance datatype="int">1</ind:instance>
--  </ind:textfilecontent54_object>
--
-   <ind:textfilecontent54_object id="object_use_starttls_sssd_conf" version="1">
-     <ind:filepath>/etc/sssd/sssd.conf</ind:filepath>
--    <ind:pattern operation="pattern match">^[\s]*\[domain\/[^]]*]([^\n\[\]]*\n+)+?[\s]*ldap_id_use_start_tls[ ]*=[ ]*((?i)true)[ ]*$</ind:pattern>
-+    <ind:pattern operation="pattern match">^[\s]*\[domain\/[^]]*]([^\n\[\]]*\n+)+?[\s]*ldap_id_use_start_tls[ \t]*=[ \t]*((?i)true)[ \t]*$</ind:pattern>
-     <ind:instance datatype="int">1</ind:instance>
-   </ind:textfilecontent54_object>
- </def-group>
-diff --git a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/rule.yml b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/rule.yml
-index b81a8b8ff5..452de1d014 100644
---- a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/rule.yml
-+++ b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/rule.yml
-@@ -5,15 +5,14 @@ prodtype: ol7,ol8,rhel7,rhel8,wrlinux1019
- title: 'Configure SSSD LDAP Backend to Use TLS For All Transactions'
- 
- description: |-
--    This check verifies that {{{ full_name }}} implements cryptography
--    to protect the integrity of remote LDAP authentication sessions.
-+    The LDAP client should be configured to implement TLS for the integrity
-+    of all remote LDAP authentication sessions. If the <tt>id_provider</tt> is
-+    set to <tt>ldap</tt> or <tt>ipa</tt> in <tt>/etc/sssd/sssd.conf</tt> or any of the
-+    <tt>/etc/sssd/sssd.conf.d</tt> configuration files, <tt>ldap_id_use_start_tls</tt>
-+    must be set to <tt>true</tt>.
-     <br /><br />
--    To determine if LDAP is being used for authentication, use the following
--    command:
--    <pre>$ sudo grep -i useldapauth /etc/sysconfig/authconfig</pre>
--    <br /><br />
--    If <tt>USELDAPAUTH=yes</tt>, then LDAP is being used. To check if LDAP is
--    configured to use TLS, use the following command:
-+    To check if LDAP is configured to use TLS when <tt>id_provider</tt> is
-+    set to <tt>ldap</tt> or <tt>ipa</tt>, use the following command:
-     <pre>$ sudo grep -i ldap_id_use_start_tls /etc/sssd/sssd.conf</pre>
- 
- rationale: |-
-@@ -41,8 +40,10 @@ references:
-     iso27001-2013: A.11.2.6,A.12.1.2,A.12.5.1,A.12.6.2,A.13.1.1,A.13.2.1,A.14.1.3,A.14.2.2,A.14.2.3,A.14.2.4,A.6.2.1,A.6.2.2,A.9.1.2
-     cis-csc: 11,12,14,15,3,8,9
- 
--ocil_clause: 'the ''ldap_id_use_start_tls'' option is not set to ''True'''
-+ocil_clause: 'the ''ldap_id_use_start_tls'' option is not set to ''true'''
- 
- ocil: |-
-     If the system is not using TLS, set the <tt>ldap_id_use_start_tls</tt> option
--    in <tt>/etc/sssd/sssd.conf</tt> to <tt>True</tt>.
-+    in <tt>/etc/sssd/sssd.conf</tt> to <tt>true</tt>.
-+
-+platform: sssd-ldap
-diff --git a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/tests/ad_id_provider_and_tls_false.notapplicable.sh b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/tests/ad_id_provider_and_tls_false.notapplicable.sh
-new file mode 100644
-index 0000000000..83ae606ece
---- /dev/null
-+++ b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/tests/ad_id_provider_and_tls_false.notapplicable.sh
-@@ -0,0 +1,11 @@
-+#!/bin/bash
-+# profiles = xccdf_org.ssgproject.content_profile_stig
-+
-+. $SHARED/setup_config_files.sh
-+setup_correct_sssd_config
-+
-+yum -y install /usr/lib/systemd/system/sssd.service
-+systemctl enable sssd
-+
-+sed -i 's/ldap_id_use_start_tls = true/ldap_id_use_start_tls = false/I' /etc/sssd/sssd.conf
-+sed -i 's/id_provider = ldap/id_provider = ad/I' /etc/sssd/sssd.conf
-diff --git a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/tests/useldapauth_not_there.fail.sh b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/tests/correct_value.pass.sh
-similarity index 50%
-rename from linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/tests/useldapauth_not_there.fail.sh
-rename to linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/tests/correct_value.pass.sh
-index 75a80d37cc..99ca3f8fba 100644
---- a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/tests/useldapauth_not_there.fail.sh
-+++ b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/tests/correct_value.pass.sh
-@@ -2,6 +2,7 @@
- # profiles = xccdf_org.ssgproject.content_profile_stig
- 
- . $SHARED/setup_config_files.sh
--setup_correct_auth_and_sssd_configs
-+setup_correct_sssd_config
- 
--sed -i '/USELDAPAUTH/d' /etc/sysconfig/authconfig
-+yum -y install /usr/lib/systemd/system/sssd.service
-+systemctl enable sssd
-diff --git a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/tests/id_provider_is_set_to_ad.notapplicable.sh b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/tests/id_provider_is_set_to_ad.notapplicable.sh
-new file mode 100644
-index 0000000000..9ec246444f
---- /dev/null
-+++ b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/tests/id_provider_is_set_to_ad.notapplicable.sh
-@@ -0,0 +1,10 @@
-+#!/bin/bash
-+# profiles = xccdf_org.ssgproject.content_profile_stig
-+
-+. $SHARED/setup_config_files.sh
-+setup_correct_sssd_config
-+
-+yum -y install /usr/lib/systemd/system/sssd.service
-+systemctl enable sssd
-+
-+sed -i 's/id_provider = ldap/id_provider = ad/I' /etc/sssd/sssd.conf
-diff --git a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/tests/ldap_id_provider_and_tls_false.fail.sh b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/tests/ldap_id_provider_and_tls_false.fail.sh
-new file mode 100644
-index 0000000000..f0942ddf74
---- /dev/null
-+++ b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/tests/ldap_id_provider_and_tls_false.fail.sh
-@@ -0,0 +1,10 @@
-+#!/bin/bash
-+# profiles = xccdf_org.ssgproject.content_profile_stig
-+
-+. $SHARED/setup_config_files.sh
-+setup_correct_sssd_config
-+
-+yum -y install /usr/lib/systemd/system/sssd.service
-+systemctl enable sssd
-+
-+sed -i 's/ldap_id_use_start_tls = true/ldap_id_use_start_tls = false/I' /etc/sssd/sssd.conf
-diff --git a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/tests/ldap_use_start_tls_false.fail.sh b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/tests/ldap_use_start_tls_false.fail.sh
-deleted file mode 100644
-index 4bbf0ad01a..0000000000
---- a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/tests/ldap_use_start_tls_false.fail.sh
-+++ /dev/null
-@@ -1,7 +0,0 @@
--#!/bin/bash
--# profiles = xccdf_org.ssgproject.content_profile_stig
--
--. $SHARED/setup_config_files.sh
--setup_correct_auth_and_sssd_configs
--
--sed -i 's/ldap_id_use_start_tls = True/ldap_id_use_start_tls = False/' /etc/sssd/sssd.conf
-diff --git a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/tests/ldap_use_start_tls_not_there.fail.sh b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/tests/ldap_use_start_tls_not_there.fail.sh
-index 0ce168ed97..3952176952 100644
---- a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/tests/ldap_use_start_tls_not_there.fail.sh
-+++ b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/tests/ldap_use_start_tls_not_there.fail.sh
-@@ -2,6 +2,9 @@
- # profiles = xccdf_org.ssgproject.content_profile_stig
- 
- . $SHARED/setup_config_files.sh
--setup_correct_auth_and_sssd_configs
-+setup_correct_sssd_config
-+
-+yum -y install /usr/lib/systemd/system/sssd.service
-+systemctl enable sssd
- 
- sed -i '/ldap_id_use_start_tls/d' /etc/sssd/sssd.conf
-diff --git a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/tests/useldapauth_and_start_tls.pass.sh b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/tests/useldapauth_and_start_tls.pass.sh
-deleted file mode 100644
-index f8ca33b8d4..0000000000
---- a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/tests/useldapauth_and_start_tls.pass.sh
-+++ /dev/null
-@@ -1,5 +0,0 @@
--#!/bin/bash
--# profiles = xccdf_org.ssgproject.content_profile_stig
--
--. $SHARED/setup_config_files.sh
--setup_correct_auth_and_sssd_configs
-diff --git a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/tests/useldapauth_no.fail.sh b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/tests/useldapauth_no.fail.sh
-deleted file mode 100644
-index 64b0c21c28..0000000000
---- a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/tests/useldapauth_no.fail.sh
-+++ /dev/null
-@@ -1,7 +0,0 @@
--#!/bin/bash
--# profiles = xccdf_org.ssgproject.content_profile_stig
--
--. $SHARED/setup_config_files.sh
--setup_correct_auth_and_sssd_configs
--
--sed -i 's/USELDAPAUTH=yes/USELDAPAUTH=no/' /etc/sysconfig/authconfig
-diff --git a/ol7/cpe/ol7-cpe-dictionary.xml b/ol7/cpe/ol7-cpe-dictionary.xml
-index 5d4691aaf6..59c5c728aa 100644
---- a/ol7/cpe/ol7-cpe-dictionary.xml
-+++ b/ol7/cpe/ol7-cpe-dictionary.xml
-@@ -76,4 +76,8 @@
-             <title xml:lang="en-us">System uses zipl</title>
-             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_zipl_package</check>
-       </cpe-item>
-+      <cpe-item name="cpe:/a:sssd-ldap">
-+            <title xml:lang="en-us">SSSD is configured to use LDAP</title>
-+            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">sssd_conf_uses_ldap</check>
-+      </cpe-item>
- </cpe-list>
-diff --git a/ol8/cpe/ol8-cpe-dictionary.xml b/ol8/cpe/ol8-cpe-dictionary.xml
-index 35167b1f70..473ba36235 100644
---- a/ol8/cpe/ol8-cpe-dictionary.xml
-+++ b/ol8/cpe/ol8-cpe-dictionary.xml
-@@ -71,4 +71,8 @@
-             <title xml:lang="en-us">System uses zipl</title>
-             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_zipl_package</check>
-       </cpe-item>
-+      <cpe-item name="cpe:/a:sssd-ldap">
-+            <title xml:lang="en-us">SSSD is configured to use LDAP</title>
-+            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">sssd_conf_uses_ldap</check>
-+      </cpe-item>
- </cpe-list>
-diff --git a/rhel7/cpe/rhel7-cpe-dictionary.xml b/rhel7/cpe/rhel7-cpe-dictionary.xml
-index bc2aa869e8..e6b88f55cd 100644
---- a/rhel7/cpe/rhel7-cpe-dictionary.xml
-+++ b/rhel7/cpe/rhel7-cpe-dictionary.xml
-@@ -106,4 +106,8 @@
-             <title xml:lang="en-us">System uses zipl</title>
-             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_zipl_package</check>
-       </cpe-item>
-+      <cpe-item name="cpe:/a:sssd-ldap">
-+            <title xml:lang="en-us">SSSD is configured to use LDAP</title>
-+            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">sssd_conf_uses_ldap</check>
-+      </cpe-item>
- </cpe-list>
-diff --git a/rhel7/profiles/stig.profile b/rhel7/profiles/stig.profile
-index 41745ea4c3..3d8647de70 100644
---- a/rhel7/profiles/stig.profile
-+++ b/rhel7/profiles/stig.profile
-@@ -235,6 +235,7 @@ selections:
-     - accounts_tmout
-     - sshd_enable_warning_banner
-     - sssd_ldap_start_tls
-+    - sssd_ldap_start_tls.severity=medium
-     - sssd_ldap_configure_tls_ca_dir
-     - sssd_ldap_configure_tls_ca
-     - sysctl_kernel_randomize_va_space
-diff --git a/rhel8/cpe/rhel8-cpe-dictionary.xml b/rhel8/cpe/rhel8-cpe-dictionary.xml
-index eab827291f..699251868d 100644
---- a/rhel8/cpe/rhel8-cpe-dictionary.xml
-+++ b/rhel8/cpe/rhel8-cpe-dictionary.xml
-@@ -76,4 +76,8 @@
-             <title xml:lang="en-us">System uses zipl</title>
-             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_zipl_package</check>
-       </cpe-item>
-+      <cpe-item name="cpe:/a:sssd-ldap">
-+            <title xml:lang="en-us">SSSD is configured to use LDAP</title>
-+            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">sssd_conf_uses_ldap</check>
-+      </cpe-item>
- </cpe-list>
-diff --git a/shared/checks/oval/sssd_conf_uses_ldap.xml b/shared/checks/oval/sssd_conf_uses_ldap.xml
-new file mode 100644
-index 0000000000..985c1bd8ef
---- /dev/null
-+++ b/shared/checks/oval/sssd_conf_uses_ldap.xml
-@@ -0,0 +1,28 @@
-+<def-group>
-+  <definition class="inventory" id="sssd_conf_uses_ldap" version="1">
-+    <metadata>
-+      <title>SSSD is configured to use LDAP</title>
-+      <affected family="unix">
-+        <platform>multi_platform_all</platform>
-+      </affected>
-+      <description>Identification provider is not set to ad within /etc/sssd/sssd.conf</description>
-+      <reference ref_id="cpe:/a:sssd-ldap" source="CPE" />
-+    </metadata>
-+    <criteria>
-+      <criterion comment="Identification provider is not set to ad within /etc/sssd/sssd.conf"
-+      test_ref="test_id_provider_is_set_to_ad" negate="true"/>
-+    </criteria>
-+  </definition>
-+
-+  <ind:textfilecontent54_test check="all" check_existence="all_exist"
-+  comment="SSSD Configuration is set to use Active Directory"
-+  id="test_id_provider_is_set_to_ad" version="1">
-+  <ind:object object_ref="object_id_provider_is_set_to_ad"/>
-+  </ind:textfilecontent54_test>
-+
-+  <ind:textfilecontent54_object id="object_id_provider_is_set_to_ad" version="1">
-+  <ind:filepath>/etc/sssd/sssd.conf</ind:filepath>
-+  <ind:pattern operation="pattern match">^[\s]*\[domain\/[^]]*]([^\n\[\]]*\n+)+?[\s]*id_provider[ \t]*=[ \t]*((?i)ad)[ \t]*$</ind:pattern>
-+  <ind:instance datatype="int">1</ind:instance>
-+  </ind:textfilecontent54_object>
-+</def-group>
-diff --git a/shared/macros-oval.jinja b/shared/macros-oval.jinja
-index ecaf14ced9..babce11aff 100644
---- a/shared/macros-oval.jinja
-+++ b/shared/macros-oval.jinja
-@@ -534,3 +534,29 @@
-         <description>{{{ description }}}</description>
-     </metadata>
- {{%- endmacro %}}
-+
-+
-+{{% macro bash_sssd_ldap_config(parameter, value) -%}}
-+SSSD_CONF="/etc/sssd/sssd.conf"
-+LDAP_REGEX='[[:space:]]*\[domain\/[^]]*]([^(\n)]*(\n)+)+?[[:space:]]*{{{ parameter }}}'
-+AD_REGEX='[[:space:]]*\[domain\/[^]]*]([^(\n)]*(\n)+)+?[[:space:]]*id_provider[[:space:]]*=[[:space:]]*((?i)ad)[[:space:]]*$'
-+DOMAIN_REGEX="[[:space:]]*\[domain\/[^]]*]"
-+
-+# Check if id_provider is not set to ad (Active Directory) which makes start_tls not applicable, note the -v option to invert the grep.
-+# Try to find [domain/..] and {{{ parameter }}} in sssd.conf, if it exists, set to '{{{ value }}}'
-+# if {{{ parameter }}} isn't here, add it
-+# if [domain/..] doesn't exist, add it here for default domain
-+if grep -qvzosP $AD_REGEX $SSSD_CONF; then
-+        if grep -qzosP $LDAP_REGEX $SSSD_CONF; then
-+                sed -i "s#{{{ parameter }}}[^(\n)]*#{{{ parameter }}} = {{{ value }}}#" $SSSD_CONF
-+        elif grep -qs $DOMAIN_REGEX $SSSD_CONF; then
-+                sed -i "/$DOMAIN_REGEX/a {{{ parameter }}} = {{{ value }}}" $SSSD_CONF
-+        else
-+                if test -f "$SSSD_CONF"; then
-+                        echo -e "[domain/default]\n{{{ parameter }}} = {{{ value }}}" >> $SSSD_CONF
-+                else
-+                        echo "Config file '$SSSD_CONF' doesnt exist, not remediating, assuming non-applicability." >&2
-+                fi        
-+        fi
-+fi
-+{{%- endmacro %}}
-diff --git a/ssg/constants.py b/ssg/constants.py
-index 3f9d7d37ce..2af2c580a2 100644
---- a/ssg/constants.py
-+++ b/ssg/constants.py
-@@ -496,6 +496,7 @@
-     "pam": "cpe:/a:pam",
-     "login_defs": "cpe:/a:login_defs",
-     "sssd": "cpe:/a:sssd",
-+    "sssd-ldap": "cpe:/a:sssd-ldap",
-     "systemd": "cpe:/a:systemd",
-     "yum": "cpe:/a:yum",
-     "zipl": "cpe:/a:zipl",
-diff --git a/tests/shared/setup_config_files.sh b/tests/shared/setup_config_files.sh
-index 957eab77cb..5bee91890f 100644
---- a/tests/shared/setup_config_files.sh
-+++ b/tests/shared/setup_config_files.sh
-@@ -1,15 +1,8 @@
- #!/bin/bash
- 
--configs_dir="$( dirname "${BASH_SOURCE[0]}" )/example-configs"
-+configs_dir="$( dirname "${BASH_SOURCE[0]}" )"
- 
- setup_correct_sssd_config() {
-     mkdir -p /etc/sssd
-     cp "$configs_dir/sssd.conf" /etc/sssd/
- }
--
--setup_correct_auth_and_sssd_configs() {
--    mkdir -p /etc/sysconfig
--    cp "$configs_dir/authconfig" /etc/sysconfig/
--
--    setup_correct_sssd_config
--}
-diff --git a/wrlinux1019/cpe/wrlinux1019-cpe-dictionary.xml b/wrlinux1019/cpe/wrlinux1019-cpe-dictionary.xml
-index ef7e803505..f32e69e118 100644
---- a/wrlinux1019/cpe/wrlinux1019-cpe-dictionary.xml
-+++ b/wrlinux1019/cpe/wrlinux1019-cpe-dictionary.xml
-@@ -75,4 +75,8 @@
-             <title xml:lang="en-us">System uses zipl</title>
-             <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_zipl_package</check>
-       </cpe-item>
-+      <cpe-item name="cpe:/a:sssd-ldap">
-+            <title xml:lang="en-us">SSSD is configured to use LDAP</title>
-+            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">sssd_conf_uses_ldap</check>
-+      </cpe-item>
- </cpe-list>
diff --git a/SOURCES/scap-security-guide-0.1.53-update_stig_RHEL_07_041001-PR_6083.diff b/SOURCES/scap-security-guide-0.1.53-update_stig_RHEL_07_041001-PR_6083.diff
deleted file mode 100644
index 101a210..0000000
--- a/SOURCES/scap-security-guide-0.1.53-update_stig_RHEL_07_041001-PR_6083.diff
+++ /dev/null
@@ -1,102 +0,0 @@
-diff --git a/linux_os/guide/services/sssd/sssd_enable_pam_services/rule.yml b/linux_os/guide/services/sssd/sssd_enable_pam_services/rule.yml
-index 6c344c1cb4..426635c85f 100644
---- a/linux_os/guide/services/sssd/sssd_enable_pam_services/rule.yml
-+++ b/linux_os/guide/services/sssd/sssd_enable_pam_services/rule.yml
-@@ -30,7 +30,7 @@ references:
-     disa: CCI-001948,CCI-001953,CCI-001954
-     nist: IA-2(1),CM-6(a)
-     nist-csf: PR.AC-1,PR.AC-6,PR.AC-7
--    srg: SRG-OS-000375-GPOS-00160,SRG-OS-000375-GPOS-00161,SRG-OS-000375-GPOS-00162
-+    srg: SRG-OS-000375-GPOS-00160,SRG-OS-000376-GPOS-00161,SRG-OS-000377-GPOS-00162
-     vmmsrg: SRG-OS-000107-VMM-000530
-     stigid@rhel7: RHEL-07-041002
-     isa-62443-2013: 'SR 1.1,SR 1.10,SR 1.2,SR 1.3,SR 1.4,SR 1.5,SR 1.7,SR 1.8,SR 1.9,SR 2.1'
-diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/install_smartcard_packages/bash/shared.sh b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/install_smartcard_packages/bash/shared.sh
-deleted file mode 100644
-index a8f1aedd5e..0000000000
---- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/install_smartcard_packages/bash/shared.sh
-+++ /dev/null
-@@ -1,4 +0,0 @@
--# platform = Red Hat Enterprise Linux 7,Oracle Linux 7
--
--{{{ bash_package_install("esc") }}}
--{{{ bash_package_install("pam_pkcs11") }}}
-diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/install_smartcard_packages/oval/shared.xml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/install_smartcard_packages/oval/shared.xml
-deleted file mode 100644
-index fa837b5d30..0000000000
---- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/install_smartcard_packages/oval/shared.xml
-+++ /dev/null
-@@ -1,9 +0,0 @@
--<def-group>
--  <definition class="compliance" id="install_smartcard_packages" version="1">
--    {{{ oval_metadata("The RPM packages esc and pam_pkcs11 must be installed.") }}}
--      <criteria comment="packages for smartcard use are installed">
--      <extend_definition comment="pam_pkcs11 package is installed" definition_ref="package_pam_pkcs11_installed" />
--      <extend_definition comment="esc package is installed" definition_ref="package_esc_installed" />
--      </criteria>
--  </definition>
--</def-group>
-diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/install_smartcard_packages/rule.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/install_smartcard_packages/rule.yml
-index 91cc09590a..1747b7901a 100644
---- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/install_smartcard_packages/rule.yml
-+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/install_smartcard_packages/rule.yml
-@@ -6,8 +6,8 @@ title: 'Install Smart Card Packages For Multifactor Authentication'
- 
- description: |-
-     Configure the operating system to implement multifactor authentication by
--    installing the required packages with the following command:
--    {{{ describe_package_install(package="esc pam_pkcs11") }}}
-+    installing the required package with the following command:
-+    {{{ describe_package_install(package="pam_pkcs11") }}}
- 
- rationale: |-
-     Using an authentication device, such as a CAC or token that is separate from
-@@ -30,12 +30,14 @@ references:
-     stigid@ol7: OL07-00-041001
-     disa: CCI-000765,CCI-001948,CCI-001953,CCI-001954
-     nist: CM-6(a)
--    srg: SRG-OS-000105-GPOS-00052,SRG-OS-000375-GPOS-00160,SRG-OS-000375-GPOS-00161,SRG-OS-000377-GPOS-00162
-+    srg: SRG-OS-000105-GPOS-00052,SRG-OS-000375-GPOS-00160,SRG-OS-000376-GPOS-00161,SRG-OS-000377-GPOS-00162
-     stigid@rhel7: RHEL-07-041001
- 
- ocil_clause: 'smartcard software is not installed'
- 
--ocil: |-
--    To verify the operating system has the packages required for multifactor
--    authentication installed, run the following command:
--    <pre>$ sudo yum list installed esc pam_pkcs11</pre>
-+ocil: '{{{ ocil_package(package="pam_pkcs11") }}}'
-+
-+template:
-+    name: package_installed
-+    vars:
-+        pkgname: pam_pkcs11
-diff --git a/linux_os/guide/system/software/gnome/gnome_login_screen/dconf_gnome_enable_smartcard_auth/rule.yml b/linux_os/guide/system/software/gnome/gnome_login_screen/dconf_gnome_enable_smartcard_auth/rule.yml
-index eb88f519f2..c0ac9db891 100644
---- a/linux_os/guide/system/software/gnome/gnome_login_screen/dconf_gnome_enable_smartcard_auth/rule.yml
-+++ b/linux_os/guide/system/software/gnome/gnome_login_screen/dconf_gnome_enable_smartcard_auth/rule.yml
-@@ -34,7 +34,7 @@ references:
-     disa: CCI-000765,CCI-000766,CCI-000767,CCI-000768,CCI-000771,CCI-000772,CCI-000884,CCI-001948,CCI-001954
-     nist: IA-2(3),IA-2(4),IA-2(8),IA-2(9),IA-2(11)
-     pcidss: Req-8.3
--    srg: SRG-OS-000375-GPOS-00160,SRG-OS-000375-GPOS-00161,SRG-OS-000377-GPOS-00162
-+    srg: SRG-OS-000375-GPOS-00160,SRG-OS-000376-GPOS-00161,SRG-OS-000377-GPOS-00162
-     stigid@rhel7: RHEL-07-010061
- 
- ocil_clause: 'enable-smartcard-authentication has not been configured or is disabled'
-diff --git a/shared/templates/extra_ovals.yml b/shared/templates/extra_ovals.yml
-index 948912c228..2d305f56d4 100644
---- a/shared/templates/extra_ovals.yml
-+++ b/shared/templates/extra_ovals.yml
-@@ -8,11 +8,6 @@ package_esc_installed:
-   vars:
-     pkgname: esc
- 
--package_pam_pkcs11_installed:
--  name: package_installed
--  vars:
--    pkgname: pam_pkcs11
--
- package_GConf2_installed:
-   name: package_installed
-   vars:
diff --git a/SOURCES/scap-security-guide-0.1.53-update_stig_references-PR_6104.patch b/SOURCES/scap-security-guide-0.1.53-update_stig_references-PR_6104.patch
deleted file mode 100644
index afa5488..0000000
--- a/SOURCES/scap-security-guide-0.1.53-update_stig_references-PR_6104.patch
+++ /dev/null
@@ -1,3314 +0,0 @@
-From a2d23c9e646fb1e0d670a142b0a43ed055d004fa Mon Sep 17 00:00:00 2001
-From: Gabriel Becker <ggasparb@redhat.com>
-Date: Fri, 18 Sep 2020 14:07:23 +0200
-Subject: [PATCH] Update DISA STIG RHEL7 reference files to latest version
- (v2r8).
-
----
- rhel7/overlays/stig_overlay.xml               | 1004 ++++++++---------
- rhel7/profiles/stig.profile                   |    2 +-
- ... => disa-stig-rhel7-v2r8-xccdf-manual.xml} |  878 +++++++-------
- 3 files changed, 940 insertions(+), 944 deletions(-)
- rename shared/references/{disa-stig-rhel7-v2r7-xccdf-manual.xml => disa-stig-rhel7-v2r8-xccdf-manual.xml} (82%)
-
-diff --git a/rhel7/overlays/stig_overlay.xml b/rhel7/overlays/stig_overlay.xml
-index ca7cdc5bcb..7cd955c977 100644
---- a/rhel7/overlays/stig_overlay.xml
-+++ b/rhel7/overlays/stig_overlay.xml
-@@ -1,991 +1,975 @@
--<?xml version="1.0" encoding="UTF-8"?>
-+<?xml version='1.0' encoding='UTF-8'?>
- <overlays xmlns="http://checklists.nist.gov/xccdf/1.1">
--  <overlay disa="2235" owner="disastig" ownerid="RHEL-07-010010" ruleid="rpm_verify_permissions" severity="high">
--    <VMSinfo SVKey="86473" VKey="71849" VRelease="4"/>
-+  <overlay owner="disastig" ruleid="rpm_verify_permissions" ownerid="RHEL-07-010010" disa="2235" severity="high">
-+    <VMSinfo VKey="71849" SVKey="86473" VRelease="4"/>
-     <title text="The Red Hat Enterprise Linux operating system must be configured so that the file permissions, ownership, and group membership of system files and commands match the vendor values."/>
-   </overlay>
--  <overlay disa="663" owner="disastig" ownerid="RHEL-07-010020" ruleid="rpm_verify_hashes" severity="high">
--    <VMSinfo SVKey="86479" VKey="71855" VRelease="4"/>
-+  <overlay owner="disastig" ruleid="rpm_verify_hashes" ownerid="RHEL-07-010020" disa="1749" severity="high">
-+    <VMSinfo VKey="71855" SVKey="86479" VRelease="4"/>
-     <title text="The Red Hat Enterprise Linux operating system must be configured so that the cryptographic hash of system files and commands matches vendor values."/>
-   </overlay>
--  <overlay disa="48" owner="disastig" ownerid="RHEL-07-010030" ruleid="dconf_gnome_banner_enabled" severity="medium">
--    <VMSinfo SVKey="86483" VKey="71859" VRelease="4"/>
-+  <overlay owner="disastig" ruleid="dconf_gnome_banner_enabled" ownerid="RHEL-07-010030" disa="48" severity="medium">
-+    <VMSinfo VKey="71859" SVKey="86483" VRelease="4"/>
-     <title text="The Red Hat Enterprise Linux operating system must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a graphical user logon."/>
-   </overlay>
--  <overlay disa="48" owner="disastig" ownerid="RHEL-07-010040" ruleid="dconf_gnome_login_banner_text" severity="medium">
--    <VMSinfo SVKey="86485" VKey="71861" VRelease="4"/>
-+  <overlay owner="disastig" ruleid="dconf_gnome_login_banner_text" ownerid="RHEL-07-010040" disa="48" severity="medium">
-+    <VMSinfo VKey="71861" SVKey="86485" VRelease="5"/>
-     <title text="The Red Hat Enterprise Linux operating system must display the approved Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a graphical user logon."/>
-   </overlay>
--  <overlay disa="48" owner="disastig" ownerid="RHEL-07-010050" ruleid="banner_etc_issue" severity="medium">
--    <VMSinfo SVKey="86487" VKey="71863" VRelease="3"/>
-+  <overlay owner="disastig" ruleid="banner_etc_issue" ownerid="RHEL-07-010050" disa="48" severity="medium">
-+    <VMSinfo VKey="71863" SVKey="86487" VRelease="3"/>
-     <title text="The Red Hat Enterprise Linux operating system must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a command line user logon."/>
-   </overlay>
--  <overlay disa="56" owner="disastig" ownerid="RHEL-07-010060" ruleid="dconf_gnome_screensaver_lock_enabled" severity="medium">
--    <VMSinfo SVKey="86515" VKey="71891" VRelease="6"/>
-+  <overlay owner="disastig" ruleid="dconf_gnome_screensaver_lock_enabled" ownerid="RHEL-07-010060" disa="56" severity="medium">
-+    <VMSinfo VKey="71891" SVKey="86515" VRelease="6"/>
-     <title text="The Red Hat Enterprise Linux operating system must enable a user session lock until that user re-establishes access using established identification and authentication procedures."/>
-   </overlay>
--  <overlay disa="1954" owner="disastig" ownerid="RHEL-07-010061" ruleid="dconf_gnome_enable_smartcard_auth" severity="medium">
--    <VMSinfo SVKey="92515" VKey="77819" VRelease="2"/>
-+  <overlay owner="disastig" ruleid="dconf_gnome_enable_smartcard_auth" ownerid="RHEL-07-010061" disa="1954" severity="medium">
-+    <VMSinfo VKey="77819" SVKey="92515" VRelease="2"/>
-     <title text="The Red Hat Enterprise Linux operating system must uniquely identify and must authenticate users using multifactor authentication via a graphical user logon."/>
-   </overlay>
--  <overlay disa="57" owner="disastig" ownerid="RHEL-07-010062" ruleid="dconf_gnome_screensaver_lock_locked" severity="medium">
--    <VMSinfo SVKey="93701" VKey="78995" VRelease="2"/>
-+  <overlay owner="disastig" ruleid="dconf_gnome_screensaver_lock_locked" ownerid="RHEL-07-010062" disa="57" severity="medium">
-+    <VMSinfo VKey="78995" SVKey="93701" VRelease="3"/>
-     <title text="The Red Hat Enterprise Linux operating system must prevent a user from overriding the screensaver lock-enabled setting for the graphical user interface."/>
-   </overlay>
--  <overlay disa="57" owner="disastig" ownerid="RHEL-07-010070" ruleid="dconf_gnome_screensaver_idle_delay" severity="medium">
--    <VMSinfo SVKey="86517" VKey="71893" VRelease="5"/>
-+  <overlay owner="disastig" ruleid="dconf_gnome_screensaver_idle_delay" ownerid="RHEL-07-010070" disa="57" severity="medium">
-+    <VMSinfo VKey="71893" SVKey="86517" VRelease="5"/>
-     <title text="The Red Hat Enterprise Linux operating system must initiate a screensaver after a 15-minute period of inactivity for graphical user interfaces."/>
-   </overlay>
--  <overlay disa="57" owner="disastig" ownerid="RHEL-07-010081" ruleid="dconf_gnome_screensaver_user_locks" severity="medium">
--    <VMSinfo SVKey="87807" VKey="73155" VRelease="4"/>
-+  <overlay owner="disastig" ruleid="dconf_gnome_screensaver_user_locks" ownerid="RHEL-07-010081" disa="57" severity="medium">
-+    <VMSinfo VKey="73155" SVKey="87807" VRelease="4"/>
-     <title text="The Red Hat Enterprise Linux operating system must prevent a user from overriding the screensaver lock-delay setting for the graphical user interface."/>
-   </overlay>
--  <overlay disa="57" owner="disastig" ownerid="RHEL-07-010082" ruleid="dconf_gnome_session_idle_user_locks" severity="medium">
--    <VMSinfo SVKey="87809" VKey="73157" VRelease="4"/>
-+  <overlay owner="disastig" ruleid="dconf_gnome_session_idle_user_locks" ownerid="RHEL-07-010082" disa="57" severity="medium">
-+    <VMSinfo VKey="73157" SVKey="87809" VRelease="4"/>
-     <title text="The Red Hat Enterprise Linux operating system must prevent a user from overriding the session idle-delay setting for the graphical user interface."/>
-   </overlay>
--  <overlay disa="57" owner="disastig" ownerid="RHEL-07-010090" ruleid="package_screen_installed" severity="medium">
--    <VMSinfo SVKey="86521" VKey="71897" VRelease="3"/>
--    <title text="The Red Hat Enterprise Linux operating system must have the screen package installed."/>
--  </overlay>
--  <overlay disa="57" owner="disastig" ownerid="RHEL-07-010100" ruleid="dconf_gnome_screensaver_idle_activation_enabled" severity="medium">
--    <VMSinfo SVKey="86523" VKey="71899" VRelease="5"/>
-+  <overlay owner="disastig" ruleid="dconf_gnome_screensaver_idle_activation_enabled" ownerid="RHEL-07-010100" disa="57" severity="medium">
-+    <VMSinfo VKey="71899" SVKey="86523" VRelease="5"/>
-     <title text="The Red Hat Enterprise Linux operating system must initiate a session lock for the screensaver after a period of inactivity for graphical user interfaces."/>
-   </overlay>
--  <overlay disa="57" owner="disastig" ownerid="RHEL-07-010101" ruleid="dconf_gnome_screensaver_idle_activation_locked" severity="medium">
--    <VMSinfo SVKey="93703" VKey="78997" VRelease="2"/>
-+  <overlay owner="disastig" ruleid="dconf_gnome_screensaver_idle_activation_locked" ownerid="RHEL-07-010101" disa="57" severity="medium">
-+    <VMSinfo VKey="78997" SVKey="93703" VRelease="2"/>
-     <title text="The Red Hat Enterprise Linux operating system must prevent a user from overriding the screensaver idle-activation-enabled setting for the graphical user interface."/>
-   </overlay>
--  <overlay disa="57" owner="disastig" ownerid="RHEL-07-010110" ruleid="dconf_gnome_screensaver_lock_delay" severity="medium">
--    <VMSinfo SVKey="86525" VKey="71901" VRelease="3"/>
-+  <overlay owner="disastig" ruleid="dconf_gnome_screensaver_lock_delay" ownerid="RHEL-07-010110" disa="57" severity="medium">
-+    <VMSinfo VKey="71901" SVKey="86525" VRelease="3"/>
-     <title text="The Red Hat Enterprise Linux operating system must initiate a session lock for graphical user interfaces when the screensaver is activated."/>
-   </overlay>
--  <overlay disa="192" owner="disastig" ownerid="RHEL-07-010118" ruleid="XXXX" severity="medium">
--    <VMSinfo SVKey="95715" VKey="81003" VRelease="1"/>
-+  <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-07-010118" disa="192" severity="medium">
-+    <VMSinfo VKey="81003" SVKey="95715" VRelease="1"/>
-     <title text="The Red Hat Enterprise Linux operating system must be configured so that /etc/pam.d/passwd implements /etc/pam.d/system-auth when changing passwords."/>
-   </overlay>
--  <overlay disa="192" owner="disastig" ownerid="RHEL-07-010119" ruleid="accounts_password_pam_retry" severity="medium">
--    <VMSinfo SVKey="87811" VKey="73159" VRelease="4"/>
-+  <overlay owner="disastig" ruleid="accounts_password_pam_retry" ownerid="RHEL-07-010119" disa="192" severity="medium">
-+    <VMSinfo VKey="73159" SVKey="87811" VRelease="4"/>
-     <title text="The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed or new passwords are established, pwquality must be used."/>
-   </overlay>
--  <overlay disa="192" owner="disastig" ownerid="RHEL-07-010120" ruleid="accounts_password_pam_ucredit" severity="medium">
--    <VMSinfo SVKey="86527" VKey="71903" VRelease="3"/>
-+  <overlay owner="disastig" ruleid="accounts_password_pam_ucredit" ownerid="RHEL-07-010120" disa="192" severity="medium">
-+    <VMSinfo VKey="71903" SVKey="86527" VRelease="3"/>
-     <title text="The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed or new passwords are established, the new password must contain at least one upper-case character."/>
-   </overlay>
--  <overlay disa="193" owner="disastig" ownerid="RHEL-07-010130" ruleid="accounts_password_pam_lcredit" severity="medium">
--    <VMSinfo SVKey="86529" VKey="71905" VRelease="5"/>
-+  <overlay owner="disastig" ruleid="accounts_password_pam_lcredit" ownerid="RHEL-07-010130" disa="193" severity="medium">
-+    <VMSinfo VKey="71905" SVKey="86529" VRelease="5"/>
-     <title text="The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed or new passwords are established, the new password must contain at least one lower-case character."/>
-   </overlay>
--  <overlay disa="194" owner="disastig" ownerid="RHEL-07-010140" ruleid="accounts_password_pam_dcredit" severity="medium">
--    <VMSinfo SVKey="86531" VKey="71907" VRelease="3"/>
-+  <overlay owner="disastig" ruleid="accounts_password_pam_dcredit" ownerid="RHEL-07-010140" disa="194" severity="medium">
-+    <VMSinfo VKey="71907" SVKey="86531" VRelease="3"/>
-     <title text="The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed or new passwords are assigned, the new password must contain at least one numeric character."/>
-   </overlay>
--  <overlay disa="1619" owner="disastig" ownerid="RHEL-07-010150" ruleid="accounts_password_pam_ocredit" severity="medium">
--    <VMSinfo SVKey="86533" VKey="71909" VRelease="2"/>
-+  <overlay owner="disastig" ruleid="accounts_password_pam_ocredit" ownerid="RHEL-07-010150" disa="1619" severity="medium">
-+    <VMSinfo VKey="71909" SVKey="86533" VRelease="2"/>
-     <title text="The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed or new passwords are established, the new password must contain at least one special character."/>
-   </overlay>
--  <overlay disa="195" owner="disastig" ownerid="RHEL-07-010160" ruleid="accounts_password_pam_difok" severity="medium">
--    <VMSinfo SVKey="86535" VKey="71911" VRelease="2"/>
-+  <overlay owner="disastig" ruleid="accounts_password_pam_difok" ownerid="RHEL-07-010160" disa="195" severity="medium">
-+    <VMSinfo VKey="71911" SVKey="86535" VRelease="2"/>
-     <title text="The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed a minimum of eight of the total number of characters must be changed."/>
-   </overlay>
--  <overlay disa="195" owner="disastig" ownerid="RHEL-07-010170" ruleid="accounts_password_pam_minclass" severity="medium">
--    <VMSinfo SVKey="86537" VKey="71913" VRelease="2"/>
-+  <overlay owner="disastig" ruleid="accounts_password_pam_minclass" ownerid="RHEL-07-010170" disa="195" severity="medium">
-+    <VMSinfo VKey="71913" SVKey="86537" VRelease="2"/>
-     <title text="The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed a minimum of four character classes must be changed."/>
-   </overlay>
--  <overlay disa="195" owner="disastig" ownerid="RHEL-07-010180" ruleid="accounts_password_pam_maxrepeat" severity="medium">
--    <VMSinfo SVKey="86539" VKey="71915" VRelease="3"/>
-+  <overlay owner="disastig" ruleid="accounts_password_pam_maxrepeat" ownerid="RHEL-07-010180" disa="195" severity="medium">
-+    <VMSinfo VKey="71915" SVKey="86539" VRelease="3"/>
-     <title text="The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed the number of repeating consecutive characters must not be more than three characters."/>
-   </overlay>
--  <overlay disa="195" owner="disastig" ownerid="RHEL-07-010190" ruleid="accounts_password_pam_maxclassrepeat" severity="medium">
--    <VMSinfo SVKey="86541" VKey="71917" VRelease="2"/>
-+  <overlay owner="disastig" ruleid="accounts_password_pam_maxclassrepeat" ownerid="RHEL-07-010190" disa="195" severity="medium">
-+    <VMSinfo VKey="71917" SVKey="86541" VRelease="2"/>
-     <title text="The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed the number of repeating characters of the same character class must not be more than four characters."/>
-   </overlay>
--  <overlay disa="196" owner="disastig" ownerid="RHEL-07-010200" ruleid="set_password_hashing_algorithm_systemauth" severity="medium">
--    <VMSinfo SVKey="86543" VKey="71919" VRelease="3"/>
-+  <overlay owner="disastig" ruleid="set_password_hashing_algorithm_systemauth" ownerid="RHEL-07-010200" disa="196" severity="medium">
-+    <VMSinfo VKey="71919" SVKey="86543" VRelease="3"/>
-     <title text="The Red Hat Enterprise Linux operating system must be configured so that the PAM system service is configured to store only encrypted representations of passwords."/>
-   </overlay>
--  <overlay disa="196" owner="disastig" ownerid="RHEL-07-010210" ruleid="set_password_hashing_algorithm_logindefs" severity="medium">
--    <VMSinfo SVKey="86545" VKey="71921" VRelease="2"/>
-+  <overlay owner="disastig" ruleid="set_password_hashing_algorithm_logindefs" ownerid="RHEL-07-010210" disa="196" severity="medium">
-+    <VMSinfo VKey="71921" SVKey="86545" VRelease="2"/>
-     <title text="The Red Hat Enterprise Linux operating system must be configured to use the shadow file to store only encrypted representations of passwords."/>
-   </overlay>
--  <overlay disa="196" owner="disastig" ownerid="RHEL-07-010220" ruleid="set_password_hashing_algorithm_libuserconf" severity="medium">
--    <VMSinfo SVKey="86547" VKey="71923" VRelease="3"/>
-+  <overlay owner="disastig" ruleid="set_password_hashing_algorithm_libuserconf" ownerid="RHEL-07-010220" disa="196" severity="medium">
-+    <VMSinfo VKey="71923" SVKey="86547" VRelease="3"/>
-     <title text="The Red Hat Enterprise Linux operating system must be configured so that user and group account administration utilities are configured to store only encrypted representations of passwords."/>
-   </overlay>
--  <overlay disa="198" owner="disastig" ownerid="RHEL-07-010230" ruleid="accounts_minimum_age_login_defs" severity="medium">
--    <VMSinfo SVKey="86549" VKey="71925" VRelease="2"/>
-+  <overlay owner="disastig" ruleid="accounts_minimum_age_login_defs" ownerid="RHEL-07-010230" disa="198" severity="medium">
-+    <VMSinfo VKey="71925" SVKey="86549" VRelease="2"/>
-     <title text="The Red Hat Enterprise Linux operating system must be configured so that passwords for new users are restricted to a 24 hours/1 day minimum lifetime."/>
-   </overlay>
--  <overlay disa="198" owner="disastig" ownerid="RHEL-07-010240" ruleid="accounts_password_set_min_life_existing" severity="medium">
--    <VMSinfo SVKey="86551" VKey="71927" VRelease="2"/>
-+  <overlay owner="disastig" ruleid="accounts_password_set_min_life_existing" ownerid="RHEL-07-010240" disa="198" severity="medium">
-+    <VMSinfo VKey="71927" SVKey="86551" VRelease="2"/>
-     <title text="The Red Hat Enterprise Linux operating system must be configured so that passwords are restricted to a 24 hours/1 day minimum lifetime."/>
-   </overlay>
--  <overlay disa="199" owner="disastig" ownerid="RHEL-07-010250" ruleid="accounts_maximum_age_login_defs" severity="medium">
--    <VMSinfo SVKey="86553" VKey="71929" VRelease="2"/>
-+  <overlay owner="disastig" ruleid="accounts_maximum_age_login_defs" ownerid="RHEL-07-010250" disa="199" severity="medium">
-+    <VMSinfo VKey="71929" SVKey="86553" VRelease="2"/>
-     <title text="The Red Hat Enterprise Linux operating system must be configured so that passwords for new users are restricted to a 60-day maximum lifetime."/>
-   </overlay>
--  <overlay disa="199" owner="disastig" ownerid="RHEL-07-010260" ruleid="accounts_password_set_max_life_existing" severity="medium">
--    <VMSinfo SVKey="86555" VKey="71931" VRelease="3"/>
-+  <overlay owner="disastig" ruleid="accounts_password_set_max_life_existing" ownerid="RHEL-07-010260" disa="199" severity="medium">
-+    <VMSinfo VKey="71931" SVKey="86555" VRelease="3"/>
-     <title text="The Red Hat Enterprise Linux operating system must be configured so that existing passwords are restricted to a 60-day maximum lifetime."/>
-   </overlay>
--  <overlay disa="200" owner="disastig" ownerid="RHEL-07-010270" ruleid="accounts_password_pam_unix_remember" severity="medium">
--    <VMSinfo SVKey="86557" VKey="71933" VRelease="3"/>
-+  <overlay owner="disastig" ruleid="accounts_password_pam_unix_remember" ownerid="RHEL-07-010270" disa="200" severity="medium">
-+    <VMSinfo VKey="71933" SVKey="86557" VRelease="3"/>
-     <title text="The Red Hat Enterprise Linux operating system must be configured so that passwords are prohibited from reuse for a minimum of five generations."/>
-   </overlay>
--  <overlay disa="205" owner="disastig" ownerid="RHEL-07-010280" ruleid="accounts_password_pam_minlen" severity="medium">
--    <VMSinfo SVKey="86559" VKey="71935" VRelease="2"/>
-+  <overlay owner="disastig" ruleid="accounts_password_pam_minlen" ownerid="RHEL-07-010280" disa="205" severity="medium">
-+    <VMSinfo VKey="71935" SVKey="86559" VRelease="2"/>
-     <title text="The Red Hat Enterprise Linux operating system must be configured so that passwords are a minimum of 15 characters in length."/>
-   </overlay>
--  <overlay disa="366" owner="disastig" ownerid="RHEL-07-010290" ruleid="no_empty_passwords" severity="high">
--    <VMSinfo SVKey="86561" VKey="71937" VRelease="3"/>
-+  <overlay owner="disastig" ruleid="no_empty_passwords" ownerid="RHEL-07-010290" disa="366" severity="high">
-+    <VMSinfo VKey="71937" SVKey="86561" VRelease="3"/>
-     <title text="The Red Hat Enterprise Linux operating system must not have accounts configured with blank or null passwords."/>
-   </overlay>
--  <overlay disa="766" owner="disastig" ownerid="RHEL-07-010300" ruleid="sshd_disable_empty_passwords" severity="high">
--    <VMSinfo SVKey="86563" VKey="71939" VRelease="3"/>
-+  <overlay owner="disastig" ruleid="sshd_disable_empty_passwords" ownerid="RHEL-07-010300" disa="766" severity="high">
-+    <VMSinfo VKey="71939" SVKey="86563" VRelease="3"/>
-     <title text="The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not allow authentication using an empty password."/>
-   </overlay>
--  <overlay disa="795" owner="disastig" ownerid="RHEL-07-010310" ruleid="account_disable_post_pw_expiration" severity="medium">
--    <VMSinfo SVKey="86565" VKey="71941" VRelease="2"/>
-+  <overlay owner="disastig" ruleid="account_disable_post_pw_expiration" ownerid="RHEL-07-010310" disa="795" severity="medium">
-+    <VMSinfo VKey="71941" SVKey="86565" VRelease="2"/>
-     <title text="The Red Hat Enterprise Linux operating system must disable account identifiers (individuals, groups, roles, and devices) if the password expires."/>
-   </overlay>
--  <overlay disa="2238" owner="disastig" ownerid="RHEL-07-010320" ruleid="accounts_passwords_pam_faillock_interval" severity="medium">
--    <VMSinfo SVKey="86567" VKey="71943" VRelease="5"/>
-+  <overlay owner="disastig" ruleid="accounts_passwords_pam_faillock_interval" ownerid="RHEL-07-010320" disa="2238" severity="medium">
-+    <VMSinfo VKey="71943" SVKey="86567" VRelease="6"/>
-     <title text="The Red Hat Enterprise Linux operating system must be configured to lock accounts for a minimum of 15 minutes after three unsuccessful logon attempts within a 15-minute timeframe."/>
-   </overlay>
--  <overlay disa="2238" owner="disastig" ownerid="RHEL-07-010330" ruleid="accounts_passwords_pam_faillock_deny_root" severity="medium">
--    <VMSinfo SVKey="86569" VKey="71945" VRelease="4"/>
-+  <overlay owner="disastig" ruleid="accounts_passwords_pam_faillock_deny_root" ownerid="RHEL-07-010330" disa="2238" severity="medium">
-+    <VMSinfo VKey="71945" SVKey="86569" VRelease="4"/>
-     <title text="The Red Hat Enterprise Linux operating system must lock the associated account after three unsuccessful root logon attempts are made within a 15-minute period."/>
-   </overlay>
--  <overlay disa="2038" owner="disastig" ownerid="RHEL-07-010340" ruleid="sudo_remove_nopasswd" severity="medium">
--    <VMSinfo SVKey="86571" VKey="71947" VRelease="3"/>
-+  <overlay owner="disastig" ruleid="sudo_remove_nopasswd" ownerid="RHEL-07-010340" disa="2038" severity="medium">
-+    <VMSinfo VKey="71947" SVKey="86571" VRelease="3"/>
-     <title text="The Red Hat Enterprise Linux operating system must be configured so that users must provide a password for privilege escalation."/>
-   </overlay>
--  <overlay disa="2038" owner="disastig" ownerid="RHEL-07-010350" ruleid="sudo_remove_no_authenticate" severity="medium">
--    <VMSinfo SVKey="86573" VKey="71949" VRelease="3"/>
-+  <overlay owner="disastig" ruleid="sudo_remove_no_authenticate" ownerid="RHEL-07-010350" disa="2038" severity="medium">
-+    <VMSinfo VKey="71949" SVKey="86573" VRelease="3"/>
-     <title text="The Red Hat Enterprise Linux operating system must be configured so that users must re-authenticate for privilege escalation."/>
-   </overlay>
--  <overlay disa="366" owner="disastig" ownerid="RHEL-07-010430" ruleid="accounts_logon_fail_delay" severity="medium">
--    <VMSinfo SVKey="86575" VKey="71951" VRelease="2"/>
-+  <overlay owner="disastig" ruleid="accounts_logon_fail_delay" ownerid="RHEL-07-010430" disa="366" severity="medium">
-+    <VMSinfo VKey="71951" SVKey="86575" VRelease="2"/>
-     <title text="The Red Hat Enterprise Linux operating system must be configured so that the delay between logon prompts following a failed console logon attempt is at least four seconds."/>
-   </overlay>
--  <overlay disa="366" owner="disastig" ownerid="RHEL-07-010440" ruleid="gnome_gdm_disable_automatic_login" severity="high">
--    <VMSinfo SVKey="86577" VKey="71953" VRelease="2"/>
-+  <overlay owner="disastig" ruleid="gnome_gdm_disable_automatic_login" ownerid="RHEL-07-010440" disa="366" severity="high">
-+    <VMSinfo VKey="71953" SVKey="86577" VRelease="2"/>
-     <title text="The Red Hat Enterprise Linux operating system must not allow an unattended or automatic logon to the system via a graphical user interface."/>
-   </overlay>
--  <overlay disa="366" owner="disastig" ownerid="RHEL-07-010450" ruleid="gnome_gdm_disable_guest_login" severity="high">
--    <VMSinfo SVKey="86579" VKey="71955" VRelease="3"/>
-+  <overlay owner="disastig" ruleid="gnome_gdm_disable_guest_login" ownerid="RHEL-07-010450" disa="366" severity="high">
-+    <VMSinfo VKey="71955" SVKey="86579" VRelease="3"/>
-     <title text="The Red Hat Enterprise Linux operating system must not allow an unrestricted logon to the system."/>
-   </overlay>
--  <overlay disa="366" owner="disastig" ownerid="RHEL-07-010460" ruleid="sshd_do_not_permit_user_env" severity="medium">
--    <VMSinfo SVKey="86581" VKey="71957" VRelease="3"/>
-+  <overlay owner="disastig" ruleid="sshd_do_not_permit_user_env" ownerid="RHEL-07-010460" disa="366" severity="medium">
-+    <VMSinfo VKey="71957" SVKey="86581" VRelease="3"/>
-     <title text="The Red Hat Enterprise Linux operating system must not allow users to override SSH environment variables."/>
-   </overlay>
--  <overlay disa="366" owner="disastig" ownerid="RHEL-07-010470" ruleid="disable_host_auth" severity="medium">
--    <VMSinfo SVKey="86583" VKey="71959" VRelease="3"/>
-+  <overlay owner="disastig" ruleid="disable_host_auth" ownerid="RHEL-07-010470" disa="366" severity="medium">
-+    <VMSinfo VKey="71959" SVKey="86583" VRelease="3"/>
-     <title text="The Red Hat Enterprise Linux operating system must not allow a non-certificate trusted host SSH logon to the system."/>
-   </overlay>
--  <overlay disa="213" owner="disastig" ownerid="RHEL-07-010480" ruleid="grub2_password" severity="high">
--    <VMSinfo SVKey="86585" VKey="71961" VRelease="6"/>
-+  <overlay owner="disastig" ruleid="grub2_admin_username" ownerid="RHEL-07-010480" disa="213" severity="high">
-+    <VMSinfo VKey="71961" SVKey="86585" VRelease="6"/>
-     <title text="Red Hat Enterprise Linux operating systems prior to version 7.2 with a Basic Input/Output System (BIOS) must require authentication upon booting into single-user and maintenance modes."/>
-   </overlay>
--  <overlay disa="213" owner="disastig" ownerid="RHEL-07-010481" ruleid="require_singleuser_auth" severity="medium">
--    <VMSinfo SVKey="92519" VKey="77823" VRelease="2"/>
-+  <overlay owner="disastig" ruleid="require_singleuser_auth" ownerid="RHEL-07-010481" disa="213" severity="medium">
-+    <VMSinfo VKey="77823" SVKey="92519" VRelease="2"/>
-     <title text="The Red Hat Enterprise Linux operating system must require authentication upon booting into single-user and maintenance modes."/>
-   </overlay>
--  <overlay disa="213" owner="disastig" ownerid="RHEL-07-010482" ruleid="XXXX" severity="high">
--    <VMSinfo SVKey="95717" VKey="81005" VRelease="1"/>
-+  <overlay owner="disastig" ruleid="grub2_password" ownerid="RHEL-07-010482" disa="213" severity="high">
-+    <VMSinfo VKey="81005" SVKey="95717" VRelease="1"/>
-     <title text="Red Hat Enterprise Linux operating systems version 7.2 or newer with a Basic Input/Output System (BIOS) must require authentication upon booting into single-user and maintenance modes."/>
-   </overlay>
--  <overlay disa="213" owner="disastig" ownerid="RHEL-07-010490" ruleid="grub2_uefi_password" severity="high">
--    <VMSinfo SVKey="86587" VKey="71963" VRelease="4"/>
-+  <overlay owner="disastig" ruleid="grub2_uefi_admin_username" ownerid="RHEL-07-010490" disa="213" severity="high">
-+    <VMSinfo VKey="71963" SVKey="86587" VRelease="4"/>
-     <title text="Red Hat Enterprise Linux operating systems prior to version 7.2 using Unified Extensible Firmware Interface (UEFI) must require authentication upon booting into single-user and maintenance modes."/>
-   </overlay>
--  <overlay disa="213" owner="disastig" ownerid="RHEL-07-010491" ruleid="XXXX" severity="high">
--    <VMSinfo SVKey="95719" VKey="81007" VRelease="1"/>
-+  <overlay owner="disastig" ruleid="grub2_uefi_password" ownerid="RHEL-07-010491" disa="213" severity="high">
-+    <VMSinfo VKey="81007" SVKey="95719" VRelease="1"/>
-     <title text="Red Hat Enterprise Linux operating systems version 7.2 or newer using Unified Extensible Firmware Interface (UEFI) must require authentication upon booting into single-user and maintenance modes."/>
-   </overlay>
--  <overlay disa="766" owner="disastig" ownerid="RHEL-07-010500" ruleid="smartcard_auth" severity="medium">
--    <VMSinfo SVKey="86589" VKey="71965" VRelease="2"/>
-+  <overlay owner="disastig" ruleid="smartcard_auth" ownerid="RHEL-07-010500" disa="766" severity="medium">
-+    <VMSinfo VKey="71965" SVKey="86589" VRelease="2"/>
-     <title text="The Red Hat Enterprise Linux operating system must uniquely identify and must authenticate organizational users (or processes acting on behalf of organizational users) using multifactor authentication."/>
-   </overlay>
--  <overlay disa="381" owner="disastig" ownerid="RHEL-07-020000" ruleid="package_rsh-server_removed" severity="high">
--    <VMSinfo SVKey="86591" VKey="71967" VRelease="2"/>
-+  <overlay owner="disastig" ruleid="package_rsh-server_removed" ownerid="RHEL-07-020000" disa="381" severity="high">
-+    <VMSinfo VKey="71967" SVKey="86591" VRelease="2"/>
-     <title text="The Red Hat Enterprise Linux operating system must not have the rsh-server package installed."/>
-   </overlay>
--  <overlay disa="381" owner="disastig" ownerid="RHEL-07-020010" ruleid="package_ypserv_removed" severity="high">
--    <VMSinfo SVKey="86593" VKey="71969" VRelease="2"/>
-+  <overlay owner="disastig" ruleid="package_ypserv_removed" ownerid="RHEL-07-020010" disa="381" severity="high">
-+    <VMSinfo VKey="71969" SVKey="86593" VRelease="2"/>
-     <title text="The Red Hat Enterprise Linux operating system must not have the ypserv package installed."/>
-   </overlay>
--  <overlay disa="1263" owner="disastig" ownerid="RHEL-07-020019" ruleid="XXXX" severity="medium">
--    <VMSinfo SVKey="102357" VKey="92255" VRelease="r1"/>
-+  <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-07-020019" disa="1263" severity="medium">
-+    <VMSinfo VKey="92255" SVKey="102357" VRelease="r2"/>
-     <title text="The Red Hat Enterprise Linux operating system must have a host-based intrusion detection tool installed."/>
-   </overlay>
--  <overlay disa="2235" owner="disastig" ownerid="RHEL-07-020020" ruleid="selinux_user_login_roles" severity="medium">
--    <VMSinfo SVKey="86595" VKey="71971" VRelease="2"/>
-+  <overlay owner="disastig" ruleid="selinux_user_login_roles" ownerid="RHEL-07-020020" disa="2235" severity="medium">
-+    <VMSinfo VKey="71971" SVKey="86595" VRelease="4"/>
-     <title text="The Red Hat Enterprise Linux operating system must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures."/>
-   </overlay>
--  <overlay disa="1744" owner="disastig" ownerid="RHEL-07-020030" ruleid="aide_periodic_cron_checking" severity="medium">
--    <VMSinfo SVKey="86597" VKey="71973" VRelease="2"/>
-+  <overlay owner="disastig" ruleid="aide_periodic_cron_checking" ownerid="RHEL-07-020030" disa="1744" severity="medium">
-+    <VMSinfo VKey="71973" SVKey="86597" VRelease="2"/>
-     <title text="The Red Hat Enterprise Linux operating system must be configured so that a file integrity tool verifies the baseline operating system configuration at least weekly."/>
-   </overlay>
--  <overlay disa="1744" owner="disastig" ownerid="RHEL-07-020040" ruleid="aide_scan_notification" severity="medium">
--    <VMSinfo SVKey="86599" VKey="71975" VRelease="2"/>
-+  <overlay owner="disastig" ruleid="aide_scan_notification" ownerid="RHEL-07-020040" disa="1744" severity="medium">
-+    <VMSinfo VKey="71975" SVKey="86599" VRelease="2"/>
-     <title text="The Red Hat Enterprise Linux operating system must be configured so that designated personnel are notified if baseline configurations are changed in an unauthorized manner."/>
-   </overlay>
--  <overlay disa="1749" owner="disastig" ownerid="RHEL-07-020050" ruleid="ensure_gpgcheck_globally_activated" severity="high">
--    <VMSinfo SVKey="86601" VKey="71977" VRelease="2"/>
-+  <overlay owner="disastig" ruleid="ensure_gpgcheck_globally_activated" ownerid="RHEL-07-020050" disa="1749" severity="high">
-+    <VMSinfo VKey="71977" SVKey="86601" VRelease="2"/>
-     <title text="The Red Hat Enterprise Linux operating system must prevent the installation of software, patches, service packs, device drivers, or operating system components from a repository without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization."/>
-   </overlay>
--  <overlay disa="1749" owner="disastig" ownerid="RHEL-07-020060" ruleid="ensure_gpgcheck_local_packages" severity="high">
--    <VMSinfo SVKey="86603" VKey="71979" VRelease="2"/>
-+  <overlay owner="disastig" ruleid="ensure_gpgcheck_local_packages" ownerid="RHEL-07-020060" disa="1749" severity="high">
-+    <VMSinfo VKey="71979" SVKey="86603" VRelease="2"/>
-     <title text="The Red Hat Enterprise Linux operating system must prevent the installation of software, patches, service packs, device drivers, or operating system components of local packages without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization."/>
-   </overlay>
--  <overlay disa="1958" owner="disastig" ownerid="RHEL-07-020100" ruleid="kernel_module_usb-storage_disabled" severity="medium">
--    <VMSinfo SVKey="86607" VKey="71983" VRelease="4"/>
-+  <overlay owner="disastig" ruleid="kernel_module_usb-storage_disabled" ownerid="RHEL-07-020100" disa="1958" severity="medium">
-+    <VMSinfo VKey="71983" SVKey="86607" VRelease="5"/>
-     <title text="The Red Hat Enterprise Linux operating system must be configured to disable USB mass storage."/>
-   </overlay>
--  <overlay disa="1958" owner="disastig" ownerid="RHEL-07-020101" ruleid="kernel_module_dccp_disabled" severity="medium">
--    <VMSinfo SVKey="92517" VKey="77821" VRelease="3"/>
-+  <overlay owner="disastig" ruleid="kernel_module_dccp_disabled" ownerid="RHEL-07-020101" disa="1958" severity="medium">
-+    <VMSinfo VKey="77821" SVKey="92517" VRelease="3"/>
-     <title text="The Red Hat Enterprise Linux operating system must be configured so that the Datagram Congestion Control Protocol (DCCP) kernel module is disabled unless required."/>
-   </overlay>
--  <overlay disa="1958" owner="disastig" ownerid="RHEL-07-020110" ruleid="service_autofs_disabled" severity="medium">
--    <VMSinfo SVKey="86609" VKey="71985" VRelease="2"/>
-+  <overlay owner="disastig" ruleid="service_autofs_disabled" ownerid="RHEL-07-020110" disa="1958" severity="medium">
-+    <VMSinfo VKey="71985" SVKey="86609" VRelease="2"/>
-     <title text="The Red Hat Enterprise Linux operating system must disable the file system automounter unless required."/>
-   </overlay>
--  <overlay disa="2617" owner="disastig" ownerid="RHEL-07-020200" ruleid="clean_components_post_updating" severity="low">
--    <VMSinfo SVKey="86611" VKey="71987" VRelease="2"/>
-+  <overlay owner="disastig" ruleid="kernel_module_usb-storage_disabled" ownerid="RHEL-07-020111" disa="1958" severity="medium">
-+    <VMSinfo VKey="100023" SVKey="109127" VRelease="r1"/>
-+    <title text="The Red Hat Enterprise Linux operating system must disable the graphical user interface automounter unless required."/>
-+  </overlay>
-+  <overlay owner="disastig" ruleid="clean_components_post_updating" ownerid="RHEL-07-020200" disa="2617" severity="low">
-+    <VMSinfo VKey="71987" SVKey="86611" VRelease="2"/>
-     <title text="The Red Hat Enterprise Linux operating system must remove all software components after updated versions have been installed."/>
-   </overlay>
--  <overlay disa="2696" owner="disastig" ownerid="RHEL-07-020210" ruleid="selinux_state" severity="high">
--    <VMSinfo SVKey="86613" VKey="71989" VRelease="3"/>
-+  <overlay owner="disastig" ruleid="selinux_state" ownerid="RHEL-07-020210" disa="2696" severity="high">
-+    <VMSinfo VKey="71989" SVKey="86613" VRelease="4"/>
-     <title text="The Red Hat Enterprise Linux operating system must enable SELinux."/>
-   </overlay>
--  <overlay disa="2696" owner="disastig" ownerid="RHEL-07-020220" ruleid="selinux_policytype" severity="high">
--    <VMSinfo SVKey="86615" VKey="71991" VRelease="5"/>
-+  <overlay owner="disastig" ruleid="selinux_policytype" ownerid="RHEL-07-020220" disa="2696" severity="high">
-+    <VMSinfo VKey="71991" SVKey="86615" VRelease="6"/>
-     <title text="The Red Hat Enterprise Linux operating system must enable the SELinux targeted policy."/>
-   </overlay>
--  <overlay disa="366" owner="disastig" ownerid="RHEL-07-020230" ruleid="disable_ctrlaltdel_reboot" severity="high">
--    <VMSinfo SVKey="86617" VKey="71993" VRelease="5"/>
-+  <overlay owner="disastig" ruleid="disable_ctrlaltdel_reboot" ownerid="RHEL-07-020230" disa="366" severity="high">
-+    <VMSinfo VKey="71993" SVKey="86617" VRelease="5"/>
-     <title text="The Red Hat Enterprise Linux operating system must be configured so that the x86 Ctrl-Alt-Delete key sequence is disabled on the command line."/>
-   </overlay>
--  <overlay disa="366" owner="disastig" ownerid="RHEL-07-020231" ruleid="kernel_module_usb-storage_disabled" severity="high">
--    <VMSinfo SVKey="104673" VKey="94843" VRelease="r1"/>
--    <title text="The Red Hat Enterprise Linux operating system must be configured so that the x86 Ctrl-Alt-Delete key sequence is disabled in the GUI."/>
-+  <overlay owner="disastig" ruleid="dconf_gnome_disable_ctrlaltdel_reboot" ownerid="RHEL-07-020231" disa="366" severity="high">
-+    <VMSinfo VKey="94843" SVKey="104673" VRelease="r2"/>
-+    <title text="The Red Hat Enterprise Linux operating system must be configured so that the x86 Ctrl-Alt-Delete key sequence is disabled in the Graphical User Interface."/>
-   </overlay>
--  <overlay disa="366" owner="disastig" ownerid="RHEL-07-020240" ruleid="accounts_umask_etc_login_defs" severity="medium">
--    <VMSinfo SVKey="86619" VKey="71995" VRelease="2"/>
-+  <overlay owner="disastig" ruleid="accounts_umask_etc_login_defs" ownerid="RHEL-07-020240" disa="366" severity="medium">
-+    <VMSinfo VKey="71995" SVKey="86619" VRelease="2"/>
-     <title text="The Red Hat Enterprise Linux operating system must define default permissions for all authenticated users in such a way that the user can only read and modify their own files."/>
-   </overlay>
--  <overlay disa="366" owner="disastig" ownerid="RHEL-07-020250" ruleid="installed_OS_is_vendor_supported" severity="high">
--    <VMSinfo SVKey="86621" VKey="71997" VRelease="5"/>
-+  <overlay owner="disastig" ruleid="installed_OS_is_vendor_supported" ownerid="RHEL-07-020250" disa="366" severity="high">
-+    <VMSinfo VKey="71997" SVKey="86621" VRelease="6"/>
-     <title text="The Red Hat Enterprise Linux operating system must be a vendor supported release."/>
-   </overlay>
--  <overlay disa="366" owner="disastig" ownerid="RHEL-07-020260" ruleid="security_patches_up_to_date" severity="medium">
--    <VMSinfo SVKey="86623" VKey="71999" VRelease="4"/>
-+  <overlay owner="disastig" ruleid="security_patches_up_to_date" ownerid="RHEL-07-020260" disa="366" severity="medium">
-+    <VMSinfo VKey="71999" SVKey="86623" VRelease="4"/>
-     <title text="The Red Hat Enterprise Linux operating system security patches and updates must be installed and up to date."/>
-   </overlay>
--  <overlay disa="366" owner="disastig" ownerid="RHEL-07-020270" ruleid="kernel_module_usb-storage_disabled" severity="medium">
--    <VMSinfo SVKey="86625" VKey="72001" VRelease="2"/>
-+  <overlay owner="disastig" ruleid="sshd_disable_root_login" ownerid="RHEL-07-020270" disa="366" severity="medium">
-+    <VMSinfo VKey="72001" SVKey="86625" VRelease="2"/>
-     <title text="The Red Hat Enterprise Linux operating system must not have unnecessary accounts."/>
-   </overlay>
--  <overlay disa="764" owner="disastig" ownerid="RHEL-07-020300" ruleid="gid_passwd_group_same" severity="low">
--    <VMSinfo SVKey="86627" VKey="72003" VRelease="2"/>
-+  <overlay owner="disastig" ruleid="gid_passwd_group_same" ownerid="RHEL-07-020300" disa="764" severity="low">
-+    <VMSinfo VKey="72003" SVKey="86627" VRelease="2"/>
-     <title text="The Red Hat Enterprise Linux operating system must be configured so that all Group Identifiers (GIDs) referenced in the /etc/passwd file are defined in the /etc/group file."/>
-   </overlay>
--  <overlay disa="366" owner="disastig" ownerid="RHEL-07-020310" ruleid="accounts_no_uid_except_zero" severity="high">
--    <VMSinfo SVKey="86629" VKey="72005" VRelease="2"/>
-+  <overlay owner="disastig" ruleid="accounts_no_uid_except_zero" ownerid="RHEL-07-020310" disa="366" severity="high">
-+    <VMSinfo VKey="72005" SVKey="86629" VRelease="2"/>
-     <title text="The Red Hat Enterprise Linux operating system must be configured so that the root account must be the only account having unrestricted access to the system."/>
-   </overlay>
--  <overlay disa="2165" owner="disastig" ownerid="RHEL-07-020320" ruleid="no_files_unowned_by_user" severity="medium">
--    <VMSinfo SVKey="86631" VKey="72007" VRelease="3"/>
-+  <overlay owner="disastig" ruleid="no_files_unowned_by_user" ownerid="RHEL-07-020320" disa="2165" severity="medium">
-+    <VMSinfo VKey="72007" SVKey="86631" VRelease="3"/>
-     <title text="The Red Hat Enterprise Linux operating system must be configured so that all files and directories have a valid owner."/>
-   </overlay>
--  <overlay disa="2165" owner="disastig" ownerid="RHEL-07-020330" ruleid="file_permissions_ungroupowned" severity="medium">
--    <VMSinfo SVKey="86633" VKey="72009" VRelease="3"/>
-+  <overlay owner="disastig" ruleid="file_permissions_ungroupowned" ownerid="RHEL-07-020330" disa="2165" severity="medium">
-+    <VMSinfo VKey="72009" SVKey="86633" VRelease="3"/>
-     <title text="The Red Hat Enterprise Linux operating system must be configured so that all files and directories have a valid group owner."/>
-   </overlay>
--  <overlay disa="366" owner="disastig" ownerid="RHEL-07-020600" ruleid="accounts_user_interactive_home_directory_defined" severity="medium">
--    <VMSinfo SVKey="86635" VKey="72011" VRelease="2"/>
--    <title text="The Red Hat Enterprise Linux operating system must be configured so that all local interactive users have a home directory assigned in the /etc/passwd file."/>
--  </overlay>
--  <overlay disa="366" owner="disastig" ownerid="RHEL-07-020610" ruleid="accounts_have_homedir_login_defs" severity="medium">
--    <VMSinfo SVKey="86637" VKey="72013" VRelease="2"/>
-+  <overlay owner="disastig" ruleid="accounts_have_homedir_login_defs" ownerid="RHEL-07-020610" disa="366" severity="medium">
-+    <VMSinfo VKey="72013" SVKey="86637" VRelease="2"/>
-     <title text="The Red Hat Enterprise Linux operating system must be configured so that all local interactive user accounts, upon creation, are assigned a home directory."/>
-   </overlay>
--  <overlay disa="366" owner="disastig" ownerid="RHEL-07-020620" ruleid="accounts_user_interactive_home_directory_exists" severity="medium">
--    <VMSinfo SVKey="86639" VKey="72015" VRelease="2"/>
--    <title text="The Red Hat Enterprise Linux operating system must be configured so that all local interactive user home directories are defined in the /etc/passwd file."/>
-+  <overlay owner="disastig" ruleid="accounts_user_interactive_home_directory_exists" ownerid="RHEL-07-020620" disa="366" severity="medium">
-+    <VMSinfo VKey="72015" SVKey="86639" VRelease="3"/>
-+    <title text="The Red Hat Enterprise Linux operating system must be configured so that all local interactive users have a home directory assigned and defined in the /etc/passwd file."/>
-   </overlay>
--  <overlay disa="366" owner="disastig" ownerid="RHEL-07-020630" ruleid="file_permissions_home_directories" severity="medium">
--    <VMSinfo SVKey="86641" VKey="72017" VRelease="3"/>
-+  <overlay owner="disastig" ruleid="file_permissions_home_directories" ownerid="RHEL-07-020630" disa="366" severity="medium">
-+    <VMSinfo VKey="72017" SVKey="86641" VRelease="3"/>
-     <title text="The Red Hat Enterprise Linux operating system must be configured so that all local interactive user home directories have mode 0750 or less permissive."/>
-   </overlay>
--  <overlay disa="366" owner="disastig" ownerid="RHEL-07-020640" ruleid="file_ownership_home_directories" severity="medium">
--    <VMSinfo SVKey="86643" VKey="72019" VRelease="5"/>
-+  <overlay owner="disastig" ruleid="file_ownership_home_directories" ownerid="RHEL-07-020640" disa="366" severity="medium">
-+    <VMSinfo VKey="72019" SVKey="86643" VRelease="5"/>
-     <title text="The Red Hat Enterprise Linux operating system must be configured so that all local interactive user home directories are owned by their respective users."/>
-   </overlay>
--  <overlay disa="366" owner="disastig" ownerid="RHEL-07-020650" ruleid="file_groupownership_home_directories" severity="medium">
--    <VMSinfo SVKey="86645" VKey="72021" VRelease="5"/>
-+  <overlay owner="disastig" ruleid="file_groupownership_home_directories" ownerid="RHEL-07-020650" disa="366" severity="medium">
-+    <VMSinfo VKey="72021" SVKey="86645" VRelease="5"/>
-     <title text="The Red Hat Enterprise Linux operating system must be configured so that all local interactive user home directories are group-owned by the home directory owners primary group."/>
-   </overlay>
--  <overlay disa="366" owner="disastig" ownerid="RHEL-07-020660" ruleid="accounts_users_home_files_ownership" severity="medium">
--    <VMSinfo SVKey="86647" VKey="72023" VRelease="2"/>
-+  <overlay owner="disastig" ruleid="accounts_users_home_files_ownership" ownerid="RHEL-07-020660" disa="366" severity="medium">
-+    <VMSinfo VKey="72023" SVKey="86647" VRelease="2"/>
-     <title text="The Red Hat Enterprise Linux operating system must be configured so that all files and directories contained in local interactive user home directories are owned by the owner of the home directory."/>
-   </overlay>
--  <overlay disa="366" owner="disastig" ownerid="RHEL-07-020670" ruleid="accounts_users_home_files_groupownership" severity="medium">
--    <VMSinfo SVKey="86649" VKey="72025" VRelease="2"/>
-+  <overlay owner="disastig" ruleid="accounts_users_home_files_groupownership" ownerid="RHEL-07-020670" disa="366" severity="medium">
-+    <VMSinfo VKey="72025" SVKey="86649" VRelease="2"/>
-     <title text="The Red Hat Enterprise Linux operating system must be configured so that all files and directories contained in local interactive user home directories are group-owned by a group of which the home directory owner is a member."/>
-   </overlay>
--  <overlay disa="366" owner="disastig" ownerid="RHEL-07-020680" ruleid="accounts_users_home_files_permissions" severity="medium">
--    <VMSinfo SVKey="86651" VKey="72027" VRelease="2"/>
-+  <overlay owner="disastig" ruleid="accounts_users_home_files_permissions" ownerid="RHEL-07-020680" disa="366" severity="medium">
-+    <VMSinfo VKey="72027" SVKey="86651" VRelease="2"/>
-     <title text="The Red Hat Enterprise Linux operating system must be configured so that all files and directories contained in local interactive user home directories have a mode of 0750 or less permissive."/>
-   </overlay>
--  <overlay disa="366" owner="disastig" ownerid="RHEL-07-020690" ruleid="accounts_user_dot_user_ownership" severity="medium">
--    <VMSinfo SVKey="86653" VKey="72029" VRelease="3"/>
-+  <overlay owner="disastig" ruleid="accounts_user_dot_user_ownership" ownerid="RHEL-07-020690" disa="366" severity="medium">
-+    <VMSinfo VKey="72029" SVKey="86653" VRelease="4"/>
-     <title text="The Red Hat Enterprise Linux operating system must be configured so that all local initialization files for interactive users are owned by the home directory user or root."/>
-   </overlay>
--  <overlay disa="366" owner="disastig" ownerid="RHEL-07-020700" ruleid="accounts_user_dot_group_ownership" severity="medium">
--    <VMSinfo SVKey="86655" VKey="72031" VRelease="4"/>
-+  <overlay owner="disastig" ruleid="accounts_user_dot_group_ownership" ownerid="RHEL-07-020700" disa="366" severity="medium">
-+    <VMSinfo VKey="72031" SVKey="86655" VRelease="4"/>
-     <title text="The Red Hat Enterprise Linux operating system must be configured so that all local initialization files for local interactive users are be group-owned by the users primary group or root."/>
-   </overlay>
--  <overlay disa="366" owner="disastig" ownerid="RHEL-07-020710" ruleid="file_permission_user_init_files" severity="medium">
--    <VMSinfo SVKey="86657" VKey="72033" VRelease="3"/>
-+  <overlay owner="disastig" ruleid="file_permission_user_init_files" ownerid="RHEL-07-020710" disa="366" severity="medium">
-+    <VMSinfo VKey="72033" SVKey="86657" VRelease="3"/>
-     <title text="The Red Hat Enterprise Linux operating system must be configured so that all local initialization files have mode 0740 or less permissive."/>
-   </overlay>
--  <overlay disa="366" owner="disastig" ownerid="RHEL-07-020720" ruleid="accounts_user_home_paths_only" severity="medium">
--    <VMSinfo SVKey="86659" VKey="72035" VRelease="4"/>
-+  <overlay owner="disastig" ruleid="accounts_user_home_paths_only" ownerid="RHEL-07-020720" disa="366" severity="medium">
-+    <VMSinfo VKey="72035" SVKey="86659" VRelease="4"/>
-     <title text="The Red Hat Enterprise Linux operating system must be configured so that all local interactive user initialization files executable search paths contain only paths that resolve to the users home directory."/>
-   </overlay>
--  <overlay disa="366" owner="disastig" ownerid="RHEL-07-020730" ruleid="accounts_user_dot_no_world_writable_programs" severity="medium">
--    <VMSinfo SVKey="86661" VKey="72037" VRelease="2"/>
-+  <overlay owner="disastig" ruleid="accounts_user_dot_no_world_writable_programs" ownerid="RHEL-07-020730" disa="366" severity="medium">
-+    <VMSinfo VKey="72037" SVKey="86661" VRelease="2"/>
-     <title text="The Red Hat Enterprise Linux operating system must be configured so that local initialization files do not execute world-writable programs."/>
-   </overlay>
--  <overlay disa="1814" owner="disastig" ownerid="RHEL-07-020900" ruleid="selinux_all_devicefiles_labeled" severity="medium">
--    <VMSinfo SVKey="86663" VKey="72039" VRelease="2"/>
-+  <overlay owner="disastig" ruleid="selinux_all_devicefiles_labeled" ownerid="RHEL-07-020900" disa="1814" severity="medium">
-+    <VMSinfo VKey="72039" SVKey="86663" VRelease="2"/>
-     <title text="The Red Hat Enterprise Linux operating system must be configured so that all system device files are correctly labeled to prevent unauthorized modification."/>
-   </overlay>
--  <overlay disa="366" owner="disastig" ownerid="RHEL-07-021000" ruleid="mount_option_home_nosuid" severity="medium">
--    <VMSinfo SVKey="86665" VKey="72041" VRelease="4"/>
-+  <overlay owner="disastig" ruleid="mount_option_home_nosuid" ownerid="RHEL-07-021000" disa="366" severity="medium">
-+    <VMSinfo VKey="72041" SVKey="86665" VRelease="4"/>
-     <title text="The Red Hat Enterprise Linux operating system must be configured so that file systems containing user home directories are mounted to prevent files with the setuid and setgid bit set from being executed."/>
-   </overlay>
--  <overlay disa="366" owner="disastig" ownerid="RHEL-07-021010" ruleid="mount_option_nosuid_removable_partitions" severity="medium">
--    <VMSinfo SVKey="86667" VKey="72043" VRelease="2"/>
-+  <overlay owner="disastig" ruleid="mount_option_nosuid_removable_partitions" ownerid="RHEL-07-021010" disa="366" severity="medium">
-+    <VMSinfo VKey="72043" SVKey="86667" VRelease="2"/>
-     <title text="The Red Hat Enterprise Linux operating system must prevent files with the setuid and setgid bit set from being executed on file systems that are used with removable media."/>
-   </overlay>
--  <overlay disa="366" owner="disastig" ownerid="RHEL-07-021020" ruleid="mount_option_nosuid_remote_filesystems" severity="medium">
--    <VMSinfo SVKey="86669" VKey="72045" VRelease="2"/>
-+  <overlay owner="disastig" ruleid="mount_option_nosuid_remote_filesystems" ownerid="RHEL-07-021020" disa="366" severity="medium">
-+    <VMSinfo VKey="72045" SVKey="86669" VRelease="2"/>
-     <title text="The Red Hat Enterprise Linux operating system must prevent files with the setuid and setgid bit set from being executed on file systems that are being imported via Network File System (NFS)."/>
-   </overlay>
--  <overlay disa="366" owner="disastig" ownerid="RHEL-07-021021" ruleid="mount_option_noexec_remote_filesystems" severity="medium">
--    <VMSinfo SVKey="87813" VKey="73161" VRelease="2"/>
-+  <overlay owner="disastig" ruleid="mount_option_noexec_remote_filesystems" ownerid="RHEL-07-021021" disa="366" severity="medium">
-+    <VMSinfo VKey="73161" SVKey="87813" VRelease="2"/>
-     <title text="The Red Hat Enterprise Linux operating system must prevent binary files from being executed on file systems that are being imported via Network File System (NFS)."/>
-   </overlay>
--  <overlay disa="1764" owner="disastig" ownerid="RHEL-07-021022" ruleid="XXXX" severity="low">
--    <VMSinfo SVKey="95721" VKey="81009" VRelease="2"/>
--    <title text="The Red Hat Enterprise Linux operating system must mount /dev/shm with the nodev option."/>
-+  <overlay owner="disastig" ruleid="mount_option_dev_shm_noexec" ownerid="RHEL-07-021024" disa="1764" severity="low">
-+    <VMSinfo VKey="81013" SVKey="95725" VRelease="3"/>
-+    <title text="The Red Hat Enterprise Linux operating system must mount /dev/shm with secure options."/>
-   </overlay>
--  <overlay disa="1764" owner="disastig" ownerid="RHEL-07-021023" ruleid="XXXX" severity="low">
--    <VMSinfo SVKey="95723" VKey="81011" VRelease="2"/>
--    <title text="The Red Hat Enterprise Linux operating system must mount /dev/shm with the nosuid option."/>
--  </overlay>
--  <overlay disa="1764" owner="disastig" ownerid="RHEL-07-021024" ruleid="XXXX" severity="low">
--    <VMSinfo SVKey="95725" VKey="81013" VRelease="2"/>
--    <title text="The Red Hat Enterprise Linux operating system must mount /dev/shm with the noexec option."/>
--  </overlay>
--  <overlay disa="366" owner="disastig" ownerid="RHEL-07-021030" ruleid="dir_perms_world_writable_system_owned" severity="medium">
--    <VMSinfo SVKey="86671" VKey="72047" VRelease="4"/>
-+  <overlay owner="disastig" ruleid="dir_perms_world_writable_system_owned" ownerid="RHEL-07-021030" disa="366" severity="medium">
-+    <VMSinfo VKey="72047" SVKey="86671" VRelease="4"/>
-     <title text="The Red Hat Enterprise Linux operating system must be configured so that all world-writable directories are group-owned by root, sys, bin, or an application group."/>
-   </overlay>
--  <overlay disa="1814" owner="disastig" ownerid="RHEL-07-021040" ruleid="accounts_umask_interactive_users" severity="medium">
--    <VMSinfo SVKey="86673" VKey="72049" VRelease="2"/>
-+  <overlay owner="disastig" ruleid="accounts_umask_interactive_users" ownerid="RHEL-07-021040" disa="1814" severity="medium">
-+    <VMSinfo VKey="72049" SVKey="86673" VRelease="2"/>
-     <title text="The Red Hat Enterprise Linux operating system must set the umask value to 077 for all local interactive user accounts."/>
-   </overlay>
--  <overlay disa="366" owner="disastig" ownerid="RHEL-07-021100" ruleid="rsyslog_cron_logging" severity="medium">
--    <VMSinfo SVKey="86675" VKey="72051" VRelease="2"/>
-+  <overlay owner="disastig" ruleid="rsyslog_cron_logging" ownerid="RHEL-07-021100" disa="366" severity="medium">
-+    <VMSinfo VKey="72051" SVKey="86675" VRelease="2"/>
-     <title text="The Red Hat Enterprise Linux operating system must have cron logging implemented."/>
-   </overlay>
--  <overlay disa="366" owner="disastig" ownerid="RHEL-07-021110" ruleid="file_owner_cron_allow" severity="medium">
--    <VMSinfo SVKey="86677" VKey="72053" VRelease="3"/>
-+  <overlay owner="disastig" ruleid="file_owner_cron_allow" ownerid="RHEL-07-021110" disa="366" severity="medium">
-+    <VMSinfo VKey="72053" SVKey="86677" VRelease="3"/>
-     <title text="The Red Hat Enterprise Linux operating system must be configured so that the cron.allow file, if it exists, is owned by root."/>
-   </overlay>
--  <overlay disa="366" owner="disastig" ownerid="RHEL-07-021120" ruleid="file_groupowner_cron_allow" severity="medium">
--    <VMSinfo SVKey="86679" VKey="72055" VRelease="2"/>
-+  <overlay owner="disastig" ruleid="file_groupowner_cron_allow" ownerid="RHEL-07-021120" disa="366" severity="medium">
-+    <VMSinfo VKey="72055" SVKey="86679" VRelease="2"/>
-     <title text="The Red Hat Enterprise Linux operating system must be configured so that the cron.allow file, if it exists, is group-owned by root."/>
-   </overlay>
--  <overlay disa="366" owner="disastig" ownerid="RHEL-07-021300" ruleid="service_kdump_disabled" severity="medium">
--    <VMSinfo SVKey="86681" VKey="72057" VRelease="2"/>
-+  <overlay owner="disastig" ruleid="service_kdump_disabled" ownerid="RHEL-07-021300" disa="366" severity="medium">
-+    <VMSinfo VKey="72057" SVKey="86681" VRelease="2"/>
-     <title text="The Red Hat Enterprise Linux operating system must disable Kernel core dumps unless needed."/>
-   </overlay>
--  <overlay disa="366" owner="disastig" ownerid="RHEL-07-021310" ruleid="partition_for_home" severity="low">
--    <VMSinfo SVKey="86683" VKey="72059" VRelease="2"/>
-+  <overlay owner="disastig" ruleid="partition_for_home" ownerid="RHEL-07-021310" disa="366" severity="low">
-+    <VMSinfo VKey="72059" SVKey="86683" VRelease="2"/>
-     <title text="The Red Hat Enterprise Linux operating system must be configured so that a separate file system is used for user home directories (such as /home or an equivalent)."/>
-   </overlay>
--  <overlay disa="366" owner="disastig" ownerid="RHEL-07-021320" ruleid="partition_for_var" severity="low">
--    <VMSinfo SVKey="86685" VKey="72061" VRelease="2"/>
-+  <overlay owner="disastig" ruleid="partition_for_var" ownerid="RHEL-07-021320" disa="366" severity="low">
-+    <VMSinfo VKey="72061" SVKey="86685" VRelease="2"/>
-     <title text="The Red Hat Enterprise Linux operating system must use a separate file system for /var."/>
-   </overlay>
--  <overlay disa="366" owner="disastig" ownerid="RHEL-07-021330" ruleid="partition_for_var_log_audit" severity="low">
--    <VMSinfo SVKey="86687" VKey="72063" VRelease="6"/>
-+  <overlay owner="disastig" ruleid="partition_for_var_log_audit" ownerid="RHEL-07-021330" disa="366" severity="low">
-+    <VMSinfo VKey="72063" SVKey="86687" VRelease="6"/>
-     <title text="The Red Hat Enterprise Linux operating system must use a separate file system for the system audit data path."/>
-   </overlay>
--  <overlay disa="366" owner="disastig" ownerid="RHEL-07-021340" ruleid="partition_for_tmp" severity="low">
--    <VMSinfo SVKey="86689" VKey="72065" VRelease="3"/>
-+  <overlay owner="disastig" ruleid="partition_for_tmp" ownerid="RHEL-07-021340" disa="366" severity="low">
-+    <VMSinfo VKey="72065" SVKey="86689" VRelease="3"/>
-     <title text="The Red Hat Enterprise Linux operating system must use a separate file system for /tmp (or equivalent)."/>
-   </overlay>
--  <overlay disa="2476" owner="disastig" ownerid="RHEL-07-021350" ruleid="grub2_enable_fips_mode" severity="high">
--    <VMSinfo SVKey="86691" VKey="72067" VRelease="4"/>
-+  <overlay owner="disastig" ruleid="grub2_enable_fips_mode" ownerid="RHEL-07-021350" disa="2476" severity="high">
-+    <VMSinfo VKey="72067" SVKey="86691" VRelease="4"/>
-     <title text="The Red Hat Enterprise Linux operating system must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards."/>
-   </overlay>
--  <overlay disa="366" owner="disastig" ownerid="RHEL-07-021600" ruleid="aide_verify_acls" severity="low">
--    <VMSinfo SVKey="86693" VKey="72069" VRelease="3"/>
-+  <overlay owner="disastig" ruleid="aide_verify_acls" ownerid="RHEL-07-021600" disa="366" severity="low">
-+    <VMSinfo VKey="72069" SVKey="86693" VRelease="3"/>
-     <title text="The Red Hat Enterprise Linux operating system must be configured so that the file integrity tool is configured to verify Access Control Lists (ACLs)."/>
-   </overlay>
--  <overlay disa="366" owner="disastig" ownerid="RHEL-07-021610" ruleid="aide_verify_ext_attributes" severity="low">
--    <VMSinfo SVKey="86695" VKey="72071" VRelease="3"/>
-+  <overlay owner="disastig" ruleid="aide_verify_ext_attributes" ownerid="RHEL-07-021610" disa="366" severity="low">
-+    <VMSinfo VKey="72071" SVKey="86695" VRelease="3"/>
-     <title text="The Red Hat Enterprise Linux operating system must be configured so that the file integrity tool is configured to verify extended attributes."/>
-   </overlay>
--  <overlay disa="366" owner="disastig" ownerid="RHEL-07-021620" ruleid="aide_use_fips_hashes" severity="medium">
--    <VMSinfo SVKey="86697" VKey="72073" VRelease="3"/>
-+  <overlay owner="disastig" ruleid="aide_use_fips_hashes" ownerid="RHEL-07-021620" disa="366" severity="medium">
-+    <VMSinfo VKey="72073" SVKey="86697" VRelease="4"/>
-     <title text="The Red Hat Enterprise Linux operating system must use a file integrity tool that is configured to use FIPS 140-2 approved cryptographic hashes for validating file contents and directories."/>
-   </overlay>
--  <overlay disa="1814" owner="disastig" ownerid="RHEL-07-021700" ruleid="grub2_no_removeable_media" severity="medium">
--    <VMSinfo SVKey="86699" VKey="72075" VRelease="2"/>
-+  <overlay owner="disastig" ruleid="uefi_no_removeable_media" ownerid="RHEL-07-021700" disa="1814" severity="medium">
-+    <VMSinfo VKey="72075" SVKey="86699" VRelease="2"/>
-     <title text="The Red Hat Enterprise Linux operating system must not allow removable media to be used as the boot loader unless approved."/>
-   </overlay>
--  <overlay disa="381" owner="disastig" ownerid="RHEL-07-021710" ruleid="package_telnet-server_removed" severity="high">
--    <VMSinfo SVKey="86701" VKey="72077" VRelease="2"/>
-+  <overlay owner="disastig" ruleid="package_telnet-server_removed" ownerid="RHEL-07-021710" disa="381" severity="high">
-+    <VMSinfo VKey="72077" SVKey="86701" VRelease="2"/>
-     <title text="The Red Hat Enterprise Linux operating system must not have the telnet-server package installed."/>
-   </overlay>
--  <overlay disa="131" owner="disastig" ownerid="RHEL-07-030000" ruleid="service_auditd_enabled" severity="high">
--    <VMSinfo SVKey="86703" VKey="72079" VRelease="3"/>
-+  <overlay owner="disastig" ruleid="service_auditd_enabled" ownerid="RHEL-07-030000" disa="131" severity="high">
-+    <VMSinfo VKey="72079" SVKey="86703" VRelease="3"/>
-     <title text="The Red Hat Enterprise Linux operating system must be configured so that auditing is configured to produce records containing information to establish what type of events occurred, where the events occurred, the source of the events, and the outcome of the events. These audit records must also identify individual identities of group account users."/>
-   </overlay>
--  <overlay disa="139" owner="disastig" ownerid="RHEL-07-030010" ruleid="audit_rules_system_shutdown" severity="medium">
--    <VMSinfo SVKey="86705" VKey="72081" VRelease="4"/>
-+  <overlay owner="disastig" ruleid="audit_rules_system_shutdown" ownerid="RHEL-07-030010" disa="139" severity="medium">
-+    <VMSinfo VKey="72081" SVKey="86705" VRelease="5"/>
-     <title text="The Red Hat Enterprise Linux operating system must shut down upon audit processing failure, unless availability is an overriding concern. If availability is a concern, the system must alert the designated staff (System Administrator [SA] and Information System Security Officer [ISSO] at a minimum) in the event of an audit processing failure."/>
-   </overlay>
--  <overlay disa="1851" owner="disastig" ownerid="RHEL-07-030200" ruleid="auditd_audispd_configure_remote_server" severity="medium">
--    <VMSinfo SVKey="95727" VKey="81015" VRelease="1"/>
--    <title text="The Red Hat Enterprise Linux operating system must be configured to use the au-remote plugin."/>
--  </overlay>
--  <overlay disa="1851" owner="disastig" ownerid="RHEL-07-030201" ruleid="auditd_audispd_configure_remote_server" severity="medium">
--    <VMSinfo SVKey="95729" VKey="81017" VRelease="1"/>
--    <title text="The Red Hat Enterprise Linux operating system must configure the au-remote plugin to off-load audit logs using the audisp-remote daemon."/>
-+  <overlay owner="disastig" ruleid="auditd_audispd_configure_remote_server" ownerid="RHEL-07-030201" disa="1851" severity="medium">
-+    <VMSinfo VKey="81017" SVKey="95729" VRelease="2"/>
-+    <title text="The Red Hat Enterprise Linux operating system must be configured to off-load audit logs onto a different system or storage media from the system being audited."/>
-   </overlay>
--  <overlay disa="1851" owner="disastig" ownerid="RHEL-07-030210" ruleid="auditd_audispd_configure_remote_server" severity="medium">
--    <VMSinfo SVKey="95731" VKey="81019" VRelease="1"/>
-+  <overlay owner="disastig" ruleid="auditd_audispd_configure_remote_server" ownerid="RHEL-07-030210" disa="1851" severity="medium">
-+    <VMSinfo VKey="81019" SVKey="95731" VRelease="1"/>
-     <title text="The Red Hat Enterprise Linux operating system must take appropriate action when the audisp-remote buffer is full."/>
-   </overlay>
--  <overlay disa="1851" owner="disastig" ownerid="RHEL-07-030211" ruleid="auditd_audispd_configure_remote_server" severity="medium">
--    <VMSinfo SVKey="95733" VKey="81021" VRelease="1"/>
-+  <overlay owner="disastig" ruleid="auditd_audispd_configure_remote_server" ownerid="RHEL-07-030211" disa="1851" severity="medium">
-+    <VMSinfo VKey="81021" SVKey="95733" VRelease="1"/>
-     <title text="The Red Hat Enterprise Linux operating system must label all off-loaded audit logs before sending them to the central log server."/>
-   </overlay>
--  <overlay disa="1851" owner="disastig" ownerid="RHEL-07-030300" ruleid="auditd_audispd_configure_remote_server" severity="medium">
--    <VMSinfo SVKey="86707" VKey="72083" VRelease="2"/>
-+  <overlay owner="disastig" ruleid="auditd_audispd_configure_remote_server" ownerid="RHEL-07-030300" disa="1851" severity="medium">
-+    <VMSinfo VKey="72083" SVKey="86707" VRelease="2"/>
-     <title text="The Red Hat Enterprise Linux operating system must off-load audit records onto a different system or media from the system being audited."/>
-   </overlay>
--  <overlay disa="1851" owner="disastig" ownerid="RHEL-07-030310" ruleid="auditd_audispd_encrypt_sent_records" severity="medium">
--    <VMSinfo SVKey="86709" VKey="72085" VRelease="2"/>
-+  <overlay owner="disastig" ruleid="auditd_audispd_encrypt_sent_records" ownerid="RHEL-07-030310" disa="1851" severity="medium">
-+    <VMSinfo VKey="72085" SVKey="86709" VRelease="2"/>
-     <title text="The Red Hat Enterprise Linux operating system must encrypt the transfer of audit records off-loaded onto a different system or media from the system being audited."/>
-   </overlay>
--  <overlay disa="1851" owner="disastig" ownerid="RHEL-07-030320" ruleid="auditd_audispd_disk_full_action" severity="medium">
--    <VMSinfo SVKey="86711" VKey="72087" VRelease="3"/>
-+  <overlay owner="disastig" ruleid="auditd_audispd_disk_full_action" ownerid="RHEL-07-030320" disa="1851" severity="medium">
-+    <VMSinfo VKey="72087" SVKey="86711" VRelease="3"/>
-     <title text="The Red Hat Enterprise Linux operating system must be configured so that the audit system takes appropriate action when the audit storage volume is full."/>
-   </overlay>
--  <overlay disa="1851" owner="disastig" ownerid="RHEL-07-030321" ruleid="auditd_audispd_network_failure_action" severity="medium">
--    <VMSinfo SVKey="87815" VKey="73163" VRelease="3"/>
-+  <overlay owner="disastig" ruleid="auditd_audispd_network_failure_action" ownerid="RHEL-07-030321" disa="1851" severity="medium">
-+    <VMSinfo VKey="73163" SVKey="87815" VRelease="3"/>
-     <title text="The Red Hat Enterprise Linux operating system must be configured so that the audit system takes appropriate action when there is an error sending audit records to a remote system."/>
-   </overlay>
--  <overlay disa="1855" owner="disastig" ownerid="RHEL-07-030330" ruleid="auditd_data_retention_space_left" severity="medium">
--    <VMSinfo SVKey="86713" VKey="72089" VRelease="4"/>
-+  <overlay owner="disastig" ruleid="auditd_data_retention_space_left" ownerid="RHEL-07-030330" disa="1855" severity="medium">
-+    <VMSinfo VKey="72089" SVKey="86713" VRelease="4"/>
-     <title text="The Red Hat Enterprise Linux operating system must initiate an action to notify the System Administrator (SA) and Information System Security Officer ISSO, at a minimum, when allocated audit record storage volume reaches 75% of the repository maximum audit record storage capacity."/>
-   </overlay>
--  <overlay disa="1855" owner="disastig" ownerid="RHEL-07-030340" ruleid="auditd_data_retention_space_left_action" severity="medium">
--    <VMSinfo SVKey="86715" VKey="72091" VRelease="2"/>
-+  <overlay owner="disastig" ruleid="auditd_data_retention_space_left_action" ownerid="RHEL-07-030340" disa="1855" severity="medium">
-+    <VMSinfo VKey="72091" SVKey="86715" VRelease="2"/>
-     <title text="The Red Hat Enterprise Linux operating system must immediately notify the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) via email when the threshold for the repository maximum audit record storage capacity is reached."/>
-   </overlay>
--  <overlay disa="1855" owner="disastig" ownerid="RHEL-07-030350" ruleid="auditd_data_retention_action_mail_acct" severity="medium">
--    <VMSinfo SVKey="86717" VKey="72093" VRelease="3"/>
-+  <overlay owner="disastig" ruleid="auditd_data_retention_action_mail_acct" ownerid="RHEL-07-030350" disa="1855" severity="medium">
-+    <VMSinfo VKey="72093" SVKey="86717" VRelease="3"/>
-     <title text="The Red Hat Enterprise Linux operating system must immediately notify the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) when the threshold for the repository maximum audit record storage capacity is reached."/>
-   </overlay>
--  <overlay disa="2234" owner="disastig" ownerid="RHEL-07-030360" ruleid="audit_rules_privileged_commands" severity="medium">
--    <VMSinfo SVKey="86719" VKey="72095" VRelease="7"/>
-+  <overlay owner="disastig" ruleid="audit_rules_privileged_commands" ownerid="RHEL-07-030360" disa="2234" severity="medium">
-+    <VMSinfo VKey="72095" SVKey="86719" VRelease="7"/>
-     <title text="The Red Hat Enterprise Linux operating system must audit all executions of privileged functions."/>
-   </overlay>
--  <overlay disa="172" owner="disastig" ownerid="RHEL-07-030370" ruleid="audit_rules_dac_modification_chown" severity="medium">
--    <VMSinfo SVKey="86721" VKey="72097" VRelease="5"/>
-+  <overlay owner="disastig" ruleid="audit_rules_dac_modification_chown" ownerid="RHEL-07-030370" disa="172" severity="medium">
-+    <VMSinfo VKey="72097" SVKey="86721" VRelease="6"/>
-     <title text="The Red Hat Enterprise Linux operating system must audit all uses of the chown syscall."/>
-   </overlay>
--  <overlay disa="172" owner="disastig" ownerid="RHEL-07-030380" ruleid="audit_rules_dac_modification_fchown" severity="medium">
--    <VMSinfo SVKey="86723" VKey="72099" VRelease="5"/>
-+  <overlay owner="disastig" ruleid="audit_rules_dac_modification_fchown" ownerid="RHEL-07-030380" disa="172" severity="medium">
-+    <VMSinfo VKey="72099" SVKey="86723" VRelease="6"/>
-     <title text="The Red Hat Enterprise Linux operating system must audit all uses of the fchown syscall."/>
-   </overlay>
--  <overlay disa="172" owner="disastig" ownerid="RHEL-07-030390" ruleid="audit_rules_dac_modification_lchown" severity="medium">
--    <VMSinfo SVKey="86725" VKey="72101" VRelease="5"/>
-+  <overlay owner="disastig" ruleid="audit_rules_dac_modification_lchown" ownerid="RHEL-07-030390" disa="172" severity="medium">
-+    <VMSinfo VKey="72101" SVKey="86725" VRelease="6"/>
-     <title text="The Red Hat Enterprise Linux operating system must audit all uses of the lchown syscall."/>
-   </overlay>
--  <overlay disa="172" owner="disastig" ownerid="RHEL-07-030400" ruleid="audit_rules_dac_modification_fchownat" severity="medium">
--    <VMSinfo SVKey="86727" VKey="72103" VRelease="5"/>
-+  <overlay owner="disastig" ruleid="audit_rules_dac_modification_fchownat" ownerid="RHEL-07-030400" disa="172" severity="medium">
-+    <VMSinfo VKey="72103" SVKey="86727" VRelease="6"/>
-     <title text="The Red Hat Enterprise Linux operating system must audit all uses of the fchownat syscall."/>
-   </overlay>
--  <overlay disa="172" owner="disastig" ownerid="RHEL-07-030410" ruleid="audit_rules_dac_modification_chmod" severity="medium">
--    <VMSinfo SVKey="86729" VKey="72105" VRelease="5"/>
-+  <overlay owner="disastig" ruleid="audit_rules_dac_modification_chmod" ownerid="RHEL-07-030410" disa="172" severity="medium">
-+    <VMSinfo VKey="72105" SVKey="86729" VRelease="6"/>
-     <title text="The Red Hat Enterprise Linux operating system must audit all uses of the chmod syscall."/>
-   </overlay>
--  <overlay disa="172" owner="disastig" ownerid="RHEL-07-030420" ruleid="audit_rules_dac_modification_fchmod" severity="medium">
--    <VMSinfo SVKey="86731" VKey="72107" VRelease="5"/>
-+  <overlay owner="disastig" ruleid="audit_rules_dac_modification_fchmod" ownerid="RHEL-07-030420" disa="172" severity="medium">
-+    <VMSinfo VKey="72107" SVKey="86731" VRelease="6"/>
-     <title text="The Red Hat Enterprise Linux operating system must audit all uses of the fchmod syscall."/>
-   </overlay>
--  <overlay disa="172" owner="disastig" ownerid="RHEL-07-030430" ruleid="audit_rules_dac_modification_fchmodat" severity="medium">
--    <VMSinfo SVKey="86733" VKey="72109" VRelease="5"/>
-+  <overlay owner="disastig" ruleid="audit_rules_dac_modification_fchmodat" ownerid="RHEL-07-030430" disa="172" severity="medium">
-+    <VMSinfo VKey="72109" SVKey="86733" VRelease="6"/>
-     <title text="The Red Hat Enterprise Linux operating system must audit all uses of the fchmodat syscall."/>
-   </overlay>
--  <overlay disa="172" owner="disastig" ownerid="RHEL-07-030440" ruleid="audit_rules_dac_modification_setxattr" severity="medium">
--    <VMSinfo SVKey="86735" VKey="72111" VRelease="5"/>
-+  <overlay owner="disastig" ruleid="audit_rules_dac_modification_setxattr" ownerid="RHEL-07-030440" disa="172" severity="medium">
-+    <VMSinfo VKey="72111" SVKey="86735" VRelease="6"/>
-     <title text="The Red Hat Enterprise Linux operating system must audit all uses of the setxattr syscall."/>
-   </overlay>
--  <overlay disa="172" owner="disastig" ownerid="RHEL-07-030450" ruleid="audit_rules_dac_modification_fsetxattr" severity="medium">
--    <VMSinfo SVKey="86737" VKey="72113" VRelease="5"/>
-+  <overlay owner="disastig" ruleid="audit_rules_dac_modification_fsetxattr" ownerid="RHEL-07-030450" disa="172" severity="medium">
-+    <VMSinfo VKey="72113" SVKey="86737" VRelease="6"/>
-     <title text="The Red Hat Enterprise Linux operating system must audit all uses of the fsetxattr syscall."/>
-   </overlay>
--  <overlay disa="172" owner="disastig" ownerid="RHEL-07-030460" ruleid="audit_rules_dac_modification_lsetxattr" severity="medium">
--    <VMSinfo SVKey="86739" VKey="72115" VRelease="5"/>
-+  <overlay owner="disastig" ruleid="audit_rules_dac_modification_lsetxattr" ownerid="RHEL-07-030460" disa="172" severity="medium">
-+    <VMSinfo VKey="72115" SVKey="86739" VRelease="6"/>
-     <title text="The Red Hat Enterprise Linux operating system must audit all uses of the lsetxattr syscall."/>
-   </overlay>
--  <overlay disa="172" owner="disastig" ownerid="RHEL-07-030470" ruleid="audit_rules_dac_modification_removexattr" severity="medium">
--    <VMSinfo SVKey="86741" VKey="72117" VRelease="5"/>
-+  <overlay owner="disastig" ruleid="audit_rules_dac_modification_removexattr" ownerid="RHEL-07-030470" disa="172" severity="medium">
-+    <VMSinfo VKey="72117" SVKey="86741" VRelease="6"/>
-     <title text="The Red Hat Enterprise Linux operating system must audit all uses of the removexattr syscall."/>
-   </overlay>
--  <overlay disa="172" owner="disastig" ownerid="RHEL-07-030480" ruleid="audit_rules_dac_modification_fremovexattr" severity="medium">
--    <VMSinfo SVKey="86743" VKey="72119" VRelease="5"/>
-+  <overlay owner="disastig" ruleid="audit_rules_dac_modification_fremovexattr" ownerid="RHEL-07-030480" disa="172" severity="medium">
-+    <VMSinfo VKey="72119" SVKey="86743" VRelease="6"/>
-     <title text="The Red Hat Enterprise Linux operating system must audit all uses of the fremovexattr syscall."/>
-   </overlay>
--  <overlay disa="172" owner="disastig" ownerid="RHEL-07-030490" ruleid="audit_rules_dac_modification_lremovexattr" severity="medium">
--    <VMSinfo SVKey="86745" VKey="72121" VRelease="5"/>
-+  <overlay owner="disastig" ruleid="audit_rules_dac_modification_lremovexattr" ownerid="RHEL-07-030490" disa="172" severity="medium">
-+    <VMSinfo VKey="72121" SVKey="86745" VRelease="6"/>
-     <title text="The Red Hat Enterprise Linux operating system must audit all uses of the lremovexattr syscall."/>
-   </overlay>
--  <overlay disa="2884" owner="disastig" ownerid="RHEL-07-030500" ruleid="audit_rules_unsuccessful_file_modification_creat" severity="medium">
--    <VMSinfo SVKey="86747" VKey="72123" VRelease="5"/>
-+  <overlay owner="disastig" ruleid="audit_rules_unsuccessful_file_modification_creat" ownerid="RHEL-07-030500" disa="2884" severity="medium">
-+    <VMSinfo VKey="72123" SVKey="86747" VRelease="6"/>
-     <title text="The Red Hat Enterprise Linux operating system must audit all uses of the creat syscall."/>
-   </overlay>
--  <overlay disa="2884" owner="disastig" ownerid="RHEL-07-030510" ruleid="audit_rules_unsuccessful_file_modification_open" severity="medium">
--    <VMSinfo SVKey="86749" VKey="72125" VRelease="5"/>
-+  <overlay owner="disastig" ruleid="audit_rules_unsuccessful_file_modification_open" ownerid="RHEL-07-030510" disa="2884" severity="medium">
-+    <VMSinfo VKey="72125" SVKey="86749" VRelease="6"/>
-     <title text="The Red Hat Enterprise Linux operating system must audit all uses of the open syscall."/>
-   </overlay>
--  <overlay disa="2884" owner="disastig" ownerid="RHEL-07-030520" ruleid="audit_rules_unsuccessful_file_modification_openat" severity="medium">
--    <VMSinfo SVKey="86751" VKey="72127" VRelease="5"/>
-+  <overlay owner="disastig" ruleid="audit_rules_unsuccessful_file_modification_openat" ownerid="RHEL-07-030520" disa="2884" severity="medium">
-+    <VMSinfo VKey="72127" SVKey="86751" VRelease="6"/>
-     <title text="The Red Hat Enterprise Linux operating system must audit all uses of the openat syscall."/>
-   </overlay>
--  <overlay disa="2884" owner="disastig" ownerid="RHEL-07-030530" ruleid="audit_rules_unsuccessful_file_modification_open_by_handle_at" severity="medium">
--    <VMSinfo SVKey="86753" VKey="72129" VRelease="5"/>
-+  <overlay owner="disastig" ruleid="audit_rules_unsuccessful_file_modification_open_by_handle_at" ownerid="RHEL-07-030530" disa="2884" severity="medium">
-+    <VMSinfo VKey="72129" SVKey="86753" VRelease="6"/>
-     <title text="The Red Hat Enterprise Linux operating system must audit all uses of the open_by_handle_at syscall."/>
-   </overlay>
--  <overlay disa="2884" owner="disastig" ownerid="RHEL-07-030540" ruleid="audit_rules_unsuccessful_file_modification_truncate" severity="medium">
--    <VMSinfo SVKey="86755" VKey="72131" VRelease="5"/>
-+  <overlay owner="disastig" ruleid="audit_rules_unsuccessful_file_modification_truncate" ownerid="RHEL-07-030540" disa="2884" severity="medium">
-+    <VMSinfo VKey="72131" SVKey="86755" VRelease="6"/>
-     <title text="The Red Hat Enterprise Linux operating system must audit all uses of the truncate syscall."/>
-   </overlay>
--  <overlay disa="2884" owner="disastig" ownerid="RHEL-07-030550" ruleid="audit_rules_unsuccessful_file_modification_ftruncate" severity="medium">
--    <VMSinfo SVKey="86757" VKey="72133" VRelease="5"/>
-+  <overlay owner="disastig" ruleid="audit_rules_unsuccessful_file_modification_ftruncate" ownerid="RHEL-07-030550" disa="2884" severity="medium">
-+    <VMSinfo VKey="72133" SVKey="86757" VRelease="6"/>
-     <title text="The Red Hat Enterprise Linux operating system must audit all uses of the ftruncate syscall."/>
-   </overlay>
--  <overlay disa="2884" owner="disastig" ownerid="RHEL-07-030560" ruleid="audit_rules_execution_semanage" severity="medium">
--    <VMSinfo SVKey="86759" VKey="72135" VRelease="4"/>
-+  <overlay owner="disastig" ruleid="audit_rules_execution_semanage" ownerid="RHEL-07-030560" disa="2884" severity="medium">
-+    <VMSinfo VKey="72135" SVKey="86759" VRelease="5"/>
-     <title text="The Red Hat Enterprise Linux operating system must audit all uses of the semanage command."/>
-   </overlay>
--  <overlay disa="2884" owner="disastig" ownerid="RHEL-07-030570" ruleid="audit_rules_execution_setsebool" severity="medium">
--    <VMSinfo SVKey="86761" VKey="72137" VRelease="4"/>
-+  <overlay owner="disastig" ruleid="audit_rules_execution_setsebool" ownerid="RHEL-07-030570" disa="2884" severity="medium">
-+    <VMSinfo VKey="72137" SVKey="86761" VRelease="5"/>
-     <title text="The Red Hat Enterprise Linux operating system must audit all uses of the setsebool command."/>
-   </overlay>
--  <overlay disa="2884" owner="disastig" ownerid="RHEL-07-030580" ruleid="audit_rules_execution_chcon" severity="medium">
--    <VMSinfo SVKey="86763" VKey="72139" VRelease="4"/>
-+  <overlay owner="disastig" ruleid="audit_rules_execution_chcon" ownerid="RHEL-07-030580" disa="2884" severity="medium">
-+    <VMSinfo VKey="72139" SVKey="86763" VRelease="5"/>
-     <title text="The Red Hat Enterprise Linux operating system must audit all uses of the chcon command."/>
-   </overlay>
--  <overlay disa="2884" owner="disastig" ownerid="RHEL-07-030590" ruleid="audit_rules_execution_setfiles" severity="medium">
--    <VMSinfo SVKey="86765" VKey="72141" VRelease="5"/>
-+  <overlay owner="disastig" ruleid="audit_rules_execution_setfiles" ownerid="RHEL-07-030590" disa="2884" severity="medium">
-+    <VMSinfo VKey="72141" SVKey="86765" VRelease="6"/>
-     <title text="The Red Hat Enterprise Linux operating system must audit all uses of the setfiles command."/>
-   </overlay>
--  <overlay disa="2884" owner="disastig" ownerid="RHEL-07-030610" ruleid="audit_rules_login_events_faillock" severity="medium">
--    <VMSinfo SVKey="86769" VKey="72145" VRelease="4"/>
-+  <overlay owner="disastig" ruleid="audit_rules_login_events_faillock" ownerid="RHEL-07-030610" disa="2884" severity="medium">
-+    <VMSinfo VKey="72145" SVKey="86769" VRelease="4"/>
-     <title text="The Red Hat Enterprise Linux operating system must generate audit records for all unsuccessful account access events."/>
-   </overlay>
--  <overlay disa="2884" owner="disastig" ownerid="RHEL-07-030620" ruleid="audit_rules_login_events_lastlog" severity="medium">
--    <VMSinfo SVKey="86771" VKey="72147" VRelease="3"/>
-+  <overlay owner="disastig" ruleid="audit_rules_login_events_lastlog" ownerid="RHEL-07-030620" disa="2884" severity="medium">
-+    <VMSinfo VKey="72147" SVKey="86771" VRelease="3"/>
-     <title text="The Red Hat Enterprise Linux operating system must generate audit records for all successful account access events."/>
-   </overlay>
--  <overlay disa="2884" owner="disastig" ownerid="RHEL-07-030630" ruleid="audit_rules_privileged_commands_passwd" severity="medium">
--    <VMSinfo SVKey="86773" VKey="72149" VRelease="5"/>
-+  <overlay owner="disastig" ruleid="audit_rules_privileged_commands_passwd" ownerid="RHEL-07-030630" disa="2884" severity="medium">
-+    <VMSinfo VKey="72149" SVKey="86773" VRelease="6"/>
-     <title text="The Red Hat Enterprise Linux operating system must audit all uses of the passwd command."/>
-   </overlay>
--  <overlay disa="2884" owner="disastig" ownerid="RHEL-07-030640" ruleid="audit_rules_privileged_commands_unix_chkpwd" severity="medium">
--    <VMSinfo SVKey="86775" VKey="72151" VRelease="5"/>
-+  <overlay owner="disastig" ruleid="audit_rules_privileged_commands_unix_chkpwd" ownerid="RHEL-07-030640" disa="2884" severity="medium">
-+    <VMSinfo VKey="72151" SVKey="86775" VRelease="6"/>
-     <title text="The Red Hat Enterprise Linux operating system must audit all uses of the unix_chkpwd command."/>
-   </overlay>
--  <overlay disa="2884" owner="disastig" ownerid="RHEL-07-030650" ruleid="audit_rules_privileged_commands_gpasswd" severity="medium">
--    <VMSinfo SVKey="86777" VKey="72153" VRelease="5"/>
-+  <overlay owner="disastig" ruleid="audit_rules_privileged_commands_gpasswd" ownerid="RHEL-07-030650" disa="2884" severity="medium">
-+    <VMSinfo VKey="72153" SVKey="86777" VRelease="6"/>
-     <title text="The Red Hat Enterprise Linux operating system must audit all uses of the gpasswd command."/>
-   </overlay>
--  <overlay disa="2884" owner="disastig" ownerid="RHEL-07-030660" ruleid="audit_rules_privileged_commands_chage" severity="medium">
--    <VMSinfo SVKey="86779" VKey="72155" VRelease="5"/>
-+  <overlay owner="disastig" ruleid="audit_rules_privileged_commands_chage" ownerid="RHEL-07-030660" disa="2884" severity="medium">
-+    <VMSinfo VKey="72155" SVKey="86779" VRelease="6"/>
-     <title text="The Red Hat Enterprise Linux operating system must audit all uses of the chage command."/>
-   </overlay>
--  <overlay disa="2884" owner="disastig" ownerid="RHEL-07-030670" ruleid="audit_rules_privileged_commands_userhelper" severity="medium">
--    <VMSinfo SVKey="86781" VKey="72157" VRelease="5"/>
-+  <overlay owner="disastig" ruleid="audit_rules_privileged_commands_userhelper" ownerid="RHEL-07-030670" disa="2884" severity="medium">
-+    <VMSinfo VKey="72157" SVKey="86781" VRelease="6"/>
-     <title text="The Red Hat Enterprise Linux operating system must audit all uses of the userhelper command."/>
-   </overlay>
--  <overlay disa="2884" owner="disastig" ownerid="RHEL-07-030680" ruleid="audit_rules_privileged_commands_su" severity="medium">
--    <VMSinfo SVKey="86783" VKey="72159" VRelease="5"/>
-+  <overlay owner="disastig" ruleid="audit_rules_privileged_commands_su" ownerid="RHEL-07-030680" disa="2884" severity="medium">
-+    <VMSinfo VKey="72159" SVKey="86783" VRelease="6"/>
-     <title text="The Red Hat Enterprise Linux operating system must audit all uses of the su command."/>
-   </overlay>
--  <overlay disa="2884" owner="disastig" ownerid="RHEL-07-030690" ruleid="audit_rules_privileged_commands_sudo" severity="medium">
--    <VMSinfo SVKey="86785" VKey="72161" VRelease="4"/>
-+  <overlay owner="disastig" ruleid="audit_rules_privileged_commands_sudo" ownerid="RHEL-07-030690" disa="2884" severity="medium">
-+    <VMSinfo VKey="72161" SVKey="86785" VRelease="5"/>
-     <title text="The Red Hat Enterprise Linux operating system must audit all uses of the sudo command."/>
-   </overlay>
--  <overlay disa="2884" owner="disastig" ownerid="RHEL-07-030700" ruleid="audit_rules_sysadmin_actions" severity="medium">
--    <VMSinfo SVKey="86787" VKey="72163" VRelease="5"/>
-+  <overlay owner="disastig" ruleid="audit_rules_sysadmin_actions" ownerid="RHEL-07-030700" disa="2884" severity="medium">
-+    <VMSinfo VKey="72163" SVKey="86787" VRelease="5"/>
-     <title text="The Red Hat Enterprise Linux operating system must audit all uses of the sudoers file and all files in the /etc/sudoers.d/ directory."/>
-   </overlay>
--  <overlay disa="2884" owner="disastig" ownerid="RHEL-07-030710" ruleid="audit_rules_privileged_commands_newgrp" severity="medium">
--    <VMSinfo SVKey="86789" VKey="72165" VRelease="4"/>
-+  <overlay owner="disastig" ruleid="audit_rules_privileged_commands_newgrp" ownerid="RHEL-07-030710" disa="2884" severity="medium">
-+    <VMSinfo VKey="72165" SVKey="86789" VRelease="5"/>
-     <title text="The Red Hat Enterprise Linux operating system must audit all uses of the newgrp command."/>
-   </overlay>
--  <overlay disa="2884" owner="disastig" ownerid="RHEL-07-030720" ruleid="audit_rules_privileged_commands_chsh" severity="medium">
--    <VMSinfo SVKey="86791" VKey="72167" VRelease="4"/>
-+  <overlay owner="disastig" ruleid="audit_rules_privileged_commands_chsh" ownerid="RHEL-07-030720" disa="2884" severity="medium">
-+    <VMSinfo VKey="72167" SVKey="86791" VRelease="5"/>
-     <title text="The Red Hat Enterprise Linux operating system must audit all uses of the chsh command."/>
-   </overlay>
--  <overlay disa="2884" owner="disastig" ownerid="RHEL-07-030740" ruleid="audit_rules_media_export" severity="medium">
--    <VMSinfo SVKey="86795" VKey="72171" VRelease="7"/>
-+  <overlay owner="disastig" ruleid="audit_rules_privileged_commands_mount" ownerid="RHEL-07-030740" disa="2884" severity="medium">
-+    <VMSinfo VKey="72171" SVKey="86795" VRelease="8"/>
-     <title text="The Red Hat Enterprise Linux operating system must audit all uses of the mount command and syscall."/>
-   </overlay>
--  <overlay disa="2884" owner="disastig" ownerid="RHEL-07-030750" ruleid="audit_rules_privileged_commands_umount" severity="medium">
--    <VMSinfo SVKey="86797" VKey="72173" VRelease="5"/>
-+  <overlay owner="disastig" ruleid="audit_rules_privileged_commands_umount" ownerid="RHEL-07-030750" disa="2884" severity="medium">
-+    <VMSinfo VKey="72173" SVKey="86797" VRelease="6"/>
-     <title text="The Red Hat Enterprise Linux operating system must audit all uses of the umount command."/>
-   </overlay>
--  <overlay disa="2884" owner="disastig" ownerid="RHEL-07-030760" ruleid="audit_rules_privileged_commands_postdrop" severity="medium">
--    <VMSinfo SVKey="86799" VKey="72175" VRelease="4"/>
-+  <overlay owner="disastig" ruleid="audit_rules_privileged_commands_postdrop" ownerid="RHEL-07-030760" disa="2884" severity="medium">
-+    <VMSinfo VKey="72175" SVKey="86799" VRelease="5"/>
-     <title text="The Red Hat Enterprise Linux operating system must audit all uses of the postdrop command."/>
-   </overlay>
--  <overlay disa="2884" owner="disastig" ownerid="RHEL-07-030770" ruleid="audit_rules_privileged_commands_postqueue" severity="medium">
--    <VMSinfo SVKey="86801" VKey="72177" VRelease="3"/>
-+  <overlay owner="disastig" ruleid="audit_rules_privileged_commands_postqueue" ownerid="RHEL-07-030770" disa="2884" severity="medium">
-+    <VMSinfo VKey="72177" SVKey="86801" VRelease="4"/>
-     <title text="The Red Hat Enterprise Linux operating system must audit all uses of the postqueue command."/>
-   </overlay>
--  <overlay disa="2884" owner="disastig" ownerid="RHEL-07-030780" ruleid="audit_rules_privileged_commands_ssh_keysign" severity="medium">
--    <VMSinfo SVKey="86803" VKey="72179" VRelease="3"/>
-+  <overlay owner="disastig" ruleid="audit_rules_privileged_commands_ssh_keysign" ownerid="RHEL-07-030780" disa="2884" severity="medium">
-+    <VMSinfo VKey="72179" SVKey="86803" VRelease="4"/>
-     <title text="The Red Hat Enterprise Linux operating system must audit all uses of the ssh-keysign command."/>
-   </overlay>
--  <overlay disa="2884" owner="disastig" ownerid="RHEL-07-030800" ruleid="audit_rules_privileged_commands_crontab" severity="medium">
--    <VMSinfo SVKey="86807" VKey="72183" VRelease="3"/>
-+  <overlay owner="disastig" ruleid="audit_rules_privileged_commands_crontab" ownerid="RHEL-07-030800" disa="2884" severity="medium">
-+    <VMSinfo VKey="72183" SVKey="86807" VRelease="4"/>
-     <title text="The Red Hat Enterprise Linux operating system must audit all uses of the crontab command."/>
-   </overlay>
--  <overlay disa="172" owner="disastig" ownerid="RHEL-07-030810" ruleid="audit_rules_privileged_commands_pam_timestamp_check" severity="medium">
--    <VMSinfo SVKey="86809" VKey="72185" VRelease="4"/>
-+  <overlay owner="disastig" ruleid="audit_rules_privileged_commands_pam_timestamp_check" ownerid="RHEL-07-030810" disa="172" severity="medium">
-+    <VMSinfo VKey="72185" SVKey="86809" VRelease="5"/>
-     <title text="The Red Hat Enterprise Linux operating system must audit all uses of the pam_timestamp_check command."/>
-   </overlay>
--  <overlay disa="172" owner="disastig" ownerid="RHEL-07-030819" ruleid="audit_rules_kernel_module_loading_init" severity="medium">
--    <VMSinfo SVKey="93705" VKey="78999" VRelease="3"/>
-+  <overlay owner="disastig" ruleid="audit_rules_kernel_module_loading_delete" ownerid="RHEL-07-030819" disa="172" severity="medium">
-+    <VMSinfo VKey="78999" SVKey="93705" VRelease="3"/>
-     <title text="The Red Hat Enterprise Linux operating system must audit all uses of the create_module syscall."/>
-   </overlay>
--  <overlay disa="172" owner="disastig" ownerid="RHEL-07-030820" ruleid="audit_rules_kernel_module_loading_init" severity="medium">
--    <VMSinfo SVKey="86811" VKey="72187" VRelease="5"/>
-+  <overlay owner="disastig" ruleid="audit_rules_kernel_module_loading_init" ownerid="RHEL-07-030820" disa="172" severity="medium">
-+    <VMSinfo VKey="72187" SVKey="86811" VRelease="5"/>
-     <title text="The Red Hat Enterprise Linux operating system must audit all uses of the init_module syscall."/>
-   </overlay>
--  <overlay disa="172" owner="disastig" ownerid="RHEL-07-030821" ruleid="audit_rules_kernel_module_loading_finit" severity="medium">
--    <VMSinfo SVKey="93707" VKey="79001" VRelease="3"/>
-+  <overlay owner="disastig" ruleid="audit_rules_kernel_module_loading_finit" ownerid="RHEL-07-030821" disa="172" severity="medium">
-+    <VMSinfo VKey="79001" SVKey="93707" VRelease="3"/>
-     <title text="The Red Hat Enterprise Linux operating system must audit all uses of the finit_module syscall."/>
-   </overlay>
--  <overlay disa="172" owner="disastig" ownerid="RHEL-07-030830" ruleid="audit_rules_kernel_module_loading_delete" severity="medium">
--    <VMSinfo SVKey="86813" VKey="72189" VRelease="5"/>
-+  <overlay owner="disastig" ruleid="audit_rules_kernel_module_loading_delete" ownerid="RHEL-07-030830" disa="172" severity="medium">
-+    <VMSinfo VKey="72189" SVKey="86813" VRelease="5"/>
-     <title text="The Red Hat Enterprise Linux operating system must audit all uses of the delete_module syscall."/>
-   </overlay>
--  <overlay disa="172" owner="disastig" ownerid="RHEL-07-030840" ruleid="audit_rules_kernel_module_loading_init" severity="medium">
--    <VMSinfo SVKey="86815" VKey="72191" VRelease="5"/>
-+  <overlay owner="disastig" ruleid="audit_rules_kernel_module_loading_delete" ownerid="RHEL-07-030840" disa="172" severity="medium">
-+    <VMSinfo VKey="72191" SVKey="86815" VRelease="6"/>
-     <title text="The Red Hat Enterprise Linux operating system must audit all uses of the kmod command."/>
-   </overlay>
--  <overlay disa="2130" owner="disastig" ownerid="RHEL-07-030870" ruleid="audit_rules_usergroup_modification_passwd" severity="medium">
--    <VMSinfo SVKey="86821" VKey="72197" VRelease="5"/>
-+  <overlay owner="disastig" ruleid="audit_rules_usergroup_modification_passwd" ownerid="RHEL-07-030870" disa="2130" severity="medium">
-+    <VMSinfo VKey="72197" SVKey="86821" VRelease="5"/>
-     <title text="The Red Hat Enterprise Linux operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd."/>
-   </overlay>
--  <overlay disa="2130" owner="disastig" ownerid="RHEL-07-030871" ruleid="audit_rules_usergroup_modification_group" severity="medium">
--    <VMSinfo SVKey="87817" VKey="73165" VRelease="3"/>
-+  <overlay owner="disastig" ruleid="audit_rules_usergroup_modification_group" ownerid="RHEL-07-030871" disa="2130" severity="medium">
-+    <VMSinfo VKey="73165" SVKey="87817" VRelease="3"/>
-     <title text="The Red Hat Enterprise Linux operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/group."/>
-   </overlay>
--  <overlay disa="2130" owner="disastig" ownerid="RHEL-07-030872" ruleid="audit_rules_usergroup_modification_gshadow" severity="medium">
--    <VMSinfo SVKey="87819" VKey="73167" VRelease="4"/>
-+  <overlay owner="disastig" ruleid="audit_rules_usergroup_modification_gshadow" ownerid="RHEL-07-030872" disa="2130" severity="medium">
-+    <VMSinfo VKey="73167" SVKey="87819" VRelease="4"/>
-     <title text="The Red Hat Enterprise Linux operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/gshadow."/>
-   </overlay>
--  <overlay disa="2130" owner="disastig" ownerid="RHEL-07-030873" ruleid="audit_rules_usergroup_modification_shadow" severity="medium">
--    <VMSinfo SVKey="87823" VKey="73171" VRelease="4"/>
-+  <overlay owner="disastig" ruleid="audit_rules_usergroup_modification_shadow" ownerid="RHEL-07-030873" disa="2130" severity="medium">
-+    <VMSinfo VKey="73171" SVKey="87823" VRelease="4"/>
-     <title text="The Red Hat Enterprise Linux operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow."/>
-   </overlay>
--  <overlay disa="2130" owner="disastig" ownerid="RHEL-07-030874" ruleid="audit_rules_usergroup_modification_opasswd" severity="medium">
--    <VMSinfo SVKey="87825" VKey="73173" VRelease="5"/>
-+  <overlay owner="disastig" ruleid="audit_rules_usergroup_modification_opasswd" ownerid="RHEL-07-030874" disa="2130" severity="medium">
-+    <VMSinfo VKey="73173" SVKey="87825" VRelease="5"/>
-     <title text="The Red Hat Enterprise Linux operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/opasswd."/>
-   </overlay>
--  <overlay disa="2884" owner="disastig" ownerid="RHEL-07-030880" ruleid="audit_rules_file_deletion_events_rename" severity="medium">
--    <VMSinfo SVKey="86823" VKey="72199" VRelease="5"/>
-+  <overlay owner="disastig" ruleid="audit_rules_file_deletion_events_rename" ownerid="RHEL-07-030880" disa="2884" severity="medium">
-+    <VMSinfo VKey="72199" SVKey="86823" VRelease="6"/>
-     <title text="The Red Hat Enterprise Linux operating system must audit all uses of the rename syscall."/>
-   </overlay>
--  <overlay disa="2884" owner="disastig" ownerid="RHEL-07-030890" ruleid="audit_rules_file_deletion_events_renameat" severity="medium">
--    <VMSinfo SVKey="86825" VKey="72201" VRelease="5"/>
-+  <overlay owner="disastig" ruleid="audit_rules_file_deletion_events_renameat" ownerid="RHEL-07-030890" disa="2884" severity="medium">
-+    <VMSinfo VKey="72201" SVKey="86825" VRelease="6"/>
-     <title text="The Red Hat Enterprise Linux operating system must audit all uses of the renameat syscall."/>
-   </overlay>
--  <overlay disa="2884" owner="disastig" ownerid="RHEL-07-030900" ruleid="audit_rules_file_deletion_events_rmdir" severity="medium">
--    <VMSinfo SVKey="86827" VKey="72203" VRelease="5"/>
-+  <overlay owner="disastig" ruleid="audit_rules_file_deletion_events_rmdir" ownerid="RHEL-07-030900" disa="2884" severity="medium">
-+    <VMSinfo VKey="72203" SVKey="86827" VRelease="6"/>
-     <title text="The Red Hat Enterprise Linux operating system must audit all uses of the rmdir syscall."/>
-   </overlay>
--  <overlay disa="2884" owner="disastig" ownerid="RHEL-07-030910" ruleid="audit_rules_file_deletion_events_unlink" severity="medium">
--    <VMSinfo SVKey="86829" VKey="72205" VRelease="5"/>
-+  <overlay owner="disastig" ruleid="audit_rules_file_deletion_events_unlink" ownerid="RHEL-07-030910" disa="2884" severity="medium">
-+    <VMSinfo VKey="72205" SVKey="86829" VRelease="6"/>
-     <title text="The Red Hat Enterprise Linux operating system must audit all uses of the unlink syscall."/>
-   </overlay>
--  <overlay disa="2884" owner="disastig" ownerid="RHEL-07-030920" ruleid="audit_rules_file_deletion_events_unlinkat" severity="medium">
--    <VMSinfo SVKey="86831" VKey="72207" VRelease="5"/>
-+  <overlay owner="disastig" ruleid="audit_rules_file_deletion_events_unlinkat" ownerid="RHEL-07-030920" disa="2884" severity="medium">
-+    <VMSinfo VKey="72207" SVKey="86831" VRelease="6"/>
-     <title text="The Red Hat Enterprise Linux operating system must audit all uses of the unlinkat syscall."/>
-   </overlay>
--  <overlay disa="366" owner="disastig" ownerid="RHEL-07-031000" ruleid="rsyslog_remote_loghost" severity="medium">
--    <VMSinfo SVKey="86833" VKey="72209" VRelease="2"/>
-+  <overlay owner="disastig" ruleid="rsyslog_remote_loghost" ownerid="RHEL-07-031000" disa="366" severity="medium">
-+    <VMSinfo VKey="72209" SVKey="86833" VRelease="2"/>
-     <title text="The Red Hat Enterprise Linux operating system must send rsyslog output to a log aggregation server."/>
-   </overlay>
--  <overlay disa="1814" owner="disastig" ownerid="RHEL-07-031010" ruleid="rsyslog_nolisten" severity="medium">
--    <VMSinfo SVKey="86835" VKey="72211" VRelease="2"/>
-+  <overlay owner="disastig" ruleid="rsyslog_nolisten" ownerid="RHEL-07-031010" disa="1814" severity="medium">
-+    <VMSinfo VKey="72211" SVKey="86835" VRelease="2"/>
-     <title text="The Red Hat Enterprise Linux operating system must be configured so that the rsyslog daemon does not accept log messages from other servers unless the server is being used for log aggregation."/>
-   </overlay>
--  <overlay disa="1668" owner="disastig" ownerid="RHEL-07-032000" ruleid="install_mcafee_antivirus" severity="high">
--    <VMSinfo SVKey="86837" VKey="72213" VRelease="3"/>
-+  <overlay owner="disastig" ruleid="install_mcafee_antivirus" ownerid="RHEL-07-032000" disa="1668" severity="high">
-+    <VMSinfo VKey="72213" SVKey="86837" VRelease="3"/>
-     <title text="The Red Hat Enterprise Linux operating system must use a virus scan program."/>
-   </overlay>
--  <overlay disa="54" owner="disastig" ownerid="RHEL-07-040000" ruleid="accounts_max_concurrent_login_sessions" severity="low">
--    <VMSinfo SVKey="86841" VKey="72217" VRelease="3"/>
-+  <overlay owner="disastig" ruleid="accounts_max_concurrent_login_sessions" ownerid="RHEL-07-040000" disa="54" severity="low">
-+    <VMSinfo VKey="72217" SVKey="86841" VRelease="3"/>
-     <title text="The Red Hat Enterprise Linux operating system must limit the number of concurrent sessions to 10 for all accounts and/or account types."/>
-   </overlay>
--  <overlay disa="2314" owner="disastig" ownerid="RHEL-07-040100" ruleid="configure_firewalld_ports" severity="medium">
--    <VMSinfo SVKey="86843" VKey="72219" VRelease="2"/>
-+  <overlay owner="disastig" ruleid="configure_firewalld_ports" ownerid="RHEL-07-040100" disa="2314" severity="medium">
-+    <VMSinfo VKey="72219" SVKey="86843" VRelease="2"/>
-     <title text="The Red Hat Enterprise Linux operating system must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management Component Local Service Assessment (PPSM CLSA) and vulnerability assessments."/>
-   </overlay>
--  <overlay disa="803" owner="disastig" ownerid="RHEL-07-040110" ruleid="sshd_use_approved_ciphers" severity="medium">
--    <VMSinfo SVKey="86845" VKey="72221" VRelease="3"/>
-+  <overlay owner="disastig" ruleid="sshd_use_approved_ciphers" ownerid="RHEL-07-040110" disa="803" severity="medium">
-+    <VMSinfo VKey="72221" SVKey="86845" VRelease="3"/>
-     <title text="The Red Hat Enterprise Linux operating system must use a FIPS 140-2 approved cryptographic algorithm for SSH communications."/>
-   </overlay>
--  <overlay disa="2361" owner="disastig" ownerid="RHEL-07-040160" ruleid="accounts_tmout" severity="medium">
--    <VMSinfo SVKey="86847" VKey="72223" VRelease="4"/>
--    <title text="The Red Hat Enterprise Linux operating system must be configured so that all network connections associated with a communication session are terminated at the end of the session or after 10 minutes of inactivity from the user at a command prompt, except to fulfill documented and validated mission requirements."/>
-+  <overlay owner="disastig" ruleid="accounts_tmout" ownerid="RHEL-07-040160" disa="2361" severity="medium">
-+    <VMSinfo VKey="72223" SVKey="86847" VRelease="5"/>
-+    <title text="The Red Hat Enterprise Linux operating system must be configured so that all network connections associated with a communication session are terminated at the end of the session or after 15 minutes of inactivity from the user at a command prompt, except to fulfill documented and validated mission requirements."/>
-   </overlay>
--  <overlay disa="1388" owner="disastig" ownerid="RHEL-07-040170" ruleid="sshd_enable_warning_banner" severity="medium">
--    <VMSinfo SVKey="86849" VKey="72225" VRelease="4"/>
-+  <overlay owner="disastig" ruleid="sshd_enable_warning_banner" ownerid="RHEL-07-040170" disa="1388" severity="medium">
-+    <VMSinfo VKey="72225" SVKey="86849" VRelease="5"/>
-     <title text="The Red Hat Enterprise Linux operating system must display the Standard Mandatory DoD Notice and Consent Banner immediately prior to, or as part of, remote access logon prompts."/>
-   </overlay>
--  <overlay disa="1453" owner="disastig" ownerid="RHEL-07-040180" ruleid="sssd_ldap_start_tls" severity="medium">
--    <VMSinfo SVKey="86851" VKey="72227" VRelease="4"/>
-+  <overlay owner="disastig" ruleid="sssd_ldap_start_tls" ownerid="RHEL-07-040180" disa="1453" severity="medium">
-+    <VMSinfo VKey="72227" SVKey="86851" VRelease="4"/>
-     <title text="The Red Hat Enterprise Linux operating system must implement cryptography to protect the integrity of Lightweight Directory Access Protocol (LDAP) authentication communications."/>
-   </overlay>
--  <overlay disa="1453" owner="disastig" ownerid="RHEL-07-040190" ruleid="sssd_ldap_configure_tls_ca_dir" severity="medium">
--    <VMSinfo SVKey="86853" VKey="72229" VRelease="4"/>
-+  <overlay owner="disastig" ruleid="sshd_use_approved_macs" ownerid="RHEL-07-040190" disa="1453" severity="medium">
-+    <VMSinfo VKey="72229" SVKey="86853" VRelease="4"/>
-     <title text="The Red Hat Enterprise Linux operating system must implement cryptography to protect the integrity of Lightweight Directory Access Protocol (LDAP) communications."/>
-   </overlay>
--  <overlay disa="1453" owner="disastig" ownerid="RHEL-07-040200" ruleid="sssd_ldap_configure_tls_ca" severity="medium">
--    <VMSinfo SVKey="86855" VKey="72231" VRelease="4"/>
-+  <overlay owner="disastig" ruleid="sssd_ldap_configure_tls_ca_dir" ownerid="RHEL-07-040200" disa="1453" severity="medium">
-+    <VMSinfo VKey="72231" SVKey="86855" VRelease="4"/>
-     <title text="The Red Hat Enterprise Linux operating system must implement cryptography to protect the integrity of Lightweight Directory Access Protocol (LDAP) communications."/>
-   </overlay>
--  <overlay disa="366" owner="disastig" ownerid="RHEL-07-040201" ruleid="sysctl_kernel_randomize_va_space" severity="medium">
--    <VMSinfo SVKey="92521" VKey="77825" VRelease="2"/>
-+  <overlay owner="disastig" ruleid="sysctl_kernel_randomize_va_space" ownerid="RHEL-07-040201" disa="366" severity="medium">
-+    <VMSinfo VKey="77825" SVKey="92521" VRelease="2"/>
-     <title text="The Red Hat Enterprise Linux operating system must implement virtual address space randomization."/>
-   </overlay>
--  <overlay disa="2422" owner="disastig" ownerid="RHEL-07-040300" ruleid="package_openssh-server_installed" severity="medium">
--    <VMSinfo SVKey="86857" VKey="72233" VRelease="3"/>
-+  <overlay owner="disastig" ruleid="package_openssh-server_installed" ownerid="RHEL-07-040300" disa="2422" severity="medium">
-+    <VMSinfo VKey="72233" SVKey="86857" VRelease="3"/>
-     <title text="The Red Hat Enterprise Linux operating system must be configured so that all networked systems have SSH installed."/>
-   </overlay>
--  <overlay disa="2422" owner="disastig" ownerid="RHEL-07-040310" ruleid="service_sshd_enabled" severity="medium">
--    <VMSinfo SVKey="86859" VKey="72235" VRelease="3"/>
-+  <overlay owner="disastig" ruleid="service_sshd_enabled" ownerid="RHEL-07-040310" disa="2422" severity="medium">
-+    <VMSinfo VKey="72235" SVKey="86859" VRelease="3"/>
-     <title text="The Red Hat Enterprise Linux operating system must be configured so that all networked systems use SSH for confidentiality and integrity of transmitted and received information as well as information during preparation for transmission."/>
-   </overlay>
--  <overlay disa="2361" owner="disastig" ownerid="RHEL-07-040320" ruleid="sshd_set_idle_timeout" severity="medium">
--    <VMSinfo SVKey="86861" VKey="72237" VRelease="4"/>
-+  <overlay owner="disastig" ruleid="sshd_set_idle_timeout" ownerid="RHEL-07-040320" disa="2361" severity="medium">
-+    <VMSinfo VKey="72237" SVKey="86861" VRelease="4"/>
-     <title text="The Red Hat Enterprise Linux operating system must be configured so that all network connections associated with SSH traffic are terminated at the end of the session or after 10 minutes of inactivity, except to fulfill documented and validated mission requirements."/>
-   </overlay>
--  <overlay disa="366" owner="disastig" ownerid="RHEL-07-040330" ruleid="sshd_disable_rhosts_rsa" severity="medium">
--    <VMSinfo SVKey="86863" VKey="72239" VRelease="4"/>
-+  <overlay owner="disastig" ruleid="sshd_disable_rhosts_rsa" ownerid="RHEL-07-040330" disa="366" severity="medium">
-+    <VMSinfo VKey="72239" SVKey="86863" VRelease="4"/>
-     <title text="The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not allow authentication using RSA rhosts authentication."/>
-   </overlay>
--  <overlay disa="2361" owner="disastig" ownerid="RHEL-07-040340" ruleid="sshd_set_keepalive" severity="medium">
--    <VMSinfo SVKey="86865" VKey="72241" VRelease="4"/>
-+  <overlay owner="disastig" ruleid="sshd_set_keepalive" ownerid="RHEL-07-040340" disa="2361" severity="medium">
-+    <VMSinfo VKey="72241" SVKey="86865" VRelease="4"/>
-     <title text="The Red Hat Enterprise Linux operating system must be configured so that all network connections associated with SSH traffic terminate after a period of inactivity."/>
-   </overlay>
--  <overlay disa="366" owner="disastig" ownerid="RHEL-07-040350" ruleid="sshd_disable_rhosts" severity="medium">
--    <VMSinfo SVKey="86867" VKey="72243" VRelease="3"/>
-+  <overlay owner="disastig" ruleid="sshd_disable_rhosts" ownerid="RHEL-07-040350" disa="366" severity="medium">
-+    <VMSinfo VKey="72243" SVKey="86867" VRelease="3"/>
-     <title text="The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not allow authentication using rhosts authentication."/>
-   </overlay>
--  <overlay disa="366" owner="disastig" ownerid="RHEL-07-040360" ruleid="sshd_print_last_log" severity="medium">
--    <VMSinfo SVKey="86869" VKey="72245" VRelease="3"/>
-+  <overlay owner="disastig" ruleid="sshd_print_last_log" ownerid="RHEL-07-040360" disa="366" severity="medium">
-+    <VMSinfo VKey="72245" SVKey="86869" VRelease="3"/>
-     <title text="The Red Hat Enterprise Linux operating system must display the date and time of the last successful account logon upon an SSH logon."/>
-   </overlay>
--  <overlay disa="366" owner="disastig" ownerid="RHEL-07-040370" ruleid="sshd_disable_root_login" severity="medium">
--    <VMSinfo SVKey="86871" VKey="72247" VRelease="3"/>
-+  <overlay owner="disastig" ruleid="sshd_disable_root_login" ownerid="RHEL-07-040370" disa="366" severity="medium">
-+    <VMSinfo VKey="72247" SVKey="86871" VRelease="3"/>
-     <title text="The Red Hat Enterprise Linux operating system must not permit direct logons to the root account using remote access via SSH."/>
-   </overlay>
--  <overlay disa="366" owner="disastig" ownerid="RHEL-07-040380" ruleid="sshd_disable_user_known_hosts" severity="medium">
--    <VMSinfo SVKey="86873" VKey="72249" VRelease="3"/>
-+  <overlay owner="disastig" ruleid="sshd_disable_user_known_hosts" ownerid="RHEL-07-040380" disa="366" severity="medium">
-+    <VMSinfo VKey="72249" SVKey="86873" VRelease="3"/>
-     <title text="The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not allow authentication using known hosts authentication."/>
-   </overlay>
--  <overlay disa="366" owner="disastig" ownerid="RHEL-07-040390" ruleid="sshd_allow_only_protocol2" severity="high">
--    <VMSinfo SVKey="86875" VKey="72251" VRelease="4"/>
-+  <overlay owner="disastig" ruleid="sshd_allow_only_protocol2" ownerid="RHEL-07-040390" disa="366" severity="high">
-+    <VMSinfo VKey="72251" SVKey="86875" VRelease="4"/>
-     <title text="The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon is configured to only use the SSHv2 protocol."/>
-   </overlay>
--  <overlay disa="1453" owner="disastig" ownerid="RHEL-07-040400" ruleid="sshd_use_approved_macs" severity="medium">
--    <VMSinfo SVKey="86877" VKey="72253" VRelease="3"/>
-+  <overlay owner="disastig" ruleid="sshd_use_approved_macs" ownerid="RHEL-07-040400" disa="1453" severity="medium">
-+    <VMSinfo VKey="72253" SVKey="86877" VRelease="3"/>
-     <title text="The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon is configured to only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms."/>
-   </overlay>
--  <overlay disa="366" owner="disastig" ownerid="RHEL-07-040410" ruleid="file_permissions_sshd_pub_key" severity="medium">
--    <VMSinfo SVKey="86879" VKey="72255" VRelease="2"/>
-+  <overlay owner="disastig" ruleid="file_permissions_sshd_pub_key" ownerid="RHEL-07-040410" disa="366" severity="medium">
-+    <VMSinfo VKey="72255" SVKey="86879" VRelease="2"/>
-     <title text="The Red Hat Enterprise Linux operating system must be configured so that the SSH public host key files have mode 0644 or less permissive."/>
-   </overlay>
--  <overlay disa="366" owner="disastig" ownerid="RHEL-07-040420" ruleid="file_permissions_sshd_private_key" severity="medium">
--    <VMSinfo SVKey="86881" VKey="72257" VRelease="3"/>
-+  <overlay owner="disastig" ruleid="file_permissions_sshd_private_key" ownerid="RHEL-07-040420" disa="366" severity="medium">
-+    <VMSinfo VKey="72257" SVKey="86881" VRelease="3"/>
-     <title text="The Red Hat Enterprise Linux operating system must be configured so that the SSH private host key files have mode 0640 or less permissive."/>
-   </overlay>
--  <overlay disa="1814" owner="disastig" ownerid="RHEL-07-040430" ruleid="sshd_disable_gssapi_auth" severity="medium">
--    <VMSinfo SVKey="86883" VKey="72259" VRelease="3"/>
-+  <overlay owner="disastig" ruleid="sshd_disable_gssapi_auth" ownerid="RHEL-07-040430" disa="1814" severity="medium">
-+    <VMSinfo VKey="72259" SVKey="86883" VRelease="3"/>
-     <title text="The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not permit Generic Security Service Application Program Interface (GSSAPI) authentication unless needed."/>
-   </overlay>
--  <overlay disa="1814" owner="disastig" ownerid="RHEL-07-040440" ruleid="sshd_disable_kerb_auth" severity="medium">
--    <VMSinfo SVKey="86885" VKey="72261" VRelease="3"/>
-+  <overlay owner="disastig" ruleid="sshd_disable_kerb_auth" ownerid="RHEL-07-040440" disa="1814" severity="medium">
-+    <VMSinfo VKey="72261" SVKey="86885" VRelease="3"/>
-     <title text="The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not permit Kerberos authentication unless needed."/>
-   </overlay>
--  <overlay disa="366" owner="disastig" ownerid="RHEL-07-040450" ruleid="sshd_enable_strictmodes" severity="medium">
--    <VMSinfo SVKey="86887" VKey="72263" VRelease="3"/>
-+  <overlay owner="disastig" ruleid="sshd_enable_strictmodes" ownerid="RHEL-07-040450" disa="366" severity="medium">
-+    <VMSinfo VKey="72263" SVKey="86887" VRelease="3"/>
-     <title text="The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon performs strict mode checking of home directory configuration files."/>
-   </overlay>
--  <overlay disa="366" owner="disastig" ownerid="RHEL-07-040460" ruleid="sshd_use_priv_separation" severity="medium">
--    <VMSinfo SVKey="86889" VKey="72265" VRelease="3"/>
-+  <overlay owner="disastig" ruleid="sshd_use_priv_separation" ownerid="RHEL-07-040460" disa="366" severity="medium">
-+    <VMSinfo VKey="72265" SVKey="86889" VRelease="3"/>
-     <title text="The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon uses privilege separation."/>
-   </overlay>
--  <overlay disa="366" owner="disastig" ownerid="RHEL-07-040470" ruleid="sshd_disable_compression" severity="medium">
--    <VMSinfo SVKey="86891" VKey="72267" VRelease="3"/>
-+  <overlay owner="disastig" ruleid="sshd_disable_compression" ownerid="RHEL-07-040470" disa="366" severity="medium">
-+    <VMSinfo VKey="72267" SVKey="86891" VRelease="3"/>
-     <title text="The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not allow compression or only allows compression after successful authentication."/>
-   </overlay>
--  <overlay disa="2046" owner="disastig" ownerid="RHEL-07-040500" ruleid="chronyd_or_ntpd_set_maxpoll" severity="medium">
--    <VMSinfo SVKey="86893" VKey="72269" VRelease="4"/>
-+  <overlay owner="disastig" ruleid="chronyd_or_ntpd_set_maxpoll" ownerid="RHEL-07-040500" disa="2046" severity="medium">
-+    <VMSinfo VKey="72269" SVKey="86893" VRelease="5"/>
-     <title text="The Red Hat Enterprise Linux operating system must, for networked systems, synchronize clocks with a server that is synchronized to one of the redundant United States Naval Observatory (USNO) time servers, a time server designated for the appropriate DoD network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS)."/>
-   </overlay>
--  <overlay disa="366" owner="disastig" ownerid="RHEL-07-040520" ruleid="service_firewalld_enabled" severity="medium">
--    <VMSinfo SVKey="86897" VKey="72273" VRelease="2"/>
-+  <overlay owner="disastig" ruleid="service_firewalld_enabled" ownerid="RHEL-07-040520" disa="366" severity="medium">
-+    <VMSinfo VKey="72273" SVKey="86897" VRelease="2"/>
-     <title text="The Red Hat Enterprise Linux operating system must enable an application firewall, if available."/>
-   </overlay>
--  <overlay disa="366" owner="disastig" ownerid="RHEL-07-040530" ruleid="display_login_attempts" severity="low">
--    <VMSinfo SVKey="86899" VKey="72275" VRelease="4"/>
-+  <overlay owner="disastig" ruleid="display_login_attempts" ownerid="RHEL-07-040530" disa="366" severity="low">
-+    <VMSinfo VKey="72275" SVKey="86899" VRelease="4"/>
-     <title text="The Red Hat Enterprise Linux operating system must display the date and time of the last successful account logon upon logon."/>
-   </overlay>
--  <overlay disa="366" owner="disastig" ownerid="RHEL-07-040540" ruleid="no_user_host_based_files" severity="high">
--    <VMSinfo SVKey="86901" VKey="72277" VRelease="2"/>
-+  <overlay owner="disastig" ruleid="no_user_host_based_files" ownerid="RHEL-07-040540" disa="366" severity="high">
-+    <VMSinfo VKey="72277" SVKey="86901" VRelease="2"/>
-     <title text="The Red Hat Enterprise Linux operating system must not contain .shosts files."/>
-   </overlay>
--  <overlay disa="366" owner="disastig" ownerid="RHEL-07-040550" ruleid="no_host_based_files" severity="high">
--    <VMSinfo SVKey="86903" VKey="72279" VRelease="2"/>
-+  <overlay owner="disastig" ruleid="no_host_based_files" ownerid="RHEL-07-040550" disa="366" severity="high">
-+    <VMSinfo VKey="72279" SVKey="86903" VRelease="2"/>
-     <title text="The Red Hat Enterprise Linux operating system must not contain shosts.equiv files."/>
-   </overlay>
--  <overlay disa="366" owner="disastig" ownerid="RHEL-07-040600" ruleid="network_configure_name_resolution" severity="low">
--    <VMSinfo SVKey="86905" VKey="72281" VRelease="2"/>
-+  <overlay owner="disastig" ruleid="network_configure_name_resolution" ownerid="RHEL-07-040600" disa="366" severity="low">
-+    <VMSinfo VKey="72281" SVKey="86905" VRelease="3"/>
-     <title text="For Red Hat Enterprise Linux operating systems using DNS resolution, at least two name servers must be configured."/>
-   </overlay>
--  <overlay disa="366" owner="disastig" ownerid="RHEL-07-040610" ruleid="sysctl_net_ipv4_conf_all_accept_source_route" severity="medium">
--    <VMSinfo SVKey="86907" VKey="72283" VRelease="2"/>
-+  <overlay owner="disastig" ruleid="sysctl_net_ipv4_conf_all_accept_source_route" ownerid="RHEL-07-040610" disa="366" severity="medium">
-+    <VMSinfo VKey="72283" SVKey="86907" VRelease="2"/>
-     <title text="The Red Hat Enterprise Linux operating system must not forward Internet Protocol version 4 (IPv4) source-routed packets."/>
-   </overlay>
--  <overlay disa="366" owner="disastig" ownerid="RHEL-07-040611" ruleid="kernel_module_usb-storage_disabled" severity="medium">
--    <VMSinfo SVKey="102353" VKey="92251" VRelease="r1"/>
-+  <overlay owner="disastig" ruleid="sysctl_net_ipv4_conf_all_rp_filter" ownerid="RHEL-07-040611" disa="366" severity="medium">
-+    <VMSinfo VKey="92251" SVKey="102353" VRelease="r1"/>
-     <title text="The Red Hat Enterprise Linux operating system must use a reverse-path filter for IPv4 network traffic when possible on all interfaces."/>
-   </overlay>
--  <overlay disa="366" owner="disastig" ownerid="RHEL-07-040612" ruleid="kernel_module_usb-storage_disabled" severity="medium">
--    <VMSinfo SVKey="102355" VKey="92253" VRelease="r1"/>
-+  <overlay owner="disastig" ruleid="sysctl_net_ipv4_conf_default_rp_filter" ownerid="RHEL-07-040612" disa="366" severity="medium">
-+    <VMSinfo VKey="92253" SVKey="102355" VRelease="r1"/>
-     <title text="The Red Hat Enterprise Linux operating system must use a reverse-path filter for IPv4 network traffic when possible by default."/>
-   </overlay>
--  <overlay disa="366" owner="disastig" ownerid="RHEL-07-040620" ruleid="sysctl_net_ipv4_conf_default_accept_source_route" severity="medium">
--    <VMSinfo SVKey="86909" VKey="72285" VRelease="2"/>
-+  <overlay owner="disastig" ruleid="sysctl_net_ipv4_conf_default_accept_source_route" ownerid="RHEL-07-040620" disa="366" severity="medium">
-+    <VMSinfo VKey="72285" SVKey="86909" VRelease="2"/>
-     <title text="The Red Hat Enterprise Linux operating system must not forward Internet Protocol version 4 (IPv4) source-routed packets by default."/>
-   </overlay>
--  <overlay disa="366" owner="disastig" ownerid="RHEL-07-040630" ruleid="sysctl_net_ipv4_icmp_echo_ignore_broadcasts" severity="medium">
--    <VMSinfo SVKey="86911" VKey="72287" VRelease="2"/>
-+  <overlay owner="disastig" ruleid="sysctl_net_ipv4_icmp_echo_ignore_broadcasts" ownerid="RHEL-07-040630" disa="366" severity="medium">
-+    <VMSinfo VKey="72287" SVKey="86911" VRelease="2"/>
-     <title text="The Red Hat Enterprise Linux operating system must not respond to Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) echoes sent to a broadcast address."/>
-   </overlay>
--  <overlay disa="366" owner="disastig" ownerid="RHEL-07-040640" ruleid="sysctl_net_ipv4_conf_default_accept_redirects" severity="medium">
--    <VMSinfo SVKey="86913" VKey="72289" VRelease="3"/>
-+  <overlay owner="disastig" ruleid="sysctl_net_ipv4_conf_default_accept_redirects" ownerid="RHEL-07-040640" disa="366" severity="medium">
-+    <VMSinfo VKey="72289" SVKey="86913" VRelease="3"/>
-     <title text="The Red Hat Enterprise Linux operating system must prevent Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages from being accepted."/>
-   </overlay>
--  <overlay disa="366" owner="disastig" ownerid="RHEL-07-040641" ruleid="sysctl_net_ipv4_conf_all_accept_redirects" severity="medium">
--    <VMSinfo SVKey="87827" VKey="73175" VRelease="4"/>
-+  <overlay owner="disastig" ruleid="sysctl_net_ipv4_conf_all_accept_redirects" ownerid="RHEL-07-040641" disa="366" severity="medium">
-+    <VMSinfo VKey="73175" SVKey="87827" VRelease="4"/>
-     <title text="The Red Hat Enterprise Linux operating system must ignore Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages."/>
-   </overlay>
--  <overlay disa="366" owner="disastig" ownerid="RHEL-07-040650" ruleid="sysctl_net_ipv4_conf_default_send_redirects" severity="medium">
--    <VMSinfo SVKey="86915" VKey="72291" VRelease="4"/>
-+  <overlay owner="disastig" ruleid="sysctl_net_ipv4_conf_default_send_redirects" ownerid="RHEL-07-040650" disa="366" severity="medium">
-+    <VMSinfo VKey="72291" SVKey="86915" VRelease="4"/>
-     <title text="The Red Hat Enterprise Linux operating system must not allow interfaces to perform Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirects by default."/>
-   </overlay>
--  <overlay disa="366" owner="disastig" ownerid="RHEL-07-040660" ruleid="sysctl_net_ipv4_conf_all_send_redirects" severity="medium">
--    <VMSinfo SVKey="86917" VKey="72293" VRelease="3"/>
-+  <overlay owner="disastig" ruleid="sysctl_net_ipv4_conf_all_send_redirects" ownerid="RHEL-07-040660" disa="366" severity="medium">
-+    <VMSinfo VKey="72293" SVKey="86917" VRelease="3"/>
-     <title text="The Red Hat Enterprise Linux operating system must not send Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirects."/>
-   </overlay>
--  <overlay disa="366" owner="disastig" ownerid="RHEL-07-040670" ruleid="network_sniffer_disabled" severity="medium">
--    <VMSinfo SVKey="86919" VKey="72295" VRelease="2"/>
-+  <overlay owner="disastig" ruleid="network_sniffer_disabled" ownerid="RHEL-07-040670" disa="366" severity="medium">
-+    <VMSinfo VKey="72295" SVKey="86919" VRelease="2"/>
-     <title text="Network interfaces configured on the Red Hat Enterprise Linux operating system must not be in promiscuous mode."/>
-   </overlay>
--  <overlay disa="366" owner="disastig" ownerid="RHEL-07-040680" ruleid="postfix_prevent_unrestricted_relay" severity="medium">
--    <VMSinfo SVKey="86921" VKey="72297" VRelease="3"/>
-+  <overlay owner="disastig" ruleid="postfix_prevent_unrestricted_relay" ownerid="RHEL-07-040680" disa="366" severity="medium">
-+    <VMSinfo VKey="72297" SVKey="86921" VRelease="3"/>
-     <title text="The Red Hat Enterprise Linux operating system must be configured to prevent unrestricted mail relaying."/>
-   </overlay>
--  <overlay disa="366" owner="disastig" ownerid="RHEL-07-040690" ruleid="package_vsftpd_removed" severity="high">
--    <VMSinfo SVKey="86923" VKey="72299" VRelease="3"/>
-+  <overlay owner="disastig" ruleid="package_vsftpd_removed" ownerid="RHEL-07-040690" disa="366" severity="high">
-+    <VMSinfo VKey="72299" SVKey="86923" VRelease="3"/>
-     <title text="The Red Hat Enterprise Linux operating system must not have a File Transfer Protocol (FTP) server package installed unless needed."/>
-   </overlay>
--  <overlay disa="1814" owner="disastig" ownerid="RHEL-07-040700" ruleid="package_tftp-server_removed" severity="high">
--    <VMSinfo SVKey="86925" VKey="72301" VRelease="2"/>
-+  <overlay owner="disastig" ruleid="package_tftp-server_removed" ownerid="RHEL-07-040700" disa="1814" severity="high">
-+    <VMSinfo VKey="72301" SVKey="86925" VRelease="2"/>
-     <title text="The Red Hat Enterprise Linux operating system must not have the Trivial File Transfer Protocol (TFTP) server package installed if not required for operational support."/>
-   </overlay>
--  <overlay disa="366" owner="disastig" ownerid="RHEL-07-040710" ruleid="sshd_enable_x11_forwarding" severity="high">
--    <VMSinfo SVKey="86927" VKey="72303" VRelease="4"/>
-+  <overlay owner="disastig" ruleid="sshd_enable_x11_forwarding" ownerid="RHEL-07-040710" disa="366" severity="high">
-+    <VMSinfo VKey="72303" SVKey="86927" VRelease="4"/>
-     <title text="The Red Hat Enterprise Linux operating system must be configured so that remote X connections for interactive users are encrypted."/>
-   </overlay>
--  <overlay disa="366" owner="disastig" ownerid="RHEL-07-040720" ruleid="tftpd_uses_secure_mode" severity="medium">
--    <VMSinfo SVKey="86929" VKey="72305" VRelease="3"/>
-+  <overlay owner="disastig" ruleid="tftpd_uses_secure_mode" ownerid="RHEL-07-040720" disa="366" severity="medium">
-+    <VMSinfo VKey="72305" SVKey="86929" VRelease="3"/>
-     <title text="The Red Hat Enterprise Linux operating system must be configured so that if the Trivial File Transfer Protocol (TFTP) server is required, the TFTP daemon is configured to operate in secure mode."/>
-   </overlay>
--  <overlay disa="366" owner="disastig" ownerid="RHEL-07-040730" ruleid="package_xorg-x11-server-common_removed" severity="medium">
--    <VMSinfo SVKey="86931" VKey="72307" VRelease="4"/>
-+  <overlay owner="disastig" ruleid="package_xorg-x11-server-common_removed" ownerid="RHEL-07-040730" disa="366" severity="medium">
-+    <VMSinfo VKey="72307" SVKey="86931" VRelease="4"/>
-     <title text="The Red Hat Enterprise Linux operating system must not have an X Windows display manager installed unless approved."/>
-   </overlay>
--  <overlay disa="366" owner="disastig" ownerid="RHEL-07-040740" ruleid="sysctl_net_ipv4_ip_forward" severity="medium">
--    <VMSinfo SVKey="86933" VKey="72309" VRelease="2"/>
-+  <overlay owner="disastig" ruleid="sysctl_net_ipv4_ip_forward" ownerid="RHEL-07-040740" disa="366" severity="medium">
-+    <VMSinfo VKey="72309" SVKey="86933" VRelease="2"/>
-     <title text="The Red Hat Enterprise Linux operating system must not be performing packet forwarding unless the system is a router."/>
-   </overlay>
--  <overlay disa="366" owner="disastig" ownerid="RHEL-07-040750" ruleid="mount_option_krb_sec_remote_filesystems" severity="medium">
--    <VMSinfo SVKey="86935" VKey="72311" VRelease="4"/>
-+  <overlay owner="disastig" ruleid="mount_option_krb_sec_remote_filesystems" ownerid="RHEL-07-040750" disa="366" severity="medium">
-+    <VMSinfo VKey="72311" SVKey="86935" VRelease="4"/>
-     <title text="The Red Hat Enterprise Linux operating system must be configured so that the Network File System (NFS) is configured to use RPCSEC_GSS."/>
-   </overlay>
--  <overlay disa="366" owner="disastig" ownerid="RHEL-07-040800" ruleid="snmpd_not_default_password" severity="high">
--    <VMSinfo SVKey="86937" VKey="72313" VRelease="2"/>
-+  <overlay owner="disastig" ruleid="snmpd_not_default_password" ownerid="RHEL-07-040800" disa="366" severity="high">
-+    <VMSinfo VKey="72313" SVKey="86937" VRelease="2"/>
-     <title text="SNMP community strings on the Red Hat Enterprise Linux operating system must be changed from the default."/>
-   </overlay>
--  <overlay disa="366" owner="disastig" ownerid="RHEL-07-040810" ruleid="set_firewalld_default_zone" severity="medium">
--    <VMSinfo SVKey="86939" VKey="72315" VRelease="3"/>
-+  <overlay owner="disastig" ruleid="set_firewalld_default_zone" ownerid="RHEL-07-040810" disa="366" severity="medium">
-+    <VMSinfo VKey="72315" SVKey="86939" VRelease="3"/>
-     <title text="The Red Hat Enterprise Linux operating system access control program must be configured to grant or deny system access to specific hosts and services."/>
-   </overlay>
--  <overlay disa="366" owner="disastig" ownerid="RHEL-07-040820" ruleid="libreswan_approved_tunnels" severity="medium">
--    <VMSinfo SVKey="86941" VKey="72317" VRelease="2"/>
-+  <overlay owner="disastig" ruleid="libreswan_approved_tunnels" ownerid="RHEL-07-040820" disa="366" severity="medium">
-+    <VMSinfo VKey="72317" SVKey="86941" VRelease="2"/>
-     <title text="The Red Hat Enterprise Linux operating system must not have unauthorized IP tunnels configured."/>
-   </overlay>
--  <overlay disa="366" owner="disastig" ownerid="RHEL-07-040830" ruleid="sysctl_net_ipv6_conf_all_accept_source_route" severity="medium">
--    <VMSinfo SVKey="86943" VKey="72319" VRelease="2"/>
-+  <overlay owner="disastig" ruleid="sysctl_net_ipv6_conf_all_accept_source_route" ownerid="RHEL-07-040830" disa="366" severity="medium">
-+    <VMSinfo VKey="72319" SVKey="86943" VRelease="2"/>
-     <title text="The Red Hat Enterprise Linux operating system must not forward IPv6 source-routed packets."/>
-   </overlay>
--  <overlay disa="1954" owner="disastig" ownerid="RHEL-07-041001" ruleid="install_smartcard_packages" severity="medium">
--    <VMSinfo SVKey="87041" VKey="72417" VRelease="4"/>
-+  <overlay owner="disastig" ruleid="install_smartcard_packages" ownerid="RHEL-07-041001" disa="1954" severity="medium">
-+    <VMSinfo VKey="72417" SVKey="87041" VRelease="5"/>
-     <title text="The Red Hat Enterprise Linux operating system must have the required packages for multifactor authentication installed."/>
-   </overlay>
--  <overlay disa="1954" owner="disastig" ownerid="RHEL-07-041002" ruleid="sssd_enable_pam_services" severity="medium">
--    <VMSinfo SVKey="87051" VKey="72427" VRelease="4"/>
-+  <overlay owner="disastig" ruleid="sssd_enable_pam_services" ownerid="RHEL-07-041002" disa="1954" severity="medium">
-+    <VMSinfo VKey="72427" SVKey="87051" VRelease="4"/>
-     <title text="The Red Hat Enterprise Linux operating system must implement multifactor authentication for access to privileged accounts via pluggable authentication modules (PAM)."/>
-   </overlay>
--  <overlay disa="1954" owner="disastig" ownerid="RHEL-07-041003" ruleid="smartcard_configure_cert_checking" severity="medium">
--    <VMSinfo SVKey="87057" VKey="72433" VRelease="5"/>
-+  <overlay owner="disastig" ruleid="smartcard_configure_cert_checking" ownerid="RHEL-07-041003" disa="1954" severity="medium">
-+    <VMSinfo VKey="72433" SVKey="87057" VRelease="5"/>
-     <title text="The Red Hat Enterprise Linux operating system must implement certificate status checking for PKI authentication."/>
-   </overlay>
--  <overlay disa="2418" owner="disastig" ownerid="RHEL-07-041010" ruleid="wireless_disable_interfaces" severity="medium">
--    <VMSinfo SVKey="87829" VKey="73177" VRelease="2"/>
-+  <overlay owner="disastig" ruleid="wireless_disable_interfaces" ownerid="RHEL-07-041010" disa="2418" severity="medium">
-+    <VMSinfo VKey="73177" SVKey="87829" VRelease="2"/>
-     <title text="The Red Hat Enterprise Linux operating system must be configured so that all wireless network adapters are disabled."/>
-   </overlay>
- </overlays>
-diff --git a/rhel7/profiles/stig.profile b/rhel7/profiles/stig.profile
-index dc9951a23e..b820d30608 100644
---- a/rhel7/profiles/stig.profile
-+++ b/rhel7/profiles/stig.profile
-@@ -4,7 +4,7 @@ title: 'DISA STIG for Red Hat Enterprise Linux 7'
- 
- description: |-
-     This profile contains configuration checks that align to the
--    DISA STIG for Red Hat Enterprise Linux V1R4.
-+    DISA STIG for Red Hat Enterprise Linux V2R8.
- 
-     In addition to being applicable to Red Hat Enterprise Linux 7, DISA recognizes this
-     configuration baseline as applicable to the operating system tier of
-diff --git a/shared/references/disa-stig-rhel7-v2r7-xccdf-manual.xml b/shared/references/disa-stig-rhel7-v2r8-xccdf-manual.xml
-similarity index 82%
-rename from shared/references/disa-stig-rhel7-v2r7-xccdf-manual.xml
-rename to shared/references/disa-stig-rhel7-v2r8-xccdf-manual.xml
-index 978667cd74..01fb97e10d 100644
---- a/shared/references/disa-stig-rhel7-v2r7-xccdf-manual.xml
-+++ b/shared/references/disa-stig-rhel7-v2r8-xccdf-manual.xml
-@@ -1,4 +1,4 @@
--<?xml version="1.0" encoding="utf-8"?><?xml-stylesheet type='text/xsl' href='STIG_unclass.xsl'?><Benchmark xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:cpe="http://cpe.mitre.org/language/2.0" xmlns:xhtml="http://www.w3.org/1999/xhtml" xmlns:dc="http://purl.org/dc/elements/1.1/" id="RHEL_7_STIG" xml:lang="en" xsi:schemaLocation="http://checklists.nist.gov/xccdf/1.1 http://nvd.nist.gov/schema/xccdf-1.1.4.xsd http://cpe.mitre.org/dictionary/2.0 http://cpe.mitre.org/files/cpe-dictionary_2.1.xsd" xmlns="http://checklists.nist.gov/xccdf/1.1"><status date="2020-02-26">accepted</status><title>Red Hat Enterprise Linux 7 Security Technical Implementation Guide</title><description>This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.</description><notice id="terms-of-use" xml:lang="en"></notice><reference href="https://cyber.mil"><dc:publisher>DISA</dc:publisher><dc:source>STIG.DOD.MIL</dc:source></reference><plain-text id="release-info">Release: 7 Benchmark Date: 24 Apr 2020</plain-text><version>2</version><Profile id="MAC-1_Classified"><title>I - Mission Critical Classified</title><description>&lt;ProfileDescription&gt;&lt;/ProfileDescription&gt;</description><select idref="V-71849" selected="true" /><select idref="V-71855" selected="true" /><select idref="V-71859" selected="true" /><select idref="V-71861" selected="true" /><select idref="V-71863" selected="true" /><select idref="V-71891" selected="true" /><select idref="V-71893" selected="true" /><select idref="V-71897" selected="true" /><select idref="V-71899" selected="true" /><select idref="V-71901" selected="true" /><select idref="V-71903" selected="true" /><select idref="V-71905" selected="true" /><select idref="V-71907" selected="true" /><select idref="V-71909" selected="true" /><select idref="V-71911" selected="true" /><select idref="V-71913" selected="true" /><select idref="V-71915" selected="true" /><select idref="V-71917" selected="true" /><select idref="V-71919" selected="true" /><select idref="V-71921" selected="true" /><select idref="V-71923" selected="true" /><select idref="V-71925" selected="true" /><select idref="V-71927" selected="true" /><select idref="V-71929" selected="true" /><select idref="V-71931" selected="true" /><select idref="V-71933" selected="true" /><select idref="V-71935" selected="true" /><select idref="V-71937" selected="true" /><select idref="V-71939" selected="true" /><select idref="V-71941" selected="true" /><select idref="V-71943" selected="true" /><select idref="V-71945" selected="true" /><select idref="V-71947" selected="true" /><select idref="V-71949" selected="true" /><select idref="V-71951" selected="true" /><select idref="V-71953" selected="true" /><select idref="V-71955" selected="true" /><select idref="V-71957" selected="true" /><select idref="V-71959" selected="true" /><select idref="V-71961" selected="true" /><select idref="V-71963" selected="true" /><select idref="V-71965" selected="true" /><select idref="V-71967" selected="true" /><select idref="V-71969" selected="true" /><select idref="V-71971" selected="true" /><select idref="V-71973" selected="true" /><select idref="V-71975" selected="true" /><select idref="V-71977" selected="true" /><select idref="V-71979" selected="true" /><select idref="V-71983" selected="true" /><select idref="V-71985" selected="true" /><select idref="V-71987" selected="true" /><select idref="V-71989" selected="true" /><select idref="V-71991" selected="true" /><select idref="V-71993" selected="true" /><select idref="V-71995" selected="true" /><select idref="V-71997" selected="true" /><select idref="V-71999" selected="true" /><select idref="V-72001" selected="true" /><select idref="V-72003" selected="true" /><select idref="V-72005" selected="true" /><select idref="V-72007" selected="true" /><select idref="V-72009" selected="true" /><select idref="V-72011" selected="true" /><select idref="V-72013" selected="true" /><select idref="V-72015" selected="true" /><select idref="V-72017" selected="true" /><select idref="V-72019" selected="true" /><select idref="V-72021" selected="true" /><select idref="V-72023" selected="true" /><select idref="V-72025" selected="true" /><select idref="V-72027" selected="true" /><select idref="V-72029" selected="true" /><select idref="V-72031" selected="true" /><select idref="V-72033" selected="true" /><select idref="V-72035" selected="true" /><select idref="V-72037" selected="true" /><select idref="V-72039" selected="true" /><select idref="V-72041" selected="true" /><select idref="V-72043" selected="true" /><select idref="V-72045" selected="true" /><select idref="V-72047" selected="true" /><select idref="V-72049" selected="true" /><select idref="V-72051" selected="true" /><select idref="V-72053" selected="true" /><select idref="V-72055" selected="true" /><select idref="V-72057" selected="true" /><select idref="V-72059" selected="true" /><select idref="V-72061" selected="true" /><select idref="V-72063" selected="true" /><select idref="V-72065" selected="true" /><select idref="V-72067" selected="true" /><select idref="V-72069" selected="true" /><select idref="V-72071" selected="true" /><select idref="V-72073" selected="true" /><select idref="V-72075" selected="true" /><select idref="V-72077" selected="true" /><select idref="V-72079" selected="true" /><select idref="V-72081" selected="true" /><select idref="V-72083" selected="true" /><select idref="V-72085" selected="true" /><select idref="V-72087" selected="true" /><select idref="V-72089" selected="true" /><select idref="V-72091" selected="true" /><select idref="V-72093" selected="true" /><select idref="V-72095" selected="true" /><select idref="V-72097" selected="true" /><select idref="V-72099" selected="true" /><select idref="V-72101" selected="true" /><select idref="V-72103" selected="true" /><select idref="V-72105" selected="true" /><select idref="V-72107" selected="true" /><select idref="V-72109" selected="true" /><select idref="V-72111" selected="true" /><select idref="V-72113" selected="true" /><select idref="V-72115" selected="true" /><select idref="V-72117" selected="true" /><select idref="V-72119" selected="true" /><select idref="V-72121" selected="true" /><select idref="V-72123" selected="true" /><select idref="V-72125" selected="true" /><select idref="V-72127" selected="true" /><select idref="V-72129" selected="true" /><select idref="V-72131" selected="true" /><select idref="V-72133" selected="true" /><select idref="V-72135" selected="true" /><select idref="V-72137" selected="true" /><select idref="V-72139" selected="true" /><select idref="V-72141" selected="true" /><select idref="V-72145" selected="true" /><select idref="V-72147" selected="true" /><select idref="V-72149" selected="true" /><select idref="V-72151" selected="true" /><select idref="V-72153" selected="true" /><select idref="V-72155" selected="true" /><select idref="V-72157" selected="true" /><select idref="V-72159" selected="true" /><select idref="V-72161" selected="true" /><select idref="V-72163" selected="true" /><select idref="V-72165" selected="true" /><select idref="V-72167" selected="true" /><select idref="V-72171" selected="true" /><select idref="V-72173" selected="true" /><select idref="V-72175" selected="true" /><select idref="V-72177" selected="true" /><select idref="V-72179" selected="true" /><select idref="V-72183" selected="true" /><select idref="V-72185" selected="true" /><select idref="V-72187" selected="true" /><select idref="V-72189" selected="true" /><select idref="V-72191" selected="true" /><select idref="V-72197" selected="true" /><select idref="V-72199" selected="true" /><select idref="V-72201" selected="true" /><select idref="V-72203" selected="true" /><select idref="V-72205" selected="true" /><select idref="V-72207" selected="true" /><select idref="V-72209" selected="true" /><select idref="V-72211" selected="true" /><select idref="V-72213" selected="true" /><select idref="V-72217" selected="true" /><select idref="V-72219" selected="true" /><select idref="V-72221" selected="true" /><select idref="V-72223" selected="true" /><select idref="V-72225" selected="true" /><select idref="V-72227" selected="true" /><select idref="V-72229" selected="true" /><select idref="V-72231" selected="true" /><select idref="V-72233" selected="true" /><select idref="V-72235" selected="true" /><select idref="V-72237" selected="true" /><select idref="V-72239" selected="true" /><select idref="V-72241" selected="true" /><select idref="V-72243" selected="true" /><select idref="V-72245" selected="true" /><select idref="V-72247" selected="true" /><select idref="V-72249" selected="true" /><select idref="V-72251" selected="true" /><select idref="V-72253" selected="true" /><select idref="V-72255" selected="true" /><select idref="V-72257" selected="true" /><select idref="V-72259" selected="true" /><select idref="V-72261" selected="true" /><select idref="V-72263" selected="true" /><select idref="V-72265" selected="true" /><select idref="V-72267" selected="true" /><select idref="V-72269" selected="true" /><select idref="V-72273" selected="true" /><select idref="V-72275" selected="true" /><select idref="V-72277" selected="true" /><select idref="V-72279" selected="true" /><select idref="V-72281" selected="true" /><select idref="V-72283" selected="true" /><select idref="V-72285" selected="true" /><select idref="V-72287" selected="true" /><select idref="V-72289" selected="true" /><select idref="V-72291" selected="true" /><select idref="V-72293" selected="true" /><select idref="V-72295" selected="true" /><select idref="V-72297" selected="true" /><select idref="V-72299" selected="true" /><select idref="V-72301" selected="true" /><select idref="V-72303" selected="true" /><select idref="V-72305" selected="true" /><select idref="V-72307" selected="true" /><select idref="V-72309" selected="true" /><select idref="V-72311" selected="true" /><select idref="V-72313" selected="true" /><select idref="V-72315" selected="true" /><select idref="V-72317" selected="true" /><select idref="V-72319" selected="true" /><select idref="V-72417" selected="true" /><select idref="V-72427" selected="true" /><select idref="V-72433" selected="true" /><select idref="V-73155" selected="true" /><select idref="V-73157" selected="true" /><select idref="V-73159" selected="true" /><select idref="V-73161" selected="true" /><select idref="V-73163" selected="true" /><select idref="V-73165" selected="true" /><select idref="V-73167" selected="true" /><select idref="V-73171" selected="true" /><select idref="V-73173" selected="true" /><select idref="V-73175" selected="true" /><select idref="V-73177" selected="true" /><select idref="V-77819" selected="true" /><select idref="V-77821" selected="true" /><select idref="V-77823" selected="true" /><select idref="V-77825" selected="true" /><select idref="V-78995" selected="true" /><select idref="V-78997" selected="true" /><select idref="V-78999" selected="true" /><select idref="V-79001" selected="true" /><select idref="V-81003" selected="true" /><select idref="V-81005" selected="true" /><select idref="V-81007" selected="true" /><select idref="V-81009" selected="true" /><select idref="V-81011" selected="true" /><select idref="V-81013" selected="true" /><select idref="V-81015" selected="true" /><select idref="V-81017" selected="true" /><select idref="V-81019" selected="true" /><select idref="V-81021" selected="true" /><select idref="V-92251" selected="true" /><select idref="V-92253" selected="true" /><select idref="V-92255" selected="true" /><select idref="V-94843" selected="true" /><select idref="V-100023" selected="true" /></Profile><Profile id="MAC-1_Public"><title>I - Mission Critical Public</title><description>&lt;ProfileDescription&gt;&lt;/ProfileDescription&gt;</description><select idref="V-71849" selected="true" /><select idref="V-71855" selected="true" /><select idref="V-71859" selected="true" /><select idref="V-71861" selected="true" /><select idref="V-71863" selected="true" /><select idref="V-71891" selected="true" /><select idref="V-71893" selected="true" /><select idref="V-71897" selected="true" /><select idref="V-71899" selected="true" /><select idref="V-71901" selected="true" /><select idref="V-71903" selected="true" /><select idref="V-71905" selected="true" /><select idref="V-71907" selected="true" /><select idref="V-71909" selected="true" /><select idref="V-71911" selected="true" /><select idref="V-71913" selected="true" /><select idref="V-71915" selected="true" /><select idref="V-71917" selected="true" /><select idref="V-71919" selected="true" /><select idref="V-71921" selected="true" /><select idref="V-71923" selected="true" /><select idref="V-71925" selected="true" /><select idref="V-71927" selected="true" /><select idref="V-71929" selected="true" /><select idref="V-71931" selected="true" /><select idref="V-71933" selected="true" /><select idref="V-71935" selected="true" /><select idref="V-71937" selected="true" /><select idref="V-71939" selected="true" /><select idref="V-71941" selected="true" /><select idref="V-71943" selected="true" /><select idref="V-71945" selected="true" /><select idref="V-71947" selected="true" /><select idref="V-71949" selected="true" /><select idref="V-71951" selected="true" /><select idref="V-71953" selected="true" /><select idref="V-71955" selected="true" /><select idref="V-71957" selected="true" /><select idref="V-71959" selected="true" /><select idref="V-71961" selected="true" /><select idref="V-71963" selected="true" /><select idref="V-71965" selected="true" /><select idref="V-71967" selected="true" /><select idref="V-71969" selected="true" /><select idref="V-71971" selected="true" /><select idref="V-71973" selected="true" /><select idref="V-71975" selected="true" /><select idref="V-71977" selected="true" /><select idref="V-71979" selected="true" /><select idref="V-71983" selected="true" /><select idref="V-71985" selected="true" /><select idref="V-71987" selected="true" /><select idref="V-71989" selected="true" /><select idref="V-71991" selected="true" /><select idref="V-71993" selected="true" /><select idref="V-71995" selected="true" /><select idref="V-71997" selected="true" /><select idref="V-71999" selected="true" /><select idref="V-72001" selected="true" /><select idref="V-72003" selected="true" /><select idref="V-72005" selected="true" /><select idref="V-72007" selected="true" /><select idref="V-72009" selected="true" /><select idref="V-72011" selected="true" /><select idref="V-72013" selected="true" /><select idref="V-72015" selected="true" /><select idref="V-72017" selected="true" /><select idref="V-72019" selected="true" /><select idref="V-72021" selected="true" /><select idref="V-72023" selected="true" /><select idref="V-72025" selected="true" /><select idref="V-72027" selected="true" /><select idref="V-72029" selected="true" /><select idref="V-72031" selected="true" /><select idref="V-72033" selected="true" /><select idref="V-72035" selected="true" /><select idref="V-72037" selected="true" /><select idref="V-72039" selected="true" /><select idref="V-72041" selected="true" /><select idref="V-72043" selected="true" /><select idref="V-72045" selected="true" /><select idref="V-72047" selected="true" /><select idref="V-72049" selected="true" /><select idref="V-72051" selected="true" /><select idref="V-72053" selected="true" /><select idref="V-72055" selected="true" /><select idref="V-72057" selected="true" /><select idref="V-72059" selected="true" /><select idref="V-72061" selected="true" /><select idref="V-72063" selected="true" /><select idref="V-72065" selected="true" /><select idref="V-72067" selected="true" /><select idref="V-72069" selected="true" /><select idref="V-72071" selected="true" /><select idref="V-72073" selected="true" /><select idref="V-72075" selected="true" /><select idref="V-72077" selected="true" /><select idref="V-72079" selected="true" /><select idref="V-72081" selected="true" /><select idref="V-72083" selected="true" /><select idref="V-72085" selected="true" /><select idref="V-72087" selected="true" /><select idref="V-72089" selected="true" /><select idref="V-72091" selected="true" /><select idref="V-72093" selected="true" /><select idref="V-72095" selected="true" /><select idref="V-72097" selected="true" /><select idref="V-72099" selected="true" /><select idref="V-72101" selected="true" /><select idref="V-72103" selected="true" /><select idref="V-72105" selected="true" /><select idref="V-72107" selected="true" /><select idref="V-72109" selected="true" /><select idref="V-72111" selected="true" /><select idref="V-72113" selected="true" /><select idref="V-72115" selected="true" /><select idref="V-72117" selected="true" /><select idref="V-72119" selected="true" /><select idref="V-72121" selected="true" /><select idref="V-72123" selected="true" /><select idref="V-72125" selected="true" /><select idref="V-72127" selected="true" /><select idref="V-72129" selected="true" /><select idref="V-72131" selected="true" /><select idref="V-72133" selected="true" /><select idref="V-72135" selected="true" /><select idref="V-72137" selected="true" /><select idref="V-72139" selected="true" /><select idref="V-72141" selected="true" /><select idref="V-72145" selected="true" /><select idref="V-72147" selected="true" /><select idref="V-72149" selected="true" /><select idref="V-72151" selected="true" /><select idref="V-72153" selected="true" /><select idref="V-72155" selected="true" /><select idref="V-72157" selected="true" /><select idref="V-72159" selected="true" /><select idref="V-72161" selected="true" /><select idref="V-72163" selected="true" /><select idref="V-72165" selected="true" /><select idref="V-72167" selected="true" /><select idref="V-72171" selected="true" /><select idref="V-72173" selected="true" /><select idref="V-72175" selected="true" /><select idref="V-72177" selected="true" /><select idref="V-72179" selected="true" /><select idref="V-72183" selected="true" /><select idref="V-72185" selected="true" /><select idref="V-72187" selected="true" /><select idref="V-72189" selected="true" /><select idref="V-72191" selected="true" /><select idref="V-72197" selected="true" /><select idref="V-72199" selected="true" /><select idref="V-72201" selected="true" /><select idref="V-72203" selected="true" /><select idref="V-72205" selected="true" /><select idref="V-72207" selected="true" /><select idref="V-72209" selected="true" /><select idref="V-72211" selected="true" /><select idref="V-72213" selected="true" /><select idref="V-72217" selected="true" /><select idref="V-72219" selected="true" /><select idref="V-72221" selected="true" /><select idref="V-72223" selected="true" /><select idref="V-72225" selected="true" /><select idref="V-72227" selected="true" /><select idref="V-72229" selected="true" /><select idref="V-72231" selected="true" /><select idref="V-72233" selected="true" /><select idref="V-72235" selected="true" /><select idref="V-72237" selected="true" /><select idref="V-72239" selected="true" /><select idref="V-72241" selected="true" /><select idref="V-72243" selected="true" /><select idref="V-72245" selected="true" /><select idref="V-72247" selected="true" /><select idref="V-72249" selected="true" /><select idref="V-72251" selected="true" /><select idref="V-72253" selected="true" /><select idref="V-72255" selected="true" /><select idref="V-72257" selected="true" /><select idref="V-72259" selected="true" /><select idref="V-72261" selected="true" /><select idref="V-72263" selected="true" /><select idref="V-72265" selected="true" /><select idref="V-72267" selected="true" /><select idref="V-72269" selected="true" /><select idref="V-72273" selected="true" /><select idref="V-72275" selected="true" /><select idref="V-72277" selected="true" /><select idref="V-72279" selected="true" /><select idref="V-72281" selected="true" /><select idref="V-72283" selected="true" /><select idref="V-72285" selected="true" /><select idref="V-72287" selected="true" /><select idref="V-72289" selected="true" /><select idref="V-72291" selected="true" /><select idref="V-72293" selected="true" /><select idref="V-72295" selected="true" /><select idref="V-72297" selected="true" /><select idref="V-72299" selected="true" /><select idref="V-72301" selected="true" /><select idref="V-72303" selected="true" /><select idref="V-72305" selected="true" /><select idref="V-72307" selected="true" /><select idref="V-72309" selected="true" /><select idref="V-72311" selected="true" /><select idref="V-72313" selected="true" /><select idref="V-72315" selected="true" /><select idref="V-72317" selected="true" /><select idref="V-72319" selected="true" /><select idref="V-72417" selected="true" /><select idref="V-72427" selected="true" /><select idref="V-72433" selected="true" /><select idref="V-73155" selected="true" /><select idref="V-73157" selected="true" /><select idref="V-73159" selected="true" /><select idref="V-73161" selected="true" /><select idref="V-73163" selected="true" /><select idref="V-73165" selected="true" /><select idref="V-73167" selected="true" /><select idref="V-73171" selected="true" /><select idref="V-73173" selected="true" /><select idref="V-73175" selected="true" /><select idref="V-73177" selected="true" /><select idref="V-77819" selected="true" /><select idref="V-77821" selected="true" /><select idref="V-77823" selected="true" /><select idref="V-77825" selected="true" /><select idref="V-78995" selected="true" /><select idref="V-78997" selected="true" /><select idref="V-78999" selected="true" /><select idref="V-79001" selected="true" /><select idref="V-81003" selected="true" /><select idref="V-81005" selected="true" /><select idref="V-81007" selected="true" /><select idref="V-81009" selected="true" /><select idref="V-81011" selected="true" /><select idref="V-81013" selected="true" /><select idref="V-81015" selected="true" /><select idref="V-81017" selected="true" /><select idref="V-81019" selected="true" /><select idref="V-81021" selected="true" /><select idref="V-92251" selected="true" /><select idref="V-92253" selected="true" /><select idref="V-92255" selected="true" /><select idref="V-94843" selected="true" /><select idref="V-100023" selected="true" /></Profile><Profile id="MAC-1_Sensitive"><title>I - Mission Critical Sensitive</title><description>&lt;ProfileDescription&gt;&lt;/ProfileDescription&gt;</description><select idref="V-71849" selected="true" /><select idref="V-71855" selected="true" /><select idref="V-71859" selected="true" /><select idref="V-71861" selected="true" /><select idref="V-71863" selected="true" /><select idref="V-71891" selected="true" /><select idref="V-71893" selected="true" /><select idref="V-71897" selected="true" /><select idref="V-71899" selected="true" /><select idref="V-71901" selected="true" /><select idref="V-71903" selected="true" /><select idref="V-71905" selected="true" /><select idref="V-71907" selected="true" /><select idref="V-71909" selected="true" /><select idref="V-71911" selected="true" /><select idref="V-71913" selected="true" /><select idref="V-71915" selected="true" /><select idref="V-71917" selected="true" /><select idref="V-71919" selected="true" /><select idref="V-71921" selected="true" /><select idref="V-71923" selected="true" /><select idref="V-71925" selected="true" /><select idref="V-71927" selected="true" /><select idref="V-71929" selected="true" /><select idref="V-71931" selected="true" /><select idref="V-71933" selected="true" /><select idref="V-71935" selected="true" /><select idref="V-71937" selected="true" /><select idref="V-71939" selected="true" /><select idref="V-71941" selected="true" /><select idref="V-71943" selected="true" /><select idref="V-71945" selected="true" /><select idref="V-71947" selected="true" /><select idref="V-71949" selected="true" /><select idref="V-71951" selected="true" /><select idref="V-71953" selected="true" /><select idref="V-71955" selected="true" /><select idref="V-71957" selected="true" /><select idref="V-71959" selected="true" /><select idref="V-71961" selected="true" /><select idref="V-71963" selected="true" /><select idref="V-71965" selected="true" /><select idref="V-71967" selected="true" /><select idref="V-71969" selected="true" /><select idref="V-71971" selected="true" /><select idref="V-71973" selected="true" /><select idref="V-71975" selected="true" /><select idref="V-71977" selected="true" /><select idref="V-71979" selected="true" /><select idref="V-71983" selected="true" /><select idref="V-71985" selected="true" /><select idref="V-71987" selected="true" /><select idref="V-71989" selected="true" /><select idref="V-71991" selected="true" /><select idref="V-71993" selected="true" /><select idref="V-71995" selected="true" /><select idref="V-71997" selected="true" /><select idref="V-71999" selected="true" /><select idref="V-72001" selected="true" /><select idref="V-72003" selected="true" /><select idref="V-72005" selected="true" /><select idref="V-72007" selected="true" /><select idref="V-72009" selected="true" /><select idref="V-72011" selected="true" /><select idref="V-72013" selected="true" /><select idref="V-72015" selected="true" /><select idref="V-72017" selected="true" /><select idref="V-72019" selected="true" /><select idref="V-72021" selected="true" /><select idref="V-72023" selected="true" /><select idref="V-72025" selected="true" /><select idref="V-72027" selected="true" /><select idref="V-72029" selected="true" /><select idref="V-72031" selected="true" /><select idref="V-72033" selected="true" /><select idref="V-72035" selected="true" /><select idref="V-72037" selected="true" /><select idref="V-72039" selected="true" /><select idref="V-72041" selected="true" /><select idref="V-72043" selected="true" /><select idref="V-72045" selected="true" /><select idref="V-72047" selected="true" /><select idref="V-72049" selected="true" /><select idref="V-72051" selected="true" /><select idref="V-72053" selected="true" /><select idref="V-72055" selected="true" /><select idref="V-72057" selected="true" /><select idref="V-72059" selected="true" /><select idref="V-72061" selected="true" /><select idref="V-72063" selected="true" /><select idref="V-72065" selected="true" /><select idref="V-72067" selected="true" /><select idref="V-72069" selected="true" /><select idref="V-72071" selected="true" /><select idref="V-72073" selected="true" /><select idref="V-72075" selected="true" /><select idref="V-72077" selected="true" /><select idref="V-72079" selected="true" /><select idref="V-72081" selected="true" /><select idref="V-72083" selected="true" /><select idref="V-72085" selected="true" /><select idref="V-72087" selected="true" /><select idref="V-72089" selected="true" /><select idref="V-72091" selected="true" /><select idref="V-72093" selected="true" /><select idref="V-72095" selected="true" /><select idref="V-72097" selected="true" /><select idref="V-72099" selected="true" /><select idref="V-72101" selected="true" /><select idref="V-72103" selected="true" /><select idref="V-72105" selected="true" /><select idref="V-72107" selected="true" /><select idref="V-72109" selected="true" /><select idref="V-72111" selected="true" /><select idref="V-72113" selected="true" /><select idref="V-72115" selected="true" /><select idref="V-72117" selected="true" /><select idref="V-72119" selected="true" /><select idref="V-72121" selected="true" /><select idref="V-72123" selected="true" /><select idref="V-72125" selected="true" /><select idref="V-72127" selected="true" /><select idref="V-72129" selected="true" /><select idref="V-72131" selected="true" /><select idref="V-72133" selected="true" /><select idref="V-72135" selected="true" /><select idref="V-72137" selected="true" /><select idref="V-72139" selected="true" /><select idref="V-72141" selected="true" /><select idref="V-72145" selected="true" /><select idref="V-72147" selected="true" /><select idref="V-72149" selected="true" /><select idref="V-72151" selected="true" /><select idref="V-72153" selected="true" /><select idref="V-72155" selected="true" /><select idref="V-72157" selected="true" /><select idref="V-72159" selected="true" /><select idref="V-72161" selected="true" /><select idref="V-72163" selected="true" /><select idref="V-72165" selected="true" /><select idref="V-72167" selected="true" /><select idref="V-72171" selected="true" /><select idref="V-72173" selected="true" /><select idref="V-72175" selected="true" /><select idref="V-72177" selected="true" /><select idref="V-72179" selected="true" /><select idref="V-72183" selected="true" /><select idref="V-72185" selected="true" /><select idref="V-72187" selected="true" /><select idref="V-72189" selected="true" /><select idref="V-72191" selected="true" /><select idref="V-72197" selected="true" /><select idref="V-72199" selected="true" /><select idref="V-72201" selected="true" /><select idref="V-72203" selected="true" /><select idref="V-72205" selected="true" /><select idref="V-72207" selected="true" /><select idref="V-72209" selected="true" /><select idref="V-72211" selected="true" /><select idref="V-72213" selected="true" /><select idref="V-72217" selected="true" /><select idref="V-72219" selected="true" /><select idref="V-72221" selected="true" /><select idref="V-72223" selected="true" /><select idref="V-72225" selected="true" /><select idref="V-72227" selected="true" /><select idref="V-72229" selected="true" /><select idref="V-72231" selected="true" /><select idref="V-72233" selected="true" /><select idref="V-72235" selected="true" /><select idref="V-72237" selected="true" /><select idref="V-72239" selected="true" /><select idref="V-72241" selected="true" /><select idref="V-72243" selected="true" /><select idref="V-72245" selected="true" /><select idref="V-72247" selected="true" /><select idref="V-72249" selected="true" /><select idref="V-72251" selected="true" /><select idref="V-72253" selected="true" /><select idref="V-72255" selected="true" /><select idref="V-72257" selected="true" /><select idref="V-72259" selected="true" /><select idref="V-72261" selected="true" /><select idref="V-72263" selected="true" /><select idref="V-72265" selected="true" /><select idref="V-72267" selected="true" /><select idref="V-72269" selected="true" /><select idref="V-72273" selected="true" /><select idref="V-72275" selected="true" /><select idref="V-72277" selected="true" /><select idref="V-72279" selected="true" /><select idref="V-72281" selected="true" /><select idref="V-72283" selected="true" /><select idref="V-72285" selected="true" /><select idref="V-72287" selected="true" /><select idref="V-72289" selected="true" /><select idref="V-72291" selected="true" /><select idref="V-72293" selected="true" /><select idref="V-72295" selected="true" /><select idref="V-72297" selected="true" /><select idref="V-72299" selected="true" /><select idref="V-72301" selected="true" /><select idref="V-72303" selected="true" /><select idref="V-72305" selected="true" /><select idref="V-72307" selected="true" /><select idref="V-72309" selected="true" /><select idref="V-72311" selected="true" /><select idref="V-72313" selected="true" /><select idref="V-72315" selected="true" /><select idref="V-72317" selected="true" /><select idref="V-72319" selected="true" /><select idref="V-72417" selected="true" /><select idref="V-72427" selected="true" /><select idref="V-72433" selected="true" /><select idref="V-73155" selected="true" /><select idref="V-73157" selected="true" /><select idref="V-73159" selected="true" /><select idref="V-73161" selected="true" /><select idref="V-73163" selected="true" /><select idref="V-73165" selected="true" /><select idref="V-73167" selected="true" /><select idref="V-73171" selected="true" /><select idref="V-73173" selected="true" /><select idref="V-73175" selected="true" /><select idref="V-73177" selected="true" /><select idref="V-77819" selected="true" /><select idref="V-77821" selected="true" /><select idref="V-77823" selected="true" /><select idref="V-77825" selected="true" /><select idref="V-78995" selected="true" /><select idref="V-78997" selected="true" /><select idref="V-78999" selected="true" /><select idref="V-79001" selected="true" /><select idref="V-81003" selected="true" /><select idref="V-81005" selected="true" /><select idref="V-81007" selected="true" /><select idref="V-81009" selected="true" /><select idref="V-81011" selected="true" /><select idref="V-81013" selected="true" /><select idref="V-81015" selected="true" /><select idref="V-81017" selected="true" /><select idref="V-81019" selected="true" /><select idref="V-81021" selected="true" /><select idref="V-92251" selected="true" /><select idref="V-92253" selected="true" /><select idref="V-92255" selected="true" /><select idref="V-94843" selected="true" /><select idref="V-100023" selected="true" /></Profile><Profile id="MAC-2_Classified"><title>II - Mission Support Classified</title><description>&lt;ProfileDescription&gt;&lt;/ProfileDescription&gt;</description><select idref="V-71849" selected="true" /><select idref="V-71855" selected="true" /><select idref="V-71859" selected="true" /><select idref="V-71861" selected="true" /><select idref="V-71863" selected="true" /><select idref="V-71891" selected="true" /><select idref="V-71893" selected="true" /><select idref="V-71897" selected="true" /><select idref="V-71899" selected="true" /><select idref="V-71901" selected="true" /><select idref="V-71903" selected="true" /><select idref="V-71905" selected="true" /><select idref="V-71907" selected="true" /><select idref="V-71909" selected="true" /><select idref="V-71911" selected="true" /><select idref="V-71913" selected="true" /><select idref="V-71915" selected="true" /><select idref="V-71917" selected="true" /><select idref="V-71919" selected="true" /><select idref="V-71921" selected="true" /><select idref="V-71923" selected="true" /><select idref="V-71925" selected="true" /><select idref="V-71927" selected="true" /><select idref="V-71929" selected="true" /><select idref="V-71931" selected="true" /><select idref="V-71933" selected="true" /><select idref="V-71935" selected="true" /><select idref="V-71937" selected="true" /><select idref="V-71939" selected="true" /><select idref="V-71941" selected="true" /><select idref="V-71943" selected="true" /><select idref="V-71945" selected="true" /><select idref="V-71947" selected="true" /><select idref="V-71949" selected="true" /><select idref="V-71951" selected="true" /><select idref="V-71953" selected="true" /><select idref="V-71955" selected="true" /><select idref="V-71957" selected="true" /><select idref="V-71959" selected="true" /><select idref="V-71961" selected="true" /><select idref="V-71963" selected="true" /><select idref="V-71965" selected="true" /><select idref="V-71967" selected="true" /><select idref="V-71969" selected="true" /><select idref="V-71971" selected="true" /><select idref="V-71973" selected="true" /><select idref="V-71975" selected="true" /><select idref="V-71977" selected="true" /><select idref="V-71979" selected="true" /><select idref="V-71983" selected="true" /><select idref="V-71985" selected="true" /><select idref="V-71987" selected="true" /><select idref="V-71989" selected="true" /><select idref="V-71991" selected="true" /><select idref="V-71993" selected="true" /><select idref="V-71995" selected="true" /><select idref="V-71997" selected="true" /><select idref="V-71999" selected="true" /><select idref="V-72001" selected="true" /><select idref="V-72003" selected="true" /><select idref="V-72005" selected="true" /><select idref="V-72007" selected="true" /><select idref="V-72009" selected="true" /><select idref="V-72011" selected="true" /><select idref="V-72013" selected="true" /><select idref="V-72015" selected="true" /><select idref="V-72017" selected="true" /><select idref="V-72019" selected="true" /><select idref="V-72021" selected="true" /><select idref="V-72023" selected="true" /><select idref="V-72025" selected="true" /><select idref="V-72027" selected="true" /><select idref="V-72029" selected="true" /><select idref="V-72031" selected="true" /><select idref="V-72033" selected="true" /><select idref="V-72035" selected="true" /><select idref="V-72037" selected="true" /><select idref="V-72039" selected="true" /><select idref="V-72041" selected="true" /><select idref="V-72043" selected="true" /><select idref="V-72045" selected="true" /><select idref="V-72047" selected="true" /><select idref="V-72049" selected="true" /><select idref="V-72051" selected="true" /><select idref="V-72053" selected="true" /><select idref="V-72055" selected="true" /><select idref="V-72057" selected="true" /><select idref="V-72059" selected="true" /><select idref="V-72061" selected="true" /><select idref="V-72063" selected="true" /><select idref="V-72065" selected="true" /><select idref="V-72067" selected="true" /><select idref="V-72069" selected="true" /><select idref="V-72071" selected="true" /><select idref="V-72073" selected="true" /><select idref="V-72075" selected="true" /><select idref="V-72077" selected="true" /><select idref="V-72079" selected="true" /><select idref="V-72081" selected="true" /><select idref="V-72083" selected="true" /><select idref="V-72085" selected="true" /><select idref="V-72087" selected="true" /><select idref="V-72089" selected="true" /><select idref="V-72091" selected="true" /><select idref="V-72093" selected="true" /><select idref="V-72095" selected="true" /><select idref="V-72097" selected="true" /><select idref="V-72099" selected="true" /><select idref="V-72101" selected="true" /><select idref="V-72103" selected="true" /><select idref="V-72105" selected="true" /><select idref="V-72107" selected="true" /><select idref="V-72109" selected="true" /><select idref="V-72111" selected="true" /><select idref="V-72113" selected="true" /><select idref="V-72115" selected="true" /><select idref="V-72117" selected="true" /><select idref="V-72119" selected="true" /><select idref="V-72121" selected="true" /><select idref="V-72123" selected="true" /><select idref="V-72125" selected="true" /><select idref="V-72127" selected="true" /><select idref="V-72129" selected="true" /><select idref="V-72131" selected="true" /><select idref="V-72133" selected="true" /><select idref="V-72135" selected="true" /><select idref="V-72137" selected="true" /><select idref="V-72139" selected="true" /><select idref="V-72141" selected="true" /><select idref="V-72145" selected="true" /><select idref="V-72147" selected="true" /><select idref="V-72149" selected="true" /><select idref="V-72151" selected="true" /><select idref="V-72153" selected="true" /><select idref="V-72155" selected="true" /><select idref="V-72157" selected="true" /><select idref="V-72159" selected="true" /><select idref="V-72161" selected="true" /><select idref="V-72163" selected="true" /><select idref="V-72165" selected="true" /><select idref="V-72167" selected="true" /><select idref="V-72171" selected="true" /><select idref="V-72173" selected="true" /><select idref="V-72175" selected="true" /><select idref="V-72177" selected="true" /><select idref="V-72179" selected="true" /><select idref="V-72183" selected="true" /><select idref="V-72185" selected="true" /><select idref="V-72187" selected="true" /><select idref="V-72189" selected="true" /><select idref="V-72191" selected="true" /><select idref="V-72197" selected="true" /><select idref="V-72199" selected="true" /><select idref="V-72201" selected="true" /><select idref="V-72203" selected="true" /><select idref="V-72205" selected="true" /><select idref="V-72207" selected="true" /><select idref="V-72209" selected="true" /><select idref="V-72211" selected="true" /><select idref="V-72213" selected="true" /><select idref="V-72217" selected="true" /><select idref="V-72219" selected="true" /><select idref="V-72221" selected="true" /><select idref="V-72223" selected="true" /><select idref="V-72225" selected="true" /><select idref="V-72227" selected="true" /><select idref="V-72229" selected="true" /><select idref="V-72231" selected="true" /><select idref="V-72233" selected="true" /><select idref="V-72235" selected="true" /><select idref="V-72237" selected="true" /><select idref="V-72239" selected="true" /><select idref="V-72241" selected="true" /><select idref="V-72243" selected="true" /><select idref="V-72245" selected="true" /><select idref="V-72247" selected="true" /><select idref="V-72249" selected="true" /><select idref="V-72251" selected="true" /><select idref="V-72253" selected="true" /><select idref="V-72255" selected="true" /><select idref="V-72257" selected="true" /><select idref="V-72259" selected="true" /><select idref="V-72261" selected="true" /><select idref="V-72263" selected="true" /><select idref="V-72265" selected="true" /><select idref="V-72267" selected="true" /><select idref="V-72269" selected="true" /><select idref="V-72273" selected="true" /><select idref="V-72275" selected="true" /><select idref="V-72277" selected="true" /><select idref="V-72279" selected="true" /><select idref="V-72281" selected="true" /><select idref="V-72283" selected="true" /><select idref="V-72285" selected="true" /><select idref="V-72287" selected="true" /><select idref="V-72289" selected="true" /><select idref="V-72291" selected="true" /><select idref="V-72293" selected="true" /><select idref="V-72295" selected="true" /><select idref="V-72297" selected="true" /><select idref="V-72299" selected="true" /><select idref="V-72301" selected="true" /><select idref="V-72303" selected="true" /><select idref="V-72305" selected="true" /><select idref="V-72307" selected="true" /><select idref="V-72309" selected="true" /><select idref="V-72311" selected="true" /><select idref="V-72313" selected="true" /><select idref="V-72315" selected="true" /><select idref="V-72317" selected="true" /><select idref="V-72319" selected="true" /><select idref="V-72417" selected="true" /><select idref="V-72427" selected="true" /><select idref="V-72433" selected="true" /><select idref="V-73155" selected="true" /><select idref="V-73157" selected="true" /><select idref="V-73159" selected="true" /><select idref="V-73161" selected="true" /><select idref="V-73163" selected="true" /><select idref="V-73165" selected="true" /><select idref="V-73167" selected="true" /><select idref="V-73171" selected="true" /><select idref="V-73173" selected="true" /><select idref="V-73175" selected="true" /><select idref="V-73177" selected="true" /><select idref="V-77819" selected="true" /><select idref="V-77821" selected="true" /><select idref="V-77823" selected="true" /><select idref="V-77825" selected="true" /><select idref="V-78995" selected="true" /><select idref="V-78997" selected="true" /><select idref="V-78999" selected="true" /><select idref="V-79001" selected="true" /><select idref="V-81003" selected="true" /><select idref="V-81005" selected="true" /><select idref="V-81007" selected="true" /><select idref="V-81009" selected="true" /><select idref="V-81011" selected="true" /><select idref="V-81013" selected="true" /><select idref="V-81015" selected="true" /><select idref="V-81017" selected="true" /><select idref="V-81019" selected="true" /><select idref="V-81021" selected="true" /><select idref="V-92251" selected="true" /><select idref="V-92253" selected="true" /><select idref="V-92255" selected="true" /><select idref="V-94843" selected="true" /><select idref="V-100023" selected="true" /></Profile><Profile id="MAC-2_Public"><title>II - Mission Support Public</title><description>&lt;ProfileDescription&gt;&lt;/ProfileDescription&gt;</description><select idref="V-71849" selected="true" /><select idref="V-71855" selected="true" /><select idref="V-71859" selected="true" /><select idref="V-71861" selected="true" /><select idref="V-71863" selected="true" /><select idref="V-71891" selected="true" /><select idref="V-71893" selected="true" /><select idref="V-71897" selected="true" /><select idref="V-71899" selected="true" /><select idref="V-71901" selected="true" /><select idref="V-71903" selected="true" /><select idref="V-71905" selected="true" /><select idref="V-71907" selected="true" /><select idref="V-71909" selected="true" /><select idref="V-71911" selected="true" /><select idref="V-71913" selected="true" /><select idref="V-71915" selected="true" /><select idref="V-71917" selected="true" /><select idref="V-71919" selected="true" /><select idref="V-71921" selected="true" /><select idref="V-71923" selected="true" /><select idref="V-71925" selected="true" /><select idref="V-71927" selected="true" /><select idref="V-71929" selected="true" /><select idref="V-71931" selected="true" /><select idref="V-71933" selected="true" /><select idref="V-71935" selected="true" /><select idref="V-71937" selected="true" /><select idref="V-71939" selected="true" /><select idref="V-71941" selected="true" /><select idref="V-71943" selected="true" /><select idref="V-71945" selected="true" /><select idref="V-71947" selected="true" /><select idref="V-71949" selected="true" /><select idref="V-71951" selected="true" /><select idref="V-71953" selected="true" /><select idref="V-71955" selected="true" /><select idref="V-71957" selected="true" /><select idref="V-71959" selected="true" /><select idref="V-71961" selected="true" /><select idref="V-71963" selected="true" /><select idref="V-71965" selected="true" /><select idref="V-71967" selected="true" /><select idref="V-71969" selected="true" /><select idref="V-71971" selected="true" /><select idref="V-71973" selected="true" /><select idref="V-71975" selected="true" /><select idref="V-71977" selected="true" /><select idref="V-71979" selected="true" /><select idref="V-71983" selected="true" /><select idref="V-71985" selected="true" /><select idref="V-71987" selected="true" /><select idref="V-71989" selected="true" /><select idref="V-71991" selected="true" /><select idref="V-71993" selected="true" /><select idref="V-71995" selected="true" /><select idref="V-71997" selected="true" /><select idref="V-71999" selected="true" /><select idref="V-72001" selected="true" /><select idref="V-72003" selected="true" /><select idref="V-72005" selected="true" /><select idref="V-72007" selected="true" /><select idref="V-72009" selected="true" /><select idref="V-72011" selected="true" /><select idref="V-72013" selected="true" /><select idref="V-72015" selected="true" /><select idref="V-72017" selected="true" /><select idref="V-72019" selected="true" /><select idref="V-72021" selected="true" /><select idref="V-72023" selected="true" /><select idref="V-72025" selected="true" /><select idref="V-72027" selected="true" /><select idref="V-72029" selected="true" /><select idref="V-72031" selected="true" /><select idref="V-72033" selected="true" /><select idref="V-72035" selected="true" /><select idref="V-72037" selected="true" /><select idref="V-72039" selected="true" /><select idref="V-72041" selected="true" /><select idref="V-72043" selected="true" /><select idref="V-72045" selected="true" /><select idref="V-72047" selected="true" /><select idref="V-72049" selected="true" /><select idref="V-72051" selected="true" /><select idref="V-72053" selected="true" /><select idref="V-72055" selected="true" /><select idref="V-72057" selected="true" /><select idref="V-72059" selected="true" /><select idref="V-72061" selected="true" /><select idref="V-72063" selected="true" /><select idref="V-72065" selected="true" /><select idref="V-72067" selected="true" /><select idref="V-72069" selected="true" /><select idref="V-72071" selected="true" /><select idref="V-72073" selected="true" /><select idref="V-72075" selected="true" /><select idref="V-72077" selected="true" /><select idref="V-72079" selected="true" /><select idref="V-72081" selected="true" /><select idref="V-72083" selected="true" /><select idref="V-72085" selected="true" /><select idref="V-72087" selected="true" /><select idref="V-72089" selected="true" /><select idref="V-72091" selected="true" /><select idref="V-72093" selected="true" /><select idref="V-72095" selected="true" /><select idref="V-72097" selected="true" /><select idref="V-72099" selected="true" /><select idref="V-72101" selected="true" /><select idref="V-72103" selected="true" /><select idref="V-72105" selected="true" /><select idref="V-72107" selected="true" /><select idref="V-72109" selected="true" /><select idref="V-72111" selected="true" /><select idref="V-72113" selected="true" /><select idref="V-72115" selected="true" /><select idref="V-72117" selected="true" /><select idref="V-72119" selected="true" /><select idref="V-72121" selected="true" /><select idref="V-72123" selected="true" /><select idref="V-72125" selected="true" /><select idref="V-72127" selected="true" /><select idref="V-72129" selected="true" /><select idref="V-72131" selected="true" /><select idref="V-72133" selected="true" /><select idref="V-72135" selected="true" /><select idref="V-72137" selected="true" /><select idref="V-72139" selected="true" /><select idref="V-72141" selected="true" /><select idref="V-72145" selected="true" /><select idref="V-72147" selected="true" /><select idref="V-72149" selected="true" /><select idref="V-72151" selected="true" /><select idref="V-72153" selected="true" /><select idref="V-72155" selected="true" /><select idref="V-72157" selected="true" /><select idref="V-72159" selected="true" /><select idref="V-72161" selected="true" /><select idref="V-72163" selected="true" /><select idref="V-72165" selected="true" /><select idref="V-72167" selected="true" /><select idref="V-72171" selected="true" /><select idref="V-72173" selected="true" /><select idref="V-72175" selected="true" /><select idref="V-72177" selected="true" /><select idref="V-72179" selected="true" /><select idref="V-72183" selected="true" /><select idref="V-72185" selected="true" /><select idref="V-72187" selected="true" /><select idref="V-72189" selected="true" /><select idref="V-72191" selected="true" /><select idref="V-72197" selected="true" /><select idref="V-72199" selected="true" /><select idref="V-72201" selected="true" /><select idref="V-72203" selected="true" /><select idref="V-72205" selected="true" /><select idref="V-72207" selected="true" /><select idref="V-72209" selected="true" /><select idref="V-72211" selected="true" /><select idref="V-72213" selected="true" /><select idref="V-72217" selected="true" /><select idref="V-72219" selected="true" /><select idref="V-72221" selected="true" /><select idref="V-72223" selected="true" /><select idref="V-72225" selected="true" /><select idref="V-72227" selected="true" /><select idref="V-72229" selected="true" /><select idref="V-72231" selected="true" /><select idref="V-72233" selected="true" /><select idref="V-72235" selected="true" /><select idref="V-72237" selected="true" /><select idref="V-72239" selected="true" /><select idref="V-72241" selected="true" /><select idref="V-72243" selected="true" /><select idref="V-72245" selected="true" /><select idref="V-72247" selected="true" /><select idref="V-72249" selected="true" /><select idref="V-72251" selected="true" /><select idref="V-72253" selected="true" /><select idref="V-72255" selected="true" /><select idref="V-72257" selected="true" /><select idref="V-72259" selected="true" /><select idref="V-72261" selected="true" /><select idref="V-72263" selected="true" /><select idref="V-72265" selected="true" /><select idref="V-72267" selected="true" /><select idref="V-72269" selected="true" /><select idref="V-72273" selected="true" /><select idref="V-72275" selected="true" /><select idref="V-72277" selected="true" /><select idref="V-72279" selected="true" /><select idref="V-72281" selected="true" /><select idref="V-72283" selected="true" /><select idref="V-72285" selected="true" /><select idref="V-72287" selected="true" /><select idref="V-72289" selected="true" /><select idref="V-72291" selected="true" /><select idref="V-72293" selected="true" /><select idref="V-72295" selected="true" /><select idref="V-72297" selected="true" /><select idref="V-72299" selected="true" /><select idref="V-72301" selected="true" /><select idref="V-72303" selected="true" /><select idref="V-72305" selected="true" /><select idref="V-72307" selected="true" /><select idref="V-72309" selected="true" /><select idref="V-72311" selected="true" /><select idref="V-72313" selected="true" /><select idref="V-72315" selected="true" /><select idref="V-72317" selected="true" /><select idref="V-72319" selected="true" /><select idref="V-72417" selected="true" /><select idref="V-72427" selected="true" /><select idref="V-72433" selected="true" /><select idref="V-73155" selected="true" /><select idref="V-73157" selected="true" /><select idref="V-73159" selected="true" /><select idref="V-73161" selected="true" /><select idref="V-73163" selected="true" /><select idref="V-73165" selected="true" /><select idref="V-73167" selected="true" /><select idref="V-73171" selected="true" /><select idref="V-73173" selected="true" /><select idref="V-73175" selected="true" /><select idref="V-73177" selected="true" /><select idref="V-77819" selected="true" /><select idref="V-77821" selected="true" /><select idref="V-77823" selected="true" /><select idref="V-77825" selected="true" /><select idref="V-78995" selected="true" /><select idref="V-78997" selected="true" /><select idref="V-78999" selected="true" /><select idref="V-79001" selected="true" /><select idref="V-81003" selected="true" /><select idref="V-81005" selected="true" /><select idref="V-81007" selected="true" /><select idref="V-81009" selected="true" /><select idref="V-81011" selected="true" /><select idref="V-81013" selected="true" /><select idref="V-81015" selected="true" /><select idref="V-81017" selected="true" /><select idref="V-81019" selected="true" /><select idref="V-81021" selected="true" /><select idref="V-92251" selected="true" /><select idref="V-92253" selected="true" /><select idref="V-92255" selected="true" /><select idref="V-94843" selected="true" /><select idref="V-100023" selected="true" /></Profile><Profile id="MAC-2_Sensitive"><title>II - Mission Support Sensitive</title><description>&lt;ProfileDescription&gt;&lt;/ProfileDescription&gt;</description><select idref="V-71849" selected="true" /><select idref="V-71855" selected="true" /><select idref="V-71859" selected="true" /><select idref="V-71861" selected="true" /><select idref="V-71863" selected="true" /><select idref="V-71891" selected="true" /><select idref="V-71893" selected="true" /><select idref="V-71897" selected="true" /><select idref="V-71899" selected="true" /><select idref="V-71901" selected="true" /><select idref="V-71903" selected="true" /><select idref="V-71905" selected="true" /><select idref="V-71907" selected="true" /><select idref="V-71909" selected="true" /><select idref="V-71911" selected="true" /><select idref="V-71913" selected="true" /><select idref="V-71915" selected="true" /><select idref="V-71917" selected="true" /><select idref="V-71919" selected="true" /><select idref="V-71921" selected="true" /><select idref="V-71923" selected="true" /><select idref="V-71925" selected="true" /><select idref="V-71927" selected="true" /><select idref="V-71929" selected="true" /><select idref="V-71931" selected="true" /><select idref="V-71933" selected="true" /><select idref="V-71935" selected="true" /><select idref="V-71937" selected="true" /><select idref="V-71939" selected="true" /><select idref="V-71941" selected="true" /><select idref="V-71943" selected="true" /><select idref="V-71945" selected="true" /><select idref="V-71947" selected="true" /><select idref="V-71949" selected="true" /><select idref="V-71951" selected="true" /><select idref="V-71953" selected="true" /><select idref="V-71955" selected="true" /><select idref="V-71957" selected="true" /><select idref="V-71959" selected="true" /><select idref="V-71961" selected="true" /><select idref="V-71963" selected="true" /><select idref="V-71965" selected="true" /><select idref="V-71967" selected="true" /><select idref="V-71969" selected="true" /><select idref="V-71971" selected="true" /><select idref="V-71973" selected="true" /><select idref="V-71975" selected="true" /><select idref="V-71977" selected="true" /><select idref="V-71979" selected="true" /><select idref="V-71983" selected="true" /><select idref="V-71985" selected="true" /><select idref="V-71987" selected="true" /><select idref="V-71989" selected="true" /><select idref="V-71991" selected="true" /><select idref="V-71993" selected="true" /><select idref="V-71995" selected="true" /><select idref="V-71997" selected="true" /><select idref="V-71999" selected="true" /><select idref="V-72001" selected="true" /><select idref="V-72003" selected="true" /><select idref="V-72005" selected="true" /><select idref="V-72007" selected="true" /><select idref="V-72009" selected="true" /><select idref="V-72011" selected="true" /><select idref="V-72013" selected="true" /><select idref="V-72015" selected="true" /><select idref="V-72017" selected="true" /><select idref="V-72019" selected="true" /><select idref="V-72021" selected="true" /><select idref="V-72023" selected="true" /><select idref="V-72025" selected="true" /><select idref="V-72027" selected="true" /><select idref="V-72029" selected="true" /><select idref="V-72031" selected="true" /><select idref="V-72033" selected="true" /><select idref="V-72035" selected="true" /><select idref="V-72037" selected="true" /><select idref="V-72039" selected="true" /><select idref="V-72041" selected="true" /><select idref="V-72043" selected="true" /><select idref="V-72045" selected="true" /><select idref="V-72047" selected="true" /><select idref="V-72049" selected="true" /><select idref="V-72051" selected="true" /><select idref="V-72053" selected="true" /><select idref="V-72055" selected="true" /><select idref="V-72057" selected="true" /><select idref="V-72059" selected="true" /><select idref="V-72061" selected="true" /><select idref="V-72063" selected="true" /><select idref="V-72065" selected="true" /><select idref="V-72067" selected="true" /><select idref="V-72069" selected="true" /><select idref="V-72071" selected="true" /><select idref="V-72073" selected="true" /><select idref="V-72075" selected="true" /><select idref="V-72077" selected="true" /><select idref="V-72079" selected="true" /><select idref="V-72081" selected="true" /><select idref="V-72083" selected="true" /><select idref="V-72085" selected="true" /><select idref="V-72087" selected="true" /><select idref="V-72089" selected="true" /><select idref="V-72091" selected="true" /><select idref="V-72093" selected="true" /><select idref="V-72095" selected="true" /><select idref="V-72097" selected="true" /><select idref="V-72099" selected="true" /><select idref="V-72101" selected="true" /><select idref="V-72103" selected="true" /><select idref="V-72105" selected="true" /><select idref="V-72107" selected="true" /><select idref="V-72109" selected="true" /><select idref="V-72111" selected="true" /><select idref="V-72113" selected="true" /><select idref="V-72115" selected="true" /><select idref="V-72117" selected="true" /><select idref="V-72119" selected="true" /><select idref="V-72121" selected="true" /><select idref="V-72123" selected="true" /><select idref="V-72125" selected="true" /><select idref="V-72127" selected="true" /><select idref="V-72129" selected="true" /><select idref="V-72131" selected="true" /><select idref="V-72133" selected="true" /><select idref="V-72135" selected="true" /><select idref="V-72137" selected="true" /><select idref="V-72139" selected="true" /><select idref="V-72141" selected="true" /><select idref="V-72145" selected="true" /><select idref="V-72147" selected="true" /><select idref="V-72149" selected="true" /><select idref="V-72151" selected="true" /><select idref="V-72153" selected="true" /><select idref="V-72155" selected="true" /><select idref="V-72157" selected="true" /><select idref="V-72159" selected="true" /><select idref="V-72161" selected="true" /><select idref="V-72163" selected="true" /><select idref="V-72165" selected="true" /><select idref="V-72167" selected="true" /><select idref="V-72171" selected="true" /><select idref="V-72173" selected="true" /><select idref="V-72175" selected="true" /><select idref="V-72177" selected="true" /><select idref="V-72179" selected="true" /><select idref="V-72183" selected="true" /><select idref="V-72185" selected="true" /><select idref="V-72187" selected="true" /><select idref="V-72189" selected="true" /><select idref="V-72191" selected="true" /><select idref="V-72197" selected="true" /><select idref="V-72199" selected="true" /><select idref="V-72201" selected="true" /><select idref="V-72203" selected="true" /><select idref="V-72205" selected="true" /><select idref="V-72207" selected="true" /><select idref="V-72209" selected="true" /><select idref="V-72211" selected="true" /><select idref="V-72213" selected="true" /><select idref="V-72217" selected="true" /><select idref="V-72219" selected="true" /><select idref="V-72221" selected="true" /><select idref="V-72223" selected="true" /><select idref="V-72225" selected="true" /><select idref="V-72227" selected="true" /><select idref="V-72229" selected="true" /><select idref="V-72231" selected="true" /><select idref="V-72233" selected="true" /><select idref="V-72235" selected="true" /><select idref="V-72237" selected="true" /><select idref="V-72239" selected="true" /><select idref="V-72241" selected="true" /><select idref="V-72243" selected="true" /><select idref="V-72245" selected="true" /><select idref="V-72247" selected="true" /><select idref="V-72249" selected="true" /><select idref="V-72251" selected="true" /><select idref="V-72253" selected="true" /><select idref="V-72255" selected="true" /><select idref="V-72257" selected="true" /><select idref="V-72259" selected="true" /><select idref="V-72261" selected="true" /><select idref="V-72263" selected="true" /><select idref="V-72265" selected="true" /><select idref="V-72267" selected="true" /><select idref="V-72269" selected="true" /><select idref="V-72273" selected="true" /><select idref="V-72275" selected="true" /><select idref="V-72277" selected="true" /><select idref="V-72279" selected="true" /><select idref="V-72281" selected="true" /><select idref="V-72283" selected="true" /><select idref="V-72285" selected="true" /><select idref="V-72287" selected="true" /><select idref="V-72289" selected="true" /><select idref="V-72291" selected="true" /><select idref="V-72293" selected="true" /><select idref="V-72295" selected="true" /><select idref="V-72297" selected="true" /><select idref="V-72299" selected="true" /><select idref="V-72301" selected="true" /><select idref="V-72303" selected="true" /><select idref="V-72305" selected="true" /><select idref="V-72307" selected="true" /><select idref="V-72309" selected="true" /><select idref="V-72311" selected="true" /><select idref="V-72313" selected="true" /><select idref="V-72315" selected="true" /><select idref="V-72317" selected="true" /><select idref="V-72319" selected="true" /><select idref="V-72417" selected="true" /><select idref="V-72427" selected="true" /><select idref="V-72433" selected="true" /><select idref="V-73155" selected="true" /><select idref="V-73157" selected="true" /><select idref="V-73159" selected="true" /><select idref="V-73161" selected="true" /><select idref="V-73163" selected="true" /><select idref="V-73165" selected="true" /><select idref="V-73167" selected="true" /><select idref="V-73171" selected="true" /><select idref="V-73173" selected="true" /><select idref="V-73175" selected="true" /><select idref="V-73177" selected="true" /><select idref="V-77819" selected="true" /><select idref="V-77821" selected="true" /><select idref="V-77823" selected="true" /><select idref="V-77825" selected="true" /><select idref="V-78995" selected="true" /><select idref="V-78997" selected="true" /><select idref="V-78999" selected="true" /><select idref="V-79001" selected="true" /><select idref="V-81003" selected="true" /><select idref="V-81005" selected="true" /><select idref="V-81007" selected="true" /><select idref="V-81009" selected="true" /><select idref="V-81011" selected="true" /><select idref="V-81013" selected="true" /><select idref="V-81015" selected="true" /><select idref="V-81017" selected="true" /><select idref="V-81019" selected="true" /><select idref="V-81021" selected="true" /><select idref="V-92251" selected="true" /><select idref="V-92253" selected="true" /><select idref="V-92255" selected="true" /><select idref="V-94843" selected="true" /><select idref="V-100023" selected="true" /></Profile><Profile id="MAC-3_Classified"><title>III - Administrative Classified</title><description>&lt;ProfileDescription&gt;&lt;/ProfileDescription&gt;</description><select idref="V-71849" selected="true" /><select idref="V-71855" selected="true" /><select idref="V-71859" selected="true" /><select idref="V-71861" selected="true" /><select idref="V-71863" selected="true" /><select idref="V-71891" selected="true" /><select idref="V-71893" selected="true" /><select idref="V-71897" selected="true" /><select idref="V-71899" selected="true" /><select idref="V-71901" selected="true" /><select idref="V-71903" selected="true" /><select idref="V-71905" selected="true" /><select idref="V-71907" selected="true" /><select idref="V-71909" selected="true" /><select idref="V-71911" selected="true" /><select idref="V-71913" selected="true" /><select idref="V-71915" selected="true" /><select idref="V-71917" selected="true" /><select idref="V-71919" selected="true" /><select idref="V-71921" selected="true" /><select idref="V-71923" selected="true" /><select idref="V-71925" selected="true" /><select idref="V-71927" selected="true" /><select idref="V-71929" selected="true" /><select idref="V-71931" selected="true" /><select idref="V-71933" selected="true" /><select idref="V-71935" selected="true" /><select idref="V-71937" selected="true" /><select idref="V-71939" selected="true" /><select idref="V-71941" selected="true" /><select idref="V-71943" selected="true" /><select idref="V-71945" selected="true" /><select idref="V-71947" selected="true" /><select idref="V-71949" selected="true" /><select idref="V-71951" selected="true" /><select idref="V-71953" selected="true" /><select idref="V-71955" selected="true" /><select idref="V-71957" selected="true" /><select idref="V-71959" selected="true" /><select idref="V-71961" selected="true" /><select idref="V-71963" selected="true" /><select idref="V-71965" selected="true" /><select idref="V-71967" selected="true" /><select idref="V-71969" selected="true" /><select idref="V-71971" selected="true" /><select idref="V-71973" selected="true" /><select idref="V-71975" selected="true" /><select idref="V-71977" selected="true" /><select idref="V-71979" selected="true" /><select idref="V-71983" selected="true" /><select idref="V-71985" selected="true" /><select idref="V-71987" selected="true" /><select idref="V-71989" selected="true" /><select idref="V-71991" selected="true" /><select idref="V-71993" selected="true" /><select idref="V-71995" selected="true" /><select idref="V-71997" selected="true" /><select idref="V-71999" selected="true" /><select idref="V-72001" selected="true" /><select idref="V-72003" selected="true" /><select idref="V-72005" selected="true" /><select idref="V-72007" selected="true" /><select idref="V-72009" selected="true" /><select idref="V-72011" selected="true" /><select idref="V-72013" selected="true" /><select idref="V-72015" selected="true" /><select idref="V-72017" selected="true" /><select idref="V-72019" selected="true" /><select idref="V-72021" selected="true" /><select idref="V-72023" selected="true" /><select idref="V-72025" selected="true" /><select idref="V-72027" selected="true" /><select idref="V-72029" selected="true" /><select idref="V-72031" selected="true" /><select idref="V-72033" selected="true" /><select idref="V-72035" selected="true" /><select idref="V-72037" selected="true" /><select idref="V-72039" selected="true" /><select idref="V-72041" selected="true" /><select idref="V-72043" selected="true" /><select idref="V-72045" selected="true" /><select idref="V-72047" selected="true" /><select idref="V-72049" selected="true" /><select idref="V-72051" selected="true" /><select idref="V-72053" selected="true" /><select idref="V-72055" selected="true" /><select idref="V-72057" selected="true" /><select idref="V-72059" selected="true" /><select idref="V-72061" selected="true" /><select idref="V-72063" selected="true" /><select idref="V-72065" selected="true" /><select idref="V-72067" selected="true" /><select idref="V-72069" selected="true" /><select idref="V-72071" selected="true" /><select idref="V-72073" selected="true" /><select idref="V-72075" selected="true" /><select idref="V-72077" selected="true" /><select idref="V-72079" selected="true" /><select idref="V-72081" selected="true" /><select idref="V-72083" selected="true" /><select idref="V-72085" selected="true" /><select idref="V-72087" selected="true" /><select idref="V-72089" selected="true" /><select idref="V-72091" selected="true" /><select idref="V-72093" selected="true" /><select idref="V-72095" selected="true" /><select idref="V-72097" selected="true" /><select idref="V-72099" selected="true" /><select idref="V-72101" selected="true" /><select idref="V-72103" selected="true" /><select idref="V-72105" selected="true" /><select idref="V-72107" selected="true" /><select idref="V-72109" selected="true" /><select idref="V-72111" selected="true" /><select idref="V-72113" selected="true" /><select idref="V-72115" selected="true" /><select idref="V-72117" selected="true" /><select idref="V-72119" selected="true" /><select idref="V-72121" selected="true" /><select idref="V-72123" selected="true" /><select idref="V-72125" selected="true" /><select idref="V-72127" selected="true" /><select idref="V-72129" selected="true" /><select idref="V-72131" selected="true" /><select idref="V-72133" selected="true" /><select idref="V-72135" selected="true" /><select idref="V-72137" selected="true" /><select idref="V-72139" selected="true" /><select idref="V-72141" selected="true" /><select idref="V-72145" selected="true" /><select idref="V-72147" selected="true" /><select idref="V-72149" selected="true" /><select idref="V-72151" selected="true" /><select idref="V-72153" selected="true" /><select idref="V-72155" selected="true" /><select idref="V-72157" selected="true" /><select idref="V-72159" selected="true" /><select idref="V-72161" selected="true" /><select idref="V-72163" selected="true" /><select idref="V-72165" selected="true" /><select idref="V-72167" selected="true" /><select idref="V-72171" selected="true" /><select idref="V-72173" selected="true" /><select idref="V-72175" selected="true" /><select idref="V-72177" selected="true" /><select idref="V-72179" selected="true" /><select idref="V-72183" selected="true" /><select idref="V-72185" selected="true" /><select idref="V-72187" selected="true" /><select idref="V-72189" selected="true" /><select idref="V-72191" selected="true" /><select idref="V-72197" selected="true" /><select idref="V-72199" selected="true" /><select idref="V-72201" selected="true" /><select idref="V-72203" selected="true" /><select idref="V-72205" selected="true" /><select idref="V-72207" selected="true" /><select idref="V-72209" selected="true" /><select idref="V-72211" selected="true" /><select idref="V-72213" selected="true" /><select idref="V-72217" selected="true" /><select idref="V-72219" selected="true" /><select idref="V-72221" selected="true" /><select idref="V-72223" selected="true" /><select idref="V-72225" selected="true" /><select idref="V-72227" selected="true" /><select idref="V-72229" selected="true" /><select idref="V-72231" selected="true" /><select idref="V-72233" selected="true" /><select idref="V-72235" selected="true" /><select idref="V-72237" selected="true" /><select idref="V-72239" selected="true" /><select idref="V-72241" selected="true" /><select idref="V-72243" selected="true" /><select idref="V-72245" selected="true" /><select idref="V-72247" selected="true" /><select idref="V-72249" selected="true" /><select idref="V-72251" selected="true" /><select idref="V-72253" selected="true" /><select idref="V-72255" selected="true" /><select idref="V-72257" selected="true" /><select idref="V-72259" selected="true" /><select idref="V-72261" selected="true" /><select idref="V-72263" selected="true" /><select idref="V-72265" selected="true" /><select idref="V-72267" selected="true" /><select idref="V-72269" selected="true" /><select idref="V-72273" selected="true" /><select idref="V-72275" selected="true" /><select idref="V-72277" selected="true" /><select idref="V-72279" selected="true" /><select idref="V-72281" selected="true" /><select idref="V-72283" selected="true" /><select idref="V-72285" selected="true" /><select idref="V-72287" selected="true" /><select idref="V-72289" selected="true" /><select idref="V-72291" selected="true" /><select idref="V-72293" selected="true" /><select idref="V-72295" selected="true" /><select idref="V-72297" selected="true" /><select idref="V-72299" selected="true" /><select idref="V-72301" selected="true" /><select idref="V-72303" selected="true" /><select idref="V-72305" selected="true" /><select idref="V-72307" selected="true" /><select idref="V-72309" selected="true" /><select idref="V-72311" selected="true" /><select idref="V-72313" selected="true" /><select idref="V-72315" selected="true" /><select idref="V-72317" selected="true" /><select idref="V-72319" selected="true" /><select idref="V-72417" selected="true" /><select idref="V-72427" selected="true" /><select idref="V-72433" selected="true" /><select idref="V-73155" selected="true" /><select idref="V-73157" selected="true" /><select idref="V-73159" selected="true" /><select idref="V-73161" selected="true" /><select idref="V-73163" selected="true" /><select idref="V-73165" selected="true" /><select idref="V-73167" selected="true" /><select idref="V-73171" selected="true" /><select idref="V-73173" selected="true" /><select idref="V-73175" selected="true" /><select idref="V-73177" selected="true" /><select idref="V-77819" selected="true" /><select idref="V-77821" selected="true" /><select idref="V-77823" selected="true" /><select idref="V-77825" selected="true" /><select idref="V-78995" selected="true" /><select idref="V-78997" selected="true" /><select idref="V-78999" selected="true" /><select idref="V-79001" selected="true" /><select idref="V-81003" selected="true" /><select idref="V-81005" selected="true" /><select idref="V-81007" selected="true" /><select idref="V-81009" selected="true" /><select idref="V-81011" selected="true" /><select idref="V-81013" selected="true" /><select idref="V-81015" selected="true" /><select idref="V-81017" selected="true" /><select idref="V-81019" selected="true" /><select idref="V-81021" selected="true" /><select idref="V-92251" selected="true" /><select idref="V-92253" selected="true" /><select idref="V-92255" selected="true" /><select idref="V-94843" selected="true" /><select idref="V-100023" selected="true" /></Profile><Profile id="MAC-3_Public"><title>III - Administrative Public</title><description>&lt;ProfileDescription&gt;&lt;/ProfileDescription&gt;</description><select idref="V-71849" selected="true" /><select idref="V-71855" selected="true" /><select idref="V-71859" selected="true" /><select idref="V-71861" selected="true" /><select idref="V-71863" selected="true" /><select idref="V-71891" selected="true" /><select idref="V-71893" selected="true" /><select idref="V-71897" selected="true" /><select idref="V-71899" selected="true" /><select idref="V-71901" selected="true" /><select idref="V-71903" selected="true" /><select idref="V-71905" selected="true" /><select idref="V-71907" selected="true" /><select idref="V-71909" selected="true" /><select idref="V-71911" selected="true" /><select idref="V-71913" selected="true" /><select idref="V-71915" selected="true" /><select idref="V-71917" selected="true" /><select idref="V-71919" selected="true" /><select idref="V-71921" selected="true" /><select idref="V-71923" selected="true" /><select idref="V-71925" selected="true" /><select idref="V-71927" selected="true" /><select idref="V-71929" selected="true" /><select idref="V-71931" selected="true" /><select idref="V-71933" selected="true" /><select idref="V-71935" selected="true" /><select idref="V-71937" selected="true" /><select idref="V-71939" selected="true" /><select idref="V-71941" selected="true" /><select idref="V-71943" selected="true" /><select idref="V-71945" selected="true" /><select idref="V-71947" selected="true" /><select idref="V-71949" selected="true" /><select idref="V-71951" selected="true" /><select idref="V-71953" selected="true" /><select idref="V-71955" selected="true" /><select idref="V-71957" selected="true" /><select idref="V-71959" selected="true" /><select idref="V-71961" selected="true" /><select idref="V-71963" selected="true" /><select idref="V-71965" selected="true" /><select idref="V-71967" selected="true" /><select idref="V-71969" selected="true" /><select idref="V-71971" selected="true" /><select idref="V-71973" selected="true" /><select idref="V-71975" selected="true" /><select idref="V-71977" selected="true" /><select idref="V-71979" selected="true" /><select idref="V-71983" selected="true" /><select idref="V-71985" selected="true" /><select idref="V-71987" selected="true" /><select idref="V-71989" selected="true" /><select idref="V-71991" selected="true" /><select idref="V-71993" selected="true" /><select idref="V-71995" selected="true" /><select idref="V-71997" selected="true" /><select idref="V-71999" selected="true" /><select idref="V-72001" selected="true" /><select idref="V-72003" selected="true" /><select idref="V-72005" selected="true" /><select idref="V-72007" selected="true" /><select idref="V-72009" selected="true" /><select idref="V-72011" selected="true" /><select idref="V-72013" selected="true" /><select idref="V-72015" selected="true" /><select idref="V-72017" selected="true" /><select idref="V-72019" selected="true" /><select idref="V-72021" selected="true" /><select idref="V-72023" selected="true" /><select idref="V-72025" selected="true" /><select idref="V-72027" selected="true" /><select idref="V-72029" selected="true" /><select idref="V-72031" selected="true" /><select idref="V-72033" selected="true" /><select idref="V-72035" selected="true" /><select idref="V-72037" selected="true" /><select idref="V-72039" selected="true" /><select idref="V-72041" selected="true" /><select idref="V-72043" selected="true" /><select idref="V-72045" selected="true" /><select idref="V-72047" selected="true" /><select idref="V-72049" selected="true" /><select idref="V-72051" selected="true" /><select idref="V-72053" selected="true" /><select idref="V-72055" selected="true" /><select idref="V-72057" selected="true" /><select idref="V-72059" selected="true" /><select idref="V-72061" selected="true" /><select idref="V-72063" selected="true" /><select idref="V-72065" selected="true" /><select idref="V-72067" selected="true" /><select idref="V-72069" selected="true" /><select idref="V-72071" selected="true" /><select idref="V-72073" selected="true" /><select idref="V-72075" selected="true" /><select idref="V-72077" selected="true" /><select idref="V-72079" selected="true" /><select idref="V-72081" selected="true" /><select idref="V-72083" selected="true" /><select idref="V-72085" selected="true" /><select idref="V-72087" selected="true" /><select idref="V-72089" selected="true" /><select idref="V-72091" selected="true" /><select idref="V-72093" selected="true" /><select idref="V-72095" selected="true" /><select idref="V-72097" selected="true" /><select idref="V-72099" selected="true" /><select idref="V-72101" selected="true" /><select idref="V-72103" selected="true" /><select idref="V-72105" selected="true" /><select idref="V-72107" selected="true" /><select idref="V-72109" selected="true" /><select idref="V-72111" selected="true" /><select idref="V-72113" selected="true" /><select idref="V-72115" selected="true" /><select idref="V-72117" selected="true" /><select idref="V-72119" selected="true" /><select idref="V-72121" selected="true" /><select idref="V-72123" selected="true" /><select idref="V-72125" selected="true" /><select idref="V-72127" selected="true" /><select idref="V-72129" selected="true" /><select idref="V-72131" selected="true" /><select idref="V-72133" selected="true" /><select idref="V-72135" selected="true" /><select idref="V-72137" selected="true" /><select idref="V-72139" selected="true" /><select idref="V-72141" selected="true" /><select idref="V-72145" selected="true" /><select idref="V-72147" selected="true" /><select idref="V-72149" selected="true" /><select idref="V-72151" selected="true" /><select idref="V-72153" selected="true" /><select idref="V-72155" selected="true" /><select idref="V-72157" selected="true" /><select idref="V-72159" selected="true" /><select idref="V-72161" selected="true" /><select idref="V-72163" selected="true" /><select idref="V-72165" selected="true" /><select idref="V-72167" selected="true" /><select idref="V-72171" selected="true" /><select idref="V-72173" selected="true" /><select idref="V-72175" selected="true" /><select idref="V-72177" selected="true" /><select idref="V-72179" selected="true" /><select idref="V-72183" selected="true" /><select idref="V-72185" selected="true" /><select idref="V-72187" selected="true" /><select idref="V-72189" selected="true" /><select idref="V-72191" selected="true" /><select idref="V-72197" selected="true" /><select idref="V-72199" selected="true" /><select idref="V-72201" selected="true" /><select idref="V-72203" selected="true" /><select idref="V-72205" selected="true" /><select idref="V-72207" selected="true" /><select idref="V-72209" selected="true" /><select idref="V-72211" selected="true" /><select idref="V-72213" selected="true" /><select idref="V-72217" selected="true" /><select idref="V-72219" selected="true" /><select idref="V-72221" selected="true" /><select idref="V-72223" selected="true" /><select idref="V-72225" selected="true" /><select idref="V-72227" selected="true" /><select idref="V-72229" selected="true" /><select idref="V-72231" selected="true" /><select idref="V-72233" selected="true" /><select idref="V-72235" selected="true" /><select idref="V-72237" selected="true" /><select idref="V-72239" selected="true" /><select idref="V-72241" selected="true" /><select idref="V-72243" selected="true" /><select idref="V-72245" selected="true" /><select idref="V-72247" selected="true" /><select idref="V-72249" selected="true" /><select idref="V-72251" selected="true" /><select idref="V-72253" selected="true" /><select idref="V-72255" selected="true" /><select idref="V-72257" selected="true" /><select idref="V-72259" selected="true" /><select idref="V-72261" selected="true" /><select idref="V-72263" selected="true" /><select idref="V-72265" selected="true" /><select idref="V-72267" selected="true" /><select idref="V-72269" selected="true" /><select idref="V-72273" selected="true" /><select idref="V-72275" selected="true" /><select idref="V-72277" selected="true" /><select idref="V-72279" selected="true" /><select idref="V-72281" selected="true" /><select idref="V-72283" selected="true" /><select idref="V-72285" selected="true" /><select idref="V-72287" selected="true" /><select idref="V-72289" selected="true" /><select idref="V-72291" selected="true" /><select idref="V-72293" selected="true" /><select idref="V-72295" selected="true" /><select idref="V-72297" selected="true" /><select idref="V-72299" selected="true" /><select idref="V-72301" selected="true" /><select idref="V-72303" selected="true" /><select idref="V-72305" selected="true" /><select idref="V-72307" selected="true" /><select idref="V-72309" selected="true" /><select idref="V-72311" selected="true" /><select idref="V-72313" selected="true" /><select idref="V-72315" selected="true" /><select idref="V-72317" selected="true" /><select idref="V-72319" selected="true" /><select idref="V-72417" selected="true" /><select idref="V-72427" selected="true" /><select idref="V-72433" selected="true" /><select idref="V-73155" selected="true" /><select idref="V-73157" selected="true" /><select idref="V-73159" selected="true" /><select idref="V-73161" selected="true" /><select idref="V-73163" selected="true" /><select idref="V-73165" selected="true" /><select idref="V-73167" selected="true" /><select idref="V-73171" selected="true" /><select idref="V-73173" selected="true" /><select idref="V-73175" selected="true" /><select idref="V-73177" selected="true" /><select idref="V-77819" selected="true" /><select idref="V-77821" selected="true" /><select idref="V-77823" selected="true" /><select idref="V-77825" selected="true" /><select idref="V-78995" selected="true" /><select idref="V-78997" selected="true" /><select idref="V-78999" selected="true" /><select idref="V-79001" selected="true" /><select idref="V-81003" selected="true" /><select idref="V-81005" selected="true" /><select idref="V-81007" selected="true" /><select idref="V-81009" selected="true" /><select idref="V-81011" selected="true" /><select idref="V-81013" selected="true" /><select idref="V-81015" selected="true" /><select idref="V-81017" selected="true" /><select idref="V-81019" selected="true" /><select idref="V-81021" selected="true" /><select idref="V-92251" selected="true" /><select idref="V-92253" selected="true" /><select idref="V-92255" selected="true" /><select idref="V-94843" selected="true" /><select idref="V-100023" selected="true" /></Profile><Profile id="MAC-3_Sensitive"><title>III - Administrative Sensitive</title><description>&lt;ProfileDescription&gt;&lt;/ProfileDescription&gt;</description><select idref="V-71849" selected="true" /><select idref="V-71855" selected="true" /><select idref="V-71859" selected="true" /><select idref="V-71861" selected="true" /><select idref="V-71863" selected="true" /><select idref="V-71891" selected="true" /><select idref="V-71893" selected="true" /><select idref="V-71897" selected="true" /><select idref="V-71899" selected="true" /><select idref="V-71901" selected="true" /><select idref="V-71903" selected="true" /><select idref="V-71905" selected="true" /><select idref="V-71907" selected="true" /><select idref="V-71909" selected="true" /><select idref="V-71911" selected="true" /><select idref="V-71913" selected="true" /><select idref="V-71915" selected="true" /><select idref="V-71917" selected="true" /><select idref="V-71919" selected="true" /><select idref="V-71921" selected="true" /><select idref="V-71923" selected="true" /><select idref="V-71925" selected="true" /><select idref="V-71927" selected="true" /><select idref="V-71929" selected="true" /><select idref="V-71931" selected="true" /><select idref="V-71933" selected="true" /><select idref="V-71935" selected="true" /><select idref="V-71937" selected="true" /><select idref="V-71939" selected="true" /><select idref="V-71941" selected="true" /><select idref="V-71943" selected="true" /><select idref="V-71945" selected="true" /><select idref="V-71947" selected="true" /><select idref="V-71949" selected="true" /><select idref="V-71951" selected="true" /><select idref="V-71953" selected="true" /><select idref="V-71955" selected="true" /><select idref="V-71957" selected="true" /><select idref="V-71959" selected="true" /><select idref="V-71961" selected="true" /><select idref="V-71963" selected="true" /><select idref="V-71965" selected="true" /><select idref="V-71967" selected="true" /><select idref="V-71969" selected="true" /><select idref="V-71971" selected="true" /><select idref="V-71973" selected="true" /><select idref="V-71975" selected="true" /><select idref="V-71977" selected="true" /><select idref="V-71979" selected="true" /><select idref="V-71983" selected="true" /><select idref="V-71985" selected="true" /><select idref="V-71987" selected="true" /><select idref="V-71989" selected="true" /><select idref="V-71991" selected="true" /><select idref="V-71993" selected="true" /><select idref="V-71995" selected="true" /><select idref="V-71997" selected="true" /><select idref="V-71999" selected="true" /><select idref="V-72001" selected="true" /><select idref="V-72003" selected="true" /><select idref="V-72005" selected="true" /><select idref="V-72007" selected="true" /><select idref="V-72009" selected="true" /><select idref="V-72011" selected="true" /><select idref="V-72013" selected="true" /><select idref="V-72015" selected="true" /><select idref="V-72017" selected="true" /><select idref="V-72019" selected="true" /><select idref="V-72021" selected="true" /><select idref="V-72023" selected="true" /><select idref="V-72025" selected="true" /><select idref="V-72027" selected="true" /><select idref="V-72029" selected="true" /><select idref="V-72031" selected="true" /><select idref="V-72033" selected="true" /><select idref="V-72035" selected="true" /><select idref="V-72037" selected="true" /><select idref="V-72039" selected="true" /><select idref="V-72041" selected="true" /><select idref="V-72043" selected="true" /><select idref="V-72045" selected="true" /><select idref="V-72047" selected="true" /><select idref="V-72049" selected="true" /><select idref="V-72051" selected="true" /><select idref="V-72053" selected="true" /><select idref="V-72055" selected="true" /><select idref="V-72057" selected="true" /><select idref="V-72059" selected="true" /><select idref="V-72061" selected="true" /><select idref="V-72063" selected="true" /><select idref="V-72065" selected="true" /><select idref="V-72067" selected="true" /><select idref="V-72069" selected="true" /><select idref="V-72071" selected="true" /><select idref="V-72073" selected="true" /><select idref="V-72075" selected="true" /><select idref="V-72077" selected="true" /><select idref="V-72079" selected="true" /><select idref="V-72081" selected="true" /><select idref="V-72083" selected="true" /><select idref="V-72085" selected="true" /><select idref="V-72087" selected="true" /><select idref="V-72089" selected="true" /><select idref="V-72091" selected="true" /><select idref="V-72093" selected="true" /><select idref="V-72095" selected="true" /><select idref="V-72097" selected="true" /><select idref="V-72099" selected="true" /><select idref="V-72101" selected="true" /><select idref="V-72103" selected="true" /><select idref="V-72105" selected="true" /><select idref="V-72107" selected="true" /><select idref="V-72109" selected="true" /><select idref="V-72111" selected="true" /><select idref="V-72113" selected="true" /><select idref="V-72115" selected="true" /><select idref="V-72117" selected="true" /><select idref="V-72119" selected="true" /><select idref="V-72121" selected="true" /><select idref="V-72123" selected="true" /><select idref="V-72125" selected="true" /><select idref="V-72127" selected="true" /><select idref="V-72129" selected="true" /><select idref="V-72131" selected="true" /><select idref="V-72133" selected="true" /><select idref="V-72135" selected="true" /><select idref="V-72137" selected="true" /><select idref="V-72139" selected="true" /><select idref="V-72141" selected="true" /><select idref="V-72145" selected="true" /><select idref="V-72147" selected="true" /><select idref="V-72149" selected="true" /><select idref="V-72151" selected="true" /><select idref="V-72153" selected="true" /><select idref="V-72155" selected="true" /><select idref="V-72157" selected="true" /><select idref="V-72159" selected="true" /><select idref="V-72161" selected="true" /><select idref="V-72163" selected="true" /><select idref="V-72165" selected="true" /><select idref="V-72167" selected="true" /><select idref="V-72171" selected="true" /><select idref="V-72173" selected="true" /><select idref="V-72175" selected="true" /><select idref="V-72177" selected="true" /><select idref="V-72179" selected="true" /><select idref="V-72183" selected="true" /><select idref="V-72185" selected="true" /><select idref="V-72187" selected="true" /><select idref="V-72189" selected="true" /><select idref="V-72191" selected="true" /><select idref="V-72197" selected="true" /><select idref="V-72199" selected="true" /><select idref="V-72201" selected="true" /><select idref="V-72203" selected="true" /><select idref="V-72205" selected="true" /><select idref="V-72207" selected="true" /><select idref="V-72209" selected="true" /><select idref="V-72211" selected="true" /><select idref="V-72213" selected="true" /><select idref="V-72217" selected="true" /><select idref="V-72219" selected="true" /><select idref="V-72221" selected="true" /><select idref="V-72223" selected="true" /><select idref="V-72225" selected="true" /><select idref="V-72227" selected="true" /><select idref="V-72229" selected="true" /><select idref="V-72231" selected="true" /><select idref="V-72233" selected="true" /><select idref="V-72235" selected="true" /><select idref="V-72237" selected="true" /><select idref="V-72239" selected="true" /><select idref="V-72241" selected="true" /><select idref="V-72243" selected="true" /><select idref="V-72245" selected="true" /><select idref="V-72247" selected="true" /><select idref="V-72249" selected="true" /><select idref="V-72251" selected="true" /><select idref="V-72253" selected="true" /><select idref="V-72255" selected="true" /><select idref="V-72257" selected="true" /><select idref="V-72259" selected="true" /><select idref="V-72261" selected="true" /><select idref="V-72263" selected="true" /><select idref="V-72265" selected="true" /><select idref="V-72267" selected="true" /><select idref="V-72269" selected="true" /><select idref="V-72273" selected="true" /><select idref="V-72275" selected="true" /><select idref="V-72277" selected="true" /><select idref="V-72279" selected="true" /><select idref="V-72281" selected="true" /><select idref="V-72283" selected="true" /><select idref="V-72285" selected="true" /><select idref="V-72287" selected="true" /><select idref="V-72289" selected="true" /><select idref="V-72291" selected="true" /><select idref="V-72293" selected="true" /><select idref="V-72295" selected="true" /><select idref="V-72297" selected="true" /><select idref="V-72299" selected="true" /><select idref="V-72301" selected="true" /><select idref="V-72303" selected="true" /><select idref="V-72305" selected="true" /><select idref="V-72307" selected="true" /><select idref="V-72309" selected="true" /><select idref="V-72311" selected="true" /><select idref="V-72313" selected="true" /><select idref="V-72315" selected="true" /><select idref="V-72317" selected="true" /><select idref="V-72319" selected="true" /><select idref="V-72417" selected="true" /><select idref="V-72427" selected="true" /><select idref="V-72433" selected="true" /><select idref="V-73155" selected="true" /><select idref="V-73157" selected="true" /><select idref="V-73159" selected="true" /><select idref="V-73161" selected="true" /><select idref="V-73163" selected="true" /><select idref="V-73165" selected="true" /><select idref="V-73167" selected="true" /><select idref="V-73171" selected="true" /><select idref="V-73173" selected="true" /><select idref="V-73175" selected="true" /><select idref="V-73177" selected="true" /><select idref="V-77819" selected="true" /><select idref="V-77821" selected="true" /><select idref="V-77823" selected="true" /><select idref="V-77825" selected="true" /><select idref="V-78995" selected="true" /><select idref="V-78997" selected="true" /><select idref="V-78999" selected="true" /><select idref="V-79001" selected="true" /><select idref="V-81003" selected="true" /><select idref="V-81005" selected="true" /><select idref="V-81007" selected="true" /><select idref="V-81009" selected="true" /><select idref="V-81011" selected="true" /><select idref="V-81013" selected="true" /><select idref="V-81015" selected="true" /><select idref="V-81017" selected="true" /><select idref="V-81019" selected="true" /><select idref="V-81021" selected="true" /><select idref="V-92251" selected="true" /><select idref="V-92253" selected="true" /><select idref="V-92255" selected="true" /><select idref="V-94843" selected="true" /><select idref="V-100023" selected="true" /></Profile><Group id="V-71849"><title>SRG-OS-000257-GPOS-00098</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86473r4_rule" severity="high" weight="10.0"><version>RHEL-07-010010</version><title>The Red Hat Enterprise Linux operating system must be configured so that the file permissions, ownership, and group membership of system files and commands match the vendor values.</title><description>&lt;VulnDiscussion&gt;Discretionary access control is weakened if a user or group has access permissions to system files and directories greater than the default.
-+<?xml version="1.0" encoding="utf-8"?><?xml-stylesheet type='text/xsl' href='STIG_unclass.xsl'?><Benchmark xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:cpe="http://cpe.mitre.org/language/2.0" xmlns:xhtml="http://www.w3.org/1999/xhtml" xmlns:dc="http://purl.org/dc/elements/1.1/" id="RHEL_7_STIG" xml:lang="en" xsi:schemaLocation="http://checklists.nist.gov/xccdf/1.1 http://nvd.nist.gov/schema/xccdf-1.1.4.xsd http://cpe.mitre.org/dictionary/2.0 http://cpe.mitre.org/files/cpe-dictionary_2.1.xsd" xmlns="http://checklists.nist.gov/xccdf/1.1"><status date="2020-05-15">accepted</status><title>Red Hat Enterprise Linux 7 Security Technical Implementation Guide</title><description>This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.</description><notice id="terms-of-use" xml:lang="en"></notice><reference href="https://cyber.mil"><dc:publisher>DISA</dc:publisher><dc:source>STIG.DOD.MIL</dc:source></reference><plain-text id="release-info">Release: 8 Benchmark Date: 24 Jul 2020</plain-text><version>2</version><Profile id="MAC-1_Classified"><title>I - Mission Critical Classified</title><description>&lt;ProfileDescription&gt;&lt;/ProfileDescription&gt;</description><select idref="V-71849" selected="true" /><select idref="V-71855" selected="true" /><select idref="V-71859" selected="true" /><select idref="V-71861" selected="true" /><select idref="V-71863" selected="true" /><select idref="V-71891" selected="true" /><select idref="V-71893" selected="true" /><select idref="V-71899" selected="true" /><select idref="V-71901" selected="true" /><select idref="V-71903" selected="true" /><select idref="V-71905" selected="true" /><select idref="V-71907" selected="true" /><select idref="V-71909" selected="true" /><select idref="V-71911" selected="true" /><select idref="V-71913" selected="true" /><select idref="V-71915" selected="true" /><select idref="V-71917" selected="true" /><select idref="V-71919" selected="true" /><select idref="V-71921" selected="true" /><select idref="V-71923" selected="true" /><select idref="V-71925" selected="true" /><select idref="V-71927" selected="true" /><select idref="V-71929" selected="true" /><select idref="V-71931" selected="true" /><select idref="V-71933" selected="true" /><select idref="V-71935" selected="true" /><select idref="V-71937" selected="true" /><select idref="V-71939" selected="true" /><select idref="V-71941" selected="true" /><select idref="V-71943" selected="true" /><select idref="V-71945" selected="true" /><select idref="V-71947" selected="true" /><select idref="V-71949" selected="true" /><select idref="V-71951" selected="true" /><select idref="V-71953" selected="true" /><select idref="V-71955" selected="true" /><select idref="V-71957" selected="true" /><select idref="V-71959" selected="true" /><select idref="V-71961" selected="true" /><select idref="V-71963" selected="true" /><select idref="V-71965" selected="true" /><select idref="V-71967" selected="true" /><select idref="V-71969" selected="true" /><select idref="V-71971" selected="true" /><select idref="V-71973" selected="true" /><select idref="V-71975" selected="true" /><select idref="V-71977" selected="true" /><select idref="V-71979" selected="true" /><select idref="V-71983" selected="true" /><select idref="V-71985" selected="true" /><select idref="V-71987" selected="true" /><select idref="V-71989" selected="true" /><select idref="V-71991" selected="true" /><select idref="V-71993" selected="true" /><select idref="V-71995" selected="true" /><select idref="V-71997" selected="true" /><select idref="V-71999" selected="true" /><select idref="V-72001" selected="true" /><select idref="V-72003" selected="true" /><select idref="V-72005" selected="true" /><select idref="V-72007" selected="true" /><select idref="V-72009" selected="true" /><select idref="V-72013" selected="true" /><select idref="V-72015" selected="true" /><select idref="V-72017" selected="true" /><select idref="V-72019" selected="true" /><select idref="V-72021" selected="true" /><select idref="V-72023" selected="true" /><select idref="V-72025" selected="true" /><select idref="V-72027" selected="true" /><select idref="V-72029" selected="true" /><select idref="V-72031" selected="true" /><select idref="V-72033" selected="true" /><select idref="V-72035" selected="true" /><select idref="V-72037" selected="true" /><select idref="V-72039" selected="true" /><select idref="V-72041" selected="true" /><select idref="V-72043" selected="true" /><select idref="V-72045" selected="true" /><select idref="V-72047" selected="true" /><select idref="V-72049" selected="true" /><select idref="V-72051" selected="true" /><select idref="V-72053" selected="true" /><select idref="V-72055" selected="true" /><select idref="V-72057" selected="true" /><select idref="V-72059" selected="true" /><select idref="V-72061" selected="true" /><select idref="V-72063" selected="true" /><select idref="V-72065" selected="true" /><select idref="V-72067" selected="true" /><select idref="V-72069" selected="true" /><select idref="V-72071" selected="true" /><select idref="V-72073" selected="true" /><select idref="V-72075" selected="true" /><select idref="V-72077" selected="true" /><select idref="V-72079" selected="true" /><select idref="V-72081" selected="true" /><select idref="V-72083" selected="true" /><select idref="V-72085" selected="true" /><select idref="V-72087" selected="true" /><select idref="V-72089" selected="true" /><select idref="V-72091" selected="true" /><select idref="V-72093" selected="true" /><select idref="V-72095" selected="true" /><select idref="V-72097" selected="true" /><select idref="V-72099" selected="true" /><select idref="V-72101" selected="true" /><select idref="V-72103" selected="true" /><select idref="V-72105" selected="true" /><select idref="V-72107" selected="true" /><select idref="V-72109" selected="true" /><select idref="V-72111" selected="true" /><select idref="V-72113" selected="true" /><select idref="V-72115" selected="true" /><select idref="V-72117" selected="true" /><select idref="V-72119" selected="true" /><select idref="V-72121" selected="true" /><select idref="V-72123" selected="true" /><select idref="V-72125" selected="true" /><select idref="V-72127" selected="true" /><select idref="V-72129" selected="true" /><select idref="V-72131" selected="true" /><select idref="V-72133" selected="true" /><select idref="V-72135" selected="true" /><select idref="V-72137" selected="true" /><select idref="V-72139" selected="true" /><select idref="V-72141" selected="true" /><select idref="V-72145" selected="true" /><select idref="V-72147" selected="true" /><select idref="V-72149" selected="true" /><select idref="V-72151" selected="true" /><select idref="V-72153" selected="true" /><select idref="V-72155" selected="true" /><select idref="V-72157" selected="true" /><select idref="V-72159" selected="true" /><select idref="V-72161" selected="true" /><select idref="V-72163" selected="true" /><select idref="V-72165" selected="true" /><select idref="V-72167" selected="true" /><select idref="V-72171" selected="true" /><select idref="V-72173" selected="true" /><select idref="V-72175" selected="true" /><select idref="V-72177" selected="true" /><select idref="V-72179" selected="true" /><select idref="V-72183" selected="true" /><select idref="V-72185" selected="true" /><select idref="V-72187" selected="true" /><select idref="V-72189" selected="true" /><select idref="V-72191" selected="true" /><select idref="V-72197" selected="true" /><select idref="V-72199" selected="true" /><select idref="V-72201" selected="true" /><select idref="V-72203" selected="true" /><select idref="V-72205" selected="true" /><select idref="V-72207" selected="true" /><select idref="V-72209" selected="true" /><select idref="V-72211" selected="true" /><select idref="V-72213" selected="true" /><select idref="V-72217" selected="true" /><select idref="V-72219" selected="true" /><select idref="V-72221" selected="true" /><select idref="V-72223" selected="true" /><select idref="V-72225" selected="true" /><select idref="V-72227" selected="true" /><select idref="V-72229" selected="true" /><select idref="V-72231" selected="true" /><select idref="V-72233" selected="true" /><select idref="V-72235" selected="true" /><select idref="V-72237" selected="true" /><select idref="V-72239" selected="true" /><select idref="V-72241" selected="true" /><select idref="V-72243" selected="true" /><select idref="V-72245" selected="true" /><select idref="V-72247" selected="true" /><select idref="V-72249" selected="true" /><select idref="V-72251" selected="true" /><select idref="V-72253" selected="true" /><select idref="V-72255" selected="true" /><select idref="V-72257" selected="true" /><select idref="V-72259" selected="true" /><select idref="V-72261" selected="true" /><select idref="V-72263" selected="true" /><select idref="V-72265" selected="true" /><select idref="V-72267" selected="true" /><select idref="V-72269" selected="true" /><select idref="V-72273" selected="true" /><select idref="V-72275" selected="true" /><select idref="V-72277" selected="true" /><select idref="V-72279" selected="true" /><select idref="V-72281" selected="true" /><select idref="V-72283" selected="true" /><select idref="V-72285" selected="true" /><select idref="V-72287" selected="true" /><select idref="V-72289" selected="true" /><select idref="V-72291" selected="true" /><select idref="V-72293" selected="true" /><select idref="V-72295" selected="true" /><select idref="V-72297" selected="true" /><select idref="V-72299" selected="true" /><select idref="V-72301" selected="true" /><select idref="V-72303" selected="true" /><select idref="V-72305" selected="true" /><select idref="V-72307" selected="true" /><select idref="V-72309" selected="true" /><select idref="V-72311" selected="true" /><select idref="V-72313" selected="true" /><select idref="V-72315" selected="true" /><select idref="V-72317" selected="true" /><select idref="V-72319" selected="true" /><select idref="V-72417" selected="true" /><select idref="V-72427" selected="true" /><select idref="V-72433" selected="true" /><select idref="V-73155" selected="true" /><select idref="V-73157" selected="true" /><select idref="V-73159" selected="true" /><select idref="V-73161" selected="true" /><select idref="V-73163" selected="true" /><select idref="V-73165" selected="true" /><select idref="V-73167" selected="true" /><select idref="V-73171" selected="true" /><select idref="V-73173" selected="true" /><select idref="V-73175" selected="true" /><select idref="V-73177" selected="true" /><select idref="V-77819" selected="true" /><select idref="V-77821" selected="true" /><select idref="V-77823" selected="true" /><select idref="V-77825" selected="true" /><select idref="V-78995" selected="true" /><select idref="V-78997" selected="true" /><select idref="V-78999" selected="true" /><select idref="V-79001" selected="true" /><select idref="V-81003" selected="true" /><select idref="V-81005" selected="true" /><select idref="V-81007" selected="true" /><select idref="V-81013" selected="true" /><select idref="V-81017" selected="true" /><select idref="V-81019" selected="true" /><select idref="V-81021" selected="true" /><select idref="V-92251" selected="true" /><select idref="V-92253" selected="true" /><select idref="V-92255" selected="true" /><select idref="V-94843" selected="true" /><select idref="V-100023" selected="true" /></Profile><Profile id="MAC-1_Public"><title>I - Mission Critical Public</title><description>&lt;ProfileDescription&gt;&lt;/ProfileDescription&gt;</description><select idref="V-71849" selected="true" /><select idref="V-71855" selected="true" /><select idref="V-71859" selected="true" /><select idref="V-71861" selected="true" /><select idref="V-71863" selected="true" /><select idref="V-71891" selected="true" /><select idref="V-71893" selected="true" /><select idref="V-71899" selected="true" /><select idref="V-71901" selected="true" /><select idref="V-71903" selected="true" /><select idref="V-71905" selected="true" /><select idref="V-71907" selected="true" /><select idref="V-71909" selected="true" /><select idref="V-71911" selected="true" /><select idref="V-71913" selected="true" /><select idref="V-71915" selected="true" /><select idref="V-71917" selected="true" /><select idref="V-71919" selected="true" /><select idref="V-71921" selected="true" /><select idref="V-71923" selected="true" /><select idref="V-71925" selected="true" /><select idref="V-71927" selected="true" /><select idref="V-71929" selected="true" /><select idref="V-71931" selected="true" /><select idref="V-71933" selected="true" /><select idref="V-71935" selected="true" /><select idref="V-71937" selected="true" /><select idref="V-71939" selected="true" /><select idref="V-71941" selected="true" /><select idref="V-71943" selected="true" /><select idref="V-71945" selected="true" /><select idref="V-71947" selected="true" /><select idref="V-71949" selected="true" /><select idref="V-71951" selected="true" /><select idref="V-71953" selected="true" /><select idref="V-71955" selected="true" /><select idref="V-71957" selected="true" /><select idref="V-71959" selected="true" /><select idref="V-71961" selected="true" /><select idref="V-71963" selected="true" /><select idref="V-71965" selected="true" /><select idref="V-71967" selected="true" /><select idref="V-71969" selected="true" /><select idref="V-71971" selected="true" /><select idref="V-71973" selected="true" /><select idref="V-71975" selected="true" /><select idref="V-71977" selected="true" /><select idref="V-71979" selected="true" /><select idref="V-71983" selected="true" /><select idref="V-71985" selected="true" /><select idref="V-71987" selected="true" /><select idref="V-71989" selected="true" /><select idref="V-71991" selected="true" /><select idref="V-71993" selected="true" /><select idref="V-71995" selected="true" /><select idref="V-71997" selected="true" /><select idref="V-71999" selected="true" /><select idref="V-72001" selected="true" /><select idref="V-72003" selected="true" /><select idref="V-72005" selected="true" /><select idref="V-72007" selected="true" /><select idref="V-72009" selected="true" /><select idref="V-72013" selected="true" /><select idref="V-72015" selected="true" /><select idref="V-72017" selected="true" /><select idref="V-72019" selected="true" /><select idref="V-72021" selected="true" /><select idref="V-72023" selected="true" /><select idref="V-72025" selected="true" /><select idref="V-72027" selected="true" /><select idref="V-72029" selected="true" /><select idref="V-72031" selected="true" /><select idref="V-72033" selected="true" /><select idref="V-72035" selected="true" /><select idref="V-72037" selected="true" /><select idref="V-72039" selected="true" /><select idref="V-72041" selected="true" /><select idref="V-72043" selected="true" /><select idref="V-72045" selected="true" /><select idref="V-72047" selected="true" /><select idref="V-72049" selected="true" /><select idref="V-72051" selected="true" /><select idref="V-72053" selected="true" /><select idref="V-72055" selected="true" /><select idref="V-72057" selected="true" /><select idref="V-72059" selected="true" /><select idref="V-72061" selected="true" /><select idref="V-72063" selected="true" /><select idref="V-72065" selected="true" /><select idref="V-72067" selected="true" /><select idref="V-72069" selected="true" /><select idref="V-72071" selected="true" /><select idref="V-72073" selected="true" /><select idref="V-72075" selected="true" /><select idref="V-72077" selected="true" /><select idref="V-72079" selected="true" /><select idref="V-72081" selected="true" /><select idref="V-72083" selected="true" /><select idref="V-72085" selected="true" /><select idref="V-72087" selected="true" /><select idref="V-72089" selected="true" /><select idref="V-72091" selected="true" /><select idref="V-72093" selected="true" /><select idref="V-72095" selected="true" /><select idref="V-72097" selected="true" /><select idref="V-72099" selected="true" /><select idref="V-72101" selected="true" /><select idref="V-72103" selected="true" /><select idref="V-72105" selected="true" /><select idref="V-72107" selected="true" /><select idref="V-72109" selected="true" /><select idref="V-72111" selected="true" /><select idref="V-72113" selected="true" /><select idref="V-72115" selected="true" /><select idref="V-72117" selected="true" /><select idref="V-72119" selected="true" /><select idref="V-72121" selected="true" /><select idref="V-72123" selected="true" /><select idref="V-72125" selected="true" /><select idref="V-72127" selected="true" /><select idref="V-72129" selected="true" /><select idref="V-72131" selected="true" /><select idref="V-72133" selected="true" /><select idref="V-72135" selected="true" /><select idref="V-72137" selected="true" /><select idref="V-72139" selected="true" /><select idref="V-72141" selected="true" /><select idref="V-72145" selected="true" /><select idref="V-72147" selected="true" /><select idref="V-72149" selected="true" /><select idref="V-72151" selected="true" /><select idref="V-72153" selected="true" /><select idref="V-72155" selected="true" /><select idref="V-72157" selected="true" /><select idref="V-72159" selected="true" /><select idref="V-72161" selected="true" /><select idref="V-72163" selected="true" /><select idref="V-72165" selected="true" /><select idref="V-72167" selected="true" /><select idref="V-72171" selected="true" /><select idref="V-72173" selected="true" /><select idref="V-72175" selected="true" /><select idref="V-72177" selected="true" /><select idref="V-72179" selected="true" /><select idref="V-72183" selected="true" /><select idref="V-72185" selected="true" /><select idref="V-72187" selected="true" /><select idref="V-72189" selected="true" /><select idref="V-72191" selected="true" /><select idref="V-72197" selected="true" /><select idref="V-72199" selected="true" /><select idref="V-72201" selected="true" /><select idref="V-72203" selected="true" /><select idref="V-72205" selected="true" /><select idref="V-72207" selected="true" /><select idref="V-72209" selected="true" /><select idref="V-72211" selected="true" /><select idref="V-72213" selected="true" /><select idref="V-72217" selected="true" /><select idref="V-72219" selected="true" /><select idref="V-72221" selected="true" /><select idref="V-72223" selected="true" /><select idref="V-72225" selected="true" /><select idref="V-72227" selected="true" /><select idref="V-72229" selected="true" /><select idref="V-72231" selected="true" /><select idref="V-72233" selected="true" /><select idref="V-72235" selected="true" /><select idref="V-72237" selected="true" /><select idref="V-72239" selected="true" /><select idref="V-72241" selected="true" /><select idref="V-72243" selected="true" /><select idref="V-72245" selected="true" /><select idref="V-72247" selected="true" /><select idref="V-72249" selected="true" /><select idref="V-72251" selected="true" /><select idref="V-72253" selected="true" /><select idref="V-72255" selected="true" /><select idref="V-72257" selected="true" /><select idref="V-72259" selected="true" /><select idref="V-72261" selected="true" /><select idref="V-72263" selected="true" /><select idref="V-72265" selected="true" /><select idref="V-72267" selected="true" /><select idref="V-72269" selected="true" /><select idref="V-72273" selected="true" /><select idref="V-72275" selected="true" /><select idref="V-72277" selected="true" /><select idref="V-72279" selected="true" /><select idref="V-72281" selected="true" /><select idref="V-72283" selected="true" /><select idref="V-72285" selected="true" /><select idref="V-72287" selected="true" /><select idref="V-72289" selected="true" /><select idref="V-72291" selected="true" /><select idref="V-72293" selected="true" /><select idref="V-72295" selected="true" /><select idref="V-72297" selected="true" /><select idref="V-72299" selected="true" /><select idref="V-72301" selected="true" /><select idref="V-72303" selected="true" /><select idref="V-72305" selected="true" /><select idref="V-72307" selected="true" /><select idref="V-72309" selected="true" /><select idref="V-72311" selected="true" /><select idref="V-72313" selected="true" /><select idref="V-72315" selected="true" /><select idref="V-72317" selected="true" /><select idref="V-72319" selected="true" /><select idref="V-72417" selected="true" /><select idref="V-72427" selected="true" /><select idref="V-72433" selected="true" /><select idref="V-73155" selected="true" /><select idref="V-73157" selected="true" /><select idref="V-73159" selected="true" /><select idref="V-73161" selected="true" /><select idref="V-73163" selected="true" /><select idref="V-73165" selected="true" /><select idref="V-73167" selected="true" /><select idref="V-73171" selected="true" /><select idref="V-73173" selected="true" /><select idref="V-73175" selected="true" /><select idref="V-73177" selected="true" /><select idref="V-77819" selected="true" /><select idref="V-77821" selected="true" /><select idref="V-77823" selected="true" /><select idref="V-77825" selected="true" /><select idref="V-78995" selected="true" /><select idref="V-78997" selected="true" /><select idref="V-78999" selected="true" /><select idref="V-79001" selected="true" /><select idref="V-81003" selected="true" /><select idref="V-81005" selected="true" /><select idref="V-81007" selected="true" /><select idref="V-81013" selected="true" /><select idref="V-81017" selected="true" /><select idref="V-81019" selected="true" /><select idref="V-81021" selected="true" /><select idref="V-92251" selected="true" /><select idref="V-92253" selected="true" /><select idref="V-92255" selected="true" /><select idref="V-94843" selected="true" /><select idref="V-100023" selected="true" /></Profile><Profile id="MAC-1_Sensitive"><title>I - Mission Critical Sensitive</title><description>&lt;ProfileDescription&gt;&lt;/ProfileDescription&gt;</description><select idref="V-71849" selected="true" /><select idref="V-71855" selected="true" /><select idref="V-71859" selected="true" /><select idref="V-71861" selected="true" /><select idref="V-71863" selected="true" /><select idref="V-71891" selected="true" /><select idref="V-71893" selected="true" /><select idref="V-71899" selected="true" /><select idref="V-71901" selected="true" /><select idref="V-71903" selected="true" /><select idref="V-71905" selected="true" /><select idref="V-71907" selected="true" /><select idref="V-71909" selected="true" /><select idref="V-71911" selected="true" /><select idref="V-71913" selected="true" /><select idref="V-71915" selected="true" /><select idref="V-71917" selected="true" /><select idref="V-71919" selected="true" /><select idref="V-71921" selected="true" /><select idref="V-71923" selected="true" /><select idref="V-71925" selected="true" /><select idref="V-71927" selected="true" /><select idref="V-71929" selected="true" /><select idref="V-71931" selected="true" /><select idref="V-71933" selected="true" /><select idref="V-71935" selected="true" /><select idref="V-71937" selected="true" /><select idref="V-71939" selected="true" /><select idref="V-71941" selected="true" /><select idref="V-71943" selected="true" /><select idref="V-71945" selected="true" /><select idref="V-71947" selected="true" /><select idref="V-71949" selected="true" /><select idref="V-71951" selected="true" /><select idref="V-71953" selected="true" /><select idref="V-71955" selected="true" /><select idref="V-71957" selected="true" /><select idref="V-71959" selected="true" /><select idref="V-71961" selected="true" /><select idref="V-71963" selected="true" /><select idref="V-71965" selected="true" /><select idref="V-71967" selected="true" /><select idref="V-71969" selected="true" /><select idref="V-71971" selected="true" /><select idref="V-71973" selected="true" /><select idref="V-71975" selected="true" /><select idref="V-71977" selected="true" /><select idref="V-71979" selected="true" /><select idref="V-71983" selected="true" /><select idref="V-71985" selected="true" /><select idref="V-71987" selected="true" /><select idref="V-71989" selected="true" /><select idref="V-71991" selected="true" /><select idref="V-71993" selected="true" /><select idref="V-71995" selected="true" /><select idref="V-71997" selected="true" /><select idref="V-71999" selected="true" /><select idref="V-72001" selected="true" /><select idref="V-72003" selected="true" /><select idref="V-72005" selected="true" /><select idref="V-72007" selected="true" /><select idref="V-72009" selected="true" /><select idref="V-72013" selected="true" /><select idref="V-72015" selected="true" /><select idref="V-72017" selected="true" /><select idref="V-72019" selected="true" /><select idref="V-72021" selected="true" /><select idref="V-72023" selected="true" /><select idref="V-72025" selected="true" /><select idref="V-72027" selected="true" /><select idref="V-72029" selected="true" /><select idref="V-72031" selected="true" /><select idref="V-72033" selected="true" /><select idref="V-72035" selected="true" /><select idref="V-72037" selected="true" /><select idref="V-72039" selected="true" /><select idref="V-72041" selected="true" /><select idref="V-72043" selected="true" /><select idref="V-72045" selected="true" /><select idref="V-72047" selected="true" /><select idref="V-72049" selected="true" /><select idref="V-72051" selected="true" /><select idref="V-72053" selected="true" /><select idref="V-72055" selected="true" /><select idref="V-72057" selected="true" /><select idref="V-72059" selected="true" /><select idref="V-72061" selected="true" /><select idref="V-72063" selected="true" /><select idref="V-72065" selected="true" /><select idref="V-72067" selected="true" /><select idref="V-72069" selected="true" /><select idref="V-72071" selected="true" /><select idref="V-72073" selected="true" /><select idref="V-72075" selected="true" /><select idref="V-72077" selected="true" /><select idref="V-72079" selected="true" /><select idref="V-72081" selected="true" /><select idref="V-72083" selected="true" /><select idref="V-72085" selected="true" /><select idref="V-72087" selected="true" /><select idref="V-72089" selected="true" /><select idref="V-72091" selected="true" /><select idref="V-72093" selected="true" /><select idref="V-72095" selected="true" /><select idref="V-72097" selected="true" /><select idref="V-72099" selected="true" /><select idref="V-72101" selected="true" /><select idref="V-72103" selected="true" /><select idref="V-72105" selected="true" /><select idref="V-72107" selected="true" /><select idref="V-72109" selected="true" /><select idref="V-72111" selected="true" /><select idref="V-72113" selected="true" /><select idref="V-72115" selected="true" /><select idref="V-72117" selected="true" /><select idref="V-72119" selected="true" /><select idref="V-72121" selected="true" /><select idref="V-72123" selected="true" /><select idref="V-72125" selected="true" /><select idref="V-72127" selected="true" /><select idref="V-72129" selected="true" /><select idref="V-72131" selected="true" /><select idref="V-72133" selected="true" /><select idref="V-72135" selected="true" /><select idref="V-72137" selected="true" /><select idref="V-72139" selected="true" /><select idref="V-72141" selected="true" /><select idref="V-72145" selected="true" /><select idref="V-72147" selected="true" /><select idref="V-72149" selected="true" /><select idref="V-72151" selected="true" /><select idref="V-72153" selected="true" /><select idref="V-72155" selected="true" /><select idref="V-72157" selected="true" /><select idref="V-72159" selected="true" /><select idref="V-72161" selected="true" /><select idref="V-72163" selected="true" /><select idref="V-72165" selected="true" /><select idref="V-72167" selected="true" /><select idref="V-72171" selected="true" /><select idref="V-72173" selected="true" /><select idref="V-72175" selected="true" /><select idref="V-72177" selected="true" /><select idref="V-72179" selected="true" /><select idref="V-72183" selected="true" /><select idref="V-72185" selected="true" /><select idref="V-72187" selected="true" /><select idref="V-72189" selected="true" /><select idref="V-72191" selected="true" /><select idref="V-72197" selected="true" /><select idref="V-72199" selected="true" /><select idref="V-72201" selected="true" /><select idref="V-72203" selected="true" /><select idref="V-72205" selected="true" /><select idref="V-72207" selected="true" /><select idref="V-72209" selected="true" /><select idref="V-72211" selected="true" /><select idref="V-72213" selected="true" /><select idref="V-72217" selected="true" /><select idref="V-72219" selected="true" /><select idref="V-72221" selected="true" /><select idref="V-72223" selected="true" /><select idref="V-72225" selected="true" /><select idref="V-72227" selected="true" /><select idref="V-72229" selected="true" /><select idref="V-72231" selected="true" /><select idref="V-72233" selected="true" /><select idref="V-72235" selected="true" /><select idref="V-72237" selected="true" /><select idref="V-72239" selected="true" /><select idref="V-72241" selected="true" /><select idref="V-72243" selected="true" /><select idref="V-72245" selected="true" /><select idref="V-72247" selected="true" /><select idref="V-72249" selected="true" /><select idref="V-72251" selected="true" /><select idref="V-72253" selected="true" /><select idref="V-72255" selected="true" /><select idref="V-72257" selected="true" /><select idref="V-72259" selected="true" /><select idref="V-72261" selected="true" /><select idref="V-72263" selected="true" /><select idref="V-72265" selected="true" /><select idref="V-72267" selected="true" /><select idref="V-72269" selected="true" /><select idref="V-72273" selected="true" /><select idref="V-72275" selected="true" /><select idref="V-72277" selected="true" /><select idref="V-72279" selected="true" /><select idref="V-72281" selected="true" /><select idref="V-72283" selected="true" /><select idref="V-72285" selected="true" /><select idref="V-72287" selected="true" /><select idref="V-72289" selected="true" /><select idref="V-72291" selected="true" /><select idref="V-72293" selected="true" /><select idref="V-72295" selected="true" /><select idref="V-72297" selected="true" /><select idref="V-72299" selected="true" /><select idref="V-72301" selected="true" /><select idref="V-72303" selected="true" /><select idref="V-72305" selected="true" /><select idref="V-72307" selected="true" /><select idref="V-72309" selected="true" /><select idref="V-72311" selected="true" /><select idref="V-72313" selected="true" /><select idref="V-72315" selected="true" /><select idref="V-72317" selected="true" /><select idref="V-72319" selected="true" /><select idref="V-72417" selected="true" /><select idref="V-72427" selected="true" /><select idref="V-72433" selected="true" /><select idref="V-73155" selected="true" /><select idref="V-73157" selected="true" /><select idref="V-73159" selected="true" /><select idref="V-73161" selected="true" /><select idref="V-73163" selected="true" /><select idref="V-73165" selected="true" /><select idref="V-73167" selected="true" /><select idref="V-73171" selected="true" /><select idref="V-73173" selected="true" /><select idref="V-73175" selected="true" /><select idref="V-73177" selected="true" /><select idref="V-77819" selected="true" /><select idref="V-77821" selected="true" /><select idref="V-77823" selected="true" /><select idref="V-77825" selected="true" /><select idref="V-78995" selected="true" /><select idref="V-78997" selected="true" /><select idref="V-78999" selected="true" /><select idref="V-79001" selected="true" /><select idref="V-81003" selected="true" /><select idref="V-81005" selected="true" /><select idref="V-81007" selected="true" /><select idref="V-81013" selected="true" /><select idref="V-81017" selected="true" /><select idref="V-81019" selected="true" /><select idref="V-81021" selected="true" /><select idref="V-92251" selected="true" /><select idref="V-92253" selected="true" /><select idref="V-92255" selected="true" /><select idref="V-94843" selected="true" /><select idref="V-100023" selected="true" /></Profile><Profile id="MAC-2_Classified"><title>II - Mission Support Classified</title><description>&lt;ProfileDescription&gt;&lt;/ProfileDescription&gt;</description><select idref="V-71849" selected="true" /><select idref="V-71855" selected="true" /><select idref="V-71859" selected="true" /><select idref="V-71861" selected="true" /><select idref="V-71863" selected="true" /><select idref="V-71891" selected="true" /><select idref="V-71893" selected="true" /><select idref="V-71899" selected="true" /><select idref="V-71901" selected="true" /><select idref="V-71903" selected="true" /><select idref="V-71905" selected="true" /><select idref="V-71907" selected="true" /><select idref="V-71909" selected="true" /><select idref="V-71911" selected="true" /><select idref="V-71913" selected="true" /><select idref="V-71915" selected="true" /><select idref="V-71917" selected="true" /><select idref="V-71919" selected="true" /><select idref="V-71921" selected="true" /><select idref="V-71923" selected="true" /><select idref="V-71925" selected="true" /><select idref="V-71927" selected="true" /><select idref="V-71929" selected="true" /><select idref="V-71931" selected="true" /><select idref="V-71933" selected="true" /><select idref="V-71935" selected="true" /><select idref="V-71937" selected="true" /><select idref="V-71939" selected="true" /><select idref="V-71941" selected="true" /><select idref="V-71943" selected="true" /><select idref="V-71945" selected="true" /><select idref="V-71947" selected="true" /><select idref="V-71949" selected="true" /><select idref="V-71951" selected="true" /><select idref="V-71953" selected="true" /><select idref="V-71955" selected="true" /><select idref="V-71957" selected="true" /><select idref="V-71959" selected="true" /><select idref="V-71961" selected="true" /><select idref="V-71963" selected="true" /><select idref="V-71965" selected="true" /><select idref="V-71967" selected="true" /><select idref="V-71969" selected="true" /><select idref="V-71971" selected="true" /><select idref="V-71973" selected="true" /><select idref="V-71975" selected="true" /><select idref="V-71977" selected="true" /><select idref="V-71979" selected="true" /><select idref="V-71983" selected="true" /><select idref="V-71985" selected="true" /><select idref="V-71987" selected="true" /><select idref="V-71989" selected="true" /><select idref="V-71991" selected="true" /><select idref="V-71993" selected="true" /><select idref="V-71995" selected="true" /><select idref="V-71997" selected="true" /><select idref="V-71999" selected="true" /><select idref="V-72001" selected="true" /><select idref="V-72003" selected="true" /><select idref="V-72005" selected="true" /><select idref="V-72007" selected="true" /><select idref="V-72009" selected="true" /><select idref="V-72013" selected="true" /><select idref="V-72015" selected="true" /><select idref="V-72017" selected="true" /><select idref="V-72019" selected="true" /><select idref="V-72021" selected="true" /><select idref="V-72023" selected="true" /><select idref="V-72025" selected="true" /><select idref="V-72027" selected="true" /><select idref="V-72029" selected="true" /><select idref="V-72031" selected="true" /><select idref="V-72033" selected="true" /><select idref="V-72035" selected="true" /><select idref="V-72037" selected="true" /><select idref="V-72039" selected="true" /><select idref="V-72041" selected="true" /><select idref="V-72043" selected="true" /><select idref="V-72045" selected="true" /><select idref="V-72047" selected="true" /><select idref="V-72049" selected="true" /><select idref="V-72051" selected="true" /><select idref="V-72053" selected="true" /><select idref="V-72055" selected="true" /><select idref="V-72057" selected="true" /><select idref="V-72059" selected="true" /><select idref="V-72061" selected="true" /><select idref="V-72063" selected="true" /><select idref="V-72065" selected="true" /><select idref="V-72067" selected="true" /><select idref="V-72069" selected="true" /><select idref="V-72071" selected="true" /><select idref="V-72073" selected="true" /><select idref="V-72075" selected="true" /><select idref="V-72077" selected="true" /><select idref="V-72079" selected="true" /><select idref="V-72081" selected="true" /><select idref="V-72083" selected="true" /><select idref="V-72085" selected="true" /><select idref="V-72087" selected="true" /><select idref="V-72089" selected="true" /><select idref="V-72091" selected="true" /><select idref="V-72093" selected="true" /><select idref="V-72095" selected="true" /><select idref="V-72097" selected="true" /><select idref="V-72099" selected="true" /><select idref="V-72101" selected="true" /><select idref="V-72103" selected="true" /><select idref="V-72105" selected="true" /><select idref="V-72107" selected="true" /><select idref="V-72109" selected="true" /><select idref="V-72111" selected="true" /><select idref="V-72113" selected="true" /><select idref="V-72115" selected="true" /><select idref="V-72117" selected="true" /><select idref="V-72119" selected="true" /><select idref="V-72121" selected="true" /><select idref="V-72123" selected="true" /><select idref="V-72125" selected="true" /><select idref="V-72127" selected="true" /><select idref="V-72129" selected="true" /><select idref="V-72131" selected="true" /><select idref="V-72133" selected="true" /><select idref="V-72135" selected="true" /><select idref="V-72137" selected="true" /><select idref="V-72139" selected="true" /><select idref="V-72141" selected="true" /><select idref="V-72145" selected="true" /><select idref="V-72147" selected="true" /><select idref="V-72149" selected="true" /><select idref="V-72151" selected="true" /><select idref="V-72153" selected="true" /><select idref="V-72155" selected="true" /><select idref="V-72157" selected="true" /><select idref="V-72159" selected="true" /><select idref="V-72161" selected="true" /><select idref="V-72163" selected="true" /><select idref="V-72165" selected="true" /><select idref="V-72167" selected="true" /><select idref="V-72171" selected="true" /><select idref="V-72173" selected="true" /><select idref="V-72175" selected="true" /><select idref="V-72177" selected="true" /><select idref="V-72179" selected="true" /><select idref="V-72183" selected="true" /><select idref="V-72185" selected="true" /><select idref="V-72187" selected="true" /><select idref="V-72189" selected="true" /><select idref="V-72191" selected="true" /><select idref="V-72197" selected="true" /><select idref="V-72199" selected="true" /><select idref="V-72201" selected="true" /><select idref="V-72203" selected="true" /><select idref="V-72205" selected="true" /><select idref="V-72207" selected="true" /><select idref="V-72209" selected="true" /><select idref="V-72211" selected="true" /><select idref="V-72213" selected="true" /><select idref="V-72217" selected="true" /><select idref="V-72219" selected="true" /><select idref="V-72221" selected="true" /><select idref="V-72223" selected="true" /><select idref="V-72225" selected="true" /><select idref="V-72227" selected="true" /><select idref="V-72229" selected="true" /><select idref="V-72231" selected="true" /><select idref="V-72233" selected="true" /><select idref="V-72235" selected="true" /><select idref="V-72237" selected="true" /><select idref="V-72239" selected="true" /><select idref="V-72241" selected="true" /><select idref="V-72243" selected="true" /><select idref="V-72245" selected="true" /><select idref="V-72247" selected="true" /><select idref="V-72249" selected="true" /><select idref="V-72251" selected="true" /><select idref="V-72253" selected="true" /><select idref="V-72255" selected="true" /><select idref="V-72257" selected="true" /><select idref="V-72259" selected="true" /><select idref="V-72261" selected="true" /><select idref="V-72263" selected="true" /><select idref="V-72265" selected="true" /><select idref="V-72267" selected="true" /><select idref="V-72269" selected="true" /><select idref="V-72273" selected="true" /><select idref="V-72275" selected="true" /><select idref="V-72277" selected="true" /><select idref="V-72279" selected="true" /><select idref="V-72281" selected="true" /><select idref="V-72283" selected="true" /><select idref="V-72285" selected="true" /><select idref="V-72287" selected="true" /><select idref="V-72289" selected="true" /><select idref="V-72291" selected="true" /><select idref="V-72293" selected="true" /><select idref="V-72295" selected="true" /><select idref="V-72297" selected="true" /><select idref="V-72299" selected="true" /><select idref="V-72301" selected="true" /><select idref="V-72303" selected="true" /><select idref="V-72305" selected="true" /><select idref="V-72307" selected="true" /><select idref="V-72309" selected="true" /><select idref="V-72311" selected="true" /><select idref="V-72313" selected="true" /><select idref="V-72315" selected="true" /><select idref="V-72317" selected="true" /><select idref="V-72319" selected="true" /><select idref="V-72417" selected="true" /><select idref="V-72427" selected="true" /><select idref="V-72433" selected="true" /><select idref="V-73155" selected="true" /><select idref="V-73157" selected="true" /><select idref="V-73159" selected="true" /><select idref="V-73161" selected="true" /><select idref="V-73163" selected="true" /><select idref="V-73165" selected="true" /><select idref="V-73167" selected="true" /><select idref="V-73171" selected="true" /><select idref="V-73173" selected="true" /><select idref="V-73175" selected="true" /><select idref="V-73177" selected="true" /><select idref="V-77819" selected="true" /><select idref="V-77821" selected="true" /><select idref="V-77823" selected="true" /><select idref="V-77825" selected="true" /><select idref="V-78995" selected="true" /><select idref="V-78997" selected="true" /><select idref="V-78999" selected="true" /><select idref="V-79001" selected="true" /><select idref="V-81003" selected="true" /><select idref="V-81005" selected="true" /><select idref="V-81007" selected="true" /><select idref="V-81013" selected="true" /><select idref="V-81017" selected="true" /><select idref="V-81019" selected="true" /><select idref="V-81021" selected="true" /><select idref="V-92251" selected="true" /><select idref="V-92253" selected="true" /><select idref="V-92255" selected="true" /><select idref="V-94843" selected="true" /><select idref="V-100023" selected="true" /></Profile><Profile id="MAC-2_Public"><title>II - Mission Support Public</title><description>&lt;ProfileDescription&gt;&lt;/ProfileDescription&gt;</description><select idref="V-71849" selected="true" /><select idref="V-71855" selected="true" /><select idref="V-71859" selected="true" /><select idref="V-71861" selected="true" /><select idref="V-71863" selected="true" /><select idref="V-71891" selected="true" /><select idref="V-71893" selected="true" /><select idref="V-71899" selected="true" /><select idref="V-71901" selected="true" /><select idref="V-71903" selected="true" /><select idref="V-71905" selected="true" /><select idref="V-71907" selected="true" /><select idref="V-71909" selected="true" /><select idref="V-71911" selected="true" /><select idref="V-71913" selected="true" /><select idref="V-71915" selected="true" /><select idref="V-71917" selected="true" /><select idref="V-71919" selected="true" /><select idref="V-71921" selected="true" /><select idref="V-71923" selected="true" /><select idref="V-71925" selected="true" /><select idref="V-71927" selected="true" /><select idref="V-71929" selected="true" /><select idref="V-71931" selected="true" /><select idref="V-71933" selected="true" /><select idref="V-71935" selected="true" /><select idref="V-71937" selected="true" /><select idref="V-71939" selected="true" /><select idref="V-71941" selected="true" /><select idref="V-71943" selected="true" /><select idref="V-71945" selected="true" /><select idref="V-71947" selected="true" /><select idref="V-71949" selected="true" /><select idref="V-71951" selected="true" /><select idref="V-71953" selected="true" /><select idref="V-71955" selected="true" /><select idref="V-71957" selected="true" /><select idref="V-71959" selected="true" /><select idref="V-71961" selected="true" /><select idref="V-71963" selected="true" /><select idref="V-71965" selected="true" /><select idref="V-71967" selected="true" /><select idref="V-71969" selected="true" /><select idref="V-71971" selected="true" /><select idref="V-71973" selected="true" /><select idref="V-71975" selected="true" /><select idref="V-71977" selected="true" /><select idref="V-71979" selected="true" /><select idref="V-71983" selected="true" /><select idref="V-71985" selected="true" /><select idref="V-71987" selected="true" /><select idref="V-71989" selected="true" /><select idref="V-71991" selected="true" /><select idref="V-71993" selected="true" /><select idref="V-71995" selected="true" /><select idref="V-71997" selected="true" /><select idref="V-71999" selected="true" /><select idref="V-72001" selected="true" /><select idref="V-72003" selected="true" /><select idref="V-72005" selected="true" /><select idref="V-72007" selected="true" /><select idref="V-72009" selected="true" /><select idref="V-72013" selected="true" /><select idref="V-72015" selected="true" /><select idref="V-72017" selected="true" /><select idref="V-72019" selected="true" /><select idref="V-72021" selected="true" /><select idref="V-72023" selected="true" /><select idref="V-72025" selected="true" /><select idref="V-72027" selected="true" /><select idref="V-72029" selected="true" /><select idref="V-72031" selected="true" /><select idref="V-72033" selected="true" /><select idref="V-72035" selected="true" /><select idref="V-72037" selected="true" /><select idref="V-72039" selected="true" /><select idref="V-72041" selected="true" /><select idref="V-72043" selected="true" /><select idref="V-72045" selected="true" /><select idref="V-72047" selected="true" /><select idref="V-72049" selected="true" /><select idref="V-72051" selected="true" /><select idref="V-72053" selected="true" /><select idref="V-72055" selected="true" /><select idref="V-72057" selected="true" /><select idref="V-72059" selected="true" /><select idref="V-72061" selected="true" /><select idref="V-72063" selected="true" /><select idref="V-72065" selected="true" /><select idref="V-72067" selected="true" /><select idref="V-72069" selected="true" /><select idref="V-72071" selected="true" /><select idref="V-72073" selected="true" /><select idref="V-72075" selected="true" /><select idref="V-72077" selected="true" /><select idref="V-72079" selected="true" /><select idref="V-72081" selected="true" /><select idref="V-72083" selected="true" /><select idref="V-72085" selected="true" /><select idref="V-72087" selected="true" /><select idref="V-72089" selected="true" /><select idref="V-72091" selected="true" /><select idref="V-72093" selected="true" /><select idref="V-72095" selected="true" /><select idref="V-72097" selected="true" /><select idref="V-72099" selected="true" /><select idref="V-72101" selected="true" /><select idref="V-72103" selected="true" /><select idref="V-72105" selected="true" /><select idref="V-72107" selected="true" /><select idref="V-72109" selected="true" /><select idref="V-72111" selected="true" /><select idref="V-72113" selected="true" /><select idref="V-72115" selected="true" /><select idref="V-72117" selected="true" /><select idref="V-72119" selected="true" /><select idref="V-72121" selected="true" /><select idref="V-72123" selected="true" /><select idref="V-72125" selected="true" /><select idref="V-72127" selected="true" /><select idref="V-72129" selected="true" /><select idref="V-72131" selected="true" /><select idref="V-72133" selected="true" /><select idref="V-72135" selected="true" /><select idref="V-72137" selected="true" /><select idref="V-72139" selected="true" /><select idref="V-72141" selected="true" /><select idref="V-72145" selected="true" /><select idref="V-72147" selected="true" /><select idref="V-72149" selected="true" /><select idref="V-72151" selected="true" /><select idref="V-72153" selected="true" /><select idref="V-72155" selected="true" /><select idref="V-72157" selected="true" /><select idref="V-72159" selected="true" /><select idref="V-72161" selected="true" /><select idref="V-72163" selected="true" /><select idref="V-72165" selected="true" /><select idref="V-72167" selected="true" /><select idref="V-72171" selected="true" /><select idref="V-72173" selected="true" /><select idref="V-72175" selected="true" /><select idref="V-72177" selected="true" /><select idref="V-72179" selected="true" /><select idref="V-72183" selected="true" /><select idref="V-72185" selected="true" /><select idref="V-72187" selected="true" /><select idref="V-72189" selected="true" /><select idref="V-72191" selected="true" /><select idref="V-72197" selected="true" /><select idref="V-72199" selected="true" /><select idref="V-72201" selected="true" /><select idref="V-72203" selected="true" /><select idref="V-72205" selected="true" /><select idref="V-72207" selected="true" /><select idref="V-72209" selected="true" /><select idref="V-72211" selected="true" /><select idref="V-72213" selected="true" /><select idref="V-72217" selected="true" /><select idref="V-72219" selected="true" /><select idref="V-72221" selected="true" /><select idref="V-72223" selected="true" /><select idref="V-72225" selected="true" /><select idref="V-72227" selected="true" /><select idref="V-72229" selected="true" /><select idref="V-72231" selected="true" /><select idref="V-72233" selected="true" /><select idref="V-72235" selected="true" /><select idref="V-72237" selected="true" /><select idref="V-72239" selected="true" /><select idref="V-72241" selected="true" /><select idref="V-72243" selected="true" /><select idref="V-72245" selected="true" /><select idref="V-72247" selected="true" /><select idref="V-72249" selected="true" /><select idref="V-72251" selected="true" /><select idref="V-72253" selected="true" /><select idref="V-72255" selected="true" /><select idref="V-72257" selected="true" /><select idref="V-72259" selected="true" /><select idref="V-72261" selected="true" /><select idref="V-72263" selected="true" /><select idref="V-72265" selected="true" /><select idref="V-72267" selected="true" /><select idref="V-72269" selected="true" /><select idref="V-72273" selected="true" /><select idref="V-72275" selected="true" /><select idref="V-72277" selected="true" /><select idref="V-72279" selected="true" /><select idref="V-72281" selected="true" /><select idref="V-72283" selected="true" /><select idref="V-72285" selected="true" /><select idref="V-72287" selected="true" /><select idref="V-72289" selected="true" /><select idref="V-72291" selected="true" /><select idref="V-72293" selected="true" /><select idref="V-72295" selected="true" /><select idref="V-72297" selected="true" /><select idref="V-72299" selected="true" /><select idref="V-72301" selected="true" /><select idref="V-72303" selected="true" /><select idref="V-72305" selected="true" /><select idref="V-72307" selected="true" /><select idref="V-72309" selected="true" /><select idref="V-72311" selected="true" /><select idref="V-72313" selected="true" /><select idref="V-72315" selected="true" /><select idref="V-72317" selected="true" /><select idref="V-72319" selected="true" /><select idref="V-72417" selected="true" /><select idref="V-72427" selected="true" /><select idref="V-72433" selected="true" /><select idref="V-73155" selected="true" /><select idref="V-73157" selected="true" /><select idref="V-73159" selected="true" /><select idref="V-73161" selected="true" /><select idref="V-73163" selected="true" /><select idref="V-73165" selected="true" /><select idref="V-73167" selected="true" /><select idref="V-73171" selected="true" /><select idref="V-73173" selected="true" /><select idref="V-73175" selected="true" /><select idref="V-73177" selected="true" /><select idref="V-77819" selected="true" /><select idref="V-77821" selected="true" /><select idref="V-77823" selected="true" /><select idref="V-77825" selected="true" /><select idref="V-78995" selected="true" /><select idref="V-78997" selected="true" /><select idref="V-78999" selected="true" /><select idref="V-79001" selected="true" /><select idref="V-81003" selected="true" /><select idref="V-81005" selected="true" /><select idref="V-81007" selected="true" /><select idref="V-81013" selected="true" /><select idref="V-81017" selected="true" /><select idref="V-81019" selected="true" /><select idref="V-81021" selected="true" /><select idref="V-92251" selected="true" /><select idref="V-92253" selected="true" /><select idref="V-92255" selected="true" /><select idref="V-94843" selected="true" /><select idref="V-100023" selected="true" /></Profile><Profile id="MAC-2_Sensitive"><title>II - Mission Support Sensitive</title><description>&lt;ProfileDescription&gt;&lt;/ProfileDescription&gt;</description><select idref="V-71849" selected="true" /><select idref="V-71855" selected="true" /><select idref="V-71859" selected="true" /><select idref="V-71861" selected="true" /><select idref="V-71863" selected="true" /><select idref="V-71891" selected="true" /><select idref="V-71893" selected="true" /><select idref="V-71899" selected="true" /><select idref="V-71901" selected="true" /><select idref="V-71903" selected="true" /><select idref="V-71905" selected="true" /><select idref="V-71907" selected="true" /><select idref="V-71909" selected="true" /><select idref="V-71911" selected="true" /><select idref="V-71913" selected="true" /><select idref="V-71915" selected="true" /><select idref="V-71917" selected="true" /><select idref="V-71919" selected="true" /><select idref="V-71921" selected="true" /><select idref="V-71923" selected="true" /><select idref="V-71925" selected="true" /><select idref="V-71927" selected="true" /><select idref="V-71929" selected="true" /><select idref="V-71931" selected="true" /><select idref="V-71933" selected="true" /><select idref="V-71935" selected="true" /><select idref="V-71937" selected="true" /><select idref="V-71939" selected="true" /><select idref="V-71941" selected="true" /><select idref="V-71943" selected="true" /><select idref="V-71945" selected="true" /><select idref="V-71947" selected="true" /><select idref="V-71949" selected="true" /><select idref="V-71951" selected="true" /><select idref="V-71953" selected="true" /><select idref="V-71955" selected="true" /><select idref="V-71957" selected="true" /><select idref="V-71959" selected="true" /><select idref="V-71961" selected="true" /><select idref="V-71963" selected="true" /><select idref="V-71965" selected="true" /><select idref="V-71967" selected="true" /><select idref="V-71969" selected="true" /><select idref="V-71971" selected="true" /><select idref="V-71973" selected="true" /><select idref="V-71975" selected="true" /><select idref="V-71977" selected="true" /><select idref="V-71979" selected="true" /><select idref="V-71983" selected="true" /><select idref="V-71985" selected="true" /><select idref="V-71987" selected="true" /><select idref="V-71989" selected="true" /><select idref="V-71991" selected="true" /><select idref="V-71993" selected="true" /><select idref="V-71995" selected="true" /><select idref="V-71997" selected="true" /><select idref="V-71999" selected="true" /><select idref="V-72001" selected="true" /><select idref="V-72003" selected="true" /><select idref="V-72005" selected="true" /><select idref="V-72007" selected="true" /><select idref="V-72009" selected="true" /><select idref="V-72013" selected="true" /><select idref="V-72015" selected="true" /><select idref="V-72017" selected="true" /><select idref="V-72019" selected="true" /><select idref="V-72021" selected="true" /><select idref="V-72023" selected="true" /><select idref="V-72025" selected="true" /><select idref="V-72027" selected="true" /><select idref="V-72029" selected="true" /><select idref="V-72031" selected="true" /><select idref="V-72033" selected="true" /><select idref="V-72035" selected="true" /><select idref="V-72037" selected="true" /><select idref="V-72039" selected="true" /><select idref="V-72041" selected="true" /><select idref="V-72043" selected="true" /><select idref="V-72045" selected="true" /><select idref="V-72047" selected="true" /><select idref="V-72049" selected="true" /><select idref="V-72051" selected="true" /><select idref="V-72053" selected="true" /><select idref="V-72055" selected="true" /><select idref="V-72057" selected="true" /><select idref="V-72059" selected="true" /><select idref="V-72061" selected="true" /><select idref="V-72063" selected="true" /><select idref="V-72065" selected="true" /><select idref="V-72067" selected="true" /><select idref="V-72069" selected="true" /><select idref="V-72071" selected="true" /><select idref="V-72073" selected="true" /><select idref="V-72075" selected="true" /><select idref="V-72077" selected="true" /><select idref="V-72079" selected="true" /><select idref="V-72081" selected="true" /><select idref="V-72083" selected="true" /><select idref="V-72085" selected="true" /><select idref="V-72087" selected="true" /><select idref="V-72089" selected="true" /><select idref="V-72091" selected="true" /><select idref="V-72093" selected="true" /><select idref="V-72095" selected="true" /><select idref="V-72097" selected="true" /><select idref="V-72099" selected="true" /><select idref="V-72101" selected="true" /><select idref="V-72103" selected="true" /><select idref="V-72105" selected="true" /><select idref="V-72107" selected="true" /><select idref="V-72109" selected="true" /><select idref="V-72111" selected="true" /><select idref="V-72113" selected="true" /><select idref="V-72115" selected="true" /><select idref="V-72117" selected="true" /><select idref="V-72119" selected="true" /><select idref="V-72121" selected="true" /><select idref="V-72123" selected="true" /><select idref="V-72125" selected="true" /><select idref="V-72127" selected="true" /><select idref="V-72129" selected="true" /><select idref="V-72131" selected="true" /><select idref="V-72133" selected="true" /><select idref="V-72135" selected="true" /><select idref="V-72137" selected="true" /><select idref="V-72139" selected="true" /><select idref="V-72141" selected="true" /><select idref="V-72145" selected="true" /><select idref="V-72147" selected="true" /><select idref="V-72149" selected="true" /><select idref="V-72151" selected="true" /><select idref="V-72153" selected="true" /><select idref="V-72155" selected="true" /><select idref="V-72157" selected="true" /><select idref="V-72159" selected="true" /><select idref="V-72161" selected="true" /><select idref="V-72163" selected="true" /><select idref="V-72165" selected="true" /><select idref="V-72167" selected="true" /><select idref="V-72171" selected="true" /><select idref="V-72173" selected="true" /><select idref="V-72175" selected="true" /><select idref="V-72177" selected="true" /><select idref="V-72179" selected="true" /><select idref="V-72183" selected="true" /><select idref="V-72185" selected="true" /><select idref="V-72187" selected="true" /><select idref="V-72189" selected="true" /><select idref="V-72191" selected="true" /><select idref="V-72197" selected="true" /><select idref="V-72199" selected="true" /><select idref="V-72201" selected="true" /><select idref="V-72203" selected="true" /><select idref="V-72205" selected="true" /><select idref="V-72207" selected="true" /><select idref="V-72209" selected="true" /><select idref="V-72211" selected="true" /><select idref="V-72213" selected="true" /><select idref="V-72217" selected="true" /><select idref="V-72219" selected="true" /><select idref="V-72221" selected="true" /><select idref="V-72223" selected="true" /><select idref="V-72225" selected="true" /><select idref="V-72227" selected="true" /><select idref="V-72229" selected="true" /><select idref="V-72231" selected="true" /><select idref="V-72233" selected="true" /><select idref="V-72235" selected="true" /><select idref="V-72237" selected="true" /><select idref="V-72239" selected="true" /><select idref="V-72241" selected="true" /><select idref="V-72243" selected="true" /><select idref="V-72245" selected="true" /><select idref="V-72247" selected="true" /><select idref="V-72249" selected="true" /><select idref="V-72251" selected="true" /><select idref="V-72253" selected="true" /><select idref="V-72255" selected="true" /><select idref="V-72257" selected="true" /><select idref="V-72259" selected="true" /><select idref="V-72261" selected="true" /><select idref="V-72263" selected="true" /><select idref="V-72265" selected="true" /><select idref="V-72267" selected="true" /><select idref="V-72269" selected="true" /><select idref="V-72273" selected="true" /><select idref="V-72275" selected="true" /><select idref="V-72277" selected="true" /><select idref="V-72279" selected="true" /><select idref="V-72281" selected="true" /><select idref="V-72283" selected="true" /><select idref="V-72285" selected="true" /><select idref="V-72287" selected="true" /><select idref="V-72289" selected="true" /><select idref="V-72291" selected="true" /><select idref="V-72293" selected="true" /><select idref="V-72295" selected="true" /><select idref="V-72297" selected="true" /><select idref="V-72299" selected="true" /><select idref="V-72301" selected="true" /><select idref="V-72303" selected="true" /><select idref="V-72305" selected="true" /><select idref="V-72307" selected="true" /><select idref="V-72309" selected="true" /><select idref="V-72311" selected="true" /><select idref="V-72313" selected="true" /><select idref="V-72315" selected="true" /><select idref="V-72317" selected="true" /><select idref="V-72319" selected="true" /><select idref="V-72417" selected="true" /><select idref="V-72427" selected="true" /><select idref="V-72433" selected="true" /><select idref="V-73155" selected="true" /><select idref="V-73157" selected="true" /><select idref="V-73159" selected="true" /><select idref="V-73161" selected="true" /><select idref="V-73163" selected="true" /><select idref="V-73165" selected="true" /><select idref="V-73167" selected="true" /><select idref="V-73171" selected="true" /><select idref="V-73173" selected="true" /><select idref="V-73175" selected="true" /><select idref="V-73177" selected="true" /><select idref="V-77819" selected="true" /><select idref="V-77821" selected="true" /><select idref="V-77823" selected="true" /><select idref="V-77825" selected="true" /><select idref="V-78995" selected="true" /><select idref="V-78997" selected="true" /><select idref="V-78999" selected="true" /><select idref="V-79001" selected="true" /><select idref="V-81003" selected="true" /><select idref="V-81005" selected="true" /><select idref="V-81007" selected="true" /><select idref="V-81013" selected="true" /><select idref="V-81017" selected="true" /><select idref="V-81019" selected="true" /><select idref="V-81021" selected="true" /><select idref="V-92251" selected="true" /><select idref="V-92253" selected="true" /><select idref="V-92255" selected="true" /><select idref="V-94843" selected="true" /><select idref="V-100023" selected="true" /></Profile><Profile id="MAC-3_Classified"><title>III - Administrative Classified</title><description>&lt;ProfileDescription&gt;&lt;/ProfileDescription&gt;</description><select idref="V-71849" selected="true" /><select idref="V-71855" selected="true" /><select idref="V-71859" selected="true" /><select idref="V-71861" selected="true" /><select idref="V-71863" selected="true" /><select idref="V-71891" selected="true" /><select idref="V-71893" selected="true" /><select idref="V-71899" selected="true" /><select idref="V-71901" selected="true" /><select idref="V-71903" selected="true" /><select idref="V-71905" selected="true" /><select idref="V-71907" selected="true" /><select idref="V-71909" selected="true" /><select idref="V-71911" selected="true" /><select idref="V-71913" selected="true" /><select idref="V-71915" selected="true" /><select idref="V-71917" selected="true" /><select idref="V-71919" selected="true" /><select idref="V-71921" selected="true" /><select idref="V-71923" selected="true" /><select idref="V-71925" selected="true" /><select idref="V-71927" selected="true" /><select idref="V-71929" selected="true" /><select idref="V-71931" selected="true" /><select idref="V-71933" selected="true" /><select idref="V-71935" selected="true" /><select idref="V-71937" selected="true" /><select idref="V-71939" selected="true" /><select idref="V-71941" selected="true" /><select idref="V-71943" selected="true" /><select idref="V-71945" selected="true" /><select idref="V-71947" selected="true" /><select idref="V-71949" selected="true" /><select idref="V-71951" selected="true" /><select idref="V-71953" selected="true" /><select idref="V-71955" selected="true" /><select idref="V-71957" selected="true" /><select idref="V-71959" selected="true" /><select idref="V-71961" selected="true" /><select idref="V-71963" selected="true" /><select idref="V-71965" selected="true" /><select idref="V-71967" selected="true" /><select idref="V-71969" selected="true" /><select idref="V-71971" selected="true" /><select idref="V-71973" selected="true" /><select idref="V-71975" selected="true" /><select idref="V-71977" selected="true" /><select idref="V-71979" selected="true" /><select idref="V-71983" selected="true" /><select idref="V-71985" selected="true" /><select idref="V-71987" selected="true" /><select idref="V-71989" selected="true" /><select idref="V-71991" selected="true" /><select idref="V-71993" selected="true" /><select idref="V-71995" selected="true" /><select idref="V-71997" selected="true" /><select idref="V-71999" selected="true" /><select idref="V-72001" selected="true" /><select idref="V-72003" selected="true" /><select idref="V-72005" selected="true" /><select idref="V-72007" selected="true" /><select idref="V-72009" selected="true" /><select idref="V-72013" selected="true" /><select idref="V-72015" selected="true" /><select idref="V-72017" selected="true" /><select idref="V-72019" selected="true" /><select idref="V-72021" selected="true" /><select idref="V-72023" selected="true" /><select idref="V-72025" selected="true" /><select idref="V-72027" selected="true" /><select idref="V-72029" selected="true" /><select idref="V-72031" selected="true" /><select idref="V-72033" selected="true" /><select idref="V-72035" selected="true" /><select idref="V-72037" selected="true" /><select idref="V-72039" selected="true" /><select idref="V-72041" selected="true" /><select idref="V-72043" selected="true" /><select idref="V-72045" selected="true" /><select idref="V-72047" selected="true" /><select idref="V-72049" selected="true" /><select idref="V-72051" selected="true" /><select idref="V-72053" selected="true" /><select idref="V-72055" selected="true" /><select idref="V-72057" selected="true" /><select idref="V-72059" selected="true" /><select idref="V-72061" selected="true" /><select idref="V-72063" selected="true" /><select idref="V-72065" selected="true" /><select idref="V-72067" selected="true" /><select idref="V-72069" selected="true" /><select idref="V-72071" selected="true" /><select idref="V-72073" selected="true" /><select idref="V-72075" selected="true" /><select idref="V-72077" selected="true" /><select idref="V-72079" selected="true" /><select idref="V-72081" selected="true" /><select idref="V-72083" selected="true" /><select idref="V-72085" selected="true" /><select idref="V-72087" selected="true" /><select idref="V-72089" selected="true" /><select idref="V-72091" selected="true" /><select idref="V-72093" selected="true" /><select idref="V-72095" selected="true" /><select idref="V-72097" selected="true" /><select idref="V-72099" selected="true" /><select idref="V-72101" selected="true" /><select idref="V-72103" selected="true" /><select idref="V-72105" selected="true" /><select idref="V-72107" selected="true" /><select idref="V-72109" selected="true" /><select idref="V-72111" selected="true" /><select idref="V-72113" selected="true" /><select idref="V-72115" selected="true" /><select idref="V-72117" selected="true" /><select idref="V-72119" selected="true" /><select idref="V-72121" selected="true" /><select idref="V-72123" selected="true" /><select idref="V-72125" selected="true" /><select idref="V-72127" selected="true" /><select idref="V-72129" selected="true" /><select idref="V-72131" selected="true" /><select idref="V-72133" selected="true" /><select idref="V-72135" selected="true" /><select idref="V-72137" selected="true" /><select idref="V-72139" selected="true" /><select idref="V-72141" selected="true" /><select idref="V-72145" selected="true" /><select idref="V-72147" selected="true" /><select idref="V-72149" selected="true" /><select idref="V-72151" selected="true" /><select idref="V-72153" selected="true" /><select idref="V-72155" selected="true" /><select idref="V-72157" selected="true" /><select idref="V-72159" selected="true" /><select idref="V-72161" selected="true" /><select idref="V-72163" selected="true" /><select idref="V-72165" selected="true" /><select idref="V-72167" selected="true" /><select idref="V-72171" selected="true" /><select idref="V-72173" selected="true" /><select idref="V-72175" selected="true" /><select idref="V-72177" selected="true" /><select idref="V-72179" selected="true" /><select idref="V-72183" selected="true" /><select idref="V-72185" selected="true" /><select idref="V-72187" selected="true" /><select idref="V-72189" selected="true" /><select idref="V-72191" selected="true" /><select idref="V-72197" selected="true" /><select idref="V-72199" selected="true" /><select idref="V-72201" selected="true" /><select idref="V-72203" selected="true" /><select idref="V-72205" selected="true" /><select idref="V-72207" selected="true" /><select idref="V-72209" selected="true" /><select idref="V-72211" selected="true" /><select idref="V-72213" selected="true" /><select idref="V-72217" selected="true" /><select idref="V-72219" selected="true" /><select idref="V-72221" selected="true" /><select idref="V-72223" selected="true" /><select idref="V-72225" selected="true" /><select idref="V-72227" selected="true" /><select idref="V-72229" selected="true" /><select idref="V-72231" selected="true" /><select idref="V-72233" selected="true" /><select idref="V-72235" selected="true" /><select idref="V-72237" selected="true" /><select idref="V-72239" selected="true" /><select idref="V-72241" selected="true" /><select idref="V-72243" selected="true" /><select idref="V-72245" selected="true" /><select idref="V-72247" selected="true" /><select idref="V-72249" selected="true" /><select idref="V-72251" selected="true" /><select idref="V-72253" selected="true" /><select idref="V-72255" selected="true" /><select idref="V-72257" selected="true" /><select idref="V-72259" selected="true" /><select idref="V-72261" selected="true" /><select idref="V-72263" selected="true" /><select idref="V-72265" selected="true" /><select idref="V-72267" selected="true" /><select idref="V-72269" selected="true" /><select idref="V-72273" selected="true" /><select idref="V-72275" selected="true" /><select idref="V-72277" selected="true" /><select idref="V-72279" selected="true" /><select idref="V-72281" selected="true" /><select idref="V-72283" selected="true" /><select idref="V-72285" selected="true" /><select idref="V-72287" selected="true" /><select idref="V-72289" selected="true" /><select idref="V-72291" selected="true" /><select idref="V-72293" selected="true" /><select idref="V-72295" selected="true" /><select idref="V-72297" selected="true" /><select idref="V-72299" selected="true" /><select idref="V-72301" selected="true" /><select idref="V-72303" selected="true" /><select idref="V-72305" selected="true" /><select idref="V-72307" selected="true" /><select idref="V-72309" selected="true" /><select idref="V-72311" selected="true" /><select idref="V-72313" selected="true" /><select idref="V-72315" selected="true" /><select idref="V-72317" selected="true" /><select idref="V-72319" selected="true" /><select idref="V-72417" selected="true" /><select idref="V-72427" selected="true" /><select idref="V-72433" selected="true" /><select idref="V-73155" selected="true" /><select idref="V-73157" selected="true" /><select idref="V-73159" selected="true" /><select idref="V-73161" selected="true" /><select idref="V-73163" selected="true" /><select idref="V-73165" selected="true" /><select idref="V-73167" selected="true" /><select idref="V-73171" selected="true" /><select idref="V-73173" selected="true" /><select idref="V-73175" selected="true" /><select idref="V-73177" selected="true" /><select idref="V-77819" selected="true" /><select idref="V-77821" selected="true" /><select idref="V-77823" selected="true" /><select idref="V-77825" selected="true" /><select idref="V-78995" selected="true" /><select idref="V-78997" selected="true" /><select idref="V-78999" selected="true" /><select idref="V-79001" selected="true" /><select idref="V-81003" selected="true" /><select idref="V-81005" selected="true" /><select idref="V-81007" selected="true" /><select idref="V-81013" selected="true" /><select idref="V-81017" selected="true" /><select idref="V-81019" selected="true" /><select idref="V-81021" selected="true" /><select idref="V-92251" selected="true" /><select idref="V-92253" selected="true" /><select idref="V-92255" selected="true" /><select idref="V-94843" selected="true" /><select idref="V-100023" selected="true" /></Profile><Profile id="MAC-3_Public"><title>III - Administrative Public</title><description>&lt;ProfileDescription&gt;&lt;/ProfileDescription&gt;</description><select idref="V-71849" selected="true" /><select idref="V-71855" selected="true" /><select idref="V-71859" selected="true" /><select idref="V-71861" selected="true" /><select idref="V-71863" selected="true" /><select idref="V-71891" selected="true" /><select idref="V-71893" selected="true" /><select idref="V-71899" selected="true" /><select idref="V-71901" selected="true" /><select idref="V-71903" selected="true" /><select idref="V-71905" selected="true" /><select idref="V-71907" selected="true" /><select idref="V-71909" selected="true" /><select idref="V-71911" selected="true" /><select idref="V-71913" selected="true" /><select idref="V-71915" selected="true" /><select idref="V-71917" selected="true" /><select idref="V-71919" selected="true" /><select idref="V-71921" selected="true" /><select idref="V-71923" selected="true" /><select idref="V-71925" selected="true" /><select idref="V-71927" selected="true" /><select idref="V-71929" selected="true" /><select idref="V-71931" selected="true" /><select idref="V-71933" selected="true" /><select idref="V-71935" selected="true" /><select idref="V-71937" selected="true" /><select idref="V-71939" selected="true" /><select idref="V-71941" selected="true" /><select idref="V-71943" selected="true" /><select idref="V-71945" selected="true" /><select idref="V-71947" selected="true" /><select idref="V-71949" selected="true" /><select idref="V-71951" selected="true" /><select idref="V-71953" selected="true" /><select idref="V-71955" selected="true" /><select idref="V-71957" selected="true" /><select idref="V-71959" selected="true" /><select idref="V-71961" selected="true" /><select idref="V-71963" selected="true" /><select idref="V-71965" selected="true" /><select idref="V-71967" selected="true" /><select idref="V-71969" selected="true" /><select idref="V-71971" selected="true" /><select idref="V-71973" selected="true" /><select idref="V-71975" selected="true" /><select idref="V-71977" selected="true" /><select idref="V-71979" selected="true" /><select idref="V-71983" selected="true" /><select idref="V-71985" selected="true" /><select idref="V-71987" selected="true" /><select idref="V-71989" selected="true" /><select idref="V-71991" selected="true" /><select idref="V-71993" selected="true" /><select idref="V-71995" selected="true" /><select idref="V-71997" selected="true" /><select idref="V-71999" selected="true" /><select idref="V-72001" selected="true" /><select idref="V-72003" selected="true" /><select idref="V-72005" selected="true" /><select idref="V-72007" selected="true" /><select idref="V-72009" selected="true" /><select idref="V-72013" selected="true" /><select idref="V-72015" selected="true" /><select idref="V-72017" selected="true" /><select idref="V-72019" selected="true" /><select idref="V-72021" selected="true" /><select idref="V-72023" selected="true" /><select idref="V-72025" selected="true" /><select idref="V-72027" selected="true" /><select idref="V-72029" selected="true" /><select idref="V-72031" selected="true" /><select idref="V-72033" selected="true" /><select idref="V-72035" selected="true" /><select idref="V-72037" selected="true" /><select idref="V-72039" selected="true" /><select idref="V-72041" selected="true" /><select idref="V-72043" selected="true" /><select idref="V-72045" selected="true" /><select idref="V-72047" selected="true" /><select idref="V-72049" selected="true" /><select idref="V-72051" selected="true" /><select idref="V-72053" selected="true" /><select idref="V-72055" selected="true" /><select idref="V-72057" selected="true" /><select idref="V-72059" selected="true" /><select idref="V-72061" selected="true" /><select idref="V-72063" selected="true" /><select idref="V-72065" selected="true" /><select idref="V-72067" selected="true" /><select idref="V-72069" selected="true" /><select idref="V-72071" selected="true" /><select idref="V-72073" selected="true" /><select idref="V-72075" selected="true" /><select idref="V-72077" selected="true" /><select idref="V-72079" selected="true" /><select idref="V-72081" selected="true" /><select idref="V-72083" selected="true" /><select idref="V-72085" selected="true" /><select idref="V-72087" selected="true" /><select idref="V-72089" selected="true" /><select idref="V-72091" selected="true" /><select idref="V-72093" selected="true" /><select idref="V-72095" selected="true" /><select idref="V-72097" selected="true" /><select idref="V-72099" selected="true" /><select idref="V-72101" selected="true" /><select idref="V-72103" selected="true" /><select idref="V-72105" selected="true" /><select idref="V-72107" selected="true" /><select idref="V-72109" selected="true" /><select idref="V-72111" selected="true" /><select idref="V-72113" selected="true" /><select idref="V-72115" selected="true" /><select idref="V-72117" selected="true" /><select idref="V-72119" selected="true" /><select idref="V-72121" selected="true" /><select idref="V-72123" selected="true" /><select idref="V-72125" selected="true" /><select idref="V-72127" selected="true" /><select idref="V-72129" selected="true" /><select idref="V-72131" selected="true" /><select idref="V-72133" selected="true" /><select idref="V-72135" selected="true" /><select idref="V-72137" selected="true" /><select idref="V-72139" selected="true" /><select idref="V-72141" selected="true" /><select idref="V-72145" selected="true" /><select idref="V-72147" selected="true" /><select idref="V-72149" selected="true" /><select idref="V-72151" selected="true" /><select idref="V-72153" selected="true" /><select idref="V-72155" selected="true" /><select idref="V-72157" selected="true" /><select idref="V-72159" selected="true" /><select idref="V-72161" selected="true" /><select idref="V-72163" selected="true" /><select idref="V-72165" selected="true" /><select idref="V-72167" selected="true" /><select idref="V-72171" selected="true" /><select idref="V-72173" selected="true" /><select idref="V-72175" selected="true" /><select idref="V-72177" selected="true" /><select idref="V-72179" selected="true" /><select idref="V-72183" selected="true" /><select idref="V-72185" selected="true" /><select idref="V-72187" selected="true" /><select idref="V-72189" selected="true" /><select idref="V-72191" selected="true" /><select idref="V-72197" selected="true" /><select idref="V-72199" selected="true" /><select idref="V-72201" selected="true" /><select idref="V-72203" selected="true" /><select idref="V-72205" selected="true" /><select idref="V-72207" selected="true" /><select idref="V-72209" selected="true" /><select idref="V-72211" selected="true" /><select idref="V-72213" selected="true" /><select idref="V-72217" selected="true" /><select idref="V-72219" selected="true" /><select idref="V-72221" selected="true" /><select idref="V-72223" selected="true" /><select idref="V-72225" selected="true" /><select idref="V-72227" selected="true" /><select idref="V-72229" selected="true" /><select idref="V-72231" selected="true" /><select idref="V-72233" selected="true" /><select idref="V-72235" selected="true" /><select idref="V-72237" selected="true" /><select idref="V-72239" selected="true" /><select idref="V-72241" selected="true" /><select idref="V-72243" selected="true" /><select idref="V-72245" selected="true" /><select idref="V-72247" selected="true" /><select idref="V-72249" selected="true" /><select idref="V-72251" selected="true" /><select idref="V-72253" selected="true" /><select idref="V-72255" selected="true" /><select idref="V-72257" selected="true" /><select idref="V-72259" selected="true" /><select idref="V-72261" selected="true" /><select idref="V-72263" selected="true" /><select idref="V-72265" selected="true" /><select idref="V-72267" selected="true" /><select idref="V-72269" selected="true" /><select idref="V-72273" selected="true" /><select idref="V-72275" selected="true" /><select idref="V-72277" selected="true" /><select idref="V-72279" selected="true" /><select idref="V-72281" selected="true" /><select idref="V-72283" selected="true" /><select idref="V-72285" selected="true" /><select idref="V-72287" selected="true" /><select idref="V-72289" selected="true" /><select idref="V-72291" selected="true" /><select idref="V-72293" selected="true" /><select idref="V-72295" selected="true" /><select idref="V-72297" selected="true" /><select idref="V-72299" selected="true" /><select idref="V-72301" selected="true" /><select idref="V-72303" selected="true" /><select idref="V-72305" selected="true" /><select idref="V-72307" selected="true" /><select idref="V-72309" selected="true" /><select idref="V-72311" selected="true" /><select idref="V-72313" selected="true" /><select idref="V-72315" selected="true" /><select idref="V-72317" selected="true" /><select idref="V-72319" selected="true" /><select idref="V-72417" selected="true" /><select idref="V-72427" selected="true" /><select idref="V-72433" selected="true" /><select idref="V-73155" selected="true" /><select idref="V-73157" selected="true" /><select idref="V-73159" selected="true" /><select idref="V-73161" selected="true" /><select idref="V-73163" selected="true" /><select idref="V-73165" selected="true" /><select idref="V-73167" selected="true" /><select idref="V-73171" selected="true" /><select idref="V-73173" selected="true" /><select idref="V-73175" selected="true" /><select idref="V-73177" selected="true" /><select idref="V-77819" selected="true" /><select idref="V-77821" selected="true" /><select idref="V-77823" selected="true" /><select idref="V-77825" selected="true" /><select idref="V-78995" selected="true" /><select idref="V-78997" selected="true" /><select idref="V-78999" selected="true" /><select idref="V-79001" selected="true" /><select idref="V-81003" selected="true" /><select idref="V-81005" selected="true" /><select idref="V-81007" selected="true" /><select idref="V-81013" selected="true" /><select idref="V-81017" selected="true" /><select idref="V-81019" selected="true" /><select idref="V-81021" selected="true" /><select idref="V-92251" selected="true" /><select idref="V-92253" selected="true" /><select idref="V-92255" selected="true" /><select idref="V-94843" selected="true" /><select idref="V-100023" selected="true" /></Profile><Profile id="MAC-3_Sensitive"><title>III - Administrative Sensitive</title><description>&lt;ProfileDescription&gt;&lt;/ProfileDescription&gt;</description><select idref="V-71849" selected="true" /><select idref="V-71855" selected="true" /><select idref="V-71859" selected="true" /><select idref="V-71861" selected="true" /><select idref="V-71863" selected="true" /><select idref="V-71891" selected="true" /><select idref="V-71893" selected="true" /><select idref="V-71899" selected="true" /><select idref="V-71901" selected="true" /><select idref="V-71903" selected="true" /><select idref="V-71905" selected="true" /><select idref="V-71907" selected="true" /><select idref="V-71909" selected="true" /><select idref="V-71911" selected="true" /><select idref="V-71913" selected="true" /><select idref="V-71915" selected="true" /><select idref="V-71917" selected="true" /><select idref="V-71919" selected="true" /><select idref="V-71921" selected="true" /><select idref="V-71923" selected="true" /><select idref="V-71925" selected="true" /><select idref="V-71927" selected="true" /><select idref="V-71929" selected="true" /><select idref="V-71931" selected="true" /><select idref="V-71933" selected="true" /><select idref="V-71935" selected="true" /><select idref="V-71937" selected="true" /><select idref="V-71939" selected="true" /><select idref="V-71941" selected="true" /><select idref="V-71943" selected="true" /><select idref="V-71945" selected="true" /><select idref="V-71947" selected="true" /><select idref="V-71949" selected="true" /><select idref="V-71951" selected="true" /><select idref="V-71953" selected="true" /><select idref="V-71955" selected="true" /><select idref="V-71957" selected="true" /><select idref="V-71959" selected="true" /><select idref="V-71961" selected="true" /><select idref="V-71963" selected="true" /><select idref="V-71965" selected="true" /><select idref="V-71967" selected="true" /><select idref="V-71969" selected="true" /><select idref="V-71971" selected="true" /><select idref="V-71973" selected="true" /><select idref="V-71975" selected="true" /><select idref="V-71977" selected="true" /><select idref="V-71979" selected="true" /><select idref="V-71983" selected="true" /><select idref="V-71985" selected="true" /><select idref="V-71987" selected="true" /><select idref="V-71989" selected="true" /><select idref="V-71991" selected="true" /><select idref="V-71993" selected="true" /><select idref="V-71995" selected="true" /><select idref="V-71997" selected="true" /><select idref="V-71999" selected="true" /><select idref="V-72001" selected="true" /><select idref="V-72003" selected="true" /><select idref="V-72005" selected="true" /><select idref="V-72007" selected="true" /><select idref="V-72009" selected="true" /><select idref="V-72013" selected="true" /><select idref="V-72015" selected="true" /><select idref="V-72017" selected="true" /><select idref="V-72019" selected="true" /><select idref="V-72021" selected="true" /><select idref="V-72023" selected="true" /><select idref="V-72025" selected="true" /><select idref="V-72027" selected="true" /><select idref="V-72029" selected="true" /><select idref="V-72031" selected="true" /><select idref="V-72033" selected="true" /><select idref="V-72035" selected="true" /><select idref="V-72037" selected="true" /><select idref="V-72039" selected="true" /><select idref="V-72041" selected="true" /><select idref="V-72043" selected="true" /><select idref="V-72045" selected="true" /><select idref="V-72047" selected="true" /><select idref="V-72049" selected="true" /><select idref="V-72051" selected="true" /><select idref="V-72053" selected="true" /><select idref="V-72055" selected="true" /><select idref="V-72057" selected="true" /><select idref="V-72059" selected="true" /><select idref="V-72061" selected="true" /><select idref="V-72063" selected="true" /><select idref="V-72065" selected="true" /><select idref="V-72067" selected="true" /><select idref="V-72069" selected="true" /><select idref="V-72071" selected="true" /><select idref="V-72073" selected="true" /><select idref="V-72075" selected="true" /><select idref="V-72077" selected="true" /><select idref="V-72079" selected="true" /><select idref="V-72081" selected="true" /><select idref="V-72083" selected="true" /><select idref="V-72085" selected="true" /><select idref="V-72087" selected="true" /><select idref="V-72089" selected="true" /><select idref="V-72091" selected="true" /><select idref="V-72093" selected="true" /><select idref="V-72095" selected="true" /><select idref="V-72097" selected="true" /><select idref="V-72099" selected="true" /><select idref="V-72101" selected="true" /><select idref="V-72103" selected="true" /><select idref="V-72105" selected="true" /><select idref="V-72107" selected="true" /><select idref="V-72109" selected="true" /><select idref="V-72111" selected="true" /><select idref="V-72113" selected="true" /><select idref="V-72115" selected="true" /><select idref="V-72117" selected="true" /><select idref="V-72119" selected="true" /><select idref="V-72121" selected="true" /><select idref="V-72123" selected="true" /><select idref="V-72125" selected="true" /><select idref="V-72127" selected="true" /><select idref="V-72129" selected="true" /><select idref="V-72131" selected="true" /><select idref="V-72133" selected="true" /><select idref="V-72135" selected="true" /><select idref="V-72137" selected="true" /><select idref="V-72139" selected="true" /><select idref="V-72141" selected="true" /><select idref="V-72145" selected="true" /><select idref="V-72147" selected="true" /><select idref="V-72149" selected="true" /><select idref="V-72151" selected="true" /><select idref="V-72153" selected="true" /><select idref="V-72155" selected="true" /><select idref="V-72157" selected="true" /><select idref="V-72159" selected="true" /><select idref="V-72161" selected="true" /><select idref="V-72163" selected="true" /><select idref="V-72165" selected="true" /><select idref="V-72167" selected="true" /><select idref="V-72171" selected="true" /><select idref="V-72173" selected="true" /><select idref="V-72175" selected="true" /><select idref="V-72177" selected="true" /><select idref="V-72179" selected="true" /><select idref="V-72183" selected="true" /><select idref="V-72185" selected="true" /><select idref="V-72187" selected="true" /><select idref="V-72189" selected="true" /><select idref="V-72191" selected="true" /><select idref="V-72197" selected="true" /><select idref="V-72199" selected="true" /><select idref="V-72201" selected="true" /><select idref="V-72203" selected="true" /><select idref="V-72205" selected="true" /><select idref="V-72207" selected="true" /><select idref="V-72209" selected="true" /><select idref="V-72211" selected="true" /><select idref="V-72213" selected="true" /><select idref="V-72217" selected="true" /><select idref="V-72219" selected="true" /><select idref="V-72221" selected="true" /><select idref="V-72223" selected="true" /><select idref="V-72225" selected="true" /><select idref="V-72227" selected="true" /><select idref="V-72229" selected="true" /><select idref="V-72231" selected="true" /><select idref="V-72233" selected="true" /><select idref="V-72235" selected="true" /><select idref="V-72237" selected="true" /><select idref="V-72239" selected="true" /><select idref="V-72241" selected="true" /><select idref="V-72243" selected="true" /><select idref="V-72245" selected="true" /><select idref="V-72247" selected="true" /><select idref="V-72249" selected="true" /><select idref="V-72251" selected="true" /><select idref="V-72253" selected="true" /><select idref="V-72255" selected="true" /><select idref="V-72257" selected="true" /><select idref="V-72259" selected="true" /><select idref="V-72261" selected="true" /><select idref="V-72263" selected="true" /><select idref="V-72265" selected="true" /><select idref="V-72267" selected="true" /><select idref="V-72269" selected="true" /><select idref="V-72273" selected="true" /><select idref="V-72275" selected="true" /><select idref="V-72277" selected="true" /><select idref="V-72279" selected="true" /><select idref="V-72281" selected="true" /><select idref="V-72283" selected="true" /><select idref="V-72285" selected="true" /><select idref="V-72287" selected="true" /><select idref="V-72289" selected="true" /><select idref="V-72291" selected="true" /><select idref="V-72293" selected="true" /><select idref="V-72295" selected="true" /><select idref="V-72297" selected="true" /><select idref="V-72299" selected="true" /><select idref="V-72301" selected="true" /><select idref="V-72303" selected="true" /><select idref="V-72305" selected="true" /><select idref="V-72307" selected="true" /><select idref="V-72309" selected="true" /><select idref="V-72311" selected="true" /><select idref="V-72313" selected="true" /><select idref="V-72315" selected="true" /><select idref="V-72317" selected="true" /><select idref="V-72319" selected="true" /><select idref="V-72417" selected="true" /><select idref="V-72427" selected="true" /><select idref="V-72433" selected="true" /><select idref="V-73155" selected="true" /><select idref="V-73157" selected="true" /><select idref="V-73159" selected="true" /><select idref="V-73161" selected="true" /><select idref="V-73163" selected="true" /><select idref="V-73165" selected="true" /><select idref="V-73167" selected="true" /><select idref="V-73171" selected="true" /><select idref="V-73173" selected="true" /><select idref="V-73175" selected="true" /><select idref="V-73177" selected="true" /><select idref="V-77819" selected="true" /><select idref="V-77821" selected="true" /><select idref="V-77823" selected="true" /><select idref="V-77825" selected="true" /><select idref="V-78995" selected="true" /><select idref="V-78997" selected="true" /><select idref="V-78999" selected="true" /><select idref="V-79001" selected="true" /><select idref="V-81003" selected="true" /><select idref="V-81005" selected="true" /><select idref="V-81007" selected="true" /><select idref="V-81013" selected="true" /><select idref="V-81017" selected="true" /><select idref="V-81019" selected="true" /><select idref="V-81021" selected="true" /><select idref="V-92251" selected="true" /><select idref="V-92253" selected="true" /><select idref="V-92255" selected="true" /><select idref="V-94843" selected="true" /><select idref="V-100023" selected="true" /></Profile><Group id="V-71849"><title>SRG-OS-000257-GPOS-00098</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86473r4_rule" severity="high" weight="10.0"><version>RHEL-07-010010</version><title>The Red Hat Enterprise Linux operating system must be configured so that the file permissions, ownership, and group membership of system files and commands match the vendor values.</title><description>&lt;VulnDiscussion&gt;Discretionary access control is weakened if a user or group has access permissions to system files and directories greater than the default.
- 
- Satisfies: SRG-OS-000257-GPOS-00098, SRG-OS-000278-GPOS-00108&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-001494</ident><ident system="http://iase.disa.mil/cci">CCI-001496</ident><ident system="http://iase.disa.mil/cci">CCI-002165</ident><ident system="http://iase.disa.mil/cci">CCI-002235</ident><fixtext fixref="F-78201r4_fix">Run the following command to determine which package owns the file:
- 
-@@ -265,32 +265,7 @@ Check to see if GNOME is configured to display a screensaver after a 15 minute d
- # grep -i idle-delay /etc/dconf/db/local.d/*
- idle-delay=uint32 900
- 
--If the "idle-delay" setting is missing or is not set to "900" or less, this is a finding.</check-content></check></Rule></Group><Group id="V-71897"><title>SRG-OS-000029-GPOS-00010</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86521r3_rule" severity="medium" weight="10.0"><version>RHEL-07-010090</version><title>The Red Hat Enterprise Linux operating system must have the screen package installed.</title><description>&lt;VulnDiscussion&gt;:  A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock.
--
--The screen and tmux packages allow for a session lock to be implemented and configured.
--&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000057</ident><fixtext fixref="F-78249r3_fix">Install the screen package to allow the initiation of a session lock after a 15-minute period of inactivity.
--
--Install the screen program (if it is not on the system) with the following command:
--
--# yum install screen   
--
--OR
--
--Install the tmux program (if it is not on the system) with the following command:
--
--#yum install tmux</fixtext><fix id="F-78249r3_fix" /><check system="C-72129r3_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system has the screen package installed.
--
--Check to see if the screen package is installed with the following command:
--
--# yum list installed screen
--screen-4.3.1-3-x86_64.rpm
--
--If the screen package is not installed, check to see if the tmux package is installed with the following command:
--
--#yum list installed tmux
--tmux-1.8-4.el7.x86_64.rpm 
--
--If either the screen package or the tmux package is not installed, this is a finding.</check-content></check></Rule></Group><Group id="V-71899"><title>SRG-OS-000029-GPOS-00010</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86523r5_rule" severity="medium" weight="10.0"><version>RHEL-07-010100</version><title>The Red Hat Enterprise Linux operating system must initiate a session lock for the screensaver after a period of inactivity for graphical user interfaces.</title><description>&lt;VulnDiscussion&gt;A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock.
-+If the "idle-delay" setting is missing or is not set to "900" or less, this is a finding.</check-content></check></Rule></Group><Group id="V-71899"><title>SRG-OS-000029-GPOS-00010</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86523r5_rule" severity="medium" weight="10.0"><version>RHEL-07-010100</version><title>The Red Hat Enterprise Linux operating system must initiate a session lock for the screensaver after a period of inactivity for graphical user interfaces.</title><description>&lt;VulnDiscussion&gt;A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock.
- 
- The session lock is implemented at the point where session activity can be determined and/or controlled.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000057</ident><fixtext fixref="F-78251r2_fix">Configure the operating system to initiate a session lock after a 15-minute period of inactivity for graphical user interfaces.
- 
-@@ -592,7 +567,7 @@ Verify the operating system disables account identifiers (individuals, groups, r
- # grep -i inactive /etc/default/useradd
- INACTIVE=0
- 
--If the value is not set to "0", is commented out, or is not defined, this is a finding.</check-content></check></Rule></Group><Group id="V-71943"><title>SRG-OS-000329-GPOS-00128</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86567r5_rule" severity="medium" weight="10.0"><version>RHEL-07-010320</version><title>The Red Hat Enterprise Linux operating system must be configured to lock accounts for a minimum of 15 minutes after three unsuccessful logon attempts within a 15-minute timeframe.</title><description>&lt;VulnDiscussion&gt;By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by locking the account.
-+If the value is not set to "0", is commented out, or is not defined, this is a finding.</check-content></check></Rule></Group><Group id="V-71943"><title>SRG-OS-000329-GPOS-00128</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86567r6_rule" severity="medium" weight="10.0"><version>RHEL-07-010320</version><title>The Red Hat Enterprise Linux operating system must be configured to lock accounts for a minimum of 15 minutes after three unsuccessful logon attempts within a 15-minute timeframe.</title><description>&lt;VulnDiscussion&gt;By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by locking the account.
- 
- Satisfies: SRG-OS-000329-GPOS-00128, SRG-OS-000021-GPOS-00005&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000044</ident><ident system="http://iase.disa.mil/cci">CCI-002236</ident><ident system="http://iase.disa.mil/cci">CCI-002237</ident><ident system="http://iase.disa.mil/cci">CCI-002238</ident><fixtext fixref="F-78295r5_fix">Configure the operating system to lock an account for the maximum period when three unsuccessful logon attempts in 15 minutes are made.
- 
-@@ -603,7 +578,7 @@ auth sufficient pam_unix.so try_first_pass
- auth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root fail_interval=900 unlock_time=900
- account required pam_faillock.so   
- 
--Note: Manual changes to the listed files may be overwritten by the "authconfig" program. The "authconfig" program should not be used to update the configurations listed in this requirement.</fixtext><fix id="F-78295r5_fix" /><check system="C-72175r5_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Check that the system locks an account for a minimum of 15 minutes after three unsuccessful logon attempts within a period of 15 minutes with the following command:
-+Note: Manual changes to the listed files may be overwritten by the "authconfig" program. The "authconfig" program should not be used to update the configurations listed in this requirement.</fixtext><fix id="F-78295r5_fix" /><check system="C-72175r6_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Check that the system locks an account for a minimum of 15 minutes after three unsuccessful logon attempts within a period of 15 minutes with the following command:
- 
- # grep pam_faillock.so /etc/pam.d/password-auth
- 
-@@ -611,7 +586,7 @@ auth required pam_faillock.so preauth silent audit deny=3 even_deny_root fail_in
- auth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root fail_interval=900 unlock_time=900
- account required pam_faillock.so 
- 
--If the "deny" parameter is set to "0" or a value less than "3" on both "auth" lines with the "pam_faillock.so" module, or is missing from these lines, this is a finding.
-+If the "deny" parameter is set to "0" or a value greater than "3" on both "auth" lines with the "pam_faillock.so" module, or is missing from these lines, this is a finding.
- 
- If the "even_deny_root" parameter is not set on both "auth" lines with the "pam_faillock.so" module, or is missing from these lines, this is a finding.
- 
-@@ -629,7 +604,7 @@ auth required pam_faillock.so preauth silent audit deny=3 even_deny_root fail_in
- auth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root fail_interval=900 unlock_time=900
- account required pam_faillock.so 
- 
--If the "deny" parameter is set to "0" or a value less than "3" on both "auth" lines with the "pam_faillock.so" module, or is missing from these lines, this is a finding.
-+If the "deny" parameter is set to "0" or a value greater than "3" on both "auth" lines with the "pam_faillock.so" module, or is missing from these lines, this is a finding.
- 
- If the "even_deny_root" parameter is not set on both "auth" lines with the "pam_faillock.so" module, or is missing from these lines, this is a finding.
- 
-@@ -899,7 +874,7 @@ Check to see if the "ypserve" package is installed with the following command:
- 
- # yum list installed ypserv
- 
--If the "ypserv" package is installed, this is a finding.</check-content></check></Rule></Group><Group id="V-71971"><title>SRG-OS-000324-GPOS-00125</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86595r3_rule" severity="medium" weight="10.0"><version>RHEL-07-020020</version><title>The Red Hat Enterprise Linux operating system must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.</title><description>&lt;VulnDiscussion&gt;Preventing non-privileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges.
-+If the "ypserv" package is installed, this is a finding.</check-content></check></Rule></Group><Group id="V-71971"><title>SRG-OS-000324-GPOS-00125</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86595r4_rule" severity="medium" weight="10.0"><version>RHEL-07-020020</version><title>The Red Hat Enterprise Linux operating system must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.</title><description>&lt;VulnDiscussion&gt;Preventing non-privileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges.
- 
- Privileged functions include, for example, establishing accounts, performing system integrity checks, or administering cryptographic key management activities. Non-privileged users are individuals who do not possess appropriate authorizations. Circumventing intrusion detection and prevention mechanisms or malicious code protection mechanisms are examples of privileged functions that require protection from non-privileged users.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-002165</ident><ident system="http://iase.disa.mil/cci">CCI-002235</ident><fixtext fixref="F-78323r2_fix">Configure the operating system to prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.
- 
-@@ -925,7 +900,7 @@ Use the following command to map a new user to the "user_u" role:
- 
- Use the following command to map an existing user to the "user_u" role:
- 
--# semanage login -m -s user_u &lt;username&gt;</fixtext><fix id="F-78323r2_fix" /><check system="C-72203r3_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>If an HBSS or HIPS is active on the system, this is Not Applicable.
-+# semanage login -m -s user_u &lt;username&gt;</fixtext><fix id="F-78323r2_fix" /><check system="C-72203r4_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Note: Per OPORD 16-0080, the preferred intrusion detection system is McAfee Host Intrusion Prevention System (HIPS) in conjunction with SELinux. McAfee Endpoint Security for Linux (ENSL) is an approved alternative to McAfee Virus Scan Enterprise (VSE) and HIPS. For RHEL 7 systems, SELinux is an approved alternative to McAfee HIPS. Regardless of whether or not McAfee HIPS or ENSL is installed, SELinux is interoperable with both McAfee products and SELinux is still required.
- 
- Verify the operating system prevents non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.
- 
-@@ -1039,7 +1014,7 @@ localpkg_gpgcheck=1
- 
- If "localpkg_gpgcheck" is not set to "1", or if options are missing or commented out, ask the System Administrator how the signatures of local packages and other operating system components are verified. 
- 
--If there is no process to validate the signatures of local packages that is approved by the organization, this is a finding.</check-content></check></Rule></Group><Group id="V-71983"><title>SRG-OS-000114-GPOS-00059</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86607r4_rule" severity="medium" weight="10.0"><version>RHEL-07-020100</version><title>The Red Hat Enterprise Linux operating system must be configured to disable USB mass storage.</title><description>&lt;VulnDiscussion&gt;USB mass storage permits easy introduction of unknown devices, thereby facilitating malicious activity.
-+If there is no process to validate the signatures of local packages that is approved by the organization, this is a finding.</check-content></check></Rule></Group><Group id="V-71983"><title>SRG-OS-000114-GPOS-00059</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86607r5_rule" severity="medium" weight="10.0"><version>RHEL-07-020100</version><title>The Red Hat Enterprise Linux operating system must be configured to disable USB mass storage.</title><description>&lt;VulnDiscussion&gt;USB mass storage permits easy introduction of unknown devices, thereby facilitating malicious activity.
- 
- Satisfies: SRG-OS-000114-GPOS-00059, SRG-OS-000378-GPOS-00163, SRG-OS-000480-GPOS-00227&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000366</ident><ident system="http://iase.disa.mil/cci">CCI-000778</ident><ident system="http://iase.disa.mil/cci">CCI-001958</ident><fixtext fixref="F-78335r4_fix">Configure the operating system to disable the ability to use the USB Storage kernel module.
- 
-@@ -1057,9 +1032,7 @@ Configure the operating system to disable the ability to use USB mass storage de
- 
- Add or update the line:
- 
--blacklist usb-storage</fixtext><fix id="F-78335r4_fix" /><check system="C-72215r4_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>If there is an HBSS with a Device Control Module and a Data Loss Prevention mechanism, this requirement is not applicable.
--
--Verify the operating system disables the ability to load the USB Storage kernel module.
-+blacklist usb-storage</fixtext><fix id="F-78335r4_fix" /><check system="C-72215r5_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system disables the ability to load the USB Storage kernel module.
- 
- # grep -r usb-storage /etc/modprobe.d/* | grep -i "/bin/true" | grep -v "^#"
- 
-@@ -1103,7 +1076,7 @@ Check if yum is configured to remove unneeded packages with the following comman
- # grep -i clean_requirements_on_remove /etc/yum.conf
- clean_requirements_on_remove=1
- 
--If "clean_requirements_on_remove" is not set to "1", "True", or "yes", or is not set in "/etc/yum.conf", this is a finding.</check-content></check></Rule></Group><Group id="V-71989"><title>SRG-OS-000445-GPOS-00199</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86613r3_rule" severity="high" weight="10.0"><version>RHEL-07-020210</version><title>The Red Hat Enterprise Linux operating system must enable SELinux.</title><description>&lt;VulnDiscussion&gt;Without verification of the security functions, security functions may not operate correctly and the failure may go unnoticed. Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters.
-+If "clean_requirements_on_remove" is not set to "1", "True", or "yes", or is not set in "/etc/yum.conf", this is a finding.</check-content></check></Rule></Group><Group id="V-71989"><title>SRG-OS-000445-GPOS-00199</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86613r4_rule" severity="high" weight="10.0"><version>RHEL-07-020210</version><title>The Red Hat Enterprise Linux operating system must enable SELinux.</title><description>&lt;VulnDiscussion&gt;Without verification of the security functions, security functions may not operate correctly and the failure may go unnoticed. Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters.
- 
- This requirement applies to operating systems performing security function verification/testing and/or systems and environments that require this functionality.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-002165</ident><ident system="http://iase.disa.mil/cci">CCI-002696</ident><fixtext fixref="F-78341r2_fix">Configure the operating system to verify correct operation of all security functions.
- 
-@@ -1111,7 +1084,7 @@ Set the "SELinux" status and the "Enforcing" mode by modifying the "/etc/selinux
- 
- SELINUX=enforcing
- 
--A reboot is required for the changes to take effect.</fixtext><fix id="F-78341r2_fix" /><check system="C-72221r6_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>If an HBSS or HIPS is active on the system, this is Not Applicable.
-+A reboot is required for the changes to take effect.</fixtext><fix id="F-78341r2_fix" /><check system="C-72221r7_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Per OPORD 16-0080, the preferred intrusion detection system is McAfee Host Intrusion Prevention System (HIPS) in conjunction with SELinux.  McAfee Endpoint Security for Linux (ENSL) is an approved alternative to McAfee Virus Scan Enterprise (VSE) and HIPS. For RHEL 7 systems, SELinux is an approved alternative to McAfee HIPS. Regardless of whether or not McAfee HIPS or ENSL is installed, SELinux is interoperable with both McAfee products and SELinux is still required.
- 
- Verify the operating system verifies correct operation of all security functions.
- 
-@@ -1120,7 +1093,7 @@ Check if "SELinux" is active and in "Enforcing" mode with the following command:
- # getenforce
- Enforcing
- 
--If "SELinux" is not active and not in "Enforcing" mode, this is a finding.</check-content></check></Rule></Group><Group id="V-71991"><title>SRG-OS-000445-GPOS-00199</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86615r5_rule" severity="high" weight="10.0"><version>RHEL-07-020220</version><title>The Red Hat Enterprise Linux operating system must enable the SELinux targeted policy.</title><description>&lt;VulnDiscussion&gt;Without verification of the security functions, security functions may not operate correctly and the failure may go unnoticed. Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters.
-+If "SELinux" is not active and not in "Enforcing" mode, this is a finding.</check-content></check></Rule></Group><Group id="V-71991"><title>SRG-OS-000445-GPOS-00199</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86615r6_rule" severity="high" weight="10.0"><version>RHEL-07-020220</version><title>The Red Hat Enterprise Linux operating system must enable the SELinux targeted policy.</title><description>&lt;VulnDiscussion&gt;Without verification of the security functions, security functions may not operate correctly and the failure may go unnoticed. Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters.
- 
- This requirement applies to operating systems performing security function verification/testing and/or systems and environments that require this functionality.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-002165</ident><ident system="http://iase.disa.mil/cci">CCI-002696</ident><fixtext fixref="F-78343r2_fix">Configure the operating system to verify correct operation of all security functions.
- 
-@@ -1128,7 +1101,7 @@ Set the "SELinuxtype" to the "targeted" policy by modifying the "/etc/selinux/co
- 
- SELINUXTYPE=targeted
- 
--A reboot is required for the changes to take effect.</fixtext><fix id="F-78343r2_fix" /><check system="C-72223r8_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>If an HBSS or HIPS is active on the system, this is Not Applicable.
-+A reboot is required for the changes to take effect.</fixtext><fix id="F-78343r2_fix" /><check system="C-72223r9_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Per OPORD 16-0080, the preferred intrusion detection system is McAfee Host Intrusion Prevention System (HIPS) in conjunction with SELinux. McAfee Endpoint Security for Linux (ENSL) is an approved alternative to McAfee Virus Scan Enterprise (VSE) and HIPS. For RHEL 7 systems, SELinux is an approved alternative to McAfee HIPS. Regardless of whether or not McAfee HIPS or ENSL is installed, SELinux is interoperable with both McAfee products and SELinux is still required.
- 
- Verify the operating system verifies correct operation of all security functions.
- 
-@@ -1189,7 +1162,9 @@ Note: If the value of the "UMASK" parameter is set to "000" in "/etc/login.defs"
- # grep -i umask /etc/login.defs
- UMASK  077
- 
--If the value for the "UMASK" parameter is not "077", or the "UMASK" parameter is missing or is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-71997"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86621r5_rule" severity="high" weight="10.0"><version>RHEL-07-020250</version><title>The Red Hat Enterprise Linux operating system must be a vendor supported release.</title><description>&lt;VulnDiscussion&gt;An operating system release is considered "supported" if the vendor continues to provide security patches for the product. With an unsupported release, it will not be possible to resolve security issues discovered in the system software.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000366</ident><fixtext fixref="F-78349r1_fix">Upgrade to a supported version of the operating system.</fixtext><fix id="F-78349r1_fix" /><check system="C-72229r11_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the version of the operating system is vendor supported.
-+If the value for the "UMASK" parameter is not "077", or the "UMASK" parameter is missing or is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-71997"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86621r6_rule" severity="high" weight="10.0"><version>RHEL-07-020250</version><title>The Red Hat Enterprise Linux operating system must be a vendor supported release.</title><description>&lt;VulnDiscussion&gt;An operating system release is considered "supported" if the vendor continues to provide security patches for the product. With an unsupported release, it will not be possible to resolve security issues discovered in the system software.
-+
-+Red Hat offers the Extended Update Support (EUS) Add-On to a Red Hat Enterprise Linux subscription, for a fee, for those customers who wish to standardize on a specific minor release for an extended period. RHEL 7.7 marks the final minor release that EUS will be available.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000366</ident><fixtext fixref="F-78349r1_fix">Upgrade to a supported version of the operating system.</fixtext><fix id="F-78349r1_fix" /><check system="C-72229r12_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the version of the operating system is vendor supported.
- 
- Check the version of the operating system with the following command:
- 
-@@ -1197,19 +1172,13 @@ Check the version of the operating system with the following command:
- 
- Red Hat Enterprise Linux Server release 7.4 (Maipo)
- 
--Current End of Life for RHEL 7.1 is 31 March 2017.
--
--Current End of Life for RHEL 7.2 is 30 November 2017.
--
--Current End of Life for RHEL 7.3 is 30 November 2018.
--
--Current End of Life for RHEL 7.4 is 31 August 2019.
-+Current End of Extended Update Support for RHEL 7.6 is 31 October 2020.
- 
--Current End of Life for RHEL 7.5 is 30 April 2020.
-+Current End of Extended Update Support for RHEL 7.7 is 31 August 2021.
- 
--Current End of Life for RHEL 7.6 is 31 October 2020.
-+Current End of Maintenance Support for RHEL 7.8 is 31 October 2020.
- 
--Current End of Life for RHEL 7.7 is 30 August 2021.
-+Current End of Maintenance Support for RHEL 7.9 is 30 April 2021.
- 
- If the release is not supported by the vendor, this is a finding.</check-content></check></Rule></Group><Group id="V-71999"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86623r4_rule" severity="medium" weight="10.0"><version>RHEL-07-020260</version><title>The Red Hat Enterprise Linux operating system security patches and updates must be installed and up to date.</title><description>&lt;VulnDiscussion&gt;Timely patching is critical for maintaining the operational availability, confidentiality, and integrity of information technology (IT) systems. However, failure to keep operating system and application software patched is a common mistake made by IT professionals. New patches are released daily, and it is often difficult for even experienced System Administrators to keep abreast of all the new patches. When new weaknesses in an operating system exist, patches are usually made available by the vendor to resolve the problems. If the most recent security patches and updates are not installed, unauthorized users may take advantage of weaknesses in the unpatched software. The lack of prompt attention to patching could result in a system compromise.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000366</ident><fixtext fixref="F-78351r1_fix">Install the operating system patches or updated packages available from Red Hat within 30 days or sooner as local policy dictates.</fixtext><fix id="F-78351r1_fix" /><check system="C-72231r3_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system security patches and updates are installed and up to date. Updates are required to be applied with a frequency determined by the site or Program Management Office (PMO). 
- 
-@@ -1285,21 +1254,7 @@ Note: The value after -fstype must be replaced with the filesystem type. XFS is
- 
- # find / -fstype xfs -nogroup
- 
--If any files on the system do not have an assigned group, this is a finding.</check-content></check></Rule></Group><Group id="V-72011"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86635r2_rule" severity="medium" weight="10.0"><version>RHEL-07-020600</version><title>The Red Hat Enterprise Linux operating system must be configured so that all local interactive users have a home directory assigned in the /etc/passwd file.</title><description>&lt;VulnDiscussion&gt;If local interactive users are not assigned a valid home directory, there is no place for the storage and control of files they should own.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000366</ident><fixtext fixref="F-78363r1_fix">Assign home directories to all local interactive users that currently do not have a home directory assigned.</fixtext><fix id="F-78363r1_fix" /><check system="C-72243r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify local interactive users on the system have a home directory assigned.
--
--Check for missing local interactive user home directories with the following command:
--
--# pwck -r
--user 'lp': directory '/var/spool/lpd' does not exist
--user 'news': directory '/var/spool/news' does not exist
--user 'uucp': directory '/var/spool/uucp' does not exist
--user 'smithj': directory '/home/smithj' does not exist
--
--Ask the System Administrator (SA) if any users found without home directories are local interactive users. If the SA is unable to provide a response, check for users with a User Identifier (UID) of 1000 or greater with the following command:
--
--# cut -d: -f 1,3 /etc/passwd | egrep ":[1-4][0-9]{2}$|:[0-9]{1,2}$"
--
--If any interactive users do not have a home directory assigned, this is a finding.</check-content></check></Rule></Group><Group id="V-72013"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86637r2_rule" severity="medium" weight="10.0"><version>RHEL-07-020610</version><title>The Red Hat Enterprise Linux operating system must be configured so that all local interactive user accounts, upon creation, are assigned a home directory.</title><description>&lt;VulnDiscussion&gt;If local interactive users are not assigned a valid home directory, there is no place for the storage and control of files they should own.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000366</ident><fixtext fixref="F-78365r1_fix">Configure the operating system to assign home directories to all new local interactive users by setting the "CREATE_HOME" parameter in "/etc/login.defs" to "yes" as follows.
-+If any files on the system do not have an assigned group, this is a finding.</check-content></check></Rule></Group><Group id="V-72013"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86637r2_rule" severity="medium" weight="10.0"><version>RHEL-07-020610</version><title>The Red Hat Enterprise Linux operating system must be configured so that all local interactive user accounts, upon creation, are assigned a home directory.</title><description>&lt;VulnDiscussion&gt;If local interactive users are not assigned a valid home directory, there is no place for the storage and control of files they should own.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000366</ident><fixtext fixref="F-78365r1_fix">Configure the operating system to assign home directories to all new local interactive users by setting the "CREATE_HOME" parameter in "/etc/login.defs" to "yes" as follows.
- 
- CREATE_HOME yes</fixtext><fix id="F-78365r1_fix" /><check system="C-72245r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify all local interactive users on the system are assigned a home directory upon creation.
- 
-@@ -1308,18 +1263,20 @@ Check to see if the system is configured to create home directories for local in
- # grep -i create_home /etc/login.defs
- CREATE_HOME yes
- 
--If the value for "CREATE_HOME" parameter is not set to "yes", the line is missing, or the line is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-72015"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86639r2_rule" severity="medium" weight="10.0"><version>RHEL-07-020620</version><title>The Red Hat Enterprise Linux operating system must be configured so that all local interactive user home directories are defined in the /etc/passwd file.</title><description>&lt;VulnDiscussion&gt;If a local interactive user has a home directory defined that does not exist, the user may be given access to the / directory as the current working directory upon logon. This could create a Denial of Service because the user would not be able to access their logon configuration files, and it may give them visibility to system files they normally would not be able to access.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000366</ident><fixtext fixref="F-78367r2_fix">Create home directories to all local interactive users that currently do not have a home directory assigned. Use the following commands to create the user home directory assigned in "/etc/ passwd":
-+If the value for "CREATE_HOME" parameter is not set to "yes", the line is missing, or the line is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-72015"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86639r3_rule" severity="medium" weight="10.0"><version>RHEL-07-020620</version><title>The Red Hat Enterprise Linux operating system must be configured so that all local interactive users have a home directory assigned and defined in the /etc/passwd file.</title><description>&lt;VulnDiscussion&gt;If local interactive users are not assigned a valid home directory, there is no place for the storage and control of files they should own.
-+
-+In addition, if a local interactive user has a home directory defined that does not exist, the user may be given access to the / directory as the current working directory upon logon. This could create a Denial of Service because the user would not be able to access their logon configuration files, and it may give them visibility to system files they normally would not be able to access.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000366</ident><fixtext fixref="F-78367r2_fix">Create home directories to all local interactive users that currently do not have a home directory assigned. Use the following commands to create the user home directory assigned in "/etc/ passwd":
- 
- Note: The example will be for the user smithj, who has a home directory of "/home/smithj", a UID of "smithj", and a Group Identifier (GID) of "users" assigned in "/etc/passwd".
- 
- # mkdir /home/smithj 
- # chown smithj /home/smithj
- # chgrp users /home/smithj
--# chmod 0750 /home/smithj</fixtext><fix id="F-78367r2_fix" /><check system="C-72247r2_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the assigned home directory of all local interactive users on the system exists.
-+# chmod 0750 /home/smithj</fixtext><fix id="F-78367r2_fix" /><check system="C-72247r3_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify local interactive users on the system have a home directory assigned and the directory exists.
- 
- Check the home directory assignment for all local interactive non-privileged users on the system with the following command:
- 
--# cut -d: -f 1,3,6 /etc/passwd | egrep ":[1-4][0-9]{3}"
-+# cut -d: -f 1,3,6 /etc/passwd | egrep ":[1-9][0-9]{3}"
- 
- smithj:1001:/home/smithj
- 
-@@ -1330,7 +1287,7 @@ Check that all referenced home directories exist with the following command:
- # pwck -r
- user 'smithj': directory '/home/smithj' does not exist
- 
--If any home directories referenced in "/etc/passwd" are returned as not defined, this is a finding.</check-content></check></Rule></Group><Group id="V-72017"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86641r3_rule" severity="medium" weight="10.0"><version>RHEL-07-020630</version><title>The Red Hat Enterprise Linux operating system must be configured so that all local interactive user home directories have mode 0750 or less permissive.</title><description>&lt;VulnDiscussion&gt;Excessive permissions on local interactive user home directories may allow unauthorized access to user files by other users.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000366</ident><fixtext fixref="F-78369r2_fix">Change the mode of interactive user's home directories to "0750". To change the mode of a local interactive user's home directory, use the following command:
-+If any home directories referenced in "/etc/passwd" are returned as not defined, or if any interactive users do not have a home directory assigned, this is a finding.</check-content></check></Rule></Group><Group id="V-72017"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86641r3_rule" severity="medium" weight="10.0"><version>RHEL-07-020630</version><title>The Red Hat Enterprise Linux operating system must be configured so that all local interactive user home directories have mode 0750 or less permissive.</title><description>&lt;VulnDiscussion&gt;Excessive permissions on local interactive user home directories may allow unauthorized access to user files by other users.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000366</ident><fixtext fixref="F-78369r2_fix">Change the mode of interactive user's home directories to "0750". To change the mode of a local interactive user's home directory, use the following command:
- 
- Note: The example will be for the user "smithj".
- 
-@@ -1830,13 +1787,13 @@ All= p+i+n+u+g+s+m+S+sha512+acl+xattrs+selinux
- /bin All # apply the custom rule to the files in bin 
- /sbin All # apply the same custom rule to the files in sbin 
- 
--If the "xattrs" rule is not being used on all uncommented selection lines in the "/etc/aide.conf" file, or extended attributes are not being checked by another file integrity tool, this is a finding.</check-content></check></Rule></Group><Group id="V-72073"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86697r3_rule" severity="medium" weight="10.0"><version>RHEL-07-021620</version><title>The Red Hat Enterprise Linux operating system must use a file integrity tool that is configured to use FIPS 140-2 approved cryptographic hashes for validating file contents and directories.</title><description>&lt;VulnDiscussion&gt;File integrity tools use cryptographic hashes for verifying file contents and directories have not been altered. These hashes must be FIPS 140-2 approved cryptographic hashes.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000366</ident><fixtext fixref="F-78425r2_fix">Configure the file integrity tool to use FIPS 140-2 cryptographic hashes for validating file and directory contents. 
-+If the "xattrs" rule is not being used on all uncommented selection lines in the "/etc/aide.conf" file, or extended attributes are not being checked by another file integrity tool, this is a finding.</check-content></check></Rule></Group><Group id="V-72073"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86697r4_rule" severity="medium" weight="10.0"><version>RHEL-07-021620</version><title>The Red Hat Enterprise Linux operating system must use a file integrity tool that is configured to use FIPS 140-2 approved cryptographic hashes for validating file contents and directories.</title><description>&lt;VulnDiscussion&gt;File integrity tools use cryptographic hashes for verifying file contents and directories have not been altered. These hashes must be FIPS 140-2 approved cryptographic hashes.
- 
--If AIDE is installed, ensure the "sha512" rule is present on all uncommented file and directory selection lists.</fixtext><fix id="F-78425r2_fix" /><check system="C-72305r4_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the file integrity tool is configured to use FIPS 140-2 approved cryptographic hashes for validating file contents and directories.
-+Red Hat Enterprise Linux operating system installation media ships with an optional file integrity tool called Advanced Intrusion Detection Environment (AIDE). AIDE is highly configurable at install time. This requirement assumes the "aide.conf" file is under the "/etc" directory.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000366</ident><fixtext fixref="F-78425r2_fix">Configure the file integrity tool to use FIPS 140-2 cryptographic hashes for validating file and directory contents. 
- 
--Note: If RHEL-07-021350 is a finding, this is automatically a finding too as the system cannot implement FIPS 140-2 approved cryptographic algorithms and hashes.
-+If AIDE is installed, ensure the "sha512" rule is present on all uncommented file and directory selection lists.</fixtext><fix id="F-78425r2_fix" /><check system="C-72305r5_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the file integrity tool is configured to use FIPS 140-2 approved cryptographic hashes for validating file contents and directories.
- 
--Check to see if Advanced Intrusion Detection Environment (AIDE) is installed on the system with the following command:
-+Check to see if AIDE is installed on the system with the following command:
- 
- # yum list installed aide
- 
-@@ -2067,560 +2024,606 @@ The audit daemon must be restarted for the changes to take effect.</fixtext><fix
- 
- If both the "b32" and "b64" audit rules for "SUID" files are not defined, this is a finding.
- 
--If both the "b32" and "b64" audit rules for "SGID" files are not defined, this is a finding.</check-content></check></Rule></Group><Group id="V-72097"><title>SRG-OS-000064-GPOS-00033</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86721r5_rule" severity="medium" weight="10.0"><version>RHEL-07-030370</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the chown syscall.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
-+If both the "b32" and "b64" audit rules for "SGID" files are not defined, this is a finding.</check-content></check></Rule></Group><Group id="V-72097"><title>SRG-OS-000064-GPOS-00033</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86721r6_rule" severity="medium" weight="10.0"><version>RHEL-07-030370</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the chown syscall.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
- 
- Audit records can be generated from various components within the information system (e.g., module or policy filter).
- 
--Satisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000474-GPOS-00219&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000126</ident><ident system="http://iase.disa.mil/cci">CCI-000172</ident><fixtext fixref="F-78449r8_fix">Add or update the following rule in "/etc/audit/rules.d/audit.rules":
-+When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
- 
---a always,exit -F arch=b32 -S chown -F auid&gt;=1000 -F auid!=4294967295 -k perm_mod
-+Satisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000474-GPOS-00219&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000126</ident><ident system="http://iase.disa.mil/cci">CCI-000172</ident><fixtext fixref="F-78449r9_fix">Add or update the following rule in "/etc/audit/rules.d/audit.rules":
- 
---a always,exit -F arch=b64 -S chown -F auid&gt;=1000 -F auid!=4294967295 -k perm_mod
-+-a always,exit -F arch=b32 -S chown -F auid&gt;=1000 -F auid!=unset -k perm_mod
- 
--The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-78449r8_fix" /><check system="C-72329r8_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system generates audit records when successful/unsuccessful attempts to use the "chown" syscall occur.
-+-a always,exit -F arch=b64 -S chown -F auid&gt;=1000 -F auid!=unset -k perm_mod
-+
-+The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-78449r9_fix" /><check system="C-72329r9_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system generates audit records when successful/unsuccessful attempts to use the "chown" syscall occur.
- 
- Check the file system rules in "/etc/audit/audit.rules" with the following commands:
- 
- # grep -iw chown /etc/audit/audit.rules
- 
---a always,exit -F arch=b32 -S chown -F auid&gt;=1000 -F auid!=4294967295 -k perm_mod
-+-a always,exit -F arch=b32 -S chown -F auid&gt;=1000 -F auid!=unset -k perm_mod
- 
---a always,exit -F arch=b64 -S chown -F auid&gt;=1000 -F auid!=4294967295 -k perm_mod
-+-a always,exit -F arch=b64 -S chown -F auid&gt;=1000 -F auid!=unset -k perm_mod
- 
--If both the "b32" and "b64" audit rules are not defined for the "chown" syscall, this is a finding.</check-content></check></Rule></Group><Group id="V-72099"><title>SRG-OS-000064-GPOS-00033</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86723r5_rule" severity="medium" weight="10.0"><version>RHEL-07-030380</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the fchown syscall.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
-+If both the "b32" and "b64" audit rules are not defined for the "chown" syscall, this is a finding.</check-content></check></Rule></Group><Group id="V-72099"><title>SRG-OS-000064-GPOS-00033</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86723r6_rule" severity="medium" weight="10.0"><version>RHEL-07-030380</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the fchown syscall.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
- 
- Audit records can be generated from various components within the information system (e.g., module or policy filter).
- 
--Satisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000474-GPOS-00219&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000126</ident><ident system="http://iase.disa.mil/cci">CCI-000172</ident><fixtext fixref="F-78451r8_fix">Add or update the following rules in "/etc/audit/rules.d/audit.rules":
-+When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
-+
-+Satisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000474-GPOS-00219&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000126</ident><ident system="http://iase.disa.mil/cci">CCI-000172</ident><fixtext fixref="F-78451r9_fix">Add or update the following rules in "/etc/audit/rules.d/audit.rules":
- 
---a always,exit -F arch=b32 -S fchown -F auid&gt;=1000 -F auid!=4294967295 -k perm_mod
-+-a always,exit -F arch=b32 -S fchown -F auid&gt;=1000 -F auid!=unset -k perm_mod
- 
---a always,exit -F arch=b64 -S fchown -F auid&gt;=1000 -F auid!=4294967295 -k perm_mod
-+-a always,exit -F arch=b64 -S fchown -F auid&gt;=1000 -F auid!=unset -k perm_mod
- 
--The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-78451r8_fix" /><check system="C-72331r9_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system generates audit records when successful/unsuccessful attempts to use the "fchown" syscall occur.
-+The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-78451r9_fix" /><check system="C-72331r10_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system generates audit records when successful/unsuccessful attempts to use the "fchown" syscall occur.
- 
- Check the file system rules in "/etc/audit/audit.rules" with the following commands:
- 
- # grep -iw fchown /etc/audit/audit.rules
- 
---a always,exit -F arch=b32 -S fchown -F auid&gt;=1000 -F auid!=4294967295 -k perm_mod
-+-a always,exit -F arch=b32 -S fchown -F auid&gt;=1000 -F auid!=unset -k perm_mod
- 
---a always,exit -F arch=b64 -S fchown -F auid&gt;=1000 -F auid!=4294967295 -k perm_mod
-+-a always,exit -F arch=b64 -S fchown -F auid&gt;=1000 -F auid!=unset -k perm_mod
- 
--If both the "b32" and "b64" audit rules are not defined for the "fchown" syscall, this is a finding.</check-content></check></Rule></Group><Group id="V-72101"><title>SRG-OS-000064-GPOS-00033</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86725r5_rule" severity="medium" weight="10.0"><version>RHEL-07-030390</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the lchown syscall.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
-+If both the "b32" and "b64" audit rules are not defined for the "fchown" syscall, this is a finding.</check-content></check></Rule></Group><Group id="V-72101"><title>SRG-OS-000064-GPOS-00033</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86725r6_rule" severity="medium" weight="10.0"><version>RHEL-07-030390</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the lchown syscall.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
- 
- Audit records can be generated from various components within the information system (e.g., module or policy filter).
- 
--Satisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000474-GPOS-00219&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000126</ident><ident system="http://iase.disa.mil/cci">CCI-000172</ident><fixtext fixref="F-78453r8_fix">Add or update the following rules in "/etc/audit/rules.d/audit.rules":
-+When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
- 
---a always,exit -F arch=b32 -S lchown -F auid&gt;=1000 -F auid!=4294967295 -k perm_mod
-+Satisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000474-GPOS-00219&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000126</ident><ident system="http://iase.disa.mil/cci">CCI-000172</ident><fixtext fixref="F-78453r9_fix">Add or update the following rules in "/etc/audit/rules.d/audit.rules":
- 
---a always,exit -F arch=b64 -S lchown -F auid&gt;=1000 -F auid!=4294967295 -k perm_mod
-+-a always,exit -F arch=b32 -S lchown -F auid&gt;=1000 -F auid!=unset -k perm_mod
- 
--The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-78453r8_fix" /><check system="C-72333r8_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system generates audit records when successful/unsuccessful attempts to use the "lchown" syscall occur.
-+-a always,exit -F arch=b64 -S lchown -F auid&gt;=1000 -F auid!=unset -k perm_mod
-+
-+The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-78453r9_fix" /><check system="C-72333r9_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system generates audit records when successful/unsuccessful attempts to use the "lchown" syscall occur.
- 
- Check the file system rules in "/etc/audit/audit.rules" with the following commands:
- 
- # grep -iw lchown /etc/audit/audit.rules
- 
---a always,exit -F arch=b32 -S lchown -F auid&gt;=1000 -F auid!=4294967295 -k perm_mod
-+-a always,exit -F arch=b32 -S lchown -F auid&gt;=1000 -F auid!=unset -k perm_mod
- 
---a always,exit -F arch=b64 -S lchown -F auid&gt;=1000 -F auid!=4294967295 -k perm_mod
-+-a always,exit -F arch=b64 -S lchown -F auid&gt;=1000 -F auid!=unset -k perm_mod
- 
--If both the "b32" and "b64" audit rules are not defined for the "lchown" syscall, this is a finding.</check-content></check></Rule></Group><Group id="V-72103"><title>SRG-OS-000064-GPOS-00033</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86727r5_rule" severity="medium" weight="10.0"><version>RHEL-07-030400</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the fchownat syscall.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
-+If both the "b32" and "b64" audit rules are not defined for the "lchown" syscall, this is a finding.</check-content></check></Rule></Group><Group id="V-72103"><title>SRG-OS-000064-GPOS-00033</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86727r6_rule" severity="medium" weight="10.0"><version>RHEL-07-030400</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the fchownat syscall.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
- 
- Audit records can be generated from various components within the information system (e.g., module or policy filter).
- 
--Satisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000474-GPOS-00219&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000126</ident><ident system="http://iase.disa.mil/cci">CCI-000172</ident><fixtext fixref="F-78455r7_fix">Add or update the following rules in "/etc/audit/rules.d/audit.rules":
-+When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
-+
-+Satisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000474-GPOS-00219&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000126</ident><ident system="http://iase.disa.mil/cci">CCI-000172</ident><fixtext fixref="F-78455r8_fix">Add or update the following rules in "/etc/audit/rules.d/audit.rules":
- 
---a always,exit -F arch=b32 -S fchownat -F auid&gt;=1000 -F auid!=4294967295 -k perm_mod
-+-a always,exit -F arch=b32 -S fchownat -F auid&gt;=1000 -F auid!=unset -k perm_mod
- 
---a always,exit -F arch=b64 -S fchownat -F auid&gt;=1000 -F auid!=4294967295 -k perm_mod
-+-a always,exit -F arch=b64 -S fchownat -F auid&gt;=1000 -F auid!=unset -k perm_mod
- 
--The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-78455r7_fix" /><check system="C-72335r8_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system generates audit records when successful/unsuccessful attempts to use the "fchownat" syscall occur.
-+The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-78455r8_fix" /><check system="C-72335r9_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system generates audit records when successful/unsuccessful attempts to use the "fchownat" syscall occur.
- 
- Check the file system rules in "/etc/audit/audit.rules" with the following commands:
- 
- # grep -iw fchownat /etc/audit/audit.rules
- 
---a always,exit -F arch=b32 -S fchownat -F auid&gt;=1000 -F auid!=4294967295 -k perm_mod
-+-a always,exit -F arch=b32 -S fchownat -F auid&gt;=1000 -F auid!=unset -k perm_mod
- 
---a always,exit -F arch=b64 -S fchownat -F auid&gt;=1000 -F auid!=4294967295 -k perm_mod
-+-a always,exit -F arch=b64 -S fchownat -F auid&gt;=1000 -F auid!=unset -k perm_mod
- 
--If both the "b32" and "b64" audit rules are not defined for the "fchownat" syscall, this is a finding.</check-content></check></Rule></Group><Group id="V-72105"><title>SRG-OS-000458-GPOS-00203</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86729r5_rule" severity="medium" weight="10.0"><version>RHEL-07-030410</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the chmod syscall.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
-+If both the "b32" and "b64" audit rules are not defined for the "fchownat" syscall, this is a finding.</check-content></check></Rule></Group><Group id="V-72105"><title>SRG-OS-000458-GPOS-00203</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86729r6_rule" severity="medium" weight="10.0"><version>RHEL-07-030410</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the chmod syscall.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
- 
- Audit records can be generated from various components within the information system (e.g., module or policy filter).
- 
--Satisfies: SRG-OS-000458-GPOS-00203, SRG-OS-000392-GPOS-00172, SRG-OS-000064-GPOS-00033&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000172</ident><fixtext fixref="F-78457r7_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "chmod" syscall occur.
-+When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
-+
-+Satisfies: SRG-OS-000458-GPOS-00203, SRG-OS-000392-GPOS-00172, SRG-OS-000064-GPOS-00033&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000172</ident><fixtext fixref="F-78457r8_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "chmod" syscall occur.
- 
- Add or update the following rules in "/etc/audit/rules.d/audit.rules":
- 
---a always,exit -F arch=b32 -S chmod -F auid&gt;=1000 -F auid!=4294967295 -k perm_mod
-+-a always,exit -F arch=b32 -S chmod -F auid&gt;=1000 -F auid!=unset -k perm_mod
- 
---a always,exit -F arch=b64 -S chmod -F auid&gt;=1000 -F auid!=4294967295 -k perm_mod
-+-a always,exit -F arch=b64 -S chmod -F auid&gt;=1000 -F auid!=unset -k perm_mod
- 
--The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-78457r7_fix" /><check system="C-72337r7_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system generates audit records when successful/unsuccessful attempts to use the "chmod" syscall occur.
-+The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-78457r8_fix" /><check system="C-72337r8_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system generates audit records when successful/unsuccessful attempts to use the "chmod" syscall occur.
- 
- Check the file system rules in "/etc/audit/audit.rules" with the following command:
- 
- # grep -iw chmod /etc/audit/audit.rules
- 
---a always,exit -F arch=b32 -S chmod -F auid&gt;=1000 -F auid!=4294967295 -k perm_mod
-+-a always,exit -F arch=b32 -S chmod -F auid&gt;=1000 -F auid!=unset -k perm_mod
- 
---a always,exit -F arch=b64 -S chmod -F auid&gt;=1000 -F auid!=4294967295 -k perm_mod
-+-a always,exit -F arch=b64 -S chmod -F auid&gt;=1000 -F auid!=unset -k perm_mod
- 
--If both the "b32" and "b64" audit rules are not defined for the "chmod" syscall, this is a finding.</check-content></check></Rule></Group><Group id="V-72107"><title>SRG-OS-000458-GPOS-00203</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86731r5_rule" severity="medium" weight="10.0"><version>RHEL-07-030420</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the fchmod syscall.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
-+If both the "b32" and "b64" audit rules are not defined for the "chmod" syscall, this is a finding.</check-content></check></Rule></Group><Group id="V-72107"><title>SRG-OS-000458-GPOS-00203</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86731r6_rule" severity="medium" weight="10.0"><version>RHEL-07-030420</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the fchmod syscall.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
- 
- Audit records can be generated from various components within the information system (e.g., module or policy filter).
- 
--Satisfies: SRG-OS-000458-GPOS-00203, SRG-OS-000392-GPOS-00172, SRG-OS-000064-GPOS-00033&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000172</ident><fixtext fixref="F-78459r9_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "fchmod" syscall occur.
-+When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
-+
-+Satisfies: SRG-OS-000458-GPOS-00203, SRG-OS-000392-GPOS-00172, SRG-OS-000064-GPOS-00033&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000172</ident><fixtext fixref="F-78459r10_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "fchmod" syscall occur.
- 
- Add or update the following rules in "/etc/audit/rules.d/audit.rules":
- 
---a always,exit -F arch=b32 -S fchmod -F auid&gt;=1000 -F auid!=4294967295 -k perm_mod
-+-a always,exit -F arch=b32 -S fchmod -F auid&gt;=1000 -F auid!=unset -k perm_mod
- 
---a always,exit -F arch=b64 -S fchmod -F auid&gt;=1000 -F auid!=4294967295 -k perm_mod
-+-a always,exit -F arch=b64 -S fchmod -F auid&gt;=1000 -F auid!=unset -k perm_mod
- 
- The audit daemon must be restarted for the changes to take effect.
--</fixtext><fix id="F-78459r9_fix" /><check system="C-72339r7_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system generates audit records when successful/unsuccessful attempts to use the "fchmod" syscall occur.
-+</fixtext><fix id="F-78459r10_fix" /><check system="C-72339r8_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system generates audit records when successful/unsuccessful attempts to use the "fchmod" syscall occur.
- 
- Check the file system rules in "/etc/audit/audit.rules" with the following command:
- 
- # grep -iw fchmod /etc/audit/audit.rules
- 
---a always,exit -F arch=b32 -S fchmod -F auid&gt;=1000 -F auid!=4294967295 -k perm_mod
-+-a always,exit -F arch=b32 -S fchmod -F auid&gt;=1000 -F auid!=unset -k perm_mod
- 
---a always,exit -F arch=b64 -S fchmod -F auid&gt;=1000 -F auid!=4294967295 -k perm_mod
-+-a always,exit -F arch=b64 -S fchmod -F auid&gt;=1000 -F auid!=unset -k perm_mod
- 
--If both the "b32" and "b64" audit rules are not defined for the "fchmod" syscall, this is a finding.</check-content></check></Rule></Group><Group id="V-72109"><title>SRG-OS-000458-GPOS-00203</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86733r5_rule" severity="medium" weight="10.0"><version>RHEL-07-030430</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the fchmodat syscall.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
-+If both the "b32" and "b64" audit rules are not defined for the "fchmod" syscall, this is a finding.</check-content></check></Rule></Group><Group id="V-72109"><title>SRG-OS-000458-GPOS-00203</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86733r6_rule" severity="medium" weight="10.0"><version>RHEL-07-030430</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the fchmodat syscall.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
- 
- Audit records can be generated from various components within the information system (e.g., module or policy filter).
- 
--Satisfies: SRG-OS-000458-GPOS-00203, SRG-OS-000392-GPOS-00172, SRG-OS-000064-GPOS-00033&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000172</ident><fixtext fixref="F-78461r8_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "fchmodat" syscall occur.
-+When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
-+
-+Satisfies: SRG-OS-000458-GPOS-00203, SRG-OS-000392-GPOS-00172, SRG-OS-000064-GPOS-00033&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000172</ident><fixtext fixref="F-78461r9_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "fchmodat" syscall occur.
- 
- Add or update the following rules in "/etc/audit/rules.d/audit.rules":
- 
---a always,exit -F arch=b32 -S fchmodat -F auid&gt;=1000 -F auid!=4294967295 -k perm_mod
-+-a always,exit -F arch=b32 -S fchmodat -F auid&gt;=1000 -F auid!=unset -k perm_mod
- 
---a always,exit -F arch=b64 -S fchmodat -F auid&gt;=1000 -F auid!=4294967295 -k perm_mod
-+-a always,exit -F arch=b64 -S fchmodat -F auid&gt;=1000 -F auid!=unset -k perm_mod
- 
--The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-78461r8_fix" /><check system="C-72341r8_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system generates audit records when successful/unsuccessful attempts to use the "fchmodat" syscall occur.
-+The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-78461r9_fix" /><check system="C-72341r9_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system generates audit records when successful/unsuccessful attempts to use the "fchmodat" syscall occur.
- 
- Check the file system rules in "/etc/audit/audit.rules" with the following command:
- 
- # grep -iw fchmodat /etc/audit/audit.rules
- 
---a always,exit -F arch=b32 -S fchmodat -F auid&gt;=1000 -F auid!=4294967295 -k perm_mod
-+-a always,exit -F arch=b32 -S fchmodat -F auid&gt;=1000 -F auid!=unset -k perm_mod
- 
---a always,exit -F arch=b64 -S fchmodat -F auid&gt;=1000 -F auid!=4294967295 -k perm_mod
-+-a always,exit -F arch=b64 -S fchmodat -F auid&gt;=1000 -F auid!=unset -k perm_mod
- 
--If both the "b32" and "b64" audit rules are not defined for the "fchmodat" syscall, this is a finding.</check-content></check></Rule></Group><Group id="V-72111"><title>SRG-OS-000458-GPOS-00203</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86735r5_rule" severity="medium" weight="10.0"><version>RHEL-07-030440</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the setxattr syscall.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
-+If both the "b32" and "b64" audit rules are not defined for the "fchmodat" syscall, this is a finding.</check-content></check></Rule></Group><Group id="V-72111"><title>SRG-OS-000458-GPOS-00203</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86735r6_rule" severity="medium" weight="10.0"><version>RHEL-07-030440</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the setxattr syscall.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
- 
- Audit records can be generated from various components within the information system (e.g., module or policy filter).
- 
--Satisfies: SRG-OS-000458-GPOS-00203, SRG-OS-000392-GPOS-00172, SRG-OS-000064-GPOS-00033&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000172</ident><fixtext fixref="F-78463r8_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "setxattr" syscall occur.
-+When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
-+
-+Satisfies: SRG-OS-000458-GPOS-00203, SRG-OS-000392-GPOS-00172, SRG-OS-000064-GPOS-00033&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000172</ident><fixtext fixref="F-78463r9_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "setxattr" syscall occur.
- 
- Add or update the following rules in "/etc/audit/rules.d/audit.rules":
- 
---a always,exit -F arch=b32 -S setxattr -F auid&gt;=1000 -F auid!=4294967295 -k perm_mod
-+-a always,exit -F arch=b32 -S setxattr -F auid&gt;=1000 -F auid!=unset -k perm_mod
- 
---a always,exit -F arch=b64 -S setxattr -F auid&gt;=1000 -F auid!=4294967295 -k perm_mod
-+-a always,exit -F arch=b64 -S setxattr -F auid&gt;=1000 -F auid!=unset -k perm_mod
- 
--The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-78463r8_fix" /><check system="C-72343r8_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system generates audit records when successful/unsuccessful attempts to use the "setxattr" syscall occur.
-+The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-78463r9_fix" /><check system="C-72343r9_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system generates audit records when successful/unsuccessful attempts to use the "setxattr" syscall occur.
- 
- Check the file system rules in "/etc/audit/audit.rules" with the following commands:
- 
- # grep -iw setxattr /etc/audit/audit.rules
- 
---a always,exit -F arch=b32 -S setxattr -F auid&gt;=1000 -F auid!=4294967295 -k perm_mod
-+-a always,exit -F arch=b32 -S setxattr -F auid&gt;=1000 -F auid!=unset -k perm_mod
- 
---a always,exit -F arch=b64 -S setxattr -F auid&gt;=1000 -F auid!=4294967295 -k perm_mod
-+-a always,exit -F arch=b64 -S setxattr -F auid&gt;=1000 -F auid!=unset -k perm_mod
- 
--If both the "b32" and "b64" audit rules are not defined for the "setxattr" syscall, this is a finding.</check-content></check></Rule></Group><Group id="V-72113"><title>SRG-OS-000458-GPOS-00203</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86737r5_rule" severity="medium" weight="10.0"><version>RHEL-07-030450</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the fsetxattr syscall.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
-+If both the "b32" and "b64" audit rules are not defined for the "setxattr" syscall, this is a finding.</check-content></check></Rule></Group><Group id="V-72113"><title>SRG-OS-000458-GPOS-00203</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86737r6_rule" severity="medium" weight="10.0"><version>RHEL-07-030450</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the fsetxattr syscall.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
- 
- Audit records can be generated from various components within the information system (e.g., module or policy filter).
- 
--Satisfies: SRG-OS-000458-GPOS-00203, SRG-OS-000392-GPOS-00172, SRG-OS-000064-GPOS-00033&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000172</ident><fixtext fixref="F-78465r7_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "fsetxattr" syscall occur.
-+When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
-+
-+Satisfies: SRG-OS-000458-GPOS-00203, SRG-OS-000392-GPOS-00172, SRG-OS-000064-GPOS-00033&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000172</ident><fixtext fixref="F-78465r8_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "fsetxattr" syscall occur.
- 
- Add or update the following rules in "/etc/audit/rules.d/audit.rules":
- 
---a always,exit -F arch=b32 -S fsetxattr -F auid&gt;=1000 -F auid!=4294967295 -k perm_mod
-+-a always,exit -F arch=b32 -S fsetxattr -F auid&gt;=1000 -F auid!=unset -k perm_mod
- 
---a always,exit -F arch=b64 -S fsetxattr -F auid&gt;=1000 -F auid!=4294967295 -k perm_mod
-+-a always,exit -F arch=b64 -S fsetxattr -F auid&gt;=1000 -F auid!=unset -k perm_mod
- 
--The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-78465r7_fix" /><check system="C-72345r7_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system generates audit records when successful/unsuccessful attempts to use the "fsetxattr" syscall occur.
-+The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-78465r8_fix" /><check system="C-72345r8_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system generates audit records when successful/unsuccessful attempts to use the "fsetxattr" syscall occur.
- 
- Check the file system rules in "/etc/audit/audit.rules" with the following commands:
- 
- # grep -iw fsetxattr /etc/audit/audit.rules
- 
---a always,exit -F arch=b32 -S fsetxattr -F auid&gt;=1000 -F auid!=4294967295 -k perm_mod
-+-a always,exit -F arch=b32 -S fsetxattr -F auid&gt;=1000 -F auid!=unset -k perm_mod
- 
---a always,exit -F arch=b64 -S fsetxattr -F auid&gt;=1000 -F auid!=4294967295 -k perm_mod
-+-a always,exit -F arch=b64 -S fsetxattr -F auid&gt;=1000 -F auid!=unset -k perm_mod
- 
--If both the "b32" and "b64" audit rules are not defined for the "fsetxattr" syscall, this is a finding.</check-content></check></Rule></Group><Group id="V-72115"><title>SRG-OS-000458-GPOS-00203</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86739r5_rule" severity="medium" weight="10.0"><version>RHEL-07-030460</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the lsetxattr syscall.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
-+If both the "b32" and "b64" audit rules are not defined for the "fsetxattr" syscall, this is a finding.</check-content></check></Rule></Group><Group id="V-72115"><title>SRG-OS-000458-GPOS-00203</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86739r6_rule" severity="medium" weight="10.0"><version>RHEL-07-030460</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the lsetxattr syscall.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
- 
- Audit records can be generated from various components within the information system (e.g., module or policy filter).
- 
--Satisfies: SRG-OS-000458-GPOS-00203, SRG-OS-000392-GPOS-00172, SRG-OS-000064-GPOS-00033&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000172</ident><fixtext fixref="F-78467r10_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "lsetxattr" syscall occur.
-+When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
-+
-+Satisfies: SRG-OS-000458-GPOS-00203, SRG-OS-000392-GPOS-00172, SRG-OS-000064-GPOS-00033&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000172</ident><fixtext fixref="F-78467r11_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "lsetxattr" syscall occur.
- 
- Add or update the following rules in "/etc/audit/rules.d/audit.rules":
- 
---a always,exit -F arch=b32 -S lsetxattr -F auid&gt;=1000 -F auid!=4294967295 -k perm_mod
-+-a always,exit -F arch=b32 -S lsetxattr -F auid&gt;=1000 -F auid!=unset -k perm_mod
- 
---a always,exit -F arch=b64 -S lsetxattr -F auid&gt;=1000 -F auid!=4294967295 -k perm_mod
-+-a always,exit -F arch=b64 -S lsetxattr -F auid&gt;=1000 -F auid!=unset -k perm_mod
- 
--The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-78467r10_fix" /><check system="C-72347r7_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system generates audit records when successful/unsuccessful attempts to use the "lsetxattr" syscall occur.
-+The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-78467r11_fix" /><check system="C-72347r8_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system generates audit records when successful/unsuccessful attempts to use the "lsetxattr" syscall occur.
- 
- Check the file system rules in "/etc/audit/audit.rules" with the following commands:
- 
- # grep -iw lsetxattr /etc/audit/audit.rules
- 
---a always,exit -F arch=b32 -S lsetxattr -F auid&gt;=1000 -F auid!=4294967295 -k perm_mod
-+-a always,exit -F arch=b32 -S lsetxattr -F auid&gt;=1000 -F auid!=unset -k perm_mod
- 
---a always,exit -F arch=b64 -S lsetxattr -F auid&gt;=1000 -F auid!=4294967295 -k perm_mod
-+-a always,exit -F arch=b64 -S lsetxattr -F auid&gt;=1000 -F auid!=unset -k perm_mod
- 
--If both the "b32" and "b64" audit rules are not defined for the "lsetxattr" syscall, this is a finding.</check-content></check></Rule></Group><Group id="V-72117"><title>SRG-OS-000458-GPOS-00203</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86741r5_rule" severity="medium" weight="10.0"><version>RHEL-07-030470</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the removexattr syscall.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
-+If both the "b32" and "b64" audit rules are not defined for the "lsetxattr" syscall, this is a finding.</check-content></check></Rule></Group><Group id="V-72117"><title>SRG-OS-000458-GPOS-00203</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86741r6_rule" severity="medium" weight="10.0"><version>RHEL-07-030470</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the removexattr syscall.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
- 
- Audit records can be generated from various components within the information system (e.g., module or policy filter).
- 
--Satisfies: SRG-OS-000458-GPOS-00203, SRG-OS-000392-GPOS-00172, SRG-OS-000064-GPOS-00033&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000172</ident><fixtext fixref="F-78469r7_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "removexattr" syscall occur.
-+When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
-+
-+Satisfies: SRG-OS-000458-GPOS-00203, SRG-OS-000392-GPOS-00172, SRG-OS-000064-GPOS-00033&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000172</ident><fixtext fixref="F-78469r8_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "removexattr" syscall occur.
- 
- Add or update the following rules in "/etc/audit/rules.d/audit.rules":
- 
---a always,exit -F arch=b32 -S removexattr -F auid&gt;=1000 -F auid!=4294967295 -k perm_mod
-+-a always,exit -F arch=b32 -S removexattr -F auid&gt;=1000 -F auid!=unset -k perm_mod
- 
---a always,exit -F arch=b64 -S removexattr -F auid&gt;=1000 -F auid!=4294967295 -k perm_mod
-+-a always,exit -F arch=b64 -S removexattr -F auid&gt;=1000 -F auid!=unset -k perm_mod
- 
--The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-78469r7_fix" /><check system="C-72349r7_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system generates audit records when successful/unsuccessful attempts to use the "removexattr" syscall occur.
-+The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-78469r8_fix" /><check system="C-72349r8_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system generates audit records when successful/unsuccessful attempts to use the "removexattr" syscall occur.
- 
- Check the file system rules in "/etc/audit/audit.rules" with the following commands:
- 
- # grep -iw removexattr /etc/audit/audit.rules
- 
---a always,exit -F arch=b32 -S removexattr -F auid&gt;=1000 -F auid!=4294967295 -k perm_mod
-+-a always,exit -F arch=b32 -S removexattr -F auid&gt;=1000 -F auid!=unset -k perm_mod
- 
---a always,exit -F arch=b64 -S removexattr -F auid&gt;=1000 -F auid!=4294967295 -k perm_mod
-+-a always,exit -F arch=b64 -S removexattr -F auid&gt;=1000 -F auid!=unset -k perm_mod
- 
--If both the "b32" and "b64" audit rules are not defined for the "removexattr" syscall, this is a finding.</check-content></check></Rule></Group><Group id="V-72119"><title>SRG-OS-000458-GPOS-00203</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86743r5_rule" severity="medium" weight="10.0"><version>RHEL-07-030480</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the fremovexattr syscall.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
-+If both the "b32" and "b64" audit rules are not defined for the "removexattr" syscall, this is a finding.</check-content></check></Rule></Group><Group id="V-72119"><title>SRG-OS-000458-GPOS-00203</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86743r6_rule" severity="medium" weight="10.0"><version>RHEL-07-030480</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the fremovexattr syscall.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
- 
- Audit records can be generated from various components within the information system (e.g., module or policy filter).
- 
--Satisfies: SRG-OS-000458-GPOS-00203, SRG-OS-000392-GPOS-00172, SRG-OS-000064-GPOS-00033&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000172</ident><fixtext fixref="F-78471r6_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "fremovexattr" syscall occur.
-+When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
-+
-+Satisfies: SRG-OS-000458-GPOS-00203, SRG-OS-000392-GPOS-00172, SRG-OS-000064-GPOS-00033&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000172</ident><fixtext fixref="F-78471r7_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "fremovexattr" syscall occur.
- 
- Add or update the following rules in "/etc/audit/rules.d/audit.rules":
- 
---a always,exit -F arch=b32 -S fremovexattr -F auid&gt;=1000 -F auid!=4294967295 -k perm_mod
-+-a always,exit -F arch=b32 -S fremovexattr -F auid&gt;=1000 -F auid!=unset -k perm_mod
- 
---a always,exit -F arch=b64 -S fremovexattr -F auid&gt;=1000 -F auid!=4294967295 -k perm_mod
-+-a always,exit -F arch=b64 -S fremovexattr -F auid&gt;=1000 -F auid!=unset -k perm_mod
- 
--The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-78471r6_fix" /><check system="C-72351r6_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system generates audit records when successful/unsuccessful attempts to use the "fremovexattr" syscall occur.
-+The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-78471r7_fix" /><check system="C-72351r7_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system generates audit records when successful/unsuccessful attempts to use the "fremovexattr" syscall occur.
- 
- Check the file system rules in "/etc/audit/audit.rules" with the following commands:
- 
- # grep -iw fremovexattr /etc/audit/audit.rules
- 
---a always,exit -F arch=b32 -S fremovexattr -F auid&gt;=1000 -F auid!=4294967295 -k perm_mod
-+-a always,exit -F arch=b32 -S fremovexattr -F auid&gt;=1000 -F auid!=unset -k perm_mod
- 
---a always,exit -F arch=b64 -S fremovexattr -F auid&gt;=1000 -F auid!=4294967295 -k perm_mod
-+-a always,exit -F arch=b64 -S fremovexattr -F auid&gt;=1000 -F auid!=unset -k perm_mod
- 
--If both the "b32" and "b64" audit rules are not defined for the "fremovexattr" syscall, this is a finding.</check-content></check></Rule></Group><Group id="V-72121"><title>SRG-OS-000458-GPOS-00203</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86745r5_rule" severity="medium" weight="10.0"><version>RHEL-07-030490</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the lremovexattr syscall.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
-+If both the "b32" and "b64" audit rules are not defined for the "fremovexattr" syscall, this is a finding.</check-content></check></Rule></Group><Group id="V-72121"><title>SRG-OS-000458-GPOS-00203</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86745r6_rule" severity="medium" weight="10.0"><version>RHEL-07-030490</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the lremovexattr syscall.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
- 
- Audit records can be generated from various components within the information system (e.g., module or policy filter).
- 
--Satisfies: SRG-OS-000458-GPOS-00203, SRG-OS-000392-GPOS-00172, SRG-OS-000064-GPOS-00033&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000172</ident><fixtext fixref="F-78473r7_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "lremovexattr" syscall occur.
-+When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
-+
-+Satisfies: SRG-OS-000458-GPOS-00203, SRG-OS-000392-GPOS-00172, SRG-OS-000064-GPOS-00033&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000172</ident><fixtext fixref="F-78473r8_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "lremovexattr" syscall occur.
- 
- Add or update the following rules in "/etc/audit/rules.d/audit.rules":
- 
---a always,exit -F arch=b32 -S lremovexattr -F auid&gt;=1000 -F auid!=4294967295 -k perm_mod
-+-a always,exit -F arch=b32 -S lremovexattr -F auid&gt;=1000 -F auid!=unset -k perm_mod
- 
---a always,exit -F arch=b64 -S lremovexattr -F auid&gt;=1000 -F auid!=4294967295 -k perm_mod
-+-a always,exit -F arch=b64 -S lremovexattr -F auid&gt;=1000 -F auid!=unset -k perm_mod
- 
--The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-78473r7_fix" /><check system="C-72353r7_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system generates audit records when successful/unsuccessful attempts to use the "lremovexattr" syscall occur.
-+The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-78473r8_fix" /><check system="C-72353r8_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system generates audit records when successful/unsuccessful attempts to use the "lremovexattr" syscall occur.
- 
- Check the file system rules in "/etc/audit/audit.rules" with the following commands:
- 
- # grep -iw lremovexattr /etc/audit/audit.rules
- 
---a always,exit -F arch=b32 -S lremovexattr -F auid&gt;=1000 -F auid!=4294967295 -k perm_mod
-+-a always,exit -F arch=b32 -S lremovexattr -F auid&gt;=1000 -F auid!=unset -k perm_mod
- 
---a always,exit -F arch=b64 -S lremovexattr -F auid&gt;=1000 -F auid!=4294967295 -k perm_mod
-+-a always,exit -F arch=b64 -S lremovexattr -F auid&gt;=1000 -F auid!=unset -k perm_mod
- 
--If both the "b32" and "b64" audit rules are not defined for the "lremovexattr" syscall, this is a finding.</check-content></check></Rule></Group><Group id="V-72123"><title>SRG-OS-000064-GPOS-00033</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86747r5_rule" severity="medium" weight="10.0"><version>RHEL-07-030500</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the creat syscall.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
-+If both the "b32" and "b64" audit rules are not defined for the "lremovexattr" syscall, this is a finding.</check-content></check></Rule></Group><Group id="V-72123"><title>SRG-OS-000064-GPOS-00033</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86747r6_rule" severity="medium" weight="10.0"><version>RHEL-07-030500</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the creat syscall.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
- 
- Audit records can be generated from various components within the information system (e.g., module or policy filter).
- 
--Satisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000392-GPOS-00172&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000172</ident><ident system="http://iase.disa.mil/cci">CCI-002884</ident><fixtext fixref="F-78475r7_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "creat" syscall occur.
-+When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
-+
-+Satisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000392-GPOS-00172&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000172</ident><ident system="http://iase.disa.mil/cci">CCI-002884</ident><fixtext fixref="F-78475r8_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "creat" syscall occur.
- 
- Add or update the following rules in "/etc/audit/rules.d/audit.rules:
- 
---a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid&gt;=1000 -F auid!=4294967295 -k access
-+-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -k access
- 
---a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid&gt;=1000 -F auid!=4294967295 -k access
-+-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -k access
- 
---a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid&gt;=1000 -F auid!=4294967295 -k access
-+-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -k access
- 
---a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid&gt;=1000 -F auid!=4294967295 -k access
-+-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -k access
- 
--The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-78475r7_fix" /><check system="C-72355r7_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system generates audit records when successful/unsuccessful attempts to use the "creat" syscall occur.
-+The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-78475r8_fix" /><check system="C-72355r8_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system generates audit records when successful/unsuccessful attempts to use the "creat" syscall occur.
- 
- Check the file system rules in "/etc/audit/audit.rules" with the following commands:
- 
- # grep -iw creat /etc/audit/audit.rules
- 
---a always,exit -F arch=b32 -S creat F exit=-EPERM -F auid&gt;=1000 -F auid!=4294967295 -k access
-+-a always,exit -F arch=b32 -S creat F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -k access
- 
---a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid&gt;=1000 -F auid!=4294967295 -k access
-+-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -k access
- 
---a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid&gt;=1000 -F auid!=4294967295 -k access
-+-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -k access
- 
---a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid&gt;=1000 -F auid!=4294967295 -k access
-+-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -k access
- 
- If both the "b32" and "b64" audit rules are not defined for the "creat" syscall, this is a finding.
- 
- If the output does not produce rules containing "-F exit=-EPERM", this is a finding.
- 
--If the output does not produce rules containing "-F exit=-EACCES", this is a finding.</check-content></check></Rule></Group><Group id="V-72125"><title>SRG-OS-000064-GPOS-00033</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86749r5_rule" severity="medium" weight="10.0"><version>RHEL-07-030510</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the open syscall.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
-+If the output does not produce rules containing "-F exit=-EACCES", this is a finding.</check-content></check></Rule></Group><Group id="V-72125"><title>SRG-OS-000064-GPOS-00033</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86749r6_rule" severity="medium" weight="10.0"><version>RHEL-07-030510</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the open syscall.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
- 
- Audit records can be generated from various components within the information system (e.g., module or policy filter).
- 
--Satisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000392-GPOS-00172&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000172</ident><ident system="http://iase.disa.mil/cci">CCI-002884</ident><fixtext fixref="F-78477r7_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "open" syscall occur.
-+When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
-+
-+Satisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000392-GPOS-00172&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000172</ident><ident system="http://iase.disa.mil/cci">CCI-002884</ident><fixtext fixref="F-78477r8_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "open" syscall occur.
- 
- Add or update the following rules in "/etc/audit/rules.d/audit.rules":
- 
---a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid&gt;=1000 -F auid!=4294967295 -k access
-+-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -k access
- 
---a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid&gt;=1000 -F auid!=4294967295 -k access
-+-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -k access
- 
---a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid&gt;=1000 -F auid!=4294967295 -k access
-+-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -k access
- 
---a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid&gt;=1000 -F auid!=4294967295 -k access
-+-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -k access
- 
--The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-78477r7_fix" /><check system="C-72357r7_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system generates audit records when successful/unsuccessful attempts to use the "open" syscall occur.
-+The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-78477r8_fix" /><check system="C-72357r8_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system generates audit records when successful/unsuccessful attempts to use the "open" syscall occur.
- 
- Check the file system rules in "/etc/audit/audit.rules" with the following commands:
- 
- # grep -iw open /etc/audit/audit.rules
- 
---a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid&gt;=1000 -F auid!=4294967295 -k access
-+-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -k access
- 
---a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid&gt;=1000 -F auid!=4294967295 -k access
-+-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -k access
- 
---a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid&gt;=1000 -F auid!=4294967295 -k access
-+-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -k access
- 
---a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid&gt;=1000 -F auid!=4294967295 -k access
-+-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -k access
- 
- If both the "b32" and "b64" audit rules are not defined for the "open" syscall, this is a finding.
- 
- If the output does not produce rules containing "-F exit=-EPERM", this is a finding.
- 
--If the output does not produce rules containing "-F exit=-EACCES", this is a finding.</check-content></check></Rule></Group><Group id="V-72127"><title>SRG-OS-000064-GPOS-00033</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86751r5_rule" severity="medium" weight="10.0"><version>RHEL-07-030520</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the openat syscall.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
-+If the output does not produce rules containing "-F exit=-EACCES", this is a finding.</check-content></check></Rule></Group><Group id="V-72127"><title>SRG-OS-000064-GPOS-00033</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86751r6_rule" severity="medium" weight="10.0"><version>RHEL-07-030520</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the openat syscall.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
- 
- Audit records can be generated from various components within the information system (e.g., module or policy filter).
- 
--Satisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000392-GPOS-00172&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000172</ident><ident system="http://iase.disa.mil/cci">CCI-002884</ident><fixtext fixref="F-78479r8_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "openat" syscall occur.
-+When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
-+
-+Satisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000392-GPOS-00172&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000172</ident><ident system="http://iase.disa.mil/cci">CCI-002884</ident><fixtext fixref="F-78479r9_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "openat" syscall occur.
- 
- Add or update the following rules in "/etc/audit/rules.d/audit.rules":
- 
---a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid&gt;=1000 -F auid!=4294967295 -k access
-+-a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -k access
- 
---a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid&gt;=1000 -F auid!=4294967295 -k access
-+-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -k access
- 
---a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid&gt;=1000 -F auid!=4294967295 -k access
-+-a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -k access
- 
---a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid&gt;=1000 -F auid!=4294967295 -k access
-+-a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -k access
- 
--The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-78479r8_fix" /><check system="C-72359r8_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system generates audit records when successful/unsuccessful attempts to use the "openat" syscall occur.
-+The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-78479r9_fix" /><check system="C-72359r9_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system generates audit records when successful/unsuccessful attempts to use the "openat" syscall occur.
- 
- Check the file system rules in "/etc/audit/audit.rules" with the following commands:
- 
- # grep -iw openat /etc/audit/audit.rules
- 
---a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid&gt;=1000 -F auid!=4294967295 -k access
-+-a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -k access
- 
---a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid&gt;=1000 -F auid!=4294967295 -k access
-+-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -k access
- 
---a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid&gt;=1000 -F auid!=4294967295 -k access
-+-a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -k access
- 
---a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid&gt;=1000 -F auid!=4294967295 -k access
-+-a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -k access
- 
- If both the "b32" and "b64" audit rules are not defined for the "openat" syscall, this is a finding.
- 
- If the output does not produce rules containing "-F exit=-EPERM", this is a finding.
- 
--If the output does not produce rules containing "-F exit=-EACCES", this is a finding.</check-content></check></Rule></Group><Group id="V-72129"><title>SRG-OS-000064-GPOS-00033</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86753r5_rule" severity="medium" weight="10.0"><version>RHEL-07-030530</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the open_by_handle_at syscall.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
-+If the output does not produce rules containing "-F exit=-EACCES", this is a finding.</check-content></check></Rule></Group><Group id="V-72129"><title>SRG-OS-000064-GPOS-00033</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86753r6_rule" severity="medium" weight="10.0"><version>RHEL-07-030530</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the open_by_handle_at syscall.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
- 
- Audit records can be generated from various components within the information system (e.g., module or policy filter).
- 
--Satisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000392-GPOS-00172&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000172</ident><ident system="http://iase.disa.mil/cci">CCI-002884</ident><fixtext fixref="F-78481r8_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "open_by_handle_at" syscall occur.
-+When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
-+
-+Satisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000392-GPOS-00172&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000172</ident><ident system="http://iase.disa.mil/cci">CCI-002884</ident><fixtext fixref="F-78481r9_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "open_by_handle_at" syscall occur.
- 
- Add or update the following rules in "/etc/audit/rules.d/audit.rules":
- 
---a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid&gt;=1000 -F auid!=4294967295 -k access
-+-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -k access
- 
---a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid&gt;=1000 -F auid!=4294967295 -k access
-+-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -k access
- 
---a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid&gt;=1000 -F auid!=4294967295 -k access
-+-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -k access
- 
---a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid&gt;=1000 -F auid!=4294967295 -k access
-+-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -k access
- 
--The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-78481r8_fix" /><check system="C-72361r7_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system generates audit records when successful/unsuccessful attempts to use the "open_by_handle_at" syscall occur.
-+The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-78481r9_fix" /><check system="C-72361r8_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system generates audit records when successful/unsuccessful attempts to use the "open_by_handle_at" syscall occur.
- 
- Check the file system rules in "/etc/audit/audit.rules" with the following commands:
- 
- # grep -iw open_by_handle_at /etc/audit/audit.rules
- 
---a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid&gt;=1000 -F auid!=4294967295 -k access
-+-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -k access
- 
---a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid&gt;=1000 -F auid!=4294967295 -k access
-+-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -k access
- 
---a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid&gt;=1000 -F auid!=4294967295 -k access
-+-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -k access
- 
---a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid&gt;=1000 -F auid!=4294967295 -k access
-+-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -k access
- 
- If both the "b32" and "b64" audit rules are not defined for the "open_by_handle_at" syscall, this is a finding.
- 
- If the output does not produce rules containing "-F exit=-EPERM", this is a finding.
- 
--If the output does not produce rules containing "-F exit=-EACCES", this is a finding.</check-content></check></Rule></Group><Group id="V-72131"><title>SRG-OS-000064-GPOS-00033</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86755r5_rule" severity="medium" weight="10.0"><version>RHEL-07-030540</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the truncate syscall.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
-+If the output does not produce rules containing "-F exit=-EACCES", this is a finding.</check-content></check></Rule></Group><Group id="V-72131"><title>SRG-OS-000064-GPOS-00033</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86755r6_rule" severity="medium" weight="10.0"><version>RHEL-07-030540</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the truncate syscall.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
- 
- Audit records can be generated from various components within the information system (e.g., module or policy filter).
- 
--Satisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000392-GPOS-00172&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000172</ident><ident system="http://iase.disa.mil/cci">CCI-002884</ident><fixtext fixref="F-78483r7_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "truncate" syscall occur.
-+When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
-+
-+Satisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000392-GPOS-00172&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000172</ident><ident system="http://iase.disa.mil/cci">CCI-002884</ident><fixtext fixref="F-78483r8_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "truncate" syscall occur.
- 
- Add or update the following rules in "/etc/audit/rules.d/audit.rules":
- 
---a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid&gt;=1000 -F auid!=4294967295 -k access
-+-a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -k access
- 
---a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid&gt;=1000 -F auid!=4294967295 -k access
-+-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -k access
- 
---a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid&gt;=1000 -F auid!=4294967295 -k access
-+-a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -k access
- 
---a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid&gt;=1000 -F auid!=4294967295 -k access
-+-a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -k access
- 
--The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-78483r7_fix" /><check system="C-72363r6_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system generates audit records when successful/unsuccessful attempts to use the "truncate" syscall occur.
-+The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-78483r8_fix" /><check system="C-72363r7_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system generates audit records when successful/unsuccessful attempts to use the "truncate" syscall occur.
- 
- Check the file system rules in "/etc/audit/audit.rules" with the following commands:
- 
- # grep -iw truncate /etc/audit/audit.rules
- 
---a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid&gt;=1000 -F auid!=4294967295 -k access
-+-a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -k access
- 
---a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid&gt;=1000 -F auid!=4294967295 -k access
-+-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -k access
- 
---a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid&gt;=1000 -F auid!=4294967295 -k access
-+-a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -k access
- 
---a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid&gt;=1000 -F auid!=4294967295 -k access
-+-a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -k access
- 
- If both the "b32" and "b64" audit rules are not defined for the "truncate" syscall, this is a finding.
- 
- If the output does not produce rules containing "-F exit=-EPERM", this is a finding.
- 
--If the output does not produce rules containing "-F exit=-EACCES", this is a finding.</check-content></check></Rule></Group><Group id="V-72133"><title>SRG-OS-000064-GPOS-00033</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86757r5_rule" severity="medium" weight="10.0"><version>RHEL-07-030550</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the ftruncate syscall.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
-+If the output does not produce rules containing "-F exit=-EACCES", this is a finding.</check-content></check></Rule></Group><Group id="V-72133"><title>SRG-OS-000064-GPOS-00033</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86757r6_rule" severity="medium" weight="10.0"><version>RHEL-07-030550</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the ftruncate syscall.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
- 
- Audit records can be generated from various components within the information system (e.g., module or policy filter).
- 
--Satisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000392-GPOS-00172&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000172</ident><ident system="http://iase.disa.mil/cci">CCI-002884</ident><fixtext fixref="F-78485r8_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "ftruncate" syscall occur.
-+When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
-+
-+Satisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000392-GPOS-00172&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000172</ident><ident system="http://iase.disa.mil/cci">CCI-002884</ident><fixtext fixref="F-78485r9_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "ftruncate" syscall occur.
- 
- Add or update the following rules in "/etc/audit/rules.d/audit.rules":
- 
---a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid&gt;=1000 -F auid!=4294967295 -k access
-+-a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -k access
- 
---a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid&gt;=1000 -F auid!=4294967295 -k access
-+-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -k access
- 
---a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid&gt;=1000 -F auid!=4294967295 -k access
-+-a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -k access
- 
---a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid&gt;=1000 -F auid!=4294967295 -k access
-+-a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -k access
- 
--The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-78485r8_fix" /><check system="C-72365r7_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system generates audit records when successful/unsuccessful attempts to use the "ftruncate" syscall occur.
-+The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-78485r9_fix" /><check system="C-72365r8_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system generates audit records when successful/unsuccessful attempts to use the "ftruncate" syscall occur.
- 
- Check the file system rules in "/etc/audit/audit.rules" with the following commands:
- 
- # grep -iw ftruncate /etc/audit/audit.rules
- 
---a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid&gt;=1000 -F auid!=4294967295 -k access
-+-a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -k access
- 
---a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid&gt;=1000 -F auid!=4294967295 -k access
-+-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -k access
- 
---a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid&gt;=1000 -F auid!=4294967295 -k access
-+-a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -k access
- 
---a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid&gt;=1000 -F auid!=4294967295 -k access
-+-a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -k access
- 
- If both the "b32" and "b64" audit rules are not defined for the "ftruncate" syscall, this is a finding.
- 
- If the output does not produce rules containing "-F exit=-EPERM", this is a finding.
- 
--If the output does not produce rules containing "-F exit=-EACCES", this is a finding.</check-content></check></Rule></Group><Group id="V-72135"><title>SRG-OS-000392-GPOS-00172</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86759r4_rule" severity="medium" weight="10.0"><version>RHEL-07-030560</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the semanage command.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
-+If the output does not produce rules containing "-F exit=-EACCES", this is a finding.</check-content></check></Rule></Group><Group id="V-72135"><title>SRG-OS-000392-GPOS-00172</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86759r5_rule" severity="medium" weight="10.0"><version>RHEL-07-030560</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the semanage command.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
- 
- Audit records can be generated from various components within the information system (e.g., module or policy filter).
- 
--Satisfies: SRG-OS-000392-GPOS-00172, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000172</ident><ident system="http://iase.disa.mil/cci">CCI-002884</ident><fixtext fixref="F-78487r5_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "semanage" command occur.
-+When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
-+
-+Satisfies: SRG-OS-000392-GPOS-00172, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000172</ident><ident system="http://iase.disa.mil/cci">CCI-002884</ident><fixtext fixref="F-78487r6_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "semanage" command occur.
- 
- Add or update the following rule in "/etc/audit/rules.d/audit.rules":
- 
---a always,exit -F path=/usr/sbin/semanage -F auid&gt;=1000 -F auid!=4294967295 -k privileged-priv_change
-+-a always,exit -F path=/usr/sbin/semanage -F auid&gt;=1000 -F auid!=unset -k privileged-priv_change
- 
--The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-78487r5_fix" /><check system="C-72367r6_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system generates audit records when successful/unsuccessful attempts to use the "semanage" command occur.
-+The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-78487r6_fix" /><check system="C-72367r7_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system generates audit records when successful/unsuccessful attempts to use the "semanage" command occur.
- 
- Check the file system rule in "/etc/audit/audit.rules" with the following command:
- 
- # grep -i /usr/sbin/semanage /etc/audit/audit.rules
- 
---a always,exit -F path=/usr/sbin/semanage -F auid&gt;=1000 -F auid!=4294967295 -k privileged-priv_change
-+-a always,exit -F path=/usr/sbin/semanage -F auid&gt;=1000 -F auid!=unset -k privileged-priv_change
- 
--If the command does not return any output, this is a finding.</check-content></check></Rule></Group><Group id="V-72137"><title>SRG-OS-000392-GPOS-00172</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86761r4_rule" severity="medium" weight="10.0"><version>RHEL-07-030570</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the setsebool command.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
-+If the command does not return any output, this is a finding.</check-content></check></Rule></Group><Group id="V-72137"><title>SRG-OS-000392-GPOS-00172</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86761r5_rule" severity="medium" weight="10.0"><version>RHEL-07-030570</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the setsebool command.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
- 
- Audit records can be generated from various components within the information system (e.g., module or policy filter).
- 
--Satisfies: SRG-OS-000392-GPOS-00172, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000172</ident><ident system="http://iase.disa.mil/cci">CCI-002884</ident><fixtext fixref="F-78489r6_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "setsebool" command occur.
-+When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
-+
-+Satisfies: SRG-OS-000392-GPOS-00172, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000172</ident><ident system="http://iase.disa.mil/cci">CCI-002884</ident><fixtext fixref="F-78489r7_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "setsebool" command occur.
- 
- Add or update the following rule in "/etc/audit/rules.d/audit.rules":
- 
---a always,exit -F path=/usr/sbin/setsebool -F auid&gt;=1000 -F auid!=4294967295 -k privileged-priv_change
-+-a always,exit -F path=/usr/sbin/setsebool -F auid&gt;=1000 -F auid!=unset -k privileged-priv_change
- 
--The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-78489r6_fix" /><check system="C-72369r5_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system generates audit records when successful/unsuccessful attempts to use the "setsebool" command occur.
-+The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-78489r7_fix" /><check system="C-72369r6_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system generates audit records when successful/unsuccessful attempts to use the "setsebool" command occur.
- 
- Check the file system rule in "/etc/audit/audit.rules" with the following command:
- 
- # grep -i /usr/sbin/setsebool /etc/audit/audit.rules
- 
---a always,exit -F path=/usr/sbin/setsebool -F auid&gt;=1000 -F auid!=4294967295 -k privileged-priv_change
-+-a always,exit -F path=/usr/sbin/setsebool -F auid&gt;=1000 -F auid!=unset -k privileged-priv_change
- 
--If the command does not return any output, this is a finding.</check-content></check></Rule></Group><Group id="V-72139"><title>SRG-OS-000392-GPOS-00172</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86763r4_rule" severity="medium" weight="10.0"><version>RHEL-07-030580</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the chcon command.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
-+If the command does not return any output, this is a finding.</check-content></check></Rule></Group><Group id="V-72139"><title>SRG-OS-000392-GPOS-00172</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86763r5_rule" severity="medium" weight="10.0"><version>RHEL-07-030580</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the chcon command.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
- 
- Audit records can be generated from various components within the information system (e.g., module or policy filter).
- 
--Satisfies: SRG-OS-000392-GPOS-00172, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000172</ident><ident system="http://iase.disa.mil/cci">CCI-002884</ident><fixtext fixref="F-78491r6_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "chcon" command occur.
-+When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
-+
-+Satisfies: SRG-OS-000392-GPOS-00172, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000172</ident><ident system="http://iase.disa.mil/cci">CCI-002884</ident><fixtext fixref="F-78491r7_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "chcon" command occur.
- 
- Add or update the following rule in "/etc/audit/rules.d/audit.rules":
- 
---a always,exit -F path=/usr/bin/chcon -F auid&gt;=1000 -F auid!=4294967295 -k privileged-priv_change
-+-a always,exit -F path=/usr/bin/chcon -F auid&gt;=1000 -F auid!=unset -k privileged-priv_change
- 
--The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-78491r6_fix" /><check system="C-72371r5_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system generates audit records when successful/unsuccessful attempts to use the "chcon" command occur.
-+The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-78491r7_fix" /><check system="C-72371r6_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system generates audit records when successful/unsuccessful attempts to use the "chcon" command occur.
- 
- Check the file system rule in "/etc/audit/audit.rules" with the following command:
- 
- # grep -i /usr/bin/chcon /etc/audit/audit.rules
- 
---a always,exit -F path=/usr/bin/chcon -F auid&gt;=1000 -F auid!=4294967295 -k privileged-priv_change
-+-a always,exit -F path=/usr/bin/chcon -F auid&gt;=1000 -F auid!=unset -k privileged-priv_change
- 
--If the command does not return any output, this is a finding.</check-content></check></Rule></Group><Group id="V-72141"><title>SRG-OS-000392-GPOS-00172</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86765r5_rule" severity="medium" weight="10.0"><version>RHEL-07-030590</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the setfiles command.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
-+If the command does not return any output, this is a finding.</check-content></check></Rule></Group><Group id="V-72141"><title>SRG-OS-000392-GPOS-00172</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86765r6_rule" severity="medium" weight="10.0"><version>RHEL-07-030590</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the setfiles command.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
- 
- Audit records can be generated from various components within the information system (e.g., module or policy filter).
- 
--Satisfies: SRG-OS-000392-GPOS-00172, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000172</ident><ident system="http://iase.disa.mil/cci">CCI-002884</ident><fixtext fixref="F-78493r7_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "setfiles" command occur.
-+When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
-+
-+Satisfies: SRG-OS-000392-GPOS-00172, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000172</ident><ident system="http://iase.disa.mil/cci">CCI-002884</ident><fixtext fixref="F-78493r8_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "setfiles" command occur.
- 
- Add or update the following rule in "/etc/audit/rules.d/audit.rules":
- 
---a always,exit -F path=/usr/sbin/setfiles -F auid&gt;=1000 -F auid!=4294967295 -k privileged-priv_change
-+-a always,exit -F path=/usr/sbin/setfiles -F auid&gt;=1000 -F auid!=unset -k privileged-priv_change
- 
--The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-78493r7_fix" /><check system="C-72373r7_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system generates audit records when successful/unsuccessful attempts to use the "setfiles" command occur.
-+The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-78493r8_fix" /><check system="C-72373r8_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system generates audit records when successful/unsuccessful attempts to use the "setfiles" command occur.
- 
- Check the file system rule in "/etc/audit/audit.rules" with the following command:
- 
- # grep -iw /usr/sbin/setfiles /etc/audit/audit.rules
- 
---a always,exit -F path=/usr/sbin/setfiles -F auid&gt;=1000 -F auid!=4294967295 -k privileged-priv_change
-+-a always,exit -F path=/usr/sbin/setfiles -F auid&gt;=1000 -F auid!=unset -k privileged-priv_change
- 
- If the command does not return any output, this is a finding.</check-content></check></Rule></Group><Group id="V-72145"><title>SRG-OS-000392-GPOS-00172</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86769r4_rule" severity="medium" weight="10.0"><version>RHEL-07-030610</version><title>The Red Hat Enterprise Linux operating system must generate audit records for all unsuccessful account access events.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
- 
-@@ -2658,131 +2661,145 @@ Check the file system rules in "/etc/audit/audit.rules" with the following comma
- 
- -w /var/log/lastlog -p wa -k logins 
- 
--If the command does not return any output, this is a finding.</check-content></check></Rule></Group><Group id="V-72149"><title>SRG-OS-000042-GPOS-00020</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86773r5_rule" severity="medium" weight="10.0"><version>RHEL-07-030630</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the passwd command.</title><description>&lt;VulnDiscussion&gt;Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.
-+If the command does not return any output, this is a finding.</check-content></check></Rule></Group><Group id="V-72149"><title>SRG-OS-000042-GPOS-00020</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86773r6_rule" severity="medium" weight="10.0"><version>RHEL-07-030630</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the passwd command.</title><description>&lt;VulnDiscussion&gt;Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.
- 
- At a minimum, the organization must audit the full-text recording of privileged password commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.
- 
--Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000135</ident><ident system="http://iase.disa.mil/cci">CCI-000172</ident><ident system="http://iase.disa.mil/cci">CCI-002884</ident><fixtext fixref="F-78501r6_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "passwd" command occur.
-+When a user logs on, the auid is set to the uid of the account that is being authenticated.  Daemons are not user sessions and have the loginuid set to -1.  The auid representation is an unsigned 32-bit integer, which equals 4294967295.  The audit system interprets -1, 4294967295, and "unset" in the same way.
-+
-+Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000135</ident><ident system="http://iase.disa.mil/cci">CCI-000172</ident><ident system="http://iase.disa.mil/cci">CCI-002884</ident><fixtext fixref="F-78501r7_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "passwd" command occur.
- 
- Add or update the following rule in "/etc/audit/rules.d/audit.rules":
- 
---a always,exit -F path=/usr/bin/passwd -F auid&gt;=1000 -F auid!=4294967295 -k privileged-passwd
-+-a always,exit -F path=/usr/bin/passwd -F auid&gt;=1000 -F auid!=unset -k privileged-passwd
- 
--The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-78501r6_fix" /><check system="C-72381r6_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system generates audit records when successful/unsuccessful attempts to use the "passwd" command occur.
-+The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-78501r7_fix" /><check system="C-72381r7_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system generates audit records when successful/unsuccessful attempts to use the "passwd" command occur.
- 
- Check the file system rule in "/etc/audit/audit.rules" with the following command:
- 
- # grep -i /usr/bin/passwd /etc/audit/audit.rules
- 
---a always,exit -F path=/usr/bin/passwd -F auid&gt;=1000 -F auid!=4294967295 -k privileged-passwd
-+-a always,exit -F path=/usr/bin/passwd -F auid&gt;=1000 -F auid!=unset -k privileged-passwd
- 
--If the command does not return any output, this is a finding.</check-content></check></Rule></Group><Group id="V-72151"><title>SRG-OS-000042-GPOS-00020</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86775r5_rule" severity="medium" weight="10.0"><version>RHEL-07-030640</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the unix_chkpwd command.</title><description>&lt;VulnDiscussion&gt;Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.
-+If the command does not return any output, this is a finding.</check-content></check></Rule></Group><Group id="V-72151"><title>SRG-OS-000042-GPOS-00020</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86775r6_rule" severity="medium" weight="10.0"><version>RHEL-07-030640</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the unix_chkpwd command.</title><description>&lt;VulnDiscussion&gt;Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.
- 
- At a minimum, the organization must audit the full-text recording of privileged password commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.
- 
--Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000135</ident><ident system="http://iase.disa.mil/cci">CCI-000172</ident><ident system="http://iase.disa.mil/cci">CCI-002884</ident><fixtext fixref="F-78503r8_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "unix_chkpwd" command occur.
-+When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
-+
-+Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000135</ident><ident system="http://iase.disa.mil/cci">CCI-000172</ident><ident system="http://iase.disa.mil/cci">CCI-002884</ident><fixtext fixref="F-78503r9_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "unix_chkpwd" command occur.
- 
- Add or update the following rule in "/etc/audit/rules.d/audit.rules":
- 
---a always,exit -F path=/usr/sbin/unix_chkpwd -F auid&gt;=1000 -F auid!=4294967295 -k privileged-passwd
-+-a always,exit -F path=/usr/sbin/unix_chkpwd -F auid&gt;=1000 -F auid!=unset -k privileged-passwd
- 
--The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-78503r8_fix" /><check system="C-72383r6_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system generates audit records when successful/unsuccessful attempts to use the "unix_chkpwd" command occur.
-+The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-78503r9_fix" /><check system="C-72383r7_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system generates audit records when successful/unsuccessful attempts to use the "unix_chkpwd" command occur.
- 
- Check the file system rule in "/etc/audit/audit.rules" with the following command:
- 
- # grep -iw /usr/sbin/unix_chkpwd /etc/audit/audit.rules
- 
---a always,exit -F path=/usr/sbin/unix_chkpwd -F auid&gt;=1000 -F auid!=4294967295 -k privileged-passwd
-+-a always,exit -F path=/usr/sbin/unix_chkpwd -F auid&gt;=1000 -F auid!=unset -k privileged-passwd
- 
--If the command does not return any output, this is a finding.</check-content></check></Rule></Group><Group id="V-72153"><title>SRG-OS-000042-GPOS-00020</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86777r5_rule" severity="medium" weight="10.0"><version>RHEL-07-030650</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the gpasswd command.</title><description>&lt;VulnDiscussion&gt;Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.
-+If the command does not return any output, this is a finding.</check-content></check></Rule></Group><Group id="V-72153"><title>SRG-OS-000042-GPOS-00020</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86777r6_rule" severity="medium" weight="10.0"><version>RHEL-07-030650</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the gpasswd command.</title><description>&lt;VulnDiscussion&gt;Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.
- 
- At a minimum, the organization must audit the full-text recording of privileged password commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.
- 
--Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000135</ident><ident system="http://iase.disa.mil/cci">CCI-000172</ident><ident system="http://iase.disa.mil/cci">CCI-002884</ident><fixtext fixref="F-78505r5_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "gpasswd" command occur.
-+When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
-+
-+Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000135</ident><ident system="http://iase.disa.mil/cci">CCI-000172</ident><ident system="http://iase.disa.mil/cci">CCI-002884</ident><fixtext fixref="F-78505r6_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "gpasswd" command occur.
- 
- Add or update the following rule in "/etc/audit/rules.d/audit.rules":
- 
---a always,exit -F path=/usr/bin/gpasswd -F auid&gt;=1000 -F auid!=4294967295 -k privileged-passwd
-+-a always,exit -F path=/usr/bin/gpasswd -F auid&gt;=1000 -F auid!=unset -k privileged-passwd
- 
--The audit daemon must be restarted for the changes to take effect. </fixtext><fix id="F-78505r5_fix" /><check system="C-72385r5_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system generates audit records when successful/unsuccessful attempts to use the "gpasswd" command occur.
-+The audit daemon must be restarted for the changes to take effect. </fixtext><fix id="F-78505r6_fix" /><check system="C-72385r6_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system generates audit records when successful/unsuccessful attempts to use the "gpasswd" command occur.
- 
- Check the file system rule in "/etc/audit/audit.rules" with the following command:
- 
- # grep -i /usr/bin/gpasswd /etc/audit/audit.rules
- 
---a always,exit -F path=/usr/bin/gpasswd -F auid&gt;=1000 -F auid!=4294967295 -k privileged-passwd
-+-a always,exit -F path=/usr/bin/gpasswd -F auid&gt;=1000 -F auid!=unset -k privileged-passwd
- 
--If the command does not return any output, this is a finding.</check-content></check></Rule></Group><Group id="V-72155"><title>SRG-OS-000042-GPOS-00020</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86779r5_rule" severity="medium" weight="10.0"><version>RHEL-07-030660</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the chage command.</title><description>&lt;VulnDiscussion&gt;Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.
-+If the command does not return any output, this is a finding.</check-content></check></Rule></Group><Group id="V-72155"><title>SRG-OS-000042-GPOS-00020</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86779r6_rule" severity="medium" weight="10.0"><version>RHEL-07-030660</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the chage command.</title><description>&lt;VulnDiscussion&gt;Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.
- 
- At a minimum, the organization must audit the full-text recording of privileged password commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.
- 
--Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000135</ident><ident system="http://iase.disa.mil/cci">CCI-000172</ident><ident system="http://iase.disa.mil/cci">CCI-002884</ident><fixtext fixref="F-78507r5_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "chage" command occur.
-+When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
-+
-+Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000135</ident><ident system="http://iase.disa.mil/cci">CCI-000172</ident><ident system="http://iase.disa.mil/cci">CCI-002884</ident><fixtext fixref="F-78507r6_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "chage" command occur.
- 
- Add or update the following rule in "/etc/audit/rules.d/audit.rules":
- 
---a always,exit -F path=/usr/bin/chage -F auid&gt;=1000 -F auid!=4294967295 -k privileged-passwd
-+-a always,exit -F path=/usr/bin/chage -F auid&gt;=1000 -F auid!=unset -k privileged-passwd
- 
--The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-78507r5_fix" /><check system="C-72387r5_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system generates audit records when successful/unsuccessful attempts to use the "chage" command occur.
-+The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-78507r6_fix" /><check system="C-72387r6_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system generates audit records when successful/unsuccessful attempts to use the "chage" command occur.
- 
- Check the file system rule in "/etc/audit/audit.rules" with the following command:
- 
- # grep -i /usr/bin/chage /etc/audit/audit.rules
- 
---a always,exit -F path=/usr/bin/chage -F auid&gt;=1000 -F auid!=4294967295 -k privileged-passwd
-+-a always,exit -F path=/usr/bin/chage -F auid&gt;=1000 -F auid!=unset -k privileged-passwd
- 
--If the command does not return any output, this is a finding.</check-content></check></Rule></Group><Group id="V-72157"><title>SRG-OS-000042-GPOS-00020</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86781r5_rule" severity="medium" weight="10.0"><version>RHEL-07-030670</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the userhelper command.</title><description>&lt;VulnDiscussion&gt;Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.
-+If the command does not return any output, this is a finding.</check-content></check></Rule></Group><Group id="V-72157"><title>SRG-OS-000042-GPOS-00020</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86781r6_rule" severity="medium" weight="10.0"><version>RHEL-07-030670</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the userhelper command.</title><description>&lt;VulnDiscussion&gt;Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.
- 
- At a minimum, the organization must audit the full-text recording of privileged password commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.
- 
--Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000135</ident><ident system="http://iase.disa.mil/cci">CCI-000172</ident><ident system="http://iase.disa.mil/cci">CCI-002884</ident><fixtext fixref="F-78509r5_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "userhelper" command occur.
-+When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
-+
-+Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000135</ident><ident system="http://iase.disa.mil/cci">CCI-000172</ident><ident system="http://iase.disa.mil/cci">CCI-002884</ident><fixtext fixref="F-78509r6_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "userhelper" command occur.
- 
- Add or update the following rule in "/etc/audit/rules.d/audit.rules":
- 
---a always,exit -F path=/usr/sbin/userhelper -F auid&gt;=1000 -F auid!=4294967295 -k privileged-passwd
-+-a always,exit -F path=/usr/sbin/userhelper -F auid&gt;=1000 -F auid!=unset -k privileged-passwd
- 
--The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-78509r5_fix" /><check system="C-72389r6_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system generates audit records when successful/unsuccessful attempts to use the "userhelper" command occur.
-+The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-78509r6_fix" /><check system="C-72389r7_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system generates audit records when successful/unsuccessful attempts to use the "userhelper" command occur.
- 
- Check the file system rule in "/etc/audit/audit.rules" with the following command:
- 
- # grep -i /usr/sbin/userhelper /etc/audit/audit.rules
- 
---a always,exit -F path=/usr/sbin/userhelper -F auid&gt;=1000 -F auid!=4294967295 -k privileged-passwd
-+-a always,exit -F path=/usr/sbin/userhelper -F auid&gt;=1000 -F auid!=unset -k privileged-passwd
- 
--If the command does not return any output, this is a finding.</check-content></check></Rule></Group><Group id="V-72159"><title>SRG-OS-000037-GPOS-00015</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86783r5_rule" severity="medium" weight="10.0"><version>RHEL-07-030680</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the su command.</title><description>&lt;VulnDiscussion&gt;Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.
-+If the command does not return any output, this is a finding.</check-content></check></Rule></Group><Group id="V-72159"><title>SRG-OS-000037-GPOS-00015</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86783r6_rule" severity="medium" weight="10.0"><version>RHEL-07-030680</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the su command.</title><description>&lt;VulnDiscussion&gt;Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.
- 
- At a minimum, the organization must audit the full-text recording of privileged access commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.
- 
--Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000130</ident><ident system="http://iase.disa.mil/cci">CCI-000135</ident><ident system="http://iase.disa.mil/cci">CCI-000172</ident><ident system="http://iase.disa.mil/cci">CCI-002884</ident><fixtext fixref="F-78511r6_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "su" command occur.
-+When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
-+
-+Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000130</ident><ident system="http://iase.disa.mil/cci">CCI-000135</ident><ident system="http://iase.disa.mil/cci">CCI-000172</ident><ident system="http://iase.disa.mil/cci">CCI-002884</ident><fixtext fixref="F-78511r7_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "su" command occur.
- 
- Add or update the following rule in "/etc/audit/rules.d/audit.rules": 
- 
---a always,exit -F path=/usr/bin/su -F auid&gt;=1000 -F auid!=4294967295 -k privileged-priv_change 
-+-a always,exit -F path=/usr/bin/su -F auid&gt;=1000 -F auid!=unset -k privileged-priv_change 
- 
--The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-78511r6_fix" /><check system="C-72391r6_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system generates audit records when successful/unsuccessful attempts to use the "su" command occur.
-+The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-78511r7_fix" /><check system="C-72391r7_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system generates audit records when successful/unsuccessful attempts to use the "su" command occur.
- 
- Check that the following system call is being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules": 
- 
- # grep -iw /usr/bin/su /etc/audit/audit.rules
- 
---a always,exit -F path=/usr/bin/su -F auid&gt;=1000 -F auid!=4294967295 -k privileged-priv_change
-+-a always,exit -F path=/usr/bin/su -F auid&gt;=1000 -F auid!=unset -k privileged-priv_change
- 
--If the command does not return any output, this is a finding.</check-content></check></Rule></Group><Group id="V-72161"><title>SRG-OS-000037-GPOS-00015</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86785r4_rule" severity="medium" weight="10.0"><version>RHEL-07-030690</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the sudo command.</title><description>&lt;VulnDiscussion&gt;Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.
-+If the command does not return any output, this is a finding.</check-content></check></Rule></Group><Group id="V-72161"><title>SRG-OS-000037-GPOS-00015</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86785r5_rule" severity="medium" weight="10.0"><version>RHEL-07-030690</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the sudo command.</title><description>&lt;VulnDiscussion&gt;Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.
- 
- At a minimum, the organization must audit the full-text recording of privileged access commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.
- 
--Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000130</ident><ident system="http://iase.disa.mil/cci">CCI-000135</ident><ident system="http://iase.disa.mil/cci">CCI-000172</ident><ident system="http://iase.disa.mil/cci">CCI-002884</ident><fixtext fixref="F-78513r5_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "sudo" command occur.
-+When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
-+
-+Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000130</ident><ident system="http://iase.disa.mil/cci">CCI-000135</ident><ident system="http://iase.disa.mil/cci">CCI-000172</ident><ident system="http://iase.disa.mil/cci">CCI-002884</ident><fixtext fixref="F-78513r6_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "sudo" command occur.
- 
- Add or update the following rule in "/etc/audit/rules.d/audit.rules": 
- 
---a always,exit -F path=/usr/bin/sudo -F auid&gt;=1000 -F auid!=4294967295 -k privileged-priv_change 
-+-a always,exit -F path=/usr/bin/sudo -F auid&gt;=1000 -F auid!=unset -k privileged-priv_change 
- 
--The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-78513r5_fix" /><check system="C-72393r5_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system generates audit records when successful/unsuccessful attempts to use the "sudo" command occur.
-+The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-78513r6_fix" /><check system="C-72393r6_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system generates audit records when successful/unsuccessful attempts to use the "sudo" command occur.
- 
- Check that the following system call is being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules": 
- 
- # grep -iw /usr/bin/sudo /etc/audit/audit.rules
- 
---a always,exit -F path=/usr/bin/sudo -F auid&gt;=1000 -F auid!=4294967295 -k privileged-priv_change
-+-a always,exit -F path=/usr/bin/sudo -F auid&gt;=1000 -F auid!=unset -k privileged-priv_change
- 
- If the command does not return any output, this is a finding.</check-content></check></Rule></Group><Group id="V-72163"><title>SRG-OS-000037-GPOS-00015</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86787r5_rule" severity="medium" weight="10.0"><version>RHEL-07-030700</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the sudoers file and all files in the /etc/sudoers.d/ directory.</title><description>&lt;VulnDiscussion&gt;Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.
- 
-@@ -2808,169 +2825,187 @@ Check for modification of the following files being audited by performing the fo
- 
- -w /etc/sudoers.d/ -p wa -k privileged-actions
- 
--If the commands do not return output that match the examples, this is a finding.</check-content></check></Rule></Group><Group id="V-72165"><title>SRG-OS-000037-GPOS-00015</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86789r4_rule" severity="medium" weight="10.0"><version>RHEL-07-030710</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the newgrp command.</title><description>&lt;VulnDiscussion&gt;Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.
-+If the commands do not return output that match the examples, this is a finding.</check-content></check></Rule></Group><Group id="V-72165"><title>SRG-OS-000037-GPOS-00015</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86789r5_rule" severity="medium" weight="10.0"><version>RHEL-07-030710</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the newgrp command.</title><description>&lt;VulnDiscussion&gt;Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.
- 
- At a minimum, the organization must audit the full-text recording of privileged access commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.
- 
--Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000130</ident><ident system="http://iase.disa.mil/cci">CCI-000135</ident><ident system="http://iase.disa.mil/cci">CCI-000172</ident><ident system="http://iase.disa.mil/cci">CCI-002884</ident><fixtext fixref="F-78519r5_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "newgrp" command occur.
-+When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
-+
-+Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000130</ident><ident system="http://iase.disa.mil/cci">CCI-000135</ident><ident system="http://iase.disa.mil/cci">CCI-000172</ident><ident system="http://iase.disa.mil/cci">CCI-002884</ident><fixtext fixref="F-78519r6_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "newgrp" command occur.
- 
- Add or update the following rule in "/etc/audit/rules.d/audit.rules": 
- 
---a always,exit -F path=/usr/bin/newgrp -F auid&gt;=1000 -F auid!=4294967295 -k privileged-priv_change
-+-a always,exit -F path=/usr/bin/newgrp -F auid&gt;=1000 -F auid!=unset -k privileged-priv_change
- 
--The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-78519r5_fix" /><check system="C-72399r5_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system generates audit records when successful/unsuccessful attempts to use the "newgrp" command occur.
-+The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-78519r6_fix" /><check system="C-72399r6_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system generates audit records when successful/unsuccessful attempts to use the "newgrp" command occur.
- 
- Check that the following system call is being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules": 
- 
- # grep -i /usr/bin/newgrp /etc/audit/audit.rules
- 
---a always,exit -F path=/usr/bin/newgrp -F auid&gt;=1000 -F auid!=4294967295 -k privileged-priv_change
-+-a always,exit -F path=/usr/bin/newgrp -F auid&gt;=1000 -F auid!=unset -k privileged-priv_change
- 
--If the command does not return any output, this is a finding.</check-content></check></Rule></Group><Group id="V-72167"><title>SRG-OS-000037-GPOS-00015</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86791r4_rule" severity="medium" weight="10.0"><version>RHEL-07-030720</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the chsh command.</title><description>&lt;VulnDiscussion&gt;Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.
-+If the command does not return any output, this is a finding.</check-content></check></Rule></Group><Group id="V-72167"><title>SRG-OS-000037-GPOS-00015</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86791r5_rule" severity="medium" weight="10.0"><version>RHEL-07-030720</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the chsh command.</title><description>&lt;VulnDiscussion&gt;Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.
- 
- At a minimum, the organization must audit the full-text recording of privileged access commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.
- 
--Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000130</ident><ident system="http://iase.disa.mil/cci">CCI-000135</ident><ident system="http://iase.disa.mil/cci">CCI-000172</ident><ident system="http://iase.disa.mil/cci">CCI-002884</ident><fixtext fixref="F-78521r5_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "chsh" command occur.
-+When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
-+
-+Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000130</ident><ident system="http://iase.disa.mil/cci">CCI-000135</ident><ident system="http://iase.disa.mil/cci">CCI-000172</ident><ident system="http://iase.disa.mil/cci">CCI-002884</ident><fixtext fixref="F-78521r6_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "chsh" command occur.
- 
- Add or update the following rule in "/etc/audit/rules.d/audit.rules": 
- 
---a always,exit -F path=/usr/bin/chsh -F auid&gt;=1000 -F auid!=4294967295 -k privileged-priv_change
-+-a always,exit -F path=/usr/bin/chsh -F auid&gt;=1000 -F auid!=unset -k privileged-priv_change
- 
--The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-78521r5_fix" /><check system="C-72401r5_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system generates audit records when successful/unsuccessful attempts to use the "chsh" command occur.
-+The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-78521r6_fix" /><check system="C-72401r6_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system generates audit records when successful/unsuccessful attempts to use the "chsh" command occur.
- 
- Check that the following system call is being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules": 
- 
- # grep -i /usr/bin/chsh /etc/audit/audit.rules
- 
---a always,exit -F path=/usr/bin/chsh -F auid&gt;=1000 -F auid!=4294967295 -k privileged-priv_change
-+-a always,exit -F path=/usr/bin/chsh -F auid&gt;=1000 -F auid!=unset -k privileged-priv_change
- 
--If the command does not return any output, this is a finding.</check-content></check></Rule></Group><Group id="V-72171"><title>SRG-OS-000042-GPOS-00020</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86795r7_rule" severity="medium" weight="10.0"><version>RHEL-07-030740</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the mount command and syscall.</title><description>&lt;VulnDiscussion&gt;Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.
-+If the command does not return any output, this is a finding.</check-content></check></Rule></Group><Group id="V-72171"><title>SRG-OS-000042-GPOS-00020</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86795r8_rule" severity="medium" weight="10.0"><version>RHEL-07-030740</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the mount command and syscall.</title><description>&lt;VulnDiscussion&gt;Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.
- 
- At a minimum, the organization must audit the full-text recording of privileged mount commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.
- 
--Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000135</ident><ident system="http://iase.disa.mil/cci">CCI-002884</ident><fixtext fixref="F-78525r9_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "mount" command and syscall occur.
-+When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
-+
-+Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000135</ident><ident system="http://iase.disa.mil/cci">CCI-002884</ident><fixtext fixref="F-78525r10_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "mount" command and syscall occur.
- 
- Add or update the following rules in "/etc/audit/rules.d/audit.rules":
- 
---a always,exit -F arch=b32 -S mount -F auid&gt;=1000 -F auid!=4294967295 -k privileged-mount
---a always,exit -F arch=b64 -S mount -F auid&gt;=1000 -F auid!=4294967295 -k privileged-mount
---a always,exit -F path=/usr/bin/mount -F auid&gt;=1000 -F auid!=4294967295 -k privileged-mount
-+-a always,exit -F arch=b32 -S mount -F auid&gt;=1000 -F auid!=unset -k privileged-mount
-+-a always,exit -F arch=b64 -S mount -F auid&gt;=1000 -F auid!=unset -k privileged-mount
-+-a always,exit -F path=/usr/bin/mount -F auid&gt;=1000 -F auid!=unset -k privileged-mount
- 
--The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-78525r9_fix" /><check system="C-72405r11_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system generates audit records when successful/unsuccessful attempts to use the "mount" command and syscall occur.
-+The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-78525r10_fix" /><check system="C-72405r12_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system generates audit records when successful/unsuccessful attempts to use the "mount" command and syscall occur.
- 
- Check that the following system call is being audited by performing the following series of commands to check the file system rules in "/etc/audit/audit.rules": 
- 
- # grep -iw "mount" /etc/audit/audit.rules
- 
---a always,exit -F arch=b32 -S mount -F auid&gt;=1000 -F auid!=4294967295 -k privileged-mount
---a always,exit -F arch=b64 -S mount -F auid&gt;=1000 -F auid!=4294967295 -k privileged-mount
---a always,exit -F path=/usr/bin/mount -F auid&gt;=1000 -F auid!=4294967295 -k privileged-mount
-+-a always,exit -F arch=b32 -S mount -F auid&gt;=1000 -F auid!=unset -k privileged-mount
-+-a always,exit -F arch=b64 -S mount -F auid&gt;=1000 -F auid!=unset -k privileged-mount
-+-a always,exit -F path=/usr/bin/mount -F auid&gt;=1000 -F auid!=unset -k privileged-mount
- 
- If both the "b32" and "b64" audit rules are not defined for the "mount" syscall, this is a finding.
- 
--If all uses of the "mount" command are not being audited, this is a finding.</check-content></check></Rule></Group><Group id="V-72173"><title>SRG-OS-000042-GPOS-00020</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86797r5_rule" severity="medium" weight="10.0"><version>RHEL-07-030750</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the umount command.</title><description>&lt;VulnDiscussion&gt;Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.
-+If all uses of the "mount" command are not being audited, this is a finding.</check-content></check></Rule></Group><Group id="V-72173"><title>SRG-OS-000042-GPOS-00020</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86797r6_rule" severity="medium" weight="10.0"><version>RHEL-07-030750</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the umount command.</title><description>&lt;VulnDiscussion&gt;Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.
- 
- At a minimum, the organization must audit the full-text recording of privileged mount commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.
- 
--Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000135</ident><ident system="http://iase.disa.mil/cci">CCI-002884</ident><fixtext fixref="F-78527r5_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "umount" command occur.
-+When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
-+
-+Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000135</ident><ident system="http://iase.disa.mil/cci">CCI-002884</ident><fixtext fixref="F-78527r6_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "umount" command occur.
- 
- Add or update the following rule in "/etc/audit/rules.d/audit.rules": 
- 
---a always,exit -F path=/usr/bin/umount -F auid&gt;=1000 -F auid!=4294967295 -k privileged-mount
-+-a always,exit -F path=/usr/bin/umount -F auid&gt;=1000 -F auid!=unset -k privileged-mount
- 
--The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-78527r5_fix" /><check system="C-72407r6_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system generates audit records when successful/unsuccessful attempts to use the "umount" command occur.
-+The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-78527r6_fix" /><check system="C-72407r7_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system generates audit records when successful/unsuccessful attempts to use the "umount" command occur.
- 
- Check that the following system call is being audited by performing the following series of commands to check the file system rules in "/etc/audit/audit.rules": 
- 
- # grep -iw "/usr/bin/umount" /etc/audit/audit.rules
- 
---a always,exit -F path=/usr/bin/umount -F auid&gt;=1000 -F auid!=4294967295 -k privileged-mount 
-+-a always,exit -F path=/usr/bin/umount -F auid&gt;=1000 -F auid!=unset -k privileged-mount 
- 
--If the command does not return any output, this is a finding.</check-content></check></Rule></Group><Group id="V-72175"><title>SRG-OS-000042-GPOS-00020</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86799r4_rule" severity="medium" weight="10.0"><version>RHEL-07-030760</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the postdrop command.</title><description>&lt;VulnDiscussion&gt;Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.
-+If the command does not return any output, this is a finding.</check-content></check></Rule></Group><Group id="V-72175"><title>SRG-OS-000042-GPOS-00020</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86799r5_rule" severity="medium" weight="10.0"><version>RHEL-07-030760</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the postdrop command.</title><description>&lt;VulnDiscussion&gt;Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.
- 
- At a minimum, the organization must audit the full-text recording of privileged postfix commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.
- 
--Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000135</ident><ident system="http://iase.disa.mil/cci">CCI-002884</ident><fixtext fixref="F-78529r5_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "postdrop" command occur.
-+When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
-+
-+Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000135</ident><ident system="http://iase.disa.mil/cci">CCI-002884</ident><fixtext fixref="F-78529r6_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "postdrop" command occur.
- 
- Add or update the following rule in "/etc/audit/rules.d/audit.rules": 
- 
---a always,exit -F path=/usr/sbin/postdrop -F auid&gt;=1000 -F auid!=4294967295 -k privileged-postfix
-+-a always,exit -F path=/usr/sbin/postdrop -F auid&gt;=1000 -F auid!=unset -k privileged-postfix
- 
--The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-78529r5_fix" /><check system="C-72409r5_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system generates audit records when successful/unsuccessful attempts to use the "postdrop" command occur.
-+The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-78529r6_fix" /><check system="C-72409r6_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system generates audit records when successful/unsuccessful attempts to use the "postdrop" command occur.
- 
- Check that the following system call is being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules": 
- 
- # grep -iw /usr/sbin/postdrop /etc/audit/audit.rules
- 
---a always,exit -F path=/usr/sbin/postdrop -F auid&gt;=1000 -F auid!=4294967295 -k privileged-postfix
-+-a always,exit -F path=/usr/sbin/postdrop -F auid&gt;=1000 -F auid!=unset -k privileged-postfix
- 
--If the command does not return any output, this is a finding.</check-content></check></Rule></Group><Group id="V-72177"><title>SRG-OS-000042-GPOS-00020</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86801r3_rule" severity="medium" weight="10.0"><version>RHEL-07-030770</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the postqueue command.</title><description>&lt;VulnDiscussion&gt;Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.
-+If the command does not return any output, this is a finding.</check-content></check></Rule></Group><Group id="V-72177"><title>SRG-OS-000042-GPOS-00020</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86801r4_rule" severity="medium" weight="10.0"><version>RHEL-07-030770</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the postqueue command.</title><description>&lt;VulnDiscussion&gt;Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.
- 
- At a minimum, the organization must audit the full-text recording of privileged postfix commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.
- 
--Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000135</ident><ident system="http://iase.disa.mil/cci">CCI-002884</ident><fixtext fixref="F-78531r5_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "postqueue" command occur. 
-+When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
-+
-+Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000135</ident><ident system="http://iase.disa.mil/cci">CCI-002884</ident><fixtext fixref="F-78531r6_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "postqueue" command occur. 
- 
- Add or update the following rule in "/etc/audit/rules.d/audit.rules": 
- 
---a always,exit -F path=/usr/sbin/postqueue -F auid&gt;=1000 -F auid!=4294967295 -k privileged-postfix
-+-a always,exit -F path=/usr/sbin/postqueue -F auid&gt;=1000 -F auid!=unset -k privileged-postfix
- 
--The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-78531r5_fix" /><check system="C-72411r4_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system generates audit records when successful/unsuccessful attempts to use the "postqueue" command occur. 
-+The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-78531r6_fix" /><check system="C-72411r5_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system generates audit records when successful/unsuccessful attempts to use the "postqueue" command occur. 
- 
- Check that the following system call is being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules": 
- 
- # grep -iw /usr/sbin/postqueue /etc/audit/audit.rules
- 
---a always,exit -F path=/usr/sbin/postqueue -F auid&gt;=1000 -F auid!=4294967295 -k privileged-postfix
-+-a always,exit -F path=/usr/sbin/postqueue -F auid&gt;=1000 -F auid!=unset -k privileged-postfix
- 
--If the command does not return any output, this is a finding.</check-content></check></Rule></Group><Group id="V-72179"><title>SRG-OS-000042-GPOS-00020</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86803r3_rule" severity="medium" weight="10.0"><version>RHEL-07-030780</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the ssh-keysign command.</title><description>&lt;VulnDiscussion&gt;Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.
-+If the command does not return any output, this is a finding.</check-content></check></Rule></Group><Group id="V-72179"><title>SRG-OS-000042-GPOS-00020</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86803r4_rule" severity="medium" weight="10.0"><version>RHEL-07-030780</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the ssh-keysign command.</title><description>&lt;VulnDiscussion&gt;Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.
- 
- At a minimum, the organization must audit the full-text recording of privileged ssh commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.
- 
--Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000135</ident><ident system="http://iase.disa.mil/cci">CCI-000172</ident><ident system="http://iase.disa.mil/cci">CCI-002884</ident><fixtext fixref="F-78533r4_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "ssh-keysign" command occur. 
-+When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
-+
-+Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000135</ident><ident system="http://iase.disa.mil/cci">CCI-000172</ident><ident system="http://iase.disa.mil/cci">CCI-002884</ident><fixtext fixref="F-78533r5_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "ssh-keysign" command occur. 
- 
- Add or update the following rule in "/etc/audit/rules.d/audit.rules": 
- 
---a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F auid&gt;=1000 -F auid!=4294967295 -k privileged-ssh
-+-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F auid&gt;=1000 -F auid!=unset -k privileged-ssh
- 
--The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-78533r4_fix" /><check system="C-72413r4_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system generates audit records when successful/unsuccessful attempts to use the "ssh-keysign" command occur. 
-+The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-78533r5_fix" /><check system="C-72413r5_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system generates audit records when successful/unsuccessful attempts to use the "ssh-keysign" command occur. 
- 
- Check that the following system call is being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules": 
- 
- # grep -iw /usr/libexec/openssh/ssh-keysign /etc/audit/audit.rules
- 
---a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F auid&gt;=1000 -F auid!=4294967295 -k privileged-ssh
-+-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F auid&gt;=1000 -F auid!=unset -k privileged-ssh
- 
--If the command does not return any output, this is a finding.</check-content></check></Rule></Group><Group id="V-72183"><title>SRG-OS-000042-GPOS-00020</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86807r3_rule" severity="medium" weight="10.0"><version>RHEL-07-030800</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the crontab command.</title><description>&lt;VulnDiscussion&gt;Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.
-+If the command does not return any output, this is a finding.</check-content></check></Rule></Group><Group id="V-72183"><title>SRG-OS-000042-GPOS-00020</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86807r4_rule" severity="medium" weight="10.0"><version>RHEL-07-030800</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the crontab command.</title><description>&lt;VulnDiscussion&gt;Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.
- 
- At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.
- 
--Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000135</ident><ident system="http://iase.disa.mil/cci">CCI-000172</ident><ident system="http://iase.disa.mil/cci">CCI-002884</ident><fixtext fixref="F-78537r4_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "crontab" command occur. 
-+When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
-+
-+Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000135</ident><ident system="http://iase.disa.mil/cci">CCI-000172</ident><ident system="http://iase.disa.mil/cci">CCI-002884</ident><fixtext fixref="F-78537r5_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "crontab" command occur. 
- 
- Add or update the following rule in "/etc/audit/rules.d/audit.rules": 
- 
---a always,exit -F path=/usr/bin/crontab -F auid&gt;=1000 -F auid!=4294967295 -k privileged-cron
-+-a always,exit -F path=/usr/bin/crontab -F auid&gt;=1000 -F auid!=unset -k privileged-cron
- 
--The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-78537r4_fix" /><check system="C-72417r4_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system generates audit records when successful/unsuccessful attempts to use the "crontab" command occur. 
-+The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-78537r5_fix" /><check system="C-72417r5_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system generates audit records when successful/unsuccessful attempts to use the "crontab" command occur. 
- 
- Check that the following system call is being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules": 
- 
- # grep -iw /usr/bin/crontab /etc/audit/audit.rules
- 
---a always,exit -F path=/usr/bin/crontab -F auid&gt;=1000 -F auid!=4294967295 -k privileged-cron
-+-a always,exit -F path=/usr/bin/crontab -F auid&gt;=1000 -F auid!=unset -k privileged-cron
-+
-+If the command does not return any output, this is a finding.</check-content></check></Rule></Group><Group id="V-72185"><title>SRG-OS-000471-GPOS-00215</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86809r5_rule" severity="medium" weight="10.0"><version>RHEL-07-030810</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the pam_timestamp_check command.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
- 
--If the command does not return any output, this is a finding.</check-content></check></Rule></Group><Group id="V-72185"><title>SRG-OS-000471-GPOS-00215</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86809r4_rule" severity="medium" weight="10.0"><version>RHEL-07-030810</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the pam_timestamp_check command.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000172</ident><fixtext fixref="F-78539r4_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "pam_timestamp_check" command occur. 
-+When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000172</ident><fixtext fixref="F-78539r5_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "pam_timestamp_check" command occur. 
- 
- Add or update the following rule in "/etc/audit/rules.d/audit.rules": 
- 
---a always,exit -F path=/usr/sbin/pam_timestamp_check -F auid&gt;=1000 -F auid!=4294967295 -k privileged-pam
-+-a always,exit -F path=/usr/sbin/pam_timestamp_check -F auid&gt;=1000 -F auid!=unset -k privileged-pam
- 
--The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-78539r4_fix" /><check system="C-72419r5_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system generates audit records when successful/unsuccessful attempts to use the "pam_timestamp_check" command occur. 
-+The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-78539r5_fix" /><check system="C-72419r6_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system generates audit records when successful/unsuccessful attempts to use the "pam_timestamp_check" command occur. 
- 
- Check the auditing rules in "/etc/audit/audit.rules" with the following command:
- 
- # grep -iw "/usr/sbin/pam_timestamp_check" /etc/audit/audit.rules
- 
---a always,exit -F path=/usr/sbin/pam_timestamp_check -F auid&gt;=1000 -F auid!=4294967295 -k privileged-pam 
-+-a always,exit -F path=/usr/sbin/pam_timestamp_check -F auid&gt;=1000 -F auid!=unset -k privileged-pam 
- 
- If the command does not return any output, this is a finding.</check-content></check></Rule></Group><Group id="V-72187"><title>SRG-OS-000471-GPOS-00216</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86811r5_rule" severity="medium" weight="10.0"><version>RHEL-07-030820</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the init_module syscall.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. 
- 
-@@ -3016,23 +3051,25 @@ Check the auditing rules in "/etc/audit/audit.rules" with the following command:
- 
- -a always,exit -F arch=b64 -S delete_module -k module-change
- 
--If both the "b32" and "b64" audit rules are not defined for the "delete_module" syscall, this is a finding.</check-content></check></Rule></Group><Group id="V-72191"><title>SRG-OS-000471-GPOS-00216</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86815r5_rule" severity="medium" weight="10.0"><version>RHEL-07-030840</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the kmod command.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. 
-+If both the "b32" and "b64" audit rules are not defined for the "delete_module" syscall, this is a finding.</check-content></check></Rule></Group><Group id="V-72191"><title>SRG-OS-000471-GPOS-00216</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86815r6_rule" severity="medium" weight="10.0"><version>RHEL-07-030840</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the kmod command.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. 
- 
- Audit records can be generated from various components within the information system (e.g., module or policy filter).
- 
--Satisfies: SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000172</ident><fixtext fixref="F-78545r10_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "kmod" command occur. 
-+When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
-+
-+Satisfies: SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000172</ident><fixtext fixref="F-78545r11_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "kmod" command occur. 
- 
- Add or update the following rule in "/etc/audit/rules.d/audit.rules":
- 
---w /usr/bin/kmod -p x -F auid!=4294967295 -k module-change
-+-w /usr/bin/kmod -p x -F auid!=unset -k module-change
- 
--The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-78545r10_fix" /><check system="C-72425r7_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system generates audit records when successful/unsuccessful attempts to use the "kmod" command occur. 
-+The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-78545r11_fix" /><check system="C-72425r8_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system generates audit records when successful/unsuccessful attempts to use the "kmod" command occur. 
- 
- Check the auditing rules in "/etc/audit/audit.rules" with the following command:
- 
- # grep -iw kmod /etc/audit/audit.rules
- 
---w /usr/bin/kmod -p x -F auid!=4294967295 -k module-change
-+-w /usr/bin/kmod -p x -F auid!=unset -k module-change
- 
- If the command does not return any output, this is a finding.</check-content></check></Rule></Group><Group id="V-72197"><title>SRG-OS-000004-GPOS-00004</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86821r5_rule" severity="medium" weight="10.0"><version>RHEL-07-030870</version><title>The Red Hat Enterprise Linux operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
- 
-@@ -3052,105 +3089,115 @@ Check the auditing rules in "/etc/audit/audit.rules" with the following command:
- 
- -w /etc/passwd -p wa -k identity
- 
--If the command does not return a line, or the line is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-72199"><title>SRG-OS-000466-GPOS-00210</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86823r5_rule" severity="medium" weight="10.0"><version>RHEL-07-030880</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the rename syscall.</title><description>&lt;VulnDiscussion&gt;If the system is not configured to audit certain activities and write them to an audit log, it is more difficult to detect and track system compromises and damages incurred during a system compromise.
-+If the command does not return a line, or the line is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-72199"><title>SRG-OS-000466-GPOS-00210</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86823r6_rule" severity="medium" weight="10.0"><version>RHEL-07-030880</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the rename syscall.</title><description>&lt;VulnDiscussion&gt;If the system is not configured to audit certain activities and write them to an audit log, it is more difficult to detect and track system compromises and damages incurred during a system compromise.
-+
-+When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
- 
--Satisfies: SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00210, SRG-OS-000468-GPOS-00212, SRG-OS-000392-GPOS-00172&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000172</ident><ident system="http://iase.disa.mil/cci">CCI-002884</ident><fixtext fixref="F-78553r7_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "rename" syscall occur.
-+Satisfies: SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00211, SRG-OS-000468-GPOS-00212, SRG-OS-000392-GPOS-00172&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000172</ident><ident system="http://iase.disa.mil/cci">CCI-002884</ident><fixtext fixref="F-78553r8_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "rename" syscall occur.
- 
- Add the following rules in "/etc/audit/rules.d/audit.rules":
- 
---a always,exit -F arch=b32 -S rename -F auid&gt;=1000 -F auid!=4294967295 -k delete
-+-a always,exit -F arch=b32 -S rename -F auid&gt;=1000 -F auid!=unset -k delete
- 
---a always,exit -F arch=b64 -S rename -F auid&gt;=1000 -F auid!=4294967295 -k delete
-+-a always,exit -F arch=b64 -S rename -F auid&gt;=1000 -F auid!=unset -k delete
- 
--The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-78553r7_fix" /><check system="C-72433r6_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system generates audit records when successful/unsuccessful attempts to use the "rename" syscall occur.
-+The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-78553r8_fix" /><check system="C-72433r7_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system generates audit records when successful/unsuccessful attempts to use the "rename" syscall occur.
- 
- Check the file system rules in "/etc/audit/audit.rules" with the following commands:
- 
- # grep -iw rename /etc/audit/audit.rules
- 
---a always,exit -F arch=b32 -S rename -F auid&gt;=1000 -F auid!=4294967295 -k delete
-+-a always,exit -F arch=b32 -S rename -F auid&gt;=1000 -F auid!=unset -k delete
-+
-+-a always,exit -F arch=b64 -S rename -F auid&gt;=1000 -F auid!=unset -k delete
- 
---a always,exit -F arch=b64 -S rename -F auid&gt;=1000 -F auid!=4294967295 -k delete
-+If both the "b32" and "b64" audit rules are not defined for the "rename" syscall, this is a finding.</check-content></check></Rule></Group><Group id="V-72201"><title>SRG-OS-000466-GPOS-00210</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86825r6_rule" severity="medium" weight="10.0"><version>RHEL-07-030890</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the renameat syscall.</title><description>&lt;VulnDiscussion&gt;If the system is not configured to audit certain activities and write them to an audit log, it is more difficult to detect and track system compromises and damages incurred during a system compromise.
- 
--If both the "b32" and "b64" audit rules are not defined for the "rename" syscall, this is a finding.</check-content></check></Rule></Group><Group id="V-72201"><title>SRG-OS-000466-GPOS-00210</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86825r5_rule" severity="medium" weight="10.0"><version>RHEL-07-030890</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the renameat syscall.</title><description>&lt;VulnDiscussion&gt;If the system is not configured to audit certain activities and write them to an audit log, it is more difficult to detect and track system compromises and damages incurred during a system compromise.
-+When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
- 
--Satisfies: SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00210, SRG-OS-000468-GPOS-00212, SRG-OS-000392-GPOS-00172&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000172</ident><ident system="http://iase.disa.mil/cci">CCI-002884</ident><fixtext fixref="F-78555r8_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "renameat" syscall occur.
-+Satisfies: SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00211, SRG-OS-000468-GPOS-00212, SRG-OS-000392-GPOS-00172&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000172</ident><ident system="http://iase.disa.mil/cci">CCI-002884</ident><fixtext fixref="F-78555r9_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "renameat" syscall occur.
- 
- Add the following rules in "/etc/audit/rules.d/audit.rules":
- 
---a always,exit -F arch=b32 -S renameat -F auid&gt;=1000 -F auid!=4294967295 -k delete
-+-a always,exit -F arch=b32 -S renameat -F auid&gt;=1000 -F auid!=unset -k delete
- 
---a always,exit -F arch=b64 -S renameat -F auid&gt;=1000 -F auid!=4294967295 -k delete
-+-a always,exit -F arch=b64 -S renameat -F auid&gt;=1000 -F auid!=unset -k delete
- 
--The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-78555r8_fix" /><check system="C-72435r7_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system generates audit records when successful/unsuccessful attempts to use the "renameat" syscall occur.
-+The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-78555r9_fix" /><check system="C-72435r8_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system generates audit records when successful/unsuccessful attempts to use the "renameat" syscall occur.
- 
- Check the file system rules in "/etc/audit/audit.rules" with the following commands:
- 
- # grep -iw renameat /etc/audit/audit.rules
- 
---a always,exit -F arch=b32 -S renameat -F auid&gt;=1000 -F auid!=4294967295 -k delete
-+-a always,exit -F arch=b32 -S renameat -F auid&gt;=1000 -F auid!=unset -k delete
- 
---a always,exit -F arch=b64 -S renameat -F auid&gt;=1000 -F auid!=4294967295 -k delete
-+-a always,exit -F arch=b64 -S renameat -F auid&gt;=1000 -F auid!=unset -k delete
- 
--If both the "b32" and "b64" audit rules are not defined for the "renameat" syscall, this is a finding.</check-content></check></Rule></Group><Group id="V-72203"><title>SRG-OS-000466-GPOS-00210</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86827r5_rule" severity="medium" weight="10.0"><version>RHEL-07-030900</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the rmdir syscall.</title><description>&lt;VulnDiscussion&gt;If the system is not configured to audit certain activities and write them to an audit log, it is more difficult to detect and track system compromises and damages incurred during a system compromise.
-+If both the "b32" and "b64" audit rules are not defined for the "renameat" syscall, this is a finding.</check-content></check></Rule></Group><Group id="V-72203"><title>SRG-OS-000466-GPOS-00210</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86827r6_rule" severity="medium" weight="10.0"><version>RHEL-07-030900</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the rmdir syscall.</title><description>&lt;VulnDiscussion&gt;If the system is not configured to audit certain activities and write them to an audit log, it is more difficult to detect and track system compromises and damages incurred during a system compromise.
- 
--Satisfies: SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00210, SRG-OS-000468-GPOS-00212, SRG-OS-000392-GPOS-00172&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000172</ident><ident system="http://iase.disa.mil/cci">CCI-002884</ident><fixtext fixref="F-78557r9_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "rmdir" syscall occur.
-+When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
-+
-+Satisfies: SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00211, SRG-OS-000468-GPOS-00212, SRG-OS-000392-GPOS-00172&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000172</ident><ident system="http://iase.disa.mil/cci">CCI-002884</ident><fixtext fixref="F-78557r10_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "rmdir" syscall occur.
- 
- Add the following rules in "/etc/audit/rules.d/audit.rules":
- 
---a always,exit -F arch=b32 -S rmdir -F auid&gt;=1000 -F auid!=4294967295 -k delete
-+-a always,exit -F arch=b32 -S rmdir -F auid&gt;=1000 -F auid!=unset -k delete
- 
---a always,exit -F arch=b64 -S rmdir -F auid&gt;=1000 -F auid!=4294967295 -k delete
-+-a always,exit -F arch=b64 -S rmdir -F auid&gt;=1000 -F auid!=unset -k delete
- 
--The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-78557r9_fix" /><check system="C-72437r6_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system generates audit records when successful/unsuccessful attempts to use the "rmdir" syscall occur.
-+The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-78557r10_fix" /><check system="C-72437r7_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system generates audit records when successful/unsuccessful attempts to use the "rmdir" syscall occur.
- 
- Check the file system rules in "/etc/audit/audit.rules" with the following commands:
- 
- # grep -iw rmdir /etc/audit/audit.rules
- 
---a always,exit -F arch=b32 -S rmdir -F auid&gt;=1000 -F auid!=4294967295 -k delete
-+-a always,exit -F arch=b32 -S rmdir -F auid&gt;=1000 -F auid!=unset -k delete
-+
-+-a always,exit -F arch=b64 -S rmdir -F auid&gt;=1000 -F auid!=unset -k delete
- 
---a always,exit -F arch=b64 -S rmdir -F auid&gt;=1000 -F auid!=4294967295 -k delete
-+If both the "b32" and "b64" audit rules are not defined for the "rmdir" syscall, this is a finding.</check-content></check></Rule></Group><Group id="V-72205"><title>SRG-OS-000466-GPOS-00210</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86829r6_rule" severity="medium" weight="10.0"><version>RHEL-07-030910</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the unlink syscall.</title><description>&lt;VulnDiscussion&gt;If the system is not configured to audit certain activities and write them to an audit log, it is more difficult to detect and track system compromises and damages incurred during a system compromise.
- 
--If both the "b32" and "b64" audit rules are not defined for the "rmdir" syscall, this is a finding.</check-content></check></Rule></Group><Group id="V-72205"><title>SRG-OS-000466-GPOS-00210</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86829r5_rule" severity="medium" weight="10.0"><version>RHEL-07-030910</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the unlink syscall.</title><description>&lt;VulnDiscussion&gt;If the system is not configured to audit certain activities and write them to an audit log, it is more difficult to detect and track system compromises and damages incurred during a system compromise.
-+When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
- 
--Satisfies: SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00210, SRG-OS-000468-GPOS-00212, SRG-OS-000392-GPOS-00172&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000172</ident><ident system="http://iase.disa.mil/cci">CCI-002884</ident><fixtext fixref="F-78559r7_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "unlink" syscall occur.
-+Satisfies: SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00211, SRG-OS-000468-GPOS-00212, SRG-OS-000392-GPOS-00172&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000172</ident><ident system="http://iase.disa.mil/cci">CCI-002884</ident><fixtext fixref="F-78559r8_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "unlink" syscall occur.
- 
- Add the following rules in "/etc/audit/rules.d/audit.rules":
- 
---a always,exit -F arch=b32 -S unlink -F auid&gt;=1000 -F auid!=4294967295 -k delete
-+-a always,exit -F arch=b32 -S unlink -F auid&gt;=1000 -F auid!=unset -k delete
- 
---a always,exit -F arch=b64 -S unlink -F auid&gt;=1000 -F auid!=4294967295 -k delete
-+-a always,exit -F arch=b64 -S unlink -F auid&gt;=1000 -F auid!=unset -k delete
- 
--The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-78559r7_fix" /><check system="C-72439r6_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system generates audit records when successful/unsuccessful attempts to use the "unlink" syscall occur.
-+The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-78559r8_fix" /><check system="C-72439r7_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system generates audit records when successful/unsuccessful attempts to use the "unlink" syscall occur.
- 
- Check the file system rules in "/etc/audit/audit.rules" with the following commands:
- 
- # grep -iw unlink /etc/audit/audit.rules
- 
---a always,exit -F arch=b32 -S unlink -F auid&gt;=1000 -F auid!=4294967295 -k delete
-+-a always,exit -F arch=b32 -S unlink -F auid&gt;=1000 -F auid!=unset -k delete
-+
-+-a always,exit -F arch=b64 -S unlink -F auid&gt;=1000 -F auid!=unset -k delete
- 
---a always,exit -F arch=b64 -S unlink -F auid&gt;=1000 -F auid!=4294967295 -k delete
-+If both the "b32" and "b64" audit rules are not defined for the "unlink" syscall, this is a finding.</check-content></check></Rule></Group><Group id="V-72207"><title>SRG-OS-000466-GPOS-00210</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86831r6_rule" severity="medium" weight="10.0"><version>RHEL-07-030920</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the unlinkat syscall.</title><description>&lt;VulnDiscussion&gt;If the system is not configured to audit certain activities and write them to an audit log, it is more difficult to detect and track system compromises and damages incurred during a system compromise.
- 
--If both the "b32" and "b64" audit rules are not defined for the "unlink" syscall, this is a finding.</check-content></check></Rule></Group><Group id="V-72207"><title>SRG-OS-000466-GPOS-00210</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86831r5_rule" severity="medium" weight="10.0"><version>RHEL-07-030920</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the unlinkat syscall.</title><description>&lt;VulnDiscussion&gt;If the system is not configured to audit certain activities and write them to an audit log, it is more difficult to detect and track system compromises and damages incurred during a system compromise.
-+When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
- 
--Satisfies: SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00210, SRG-OS-000468-GPOS-00212, SRG-OS-000392-GPOS-00172&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000172</ident><ident system="http://iase.disa.mil/cci">CCI-002884</ident><fixtext fixref="F-78561r10_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "unlinkat" syscall occur.
-+Satisfies: SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00211, SRG-OS-000468-GPOS-00212, SRG-OS-000392-GPOS-00172&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000172</ident><ident system="http://iase.disa.mil/cci">CCI-002884</ident><fixtext fixref="F-78561r11_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "unlinkat" syscall occur.
- 
- Add the following rules in "/etc/audit/rules.d/audit.rules":
- 
---a always,exit -F arch=b32 -S unlinkat -F auid&gt;=1000 -F auid!=4294967295 -k delete
-+-a always,exit -F arch=b32 -S unlinkat -F auid&gt;=1000 -F auid!=unset -k delete
- 
---a always,exit -F arch=b64 -S unlinkat -F auid&gt;=1000 -F auid!=4294967295 -k delete
-+-a always,exit -F arch=b64 -S unlinkat -F auid&gt;=1000 -F auid!=unset -k delete
- 
--The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-78561r10_fix" /><check system="C-72441r7_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system generates audit records when successful/unsuccessful attempts to use the "unlinkat" syscall occur.
-+The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-78561r11_fix" /><check system="C-72441r8_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system generates audit records when successful/unsuccessful attempts to use the "unlinkat" syscall occur.
- 
- Check the file system rules in "/etc/audit/audit.rules" with the following commands:
- 
- # grep -iw unlinkat /etc/audit/audit.rules
- 
---a always,exit -F arch=b32 -S unlinkat -F auid&gt;=1000 -F auid!=4294967295 -k delete
-+-a always,exit -F arch=b32 -S unlinkat -F auid&gt;=1000 -F auid!=unset -k delete
- 
---a always,exit -F arch=b64 -S unlinkat -F auid&gt;=1000 -F auid!=4294967295 -k delete
-+-a always,exit -F arch=b64 -S unlinkat -F auid&gt;=1000 -F auid!=unset -k delete
- 
- If both the "b32" and "b64" audit rules are not defined for the "unlinkat" syscall, this is a finding.</check-content></check></Rule></Group><Group id="V-72209"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86833r2_rule" severity="medium" weight="10.0"><version>RHEL-07-031000</version><title>The Red Hat Enterprise Linux operating system must send rsyslog output to a log aggregation server.</title><description>&lt;VulnDiscussion&gt;Sending rsyslog output to another system ensures that the logs cannot be removed or modified in the event that the system is compromised or has a hardware failure.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000366</ident><fixtext fixref="F-78563r2_fix">Modify the "/etc/rsyslog.conf" or an "/etc/rsyslog.d/*.conf" file to contain a configuration line to send all "rsyslog" output to a log aggregation system:
- *.* @@&lt;log aggregation system name&gt;</fixtext><fix id="F-78563r2_fix" /><check system="C-72443r2_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify "rsyslog" is configured to send all messages to a log aggregation server.
-@@ -3245,29 +3292,31 @@ Inspect the "Ciphers" configuration with the following command:
- # grep -i ciphers /etc/ssh/sshd_config
- Ciphers aes128-ctr,aes192-ctr,aes256-ctr
- 
--If any ciphers other than "aes128-ctr", "aes192-ctr", or "aes256-ctr" are listed, the "Ciphers" keyword is missing, or the returned line is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-72223"><title>SRG-OS-000163-GPOS-00072</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86847r4_rule" severity="medium" weight="10.0"><version>RHEL-07-040160</version><title>The Red Hat Enterprise Linux operating system must be configured so that all network connections associated with a communication session are terminated at the end of the session or after 10 minutes of inactivity from the user at a command prompt, except to fulfill documented and validated mission requirements.</title><description>&lt;VulnDiscussion&gt;Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle session will also free up resources committed by the managed network element. 
-+If any ciphers other than "aes128-ctr", "aes192-ctr", or "aes256-ctr" are listed, the "Ciphers" keyword is missing, or the returned line is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-72223"><title>SRG-OS-000163-GPOS-00072</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86847r5_rule" severity="medium" weight="10.0"><version>RHEL-07-040160</version><title>The Red Hat Enterprise Linux operating system must be configured so that all network connections associated with a communication session are terminated at the end of the session or after 15 minutes of inactivity from the user at a command prompt, except to fulfill documented and validated mission requirements.</title><description>&lt;VulnDiscussion&gt;Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle session will also free up resources committed by the managed network element. 
- 
--Terminating network connections associated with communications sessions includes, for example, de-allocating associated TCP/IP address/port pairs at the operating system level and de-allocating networking assignments at the application level if multiple application sessions are using a single operating system-level network connection. This does not mean that the operating system terminates all sessions or network access; it only ends the inactive session and releases the resources associated with that session.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-001133</ident><ident system="http://iase.disa.mil/cci">CCI-002361</ident><fixtext fixref="F-78577r5_fix">Configure the operating system to terminate all network connections associated with a communications session at the end of the session or after a period of inactivity.
-+Terminating network connections associated with communications sessions includes, for example, de-allocating associated TCP/IP address/port pairs at the operating system level and de-allocating networking assignments at the application level if multiple application sessions are using a single operating system-level network connection. This does not mean that the operating system terminates all sessions or network access; it only ends the inactive session and releases the resources associated with that session.
-+
-+Satisfies: SRG-OS-000029-GPOS-00010, SRG-OS-000163-GPOS-00072&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000057</ident><ident system="http://iase.disa.mil/cci">CCI-001133</ident><ident system="http://iase.disa.mil/cci">CCI-002361</ident><fixtext fixref="F-78577r6_fix">Configure the operating system to terminate all network connections associated with a communications session at the end of the session or after a period of inactivity.
- 
- Create a script to enforce the inactivity timeout (for example /etc/profile.d/tmout.sh) such as:
- 
- #!/bin/bash
- 
--TMOUT=600
-+TMOUT=900
- readonly TMOUT
--export TMOUT</fixtext><fix id="F-78577r5_fix" /><check system="C-72457r4_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system terminates all network connections associated with a communications session at the end of the session or based on inactivity.
-+export TMOUT</fixtext><fix id="F-78577r6_fix" /><check system="C-72457r5_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system terminates all network connections associated with a communications session at the end of the session or based on inactivity.
- 
- Check the value of the system inactivity timeout with the following command:
- 
- # grep -i tmout /etc/profile.d/*
- 
--etc/profile.d/tmout.sh:TMOUT=600
-+etc/profile.d/tmout.sh:TMOUT=900
- 
- /etc/profile.d/tmout.sh:readonly TMOUT
- 
- /etc/profile.d/tmout.sh:export TMOUT
- 
--If "TMOUT" is not set to "600" or less in a script located in the /etc/profile.d/ directory to enforce session termination after inactivity, this is a finding.</check-content></check></Rule></Group><Group id="V-72225"><title>SRG-OS-000023-GPOS-00006</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86849r5_rule" severity="medium" weight="10.0"><version>RHEL-07-040170</version><title>The Red Hat Enterprise Linux operating system must display the Standard Mandatory DoD Notice and Consent Banner immediately prior to, or as part of, remote access logon prompts.</title><description>&lt;VulnDiscussion&gt;Display of a standardized and approved use notification before granting access to the publicly accessible operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.
-+If "TMOUT" is not set to "900" or less in a script located in the /etc/profile.d/ directory to enforce session termination after inactivity, this is a finding.</check-content></check></Rule></Group><Group id="V-72225"><title>SRG-OS-000023-GPOS-00006</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86849r5_rule" severity="medium" weight="10.0"><version>RHEL-07-040170</version><title>The Red Hat Enterprise Linux operating system must display the Standard Mandatory DoD Notice and Consent Banner immediately prior to, or as part of, remote access logon prompts.</title><description>&lt;VulnDiscussion&gt;Display of a standardized and approved use notification before granting access to the publicly accessible operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.
- 
- System use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist.
- 
-@@ -4729,63 +4778,32 @@ Verify that the "root" account is set as the "superusers":
-     set superusers="root"
-     export superusers
- 
--If "superusers" is not set to "root", this is a finding.</check-content></check></Rule></Group><Group id="V-81009"><title>SRG-OS-000368-GPOS-00154</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-95721r2_rule" severity="low" weight="10.0"><version>RHEL-07-021022</version><title>The Red Hat Enterprise Linux operating system must mount /dev/shm with the nodev option.</title><description>&lt;VulnDiscussion&gt;The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-001764</ident><fixtext fixref="F-87843r2_fix">Configure the system so that /dev/shm is mounted with the "nodev" option.</fixtext><fix id="F-87843r2_fix" /><check system="C-80723r2_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify that the "nodev" option is configured for /dev/shm:
--
-+If "superusers" is not set to "root", this is a finding.</check-content></check></Rule></Group><Group id="V-81013"><title>SRG-OS-000368-GPOS-00154</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-95725r3_rule" severity="low" weight="10.0"><version>RHEL-07-021024</version><title>The Red Hat Enterprise Linux operating system must mount /dev/shm with secure options.</title><description>&lt;VulnDiscussion&gt;The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.
- 
--# cat /etc/fstab | grep /dev/shm
--tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0
--
--If any results are returned and the "nodev" option is not listed, this is a finding.
--
--Verify "/dev/shm" is mounted with the "nodev" option:
-+The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.
- 
--# mount | grep "/dev/shm" | grep nodev
-+The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-001764</ident><fixtext fixref="F-87847r3_fix">Configure the system so that /dev/shm is mounted with the "nodev", "nosuid", and "noexec" options by adding /modifying the /etc/fstab with the following line:
- 
--If no results are returned, this is a finding.</check-content></check></Rule></Group><Group id="V-81011"><title>SRG-OS-000368-GPOS-00154</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-95723r2_rule" severity="low" weight="10.0"><version>RHEL-07-021023</version><title>The Red Hat Enterprise Linux operating system must mount /dev/shm with the nosuid option.</title><description>&lt;VulnDiscussion&gt;The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-001764</ident><fixtext fixref="F-87845r2_fix">Configure the system so that /dev/shm is mounted with the "nosuid" option.</fixtext><fix id="F-87845r2_fix" /><check system="C-80725r2_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify that the "nosuid" option is configured for /dev/shm:
-+tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0</fixtext><fix id="F-87847r3_fix" /><check system="C-80727r3_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify that the "nodev","nosuid", and "noexec" options are configured for /dev/shm:
- 
- # cat /etc/fstab | grep /dev/shm
- 
- tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0
- 
--If any results are returned and the "nosuid" option is not listed, this is a finding.
-+If results are returned and the "nodev", "nosuid", or "noexec" options are missing, this is a finding.
- 
--Verify "/dev/shm" is mounted with the "nosuid" option:
-+Verify "/dev/shm" is mounted with the "nodev", "nosuid", and "noexec" options:
- 
--# mount | grep "/dev/shm" | grep nosuid
-+# mount | grep /dev/shm
- 
--If no results are returned, this is a finding.</check-content></check></Rule></Group><Group id="V-81013"><title>SRG-OS-000368-GPOS-00154</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-95725r2_rule" severity="low" weight="10.0"><version>RHEL-07-021024</version><title>The Red Hat Enterprise Linux operating system must mount /dev/shm with the noexec option.</title><description>&lt;VulnDiscussion&gt;The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-001764</ident><fixtext fixref="F-87847r2_fix">Configure the system so that /dev/shm is mounted with the "noexec" option.</fixtext><fix id="F-87847r2_fix" /><check system="C-80727r2_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify that the "noexec" option is configured for /dev/shm:
-+tmpfs on /dev/shm type tmpfs (rw,nodev,nosuid,noexec,seclabel)
- 
--# cat /etc/fstab | grep /dev/shm
--
--tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0
--
--If any results are returned and the "noexec" option is not listed, this is a finding.
--
--Verify "/dev/shm" is mounted with the "noexec" option:
--
--# mount | grep "/dev/shm" | grep noexec
--
--If no results are returned, this is a finding.</check-content></check></Rule></Group><Group id="V-81015"><title>SRG-OS-000342-GPOS-00133</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-95727r1_rule" severity="medium" weight="10.0"><version>RHEL-07-030200</version><title>The Red Hat Enterprise Linux operating system must be configured to use the au-remote plugin.</title><description>&lt;VulnDiscussion&gt;Information stored in one location is vulnerable to accidental or incidental deletion or alteration.
-+If /dev/shm is mounted without secure options "nodev", "nosuid", and "noexec", this is a finding.
-+</check-content></check></Rule></Group><Group id="V-81017"><title>SRG-OS-000342-GPOS-00133</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-95729r2_rule" severity="medium" weight="10.0"><version>RHEL-07-030201</version><title>The Red Hat Enterprise Linux operating system must be configured to off-load audit logs onto a different system or storage media from the system being audited.</title><description>&lt;VulnDiscussion&gt;Information stored in one location is vulnerable to accidental or incidental deletion or alteration.
- 
- Off-loading is a common process in information systems with limited audit storage capacity.
- 
--Without the configuration of the "au-remote" plugin, the audisp-remote daemon will not off-load the logs from the system being audited.
--
--Satisfies: SRG-OS-000342-GPOS-00133, SRG-OS-000479-GPOS-00224&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-001851</ident><fixtext fixref="F-87849r2_fix">Edit the /etc/audisp/plugins.d/au-remote.conf file and change the value of "active" to "yes".
--
--The audit daemon must be restarted for changes to take effect:
--
--# service auditd restart</fixtext><fix id="F-87849r2_fix" /><check system="C-80729r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the "au-remote" plugin is active on the system:
--
--# grep "active" /etc/audisp/plugins.d/au-remote.conf
--
--active = yes
--
--If the "active" setting is not set to "yes", or the line is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-81017"><title>SRG-OS-000342-GPOS-00133</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-95729r1_rule" severity="medium" weight="10.0"><version>RHEL-07-030201</version><title>The Red Hat Enterprise Linux operating system must configure the au-remote plugin to off-load audit logs using the audisp-remote daemon.</title><description>&lt;VulnDiscussion&gt;Information stored in one location is vulnerable to accidental or incidental deletion or alteration.
--
--Off-loading is a common process in information systems with limited audit storage capacity.
--
--Without the configuration of the "au-remote" plugin, the audisp-remote daemon will not off load the logs from the system being audited.
-+One method of off-loading audit logs in Red Hat Enterprise Linux is with the use of the audisp-remote dameon.  Without the configuration of the "au-remote" plugin, the audisp-remote daemon will not off load the logs from the system being audited.
- 
- Satisfies: SRG-OS-000342-GPOS-00133, SRG-OS-000479-GPOS-00224&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-001851</ident><fixtext fixref="F-87851r2_fix">Edit the /etc/audisp/plugins.d/au-remote.conf file and add or update the following values:
- 
-@@ -4795,7 +4813,7 @@ type = always
- 
- The audit daemon must be restarted for changes to take effect:
- 
--# service auditd restart</fixtext><fix id="F-87851r2_fix" /><check system="C-80731r2_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the "au-remote" plugin is configured to always off-load audit logs using the audisp-remote daemon:
-+# service auditd restart</fixtext><fix id="F-87851r2_fix" /><check system="C-80731r3_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the "au-remote" plugin is configured to always off-load audit logs using the audisp-remote daemon:
- 
- # cat /etc/audisp/plugins.d/au-remote.conf | grep -v "^#"
- 
-@@ -4805,11 +4823,9 @@ path = /sbin/audisp-remote
- type = always
- format = string
- 
--If the "direction" setting is not set to "out", or the line is commented out, this is a finding.
-+If "active" is not set to "yes", "direction" is not set to "out", "path" is not set to "/sbin/audisp-remote", "type" is not set to "always", or any of the lines are commented out, ask the System Administrator to indicate how the audit logs are off-loaded to a different system or storage media.
- 
--If the "path" setting is not set to "/sbin/audisp-remote", or the line is commented out, this is a finding.
--
--If the "type" setting is not set to "always", or the line is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-81019"><title>SRG-OS-000342-GPOS-00133</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-95731r1_rule" severity="medium" weight="10.0"><version>RHEL-07-030210</version><title>The Red Hat Enterprise Linux operating system must take appropriate action when the audisp-remote buffer is full.</title><description>&lt;VulnDiscussion&gt;Information stored in one location is vulnerable to accidental or incidental deletion or alteration.
-+If there is no evidence that the system is configured to off-load audit logs to a different system or storage media, this is a finding.</check-content></check></Rule></Group><Group id="V-81019"><title>SRG-OS-000342-GPOS-00133</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-95731r1_rule" severity="medium" weight="10.0"><version>RHEL-07-030210</version><title>The Red Hat Enterprise Linux operating system must take appropriate action when the audisp-remote buffer is full.</title><description>&lt;VulnDiscussion&gt;Information stored in one location is vulnerable to accidental or incidental deletion or alteration.
- 
- Off-loading is a common process in information systems with limited audit storage capacity.
- 
-@@ -4881,11 +4897,7 @@ Check that the operating system implements the accept source route variable with
- # /sbin/sysctl -a | grep net.ipv4.conf.default.rp_filter
- net.ipv4.conf.default.rp_filter = 1
- 
--If the returned line does not have a value of "1", this is a finding.</check-content></check></Rule></Group><Group id="V-92255"><title>SRG-OS-000196</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-102357r1_rule" severity="medium" weight="10.0"><version>RHEL-07-020019</version><title>The Red Hat Enterprise Linux operating system must have a host-based intrusion detection tool installed.</title><description>&lt;VulnDiscussion&gt;Adding host-based intrusion detection tools can provide the capability to automatically take actions in response to malicious behavior, which can provide additional agility in reacting to network threats. These tools also often include a reporting capability to provide network awareness of the system, which may not otherwise exist in an organization's systems management regime.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-001263</ident><fixtext fixref="F-98477r1_fix">Install and enable the latest McAfee HIPS package, available from USCYBERCOM.
--
--Note: If the system does not support the McAfee HIPS package, install and enable a supported intrusion detection system application and document its use with the Authorizing Official.</fixtext><fix id="F-98477r1_fix" /><check system="C-91435r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Ask the SA or ISSO if a host-based intrusion detection application is loaded on the system. Per OPORD 16-0080, the preferred intrusion detection system is McAfee HBSS available through the U.S. Cyber Command (USCYBERCOM).
--
--If another host-based intrusion detection application is in use, such as SELinux, this must be documented and approved by the local Authorizing Official.
-+If the returned line does not have a value of "1", this is a finding.</check-content></check></Rule></Group><Group id="V-92255"><title>SRG-OS-000196</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-102357r2_rule" severity="medium" weight="10.0"><version>RHEL-07-020019</version><title>The Red Hat Enterprise Linux operating system must have a host-based intrusion detection tool installed.</title><description>&lt;VulnDiscussion&gt;Adding host-based intrusion detection tools can provide the capability to automatically take actions in response to malicious behavior, which can provide additional agility in reacting to network threats. These tools also often include a reporting capability to provide network awareness of the system, which may not otherwise exist in an organization's systems management regime.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-001263</ident><fixtext fixref="F-98477r2_fix">Install and enable the latest McAfee HIPS package or McAfee ENSL.</fixtext><fix id="F-98477r2_fix" /><check system="C-91435r2_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Per OPORD 16-0080, the preferred intrusion detection system is McAfee Host Intrusion Prevention System (HIPS) in conjunction with SELinux. McAfee Endpoint Security for Linux (ENSL) is an approved alternative to McAfee Virus Scan Enterprise (VSE) and HIPS. For RHEL 7 systems, SELinux is an approved alternative to McAfee HIPS.
- 
- Procedure:
- Examine the system to determine if the Host Intrusion Prevention System (HIPS) is installed:
diff --git a/SOURCES/scap-security-guide-0.1.53-update_tftpd_uses_secure_mode-PR_6051.patch b/SOURCES/scap-security-guide-0.1.53-update_tftpd_uses_secure_mode-PR_6051.patch
deleted file mode 100644
index b77e10b..0000000
--- a/SOURCES/scap-security-guide-0.1.53-update_tftpd_uses_secure_mode-PR_6051.patch
+++ /dev/null
@@ -1,335 +0,0 @@
-From f3837e672c45e341da3f0d4425627a96104a6983 Mon Sep 17 00:00:00 2001
-From: Vojtech Polasek <vpolasek@redhat.com>
-Date: Tue, 8 Sep 2020 13:25:45 +0200
-Subject: [PATCH 1/6] introduce variable
-
----
- .../obsolete/tftp/tftpd_secure_directory.var       | 14 ++++++++++++++
- .../obsolete/tftp/tftpd_uses_secure_mode/rule.yml  |  7 +++----
- 2 files changed, 17 insertions(+), 4 deletions(-)
- create mode 100644 linux_os/guide/services/obsolete/tftp/tftpd_secure_directory.var
-
-diff --git a/linux_os/guide/services/obsolete/tftp/tftpd_secure_directory.var b/linux_os/guide/services/obsolete/tftp/tftpd_secure_directory.var
-new file mode 100644
-index 0000000000..6a5e29caa4
---- /dev/null
-+++ b/linux_os/guide/services/obsolete/tftp/tftpd_secure_directory.var
-@@ -0,0 +1,14 @@
-+documentation_complete: true
-+
-+title: 'TFTP server secure directory'
-+
-+description: "Specify the directory which is used by TFTP server as a root directory when running in secure mode."
-+
-+type: string
-+
-+operator: equals
-+
-+interactive: true
-+
-+options:
-+    default: /var/lib/tftpboot
-diff --git a/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/rule.yml b/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/rule.yml
-index ed64b15bef..10b8ab3a2b 100644
---- a/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/rule.yml
-+++ b/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/rule.yml
-@@ -8,8 +8,8 @@ description: |-
-     If running the <tt>tftp</tt> service is necessary, it should be configured
-     to change its root directory at startup. To do so, ensure
-     <tt>/etc/xinetd.d/tftp</tt> includes <tt>-s</tt> as a command line argument, as shown in
--    the following example (which is also the default):
--    <pre>server_args = -s /var/lib/tftpboot</pre>
-+    the following example:
-+    <pre>server_args = -s {{{ sub_var_value("tftpd_secure_directory") }}}</pre>
- 
- rationale: |-
-     Using the <tt>-s</tt> option causes the TFTP service to only serve files from the
-@@ -33,7 +33,6 @@ references:
-     srg@rhel6: SRG-OS-999999
-     disa: CCI-000366
-     nist: CM-6(b),AC-6,CM-7(a)
--
-     nist-csf: PR.AC-3,PR.AC-4,PR.DS-5,PR.IP-1,PR.PT-3,PR.PT-4
-     srg: SRG-OS-000480-GPOS-00227
-     stigid@rhel7: RHEL-07-040720
-@@ -56,4 +55,4 @@ ocil: |-
-     The output should indicate the <tt>server_args</tt> variable is configured
-     with the <tt>-s</tt> flag, matching the example below:
-     <pre>$ grep "server_args" /etc/xinetd.d/tftp
--    server_args = -s /var/lib/tftpboot</pre>
-+    server_args = -s {{{ sub_var_value("tftpd_secure_directory") }}}</pre>
-
-From bd3d3f90681f505ceff934e9d4c4d618bbc07474 Mon Sep 17 00:00:00 2001
-From: Vojtech Polasek <vpolasek@redhat.com>
-Date: Tue, 8 Sep 2020 13:26:06 +0200
-Subject: [PATCH 2/6] update oval
-
----
- .../tftp/tftpd_uses_secure_mode/oval/shared.xml        | 10 +++++++++-
- 1 file changed, 9 insertions(+), 1 deletion(-)
-
-diff --git a/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/oval/shared.xml b/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/oval/shared.xml
-index 363b499afa..9f42fcd043 100644
---- a/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/oval/shared.xml
-+++ b/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/oval/shared.xml
-@@ -17,10 +17,18 @@
-   </definition>
-   <ind:textfilecontent54_test check="all" comment="tftpd secure mode" id="test_tftpd_uses_secure_mode" version="1">
-     <ind:object object_ref="object_tftpd_uses_secure_mode" />
-+    <ind:state state_ref="state_tftpd_uses_secure_mode" />
-   </ind:textfilecontent54_test>
-   <ind:textfilecontent54_object id="object_tftpd_uses_secure_mode" version="1">
-     <ind:filepath>/etc/xinetd.d/tftp</ind:filepath>
--    <ind:pattern operation="pattern match">^[\s]*server_args[\s]+=.*[\s]+\-s[\s]+.+$</ind:pattern>
-+    <ind:pattern operation="pattern match">^[\s]*server_args[\s]+=[\s]+.*?-s[\s]+([/\.\w]+).*$</ind:pattern>
-     <ind:instance datatype="int">1</ind:instance>
-   </ind:textfilecontent54_object>
-+
-+  <ind:textfilecontent54_state id="state_tftpd_uses_secure_mode" version="1">
-+    <ind:subexpression datatype="int" operation="equals" var_check="all"
-+    var_ref="tftpd_secure_directory" />
-+  </ind:textfilecontent54_state>
-+
-+    <external_variable comment="TFTP server secure directory" datatype="string" id="tftpd_secure_directory" version="1" />
- </def-group>
-
-From 2a1e67365de4ea7b78ace2fb730b7192d9cb8a43 Mon Sep 17 00:00:00 2001
-From: Vojtech Polasek <vpolasek@redhat.com>
-Date: Tue, 8 Sep 2020 13:26:26 +0200
-Subject: [PATCH 3/6] update bash remediation
-
----
- .../tftp/tftpd_uses_secure_mode/bash/shared.sh     | 14 ++++++++++++++
- 1 file changed, 14 insertions(+)
- create mode 100644 linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/bash/shared.sh
-
-diff --git a/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/bash/shared.sh b/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/bash/shared.sh
-new file mode 100644
-index 0000000000..491d8e90d6
---- /dev/null
-+++ b/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/bash/shared.sh
-@@ -0,0 +1,14 @@
-+#!/bin/bash
-+# platform = Oracle Linux 7,Oracle Linux 8,Red Hat Enterprise Linux 6,Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,Red Hat Virtualization 4,WRLinux 1019
-+
-+. /usr/share/scap-security-guide/remediation_functions
-+
-+{{{ bash_instantiate_variables ("tftpd_secure_directory") }}}
-+
-+if grep -q 'server_args' /etc/xinetd.d/tftp; then
-+    sed -i -E "s;^([[:blank:]]*server_args[[:blank:]]+=[[:blank:]]+.*?)(-s[[:blank:]]+[[:graph:]]+)*(.*)$;\1 -s $tftpd_secure_directory \3;" /etc/xinetd.d/tftp
-+else
-+    echo "server_args = -s $tftpd_secure_directory" >> /etc/xinetd.d/tftp
-+fi
-+
-+
-
-From 649880f746bd80cb3e6a9ae3908ce422e03c1690 Mon Sep 17 00:00:00 2001
-From: Vojtech Polasek <vpolasek@redhat.com>
-Date: Tue, 8 Sep 2020 13:26:43 +0200
-Subject: [PATCH 4/6] add tests
-
----
- .../tftp/tftpd_uses_secure_mode/tests/correct.pass.sh    | 9 +++++++++
- .../tftpd_uses_secure_mode/tests/line_missing.fail.sh    | 7 +++++++
- .../tftp/tftpd_uses_secure_mode/tests/wrong.fail.sh      | 9 +++++++++
- 3 files changed, 25 insertions(+)
- create mode 100644 linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/tests/correct.pass.sh
- create mode 100644 linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/tests/line_missing.fail.sh
- create mode 100644 linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/tests/wrong.fail.sh
-
-diff --git a/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/tests/correct.pass.sh b/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/tests/correct.pass.sh
-new file mode 100644
-index 0000000000..392e68740f
---- /dev/null
-+++ b/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/tests/correct.pass.sh
-@@ -0,0 +1,9 @@
-+#!/bin/bash
-+
-+yum -y install tftp-server
-+
-+if grep -q 'server_args' /etc/xinetd.d/tftp; then
-+	sed -i 's/.*server_args.*/server_args = -s \/var\/lib\/tftpboot/' /etc/xinetd.d/tftp
-+else
-+	echo "server_args = -s /var/lib/tftpboot" >> /etc/xinetd.d/tftp
-+fi
-diff --git a/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/tests/line_missing.fail.sh b/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/tests/line_missing.fail.sh
-new file mode 100644
-index 0000000000..a342248240
---- /dev/null
-+++ b/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/tests/line_missing.fail.sh
-@@ -0,0 +1,7 @@
-+#!/bin/bash
-+
-+yum -y install tftp-server
-+
-+if grep -q 'server_args' /etc/xinetd.d/tftp; then
-+	sed -i '/.*server_args.*/d' /etc/xinetd.d/tftp
-+fi
-diff --git a/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/tests/wrong.fail.sh b/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/tests/wrong.fail.sh
-new file mode 100644
-index 0000000000..d9a9b4b622
---- /dev/null
-+++ b/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/tests/wrong.fail.sh
-@@ -0,0 +1,9 @@
-+#!/bin/bash
-+
-+yum -y install tftp-server
-+
-+if grep -q 'server_args' /etc/xinetd.d/tftp; then
-+	sed -i 's/.*server_args.*/server_args = --something/' /etc/xinetd.d/tftp
-+else
-+	echo "server_args = --something" >> /etc/xinetd.d/tftp
-+fi
-
-From 57554f1ba9fb7464c808f00d4bd26475451243b9 Mon Sep 17 00:00:00 2001
-From: Vojtech Polasek <vpolasek@redhat.com>
-Date: Tue, 8 Sep 2020 13:27:03 +0200
-Subject: [PATCH 5/6] add ansible remediation
-
----
- .../tftpd_uses_secure_mode/ansible/shared.yml | 31 +++++++++++++++++++
- 1 file changed, 31 insertions(+)
- create mode 100644 linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/ansible/shared.yml
-
-diff --git a/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/ansible/shared.yml b/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/ansible/shared.yml
-new file mode 100644
-index 0000000000..9f5bdea58e
---- /dev/null
-+++ b/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/ansible/shared.yml
-@@ -0,0 +1,31 @@
-+# platform = Oracle Linux 7,Oracle Linux 8,Red Hat Enterprise Linux 6,Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,Red Hat Virtualization 4,WRLinux 1019
-+# reboot = false
-+# complexity = low
-+# strategy = configure
-+# disruption = low
-+
-+{{{ ansible_instantiate_variables("tftpd_secure_directory") }}}
-+
-+- name: "Find out if the file exists and contains the line configuring server arguments"
-+  find:
-+    path: "/etc/xinetd.d"
-+    patterns: "tftp"
-+    contains: '^[\s]+server_args.*$'
-+  register: tftpd_secure_config_line
-+
-+- name: "Ensure that TFTP server is configured to start with secure directory"
-+  lineinfile:
-+    path: "/etc/xinetd.d/tftp"
-+    regexp: '^[\s]*(server_args[\s]+=[\s]+.*?)(-s[\s]+[/\.\w]+)*(.*)$'
-+    line: '\1 -s {{ tftpd_secure_directory }} \3'
-+    state: present
-+    backrefs: true
-+  when: tftpd_secure_config_line is defined and tftpd_secure_config_line.matched > 0
-+
-+- name: "Insert correct config line to start TFTP server with secure directory"
-+  lineinfile:
-+    path: "/etc/xinetd.d/tftp"
-+    line: "server_args = -s {{ tftpd_secure_directory }}"
-+    state: present
-+    create: true
-+  when: tftpd_secure_config_line is defined and tftpd_secure_config_line.matched == 0
-
-From df97d24f0cfd1a182925d1ddf0d72a02caa943bf Mon Sep 17 00:00:00 2001
-From: Vojtech Polasek <vpolasek@redhat.com>
-Date: Wed, 9 Sep 2020 09:36:25 +0200
-Subject: [PATCH 6/6] rename variable
-
----
- .../obsolete/tftp/tftpd_uses_secure_mode/ansible/shared.yml | 6 +++---
- .../obsolete/tftp/tftpd_uses_secure_mode/bash/shared.sh     | 6 +++---
- .../obsolete/tftp/tftpd_uses_secure_mode/oval/shared.xml    | 4 ++--
- .../services/obsolete/tftp/tftpd_uses_secure_mode/rule.yml  | 4 ++--
- ..._secure_directory.var => var_tftpd_secure_directory.var} | 0
- 5 files changed, 10 insertions(+), 10 deletions(-)
- rename linux_os/guide/services/obsolete/tftp/{tftpd_secure_directory.var => var_tftpd_secure_directory.var} (100%)
-
-diff --git a/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/ansible/shared.yml b/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/ansible/shared.yml
-index 9f5bdea58e..604491357e 100644
---- a/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/ansible/shared.yml
-+++ b/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/ansible/shared.yml
-@@ -4,7 +4,7 @@
- # strategy = configure
- # disruption = low
- 
--{{{ ansible_instantiate_variables("tftpd_secure_directory") }}}
-+{{{ ansible_instantiate_variables("var_tftpd_secure_directory") }}}
- 
- - name: "Find out if the file exists and contains the line configuring server arguments"
-   find:
-@@ -17,7 +17,7 @@
-   lineinfile:
-     path: "/etc/xinetd.d/tftp"
-     regexp: '^[\s]*(server_args[\s]+=[\s]+.*?)(-s[\s]+[/\.\w]+)*(.*)$'
--    line: '\1 -s {{ tftpd_secure_directory }} \3'
-+    line: '\1 -s {{ var_tftpd_secure_directory }} \3'
-     state: present
-     backrefs: true
-   when: tftpd_secure_config_line is defined and tftpd_secure_config_line.matched > 0
-@@ -25,7 +25,7 @@
- - name: "Insert correct config line to start TFTP server with secure directory"
-   lineinfile:
-     path: "/etc/xinetd.d/tftp"
--    line: "server_args = -s {{ tftpd_secure_directory }}"
-+    line: "server_args = -s {{ var_tftpd_secure_directory }}"
-     state: present
-     create: true
-   when: tftpd_secure_config_line is defined and tftpd_secure_config_line.matched == 0
-diff --git a/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/bash/shared.sh b/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/bash/shared.sh
-index 491d8e90d6..3f0881a320 100644
---- a/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/bash/shared.sh
-+++ b/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/bash/shared.sh
-@@ -3,12 +3,12 @@
- 
- . /usr/share/scap-security-guide/remediation_functions
- 
--{{{ bash_instantiate_variables ("tftpd_secure_directory") }}}
-+{{{ bash_instantiate_variables ("var_tftpd_secure_directory") }}}
- 
- if grep -q 'server_args' /etc/xinetd.d/tftp; then
--    sed -i -E "s;^([[:blank:]]*server_args[[:blank:]]+=[[:blank:]]+.*?)(-s[[:blank:]]+[[:graph:]]+)*(.*)$;\1 -s $tftpd_secure_directory \3;" /etc/xinetd.d/tftp
-+    sed -i -E "s;^([[:blank:]]*server_args[[:blank:]]+=[[:blank:]]+.*?)(-s[[:blank:]]+[[:graph:]]+)*(.*)$;\1 -s $var_tftpd_secure_directory \3;" /etc/xinetd.d/tftp
- else
--    echo "server_args = -s $tftpd_secure_directory" >> /etc/xinetd.d/tftp
-+    echo "server_args = -s $var_tftpd_secure_directory" >> /etc/xinetd.d/tftp
- fi
- 
- 
-diff --git a/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/oval/shared.xml b/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/oval/shared.xml
-index 9f42fcd043..2268a49467 100644
---- a/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/oval/shared.xml
-+++ b/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/oval/shared.xml
-@@ -27,8 +27,8 @@
- 
-   <ind:textfilecontent54_state id="state_tftpd_uses_secure_mode" version="1">
-     <ind:subexpression datatype="int" operation="equals" var_check="all"
--    var_ref="tftpd_secure_directory" />
-+    var_ref="var_tftpd_secure_directory" />
-   </ind:textfilecontent54_state>
- 
--    <external_variable comment="TFTP server secure directory" datatype="string" id="tftpd_secure_directory" version="1" />
-+    <external_variable comment="TFTP server secure directory" datatype="string" id="var_tftpd_secure_directory" version="1" />
- </def-group>
-diff --git a/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/rule.yml b/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/rule.yml
-index 10b8ab3a2b..002e78535e 100644
---- a/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/rule.yml
-+++ b/linux_os/guide/services/obsolete/tftp/tftpd_uses_secure_mode/rule.yml
-@@ -9,7 +9,7 @@ description: |-
-     to change its root directory at startup. To do so, ensure
-     <tt>/etc/xinetd.d/tftp</tt> includes <tt>-s</tt> as a command line argument, as shown in
-     the following example:
--    <pre>server_args = -s {{{ sub_var_value("tftpd_secure_directory") }}}</pre>
-+    <pre>server_args = -s {{{ sub_var_value("var_tftpd_secure_directory") }}}</pre>
- 
- rationale: |-
-     Using the <tt>-s</tt> option causes the TFTP service to only serve files from the
-@@ -55,4 +55,4 @@ ocil: |-
-     The output should indicate the <tt>server_args</tt> variable is configured
-     with the <tt>-s</tt> flag, matching the example below:
-     <pre>$ grep "server_args" /etc/xinetd.d/tftp
--    server_args = -s {{{ sub_var_value("tftpd_secure_directory") }}}</pre>
-+    server_args = -s {{{ sub_var_value("var_tftpd_secure_directory") }}}</pre>
-diff --git a/linux_os/guide/services/obsolete/tftp/tftpd_secure_directory.var b/linux_os/guide/services/obsolete/tftp/var_tftpd_secure_directory.var
-similarity index 100%
-rename from linux_os/guide/services/obsolete/tftp/tftpd_secure_directory.var
-rename to linux_os/guide/services/obsolete/tftp/var_tftpd_secure_directory.var
diff --git a/SOURCES/scap-security-guide-0.1.53-value_macros-PR_6048.patch b/SOURCES/scap-security-guide-0.1.53-value_macros-PR_6048.patch
deleted file mode 100644
index 560b25c..0000000
--- a/SOURCES/scap-security-guide-0.1.53-value_macros-PR_6048.patch
+++ /dev/null
@@ -1,3147 +0,0 @@
-From da0a661b8a5754feecab58a577783faa918172bd Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
-Date: Fri, 4 Sep 2020 12:04:27 +0200
-Subject: [PATCH 1/3] Replace XCCDF value substitution code by a macro.
-
-The macro hides the actual implementation of the substitution,
-it "just works", and it opens ways how to support variables
-even outside of the SCAP content, where there is no scanner
-to do the acutal substitution.
-
-Renamed the macro to xccdf_value, kept the old one for backward compatibility.
----
- .../rule.yml                                     |  8 ++++----
- .../rule.yml                                     |  2 +-
- .../keystone/keystone_lockout_duration/rule.yml  |  2 +-
- .../keystone_lockout_failure_attempts/rule.yml   |  2 +-
- .../rule.yml                                     |  2 +-
- .../container_keystone_lockout_duration/rule.yml |  2 +-
- .../rule.yml                                     |  2 +-
- .../rule.yml                                     |  4 ++--
- .../httpd_enable_loglevel/rule.yml               |  4 ++--
- .../postfix_client_configure_mail_alias/rule.yml |  2 +-
- .../postfix_client_configure_relayhost/rule.yml  |  4 ++--
- .../postfix_network_listening_disabled/rule.yml  |  4 ++--
- .../ntp/chronyd_or_ntpd_set_maxpoll/rule.yml     |  6 +++---
- .../ssh_server/sshd_disable_compression/rule.yml |  2 +-
- .../ssh/ssh_server/sshd_rekey_limit/rule.yml     |  4 ++--
- .../ssh_server/sshd_set_idle_timeout/rule.yml    |  4 ++--
- .../ssh/ssh_server/sshd_set_keepalive/rule.yml   |  4 ++--
- .../ssh_server/sshd_set_max_auth_tries/rule.yml  |  4 ++--
- .../ssh_server/sshd_set_max_sessions/rule.yml    |  4 ++--
- .../sshd_use_approved_ciphers/rule.yml           |  2 +-
- .../ssh_server/sshd_use_approved_macs/rule.yml   |  2 +-
- .../ssh_server/sshd_use_priv_separation/rule.yml |  4 ++--
- .../services/sssd/sssd_memcache_timeout/rule.yml |  8 ++++----
- .../sssd/sssd_ssh_known_hosts_timeout/rule.yml   |  8 ++++----
- .../accounts_password_pam_unix_remember/rule.yml |  8 ++++----
- .../rule.yml                                     |  6 +++---
- .../rule.yml                                     |  4 ++--
- .../rule.yml                                     |  6 +++---
- .../rule.yml                                     |  4 ++--
- .../rule.yml                                     |  2 +-
- .../rule.yml                                     |  6 +++---
- .../rule.yml                                     |  4 ++--
- .../rule.yml                                     |  4 ++--
- .../rule.yml                                     |  2 +-
- .../rule.yml                                     |  2 +-
- .../accounts_password_pam_difok/rule.yml         |  2 +-
- .../rule.yml                                     |  4 ++--
- .../accounts_password_pam_maxrepeat/rule.yml     |  4 ++--
- .../accounts_password_pam_minclass/rule.yml      |  2 +-
- .../accounts_password_pam_minlen/rule.yml        |  4 ++--
- .../accounts_password_pam_ocredit/rule.yml       |  2 +-
- .../accounts_password_pam_retry/rule.yml         |  2 +-
- .../configure_opensc_card_drivers/rule.yml       |  8 ++++----
- .../force_opensc_card_drivers/rule.yml           |  8 ++++----
- .../account_disable_post_pw_expiration/rule.yml  |  6 +++---
- .../accounts_maximum_age_login_defs/rule.yml     |  4 ++--
- .../accounts_minimum_age_login_defs/rule.yml     |  4 ++--
- .../accounts_password_minlen_login_defs/rule.yml |  4 ++--
- .../rule.yml                                     |  4 ++--
- .../accounts_logon_fail_delay/rule.yml           |  4 ++--
- .../rule.yml                                     |  4 ++--
- .../accounts-session/accounts_tmout/rule.yml     |  4 ++--
- .../accounts_umask_etc_bashrc/rule.yml           |  6 +++---
- .../accounts_umask_etc_csh_cshrc/rule.yml        |  4 ++--
- .../accounts_umask_etc_login_defs/rule.yml       |  4 ++--
- .../accounts_umask_etc_profile/rule.yml          |  4 ++--
- .../rule.yml                                     |  4 ++--
- .../rule.yml                                     |  4 ++--
- .../auditd_data_retention_flush/rule.yml         |  2 +-
- .../auditd_data_retention_max_log_file/rule.yml  |  2 +-
- .../auditd_data_retention_num_logs/rule.yml      |  2 +-
- .../rsyslog_files_groupownership/rule.yml        |  8 ++++----
- .../rsyslog_files_ownership/rule.yml             |  8 ++++----
- .../rsyslog_remote_loghost/rule.yml              | 16 ++++++++--------
- .../rule.yml                                     |  4 ++--
- .../daemon_umask/umask_for_daemons/rule.yml      |  4 ++--
- .../system/selinux/selinux_policytype/rule.yml   |  6 +++---
- .../guide/system/selinux/selinux_state/rule.yml  |  6 +++---
- .../dconf_gnome_screensaver_idle_delay/rule.yml  |  2 +-
- .../dconf_gnome_screensaver_lock_delay/rule.yml  |  6 +++---
- .../gconf_gnome_screensaver_idle_delay/rule.yml  |  6 +++---
- .../rule.yml                                     |  6 +++---
- .../crypto/configure_crypto_policy/rule.yml      |  6 +++---
- .../crypto/ssh_client_rekey_limit/rule.yml       |  6 +++---
- shared/macros.jinja                              |  7 ++++++-
- 75 files changed, 168 insertions(+), 163 deletions(-)
-
-diff --git a/applications/openshift/kubelet/kubelet_enable_streaming_connections/rule.yml b/applications/openshift/kubelet/kubelet_enable_streaming_connections/rule.yml
-index 74da1f4c8b..91bd3ab560 100644
---- a/applications/openshift/kubelet/kubelet_enable_streaming_connections/rule.yml
-+++ b/applications/openshift/kubelet/kubelet_enable_streaming_connections/rule.yml
-@@ -11,13 +11,13 @@ description: |-
- {{%- if product == "ocp4" %}}
-     file <tt>/etc/kubernetes/kubernetes.conf</tt>
-     on the kubelet node(s) and set the below parameter:
--    <pre>streamingConnectionIdleTimeout: <sub idref="var_streaming_connection_timeouts"/></pre>
-+    <pre>streamingConnectionIdleTimeout: {{{ xccdf_value("var_streaming_connection_timeouts") }}}</pre>
- {{% else %}}
-     file <tt>/etc/origin/node/node-config.yaml</tt>
-     on the kubelet node(s) and set the below parameter:
-     <pre>kubeletArguments:
-       streaming-connection-idle-timeout:
--      - '<sub idref="var_streaming_connection_timeouts"/>'</pre>
-+      - '{{{ xccdf_value("var_streaming_connection_timeouts") }}}'</pre>
- {{%- endif %}}
- 
- rationale: |-
-@@ -33,10 +33,10 @@ ocil: |-
-     Run the following command on the kubelet node(s):
- {{%- if product == "ocp4" %}}
-     <pre>$ sudo grep streamingConnectionIdleTimeout /etc/kubernetes/kubernetes.conf</pre>
--    The output should return <tt><sub idref="var_streaming_connection_timeouts"/></tt>.
-+    The output should return <tt>{{{ xccdf_value("var_streaming_connection_timeouts") }}}</tt>.
- {{% else %}}
-     <pre>$ sudo grep -A1 streaming-connection-idle-timeout /etc/origin/node/node-config.yaml</pre>
--    The output should return <tt><sub idref="var_streaming_connection_timeouts"/></tt>.
-+    The output should return <tt>{{{ xccdf_value("var_streaming_connection_timeouts") }}}</tt>.
- {{%- endif %}}
- 
- identifiers:
-diff --git a/applications/openstack/keystone/keystone_disable_user_account_days_inactive/rule.yml b/applications/openstack/keystone/keystone_disable_user_account_days_inactive/rule.yml
-index 6f8a7c9474..5a06f2984f 100644
---- a/applications/openstack/keystone/keystone_disable_user_account_days_inactive/rule.yml
-+++ b/applications/openstack/keystone/keystone_disable_user_account_days_inactive/rule.yml
-@@ -32,4 +32,4 @@ ocil: |-
-     <pre>$ grep disable_user_account_days_inactive /etc/keystone/keystone.conf</pre>
-     <br />
-     If properly configured, the output should be:
--    <pre>disable_user_account_days_inactive = <sub idref="var_keystone_disable_user_account_days_inactive" /></pre>
-+    <pre>disable_user_account_days_inactive = {{{ xccdf_value("var_keystone_disable_user_account_days_inactive") }}}</pre>
-diff --git a/applications/openstack/keystone/keystone_lockout_duration/rule.yml b/applications/openstack/keystone/keystone_lockout_duration/rule.yml
-index 30a823e0fe..50057c14d1 100644
---- a/applications/openstack/keystone/keystone_lockout_duration/rule.yml
-+++ b/applications/openstack/keystone/keystone_lockout_duration/rule.yml
-@@ -38,4 +38,4 @@ ocil: |-
-     <pre>$ grep lockout_duration /etc/keystone/keystone.conf</pre>
-     <br />
-     If properly configured, the output should be:
--    <pre>lockout_duration=<sub idref="var_keystone_lockout_failure_duration" /></pre>
-+    <pre>lockout_duration={{{ xccdf_value("var_keystone_lockout_failure_duration") }}}</pre>
-diff --git a/applications/openstack/keystone/keystone_lockout_failure_attempts/rule.yml b/applications/openstack/keystone/keystone_lockout_failure_attempts/rule.yml
-index e77fb2d0c1..4927fb0abe 100644
---- a/applications/openstack/keystone/keystone_lockout_failure_attempts/rule.yml
-+++ b/applications/openstack/keystone/keystone_lockout_failure_attempts/rule.yml
-@@ -33,4 +33,4 @@ ocil: |-
-     <pre>$ grep lockout_failure_attempts /etc/keystone/keystone.conf</pre>
-     <br />
-     If properly configured, the output should be:
--    <pre>lockout_failure_attempts=<sub idref="var_keystone_lockout_failure_attempts" /></pre>
-+    <pre>lockout_failure_attempts={{{ xccdf_value("var_keystone_lockout_failure_attempts") }}}</pre>
-diff --git a/applications/openstack/keystone_container/container_keystone_disable_user_account_days_inactive/rule.yml b/applications/openstack/keystone_container/container_keystone_disable_user_account_days_inactive/rule.yml
-index 9f98073edc..8bd564e66a 100644
---- a/applications/openstack/keystone_container/container_keystone_disable_user_account_days_inactive/rule.yml
-+++ b/applications/openstack/keystone_container/container_keystone_disable_user_account_days_inactive/rule.yml
-@@ -31,4 +31,4 @@ ocil: |-
-     <pre>$ grep disable_user_account_days_inactive /var/lib/config-data/puppet-generated/keystone/etc/keystone/keystone.conf</pre>
-     <br />
-     If properly configured, the output should be:
--    <pre>disable_user_account_days_inactive = <sub idref="var_keystone_disable_user_account_days_inactive" /></pre>
-+    <pre>disable_user_account_days_inactive = {{{ xccdf_value("var_keystone_disable_user_account_days_inactive") }}}</pre>
-diff --git a/applications/openstack/keystone_container/container_keystone_lockout_duration/rule.yml b/applications/openstack/keystone_container/container_keystone_lockout_duration/rule.yml
-index 98f33106c0..1c469e3e4f 100644
---- a/applications/openstack/keystone_container/container_keystone_lockout_duration/rule.yml
-+++ b/applications/openstack/keystone_container/container_keystone_lockout_duration/rule.yml
-@@ -37,4 +37,4 @@ ocil: |-
-     <pre>$ grep lockout_duration /var/lib/config-data/puppet-generated/keystone/etc/keystone/keystone.conf</pre>
-     <br />
-     If properly configured, the output should be:
--    <pre>lockout_duration=<sub idref="var_keystone_lockout_failure_duration" /></pre>
-+    <pre>lockout_duration={{{ xccdf_value("var_keystone_lockout_failure_duration") }}}</pre>
-diff --git a/applications/openstack/keystone_container/container_keystone_lockout_failure_attempts/rule.yml b/applications/openstack/keystone_container/container_keystone_lockout_failure_attempts/rule.yml
-index d9de1aebf6..8d48304685 100644
---- a/applications/openstack/keystone_container/container_keystone_lockout_failure_attempts/rule.yml
-+++ b/applications/openstack/keystone_container/container_keystone_lockout_failure_attempts/rule.yml
-@@ -32,4 +32,4 @@ ocil: |-
-     <pre>$ grep lockout_failure_attempts /var/lib/config-data/puppet-generated/keystone/etc/keystone/keystone.conf</pre>
-     <br />
-     If properly configured, the output should be:
--    <pre>lockout_failure_attempts=<sub idref="var_keystone_lockout_failure_attempts" /></pre>
-+    <pre>lockout_failure_attempts={{{ xccdf_value("var_keystone_lockout_failure_attempts") }}}</pre>
-diff --git a/linux_os/guide/services/http/securing_httpd/httpd_configure_max_keepalive_requests/rule.yml b/linux_os/guide/services/http/securing_httpd/httpd_configure_max_keepalive_requests/rule.yml
-index aaf7e21583..3a9b317b75 100644
---- a/linux_os/guide/services/http/securing_httpd/httpd_configure_max_keepalive_requests/rule.yml
-+++ b/linux_os/guide/services/http/securing_httpd/httpd_configure_max_keepalive_requests/rule.yml
-@@ -6,9 +6,9 @@ title: 'Configure The Number of Allowed Simultaneous Requests'
- 
- description: |-
-     The <tt>MaxKeepAliveRequests</tt> directive should be set and configured to
--    <sub idref="var_max_keepalive_requests" /> or greater by setting the following
-+    {{{ xccdf_value("var_max_keepalive_requests") }}} or greater by setting the following
-     in <tt>/etc/httpd/conf/httpd.conf</tt>:
--    <pre>MaxKeepAliveRequests <sub idref="var_max_keepalive_requests" /></pre>
-+    <pre>MaxKeepAliveRequests {{{ xccdf_value("var_max_keepalive_requests") }}}</pre>
- 
- rationale: |-
-     Resource exhaustion can occur when an unlimited number of concurrent requests
-diff --git a/linux_os/guide/services/http/securing_httpd/httpd_enable_loglevel/rule.yml b/linux_os/guide/services/http/securing_httpd/httpd_enable_loglevel/rule.yml
-index 112039a2d8..e8bb96b214 100644
---- a/linux_os/guide/services/http/securing_httpd/httpd_enable_loglevel/rule.yml
-+++ b/linux_os/guide/services/http/securing_httpd/httpd_enable_loglevel/rule.yml
-@@ -5,9 +5,9 @@ prodtype: rhel7,rhel8
- title: 'Enable HTTPD LogLevel'
- 
- description: |-
--    <tt>LogLevel</tt> should be enabled and set to <sub idref="var_httpd_loglevel" />.
-+    <tt>LogLevel</tt> should be enabled and set to {{{ xccdf_value("var_httpd_loglevel") }}}.
-     Add or edit the following in <tt>/etc/httpd/conf/httpd.conf</tt>:
--    <pre>LogLevel <sub idref="var_httpd_loglevel" /></pre>
-+    <pre>LogLevel {{{ xccdf_value("var_httpd_loglevel") }}}</pre>
- 
- rationale: |-
-     The server error logs are invaluable because they can also be used to identify
-diff --git a/linux_os/guide/services/mail/postfix_client/postfix_client_configure_mail_alias/rule.yml b/linux_os/guide/services/mail/postfix_client/postfix_client_configure_mail_alias/rule.yml
-index 0650606bad..b86f6e7c98 100644
---- a/linux_os/guide/services/mail/postfix_client/postfix_client_configure_mail_alias/rule.yml
-+++ b/linux_os/guide/services/mail/postfix_client/postfix_client_configure_mail_alias/rule.yml
-@@ -4,7 +4,7 @@ title: 'Configure System to Forward All Mail For The Root Account'
- 
- description: |-
-     Set up an alias for root that forwards to a monitored email address:
--    <pre>$ sudo echo "root: <sub idref="var_postfix_root_mail_alias" />" &gt;&gt; /etc/aliases
-+    <pre>$ sudo echo "root: {{{ xccdf_value("var_postfix_root_mail_alias") }}}" &gt;&gt; /etc/aliases
-     $ sudo newaliases</pre>
- 
- rationale: |-
-diff --git a/linux_os/guide/services/mail/postfix_client/postfix_client_configure_relayhost/rule.yml b/linux_os/guide/services/mail/postfix_client/postfix_client_configure_relayhost/rule.yml
-index 0b4e2d2322..0faafeb0c2 100644
---- a/linux_os/guide/services/mail/postfix_client/postfix_client_configure_relayhost/rule.yml
-+++ b/linux_os/guide/services/mail/postfix_client/postfix_client_configure_relayhost/rule.yml
-@@ -6,7 +6,7 @@ description: |-
-     Set up a relay host that will act as a gateway for all outbound email.
-     Edit the file <tt>/etc/postfix/main.cf</tt> to ensure that only the following
-     <tt>relayhost</tt> line appears:
--    <pre>relayhost = <sub idref="var_postfix_relayhost" /></pre>
-+    <pre>relayhost = {{{ xccdf_value("var_postfix_relayhost") }}}</pre>
- 
- rationale: |-
-     A central outbound email location ensures messages sent from any network host
-@@ -20,4 +20,4 @@ ocil_clause: 'it is not'
- ocil: |-
-     Run the following command to ensure postfix routes mail to this system:
-     <pre>$ grep relayhost /etc/postfix/main.cf</pre>
--    If properly configured, the output should show only <tt><sub idref="var_postfix_relayhost" /></tt>.
-+    If properly configured, the output should show only <tt>{{{ xccdf_value("var_postfix_relayhost") }}}</tt>.
-diff --git a/linux_os/guide/services/mail/postfix_client/postfix_network_listening_disabled/rule.yml b/linux_os/guide/services/mail/postfix_client/postfix_network_listening_disabled/rule.yml
-index 8deb83a2da..cba179b8d7 100644
---- a/linux_os/guide/services/mail/postfix_client/postfix_network_listening_disabled/rule.yml
-+++ b/linux_os/guide/services/mail/postfix_client/postfix_network_listening_disabled/rule.yml
-@@ -7,7 +7,7 @@ title: 'Disable Postfix Network Listening'
- description: |-
-     Edit the file <tt>/etc/postfix/main.cf</tt> to ensure that only the following
-     <tt>inet_interfaces</tt> line appears:
--    <pre>inet_interfaces = <sub idref="var_postfix_inet_interfaces" /></pre>
-+    <pre>inet_interfaces = {{{ xccdf_value("var_postfix_inet_interfaces") }}}</pre>
- 
- 
- rationale: |-
-@@ -41,4 +41,4 @@ ocil_clause: 'it does not'
- ocil: |-
-     Run the following command to ensure postfix accepts mail messages from only the local system:
-     <pre>$ grep inet_interfaces /etc/postfix/main.cf</pre>
--    If properly configured, the output should show only <tt><sub idref="var_postfix_inet_interfaces" /></tt>.
-+    If properly configured, the output should show only <tt>{{{ xccdf_value("var_postfix_inet_interfaces") }}}</tt>.
-diff --git a/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/rule.yml b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/rule.yml
-index ba3772a5af..d5f8b9125e 100644
---- a/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/rule.yml
-+++ b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/rule.yml
-@@ -6,11 +6,11 @@ title: 'Configure Time Service Maxpoll Interval'
- 
- description: |-
-     The <tt>maxpoll</tt> should be configured to
--    <sub idref="var_time_service_set_maxpoll" /> in <tt>/etc/ntp.conf</tt> or
-+    {{{ xccdf_value("var_time_service_set_maxpoll") }}} in <tt>/etc/ntp.conf</tt> or
-     <tt>/etc/chrony.conf</tt> to continuously poll time servers. To configure
-     <tt>maxpoll</tt> in <tt>/etc/ntp.conf</tt> or <tt>/etc/chrony.conf</tt>
-     add the following:
--    <pre>maxpoll <sub idref="var_time_service_set_maxpoll" /></pre>
-+    <pre>maxpoll {{{ xccdf_value("var_time_service_set_maxpoll") }}}</pre>
- 
- rationale: |-
-     Inaccurate time stamps make it more difficult to correlate
-@@ -46,4 +46,4 @@ ocil: |-
-     To verify that <tt>maxpoll</tt> has been set properly, perform the following:
-     <pre>$ sudo grep maxpoll /etc/ntp.conf /etc/chrony.conf</pre>
-     The output should return
--    <pre>maxpoll <sub idref="var_time_service_set_maxpoll" /></pre>.
-+    <pre>maxpoll {{{ xccdf_value("var_time_service_set_maxpoll") }}}</pre>.
-diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/rule.yml
-index e63866bb8b..fe7e67c1c2 100644
---- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/rule.yml
-+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/rule.yml
-@@ -9,7 +9,7 @@ description: |-
-     it should be disabled. To disable compression or delay compression until after
-     a user has successfully authenticated, add or correct the following line in the
-     <tt>/etc/ssh/sshd_config</tt> file:
--    <pre>Compression <sub idref="var_sshd_disable_compression"/></pre>
-+    <pre>Compression {{{ xccdf_value("var_sshd_disable_compression") }}}</pre>
- 
- rationale: |-
-     If compression is allowed in an SSH connection prior to authentication,
-diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/rule.yml
-index ce191e48e7..d7941f9c0e 100644
---- a/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/rule.yml
-+++ b/linux_os/guide/services/ssh/ssh_server/sshd_rekey_limit/rule.yml
-@@ -7,7 +7,7 @@ description: |-
-     the session key of the is renegotiated, both in terms of
-     amount of data that may be transmitted and the time
-     elapsed. To decrease the default limits, put line
--    <tt>RekeyLimit {{{ sub_var_value("var_rekey_limit_size") }}} {{{ sub_var_value("var_rekey_limit_time") }}}</tt> to file <tt>/etc/ssh/sshd_config</tt>.
-+    <tt>RekeyLimit {{{ xccdf_value("var_rekey_limit_size") }}} {{{ xccdf_value("var_rekey_limit_time") }}}</tt> to file <tt>/etc/ssh/sshd_config</tt>.
- 
- rationale: |-
-     By decreasing the limit based on the amount of data and enabling
-@@ -30,4 +30,4 @@ ocil: |-
-     following command:
-     <pre>$ sudo grep RekeyLimit /etc/ssh/sshd_config</pre>
-     If configured properly, output should be
--    <pre>RekeyLimit {{{ sub_var_value("var_rekey_limit_size") }}} {{{ sub_var_value("var_rekey_limit_time") }}}</pre>
-+    <pre>RekeyLimit {{{ xccdf_value("var_rekey_limit_size") }}} {{{ xccdf_value("var_rekey_limit_time") }}}</pre>
-diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml
-index 250addfe2f..5149de069d 100644
---- a/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml
-+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/rule.yml
-@@ -8,7 +8,7 @@ description: |-
-     <br /><br />
-     To set an idle timeout interval, edit the following line in <tt>/etc/ssh/sshd_config</tt> as
-     follows:
--    <pre>ClientAliveInterval <b><sub idref="sshd_idle_timeout_value" /></b></pre>
-+    <pre>ClientAliveInterval <b>{{{ xccdf_value("sshd_idle_timeout_value") }}}</b></pre>
-     <br/><br/>
-     The timeout <b>interval</b> is given in seconds. For example, have a timeout
-     of 10 minutes, set <b>interval</b> to 600.
-@@ -61,4 +61,4 @@ ocil: |-
-     Run the following command to see what the timeout interval is:
-     <pre>$ sudo grep ClientAliveInterval /etc/ssh/sshd_config</pre>
-     If properly configured, the output should be:
--    <pre>ClientAliveInterval <sub idref="sshd_idle_timeout_value" /></pre>
-+    <pre>ClientAliveInterval {{{ xccdf_value("sshd_idle_timeout_value") }}}</pre>
-diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/rule.yml
-index 95628aac85..5354ff5b0c 100644
---- a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/rule.yml
-+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/rule.yml
-@@ -5,7 +5,7 @@ title: 'Set SSH Client Alive Max Count'
- description: |-
-     To ensure the SSH idle timeout occurs precisely when the <tt>ClientAliveInterval</tt> is set,
-     edit <tt>/etc/ssh/sshd_config</tt> as follows:
--    <pre>ClientAliveCountMax <sub idref="var_sshd_set_keepalive"/></pre>
-+    <pre>ClientAliveCountMax {{{ xccdf_value("var_sshd_set_keepalive") }}}</pre>
- 
- rationale: |-
-     This ensures a user login will be terminated as soon as the <tt>ClientAliveInterval</tt>
-@@ -48,4 +48,4 @@ ocil: |-
-     To ensure the SSH idle timeout will occur when the <tt>ClientAliveInterval</tt> is set, run the following command:
-     <pre>$ sudo grep ClientAliveCountMax /etc/ssh/sshd_config</pre>
-     If properly configured, output should be:
--    <pre>ClientAliveCountMax <sub idref="var_sshd_set_keepalive"/></pre>
-+    <pre>ClientAliveCountMax {{{ xccdf_value("var_sshd_set_keepalive") }}}</pre>
-diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/rule.yml
-index 037bb1603d..d6e1f30b19 100644
---- a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/rule.yml
-+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/rule.yml
-@@ -6,7 +6,7 @@ description: |-
-     The <tt>MaxAuthTries</tt> parameter specifies the maximum number of authentication attempts
-     permitted per connection. Once the number of failures reaches half this value, additional failures are logged.
-     to set MaxAUthTries edit <tt>/etc/ssh/sshd_config</tt> as follows:
--    <pre>MaxAuthTries <sub idref="sshd_max_auth_tries_value"/></pre>
-+    <pre>MaxAuthTries {{{ xccdf_value("sshd_max_auth_tries_value") }}}</pre>
- 
- rationale: |-
-     Setting the MaxAuthTries parameter to a low number will minimize the risk of successful
-@@ -31,4 +31,4 @@ ocil: |-
-     To ensure the <tt>MaxAuthTries</tt> parameter is set, run the following command:
-     <pre>$ sudo grep MaxAuthTries /etc/ssh/sshd_config</pre>
-     If properly configured, output should be:
--    <pre>MaxAuthTries <sub idref="sshd_max_auth_tries_value"/></pre>
-+    <pre>MaxAuthTries {{{ xccdf_value("sshd_max_auth_tries_value") }}}</pre>
-diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/rule.yml
-index 3f74e662de..2782b71905 100644
---- a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/rule.yml
-+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/rule.yml
-@@ -5,7 +5,7 @@ title: 'Set SSH MaxSessions limit'
- description: |-
-     The <tt>MaxSessions</tt> parameter specifies the maximum number of open sessions permitted
-     from a given connection. To set MaxSessions edit
--    <tt>/etc/ssh/sshd_config</tt> as follows: <pre>MaxSessions <sub idref="var_sshd_max_sessions" /></pre>
-+    <tt>/etc/ssh/sshd_config</tt> as follows: <pre>MaxSessions {{{ xccdf_value("var_sshd_max_sessions") }}}</pre>
- 
- rationale: |-
-     To protect a system from denial of service due to a large number of concurrent
-@@ -27,4 +27,4 @@ ocil: |-
-     Run the following command to see what the max sessions number is:
-     <pre>$ sudo grep MaxSessions /etc/ssh/sshd_config</pre>
-     If properly configured, the output should be:
--    <pre>MaxSessions <sub idref="var_sshd_max_sessions" /></pre>
-+    <pre>MaxSessions {{{ xccdf_value("var_sshd_max_sessions") }}}</pre>
-diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/rule.yml
-index 985bbd0b8b..c2204193dc 100644
---- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/rule.yml
-+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/rule.yml
-@@ -31,7 +31,7 @@ description: |-
-     {{{ weblink(link="http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp2630.pdf") }}}
-     {{% endif %}}
- {{% endif %}}
--    The rule is parametrized to use the following ciphers: <code>{{{ sub_var_value("sshd_approved_ciphers") }}}</code>.
-+    The rule is parametrized to use the following ciphers: <code>{{{ xccdf_value("sshd_approved_ciphers") }}}</code>.
- 
- rationale: |-
-     Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore
-diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/rule.yml
-index 4b563de550..b7adaca34b 100644
---- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/rule.yml
-+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/rule.yml
-@@ -32,7 +32,7 @@ description: |-
-     {{{ weblink(link="http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp2630.pdf") }}}
-     {{% endif %}}
- {{% endif %}}
--    The rule is parametrized to use the following MACs: <code>{{{ sub_var_value("sshd_approved_macs") }}}</code>.
-+    The rule is parametrized to use the following MACs: <code>{{{ xccdf_value("sshd_approved_macs") }}}</code>.
- 
- rationale: |-
-     DoD Information Systems are required to use FIPS-approved cryptographic hash
-diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_priv_separation/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_priv_separation/rule.yml
-index 60813a75a2..14d1acfd22 100644
---- a/linux_os/guide/services/ssh/ssh_server/sshd_use_priv_separation/rule.yml
-+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_priv_separation/rule.yml
-@@ -6,7 +6,7 @@ description: |-
-     When enabled, SSH will create an unprivileged child process that
-     has the privilege of the authenticated user. To enable privilege separation in
-     SSH, add or correct the following line in the <tt>/etc/ssh/sshd_config</tt> file:
--    <pre>UsePrivilegeSeparation <sub idref="var_sshd_priv_separation" /></pre>
-+    <pre>UsePrivilegeSeparation {{{ xccdf_value("var_sshd_priv_separation") }}}</pre>
- 
- rationale: |-
-     SSH daemon privilege separation causes the SSH process to drop root privileges
-@@ -41,4 +41,4 @@ ocil: |-
-     To check if UsePrivilegeSeparation is enabled or set correctly, run the
-     following command:
-     <pre>$ sudo grep UsePrivilegeSeparation /etc/ssh/sshd_config</pre>
--    If configured properly, output should be <tt><sub idref="var_sshd_priv_separation" /></tt>.
-+    If configured properly, output should be <tt>{{{ xccdf_value("var_sshd_priv_separation") }}}</tt>.
-diff --git a/linux_os/guide/services/sssd/sssd_memcache_timeout/rule.yml b/linux_os/guide/services/sssd/sssd_memcache_timeout/rule.yml
-index 00cda4f144..35ec8c497c 100644
---- a/linux_os/guide/services/sssd/sssd_memcache_timeout/rule.yml
-+++ b/linux_os/guide/services/sssd/sssd_memcache_timeout/rule.yml
-@@ -6,14 +6,14 @@ title: 'Configure SSSD''s Memory Cache to Expire'
- 
- description: |-
-     SSSD's memory cache should be configured to set to expire records after
--    <tt><sub idref="var_sssd_memcache_timeout" /></tt> seconds.
-+    <tt>{{{ xccdf_value("var_sssd_memcache_timeout") }}}</tt> seconds.
-     To configure SSSD to expire memory cache, set <tt>memcache_timeout</tt> to
--    <tt><sub idref="var_sssd_memcache_timeout" /></tt> under the
-+    <tt>{{{ xccdf_value("var_sssd_memcache_timeout") }}}</tt> under the
-     <tt>[nss]</tt> section in <tt>/etc/sssd/sssd.conf</tt>.
- 
-     For example:
-     <pre>[nss]
--    memcache_timeout = <sub idref="var_sssd_memcache_timeout" />
-+    memcache_timeout = {{{ xccdf_value("var_sssd_memcache_timeout") }}}
-     </pre>
- 
- rationale: |-
-@@ -46,4 +46,4 @@ ocil_clause: 'it does not exist or is not configured properly'
- ocil: |-
-     To verify that SSSD's in-memory cache expires after a day, run the following command:
-     <pre>$ sudo grep memcache_timeout /etc/sssd/sssd.conf</pre>
--    If configured properly, output should be <pre>memcache_timeout = <sub idref="var_sssd_memcache_timeout" /></pre>.
-+    If configured properly, output should be <pre>memcache_timeout = {{{ xccdf_value("var_sssd_memcache_timeout") }}}</pre>.
-diff --git a/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/rule.yml b/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/rule.yml
-index ce83991f57..00f1f3b485 100644
---- a/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/rule.yml
-+++ b/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/rule.yml
-@@ -6,12 +6,12 @@ title: 'Configure SSSD to Expire SSH Known Hosts'
- 
- description: |-
-     SSSD should be configured to expire keys from known SSH hosts after
--    <tt><sub idref="var_sssd_ssh_known_hosts_timeout" /></tt> seconds.
-+    <tt>{{{ xccdf_value("var_sssd_ssh_known_hosts_timeout") }}}</tt> seconds.
-     To configure SSSD to known SSH hosts, set <tt>ssh_known_hosts_timeout</tt>
--    to <tt><sub idref="var_sssd_ssh_known_hosts_timeout" /></tt> under the
-+    to <tt>{{{ xccdf_value("var_sssd_ssh_known_hosts_timeout") }}}</tt> under the
-     <tt>[ssh]</tt> section in <tt>/etc/sssd/sssd.conf</tt>. For example:
-     <pre>[ssh]
--    ssh_known_hosts_timeout = <sub idref="var_sssd_ssh_known_hosts_timeout" />
-+    ssh_known_hosts_timeout = {{{ xccdf_value("var_sssd_ssh_known_hosts_timeout") }}}
-     </pre>
- 
- rationale: |-
-@@ -44,4 +44,4 @@ ocil: |-
-     To verify that SSSD expires known SSH host keys, run the following command:
-     <pre>$ sudo grep ssh_known_hosts_timeout /etc/sssd/sssd.conf</pre>
-     If configured properly, output should be
--    <pre>ssh_known_hosts_timeout = <sub idref="var_sssd_ssh_known_hosts_timeout" /></pre>
-+    <pre>ssh_known_hosts_timeout = {{{ xccdf_value("var_sssd_ssh_known_hosts_timeout") }}}</pre>
-diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/rule.yml
-index 7c7b14860c..f6857da463 100644
---- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/rule.yml
-+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/rule.yml
-@@ -9,14 +9,14 @@ description: |-
-     accomplished by using the <tt>remember</tt> option for the <tt>pam_unix</tt>
-     or <tt>pam_pwhistory</tt> PAM modules.
-     <br /><br />
--    In the file <tt>/etc/pam.d/system-auth</tt>, append <tt>remember=<sub idref="var_password_pam_unix_remember" /></tt>
-+    In the file <tt>/etc/pam.d/system-auth</tt>, append <tt>remember={{{ xccdf_value("var_password_pam_unix_remember") }}}</tt>
-     to the line which refers to the <tt>pam_unix.so</tt> or <tt>pam_pwhistory.so</tt>module, as shown below:
-     <ul>
-     <li>for the <tt>pam_unix.so</tt> case:
--    <pre>password sufficient pam_unix.so <i>...existing_options...</i> remember=<sub idref="var_password_pam_unix_remember" /></pre>
-+    <pre>password sufficient pam_unix.so <i>...existing_options...</i> remember={{{ xccdf_value("var_password_pam_unix_remember") }}}</pre>
-     </li>
-     <li>for the <tt>pam_pwhistory.so</tt> case:
--    <pre>password requisite pam_pwhistory.so <i>...existing_options...</i> remember=<sub idref="var_password_pam_unix_remember" /></pre>
-+    <pre>password requisite pam_pwhistory.so <i>...existing_options...</i> remember={{{ xccdf_value("var_password_pam_unix_remember") }}}</pre>
-     </li>
-     </ul>
-     The DoD STIG requirement is 5 passwords.
-@@ -56,6 +56,6 @@ ocil: |-
-     To verify the password reuse setting is compliant, run the following command:
-     <pre>$ grep remember /etc/pam.d/system-auth</pre>
-     The output should show the following at the end of the line:
--    <pre>remember=<sub idref="var_password_pam_unix_remember" /></pre>
-+    <pre>remember={{{ xccdf_value("var_password_pam_unix_remember") }}}</pre>
- 
- platform: pam
-diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/rule.yml
-index 8eeb24a9c5..15eba70d6a 100644
---- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/rule.yml
-+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/rule.yml
-@@ -11,9 +11,9 @@ description: |-
-     <br /><br />
-     <ul>
-     <li> add the following line immediately <tt>before</tt> the <tt>pam_unix.so</tt> statement in the <tt>AUTH</tt> section:
--    <pre>auth required pam_faillock.so preauth silent deny=<sub idref="var_accounts_passwords_pam_faillock_deny" /> unlock_time=<sub idref="var_accounts_passwords_pam_faillock_unlock_time" /> fail_interval=<sub idref="var_accounts_passwords_pam_faillock_fail_interval" /></pre></li>
-+    <pre>auth required pam_faillock.so preauth silent deny={{{ xccdf_value("var_accounts_passwords_pam_faillock_deny") }}} unlock_time={{{ xccdf_value("var_accounts_passwords_pam_faillock_unlock_time") }}} fail_interval={{{ xccdf_value("var_accounts_passwords_pam_faillock_fail_interval") }}}</pre></li>
-     <li> add the following line immediately <tt>after</tt> the <tt>pam_unix.so</tt> statement in the <tt>AUTH</tt> section:
--    <pre>auth [default=die] pam_faillock.so authfail deny=<sub idref="var_accounts_passwords_pam_faillock_deny" /> unlock_time=<sub idref="var_accounts_passwords_pam_faillock_unlock_time" /> fail_interval=<sub idref="var_accounts_passwords_pam_faillock_fail_interval" /></pre></li>
-+    <pre>auth [default=die] pam_faillock.so authfail deny={{{ xccdf_value("var_accounts_passwords_pam_faillock_deny") }}} unlock_time={{{ xccdf_value("var_accounts_passwords_pam_faillock_unlock_time") }}} fail_interval={{{ xccdf_value("var_accounts_passwords_pam_faillock_fail_interval") }}}</pre></li>
-     <li> add the following line immediately <tt>before</tt> the <tt>pam_unix.so</tt> statement in the <tt>ACCOUNT</tt> section:
-     <pre>account required pam_faillock.so</pre></li>
-     </ul>
-@@ -56,6 +56,6 @@ ocil_clause: 'that is not the case'
- ocil: |-
-     To ensure the failed password attempt policy is configured correctly, run the following command:
-     <pre>$ grep pam_faillock /etc/pam.d/system-auth</pre>
--    The output should show <tt>deny=<sub idref="var_accounts_passwords_pam_faillock_deny" /></tt>.
-+    The output should show <tt>deny={{{ xccdf_value("var_accounts_passwords_pam_faillock_deny") }}}</tt>.
- 
- platform: pam
-diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/rule.yml
-index 6f49ea9850..1780a66251 100644
---- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/rule.yml
-+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/rule.yml
-@@ -13,10 +13,10 @@ description: |-
-     <ul>
-     <li>Modify the following line in the <tt>AUTH</tt> section to add
-     <tt>even_deny_root</tt>:
--    <pre>auth required pam_faillock.so preauth silent <b>even_deny_root</b> deny=<sub idref="var_accounts_passwords_pam_faillock_deny" /> unlock_time=<sub idref="var_accounts_passwords_pam_faillock_unlock_time" /> fail_interval=<sub idref="var_accounts_passwords_pam_faillock_fail_interval" /></pre></li>
-+    <pre>auth required pam_faillock.so preauth silent <b>even_deny_root</b> deny={{{ xccdf_value("var_accounts_passwords_pam_faillock_deny") }}} unlock_time={{{ xccdf_value("var_accounts_passwords_pam_faillock_unlock_time") }}} fail_interval={{{ xccdf_value("var_accounts_passwords_pam_faillock_fail_interval") }}}</pre></li>
-     <li>Modify the following line in the <tt>AUTH</tt> section to add
-     <tt>even_deny_root</tt>:
--    <pre>auth [default=die] pam_faillock.so authfail <b>even_deny_root</b> deny=<sub idref="var_accounts_passwords_pam_faillock_deny" /> unlock_time=<sub idref="var_accounts_passwords_pam_faillock_unlock_time" /> fail_interval=<sub idref="var_accounts_passwords_pam_faillock_fail_interval" /></pre>
-+    <pre>auth [default=die] pam_faillock.so authfail <b>even_deny_root</b> deny={{{ xccdf_value("var_accounts_passwords_pam_faillock_deny") }}} unlock_time={{{ xccdf_value("var_accounts_passwords_pam_faillock_unlock_time") }}} fail_interval={{{ xccdf_value("var_accounts_passwords_pam_faillock_fail_interval") }}}</pre>
-     </li>
-     </ul>
- 
-diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/rule.yml
-index f891d8e600..708e98e7f3 100644
---- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/rule.yml
-+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/rule.yml
-@@ -14,11 +14,11 @@ description: |-
-     <ul>
-     <li>Add the following line immediately <tt>before</tt> the
-         <tt>pam_unix.so</tt> statement in the <tt>AUTH</tt> section:
--    <pre>auth required pam_faillock.so preauth silent deny=<sub idref="var_accounts_passwords_pam_faillock_deny" /> unlock_time=<sub idref="var_accounts_passwords_pam_faillock_unlock_time" /> fail_interval=<sub idref="var_accounts_passwords_pam_faillock_fail_interval" /></pre>
-+    <pre>auth required pam_faillock.so preauth silent deny={{{ xccdf_value("var_accounts_passwords_pam_faillock_deny") }}} unlock_time={{{ xccdf_value("var_accounts_passwords_pam_faillock_unlock_time") }}} fail_interval={{{ xccdf_value("var_accounts_passwords_pam_faillock_fail_interval") }}}</pre>
-     </li>
-     <li>Add the following line immediately <tt>after</tt> the
-         <tt>pam_unix.so</tt> statement in the <tt>AUTH</tt> section:
--    <pre>auth [default=die] pam_faillock.so authfail deny=<sub idref="var_accounts_passwords_pam_faillock_deny" /> unlock_time=<sub idref="var_accounts_passwords_pam_faillock_unlock_time" /> fail_interval=<sub idref="var_accounts_passwords_pam_faillock_fail_interval" />
-+    <pre>auth [default=die] pam_faillock.so authfail deny={{{ xccdf_value("var_accounts_passwords_pam_faillock_deny") }}} unlock_time={{{ xccdf_value("var_accounts_passwords_pam_faillock_unlock_time") }}} fail_interval={{{ xccdf_value("var_accounts_passwords_pam_faillock_fail_interval") }}}
-     </pre>
-     </li>
-     <li>Add the following line immediately <tt>before</tt> the
-@@ -63,7 +63,7 @@ ocil: |-
-     To ensure the failed password attempt policy is configured correctly,
-     run the following command:
-     <pre>$ grep pam_faillock /etc/pam.d/system-auth /etc/pam.d/password-auth</pre>
--    For each file, the output should show <tt>fail_interval=&lt;interval-in-seconds&gt;</tt> where <tt>interval-in-seconds</tt> is <tt><sub idref="var_accounts_passwords_pam_faillock_fail_interval" /></tt> or greater.
-+    For each file, the output should show <tt>fail_interval=&lt;interval-in-seconds&gt;</tt> where <tt>interval-in-seconds</tt> is <tt>{{{ xccdf_value("var_accounts_passwords_pam_faillock_fail_interval") }}}</tt> or greater.
-     If the <tt>fail_interval</tt> parameter is not set, the default setting
-     of 900 seconds is acceptable.
- 
-diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/rule.yml
-index c3c7fa1ccc..b992cf93bd 100644
---- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/rule.yml
-+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/rule.yml
-@@ -11,9 +11,9 @@ description: |-
-     <br /><br />
-     <ul>
-     <li> add the following line immediately <tt>before</tt> the <tt>pam_unix.so</tt> statement in the <tt>AUTH</tt> section:
--    <pre>auth required pam_faillock.so preauth silent deny=<sub idref="var_accounts_passwords_pam_faillock_deny" /> unlock_time=<sub idref="var_accounts_passwords_pam_faillock_unlock_time" /> fail_interval=<sub idref="var_accounts_passwords_pam_faillock_fail_interval" /></pre></li>
-+    <pre>auth required pam_faillock.so preauth silent deny={{{ xccdf_value("var_accounts_passwords_pam_faillock_deny") }}} unlock_time={{{ xccdf_value("var_accounts_passwords_pam_faillock_unlock_time") }}} fail_interval={{{ xccdf_value("var_accounts_passwords_pam_faillock_fail_interval") }}}</pre></li>
-     <li> add the following line immediately <tt>after</tt> the <tt>pam_unix.so</tt> statement in the <tt>AUTH</tt> section:
--    <pre>auth [default=die] pam_faillock.so authfail deny=<sub idref="var_accounts_passwords_pam_faillock_deny" /> unlock_time=<sub idref="var_accounts_passwords_pam_faillock_unlock_time" /> fail_interval=<sub idref="var_accounts_passwords_pam_faillock_fail_interval" /></pre></li>
-+    <pre>auth [default=die] pam_faillock.so authfail deny={{{ xccdf_value("var_accounts_passwords_pam_faillock_deny") }}} unlock_time={{{ xccdf_value("var_accounts_passwords_pam_faillock_unlock_time") }}} fail_interval={{{ xccdf_value("var_accounts_passwords_pam_faillock_fail_interval") }}}</pre></li>
-     <li> add the following line immediately <tt>before</tt> the <tt>pam_unix.so</tt> statement in the <tt>ACCOUNT</tt> section:
-     <pre>account required pam_faillock.so</pre></li>
-     </ul>
-diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_difok/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_difok/rule.yml
-index fde8c8a188..168960bd4e 100644
---- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_difok/rule.yml
-+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_difok/rule.yml
-@@ -7,7 +7,7 @@ title: 'Set Password Strength Minimum Different Characters'
- description: |-
-     The pam_cracklib module's <tt>difok</tt> parameter controls requirements for
-     usage of different characters during a password change.
--    Add <tt>difok=<i><sub idref="var_password_pam_difok" /></i></tt> after pam_cracklib.so to require differing
-+    Add <tt>difok=<i>{{{ xccdf_value("var_password_pam_difok") }}}</i></tt> after pam_cracklib.so to require differing
-     characters when changing passwords. The DoD requirement is <tt>4</tt>.
- 
- rationale: |-
-diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_maxrepeat/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_maxrepeat/rule.yml
-index 8171db26bd..8865b29f36 100644
---- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_maxrepeat/rule.yml
-+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_maxrepeat/rule.yml
-@@ -7,9 +7,9 @@ title: 'Set Password to Maximum of Three Consecutive Repeating Characters'
- description: |-
-     The pam_cracklib module's <tt>maxrepeat</tt> parameter controls requirements for
-     consecutive repeating characters. When set to a positive number, it will reject passwords
--    which contain more than that number of consecutive characters. Add <tt>maxrepeat=<sub idref="var_password_pam_maxrepeat" /></tt>
--    after pam_cracklib.so to prevent a run of (<sub idref="var_password_pam_maxrepeat" /> + 1) or more identical characters:<br />
--    <pre>password required pam_cracklib.so maxrepeat=<sub idref="var_password_pam_maxrepeat" /></pre>
-+    which contain more than that number of consecutive characters. Add <tt>maxrepeat={{{ xccdf_value("var_password_pam_maxrepeat") }}}</tt>
-+    after pam_cracklib.so to prevent a run of ({{{ xccdf_value("var_password_pam_maxrepeat") }}} + 1) or more identical characters:<br />
-+    <pre>password required pam_cracklib.so maxrepeat={{{ xccdf_value("var_password_pam_maxrepeat") }}}</pre>
- 
- rationale: 'Passwords with excessive repeating characters may be more vulnerable to password-guessing attacks.'
- 
-diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_minclass/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_minclass/rule.yml
-index 9723f28793..3c87a58cc6 100644
---- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_minclass/rule.yml
-+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_minclass/rule.yml
-@@ -17,8 +17,8 @@ description: |-
-     * Digits
-     * Special characters (for example, punctuation)
-     </pre>
--    Add <tt>minclass=<i><sub idref="var_password_pam_minclass" /></i></tt> after pam_cracklib.so entry into the
--    <tt>/etc/pam.d/system-auth</tt> file in order to require <sub idref="var_password_pam_minclass" />  differing categories of
-+    Add <tt>minclass=<i>{{{ xccdf_value("var_password_pam_minclass") }}}</i></tt> after pam_cracklib.so entry into the
-+    <tt>/etc/pam.d/system-auth</tt> file in order to require {{{ xccdf_value("var_password_pam_minclass") }}}  differing categories of
-     characters when changing passwords.
-     For example to require at least three character classes to be used in password, use <tt>minclass=3</tt>.
- 
-diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_minlen/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_minlen/rule.yml
-index cb902bccd7..1088af68ee 100644
---- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_minlen/rule.yml
-+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_minlen/rule.yml
-@@ -6,7 +6,7 @@ title: 'Set Password Minimum Length'
- 
- description: |-
-     The pam_cracklib module's <tt>minlen</tt> parameter controls requirements for
--    minimum characters required in a password. Add <tt>minlen=<sub idref="var_password_pam_minlen" /></tt>
-+    minimum characters required in a password. Add <tt>minlen={{{ xccdf_value("var_password_pam_minlen") }}}</tt>
-     after pam_pwquality to set minimum password length requirements.
- 
- rationale: |-
-@@ -38,4 +38,4 @@ ocil_clause: 'minlen is not found or not set to the required value (or higher)'
- ocil: |-
-     To check how many characters are required in a password, run the following command:
-     <pre>$ grep cracklib /etc/pam.d/system-auth</pre>
--    Your output should contain <tt>minlen=<sub idref="var_password_pam_minlen" /></tt>
-+    Your output should contain <tt>minlen={{{ xccdf_value("var_password_pam_minlen") }}}</tt>
-diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_ocredit/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_ocredit/rule.yml
-index 9c6d8a5b31..f8cb083106 100644
---- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_ocredit/rule.yml
-+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_ocredit/rule.yml
-@@ -9,7 +9,7 @@ description: |-
-     usage of special (or ``other'') characters in a password. When set to a negative number, any password will be required to
-     contain that many special characters. When set to a positive number, pam_cracklib will grant +1 additional
-     length credit for each special character.
--    Add <tt>ocredit=<sub idref="var_password_pam_ocredit" /></tt> after pam_cracklib.so to require use of a special character in passwords.
-+    Add <tt>ocredit={{{ xccdf_value("var_password_pam_ocredit") }}}</tt> after pam_cracklib.so to require use of a special character in passwords.
- 
- rationale: |-
-     Requiring a minimum number of special characters makes password guessing attacks
-diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_retry/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_retry/rule.yml
-index e0555d7224..cc1a9f72c7 100644
---- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_retry/rule.yml
-+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pamcracklib/cracklib_accounts_password_pam_retry/rule.yml
-@@ -9,7 +9,7 @@ description: |-
-     <br /><br />
-     Edit the <tt>pam_cracklib.so</tt> statement in
-     <tt>/etc/pam.d/system-auth</tt> to show
--    <tt>retry=<sub idref="var_password_pam_retry" /></tt>, or a lower value
-+    <tt>retry={{{ xccdf_value("var_password_pam_retry") }}}</tt>, or a lower value
-     if site policy is more restrictive.
-     <br /><br />
-     The DoD requirement is a maximum of 3 prompts per session.
-diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_difok/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_difok/rule.yml
-index 965b10a57a..fb64b61520 100644
---- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_difok/rule.yml
-+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_difok/rule.yml
-@@ -9,7 +9,7 @@ description: |-
-     in a password that must not be present in and old password during a password change.
-     <br /><br />
-     Modify the <tt>difok</tt> setting in <tt>/etc/security/pwquality.conf</tt>
--    to equal <sub idref="var_password_pam_difok" /> to require differing characters
-+    to equal {{{ xccdf_value("var_password_pam_difok") }}} to require differing characters
-     when changing passwords.
- 
- rationale: |-
-diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/rule.yml
-index 0d59eefef9..d449c97950 100644
---- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/rule.yml
-+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxclassrepeat/rule.yml
-@@ -8,8 +8,8 @@ description: |-
-     The pam_pwquality module's <tt>maxclassrepeat</tt> parameter controls requirements for
-     consecutive repeating characters from the same character class. When set to a positive number, it will reject passwords
-     which contain more than that number of consecutive characters from the same character class. Modify the
--    <tt>maxclassrepeat</tt> setting in <tt>/etc/security/pwquality.conf</tt> to equal <sub idref="var_password_pam_maxclassrepeat" />
--    to prevent a run of (<sub idref="var_password_pam_maxclassrepeat" /> + 1) or more identical characters.
-+    <tt>maxclassrepeat</tt> setting in <tt>/etc/security/pwquality.conf</tt> to equal {{{ xccdf_value("var_password_pam_maxclassrepeat") }}}
-+    to prevent a run of ({{{ xccdf_value("var_password_pam_maxclassrepeat") }}} + 1) or more identical characters.
- 
- rationale: |-
-     Use of a complex password helps to increase the time and resources required to comrpomise the password.
-diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxrepeat/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxrepeat/rule.yml
-index 59637552ae..cb2755b255 100644
---- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxrepeat/rule.yml
-+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_maxrepeat/rule.yml
-@@ -8,8 +8,8 @@ description: |-
-     The pam_pwquality module's <tt>maxrepeat</tt> parameter controls requirements for
-     consecutive repeating characters. When set to a positive number, it will reject passwords
-     which contain more than that number of consecutive characters. Modify the <tt>maxrepeat</tt> setting
--    in <tt>/etc/security/pwquality.conf</tt> to equal <sub idref="var_password_pam_maxrepeat" /> to prevent a
--    run of (<sub idref="var_password_pam_maxrepeat" /> + 1) or more identical characters.
-+    in <tt>/etc/security/pwquality.conf</tt> to equal {{{ xccdf_value("var_password_pam_maxrepeat") }}} to prevent a
-+    run of ({{{ xccdf_value("var_password_pam_maxrepeat") }}} + 1) or more identical characters.
- 
- rationale: |-
-     Use of a complex password helps to increase the time and resources required to compromise the password.
-diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minclass/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minclass/rule.yml
-index 7dc06b20e9..c6ac4e654b 100644
---- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minclass/rule.yml
-+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minclass/rule.yml
-@@ -19,7 +19,7 @@ description: |-
-     * Special characters (for example, punctuation)
-     </pre>
-     Modify the <tt>minclass</tt> setting in <tt>/etc/security/pwquality.conf</tt> entry
--    to require <sub idref="var_password_pam_minclass" />
-+    to require {{{ xccdf_value("var_password_pam_minclass") }}}
-     differing categories of characters when changing passwords.
- 
- rationale: |-
-diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minlen/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minlen/rule.yml
-index c507413b67..0c1066a550 100644
---- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minlen/rule.yml
-+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_minlen/rule.yml
-@@ -6,7 +6,7 @@ title: 'Ensure PAM Enforces Password Requirements - Minimum Length'
- 
- description: |-
-     The pam_pwquality module's <tt>minlen</tt> parameter controls requirements for
--    minimum characters required in a password. Add <tt>minlen=<sub idref="var_password_pam_minlen" /></tt>
-+    minimum characters required in a password. Add <tt>minlen={{{ xccdf_value("var_password_pam_minlen") }}}</tt>
-     after pam_pwquality to set minimum password length requirements.
- 
- rationale: |-
-@@ -49,7 +49,7 @@ ocil_clause: 'minlen is not found, or not equal to or greater than the required
- ocil: |-
-     To check how many characters are required in a password, run the following command:
-     <pre>$ grep minlen /etc/security/pwquality.conf</pre>
--    Your output should contain <tt>minlen = <sub idref="var_password_pam_minlen" /></tt>
-+    Your output should contain <tt>minlen = {{{ xccdf_value("var_password_pam_minlen") }}}</tt>
- 
- platform: pam
- 
-diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ocredit/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ocredit/rule.yml
-index b9b93d69b1..cbc1ca50ee 100644
---- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ocredit/rule.yml
-+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_ocredit/rule.yml
-@@ -10,7 +10,7 @@ description: |-
-     any password will be required to contain that many special characters.
-     When set to a positive number, pam_pwquality will grant +1
-     additional length credit for each special character. Modify the <tt>ocredit</tt> setting
--    in <tt>/etc/security/pwquality.conf</tt> to equal <sub idref="var_password_pam_ocredit" />
-+    in <tt>/etc/security/pwquality.conf</tt> to equal {{{ xccdf_value("var_password_pam_ocredit") }}}
-     to require use of a special character in passwords.
- 
- rationale: |-
-diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/rule.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/rule.yml
-index a64ee575a1..6b1534adde 100644
---- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/rule.yml
-+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/rule.yml
-@@ -7,7 +7,7 @@ title: 'Ensure PAM Enforces Password Requirements - Authentication Retry Prompts
- description: |-
-     To configure the number of retry prompts that are permitted per-session:
-     Edit the <tt>pam_pwquality.so</tt> statement in <tt>/etc/pam.d/system-auth</tt> to
--    show <tt>retry=<sub idref="var_password_pam_retry" /></tt>, or a lower value if
-+    show <tt>retry={{{ xccdf_value("var_password_pam_retry") }}}</tt>, or a lower value if
-     site policy is more restrictive.
-     The DoD requirement is a maximum of 3 prompts per session.
- 
-diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/configure_opensc_card_drivers/rule.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/configure_opensc_card_drivers/rule.yml
-index 57958bce13..476cffcd62 100644
---- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/configure_opensc_card_drivers/rule.yml
-+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/configure_opensc_card_drivers/rule.yml
-@@ -8,13 +8,13 @@ description: |-
-     The OpenSC smart card tool can auto-detect smart card drivers; however,
-     setting the smart card drivers in use by your organization helps to prevent
-     users from using unauthorized smart cards. The default smart card driver for this
--    profile is <tt><sub idref="var_smartcard_drivers" /></tt>.
-+    profile is <tt>{{{ xccdf_value("var_smartcard_drivers") }}}</tt>.
-     To configure the OpenSC driver, edit the <tt>/etc/opensc-<i>ARCH</i>.conf</tt> (where
-     <i>ARCH</i> is the architecture of your operating system) file. Look for a
-     line similar to:
-     <pre># card_drivers = old, internal;</pre>
-     and change it to:
--    <pre>card_drivers = <sub idref="var_smartcard_drivers" />;</pre>
-+    <pre>card_drivers = {{{ xccdf_value("var_smartcard_drivers") }}};</pre>
- 
- rationale: |-
-     Smart card login provides two-factor authentication stronger than
-@@ -45,9 +45,9 @@ references:
- ocil_clause: 'the smart card driver is not configured correctly'
- 
- ocil: |-
--    To verify that <tt><sub idref="var_smartcard_drivers" /></tt> is configured
-+    To verify that <tt>{{{ xccdf_value("var_smartcard_drivers") }}}</tt> is configured
-     as the smart card driver, run the following command changing <i>ARCH</i> for
-     the architecture of your operating system:
-     <pre>$ grep card_drivers /etc/opensc-<i>ARCH</i></pre>
-     The output should return something similar to:
--    <pre>card_drivers = <sub idref="var_smartcard_drivers" />;</pre>
-+    <pre>card_drivers = {{{ xccdf_value("var_smartcard_drivers") }}};</pre>
-diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/force_opensc_card_drivers/rule.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/force_opensc_card_drivers/rule.yml
-index ad65316007..261698320c 100644
---- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/force_opensc_card_drivers/rule.yml
-+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/force_opensc_card_drivers/rule.yml
-@@ -9,13 +9,13 @@ description: |-
-     forcing the smart card driver in use by your organization, opensc will no longer
-     autodetect or use other drivers unless specified. This helps to prevent
-     users from using unauthorized smart cards. The default smart card driver for this
--    profile is <tt><sub idref="var_smartcard_drivers" /></tt>.
-+    profile is <tt>{{{ xccdf_value("var_smartcard_drivers") }}}</tt>.
-     To force the OpenSC driver, edit the <tt>/etc/opensc-<i>ARCH</i>.conf</tt> (where
-     <i>ARCH</i> is the architecture of your operating system) file. Look for a line
-     similar to:
-     <pre># force_card_driver = customcos;</pre>
-     and change it to:
--    <pre>force_card_driver = <sub idref="var_smartcard_drivers" />;</pre>
-+    <pre>force_card_driver = {{{ xccdf_value("var_smartcard_drivers") }}};</pre>
- 
- rationale: |-
-     Smart card login provides two-factor authentication stronger than
-@@ -46,9 +46,9 @@ references:
- ocil_clause: 'the smart card driver is not configured correctly'
- 
- ocil: |-
--    To verify that <tt><sub idref="var_smartcard_drivers" /></tt> is configured
-+    To verify that <tt>{{{ xccdf_value("var_smartcard_drivers") }}}</tt> is configured
-     as the smart card driver, run the following command changing <i>ARCH</i> for
-     the architecture of your operating system:
-     <pre>$ grep force_card_driver /etc/opensc-<i>ARCH</i></pre>
-     The output should return something similar to:
--    <pre>force_card_drivers = <sub idref="var_smartcard_drivers" />;</pre>
-+    <pre>force_card_drivers = {{{ xccdf_value("var_smartcard_drivers") }}};</pre>
-diff --git a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_disable_post_pw_expiration/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_disable_post_pw_expiration/rule.yml
-index 45c199ad4a..cfa59edd38 100644
---- a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_disable_post_pw_expiration/rule.yml
-+++ b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_disable_post_pw_expiration/rule.yml
-@@ -9,9 +9,9 @@ description: |-
-     signifies inactivity) until an account is permanently disabled, add or correct
-     the following lines in <tt>/etc/default/useradd</tt>, substituting
-     <tt><i>NUM_DAYS</i></tt> appropriately:
--    <pre>INACTIVE=<i><sub idref="var_account_disable_post_pw_expiration" /></i></pre>
-+    <pre>INACTIVE=<i>{{{ xccdf_value("var_account_disable_post_pw_expiration") }}}</i></pre>
-     A value of 35 is recommended; however, this profile expects that the value is set to
--    <tt><sub idref="var_account_disable_post_pw_expiration" /></tt>.
-+    <tt>{{{ xccdf_value("var_account_disable_post_pw_expiration") }}}</tt>.
-     If a password is currently on the
-     verge of expiration, then 35 days remain until the account is automatically
-     disabled. However, if the password will not expire for another 60 days, then 95
-@@ -63,6 +63,6 @@ ocil: |-
-     The output should indicate the <tt>INACTIVE</tt> configuration option is set
-     to an appropriate integer as shown in the example below:
-     <pre>$ grep "INACTIVE" /etc/default/useradd
--    INACTIVE=<sub idref="var_account_disable_post_pw_expiration" /></pre>
-+    INACTIVE={{{ xccdf_value("var_account_disable_post_pw_expiration") }}}</pre>
- 
- platform: login_defs
-diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/rule.yml
-index 0619423d0c..ccf95260dc 100644
---- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/rule.yml
-+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/rule.yml
-@@ -6,10 +6,10 @@ description: |-
-     To specify password maximum age for new accounts,
-     edit the file <tt>/etc/login.defs</tt>
-     and add or correct the following line:
--    <pre>PASS_MAX_DAYS <sub idref="var_accounts_maximum_age_login_defs" /></pre>
-+    <pre>PASS_MAX_DAYS {{{ xccdf_value("var_accounts_maximum_age_login_defs") }}}</pre>
-     A value of 180 days is sufficient for many environments.
-     The DoD requirement is 60.
--    The profile requirement is <tt><sub idref="var_accounts_maximum_age_login_defs" /></tt>.
-+    The profile requirement is <tt>{{{ xccdf_value("var_accounts_maximum_age_login_defs") }}}</tt>.
- 
- rationale: |-
-     Any password, no matter how complex, can eventually be cracked. Therefore, passwords
-diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs/rule.yml
-index 543e88e822..ceca9550a7 100644
---- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs/rule.yml
-+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs/rule.yml
-@@ -6,10 +6,10 @@ description: |-
-     To specify password minimum age for new accounts,
-     edit the file <tt>/etc/login.defs</tt>
-     and add or correct the following line:
--    <pre>PASS_MIN_DAYS <sub idref="var_accounts_minimum_age_login_defs" /></pre>
-+    <pre>PASS_MIN_DAYS {{{ xccdf_value("var_accounts_minimum_age_login_defs") }}}</pre>
-     A value of 1 day is considered sufficient for many
-     environments. The DoD requirement is 1.
--    The profile requirement is <tt><sub idref="var_accounts_minimum_age_login_defs" /></tt>.
-+    The profile requirement is <tt>{{{ xccdf_value("var_accounts_minimum_age_login_defs") }}}</tt>.
- 
- rationale: |-
-     Enforcing a minimum password lifetime helps to prevent repeated password
-diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_minlen_login_defs/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_minlen_login_defs/rule.yml
-index 2f18ce638a..39864bb79d 100644
---- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_minlen_login_defs/rule.yml
-+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_minlen_login_defs/rule.yml
-@@ -5,12 +5,12 @@ title: 'Set Password Minimum Length in login.defs'
- description: |-
-     To specify password length requirements for new accounts, edit the file
-     <tt>/etc/login.defs</tt> and add or correct the following line:
--    <pre>PASS_MIN_LEN <sub idref="var_accounts_password_minlen_login_defs" /></pre>
-+    <pre>PASS_MIN_LEN {{{ xccdf_value("var_accounts_password_minlen_login_defs") }}}</pre>
-     <br /><br />
-     The DoD requirement is <tt>15</tt>. 
-     The FISMA requirement is <tt>12</tt>.
-     The profile requirement is
--    <tt><sub idref="var_accounts_password_minlen_login_defs" /></tt>.
-+    <tt>{{{ xccdf_value("var_accounts_password_minlen_login_defs") }}}</tt>.
-     If a program consults <tt>/etc/login.defs</tt> and also another PAM module
-     (such as <tt>pam_pwquality</tt>) during a password change operation, then
-     the most restrictive must be satisfied. See PAM section for more
-diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_warn_age_login_defs/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_warn_age_login_defs/rule.yml
-index 1048b7c143..3ba2a7049f 100644
---- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_warn_age_login_defs/rule.yml
-+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_warn_age_login_defs/rule.yml
-@@ -7,9 +7,9 @@ description: |-
-     expiration that a warning will be issued to users,
-     edit the file <tt>/etc/login.defs</tt> and add or correct
-      the following line:
--    <pre>PASS_WARN_AGE <sub idref="var_accounts_password_warn_age_login_defs" /></pre>
-+    <pre>PASS_WARN_AGE {{{ xccdf_value("var_accounts_password_warn_age_login_defs") }}}</pre>
-     The DoD requirement is 7.
--    The profile requirement is <tt><sub idref="var_accounts_password_warn_age_login_defs" /></tt>.
-+    The profile requirement is <tt>{{{ xccdf_value("var_accounts_password_warn_age_login_defs") }}}</tt>.
- 
- rationale: |-
-     Setting the password warning age enables users to
-diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/rule.yml
-index 9a359b22c5..08f81100f4 100644
---- a/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/rule.yml
-+++ b/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/rule.yml
-@@ -5,7 +5,7 @@ title: 'Ensure the Logon Failure Delay is Set Correctly in login.defs'
- description: |-
-     To ensure the logon failure delay controlled by <tt>/etc/login.defs</tt> is set properly,
-     add or correct the <tt>FAIL_DELAY</tt> setting in <tt>/etc/login.defs</tt> to read as follows:
--    <pre>FAIL_DELAY <sub idref="var_accounts_fail_delay" /></pre>
-+    <pre>FAIL_DELAY {{{ xccdf_value("var_accounts_fail_delay") }}}</pre>
- 
- rationale: |-
-     Increasing the time between a failed authentication attempt and re-prompting to
-@@ -37,6 +37,6 @@ ocil: |-
-     <pre>$ sudo grep -i "FAIL_DELAY" /etc/login.defs</pre>
-     All output must show the value of <tt>FAIL_DELAY</tt> set as shown in the below:
-     <pre>$ sudo grep -i "FAIL_DELAY" /etc/login.defs
--    FAIL_DELAY <sub idref="var_accounts_fail_delay" /></pre>
-+    FAIL_DELAY {{{ xccdf_value("var_accounts_fail_delay") }}}</pre>
- 
- platform: login_defs
-diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/rule.yml
-index 3486578e66..2fc9427ce3 100644
---- a/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/rule.yml
-+++ b/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/rule.yml
-@@ -8,7 +8,7 @@ description: |-
-     concurrent sessions by a single user via multiple accounts. To set the number of concurrent
-     sessions per user add the following line in <tt>/etc/security/limits.conf</tt> or
-     a file under <tt>/etc/security/limits.d/</tt>:
--    <pre>* hard maxlogins <sub idref="var_accounts_max_concurrent_login_sessions" /></pre>
-+    <pre>* hard maxlogins {{{ xccdf_value("var_accounts_max_concurrent_login_sessions") }}}</pre>
- 
- rationale: |-
-     Limiting simultaneous user logins can insulate the system from denial of service
-@@ -46,6 +46,6 @@ ocil: |-
-     configured for all users on the system:
-     <pre># grep "maxlogins" /etc/security/limits.conf</pre>
-     You should receive output similar to the following:
--    <pre>*\t\thard\tmaxlogins\t<sub idref="var_accounts_max_concurrent_login_sessions" /></pre>
-+    <pre>*\t\thard\tmaxlogins\t{{{ xccdf_value("var_accounts_max_concurrent_login_sessions") }}}</pre>
- 
- platform: pam
-diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_tmout/rule.yml b/linux_os/guide/system/accounts/accounts-session/accounts_tmout/rule.yml
-index 6e21f653c7..eb64b12e51 100644
---- a/linux_os/guide/system/accounts/accounts-session/accounts_tmout/rule.yml
-+++ b/linux_os/guide/system/accounts/accounts-session/accounts_tmout/rule.yml
-@@ -8,7 +8,7 @@ description: |-
-     Setting the <tt>TMOUT</tt> option in <tt>/etc/profile</tt> ensures that
-     all user sessions will terminate based on inactivity. The <tt>TMOUT</tt>
-     setting in <tt>/etc/profile</tt> should read as follows:
--    <pre>TMOUT=<sub idref="var_accounts_tmout" /></pre>
-+    <pre>TMOUT={{{ xccdf_value("var_accounts_tmout") }}}</pre>
- 
- rationale: |-
-     Terminating an idle session within a short time period reduces
-@@ -48,4 +48,4 @@ ocil: |-
-     on the system:
-     <pre>$ sudo grep TMOUT /etc/profile</pre>
-     The output should return the following:
--    <pre>TMOUT=<sub idref="var_accounts_tmout" /></pre>
-+    <pre>TMOUT={{{ xccdf_value("var_accounts_tmout") }}}</pre>
-diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/rule.yml b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/rule.yml
-index 391a2bcc42..e9beb8f4bd 100644
---- a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/rule.yml
-+++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/rule.yml
-@@ -8,7 +8,7 @@ description: |-
-     To ensure the default umask for users of the Bash shell is set properly,
-     add or correct the <tt>umask</tt> setting in <tt>/etc/bashrc</tt> to read
-     as follows:
--    <pre>umask <sub idref="var_accounts_user_umask" /></pre>
-+    <pre>umask {{{ xccdf_value("var_accounts_user_umask") }}}</pre>
- 
- rationale: |-
-     The umask value influences the permissions assigned to files when they are created.
-@@ -44,5 +44,5 @@ ocil: |-
-     <pre># grep "umask" /etc/bashrc</pre>
-     All output must show the value of <tt>umask</tt> set as shown below:
-     <pre># grep "umask" /etc/bashrc
--    umask <sub idref="var_accounts_user_umask" />
--    umask <sub idref="var_accounts_user_umask" /></pre>
-+    umask {{{ xccdf_value("var_accounts_user_umask") }}}
-+    umask {{{ xccdf_value("var_accounts_user_umask") }}}</pre>
-diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_csh_cshrc/rule.yml b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_csh_cshrc/rule.yml
-index 5b8bc81ab3..347e881d5e 100644
---- a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_csh_cshrc/rule.yml
-+++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_csh_cshrc/rule.yml
-@@ -7,7 +7,7 @@ title: 'Ensure the Default C Shell Umask is Set Correctly'
- description: |-
-     To ensure the default umask for users of the C shell is set properly,
-     add or correct the <tt>umask</tt> setting in <tt>/etc/csh.cshrc</tt> to read as follows:
--    <pre>umask <sub idref="var_accounts_user_umask" /></pre>
-+    <pre>umask {{{ xccdf_value("var_accounts_user_umask") }}}</pre>
- 
- rationale: |-
-     The umask value influences the permissions assigned to files when they are created.
-@@ -42,4 +42,4 @@ ocil: |-
-     <pre># grep "umask" /etc/csh.cshrc</pre>
-     All output must show the value of <tt>umask</tt> set as shown in the below:
-     <pre># grep "umask" /etc/csh.cshrc
--    umask <sub idref="var_accounts_user_umask" /></pre>
-+    umask {{{ xccdf_value("var_accounts_user_umask") }}}</pre>
-diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_login_defs/rule.yml b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_login_defs/rule.yml
-index ecb2dfb1f1..088e9ce2a8 100644
---- a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_login_defs/rule.yml
-+++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_login_defs/rule.yml
-@@ -5,7 +5,7 @@ title: 'Ensure the Default Umask is Set Correctly in login.defs'
- description: |-
-     To ensure the default umask controlled by <tt>/etc/login.defs</tt> is set properly,
-     add or correct the <tt>UMASK</tt> setting in <tt>/etc/login.defs</tt> to read as follows:
--    <pre>UMASK <sub idref="var_accounts_user_umask" /></pre>
-+    <pre>UMASK {{{ xccdf_value("var_accounts_user_umask") }}}</pre>
- 
- rationale: |-
-     The umask value influences the permissions assigned to files when they are created.
-@@ -42,6 +42,6 @@ ocil: |-
-     <pre># grep -i "UMASK" /etc/login.defs</pre>
-     All output must show the value of <tt>umask</tt> set as shown in the below:
-     <pre># grep -i "UMASK" /etc/login.defs
--    umask <sub idref="var_accounts_user_umask" /></pre>
-+    umask {{{ xccdf_value("var_accounts_user_umask") }}}</pre>
- 
- platform: login_defs
-diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_profile/rule.yml b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_profile/rule.yml
-index bf48d81899..43ab898b5d 100644
---- a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_profile/rule.yml
-+++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_profile/rule.yml
-@@ -5,7 +5,7 @@ title: 'Ensure the Default Umask is Set Correctly in /etc/profile'
- description: |-
-     To ensure the default umask controlled by <tt>/etc/profile</tt> is set properly,
-     add or correct the <tt>umask</tt> setting in <tt>/etc/profile</tt> to read as follows:
--    <pre>umask <sub idref="var_accounts_user_umask" /></pre>
-+    <pre>umask {{{ xccdf_value("var_accounts_user_umask") }}}</pre>
- 
- rationale: |-
-     The umask value influences the permissions assigned to files when they are created.
-@@ -42,4 +42,4 @@ ocil: |-
-     <pre># grep "umask" /etc/profile</pre>
-     All output must show the value of <tt>umask</tt> set as shown in the below:
-     <pre># grep "umask" /etc/profile
--    umask <sub idref="var_accounts_user_umask" /></pre>
-+    umask {{{ xccdf_value("var_accounts_user_umask") }}}</pre>
-diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_configure_remote_server/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_configure_remote_server/rule.yml
-index c317700e71..c19af71bb5 100644
---- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_configure_remote_server/rule.yml
-+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_configure_remote_server/rule.yml
-@@ -16,7 +16,7 @@ description: |-
-     </pre>
-     with an IP address or hostname of the system that the audispd plugin should
-     send audit records to. For example
--    <pre>remote_server = <i><sub idref="var_audispd_remote_server" /></i></pre>
-+    <pre>remote_server = <i>{{{ xccdf_value("var_audispd_remote_server") }}}</i></pre>
- 
- rationale: |-
-     Information stored in one location is vulnerable to accidental or incidental
-@@ -48,5 +48,5 @@ ocil: |-
-     <pre>$ sudo grep -i remote_server /etc/audisp/audisp-remote.conf</pre>
- {{% endif %}}
-     The output should return something similar to
--    <pre>remote_server = <i><sub idref="var_audispd_remote_server" /></i></pre>
-+    <pre>remote_server = <i>{{{ xccdf_value("var_audispd_remote_server") }}}</i></pre>
- 
-diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_action_mail_acct/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_action_mail_acct/rule.yml
-index a071e6dda5..66de6e73a5 100644
---- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_action_mail_acct/rule.yml
-+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_action_mail_acct/rule.yml
-@@ -7,7 +7,7 @@ description: |-
-     a designated account in certain situations. Add or correct the following line
-     in <tt>/etc/audit/auditd.conf</tt> to ensure that administrators are notified
-     via email for those situations:
--    <pre>action_mail_acct = <sub idref="var_auditd_action_mail_acct" /></pre>
-+    <pre>action_mail_acct = {{{ xccdf_value("var_auditd_action_mail_acct") }}}</pre>
- 
- rationale: |-
-     Email sent to the root account is typically aliased to the
-@@ -49,5 +49,5 @@ ocil: |-
-     Inspect <tt>/etc/audit/auditd.conf</tt> and locate the following line to
-     determine if the system is configured to send email to an
-     account when it needs to notify an administrator:
--    <pre>action_mail_acct = <sub idref="var_auditd_action_mail_acct" /></pre>
-+    <pre>action_mail_acct = {{{ xccdf_value("var_auditd_action_mail_acct") }}}</pre>
- 
-diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_flush/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_flush/rule.yml
-index b4038d13bd..1db8b82dda 100644
---- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_flush/rule.yml
-+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_flush/rule.yml
-@@ -9,7 +9,7 @@ description: |-
-     synchronously write audit event data to disk. Add or correct the following
-     line in <tt>/etc/audit/auditd.conf</tt> to ensure that audit event data is
-     fully synchronized with the log files on the disk:
--    <pre>flush = <sub idref="var_auditd_flush" /></pre>
-+    <pre>flush = {{{ xccdf_value("var_auditd_flush") }}}</pre>
- 
- rationale: |-
-     Audit data should be synchronously written to disk to ensure
-diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file/rule.yml
-index 73107df695..1bdafa9215 100644
---- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file/rule.yml
-+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file/rule.yml
-@@ -6,7 +6,7 @@ description: |-
-     Determine the amount of audit data (in megabytes)
-     which should be retained in each log file. Edit the file
-     <tt>/etc/audit/auditd.conf</tt>. Add or modify the following line, substituting
--    the correct value of <sub idref="var_auditd_max_log_file" /> for <i>STOREMB</i>:
-+    the correct value of {{{ xccdf_value("var_auditd_max_log_file") }}} for <i>STOREMB</i>:
-     <pre>max_log_file = <i>STOREMB</i></pre>
-     Set the value to <tt>6</tt> (MB) or higher for general-purpose systems.
-     Larger values, of course,
-diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_num_logs/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_num_logs/rule.yml
-index 01bb0ad7a2..34e2a2b60f 100644
---- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_num_logs/rule.yml
-+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_num_logs/rule.yml
-@@ -6,7 +6,7 @@ description: |-
-     Determine how many log files
-     <tt>auditd</tt> should retain when it rotates logs.
-     Edit the file <tt>/etc/audit/auditd.conf</tt>. Add or modify the following
--    line, substituting <i>NUMLOGS</i> with the correct value of <sub idref="var_auditd_num_logs" />:
-+    line, substituting <i>NUMLOGS</i> with the correct value of {{{ xccdf_value("var_auditd_num_logs") }}}:
-     <pre>num_logs = <i>NUMLOGS</i></pre>
-     Set the value to 5 for general-purpose systems.
-     Note that values less than 2 result in no log rotation.
-diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/rule.yml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/rule.yml
-index 3331f5188a..74a87bb659 100644
---- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/rule.yml
-+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_groupownership/rule.yml
-@@ -4,15 +4,15 @@ title: 'Ensure Log Files Are Owned By Appropriate Group'
- 
- description: |-
-     The group-owner of all log files written by
--    <tt>rsyslog</tt> should be <tt><sub idref="file_groupowner_logfiles_value" /></tt>.
-+    <tt>rsyslog</tt> should be <tt>{{{ xccdf_value("file_groupowner_logfiles_value") }}}</tt>.
-     These log files are determined by the second part of each Rule line in
-     <tt>/etc/rsyslog.conf</tt> and typically all appear in <tt>/var/log</tt>.
-     For each log file <i>LOGFILE</i> referenced in <tt>/etc/rsyslog.conf</tt>,
-     run the following command to inspect the file's group owner:
-     <pre>$ ls -l <i>LOGFILE</i></pre>
--    If the owner is not <tt><sub idref="file_groupowner_logfiles_value" /></tt>, run the following command to
-+    If the owner is not <tt>{{{ xccdf_value("file_groupowner_logfiles_value") }}}</tt>, run the following command to
-     correct this:
--    <pre>$ sudo chgrp <sub idref="file_groupowner_logfiles_value" /> <i>LOGFILE</i></pre>
-+    <pre>$ sudo chgrp {{{ xccdf_value("file_groupowner_logfiles_value") }}} <i>LOGFILE</i></pre>
- 
- rationale: |-
-     The log files generated by rsyslog contain valuable information regarding system
-@@ -43,7 +43,7 @@ references:
- ocil_clause: 'the group-owner is not correct'
- 
- ocil: |-
--    The group-owner of all log files written by <tt>rsyslog</tt> should be <tt><sub idref="file_groupowner_logfiles_value" /></tt>.
-+    The group-owner of all log files written by <tt>rsyslog</tt> should be <tt>{{{ xccdf_value("file_groupowner_logfiles_value") }}}</tt>.
-     These log files are determined by the second part of each Rule line in
-     <tt>/etc/rsyslog.conf</tt> and typically all appear in <tt>/var/log</tt>.
-     To see the group-owner of a given log file, run the following command:
-diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/rule.yml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/rule.yml
-index a034c0a193..506b6457ca 100644
---- a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/rule.yml
-+++ b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_files_ownership/rule.yml
-@@ -4,15 +4,15 @@ title: 'Ensure Log Files Are Owned By Appropriate User'
- 
- description: |-
-     The owner of all log files written by
--    <tt>rsyslog</tt> should be <tt><sub idref="file_owner_logfiles_value" /></tt>.
-+    <tt>rsyslog</tt> should be <tt>{{{ xccdf_value("file_owner_logfiles_value") }}}</tt>.
-     These log files are determined by the second part of each Rule line in
-     <tt>/etc/rsyslog.conf</tt> and typically all appear in <tt>/var/log</tt>.
-     For each log file <i>LOGFILE</i> referenced in <tt>/etc/rsyslog.conf</tt>,
-     run the following command to inspect the file's owner:
-     <pre>$ ls -l <i>LOGFILE</i></pre>
--    If the owner is not <tt><sub idref="file_owner_logfiles_value" /></tt>, run the following command to
-+    If the owner is not <tt>{{{ xccdf_value("file_owner_logfiles_value") }}}</tt>, run the following command to
-     correct this:
--    <pre>$ sudo chown <sub idref="file_owner_logfiles_value" /> <i>LOGFILE</i></pre>
-+    <pre>$ sudo chown {{{ xccdf_value("file_owner_logfiles_value") }}} <i>LOGFILE</i></pre>
- 
- rationale: |-
-     The log files generated by rsyslog contain valuable information regarding system
-@@ -43,7 +43,7 @@ references:
- ocil_clause: 'the owner is not correct'
- 
- ocil: |-
--    The owner of all log files written by <tt>rsyslog</tt> should be <tt><sub idref="file_owner_logfiles_value" /></tt>.
-+    The owner of all log files written by <tt>rsyslog</tt> should be <tt>{{{ xccdf_value("file_owner_logfiles_value") }}}</tt>.
-     These log files are determined by the second part of each Rule line in
-     <tt>/etc/rsyslog.conf</tt> and typically all appear in <tt>/var/log</tt>.
-     To see the owner of a given log file, run the following command:
-diff --git a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml
-index 642bf1ee0e..c27707569f 100644
---- a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml
-+++ b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/rule.yml
-@@ -10,21 +10,21 @@ description: |-
-     Along with these other directives, the system can be configured
-     to forward its logs to a particular log server by
-     adding or correcting one of the following lines,
--    substituting <tt><i><sub idref="rsyslog_remote_loghost_address" /></i></tt> appropriately.
-+    substituting <tt><i>{{{ xccdf_value("rsyslog_remote_loghost_address") }}}</i></tt> appropriately.
-     The choice of protocol depends on the environment of the system;
-     although TCP and RELP provide more reliable message delivery,
-     they may not be supported in all environments.
-     <br />
-     To use UDP for log message delivery:
--    <pre>*.* @<i><sub idref="rsyslog_remote_loghost_address" /></i></pre>
-+    <pre>*.* @<i>{{{ xccdf_value("rsyslog_remote_loghost_address") }}}</i></pre>
-     <br />
-     To use TCP for log message delivery:
--    <pre>*.* @@<i><sub idref="rsyslog_remote_loghost_address" /></i></pre>
-+    <pre>*.* @@<i>{{{ xccdf_value("rsyslog_remote_loghost_address") }}}</i></pre>
-     <br />
-     To use RELP for log message delivery:
--    <pre>*.* :omrelp:<i><sub idref="rsyslog_remote_loghost_address" /></i></pre>
-+    <pre>*.* :omrelp:<i>{{{ xccdf_value("rsyslog_remote_loghost_address") }}}</i></pre>
-     <br />
--    There must be a resolvable DNS CNAME or Alias record set to "<sub idref="rsyslog_remote_loghost_address" />" for logs to be sent correctly to the centralized logging utility.
-+    There must be a resolvable DNS CNAME or Alias record set to "{{{ xccdf_value("rsyslog_remote_loghost_address") }}}" for logs to be sent correctly to the centralized logging utility.
- 
- rationale: |-
-     A log server (loghost) receives syslog messages from one or more
-@@ -67,8 +67,8 @@ ocil: |-
-     To ensure logs are sent to a remote host, examine the file
-     <tt>/etc/rsyslog.conf</tt>.
-     If using UDP, a line similar to the following should be present:
--    <pre> *.* @<i><sub idref="rsyslog_remote_loghost_address" /></i></pre>
-+    <pre> *.* @<i>{{{ xccdf_value("rsyslog_remote_loghost_address") }}}</i></pre>
-     If using TCP, a line similar to the following should be present:
--    <pre> *.* @@<i><sub idref="rsyslog_remote_loghost_address" /></i></pre>
-+    <pre> *.* @@<i>{{{ xccdf_value("rsyslog_remote_loghost_address") }}}</i></pre>
-     If using RELP, a line similar to the following should be present:
--    <pre> *.* :omrelp:<i><sub idref="rsyslog_remote_loghost_address" /></i></pre>
-+    <pre> *.* :omrelp:<i>{{{ xccdf_value("rsyslog_remote_loghost_address") }}}</i></pre>
-diff --git a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_tcp_invalid_ratelimit/rule.yml b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_tcp_invalid_ratelimit/rule.yml
-index 7e96bbd35d..e68faf00ca 100644
---- a/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_tcp_invalid_ratelimit/rule.yml
-+++ b/linux_os/guide/system/network/network-kernel/network_host_and_router_parameters/sysctl_net_ipv4_tcp_invalid_ratelimit/rule.yml
-@@ -15,7 +15,7 @@ description: |-
-     Set the system to implement rate-limiting measures by adding the following line to
-     <tt>/etc/sysctl.conf</tt> or a configuration file in the <tt>/etc/sysctl.d/</tt> directory
-     (or modify the line to have the required value):
--    <pre>net.ipv4.tcp_invalid_ratelimit = <sub idref="sysctl_net_ipv4_tcp_invalid_ratelimit_value" /></pre>
-+    <pre>net.ipv4.tcp_invalid_ratelimit = {{{ xccdf_value("sysctl_net_ipv4_tcp_invalid_ratelimit_value") }}}</pre>
-     Issue the following command to make the changes take effect:
-     <pre># sysctl --system</pre>
- 
-@@ -51,7 +51,7 @@ ocil: |-
-     on impacted network interfaces, run the following command:
-     <pre># grep 'net.ipv4.tcp_invalid_ratelimit' /etc/sysctl.conf /etc/sysctl.d/*</pre>
-     The command should output the following line:
--    <pre>/etc/sysctl.conf:net.ipv4.tcp_invalid_ratelimit = <sub idref="sysctl_net_ipv4_tcp_invalid_ratelimit_value" /></pre>
-+    <pre>/etc/sysctl.conf:net.ipv4.tcp_invalid_ratelimit = {{{ xccdf_value("sysctl_net_ipv4_tcp_invalid_ratelimit_value") }}}</pre>
-     The file where the line has been found can differ, but it must be either <tt>/etc/sysctl.conf</tt>
-     or a file located under the <tt>/etc/sysctl.d/</tt> directory.
- 
-diff --git a/linux_os/guide/system/permissions/restrictions/daemon_umask/umask_for_daemons/rule.yml b/linux_os/guide/system/permissions/restrictions/daemon_umask/umask_for_daemons/rule.yml
-index a14fc555af..64c6c3668d 100644
---- a/linux_os/guide/system/permissions/restrictions/daemon_umask/umask_for_daemons/rule.yml
-+++ b/linux_os/guide/system/permissions/restrictions/daemon_umask/umask_for_daemons/rule.yml
-@@ -11,7 +11,7 @@ description: |-
-     a umask of <tt>077</tt> in their own init scripts. By default, the umask of
-     <tt>022</tt> is set which prevents creation of group- or world-writable files.
-     To set the umask for daemons expected by the profile, edit the following line:
--    <pre>umask <i><sub idref="var_umask_for_daemons" /></i></pre>
-+    <pre>umask <i>{{{ xccdf_value("var_umask_for_daemons") }}}</i></pre>
- 
- rationale: |-
-     The umask influences the permissions assigned to files created by a
-@@ -40,7 +40,7 @@ ocil_clause: 'it does not'
- ocil: |-
-     To check the value of the <tt>umask</tt>, run the following command:
-     <pre>$ grep umask /etc/init.d/functions</pre>
--    The output should show <tt><sub idref="var_umask_for_daemons" /></tt>.
-+    The output should show <tt>{{{ xccdf_value("var_umask_for_daemons") }}}</tt>.
- 
- warnings:
-     - functionality: |-
-diff --git a/linux_os/guide/system/selinux/selinux_policytype/rule.yml b/linux_os/guide/system/selinux/selinux_policytype/rule.yml
-index bbc6b3a992..d861f5f9e2 100644
---- a/linux_os/guide/system/selinux/selinux_policytype/rule.yml
-+++ b/linux_os/guide/system/selinux/selinux_policytype/rule.yml
-@@ -9,7 +9,7 @@ description: |-
-     general-purpose desktops and servers, as well as systems in many other roles.
-     To configure the system to use this policy, add or correct the following line
-     in <tt>/etc/selinux/config</tt>:
--    <pre>SELINUXTYPE=<sub idref="var_selinux_policy_name" /></pre>
-+    <pre>SELINUXTYPE={{{ xccdf_value("var_selinux_policy_name") }}}</pre>
-     Other policies, such as <tt>mls</tt>, provide additional security labeling
-     and greater confinement but are not compatible with many general-purpose
-     use cases.
-@@ -23,7 +23,7 @@ rationale: |-
-     temporarily place non-production systems in <tt>permissive</tt> mode. In such
-     temporary cases, SELinux policies should be developed, and once work
-     is completed, the system should be reconfigured to
--    <tt><sub idref="var_selinux_policy_name" /></tt>.
-+    <tt>{{{ xccdf_value("var_selinux_policy_name") }}}</tt>.
- 
- severity: high
- 
-@@ -57,4 +57,4 @@ ocil_clause: 'it does not'
- 
- ocil: |-
-     Check the file <tt>/etc/selinux/config</tt> and ensure the following line appears:
--    <pre>SELINUXTYPE=<sub idref="var_selinux_policy_name" /></pre>
-+    <pre>SELINUXTYPE={{{ xccdf_value("var_selinux_policy_name") }}}</pre>
-diff --git a/linux_os/guide/system/selinux/selinux_state/rule.yml b/linux_os/guide/system/selinux/selinux_state/rule.yml
-index 2c90aadbd1..66c5fd65f8 100644
---- a/linux_os/guide/system/selinux/selinux_state/rule.yml
-+++ b/linux_os/guide/system/selinux/selinux_state/rule.yml
-@@ -5,10 +5,10 @@ prodtype: fedora,rhcos4,ol7,ol8,rhel6,rhel7,rhel8,rhv4,sle15,wrlinux1019
- title: 'Ensure SELinux State is Enforcing'
- 
- description: |-
--    The SELinux state should be set to <tt><sub idref="var_selinux_state" /></tt> at
-+    The SELinux state should be set to <tt>{{{ xccdf_value("var_selinux_state") }}}</tt> at
-     system boot time.  In the file <tt>/etc/selinux/config</tt>, add or correct the
-     following line to configure the system to boot into enforcing mode:
--    <pre>SELINUX=<sub idref="var_selinux_state" /></pre>
-+    <pre>SELINUX={{{ xccdf_value("var_selinux_state") }}}</pre>
- 
- rationale: |-
-     Setting the SELinux state to enforcing ensures SELinux is able to confine
-@@ -49,4 +49,4 @@ ocil_clause: 'SELINUX is not set to enforcing'
- 
- ocil: |-
-     Check the file <tt>/etc/selinux/config</tt> and ensure the following line appears:
--    <pre>SELINUX=<sub idref="var_selinux_state" /></pre>
-+    <pre>SELINUX={{{ xccdf_value("var_selinux_state") }}}</pre>
-diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_delay/rule.yml b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_delay/rule.yml
-index d2feba00b4..bec17bc68b 100644
---- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_delay/rule.yml
-+++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_delay/rule.yml
-@@ -54,7 +54,7 @@ ocil_clause: 'idle-delay is not equal to or less than the expected value'
- ocil: |-
-     To check the current idle time-out value, run the following command:
-     <pre>$ gsettings get org.gnome.desktop.session idle-delay</pre>
--    If properly configured, the output should be <tt>'uint32 <sub idref="inactivity_timeout_value" />'</tt>.
-+    If properly configured, the output should be <tt>'uint32 {{{ xccdf_value("inactivity_timeout_value") }}}'</tt>.
-     To ensure that users cannot change the screensaver inactivity timeout setting, run the following:
-     <pre>$ grep idle-delay /etc/dconf/db/local.d/locks/*</pre>
-     If properly configured, the output should be <tt>/org/gnome/desktop/session/idle-delay</tt>
-diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_delay/rule.yml b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_delay/rule.yml
-index c0a8de72c9..d8a596554c 100644
---- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_delay/rule.yml
-+++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_delay/rule.yml
-@@ -6,10 +6,10 @@ title: 'Set GNOME3 Screensaver Lock Delay After Activation Period'
- 
- description: |-
-     To activate the locking delay of the screensaver in the GNOME3 desktop when
--    the screensaver is activated, add or set <tt>lock-delay</tt> to <tt>uint32 <sub idref="var_screensaver_lock_delay" /></tt> in
-+    the screensaver is activated, add or set <tt>lock-delay</tt> to <tt>uint32 {{{ xccdf_value("var_screensaver_lock_delay") }}}</tt> in
-     <tt>/etc/dconf/db/local.d/00-security-settings</tt>. For example:
-     <pre>[org/gnome/desktop/screensaver]
--    lock-delay=uint32 <sub idref="var_screensaver_lock_delay" />
-+    lock-delay=uint32 {{{ xccdf_value("var_screensaver_lock_delay") }}}
-     </pre>
-     Once the setting has been added, add a lock to
-     <tt>/etc/dconf/db/local.d/locks/00-security-settings-lock</tt> to prevent user modification.
-@@ -48,7 +48,7 @@ ocil_clause: 'the screensaver lock delay is missing, or is set to a value greate
- ocil: |-
-     To check that the screen locks immediately when activated, run the following command:
-     <pre>$ gsettings get org.gnome.desktop.screensaver lock-delay</pre>
--    If properly configured, the output should be <tt>'uint32 <sub idref="var_screensaver_lock_delay" />'</tt>.
-+    If properly configured, the output should be <tt>'uint32 {{{ xccdf_value("var_screensaver_lock_delay") }}}'</tt>.
-     <br /><br />
-     To ensure that users cannot change how long until the the screensaver locks, run the following:
-     <pre>$ grep lock-delay /etc/dconf/db/local.d/locks/*</pre>
-diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/gconf_gnome_screensaver_idle_delay/rule.yml b/linux_os/guide/system/software/gnome/gnome_screen_locking/gconf_gnome_screensaver_idle_delay/rule.yml
-index 34eb02abf7..5525337fc6 100644
---- a/linux_os/guide/system/software/gnome/gnome_screen_locking/gconf_gnome_screensaver_idle_delay/rule.yml
-+++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/gconf_gnome_screensaver_idle_delay/rule.yml
-@@ -4,12 +4,12 @@ title: 'Set GNOME Login Inactivity Timeout'
- 
- description: |-
-     Run the following command to set the idle time-out value for
--    inactivity in the GNOME desktop to <sub idref="inactivity_timeout_value" /> minutes:
-+    inactivity in the GNOME desktop to {{{ xccdf_value("inactivity_timeout_value") }}} minutes:
-     <pre>$ sudo gconftool-2 \
-       --direct \
-       --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
-       --type int \
--      --set /desktop/gnome/session/idle_delay <sub idref="inactivity_timeout_value" /></pre>
-+      --set /desktop/gnome/session/idle_delay {{{ xccdf_value("inactivity_timeout_value") }}}</pre>
- 
- rationale: |-
-     Setting the idle delay controls when the
-@@ -39,4 +39,4 @@ ocil_clause: 'it is not'
- ocil: |-
-     To check the current idle time-out value, run the following command:
-     <pre>$ gconftool-2 -g /desktop/gnome/session/idle_delay</pre>
--    If properly configured, the output should be <tt><sub idref="inactivity_timeout_value" /></tt>.
-+    If properly configured, the output should be <tt>{{{ xccdf_value("inactivity_timeout_value") }}}</tt>.
-diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/gconf_gnome_screensaver_max_idle_time/rule.yml b/linux_os/guide/system/software/gnome/gnome_screen_locking/gconf_gnome_screensaver_max_idle_time/rule.yml
-index 99eaf236f7..17fffec0ed 100644
---- a/linux_os/guide/system/software/gnome/gnome_screen_locking/gconf_gnome_screensaver_max_idle_time/rule.yml
-+++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/gconf_gnome_screensaver_max_idle_time/rule.yml
-@@ -4,12 +4,12 @@ title: 'Set GNOME Login Maximum Allowed Inactivity'
- 
- description: |-
-     Run the following command to set the maximum allowed period of inactivity for an
--    inactive user in the GNOME desktop to <sub idref="inactivity_timeout_value" /> minutes:
-+    inactive user in the GNOME desktop to {{{ xccdf_value("inactivity_timeout_value") }}} minutes:
-     <pre>$ sudo gconftool-2 \
-       --direct \
-       --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
-       --type int \
--      --set /desktop/gnome/session/max_idle_time <sub idref="inactivity_timeout_value" /></pre>
-+      --set /desktop/gnome/session/max_idle_time {{{ xccdf_value("inactivity_timeout_value") }}}</pre>
- 
- rationale: |-
-     Terminating an idle session within a short time period reduces the window of
-@@ -23,4 +23,4 @@ ocil_clause: 'it is not'
- ocil: |-
-     To check the current idle time-out value, run the following command:
-     <pre>$ gconftool-2 -g /desktop/gnome/session/max_idle_time</pre>
--    If properly configured, the output should be <tt><sub idref="idle_timeout_value" /></tt>.
-+    If properly configured, the output should be <tt>{{{ xccdf_value("idle_timeout_value") }}}</tt>.
-diff --git a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/rule.yml
-index 0f9a919b16..243f079cc3 100644
---- a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/rule.yml
-+++ b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/rule.yml
-@@ -5,9 +5,9 @@ prodtype: fedora,rhcos4,ol8,rhel8,rhv4
- title: 'Configure System Cryptography Policy'
- 
- description: |-
--    To configure the system cryptography policy to use ciphers only from the <tt><sub idref="var_system_crypto_policy" /></tt>
-+    To configure the system cryptography policy to use ciphers only from the <tt>{{{ xccdf_value("var_system_crypto_policy") }}}</tt>
-     policy, run the following command:
--    <pre>$ sudo update-crypto-policies --set <sub idref="var_system_crypto_policy" /></pre>
-+    <pre>$ sudo update-crypto-policies --set {{{ xccdf_value("var_system_crypto_policy") }}}</pre>
-     The rule checks if settings for selected crypto policy are configured as expected. Configuration files in the <tt>/etc/crypto-policies/back-ends</tt> are either symlinks to correct files provided by Crypto-policies package or they are regular files in case crypto policy customizations are applied.
-     Crypto policies may be customized by crypto policy modules, in which case it is delimited from the base policy using a colon.
- 
-@@ -34,7 +34,7 @@ ocil: |-
-     To verify that cryptography policy has been configured correctly, run the
-     following command:
-     <pre>$ update-crypto-policies --show</pre>
--    The output should return <pre><sub idref="var_system_crypto_policy" /></pre>.
-+    The output should return <pre>{{{ xccdf_value("var_system_crypto_policy") }}}</pre>.
-     Run the command to check if the policy is correctly applied:
-     <pre>$ update-crypto-policies --is-applied</pre>
-     The output should be <pre>The configured policy is applied</pre>.
-diff --git a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/rule.yml b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/rule.yml
-index 89725a33c3..735a68b264 100644
---- a/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/rule.yml
-+++ b/linux_os/guide/system/software/integrity/crypto/ssh_client_rekey_limit/rule.yml
-@@ -9,7 +9,7 @@ description: |-
-     the session key is renegotiated, both in terms of
-     amount of data that may be transmitted and the time
-     elapsed. To decrease the default limits, put line
--    <tt>RekeyLimit {{{ sub_var_value("var_ssh_client_rekey_limit_size") }}} {{{ sub_var_value("var_ssh_client_rekey_limit_time") }}}</tt> to file <tt>/etc/ssh/ssh_config.d/02-rekey-limit.conf</tt>.
-+    <tt>RekeyLimit {{{ xccdf_value("var_ssh_client_rekey_limit_size") }}} {{{ xccdf_value("var_ssh_client_rekey_limit_time") }}}</tt> to file <tt>/etc/ssh/ssh_config.d/02-rekey-limit.conf</tt>.
-     Make sure that there is no other <tt>RekeyLimit</tt> configuration preceding
-     the <tt>include</tt> directive in the main config file
-     <tt>/etc/ssh/ssh_config</tt>. Check also other files in
-@@ -37,8 +37,8 @@ ocil: |-
-     To check if RekeyLimit is set correctly, run the following command: <pre>$
-     sudo grep RekeyLimit /etc/ssh/ssh_config.d/*.conf</pre> If configured
-     properly, output should be <pre>/etc/ssh/ssh_config.d/02-rekey-limit.conf:
--    RekeyLimit {{{ sub_var_value("var_ssh_client_rekey_limit_size") }}} {{{
--    sub_var_value("var_ssh_client_rekey_limit_time") }}}</pre> Check also the
-+    RekeyLimit {{{ xccdf_value("var_ssh_client_rekey_limit_size") }}}
-+    {{{ xccdf_value("var_ssh_client_rekey_limit_time") }}}</pre> Check also the
-     main configuration file with the following command: <pre>sudo grep
-     RekeyLimit /etc/ssh/ssh_config</pre> The command should not return any
-     output.
-diff --git a/shared/macros.jinja b/shared/macros.jinja
-index c3bfcaff2f..e670423a9e 100644
---- a/shared/macros.jinja
-+++ b/shared/macros.jinja
-@@ -5,7 +5,7 @@ ocil_clause: "the required value is not set"
- 
- {{% macro openshift_cluster_setting(endpoint) -%}}
- This rule's check operates on the cluster configuration dump.
--Therefore, you need to use a tool that can query the OCP API, retreive the <code class="ocp-api-endpoint">{{{ endpoint }}}</code> API endpoint to the local <code class="ocp-dump-location">{{{ sub_var_value("ocp_data_root") }}}/{{{ endpoint.lstrip("/") }}}</code> file.
-+Therefore, you need to use a tool that can query the OCP API, retreive the <code class="ocp-api-endpoint">{{{ endpoint }}}</code> API endpoint to the local <code class="ocp-dump-location">{{{ xccdf_value("ocp_data_root") }}}/{{{ endpoint.lstrip("/") }}}</code> file.
- {{%- endmacro %}}
- 
- 
-@@ -42,6 +42,11 @@ ocil_clause: "the {{{ option }}} is not present in the output line, or there is
- 
- 
- {{% macro sub_var_value(varname) -%}}
-+{{{ xccdf_value(varname) }}}
-+{{%- endmacro %}}
-+
-+
-+{{% macro xccdf_value(varname) -%}}
- <sub idref="{{{ varname }}}" />
- {{%- endmacro %}}
- 
-
-From b3d3c2619b44e391f96a1741ac3f116cf6e1b6c7 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
-Date: Fri, 4 Sep 2020 12:21:18 +0200
-Subject: [PATCH 2/3] Replaced XCCDF value instantiation in Bash by a macro
- call.
-
-The former populate ... mechanism is not Bash, it is a special trick perforemd by our build system.
-This trick is confusing, its support in the build system is implemented as a complex code, and
-it doesnt support multiple values per remediation intuitively.
-
-This makes the build system involvement explicit, and it opens possibilities to perform implementation
-changes without breaking backward compatibility.
----
- .../postfix_client_configure_mail_alias/bash/shared.sh          | 2 +-
- .../services/ntp/chronyd_or_ntpd_set_maxpoll/bash/shared.sh     | 2 +-
- .../ntp/chronyd_or_ntpd_specify_multiple_servers/bash/shared.sh | 2 +-
- .../ntp/chronyd_or_ntpd_specify_remote_server/bash/shared.sh    | 2 +-
- .../services/ntp/chronyd_specify_remote_server/bash/shared.sh   | 2 +-
- .../ssh/ssh_server/sshd_disable_compression/bash/shared.sh      | 2 +-
- .../ssh/ssh_server/sshd_set_idle_timeout/bash/shared.sh         | 2 +-
- .../services/ssh/ssh_server/sshd_set_keepalive/bash/shared.sh   | 2 +-
- .../ssh/ssh_server/sshd_set_max_auth_tries/bash/shared.sh       | 2 +-
- .../ssh/ssh_server/sshd_set_max_sessions/bash/shared.sh         | 2 +-
- .../ssh/ssh_server/sshd_use_approved_ciphers/bash/shared.sh     | 2 +-
- .../ssh/ssh_server/sshd_use_approved_macs/bash/shared.sh        | 2 +-
- .../ssh/ssh_server/sshd_use_priv_separation/bash/shared.sh      | 2 +-
- .../sssd-ldap/sssd_ldap_configure_tls_ca_dir/bash/shared.sh     | 1 -
- .../guide/services/sssd/sssd_memcache_timeout/bash/shared.sh    | 2 +-
- .../services/sssd/sssd_ssh_known_hosts_timeout/bash/shared.sh   | 2 +-
- .../accounts/accounts-banners/banner_etc_issue/bash/shared.sh   | 2 +-
- .../accounts/accounts-banners/banner_etc_motd/bash/shared.sh    | 2 +-
- .../dconf_gnome_login_banner_text/bash/shared.sh                | 2 +-
- .../gconf_gdm_set_login_banner_text/bash/rhel6.sh               | 2 +-
- .../accounts_password_pam_unix_remember/bash/shared.sh          | 2 +-
- .../accounts_passwords_pam_faillock_deny/bash/shared.sh         | 2 +-
- .../accounts_passwords_pam_faillock_interval/bash/shared.sh     | 2 +-
- .../accounts_passwords_pam_faillock_unlock_time/bash/shared.sh  | 2 +-
- .../accounts_password_pam_retry/bash/shared.sh                  | 2 +-
- .../configure_opensc_card_drivers/bash/shared.sh                | 2 +-
- .../smart_card_login/force_opensc_card_drivers/bash/shared.sh   | 2 +-
- .../account_disable_post_pw_expiration/bash/shared.sh           | 2 +-
- .../accounts_maximum_age_login_defs/bash/shared.sh              | 2 +-
- .../accounts_minimum_age_login_defs/bash/fedora.sh              | 2 +-
- .../accounts_minimum_age_login_defs/bash/rhel6.sh               | 2 +-
- .../accounts_minimum_age_login_defs/bash/shared.sh              | 2 +-
- .../accounts_password_minlen_login_defs/bash/shared.sh          | 2 +-
- .../accounts_password_warn_age_login_defs/bash/fedora.sh        | 2 +-
- .../accounts_password_warn_age_login_defs/bash/rhel6.sh         | 2 +-
- .../accounts_password_warn_age_login_defs/bash/shared.sh        | 2 +-
- .../accounts_password_warn_age_login_defs/bash/wrlinux.sh       | 2 +-
- .../accounts-session/accounts_logon_fail_delay/bash/shared.sh   | 2 +-
- .../accounts_max_concurrent_login_sessions/bash/shared.sh       | 2 +-
- .../accounts/accounts-session/accounts_tmout/bash/shared.sh     | 2 +-
- .../user_umask/accounts_umask_etc_bashrc/bash/shared.sh         | 2 +-
- .../user_umask/accounts_umask_etc_csh_cshrc/bash/shared.sh      | 2 +-
- .../user_umask/accounts_umask_etc_login_defs/bash/shared.sh     | 2 +-
- .../user_umask/accounts_umask_etc_profile/bash/shared.sh        | 2 +-
- .../auditd_audispd_configure_remote_server/bash/shared.sh       | 2 +-
- .../auditd_data_disk_error_action/bash/shared.sh                | 2 +-
- .../auditd_data_disk_full_action/bash/shared.sh                 | 2 +-
- .../auditd_data_retention_action_mail_acct/bash/shared.sh       | 2 +-
- .../bash/shared.sh                                              | 2 +-
- .../auditd_data_retention_flush/bash/shared.sh                  | 2 +-
- .../auditd_data_retention_max_log_file/bash/shared.sh           | 2 +-
- .../auditd_data_retention_max_log_file_action/bash/shared.sh    | 2 +-
- .../auditd_data_retention_num_logs/bash/shared.sh               | 2 +-
- .../auditd_data_retention_space_left/bash/shared.sh             | 2 +-
- .../auditd_data_retention_space_left_action/bash/shared.sh      | 2 +-
- .../rsyslog_remote_loghost/bash/shared.sh                       | 2 +-
- .../configure_firewalld_ports/bash/shared.sh                    | 2 +-
- .../restrictions/daemon_umask/umask_for_daemons/bash/rhel6.sh   | 2 +-
- .../restrictions/daemon_umask/umask_for_daemons/bash/shared.sh  | 2 +-
- linux_os/guide/system/selinux/selinux_policytype/bash/shared.sh | 2 +-
- linux_os/guide/system/selinux/selinux_state/bash/shared.sh      | 2 +-
- .../dconf_gnome_screensaver_idle_delay/bash/shared.sh           | 2 +-
- .../dconf_gnome_screensaver_lock_delay/bash/shared.sh           | 2 +-
- .../gconf_gnome_screensaver_idle_delay/bash/rhel6.sh            | 2 +-
- .../integrity/crypto/configure_crypto_policy/bash/shared.sh     | 2 +-
- .../sap_host/accounts_authorized_local_users/bash/shared.sh     | 2 +-
- .../bash/shared.sh                                              | 2 +-
- shared/templates/template_BASH_accounts_password                | 2 +-
- .../templates/template_BASH_mount_option_removable_partitions   | 2 +-
- shared/templates/template_BASH_sebool                           | 2 +-
- shared/templates/template_BASH_sysctl                           | 2 +-
- 71 files changed, 70 insertions(+), 71 deletions(-)
-
-diff --git a/linux_os/guide/services/mail/postfix_client/postfix_client_configure_mail_alias/bash/shared.sh b/linux_os/guide/services/mail/postfix_client/postfix_client_configure_mail_alias/bash/shared.sh
-index 12f7b5d693..5324e1c382 100644
---- a/linux_os/guide/services/mail/postfix_client/postfix_client_configure_mail_alias/bash/shared.sh
-+++ b/linux_os/guide/services/mail/postfix_client/postfix_client_configure_mail_alias/bash/shared.sh
-@@ -1,6 +1,6 @@
- # platform = Red Hat Virtualization 4,multi_platform_sle
- . /usr/share/scap-security-guide/remediation_functions
--populate var_postfix_root_mail_alias
-+{{{ bash_instantiate_variables("var_postfix_root_mail_alias") }}}
- 
- replace_or_append '/etc/aliases' '^root' "$var_postfix_root_mail_alias" '@CCENUM@' '%s: %s'
- 
-diff --git a/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/bash/shared.sh b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/bash/shared.sh
-index 56db8f5d17..b23deffb09 100644
---- a/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/bash/shared.sh
-+++ b/linux_os/guide/services/ntp/chronyd_or_ntpd_set_maxpoll/bash/shared.sh
-@@ -1,6 +1,6 @@
- # platform = Red Hat Virtualization 4,multi_platform_rhel,multi_platform_wrlinux,multi_platform_ol
- . /usr/share/scap-security-guide/remediation_functions
--populate var_time_service_set_maxpoll
-+{{{ bash_instantiate_variables("var_time_service_set_maxpoll") }}}
- 
- 
- config_file="/etc/ntp.conf"
-diff --git a/linux_os/guide/services/ntp/chronyd_or_ntpd_specify_multiple_servers/bash/shared.sh b/linux_os/guide/services/ntp/chronyd_or_ntpd_specify_multiple_servers/bash/shared.sh
-index 2297f4fb5a..9add69d367 100644
---- a/linux_os/guide/services/ntp/chronyd_or_ntpd_specify_multiple_servers/bash/shared.sh
-+++ b/linux_os/guide/services/ntp/chronyd_or_ntpd_specify_multiple_servers/bash/shared.sh
-@@ -1,6 +1,6 @@
- # platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol
- . /usr/share/scap-security-guide/remediation_functions
--populate var_multiple_time_servers
-+{{{ bash_instantiate_variables("var_multiple_time_servers") }}}
- 
- config_file="/etc/ntp.conf"
- /usr/sbin/pidof ntpd || config_file="/etc/chrony.conf"
-diff --git a/linux_os/guide/services/ntp/chronyd_or_ntpd_specify_remote_server/bash/shared.sh b/linux_os/guide/services/ntp/chronyd_or_ntpd_specify_remote_server/bash/shared.sh
-index c11c443785..0a3f63640c 100644
---- a/linux_os/guide/services/ntp/chronyd_or_ntpd_specify_remote_server/bash/shared.sh
-+++ b/linux_os/guide/services/ntp/chronyd_or_ntpd_specify_remote_server/bash/shared.sh
-@@ -1,6 +1,6 @@
- # platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol
- . /usr/share/scap-security-guide/remediation_functions
--populate var_multiple_time_servers
-+{{{ bash_instantiate_variables("var_multiple_time_servers") }}}
- 
- config_file="/etc/ntp.conf"
- /usr/sbin/pidof ntpd || config_file="/etc/chrony.conf"
-diff --git a/linux_os/guide/services/ntp/chronyd_specify_remote_server/bash/shared.sh b/linux_os/guide/services/ntp/chronyd_specify_remote_server/bash/shared.sh
-index e566219788..571a339d48 100644
---- a/linux_os/guide/services/ntp/chronyd_specify_remote_server/bash/shared.sh
-+++ b/linux_os/guide/services/ntp/chronyd_specify_remote_server/bash/shared.sh
-@@ -1,6 +1,6 @@
- # platform = multi_platform_all
- . /usr/share/scap-security-guide/remediation_functions
--populate var_multiple_time_servers
-+{{{ bash_instantiate_variables("var_multiple_time_servers") }}}
- 
- config_file="/etc/chrony.conf"
- 
-diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/bash/shared.sh
-index 396445b908..408c97d45a 100644
---- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/bash/shared.sh
-+++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_compression/bash/shared.sh
-@@ -3,6 +3,6 @@
- # Include source function library.
- . /usr/share/scap-security-guide/remediation_functions
- 
--populate var_sshd_disable_compression
-+{{{ bash_instantiate_variables("var_sshd_disable_compression") }}}
- 
- replace_or_append '/etc/ssh/sshd_config' '^Compression' "$var_sshd_disable_compression" '@CCENUM@' '%s %s'
-diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/bash/shared.sh
-index 06dfd3492a..0ff698a54c 100644
---- a/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/bash/shared.sh
-+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/bash/shared.sh
-@@ -1,5 +1,5 @@
- # platform = multi_platform_wrlinux,multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv,multi_platform_sle
- . /usr/share/scap-security-guide/remediation_functions
--populate sshd_idle_timeout_value
-+{{{ bash_instantiate_variables("sshd_idle_timeout_value") }}}
- 
- replace_or_append '/etc/ssh/sshd_config' '^ClientAliveInterval' $sshd_idle_timeout_value '@CCENUM@' '%s %s'
-diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/bash/shared.sh
-index cbfb0f367e..f0be6ea6ce 100644
---- a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/bash/shared.sh
-+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/bash/shared.sh
-@@ -3,6 +3,6 @@
- # Include source function library.
- . /usr/share/scap-security-guide/remediation_functions
- 
--populate var_sshd_set_keepalive
-+{{{ bash_instantiate_variables("var_sshd_set_keepalive") }}}
- 
- {{{ bash_sshd_config_set(parameter="ClientAliveCountMax", value="$var_sshd_set_keepalive") }}}
-diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/bash/shared.sh
-index eebe07158c..2451c164cb 100644
---- a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/bash/shared.sh
-+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/bash/shared.sh
-@@ -3,6 +3,6 @@
- # Include source function library.
- . /usr/share/scap-security-guide/remediation_functions
- 
--populate sshd_max_auth_tries_value
-+{{{ bash_instantiate_variables("sshd_max_auth_tries_value") }}}
- 
- {{{ bash_sshd_config_set(parameter="MaxAuthTries", value="$sshd_max_auth_tries_value") }}}
-diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/bash/shared.sh
-index fc0a1d8b42..2fecde6a96 100644
---- a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/bash/shared.sh
-+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/bash/shared.sh
-@@ -7,6 +7,6 @@
- # Include source function library.
- . /usr/share/scap-security-guide/remediation_functions
- 
--populate var_sshd_max_sessions
-+{{{ bash_instantiate_variables("var_sshd_max_sessions") }}}
- 
- {{{ bash_sshd_config_set(parameter="MaxSessions", value="$var_sshd_max_sessions") }}}
-diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/bash/shared.sh
-index 6d3bb06047..5facd9aa14 100644
---- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/bash/shared.sh
-+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/bash/shared.sh
-@@ -3,6 +3,6 @@
- # Include source function library.
- . /usr/share/scap-security-guide/remediation_functions
- 
--populate sshd_approved_ciphers
-+{{{ bash_instantiate_variables("sshd_approved_ciphers") }}}
- 
- replace_or_append '/etc/ssh/sshd_config' '^Ciphers' "$sshd_approved_ciphers" '@CCENUM@' '%s %s'
-diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/bash/shared.sh
-index 2972022b52..ec475c186d 100644
---- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/bash/shared.sh
-+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/bash/shared.sh
-@@ -3,6 +3,6 @@
- # Include source function library.
- . /usr/share/scap-security-guide/remediation_functions
- 
--populate sshd_approved_macs
-+{{{ bash_instantiate_variables("sshd_approved_macs") }}}
- 
- replace_or_append '/etc/ssh/sshd_config' '^MACs' "$sshd_approved_macs" '@CCENUM@' '%s %s'
-diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_priv_separation/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_priv_separation/bash/shared.sh
-index bf702ac80c..62180a1f83 100644
---- a/linux_os/guide/services/ssh/ssh_server/sshd_use_priv_separation/bash/shared.sh
-+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_priv_separation/bash/shared.sh
-@@ -6,6 +6,6 @@
- 
- # Include source function library.
- . /usr/share/scap-security-guide/remediation_functions
--populate var_sshd_priv_separation
-+{{{ bash_instantiate_variables("var_sshd_priv_separation") }}}
- 
- {{{ bash_sshd_config_set(parameter="UsePrivilegeSeparation", value="$var_sshd_priv_separation") }}}
-diff --git a/linux_os/guide/services/sssd/sssd_memcache_timeout/bash/shared.sh b/linux_os/guide/services/sssd/sssd_memcache_timeout/bash/shared.sh
-index f390b7be88..8bc689dae9 100644
---- a/linux_os/guide/services/sssd/sssd_memcache_timeout/bash/shared.sh
-+++ b/linux_os/guide/services/sssd/sssd_memcache_timeout/bash/shared.sh
-@@ -3,7 +3,7 @@
- # Include source function library.
- . /usr/share/scap-security-guide/remediation_functions
- 
--populate var_sssd_memcache_timeout
-+{{{ bash_instantiate_variables("var_sssd_memcache_timeout") }}}
- 
- SSSD_CONF="/etc/sssd/sssd.conf"
- MEMCACHE_TIMEOUT_REGEX="[[:space:]]*\[nss]([^\n\[]*\n+)+?[[:space:]]*memcache_timeout"
-diff --git a/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/bash/shared.sh b/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/bash/shared.sh
-index 4d1a14efdf..e957d1c689 100644
---- a/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/bash/shared.sh
-+++ b/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/bash/shared.sh
-@@ -3,7 +3,7 @@
- # Include source function library.
- . /usr/share/scap-security-guide/remediation_functions
- 
--populate var_sssd_ssh_known_hosts_timeout
-+{{{ bash_instantiate_variables("var_sssd_ssh_known_hosts_timeout") }}}
- 
- SSSD_CONF="/etc/sssd/sssd.conf"
- SSH_KNOWN_HOSTS_TIMEOUT_REGEX="[[:space:]]*\[ssh]([^\n\[]*\n+)+?[[:space:]]*ssh_known_hosts_timeout"
-diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh
-index 30449d5e9d..f6d5f1603b 100644
---- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh
-+++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/bash/shared.sh
-@@ -1,6 +1,6 @@
- # platform = multi_platform_wrlinux,multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
- . /usr/share/scap-security-guide/remediation_functions
--populate login_banner_text
-+{{{ bash_instantiate_variables("login_banner_text") }}}
- 
- # Multiple regexes transform the banner regex into a usable banner
- # 0 - Remove anchors around the banner text
-diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/bash/shared.sh b/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/bash/shared.sh
-index d731063b5a..4a3844a7eb 100644
---- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/bash/shared.sh
-+++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/bash/shared.sh
-@@ -1,6 +1,6 @@
- # platform = multi_platform_wrlinux,multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
- . /usr/share/scap-security-guide/remediation_functions
--populate login_banner_text
-+{{{ bash_instantiate_variables("login_banner_text") }}}
- 
- # Multiple regexes transform the banner regex into a usable banner
- # 0 - Remove anchors around the banner text
-diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh
-index 85ddd893c6..0f60c14e36 100644
---- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh
-+++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/bash/shared.sh
-@@ -1,6 +1,6 @@
- # platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,multi_platform_fedora,multi_platform_ol
- . /usr/share/scap-security-guide/remediation_functions
--populate login_banner_text
-+{{{ bash_instantiate_variables("login_banner_text") }}}
- 
- # Multiple regexes transform the banner regex into a usable banner
- # 0 - Remove anchors around the banner text
-diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/gconf_gdm_set_login_banner_text/bash/rhel6.sh b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/gconf_gdm_set_login_banner_text/bash/rhel6.sh
-index d24dacb81c..15a5d79ebf 100644
---- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/gconf_gdm_set_login_banner_text/bash/rhel6.sh
-+++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/gconf_gdm_set_login_banner_text/bash/rhel6.sh
-@@ -1,6 +1,6 @@
- # platform = Red Hat Enterprise Linux 6
- . /usr/share/scap-security-guide/remediation_functions
--populate login_banner_text
-+{{{ bash_instantiate_variables("login_banner_text") }}}
- 
- # Install GConf2 package if not installed
- if ! rpm -q GConf2; then
-diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/bash/shared.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/bash/shared.sh
-index 1456d0f371..e0dabe67e0 100644
---- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/bash/shared.sh
-+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/bash/shared.sh
-@@ -1,6 +1,6 @@
- # platform = multi_platform_wrlinux,multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
- . /usr/share/scap-security-guide/remediation_functions
--populate var_password_pam_unix_remember
-+{{{ bash_instantiate_variables("var_password_pam_unix_remember") }}}
- 
- AUTH_FILES[0]="/etc/pam.d/system-auth"
- AUTH_FILES[1]="/etc/pam.d/password-auth"
-diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/bash/shared.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/bash/shared.sh
-index 58ea0f37af..3157d341cb 100644
---- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/bash/shared.sh
-+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/bash/shared.sh
-@@ -1,5 +1,5 @@
- # platform = multi_platform_wrlinux,multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
- . /usr/share/scap-security-guide/remediation_functions
--populate var_accounts_passwords_pam_faillock_deny
-+{{{ bash_instantiate_variables("var_accounts_passwords_pam_faillock_deny") }}}
- 
- {{{ bash_set_faillock_option("deny", "$var_accounts_passwords_pam_faillock_deny") }}}
-diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/bash/shared.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/bash/shared.sh
-index b03dd30d13..87310288c1 100644
---- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/bash/shared.sh
-+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/bash/shared.sh
-@@ -3,6 +3,6 @@
- # include our remediation functions library
- . /usr/share/scap-security-guide/remediation_functions
- 
--populate var_accounts_passwords_pam_faillock_fail_interval
-+{{{ bash_instantiate_variables("var_accounts_passwords_pam_faillock_fail_interval") }}}
- 
- {{{ bash_set_faillock_option("fail_interval", "$var_accounts_passwords_pam_faillock_fail_interval") }}}
-diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/bash/shared.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/bash/shared.sh
-index daaab487f6..7e36721d5f 100644
---- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/bash/shared.sh
-+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/bash/shared.sh
-@@ -1,5 +1,5 @@
- # platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
- . /usr/share/scap-security-guide/remediation_functions
--populate var_accounts_passwords_pam_faillock_unlock_time
-+{{{ bash_instantiate_variables("var_accounts_passwords_pam_faillock_unlock_time") }}}
- 
- {{{ bash_set_faillock_option("unlock_time", "$var_accounts_passwords_pam_faillock_unlock_time") }}}
-diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/bash/shared.sh b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/bash/shared.sh
-index a4e1c47a89..f69152b225 100644
---- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/bash/shared.sh
-+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/bash/shared.sh
-@@ -1,6 +1,6 @@
- # platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_wrlinux
- . /usr/share/scap-security-guide/remediation_functions
--populate var_password_pam_retry
-+{{{ bash_instantiate_variables("var_password_pam_retry") }}}
- 
- if grep -q "retry=" /etc/pam.d/system-auth ; then
- 	sed -i --follow-symlinks "s/\(retry *= *\).*/\1$var_password_pam_retry/" /etc/pam.d/system-auth
-diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/configure_opensc_card_drivers/bash/shared.sh b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/configure_opensc_card_drivers/bash/shared.sh
-index 5a63a4258d..4e80be4faf 100644
---- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/configure_opensc_card_drivers/bash/shared.sh
-+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/configure_opensc_card_drivers/bash/shared.sh
-@@ -5,7 +5,7 @@
- # disruption = low
- 
- . /usr/share/scap-security-guide/remediation_functions
--populate var_smartcard_drivers
-+{{{ bash_instantiate_variables("var_smartcard_drivers") }}}
- 
- OPENSC_TOOL="/usr/bin/opensc-tool"
- 
-diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/force_opensc_card_drivers/bash/shared.sh b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/force_opensc_card_drivers/bash/shared.sh
-index 421ec55598..7c763a8778 100644
---- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/force_opensc_card_drivers/bash/shared.sh
-+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/force_opensc_card_drivers/bash/shared.sh
-@@ -5,7 +5,7 @@
- # disruption = low
- 
- . /usr/share/scap-security-guide/remediation_functions
--populate var_smartcard_drivers
-+{{{ bash_instantiate_variables("var_smartcard_drivers") }}}
- 
- OPENSC_TOOL="/usr/bin/opensc-tool"
- 
-diff --git a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_disable_post_pw_expiration/bash/shared.sh b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_disable_post_pw_expiration/bash/shared.sh
-index 299a519e24..c8c2a90e4c 100644
---- a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_disable_post_pw_expiration/bash/shared.sh
-+++ b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_disable_post_pw_expiration/bash/shared.sh
-@@ -1,5 +1,5 @@
- # platform = multi_platform_wrlinux,multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
- . /usr/share/scap-security-guide/remediation_functions
--populate var_account_disable_post_pw_expiration
-+{{{ bash_instantiate_variables("var_account_disable_post_pw_expiration") }}}
- 
- replace_or_append '/etc/default/useradd' '^INACTIVE' "$var_account_disable_post_pw_expiration" '@CCENUM@' '%s=%s'
-diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/bash/shared.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/bash/shared.sh
-index 9c61548d3a..135eb49d78 100644
---- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/bash/shared.sh
-+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/bash/shared.sh
-@@ -1,6 +1,6 @@
- # platform = multi_platform_wrlinux,multi_platform_rhel,multi_platform_ol,multi_platform_rhv,multi_platform_fedora
- . /usr/share/scap-security-guide/remediation_functions
--populate var_accounts_maximum_age_login_defs
-+{{{ bash_instantiate_variables("var_accounts_maximum_age_login_defs") }}}
- 
- grep -q ^PASS_MAX_DAYS /etc/login.defs && \
-   sed -i "s/PASS_MAX_DAYS.*/PASS_MAX_DAYS     $var_accounts_maximum_age_login_defs/g" /etc/login.defs
-diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs/bash/fedora.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs/bash/fedora.sh
-index ad2d515949..b9c6aade42 100644
---- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs/bash/fedora.sh
-+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs/bash/fedora.sh
-@@ -1,7 +1,7 @@
- # platform = multi_platform_fedora
- . /usr/share/scap-security-guide/remediation_functions
- declare var_accounts_minimum_age_login_defs
--populate var_accounts_minimum_age_login_defs
-+{{{ bash_instantiate_variables("var_accounts_minimum_age_login_defs") }}}
- 
- grep -q ^PASS_MIN_DAYS /etc/login.defs && \
- sed -i "s/PASS_MIN_DAYS.*/PASS_MIN_DAYS\t$var_accounts_minimum_age_login_defs/g" /etc/login.defs
-diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs/bash/rhel6.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs/bash/rhel6.sh
-index 4221a32e15..8e28c756bf 100644
---- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs/bash/rhel6.sh
-+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs/bash/rhel6.sh
-@@ -1,6 +1,6 @@
- # platform = Red Hat Enterprise Linux 6
- . /usr/share/scap-security-guide/remediation_functions
--populate var_accounts_minimum_age_login_defs
-+{{{ bash_instantiate_variables("var_accounts_minimum_age_login_defs") }}}
- 
- grep -q ^PASS_MIN_DAYS /etc/login.defs && \
-   sed -i "s/PASS_MIN_DAYS.*/PASS_MIN_DAYS     $var_accounts_minimum_age_login_defs/g" /etc/login.defs
-diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs/bash/shared.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs/bash/shared.sh
-index 403a40ccb2..870b5b1c7c 100644
---- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs/bash/shared.sh
-+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs/bash/shared.sh
-@@ -1,6 +1,6 @@
- # platform = multi_platform_wrlinux,Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,multi_platform_ol,multi_platform_rhv
- . /usr/share/scap-security-guide/remediation_functions
--populate var_accounts_minimum_age_login_defs
-+{{{ bash_instantiate_variables("var_accounts_minimum_age_login_defs") }}}
- 
- grep -q ^PASS_MIN_DAYS /etc/login.defs && \
-   sed -i "s/PASS_MIN_DAYS.*/PASS_MIN_DAYS     $var_accounts_minimum_age_login_defs/g" /etc/login.defs
-diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_minlen_login_defs/bash/shared.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_minlen_login_defs/bash/shared.sh
-index 688cf2d04f..eb4121394c 100644
---- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_minlen_login_defs/bash/shared.sh
-+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_minlen_login_defs/bash/shared.sh
-@@ -1,7 +1,7 @@
- # platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel
- . /usr/share/scap-security-guide/remediation_functions
- declare var_accounts_password_minlen_login_defs
--populate var_accounts_password_minlen_login_defs
-+{{{ bash_instantiate_variables("var_accounts_password_minlen_login_defs") }}}
- 
- grep -q ^PASS_MIN_LEN /etc/login.defs && \
- sed -i "s/PASS_MIN_LEN.*/PASS_MIN_LEN\t$var_accounts_password_minlen_login_defs/g" /etc/login.defs
-diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_warn_age_login_defs/bash/fedora.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_warn_age_login_defs/bash/fedora.sh
-index 8289cbffd8..98a6381af4 100644
---- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_warn_age_login_defs/bash/fedora.sh
-+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_warn_age_login_defs/bash/fedora.sh
-@@ -1,7 +1,7 @@
- # platform = multi_platform_fedora
- . /usr/share/scap-security-guide/remediation_functions
- declare var_accounts_password_warn_age_login_defs
--populate var_accounts_password_warn_age_login_defs
-+{{{ bash_instantiate_variables("var_accounts_password_warn_age_login_defs") }}}
- 
- grep -q ^PASS_WARN_AGE /etc/login.defs && \
- sed -i "s/PASS_WARN_AGE.*/PASS_WARN_AGE\t$var_accounts_password_warn_age_login_defs/g" /etc/login.defs
-diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_warn_age_login_defs/bash/rhel6.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_warn_age_login_defs/bash/rhel6.sh
-index 155a12d534..922158064b 100644
---- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_warn_age_login_defs/bash/rhel6.sh
-+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_warn_age_login_defs/bash/rhel6.sh
-@@ -1,6 +1,6 @@
- # platform = Red Hat Enterprise Linux 6
- . /usr/share/scap-security-guide/remediation_functions
--populate var_accounts_password_warn_age_login_defs
-+{{{ bash_instantiate_variables("var_accounts_password_warn_age_login_defs") }}}
- 
- grep -q ^PASS_WARN_AGE /etc/login.defs && \
-   sed -i "s/PASS_WARN_AGE.*/PASS_WARN_AGE     $var_accounts_password_warn_age_login_defs/g" /etc/login.defs
-diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_warn_age_login_defs/bash/shared.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_warn_age_login_defs/bash/shared.sh
-index eaf461d0cd..800eecc802 100644
---- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_warn_age_login_defs/bash/shared.sh
-+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_warn_age_login_defs/bash/shared.sh
-@@ -1,6 +1,6 @@
- # platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,Red Hat Virtualization 4
- . /usr/share/scap-security-guide/remediation_functions
--populate var_accounts_password_warn_age_login_defs
-+{{{ bash_instantiate_variables("var_accounts_password_warn_age_login_defs") }}}
- 
- grep -q ^PASS_WARN_AGE /etc/login.defs && \
-   sed -i "s/PASS_WARN_AGE.*/PASS_WARN_AGE     $var_accounts_password_warn_age_login_defs/g" /etc/login.defs
-diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_warn_age_login_defs/bash/wrlinux.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_warn_age_login_defs/bash/wrlinux.sh
-index 8f3524312c..fed1c7bafa 100644
---- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_warn_age_login_defs/bash/wrlinux.sh
-+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_warn_age_login_defs/bash/wrlinux.sh
-@@ -1,7 +1,7 @@
- # platform = multi_platform_wrlinux
- . /usr/share/scap-security-guide/remediation_functions
- declare var_accounts_password_warn_age_login_defs
--populate var_accounts_password_warn_age_login_defs
-+{{{ bash_instantiate_variables("var_accounts_password_warn_age_login_defs") }}}
- 
- grep -q ^PASS_WARN_AGE /etc/login.defs && \
- sed -i "s/PASS_WARN_AGE.*/PASS_WARN_AGE\t$var_accounts_password_warn_age_login_defs/g" /etc/login.defs
-diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/bash/shared.sh b/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/bash/shared.sh
-index 2a06038be4..a8a77c12b8 100644
---- a/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/bash/shared.sh
-+++ b/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/bash/shared.sh
-@@ -4,6 +4,6 @@
- . /usr/share/scap-security-guide/remediation_functions
- 
- # Set variables
--populate var_accounts_fail_delay
-+{{{ bash_instantiate_variables("var_accounts_fail_delay") }}}
- 
- replace_or_append '/etc/login.defs' '^FAIL_DELAY' "$var_accounts_fail_delay" '@CCENUM@' '%s %s'
-diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/bash/shared.sh b/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/bash/shared.sh
-index 0d2f103b31..65066e77ce 100644
---- a/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/bash/shared.sh
-+++ b/linux_os/guide/system/accounts/accounts-session/accounts_max_concurrent_login_sessions/bash/shared.sh
-@@ -1,6 +1,6 @@
- # platform = Red Hat Virtualization 4,multi_platform_ol,multi_platform_rhel,multi_platform_wrlinux
- . /usr/share/scap-security-guide/remediation_functions
--populate var_accounts_max_concurrent_login_sessions
-+{{{ bash_instantiate_variables("var_accounts_max_concurrent_login_sessions") }}}
- 
- if grep -q '^[^#]*\<maxlogins\>' /etc/security/limits.d/*.conf; then
- 	sed -i "/^[^#]*\<maxlogins\>/ s/maxlogins.*/maxlogins $var_accounts_max_concurrent_login_sessions/" /etc/security/limits.d/*.conf
-diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_tmout/bash/shared.sh b/linux_os/guide/system/accounts/accounts-session/accounts_tmout/bash/shared.sh
-index 93c34fb59f..31b2872628 100644
---- a/linux_os/guide/system/accounts/accounts-session/accounts_tmout/bash/shared.sh
-+++ b/linux_os/guide/system/accounts/accounts-session/accounts_tmout/bash/shared.sh
-@@ -1,6 +1,6 @@
- # platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_wrlinux
- . /usr/share/scap-security-guide/remediation_functions
--populate var_accounts_tmout
-+{{{ bash_instantiate_variables("var_accounts_tmout") }}}
- 
- if grep --silent ^TMOUT /etc/profile ; then
-         sed -i "s/^TMOUT.*/TMOUT=$var_accounts_tmout/g" /etc/profile
-diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/bash/shared.sh b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/bash/shared.sh
-index c707ec31c7..a83016964e 100644
---- a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/bash/shared.sh
-+++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/bash/shared.sh
-@@ -1,6 +1,6 @@
- # platform = Red Hat Virtualization 4,multi_platform_rhel,multi_platform_ol
- . /usr/share/scap-security-guide/remediation_functions
--populate var_accounts_user_umask
-+{{{ bash_instantiate_variables("var_accounts_user_umask") }}}
- 
- grep -q umask /etc/bashrc && \
-   sed -i "s/umask.*/umask $var_accounts_user_umask/g" /etc/bashrc
-diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_csh_cshrc/bash/shared.sh b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_csh_cshrc/bash/shared.sh
-index 0289a93c96..716dede405 100644
---- a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_csh_cshrc/bash/shared.sh
-+++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_csh_cshrc/bash/shared.sh
-@@ -1,6 +1,6 @@
- # platform = Red Hat Virtualization 4,multi_platform_rhel,multi_platform_ol
- . /usr/share/scap-security-guide/remediation_functions
--populate var_accounts_user_umask
-+{{{ bash_instantiate_variables("var_accounts_user_umask") }}}
- 
- grep -q umask /etc/csh.cshrc && \
-   sed -i "s/umask.*/umask $var_accounts_user_umask/g" /etc/csh.cshrc
-diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_login_defs/bash/shared.sh b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_login_defs/bash/shared.sh
-index 0fcc273705..f74cbfe5af 100644
---- a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_login_defs/bash/shared.sh
-+++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_login_defs/bash/shared.sh
-@@ -1,5 +1,5 @@
- # platform = Red Hat Virtualization 4,multi_platform_rhel,multi_platform_wrlinux,multi_platform_ol
- . /usr/share/scap-security-guide/remediation_functions
--populate var_accounts_user_umask
-+{{{ bash_instantiate_variables("var_accounts_user_umask") }}}
- 
- replace_or_append '/etc/login.defs' '^UMASK' "$var_accounts_user_umask" '@CCENUM@' '%s %s'
-diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_profile/bash/shared.sh b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_profile/bash/shared.sh
-index 198cba5772..12acd6e90f 100644
---- a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_profile/bash/shared.sh
-+++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_profile/bash/shared.sh
-@@ -1,6 +1,6 @@
- # platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,Red Hat Virtualization 4,multi_platform_wrlinux,multi_platform_ol
- . /usr/share/scap-security-guide/remediation_functions
--populate var_accounts_user_umask
-+{{{ bash_instantiate_variables("var_accounts_user_umask") }}}
- 
- grep -q umask /etc/profile && \
-   sed -i "s/umask.*/umask $var_accounts_user_umask/g" /etc/profile
-diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_configure_remote_server/bash/shared.sh b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_configure_remote_server/bash/shared.sh
-index 517f384f22..0e3d32fd36 100644
---- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_configure_remote_server/bash/shared.sh
-+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_configure_remote_server/bash/shared.sh
-@@ -1,6 +1,6 @@
- # platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_wrlinux
- . /usr/share/scap-security-guide/remediation_functions
--populate var_audispd_remote_server
-+{{{ bash_instantiate_variables("var_audispd_remote_server") }}}
- 
- {{% if product in ["rhel8", "fedora", "ol8", "rhv4"] %}}
- AUDITCONFIG=/etc/audit/audisp-remote.conf
-diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_error_action/bash/shared.sh b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_error_action/bash/shared.sh
-index 6b953f8d96..2b17ddd89b 100644
---- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_error_action/bash/shared.sh
-+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_error_action/bash/shared.sh
-@@ -1,6 +1,6 @@
- # platform = Red Hat Virtualization 4,multi_platform_rhel
- . /usr/share/scap-security-guide/remediation_functions
--populate var_auditd_disk_error_action
-+{{{ bash_instantiate_variables("var_auditd_disk_error_action") }}}
- 
- #
- # If disk_error_action present in /etc/audit/auditd.conf, change value
-diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_full_action/bash/shared.sh b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_full_action/bash/shared.sh
-index 3092d92076..adc4c21e5f 100644
---- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_full_action/bash/shared.sh
-+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_full_action/bash/shared.sh
-@@ -3,6 +3,6 @@
- # Include source function library.
- . /usr/share/scap-security-guide/remediation_functions
- 
--populate var_auditd_disk_full_action
-+{{{ bash_instantiate_variables("var_auditd_disk_full_action") }}}
- 
- replace_or_append /etc/audit/auditd.conf '^disk_full_action' "$var_auditd_disk_full_action" "@CCENUM@"
-diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_action_mail_acct/bash/shared.sh b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_action_mail_acct/bash/shared.sh
-index b81a26fef3..ab056b0e54 100644
---- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_action_mail_acct/bash/shared.sh
-+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_action_mail_acct/bash/shared.sh
-@@ -1,6 +1,6 @@
- # platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_wrlinux
- . /usr/share/scap-security-guide/remediation_functions
--populate var_auditd_action_mail_acct
-+{{{ bash_instantiate_variables("var_auditd_action_mail_acct") }}}
- 
- AUDITCONFIG=/etc/audit/auditd.conf
- 
-diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left_action/bash/shared.sh b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left_action/bash/shared.sh
-index c9435c91ec..0c23a906ea 100644
---- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left_action/bash/shared.sh
-+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left_action/bash/shared.sh
-@@ -1,7 +1,7 @@
- # platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_wrlinux
- . /usr/share/scap-security-guide/remediation_functions
- 
--populate var_auditd_admin_space_left_action
-+{{{ bash_instantiate_variables("var_auditd_admin_space_left_action") }}}
- 
- AUDITCONFIG=/etc/audit/auditd.conf
- 
-diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_flush/bash/shared.sh b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_flush/bash/shared.sh
-index 17dea67b36..efe151c683 100644
---- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_flush/bash/shared.sh
-+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_flush/bash/shared.sh
-@@ -1,6 +1,6 @@
- # platform = Red Hat Virtualization 4,multi_platform_ol,multi_platform_rhel
- . /usr/share/scap-security-guide/remediation_functions
--populate var_auditd_flush
-+{{{ bash_instantiate_variables("var_auditd_flush") }}}
- 
- AUDITCONFIG=/etc/audit/auditd.conf
- 
-diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file/bash/shared.sh b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file/bash/shared.sh
-index d1e044e5b6..9f40589027 100644
---- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file/bash/shared.sh
-+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file/bash/shared.sh
-@@ -1,6 +1,6 @@
- # platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel
- . /usr/share/scap-security-guide/remediation_functions
--populate var_auditd_max_log_file
-+{{{ bash_instantiate_variables("var_auditd_max_log_file") }}}
- 
- AUDITCONFIG=/etc/audit/auditd.conf
- 
-diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file_action/bash/shared.sh b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file_action/bash/shared.sh
-index 1b51d54b5d..42f987dde4 100644
---- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file_action/bash/shared.sh
-+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file_action/bash/shared.sh
-@@ -1,6 +1,6 @@
- # platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel
- . /usr/share/scap-security-guide/remediation_functions
--populate var_auditd_max_log_file_action
-+{{{ bash_instantiate_variables("var_auditd_max_log_file_action") }}}
- 
- AUDITCONFIG=/etc/audit/auditd.conf
- 
-diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_num_logs/bash/shared.sh b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_num_logs/bash/shared.sh
-index 6d671e1b8d..797c28a0f8 100644
---- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_num_logs/bash/shared.sh
-+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_num_logs/bash/shared.sh
-@@ -1,6 +1,6 @@
- # platform = multi_platform_all
- . /usr/share/scap-security-guide/remediation_functions
--populate var_auditd_num_logs
-+{{{ bash_instantiate_variables("var_auditd_num_logs") }}}
- 
- AUDITCONFIG=/etc/audit/auditd.conf
- 
-diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/bash/shared.sh b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/bash/shared.sh
-index 8dc69e8313..77e622c1ac 100644
---- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/bash/shared.sh
-+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/bash/shared.sh
-@@ -1,6 +1,6 @@
- # platform = Red Hat Virtualization 4,multi_platform_rhel,multi_platform_wrlinux,multi_platform_ol
- . /usr/share/scap-security-guide/remediation_functions
--populate var_auditd_space_left
-+{{{ bash_instantiate_variables("var_auditd_space_left") }}}
- 
- grep -q "^space_left[[:space:]]*=.*$" /etc/audit/auditd.conf && \
-   sed -i "s/^space_left[[:space:]]*=.*$/space_left = $var_auditd_space_left/g" /etc/audit/auditd.conf || \
-diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_action/bash/shared.sh b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_action/bash/shared.sh
-index e5f45efcf2..1d2b211cdf 100644
---- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_action/bash/shared.sh
-+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_action/bash/shared.sh
-@@ -1,6 +1,6 @@
- # platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_ol,multi_platform_rhel
- . /usr/share/scap-security-guide/remediation_functions
--populate var_auditd_space_left_action
-+{{{ bash_instantiate_variables("var_auditd_space_left_action") }}}
- 
- #
- # If space_left_action present in /etc/audit/auditd.conf, change value
-diff --git a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/bash/shared.sh b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/bash/shared.sh
-index 2557815651..836f0af279 100644
---- a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/bash/shared.sh
-+++ b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/bash/shared.sh
-@@ -2,6 +2,6 @@
- 
- . /usr/share/scap-security-guide/remediation_functions
- 
--populate rsyslog_remote_loghost_address
-+{{{ bash_instantiate_variables("rsyslog_remote_loghost_address") }}}
- 
- replace_or_append '/etc/rsyslog.conf' '^\*\.\*' "@@$rsyslog_remote_loghost_address" '@CCENUM@' '%s %s'
-diff --git a/linux_os/guide/system/network/network-firewalld/ruleset_modifications/configure_firewalld_ports/bash/shared.sh b/linux_os/guide/system/network/network-firewalld/ruleset_modifications/configure_firewalld_ports/bash/shared.sh
-index fcf387e592..0a698d3c9f 100644
---- a/linux_os/guide/system/network/network-firewalld/ruleset_modifications/configure_firewalld_ports/bash/shared.sh
-+++ b/linux_os/guide/system/network/network-firewalld/ruleset_modifications/configure_firewalld_ports/bash/shared.sh
-@@ -8,7 +8,7 @@
- 
- {{{ bash_package_install("firewalld") }}}
- 
--populate firewalld_sshd_zone
-+{{{ bash_instantiate_variables("firewalld_sshd_zone") }}}
- 
- # This assumes that firewalld_sshd_zone is one of the pre-defined zones
- if [ ! -f /etc/firewalld/zones/${firewalld_sshd_zone}.xml ]; then
-diff --git a/linux_os/guide/system/permissions/restrictions/daemon_umask/umask_for_daemons/bash/rhel6.sh b/linux_os/guide/system/permissions/restrictions/daemon_umask/umask_for_daemons/bash/rhel6.sh
-index 947872bb21..1a15167ab0 100644
---- a/linux_os/guide/system/permissions/restrictions/daemon_umask/umask_for_daemons/bash/rhel6.sh
-+++ b/linux_os/guide/system/permissions/restrictions/daemon_umask/umask_for_daemons/bash/rhel6.sh
-@@ -1,6 +1,6 @@
- # platform = Red Hat Enterprise Linux 6
- . /usr/share/scap-security-guide/remediation_functions
--populate var_umask_for_daemons
-+{{{ bash_instantiate_variables("var_umask_for_daemons") }}}
- 
- grep -q ^umask /etc/init.d/functions && \
-   sed -i "s/umask.*/umask $var_umask_for_daemons/g" /etc/init.d/functions
-diff --git a/linux_os/guide/system/permissions/restrictions/daemon_umask/umask_for_daemons/bash/shared.sh b/linux_os/guide/system/permissions/restrictions/daemon_umask/umask_for_daemons/bash/shared.sh
-index 175e10c24c..f689f4b2a1 100644
---- a/linux_os/guide/system/permissions/restrictions/daemon_umask/umask_for_daemons/bash/shared.sh
-+++ b/linux_os/guide/system/permissions/restrictions/daemon_umask/umask_for_daemons/bash/shared.sh
-@@ -1,6 +1,6 @@
- # platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8
- . /usr/share/scap-security-guide/remediation_functions
--populate var_umask_for_daemons
-+{{{ bash_instantiate_variables("var_umask_for_daemons") }}}
- 
- grep -q ^umask /etc/init.d/functions && \
-   sed -i "s/umask.*/umask $var_umask_for_daemons/g" /etc/init.d/functions
-diff --git a/linux_os/guide/system/selinux/selinux_policytype/bash/shared.sh b/linux_os/guide/system/selinux/selinux_policytype/bash/shared.sh
-index b4f79c97f9..d84c8acc3f 100644
---- a/linux_os/guide/system/selinux/selinux_policytype/bash/shared.sh
-+++ b/linux_os/guide/system/selinux/selinux_policytype/bash/shared.sh
-@@ -7,6 +7,6 @@
- # Include source function library.
- . /usr/share/scap-security-guide/remediation_functions
- 
--populate var_selinux_policy_name
-+{{{ bash_instantiate_variables("var_selinux_policy_name") }}}
- 
- {{{ bash_selinux_config_set(parameter="SELINUXTYPE", value="$var_selinux_policy_name") }}}
-diff --git a/linux_os/guide/system/selinux/selinux_state/bash/shared.sh b/linux_os/guide/system/selinux/selinux_state/bash/shared.sh
-index 645a7acab4..ad53e52aac 100644
---- a/linux_os/guide/system/selinux/selinux_state/bash/shared.sh
-+++ b/linux_os/guide/system/selinux/selinux_state/bash/shared.sh
-@@ -7,7 +7,7 @@
- # Include source function library.
- . /usr/share/scap-security-guide/remediation_functions
- 
--populate var_selinux_state
-+{{{ bash_instantiate_variables("var_selinux_state") }}}
- 
- {{{ bash_selinux_config_set(parameter="SELINUX", value="$var_selinux_state") }}}
- 
-diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_delay/bash/shared.sh b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_delay/bash/shared.sh
-index ef8af07aa0..ab0462e53f 100644
---- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_delay/bash/shared.sh
-+++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_delay/bash/shared.sh
-@@ -1,6 +1,6 @@
- # platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,multi_platform_fedora,multi_platform_ol
- . /usr/share/scap-security-guide/remediation_functions
--populate inactivity_timeout_value
-+{{{ bash_instantiate_variables("inactivity_timeout_value") }}}
- 
- {{{ bash_dconf_settings("org/gnome/desktop/session", "idle-delay", "uint32 ${inactivity_timeout_value}", "local.d", "00-security-settings") }}}
- {{{ bash_dconf_lock("org/gnome/desktop/session", "idle-delay", "local.d", "00-security-settings-lock") }}}
-diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_delay/bash/shared.sh b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_delay/bash/shared.sh
-index 124c14737e..5c37b1d913 100644
---- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_delay/bash/shared.sh
-+++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_lock_delay/bash/shared.sh
-@@ -1,6 +1,6 @@
- # platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,multi_platform_fedora,multi_platform_ol
- . /usr/share/scap-security-guide/remediation_functions
--populate var_screensaver_lock_delay
-+{{{ bash_instantiate_variables("var_screensaver_lock_delay") }}}
- 
- {{{ bash_dconf_settings("org/gnome/desktop/screensaver", "lock-delay", "uint32 ${var_screensaver_lock_delay}", "local.d", "00-security-settings") }}}
- {{{ bash_dconf_lock("org/gnome/desktop/screensaver", "lock-delay", "local.d", "00-security-settings-lock") }}}
-diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/gconf_gnome_screensaver_idle_delay/bash/rhel6.sh b/linux_os/guide/system/software/gnome/gnome_screen_locking/gconf_gnome_screensaver_idle_delay/bash/rhel6.sh
-index e1947f3df0..77b8a647ca 100644
---- a/linux_os/guide/system/software/gnome/gnome_screen_locking/gconf_gnome_screensaver_idle_delay/bash/rhel6.sh
-+++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/gconf_gnome_screensaver_idle_delay/bash/rhel6.sh
-@@ -1,6 +1,6 @@
- # platform = Red Hat Enterprise Linux 6
- . /usr/share/scap-security-guide/remediation_functions
--populate inactivity_timeout_value
-+{{{ bash_instantiate_variables("inactivity_timeout_value") }}}
- 
- # Install GConf2 package if not installed
- if ! rpm -q GConf2; then
-diff --git a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/bash/shared.sh b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/bash/shared.sh
-index fb3ed9fe76..d37f1263d2 100644
---- a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/bash/shared.sh
-+++ b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/bash/shared.sh
-@@ -3,7 +3,7 @@
- # include remediation functions library
- . /usr/share/scap-security-guide/remediation_functions
- 
--populate var_system_crypto_policy
-+{{{ bash_instantiate_variables("var_system_crypto_policy") }}}
- 
- stderr_of_call=$(update-crypto-policies --set ${var_system_crypto_policy} 2>&1 > /dev/null)
- rc=$?
-diff --git a/linux_os/guide/system/software/sap_host/accounts_authorized_local_users/bash/shared.sh b/linux_os/guide/system/software/sap_host/accounts_authorized_local_users/bash/shared.sh
-index 80193ae1e5..c342acf36d 100644
---- a/linux_os/guide/system/software/sap_host/accounts_authorized_local_users/bash/shared.sh
-+++ b/linux_os/guide/system/software/sap_host/accounts_authorized_local_users/bash/shared.sh
-@@ -1,6 +1,6 @@
- # platform = multi_platform_ol
- . /usr/share/scap-security-guide/remediation_functions
--populate var_accounts_authorized_local_users_regex
-+{{{ bash_instantiate_variables("var_accounts_authorized_local_users_regex") }}}
- 
- # never delete the root user
- default_os_user="root"
-diff --git a/linux_os/guide/system/software/sap_host/accounts_authorized_local_users_sidadm_orasid/bash/shared.sh b/linux_os/guide/system/software/sap_host/accounts_authorized_local_users_sidadm_orasid/bash/shared.sh
-index c361e4c766..9d444d297d 100644
---- a/linux_os/guide/system/software/sap_host/accounts_authorized_local_users_sidadm_orasid/bash/shared.sh
-+++ b/linux_os/guide/system/software/sap_host/accounts_authorized_local_users_sidadm_orasid/bash/shared.sh
-@@ -1,6 +1,6 @@
- # platform = multi_platform_ol
- . /usr/share/scap-security-guide/remediation_functions
--populate var_accounts_authorized_local_users_regex
-+{{{ bash_instantiate_variables("var_accounts_authorized_local_users_regex") }}}
- 
- # never delete the root user
- default_os_user="root"
-diff --git a/shared/templates/template_BASH_accounts_password b/shared/templates/template_BASH_accounts_password
-index 688185365c..2de2652881 100644
---- a/shared/templates/template_BASH_accounts_password
-+++ b/shared/templates/template_BASH_accounts_password
-@@ -4,7 +4,7 @@
- # complexity = low
- # disruption = low
- . /usr/share/scap-security-guide/remediation_functions
--populate var_password_pam_{{{ VARIABLE }}}
-+{{{ bash_instantiate_variables("var_password_pam_" + VARIABLE) }}}
- 
- {{% if product == "rhel6" %}}
- {{# There is no package libpwquality for RHEL6 #}}
-diff --git a/shared/templates/template_BASH_mount_option_removable_partitions b/shared/templates/template_BASH_mount_option_removable_partitions
-index 5293bffc1a..5b0e8161c6 100644
---- a/shared/templates/template_BASH_mount_option_removable_partitions
-+++ b/shared/templates/template_BASH_mount_option_removable_partitions
-@@ -4,7 +4,7 @@
- # Include source function library.
- . /usr/share/scap-security-guide/remediation_functions
- 
--populate var_removable_partition
-+{{{ bash_instantiate_variables("var_removable_partition") }}}
- 
- device_regex="^\s*$var_removable_partition\s\+"
- mount_option="{{{ MOUNTOPTION }}}"
-diff --git a/shared/templates/template_BASH_sebool b/shared/templates/template_BASH_sebool
-index 96b71ba726..e9aab9d981 100644
---- a/shared/templates/template_BASH_sebool
-+++ b/shared/templates/template_BASH_sebool
-@@ -9,7 +9,7 @@
- {{% if SEBOOL_BOOL %}}
- setsebool -P {{{ SEBOOLID }}} {{{ SEBOOL_BOOL }}}
- {{% else %}}
--populate var_{{{ SEBOOLID }}}
-+{{{ bash_instantiate_variables("var_" + SEBOOLID) }}}
- 
- setsebool -P {{{ SEBOOLID }}} $var_{{{ SEBOOLID }}}
- {{% endif %}}
-diff --git a/shared/templates/template_BASH_sysctl b/shared/templates/template_BASH_sysctl
-index 4ee57967dc..a87d63d038 100644
---- a/shared/templates/template_BASH_sysctl
-+++ b/shared/templates/template_BASH_sysctl
-@@ -5,7 +5,7 @@
- # disruption = medium
- . /usr/share/scap-security-guide/remediation_functions
- {{%- if SYSCTLVAL == "" %}}
--populate sysctl_{{{ SYSCTLID }}}_value
-+{{{ bash_instantiate_variables("sysctl_" + SYSCTLID + "_value") }}}
- 
- #
- # Set runtime for {{{ SYSCTLVAR }}}
-
-From 359c54f7b59ad70a9ce9a1053a28ee91ec4a6fa2 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
-Date: Fri, 4 Sep 2020 12:30:45 +0200
-Subject: [PATCH 3/3] Replaced XCCDF value instantiation in Ansible by a macro
- call.
-
-The former - (xccdf-var ...) mechanism is not Ansible, and jinja is well-established
-in our project as an interface between user input and final content.
----
- .../postfix_network_listening_disabled/ansible/shared.yml       | 2 +-
- .../ntp/chronyd_specify_remote_server/ansible/shared.yml        | 2 +-
- .../ssh_server/firewalld_sshd_port_enabled/ansible/shared.yml   | 2 +-
- .../ssh/ssh_server/sshd_set_idle_timeout/ansible/shared.yml     | 2 +-
- .../ssh/ssh_server/sshd_set_keepalive/ansible/shared.yml        | 2 +-
- .../ssh/ssh_server/sshd_set_max_auth_tries/ansible/shared.yml   | 2 +-
- .../ssh/ssh_server/sshd_set_max_sessions/ansible/shared.yml     | 2 +-
- .../ssh/ssh_server/sshd_use_approved_ciphers/ansible/shared.yml | 2 +-
- .../ssh/ssh_server/sshd_use_approved_macs/ansible/shared.yml    | 2 +-
- .../services/sssd/sssd_memcache_timeout/ansible/shared.yml      | 2 +-
- .../sssd/sssd_ssh_known_hosts_timeout/ansible/shared.yml        | 2 +-
- .../accounts-banners/banner_etc_issue/ansible/shared.yml        | 2 +-
- .../accounts-banners/banner_etc_motd/ansible/shared.yml         | 2 +-
- .../dconf_gnome_login_banner_text/ansible/shared.yml            | 2 +-
- .../accounts_password_pam_unix_remember/ansible/shared.yml      | 2 +-
- .../accounts_passwords_pam_faillock_deny/ansible/shared.yml     | 2 +-
- .../accounts_passwords_pam_faillock_interval/ansible/shared.yml | 2 +-
- .../ansible/shared.yml                                          | 2 +-
- .../accounts_password_pam_retry/ansible/shared.yml              | 2 +-
- .../configure_opensc_card_drivers/ansible/shared.yml            | 2 +-
- .../force_opensc_card_drivers/ansible/shared.yml                | 2 +-
- .../account_disable_post_pw_expiration/ansible/shared.yml       | 2 +-
- .../accounts_maximum_age_login_defs/ansible/shared.yml          | 2 +-
- .../accounts_minimum_age_login_defs/ansible/shared.yml          | 2 +-
- .../accounts_password_minlen_login_defs/ansible/shared.yml      | 2 +-
- .../accounts_password_warn_age_login_defs/ansible/shared.yml    | 2 +-
- .../accounts_logon_fail_delay/ansible/shared.yml                | 2 +-
- .../accounts/accounts-session/accounts_tmout/ansible/shared.yml | 2 +-
- .../user_umask/accounts_umask_etc_bashrc/ansible/shared.yml     | 2 +-
- .../user_umask/accounts_umask_etc_csh_cshrc/ansible/shared.yml  | 2 +-
- .../user_umask/accounts_umask_etc_login_defs/ansible/shared.yml | 2 +-
- .../user_umask/accounts_umask_etc_profile/ansible/shared.yml    | 2 +-
- .../auditd_audispd_configure_remote_server/ansible/shared.yml   | 2 +-
- .../auditd_data_disk_error_action/ansible/shared.yml            | 2 +-
- .../auditd_data_disk_full_action/ansible/shared.yml             | 2 +-
- .../auditd_data_retention_action_mail_acct/ansible/shared.yml   | 2 +-
- .../ansible/shared.yml                                          | 2 +-
- .../auditd_data_retention_flush/ansible/shared.yml              | 2 +-
- .../auditd_data_retention_max_log_file/ansible/shared.yml       | 2 +-
- .../ansible/shared.yml                                          | 2 +-
- .../auditd_data_retention_num_logs/ansible/shared.yml           | 2 +-
- .../auditd_data_retention_space_left/ansible/shared.yml         | 2 +-
- .../auditd_data_retention_space_left_action/ansible/shared.yml  | 2 +-
- .../rsyslog_remote_loghost/ansible/shared.yml                   | 2 +-
- .../dconf_gnome_screensaver_idle_delay/ansible/shared.yml       | 2 +-
- .../integrity/crypto/configure_crypto_policy/ansible/shared.yml | 2 +-
- .../template_ANSIBLE_mount_option_removable_partitions          | 2 +-
- 47 files changed, 47 insertions(+), 47 deletions(-)
-
-diff --git a/linux_os/guide/services/mail/postfix_client/postfix_network_listening_disabled/ansible/shared.yml b/linux_os/guide/services/mail/postfix_client/postfix_network_listening_disabled/ansible/shared.yml
-index f3d2af7614..e1c9d00d20 100644
---- a/linux_os/guide/services/mail/postfix_client/postfix_network_listening_disabled/ansible/shared.yml
-+++ b/linux_os/guide/services/mail/postfix_client/postfix_network_listening_disabled/ansible/shared.yml
-@@ -3,7 +3,7 @@
- # strategy = restrict
- # complexity = low
- # disruption = low
--- (xccdf-var var_postfix_inet_interfaces)
-+{{{ ansible_instantiate_variables("var_postfix_inet_interfaces") }}}
- 
- - name: "Gather list of packages"
-   package_facts:
-diff --git a/linux_os/guide/services/ntp/chronyd_specify_remote_server/ansible/shared.yml b/linux_os/guide/services/ntp/chronyd_specify_remote_server/ansible/shared.yml
-index 0c812bdc2a..37cc359263 100644
---- a/linux_os/guide/services/ntp/chronyd_specify_remote_server/ansible/shared.yml
-+++ b/linux_os/guide/services/ntp/chronyd_specify_remote_server/ansible/shared.yml
-@@ -3,7 +3,7 @@
- # strategy = configure
- # complexity = low
- # disruption = low
--- (xccdf-var var_multiple_time_servers)
-+{{{ ansible_instantiate_variables("var_multiple_time_servers") }}}
- 
- - name: "Detect if chrony is already configured with pools or servers"
-   find:
-diff --git a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/ansible/shared.yml b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/ansible/shared.yml
-index 3985d03542..2553a4d2e5 100644
---- a/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/ansible/shared.yml
-+++ b/linux_os/guide/services/ssh/ssh_server/firewalld_sshd_port_enabled/ansible/shared.yml
-@@ -11,7 +11,7 @@
-   with_items:
-     - firewalld
- 
--- (xccdf-var sshd_listening_port)
-+{{{ ansible_instantiate_variables("sshd_listening_port") }}}
- 
- - name: Enable SSHD in firewalld (custom port)
-   firewalld:
-diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/ansible/shared.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/ansible/shared.yml
-index affc65e2f5..2fdc9a2f22 100644
---- a/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/ansible/shared.yml
-+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_idle_timeout/ansible/shared.yml
-@@ -3,6 +3,6 @@
- # strategy = restrict
- # complexity = low
- # disruption = low
--- (xccdf-var sshd_idle_timeout_value)
-+{{{ ansible_instantiate_variables("sshd_idle_timeout_value") }}}
- 
- {{{ ansible_sshd_set(parameter="ClientAliveInterval", value="{{ sshd_idle_timeout_value }}") }}}
-diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/ansible/shared.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/ansible/shared.yml
-index 52600fd46e..9ce28bafc7 100644
---- a/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/ansible/shared.yml
-+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_keepalive/ansible/shared.yml
-@@ -3,6 +3,6 @@
- # strategy = restrict
- # complexity = low
- # disruption = low
--- (xccdf-var var_sshd_set_keepalive)
-+{{{ ansible_instantiate_variables("var_sshd_set_keepalive") }}}
- 
- {{{ ansible_sshd_set(parameter="ClientAliveCountMax", value="{{ var_sshd_set_keepalive }}") }}}
-diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/ansible/shared.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/ansible/shared.yml
-index 28f3ef0cd2..16e3130240 100644
---- a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/ansible/shared.yml
-+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_auth_tries/ansible/shared.yml
-@@ -3,6 +3,6 @@
- # strategy = restrict
- # complexity = low
- # disruption = low
--- (xccdf-var sshd_max_auth_tries_value)
-+{{{ ansible_instantiate_variables("sshd_max_auth_tries_value") }}}
- 
- {{{ ansible_sshd_set(parameter="MaxAuthTries", value="{{ sshd_max_auth_tries_value }}") }}}
-diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/ansible/shared.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/ansible/shared.yml
-index 6612c6a485..3f8b6f6013 100644
---- a/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/ansible/shared.yml
-+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_max_sessions/ansible/shared.yml
-@@ -3,6 +3,6 @@
- # strategy = configure
- # complexity = low
- # disruption = low
--- (xccdf-var var_sshd_max_sessions)
-+{{{ ansible_instantiate_variables("var_sshd_max_sessions") }}}
- 
- {{{ ansible_sshd_set(parameter="MaxSessions", value="{{ var_sshd_max_sessions }}") }}}
-diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/ansible/shared.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/ansible/shared.yml
-index 1ec8f045e8..89ac2df9db 100644
---- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/ansible/shared.yml
-+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/ansible/shared.yml
-@@ -3,6 +3,6 @@
- # strategy = restrict
- # complexity = low
- # disruption = low
--- (xccdf-var sshd_approved_ciphers)
-+{{{ ansible_instantiate_variables("sshd_approved_ciphers") }}}
- 
- {{{ ansible_sshd_set(parameter="Ciphers", value="{{ sshd_approved_ciphers }}") }}}
-diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/ansible/shared.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/ansible/shared.yml
-index 1a09a3197c..1a9b6990e9 100644
---- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/ansible/shared.yml
-+++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/ansible/shared.yml
-@@ -3,6 +3,6 @@
- # strategy = restrict
- # complexity = low
- # disruption = low
--- (xccdf-var sshd_approved_macs)
-+{{{ ansible_instantiate_variables("sshd_approved_macs") }}}
- 
- {{{ ansible_sshd_set(parameter="MACs", value="{{ sshd_approved_macs }}") }}}
-diff --git a/linux_os/guide/services/sssd/sssd_memcache_timeout/ansible/shared.yml b/linux_os/guide/services/sssd/sssd_memcache_timeout/ansible/shared.yml
-index a2213508a1..dd89d1f443 100644
---- a/linux_os/guide/services/sssd/sssd_memcache_timeout/ansible/shared.yml
-+++ b/linux_os/guide/services/sssd/sssd_memcache_timeout/ansible/shared.yml
-@@ -3,7 +3,7 @@
- # strategy = unknown
- # complexity = low
- # disruption = medium
--- (xccdf-var var_sssd_memcache_timeout)
-+{{{ ansible_instantiate_variables("var_sssd_memcache_timeout") }}}
- 
- - name: "Test for domain group"
-   command: grep '\s*\[domain\/[^]]*]' /etc/sssd/sssd.conf
-diff --git a/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/ansible/shared.yml b/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/ansible/shared.yml
-index ea487c60b3..5bbe0ecef8 100644
---- a/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/ansible/shared.yml
-+++ b/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/ansible/shared.yml
-@@ -3,7 +3,7 @@
- # strategy = unknown
- # complexity = low
- # disruption = medium
--- (xccdf-var var_sssd_ssh_known_hosts_timeout)
-+{{{ ansible_instantiate_variables("var_sssd_ssh_known_hosts_timeout") }}}
- 
- - name: "Test for domain group"
-   command: grep '\s*\[domain\/[^]]*]' /etc/sssd/sssd.conf
-diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/ansible/shared.yml
-index 21f0925268..f3a0c85ea5 100644
---- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/ansible/shared.yml
-+++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/ansible/shared.yml
-@@ -3,7 +3,7 @@
- # strategy = unknown
- # complexity = low
- # disruption = medium
--- (xccdf-var login_banner_text)
-+{{{ ansible_instantiate_variables("login_banner_text") }}}
- 
- - name: "{{{ rule_title }}} - remove incorrect banner"
-   file:
-diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/ansible/shared.yml
-index dfc1c519b7..15eb3cc1cb 100644
---- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/ansible/shared.yml
-+++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/ansible/shared.yml
-@@ -3,7 +3,7 @@
- # strategy = unknown
- # complexity = low
- # disruption = medium
--- (xccdf-var login_banner_text)
-+{{{ ansible_instantiate_variables("login_banner_text") }}}
- 
- - name: "{{{ rule_title }}} - remove incorrect banner"
-   file:
-diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/ansible/shared.yml
-index 40cce05fbc..993916287c 100644
---- a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/ansible/shared.yml
-+++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_login_banner_text/ansible/shared.yml
-@@ -3,7 +3,7 @@
- # strategy = unknown
- # complexity = low
- # disruption = medium
--- (xccdf-var login_banner_text)
-+{{{ ansible_instantiate_variables("login_banner_text") }}}
- 
- - name: "{{{ rule_title }}}"
-   file:
-diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/ansible/shared.yml
-index 4198e524e8..75787c429d 100644
---- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/ansible/shared.yml
-+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_unix_remember/ansible/shared.yml
-@@ -3,7 +3,7 @@
- # strategy = configure
- # complexity = low
- # disruption = medium
--- (xccdf-var var_password_pam_unix_remember)
-+{{{ ansible_instantiate_variables("var_password_pam_unix_remember") }}}
- 
- - name: "Do not allow users to reuse recent passwords - system-auth (change)"
-   replace:
-diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/ansible/shared.yml
-index d2b08c0e14..0622ae769c 100644
---- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/ansible/shared.yml
-+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/ansible/shared.yml
-@@ -3,7 +3,7 @@
- # strategy = restrict
- # complexity = low
- # disruption = low
--- (xccdf-var var_accounts_passwords_pam_faillock_deny)
-+{{{ ansible_instantiate_variables("var_accounts_passwords_pam_faillock_deny") }}}
- 
- - name: Add auth pam_faillock preauth deny before pam_unix.so
-   pamd:
-diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/ansible/shared.yml
-index 7961a9eb54..96adcef63d 100644
---- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/ansible/shared.yml
-+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/ansible/shared.yml
-@@ -3,7 +3,7 @@
- # strategy = restrict
- # complexity = low
- # disruption = low
--- (xccdf-var var_accounts_passwords_pam_faillock_fail_interval)
-+{{{ ansible_instantiate_variables("var_accounts_passwords_pam_faillock_fail_interval") }}}
- 
- - name: Add auth pam_faillock preauth fail_interval before pam_unix.so
-   pamd:
-diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/ansible/shared.yml
-index 9b49e56ba8..db44ce4f63 100644
---- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/ansible/shared.yml
-+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/ansible/shared.yml
-@@ -3,7 +3,7 @@
- # strategy = restrict
- # complexity = low
- # disruption = low
--- (xccdf-var var_accounts_passwords_pam_faillock_unlock_time)
-+{{{ ansible_instantiate_variables("var_accounts_passwords_pam_faillock_unlock_time") }}}
- 
- - name: Add auth pam_faillock preauth unlock_time before pam_unix.so
-   pamd:
-diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/ansible/shared.yml
-index 6795f08939..ab351a26e5 100644
---- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/ansible/shared.yml
-+++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/accounts_password_pam_retry/ansible/shared.yml
-@@ -3,7 +3,7 @@
- # strategy = configure
- # complexity = low
- # disruption = medium
--- (xccdf-var var_password_pam_retry)
-+{{{ ansible_instantiate_variables("var_password_pam_retry") }}}
- 
- - name: "Set Password Retry Prompts Permitted Per-Session - system-auth (change)"
-   replace:
-diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/configure_opensc_card_drivers/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/configure_opensc_card_drivers/ansible/shared.yml
-index 904d62c517..376027543b 100644
---- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/configure_opensc_card_drivers/ansible/shared.yml
-+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/configure_opensc_card_drivers/ansible/shared.yml
-@@ -3,7 +3,7 @@
- # strategy = configure
- # complexity = low
- # disruption = low
--- (xccdf-var var_smartcard_drivers)
-+{{{ ansible_instantiate_variables("var_smartcard_drivers") }}}
- 
- - name: Check existence of opensc conf
-   stat:
-diff --git a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/force_opensc_card_drivers/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/force_opensc_card_drivers/ansible/shared.yml
-index 13058a7ad6..f05423c0cb 100644
---- a/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/force_opensc_card_drivers/ansible/shared.yml
-+++ b/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/force_opensc_card_drivers/ansible/shared.yml
-@@ -3,7 +3,7 @@
- # strategy = configure
- # complexity = low
- # disruption = low
--- (xccdf-var var_smartcard_drivers)
-+{{{ ansible_instantiate_variables("var_smartcard_drivers") }}}
- 
- - name: Check existence of opensc conf
-   stat:
-diff --git a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_disable_post_pw_expiration/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_disable_post_pw_expiration/ansible/shared.yml
-index fe4826baed..11a6bc5467 100644
---- a/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_disable_post_pw_expiration/ansible/shared.yml
-+++ b/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/account_disable_post_pw_expiration/ansible/shared.yml
-@@ -3,7 +3,7 @@
- # strategy = restrict
- # complexity = low
- # disruption = low
--- (xccdf-var var_account_disable_post_pw_expiration)
-+{{{ ansible_instantiate_variables("var_account_disable_post_pw_expiration") }}}
- 
- - name: Set Account Expiration Following Inactivity
-   lineinfile:
-diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/ansible/shared.yml
-index 452ff3bb41..a85f9fc6fa 100644
---- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/ansible/shared.yml
-+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/ansible/shared.yml
-@@ -3,7 +3,7 @@
- # strategy = restrict
- # complexity = low
- # disruption = low
--- (xccdf-var var_accounts_maximum_age_login_defs)
-+{{{ ansible_instantiate_variables("var_accounts_maximum_age_login_defs") }}}
- 
- - name: Set Password Maximum Age
-   lineinfile:
-diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs/ansible/shared.yml
-index 5c94bc8028..e394f26d7a 100644
---- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs/ansible/shared.yml
-+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_minimum_age_login_defs/ansible/shared.yml
-@@ -3,7 +3,7 @@
- # strategy = restrict
- # complexity = low
- # disruption = low
--- (xccdf-var var_accounts_minimum_age_login_defs)
-+{{{ ansible_instantiate_variables("var_accounts_minimum_age_login_defs") }}}
- 
- - name: Set Password Minimum Age
-   lineinfile:
-diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_minlen_login_defs/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_minlen_login_defs/ansible/shared.yml
-index 247aee3bff..eee37bda68 100644
---- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_minlen_login_defs/ansible/shared.yml
-+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_minlen_login_defs/ansible/shared.yml
-@@ -3,7 +3,7 @@
- # strategy = restrict
- # complexity = low
- # disruption = low
--- (xccdf-var var_accounts_password_minlen_login_defs)
-+{{{ ansible_instantiate_variables("var_accounts_password_minlen_login_defs") }}}
- 
- - name: "Set Password Minimum Length in login.defs"
-   lineinfile:
-diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_warn_age_login_defs/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_warn_age_login_defs/ansible/shared.yml
-index b5eb75ecf9..1091f8c854 100644
---- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_warn_age_login_defs/ansible/shared.yml
-+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_warn_age_login_defs/ansible/shared.yml
-@@ -3,7 +3,7 @@
- # strategy = restrict
- # complexity = low
- # disruption = low
--- (xccdf-var var_accounts_password_warn_age_login_defs)
-+{{{ ansible_instantiate_variables("var_accounts_password_warn_age_login_defs") }}}
- 
- - name: "Set Password Warning Age"
-   lineinfile:
-diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/ansible/shared.yml
-index d3e4742c79..0b45abb25d 100644
---- a/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/ansible/shared.yml
-+++ b/linux_os/guide/system/accounts/accounts-session/accounts_logon_fail_delay/ansible/shared.yml
-@@ -3,7 +3,7 @@
- # strategy = restrict
- # complexity = low
- # reboot = true
--- (xccdf-var var_accounts_fail_delay)
-+{{{ ansible_instantiate_variables("var_accounts_fail_delay") }}}
- 
- - name: Set accounts logon fail delay
-   lineinfile:
-diff --git a/linux_os/guide/system/accounts/accounts-session/accounts_tmout/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-session/accounts_tmout/ansible/shared.yml
-index d17154b57e..2c3049006d 100644
---- a/linux_os/guide/system/accounts/accounts-session/accounts_tmout/ansible/shared.yml
-+++ b/linux_os/guide/system/accounts/accounts-session/accounts_tmout/ansible/shared.yml
-@@ -3,6 +3,6 @@
- # strategy = restrict
- # complexity = low
- # disruption = low
--- (xccdf-var var_accounts_tmout)
-+{{{ ansible_instantiate_variables("var_accounts_tmout") }}}
- 
- {{{ ansible_etc_profile_set(parameter='TMOUT', value='{{ var_accounts_tmout }}') }}}
-diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/ansible/shared.yml
-index 43e03834a4..0255963a14 100644
---- a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/ansible/shared.yml
-+++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/ansible/shared.yml
-@@ -3,7 +3,7 @@
- # strategy = restrict
- # complexity = low
- # disruption = low
--- (xccdf-var var_accounts_user_umask)
-+{{{ ansible_instantiate_variables("var_accounts_user_umask") }}}
- 
- - name: Set user umask in /etc/bashrc
-   replace:
-diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_csh_cshrc/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_csh_cshrc/ansible/shared.yml
-index 7c6b465f83..fa956cff6a 100644
---- a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_csh_cshrc/ansible/shared.yml
-+++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_csh_cshrc/ansible/shared.yml
-@@ -3,7 +3,7 @@
- # strategy = restrict
- # complexity = low
- # disruption = low
--- (xccdf-var var_accounts_user_umask)
-+{{{ ansible_instantiate_variables("var_accounts_user_umask") }}}
- 
- - name: Set user umask in /etc/csh.cshrc
-   replace:
-diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_login_defs/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_login_defs/ansible/shared.yml
-index 449364f304..309b68a58f 100644
---- a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_login_defs/ansible/shared.yml
-+++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_login_defs/ansible/shared.yml
-@@ -3,7 +3,7 @@
- # strategy = restrict
- # complexity = low
- # disruption = low
--- (xccdf-var var_accounts_user_umask)
-+{{{ ansible_instantiate_variables("var_accounts_user_umask") }}}
- 
- - name: Ensure the Default UMASK is Set Correctly
-   lineinfile:
-diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_profile/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_profile/ansible/shared.yml
-index 1b7d188c9e..fe12edac8b 100644
---- a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_profile/ansible/shared.yml
-+++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_profile/ansible/shared.yml
-@@ -3,7 +3,7 @@
- # strategy = restrict
- # complexity = low
- # disruption = low
--- (xccdf-var var_accounts_user_umask)
-+{{{ ansible_instantiate_variables("var_accounts_user_umask") }}}
- 
- - name: Set user umask in /etc/profile
-   replace:
-diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_configure_remote_server/ansible/shared.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_configure_remote_server/ansible/shared.yml
-index 3296b9deb2..b3f245c998 100644
---- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_configure_remote_server/ansible/shared.yml
-+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_configure_remote_server/ansible/shared.yml
-@@ -3,7 +3,7 @@
- # strategy = configure
- # complexity = low
- # disruption = low
--- (xccdf-var var_audispd_remote_server)
-+{{{ ansible_instantiate_variables("var_audispd_remote_server") }}}
- 
- {{% if product in ["rhel8", "fedora", "ol8", "rhv4"] %}}
- {{% set audisp_config_file_path = "/etc/audit/audisp-remote.conf" %}}
-diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_error_action/ansible/shared.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_error_action/ansible/shared.yml
-index beba66af07..06f4a10c6f 100644
---- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_error_action/ansible/shared.yml
-+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_error_action/ansible/shared.yml
-@@ -3,7 +3,7 @@
- # strategy = restrict
- # complexity = low
- # disruption = low
--- (xccdf-var var_auditd_disk_error_action)
-+{{{ ansible_instantiate_variables("var_auditd_disk_error_action") }}}
- 
- - name: Configure auditd Disk Error Action on Disk Error
-   lineinfile:
-diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_full_action/ansible/shared.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_full_action/ansible/shared.yml
-index 2b72085912..60b1e912ce 100644
---- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_full_action/ansible/shared.yml
-+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_disk_full_action/ansible/shared.yml
-@@ -3,7 +3,7 @@
- # strategy = restrict
- # complexity = low
- # disruption = low
--- (xccdf-var var_auditd_disk_full_action)
-+{{{ ansible_instantiate_variables("var_auditd_disk_full_action") }}}
- 
- - name: Configure auditd Disk Full Action when Disk Space Is Full
-   lineinfile:
-diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_action_mail_acct/ansible/shared.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_action_mail_acct/ansible/shared.yml
-index 6a6d0ce4a4..48fe7aced4 100644
---- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_action_mail_acct/ansible/shared.yml
-+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_action_mail_acct/ansible/shared.yml
-@@ -3,7 +3,7 @@
- # strategy = restrict
- # complexity = low
- # disruption = low
--- (xccdf-var var_auditd_action_mail_acct)
-+{{{ ansible_instantiate_variables("var_auditd_action_mail_acct") }}}
- 
- - name: Configure auditd mail_acct Action on Low Disk Space
-   lineinfile:
-diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left_action/ansible/shared.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left_action/ansible/shared.yml
-index ff63a15de8..93d076fa6f 100644
---- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left_action/ansible/shared.yml
-+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left_action/ansible/shared.yml
-@@ -3,7 +3,7 @@
- # strategy = restrict
- # complexity = low
- # disruption = low
--- (xccdf-var var_auditd_admin_space_left_action)
-+{{{ ansible_instantiate_variables("var_auditd_admin_space_left_action") }}}
- 
- - name: Configure auditd admin_space_left Action on Low Disk Space
-   lineinfile:
-diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_flush/ansible/shared.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_flush/ansible/shared.yml
-index 4a5f45c14b..f909e5ec22 100644
---- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_flush/ansible/shared.yml
-+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_flush/ansible/shared.yml
-@@ -3,7 +3,7 @@
- # strategy = restrict
- # complexity = low
- # disruption = low
--- (xccdf-var var_auditd_flush)
-+{{{ ansible_instantiate_variables("var_auditd_flush") }}}
- 
- - name: Configure auditd Flush Priority
-   lineinfile:
-diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file/ansible/shared.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file/ansible/shared.yml
-index d497d27e20..65c77aa3cd 100644
---- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file/ansible/shared.yml
-+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file/ansible/shared.yml
-@@ -3,7 +3,7 @@
- # strategy = restrict
- # complexity = low
- # disruption = low
--- (xccdf-var var_auditd_max_log_file)
-+{{{ ansible_instantiate_variables("var_auditd_max_log_file") }}}
- 
- - name: Configure auditd Max Log File Size
-   lineinfile:
-diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file_action/ansible/shared.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file_action/ansible/shared.yml
-index 48df854986..595959e029 100644
---- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file_action/ansible/shared.yml
-+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file_action/ansible/shared.yml
-@@ -3,7 +3,7 @@
- # strategy = restrict
- # complexity = low
- # disruption = low
--- (xccdf-var var_auditd_max_log_file_action)
-+{{{ ansible_instantiate_variables("var_auditd_max_log_file_action") }}}
- 
- - name: Configure auditd max_log_file_action Upon Reaching Maximum Log Size
-   lineinfile:
-diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_num_logs/ansible/shared.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_num_logs/ansible/shared.yml
-index 8dfa5ce0cd..6fe9e0145e 100644
---- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_num_logs/ansible/shared.yml
-+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_num_logs/ansible/shared.yml
-@@ -3,7 +3,7 @@
- # strategy = restrict
- # complexity = low
- # disruption = low
--- (xccdf-var var_auditd_num_logs)
-+{{{ ansible_instantiate_variables("var_auditd_num_logs") }}}
- 
- - name: Configure auditd Number of Logs Retained
-   lineinfile:
-diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/ansible/shared.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/ansible/shared.yml
-index f4af7a6aa9..6db7ffbd34 100644
---- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/ansible/shared.yml
-+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left/ansible/shared.yml
-@@ -3,7 +3,7 @@
- # strategy = restrict
- # complexity = low
- # disruption = low
--- (xccdf-var var_auditd_space_left)
-+{{{ ansible_instantiate_variables("var_auditd_space_left") }}}
- 
- - name: Configure auditd space_left on Low Disk Space
-   lineinfile:
-diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_action/ansible/shared.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_action/ansible/shared.yml
-index 5b4a101a1c..04062e34a6 100644
---- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_action/ansible/shared.yml
-+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_data_retention_space_left_action/ansible/shared.yml
-@@ -3,7 +3,7 @@
- # strategy = restrict
- # complexity = low
- # disruption = low
--- (xccdf-var var_auditd_space_left_action)
-+{{{ ansible_instantiate_variables("var_auditd_space_left_action") }}}
- 
- - name: Configure auditd space_left Action on Low Disk Space
-   lineinfile:
-diff --git a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/ansible/shared.yml b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/ansible/shared.yml
-index 316171df9b..407e1be3ab 100644
---- a/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/ansible/shared.yml
-+++ b/linux_os/guide/system/logging/rsyslog_sending_messages/rsyslog_remote_loghost/ansible/shared.yml
-@@ -3,7 +3,7 @@
- # strategy = restrict
- # complexity = low
- # disruption = low
--- (xccdf-var rsyslog_remote_loghost_address)
-+{{{ ansible_instantiate_variables("rsyslog_remote_loghost_address") }}}
- 
- - name: "Set rsyslog remote loghost"
-   lineinfile:
-diff --git a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_delay/ansible/shared.yml b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_delay/ansible/shared.yml
-index e8a802d48c..81270d1adb 100644
---- a/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_delay/ansible/shared.yml
-+++ b/linux_os/guide/system/software/gnome/gnome_screen_locking/dconf_gnome_screensaver_idle_delay/ansible/shared.yml
-@@ -3,7 +3,7 @@
- # strategy = unknown
- # complexity = low
- # disruption = medium
--- (xccdf-var inactivity_timeout_value)
-+{{{ ansible_instantiate_variables("inactivity_timeout_value") }}}
- 
- - name: "Set GNOME3 Screensaver Inactivity Timeout"
-   ini_file:
-diff --git a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/ansible/shared.yml b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/ansible/shared.yml
-index 9d3f9c0c65..09b6dbc855 100644
---- a/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/ansible/shared.yml
-+++ b/linux_os/guide/system/software/integrity/crypto/configure_crypto_policy/ansible/shared.yml
-@@ -3,7 +3,7 @@
- # strategy = restrict
- # complexity = low
- # disruption = low
--- (xccdf-var var_system_crypto_policy)
-+{{{ ansible_instantiate_variables("var_system_crypto_policy") }}}
- 
- - name: "{{{ rule_title }}}"
-   lineinfile:
-diff --git a/shared/templates/template_ANSIBLE_mount_option_removable_partitions b/shared/templates/template_ANSIBLE_mount_option_removable_partitions
-index 374499261d..346f5fe3de 100644
---- a/shared/templates/template_ANSIBLE_mount_option_removable_partitions
-+++ b/shared/templates/template_ANSIBLE_mount_option_removable_partitions
-@@ -3,7 +3,7 @@
- # strategy = configure
- # complexity = low
- # disruption = high
--- (xccdf-var var_removable_partition)
-+{{{ ansible_instantiate_variables("var_removable_partition") }}}
- 
- - name: Ensure permission {{{ MOUNTOPTION }}} are set on var_removable_partition
-   lineinfile:
diff --git a/SOURCES/scap-security-guide-0.1.54-add_dir_perms_world_writable_system_owned_group-PR_6421.patch b/SOURCES/scap-security-guide-0.1.54-add_dir_perms_world_writable_system_owned_group-PR_6421.patch
deleted file mode 100644
index 0ae8796..0000000
--- a/SOURCES/scap-security-guide-0.1.54-add_dir_perms_world_writable_system_owned_group-PR_6421.patch
+++ /dev/null
@@ -1,182 +0,0 @@
-From c11311736558613b13ae051a2908c31eee0b6a43 Mon Sep 17 00:00:00 2001
-From: Gabriel Becker <ggasparb@redhat.com>
-Date: Wed, 25 Nov 2020 16:52:14 +0100
-Subject: [PATCH] Add new rule dir_perms_world_writable_system_owned_group.
-
-Change old STIG reference ID from dir_perms_world_writable_system_owned
-because this rule actually checks for UID and not the GID as it was
-expected.
----
- .../oval/shared.xml                           | 10 ++---
- .../rule.yml                                  |  8 ++--
- .../oval/shared.xml                           | 22 +++++++++
- .../rule.yml                                  | 45 +++++++++++++++++++
- rhel7/profiles/stig.profile                   |  1 +
- shared/references/cce-redhat-avail.txt        |  1 -
- 6 files changed, 77 insertions(+), 10 deletions(-)
- create mode 100644 linux_os/guide/system/permissions/files/dir_perms_world_writable_system_owned_group/oval/shared.xml
- create mode 100644 linux_os/guide/system/permissions/files/dir_perms_world_writable_system_owned_group/rule.yml
-
-diff --git a/linux_os/guide/system/permissions/files/dir_perms_world_writable_system_owned/oval/shared.xml b/linux_os/guide/system/permissions/files/dir_perms_world_writable_system_owned/oval/shared.xml
-index eae7e654a2..8b03bfe0ec 100644
---- a/linux_os/guide/system/permissions/files/dir_perms_world_writable_system_owned/oval/shared.xml
-+++ b/linux_os/guide/system/permissions/files/dir_perms_world_writable_system_owned/oval/shared.xml
-@@ -6,16 +6,16 @@
-     </criteria>
-   </definition>
-   <unix:file_test check="all" comment="check for local directories that are world writable and have uid greater than or equal to {{{ auid }}}" id="test_dir_world_writable_uid_gt_value" version="1">
--    <unix:object object_ref="all_local_directories" />
--    <unix:state state_ref="state_gid_is_user_and_world_writable" />
-+    <unix:object object_ref="all_local_directories_uid" />
-+    <unix:state state_ref="state_uid_is_user_and_world_writable" />
-   </unix:file_test>
--  <unix:file_object comment="all local directories" id="all_local_directories" version="1">
-+  <unix:file_object comment="all local directories" id="all_local_directories_uid" version="1">
-     <unix:behaviors recurse="directories" recurse_direction="down" max_depth="-1" recurse_file_system="local" />
-     <unix:path operation="equals">/</unix:path>
-     <unix:filename xsi:nil="true" />
--    <filter action="include">state_gid_is_user_and_world_writable</filter>
-+    <filter action="include">state_uid_is_user_and_world_writable</filter>
-   </unix:file_object>
--  <unix:file_state comment="uid greater than or equal to {{{ auid }}} and world writable" id="state_gid_is_user_and_world_writable" version="1">
-+  <unix:file_state comment="uid greater than or equal to {{{ auid }}} and world writable" id="state_uid_is_user_and_world_writable" version="1">
-     <unix:user_id datatype="int" operation="greater than or equal">{{{ auid }}}</unix:user_id>
-     <unix:owrite datatype="boolean">true</unix:owrite>
-   </unix:file_state>
-diff --git a/linux_os/guide/system/permissions/files/dir_perms_world_writable_system_owned/rule.yml b/linux_os/guide/system/permissions/files/dir_perms_world_writable_system_owned/rule.yml
-index 100b22943..5271903fe 100644
---- a/linux_os/guide/system/permissions/files/dir_perms_world_writable_system_owned/rule.yml
-+++ b/linux_os/guide/system/permissions/files/dir_perms_world_writable_system_owned/rule.yml
-@@ -7,10 +7,10 @@ title: 'Ensure All World-Writable Directories Are Owned by a System Account'
- description: |-
-     All directories in local partitions which are
-     world-writable should be owned by root or another
--    system account.  If any world-writable directories are not
-+    system account. If any world-writable directories are not
-     owned by a system account, this should be investigated.
-     Following this, the files should be deleted or assigned to an
--    appropriate group.
-+    appropriate owner.
- 
- rationale: |-
-     Allowing a user account to own a world-writable directory is
-@@ -25,14 +25,14 @@ identifiers:
-     cce@rhel7: CCE-80136-5
- 
- references:
--    stigid@ol7: OL07-00-021030
-+    stigid@ol7: OL07-00-021031
-     stigid@rhel6: RHEL-06-000337
-     srg@rhel6: SRG-OS-999999
-     disa: CCI-000366
-     nist: CM-6(a),AC-6(1)
-     nist-csf: PR.AC-4,PR.DS-5
-     srg: SRG-OS-000480-GPOS-00227
--    stigid@rhel7: RHEL-07-021030
-+    stigid@rhel7: RHEL-07-021031
-     isa-62443-2013: 'SR 2.1,SR 5.2'
-     isa-62443-2009: 4.3.3.7.3
-     cobit5: APO01.06,DSS05.04,DSS05.07,DSS06.02
-diff --git a/linux_os/guide/system/permissions/files/dir_perms_world_writable_system_owned_group/oval/shared.xml b/linux_os/guide/system/permissions/files/dir_perms_world_writable_system_owned_group/oval/shared.xml
-new file mode 100644
-index 0000000000..3ac40ecb2d
---- /dev/null
-+++ b/linux_os/guide/system/permissions/files/dir_perms_world_writable_system_owned_group/oval/shared.xml
-@@ -0,0 +1,22 @@
-+<def-group>
-+  <definition class="compliance" id="dir_perms_world_writable_system_owned_group" version="1">
-+    {{{ oval_metadata("All world writable directories should be group owned by a system user.") }}}
-+    <criteria comment="check for local directories that are world writable and have gid greater than or equal to {{{ auid }}}" negate="true">
-+      <criterion comment="check for local directories that are world writable and have gid greater than or equal to {{{ auid }}}" test_ref="test_dir_world_writable_gid_gt_value" />
-+    </criteria>
-+  </definition>
-+  <unix:file_test check="all" comment="check for local directories that are world writable and have gid greater than or equal to {{{ auid }}}" id="test_dir_world_writable_gid_gt_value" version="1">
-+    <unix:object object_ref="all_local_directories_gid" />
-+    <unix:state state_ref="state_gid_is_user_and_world_writable" />
-+  </unix:file_test>
-+  <unix:file_object comment="all local directories" id="all_local_directories_gid" version="1">
-+    <unix:behaviors recurse="directories" recurse_direction="down" max_depth="-1" recurse_file_system="local" />
-+    <unix:path operation="equals">/</unix:path>
-+    <unix:filename xsi:nil="true" />
-+    <filter action="include">state_gid_is_user_and_world_writable</filter>
-+  </unix:file_object>
-+  <unix:file_state comment="gid greater than or equal to {{{ auid }}} and world writable" id="state_gid_is_user_and_world_writable" version="1">
-+    <unix:group_id datatype="int" operation="greater than or equal">{{{ auid }}}</unix:group_id>
-+    <unix:owrite datatype="boolean">true</unix:owrite>
-+  </unix:file_state>
-+</def-group>
-diff --git a/linux_os/guide/system/permissions/files/dir_perms_world_writable_system_owned_group/rule.yml b/linux_os/guide/system/permissions/files/dir_perms_world_writable_system_owned_group/rule.yml
-new file mode 100644
-index 0000000000..1e3c60b7e3
---- /dev/null
-+++ b/linux_os/guide/system/permissions/files/dir_perms_world_writable_system_owned_group/rule.yml
-@@ -0,0 +1,45 @@
-+documentation_complete: true
-+
-+prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019
-+
-+title: 'Ensure All World-Writable Directories Are Group Owned by a System Account'
-+
-+description: |-
-+    All directories in local partitions which are
-+    world-writable should be group owned by root or another
-+    system account. If any world-writable directories are not
-+    group owned by a system account, this should be investigated.
-+    Following this, the files should be deleted or assigned to an
-+    appropriate group.
-+
-+rationale: |-
-+    Allowing a user account to group own a world-writable directory is
-+    undesirable because it allows the owner of that directory to remove
-+    or replace any files that may be placed in the directory by other
-+    users.
-+
-+severity: medium
-+
-+identifiers:
-+    cce@rhel7: CCE-83923-3
-+
-+references:
-+    stigid@ol7: OL07-00-021030
-+    disa: CCI-000366
-+    nist: CM-6(a),AC-6(1)
-+    nist-csf: PR.AC-4,PR.DS-5
-+    srg: SRG-OS-000480-GPOS-00227
-+    stigid@rhel7: RHEL-07-021030
-+    isa-62443-2013: 'SR 2.1,SR 5.2'
-+    isa-62443-2009: 4.3.3.7.3
-+    cobit5: APO01.06,DSS05.04,DSS05.07,DSS06.02
-+    iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5
-+    cis-csc: 12,13,14,15,16,18,3,5
-+
-+ocil_clause: 'there is output'
-+
-+ocil: |-
-+    The following command will discover and print world-writable directories that
-+    are not group owned by a system account, given the assumption that only system
-+    accounts have a gid lower than 500.  Run it once for each local partition <i>PART</i>:
-+    <pre>$ sudo find <i>PART</i> -xdev -type d -perm -0002 -gid +499 -print</pre>
-diff --git a/rhel7/profiles/stig.profile b/rhel7/profiles/stig.profile
-index 4698785a49..a16e990202 100644
---- a/rhel7/profiles/stig.profile
-+++ b/rhel7/profiles/stig.profile
-@@ -155,6 +155,7 @@ selections:
-     - mount_option_nosuid_removable_partitions
-     - mount_option_nosuid_remote_filesystems
-     - dir_perms_world_writable_system_owned
-+    - dir_perms_world_writable_system_owned_group
-     - accounts_umask_interactive_users
-     - rsyslog_cron_logging
-     - file_owner_cron_allow
-diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
-index c38943b07c..c5d1ff963f 100644
---- a/shared/references/cce-redhat-avail.txt
-+++ b/shared/references/cce-redhat-avail.txt
-@@ -473,7 +473,6 @@ CCE-83919-1
- CCE-83920-9
- CCE-83921-7
- CCE-83922-5
--CCE-83923-3
- CCE-83924-1
- CCE-83925-8
- CCE-83926-6
diff --git a/SOURCES/scap-security-guide-0.1.54-fix-bash_dconf_settings-macro-PR_6364.patch b/SOURCES/scap-security-guide-0.1.54-fix-bash_dconf_settings-macro-PR_6364.patch
deleted file mode 100644
index 9b52226..0000000
--- a/SOURCES/scap-security-guide-0.1.54-fix-bash_dconf_settings-macro-PR_6364.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From 1c0f141f863736b2c5c47d6d9f20b75c8cbf8318 Mon Sep 17 00:00:00 2001
-From: Gabriel Becker <ggasparb@redhat.com>
-Date: Tue, 10 Nov 2020 18:10:17 +0100
-Subject: [PATCH] Fix bash_dconf_settings to grep whole keyword alike.
-
----
- .../dconf_gnome_disable_automount/tests/wrong_value.fail.sh    | 3 +++
- shared/macros-bash.jinja                                       | 2 +-
- 2 files changed, 4 insertions(+), 1 deletion(-)
-
-diff --git a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/tests/wrong_value.fail.sh b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/tests/wrong_value.fail.sh
-index 35c6e417ad..0272781515 100644
---- a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/tests/wrong_value.fail.sh
-+++ b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/tests/wrong_value.fail.sh
-@@ -5,3 +5,6 @@
- 
- install_dconf_and_gdm_if_needed
- clean_dconf_settings
-+
-+add_dconf_setting "org/gnome/desktop/media-handling" "automount-open" "false" "local.d" "00-security-settings"
-+add_dconf_lock "org/gnome/desktop/media-handling" "automount-open" "local.d" "00-security-settings"
-diff --git a/shared/macros-bash.jinja b/shared/macros-bash.jinja
-index ee48bec12d..0add877cbc 100644
---- a/shared/macros-bash.jinja
-+++ b/shared/macros-bash.jinja
-@@ -181,7 +181,7 @@ then
-     printf '%s=%s\n' "{{{ key }}}" "{{{ value }}}" >> ${DCONFFILE}
- else
-     escaped_value="$(sed -e 's/\\/\\\\/g' <<< "{{{ value }}}")"
--    if grep -q "^\\s*{{{ key }}}" "${SETTINGSFILES[@]}"
-+    if grep -q "^\\s*{{{ key }}}\\s*=" "${SETTINGSFILES[@]}"
-     then
-         sed -i "s/\\s*{{{ key }}}\\s*=\\s*.*/{{{ key }}}=${escaped_value}/g" "${SETTINGSFILES[@]}"
-     else
diff --git a/SOURCES/scap-security-guide-0.1.54-select_xwindows_runlevel_target_stig-PR_6420.patch b/SOURCES/scap-security-guide-0.1.54-select_xwindows_runlevel_target_stig-PR_6420.patch
deleted file mode 100644
index 8b2c416..0000000
--- a/SOURCES/scap-security-guide-0.1.54-select_xwindows_runlevel_target_stig-PR_6420.patch
+++ /dev/null
@@ -1,21 +0,0 @@
-From 3224a958477cda26e302bcc310ffac755938948a Mon Sep 17 00:00:00 2001
-From: Gabriel Becker <ggasparb@redhat.com>
-Date: Wed, 25 Nov 2020 12:29:04 +0100
-Subject: [PATCH] Add xwindows_runlevel_target to RHEL7 STIG profile.
-
----
- rhel7/profiles/stig.profile | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/rhel7/profiles/stig.profile b/rhel7/profiles/stig.profile
-index 0d723117a5..4698785a49 100644
---- a/rhel7/profiles/stig.profile
-+++ b/rhel7/profiles/stig.profile
-@@ -287,6 +287,7 @@ selections:
-     - sshd_enable_x11_forwarding
-     - tftpd_uses_secure_mode
-     - package_xorg-x11-server-common_removed
-+    - xwindows_runlevel_target
-     - sysctl_net_ipv4_ip_forward
-     - mount_option_krb_sec_remote_filesystems
-     - snmpd_not_default_password
diff --git a/SOURCES/scap-security-guide-0.1.54-split-dconf-automount-rule-PR_5961.patch b/SOURCES/scap-security-guide-0.1.54-split-dconf-automount-rule-PR_5961.patch
deleted file mode 100644
index e6aa9a3..0000000
--- a/SOURCES/scap-security-guide-0.1.54-split-dconf-automount-rule-PR_5961.patch
+++ /dev/null
@@ -1,1010 +0,0 @@
-From bf1b010001f16a428a0e3401347df0a37ce52e90 Mon Sep 17 00:00:00 2001
-From: Gabriel Becker <ggasparb@redhat.com>
-Date: Thu, 6 Aug 2020 15:43:31 +0200
-Subject: [PATCH 1/8] Break dconf_gnome_disable_automount down into three
- separate rules.
-
----
- .../tests/empty.fail.sh                       |  9 +++
- .../ansible/shared.yml                        | 31 ----------
- .../bash/shared.sh                            |  4 --
- .../oval/shared.xml                           | 60 +------------------
- .../dconf_gnome_disable_automount/rule.yml    | 25 +++-----
- .../tests/correct_value.pass.sh               | 11 ++++
- .../ansible/shared.yml                        | 19 ++++++
- .../bash/shared.sh                            |  5 ++
- .../oval/shared.xml                           | 50 ++++++++++++++++
- .../rule.yml                                  | 57 ++++++++++++++++++
- .../tests/correct_value.pass.sh               | 12 ++++
- .../tests/wrong_value.fail.sh                 |  7 +++
- .../ansible/shared.yml                        | 20 +++++++
- .../bash/shared.sh                            |  5 ++
- .../oval/shared.xml                           | 50 ++++++++++++++++
- .../dconf_gnome_disable_autorun/rule.yml      | 57 ++++++++++++++++++
- .../tests/correct_value.pass.sh               | 10 ++++
- .../tests/wrong_value.fail.sh                 |  7 +++
- shared/references/cce-redhat-avail.txt        |  4 --
- 19 files changed, 328 insertions(+), 115 deletions(-)
- create mode 100644 linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_banner_enabled/tests/empty.fail.sh
- create mode 100644 linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/tests/correct_value.pass.sh
- create mode 100644 linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/ansible/shared.yml
- create mode 100644 linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/bash/shared.sh
- create mode 100644 linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/oval/shared.xml
- create mode 100644 linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/rule.yml
- create mode 100644 linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/tests/correct_value.pass.sh
- create mode 100644 linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/tests/wrong_value.fail.sh
- create mode 100644 linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/ansible/shared.yml
- create mode 100644 linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/bash/shared.sh
- create mode 100644 linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/oval/shared.xml
- create mode 100644 linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/rule.yml
- create mode 100644 linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/tests/correct_value.pass.sh
- create mode 100644 linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/tests/wrong_value.fail.sh
-
-diff --git a/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_banner_enabled/tests/empty.fail.sh b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_banner_enabled/tests/empty.fail.sh
-new file mode 100644
-index 0000000000..cb84c5262b
---- /dev/null
-+++ b/linux_os/guide/system/accounts/accounts-banners/gui_login_banner/dconf_gnome_banner_enabled/tests/empty.fail.sh
-@@ -0,0 +1,9 @@
-+#!/bin/bash
-+# profiles = xccdf_org.ssgproject.content_profile_ncp
-+
-+source $SHARED/dconf_test_functions.sh
-+
-+install_dconf_and_gdm_if_needed
-+
-+clean_dconf_settings
-+
-diff --git a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/ansible/shared.yml b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/ansible/shared.yml
-index c13d706df3..eeb7b8f301 100644
---- a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/ansible/shared.yml
-+++ b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/ansible/shared.yml
-@@ -17,34 +17,3 @@
-     regexp: '^/org/gnome/desktop/media-handling/automount'
-     line: '/org/gnome/desktop/media-handling/automount'
-     create: yes
--
--- name: "Disable GNOME3 Automounting - automount-open"
--  ini_file:
--    dest: /etc/dconf/db/local.d/00-security-settings
--    section: org/gnome/desktop/media-handling
--    option: automount-open
--    value: "false"
--    create: yes
--
--- name: "Prevent user modification of GNOME3 Automounting - automount-open"
--  lineinfile:
--    path: /etc/dconf/db/local.d/locks/00-security-settings-lock
--    regexp: '^/org/gnome/desktop/media-handling/automount-open'
--    line: '/org/gnome/desktop/media-handling/automount-open'
--    create: yes
--
--- name: "Disable GNOME3 Automounting - autorun-never"
--  ini_file:
--    dest: /etc/dconf/db/local.d/00-security-settings
--    section: org/gnome/desktop/media-handling
--    option: autorun-never
--    value: "true"
--    create: yes
--
--- name: "Prevent user modification of GNOME3 Automounting - autorun-never"
--  lineinfile:
--    path: /etc/dconf/db/local.d/locks/00-security-settings-lock
--    regexp: '^/org/gnome/desktop/media-handling/autorun-never'
--    line: '/org/gnome/desktop/media-handling/autorun-never'
--    create: yes
--
-diff --git a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/bash/shared.sh b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/bash/shared.sh
-index aa7c692c87..5a52153613 100644
---- a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/bash/shared.sh
-+++ b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/bash/shared.sh
-@@ -2,8 +2,4 @@
- 
- 
- {{{ bash_dconf_settings("org/gnome/desktop/media-handling", "automount", "false", "local.d", "00-security-settings") }}}
--{{{ bash_dconf_settings("org/gnome/desktop/media-handling", "automount-open", "false", "local.d", "00-security-settings") }}}
--{{{ bash_dconf_settings("org/gnome/desktop/media-handling", "autorun-never", "true", "local.d", "00-security-settings") }}}
- {{{ bash_dconf_lock("org/gnome/desktop/media-handling", "automount", "local.d", "00-security-settings-lock") }}}
--{{{ bash_dconf_lock("org/gnome/desktop/media-handling", "automount-open", "local.d", "00-security-settings-lock") }}}
--{{{ bash_dconf_lock("org/gnome/desktop/media-handling", "autorun-never", "local.d", "00-security-settings-lock") }}}
-diff --git a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/oval/shared.xml b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/oval/shared.xml
-index fb359a2278..c05b1d8e1b 100644
---- a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/oval/shared.xml
-+++ b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/oval/shared.xml
-@@ -1,19 +1,15 @@
- <def-group>
--  <definition class="compliance" id="dconf_gnome_disable_automount" version="1">
-+  <definition class="compliance" id="dconf_gnome_disable_automount" version="2">
-     {{{ oval_metadata("The system's default desktop environment, GNOME3, will mount
-       devices and removable media (such as DVDs, CDs and USB flash drives)
-       whenever they are inserted into the system. Disable automount and autorun
-       within GNOME3.") }}}
-     <criteria operator="OR">
-       <extend_definition comment="dconf installed" definition_ref="package_dconf_installed" negate="true" />
--      <criteria comment="Disable GNOME3 automount/autorun and prevent user from changing it" operator="AND">
-+      <criteria comment="Disable GNOME3 automount and prevent user from changing it" operator="AND">
-         <extend_definition comment="dconf user profile exists" definition_ref="enable_dconf_user_profile" />
-         <criterion comment="Disable automount in GNOME3" test_ref="test_dconf_gnome_disable_automount" />
--        <criterion comment="Disable automount-open in GNOME3" test_ref="test_dconf_gnome_disable_automount_open" />
--        <criterion comment="Disable autorun in GNOME3" test_ref="test_dconf_gnome_disable_autorun" />
-         <criterion comment="Prevent user from changing automount setting" test_ref="test_prevent_user_gnome_automount" />
--        <criterion comment="Prevent user from changing automount-open setting" test_ref="test_prevent_user_gnome_automount_open" />
--        <criterion comment="Prevent user from changing autorun setting" test_ref="test_prevent_user_gnome_autorun" />
-       </criteria>
-     </criteria>
-   </definition>
-@@ -43,56 +39,4 @@
-     <ind:pattern operation="pattern match">^/org/gnome/desktop/media-handling/automount$</ind:pattern>
-     <ind:instance datatype="int">1</ind:instance>
-   </ind:textfilecontent54_object>
--
--  <ind:textfilecontent54_test check="all" check_existence="all_exist"
--  comment="Disable automount-open in GNOME"
--  id="test_dconf_gnome_disable_automount_open" version="1">
--    <ind:object object_ref="obj_dconf_gnome_disable_automount_open" />
--  </ind:textfilecontent54_test>
--  <ind:textfilecontent54_object id="obj_dconf_gnome_disable_automount_open"
--  version="1">
--    <ind:path>/etc/dconf/db/local.d/</ind:path>
--    <ind:filename operation="pattern match">^.*$</ind:filename>
--    <ind:pattern operation="pattern match">^\[org/gnome/desktop/media-handling]([^\n]*\n+)+?automount-open=false$</ind:pattern>
--    <ind:instance datatype="int">1</ind:instance>
--  </ind:textfilecontent54_object>
--
--  <ind:textfilecontent54_test check="all" check_existence="all_exist"
--  comment="Prevent user from changing automount-open setting"
--  id="test_prevent_user_gnome_automount_open" version="1">
--    <ind:object object_ref="obj_prevent_user_gnome_automount_open" />
--  </ind:textfilecontent54_test>
--  <ind:textfilecontent54_object id="obj_prevent_user_gnome_automount_open"
--  version="1">
--    <ind:path>/etc/dconf/db/local.d/locks/</ind:path>
--    <ind:filename operation="pattern match">^.*$</ind:filename>
--    <ind:pattern operation="pattern match">^/org/gnome/desktop/media-handling/automount-open$</ind:pattern>
--    <ind:instance datatype="int">1</ind:instance>
--  </ind:textfilecontent54_object>
--
--  <ind:textfilecontent54_test check="all" check_existence="all_exist"
--  comment="Disable autorun in GNOME"
--  id="test_dconf_gnome_disable_autorun" version="1">
--    <ind:object object_ref="obj_dconf_gnome_disable_autorun" />
--  </ind:textfilecontent54_test>
--  <ind:textfilecontent54_object id="obj_dconf_gnome_disable_autorun"
--  version="1">
--    <ind:path>/etc/dconf/db/local.d/</ind:path>
--    <ind:filename operation="pattern match">^.*$</ind:filename>
--    <ind:pattern operation="pattern match">^\[org/gnome/desktop/media-handling]([^\n]*\n+)+?autorun-never=true$</ind:pattern>
--    <ind:instance datatype="int">1</ind:instance>
--  </ind:textfilecontent54_object>
--
--  <ind:textfilecontent54_test check="all" check_existence="all_exist"
--  comment="Prevent user from changing autorun setting"
--  id="test_prevent_user_gnome_autorun" version="1">
--    <ind:object object_ref="obj_prevent_user_gnome_autorun" />
--  </ind:textfilecontent54_test>
--  <ind:textfilecontent54_object id="obj_prevent_user_gnome_autorun"
--  version="1">
--    <ind:path>/etc/dconf/db/local.d/locks/</ind:path>
--    <ind:filename operation="pattern match">^.*$</ind:filename>
--    <ind:pattern operation="pattern match">^/org/gnome/desktop/media-handling/autorun-never$</ind:pattern>
--    <ind:instance datatype="int">1</ind:instance>
--  </ind:textfilecontent54_object>
- </def-group>
-diff --git a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/rule.yml b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/rule.yml
-index 551f6cacdf..b7e7192bc0 100644
---- a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/rule.yml
-+++ b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/rule.yml
-@@ -7,20 +7,15 @@ title: 'Disable GNOME3 Automounting'
- description: |-
-     The system's default desktop environment, GNOME3, will mount
-     devices and removable media (such as DVDs, CDs and USB flash drives) whenever
--    they are inserted into the system. To disable automount and autorun within GNOME3, add or set
--    <tt>automount</tt> to <tt>false</tt>, <tt>automount-open</tt> to <tt>false</tt>, and
--    <tt>autorun-never</tt> to <tt>true</tt> in <tt>/etc/dconf/db/local.d/00-security-settings</tt>.
-+    they are inserted into the system. To disable automount within GNOME3, add or set
-+    <tt>automount</tt> to <tt>false</tt> in <tt>/etc/dconf/db/local.d/00-security-settings</tt>.
-     For example:
-     <pre>[org/gnome/desktop/media-handling]
--    automount=false
--    automount-open=false
--    autorun-never=true</pre>
-+    automount=false</pre>
-     Once the settings have been added, add a lock to
-     <tt>/etc/dconf/db/local.d/locks/00-security-settings-lock</tt> to prevent user modification.
-     For example:
--    <pre>/org/gnome/desktop/media-handling/automount
--    /org/gnome/desktop/media-handling/automount-open
--    /org/gnome/desktop/media-handling/autorun-never</pre>
-+    <pre>/org/gnome/desktop/media-handling/automount</pre>
-     After the settings have been set, run <tt>dconf update</tt>.
- 
- rationale: |-
-@@ -48,16 +43,10 @@ ocil_clause: 'GNOME automounting is not disabled'
- 
- ocil: |-
-     These settings can be verified by running the following:
--    <pre>$ gsettings get org.gnome.desktop.media-handling automount
--    $ gsettings get org.gnome.desktop.media-handling automount-open
--    $ gsettings get org.gnome.desktop.media-handling autorun-never</pre>
-+    <pre>$ gsettings get org.gnome.desktop.media-handling automount</pre>
-     If properly configured, the output for <tt>automount</tt> should be <tt>false</tt>.
--    If properly configured, the output for <tt>automount-open</tt>should be <tt>false</tt>.
--    If properly configured, the output for <tt>autorun-never</tt> should be <tt>true</tt>.
--    To ensure that users cannot enable automount and autorun in GNOME3, run the following:
--    <pre>$ grep 'automount\|autorun' /etc/dconf/db/local.d/locks/*</pre>
-+    To ensure that users cannot enable automount in GNOME3, run the following:
-+    <pre>$ grep 'automount' /etc/dconf/db/local.d/locks/*</pre>
-     If properly configured, the output for <tt>automount</tt> should be <tt>/org/gnome/desktop/media-handling/automount</tt>
--    If properly configured, the output for <tt>automount-open</tt> should be <tt>/org/gnome/desktop/media-handling/auto-open</tt>
--    If properly configured, the output for <tt>autorun-never</tt> should be <tt>/org/gnome/desktop/media-handling/autorun-never</tt>
- 
- platform: machine
-diff --git a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/tests/correct_value.pass.sh b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/tests/correct_value.pass.sh
-new file mode 100644
-index 0000000000..685f5925c5
---- /dev/null
-+++ b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/tests/correct_value.pass.sh
-@@ -0,0 +1,11 @@
-+#!/bin/bash
-+# profiles = xccdf_org.ssgproject.content_profile_stig
-+
-+. $SHARED/dconf_test_functions.sh
-+
-+yum -y install dconf
-+clean_dconf_settings
-+
-+add_dconf_setting "org/gnome/desktop/media-handling" "automount" "false" "local.d" "00-security-settings"
-+add_dconf_lock "org/gnome/desktop/media-handling" "automount" "local.d" "00-security-settings"
-+
-diff --git a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/ansible/shared.yml b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/ansible/shared.yml
-new file mode 100644
-index 0000000000..680d148347
---- /dev/null
-+++ b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/ansible/shared.yml
-@@ -0,0 +1,19 @@
-+# platform = multi_platform_rhel,multi_platform_fedora
-+# reboot = false
-+# strategy = unknown
-+# complexity = low
-+# disruption = medium
-+- name: "Disable GNOME3 Automounting - automount-open"
-+  ini_file:
-+    dest: /etc/dconf/db/local.d/00-security-settings
-+    section: org/gnome/desktop/media-handling
-+    option: automount-open
-+    value: "false"
-+    create: yes
-+
-+- name: "Prevent user modification of GNOME3 Automounting - automount-open"
-+  lineinfile:
-+    path: /etc/dconf/db/local.d/locks/00-security-settings-lock
-+    regexp: '^/org/gnome/desktop/media-handling/automount-open'
-+    line: '/org/gnome/desktop/media-handling/automount-open'
-+    create: yes
-diff --git a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/bash/shared.sh b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/bash/shared.sh
-new file mode 100644
-index 0000000000..7a1497507b
---- /dev/null
-+++ b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/bash/shared.sh
-@@ -0,0 +1,5 @@
-+# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,multi_platform_fedora
-+
-+
-+{{{ bash_dconf_settings("org/gnome/desktop/media-handling", "automount-open", "false", "local.d", "00-security-settings") }}}
-+{{{ bash_dconf_lock("org/gnome/desktop/media-handling", "automount-open", "local.d", "00-security-settings-lock") }}}
-diff --git a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/oval/shared.xml b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/oval/shared.xml
-new file mode 100644
-index 0000000000..84264fa8f4
---- /dev/null
-+++ b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/oval/shared.xml
-@@ -0,0 +1,50 @@
-+<def-group>
-+  <definition class="compliance" id="dconf_gnome_disable_automount_open" version="1">
-+    <metadata>
-+      <title>Disable GNOME3 automount-open</title>
-+      <affected family="unix">
-+        <platform>Red Hat Enterprise Linux 7</platform>
-+        <platform>Red Hat Enterprise Linux 8</platform>
-+        <platform>multi_platform_fedora</platform>
-+      </affected>
-+      <description>The system's default desktop environment, GNOME3, will mount
-+      devices and removable media (such as DVDs, CDs and USB flash drives)
-+      whenever they are inserted into the system. Disable automount-open
-+      within GNOME3.</description>
-+    </metadata>
-+    <criteria operator="OR">
-+      <extend_definition comment="dconf installed" definition_ref="package_dconf_installed" negate="true" />
-+      <criteria comment="Disable GNOME3 automount/autorun and prevent user from changing it" operator="AND">
-+        <extend_definition comment="dconf user profile exists" definition_ref="enable_dconf_user_profile" />
-+        <criterion comment="Disable automount-open in GNOME3" test_ref="test_dconf_gnome_disable_automount_open" />
-+        <criterion comment="Prevent user from changing automount-open setting" test_ref="test_prevent_user_gnome_automount_open" />
-+      </criteria>
-+    </criteria>
-+  </definition>
-+
-+  <ind:textfilecontent54_test check="all" check_existence="all_exist"
-+  comment="Disable automount-open in GNOME"
-+  id="test_dconf_gnome_disable_automount_open" version="1">
-+    <ind:object object_ref="obj_dconf_gnome_disable_automount_open" />
-+  </ind:textfilecontent54_test>
-+  <ind:textfilecontent54_object id="obj_dconf_gnome_disable_automount_open"
-+  version="1">
-+    <ind:path>/etc/dconf/db/local.d/</ind:path>
-+    <ind:filename operation="pattern match">^.*$</ind:filename>
-+    <ind:pattern operation="pattern match">^\[org/gnome/desktop/media-handling]([^\n]*\n+)+?automount-open=false$</ind:pattern>
-+    <ind:instance datatype="int">1</ind:instance>
-+  </ind:textfilecontent54_object>
-+
-+  <ind:textfilecontent54_test check="all" check_existence="all_exist"
-+  comment="Prevent user from changing automount-open setting"
-+  id="test_prevent_user_gnome_automount_open" version="1">
-+    <ind:object object_ref="obj_prevent_user_gnome_automount_open" />
-+  </ind:textfilecontent54_test>
-+  <ind:textfilecontent54_object id="obj_prevent_user_gnome_automount_open"
-+  version="1">
-+    <ind:path>/etc/dconf/db/local.d/locks/</ind:path>
-+    <ind:filename operation="pattern match">^.*$</ind:filename>
-+    <ind:pattern operation="pattern match">^/org/gnome/desktop/media-handling/automount-open$</ind:pattern>
-+    <ind:instance datatype="int">1</ind:instance>
-+  </ind:textfilecontent54_object>
-+</def-group>
-diff --git a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/rule.yml b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/rule.yml
-new file mode 100644
-index 0000000000..07ce263102
---- /dev/null
-+++ b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/rule.yml
-@@ -0,0 +1,57 @@
-+documentation_complete: true
-+
-+prodtype: fedora,rhel7,rhel8
-+
-+title: 'Disable GNOME3 Automount Opening'
-+
-+description: |-
-+    The system's default desktop environment, GNOME3, will mount
-+    devices and removable media (such as DVDs, CDs and USB flash drives) whenever
-+    they are inserted into the system. To disable automount-open within GNOME3, add or set
-+    <tt>automount-open</tt> to <tt>false</tt> in <tt>/etc/dconf/db/local.d/00-security-settings</tt>.
-+    For example:
-+    <pre>[org/gnome/desktop/media-handling]
-+    automount-open=false</pre>
-+    Once the settings have been added, add a lock to
-+    <tt>/etc/dconf/db/local.d/locks/00-security-settings-lock</tt> to prevent user modification.
-+    For example:
-+    <pre>/org/gnome/desktop/media-handling/automount-open</pre>
-+    After the settings have been set, run <tt>dconf update</tt>.
-+
-+rationale: |-
-+    Disabling automatic mounting in GNOME3 can prevent
-+    the introduction of malware via removable media.
-+    It will, however, also prevent desktop users from legitimate use
-+    of removable media.
-+
-+severity: medium
-+
-+identifiers:
-+    cce@rhel7: CCE-83692-4
-+    cce@rhel8: CCE-83693-2
-+
-+references:
-+    cui: 3.1.7
-+    nist: CM-7(a),CM-7(b),CM-6(a)
-+    nist-csf: PR.AC-3,PR.AC-6
-+    isa-62443-2013: 'SR 1.1,SR 1.13,SR 1.2,SR 1.4,SR 1.5,SR 1.9,SR 2.1,SR 2.6'
-+    isa-62443-2009: 4.3.3.2.2,4.3.3.5.2,4.3.3.6.6,4.3.3.7.2,4.3.3.7.4
-+    cobit5: APO13.01,DSS01.04,DSS05.03,DSS05.04,DSS05.05,DSS05.07,DSS06.03
-+    iso27001-2013: A.11.2.6,A.13.1.1,A.13.2.1,A.6.2.1,A.6.2.2,A.7.1.1,A.9.2.1
-+    cis-csc: 12,16
-+    stig@rhel7: RHEL-07-020111
-+    disa: CCI-001958
-+    srg: SRG-OS-000114-GPOS-00059,SRG-OS-000378-GPOS-00163,SRG-OS-000480-GPOS-00227
-+
-+
-+ocil_clause: 'GNOME automounting is not disabled'
-+
-+ocil: |-
-+    These settings can be verified by running the following:
-+    <pre>$ gsettings get org.gnome.desktop.media-handling automount-open</pre>
-+    If properly configured, the output for <tt>automount-open</tt>should be <tt>false</tt>.
-+    To ensure that users cannot enable automount opening in GNOME3, run the following:
-+    <pre>$ grep 'automount-open' /etc/dconf/db/local.d/locks/*</pre>
-+    If properly configured, the output for <tt>automount-open</tt> should be <tt>/org/gnome/desktop/media-handling/automount-open</tt>
-+
-+platform: machine
-diff --git a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/tests/correct_value.pass.sh b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/tests/correct_value.pass.sh
-new file mode 100644
-index 0000000000..b9995bf679
---- /dev/null
-+++ b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/tests/correct_value.pass.sh
-@@ -0,0 +1,12 @@
-+#!/bin/bash
-+# profiles = xccdf_org.ssgproject.content_profile_stig
-+
-+. $SHARED/dconf_test_functions.sh
-+
-+yum -y install dconf
-+clean_dconf_settings
-+
-+add_dconf_setting "org/gnome/desktop/media-handling" "automount-open" "false" "local.d" "00-security-settings"
-+add_dconf_lock "org/gnome/desktop/media-handling" "automount-open" "local.d" "00-security-settings"
-+
-+
-diff --git a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/tests/wrong_value.fail.sh b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/tests/wrong_value.fail.sh
-new file mode 100644
-index 0000000000..33a439cbb6
---- /dev/null
-+++ b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/tests/wrong_value.fail.sh
-@@ -0,0 +1,7 @@
-+#!/bin/bash
-+# profiles = xccdf_org.ssgproject.content_profile_stig
-+
-+. $SHARED/dconf_test_functions.sh
-+
-+yum -y install dconf
-+clean_dconf_settings
-diff --git a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/ansible/shared.yml b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/ansible/shared.yml
-new file mode 100644
-index 0000000000..036246e3be
---- /dev/null
-+++ b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/ansible/shared.yml
-@@ -0,0 +1,20 @@
-+# platform = multi_platform_rhel,multi_platform_fedora
-+# reboot = false
-+# strategy = unknown
-+# complexity = low
-+# disruption = medium
-+- name: "Disable GNOME3 Automounting - autorun-never"
-+  ini_file:
-+    dest: /etc/dconf/db/local.d/00-security-settings
-+    section: org/gnome/desktop/media-handling
-+    option: autorun-never
-+    value: "true"
-+    create: yes
-+
-+- name: "Prevent user modification of GNOME3 Automounting - autorun-never"
-+  lineinfile:
-+    path: /etc/dconf/db/local.d/locks/00-security-settings-lock
-+    regexp: '^/org/gnome/desktop/media-handling/autorun-never'
-+    line: '/org/gnome/desktop/media-handling/autorun-never'
-+    create: yes
-+
-diff --git a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/bash/shared.sh b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/bash/shared.sh
-new file mode 100644
-index 0000000000..4c3bcb9547
---- /dev/null
-+++ b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/bash/shared.sh
-@@ -0,0 +1,5 @@
-+# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,multi_platform_fedora
-+
-+
-+{{{ bash_dconf_settings("org/gnome/desktop/media-handling", "autorun-never", "true", "local.d", "00-security-settings") }}}
-+{{{ bash_dconf_lock("org/gnome/desktop/media-handling", "autorun-never", "local.d", "00-security-settings-lock") }}}
-diff --git a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/oval/shared.xml b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/oval/shared.xml
-new file mode 100644
-index 0000000000..4c9840c644
---- /dev/null
-+++ b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/oval/shared.xml
-@@ -0,0 +1,50 @@
-+<def-group>
-+  <definition class="compliance" id="dconf_gnome_disable_autorun" version="1">
-+    <metadata>
-+      <title>Disable GNOME3 Automounting</title>
-+      <affected family="unix">
-+        <platform>Red Hat Enterprise Linux 7</platform>
-+        <platform>Red Hat Enterprise Linux 8</platform>
-+        <platform>multi_platform_fedora</platform>
-+      </affected>
-+      <description>The system's default desktop environment, GNOME3, will mount
-+      devices and removable media (such as DVDs, CDs and USB flash drives)
-+      whenever they are inserted into the system. Disable automount and autorun
-+      within GNOME3.</description>
-+    </metadata>
-+    <criteria operator="OR">
-+      <extend_definition comment="dconf installed" definition_ref="package_dconf_installed" negate="true" />
-+      <criteria comment="Disable GNOME3 automount/autorun and prevent user from changing it" operator="AND">
-+        <extend_definition comment="dconf user profile exists" definition_ref="enable_dconf_user_profile" />
-+        <criterion comment="Disable autorun in GNOME3" test_ref="test_dconf_gnome_disable_autorun" />
-+        <criterion comment="Prevent user from changing autorun setting" test_ref="test_prevent_user_gnome_autorun" />
-+      </criteria>
-+    </criteria>
-+  </definition>
-+
-+  <ind:textfilecontent54_test check="all" check_existence="all_exist"
-+  comment="Disable autorun in GNOME"
-+  id="test_dconf_gnome_disable_autorun" version="1">
-+    <ind:object object_ref="obj_dconf_gnome_disable_autorun" />
-+  </ind:textfilecontent54_test>
-+  <ind:textfilecontent54_object id="obj_dconf_gnome_disable_autorun"
-+  version="1">
-+    <ind:path>/etc/dconf/db/local.d/</ind:path>
-+    <ind:filename operation="pattern match">^.*$</ind:filename>
-+    <ind:pattern operation="pattern match">^\[org/gnome/desktop/media-handling]([^\n]*\n+)+?autorun-never=true$</ind:pattern>
-+    <ind:instance datatype="int">1</ind:instance>
-+  </ind:textfilecontent54_object>
-+
-+  <ind:textfilecontent54_test check="all" check_existence="all_exist"
-+  comment="Prevent user from changing autorun setting"
-+  id="test_prevent_user_gnome_autorun" version="1">
-+    <ind:object object_ref="obj_prevent_user_gnome_autorun" />
-+  </ind:textfilecontent54_test>
-+  <ind:textfilecontent54_object id="obj_prevent_user_gnome_autorun"
-+  version="1">
-+    <ind:path>/etc/dconf/db/local.d/locks/</ind:path>
-+    <ind:filename operation="pattern match">^.*$</ind:filename>
-+    <ind:pattern operation="pattern match">^/org/gnome/desktop/media-handling/autorun-never$</ind:pattern>
-+    <ind:instance datatype="int">1</ind:instance>
-+  </ind:textfilecontent54_object>
-+</def-group>
-diff --git a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/rule.yml b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/rule.yml
-new file mode 100644
-index 0000000000..92fa209fb5
---- /dev/null
-+++ b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/rule.yml
-@@ -0,0 +1,57 @@
-+documentation_complete: true
-+
-+prodtype: fedora,rhel7,rhel8
-+
-+title: 'Disable GNOME3 Automount running'
-+
-+description: |-
-+    The system's default desktop environment, GNOME3, will mount
-+    devices and removable media (such as DVDs, CDs and USB flash drives) whenever
-+    they are inserted into the system. To disable autorun-never within GNOME3, add or set
-+    <tt>autorun-never</tt> to <tt>true</tt> in <tt>/etc/dconf/db/local.d/00-security-settings</tt>.
-+    For example:
-+    <pre>[org/gnome/desktop/media-handling]
-+    autorun-never=true</pre>
-+    Once the settings have been added, add a lock to
-+    <tt>/etc/dconf/db/local.d/locks/00-security-settings-lock</tt> to prevent user modification.
-+    For example:
-+    <pre>/org/gnome/desktop/media-handling/autorun-never</pre>
-+    After the settings have been set, run <tt>dconf update</tt>.
-+
-+rationale: |-
-+    Disabling automatic mount running in GNOME3 can prevent
-+    the introduction of malware via removable media.
-+    It will, however, also prevent desktop users from legitimate use
-+    of removable media.
-+
-+severity: medium
-+
-+identifiers:
-+    cce@rhel7: CCE-83741-9
-+    cce@rhel8: CCE-83742-7
-+
-+references:
-+    cui: 3.1.7
-+    nist: CM-7(a),CM-7(b),CM-6(a)
-+    nist-csf: PR.AC-3,PR.AC-6
-+    isa-62443-2013: 'SR 1.1,SR 1.13,SR 1.2,SR 1.4,SR 1.5,SR 1.9,SR 2.1,SR 2.6'
-+    isa-62443-2009: 4.3.3.2.2,4.3.3.5.2,4.3.3.6.6,4.3.3.7.2,4.3.3.7.4
-+    cobit5: APO13.01,DSS01.04,DSS05.03,DSS05.04,DSS05.05,DSS05.07,DSS06.03
-+    iso27001-2013: A.11.2.6,A.13.1.1,A.13.2.1,A.6.2.1,A.6.2.2,A.7.1.1,A.9.2.1
-+    cis-csc: 12,16
-+    stig@rhel7: RHEL-07-020111
-+    disa: CCI-001958
-+    srg: SRG-OS-000114-GPOS-00059,SRG-OS-000378-GPOS-00163,SRG-OS-000480-GPOS-00227
-+
-+
-+ocil_clause: 'GNOME autorun is not disabled'
-+
-+ocil: |-
-+    These settings can be verified by running the following:
-+    <pre>$ gsettings get org.gnome.desktop.media-handling autorun-never</pre>
-+    If properly configured, the output for <tt>autorun-never</tt>should be <tt>true</tt>.
-+    To ensure that users cannot enable autorun in GNOME3, run the following:
-+    <pre>$ grep 'autorun-never' /etc/dconf/db/local.d/locks/*</pre>
-+    If properly configured, the output for <tt>autorun-never</tt> should be <tt>/org/gnome/desktop/media-handling/autorun-never</tt>
-+
-+platform: machine
-diff --git a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/tests/correct_value.pass.sh b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/tests/correct_value.pass.sh
-new file mode 100644
-index 0000000000..8688fc864a
---- /dev/null
-+++ b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/tests/correct_value.pass.sh
-@@ -0,0 +1,10 @@
-+#!/bin/bash
-+# profiles = xccdf_org.ssgproject.content_profile_stig
-+
-+. $SHARED/dconf_test_functions.sh
-+
-+yum -y install dconf
-+clean_dconf_settings
-+
-+add_dconf_setting "org/gnome/desktop/media-handling" "autorun-never" "true" "local.d" "00-security-settings"
-+add_dconf_lock "org/gnome/desktop/media-handling" "autorun-never" "local.d" "00-security-settings"
-diff --git a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/tests/wrong_value.fail.sh b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/tests/wrong_value.fail.sh
-new file mode 100644
-index 0000000000..33a439cbb6
---- /dev/null
-+++ b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/tests/wrong_value.fail.sh
-@@ -0,0 +1,7 @@
-+#!/bin/bash
-+# profiles = xccdf_org.ssgproject.content_profile_stig
-+
-+. $SHARED/dconf_test_functions.sh
-+
-+yum -y install dconf
-+clean_dconf_settings
-diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
-index c012e605a9..6c0ea9893b 100644
---- a/shared/references/cce-redhat-avail.txt
-+++ b/shared/references/cce-redhat-avail.txt
-@@ -293,8 +293,6 @@ CCE-83688-2
- CCE-83689-0
- CCE-83690-8
- CCE-83691-6
--CCE-83692-4
--CCE-83693-2
- CCE-83694-0
- CCE-83695-7
- CCE-83696-5
-@@ -333,8 +331,6 @@ CCE-83735-1
- CCE-83736-9
- CCE-83739-3
- CCE-83740-1
--CCE-83741-9
--CCE-83742-7
- CCE-83743-5
- CCE-83744-3
- CCE-83745-0
-
-From cfdaf607bcc61551032a9b2a48d4ea68c15775a9 Mon Sep 17 00:00:00 2001
-From: Gabriel Becker <ggasparb@redhat.com>
-Date: Thu, 6 Aug 2020 15:54:22 +0200
-Subject: [PATCH 2/8] Update RHEL7 STIG profile with new rules.
-
-- dconf_gnome_disable_automount_open
-- dconf_gnome_disable_autorun
----
- rhel7/profiles/stig.profile | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/rhel7/profiles/stig.profile b/rhel7/profiles/stig.profile
-index f9f3e94e2a..0d723117a5 100644
---- a/rhel7/profiles/stig.profile
-+++ b/rhel7/profiles/stig.profile
-@@ -77,6 +77,9 @@ selections:
-     - dconf_gnome_screensaver_idle_activation_locked
-     - dconf_gnome_screensaver_lock_delay
-     - dconf_gnome_disable_ctrlaltdel_reboot
-+    - dconf_gnome_disable_automount
-+    - dconf_gnome_disable_automount_open
-+    - dconf_gnome_disable_autorun
-     - accounts_password_pam_ucredit
-     - accounts_password_pam_lcredit
-     - accounts_password_pam_dcredit
-
-From 52d1ac84f72e071a1de46a940d3a4e4cf52d807d Mon Sep 17 00:00:00 2001
-From: Gabriel Becker <ggasparb@redhat.com>
-Date: Thu, 6 Aug 2020 15:55:25 +0200
-Subject: [PATCH 3/8] Update RHEL7 NCP profile with new rules.
-
-- dconf_gnome_disable_automount_open
-- dconf_gnome_disable_autorun
----
- rhel7/profiles/ncp.profile | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/rhel7/profiles/ncp.profile b/rhel7/profiles/ncp.profile
-index 7de1c7bb42..cf1ccc4612 100644
---- a/rhel7/profiles/ncp.profile
-+++ b/rhel7/profiles/ncp.profile
-@@ -317,6 +317,8 @@ selections:
-     - dconf_db_up_to_date
-     - dconf_gnome_banner_enabled
-     - dconf_gnome_disable_automount
-+    - dconf_gnome_disable_automount_open
-+    - dconf_gnome_disable_autorun
-     - dconf_gnome_disable_ctrlaltdel_reboot
-     - dconf_gnome_disable_geolocation
-     - dconf_gnome_disable_restart_shutdown
-
-From 929054cec387203c53c3e3df166b09e6aa02023b Mon Sep 17 00:00:00 2001
-From: Gabriel Becker <ggasparb@redhat.com>
-Date: Tue, 18 Aug 2020 16:44:29 +0200
-Subject: [PATCH 4/8] Use bash function to install required testing packages.
-
-dconf and gdm packages are required make checks applicable.
----
- .../tests/correct_value.pass.sh                            | 2 +-
- .../tests/wrong_value.fail.sh                              | 7 +++++++
- .../tests/correct_value.pass.sh                            | 2 +-
- .../tests/wrong_value.fail.sh                              | 2 +-
- .../tests/correct_value.pass.sh                            | 2 +-
- .../dconf_gnome_disable_autorun/tests/wrong_value.fail.sh  | 2 +-
- 6 files changed, 12 insertions(+), 5 deletions(-)
- create mode 100644 linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/tests/wrong_value.fail.sh
-
-diff --git a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/tests/correct_value.pass.sh b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/tests/correct_value.pass.sh
-index 685f5925c5..6aeeeee8ee 100644
---- a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/tests/correct_value.pass.sh
-+++ b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/tests/correct_value.pass.sh
-@@ -3,7 +3,7 @@
- 
- . $SHARED/dconf_test_functions.sh
- 
--yum -y install dconf
-+install_dconf_and_gdm_if_needed
- clean_dconf_settings
- 
- add_dconf_setting "org/gnome/desktop/media-handling" "automount" "false" "local.d" "00-security-settings"
-diff --git a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/tests/wrong_value.fail.sh b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/tests/wrong_value.fail.sh
-new file mode 100644
-index 0000000000..35c6e417ad
---- /dev/null
-+++ b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/tests/wrong_value.fail.sh
-@@ -0,0 +1,7 @@
-+#!/bin/bash
-+# profiles = xccdf_org.ssgproject.content_profile_stig
-+
-+. $SHARED/dconf_test_functions.sh
-+
-+install_dconf_and_gdm_if_needed
-+clean_dconf_settings
-diff --git a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/tests/correct_value.pass.sh b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/tests/correct_value.pass.sh
-index b9995bf679..77c49a861b 100644
---- a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/tests/correct_value.pass.sh
-+++ b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/tests/correct_value.pass.sh
-@@ -3,7 +3,7 @@
- 
- . $SHARED/dconf_test_functions.sh
- 
--yum -y install dconf
-+install_dconf_and_gdm_if_needed
- clean_dconf_settings
- 
- add_dconf_setting "org/gnome/desktop/media-handling" "automount-open" "false" "local.d" "00-security-settings"
-diff --git a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/tests/wrong_value.fail.sh b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/tests/wrong_value.fail.sh
-index 33a439cbb6..35c6e417ad 100644
---- a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/tests/wrong_value.fail.sh
-+++ b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/tests/wrong_value.fail.sh
-@@ -3,5 +3,5 @@
- 
- . $SHARED/dconf_test_functions.sh
- 
--yum -y install dconf
-+install_dconf_and_gdm_if_needed
- clean_dconf_settings
-diff --git a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/tests/correct_value.pass.sh b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/tests/correct_value.pass.sh
-index 8688fc864a..0c30c00a3d 100644
---- a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/tests/correct_value.pass.sh
-+++ b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/tests/correct_value.pass.sh
-@@ -3,7 +3,7 @@
- 
- . $SHARED/dconf_test_functions.sh
- 
--yum -y install dconf
-+install_dconf_and_gdm_if_needed
- clean_dconf_settings
- 
- add_dconf_setting "org/gnome/desktop/media-handling" "autorun-never" "true" "local.d" "00-security-settings"
-diff --git a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/tests/wrong_value.fail.sh b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/tests/wrong_value.fail.sh
-index 33a439cbb6..35c6e417ad 100644
---- a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/tests/wrong_value.fail.sh
-+++ b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/tests/wrong_value.fail.sh
-@@ -3,5 +3,5 @@
- 
- . $SHARED/dconf_test_functions.sh
- 
--yum -y install dconf
-+install_dconf_and_gdm_if_needed
- clean_dconf_settings
-
-From 8eccb4a33a38043224e3ef7d6b591fcaa7c0a8c5 Mon Sep 17 00:00:00 2001
-From: Gabriel Becker <ggasparb@redhat.com>
-Date: Mon, 21 Sep 2020 16:25:41 +0200
-Subject: [PATCH 5/8] Escape bracket character in dconf automount rules
- regexes.
-
----
- .../dconf_gnome_disable_automount/oval/shared.xml               | 2 +-
- .../dconf_gnome_disable_automount_open/oval/shared.xml          | 2 +-
- .../dconf_gnome_disable_autorun/oval/shared.xml                 | 2 +-
- 3 files changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/oval/shared.xml b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/oval/shared.xml
-index c05b1d8e1b..8024311b23 100644
---- a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/oval/shared.xml
-+++ b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/oval/shared.xml
-@@ -23,7 +23,7 @@
-   version="1">
-     <ind:path>/etc/dconf/db/local.d/</ind:path>
-     <ind:filename operation="pattern match">^.*$</ind:filename>
--    <ind:pattern operation="pattern match">^\[org/gnome/desktop/media-handling]([^\n]*\n+)+?automount=false$</ind:pattern>
-+    <ind:pattern operation="pattern match">^\[org/gnome/desktop/media-handling\]([^\n]*\n+)+?automount=false$</ind:pattern>
-     <ind:instance datatype="int">1</ind:instance>
-   </ind:textfilecontent54_object>
- 
-diff --git a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/oval/shared.xml b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/oval/shared.xml
-index 84264fa8f4..3230efca62 100644
---- a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/oval/shared.xml
-+++ b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/oval/shared.xml
-@@ -31,7 +31,7 @@
-   version="1">
-     <ind:path>/etc/dconf/db/local.d/</ind:path>
-     <ind:filename operation="pattern match">^.*$</ind:filename>
--    <ind:pattern operation="pattern match">^\[org/gnome/desktop/media-handling]([^\n]*\n+)+?automount-open=false$</ind:pattern>
-+    <ind:pattern operation="pattern match">^\[org/gnome/desktop/media-handling\]([^\n]*\n+)+?automount-open=false$</ind:pattern>
-     <ind:instance datatype="int">1</ind:instance>
-   </ind:textfilecontent54_object>
- 
-diff --git a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/oval/shared.xml b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/oval/shared.xml
-index 4c9840c644..a7f54a7f19 100644
---- a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/oval/shared.xml
-+++ b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/oval/shared.xml
-@@ -31,7 +31,7 @@
-   version="1">
-     <ind:path>/etc/dconf/db/local.d/</ind:path>
-     <ind:filename operation="pattern match">^.*$</ind:filename>
--    <ind:pattern operation="pattern match">^\[org/gnome/desktop/media-handling]([^\n]*\n+)+?autorun-never=true$</ind:pattern>
-+    <ind:pattern operation="pattern match">^\[org/gnome/desktop/media-handling\]([^\n]*\n+)+?autorun-never=true$</ind:pattern>
-     <ind:instance datatype="int">1</ind:instance>
-   </ind:textfilecontent54_object>
- 
-
-From ff380dc7ccab82d40b0c94a782901f439c76b89a Mon Sep 17 00:00:00 2001
-From: Gabriel Becker <ggasparb@redhat.com>
-Date: Mon, 21 Sep 2020 16:49:23 +0200
-Subject: [PATCH 6/8] Use oval_metadata macro in some dconf gnome rules.
-
-Reduce boilerplate code by using jinja macro.
----
- .../oval/shared.xml                             |  3 +--
- .../oval/shared.xml                             | 15 +++------------
- .../dconf_gnome_disable_autorun/oval/shared.xml | 17 ++++-------------
- 3 files changed, 8 insertions(+), 27 deletions(-)
-
-diff --git a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/oval/shared.xml b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/oval/shared.xml
-index 8024311b23..7cc031206c 100644
---- a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/oval/shared.xml
-+++ b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/oval/shared.xml
-@@ -2,8 +2,7 @@
-   <definition class="compliance" id="dconf_gnome_disable_automount" version="2">
-     {{{ oval_metadata("The system's default desktop environment, GNOME3, will mount
-       devices and removable media (such as DVDs, CDs and USB flash drives)
--      whenever they are inserted into the system. Disable automount and autorun
--      within GNOME3.") }}}
-+      whenever they are inserted into the system. Disable automount within GNOME3.", title="Disable GNOME3 automount") }}}
-     <criteria operator="OR">
-       <extend_definition comment="dconf installed" definition_ref="package_dconf_installed" negate="true" />
-       <criteria comment="Disable GNOME3 automount and prevent user from changing it" operator="AND">
-diff --git a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/oval/shared.xml b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/oval/shared.xml
-index 3230efca62..1d2cda88ba 100644
---- a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/oval/shared.xml
-+++ b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/oval/shared.xml
-@@ -1,17 +1,8 @@
- <def-group>
-   <definition class="compliance" id="dconf_gnome_disable_automount_open" version="1">
--    <metadata>
--      <title>Disable GNOME3 automount-open</title>
--      <affected family="unix">
--        <platform>Red Hat Enterprise Linux 7</platform>
--        <platform>Red Hat Enterprise Linux 8</platform>
--        <platform>multi_platform_fedora</platform>
--      </affected>
--      <description>The system's default desktop environment, GNOME3, will mount
--      devices and removable media (such as DVDs, CDs and USB flash drives)
--      whenever they are inserted into the system. Disable automount-open
--      within GNOME3.</description>
--    </metadata>
-+    {{{ oval_metadata("The system's default desktop environment, GNOME3, will mount
-+    devices and removable media (such as DVDs, CDs and USB flash drives)
-+    whenever they are inserted into the system. Disable automount-open within GNOME3.", title="Disable GNOME3 automount-open") }}}
-     <criteria operator="OR">
-       <extend_definition comment="dconf installed" definition_ref="package_dconf_installed" negate="true" />
-       <criteria comment="Disable GNOME3 automount/autorun and prevent user from changing it" operator="AND">
-diff --git a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/oval/shared.xml b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/oval/shared.xml
-index a7f54a7f19..6299881f45 100644
---- a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/oval/shared.xml
-+++ b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/oval/shared.xml
-@@ -1,20 +1,11 @@
- <def-group>
-   <definition class="compliance" id="dconf_gnome_disable_autorun" version="1">
--    <metadata>
--      <title>Disable GNOME3 Automounting</title>
--      <affected family="unix">
--        <platform>Red Hat Enterprise Linux 7</platform>
--        <platform>Red Hat Enterprise Linux 8</platform>
--        <platform>multi_platform_fedora</platform>
--      </affected>
--      <description>The system's default desktop environment, GNOME3, will mount
--      devices and removable media (such as DVDs, CDs and USB flash drives)
--      whenever they are inserted into the system. Disable automount and autorun
--      within GNOME3.</description>
--    </metadata>
-+    {{{ oval_metadata("The system's default desktop environment, GNOME3, will mount
-+    devices and removable media (such as DVDs, CDs and USB flash drives)
-+    whenever they are inserted into the system. Disable autorun within GNOME3.", title="Disable GNOME3 autorun") }}}
-     <criteria operator="OR">
-       <extend_definition comment="dconf installed" definition_ref="package_dconf_installed" negate="true" />
--      <criteria comment="Disable GNOME3 automount/autorun and prevent user from changing it" operator="AND">
-+      <criteria comment="Disable GNOME3 autorun and prevent user from changing it" operator="AND">
-         <extend_definition comment="dconf user profile exists" definition_ref="enable_dconf_user_profile" />
-         <criterion comment="Disable autorun in GNOME3" test_ref="test_dconf_gnome_disable_autorun" />
-         <criterion comment="Prevent user from changing autorun setting" test_ref="test_prevent_user_gnome_autorun" />
-
-From 90c9b3d5e6796ec5c309af2a8b9e1d6fca1be263 Mon Sep 17 00:00:00 2001
-From: Gabriel Becker <ggasparb@redhat.com>
-Date: Mon, 21 Sep 2020 16:57:24 +0200
-Subject: [PATCH 7/8] Fix ansible remediation for dconf gnome disable mount
- rules.
-
----
- .../dconf_gnome_disable_automount/ansible/shared.yml             | 1 +
- .../dconf_gnome_disable_automount_open/ansible/shared.yml        | 1 +
- .../dconf_gnome_disable_autorun/ansible/shared.yml               | 1 +
- 3 files changed, 3 insertions(+)
-
-diff --git a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/ansible/shared.yml b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/ansible/shared.yml
-index eeb7b8f301..964ba02a4f 100644
---- a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/ansible/shared.yml
-+++ b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount/ansible/shared.yml
-@@ -10,6 +10,7 @@
-     option: automount
-     value: "false"
-     create: yes
-+    no_extra_spaces: yes
- 
- - name: "Prevent user modification of GNOME3 Automounting - automount"
-   lineinfile:
-diff --git a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/ansible/shared.yml b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/ansible/shared.yml
-index 680d148347..65a6a0784b 100644
---- a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/ansible/shared.yml
-+++ b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/ansible/shared.yml
-@@ -10,6 +10,7 @@
-     option: automount-open
-     value: "false"
-     create: yes
-+    no_extra_spaces: yes
- 
- - name: "Prevent user modification of GNOME3 Automounting - automount-open"
-   lineinfile:
-diff --git a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/ansible/shared.yml b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/ansible/shared.yml
-index 036246e3be..7f5394f13a 100644
---- a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/ansible/shared.yml
-+++ b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/ansible/shared.yml
-@@ -10,6 +10,7 @@
-     option: autorun-never
-     value: "true"
-     create: yes
-+    no_extra_spaces: yes
- 
- - name: "Prevent user modification of GNOME3 Automounting - autorun-never"
-   lineinfile:
-
-From ea3110c04b78c2d7bc3bae9977b4d4a19386e259 Mon Sep 17 00:00:00 2001
-From: Gabriel Becker <ggasparb@redhat.com>
-Date: Wed, 4 Nov 2020 09:52:08 +0100
-Subject: [PATCH 8/8] Deduplicate STIG ID in gnome automount rules.
-
----
- .../dconf_gnome_disable_automount_open/rule.yml                  | 1 -
- .../gnome_media_settings/dconf_gnome_disable_autorun/rule.yml    | 1 -
- 2 files changed, 2 deletions(-)
-
-diff --git a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/rule.yml b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/rule.yml
-index 07ce263102..f76241a48d 100644
---- a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/rule.yml
-+++ b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_automount_open/rule.yml
-@@ -39,7 +39,6 @@ references:
-     cobit5: APO13.01,DSS01.04,DSS05.03,DSS05.04,DSS05.05,DSS05.07,DSS06.03
-     iso27001-2013: A.11.2.6,A.13.1.1,A.13.2.1,A.6.2.1,A.6.2.2,A.7.1.1,A.9.2.1
-     cis-csc: 12,16
--    stig@rhel7: RHEL-07-020111
-     disa: CCI-001958
-     srg: SRG-OS-000114-GPOS-00059,SRG-OS-000378-GPOS-00163,SRG-OS-000480-GPOS-00227
- 
-diff --git a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/rule.yml b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/rule.yml
-index 92fa209fb5..943b444ceb 100644
---- a/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/rule.yml
-+++ b/linux_os/guide/system/software/gnome/gnome_media_settings/dconf_gnome_disable_autorun/rule.yml
-@@ -39,7 +39,6 @@ references:
-     cobit5: APO13.01,DSS01.04,DSS05.03,DSS05.04,DSS05.05,DSS05.07,DSS06.03
-     iso27001-2013: A.11.2.6,A.13.1.1,A.13.2.1,A.6.2.1,A.6.2.2,A.7.1.1,A.9.2.1
-     cis-csc: 12,16
--    stig@rhel7: RHEL-07-020111
-     disa: CCI-001958
-     srg: SRG-OS-000114-GPOS-00059,SRG-OS-000378-GPOS-00163,SRG-OS-000480-GPOS-00227
- 
diff --git a/SOURCES/scap-security-guide-0.1.54-update_RHEL_07_910055-PR_6430.patch b/SOURCES/scap-security-guide-0.1.54-update_RHEL_07_910055-PR_6430.patch
deleted file mode 100644
index b2092d3..0000000
--- a/SOURCES/scap-security-guide-0.1.54-update_RHEL_07_910055-PR_6430.patch
+++ /dev/null
@@ -1,90 +0,0 @@
-From 25dcc59ebea297789ee89cfe0263ec8575455da7 Mon Sep 17 00:00:00 2001
-From: Gabriel Becker <ggasparb@redhat.com>
-Date: Thu, 26 Nov 2020 15:45:10 +0100
-Subject: [PATCH 1/2] Update RHEL7 STIG profile with /var/log/audit related
- rules.
-
-Add file_permissions_var_log_audit and file_ownership_var_log_audit to
-RHEL7 STIG profile.
----
- .../file_ownership_var_log_audit/rule.yml                       | 1 +
- .../file_permissions_var_log_audit/oval/shared.xml              | 2 +-
- .../file_permissions_var_log_audit/rule.yml                     | 1 +
- rhel7/profiles/stig.profile                                     | 2 ++
- 4 files changed, 5 insertions(+), 1 deletion(-)
-
-diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_var_log_audit/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_var_log_audit/rule.yml
-index 248ff3598..8a8c71520 100644
---- a/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_var_log_audit/rule.yml
-+++ b/linux_os/guide/system/auditing/auditd_configure_rules/file_ownership_var_log_audit/rule.yml
-@@ -21,6 +21,7 @@ identifiers:
- 
- references:
-     stigid@ol7: OL07-00-910055
-+    stigid@rhel7: RHEL-07-910055
-     stigid@rhel6: RHEL-06-000384
-     srg@rhel6: SRG-OS-000057
-     disa@rhel6: CCI-000166
-diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/file_permissions_var_log_audit/oval/shared.xml b/linux_os/guide/system/auditing/auditd_configure_rules/file_permissions_var_log_audit/oval/shared.xml
-index 5941ea660f..1bb7dd453c 100644
---- a/linux_os/guide/system/auditing/auditd_configure_rules/file_permissions_var_log_audit/oval/shared.xml
-+++ b/linux_os/guide/system/auditing/auditd_configure_rules/file_permissions_var_log_audit/oval/shared.xml
-@@ -34,7 +34,7 @@
-   </unix:file_object>
- 
-   <unix:file_state id="state_not_mode_0600" version="1" operator="OR">
--    <!-- if any one of these is true then mode is NOT 0640 (hence the OR operator) -->
-+    <!-- if any one of these is true then mode is NOT 0600 (hence the OR operator) -->
-     <unix:suid datatype="boolean">true</unix:suid>
-     <unix:sgid datatype="boolean">true</unix:sgid>
-     <unix:sticky datatype="boolean">true</unix:sticky>
-diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/file_permissions_var_log_audit/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/file_permissions_var_log_audit/rule.yml
-index 6c265d68b..d6b36b647 100644
---- a/linux_os/guide/system/auditing/auditd_configure_rules/file_permissions_var_log_audit/rule.yml
-+++ b/linux_os/guide/system/auditing/auditd_configure_rules/file_permissions_var_log_audit/rule.yml
-@@ -24,6 +24,7 @@ identifiers:
- 
- references:
-     stigid@ol7: OL07-00-910055
-+    stigid@rhel7: RHEL-07-910055
-     disa: CCI-000162,CCI-000163,CCI-000164,CCI-001314
-     srg: SRG-OS-000057-GPOS-00027,SRG-OS-000058-GPOS-00028,SRG-OS-000059-GPOS-00029,SRG-OS-000206-GPOS-00084
-     stigid@rhel6: RHEL-06-000383
-diff --git a/rhel7/profiles/stig.profile b/rhel7/profiles/stig.profile
-index 4698785a49..1d94e79964 100644
---- a/rhel7/profiles/stig.profile
-+++ b/rhel7/profiles/stig.profile
-@@ -313,3 +313,5 @@ selections:
-     - mount_option_dev_shm_nosuid
-     - audit_rules_privileged_commands_mount
-     - package_MFEhiplsm_installed
-+    - file_ownership_var_log_audit
-+    - file_permissions_var_log_audit
-
-From e83eaf0ff5a3e3a4cb7a3caac0410c4ad4813312 Mon Sep 17 00:00:00 2001
-From: Gabriel Becker <ggasparb@redhat.com>
-Date: Thu, 26 Nov 2020 15:57:29 +0100
-Subject: [PATCH 2/2] Remove unrelated fix content from
- file_permissions_var_log_audit bash.
-
----
- .../file_permissions_var_log_audit/bash/shared.sh            | 5 -----
- 1 file changed, 5 deletions(-)
-
-diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/file_permissions_var_log_audit/bash/shared.sh b/linux_os/guide/system/auditing/auditd_configure_rules/file_permissions_var_log_audit/bash/shared.sh
-index 3175a18a23..d6c45867e5 100644
---- a/linux_os/guide/system/auditing/auditd_configure_rules/file_permissions_var_log_audit/bash/shared.sh
-+++ b/linux_os/guide/system/auditing/auditd_configure_rules/file_permissions_var_log_audit/bash/shared.sh
-@@ -9,12 +9,7 @@ if LC_ALL=C grep -m 1 -q ^log_group /etc/audit/auditd.conf; then
-     chmod 0600 /var/log/audit/audit.log
-     chmod 0400 /var/log/audit/audit.log.*
-   fi
--
--  chmod 0640 /etc/audit/audit*
--  chmod 0640 /etc/audit/rules.d/*
- else
-   chmod 0600 /var/log/audit/audit.log
-   chmod 0400 /var/log/audit/audit.log.*
--  chmod 0640 /etc/audit/audit*
--  chmod 0640 /etc/audit/rules.d/*
- fi
diff --git a/SOURCES/scap-security-guide-0.1.54-update_grub2_enable_fips_mode-PR_6418.patch b/SOURCES/scap-security-guide-0.1.54-update_grub2_enable_fips_mode-PR_6418.patch
deleted file mode 100644
index 24052bc..0000000
--- a/SOURCES/scap-security-guide-0.1.54-update_grub2_enable_fips_mode-PR_6418.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-From 48e3c05ea2bdf769700aa1059293e61122cc3798 Mon Sep 17 00:00:00 2001
-From: Gabriel Becker <ggasparb@redhat.com>
-Date: Wed, 25 Nov 2020 12:27:50 +0100
-Subject: [PATCH] Add test to grub2_enable_fips_mode to check if
- /etc/system-fips exists.
-
----
- .../software/integrity/fips/etc_system_fips_exists/rule.yml     | 2 +-
- .../integrity/fips/grub2_enable_fips_mode/oval/shared.xml       | 1 +
- 2 files changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/linux_os/guide/system/software/integrity/fips/etc_system_fips_exists/rule.yml b/linux_os/guide/system/software/integrity/fips/etc_system_fips_exists/rule.yml
-index 2bc0abb631..7b2076df40 100644
---- a/linux_os/guide/system/software/integrity/fips/etc_system_fips_exists/rule.yml
-+++ b/linux_os/guide/system/software/integrity/fips/etc_system_fips_exists/rule.yml
-@@ -1,6 +1,6 @@
- documentation_complete: true
- 
--prodtype: fedora,rhcos4,ol8,rhel8,rhv4
-+prodtype: fedora,rhcos4,ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019
- 
- title: Ensure '/etc/system-fips' exists
- 
-diff --git a/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/oval/shared.xml b/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/oval/shared.xml
-index dcd668d97c..31997d844e 100644
---- a/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/oval/shared.xml
-+++ b/linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/oval/shared.xml
-@@ -6,6 +6,7 @@
-       <extend_definition comment="prelink disabled" definition_ref="disable_prelink" />
-       <extend_definition comment="package dracut-fips installed" definition_ref="package_dracut-fips_installed" />
-       <extend_definition comment="package dracut-fips-aesni installed" definition_ref="package_dracut-fips-aesni_installed" />
-+      <extend_definition comment="check /etc/system-fips exists" definition_ref="etc_system_fips_exists" />
-       <criteria operator="OR">
-         <criterion test_ref="test_grub2_enable_fips_mode" comment="check for fips=1 in /etc/default/grub via GRUB_CMDLINE_LINUX" />
-         <criteria operator="AND">
diff --git a/SOURCES/scap-security-guide-0.1.54-update_stig_reference-PR_6422.patch b/SOURCES/scap-security-guide-0.1.54-update_stig_reference-PR_6422.patch
deleted file mode 100644
index c730a7d..0000000
--- a/SOURCES/scap-security-guide-0.1.54-update_stig_reference-PR_6422.patch
+++ /dev/null
@@ -1,10052 +0,0 @@
-From e32e21b9e2577b047d8dc12d27dda0f1fd7359b4 Mon Sep 17 00:00:00 2001
-From: Gabriel Becker <ggasparb@redhat.com>
-Date: Wed, 25 Nov 2020 17:03:34 +0100
-Subject: [PATCH] Update RHEL7 STIG benchmark reference from v2r8 to v3r1.
-
----
- .../disa-stig-rhel7-v2r8-xccdf-manual.xml     | 4989 ----------------
- .../disa-stig-rhel7-v3r1-xccdf-manual.xml     | 5037 +++++++++++++++++
- 2 files changed, 5037 insertions(+), 4989 deletions(-)
- delete mode 100644 shared/references/disa-stig-rhel7-v2r8-xccdf-manual.xml
- create mode 100644 shared/references/disa-stig-rhel7-v3r1-xccdf-manual.xml
-
-diff --git a/shared/references/disa-stig-rhel7-v2r8-xccdf-manual.xml b/shared/references/disa-stig-rhel7-v2r8-xccdf-manual.xml
-deleted file mode 100644
-index 01fb97e10d..0000000000
---- a/shared/references/disa-stig-rhel7-v2r8-xccdf-manual.xml
-+++ /dev/null
-@@ -1,4989 +0,0 @@
--<?xml version="1.0" encoding="utf-8"?><?xml-stylesheet type='text/xsl' href='STIG_unclass.xsl'?><Benchmark xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:cpe="http://cpe.mitre.org/language/2.0" xmlns:xhtml="http://www.w3.org/1999/xhtml" xmlns:dc="http://purl.org/dc/elements/1.1/" id="RHEL_7_STIG" xml:lang="en" xsi:schemaLocation="http://checklists.nist.gov/xccdf/1.1 http://nvd.nist.gov/schema/xccdf-1.1.4.xsd http://cpe.mitre.org/dictionary/2.0 http://cpe.mitre.org/files/cpe-dictionary_2.1.xsd" xmlns="http://checklists.nist.gov/xccdf/1.1"><status date="2020-05-15">accepted</status><title>Red Hat Enterprise Linux 7 Security Technical Implementation Guide</title><description>This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.</description><notice id="terms-of-use" xml:lang="en"></notice><reference href="https://cyber.mil"><dc:publisher>DISA</dc:publisher><dc:source>STIG.DOD.MIL</dc:source></reference><plain-text id="release-info">Release: 8 Benchmark Date: 24 Jul 2020</plain-text><version>2</version><Profile id="MAC-1_Classified"><title>I - Mission Critical Classified</title><description>&lt;ProfileDescription&gt;&lt;/ProfileDescription&gt;</description><select idref="V-71849" selected="true" /><select idref="V-71855" selected="true" /><select idref="V-71859" selected="true" /><select idref="V-71861" selected="true" /><select idref="V-71863" selected="true" /><select idref="V-71891" selected="true" /><select idref="V-71893" selected="true" /><select idref="V-71899" selected="true" /><select idref="V-71901" selected="true" /><select idref="V-71903" selected="true" /><select idref="V-71905" selected="true" /><select idref="V-71907" selected="true" /><select idref="V-71909" selected="true" /><select idref="V-71911" selected="true" /><select idref="V-71913" selected="true" /><select idref="V-71915" selected="true" /><select idref="V-71917" selected="true" /><select idref="V-71919" selected="true" /><select idref="V-71921" selected="true" /><select idref="V-71923" selected="true" /><select idref="V-71925" selected="true" /><select idref="V-71927" selected="true" /><select idref="V-71929" selected="true" /><select idref="V-71931" selected="true" /><select idref="V-71933" selected="true" /><select idref="V-71935" selected="true" /><select idref="V-71937" selected="true" /><select idref="V-71939" selected="true" /><select idref="V-71941" selected="true" /><select idref="V-71943" selected="true" /><select idref="V-71945" selected="true" /><select idref="V-71947" selected="true" /><select idref="V-71949" selected="true" /><select idref="V-71951" selected="true" /><select idref="V-71953" selected="true" /><select idref="V-71955" selected="true" /><select idref="V-71957" selected="true" /><select idref="V-71959" selected="true" /><select idref="V-71961" selected="true" /><select idref="V-71963" selected="true" /><select idref="V-71965" selected="true" /><select idref="V-71967" selected="true" /><select idref="V-71969" selected="true" /><select idref="V-71971" selected="true" /><select idref="V-71973" selected="true" /><select idref="V-71975" selected="true" /><select idref="V-71977" selected="true" /><select idref="V-71979" selected="true" /><select idref="V-71983" selected="true" /><select idref="V-71985" selected="true" /><select idref="V-71987" selected="true" /><select idref="V-71989" selected="true" /><select idref="V-71991" selected="true" /><select idref="V-71993" selected="true" /><select idref="V-71995" selected="true" /><select idref="V-71997" selected="true" /><select idref="V-71999" selected="true" /><select idref="V-72001" selected="true" /><select idref="V-72003" selected="true" /><select idref="V-72005" selected="true" /><select idref="V-72007" selected="true" /><select idref="V-72009" selected="true" /><select idref="V-72013" selected="true" /><select idref="V-72015" selected="true" /><select idref="V-72017" selected="true" /><select idref="V-72019" selected="true" /><select idref="V-72021" selected="true" /><select idref="V-72023" selected="true" /><select idref="V-72025" selected="true" /><select idref="V-72027" selected="true" /><select idref="V-72029" selected="true" /><select idref="V-72031" selected="true" /><select idref="V-72033" selected="true" /><select idref="V-72035" selected="true" /><select idref="V-72037" selected="true" /><select idref="V-72039" selected="true" /><select idref="V-72041" selected="true" /><select idref="V-72043" selected="true" /><select idref="V-72045" selected="true" /><select idref="V-72047" selected="true" /><select idref="V-72049" selected="true" /><select idref="V-72051" selected="true" /><select idref="V-72053" selected="true" /><select idref="V-72055" selected="true" /><select idref="V-72057" selected="true" /><select idref="V-72059" selected="true" /><select idref="V-72061" selected="true" /><select idref="V-72063" selected="true" /><select idref="V-72065" selected="true" /><select idref="V-72067" selected="true" /><select idref="V-72069" selected="true" /><select idref="V-72071" selected="true" /><select idref="V-72073" selected="true" /><select idref="V-72075" selected="true" /><select idref="V-72077" selected="true" /><select idref="V-72079" selected="true" /><select idref="V-72081" selected="true" /><select idref="V-72083" selected="true" /><select idref="V-72085" selected="true" /><select idref="V-72087" selected="true" /><select idref="V-72089" selected="true" /><select idref="V-72091" selected="true" /><select idref="V-72093" selected="true" /><select idref="V-72095" selected="true" /><select idref="V-72097" selected="true" /><select idref="V-72099" selected="true" /><select idref="V-72101" selected="true" /><select idref="V-72103" selected="true" /><select idref="V-72105" selected="true" /><select idref="V-72107" selected="true" /><select idref="V-72109" selected="true" /><select idref="V-72111" selected="true" /><select idref="V-72113" selected="true" /><select idref="V-72115" selected="true" /><select idref="V-72117" selected="true" /><select idref="V-72119" selected="true" /><select idref="V-72121" selected="true" /><select idref="V-72123" selected="true" /><select idref="V-72125" selected="true" /><select idref="V-72127" selected="true" /><select idref="V-72129" selected="true" /><select idref="V-72131" selected="true" /><select idref="V-72133" selected="true" /><select idref="V-72135" selected="true" /><select idref="V-72137" selected="true" /><select idref="V-72139" selected="true" /><select idref="V-72141" selected="true" /><select idref="V-72145" selected="true" /><select idref="V-72147" selected="true" /><select idref="V-72149" selected="true" /><select idref="V-72151" selected="true" /><select idref="V-72153" selected="true" /><select idref="V-72155" selected="true" /><select idref="V-72157" selected="true" /><select idref="V-72159" selected="true" /><select idref="V-72161" selected="true" /><select idref="V-72163" selected="true" /><select idref="V-72165" selected="true" /><select idref="V-72167" selected="true" /><select idref="V-72171" selected="true" /><select idref="V-72173" selected="true" /><select idref="V-72175" selected="true" /><select idref="V-72177" selected="true" /><select idref="V-72179" selected="true" /><select idref="V-72183" selected="true" /><select idref="V-72185" selected="true" /><select idref="V-72187" selected="true" /><select idref="V-72189" selected="true" /><select idref="V-72191" selected="true" /><select idref="V-72197" selected="true" /><select idref="V-72199" selected="true" /><select idref="V-72201" selected="true" /><select idref="V-72203" selected="true" /><select idref="V-72205" selected="true" /><select idref="V-72207" selected="true" /><select idref="V-72209" selected="true" /><select idref="V-72211" selected="true" /><select idref="V-72213" selected="true" /><select idref="V-72217" selected="true" /><select idref="V-72219" selected="true" /><select idref="V-72221" selected="true" /><select idref="V-72223" selected="true" /><select idref="V-72225" selected="true" /><select idref="V-72227" selected="true" /><select idref="V-72229" selected="true" /><select idref="V-72231" selected="true" /><select idref="V-72233" selected="true" /><select idref="V-72235" selected="true" /><select idref="V-72237" selected="true" /><select idref="V-72239" selected="true" /><select idref="V-72241" selected="true" /><select idref="V-72243" selected="true" /><select idref="V-72245" selected="true" /><select idref="V-72247" selected="true" /><select idref="V-72249" selected="true" /><select idref="V-72251" selected="true" /><select idref="V-72253" selected="true" /><select idref="V-72255" selected="true" /><select idref="V-72257" selected="true" /><select idref="V-72259" selected="true" /><select idref="V-72261" selected="true" /><select idref="V-72263" selected="true" /><select idref="V-72265" selected="true" /><select idref="V-72267" selected="true" /><select idref="V-72269" selected="true" /><select idref="V-72273" selected="true" /><select idref="V-72275" selected="true" /><select idref="V-72277" selected="true" /><select idref="V-72279" selected="true" /><select idref="V-72281" selected="true" /><select idref="V-72283" selected="true" /><select idref="V-72285" selected="true" /><select idref="V-72287" selected="true" /><select idref="V-72289" selected="true" /><select idref="V-72291" selected="true" /><select idref="V-72293" selected="true" /><select idref="V-72295" selected="true" /><select idref="V-72297" selected="true" /><select idref="V-72299" selected="true" /><select idref="V-72301" selected="true" /><select idref="V-72303" selected="true" /><select idref="V-72305" selected="true" /><select idref="V-72307" selected="true" /><select idref="V-72309" selected="true" /><select idref="V-72311" selected="true" /><select idref="V-72313" selected="true" /><select idref="V-72315" selected="true" /><select idref="V-72317" selected="true" /><select idref="V-72319" selected="true" /><select idref="V-72417" selected="true" /><select idref="V-72427" selected="true" /><select idref="V-72433" selected="true" /><select idref="V-73155" selected="true" /><select idref="V-73157" selected="true" /><select idref="V-73159" selected="true" /><select idref="V-73161" selected="true" /><select idref="V-73163" selected="true" /><select idref="V-73165" selected="true" /><select idref="V-73167" selected="true" /><select idref="V-73171" selected="true" /><select idref="V-73173" selected="true" /><select idref="V-73175" selected="true" /><select idref="V-73177" selected="true" /><select idref="V-77819" selected="true" /><select idref="V-77821" selected="true" /><select idref="V-77823" selected="true" /><select idref="V-77825" selected="true" /><select idref="V-78995" selected="true" /><select idref="V-78997" selected="true" /><select idref="V-78999" selected="true" /><select idref="V-79001" selected="true" /><select idref="V-81003" selected="true" /><select idref="V-81005" selected="true" /><select idref="V-81007" selected="true" /><select idref="V-81013" selected="true" /><select idref="V-81017" selected="true" /><select idref="V-81019" selected="true" /><select idref="V-81021" selected="true" /><select idref="V-92251" selected="true" /><select idref="V-92253" selected="true" /><select idref="V-92255" selected="true" /><select idref="V-94843" selected="true" /><select idref="V-100023" selected="true" /></Profile><Profile id="MAC-1_Public"><title>I - Mission Critical Public</title><description>&lt;ProfileDescription&gt;&lt;/ProfileDescription&gt;</description><select idref="V-71849" selected="true" /><select idref="V-71855" selected="true" /><select idref="V-71859" selected="true" /><select idref="V-71861" selected="true" /><select idref="V-71863" selected="true" /><select idref="V-71891" selected="true" /><select idref="V-71893" selected="true" /><select idref="V-71899" selected="true" /><select idref="V-71901" selected="true" /><select idref="V-71903" selected="true" /><select idref="V-71905" selected="true" /><select idref="V-71907" selected="true" /><select idref="V-71909" selected="true" /><select idref="V-71911" selected="true" /><select idref="V-71913" selected="true" /><select idref="V-71915" selected="true" /><select idref="V-71917" selected="true" /><select idref="V-71919" selected="true" /><select idref="V-71921" selected="true" /><select idref="V-71923" selected="true" /><select idref="V-71925" selected="true" /><select idref="V-71927" selected="true" /><select idref="V-71929" selected="true" /><select idref="V-71931" selected="true" /><select idref="V-71933" selected="true" /><select idref="V-71935" selected="true" /><select idref="V-71937" selected="true" /><select idref="V-71939" selected="true" /><select idref="V-71941" selected="true" /><select idref="V-71943" selected="true" /><select idref="V-71945" selected="true" /><select idref="V-71947" selected="true" /><select idref="V-71949" selected="true" /><select idref="V-71951" selected="true" /><select idref="V-71953" selected="true" /><select idref="V-71955" selected="true" /><select idref="V-71957" selected="true" /><select idref="V-71959" selected="true" /><select idref="V-71961" selected="true" /><select idref="V-71963" selected="true" /><select idref="V-71965" selected="true" /><select idref="V-71967" selected="true" /><select idref="V-71969" selected="true" /><select idref="V-71971" selected="true" /><select idref="V-71973" selected="true" /><select idref="V-71975" selected="true" /><select idref="V-71977" selected="true" /><select idref="V-71979" selected="true" /><select idref="V-71983" selected="true" /><select idref="V-71985" selected="true" /><select idref="V-71987" selected="true" /><select idref="V-71989" selected="true" /><select idref="V-71991" selected="true" /><select idref="V-71993" selected="true" /><select idref="V-71995" selected="true" /><select idref="V-71997" selected="true" /><select idref="V-71999" selected="true" /><select idref="V-72001" selected="true" /><select idref="V-72003" selected="true" /><select idref="V-72005" selected="true" /><select idref="V-72007" selected="true" /><select idref="V-72009" selected="true" /><select idref="V-72013" selected="true" /><select idref="V-72015" selected="true" /><select idref="V-72017" selected="true" /><select idref="V-72019" selected="true" /><select idref="V-72021" selected="true" /><select idref="V-72023" selected="true" /><select idref="V-72025" selected="true" /><select idref="V-72027" selected="true" /><select idref="V-72029" selected="true" /><select idref="V-72031" selected="true" /><select idref="V-72033" selected="true" /><select idref="V-72035" selected="true" /><select idref="V-72037" selected="true" /><select idref="V-72039" selected="true" /><select idref="V-72041" selected="true" /><select idref="V-72043" selected="true" /><select idref="V-72045" selected="true" /><select idref="V-72047" selected="true" /><select idref="V-72049" selected="true" /><select idref="V-72051" selected="true" /><select idref="V-72053" selected="true" /><select idref="V-72055" selected="true" /><select idref="V-72057" selected="true" /><select idref="V-72059" selected="true" /><select idref="V-72061" selected="true" /><select idref="V-72063" selected="true" /><select idref="V-72065" selected="true" /><select idref="V-72067" selected="true" /><select idref="V-72069" selected="true" /><select idref="V-72071" selected="true" /><select idref="V-72073" selected="true" /><select idref="V-72075" selected="true" /><select idref="V-72077" selected="true" /><select idref="V-72079" selected="true" /><select idref="V-72081" selected="true" /><select idref="V-72083" selected="true" /><select idref="V-72085" selected="true" /><select idref="V-72087" selected="true" /><select idref="V-72089" selected="true" /><select idref="V-72091" selected="true" /><select idref="V-72093" selected="true" /><select idref="V-72095" selected="true" /><select idref="V-72097" selected="true" /><select idref="V-72099" selected="true" /><select idref="V-72101" selected="true" /><select idref="V-72103" selected="true" /><select idref="V-72105" selected="true" /><select idref="V-72107" selected="true" /><select idref="V-72109" selected="true" /><select idref="V-72111" selected="true" /><select idref="V-72113" selected="true" /><select idref="V-72115" selected="true" /><select idref="V-72117" selected="true" /><select idref="V-72119" selected="true" /><select idref="V-72121" selected="true" /><select idref="V-72123" selected="true" /><select idref="V-72125" selected="true" /><select idref="V-72127" selected="true" /><select idref="V-72129" selected="true" /><select idref="V-72131" selected="true" /><select idref="V-72133" selected="true" /><select idref="V-72135" selected="true" /><select idref="V-72137" selected="true" /><select idref="V-72139" selected="true" /><select idref="V-72141" selected="true" /><select idref="V-72145" selected="true" /><select idref="V-72147" selected="true" /><select idref="V-72149" selected="true" /><select idref="V-72151" selected="true" /><select idref="V-72153" selected="true" /><select idref="V-72155" selected="true" /><select idref="V-72157" selected="true" /><select idref="V-72159" selected="true" /><select idref="V-72161" selected="true" /><select idref="V-72163" selected="true" /><select idref="V-72165" selected="true" /><select idref="V-72167" selected="true" /><select idref="V-72171" selected="true" /><select idref="V-72173" selected="true" /><select idref="V-72175" selected="true" /><select idref="V-72177" selected="true" /><select idref="V-72179" selected="true" /><select idref="V-72183" selected="true" /><select idref="V-72185" selected="true" /><select idref="V-72187" selected="true" /><select idref="V-72189" selected="true" /><select idref="V-72191" selected="true" /><select idref="V-72197" selected="true" /><select idref="V-72199" selected="true" /><select idref="V-72201" selected="true" /><select idref="V-72203" selected="true" /><select idref="V-72205" selected="true" /><select idref="V-72207" selected="true" /><select idref="V-72209" selected="true" /><select idref="V-72211" selected="true" /><select idref="V-72213" selected="true" /><select idref="V-72217" selected="true" /><select idref="V-72219" selected="true" /><select idref="V-72221" selected="true" /><select idref="V-72223" selected="true" /><select idref="V-72225" selected="true" /><select idref="V-72227" selected="true" /><select idref="V-72229" selected="true" /><select idref="V-72231" selected="true" /><select idref="V-72233" selected="true" /><select idref="V-72235" selected="true" /><select idref="V-72237" selected="true" /><select idref="V-72239" selected="true" /><select idref="V-72241" selected="true" /><select idref="V-72243" selected="true" /><select idref="V-72245" selected="true" /><select idref="V-72247" selected="true" /><select idref="V-72249" selected="true" /><select idref="V-72251" selected="true" /><select idref="V-72253" selected="true" /><select idref="V-72255" selected="true" /><select idref="V-72257" selected="true" /><select idref="V-72259" selected="true" /><select idref="V-72261" selected="true" /><select idref="V-72263" selected="true" /><select idref="V-72265" selected="true" /><select idref="V-72267" selected="true" /><select idref="V-72269" selected="true" /><select idref="V-72273" selected="true" /><select idref="V-72275" selected="true" /><select idref="V-72277" selected="true" /><select idref="V-72279" selected="true" /><select idref="V-72281" selected="true" /><select idref="V-72283" selected="true" /><select idref="V-72285" selected="true" /><select idref="V-72287" selected="true" /><select idref="V-72289" selected="true" /><select idref="V-72291" selected="true" /><select idref="V-72293" selected="true" /><select idref="V-72295" selected="true" /><select idref="V-72297" selected="true" /><select idref="V-72299" selected="true" /><select idref="V-72301" selected="true" /><select idref="V-72303" selected="true" /><select idref="V-72305" selected="true" /><select idref="V-72307" selected="true" /><select idref="V-72309" selected="true" /><select idref="V-72311" selected="true" /><select idref="V-72313" selected="true" /><select idref="V-72315" selected="true" /><select idref="V-72317" selected="true" /><select idref="V-72319" selected="true" /><select idref="V-72417" selected="true" /><select idref="V-72427" selected="true" /><select idref="V-72433" selected="true" /><select idref="V-73155" selected="true" /><select idref="V-73157" selected="true" /><select idref="V-73159" selected="true" /><select idref="V-73161" selected="true" /><select idref="V-73163" selected="true" /><select idref="V-73165" selected="true" /><select idref="V-73167" selected="true" /><select idref="V-73171" selected="true" /><select idref="V-73173" selected="true" /><select idref="V-73175" selected="true" /><select idref="V-73177" selected="true" /><select idref="V-77819" selected="true" /><select idref="V-77821" selected="true" /><select idref="V-77823" selected="true" /><select idref="V-77825" selected="true" /><select idref="V-78995" selected="true" /><select idref="V-78997" selected="true" /><select idref="V-78999" selected="true" /><select idref="V-79001" selected="true" /><select idref="V-81003" selected="true" /><select idref="V-81005" selected="true" /><select idref="V-81007" selected="true" /><select idref="V-81013" selected="true" /><select idref="V-81017" selected="true" /><select idref="V-81019" selected="true" /><select idref="V-81021" selected="true" /><select idref="V-92251" selected="true" /><select idref="V-92253" selected="true" /><select idref="V-92255" selected="true" /><select idref="V-94843" selected="true" /><select idref="V-100023" selected="true" /></Profile><Profile id="MAC-1_Sensitive"><title>I - Mission Critical Sensitive</title><description>&lt;ProfileDescription&gt;&lt;/ProfileDescription&gt;</description><select idref="V-71849" selected="true" /><select idref="V-71855" selected="true" /><select idref="V-71859" selected="true" /><select idref="V-71861" selected="true" /><select idref="V-71863" selected="true" /><select idref="V-71891" selected="true" /><select idref="V-71893" selected="true" /><select idref="V-71899" selected="true" /><select idref="V-71901" selected="true" /><select idref="V-71903" selected="true" /><select idref="V-71905" selected="true" /><select idref="V-71907" selected="true" /><select idref="V-71909" selected="true" /><select idref="V-71911" selected="true" /><select idref="V-71913" selected="true" /><select idref="V-71915" selected="true" /><select idref="V-71917" selected="true" /><select idref="V-71919" selected="true" /><select idref="V-71921" selected="true" /><select idref="V-71923" selected="true" /><select idref="V-71925" selected="true" /><select idref="V-71927" selected="true" /><select idref="V-71929" selected="true" /><select idref="V-71931" selected="true" /><select idref="V-71933" selected="true" /><select idref="V-71935" selected="true" /><select idref="V-71937" selected="true" /><select idref="V-71939" selected="true" /><select idref="V-71941" selected="true" /><select idref="V-71943" selected="true" /><select idref="V-71945" selected="true" /><select idref="V-71947" selected="true" /><select idref="V-71949" selected="true" /><select idref="V-71951" selected="true" /><select idref="V-71953" selected="true" /><select idref="V-71955" selected="true" /><select idref="V-71957" selected="true" /><select idref="V-71959" selected="true" /><select idref="V-71961" selected="true" /><select idref="V-71963" selected="true" /><select idref="V-71965" selected="true" /><select idref="V-71967" selected="true" /><select idref="V-71969" selected="true" /><select idref="V-71971" selected="true" /><select idref="V-71973" selected="true" /><select idref="V-71975" selected="true" /><select idref="V-71977" selected="true" /><select idref="V-71979" selected="true" /><select idref="V-71983" selected="true" /><select idref="V-71985" selected="true" /><select idref="V-71987" selected="true" /><select idref="V-71989" selected="true" /><select idref="V-71991" selected="true" /><select idref="V-71993" selected="true" /><select idref="V-71995" selected="true" /><select idref="V-71997" selected="true" /><select idref="V-71999" selected="true" /><select idref="V-72001" selected="true" /><select idref="V-72003" selected="true" /><select idref="V-72005" selected="true" /><select idref="V-72007" selected="true" /><select idref="V-72009" selected="true" /><select idref="V-72013" selected="true" /><select idref="V-72015" selected="true" /><select idref="V-72017" selected="true" /><select idref="V-72019" selected="true" /><select idref="V-72021" selected="true" /><select idref="V-72023" selected="true" /><select idref="V-72025" selected="true" /><select idref="V-72027" selected="true" /><select idref="V-72029" selected="true" /><select idref="V-72031" selected="true" /><select idref="V-72033" selected="true" /><select idref="V-72035" selected="true" /><select idref="V-72037" selected="true" /><select idref="V-72039" selected="true" /><select idref="V-72041" selected="true" /><select idref="V-72043" selected="true" /><select idref="V-72045" selected="true" /><select idref="V-72047" selected="true" /><select idref="V-72049" selected="true" /><select idref="V-72051" selected="true" /><select idref="V-72053" selected="true" /><select idref="V-72055" selected="true" /><select idref="V-72057" selected="true" /><select idref="V-72059" selected="true" /><select idref="V-72061" selected="true" /><select idref="V-72063" selected="true" /><select idref="V-72065" selected="true" /><select idref="V-72067" selected="true" /><select idref="V-72069" selected="true" /><select idref="V-72071" selected="true" /><select idref="V-72073" selected="true" /><select idref="V-72075" selected="true" /><select idref="V-72077" selected="true" /><select idref="V-72079" selected="true" /><select idref="V-72081" selected="true" /><select idref="V-72083" selected="true" /><select idref="V-72085" selected="true" /><select idref="V-72087" selected="true" /><select idref="V-72089" selected="true" /><select idref="V-72091" selected="true" /><select idref="V-72093" selected="true" /><select idref="V-72095" selected="true" /><select idref="V-72097" selected="true" /><select idref="V-72099" selected="true" /><select idref="V-72101" selected="true" /><select idref="V-72103" selected="true" /><select idref="V-72105" selected="true" /><select idref="V-72107" selected="true" /><select idref="V-72109" selected="true" /><select idref="V-72111" selected="true" /><select idref="V-72113" selected="true" /><select idref="V-72115" selected="true" /><select idref="V-72117" selected="true" /><select idref="V-72119" selected="true" /><select idref="V-72121" selected="true" /><select idref="V-72123" selected="true" /><select idref="V-72125" selected="true" /><select idref="V-72127" selected="true" /><select idref="V-72129" selected="true" /><select idref="V-72131" selected="true" /><select idref="V-72133" selected="true" /><select idref="V-72135" selected="true" /><select idref="V-72137" selected="true" /><select idref="V-72139" selected="true" /><select idref="V-72141" selected="true" /><select idref="V-72145" selected="true" /><select idref="V-72147" selected="true" /><select idref="V-72149" selected="true" /><select idref="V-72151" selected="true" /><select idref="V-72153" selected="true" /><select idref="V-72155" selected="true" /><select idref="V-72157" selected="true" /><select idref="V-72159" selected="true" /><select idref="V-72161" selected="true" /><select idref="V-72163" selected="true" /><select idref="V-72165" selected="true" /><select idref="V-72167" selected="true" /><select idref="V-72171" selected="true" /><select idref="V-72173" selected="true" /><select idref="V-72175" selected="true" /><select idref="V-72177" selected="true" /><select idref="V-72179" selected="true" /><select idref="V-72183" selected="true" /><select idref="V-72185" selected="true" /><select idref="V-72187" selected="true" /><select idref="V-72189" selected="true" /><select idref="V-72191" selected="true" /><select idref="V-72197" selected="true" /><select idref="V-72199" selected="true" /><select idref="V-72201" selected="true" /><select idref="V-72203" selected="true" /><select idref="V-72205" selected="true" /><select idref="V-72207" selected="true" /><select idref="V-72209" selected="true" /><select idref="V-72211" selected="true" /><select idref="V-72213" selected="true" /><select idref="V-72217" selected="true" /><select idref="V-72219" selected="true" /><select idref="V-72221" selected="true" /><select idref="V-72223" selected="true" /><select idref="V-72225" selected="true" /><select idref="V-72227" selected="true" /><select idref="V-72229" selected="true" /><select idref="V-72231" selected="true" /><select idref="V-72233" selected="true" /><select idref="V-72235" selected="true" /><select idref="V-72237" selected="true" /><select idref="V-72239" selected="true" /><select idref="V-72241" selected="true" /><select idref="V-72243" selected="true" /><select idref="V-72245" selected="true" /><select idref="V-72247" selected="true" /><select idref="V-72249" selected="true" /><select idref="V-72251" selected="true" /><select idref="V-72253" selected="true" /><select idref="V-72255" selected="true" /><select idref="V-72257" selected="true" /><select idref="V-72259" selected="true" /><select idref="V-72261" selected="true" /><select idref="V-72263" selected="true" /><select idref="V-72265" selected="true" /><select idref="V-72267" selected="true" /><select idref="V-72269" selected="true" /><select idref="V-72273" selected="true" /><select idref="V-72275" selected="true" /><select idref="V-72277" selected="true" /><select idref="V-72279" selected="true" /><select idref="V-72281" selected="true" /><select idref="V-72283" selected="true" /><select idref="V-72285" selected="true" /><select idref="V-72287" selected="true" /><select idref="V-72289" selected="true" /><select idref="V-72291" selected="true" /><select idref="V-72293" selected="true" /><select idref="V-72295" selected="true" /><select idref="V-72297" selected="true" /><select idref="V-72299" selected="true" /><select idref="V-72301" selected="true" /><select idref="V-72303" selected="true" /><select idref="V-72305" selected="true" /><select idref="V-72307" selected="true" /><select idref="V-72309" selected="true" /><select idref="V-72311" selected="true" /><select idref="V-72313" selected="true" /><select idref="V-72315" selected="true" /><select idref="V-72317" selected="true" /><select idref="V-72319" selected="true" /><select idref="V-72417" selected="true" /><select idref="V-72427" selected="true" /><select idref="V-72433" selected="true" /><select idref="V-73155" selected="true" /><select idref="V-73157" selected="true" /><select idref="V-73159" selected="true" /><select idref="V-73161" selected="true" /><select idref="V-73163" selected="true" /><select idref="V-73165" selected="true" /><select idref="V-73167" selected="true" /><select idref="V-73171" selected="true" /><select idref="V-73173" selected="true" /><select idref="V-73175" selected="true" /><select idref="V-73177" selected="true" /><select idref="V-77819" selected="true" /><select idref="V-77821" selected="true" /><select idref="V-77823" selected="true" /><select idref="V-77825" selected="true" /><select idref="V-78995" selected="true" /><select idref="V-78997" selected="true" /><select idref="V-78999" selected="true" /><select idref="V-79001" selected="true" /><select idref="V-81003" selected="true" /><select idref="V-81005" selected="true" /><select idref="V-81007" selected="true" /><select idref="V-81013" selected="true" /><select idref="V-81017" selected="true" /><select idref="V-81019" selected="true" /><select idref="V-81021" selected="true" /><select idref="V-92251" selected="true" /><select idref="V-92253" selected="true" /><select idref="V-92255" selected="true" /><select idref="V-94843" selected="true" /><select idref="V-100023" selected="true" /></Profile><Profile id="MAC-2_Classified"><title>II - Mission Support Classified</title><description>&lt;ProfileDescription&gt;&lt;/ProfileDescription&gt;</description><select idref="V-71849" selected="true" /><select idref="V-71855" selected="true" /><select idref="V-71859" selected="true" /><select idref="V-71861" selected="true" /><select idref="V-71863" selected="true" /><select idref="V-71891" selected="true" /><select idref="V-71893" selected="true" /><select idref="V-71899" selected="true" /><select idref="V-71901" selected="true" /><select idref="V-71903" selected="true" /><select idref="V-71905" selected="true" /><select idref="V-71907" selected="true" /><select idref="V-71909" selected="true" /><select idref="V-71911" selected="true" /><select idref="V-71913" selected="true" /><select idref="V-71915" selected="true" /><select idref="V-71917" selected="true" /><select idref="V-71919" selected="true" /><select idref="V-71921" selected="true" /><select idref="V-71923" selected="true" /><select idref="V-71925" selected="true" /><select idref="V-71927" selected="true" /><select idref="V-71929" selected="true" /><select idref="V-71931" selected="true" /><select idref="V-71933" selected="true" /><select idref="V-71935" selected="true" /><select idref="V-71937" selected="true" /><select idref="V-71939" selected="true" /><select idref="V-71941" selected="true" /><select idref="V-71943" selected="true" /><select idref="V-71945" selected="true" /><select idref="V-71947" selected="true" /><select idref="V-71949" selected="true" /><select idref="V-71951" selected="true" /><select idref="V-71953" selected="true" /><select idref="V-71955" selected="true" /><select idref="V-71957" selected="true" /><select idref="V-71959" selected="true" /><select idref="V-71961" selected="true" /><select idref="V-71963" selected="true" /><select idref="V-71965" selected="true" /><select idref="V-71967" selected="true" /><select idref="V-71969" selected="true" /><select idref="V-71971" selected="true" /><select idref="V-71973" selected="true" /><select idref="V-71975" selected="true" /><select idref="V-71977" selected="true" /><select idref="V-71979" selected="true" /><select idref="V-71983" selected="true" /><select idref="V-71985" selected="true" /><select idref="V-71987" selected="true" /><select idref="V-71989" selected="true" /><select idref="V-71991" selected="true" /><select idref="V-71993" selected="true" /><select idref="V-71995" selected="true" /><select idref="V-71997" selected="true" /><select idref="V-71999" selected="true" /><select idref="V-72001" selected="true" /><select idref="V-72003" selected="true" /><select idref="V-72005" selected="true" /><select idref="V-72007" selected="true" /><select idref="V-72009" selected="true" /><select idref="V-72013" selected="true" /><select idref="V-72015" selected="true" /><select idref="V-72017" selected="true" /><select idref="V-72019" selected="true" /><select idref="V-72021" selected="true" /><select idref="V-72023" selected="true" /><select idref="V-72025" selected="true" /><select idref="V-72027" selected="true" /><select idref="V-72029" selected="true" /><select idref="V-72031" selected="true" /><select idref="V-72033" selected="true" /><select idref="V-72035" selected="true" /><select idref="V-72037" selected="true" /><select idref="V-72039" selected="true" /><select idref="V-72041" selected="true" /><select idref="V-72043" selected="true" /><select idref="V-72045" selected="true" /><select idref="V-72047" selected="true" /><select idref="V-72049" selected="true" /><select idref="V-72051" selected="true" /><select idref="V-72053" selected="true" /><select idref="V-72055" selected="true" /><select idref="V-72057" selected="true" /><select idref="V-72059" selected="true" /><select idref="V-72061" selected="true" /><select idref="V-72063" selected="true" /><select idref="V-72065" selected="true" /><select idref="V-72067" selected="true" /><select idref="V-72069" selected="true" /><select idref="V-72071" selected="true" /><select idref="V-72073" selected="true" /><select idref="V-72075" selected="true" /><select idref="V-72077" selected="true" /><select idref="V-72079" selected="true" /><select idref="V-72081" selected="true" /><select idref="V-72083" selected="true" /><select idref="V-72085" selected="true" /><select idref="V-72087" selected="true" /><select idref="V-72089" selected="true" /><select idref="V-72091" selected="true" /><select idref="V-72093" selected="true" /><select idref="V-72095" selected="true" /><select idref="V-72097" selected="true" /><select idref="V-72099" selected="true" /><select idref="V-72101" selected="true" /><select idref="V-72103" selected="true" /><select idref="V-72105" selected="true" /><select idref="V-72107" selected="true" /><select idref="V-72109" selected="true" /><select idref="V-72111" selected="true" /><select idref="V-72113" selected="true" /><select idref="V-72115" selected="true" /><select idref="V-72117" selected="true" /><select idref="V-72119" selected="true" /><select idref="V-72121" selected="true" /><select idref="V-72123" selected="true" /><select idref="V-72125" selected="true" /><select idref="V-72127" selected="true" /><select idref="V-72129" selected="true" /><select idref="V-72131" selected="true" /><select idref="V-72133" selected="true" /><select idref="V-72135" selected="true" /><select idref="V-72137" selected="true" /><select idref="V-72139" selected="true" /><select idref="V-72141" selected="true" /><select idref="V-72145" selected="true" /><select idref="V-72147" selected="true" /><select idref="V-72149" selected="true" /><select idref="V-72151" selected="true" /><select idref="V-72153" selected="true" /><select idref="V-72155" selected="true" /><select idref="V-72157" selected="true" /><select idref="V-72159" selected="true" /><select idref="V-72161" selected="true" /><select idref="V-72163" selected="true" /><select idref="V-72165" selected="true" /><select idref="V-72167" selected="true" /><select idref="V-72171" selected="true" /><select idref="V-72173" selected="true" /><select idref="V-72175" selected="true" /><select idref="V-72177" selected="true" /><select idref="V-72179" selected="true" /><select idref="V-72183" selected="true" /><select idref="V-72185" selected="true" /><select idref="V-72187" selected="true" /><select idref="V-72189" selected="true" /><select idref="V-72191" selected="true" /><select idref="V-72197" selected="true" /><select idref="V-72199" selected="true" /><select idref="V-72201" selected="true" /><select idref="V-72203" selected="true" /><select idref="V-72205" selected="true" /><select idref="V-72207" selected="true" /><select idref="V-72209" selected="true" /><select idref="V-72211" selected="true" /><select idref="V-72213" selected="true" /><select idref="V-72217" selected="true" /><select idref="V-72219" selected="true" /><select idref="V-72221" selected="true" /><select idref="V-72223" selected="true" /><select idref="V-72225" selected="true" /><select idref="V-72227" selected="true" /><select idref="V-72229" selected="true" /><select idref="V-72231" selected="true" /><select idref="V-72233" selected="true" /><select idref="V-72235" selected="true" /><select idref="V-72237" selected="true" /><select idref="V-72239" selected="true" /><select idref="V-72241" selected="true" /><select idref="V-72243" selected="true" /><select idref="V-72245" selected="true" /><select idref="V-72247" selected="true" /><select idref="V-72249" selected="true" /><select idref="V-72251" selected="true" /><select idref="V-72253" selected="true" /><select idref="V-72255" selected="true" /><select idref="V-72257" selected="true" /><select idref="V-72259" selected="true" /><select idref="V-72261" selected="true" /><select idref="V-72263" selected="true" /><select idref="V-72265" selected="true" /><select idref="V-72267" selected="true" /><select idref="V-72269" selected="true" /><select idref="V-72273" selected="true" /><select idref="V-72275" selected="true" /><select idref="V-72277" selected="true" /><select idref="V-72279" selected="true" /><select idref="V-72281" selected="true" /><select idref="V-72283" selected="true" /><select idref="V-72285" selected="true" /><select idref="V-72287" selected="true" /><select idref="V-72289" selected="true" /><select idref="V-72291" selected="true" /><select idref="V-72293" selected="true" /><select idref="V-72295" selected="true" /><select idref="V-72297" selected="true" /><select idref="V-72299" selected="true" /><select idref="V-72301" selected="true" /><select idref="V-72303" selected="true" /><select idref="V-72305" selected="true" /><select idref="V-72307" selected="true" /><select idref="V-72309" selected="true" /><select idref="V-72311" selected="true" /><select idref="V-72313" selected="true" /><select idref="V-72315" selected="true" /><select idref="V-72317" selected="true" /><select idref="V-72319" selected="true" /><select idref="V-72417" selected="true" /><select idref="V-72427" selected="true" /><select idref="V-72433" selected="true" /><select idref="V-73155" selected="true" /><select idref="V-73157" selected="true" /><select idref="V-73159" selected="true" /><select idref="V-73161" selected="true" /><select idref="V-73163" selected="true" /><select idref="V-73165" selected="true" /><select idref="V-73167" selected="true" /><select idref="V-73171" selected="true" /><select idref="V-73173" selected="true" /><select idref="V-73175" selected="true" /><select idref="V-73177" selected="true" /><select idref="V-77819" selected="true" /><select idref="V-77821" selected="true" /><select idref="V-77823" selected="true" /><select idref="V-77825" selected="true" /><select idref="V-78995" selected="true" /><select idref="V-78997" selected="true" /><select idref="V-78999" selected="true" /><select idref="V-79001" selected="true" /><select idref="V-81003" selected="true" /><select idref="V-81005" selected="true" /><select idref="V-81007" selected="true" /><select idref="V-81013" selected="true" /><select idref="V-81017" selected="true" /><select idref="V-81019" selected="true" /><select idref="V-81021" selected="true" /><select idref="V-92251" selected="true" /><select idref="V-92253" selected="true" /><select idref="V-92255" selected="true" /><select idref="V-94843" selected="true" /><select idref="V-100023" selected="true" /></Profile><Profile id="MAC-2_Public"><title>II - Mission Support Public</title><description>&lt;ProfileDescription&gt;&lt;/ProfileDescription&gt;</description><select idref="V-71849" selected="true" /><select idref="V-71855" selected="true" /><select idref="V-71859" selected="true" /><select idref="V-71861" selected="true" /><select idref="V-71863" selected="true" /><select idref="V-71891" selected="true" /><select idref="V-71893" selected="true" /><select idref="V-71899" selected="true" /><select idref="V-71901" selected="true" /><select idref="V-71903" selected="true" /><select idref="V-71905" selected="true" /><select idref="V-71907" selected="true" /><select idref="V-71909" selected="true" /><select idref="V-71911" selected="true" /><select idref="V-71913" selected="true" /><select idref="V-71915" selected="true" /><select idref="V-71917" selected="true" /><select idref="V-71919" selected="true" /><select idref="V-71921" selected="true" /><select idref="V-71923" selected="true" /><select idref="V-71925" selected="true" /><select idref="V-71927" selected="true" /><select idref="V-71929" selected="true" /><select idref="V-71931" selected="true" /><select idref="V-71933" selected="true" /><select idref="V-71935" selected="true" /><select idref="V-71937" selected="true" /><select idref="V-71939" selected="true" /><select idref="V-71941" selected="true" /><select idref="V-71943" selected="true" /><select idref="V-71945" selected="true" /><select idref="V-71947" selected="true" /><select idref="V-71949" selected="true" /><select idref="V-71951" selected="true" /><select idref="V-71953" selected="true" /><select idref="V-71955" selected="true" /><select idref="V-71957" selected="true" /><select idref="V-71959" selected="true" /><select idref="V-71961" selected="true" /><select idref="V-71963" selected="true" /><select idref="V-71965" selected="true" /><select idref="V-71967" selected="true" /><select idref="V-71969" selected="true" /><select idref="V-71971" selected="true" /><select idref="V-71973" selected="true" /><select idref="V-71975" selected="true" /><select idref="V-71977" selected="true" /><select idref="V-71979" selected="true" /><select idref="V-71983" selected="true" /><select idref="V-71985" selected="true" /><select idref="V-71987" selected="true" /><select idref="V-71989" selected="true" /><select idref="V-71991" selected="true" /><select idref="V-71993" selected="true" /><select idref="V-71995" selected="true" /><select idref="V-71997" selected="true" /><select idref="V-71999" selected="true" /><select idref="V-72001" selected="true" /><select idref="V-72003" selected="true" /><select idref="V-72005" selected="true" /><select idref="V-72007" selected="true" /><select idref="V-72009" selected="true" /><select idref="V-72013" selected="true" /><select idref="V-72015" selected="true" /><select idref="V-72017" selected="true" /><select idref="V-72019" selected="true" /><select idref="V-72021" selected="true" /><select idref="V-72023" selected="true" /><select idref="V-72025" selected="true" /><select idref="V-72027" selected="true" /><select idref="V-72029" selected="true" /><select idref="V-72031" selected="true" /><select idref="V-72033" selected="true" /><select idref="V-72035" selected="true" /><select idref="V-72037" selected="true" /><select idref="V-72039" selected="true" /><select idref="V-72041" selected="true" /><select idref="V-72043" selected="true" /><select idref="V-72045" selected="true" /><select idref="V-72047" selected="true" /><select idref="V-72049" selected="true" /><select idref="V-72051" selected="true" /><select idref="V-72053" selected="true" /><select idref="V-72055" selected="true" /><select idref="V-72057" selected="true" /><select idref="V-72059" selected="true" /><select idref="V-72061" selected="true" /><select idref="V-72063" selected="true" /><select idref="V-72065" selected="true" /><select idref="V-72067" selected="true" /><select idref="V-72069" selected="true" /><select idref="V-72071" selected="true" /><select idref="V-72073" selected="true" /><select idref="V-72075" selected="true" /><select idref="V-72077" selected="true" /><select idref="V-72079" selected="true" /><select idref="V-72081" selected="true" /><select idref="V-72083" selected="true" /><select idref="V-72085" selected="true" /><select idref="V-72087" selected="true" /><select idref="V-72089" selected="true" /><select idref="V-72091" selected="true" /><select idref="V-72093" selected="true" /><select idref="V-72095" selected="true" /><select idref="V-72097" selected="true" /><select idref="V-72099" selected="true" /><select idref="V-72101" selected="true" /><select idref="V-72103" selected="true" /><select idref="V-72105" selected="true" /><select idref="V-72107" selected="true" /><select idref="V-72109" selected="true" /><select idref="V-72111" selected="true" /><select idref="V-72113" selected="true" /><select idref="V-72115" selected="true" /><select idref="V-72117" selected="true" /><select idref="V-72119" selected="true" /><select idref="V-72121" selected="true" /><select idref="V-72123" selected="true" /><select idref="V-72125" selected="true" /><select idref="V-72127" selected="true" /><select idref="V-72129" selected="true" /><select idref="V-72131" selected="true" /><select idref="V-72133" selected="true" /><select idref="V-72135" selected="true" /><select idref="V-72137" selected="true" /><select idref="V-72139" selected="true" /><select idref="V-72141" selected="true" /><select idref="V-72145" selected="true" /><select idref="V-72147" selected="true" /><select idref="V-72149" selected="true" /><select idref="V-72151" selected="true" /><select idref="V-72153" selected="true" /><select idref="V-72155" selected="true" /><select idref="V-72157" selected="true" /><select idref="V-72159" selected="true" /><select idref="V-72161" selected="true" /><select idref="V-72163" selected="true" /><select idref="V-72165" selected="true" /><select idref="V-72167" selected="true" /><select idref="V-72171" selected="true" /><select idref="V-72173" selected="true" /><select idref="V-72175" selected="true" /><select idref="V-72177" selected="true" /><select idref="V-72179" selected="true" /><select idref="V-72183" selected="true" /><select idref="V-72185" selected="true" /><select idref="V-72187" selected="true" /><select idref="V-72189" selected="true" /><select idref="V-72191" selected="true" /><select idref="V-72197" selected="true" /><select idref="V-72199" selected="true" /><select idref="V-72201" selected="true" /><select idref="V-72203" selected="true" /><select idref="V-72205" selected="true" /><select idref="V-72207" selected="true" /><select idref="V-72209" selected="true" /><select idref="V-72211" selected="true" /><select idref="V-72213" selected="true" /><select idref="V-72217" selected="true" /><select idref="V-72219" selected="true" /><select idref="V-72221" selected="true" /><select idref="V-72223" selected="true" /><select idref="V-72225" selected="true" /><select idref="V-72227" selected="true" /><select idref="V-72229" selected="true" /><select idref="V-72231" selected="true" /><select idref="V-72233" selected="true" /><select idref="V-72235" selected="true" /><select idref="V-72237" selected="true" /><select idref="V-72239" selected="true" /><select idref="V-72241" selected="true" /><select idref="V-72243" selected="true" /><select idref="V-72245" selected="true" /><select idref="V-72247" selected="true" /><select idref="V-72249" selected="true" /><select idref="V-72251" selected="true" /><select idref="V-72253" selected="true" /><select idref="V-72255" selected="true" /><select idref="V-72257" selected="true" /><select idref="V-72259" selected="true" /><select idref="V-72261" selected="true" /><select idref="V-72263" selected="true" /><select idref="V-72265" selected="true" /><select idref="V-72267" selected="true" /><select idref="V-72269" selected="true" /><select idref="V-72273" selected="true" /><select idref="V-72275" selected="true" /><select idref="V-72277" selected="true" /><select idref="V-72279" selected="true" /><select idref="V-72281" selected="true" /><select idref="V-72283" selected="true" /><select idref="V-72285" selected="true" /><select idref="V-72287" selected="true" /><select idref="V-72289" selected="true" /><select idref="V-72291" selected="true" /><select idref="V-72293" selected="true" /><select idref="V-72295" selected="true" /><select idref="V-72297" selected="true" /><select idref="V-72299" selected="true" /><select idref="V-72301" selected="true" /><select idref="V-72303" selected="true" /><select idref="V-72305" selected="true" /><select idref="V-72307" selected="true" /><select idref="V-72309" selected="true" /><select idref="V-72311" selected="true" /><select idref="V-72313" selected="true" /><select idref="V-72315" selected="true" /><select idref="V-72317" selected="true" /><select idref="V-72319" selected="true" /><select idref="V-72417" selected="true" /><select idref="V-72427" selected="true" /><select idref="V-72433" selected="true" /><select idref="V-73155" selected="true" /><select idref="V-73157" selected="true" /><select idref="V-73159" selected="true" /><select idref="V-73161" selected="true" /><select idref="V-73163" selected="true" /><select idref="V-73165" selected="true" /><select idref="V-73167" selected="true" /><select idref="V-73171" selected="true" /><select idref="V-73173" selected="true" /><select idref="V-73175" selected="true" /><select idref="V-73177" selected="true" /><select idref="V-77819" selected="true" /><select idref="V-77821" selected="true" /><select idref="V-77823" selected="true" /><select idref="V-77825" selected="true" /><select idref="V-78995" selected="true" /><select idref="V-78997" selected="true" /><select idref="V-78999" selected="true" /><select idref="V-79001" selected="true" /><select idref="V-81003" selected="true" /><select idref="V-81005" selected="true" /><select idref="V-81007" selected="true" /><select idref="V-81013" selected="true" /><select idref="V-81017" selected="true" /><select idref="V-81019" selected="true" /><select idref="V-81021" selected="true" /><select idref="V-92251" selected="true" /><select idref="V-92253" selected="true" /><select idref="V-92255" selected="true" /><select idref="V-94843" selected="true" /><select idref="V-100023" selected="true" /></Profile><Profile id="MAC-2_Sensitive"><title>II - Mission Support Sensitive</title><description>&lt;ProfileDescription&gt;&lt;/ProfileDescription&gt;</description><select idref="V-71849" selected="true" /><select idref="V-71855" selected="true" /><select idref="V-71859" selected="true" /><select idref="V-71861" selected="true" /><select idref="V-71863" selected="true" /><select idref="V-71891" selected="true" /><select idref="V-71893" selected="true" /><select idref="V-71899" selected="true" /><select idref="V-71901" selected="true" /><select idref="V-71903" selected="true" /><select idref="V-71905" selected="true" /><select idref="V-71907" selected="true" /><select idref="V-71909" selected="true" /><select idref="V-71911" selected="true" /><select idref="V-71913" selected="true" /><select idref="V-71915" selected="true" /><select idref="V-71917" selected="true" /><select idref="V-71919" selected="true" /><select idref="V-71921" selected="true" /><select idref="V-71923" selected="true" /><select idref="V-71925" selected="true" /><select idref="V-71927" selected="true" /><select idref="V-71929" selected="true" /><select idref="V-71931" selected="true" /><select idref="V-71933" selected="true" /><select idref="V-71935" selected="true" /><select idref="V-71937" selected="true" /><select idref="V-71939" selected="true" /><select idref="V-71941" selected="true" /><select idref="V-71943" selected="true" /><select idref="V-71945" selected="true" /><select idref="V-71947" selected="true" /><select idref="V-71949" selected="true" /><select idref="V-71951" selected="true" /><select idref="V-71953" selected="true" /><select idref="V-71955" selected="true" /><select idref="V-71957" selected="true" /><select idref="V-71959" selected="true" /><select idref="V-71961" selected="true" /><select idref="V-71963" selected="true" /><select idref="V-71965" selected="true" /><select idref="V-71967" selected="true" /><select idref="V-71969" selected="true" /><select idref="V-71971" selected="true" /><select idref="V-71973" selected="true" /><select idref="V-71975" selected="true" /><select idref="V-71977" selected="true" /><select idref="V-71979" selected="true" /><select idref="V-71983" selected="true" /><select idref="V-71985" selected="true" /><select idref="V-71987" selected="true" /><select idref="V-71989" selected="true" /><select idref="V-71991" selected="true" /><select idref="V-71993" selected="true" /><select idref="V-71995" selected="true" /><select idref="V-71997" selected="true" /><select idref="V-71999" selected="true" /><select idref="V-72001" selected="true" /><select idref="V-72003" selected="true" /><select idref="V-72005" selected="true" /><select idref="V-72007" selected="true" /><select idref="V-72009" selected="true" /><select idref="V-72013" selected="true" /><select idref="V-72015" selected="true" /><select idref="V-72017" selected="true" /><select idref="V-72019" selected="true" /><select idref="V-72021" selected="true" /><select idref="V-72023" selected="true" /><select idref="V-72025" selected="true" /><select idref="V-72027" selected="true" /><select idref="V-72029" selected="true" /><select idref="V-72031" selected="true" /><select idref="V-72033" selected="true" /><select idref="V-72035" selected="true" /><select idref="V-72037" selected="true" /><select idref="V-72039" selected="true" /><select idref="V-72041" selected="true" /><select idref="V-72043" selected="true" /><select idref="V-72045" selected="true" /><select idref="V-72047" selected="true" /><select idref="V-72049" selected="true" /><select idref="V-72051" selected="true" /><select idref="V-72053" selected="true" /><select idref="V-72055" selected="true" /><select idref="V-72057" selected="true" /><select idref="V-72059" selected="true" /><select idref="V-72061" selected="true" /><select idref="V-72063" selected="true" /><select idref="V-72065" selected="true" /><select idref="V-72067" selected="true" /><select idref="V-72069" selected="true" /><select idref="V-72071" selected="true" /><select idref="V-72073" selected="true" /><select idref="V-72075" selected="true" /><select idref="V-72077" selected="true" /><select idref="V-72079" selected="true" /><select idref="V-72081" selected="true" /><select idref="V-72083" selected="true" /><select idref="V-72085" selected="true" /><select idref="V-72087" selected="true" /><select idref="V-72089" selected="true" /><select idref="V-72091" selected="true" /><select idref="V-72093" selected="true" /><select idref="V-72095" selected="true" /><select idref="V-72097" selected="true" /><select idref="V-72099" selected="true" /><select idref="V-72101" selected="true" /><select idref="V-72103" selected="true" /><select idref="V-72105" selected="true" /><select idref="V-72107" selected="true" /><select idref="V-72109" selected="true" /><select idref="V-72111" selected="true" /><select idref="V-72113" selected="true" /><select idref="V-72115" selected="true" /><select idref="V-72117" selected="true" /><select idref="V-72119" selected="true" /><select idref="V-72121" selected="true" /><select idref="V-72123" selected="true" /><select idref="V-72125" selected="true" /><select idref="V-72127" selected="true" /><select idref="V-72129" selected="true" /><select idref="V-72131" selected="true" /><select idref="V-72133" selected="true" /><select idref="V-72135" selected="true" /><select idref="V-72137" selected="true" /><select idref="V-72139" selected="true" /><select idref="V-72141" selected="true" /><select idref="V-72145" selected="true" /><select idref="V-72147" selected="true" /><select idref="V-72149" selected="true" /><select idref="V-72151" selected="true" /><select idref="V-72153" selected="true" /><select idref="V-72155" selected="true" /><select idref="V-72157" selected="true" /><select idref="V-72159" selected="true" /><select idref="V-72161" selected="true" /><select idref="V-72163" selected="true" /><select idref="V-72165" selected="true" /><select idref="V-72167" selected="true" /><select idref="V-72171" selected="true" /><select idref="V-72173" selected="true" /><select idref="V-72175" selected="true" /><select idref="V-72177" selected="true" /><select idref="V-72179" selected="true" /><select idref="V-72183" selected="true" /><select idref="V-72185" selected="true" /><select idref="V-72187" selected="true" /><select idref="V-72189" selected="true" /><select idref="V-72191" selected="true" /><select idref="V-72197" selected="true" /><select idref="V-72199" selected="true" /><select idref="V-72201" selected="true" /><select idref="V-72203" selected="true" /><select idref="V-72205" selected="true" /><select idref="V-72207" selected="true" /><select idref="V-72209" selected="true" /><select idref="V-72211" selected="true" /><select idref="V-72213" selected="true" /><select idref="V-72217" selected="true" /><select idref="V-72219" selected="true" /><select idref="V-72221" selected="true" /><select idref="V-72223" selected="true" /><select idref="V-72225" selected="true" /><select idref="V-72227" selected="true" /><select idref="V-72229" selected="true" /><select idref="V-72231" selected="true" /><select idref="V-72233" selected="true" /><select idref="V-72235" selected="true" /><select idref="V-72237" selected="true" /><select idref="V-72239" selected="true" /><select idref="V-72241" selected="true" /><select idref="V-72243" selected="true" /><select idref="V-72245" selected="true" /><select idref="V-72247" selected="true" /><select idref="V-72249" selected="true" /><select idref="V-72251" selected="true" /><select idref="V-72253" selected="true" /><select idref="V-72255" selected="true" /><select idref="V-72257" selected="true" /><select idref="V-72259" selected="true" /><select idref="V-72261" selected="true" /><select idref="V-72263" selected="true" /><select idref="V-72265" selected="true" /><select idref="V-72267" selected="true" /><select idref="V-72269" selected="true" /><select idref="V-72273" selected="true" /><select idref="V-72275" selected="true" /><select idref="V-72277" selected="true" /><select idref="V-72279" selected="true" /><select idref="V-72281" selected="true" /><select idref="V-72283" selected="true" /><select idref="V-72285" selected="true" /><select idref="V-72287" selected="true" /><select idref="V-72289" selected="true" /><select idref="V-72291" selected="true" /><select idref="V-72293" selected="true" /><select idref="V-72295" selected="true" /><select idref="V-72297" selected="true" /><select idref="V-72299" selected="true" /><select idref="V-72301" selected="true" /><select idref="V-72303" selected="true" /><select idref="V-72305" selected="true" /><select idref="V-72307" selected="true" /><select idref="V-72309" selected="true" /><select idref="V-72311" selected="true" /><select idref="V-72313" selected="true" /><select idref="V-72315" selected="true" /><select idref="V-72317" selected="true" /><select idref="V-72319" selected="true" /><select idref="V-72417" selected="true" /><select idref="V-72427" selected="true" /><select idref="V-72433" selected="true" /><select idref="V-73155" selected="true" /><select idref="V-73157" selected="true" /><select idref="V-73159" selected="true" /><select idref="V-73161" selected="true" /><select idref="V-73163" selected="true" /><select idref="V-73165" selected="true" /><select idref="V-73167" selected="true" /><select idref="V-73171" selected="true" /><select idref="V-73173" selected="true" /><select idref="V-73175" selected="true" /><select idref="V-73177" selected="true" /><select idref="V-77819" selected="true" /><select idref="V-77821" selected="true" /><select idref="V-77823" selected="true" /><select idref="V-77825" selected="true" /><select idref="V-78995" selected="true" /><select idref="V-78997" selected="true" /><select idref="V-78999" selected="true" /><select idref="V-79001" selected="true" /><select idref="V-81003" selected="true" /><select idref="V-81005" selected="true" /><select idref="V-81007" selected="true" /><select idref="V-81013" selected="true" /><select idref="V-81017" selected="true" /><select idref="V-81019" selected="true" /><select idref="V-81021" selected="true" /><select idref="V-92251" selected="true" /><select idref="V-92253" selected="true" /><select idref="V-92255" selected="true" /><select idref="V-94843" selected="true" /><select idref="V-100023" selected="true" /></Profile><Profile id="MAC-3_Classified"><title>III - Administrative Classified</title><description>&lt;ProfileDescription&gt;&lt;/ProfileDescription&gt;</description><select idref="V-71849" selected="true" /><select idref="V-71855" selected="true" /><select idref="V-71859" selected="true" /><select idref="V-71861" selected="true" /><select idref="V-71863" selected="true" /><select idref="V-71891" selected="true" /><select idref="V-71893" selected="true" /><select idref="V-71899" selected="true" /><select idref="V-71901" selected="true" /><select idref="V-71903" selected="true" /><select idref="V-71905" selected="true" /><select idref="V-71907" selected="true" /><select idref="V-71909" selected="true" /><select idref="V-71911" selected="true" /><select idref="V-71913" selected="true" /><select idref="V-71915" selected="true" /><select idref="V-71917" selected="true" /><select idref="V-71919" selected="true" /><select idref="V-71921" selected="true" /><select idref="V-71923" selected="true" /><select idref="V-71925" selected="true" /><select idref="V-71927" selected="true" /><select idref="V-71929" selected="true" /><select idref="V-71931" selected="true" /><select idref="V-71933" selected="true" /><select idref="V-71935" selected="true" /><select idref="V-71937" selected="true" /><select idref="V-71939" selected="true" /><select idref="V-71941" selected="true" /><select idref="V-71943" selected="true" /><select idref="V-71945" selected="true" /><select idref="V-71947" selected="true" /><select idref="V-71949" selected="true" /><select idref="V-71951" selected="true" /><select idref="V-71953" selected="true" /><select idref="V-71955" selected="true" /><select idref="V-71957" selected="true" /><select idref="V-71959" selected="true" /><select idref="V-71961" selected="true" /><select idref="V-71963" selected="true" /><select idref="V-71965" selected="true" /><select idref="V-71967" selected="true" /><select idref="V-71969" selected="true" /><select idref="V-71971" selected="true" /><select idref="V-71973" selected="true" /><select idref="V-71975" selected="true" /><select idref="V-71977" selected="true" /><select idref="V-71979" selected="true" /><select idref="V-71983" selected="true" /><select idref="V-71985" selected="true" /><select idref="V-71987" selected="true" /><select idref="V-71989" selected="true" /><select idref="V-71991" selected="true" /><select idref="V-71993" selected="true" /><select idref="V-71995" selected="true" /><select idref="V-71997" selected="true" /><select idref="V-71999" selected="true" /><select idref="V-72001" selected="true" /><select idref="V-72003" selected="true" /><select idref="V-72005" selected="true" /><select idref="V-72007" selected="true" /><select idref="V-72009" selected="true" /><select idref="V-72013" selected="true" /><select idref="V-72015" selected="true" /><select idref="V-72017" selected="true" /><select idref="V-72019" selected="true" /><select idref="V-72021" selected="true" /><select idref="V-72023" selected="true" /><select idref="V-72025" selected="true" /><select idref="V-72027" selected="true" /><select idref="V-72029" selected="true" /><select idref="V-72031" selected="true" /><select idref="V-72033" selected="true" /><select idref="V-72035" selected="true" /><select idref="V-72037" selected="true" /><select idref="V-72039" selected="true" /><select idref="V-72041" selected="true" /><select idref="V-72043" selected="true" /><select idref="V-72045" selected="true" /><select idref="V-72047" selected="true" /><select idref="V-72049" selected="true" /><select idref="V-72051" selected="true" /><select idref="V-72053" selected="true" /><select idref="V-72055" selected="true" /><select idref="V-72057" selected="true" /><select idref="V-72059" selected="true" /><select idref="V-72061" selected="true" /><select idref="V-72063" selected="true" /><select idref="V-72065" selected="true" /><select idref="V-72067" selected="true" /><select idref="V-72069" selected="true" /><select idref="V-72071" selected="true" /><select idref="V-72073" selected="true" /><select idref="V-72075" selected="true" /><select idref="V-72077" selected="true" /><select idref="V-72079" selected="true" /><select idref="V-72081" selected="true" /><select idref="V-72083" selected="true" /><select idref="V-72085" selected="true" /><select idref="V-72087" selected="true" /><select idref="V-72089" selected="true" /><select idref="V-72091" selected="true" /><select idref="V-72093" selected="true" /><select idref="V-72095" selected="true" /><select idref="V-72097" selected="true" /><select idref="V-72099" selected="true" /><select idref="V-72101" selected="true" /><select idref="V-72103" selected="true" /><select idref="V-72105" selected="true" /><select idref="V-72107" selected="true" /><select idref="V-72109" selected="true" /><select idref="V-72111" selected="true" /><select idref="V-72113" selected="true" /><select idref="V-72115" selected="true" /><select idref="V-72117" selected="true" /><select idref="V-72119" selected="true" /><select idref="V-72121" selected="true" /><select idref="V-72123" selected="true" /><select idref="V-72125" selected="true" /><select idref="V-72127" selected="true" /><select idref="V-72129" selected="true" /><select idref="V-72131" selected="true" /><select idref="V-72133" selected="true" /><select idref="V-72135" selected="true" /><select idref="V-72137" selected="true" /><select idref="V-72139" selected="true" /><select idref="V-72141" selected="true" /><select idref="V-72145" selected="true" /><select idref="V-72147" selected="true" /><select idref="V-72149" selected="true" /><select idref="V-72151" selected="true" /><select idref="V-72153" selected="true" /><select idref="V-72155" selected="true" /><select idref="V-72157" selected="true" /><select idref="V-72159" selected="true" /><select idref="V-72161" selected="true" /><select idref="V-72163" selected="true" /><select idref="V-72165" selected="true" /><select idref="V-72167" selected="true" /><select idref="V-72171" selected="true" /><select idref="V-72173" selected="true" /><select idref="V-72175" selected="true" /><select idref="V-72177" selected="true" /><select idref="V-72179" selected="true" /><select idref="V-72183" selected="true" /><select idref="V-72185" selected="true" /><select idref="V-72187" selected="true" /><select idref="V-72189" selected="true" /><select idref="V-72191" selected="true" /><select idref="V-72197" selected="true" /><select idref="V-72199" selected="true" /><select idref="V-72201" selected="true" /><select idref="V-72203" selected="true" /><select idref="V-72205" selected="true" /><select idref="V-72207" selected="true" /><select idref="V-72209" selected="true" /><select idref="V-72211" selected="true" /><select idref="V-72213" selected="true" /><select idref="V-72217" selected="true" /><select idref="V-72219" selected="true" /><select idref="V-72221" selected="true" /><select idref="V-72223" selected="true" /><select idref="V-72225" selected="true" /><select idref="V-72227" selected="true" /><select idref="V-72229" selected="true" /><select idref="V-72231" selected="true" /><select idref="V-72233" selected="true" /><select idref="V-72235" selected="true" /><select idref="V-72237" selected="true" /><select idref="V-72239" selected="true" /><select idref="V-72241" selected="true" /><select idref="V-72243" selected="true" /><select idref="V-72245" selected="true" /><select idref="V-72247" selected="true" /><select idref="V-72249" selected="true" /><select idref="V-72251" selected="true" /><select idref="V-72253" selected="true" /><select idref="V-72255" selected="true" /><select idref="V-72257" selected="true" /><select idref="V-72259" selected="true" /><select idref="V-72261" selected="true" /><select idref="V-72263" selected="true" /><select idref="V-72265" selected="true" /><select idref="V-72267" selected="true" /><select idref="V-72269" selected="true" /><select idref="V-72273" selected="true" /><select idref="V-72275" selected="true" /><select idref="V-72277" selected="true" /><select idref="V-72279" selected="true" /><select idref="V-72281" selected="true" /><select idref="V-72283" selected="true" /><select idref="V-72285" selected="true" /><select idref="V-72287" selected="true" /><select idref="V-72289" selected="true" /><select idref="V-72291" selected="true" /><select idref="V-72293" selected="true" /><select idref="V-72295" selected="true" /><select idref="V-72297" selected="true" /><select idref="V-72299" selected="true" /><select idref="V-72301" selected="true" /><select idref="V-72303" selected="true" /><select idref="V-72305" selected="true" /><select idref="V-72307" selected="true" /><select idref="V-72309" selected="true" /><select idref="V-72311" selected="true" /><select idref="V-72313" selected="true" /><select idref="V-72315" selected="true" /><select idref="V-72317" selected="true" /><select idref="V-72319" selected="true" /><select idref="V-72417" selected="true" /><select idref="V-72427" selected="true" /><select idref="V-72433" selected="true" /><select idref="V-73155" selected="true" /><select idref="V-73157" selected="true" /><select idref="V-73159" selected="true" /><select idref="V-73161" selected="true" /><select idref="V-73163" selected="true" /><select idref="V-73165" selected="true" /><select idref="V-73167" selected="true" /><select idref="V-73171" selected="true" /><select idref="V-73173" selected="true" /><select idref="V-73175" selected="true" /><select idref="V-73177" selected="true" /><select idref="V-77819" selected="true" /><select idref="V-77821" selected="true" /><select idref="V-77823" selected="true" /><select idref="V-77825" selected="true" /><select idref="V-78995" selected="true" /><select idref="V-78997" selected="true" /><select idref="V-78999" selected="true" /><select idref="V-79001" selected="true" /><select idref="V-81003" selected="true" /><select idref="V-81005" selected="true" /><select idref="V-81007" selected="true" /><select idref="V-81013" selected="true" /><select idref="V-81017" selected="true" /><select idref="V-81019" selected="true" /><select idref="V-81021" selected="true" /><select idref="V-92251" selected="true" /><select idref="V-92253" selected="true" /><select idref="V-92255" selected="true" /><select idref="V-94843" selected="true" /><select idref="V-100023" selected="true" /></Profile><Profile id="MAC-3_Public"><title>III - Administrative Public</title><description>&lt;ProfileDescription&gt;&lt;/ProfileDescription&gt;</description><select idref="V-71849" selected="true" /><select idref="V-71855" selected="true" /><select idref="V-71859" selected="true" /><select idref="V-71861" selected="true" /><select idref="V-71863" selected="true" /><select idref="V-71891" selected="true" /><select idref="V-71893" selected="true" /><select idref="V-71899" selected="true" /><select idref="V-71901" selected="true" /><select idref="V-71903" selected="true" /><select idref="V-71905" selected="true" /><select idref="V-71907" selected="true" /><select idref="V-71909" selected="true" /><select idref="V-71911" selected="true" /><select idref="V-71913" selected="true" /><select idref="V-71915" selected="true" /><select idref="V-71917" selected="true" /><select idref="V-71919" selected="true" /><select idref="V-71921" selected="true" /><select idref="V-71923" selected="true" /><select idref="V-71925" selected="true" /><select idref="V-71927" selected="true" /><select idref="V-71929" selected="true" /><select idref="V-71931" selected="true" /><select idref="V-71933" selected="true" /><select idref="V-71935" selected="true" /><select idref="V-71937" selected="true" /><select idref="V-71939" selected="true" /><select idref="V-71941" selected="true" /><select idref="V-71943" selected="true" /><select idref="V-71945" selected="true" /><select idref="V-71947" selected="true" /><select idref="V-71949" selected="true" /><select idref="V-71951" selected="true" /><select idref="V-71953" selected="true" /><select idref="V-71955" selected="true" /><select idref="V-71957" selected="true" /><select idref="V-71959" selected="true" /><select idref="V-71961" selected="true" /><select idref="V-71963" selected="true" /><select idref="V-71965" selected="true" /><select idref="V-71967" selected="true" /><select idref="V-71969" selected="true" /><select idref="V-71971" selected="true" /><select idref="V-71973" selected="true" /><select idref="V-71975" selected="true" /><select idref="V-71977" selected="true" /><select idref="V-71979" selected="true" /><select idref="V-71983" selected="true" /><select idref="V-71985" selected="true" /><select idref="V-71987" selected="true" /><select idref="V-71989" selected="true" /><select idref="V-71991" selected="true" /><select idref="V-71993" selected="true" /><select idref="V-71995" selected="true" /><select idref="V-71997" selected="true" /><select idref="V-71999" selected="true" /><select idref="V-72001" selected="true" /><select idref="V-72003" selected="true" /><select idref="V-72005" selected="true" /><select idref="V-72007" selected="true" /><select idref="V-72009" selected="true" /><select idref="V-72013" selected="true" /><select idref="V-72015" selected="true" /><select idref="V-72017" selected="true" /><select idref="V-72019" selected="true" /><select idref="V-72021" selected="true" /><select idref="V-72023" selected="true" /><select idref="V-72025" selected="true" /><select idref="V-72027" selected="true" /><select idref="V-72029" selected="true" /><select idref="V-72031" selected="true" /><select idref="V-72033" selected="true" /><select idref="V-72035" selected="true" /><select idref="V-72037" selected="true" /><select idref="V-72039" selected="true" /><select idref="V-72041" selected="true" /><select idref="V-72043" selected="true" /><select idref="V-72045" selected="true" /><select idref="V-72047" selected="true" /><select idref="V-72049" selected="true" /><select idref="V-72051" selected="true" /><select idref="V-72053" selected="true" /><select idref="V-72055" selected="true" /><select idref="V-72057" selected="true" /><select idref="V-72059" selected="true" /><select idref="V-72061" selected="true" /><select idref="V-72063" selected="true" /><select idref="V-72065" selected="true" /><select idref="V-72067" selected="true" /><select idref="V-72069" selected="true" /><select idref="V-72071" selected="true" /><select idref="V-72073" selected="true" /><select idref="V-72075" selected="true" /><select idref="V-72077" selected="true" /><select idref="V-72079" selected="true" /><select idref="V-72081" selected="true" /><select idref="V-72083" selected="true" /><select idref="V-72085" selected="true" /><select idref="V-72087" selected="true" /><select idref="V-72089" selected="true" /><select idref="V-72091" selected="true" /><select idref="V-72093" selected="true" /><select idref="V-72095" selected="true" /><select idref="V-72097" selected="true" /><select idref="V-72099" selected="true" /><select idref="V-72101" selected="true" /><select idref="V-72103" selected="true" /><select idref="V-72105" selected="true" /><select idref="V-72107" selected="true" /><select idref="V-72109" selected="true" /><select idref="V-72111" selected="true" /><select idref="V-72113" selected="true" /><select idref="V-72115" selected="true" /><select idref="V-72117" selected="true" /><select idref="V-72119" selected="true" /><select idref="V-72121" selected="true" /><select idref="V-72123" selected="true" /><select idref="V-72125" selected="true" /><select idref="V-72127" selected="true" /><select idref="V-72129" selected="true" /><select idref="V-72131" selected="true" /><select idref="V-72133" selected="true" /><select idref="V-72135" selected="true" /><select idref="V-72137" selected="true" /><select idref="V-72139" selected="true" /><select idref="V-72141" selected="true" /><select idref="V-72145" selected="true" /><select idref="V-72147" selected="true" /><select idref="V-72149" selected="true" /><select idref="V-72151" selected="true" /><select idref="V-72153" selected="true" /><select idref="V-72155" selected="true" /><select idref="V-72157" selected="true" /><select idref="V-72159" selected="true" /><select idref="V-72161" selected="true" /><select idref="V-72163" selected="true" /><select idref="V-72165" selected="true" /><select idref="V-72167" selected="true" /><select idref="V-72171" selected="true" /><select idref="V-72173" selected="true" /><select idref="V-72175" selected="true" /><select idref="V-72177" selected="true" /><select idref="V-72179" selected="true" /><select idref="V-72183" selected="true" /><select idref="V-72185" selected="true" /><select idref="V-72187" selected="true" /><select idref="V-72189" selected="true" /><select idref="V-72191" selected="true" /><select idref="V-72197" selected="true" /><select idref="V-72199" selected="true" /><select idref="V-72201" selected="true" /><select idref="V-72203" selected="true" /><select idref="V-72205" selected="true" /><select idref="V-72207" selected="true" /><select idref="V-72209" selected="true" /><select idref="V-72211" selected="true" /><select idref="V-72213" selected="true" /><select idref="V-72217" selected="true" /><select idref="V-72219" selected="true" /><select idref="V-72221" selected="true" /><select idref="V-72223" selected="true" /><select idref="V-72225" selected="true" /><select idref="V-72227" selected="true" /><select idref="V-72229" selected="true" /><select idref="V-72231" selected="true" /><select idref="V-72233" selected="true" /><select idref="V-72235" selected="true" /><select idref="V-72237" selected="true" /><select idref="V-72239" selected="true" /><select idref="V-72241" selected="true" /><select idref="V-72243" selected="true" /><select idref="V-72245" selected="true" /><select idref="V-72247" selected="true" /><select idref="V-72249" selected="true" /><select idref="V-72251" selected="true" /><select idref="V-72253" selected="true" /><select idref="V-72255" selected="true" /><select idref="V-72257" selected="true" /><select idref="V-72259" selected="true" /><select idref="V-72261" selected="true" /><select idref="V-72263" selected="true" /><select idref="V-72265" selected="true" /><select idref="V-72267" selected="true" /><select idref="V-72269" selected="true" /><select idref="V-72273" selected="true" /><select idref="V-72275" selected="true" /><select idref="V-72277" selected="true" /><select idref="V-72279" selected="true" /><select idref="V-72281" selected="true" /><select idref="V-72283" selected="true" /><select idref="V-72285" selected="true" /><select idref="V-72287" selected="true" /><select idref="V-72289" selected="true" /><select idref="V-72291" selected="true" /><select idref="V-72293" selected="true" /><select idref="V-72295" selected="true" /><select idref="V-72297" selected="true" /><select idref="V-72299" selected="true" /><select idref="V-72301" selected="true" /><select idref="V-72303" selected="true" /><select idref="V-72305" selected="true" /><select idref="V-72307" selected="true" /><select idref="V-72309" selected="true" /><select idref="V-72311" selected="true" /><select idref="V-72313" selected="true" /><select idref="V-72315" selected="true" /><select idref="V-72317" selected="true" /><select idref="V-72319" selected="true" /><select idref="V-72417" selected="true" /><select idref="V-72427" selected="true" /><select idref="V-72433" selected="true" /><select idref="V-73155" selected="true" /><select idref="V-73157" selected="true" /><select idref="V-73159" selected="true" /><select idref="V-73161" selected="true" /><select idref="V-73163" selected="true" /><select idref="V-73165" selected="true" /><select idref="V-73167" selected="true" /><select idref="V-73171" selected="true" /><select idref="V-73173" selected="true" /><select idref="V-73175" selected="true" /><select idref="V-73177" selected="true" /><select idref="V-77819" selected="true" /><select idref="V-77821" selected="true" /><select idref="V-77823" selected="true" /><select idref="V-77825" selected="true" /><select idref="V-78995" selected="true" /><select idref="V-78997" selected="true" /><select idref="V-78999" selected="true" /><select idref="V-79001" selected="true" /><select idref="V-81003" selected="true" /><select idref="V-81005" selected="true" /><select idref="V-81007" selected="true" /><select idref="V-81013" selected="true" /><select idref="V-81017" selected="true" /><select idref="V-81019" selected="true" /><select idref="V-81021" selected="true" /><select idref="V-92251" selected="true" /><select idref="V-92253" selected="true" /><select idref="V-92255" selected="true" /><select idref="V-94843" selected="true" /><select idref="V-100023" selected="true" /></Profile><Profile id="MAC-3_Sensitive"><title>III - Administrative Sensitive</title><description>&lt;ProfileDescription&gt;&lt;/ProfileDescription&gt;</description><select idref="V-71849" selected="true" /><select idref="V-71855" selected="true" /><select idref="V-71859" selected="true" /><select idref="V-71861" selected="true" /><select idref="V-71863" selected="true" /><select idref="V-71891" selected="true" /><select idref="V-71893" selected="true" /><select idref="V-71899" selected="true" /><select idref="V-71901" selected="true" /><select idref="V-71903" selected="true" /><select idref="V-71905" selected="true" /><select idref="V-71907" selected="true" /><select idref="V-71909" selected="true" /><select idref="V-71911" selected="true" /><select idref="V-71913" selected="true" /><select idref="V-71915" selected="true" /><select idref="V-71917" selected="true" /><select idref="V-71919" selected="true" /><select idref="V-71921" selected="true" /><select idref="V-71923" selected="true" /><select idref="V-71925" selected="true" /><select idref="V-71927" selected="true" /><select idref="V-71929" selected="true" /><select idref="V-71931" selected="true" /><select idref="V-71933" selected="true" /><select idref="V-71935" selected="true" /><select idref="V-71937" selected="true" /><select idref="V-71939" selected="true" /><select idref="V-71941" selected="true" /><select idref="V-71943" selected="true" /><select idref="V-71945" selected="true" /><select idref="V-71947" selected="true" /><select idref="V-71949" selected="true" /><select idref="V-71951" selected="true" /><select idref="V-71953" selected="true" /><select idref="V-71955" selected="true" /><select idref="V-71957" selected="true" /><select idref="V-71959" selected="true" /><select idref="V-71961" selected="true" /><select idref="V-71963" selected="true" /><select idref="V-71965" selected="true" /><select idref="V-71967" selected="true" /><select idref="V-71969" selected="true" /><select idref="V-71971" selected="true" /><select idref="V-71973" selected="true" /><select idref="V-71975" selected="true" /><select idref="V-71977" selected="true" /><select idref="V-71979" selected="true" /><select idref="V-71983" selected="true" /><select idref="V-71985" selected="true" /><select idref="V-71987" selected="true" /><select idref="V-71989" selected="true" /><select idref="V-71991" selected="true" /><select idref="V-71993" selected="true" /><select idref="V-71995" selected="true" /><select idref="V-71997" selected="true" /><select idref="V-71999" selected="true" /><select idref="V-72001" selected="true" /><select idref="V-72003" selected="true" /><select idref="V-72005" selected="true" /><select idref="V-72007" selected="true" /><select idref="V-72009" selected="true" /><select idref="V-72013" selected="true" /><select idref="V-72015" selected="true" /><select idref="V-72017" selected="true" /><select idref="V-72019" selected="true" /><select idref="V-72021" selected="true" /><select idref="V-72023" selected="true" /><select idref="V-72025" selected="true" /><select idref="V-72027" selected="true" /><select idref="V-72029" selected="true" /><select idref="V-72031" selected="true" /><select idref="V-72033" selected="true" /><select idref="V-72035" selected="true" /><select idref="V-72037" selected="true" /><select idref="V-72039" selected="true" /><select idref="V-72041" selected="true" /><select idref="V-72043" selected="true" /><select idref="V-72045" selected="true" /><select idref="V-72047" selected="true" /><select idref="V-72049" selected="true" /><select idref="V-72051" selected="true" /><select idref="V-72053" selected="true" /><select idref="V-72055" selected="true" /><select idref="V-72057" selected="true" /><select idref="V-72059" selected="true" /><select idref="V-72061" selected="true" /><select idref="V-72063" selected="true" /><select idref="V-72065" selected="true" /><select idref="V-72067" selected="true" /><select idref="V-72069" selected="true" /><select idref="V-72071" selected="true" /><select idref="V-72073" selected="true" /><select idref="V-72075" selected="true" /><select idref="V-72077" selected="true" /><select idref="V-72079" selected="true" /><select idref="V-72081" selected="true" /><select idref="V-72083" selected="true" /><select idref="V-72085" selected="true" /><select idref="V-72087" selected="true" /><select idref="V-72089" selected="true" /><select idref="V-72091" selected="true" /><select idref="V-72093" selected="true" /><select idref="V-72095" selected="true" /><select idref="V-72097" selected="true" /><select idref="V-72099" selected="true" /><select idref="V-72101" selected="true" /><select idref="V-72103" selected="true" /><select idref="V-72105" selected="true" /><select idref="V-72107" selected="true" /><select idref="V-72109" selected="true" /><select idref="V-72111" selected="true" /><select idref="V-72113" selected="true" /><select idref="V-72115" selected="true" /><select idref="V-72117" selected="true" /><select idref="V-72119" selected="true" /><select idref="V-72121" selected="true" /><select idref="V-72123" selected="true" /><select idref="V-72125" selected="true" /><select idref="V-72127" selected="true" /><select idref="V-72129" selected="true" /><select idref="V-72131" selected="true" /><select idref="V-72133" selected="true" /><select idref="V-72135" selected="true" /><select idref="V-72137" selected="true" /><select idref="V-72139" selected="true" /><select idref="V-72141" selected="true" /><select idref="V-72145" selected="true" /><select idref="V-72147" selected="true" /><select idref="V-72149" selected="true" /><select idref="V-72151" selected="true" /><select idref="V-72153" selected="true" /><select idref="V-72155" selected="true" /><select idref="V-72157" selected="true" /><select idref="V-72159" selected="true" /><select idref="V-72161" selected="true" /><select idref="V-72163" selected="true" /><select idref="V-72165" selected="true" /><select idref="V-72167" selected="true" /><select idref="V-72171" selected="true" /><select idref="V-72173" selected="true" /><select idref="V-72175" selected="true" /><select idref="V-72177" selected="true" /><select idref="V-72179" selected="true" /><select idref="V-72183" selected="true" /><select idref="V-72185" selected="true" /><select idref="V-72187" selected="true" /><select idref="V-72189" selected="true" /><select idref="V-72191" selected="true" /><select idref="V-72197" selected="true" /><select idref="V-72199" selected="true" /><select idref="V-72201" selected="true" /><select idref="V-72203" selected="true" /><select idref="V-72205" selected="true" /><select idref="V-72207" selected="true" /><select idref="V-72209" selected="true" /><select idref="V-72211" selected="true" /><select idref="V-72213" selected="true" /><select idref="V-72217" selected="true" /><select idref="V-72219" selected="true" /><select idref="V-72221" selected="true" /><select idref="V-72223" selected="true" /><select idref="V-72225" selected="true" /><select idref="V-72227" selected="true" /><select idref="V-72229" selected="true" /><select idref="V-72231" selected="true" /><select idref="V-72233" selected="true" /><select idref="V-72235" selected="true" /><select idref="V-72237" selected="true" /><select idref="V-72239" selected="true" /><select idref="V-72241" selected="true" /><select idref="V-72243" selected="true" /><select idref="V-72245" selected="true" /><select idref="V-72247" selected="true" /><select idref="V-72249" selected="true" /><select idref="V-72251" selected="true" /><select idref="V-72253" selected="true" /><select idref="V-72255" selected="true" /><select idref="V-72257" selected="true" /><select idref="V-72259" selected="true" /><select idref="V-72261" selected="true" /><select idref="V-72263" selected="true" /><select idref="V-72265" selected="true" /><select idref="V-72267" selected="true" /><select idref="V-72269" selected="true" /><select idref="V-72273" selected="true" /><select idref="V-72275" selected="true" /><select idref="V-72277" selected="true" /><select idref="V-72279" selected="true" /><select idref="V-72281" selected="true" /><select idref="V-72283" selected="true" /><select idref="V-72285" selected="true" /><select idref="V-72287" selected="true" /><select idref="V-72289" selected="true" /><select idref="V-72291" selected="true" /><select idref="V-72293" selected="true" /><select idref="V-72295" selected="true" /><select idref="V-72297" selected="true" /><select idref="V-72299" selected="true" /><select idref="V-72301" selected="true" /><select idref="V-72303" selected="true" /><select idref="V-72305" selected="true" /><select idref="V-72307" selected="true" /><select idref="V-72309" selected="true" /><select idref="V-72311" selected="true" /><select idref="V-72313" selected="true" /><select idref="V-72315" selected="true" /><select idref="V-72317" selected="true" /><select idref="V-72319" selected="true" /><select idref="V-72417" selected="true" /><select idref="V-72427" selected="true" /><select idref="V-72433" selected="true" /><select idref="V-73155" selected="true" /><select idref="V-73157" selected="true" /><select idref="V-73159" selected="true" /><select idref="V-73161" selected="true" /><select idref="V-73163" selected="true" /><select idref="V-73165" selected="true" /><select idref="V-73167" selected="true" /><select idref="V-73171" selected="true" /><select idref="V-73173" selected="true" /><select idref="V-73175" selected="true" /><select idref="V-73177" selected="true" /><select idref="V-77819" selected="true" /><select idref="V-77821" selected="true" /><select idref="V-77823" selected="true" /><select idref="V-77825" selected="true" /><select idref="V-78995" selected="true" /><select idref="V-78997" selected="true" /><select idref="V-78999" selected="true" /><select idref="V-79001" selected="true" /><select idref="V-81003" selected="true" /><select idref="V-81005" selected="true" /><select idref="V-81007" selected="true" /><select idref="V-81013" selected="true" /><select idref="V-81017" selected="true" /><select idref="V-81019" selected="true" /><select idref="V-81021" selected="true" /><select idref="V-92251" selected="true" /><select idref="V-92253" selected="true" /><select idref="V-92255" selected="true" /><select idref="V-94843" selected="true" /><select idref="V-100023" selected="true" /></Profile><Group id="V-71849"><title>SRG-OS-000257-GPOS-00098</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86473r4_rule" severity="high" weight="10.0"><version>RHEL-07-010010</version><title>The Red Hat Enterprise Linux operating system must be configured so that the file permissions, ownership, and group membership of system files and commands match the vendor values.</title><description>&lt;VulnDiscussion&gt;Discretionary access control is weakened if a user or group has access permissions to system files and directories greater than the default.
--
--Satisfies: SRG-OS-000257-GPOS-00098, SRG-OS-000278-GPOS-00108&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-001494</ident><ident system="http://iase.disa.mil/cci">CCI-001496</ident><ident system="http://iase.disa.mil/cci">CCI-002165</ident><ident system="http://iase.disa.mil/cci">CCI-002235</ident><fixtext fixref="F-78201r4_fix">Run the following command to determine which package owns the file:
--
--# rpm -qf &lt;filename&gt;
--
--Reset the user and group ownership of files within a package with the following command:
--
--#rpm --setugids &lt;packagename&gt;
--
--
--Reset the permissions of files within a package with the following command:
--
--#rpm --setperms &lt;packagename&gt;</fixtext><fix id="F-78201r4_fix" /><check system="C-72081r8_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the file permissions, ownership, and group membership of system files and commands match the vendor values.
--
--Check the default file permissions, ownership, and group membership of system files and commands with the following command:
--
--# for i in `rpm -Va | egrep -i '^\.[M|U|G|.]{8}' | cut -d " " -f4,5`;do for j in `rpm -qf $i`;do rpm -ql $j --dump | cut -d " " -f1,5,6,7 | grep $i;done;done
--
--/var/log/gdm 040755 root root
--/etc/audisp/audisp-remote.conf 0100640 root root
--/usr/bin/passwd 0104755 root root
--
--For each file returned, verify the current permissions, ownership, and group membership:
--# ls -la &lt;filename&gt;
--
---rw-------. 1 root root 133 Jan 11 13:25 /etc/audisp/audisp-remote.conf
--
--If the file is more permissive than the default permissions, this is a finding.
--
--If the file is not owned by the default owner and is not documented with the Information System Security Officer (ISSO), this is a finding.
--
--If the file is not a member of the default group and is not documented with the Information System Security Officer (ISSO), this is a finding.</check-content></check></Rule></Group><Group id="V-71855"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86479r4_rule" severity="high" weight="10.0"><version>RHEL-07-010020</version><title>The Red Hat Enterprise Linux operating system must be configured so that the cryptographic hash of system files and commands matches vendor values.</title><description>&lt;VulnDiscussion&gt;Without cryptographic integrity protections, system command and files can be altered by unauthorized users without detection.
--
--Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the key used to generate the hash.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-001749</ident><fixtext fixref="F-78207r1_fix">Run the following command to determine which package owns the file:
--
--# rpm -qf &lt;filename&gt;
--
--The package can be reinstalled from a yum repository using the command:
--
--# sudo yum reinstall &lt;packagename&gt;
--
--Alternatively, the package can be reinstalled from trusted media using the command:
--
--# sudo rpm -Uvh &lt;packagename&gt;</fixtext><fix id="F-78207r1_fix" /><check system="C-72087r3_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the cryptographic hash of system files and commands match the vendor values.
--
--Check the cryptographic hash of system files and commands with the following command:
--
--Note: System configuration files (indicated by a "c" in the second column) are expected to change over time. Unusual modifications should be investigated through the system audit log.
--
--# rpm -Va --noconfig | grep '^..5'
--
--If there is any output from the command for system files or binaries, this is a finding.</check-content></check></Rule></Group><Group id="V-71859"><title>SRG-OS-000023-GPOS-00006</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86483r4_rule" severity="medium" weight="10.0"><version>RHEL-07-010030</version><title>The Red Hat Enterprise Linux operating system must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a graphical user logon.</title><description>&lt;VulnDiscussion&gt;Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.
--
--System use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist.
--
--The banner must be formatted in accordance with applicable DoD policy. Use the following verbiage for operating systems that can accommodate banners of 1300 characters:
--
--"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.
--
--By using this IS (which includes any device attached to this IS), you consent to the following conditions:
--
---The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
--
---At any time, the USG may inspect and seize data stored on this IS.
--
---Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
--
---This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.
--
---Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."
--
--
--Satisfies: SRG-OS-000023-GPOS-00006, SRG-OS-000024-GPOS-00007, SRG-OS-000228-GPOS-00088&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000048</ident><fixtext fixref="F-78211r4_fix">Configure the operating system to display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system.
--
--Note: If the system does not have GNOME installed, this requirement is Not Applicable.
--
--Create a database to contain the system-wide graphical user logon settings (if it does not already exist) with the following command:
--
--# touch /etc/dconf/db/local.d/01-banner-message
--
--Add the following line to the [org/gnome/login-screen] section of the "/etc/dconf/db/local.d/01-banner-message":
--
--[org/gnome/login-screen]
--banner-message-enable=true
--
--Update the system databases:
--
--# dconf update
--
--Users must log out and back in again before the system-wide settings take effect.</fixtext><fix id="F-78211r4_fix" /><check system="C-72091r5_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system displays the Standard Mandatory DoD Notice and Consent Banner before granting access to the operating system via a graphical user logon.
--
--Note: If the system does not have GNOME installed, this requirement is Not Applicable. 
--
--Check to see if the operating system displays a banner at the logon screen with the following command:
--
--# grep banner-message-enable /etc/dconf/db/local.d/*
--banner-message-enable=true
--
--If "banner-message-enable" is set to "false" or is missing, this is a finding.</check-content></check></Rule></Group><Group id="V-71861"><title>SRG-OS-000023-GPOS-00006</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86485r5_rule" severity="medium" weight="10.0"><version>RHEL-07-010040</version><title>The Red Hat Enterprise Linux operating system must display the approved Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a graphical user logon.</title><description>&lt;VulnDiscussion&gt;Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.
--
--System use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist.
--
--The banner must be formatted in accordance with applicable DoD policy.
--
--"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.
--
--By using this IS (which includes any device attached to this IS), you consent to the following conditions:
--
---The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
--
---At any time, the USG may inspect and seize data stored on this IS.
--
---Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
--
---This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.
--
---Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."
--
--Satisfies: SRG-OS-000023-GPOS-00006, SRG-OS-000024-GPOS-00007, SRG-OS-000228-GPOS-00088&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000048</ident><fixtext fixref="F-78213r6_fix">Configure the operating system to display the approved Standard Mandatory DoD Notice and Consent Banner before granting access to the system.
--
--Note: If the system does not have a Graphical User Interface installed, this requirement is Not Applicable.
--
--Create a database to contain the system-wide graphical user logon settings (if it does not already exist) with the following command:
--
--# touch /etc/dconf/db/local.d/01-banner-message
--
--Add the following line to the [org/gnome/login-screen] section of the "/etc/dconf/db/local.d/01-banner-message":
--
--[org/gnome/login-screen]
--
--banner-message-enable=true
--
--banner-message-text='You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n-At any time, the USG may inspect and seize data stored on this IS.\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. '
--
--Note: The "\n " characters are for formatting only. They will not be displayed on the Graphical User Interface.
--
--Run the following command to update the database:
--# dconf update</fixtext><fix id="F-78213r6_fix" /><check system="C-72093r5_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system displays the approved Standard Mandatory DoD Notice and Consent Banner before granting access to the operating system via a graphical user logon.
--
--Note: If the system does not have a Graphical User Interface installed, this requirement is Not Applicable.
--
--Check that the operating system displays the exact approved Standard Mandatory DoD Notice and Consent Banner text with the command:
--
--# grep banner-message-text /etc/dconf/db/local.d/*
--banner-message-text=
--'You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n-At any time, the USG may inspect and seize data stored on this IS.\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. '
--
--Note: The "\n " characters are for formatting only. They will not be displayed on the Graphical User Interface.
--
--If the banner does not match the approved Standard Mandatory DoD Notice and Consent Banner, this is a finding.</check-content></check></Rule></Group><Group id="V-71863"><title>SRG-OS-000023-GPOS-00006</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86487r3_rule" severity="medium" weight="10.0"><version>RHEL-07-010050</version><title>The Red Hat Enterprise Linux operating system must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a command line user logon.</title><description>&lt;VulnDiscussion&gt;Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.
--
--System use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist.
--
--The banner must be formatted in accordance with applicable DoD policy. Use the following verbiage for operating systems that can accommodate banners of 1300 characters:
--
--"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.
--
--By using this IS (which includes any device attached to this IS), you consent to the following conditions:
--
---The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
--
---At any time, the USG may inspect and seize data stored on this IS.
--
---Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
--
---This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.
--
---Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."
--
--Satisfies: SRG-OS-000023-GPOS-00006, SRG-OS-000024-GPOS-00007&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000048</ident><fixtext fixref="F-78217r2_fix">Configure the operating system to display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system via the command line by editing the "/etc/issue" file.
--
--Replace the default text with the Standard Mandatory DoD Notice and Consent Banner. The DoD required text is:
--"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.
--
--By using this IS (which includes any device attached to this IS), you consent to the following conditions:
--
---The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
--
---At any time, the USG may inspect and seize data stored on this IS.
--
---Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
--
---This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.
--
---Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants.  Such communications and work product are private and confidential.  See User Agreement for details."</fixtext><fix id="F-78217r2_fix" /><check system="C-72097r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system displays the Standard Mandatory DoD Notice and Consent Banner before granting access to the operating system via a command line user logon.
--
--Check to see if the operating system displays a banner at the command line logon screen with the following command:
--
--# more /etc/issue
--
--The command should return the following text:
--"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.
--
--By using this IS (which includes any device attached to this IS), you consent to the following conditions:
--
---The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
--
---At any time, the USG may inspect and seize data stored on this IS.
--
---Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
--
---This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.
--
---Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."
--
--If the operating system does not display a graphical logon banner or the banner does not match the Standard Mandatory DoD Notice and Consent Banner, this is a finding.
--
--If the text in the "/etc/issue" file does not match the Standard Mandatory DoD Notice and Consent Banner, this is a finding.</check-content></check></Rule></Group><Group id="V-71891"><title>SRG-OS-000028-GPOS-00009</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86515r6_rule" severity="medium" weight="10.0"><version>RHEL-07-010060</version><title>The Red Hat Enterprise Linux operating system must enable a user session lock until that user re-establishes access using established identification and authentication procedures.</title><description>&lt;VulnDiscussion&gt;A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence.
--
--The session lock is implemented at the point where session activity can be determined.
--
--Regardless of where the session lock is determined and implemented, once invoked, the session lock must remain in place until the user reauthenticates. No other activity aside from reauthentication must unlock the system.
--
--Satisfies: SRG-OS-000028-GPOS-00009, SRG-OS-000030-GPOS-00011&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000056</ident><fixtext fixref="F-78243r9_fix">Configure the operating system to enable a user's session lock until that user re-establishes access using established identification and authentication procedures.
--
--Create a database to contain the system-wide screensaver settings (if it does not already exist) with the following example:
--
--# touch /etc/dconf/db/local.d/00-screensaver
--
--Edit the "[org/gnome/desktop/screensaver]" section of the database file and add or update the following lines:
--
--# Set this to true to lock the screen when the screensaver activates
--lock-enabled=true
--
--Update the system databases:
--
--# dconf update
--
--Users must log out and back in again before the system-wide settings take effect. </fixtext><fix id="F-78243r9_fix" /><check system="C-72123r2_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system enables a user's session lock until that user re-establishes access using established identification and authentication procedures. The screen program must be installed to lock sessions on the console.
--
--Note: If the system does not have GNOME installed, this requirement is Not Applicable.
--
--Check to see if the screen lock is enabled with the following command:
--
--# grep -i lock-enabled /etc/dconf/db/local.d/*
--lock-enabled=true
--
--If the "lock-enabled" setting is missing or is not set to "true", this is a finding.</check-content></check></Rule></Group><Group id="V-71893"><title>SRG-OS-000029-GPOS-00010</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86517r5_rule" severity="medium" weight="10.0"><version>RHEL-07-010070</version><title>The Red Hat Enterprise Linux operating system must initiate a screensaver after a 15-minute period of inactivity for graphical user interfaces.</title><description>&lt;VulnDiscussion&gt;A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock.
--
--The session lock is implemented at the point where session activity can be determined and/or controlled.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000057</ident><fixtext fixref="F-78245r5_fix">Configure the operating system to initiate a screensaver after a 15-minute period of inactivity for graphical user interfaces.
--
--Create a database to contain the system-wide screensaver settings (if it does not already exist) with the following command:
--
--# touch /etc/dconf/db/local.d/00-screensaver
--
--Edit /etc/dconf/db/local.d/00-screensaver and add or update the following lines:
--
--[org/gnome/desktop/session]
--# Set the lock time out to 900 seconds before the session is considered idle
--idle-delay=uint32 900
--
--You must include the "uint32" along with the integer key values as shown.
--
--Update the system databases:
--
--# dconf update
--
--Users must log out and back in again before the system-wide settings take effect.</fixtext><fix id="F-78245r5_fix" /><check system="C-72125r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system initiates a screensaver after a 15-minute period of inactivity for graphical user interfaces. The screen program must be installed to lock sessions on the console.
--
--Note: If the system does not have GNOME installed, this requirement is Not Applicable.
--
--Check to see if GNOME is configured to display a screensaver after a 15 minute delay with the following command:
--
--# grep -i idle-delay /etc/dconf/db/local.d/*
--idle-delay=uint32 900
--
--If the "idle-delay" setting is missing or is not set to "900" or less, this is a finding.</check-content></check></Rule></Group><Group id="V-71899"><title>SRG-OS-000029-GPOS-00010</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86523r5_rule" severity="medium" weight="10.0"><version>RHEL-07-010100</version><title>The Red Hat Enterprise Linux operating system must initiate a session lock for the screensaver after a period of inactivity for graphical user interfaces.</title><description>&lt;VulnDiscussion&gt;A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock.
--
--The session lock is implemented at the point where session activity can be determined and/or controlled.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000057</ident><fixtext fixref="F-78251r2_fix">Configure the operating system to initiate a session lock after a 15-minute period of inactivity for graphical user interfaces.
--
--Create a database to contain the system-wide screensaver settings (if it does not already exist) with the following command: 
--
--# touch /etc/dconf/db/local.d/00-screensaver
--
--Add the setting to enable screensaver locking after 15 minutes of inactivity:
--
--[org/gnome/desktop/screensaver]
--
--idle-activation-enabled=true
--
--Update the system databases:
--
--# dconf update
--
--Users must log out and back in again before the system-wide settings take effect.</fixtext><fix id="F-78251r2_fix" /><check system="C-72131r4_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system initiates a session lock after a 15-minute period of inactivity for graphical user interfaces. The screen program must be installed to lock sessions on the console.
--
--Note: If the system does not have a Graphical User Interface installed, this requirement is Not Applicable.
--
--Check for the session lock settings with the following commands:
--
--# grep -i idle-activation-enabled /etc/dconf/db/local.d/*
--
--idle-activation-enabled=true
--
--If "idle-activation-enabled" is not set to "true", this is a finding.</check-content></check></Rule></Group><Group id="V-71901"><title>SRG-OS-000029-GPOS-00010</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86525r3_rule" severity="medium" weight="10.0"><version>RHEL-07-010110</version><title>The Red Hat Enterprise Linux operating system must initiate a session lock for graphical user interfaces when the screensaver is activated.</title><description>&lt;VulnDiscussion&gt;A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock.
--
--The session lock is implemented at the point where session activity can be determined and/or controlled.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000057</ident><fixtext fixref="F-78253r2_fix">Configure the operating system to initiate a session lock for graphical user interfaces when a screensaver is activated.
--
--Create a database to contain the system-wide screensaver settings (if it does not already exist) with the following command: 
--
--# touch /etc/dconf/db/local.d/00-screensaver
--
--Add the setting to enable session locking when a screensaver is activated:
--
--[org/gnome/desktop/screensaver]
--lock-delay=uint32 5
--
--The "uint32" must be included along with the integer key values as shown.
--
--Update the system databases:
--
--# dconf update
--
--Users must log out and back in again before the system-wide settings take effect.</fixtext><fix id="F-78253r2_fix" /><check system="C-72133r5_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system initiates a session lock a for graphical user interfaces when the screensaver is activated. 
--
--Note: If the system does not have GNOME installed, this requirement is Not Applicable. The screen program must be installed to lock sessions on the console.
--
--If GNOME is installed, check to see a session lock occurs when the screensaver is activated with the following command:
--
--# grep -i lock-delay /etc/dconf/db/local.d/*
--lock-delay=uint32 5
--
--If the "lock-delay" setting is missing, or is not set to "5" or less, this is a finding.</check-content></check></Rule></Group><Group id="V-71903"><title>SRG-OS-000069-GPOS-00037</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86527r3_rule" severity="medium" weight="10.0"><version>RHEL-07-010120</version><title>The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed or new passwords are established, the new password must contain at least one upper-case character.</title><description>&lt;VulnDiscussion&gt;Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
--
--Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000192</ident><fixtext fixref="F-78255r1_fix">Configure the operating system to enforce password complexity by requiring that at least one upper-case character be used by setting the "ucredit" option.
--
--Add the following line to "/etc/security/pwquality.conf" (or modify the line to have the required value):
--
--ucredit = -1</fixtext><fix id="F-78255r1_fix" /><check system="C-72135r3_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Note: The value to require a number of upper-case characters to be set is expressed as a negative number in "/etc/security/pwquality.conf".
--
--Check the value for "ucredit" in "/etc/security/pwquality.conf" with the following command:
--
--# grep ucredit /etc/security/pwquality.conf 
--ucredit = -1
--
--If the value of "ucredit" is not set to a negative value, this is a finding.</check-content></check></Rule></Group><Group id="V-71905"><title>SRG-OS-000070-GPOS-00038</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86529r5_rule" severity="medium" weight="10.0"><version>RHEL-07-010130</version><title>The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed or new passwords are established, the new password must contain at least one lower-case character.</title><description>&lt;VulnDiscussion&gt;Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
--
--Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000193</ident><fixtext fixref="F-78257r6_fix">Configure the system to require at least one lower-case character when creating or changing a password.
--
--Add or modify the following line 
--in "/etc/security/pwquality.conf":
--
--lcredit = -1</fixtext><fix id="F-78257r6_fix" /><check system="C-72137r5_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Note: The value to require a number of lower-case characters to be set is expressed as a negative number in "/etc/security/pwquality.conf".
--
--Check the value for "lcredit" in "/etc/security/pwquality.conf" with the following command:
--
--# grep lcredit /etc/security/pwquality.conf 
--lcredit = -1 
--
--If the value of "lcredit" is not set to a negative value, this is a finding.</check-content></check></Rule></Group><Group id="V-71907"><title>SRG-OS-000071-GPOS-00039</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86531r3_rule" severity="medium" weight="10.0"><version>RHEL-07-010140</version><title>The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed or new passwords are assigned, the new password must contain at least one numeric character.</title><description>&lt;VulnDiscussion&gt;Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
--
--Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000194</ident><fixtext fixref="F-78259r1_fix">Configure the operating system to enforce password complexity by requiring that at least one numeric character be used by setting the "dcredit" option.
--
--Add the following line to /etc/security/pwquality.conf (or modify the line to have the required value):
--
--dcredit = -1</fixtext><fix id="F-78259r1_fix" /><check system="C-72139r2_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Note: The value to require a number of numeric characters to be set is expressed as a negative number in "/etc/security/pwquality.conf".
--
--Check the value for "dcredit" in "/etc/security/pwquality.conf" with the following command:
--
--# grep dcredit /etc/security/pwquality.conf 
--dcredit = -1 
--
--If the value of "dcredit" is not set to a negative value, this is a finding.</check-content></check></Rule></Group><Group id="V-71909"><title>SRG-OS-000266-GPOS-00101</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86533r2_rule" severity="medium" weight="10.0"><version>RHEL-07-010150</version><title>The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed or new passwords are established, the new password must contain at least one special character.</title><description>&lt;VulnDiscussion&gt;Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
--
--Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-001619</ident><fixtext fixref="F-78261r2_fix">Configure the operating system to enforce password complexity by requiring that at least one special character be used by setting the "ocredit" option.
--
--Add the following line to "/etc/security/pwquality.conf" (or modify the line to have the required value):
--
--ocredit = -1</fixtext><fix id="F-78261r2_fix" /><check system="C-72141r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system enforces password complexity by requiring that at least one special character be used.
--
--Note: The value to require a number of special characters to be set is expressed as a negative number in "/etc/security/pwquality.conf".
--
--Check the value for "ocredit" in "/etc/security/pwquality.conf" with the following command:
--
--# grep ocredit /etc/security/pwquality.conf 
--ocredit=-1
--
--If the value of "ocredit" is not set to a negative value, this is a finding.</check-content></check></Rule></Group><Group id="V-71911"><title>SRG-OS-000072-GPOS-00040</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86535r2_rule" severity="medium" weight="10.0"><version>RHEL-07-010160</version><title>The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed a minimum of eight of the total number of characters must be changed.</title><description>&lt;VulnDiscussion&gt;Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
--
--Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000195</ident><fixtext fixref="F-78263r1_fix">Configure the operating system to require the change of at least eight of the total number of characters when passwords are changed by setting the "difok" option.
--
--Add the following line to "/etc/security/pwquality.conf" (or modify the line to have the required value):
--
--difok = 8</fixtext><fix id="F-78263r1_fix" /><check system="C-72143r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>The "difok" option sets the number of characters in a password that must not be present in the old password.
--
--Check for the value of the "difok" option in "/etc/security/pwquality.conf" with the following command:
--
--# grep difok /etc/security/pwquality.conf 
--difok = 8
--
--If the value of "difok" is set to less than "8", this is a finding.</check-content></check></Rule></Group><Group id="V-71913"><title>SRG-OS-000072-GPOS-00040</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86537r2_rule" severity="medium" weight="10.0"><version>RHEL-07-010170</version><title>The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed a minimum of four character classes must be changed.</title><description>&lt;VulnDiscussion&gt;Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
--
--Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000195</ident><fixtext fixref="F-78265r1_fix">Configure the operating system to require the change of at least four character classes when passwords are changed by setting the "minclass" option.
--
--Add the following line to "/etc/security/pwquality.conf conf" (or modify the line to have the required value):
--
--minclass = 4</fixtext><fix id="F-78265r1_fix" /><check system="C-72145r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>The "minclass" option sets the minimum number of required classes of characters for the new password (digits, upper-case, lower-case, others).
--
--Check for the value of the "minclass" option in "/etc/security/pwquality.conf" with the following command:
--
--# grep minclass /etc/security/pwquality.conf 
--minclass = 4
--
--If the value of "minclass" is set to less than "4", this is a finding.</check-content></check></Rule></Group><Group id="V-71915"><title>SRG-OS-000072-GPOS-00040</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86539r3_rule" severity="medium" weight="10.0"><version>RHEL-07-010180</version><title>The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed the number of repeating consecutive characters must not be more than three characters.</title><description>&lt;VulnDiscussion&gt;Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
--
--Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000195</ident><fixtext fixref="F-78267r2_fix">Configure the operating system to require the change of the number of repeating consecutive characters when passwords are changed by setting the "maxrepeat" option.
--
--Add the following line to "/etc/security/pwquality.conf conf" (or modify the line to have the required value):
--
--maxrepeat = 3</fixtext><fix id="F-78267r2_fix" /><check system="C-72147r2_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>The "maxrepeat" option sets the maximum number of allowed same consecutive characters in a new password.
--
--Check for the value of the "maxrepeat" option in "/etc/security/pwquality.conf" with the following command:
--
--# grep maxrepeat /etc/security/pwquality.conf 
--maxrepeat = 3
--
--If the value of "maxrepeat" is set to more than "3", this is a finding.</check-content></check></Rule></Group><Group id="V-71917"><title>SRG-OS-000072-GPOS-00040</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86541r2_rule" severity="medium" weight="10.0"><version>RHEL-07-010190</version><title>The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed the number of repeating characters of the same character class must not be more than four characters.</title><description>&lt;VulnDiscussion&gt;Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
--
--Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000195</ident><fixtext fixref="F-78269r1_fix">Configure the operating system to require the change of the number of repeating characters of the same character class when passwords are changed by setting the "maxclassrepeat" option.
--
--Add the following line to "/etc/security/pwquality.conf" conf (or modify the line to have the required value):
--
--maxclassrepeat = 4</fixtext><fix id="F-78269r1_fix" /><check system="C-72149r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>The "maxclassrepeat" option sets the maximum number of allowed same consecutive characters in the same class in the new password.
--
--Check for the value of the "maxclassrepeat" option in "/etc/security/pwquality.conf" with the following command:
--
--# grep maxclassrepeat /etc/security/pwquality.conf 
--maxclassrepeat = 4
--
--If the value of "maxclassrepeat" is set to more than "4", this is a finding.</check-content></check></Rule></Group><Group id="V-71919"><title>SRG-OS-000073-GPOS-00041</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86543r3_rule" severity="medium" weight="10.0"><version>RHEL-07-010200</version><title>The Red Hat Enterprise Linux operating system must be configured so that the PAM system service is configured to store only encrypted representations of passwords.</title><description>&lt;VulnDiscussion&gt;Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Passwords encrypted with a weak algorithm are no more protected than if they are kept in plain text.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000196</ident><fixtext fixref="F-78271r4_fix">Configure the operating system to store only SHA512 encrypted representations of passwords.
--
--Add the following line in "/etc/pam.d/system-auth":
--pam_unix.so sha512 shadow try_first_pass use_authtok
--
--Add the following line in "/etc/pam.d/password-auth":
--pam_unix.so sha512 shadow try_first_pass use_authtok
--
--Note: Manual changes to the listed files may be overwritten by the "authconfig" program. The "authconfig" program should not be used to update the configurations listed in this requirement.</fixtext><fix id="F-78271r4_fix" /><check system="C-72151r3_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the PAM system service is configured to store only encrypted representations of passwords. The strength of encryption that must be used to hash passwords for all accounts is SHA512.
--
--Check that the system is configured to create SHA512 hashed passwords with the following command:
--
--# grep password /etc/pam.d/system-auth /etc/pam.d/password-auth
--
--Outcome should look like following:
--/etc/pam.d/system-auth-ac:password    sufficient    pam_unix.so sha512 shadow try_first_pass use_authtok
--/etc/pam.d/password-auth:password    sufficient    pam_unix.so sha512 shadow try_first_pass use_authtok
--
--If the "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth" configuration files allow for password hashes other than SHA512 to be used, this is a finding.</check-content></check></Rule></Group><Group id="V-71921"><title>SRG-OS-000073-GPOS-00041</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86545r2_rule" severity="medium" weight="10.0"><version>RHEL-07-010210</version><title>The Red Hat Enterprise Linux operating system must be configured to use the shadow file to store only encrypted representations of passwords.</title><description>&lt;VulnDiscussion&gt;Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Passwords encrypted with a weak algorithm are no more protected than if they are kept in plain text.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000196</ident><fixtext fixref="F-78273r1_fix">Configure the operating system to store only SHA512 encrypted representations of passwords.
--
--Add or update the following line in "/etc/login.defs":
--
--ENCRYPT_METHOD SHA512</fixtext><fix id="F-78273r1_fix" /><check system="C-72153r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the system's shadow file is configured to store only encrypted representations of passwords. The strength of encryption that must be used to hash passwords for all accounts is SHA512.
--
--Check that the system is configured to create SHA512 hashed passwords with the following command:
--
--# grep -i encrypt /etc/login.defs
--ENCRYPT_METHOD SHA512
--
--If the "/etc/login.defs" configuration file does not exist or allows for password hashes other than SHA512 to be used, this is a finding.</check-content></check></Rule></Group><Group id="V-71923"><title>SRG-OS-000073-GPOS-00041</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86547r3_rule" severity="medium" weight="10.0"><version>RHEL-07-010220</version><title>The Red Hat Enterprise Linux operating system must be configured so that user and group account administration utilities are configured to store only encrypted representations of passwords.</title><description>&lt;VulnDiscussion&gt;Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Passwords encrypted with a weak algorithm are no more protected than if they are kept in plain text.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000196</ident><fixtext fixref="F-78275r1_fix">Configure the operating system to store only SHA512 encrypted representations of passwords.
--
--Add or update the following line in "/etc/libuser.conf" in the [defaults] section: 
--
--crypt_style = sha512</fixtext><fix id="F-78275r1_fix" /><check system="C-72155r3_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the user and group account administration utilities are configured to store only encrypted representations of passwords. The strength of encryption that must be used to hash passwords for all accounts is "SHA512".
--
--Check that the system is configured to create "SHA512" hashed passwords with the following command:
--
--# grep -i sha512 /etc/libuser.conf 
--
--crypt_style = sha512
--
--If the "crypt_style" variable is not set to "sha512", is not in the defaults section, is commented out, or does not exist, this is a finding.</check-content></check></Rule></Group><Group id="V-71925"><title>SRG-OS-000075-GPOS-00043</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86549r2_rule" severity="medium" weight="10.0"><version>RHEL-07-010230</version><title>The Red Hat Enterprise Linux operating system must be configured so that passwords for new users are restricted to a 24 hours/1 day minimum lifetime.</title><description>&lt;VulnDiscussion&gt;Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. If users are allowed to immediately and continually change their password, the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000198</ident><fixtext fixref="F-78277r1_fix">Configure the operating system to enforce 24 hours/1 day as the minimum password lifetime.
--
--Add the following line in "/etc/login.defs" (or modify the line to have the required value):
--
--PASS_MIN_DAYS     1</fixtext><fix id="F-78277r1_fix" /><check system="C-72157r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system enforces 24 hours/1 day as the minimum password lifetime for new user accounts.
--
--Check for the value of "PASS_MIN_DAYS" in "/etc/login.defs" with the following command: 
--
--# grep -i pass_min_days /etc/login.defs
--PASS_MIN_DAYS     1
--
--If the "PASS_MIN_DAYS" parameter value is not "1" or greater, or is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-71927"><title>SRG-OS-000075-GPOS-00043</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86551r2_rule" severity="medium" weight="10.0"><version>RHEL-07-010240</version><title>The Red Hat Enterprise Linux operating system must be configured so that passwords are restricted to a 24 hours/1 day minimum lifetime.</title><description>&lt;VulnDiscussion&gt;Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. If users are allowed to immediately and continually change their password, the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000198</ident><fixtext fixref="F-78279r1_fix">Configure non-compliant accounts to enforce a 24 hours/1 day minimum password lifetime:
--
--# chage -m 1 [user]</fixtext><fix id="F-78279r1_fix" /><check system="C-72159r2_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Check whether the minimum time period between password changes for each user account is one day or greater.
--
--# awk -F: '$4 &lt; 1 {print $1 " " $4}' /etc/shadow
--
--If any results are returned that are not associated with a system account, this is a finding.</check-content></check></Rule></Group><Group id="V-71929"><title>SRG-OS-000076-GPOS-00044</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86553r2_rule" severity="medium" weight="10.0"><version>RHEL-07-010250</version><title>The Red Hat Enterprise Linux operating system must be configured so that passwords for new users are restricted to a 60-day maximum lifetime.</title><description>&lt;VulnDiscussion&gt;Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If the operating system does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the operating system passwords could be compromised.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000199</ident><fixtext fixref="F-78281r1_fix">Configure the operating system to enforce a 60-day maximum password lifetime restriction.
--
--Add the following line in "/etc/login.defs" (or modify the line to have the required value):
--
--PASS_MAX_DAYS     60</fixtext><fix id="F-78281r1_fix" /><check system="C-72161r2_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>If passwords are not being used for authentication, this is Not Applicable.
--
--Verify the operating system enforces a 60-day maximum password lifetime restriction for new user accounts.
--
--Check for the value of "PASS_MAX_DAYS" in "/etc/login.defs" with the following command:
--
--# grep -i pass_max_days /etc/login.defs
--PASS_MAX_DAYS 60
--
--If the "PASS_MAX_DAYS" parameter value is not 60 or less, or is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-71931"><title>SRG-OS-000076-GPOS-00044</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86555r3_rule" severity="medium" weight="10.0"><version>RHEL-07-010260</version><title>The Red Hat Enterprise Linux operating system must be configured so that existing passwords are restricted to a 60-day maximum lifetime.</title><description>&lt;VulnDiscussion&gt;Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If the operating system does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the operating system passwords could be compromised.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000199</ident><fixtext fixref="F-78283r1_fix">Configure non-compliant accounts to enforce a 60-day maximum password lifetime restriction.
--
--# chage -M 60 [user]</fixtext><fix id="F-78283r1_fix" /><check system="C-72163r3_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Check whether the maximum time period for existing passwords is restricted to 60 days.
--
--# awk -F: '$5 &gt; 60 {print $1 " " $5}' /etc/shadow
--
--If any results are returned that are not associated with a system account, this is a finding.
--</check-content></check></Rule></Group><Group id="V-71933"><title>SRG-OS-000077-GPOS-00045</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86557r3_rule" severity="medium" weight="10.0"><version>RHEL-07-010270</version><title>The Red Hat Enterprise Linux operating system must be configured so that passwords are prohibited from reuse for a minimum of five generations.</title><description>&lt;VulnDiscussion&gt;Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. If the information system or application allows the user to consecutively reuse their password when that password has exceeded its defined lifetime, the end result is a password that is not changed per policy requirements.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000200</ident><fixtext fixref="F-78285r3_fix">Configure the operating system to prohibit password reuse for a minimum of five generations.
--
--Add the following line in "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth" (or modify the line to have the required value):
--
--password    requisite     pam_pwhistory.so use_authtok remember=5 retry=3
--   
--Note: Manual changes to the listed files may be overwritten by the "authconfig" program. The "authconfig" program should not be used to update the configurations listed in this requirement.</fixtext><fix id="F-78285r3_fix" /><check system="C-72165r2_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system prohibits password reuse for a minimum of five generations.
--
--Check for the value of the "remember" argument in "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth" with the following command:
--
--# grep -i remember /etc/pam.d/system-auth /etc/pam.d/password-auth
--
--password    requisite     pam_pwhistory.so use_authtok remember=5 retry=3
--
--If the line containing the "pam_pwhistory.so" line does not have the "remember" module argument set, is commented out, or the value of the "remember" module argument is set to less than "5", this is a finding.</check-content></check></Rule></Group><Group id="V-71935"><title>SRG-OS-000078-GPOS-00046</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86559r2_rule" severity="medium" weight="10.0"><version>RHEL-07-010280</version><title>The Red Hat Enterprise Linux operating system must be configured so that passwords are a minimum of 15 characters in length.</title><description>&lt;VulnDiscussion&gt;The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised.
--
--Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. Use of more characters in a password helps to exponentially increase the time and/or resources required to compromise the password.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000205</ident><fixtext fixref="F-78287r1_fix">Configure operating system to enforce a minimum 15-character password length.
--
--Add the following line to "/etc/security/pwquality.conf" (or modify the line to have the required value):
--
--minlen = 15</fixtext><fix id="F-78287r1_fix" /><check system="C-72167r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system enforces a minimum 15-character password length. The "minlen" option sets the minimum number of characters in a new password.
--
--Check for the value of the "minlen" option in "/etc/security/pwquality.conf" with the following command:
--
--# grep minlen /etc/security/pwquality.conf
--minlen = 15
--
--If the command does not return a "minlen" value of 15 or greater, this is a finding.</check-content></check></Rule></Group><Group id="V-71937"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86561r3_rule" severity="high" weight="10.0"><version>RHEL-07-010290</version><title>The Red Hat Enterprise Linux operating system must not have accounts configured with blank or null passwords.</title><description>&lt;VulnDiscussion&gt;If an account has an empty password, anyone could log on and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000366</ident><fixtext fixref="F-78289r3_fix">If an account is configured for password authentication but does not have an assigned password, it may be possible to log on to the account without authenticating.
--
--Remove any instances of the "nullok" option in "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth" to prevent logons with empty passwords.
--
--Note: Manual changes to the listed files may be overwritten by the "authconfig" program. The "authconfig" program should not be used to update the configurations listed in this requirement.</fixtext><fix id="F-78289r3_fix" /><check system="C-72169r2_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>To verify that null passwords cannot be used, run the following command: 
--
--# grep nullok /etc/pam.d/system-auth /etc/pam.d/password-auth
--
--If this produces any output, it may be possible to log on with accounts with empty passwords.
--
--If null passwords can be used, this is a finding.</check-content></check></Rule></Group><Group id="V-71939"><title>SRG-OS-000106-GPOS-00053</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86563r3_rule" severity="high" weight="10.0"><version>RHEL-07-010300</version><title>The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not allow authentication using an empty password.</title><description>&lt;VulnDiscussion&gt;Configuring this setting for the SSH daemon provides additional assurance that remote logon via SSH will require a password, even in the event of misconfiguration elsewhere.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000766</ident><fixtext fixref="F-78291r2_fix">To explicitly disallow remote logon from accounts with empty passwords, add or correct the following line in "/etc/ssh/sshd_config":
--
--PermitEmptyPasswords no
--
--The SSH service must be restarted for changes to take effect.  Any accounts with empty passwords should be disabled immediately, and PAM configuration should prevent users from being able to assign themselves empty passwords.</fixtext><fix id="F-78291r2_fix" /><check system="C-72171r2_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>To determine how the SSH daemon's "PermitEmptyPasswords" option is set, run the following command:
--
--# grep -i PermitEmptyPasswords /etc/ssh/sshd_config
--PermitEmptyPasswords no
--
--If no line, a commented line, or a line indicating the value "no" is returned, the required value is set.
--
--If the required value is not set, this is a finding.</check-content></check></Rule></Group><Group id="V-71941"><title>SRG-OS-000118-GPOS-00060</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86565r2_rule" severity="medium" weight="10.0"><version>RHEL-07-010310</version><title>The Red Hat Enterprise Linux operating system must disable account identifiers (individuals, groups, roles, and devices) if the password expires.</title><description>&lt;VulnDiscussion&gt;Inactive identifiers pose a risk to systems and applications because attackers may exploit an inactive identifier and potentially obtain undetected access to the system. Owners of inactive accounts will not notice if unauthorized access to their user account has been obtained.
--
--Operating systems need to track periods of inactivity and disable application identifiers after zero days of inactivity.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000795</ident><fixtext fixref="F-78293r1_fix">Configure the operating system to disable account identifiers (individuals, groups, roles, and devices) after the password expires.
--
--Add the following line to "/etc/default/useradd" (or modify the line to have the required value):
--
--INACTIVE=0</fixtext><fix id="F-78293r1_fix" /><check system="C-72173r2_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>If passwords are not being used for authentication, this is Not Applicable.
--
--Verify the operating system disables account identifiers (individuals, groups, roles, and devices) after the password expires with the following command:
--
--# grep -i inactive /etc/default/useradd
--INACTIVE=0
--
--If the value is not set to "0", is commented out, or is not defined, this is a finding.</check-content></check></Rule></Group><Group id="V-71943"><title>SRG-OS-000329-GPOS-00128</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86567r6_rule" severity="medium" weight="10.0"><version>RHEL-07-010320</version><title>The Red Hat Enterprise Linux operating system must be configured to lock accounts for a minimum of 15 minutes after three unsuccessful logon attempts within a 15-minute timeframe.</title><description>&lt;VulnDiscussion&gt;By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by locking the account.
--
--Satisfies: SRG-OS-000329-GPOS-00128, SRG-OS-000021-GPOS-00005&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000044</ident><ident system="http://iase.disa.mil/cci">CCI-002236</ident><ident system="http://iase.disa.mil/cci">CCI-002237</ident><ident system="http://iase.disa.mil/cci">CCI-002238</ident><fixtext fixref="F-78295r5_fix">Configure the operating system to lock an account for the maximum period when three unsuccessful logon attempts in 15 minutes are made.
--
--Modify the first three lines of the auth section and the first line of the account section of the "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth" files to match the following lines:
--
--auth required pam_faillock.so preauth silent audit deny=3 even_deny_root fail_interval=900 unlock_time=900
--auth sufficient pam_unix.so try_first_pass
--auth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root fail_interval=900 unlock_time=900
--account required pam_faillock.so   
--
--Note: Manual changes to the listed files may be overwritten by the "authconfig" program. The "authconfig" program should not be used to update the configurations listed in this requirement.</fixtext><fix id="F-78295r5_fix" /><check system="C-72175r6_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Check that the system locks an account for a minimum of 15 minutes after three unsuccessful logon attempts within a period of 15 minutes with the following command:
--
--# grep pam_faillock.so /etc/pam.d/password-auth
--
--auth required pam_faillock.so preauth silent audit deny=3 even_deny_root fail_interval=900 unlock_time=900
--auth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root fail_interval=900 unlock_time=900
--account required pam_faillock.so 
--
--If the "deny" parameter is set to "0" or a value greater than "3" on both "auth" lines with the "pam_faillock.so" module, or is missing from these lines, this is a finding.
--
--If the "even_deny_root" parameter is not set on both "auth" lines with the "pam_faillock.so" module, or is missing from these lines, this is a finding.
--
--If the "fail_interval" parameter is set to "0" or is set to a value less than "900" on both "auth" lines with the "pam_faillock.so" module, or is missing from these lines, this is a finding.
--
--If the "unlock_time" parameter is not set to "0", "never", or is set to a value less than "900" on both "auth" lines with the "pam_faillock.so" module, or is missing from these lines, this is a finding.
--
--Note: The maximum configurable value for "unlock_time" is "604800". 
--
--If any line referencing the "pam_faillock.so" module is commented out, this is a finding.
--
--# grep pam_faillock.so /etc/pam.d/system-auth
--
--auth required pam_faillock.so preauth silent audit deny=3 even_deny_root fail_interval=900 unlock_time=900
--auth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root fail_interval=900 unlock_time=900
--account required pam_faillock.so 
--
--If the "deny" parameter is set to "0" or a value greater than "3" on both "auth" lines with the "pam_faillock.so" module, or is missing from these lines, this is a finding.
--
--If the "even_deny_root" parameter is not set on both "auth" lines with the "pam_faillock.so" module, or is missing from these lines, this is a finding.
--
--If the "fail_interval" parameter is set to "0" or is set to a value less than "900" on both "auth" lines with the "pam_faillock.so" module, or is missing from these lines, this is a finding.
--
--If the "unlock_time" parameter is not set to "0", "never", or is set to a value less than "900" on both "auth" lines with the "pam_faillock.so" module or is missing from these lines, this is a finding.
--
--Note: The maximum configurable value for "unlock_time" is "604800". 
--If any line referencing the "pam_faillock.so" module is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-71945"><title>SRG-OS-000329-GPOS-00128</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86569r4_rule" severity="medium" weight="10.0"><version>RHEL-07-010330</version><title>The Red Hat Enterprise Linux operating system must lock the associated account after three unsuccessful root logon attempts are made within a 15-minute period.</title><description>&lt;VulnDiscussion&gt;By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute forcing, is reduced. Limits are imposed by locking the account.
--
--Satisfies: SRG-OS-000329-GPOS-00128, SRG-OS-000021-GPOS-00005&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-002238</ident><fixtext fixref="F-78297r3_fix">Configure the operating system to lock automatically the root account until the locked account is released by an administrator when three unsuccessful logon attempts in 15 minutes are made.
--
--Modify the first three lines of the auth section and the first line of the account section of the "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth" files to match the following lines:
--
--auth required pam_faillock.so preauth silent audit deny=3 even_deny_root fail_interval=900 unlock_time=900
--auth sufficient pam_unix.so try_first_pass
--auth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root fail_interval=900 unlock_time=900
--account required pam_faillock.so
--
--Note: Manual changes to the listed files may be overwritten by the "authconfig" program. The "authconfig" program should not be used to update the configurations listed in this requirement.</fixtext><fix id="F-78297r3_fix" /><check system="C-72177r4_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system automatically locks the root account until it is released by an administrator when three unsuccessful logon attempts in 15 minutes are made.
--
--# grep pam_faillock.so /etc/pam.d/password-auth
--auth required pam_faillock.so preauth silent audit deny=3 even_deny_root fail_interval=900 unlock_time=900 
--auth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root fail_interval=900 unlock_time=900 
--account required pam_faillock.so
--
--If the "even_deny_root" setting is not defined on both lines with the "pam_faillock.so" module, is commented out, or is missing from a line, this is a finding.
--
--# grep pam_faillock.so /etc/pam.d/system-auth
--auth required pam_faillock.so preauth silent audit deny=3 even_deny_root fail_interval=900 unlock_time=900 
--auth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root fail_interval=900 unlock_time=900
--account required pam_faillock.so
--
--If the "even_deny_root" setting is not defined on both lines with the "pam_faillock.so" module, is commented out, or is missing from a line, this is a finding.</check-content></check></Rule></Group><Group id="V-71947"><title>SRG-OS-000373-GPOS-00156</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86571r3_rule" severity="medium" weight="10.0"><version>RHEL-07-010340</version><title>The Red Hat Enterprise Linux operating system must be configured so that users must provide a password for privilege escalation.</title><description>&lt;VulnDiscussion&gt;Without re-authentication, users may access resources or perform tasks for which they do not have authorization. 
--
--When operating systems provide the capability to escalate a functional capability, it is critical the user re-authenticate.
--
--Satisfies: SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-002038</ident><fixtext fixref="F-78299r2_fix">Configure the operating system to require users to supply a password for privilege escalation.
--
--Check the configuration of the "/etc/sudoers" file with the following command:
--# visudo
--
--Remove any occurrences of "NOPASSWD" tags in the file.   
--
--Check the configuration of the /etc/sudoers.d/* files with the following command:
--# grep -i nopasswd /etc/sudoers.d/*
--
--Remove any occurrences of "NOPASSWD" tags in the file.</fixtext><fix id="F-78299r2_fix" /><check system="C-72179r3_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>If passwords are not being used for authentication, this is Not Applicable.
--
--Verify the operating system requires users to supply a password for privilege escalation.
--
--Check the configuration of the "/etc/sudoers" and "/etc/sudoers.d/*" files with the following command:
--
--# grep -i nopasswd /etc/sudoers /etc/sudoers.d/*
--
--If any uncommented line is found with a "NOPASSWD" tag, this is a finding.</check-content></check></Rule></Group><Group id="V-71949"><title>SRG-OS-000373-GPOS-00156</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86573r3_rule" severity="medium" weight="10.0"><version>RHEL-07-010350</version><title>The Red Hat Enterprise Linux operating system must be configured so that users must re-authenticate for privilege escalation.</title><description>&lt;VulnDiscussion&gt;Without re-authentication, users may access resources or perform tasks for which they do not have authorization. 
--
--When operating systems provide the capability to escalate a functional capability, it is critical the user reauthenticate.
--
--Satisfies: SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-002038</ident><fixtext fixref="F-78301r3_fix">Configure the operating system to require users to reauthenticate for privilege escalation.
--
--Check the configuration of the "/etc/sudoers" file with the following command:
--
--# visudo
--Remove any occurrences of "!authenticate" tags in the file.
--
--Check the configuration of the "/etc/sudoers.d/*" files with the following command:
--
--# grep -i authenticate /etc/sudoers /etc/sudoers.d/*
--Remove any occurrences of "!authenticate" tags in the file(s).</fixtext><fix id="F-78301r3_fix" /><check system="C-72181r5_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system requires users to reauthenticate for privilege escalation.
--
--Check the configuration of the "/etc/sudoers" and "/etc/sudoers.d/*" files with the following command:
--
--# grep -i authenticate /etc/sudoers /etc/sudoers.d/*
--
--If any uncommented line is found with a "!authenticate" tag, this is a finding.</check-content></check></Rule></Group><Group id="V-71951"><title>SRG-OS-000480-GPOS-00226</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86575r2_rule" severity="medium" weight="10.0"><version>RHEL-07-010430</version><title>The Red Hat Enterprise Linux operating system must be configured so that the delay between logon prompts following a failed console logon attempt is at least four seconds.</title><description>&lt;VulnDiscussion&gt;Configuring the operating system to implement organization-wide security implementation guides and security checklists verifies compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements.
--
--Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example, registry settings; account, file, and directory permission settings; and settings for functions, ports, protocols, services, and remote connections.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000366</ident><fixtext fixref="F-78303r1_fix">Configure the operating system to enforce a delay of at least four seconds between logon prompts following a failed console logon attempt.
--
--Modify the "/etc/login.defs" file to set the "FAIL_DELAY" parameter to "4" or greater:
--
--FAIL_DELAY 4</fixtext><fix id="F-78303r1_fix" /><check system="C-72183r2_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system enforces a delay of at least four seconds between console logon prompts following a failed logon attempt.
--
--Check the value of the "fail_delay" parameter in the "/etc/login.defs" file with the following command:
--
--# grep -i fail_delay /etc/login.defs
--FAIL_DELAY 4
--
--If the value of "FAIL_DELAY" is not set to "4" or greater, or the line is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-71953"><title>SRG-OS-000480-GPOS-00229</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86577r2_rule" severity="high" weight="10.0"><version>RHEL-07-010440</version><title>The Red Hat Enterprise Linux operating system must not allow an unattended or automatic logon to the system via a graphical user interface.</title><description>&lt;VulnDiscussion&gt;Failure to restrict system access to authenticated users negatively impacts operating system security.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000366</ident><fixtext fixref="F-78305r1_fix">Configure the operating system to not allow an unattended or automatic logon to the system via a graphical user interface.
--
--Note: If the system does not have GNOME installed, this requirement is Not Applicable.
--
--Add or edit the line for the "AutomaticLoginEnable" parameter in the [daemon] section of the "/etc/gdm/custom.conf" file to "false":
--
--[daemon]
--AutomaticLoginEnable=false</fixtext><fix id="F-78305r1_fix" /><check system="C-72185r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system does not allow an unattended or automatic logon to the system via a graphical user interface.
--
--Note: If the system does not have GNOME installed, this requirement is Not Applicable. 
--
--Check for the value of the "AutomaticLoginEnable" in the "/etc/gdm/custom.conf" file with the following command:
--
--# grep -i automaticloginenable /etc/gdm/custom.conf
--AutomaticLoginEnable=false
--
--If the value of "AutomaticLoginEnable" is not set to "false", this is a finding.</check-content></check></Rule></Group><Group id="V-71955"><title>SRG-OS-000480-GPOS-00229</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86579r3_rule" severity="high" weight="10.0"><version>RHEL-07-010450</version><title>The Red Hat Enterprise Linux operating system must not allow an unrestricted logon to the system.</title><description>&lt;VulnDiscussion&gt;Failure to restrict system access to authenticated users negatively impacts operating system security.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000366</ident><fixtext fixref="F-78307r2_fix">Configure the operating system to not allow an unrestricted account to log on to the system via a graphical user interface.
--
--Note: If the system does not have GNOME installed, this requirement is Not Applicable.
--
--Add or edit the line for the "TimedLoginEnable" parameter in the [daemon] section of the "/etc/gdm/custom.conf" file to "false":
--
--[daemon]
--TimedLoginEnable=false</fixtext><fix id="F-78307r2_fix" /><check system="C-72187r2_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system does not allow an unrestricted logon to the system via a graphical user interface.
--
--Note: If the system does not have GNOME installed, this requirement is Not Applicable. 
--
--Check for the value of the "TimedLoginEnable" parameter in "/etc/gdm/custom.conf" file with the following command:
--
--# grep -i timedloginenable /etc/gdm/custom.conf
--TimedLoginEnable=false
--
--If the value of "TimedLoginEnable" is not set to "false", this is a finding.</check-content></check></Rule></Group><Group id="V-71957"><title>SRG-OS-000480-GPOS-00229</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86581r3_rule" severity="medium" weight="10.0"><version>RHEL-07-010460</version><title>The Red Hat Enterprise Linux operating system must not allow users to override SSH environment variables.</title><description>&lt;VulnDiscussion&gt;Failure to restrict system access to authenticated users negatively impacts operating system security.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000366</ident><fixtext fixref="F-78309r2_fix">Configure the operating system to not allow users to override environment variables to the SSH daemon.
--
--Edit the "/etc/ssh/sshd_config" file to uncomment or add the line for "PermitUserEnvironment" keyword and set the value to "no":
--
--PermitUserEnvironment no
--
--The SSH service must be restarted for changes to take effect.</fixtext><fix id="F-78309r2_fix" /><check system="C-72189r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system does not allow users to override environment variables to the SSH daemon.
--
--Check for the value of the "PermitUserEnvironment" keyword with the following command:
--
--# grep -i permituserenvironment /etc/ssh/sshd_config
--PermitUserEnvironment no
--
--If the "PermitUserEnvironment" keyword is not set to "no", is missing, or is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-71959"><title>SRG-OS-000480-GPOS-00229</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86583r3_rule" severity="medium" weight="10.0"><version>RHEL-07-010470</version><title>The Red Hat Enterprise Linux operating system must not allow a non-certificate trusted host SSH logon to the system.</title><description>&lt;VulnDiscussion&gt;Failure to restrict system access to authenticated users negatively impacts operating system security.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000366</ident><fixtext fixref="F-78311r3_fix">Configure the operating system to not allow a non-certificate trusted host SSH logon to the system.
--
--Edit the "/etc/ssh/sshd_config" file to uncomment or add the line for "HostbasedAuthentication" keyword and set the value to "no":
--
--HostbasedAuthentication no
--
--The SSH service must be restarted for changes to take effect.</fixtext><fix id="F-78311r3_fix" /><check system="C-72191r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system does not allow a non-certificate trusted host SSH logon to the system.
--
--Check for the value of the "HostbasedAuthentication" keyword with the following command:
--
--# grep -i hostbasedauthentication /etc/ssh/sshd_config
--HostbasedAuthentication no
--
--If the "HostbasedAuthentication" keyword is not set to "no", is missing, or is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-71961"><title>SRG-OS-000080-GPOS-00048</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86585r6_rule" severity="high" weight="10.0"><version>RHEL-07-010480</version><title>Red Hat Enterprise Linux operating systems prior to version 7.2 with a Basic Input/Output System (BIOS) must require authentication upon booting into single-user and maintenance modes.</title><description>&lt;VulnDiscussion&gt;If the system does not require valid root authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for RHEL 7 and is designed to require a password to boot into single-user mode or make modifications to the boot menu.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000213</ident><fixtext fixref="F-78313r3_fix">Configure the system to encrypt the boot password for root.
--
--Generate an encrypted grub2 password for root with the following command:
--
--Note: The hash generated is an example.
--
--# grub2-mkpasswd-pbkdf2
--
--Enter Password:
--Reenter Password:
--PBKDF2 hash of your password is grub.pbkdf2.sha512.10000.F3A7CFAA5A51EED123BE8238C23B25B2A6909AFC9812F0D45
--
--Edit "/etc/grub.d/40_custom" and add the following lines below the comments:
--
--# vi /etc/grub.d/40_custom
--
--set superusers="root"
--
--password_pbkdf2 root {hash from grub2-mkpasswd-pbkdf2 command}
--
--Generate a new "grub.conf" file with the new password with the following commands:
--
--# grub2-mkconfig --output=/tmp/grub2.cfg
--# mv /tmp/grub2.cfg /boot/grub2/grub.cfg</fixtext><fix id="F-78313r3_fix" /><check system="C-72193r6_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>For systems that use UEFI, this is Not Applicable.
--For systems that are running RHEL 7.2 or newer, this is Not Applicable.
--
--Check to see if an encrypted root password is set. On systems that use a BIOS, use the following command:
--
--# grep -i password_pbkdf2 /boot/grub2/grub.cfg
--
--password_pbkdf2 [superusers-account] [password-hash]
--
--If the root password entry does not begin with "password_pbkdf2", this is a finding.
--
--If the "superusers-account" is not set to "root", this is a finding.</check-content></check></Rule></Group><Group id="V-71963"><title>SRG-OS-000080-GPOS-00048</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86587r4_rule" severity="high" weight="10.0"><version>RHEL-07-010490</version><title>Red Hat Enterprise Linux operating systems prior to version 7.2 using Unified Extensible Firmware Interface (UEFI) must require authentication upon booting into single-user and maintenance modes.</title><description>&lt;VulnDiscussion&gt;If the system does not require valid root authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for RHEL 7 and is designed to require a password to boot into single-user mode or make modifications to the boot menu.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000213</ident><fixtext fixref="F-78315r3_fix">Configure the system to encrypt the boot password for root.
--
--Generate an encrypted grub2 password for root with the following command:
--
--Note: The hash generated is an example.
--
--# grub2-mkpasswd-pbkdf2
--
--Enter Password:
--Reenter Password:
--PBKDF2 hash of your password is grub.pbkdf2.sha512.10000.F3A7CFAA5A51EED123BE8238C23B25B2A6909AFC9812F0D45
--
--Edit "/etc/grub.d/40_custom" and add the following lines below the comments:
--
--# vi /etc/grub.d/40_custom
--
--set superusers="root"
--
--password_pbkdf2 root {hash from grub2-mkpasswd-pbkdf2 command}
--
--Generate a new "grub.conf" file with the new password with the following commands:
--
--# grub2-mkconfig --output=/tmp/grub2.cfg
--# mv /tmp/grub2.cfg /boot/efi/EFI/redhat/grub.cfg</fixtext><fix id="F-78315r3_fix" /><check system="C-72195r4_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>For systems that use BIOS, this is Not Applicable.
--For systems that are running RHEL 7.2 or newer, this is Not Applicable.
--
--Check to see if an encrypted root password is set. On systems that use UEFI, use the following command:
--
--# grep -i password /boot/efi/EFI/redhat/grub.cfg
--
--password_pbkdf2 [superusers-account] [password-hash]
--
--If the root password entry does not begin with "password_pbkdf2", this is a finding.
--
--If the "superusers-account" is not set to "root", this is a finding.</check-content></check></Rule></Group><Group id="V-71965"><title>SRG-OS-000104-GPOS-00051</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86589r2_rule" severity="medium" weight="10.0"><version>RHEL-07-010500</version><title>The Red Hat Enterprise Linux operating system must uniquely identify and must authenticate organizational users (or processes acting on behalf of organizational users) using multifactor authentication.</title><description>&lt;VulnDiscussion&gt;To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and compromise of the system.
--
--Organizational users include organizational employees or individuals the organization deems to have equivalent status of employees (e.g., contractors). Organizational users (and processes acting on behalf of users) must be uniquely identified and authenticated to all accesses, except for the following:
--
--1) Accesses explicitly identified and documented by the organization. Organizations document specific user actions that can be performed on the information system without identification or authentication; 
--
--and
--
--2) Accesses that occur through authorized use of group authenticators without individual authentication. Organizations may require unique identification of individuals in group accounts (e.g., shared privilege accounts) or for detailed accountability of individual activity.
--
--Satisfies: SRG-OS-000104-GPOS-00051, SRG-OS-000106-GPOS-00053, SRG-OS-000107-GPOS-00054, SRG-OS-000109-GPOS-00056, SRG-OS-000108-GPOS-00055, SRG-OS-000108-GPOS-00057, SRG-OS-000108-GPOS-00058&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000766</ident><fixtext fixref="F-78317r3_fix">Configure the operating system to require individuals to be authenticated with a multifactor authenticator.
--
--Enable smartcard logons with the following commands:
--
--# authconfig --enablesmartcard --smartcardaction=0 --update
--# authconfig --enablerequiresmartcard -update
--
--Modify the "/etc/pam_pkcs11/pkcs11_eventmgr.conf" file to uncomment the following line:
--
--#/usr/X11R6/bin/xscreensaver-command -lock
--
--Modify the "/etc/pam_pkcs11/pam_pkcs11.conf" file to use the cackey module if required.</fixtext><fix id="F-78317r3_fix" /><check system="C-72197r3_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system requires multifactor authentication to uniquely identify organizational users using multifactor authentication.
--
--Check to see if smartcard authentication is enforced on the system:
--
--# authconfig --test | grep "pam_pkcs11 is enabled"
--
--If no results are returned, this is a finding.
--
--# authconfig --test | grep "smartcard removal action"
--
--If "smartcard removal action" is blank, this is a finding.
--
--# authconfig --test | grep "smartcard module"
--
--If "smartcard module" is blank, this is a finding.</check-content></check></Rule></Group><Group id="V-71967"><title>SRG-OS-000095-GPOS-00049</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86591r2_rule" severity="high" weight="10.0"><version>RHEL-07-020000</version><title>The Red Hat Enterprise Linux operating system must not have the rsh-server package installed.</title><description>&lt;VulnDiscussion&gt;It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
--
--Operating systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions).
--
--The rsh-server service provides an unencrypted remote access service that does not provide for the confidentiality and integrity of user passwords or the remote session and has very weak authentication.
--
--If a privileged user were to log on using this service, the privileged user password could be compromised.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000381</ident><fixtext fixref="F-78319r1_fix">Configure the operating system to disable non-essential capabilities by removing the rsh-server package from the system with the following command:
--
--# yum remove rsh-server</fixtext><fix id="F-78319r1_fix" /><check system="C-72199r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Check to see if the rsh-server package is installed with the following command:
--
--# yum list installed rsh-server
--
--If the rsh-server package is installed, this is a finding.</check-content></check></Rule></Group><Group id="V-71969"><title>SRG-OS-000095-GPOS-00049</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86593r2_rule" severity="high" weight="10.0"><version>RHEL-07-020010</version><title>The Red Hat Enterprise Linux operating system must not have the ypserv package installed.</title><description>&lt;VulnDiscussion&gt;Removing the "ypserv" package decreases the risk of the accidental (or intentional) activation of NIS or NIS+ services.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000381</ident><fixtext fixref="F-78321r1_fix">Configure the operating system to disable non-essential capabilities by removing the "ypserv" package from the system with the following command:
--
--# yum remove ypserv</fixtext><fix id="F-78321r1_fix" /><check system="C-72201r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>The NIS service provides an unencrypted authentication service that does not provide for the confidentiality and integrity of user passwords or the remote session.
--
--Check to see if the "ypserve" package is installed with the following command:
--
--# yum list installed ypserv
--
--If the "ypserv" package is installed, this is a finding.</check-content></check></Rule></Group><Group id="V-71971"><title>SRG-OS-000324-GPOS-00125</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86595r4_rule" severity="medium" weight="10.0"><version>RHEL-07-020020</version><title>The Red Hat Enterprise Linux operating system must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.</title><description>&lt;VulnDiscussion&gt;Preventing non-privileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges.
--
--Privileged functions include, for example, establishing accounts, performing system integrity checks, or administering cryptographic key management activities. Non-privileged users are individuals who do not possess appropriate authorizations. Circumventing intrusion detection and prevention mechanisms or malicious code protection mechanisms are examples of privileged functions that require protection from non-privileged users.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-002165</ident><ident system="http://iase.disa.mil/cci">CCI-002235</ident><fixtext fixref="F-78323r2_fix">Configure the operating system to prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.
--
--Use the following command to map a new user to the "sysadm_u" role: 
--
--#semanage login -a -s sysadm_u &lt;username&gt;
--
--Use the following command to map an existing user to the "sysadm_u" role:
--
--#semanage login -m -s sysadm_u &lt;username&gt;
--
--Use the following command to map a new user to the "staff_u" role:
--
--#semanage login -a -s staff_u &lt;username&gt;
--
--Use the following command to map an existing user to the "staff_u" role:
--
--#semanage login -m -s staff_u &lt;username&gt;
--
--Use the following command to map a new user to the "user_u" role:
--
--# semanage login -a -s user_u &lt;username&gt;
--
--Use the following command to map an existing user to the "user_u" role:
--
--# semanage login -m -s user_u &lt;username&gt;</fixtext><fix id="F-78323r2_fix" /><check system="C-72203r4_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Note: Per OPORD 16-0080, the preferred intrusion detection system is McAfee Host Intrusion Prevention System (HIPS) in conjunction with SELinux. McAfee Endpoint Security for Linux (ENSL) is an approved alternative to McAfee Virus Scan Enterprise (VSE) and HIPS. For RHEL 7 systems, SELinux is an approved alternative to McAfee HIPS. Regardless of whether or not McAfee HIPS or ENSL is installed, SELinux is interoperable with both McAfee products and SELinux is still required.
--
--Verify the operating system prevents non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.
--
--Get a list of authorized users (other than System Administrator and guest accounts) for the system.
--
--Check the list against the system by using the following command:
--
--# semanage login -l | more
--
--Login Name SELinux User MLS/MCS Range Service
--__default__ user_u s0-s0:c0.c1023 *
--root unconfined_u s0-s0:c0.c1023 *
--system_u system_u s0-s0:c0.c1023 *
--joe staff_u s0-s0:c0.c1023 *
--
--All administrators must be mapped to the "sysadm_u", "staff_u", or an appropriately tailored confined role as defined by the organization.
--
--All authorized non-administrative users must be mapped to the "user_u" role. 
--
--If they are not mapped in this way, this is a finding.</check-content></check></Rule></Group><Group id="V-71973"><title>SRG-OS-000363-GPOS-00150</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86597r2_rule" severity="medium" weight="10.0"><version>RHEL-07-020030</version><title>The Red Hat Enterprise Linux operating system must be configured so that a file integrity tool verifies the baseline operating system configuration at least weekly.</title><description>&lt;VulnDiscussion&gt;Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may be relevant to security.
--
--Detecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the operating system. The operating system's Information Management Officer (IMO)/Information System Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-001744</ident><fixtext fixref="F-78325r2_fix">Configure the file integrity tool to run automatically on the system at least weekly. The following example output is generic. It will set cron to run AIDE daily, but other file integrity tools may be used:  
--
--# more /etc/cron.daily/aide
--#!/bin/bash
--
--/usr/sbin/aide --check | /bin/mail -s "$HOSTNAME - Daily aide integrity check run" root@sysname.mil</fixtext><fix id="F-78325r2_fix" /><check system="C-72205r2_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system routinely checks the baseline configuration for unauthorized changes.
--
--Note: A file integrity tool other than Advanced Intrusion Detection Environment (AIDE) may be used, but the tool must be executed at least once per week.
--
--Check to see if AIDE is installed on the system with the following command:
--
--# yum list installed aide
--
--If AIDE is not installed, ask the SA how file integrity checks are performed on the system.
--
--Check for the presence of a cron job running daily or weekly on the system that executes AIDE daily to scan for changes to the system baseline. The command used in the example will use a daily occurrence.
--
--Check the cron directories for a script file controlling the execution of the file integrity application. For example, if AIDE is installed on the system, use the following command:
--
--# ls -al /etc/cron.* | grep aide
---rwxr-xr-x 1 root root 29 Nov 22 2015 aide
--
--# grep aide /etc/crontab /var/spool/cron/root
--/etc/crontab: 30 04 * * * /root/aide
--/var/spool/cron/root: 30 04 * * * /root/aide
--
--If the file integrity application does not exist, or a script file controlling the execution of the file integrity application does not exist, this is a finding.</check-content></check></Rule></Group><Group id="V-71975"><title>SRG-OS-000363-GPOS-00150</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86599r2_rule" severity="medium" weight="10.0"><version>RHEL-07-020040</version><title>The Red Hat Enterprise Linux operating system must be configured so that designated personnel are notified if baseline configurations are changed in an unauthorized manner.</title><description>&lt;VulnDiscussion&gt;Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may be relevant to security.
--
--Detecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the operating system. The operating system's Information Management Officer (IMO)/Information System Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-001744</ident><fixtext fixref="F-78327r3_fix">Configure the operating system to notify designated personnel if baseline configurations are changed in an unauthorized manner. The AIDE tool can be configured to email designated personnel with the use of the cron system. 
--
--The following example output is generic. It will set cron to run AIDE daily and to send email at the completion of the analysis. 
--
--# more /etc/cron.daily/aide
--
--/usr/sbin/aide --check | /bin/mail -s "$HOSTNAME - Daily aide integrity check run" root@sysname.mil</fixtext><fix id="F-78327r3_fix" /><check system="C-72207r2_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system notifies designated personnel if baseline configurations are changed in an unauthorized manner.
--
--Note: A file integrity tool other than Advanced Intrusion Detection Environment (AIDE) may be used, but the tool must be executed and notify specified individuals via email or an alert.
--
--Check to see if AIDE is installed on the system with the following command:
--
--# yum list installed aide
--
--If AIDE is not installed, ask the SA how file integrity checks are performed on the system. 
--
--Check for the presence of a cron job running routinely on the system that executes AIDE to scan for changes to the system baseline. The commands used in the example will use a daily occurrence.
--
--Check the cron directories for a "crontab" script file controlling the execution of the file integrity application. For example, if AIDE is installed on the system, use the following command:
--
--# ls -al /etc/cron.* | grep aide
---rwxr-xr-x 1 root root 32 Jul 1 2011 aide
--
--# grep aide /etc/crontab /var/spool/cron/root
--/etc/crontab: 30 04 * * * /root/aide
--/var/spool/cron/root: 30 04 * * * /root/aide
--
--AIDE does not have a configuration that will send a notification, so the cron job uses the mail application on the system to email the results of the file integrity run as in the following example:
--
--# more /etc/cron.daily/aide
--#!/bin/bash
--
--/usr/sbin/aide --check | /bin/mail -s "$HOSTNAME - Daily aide integrity check run" root@sysname.mil
--
--If the file integrity application does not notify designated personnel of changes, this is a finding.</check-content></check></Rule></Group><Group id="V-71977"><title>SRG-OS-000366-GPOS-00153</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86601r2_rule" severity="high" weight="10.0"><version>RHEL-07-020050</version><title>The Red Hat Enterprise Linux operating system must prevent the installation of software, patches, service packs, device drivers, or operating system components from a repository without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization.</title><description>&lt;VulnDiscussion&gt;Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor.
--
--Accordingly, patches, service packs, device drivers, or operating system components must be signed with a certificate recognized and approved by the organization.
--
--Verifying the authenticity of the software prior to installation validates the integrity of the patch or upgrade received from a vendor. This verifies the software has not been tampered with and that it has been provided by a trusted vendor. Self-signed certificates are disallowed by this requirement. The operating system should not have to verify the software again. This requirement does not mandate DoD certificates for this purpose; however, the certificate used to verify the software must be from an approved CA.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-001749</ident><fixtext fixref="F-78329r1_fix">Configure the operating system to verify the signature of packages from a repository prior to install by setting the following option in the "/etc/yum.conf" file:
--
--gpgcheck=1</fixtext><fix id="F-78329r1_fix" /><check system="C-72209r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system prevents the installation of patches, service packs, device drivers, or operating system components from a repository without verification that they have been digitally signed using a certificate that is recognized and approved by the organization.
--
--Check that yum verifies the signature of packages from a repository prior to install with the following command:
--
--# grep gpgcheck /etc/yum.conf
--gpgcheck=1
--
--If "gpgcheck" is not set to "1", or if options are missing or commented out, ask the System Administrator how the certificates for patches and other operating system components are verified. 
--
--If there is no process to validate certificates that is approved by the organization, this is a finding.</check-content></check></Rule></Group><Group id="V-71979"><title>SRG-OS-000366-GPOS-00153</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86603r2_rule" severity="high" weight="10.0"><version>RHEL-07-020060</version><title>The Red Hat Enterprise Linux operating system must prevent the installation of software, patches, service packs, device drivers, or operating system components of local packages without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization.</title><description>&lt;VulnDiscussion&gt;Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor.
--
--Accordingly, patches, service packs, device drivers, or operating system components must be signed with a certificate recognized and approved by the organization.
--
--Verifying the authenticity of the software prior to installation validates the integrity of the patch or upgrade received from a vendor. This verifies the software has not been tampered with and that it has been provided by a trusted vendor. Self-signed certificates are disallowed by this requirement. The operating system should not have to verify the software again. This requirement does not mandate DoD certificates for this purpose; however, the certificate used to verify the software must be from an approved CA.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-001749</ident><fixtext fixref="F-78331r1_fix">Configure the operating system to verify the signature of local packages prior to install by setting the following option in the "/etc/yum.conf" file:
--
--localpkg_gpgcheck=1</fixtext><fix id="F-78331r1_fix" /><check system="C-72211r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system prevents the installation of patches, service packs, device drivers, or operating system components of local packages without verification that they have been digitally signed using a certificate that is recognized and approved by the organization.
--
--Check that yum verifies the signature of local packages prior to install with the following command:
--
--# grep localpkg_gpgcheck /etc/yum.conf
--localpkg_gpgcheck=1
--
--If "localpkg_gpgcheck" is not set to "1", or if options are missing or commented out, ask the System Administrator how the signatures of local packages and other operating system components are verified. 
--
--If there is no process to validate the signatures of local packages that is approved by the organization, this is a finding.</check-content></check></Rule></Group><Group id="V-71983"><title>SRG-OS-000114-GPOS-00059</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86607r5_rule" severity="medium" weight="10.0"><version>RHEL-07-020100</version><title>The Red Hat Enterprise Linux operating system must be configured to disable USB mass storage.</title><description>&lt;VulnDiscussion&gt;USB mass storage permits easy introduction of unknown devices, thereby facilitating malicious activity.
--
--Satisfies: SRG-OS-000114-GPOS-00059, SRG-OS-000378-GPOS-00163, SRG-OS-000480-GPOS-00227&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000366</ident><ident system="http://iase.disa.mil/cci">CCI-000778</ident><ident system="http://iase.disa.mil/cci">CCI-001958</ident><fixtext fixref="F-78335r4_fix">Configure the operating system to disable the ability to use the USB Storage kernel module.
--
--Create a file under "/etc/modprobe.d" with the following command:
--
--# touch /etc/modprobe.d/usb-storage.conf
--
--Add the following line to the created file:
--
--install usb-storage /bin/true
--
--Configure the operating system to disable the ability to use USB mass storage devices.
--
--# vi /etc/modprobe.d/blacklist.conf
--
--Add or update the line:
--
--blacklist usb-storage</fixtext><fix id="F-78335r4_fix" /><check system="C-72215r5_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system disables the ability to load the USB Storage kernel module.
--
--# grep -r usb-storage /etc/modprobe.d/* | grep -i "/bin/true" | grep -v "^#"
--
--install usb-storage /bin/true
--
--If the command does not return any output, or the line is commented out, and use of USB Storage is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.
--
--Verify the operating system disables the ability to use USB mass storage devices.
--
--Check to see if USB mass storage is disabled with the following command:
--
--# grep usb-storage /etc/modprobe.d/* | grep -i "blacklist" | grep -v "^#"
--blacklist usb-storage
--
--If the command does not return any output or the output is not "blacklist usb-storage", and use of USB storage devices is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.</check-content></check></Rule></Group><Group id="V-71985"><title>SRG-OS-000114-GPOS-00059</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86609r2_rule" severity="medium" weight="10.0"><version>RHEL-07-020110</version><title>The Red Hat Enterprise Linux operating system must disable the file system automounter unless required.</title><description>&lt;VulnDiscussion&gt;Automatically mounting file systems permits easy introduction of unknown devices, thereby facilitating malicious activity.
--
--Satisfies: SRG-OS-000114-GPOS-00059, SRG-OS-000378-GPOS-00163, SRG-OS-000480-GPOS-00227&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000366</ident><ident system="http://iase.disa.mil/cci">CCI-000778</ident><ident system="http://iase.disa.mil/cci">CCI-001958</ident><fixtext fixref="F-78337r2_fix">Configure the operating system to disable the ability to automount devices.
--
--Turn off the automount service with the following commands:
--
--# systemctl stop autofs
--# systemctl disable autofs
--
--If "autofs" is required for Network File System (NFS), it must be documented with the ISSO.</fixtext><fix id="F-78337r2_fix" /><check system="C-72217r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system disables the ability to automount devices.
--
--Check to see if automounter service is active with the following command:
--
--# systemctl status autofs
--autofs.service - Automounts filesystems on demand
--   Loaded: loaded (/usr/lib/systemd/system/autofs.service; disabled)
--   Active: inactive (dead)
--
--If the "autofs" status is set to "active" and is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.</check-content></check></Rule></Group><Group id="V-71987"><title>SRG-OS-000437-GPOS-00194</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86611r2_rule" severity="low" weight="10.0"><version>RHEL-07-020200</version><title>The Red Hat Enterprise Linux operating system must remove all software components after updated versions have been installed.</title><description>&lt;VulnDiscussion&gt;Previous versions of software components that are not removed from the information system after updates have been installed may be exploited by adversaries. Some information technology products may remove older versions of software automatically from the information system.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-002617</ident><fixtext fixref="F-78339r1_fix">Configure the operating system to remove all software components after updated versions have been installed.
--
--Set the "clean_requirements_on_remove" option to "1" in the "/etc/yum.conf" file:
--
--clean_requirements_on_remove=1</fixtext><fix id="F-78339r1_fix" /><check system="C-72219r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system removes all software components after updated versions have been installed.
--
--Check if yum is configured to remove unneeded packages with the following command:
--
--# grep -i clean_requirements_on_remove /etc/yum.conf
--clean_requirements_on_remove=1
--
--If "clean_requirements_on_remove" is not set to "1", "True", or "yes", or is not set in "/etc/yum.conf", this is a finding.</check-content></check></Rule></Group><Group id="V-71989"><title>SRG-OS-000445-GPOS-00199</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86613r4_rule" severity="high" weight="10.0"><version>RHEL-07-020210</version><title>The Red Hat Enterprise Linux operating system must enable SELinux.</title><description>&lt;VulnDiscussion&gt;Without verification of the security functions, security functions may not operate correctly and the failure may go unnoticed. Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters.
--
--This requirement applies to operating systems performing security function verification/testing and/or systems and environments that require this functionality.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-002165</ident><ident system="http://iase.disa.mil/cci">CCI-002696</ident><fixtext fixref="F-78341r2_fix">Configure the operating system to verify correct operation of all security functions.
--
--Set the "SELinux" status and the "Enforcing" mode by modifying the "/etc/selinux/config" file to have the following line:
--
--SELINUX=enforcing
--
--A reboot is required for the changes to take effect.</fixtext><fix id="F-78341r2_fix" /><check system="C-72221r7_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Per OPORD 16-0080, the preferred intrusion detection system is McAfee Host Intrusion Prevention System (HIPS) in conjunction with SELinux.  McAfee Endpoint Security for Linux (ENSL) is an approved alternative to McAfee Virus Scan Enterprise (VSE) and HIPS. For RHEL 7 systems, SELinux is an approved alternative to McAfee HIPS. Regardless of whether or not McAfee HIPS or ENSL is installed, SELinux is interoperable with both McAfee products and SELinux is still required.
--
--Verify the operating system verifies correct operation of all security functions.
--
--Check if "SELinux" is active and in "Enforcing" mode with the following command:
--
--# getenforce
--Enforcing
--
--If "SELinux" is not active and not in "Enforcing" mode, this is a finding.</check-content></check></Rule></Group><Group id="V-71991"><title>SRG-OS-000445-GPOS-00199</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86615r6_rule" severity="high" weight="10.0"><version>RHEL-07-020220</version><title>The Red Hat Enterprise Linux operating system must enable the SELinux targeted policy.</title><description>&lt;VulnDiscussion&gt;Without verification of the security functions, security functions may not operate correctly and the failure may go unnoticed. Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters.
--
--This requirement applies to operating systems performing security function verification/testing and/or systems and environments that require this functionality.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-002165</ident><ident system="http://iase.disa.mil/cci">CCI-002696</ident><fixtext fixref="F-78343r2_fix">Configure the operating system to verify correct operation of all security functions.
--
--Set the "SELinuxtype" to the "targeted" policy by modifying the "/etc/selinux/config" file to have the following line:
--
--SELINUXTYPE=targeted
--
--A reboot is required for the changes to take effect.</fixtext><fix id="F-78343r2_fix" /><check system="C-72223r9_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Per OPORD 16-0080, the preferred intrusion detection system is McAfee Host Intrusion Prevention System (HIPS) in conjunction with SELinux. McAfee Endpoint Security for Linux (ENSL) is an approved alternative to McAfee Virus Scan Enterprise (VSE) and HIPS. For RHEL 7 systems, SELinux is an approved alternative to McAfee HIPS. Regardless of whether or not McAfee HIPS or ENSL is installed, SELinux is interoperable with both McAfee products and SELinux is still required.
--
--Verify the operating system verifies correct operation of all security functions.
--
--Check if "SELinux" is active and is enforcing the targeted policy with the following command:
--
--# sestatus
--
--SELinux status: enabled
--
--SELinuxfs mount: /selinux
--
--SELinux root directory: /etc/selinux
--
--Loaded policy name: targeted
--
--Current mode: enforcing
--
--Mode from config file: enforcing
--
--Policy MLS status: enabled
--
--Policy deny_unknown status: allowed
--
--Max kernel policy version: 28
--
--If the "Loaded policy name" is not set to "targeted", this is a finding.
--
--Verify that the /etc/selinux/config file is configured to the "SELINUXTYPE" to "targeted":
--
--# grep -i "selinuxtype" /etc/selinux/config | grep -v '^#'
--
--SELINUXTYPE = targeted
--
--If no results are returned or "SELINUXTYPE" is not set to "targeted", this is a finding.</check-content></check></Rule></Group><Group id="V-71993"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86617r5_rule" severity="high" weight="10.0"><version>RHEL-07-020230</version><title>The Red Hat Enterprise Linux operating system must be configured so that the x86 Ctrl-Alt-Delete key sequence is disabled on the command line.</title><description>&lt;VulnDiscussion&gt;A locally logged-on user who presses Ctrl-Alt-Delete, when at the console, can reboot the system. If accidentally pressed, as could happen in the case of a mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot. In the GNOME graphical environment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is reduced because the user will be prompted before any action is taken.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000366</ident><fixtext fixref="F-78345r6_fix">Configure the system to disable the Ctrl-Alt-Delete sequence for the command line with the following command:
--
--# systemctl mask ctrl-alt-del.target</fixtext><fix id="F-78345r6_fix" /><check system="C-72225r5_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system is not configured to reboot the system when Ctrl-Alt-Delete is pressed.
--
--Check that the ctrl-alt-del.target is masked and not active with the following command:
--
--# systemctl status ctrl-alt-del.target
--
--ctrl-alt-del.target
--Loaded: masked (/dev/null; bad)
--Active: inactive (dead)
--
--If the ctrl-alt-del.target is not masked, this is a finding.
--
--If the ctrl-alt-del.target is active, this is a finding.</check-content></check></Rule></Group><Group id="V-71995"><title>SRG-OS-000480-GPOS-00228</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86619r2_rule" severity="medium" weight="10.0"><version>RHEL-07-020240</version><title>The Red Hat Enterprise Linux operating system must define default permissions for all authenticated users in such a way that the user can only read and modify their own files.</title><description>&lt;VulnDiscussion&gt;Setting the most restrictive default permissions ensures that when new accounts are created, they do not have unnecessary access.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000366</ident><fixtext fixref="F-78347r1_fix">Configure the operating system to define default permissions for all authenticated users in such a way that the user can only read and modify their own files.
--
--Add or edit the line for the "UMASK" parameter in "/etc/login.defs" file to "077":
--
--UMASK  077</fixtext><fix id="F-78347r1_fix" /><check system="C-72227r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system defines default permissions for all authenticated users in such a way that the user can only read and modify their own files.
--
--Check for the value of the "UMASK" parameter in "/etc/login.defs" file with the following command:
--
--Note: If the value of the "UMASK" parameter is set to "000" in "/etc/login.defs" file, the Severity is raised to a CAT I.
--
--# grep -i umask /etc/login.defs
--UMASK  077
--
--If the value for the "UMASK" parameter is not "077", or the "UMASK" parameter is missing or is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-71997"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86621r6_rule" severity="high" weight="10.0"><version>RHEL-07-020250</version><title>The Red Hat Enterprise Linux operating system must be a vendor supported release.</title><description>&lt;VulnDiscussion&gt;An operating system release is considered "supported" if the vendor continues to provide security patches for the product. With an unsupported release, it will not be possible to resolve security issues discovered in the system software.
--
--Red Hat offers the Extended Update Support (EUS) Add-On to a Red Hat Enterprise Linux subscription, for a fee, for those customers who wish to standardize on a specific minor release for an extended period. RHEL 7.7 marks the final minor release that EUS will be available.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000366</ident><fixtext fixref="F-78349r1_fix">Upgrade to a supported version of the operating system.</fixtext><fix id="F-78349r1_fix" /><check system="C-72229r12_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the version of the operating system is vendor supported.
--
--Check the version of the operating system with the following command:
--
--# cat /etc/redhat-release
--
--Red Hat Enterprise Linux Server release 7.4 (Maipo)
--
--Current End of Extended Update Support for RHEL 7.6 is 31 October 2020.
--
--Current End of Extended Update Support for RHEL 7.7 is 31 August 2021.
--
--Current End of Maintenance Support for RHEL 7.8 is 31 October 2020.
--
--Current End of Maintenance Support for RHEL 7.9 is 30 April 2021.
--
--If the release is not supported by the vendor, this is a finding.</check-content></check></Rule></Group><Group id="V-71999"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86623r4_rule" severity="medium" weight="10.0"><version>RHEL-07-020260</version><title>The Red Hat Enterprise Linux operating system security patches and updates must be installed and up to date.</title><description>&lt;VulnDiscussion&gt;Timely patching is critical for maintaining the operational availability, confidentiality, and integrity of information technology (IT) systems. However, failure to keep operating system and application software patched is a common mistake made by IT professionals. New patches are released daily, and it is often difficult for even experienced System Administrators to keep abreast of all the new patches. When new weaknesses in an operating system exist, patches are usually made available by the vendor to resolve the problems. If the most recent security patches and updates are not installed, unauthorized users may take advantage of weaknesses in the unpatched software. The lack of prompt attention to patching could result in a system compromise.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000366</ident><fixtext fixref="F-78351r1_fix">Install the operating system patches or updated packages available from Red Hat within 30 days or sooner as local policy dictates.</fixtext><fix id="F-78351r1_fix" /><check system="C-72231r3_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system security patches and updates are installed and up to date. Updates are required to be applied with a frequency determined by the site or Program Management Office (PMO). 
--
--Obtain the list of available package security updates from Red Hat. The URL for updates is https://rhn.redhat.com/errata/. It is important to note that updates provided by Red Hat may not be present on the system if the underlying packages are not installed.
--
--Check that the available package security updates have been installed on the system with the following command:
--
--# yum history list | more
--Loaded plugins: langpacks, product-id, subscription-manager
--ID     | Command line             | Date and time    | Action(s)      | Altered
---------------------------------------------------------------------------------
--    70 | install aide             | 2016-05-05 10:58 | Install       |     1   
--    69 | update -y                | 2016-05-04 14:34 | Update     |   18 EE
--    68 | install vlc                | 2016-04-21 17:12 | Install        |   21   
--    67 | update -y                | 2016-04-21 17:04 | Update     |     7 EE
--    66 | update -y                | 2016-04-15 16:47 | E, I, U         |   84 EE
--
--If package updates have not been performed on the system within the timeframe that the site/program documentation requires, this is a finding. 
--
--Typical update frequency may be overridden by Information Assurance Vulnerability Alert (IAVA) notifications from CYBERCOM.
--
--If the operating system is in non-compliance with the Information Assurance Vulnerability Management (IAVM) process, this is a finding.</check-content></check></Rule></Group><Group id="V-72001"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86625r2_rule" severity="medium" weight="10.0"><version>RHEL-07-020270</version><title>The Red Hat Enterprise Linux operating system must not have unnecessary accounts.</title><description>&lt;VulnDiscussion&gt;Accounts providing no operational purpose provide additional opportunities for system compromise. Unnecessary accounts include user accounts for individuals not requiring access to the system and application accounts for applications not installed on the system.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000366</ident><fixtext fixref="F-78353r1_fix">Configure the system so all accounts on the system are assigned to an active system, application, or user account. 
--
--Remove accounts that do not support approved system activities or that allow for a normal user to perform administrative-level actions. 
--
--Document all authorized accounts on the system.</fixtext><fix id="F-78353r1_fix" /><check system="C-72233r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify all accounts on the system are assigned to an active system, application, or user account.
--
--Obtain the list of authorized system accounts from the Information System Security Officer (ISSO).
--
--Check the system accounts on the system with the following command:
--
--# more /etc/passwd
--root:x:0:0:root:/root:/bin/bash
--bin:x:1:1:bin:/bin:/sbin/nologin
--daemon:x:2:2:daemon:/sbin:/sbin/nologin
--sync:x:5:0:sync:/sbin:/bin/sync
--shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
--halt:x:7:0:halt:/sbin:/sbin/halt
--games:x:12:100:games:/usr/games:/sbin/nologin
--gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
--
--Accounts such as "games" and "gopher" are not authorized accounts as they do not support authorized system functions. 
--
--If the accounts on the system do not match the provided documentation, or accounts that do not support an authorized system function are present, this is a finding.</check-content></check></Rule></Group><Group id="V-72003"><title>SRG-OS-000104-GPOS-00051</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86627r2_rule" severity="low" weight="10.0"><version>RHEL-07-020300</version><title>The Red Hat Enterprise Linux operating system must be configured so that all Group Identifiers (GIDs) referenced in the /etc/passwd file are defined in the /etc/group file.</title><description>&lt;VulnDiscussion&gt;If a user is assigned the GID of a group not existing on the system, and a group with the GID is subsequently created, the user may have unintended rights to any files associated with the group.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000764</ident><fixtext fixref="F-78355r1_fix">Configure the system to define all GIDs found in the "/etc/passwd" file by modifying the "/etc/group" file to add any non-existent group referenced in the "/etc/passwd" file, or change the GIDs referenced in the "/etc/passwd" file to a group that exists in "/etc/group".</fixtext><fix id="F-78355r1_fix" /><check system="C-72235r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify all GIDs referenced in the "/etc/passwd" file are defined in the "/etc/group" file.
--
--Check that all referenced GIDs exist with the following command:
--
--# pwck -r
--
--If GIDs referenced in "/etc/passwd" file are returned as not defined in "/etc/group" file, this is a finding.</check-content></check></Rule></Group><Group id="V-72005"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86629r2_rule" severity="high" weight="10.0"><version>RHEL-07-020310</version><title>The Red Hat Enterprise Linux operating system must be configured so that the root account must be the only account having unrestricted access to the system.</title><description>&lt;VulnDiscussion&gt;If an account other than root also has a User Identifier (UID) of "0", it has root authority, giving that account unrestricted access to the entire operating system. Multiple accounts with a UID of "0" afford an opportunity for potential intruders to guess a password for a privileged account.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000366</ident><fixtext fixref="F-78357r1_fix">Change the UID of any account on the system, other than root, that has a UID of "0". 
--
--If the account is associated with system commands or applications, the UID should be changed to one greater than "0" but less than "1000". Otherwise, assign a UID of greater than "1000" that has not already been assigned.</fixtext><fix id="F-78357r1_fix" /><check system="C-72237r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Check the system for duplicate UID "0" assignments with the following command:
--
--# awk -F: '$3 == 0 {print $1}' /etc/passwd
--
--If any accounts other than root have a UID of "0", this is a finding.</check-content></check></Rule></Group><Group id="V-72007"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86631r3_rule" severity="medium" weight="10.0"><version>RHEL-07-020320</version><title>The Red Hat Enterprise Linux operating system must be configured so that all files and directories have a valid owner.</title><description>&lt;VulnDiscussion&gt;Unowned files and directories may be unintentionally inherited if a user is assigned the same User Identifier "UID" as the UID of the un-owned files.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-002165</ident><fixtext fixref="F-78359r1_fix">Either remove all files and directories from the system that do not have a valid user, or assign a valid user to all unowned files and directories on the system with the "chown" command:
--
--# chown &lt;user&gt; &lt;file&gt;</fixtext><fix id="F-78359r1_fix" /><check system="C-72239r2_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify all files and directories on the system have a valid owner.
--
--Check the owner of all files and directories with the following command:
--
--Note: The value after -fstype must be replaced with the filesystem type. XFS is used as an example.
--
--# find / -fstype xfs -nouser
--
--If any files on the system do not have an assigned owner, this is a finding.</check-content></check></Rule></Group><Group id="V-72009"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86633r3_rule" severity="medium" weight="10.0"><version>RHEL-07-020330</version><title>The Red Hat Enterprise Linux operating system must be configured so that all files and directories have a valid group owner.</title><description>&lt;VulnDiscussion&gt;Files without a valid group owner may be unintentionally inherited if a group is assigned the same Group Identifier (GID) as the GID of the files without a valid group owner.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-002165</ident><fixtext fixref="F-78361r1_fix">Either remove all files and directories from the system that do not have a valid group, or assign a valid group to all files and directories on the system with the "chgrp" command:
--
--# chgrp &lt;group&gt; &lt;file&gt;</fixtext><fix id="F-78361r1_fix" /><check system="C-72241r3_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify all files and directories on the system have a valid group.
--
--Check the owner of all files and directories with the following command:
--
--Note: The value after -fstype must be replaced with the filesystem type. XFS is used as an example.
--
--# find / -fstype xfs -nogroup
--
--If any files on the system do not have an assigned group, this is a finding.</check-content></check></Rule></Group><Group id="V-72013"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86637r2_rule" severity="medium" weight="10.0"><version>RHEL-07-020610</version><title>The Red Hat Enterprise Linux operating system must be configured so that all local interactive user accounts, upon creation, are assigned a home directory.</title><description>&lt;VulnDiscussion&gt;If local interactive users are not assigned a valid home directory, there is no place for the storage and control of files they should own.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000366</ident><fixtext fixref="F-78365r1_fix">Configure the operating system to assign home directories to all new local interactive users by setting the "CREATE_HOME" parameter in "/etc/login.defs" to "yes" as follows.
--
--CREATE_HOME yes</fixtext><fix id="F-78365r1_fix" /><check system="C-72245r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify all local interactive users on the system are assigned a home directory upon creation.
--
--Check to see if the system is configured to create home directories for local interactive users with the following command:
--
--# grep -i create_home /etc/login.defs
--CREATE_HOME yes
--
--If the value for "CREATE_HOME" parameter is not set to "yes", the line is missing, or the line is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-72015"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86639r3_rule" severity="medium" weight="10.0"><version>RHEL-07-020620</version><title>The Red Hat Enterprise Linux operating system must be configured so that all local interactive users have a home directory assigned and defined in the /etc/passwd file.</title><description>&lt;VulnDiscussion&gt;If local interactive users are not assigned a valid home directory, there is no place for the storage and control of files they should own.
--
--In addition, if a local interactive user has a home directory defined that does not exist, the user may be given access to the / directory as the current working directory upon logon. This could create a Denial of Service because the user would not be able to access their logon configuration files, and it may give them visibility to system files they normally would not be able to access.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000366</ident><fixtext fixref="F-78367r2_fix">Create home directories to all local interactive users that currently do not have a home directory assigned. Use the following commands to create the user home directory assigned in "/etc/ passwd":
--
--Note: The example will be for the user smithj, who has a home directory of "/home/smithj", a UID of "smithj", and a Group Identifier (GID) of "users" assigned in "/etc/passwd".
--
--# mkdir /home/smithj 
--# chown smithj /home/smithj
--# chgrp users /home/smithj
--# chmod 0750 /home/smithj</fixtext><fix id="F-78367r2_fix" /><check system="C-72247r3_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify local interactive users on the system have a home directory assigned and the directory exists.
--
--Check the home directory assignment for all local interactive non-privileged users on the system with the following command:
--
--# cut -d: -f 1,3,6 /etc/passwd | egrep ":[1-9][0-9]{3}"
--
--smithj:1001:/home/smithj
--
--Note: This may miss interactive users that have been assigned a privileged UID. Evidence of interactive use may be obtained from a number of log files containing system logon information.
--
--Check that all referenced home directories exist with the following command:
--
--# pwck -r
--user 'smithj': directory '/home/smithj' does not exist
--
--If any home directories referenced in "/etc/passwd" are returned as not defined, or if any interactive users do not have a home directory assigned, this is a finding.</check-content></check></Rule></Group><Group id="V-72017"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86641r3_rule" severity="medium" weight="10.0"><version>RHEL-07-020630</version><title>The Red Hat Enterprise Linux operating system must be configured so that all local interactive user home directories have mode 0750 or less permissive.</title><description>&lt;VulnDiscussion&gt;Excessive permissions on local interactive user home directories may allow unauthorized access to user files by other users.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000366</ident><fixtext fixref="F-78369r2_fix">Change the mode of interactive user's home directories to "0750". To change the mode of a local interactive user's home directory, use the following command:
--
--Note: The example will be for the user "smithj".
--
--# chmod 0750 /home/smithj</fixtext><fix id="F-78369r2_fix" /><check system="C-72249r2_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the assigned home directory of all local interactive users has a mode of "0750" or less permissive.
--
--Check the home directory assignment for all non-privileged users on the system with the following command:
--
--Note: This may miss interactive users that have been assigned a privileged User Identifier (UID). Evidence of interactive use may be obtained from a number of log files containing system logon information.
--
--# ls -ld $(egrep ':[0-9]{4}' /etc/passwd | cut -d: -f6)
---rwxr-x--- 1 smithj users  18 Mar  5 17:06 /home/smithj
--
--If home directories referenced in "/etc/passwd" do not have a mode of "0750" or less permissive, this is a finding.</check-content></check></Rule></Group><Group id="V-72019"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86643r5_rule" severity="medium" weight="10.0"><version>RHEL-07-020640</version><title>The Red Hat Enterprise Linux operating system must be configured so that all local interactive user home directories are owned by their respective users.</title><description>&lt;VulnDiscussion&gt;If a local interactive user does not own their home directory, unauthorized users could access or modify the user's files, and the users may not be able to access their own files.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000366</ident><fixtext fixref="F-78371r2_fix">Change the owner of a local interactive user's home directories to that owner. To change the owner of a local interactive user's home directory, use the following command:
--
--Note: The example will be for the user smithj, who has a home directory of "/home/smithj".
--
--# chown smithj /home/smithj</fixtext><fix id="F-78371r2_fix" /><check system="C-72251r6_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the assigned home directory of all local interactive users on the system exists.
--
--Check the home directory assignment for all local interactive users on the system with the following command:
--
--# ls -ld $(egrep ':[0-9]{4}' /etc/passwd | cut -d: -f6)
--
---rwxr-x--- 1 smithj users 18 Mar 5 17:06 /home/smithj
--
--If any home directories referenced in "/etc/passwd" are not owned by the interactive user, this is a finding.</check-content></check></Rule></Group><Group id="V-72021"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86645r5_rule" severity="medium" weight="10.0"><version>RHEL-07-020650</version><title>The Red Hat Enterprise Linux operating system must be configured so that all local interactive user home directories are group-owned by the home directory owners primary group.</title><description>&lt;VulnDiscussion&gt;If the Group Identifier (GID) of a local interactive user's home directory is not the same as the primary GID of the user, this would allow unauthorized access to the user's files, and users that share the same group may not be able to access files that they legitimately should.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000366</ident><fixtext fixref="F-78373r2_fix">Change the group owner of a local interactive user's home directory to the group found in "/etc/passwd". To change the group owner of a local interactive user's home directory, use the following command:
--
--Note: The example will be for the user "smithj", who has a home directory of "/home/smithj", and has a primary group of users.
--
--# chgrp users /home/smithj</fixtext><fix id="F-78373r2_fix" /><check system="C-72253r8_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the assigned home directory of all local interactive users is group-owned by that user's primary GID.
--
--Check the home directory assignment for all local interactive users on the system with the following command:
--
--# ls -ld $(egrep ':[0-9]{4}' /etc/passwd | cut -d: -f6)
--
---rwxr-x--- 1 smithj users 18 Mar 5 17:06 /home/smithj
--
--Check the user's primary group with the following command:
--
--# grep users /etc/group
--
--users:x:250:smithj,jonesj,jacksons
--
--If the user home directory referenced in "/etc/passwd" is not group-owned by that user's primary GID, this is a finding.</check-content></check></Rule></Group><Group id="V-72023"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86647r2_rule" severity="medium" weight="10.0"><version>RHEL-07-020660</version><title>The Red Hat Enterprise Linux operating system must be configured so that all files and directories contained in local interactive user home directories are owned by the owner of the home directory.</title><description>&lt;VulnDiscussion&gt;If local interactive users do not own the files in their directories, unauthorized users may be able to access them. Additionally, if files are not owned by the user, this could be an indication of system compromise.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000366</ident><fixtext fixref="F-78375r2_fix">Change the owner of a local interactive user's files and directories to that owner. To change the owner of a local interactive user's files and directories, use the following command:
--
--Note: The example will be for the user smithj, who has a home directory of "/home/smithj".
--
--# chown smithj /home/smithj/&lt;file or directory&gt;</fixtext><fix id="F-78375r2_fix" /><check system="C-72255r3_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify all files and directories in a local interactive user's home directory are owned by the user.
--
--Check the owner of all files and directories in a local interactive user's home directory with the following command:
--
--Note: The example will be for the user "smithj", who has a home directory of "/home/smithj".
--
--# ls -lLR /home/smithj
---rw-r--r-- 1 smithj smithj  18 Mar  5 17:06 file1
---rw-r--r-- 1 smithj smithj 193 Mar  5 17:06 file2
---rw-r--r-- 1 smithj smithj 231 Mar  5 17:06 file3
--
--If any files are found with an owner different than the home directory user, this is a finding.</check-content></check></Rule></Group><Group id="V-72025"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86649r2_rule" severity="medium" weight="10.0"><version>RHEL-07-020670</version><title>The Red Hat Enterprise Linux operating system must be configured so that all files and directories contained in local interactive user home directories are group-owned by a group of which the home directory owner is a member.</title><description>&lt;VulnDiscussion&gt;If a local interactive user's files are group-owned by a group of which the user is not a member, unintended users may be able to access them.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000366</ident><fixtext fixref="F-78377r2_fix">Change the group of a local interactive user's files and directories to a group that the interactive user is a member of. To change the group owner of a local interactive user's files and directories, use the following command:
--
--Note: The example will be for the user smithj, who has a home directory of "/home/smithj" and is a member of the users group.
--
--# chgrp users /home/smithj/&lt;file&gt;</fixtext><fix id="F-78377r2_fix" /><check system="C-72257r3_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify all files and directories in a local interactive user home directory are group-owned by a group the user is a member of.
--
--Check the group owner of all files and directories in a local interactive user's home directory with the following command:
--
--Note: The example will be for the user "smithj", who has a home directory of "/home/smithj".
--
--# ls -lLR /&lt;home directory&gt;/&lt;users home directory&gt;/
---rw-r--r-- 1 smithj smithj  18 Mar  5 17:06 file1
---rw-r--r-- 1 smithj smithj 193 Mar  5 17:06 file2
---rw-r--r-- 1 smithj sa        231 Mar  5 17:06 file3
--
--If any files are found with an owner different than the group home directory user, check to see if the user is a member of that group with the following command:
--
--# grep smithj /etc/group
--sa:x:100:juan,shelley,bob,smithj 
--smithj:x:521:smithj
--
--If the user is not a member of a group that group owns file(s) in a local interactive user's home directory, this is a finding.</check-content></check></Rule></Group><Group id="V-72027"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86651r2_rule" severity="medium" weight="10.0"><version>RHEL-07-020680</version><title>The Red Hat Enterprise Linux operating system must be configured so that all files and directories contained in local interactive user home directories have a mode of 0750 or less permissive.</title><description>&lt;VulnDiscussion&gt;If a local interactive user files have excessive permissions, unintended users may be able to access or modify them.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000366</ident><fixtext fixref="F-78379r1_fix">Set the mode on files and directories in the local interactive user home directory with the following command:
--
--Note: The example will be for the user smithj, who has a home directory of "/home/smithj" and is a member of the users group.
--
--# chmod 0750 /home/smithj/&lt;file&gt;</fixtext><fix id="F-78379r1_fix" /><check system="C-72259r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify all files and directories contained in a local interactive user home directory, excluding local initialization files, have a mode of "0750".
--
--Check the mode of all non-initialization files in a local interactive user home directory with the following command:
--
--Files that begin with a "." are excluded from this requirement.
--
--Note: The example will be for the user "smithj", who has a home directory of "/home/smithj".
--
--# ls -lLR /home/smithj
---rwxr-x--- 1 smithj smithj  18 Mar  5 17:06 file1
---rwxr----- 1 smithj smithj 193 Mar  5 17:06 file2
---rw-r-x--- 1 smithj smithj 231 Mar  5 17:06 file3
--
--If any files are found with a mode more permissive than "0750", this is a finding.</check-content></check></Rule></Group><Group id="V-72029"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86653r4_rule" severity="medium" weight="10.0"><version>RHEL-07-020690</version><title>The Red Hat Enterprise Linux operating system must be configured so that all local initialization files for interactive users are owned by the home directory user or root.</title><description>&lt;VulnDiscussion&gt;Local initialization files are used to configure the user's shell environment upon logon. Malicious modification of these files could compromise accounts upon logon.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000366</ident><fixtext fixref="F-78381r4_fix">Set the owner of the local initialization files for interactive users to either the directory owner or root with the following command:
--
--Note: The example will be for the smithj user, who has a home directory of "/home/smithj".
--
--# chown smithj /home/smithj/.[^.]*</fixtext><fix id="F-78381r4_fix" /><check system="C-72261r6_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the local initialization files of all local interactive users are owned by that user.
--
--Check the home directory assignment for all non-privileged users on the system with the following command:
--
--Note: The example will be for the smithj user, who has a home directory of "/home/smithj".
--
--# cut -d: -f 1,3,6 /etc/passwd | egrep ":[1-4][0-9]{3}"
--smithj:1000:/home/smithj
--
--Note: This may miss interactive users that have been assigned a privileged User Identifier (UID). Evidence of interactive use may be obtained from a number of log files containing system logon information.
--
--Check the owner of all local interactive user's initialization files with the following command:
--
--# ls -al /home/smithj/.[^.]* | more
--
---rwxr-xr-x 1 smithj users 896 Mar 10 2011 .profile
---rwxr-xr-x 1 smithj users 497 Jan 6 2007 .login
---rwxr-xr-x 1 smithj users 886 Jan 6 2007 .something
--
--If all local interactive user's initialization files are not owned by that user or root, this is a finding.</check-content></check></Rule></Group><Group id="V-72031"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86655r4_rule" severity="medium" weight="10.0"><version>RHEL-07-020700</version><title>The Red Hat Enterprise Linux operating system must be configured so that all local initialization files for local interactive users are be group-owned by the users primary group or root.</title><description>&lt;VulnDiscussion&gt;Local initialization files for interactive users are used to configure the user's shell environment upon logon. Malicious modification of these files could compromise accounts upon logon.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000366</ident><fixtext fixref="F-78383r4_fix">Change the group owner of a local interactive user's files to the group found in "/etc/passwd" for the user. To change the group owner of a local interactive user's home directory, use the following command:
--
--Note: The example will be for the user smithj, who has a home directory of "/home/smithj", and has a primary group of users.
--
--# chgrp users /home/smithj/.[^.]*</fixtext><fix id="F-78383r4_fix" /><check system="C-72263r7_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the local initialization files of all local interactive users are group-owned by that user's primary Group Identifier (GID).
--
--Check the home directory assignment for all non-privileged users on the system with the following command:
--
--Note: The example will be for the smithj user, who has a home directory of "/home/smithj" and a primary group of "users".
--
--# cut -d: -f 1,4,6 /etc/passwd | egrep ":[1-4][0-9]{3}"
--smithj:1000:/home/smithj
--
--# grep 1000 /etc/group
--users:x:1000:smithj,jonesj,jacksons 
--
--Note: This may miss interactive users that have been assigned a privileged User Identifier (UID). Evidence of interactive use may be obtained from a number of log files containing system logon information.
--
--Check the group owner of all local interactive user's initialization files with the following command:
--
--# ls -al /home/smithj/.[^.]* | more
--
---rwxr-xr-x 1 smithj users 896 Mar 10 2011 .profile
---rwxr-xr-x 1 smithj users 497 Jan 6 2007 .login
---rwxr-xr-x 1 smithj users 886 Jan 6 2007 .something
--
--If all local interactive user's initialization files are not group-owned by that user's primary GID, this is a finding.</check-content></check></Rule></Group><Group id="V-72033"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86657r3_rule" severity="medium" weight="10.0"><version>RHEL-07-020710</version><title>The Red Hat Enterprise Linux operating system must be configured so that all local initialization files have mode 0740 or less permissive.</title><description>&lt;VulnDiscussion&gt;Local initialization files are used to configure the user's shell environment upon logon. Malicious modification of these files could compromise accounts upon logon.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000366</ident><fixtext fixref="F-78385r4_fix">Set the mode of the local initialization files to "0740" with the following command:
--
--Note: The example will be for the "smithj" user, who has a home directory of "/home/smithj".
--
--# chmod 0740 /home/smithj/.[^.]*</fixtext><fix id="F-78385r4_fix" /><check system="C-72265r4_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify that all local initialization files have a mode of "0740" or less permissive.
--
--Check the mode on all local initialization files with the following command:
--
--Note: The example will be for the "smithj" user, who has a home directory of "/home/smithj".
--
--# ls -al /home/smithj/.[^.]* | more
--
---rwxr----- 1 smithj users 896 Mar 10 2011 .profile
---rwxr----- 1 smithj users 497 Jan 6 2007 .login
---rwxr----- 1 smithj users 886 Jan 6 2007 .something
--
--If any local initialization files have a mode more permissive than "0740", this is a finding.</check-content></check></Rule></Group><Group id="V-72035"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86659r4_rule" severity="medium" weight="10.0"><version>RHEL-07-020720</version><title>The Red Hat Enterprise Linux operating system must be configured so that all local interactive user initialization files executable search paths contain only paths that resolve to the users home directory.</title><description>&lt;VulnDiscussion&gt;The executable search path (typically the PATH environment variable) contains a list of directories for the shell to search to find executables. If this path includes the current working directory (other than the user's home directory), executables in these directories may be executed instead of system commands. This variable is formatted as a colon-separated list of directories. If there is an empty entry, such as a leading or trailing colon or two consecutive colons, this is interpreted as the current working directory. If deviations from the default system search path for the local interactive user are required, they must be documented with the Information System Security Officer (ISSO).&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000366</ident><fixtext fixref="F-78387r4_fix">Edit the local interactive user initialization files to change any PATH variable statements that reference directories other than their home directory. 
--
--If a local interactive user requires path variables to reference a directory owned by the application, it must be documented with the ISSO.</fixtext><fix id="F-78387r4_fix" /><check system="C-72267r5_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify that all local interactive user initialization files' executable search path statements do not contain statements that will reference a working directory other than the users' home directory.
--
--Check the executable search path statement for all local interactive user initialization files in the users' home directory with the following commands:
--
--Note: The example will be for the smithj user, which has a home directory of "/home/smithj".
--
--# grep -i path /home/smithj/.*
--/home/smithj/.bash_profile:PATH=$PATH:$HOME/.local/bin:$HOME/bin
--/home/smithj/.bash_profile:export PATH
--
--If any local interactive user initialization files have executable search path statements that include directories outside of their home directory, this is a finding.</check-content></check></Rule></Group><Group id="V-72037"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86661r2_rule" severity="medium" weight="10.0"><version>RHEL-07-020730</version><title>The Red Hat Enterprise Linux operating system must be configured so that local initialization files do not execute world-writable programs.</title><description>&lt;VulnDiscussion&gt;If user start-up files execute world-writable programs, especially in unprotected directories, they could be maliciously modified to destroy user files or otherwise compromise the system at the user level. If the system is compromised at the user level, it is easier to elevate privileges to eventually compromise the system at the root and network level.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000366</ident><fixtext fixref="F-78389r2_fix">Set the mode on files being executed by the local initialization files with the following command:
--
--# chmod 0755 &lt;file&gt;</fixtext><fix id="F-78389r2_fix" /><check system="C-72269r2_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify that local initialization files do not execute world-writable programs.
--
--Check the system for world-writable files with the following command:
--
--# find / -xdev -perm -002 -type f -exec ls -ld {} \; | more
--
--For all files listed, check for their presence in the local initialization files with the following commands:
--
--Note: The example will be for a system that is configured to create users' home directories in the "/home" directory.
--
--# grep &lt;file&gt; /home/*/.*
--
--If any local initialization files are found to reference world-writable files, this is a finding.</check-content></check></Rule></Group><Group id="V-72039"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86663r2_rule" severity="medium" weight="10.0"><version>RHEL-07-020900</version><title>The Red Hat Enterprise Linux operating system must be configured so that all system device files are correctly labeled to prevent unauthorized modification.</title><description>&lt;VulnDiscussion&gt;If an unauthorized or modified device is allowed to exist on the system, there is the possibility the system may perform unintended or unauthorized operations.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000318</ident><ident system="http://iase.disa.mil/cci">CCI-000368</ident><ident system="http://iase.disa.mil/cci">CCI-001812</ident><ident system="http://iase.disa.mil/cci">CCI-001813</ident><ident system="http://iase.disa.mil/cci">CCI-001814</ident><fixtext fixref="F-78391r1_fix">Run the following command to determine which package owns the device file:
--
--# rpm -qf &lt;filename&gt;
--
--The package can be reinstalled from a yum repository using the command:
--
--# sudo yum reinstall &lt;packagename&gt;
--
--Alternatively, the package can be reinstalled from trusted media using the command:
--
--# sudo rpm -Uvh &lt;packagename&gt;</fixtext><fix id="F-78391r1_fix" /><check system="C-72271r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify that all system device files are correctly labeled to prevent unauthorized modification.
--
--List all device files on the system that are incorrectly labeled with the following commands:
--
--Note: Device files are normally found under "/dev", but applications may place device files in other directories and may necessitate a search of the entire system.
--
--#find /dev -context *:device_t:* \( -type c -o -type b \) -printf "%p %Z\n"
--
--#find /dev -context *:unlabeled_t:* \( -type c -o -type b \) -printf "%p %Z\n"
--
--Note: There are device files, such as "/dev/vmci", that are used when the operating system is a host virtual machine. They will not be owned by a user on the system and require the "device_t" label to operate. These device files are not a finding.
--
--If there is output from either of these commands, other than already noted, this is a finding.</check-content></check></Rule></Group><Group id="V-72041"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86665r4_rule" severity="medium" weight="10.0"><version>RHEL-07-021000</version><title>The Red Hat Enterprise Linux operating system must be configured so that file systems containing user home directories are mounted to prevent files with the setuid and setgid bit set from being executed.</title><description>&lt;VulnDiscussion&gt;The "nosuid" mount option causes the system to not execute setuid and setgid files with owner privileges. This option must be used for mounting any file system not containing approved setuid and setguid files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000366</ident><fixtext fixref="F-78393r2_fix">Configure the "/etc/fstab" to use the "nosuid" option on file systems that contain user home directories.</fixtext><fix id="F-78393r2_fix" /><check system="C-72273r7_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify file systems that contain user home directories are mounted with the "nosuid" option.
--
--Find the file system(s) that contain the user home directories with the following command:
--
--Note: If a separate file system has not been created for the user home directories (user home directories are mounted under "/"), this is not a finding as the "nosuid" option cannot be used on the "/" system.
--
--# cut -d: -f 1,3,6 /etc/passwd | egrep ":[1-4][0-9]{3}"
--smithj:1001:/home/smithj
--thomasr:1002:/home/thomasr
--
--Check the file systems that are mounted at boot time with the following command:
--
--# more /etc/fstab
--
--UUID=a411dc99-f2a1-4c87-9e05-184977be8539 /home   ext4   rw,relatime,discard,data=ordered,nosuid 0 2
--                                                            
--If a file system found in "/etc/fstab" refers to the user home directory file system and it does not have the "nosuid" option set, this is a finding.</check-content></check></Rule></Group><Group id="V-72043"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86667r2_rule" severity="medium" weight="10.0"><version>RHEL-07-021010</version><title>The Red Hat Enterprise Linux operating system must prevent files with the setuid and setgid bit set from being executed on file systems that are used with removable media.</title><description>&lt;VulnDiscussion&gt;The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000366</ident><fixtext fixref="F-78395r1_fix">Configure the "/etc/fstab" to use the "nosuid" option on file systems that are associated with removable media.</fixtext><fix id="F-78395r1_fix" /><check system="C-72275r2_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify file systems that are used for removable media are mounted with the "nosuid" option.
--
--Check the file systems that are mounted at boot time with the following command:
--
--# more /etc/fstab
--
--UUID=2bc871e4-e2a3-4f29-9ece-3be60c835222 /mnt/usbflash vfat noauto,owner,ro,nosuid 0 0
--
--If a file system found in "/etc/fstab" refers to removable media and it does not have the "nosuid" option set, this is a finding.</check-content></check></Rule></Group><Group id="V-72045"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86669r2_rule" severity="medium" weight="10.0"><version>RHEL-07-021020</version><title>The Red Hat Enterprise Linux operating system must prevent files with the setuid and setgid bit set from being executed on file systems that are being imported via Network File System (NFS).</title><description>&lt;VulnDiscussion&gt;The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000366</ident><fixtext fixref="F-78397r2_fix">Configure the "/etc/fstab" to use the "nosuid" option on file systems that are being imported via NFS.</fixtext><fix id="F-78397r2_fix" /><check system="C-72277r2_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify file systems that are being NFS imported are configured with the "nosuid" option.
--
--Find the file system(s) that contain the directories being exported with the following command:
--
--# more /etc/fstab | grep nfs
--
--UUID=e06097bb-cfcd-437b-9e4d-a691f5662a7d /store nfs rw,nosuid 0 0
--
--If a file system found in "/etc/fstab" refers to NFS and it does not have the "nosuid" option set, this is a finding.
--
--Verify the NFS is mounted with the "nosuid" option:
--
--# mount | grep nfs | grep nosuid
--If no results are returned, this is a finding.</check-content></check></Rule></Group><Group id="V-72047"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86671r4_rule" severity="medium" weight="10.0"><version>RHEL-07-021030</version><title>The Red Hat Enterprise Linux operating system must be configured so that all world-writable directories are group-owned by root, sys, bin, or an application group.</title><description>&lt;VulnDiscussion&gt;If a world-writable directory has the sticky bit set and is not group-owned by a privileged Group Identifier (GID), unauthorized users may be able to modify files created by others.
--
--The only authorized public directories are those temporary directories supplied with the system or those designed to be temporary file repositories. The setting is normally reserved for directories used by the system and by users for temporary file storage, (e.g., /tmp), and for directories requiring global read/write access.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000366</ident><fixtext fixref="F-78399r1_fix">Change the group of the world-writable directories to root with the following command:
--
--# chgrp root &lt;directory&gt;</fixtext><fix id="F-78399r1_fix" /><check system="C-72279r4_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify all world-writable directories are group-owned by root, sys, bin, or an application group.
--
--Check the system for world-writable directories with the following command:
--
--Note: The value after -fstype must be replaced with the filesystem type. XFS is used as an example.
--
--# find / -xdev -perm -002 -type d -fstype xfs -exec ls -lLd {} \;
--drwxrwxrwt 2 root root 40 Aug 26 13:07 /dev/mqueue
--drwxrwxrwt 2 root root 220 Aug 26 13:23 /dev/shm
--drwxrwxrwt 14 root root 4096 Aug 26 13:29 /tmp
--
--If any world-writable directories are not owned by root, sys, bin, or an application group associated with the directory, this is a finding.</check-content></check></Rule></Group><Group id="V-72049"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86673r2_rule" severity="medium" weight="10.0"><version>RHEL-07-021040</version><title>The Red Hat Enterprise Linux operating system must set the umask value to 077 for all local interactive user accounts.</title><description>&lt;VulnDiscussion&gt;The umask controls the default access mode assigned to newly created files. A umask of 077 limits new files to mode 700 or less permissive. Although umask can be represented as a four-digit number, the first digit representing special access modes is typically ignored or required to be "0". This requirement applies to the globally configured system defaults and the local interactive user defaults for each account on the system.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000318</ident><ident system="http://iase.disa.mil/cci">CCI-000368</ident><ident system="http://iase.disa.mil/cci">CCI-001812</ident><ident system="http://iase.disa.mil/cci">CCI-001813</ident><ident system="http://iase.disa.mil/cci">CCI-001814</ident><fixtext fixref="F-78401r3_fix">Remove the umask statement from all local interactive user's initialization files. 
--
--If the account is for an application, the requirement for a umask less restrictive than "077" can be documented with the Information System Security Officer, but the user agreement for access to the account must specify that the local interactive user must log on to their account first and then switch the user to the application account with the correct option to gain the account's environment variables.</fixtext><fix id="F-78401r3_fix" /><check system="C-72281r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify that the default umask for all local interactive users is "077".
--
--Identify the locations of all local interactive user home directories by looking at the "/etc/passwd" file.
--
--Check all local interactive user initialization files for interactive users with the following command:
--
--Note: The example is for a system that is configured to create users home directories in the "/home" directory.
--
--# grep -i umask /home/*/.*
--
--If any local interactive user initialization files are found to have a umask statement that has a value less restrictive than "077", this is a finding.</check-content></check></Rule></Group><Group id="V-72051"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86675r2_rule" severity="medium" weight="10.0"><version>RHEL-07-021100</version><title>The Red Hat Enterprise Linux operating system must have cron logging implemented.</title><description>&lt;VulnDiscussion&gt;Cron logging can be used to trace the successful or unsuccessful execution of cron jobs. It can also be used to spot intrusions into the use of the cron facility by unauthorized and malicious users.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000366</ident><fixtext fixref="F-78403r2_fix">Configure "rsyslog" to log all cron messages by adding or updating the following line to "/etc/rsyslog.conf" or a configuration file in the /etc/rsyslog.d/ directory:
--
--cron.* /var/log/cron.log</fixtext><fix id="F-78403r2_fix" /><check system="C-72283r2_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify that "rsyslog" is configured to log cron events.
--
--Check the configuration of "/etc/rsyslog.conf" or "/etc/rsyslog.d/*.conf" files for the cron facility with the following command:
--
--Note: If another logging package is used, substitute the utility configuration file for "/etc/rsyslog.conf" or "/etc/rsyslog.d/*.conf" files.
--
--# grep cron /etc/rsyslog.conf  /etc/rsyslog.d/*.conf
--cron.* /var/log/cron.log
--
--If the command does not return a response, check for cron logging all facilities by inspecting the "/etc/rsyslog.conf" or "/etc/rsyslog.d/*.conf" files.
--
--Look for the following entry:
--
--*.* /var/log/messages
--
--If "rsyslog" is not logging messages for the cron facility or all facilities, this is a finding.</check-content></check></Rule></Group><Group id="V-72053"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86677r3_rule" severity="medium" weight="10.0"><version>RHEL-07-021110</version><title>The Red Hat Enterprise Linux operating system must be configured so that the cron.allow file, if it exists, is owned by root.</title><description>&lt;VulnDiscussion&gt;If the owner of the "cron.allow" file is not set to root, the possibility exists for an unauthorized user to view or to edit sensitive information.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000366</ident><fixtext fixref="F-78405r1_fix">Set the owner on the "/etc/cron.allow" file to root with the following command:
--
--# chown root /etc/cron.allow</fixtext><fix id="F-78405r1_fix" /><check system="C-72285r2_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify that the "cron.allow" file is owned by root.
--
--Check the owner of the "cron.allow" file with the following command:
--
--# ls -al /etc/cron.allow
---rw------- 1 root root 6 Mar  5  2011 /etc/cron.allow
--
--If the "cron.allow" file exists and has an owner other than root, this is a finding.</check-content></check></Rule></Group><Group id="V-72055"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86679r2_rule" severity="medium" weight="10.0"><version>RHEL-07-021120</version><title>The Red Hat Enterprise Linux operating system must be configured so that the cron.allow file, if it exists, is group-owned by root.</title><description>&lt;VulnDiscussion&gt;If the group owner of the "cron.allow" file is not set to root, sensitive information could be viewed or edited by unauthorized users.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000366</ident><fixtext fixref="F-78407r1_fix">Set the group owner on the "/etc/cron.allow" file to root with the following command:
--
--# chgrp root /etc/cron.allow</fixtext><fix id="F-78407r1_fix" /><check system="C-72287r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify that the "cron.allow" file is group-owned by root.
--
--Check the group owner of the "cron.allow" file with the following command:
--
--# ls -al /etc/cron.allow
---rw------- 1 root root 6 Mar  5  2011 /etc/cron.allow
--
--If the "cron.allow" file exists and has a group owner other than root, this is a finding.</check-content></check></Rule></Group><Group id="V-72057"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86681r2_rule" severity="medium" weight="10.0"><version>RHEL-07-021300</version><title>The Red Hat Enterprise Linux operating system must disable Kernel core dumps unless needed.</title><description>&lt;VulnDiscussion&gt;Kernel core dumps may contain the full contents of system memory at the time of the crash. Kernel core dumps may consume a considerable amount of disk space and may result in denial of service by exhausting the available space on the target file system partition.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000366</ident><fixtext fixref="F-78409r1_fix">If kernel core dumps are not required, disable the "kdump" service with the following command:
--
--# systemctl disable kdump.service
--
--If kernel core dumps are required, document the need with the ISSO.</fixtext><fix id="F-78409r1_fix" /><check system="C-72289r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify that kernel core dumps are disabled unless needed.
--
--Check the status of the "kdump" service with the following command:
--
--# systemctl status kdump.service
--kdump.service - Crash recovery kernel arming
--   Loaded: loaded (/usr/lib/systemd/system/kdump.service; enabled)
--   Active: active (exited) since Wed 2015-08-26 13:08:09 EDT; 43min ago
-- Main PID: 1130 (code=exited, status=0/SUCCESS)
--kernel arming.
--
--If the "kdump" service is active, ask the System Administrator if the use of the service is required and documented with the Information System Security Officer (ISSO).
--
--If the service is active and is not documented, this is a finding.</check-content></check></Rule></Group><Group id="V-72059"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86683r2_rule" severity="low" weight="10.0"><version>RHEL-07-021310</version><title>The Red Hat Enterprise Linux operating system must be configured so that a separate file system is used for user home directories (such as /home or an equivalent).</title><description>&lt;VulnDiscussion&gt;The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000366</ident><fixtext fixref="F-78411r1_fix">Migrate the "/home" directory onto a separate file system/partition.</fixtext><fix id="F-78411r1_fix" /><check system="C-72291r2_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify that a separate file system/partition has been created for non-privileged local interactive user home directories.
--
--Check the home directory assignment for all non-privileged users (those with a UID greater than 1000) on the system with the following command:
--
--#cut -d: -f 1,3,6,7 /etc/passwd | egrep ":[1-4][0-9]{3}" | tr ":" "\t"
--
--adamsj /home/adamsj /bin/bash
--jacksonm /home/jacksonm /bin/bash
--smithj /home/smithj /bin/bash
--
--The output of the command will give the directory/partition that contains the home directories for the non-privileged users on the system (in this example, /home) and users' shell. All accounts with a valid shell (such as /bin/bash) are considered interactive users.
--
--Check that a file system/partition has been created for the non-privileged interactive users with the following command:
--
--Note: The partition of /home is used in the example.
--
--# grep /home /etc/fstab
--UUID=333ada18    /home                   ext4    noatime,nobarrier,nodev  1 2
--
--If a separate entry for the file system/partition that contains the non-privileged interactive users' home directories does not exist, this is a finding.</check-content></check></Rule></Group><Group id="V-72061"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86685r2_rule" severity="low" weight="10.0"><version>RHEL-07-021320</version><title>The Red Hat Enterprise Linux operating system must use a separate file system for /var.</title><description>&lt;VulnDiscussion&gt;The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000366</ident><fixtext fixref="F-78413r1_fix">Migrate the "/var" path onto a separate file system.</fixtext><fix id="F-78413r1_fix" /><check system="C-72293r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify that a separate file system/partition has been created for "/var".
--
--Check that a file system/partition has been created for "/var" with the following command:
--
--# grep /var /etc/fstab
--UUID=c274f65f    /var                    ext4    noatime,nobarrier        1 2
--
--If a separate entry for "/var" is not in use, this is a finding.</check-content></check></Rule></Group><Group id="V-72063"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86687r6_rule" severity="low" weight="10.0"><version>RHEL-07-021330</version><title>The Red Hat Enterprise Linux operating system must use a separate file system for the system audit data path.</title><description>&lt;VulnDiscussion&gt;The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000366</ident><fixtext fixref="F-78415r1_fix">Migrate the system audit data path onto a separate file system.</fixtext><fix id="F-78415r1_fix" /><check system="C-72295r10_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Determine if the operating system is configured to have the "/var/log/audit" path is on a separate file system.
--
--# grep /var/log/audit /etc/fstab
--
--If no result is returned, or the operating system is not configured to have "/var/log/audit" on a separate file system, this is a finding.
--
--Verify that "/var/log/audit" is mounted on a separate file system:
--
--# mount | grep "/var/log/audit"
--
--If no result is returned, or "/var/log/audit" is not on a separate file system, this is a finding.</check-content></check></Rule></Group><Group id="V-72065"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86689r3_rule" severity="low" weight="10.0"><version>RHEL-07-021340</version><title>The Red Hat Enterprise Linux operating system must use a separate file system for /tmp (or equivalent).</title><description>&lt;VulnDiscussion&gt;The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000366</ident><fixtext fixref="F-78417r2_fix">Start the "tmp.mount" service with the following command:
--
--# systemctl enable tmp.mount
--   
--OR
--
--Edit the "/etc/fstab" file and ensure the "/tmp" directory is defined in the fstab with a device and mount point.</fixtext><fix id="F-78417r2_fix" /><check system="C-72297r2_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify that a separate file system/partition has been created for "/tmp".
--
--Check that a file system/partition has been created for "/tmp" with the following command:
--
--# systemctl is-enabled tmp.mount
--enabled
--
--If the "tmp.mount" service is not enabled, check to see if "/tmp" is defined in the fstab with a device and mount point:
--
--# grep -i /tmp /etc/fstab
--UUID=a411dc99-f2a1-4c87-9e05-184977be8539 /tmp   ext4   rw,relatime,discard,data=ordered,nosuid,noexec, 0 0
--
--If "tmp.mount" service is not enabled and the "/tmp" directory is not defined in the fstab with a device and mount point, this is a finding. </check-content></check></Rule></Group><Group id="V-72067"><title>SRG-OS-000033-GPOS-00014</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86691r4_rule" severity="high" weight="10.0"><version>RHEL-07-021350</version><title>The Red Hat Enterprise Linux operating system must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.</title><description>&lt;VulnDiscussion&gt;Use of weak or untested encryption algorithms undermines the purposes of using encryption to protect data. The operating system must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated.
--
--Satisfies: SRG-OS-000033-GPOS-00014, SRG-OS-000185-GPOS-00079, SRG-OS-000396-GPOS-00176, SRG-OS-000405-GPOS-00184, SRG-OS-000478-GPOS-00223&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000068</ident><ident system="http://iase.disa.mil/cci">CCI-001199</ident><ident system="http://iase.disa.mil/cci">CCI-002450</ident><ident system="http://iase.disa.mil/cci">CCI-002476</ident><fixtext fixref="F-78419r3_fix">Configure the operating system to implement DoD-approved encryption by installing the dracut-fips package.
--
--To enable strict FIPS compliance, the fips=1 kernel option needs to be added to the kernel command line during system installation so key generation is done with FIPS-approved algorithms and continuous monitoring tests in place.
--
--Configure the operating system to implement DoD-approved encryption by following the steps below: 
--
--The fips=1 kernel option needs to be added to the kernel command line during system installation so that key generation is done with FIPS-approved algorithms and continuous monitoring tests in place. Users should also ensure that the system has plenty of entropy during the installation process by moving the mouse around, or if no mouse is available, ensuring that many keystrokes are typed. The recommended amount of keystrokes is 256 and more. Less than 256 keystrokes may generate a non-unique key.
--
--Install the dracut-fips package with the following command:
--
--# yum install dracut-fips
--
--Recreate the "initramfs" file with the following command:
--
--Note: This command will overwrite the existing "initramfs" file.
--
--# dracut -f
--
--Modify the kernel command line of the current kernel in the "grub.cfg" file by adding the following option to the GRUB_CMDLINE_LINUX key in the "/etc/default/grub" file and then rebuild the "grub.cfg" file:
--
--fips=1
--
--Changes to "/etc/default/grub" require rebuilding the "grub.cfg" file as follows:
--
--On BIOS-based machines, use the following command:
--
--# grub2-mkconfig -o /boot/grub2/grub.cfg
--
--On UEFI-based machines, use the following command:
--
--# grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg
--
--If /boot or /boot/efi reside on separate partitions, the kernel parameter boot=&lt;partition of /boot or /boot/efi&gt; must be added to the kernel command line. You can identify a partition by running the df /boot or df /boot/efi command:
--
--# df /boot
--Filesystem 1K-blocks Used Available Use% Mounted on
--/dev/sda1 495844 53780 416464 12% /boot
--
--To ensure the "boot=" configuration option will work even if device naming changes occur between boots, identify the universally unique identifier (UUID) of the partition with the following command:
--
--# blkid /dev/sda1
--/dev/sda1: UUID="05c000f1-a213-759e-c7a2-f11b7424c797" TYPE="ext4"
--
--For the example above, append the following string to the kernel command line:
--
--boot=UUID=05c000f1-a213-759e-c7a2-f11b7424c797
--
--Reboot the system for the changes to take effect.</fixtext><fix id="F-78419r3_fix" /><check system="C-72299r3_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system implements DoD-approved encryption to protect the confidentiality of remote access sessions.
--
--Check to see if the "dracut-fips" package is installed with the following command:
--
--# yum list installed dracut-fips
--
--dracut-fips-033-360.el7_2.x86_64.rpm
--
--If a "dracut-fips" package is installed, check to see if the kernel command line is configured to use FIPS mode with the following command:
--
--Note: GRUB 2 reads its configuration from the "/boot/grub2/grub.cfg" file on traditional BIOS-based machines and from the "/boot/efi/EFI/redhat/grub.cfg" file on UEFI machines.
--
--# grep fips /boot/grub2/grub.cfg
--/vmlinuz-3.8.0-0.40.el7.x86_64 root=/dev/mapper/rhel-root ro rd.md=0 rd.dm=0 rd.lvm.lv=rhel/swap crashkernel=auto rd.luks=0 vconsole.keymap=us rd.lvm.lv=rhel/root rhgb fips=1 quiet
--
--If the kernel command line is configured to use FIPS mode, check to see if the system is in FIPS mode with the following command:
--
--# cat /proc/sys/crypto/fips_enabled 
--1
--
--If a "dracut-fips" package is not installed, the kernel command line does not have a fips entry, or the system has a value of "0" for "fips_enabled" in "/proc/sys/crypto", this is a finding.</check-content></check></Rule></Group><Group id="V-72069"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86693r3_rule" severity="low" weight="10.0"><version>RHEL-07-021600</version><title>The Red Hat Enterprise Linux operating system must be configured so that the file integrity tool is configured to verify Access Control Lists (ACLs).</title><description>&lt;VulnDiscussion&gt;ACLs can provide permissions beyond those permitted through the file mode and must be verified by file integrity tools.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000366</ident><fixtext fixref="F-78421r2_fix">Configure the file integrity tool to check file and directory ACLs. 
--
--If AIDE is installed, ensure the "acl" rule is present on all uncommented file and directory selection lists.</fixtext><fix id="F-78421r2_fix" /><check system="C-72301r3_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the file integrity tool is configured to verify ACLs.
--
--Check to see if Advanced Intrusion Detection Environment (AIDE) is installed on the system with the following command:
--
--# yum list installed aide
--
--If AIDE is not installed, ask the System Administrator how file integrity checks are performed on the system. 
--
--If there is no application installed to perform file integrity checks, this is a finding.
--
--Note: AIDE is highly configurable at install time. These commands assume the "aide.conf" file is under the "/etc" directory. 
--
--Use the following command to determine if the file is in another location:
--
--# find / -name aide.conf
--
--Check the "aide.conf" file to determine if the "acl" rule has been added to the rule list being applied to the files and directories selection lists.
--
--An example rule that includes the "acl" rule is below:
--
--All= p+i+n+u+g+s+m+S+sha512+acl+xattrs+selinux
--/bin All # apply the custom rule to the files in bin 
--/sbin All # apply the same custom rule to the files in sbin 
--
--If the "acl" rule is not being used on all uncommented selection lines in the "/etc/aide.conf" file, or ACLs are not being checked by another file integrity tool, this is a finding.</check-content></check></Rule></Group><Group id="V-72071"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86695r3_rule" severity="low" weight="10.0"><version>RHEL-07-021610</version><title>The Red Hat Enterprise Linux operating system must be configured so that the file integrity tool is configured to verify extended attributes.</title><description>&lt;VulnDiscussion&gt;Extended attributes in file systems are used to contain arbitrary data and file metadata with security implications.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000366</ident><fixtext fixref="F-78423r2_fix">Configure the file integrity tool to check file and directory extended attributes. 
--
--If AIDE is installed, ensure the "xattrs" rule is present on all uncommented file and directory selection lists.</fixtext><fix id="F-78423r2_fix" /><check system="C-72303r3_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the file integrity tool is configured to verify extended attributes.
--
--Check to see if Advanced Intrusion Detection Environment (AIDE) is installed on the system with the following command:
--
--# yum list installed aide
--
--If AIDE is not installed, ask the System Administrator how file integrity checks are performed on the system.
--
--If there is no application installed to perform file integrity checks, this is a finding.
--
--Note: AIDE is highly configurable at install time. These commands assume the "aide.conf" file is under the "/etc" directory.
--
--Use the following command to determine if the file is in another location:
--
--# find / -name aide.conf
--
--Check the "aide.conf" file to determine if the "xattrs" rule has been added to the rule list being applied to the files and directories selection lists.
--
--An example rule that includes the "xattrs" rule follows:
--
--All= p+i+n+u+g+s+m+S+sha512+acl+xattrs+selinux
--/bin All # apply the custom rule to the files in bin 
--/sbin All # apply the same custom rule to the files in sbin 
--
--If the "xattrs" rule is not being used on all uncommented selection lines in the "/etc/aide.conf" file, or extended attributes are not being checked by another file integrity tool, this is a finding.</check-content></check></Rule></Group><Group id="V-72073"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86697r4_rule" severity="medium" weight="10.0"><version>RHEL-07-021620</version><title>The Red Hat Enterprise Linux operating system must use a file integrity tool that is configured to use FIPS 140-2 approved cryptographic hashes for validating file contents and directories.</title><description>&lt;VulnDiscussion&gt;File integrity tools use cryptographic hashes for verifying file contents and directories have not been altered. These hashes must be FIPS 140-2 approved cryptographic hashes.
--
--Red Hat Enterprise Linux operating system installation media ships with an optional file integrity tool called Advanced Intrusion Detection Environment (AIDE). AIDE is highly configurable at install time. This requirement assumes the "aide.conf" file is under the "/etc" directory.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000366</ident><fixtext fixref="F-78425r2_fix">Configure the file integrity tool to use FIPS 140-2 cryptographic hashes for validating file and directory contents. 
--
--If AIDE is installed, ensure the "sha512" rule is present on all uncommented file and directory selection lists.</fixtext><fix id="F-78425r2_fix" /><check system="C-72305r5_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the file integrity tool is configured to use FIPS 140-2 approved cryptographic hashes for validating file contents and directories.
--
--Check to see if AIDE is installed on the system with the following command:
--
--# yum list installed aide
--
--If AIDE is not installed, ask the System Administrator how file integrity checks are performed on the system. 
--
--If there is no application installed to perform file integrity checks, this is a finding.
--
--Note: AIDE is highly configurable at install time. These commands assume the "aide.conf" file is under the "/etc" directory. 
--
--Use the following command to determine if the file is in another location:
--
--# find / -name aide.conf
--
--Check the "aide.conf" file to determine if the "sha512" rule has been added to the rule list being applied to the files and directories selection lists.
--
--An example rule that includes the "sha512" rule follows:
--
--All=p+i+n+u+g+s+m+S+sha512+acl+xattrs+selinux
--/bin All # apply the custom rule to the files in bin 
--/sbin All # apply the same custom rule to the files in sbin 
--
--If the "sha512" rule is not being used on all uncommented selection lines in the "/etc/aide.conf" file, or another file integrity tool is not using FIPS 140-2 approved cryptographic hashes for validating file contents and directories, this is a finding.</check-content></check></Rule></Group><Group id="V-72075"><title>SRG-OS-000364-GPOS-00151</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86699r2_rule" severity="medium" weight="10.0"><version>RHEL-07-021700</version><title>The Red Hat Enterprise Linux operating system must not allow removable media to be used as the boot loader unless approved.</title><description>&lt;VulnDiscussion&gt;Malicious users with removable boot media can gain access to a system configured to use removable media as the boot loader. If removable media is designed to be used as the boot loader, the requirement must be documented with the Information System Security Officer (ISSO).&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000318</ident><ident system="http://iase.disa.mil/cci">CCI-000368</ident><ident system="http://iase.disa.mil/cci">CCI-001812</ident><ident system="http://iase.disa.mil/cci">CCI-001813</ident><ident system="http://iase.disa.mil/cci">CCI-001814</ident><fixtext fixref="F-78427r1_fix">Remove alternate methods of booting the system from removable media or document the configuration to boot from removable media with the ISSO.</fixtext><fix id="F-78427r1_fix" /><check system="C-72307r2_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the system is not configured to use a boot loader on removable media.
--
--Note: GRUB 2 reads its configuration from the "/boot/grub2/grub.cfg" file on traditional BIOS-based machines and from the "/boot/efi/EFI/redhat/grub.cfg" file on UEFI machines.
--
--Check for the existence of alternate boot loader configuration files with the following command:
--
--# find / -name grub.cfg
--/boot/grub2/grub.cfg
--
--If a "grub.cfg" is found in any subdirectories other than "/boot/grub2" and "/boot/efi/EFI/redhat", ask the System Administrator if there is documentation signed by the ISSO to approve the use of removable media as a boot loader. 
--
--Check that the grub configuration file has the set root command in each menu entry with the following commands:
--
--# grep -c menuentry /boot/grub2/grub.cfg
--1
--# grep 'set root' /boot/grub2/grub.cfg
--set root=(hd0,1)
--
--If the system is using an alternate boot loader on removable media, and documentation does not exist approving the alternate configuration, this is a finding.</check-content></check></Rule></Group><Group id="V-72077"><title>SRG-OS-000095-GPOS-00049</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86701r2_rule" severity="high" weight="10.0"><version>RHEL-07-021710</version><title>The Red Hat Enterprise Linux operating system must not have the telnet-server package installed.</title><description>&lt;VulnDiscussion&gt;It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
--
--Operating systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions).
--
--Examples of non-essential capabilities include, but are not limited to, games, software packages, tools, and demonstration software not related to requirements or providing a wide array of functionality not required for every mission, but which cannot be disabled.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000381</ident><fixtext fixref="F-78429r1_fix">Configure the operating system to disable non-essential capabilities by removing the telnet-server package from the system with the following command:
--
--# yum remove telnet-server</fixtext><fix id="F-78429r1_fix" /><check system="C-72309r2_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system is configured to disable non-essential capabilities. The most secure way of ensuring a non-essential capability is disabled is to not have the capability installed.
--
--The telnet service provides an unencrypted remote access service that does not provide for the confidentiality and integrity of user passwords or the remote session.
--
--If a privileged user were to log on using this service, the privileged user password could be compromised. 
--
--Check to see if the telnet-server package is installed with the following command:
--
--# yum list installed telnet-server
--
--If the telnet-server package is installed, this is a finding.</check-content></check></Rule></Group><Group id="V-72079"><title>SRG-OS-000038-GPOS-00016</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86703r3_rule" severity="high" weight="10.0"><version>RHEL-07-030000</version><title>The Red Hat Enterprise Linux operating system must be configured so that auditing is configured to produce records containing information to establish what type of events occurred, where the events occurred, the source of the events, and the outcome of the events. These audit records must also identify individual identities of group account users.</title><description>&lt;VulnDiscussion&gt;Without establishing what type of events occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack.
--
--Audit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked.
--
--Associating event types with detected events in the operating system audit logs provides a means of investigating an attack; recognizing resource utilization or capacity thresholds; or identifying an improperly configured operating system.
--
--Satisfies: SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000042-GPOS-00021, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000126</ident><ident system="http://iase.disa.mil/cci">CCI-000131</ident><fixtext fixref="F-78431r2_fix">Configure the operating system to produce audit records containing information to establish when (date and time) the events occurred.
--
--Enable the auditd service with the following command:
--
--# systemctl start auditd.service</fixtext><fix id="F-78431r2_fix" /><check system="C-72311r2_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system produces audit records containing information to establish when (date and time) the events occurred.
--
--Check to see if auditing is active by issuing the following command:
--
--# systemctl is-active auditd.service
--active
--
--If the "auditd" status is not active, this is a finding.</check-content></check></Rule></Group><Group id="V-72081"><title>SRG-OS-000046-GPOS-00022</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86705r5_rule" severity="medium" weight="10.0"><version>RHEL-07-030010</version><title>The Red Hat Enterprise Linux operating system must shut down upon audit processing failure, unless availability is an overriding concern. If availability is a concern, the system must alert the designated staff (System Administrator [SA] and Information System Security Officer [ISSO] at a minimum) in the event of an audit processing failure.</title><description>&lt;VulnDiscussion&gt;It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notification, the security personnel may be unaware of an impending failure of the audit capability, and system operation may be adversely affected.
--
--Audit processing failures include software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded.
--
--This requirement applies to each audit data storage repository (i.e., distinct information system component where audit records are stored), the centralized audit storage capacity of organizations (i.e., all audit data storage repositories combined), or both.
--
--Satisfies: SRG-OS-000046-GPOS-00022, SRG-OS-000047-GPOS-00023&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000139</ident><fixtext fixref="F-78433r2_fix">Configure the operating system to shut down in the event of an audit processing failure.
--
--Add or correct the option to shut down the operating system with the following command:
--
--# auditctl -f 2
--
--Edit the "/etc/audit/rules.d/audit.rules" file and add the following line:
--
---f 2
--
--If availability has been determined to be more important, and this decision is documented with the ISSO, configure the operating system to notify system administration staff and ISSO staff in the event of an audit processing failure with the following command:
--
--# auditctl -f 1
--
--Edit the "/etc/audit/rules.d/audit.rules" file and add the following line:
--
---f 1
--
--Kernel log monitoring must also be configured to properly alert designated staff.
--
--The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-78433r2_fix" /><check system="C-72313r5_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Confirm the audit configuration regarding how auditing processing failures are handled.
--
--Check to see what level "auditctl" is set to with following command: 
--
--# auditctl -s | grep -i "fail"
--
--failure 2
--
--Note: If the value of "failure" is set to "2", the system is configured to panic (shut down) in the event of an auditing failure. If the value of "failure" is set to "1", the system is configured to only send information to the kernel log regarding the failure.
--
--If the "failure" setting is set to any value other than "1" or "2", this is a finding.
--
--If the "failure" setting is not set, this should be upgraded to a CAT I finding.
--
--If the "failure" setting is set to "1" but the availability concern is not documented or there is no monitoring of the kernel log, this should be downgraded to a CAT III finding.</check-content></check></Rule></Group><Group id="V-72083"><title>SRG-OS-000342-GPOS-00133</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86707r2_rule" severity="medium" weight="10.0"><version>RHEL-07-030300</version><title>The Red Hat Enterprise Linux operating system must off-load audit records onto a different system or media from the system being audited.</title><description>&lt;VulnDiscussion&gt;Information stored in one location is vulnerable to accidental or incidental deletion or alteration.
--
--Off-loading is a common process in information systems with limited audit storage capacity.
--
--Satisfies: SRG-OS-000342-GPOS-00133, SRG-OS-000479-GPOS-00224&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-001851</ident><fixtext fixref="F-78435r1_fix">Configure the operating system to off-load audit records onto a different system or media from the system being audited.
--
--Set the remote server option in "/etc/audisp/audisp-remote.conf" with the IP address of the log aggregation server.</fixtext><fix id="F-78435r1_fix" /><check system="C-72315r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system off-loads audit records onto a different system or media from the system being audited.
--
--To determine the remote server that the records are being sent to, use the following command:
--
--# grep -i remote_server /etc/audisp/audisp-remote.conf
--remote_server = 10.0.21.1
--
--If a remote server is not configured, or the line is commented out, ask the System Administrator to indicate how the audit logs are off-loaded to a different system or media. 
--
--If there is no evidence that the audit logs are being off-loaded to another system or media, this is a finding.</check-content></check></Rule></Group><Group id="V-72085"><title>SRG-OS-000342-GPOS-00133</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86709r2_rule" severity="medium" weight="10.0"><version>RHEL-07-030310</version><title>The Red Hat Enterprise Linux operating system must encrypt the transfer of audit records off-loaded onto a different system or media from the system being audited.</title><description>&lt;VulnDiscussion&gt;Information stored in one location is vulnerable to accidental or incidental deletion or alteration.
--
--Off-loading is a common process in information systems with limited audit storage capacity.
--
--Satisfies: SRG-OS-000342-GPOS-00133, SRG-OS-000479-GPOS-00224&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-001851</ident><fixtext fixref="F-78437r1_fix">Configure the operating system to encrypt the transfer of off-loaded audit records onto a different system or media from the system being audited.
--
--Uncomment the "enable_krb5" option in "/etc/audisp/audisp-remote.conf" and set it with the following line:
--
--enable_krb5 = yes</fixtext><fix id="F-78437r1_fix" /><check system="C-72317r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system encrypts audit records off-loaded onto a different system or media from the system being audited.
--
--To determine if the transfer is encrypted, use the following command:
--
--# grep -i enable_krb5 /etc/audisp/audisp-remote.conf
--enable_krb5 = yes
--
--If the value of the "enable_krb5" option is not set to "yes" or the line is commented out, ask the System Administrator to indicate how the audit logs are off-loaded to a different system or media. 
--
--If there is no evidence that the transfer of the audit logs being off-loaded to another system or media is encrypted, this is a finding.</check-content></check></Rule></Group><Group id="V-72087"><title>SRG-OS-000342-GPOS-00133</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86711r3_rule" severity="medium" weight="10.0"><version>RHEL-07-030320</version><title>The Red Hat Enterprise Linux operating system must be configured so that the audit system takes appropriate action when the audit storage volume is full.</title><description>&lt;VulnDiscussion&gt;Taking appropriate action in case of a filled audit storage volume will minimize the possibility of losing audit records.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-001851</ident><fixtext fixref="F-78439r4_fix">Configure the action the operating system takes if the disk the audit records are written to becomes full.
--
--Uncomment or edit the "disk_full_action" option in "/etc/audisp/audisp-remote.conf" and set it to "syslog", "single", or "halt", such as the following line:
--
--disk_full_action = single</fixtext><fix id="F-78439r4_fix" /><check system="C-72319r4_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the action the operating system takes if the disk the audit records are written to becomes full.
--
--To determine the action that takes place if the disk is full on the remote server, use the following command:
--
--# grep -i disk_full_action /etc/audisp/audisp-remote.conf
--disk_full_action = single
--
--If the value of the "disk_full_action" option is not "syslog", "single", or "halt", or the line is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-72089"><title>SRG-OS-000343-GPOS-00134</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86713r4_rule" severity="medium" weight="10.0"><version>RHEL-07-030330</version><title>The Red Hat Enterprise Linux operating system must initiate an action to notify the System Administrator (SA) and Information System Security Officer ISSO, at a minimum, when allocated audit record storage volume reaches 75% of the repository maximum audit record storage capacity.</title><description>&lt;VulnDiscussion&gt;If security personnel are not notified immediately when storage volume reaches 75 percent utilization, they are unable to plan for audit record storage capacity expansion.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-001855</ident><fixtext fixref="F-78441r3_fix">Configure the operating system to initiate an action to notify the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity.
--
--Check the system configuration to determine the partition the audit records are being written to: 
--
--# grep -iw log_file /etc/audit/auditd.conf
--
--Determine the size of the partition that audit records are written to (with the example being "/var/log/audit/"):
--
--# df -h /var/log/audit/
--
--Set the value of the "space_left" keyword in "/etc/audit/auditd.conf" to 25 percent of the partition size.</fixtext><fix id="F-78441r3_fix" /><check system="C-72321r4_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system initiates an action to notify the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity.
--
--Check the system configuration to determine the partition the audit records are being written to with the following command:
--
--# grep -iw log_file /etc/audit/auditd.conf
--log_file = /var/log/audit/audit.log
--
--Check the size of the partition that audit records are written to (with the example being "/var/log/audit/"):
--
--# df -h /var/log/audit/
--0.9G /var/log/audit
--
--If the audit records are not being written to a partition specifically created for audit records (in this example "/var/log/audit" is a separate partition), determine the amount of space other files in the partition are currently occupying with the following command:
--
--# du -sh &lt;partition&gt;
--1.8G /var
--
--Determine what the threshold is for the system to take action when 75 percent of the repository maximum audit record storage capacity is reached:
--
--# grep -iw space_left /etc/audit/auditd.conf
--space_left = 225 
--
--If the value of the "space_left" keyword is not set to 25 percent of the total partition size, this is a finding.</check-content></check></Rule></Group><Group id="V-72091"><title>SRG-OS-000343-GPOS-00134</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86715r2_rule" severity="medium" weight="10.0"><version>RHEL-07-030340</version><title>The Red Hat Enterprise Linux operating system must immediately notify the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) via email when the threshold for the repository maximum audit record storage capacity is reached.</title><description>&lt;VulnDiscussion&gt;If security personnel are not notified immediately when the threshold for the repository maximum audit record storage capacity is reached, they are unable to expand the audit record storage capacity before records are lost.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-001855</ident><fixtext fixref="F-78443r1_fix">Configure the operating system to immediately notify the SA and ISSO (at a minimum) when the threshold for the repository maximum audit record storage capacity is reached.
--
--Uncomment or edit the "space_left_action" keyword in "/etc/audit/auditd.conf" and set it to "email". 
-- 
--space_left_action = email</fixtext><fix id="F-78443r1_fix" /><check system="C-72323r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system immediately notifies the SA and ISSO (at a minimum) via email when the allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity.
--
--Check what action the operating system takes when the threshold for the repository maximum audit record storage capacity is reached with the following command:
--
--# grep -i space_left_action  /etc/audit/auditd.conf
--space_left_action = email
--
--If the value of the "space_left_action" keyword is not set to "email", this is a finding.</check-content></check></Rule></Group><Group id="V-72093"><title>SRG-OS-000343-GPOS-00134</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86717r3_rule" severity="medium" weight="10.0"><version>RHEL-07-030350</version><title>The Red Hat Enterprise Linux operating system must immediately notify the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) when the threshold for the repository maximum audit record storage capacity is reached.</title><description>&lt;VulnDiscussion&gt;If security personnel are not notified immediately when the threshold for the repository maximum audit record storage capacity is reached, they are unable to expand the audit record storage capacity before records are lost.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-001855</ident><fixtext fixref="F-78445r3_fix">Configure the operating system to immediately notify the SA and ISSO (at a minimum) when the threshold for the repository maximum audit record storage capacity is reached.
--
--Uncomment or edit the "action_mail_acct" keyword in "/etc/audit/auditd.conf" and set it to root and any other accounts associated with security personnel. 
-- 
--action_mail_acct = root</fixtext><fix id="F-78445r3_fix" /><check system="C-72325r4_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system immediately notifies the SA and ISSO (at a minimum) via email when the threshold for the repository maximum audit record storage capacity is reached.
--
--Check what account the operating system emails when the threshold for the repository maximum audit record storage capacity is reached with the following command:
--
--# grep -i action_mail_acct  /etc/audit/auditd.conf
--action_mail_acct = root
--
--If the value of the "action_mail_acct" keyword is not set to "root" and other accounts for security personnel, this is a finding.</check-content></check></Rule></Group><Group id="V-72095"><title>SRG-OS-000327-GPOS-00127</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86719r7_rule" severity="medium" weight="10.0"><version>RHEL-07-030360</version><title>The Red Hat Enterprise Linux operating system must audit all executions of privileged functions.</title><description>&lt;VulnDiscussion&gt;Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised information system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider threats and the advanced persistent threat.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-002234</ident><fixtext fixref="F-78447r9_fix">Configure the operating system to audit the execution of privileged functions.
--
--Add or update the following rules in "/etc/audit/rules.d/audit.rules":
--
---a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k setuid
---a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k setuid
---a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k setgid
---a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k setgid
--
--The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-78447r9_fix" /><check system="C-72327r7_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system audits the execution of privileged functions using the following command:
--
--# grep -iw execve /etc/audit/audit.rules
--
---a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k setuid
---a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k setuid
---a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k setgid
---a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k setgid
--
--
--If both the "b32" and "b64" audit rules for "SUID" files are not defined, this is a finding.
--
--If both the "b32" and "b64" audit rules for "SGID" files are not defined, this is a finding.</check-content></check></Rule></Group><Group id="V-72097"><title>SRG-OS-000064-GPOS-00033</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86721r6_rule" severity="medium" weight="10.0"><version>RHEL-07-030370</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the chown syscall.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
--
--Audit records can be generated from various components within the information system (e.g., module or policy filter).
--
--When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
--
--Satisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000474-GPOS-00219&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000126</ident><ident system="http://iase.disa.mil/cci">CCI-000172</ident><fixtext fixref="F-78449r9_fix">Add or update the following rule in "/etc/audit/rules.d/audit.rules":
--
---a always,exit -F arch=b32 -S chown -F auid&gt;=1000 -F auid!=unset -k perm_mod
--
---a always,exit -F arch=b64 -S chown -F auid&gt;=1000 -F auid!=unset -k perm_mod
--
--The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-78449r9_fix" /><check system="C-72329r9_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system generates audit records when successful/unsuccessful attempts to use the "chown" syscall occur.
--
--Check the file system rules in "/etc/audit/audit.rules" with the following commands:
--
--# grep -iw chown /etc/audit/audit.rules
--
---a always,exit -F arch=b32 -S chown -F auid&gt;=1000 -F auid!=unset -k perm_mod
--
---a always,exit -F arch=b64 -S chown -F auid&gt;=1000 -F auid!=unset -k perm_mod
--
--If both the "b32" and "b64" audit rules are not defined for the "chown" syscall, this is a finding.</check-content></check></Rule></Group><Group id="V-72099"><title>SRG-OS-000064-GPOS-00033</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86723r6_rule" severity="medium" weight="10.0"><version>RHEL-07-030380</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the fchown syscall.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
--
--Audit records can be generated from various components within the information system (e.g., module or policy filter).
--
--When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
--
--Satisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000474-GPOS-00219&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000126</ident><ident system="http://iase.disa.mil/cci">CCI-000172</ident><fixtext fixref="F-78451r9_fix">Add or update the following rules in "/etc/audit/rules.d/audit.rules":
--
---a always,exit -F arch=b32 -S fchown -F auid&gt;=1000 -F auid!=unset -k perm_mod
--
---a always,exit -F arch=b64 -S fchown -F auid&gt;=1000 -F auid!=unset -k perm_mod
--
--The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-78451r9_fix" /><check system="C-72331r10_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system generates audit records when successful/unsuccessful attempts to use the "fchown" syscall occur.
--
--Check the file system rules in "/etc/audit/audit.rules" with the following commands:
--
--# grep -iw fchown /etc/audit/audit.rules
--
---a always,exit -F arch=b32 -S fchown -F auid&gt;=1000 -F auid!=unset -k perm_mod
--
---a always,exit -F arch=b64 -S fchown -F auid&gt;=1000 -F auid!=unset -k perm_mod
--
--If both the "b32" and "b64" audit rules are not defined for the "fchown" syscall, this is a finding.</check-content></check></Rule></Group><Group id="V-72101"><title>SRG-OS-000064-GPOS-00033</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86725r6_rule" severity="medium" weight="10.0"><version>RHEL-07-030390</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the lchown syscall.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
--
--Audit records can be generated from various components within the information system (e.g., module or policy filter).
--
--When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
--
--Satisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000474-GPOS-00219&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000126</ident><ident system="http://iase.disa.mil/cci">CCI-000172</ident><fixtext fixref="F-78453r9_fix">Add or update the following rules in "/etc/audit/rules.d/audit.rules":
--
---a always,exit -F arch=b32 -S lchown -F auid&gt;=1000 -F auid!=unset -k perm_mod
--
---a always,exit -F arch=b64 -S lchown -F auid&gt;=1000 -F auid!=unset -k perm_mod
--
--The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-78453r9_fix" /><check system="C-72333r9_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system generates audit records when successful/unsuccessful attempts to use the "lchown" syscall occur.
--
--Check the file system rules in "/etc/audit/audit.rules" with the following commands:
--
--# grep -iw lchown /etc/audit/audit.rules
--
---a always,exit -F arch=b32 -S lchown -F auid&gt;=1000 -F auid!=unset -k perm_mod
--
---a always,exit -F arch=b64 -S lchown -F auid&gt;=1000 -F auid!=unset -k perm_mod
--
--If both the "b32" and "b64" audit rules are not defined for the "lchown" syscall, this is a finding.</check-content></check></Rule></Group><Group id="V-72103"><title>SRG-OS-000064-GPOS-00033</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86727r6_rule" severity="medium" weight="10.0"><version>RHEL-07-030400</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the fchownat syscall.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
--
--Audit records can be generated from various components within the information system (e.g., module or policy filter).
--
--When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
--
--Satisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000474-GPOS-00219&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000126</ident><ident system="http://iase.disa.mil/cci">CCI-000172</ident><fixtext fixref="F-78455r8_fix">Add or update the following rules in "/etc/audit/rules.d/audit.rules":
--
---a always,exit -F arch=b32 -S fchownat -F auid&gt;=1000 -F auid!=unset -k perm_mod
--
---a always,exit -F arch=b64 -S fchownat -F auid&gt;=1000 -F auid!=unset -k perm_mod
--
--The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-78455r8_fix" /><check system="C-72335r9_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system generates audit records when successful/unsuccessful attempts to use the "fchownat" syscall occur.
--
--Check the file system rules in "/etc/audit/audit.rules" with the following commands:
--
--# grep -iw fchownat /etc/audit/audit.rules
--
---a always,exit -F arch=b32 -S fchownat -F auid&gt;=1000 -F auid!=unset -k perm_mod
--
---a always,exit -F arch=b64 -S fchownat -F auid&gt;=1000 -F auid!=unset -k perm_mod
--
--If both the "b32" and "b64" audit rules are not defined for the "fchownat" syscall, this is a finding.</check-content></check></Rule></Group><Group id="V-72105"><title>SRG-OS-000458-GPOS-00203</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86729r6_rule" severity="medium" weight="10.0"><version>RHEL-07-030410</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the chmod syscall.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
--
--Audit records can be generated from various components within the information system (e.g., module or policy filter).
--
--When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
--
--Satisfies: SRG-OS-000458-GPOS-00203, SRG-OS-000392-GPOS-00172, SRG-OS-000064-GPOS-00033&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000172</ident><fixtext fixref="F-78457r8_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "chmod" syscall occur.
--
--Add or update the following rules in "/etc/audit/rules.d/audit.rules":
--
---a always,exit -F arch=b32 -S chmod -F auid&gt;=1000 -F auid!=unset -k perm_mod
--
---a always,exit -F arch=b64 -S chmod -F auid&gt;=1000 -F auid!=unset -k perm_mod
--
--The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-78457r8_fix" /><check system="C-72337r8_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system generates audit records when successful/unsuccessful attempts to use the "chmod" syscall occur.
--
--Check the file system rules in "/etc/audit/audit.rules" with the following command:
--
--# grep -iw chmod /etc/audit/audit.rules
--
---a always,exit -F arch=b32 -S chmod -F auid&gt;=1000 -F auid!=unset -k perm_mod
--
---a always,exit -F arch=b64 -S chmod -F auid&gt;=1000 -F auid!=unset -k perm_mod
--
--If both the "b32" and "b64" audit rules are not defined for the "chmod" syscall, this is a finding.</check-content></check></Rule></Group><Group id="V-72107"><title>SRG-OS-000458-GPOS-00203</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86731r6_rule" severity="medium" weight="10.0"><version>RHEL-07-030420</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the fchmod syscall.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
--
--Audit records can be generated from various components within the information system (e.g., module or policy filter).
--
--When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
--
--Satisfies: SRG-OS-000458-GPOS-00203, SRG-OS-000392-GPOS-00172, SRG-OS-000064-GPOS-00033&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000172</ident><fixtext fixref="F-78459r10_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "fchmod" syscall occur.
--
--Add or update the following rules in "/etc/audit/rules.d/audit.rules":
--
---a always,exit -F arch=b32 -S fchmod -F auid&gt;=1000 -F auid!=unset -k perm_mod
--
---a always,exit -F arch=b64 -S fchmod -F auid&gt;=1000 -F auid!=unset -k perm_mod
--
--The audit daemon must be restarted for the changes to take effect.
--</fixtext><fix id="F-78459r10_fix" /><check system="C-72339r8_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system generates audit records when successful/unsuccessful attempts to use the "fchmod" syscall occur.
--
--Check the file system rules in "/etc/audit/audit.rules" with the following command:
--
--# grep -iw fchmod /etc/audit/audit.rules
--
---a always,exit -F arch=b32 -S fchmod -F auid&gt;=1000 -F auid!=unset -k perm_mod
--
---a always,exit -F arch=b64 -S fchmod -F auid&gt;=1000 -F auid!=unset -k perm_mod
--
--If both the "b32" and "b64" audit rules are not defined for the "fchmod" syscall, this is a finding.</check-content></check></Rule></Group><Group id="V-72109"><title>SRG-OS-000458-GPOS-00203</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86733r6_rule" severity="medium" weight="10.0"><version>RHEL-07-030430</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the fchmodat syscall.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
--
--Audit records can be generated from various components within the information system (e.g., module or policy filter).
--
--When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
--
--Satisfies: SRG-OS-000458-GPOS-00203, SRG-OS-000392-GPOS-00172, SRG-OS-000064-GPOS-00033&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000172</ident><fixtext fixref="F-78461r9_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "fchmodat" syscall occur.
--
--Add or update the following rules in "/etc/audit/rules.d/audit.rules":
--
---a always,exit -F arch=b32 -S fchmodat -F auid&gt;=1000 -F auid!=unset -k perm_mod
--
---a always,exit -F arch=b64 -S fchmodat -F auid&gt;=1000 -F auid!=unset -k perm_mod
--
--The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-78461r9_fix" /><check system="C-72341r9_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system generates audit records when successful/unsuccessful attempts to use the "fchmodat" syscall occur.
--
--Check the file system rules in "/etc/audit/audit.rules" with the following command:
--
--# grep -iw fchmodat /etc/audit/audit.rules
--
---a always,exit -F arch=b32 -S fchmodat -F auid&gt;=1000 -F auid!=unset -k perm_mod
--
---a always,exit -F arch=b64 -S fchmodat -F auid&gt;=1000 -F auid!=unset -k perm_mod
--
--If both the "b32" and "b64" audit rules are not defined for the "fchmodat" syscall, this is a finding.</check-content></check></Rule></Group><Group id="V-72111"><title>SRG-OS-000458-GPOS-00203</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86735r6_rule" severity="medium" weight="10.0"><version>RHEL-07-030440</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the setxattr syscall.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
--
--Audit records can be generated from various components within the information system (e.g., module or policy filter).
--
--When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
--
--Satisfies: SRG-OS-000458-GPOS-00203, SRG-OS-000392-GPOS-00172, SRG-OS-000064-GPOS-00033&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000172</ident><fixtext fixref="F-78463r9_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "setxattr" syscall occur.
--
--Add or update the following rules in "/etc/audit/rules.d/audit.rules":
--
---a always,exit -F arch=b32 -S setxattr -F auid&gt;=1000 -F auid!=unset -k perm_mod
--
---a always,exit -F arch=b64 -S setxattr -F auid&gt;=1000 -F auid!=unset -k perm_mod
--
--The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-78463r9_fix" /><check system="C-72343r9_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system generates audit records when successful/unsuccessful attempts to use the "setxattr" syscall occur.
--
--Check the file system rules in "/etc/audit/audit.rules" with the following commands:
--
--# grep -iw setxattr /etc/audit/audit.rules
--
---a always,exit -F arch=b32 -S setxattr -F auid&gt;=1000 -F auid!=unset -k perm_mod
--
---a always,exit -F arch=b64 -S setxattr -F auid&gt;=1000 -F auid!=unset -k perm_mod
--
--If both the "b32" and "b64" audit rules are not defined for the "setxattr" syscall, this is a finding.</check-content></check></Rule></Group><Group id="V-72113"><title>SRG-OS-000458-GPOS-00203</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86737r6_rule" severity="medium" weight="10.0"><version>RHEL-07-030450</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the fsetxattr syscall.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
--
--Audit records can be generated from various components within the information system (e.g., module or policy filter).
--
--When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
--
--Satisfies: SRG-OS-000458-GPOS-00203, SRG-OS-000392-GPOS-00172, SRG-OS-000064-GPOS-00033&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000172</ident><fixtext fixref="F-78465r8_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "fsetxattr" syscall occur.
--
--Add or update the following rules in "/etc/audit/rules.d/audit.rules":
--
---a always,exit -F arch=b32 -S fsetxattr -F auid&gt;=1000 -F auid!=unset -k perm_mod
--
---a always,exit -F arch=b64 -S fsetxattr -F auid&gt;=1000 -F auid!=unset -k perm_mod
--
--The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-78465r8_fix" /><check system="C-72345r8_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system generates audit records when successful/unsuccessful attempts to use the "fsetxattr" syscall occur.
--
--Check the file system rules in "/etc/audit/audit.rules" with the following commands:
--
--# grep -iw fsetxattr /etc/audit/audit.rules
--
---a always,exit -F arch=b32 -S fsetxattr -F auid&gt;=1000 -F auid!=unset -k perm_mod
--
---a always,exit -F arch=b64 -S fsetxattr -F auid&gt;=1000 -F auid!=unset -k perm_mod
--
--If both the "b32" and "b64" audit rules are not defined for the "fsetxattr" syscall, this is a finding.</check-content></check></Rule></Group><Group id="V-72115"><title>SRG-OS-000458-GPOS-00203</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86739r6_rule" severity="medium" weight="10.0"><version>RHEL-07-030460</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the lsetxattr syscall.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
--
--Audit records can be generated from various components within the information system (e.g., module or policy filter).
--
--When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
--
--Satisfies: SRG-OS-000458-GPOS-00203, SRG-OS-000392-GPOS-00172, SRG-OS-000064-GPOS-00033&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000172</ident><fixtext fixref="F-78467r11_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "lsetxattr" syscall occur.
--
--Add or update the following rules in "/etc/audit/rules.d/audit.rules":
--
---a always,exit -F arch=b32 -S lsetxattr -F auid&gt;=1000 -F auid!=unset -k perm_mod
--
---a always,exit -F arch=b64 -S lsetxattr -F auid&gt;=1000 -F auid!=unset -k perm_mod
--
--The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-78467r11_fix" /><check system="C-72347r8_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system generates audit records when successful/unsuccessful attempts to use the "lsetxattr" syscall occur.
--
--Check the file system rules in "/etc/audit/audit.rules" with the following commands:
--
--# grep -iw lsetxattr /etc/audit/audit.rules
--
---a always,exit -F arch=b32 -S lsetxattr -F auid&gt;=1000 -F auid!=unset -k perm_mod
--
---a always,exit -F arch=b64 -S lsetxattr -F auid&gt;=1000 -F auid!=unset -k perm_mod
--
--If both the "b32" and "b64" audit rules are not defined for the "lsetxattr" syscall, this is a finding.</check-content></check></Rule></Group><Group id="V-72117"><title>SRG-OS-000458-GPOS-00203</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86741r6_rule" severity="medium" weight="10.0"><version>RHEL-07-030470</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the removexattr syscall.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
--
--Audit records can be generated from various components within the information system (e.g., module or policy filter).
--
--When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
--
--Satisfies: SRG-OS-000458-GPOS-00203, SRG-OS-000392-GPOS-00172, SRG-OS-000064-GPOS-00033&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000172</ident><fixtext fixref="F-78469r8_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "removexattr" syscall occur.
--
--Add or update the following rules in "/etc/audit/rules.d/audit.rules":
--
---a always,exit -F arch=b32 -S removexattr -F auid&gt;=1000 -F auid!=unset -k perm_mod
--
---a always,exit -F arch=b64 -S removexattr -F auid&gt;=1000 -F auid!=unset -k perm_mod
--
--The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-78469r8_fix" /><check system="C-72349r8_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system generates audit records when successful/unsuccessful attempts to use the "removexattr" syscall occur.
--
--Check the file system rules in "/etc/audit/audit.rules" with the following commands:
--
--# grep -iw removexattr /etc/audit/audit.rules
--
---a always,exit -F arch=b32 -S removexattr -F auid&gt;=1000 -F auid!=unset -k perm_mod
--
---a always,exit -F arch=b64 -S removexattr -F auid&gt;=1000 -F auid!=unset -k perm_mod
--
--If both the "b32" and "b64" audit rules are not defined for the "removexattr" syscall, this is a finding.</check-content></check></Rule></Group><Group id="V-72119"><title>SRG-OS-000458-GPOS-00203</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86743r6_rule" severity="medium" weight="10.0"><version>RHEL-07-030480</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the fremovexattr syscall.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
--
--Audit records can be generated from various components within the information system (e.g., module or policy filter).
--
--When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
--
--Satisfies: SRG-OS-000458-GPOS-00203, SRG-OS-000392-GPOS-00172, SRG-OS-000064-GPOS-00033&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000172</ident><fixtext fixref="F-78471r7_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "fremovexattr" syscall occur.
--
--Add or update the following rules in "/etc/audit/rules.d/audit.rules":
--
---a always,exit -F arch=b32 -S fremovexattr -F auid&gt;=1000 -F auid!=unset -k perm_mod
--
---a always,exit -F arch=b64 -S fremovexattr -F auid&gt;=1000 -F auid!=unset -k perm_mod
--
--The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-78471r7_fix" /><check system="C-72351r7_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system generates audit records when successful/unsuccessful attempts to use the "fremovexattr" syscall occur.
--
--Check the file system rules in "/etc/audit/audit.rules" with the following commands:
--
--# grep -iw fremovexattr /etc/audit/audit.rules
--
---a always,exit -F arch=b32 -S fremovexattr -F auid&gt;=1000 -F auid!=unset -k perm_mod
--
---a always,exit -F arch=b64 -S fremovexattr -F auid&gt;=1000 -F auid!=unset -k perm_mod
--
--If both the "b32" and "b64" audit rules are not defined for the "fremovexattr" syscall, this is a finding.</check-content></check></Rule></Group><Group id="V-72121"><title>SRG-OS-000458-GPOS-00203</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86745r6_rule" severity="medium" weight="10.0"><version>RHEL-07-030490</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the lremovexattr syscall.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
--
--Audit records can be generated from various components within the information system (e.g., module or policy filter).
--
--When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
--
--Satisfies: SRG-OS-000458-GPOS-00203, SRG-OS-000392-GPOS-00172, SRG-OS-000064-GPOS-00033&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000172</ident><fixtext fixref="F-78473r8_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "lremovexattr" syscall occur.
--
--Add or update the following rules in "/etc/audit/rules.d/audit.rules":
--
---a always,exit -F arch=b32 -S lremovexattr -F auid&gt;=1000 -F auid!=unset -k perm_mod
--
---a always,exit -F arch=b64 -S lremovexattr -F auid&gt;=1000 -F auid!=unset -k perm_mod
--
--The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-78473r8_fix" /><check system="C-72353r8_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system generates audit records when successful/unsuccessful attempts to use the "lremovexattr" syscall occur.
--
--Check the file system rules in "/etc/audit/audit.rules" with the following commands:
--
--# grep -iw lremovexattr /etc/audit/audit.rules
--
---a always,exit -F arch=b32 -S lremovexattr -F auid&gt;=1000 -F auid!=unset -k perm_mod
--
---a always,exit -F arch=b64 -S lremovexattr -F auid&gt;=1000 -F auid!=unset -k perm_mod
--
--If both the "b32" and "b64" audit rules are not defined for the "lremovexattr" syscall, this is a finding.</check-content></check></Rule></Group><Group id="V-72123"><title>SRG-OS-000064-GPOS-00033</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86747r6_rule" severity="medium" weight="10.0"><version>RHEL-07-030500</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the creat syscall.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
--
--Audit records can be generated from various components within the information system (e.g., module or policy filter).
--
--When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
--
--Satisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000392-GPOS-00172&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000172</ident><ident system="http://iase.disa.mil/cci">CCI-002884</ident><fixtext fixref="F-78475r8_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "creat" syscall occur.
--
--Add or update the following rules in "/etc/audit/rules.d/audit.rules:
--
---a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -k access
--
---a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -k access
--
---a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -k access
--
---a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -k access
--
--The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-78475r8_fix" /><check system="C-72355r8_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system generates audit records when successful/unsuccessful attempts to use the "creat" syscall occur.
--
--Check the file system rules in "/etc/audit/audit.rules" with the following commands:
--
--# grep -iw creat /etc/audit/audit.rules
--
---a always,exit -F arch=b32 -S creat F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -k access
--
---a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -k access
--
---a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -k access
--
---a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -k access
--
--If both the "b32" and "b64" audit rules are not defined for the "creat" syscall, this is a finding.
--
--If the output does not produce rules containing "-F exit=-EPERM", this is a finding.
--
--If the output does not produce rules containing "-F exit=-EACCES", this is a finding.</check-content></check></Rule></Group><Group id="V-72125"><title>SRG-OS-000064-GPOS-00033</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86749r6_rule" severity="medium" weight="10.0"><version>RHEL-07-030510</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the open syscall.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
--
--Audit records can be generated from various components within the information system (e.g., module or policy filter).
--
--When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
--
--Satisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000392-GPOS-00172&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000172</ident><ident system="http://iase.disa.mil/cci">CCI-002884</ident><fixtext fixref="F-78477r8_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "open" syscall occur.
--
--Add or update the following rules in "/etc/audit/rules.d/audit.rules":
--
---a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -k access
--
---a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -k access
--
---a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -k access
--
---a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -k access
--
--The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-78477r8_fix" /><check system="C-72357r8_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system generates audit records when successful/unsuccessful attempts to use the "open" syscall occur.
--
--Check the file system rules in "/etc/audit/audit.rules" with the following commands:
--
--# grep -iw open /etc/audit/audit.rules
--
---a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -k access
--
---a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -k access
--
---a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -k access
--
---a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -k access
--
--If both the "b32" and "b64" audit rules are not defined for the "open" syscall, this is a finding.
--
--If the output does not produce rules containing "-F exit=-EPERM", this is a finding.
--
--If the output does not produce rules containing "-F exit=-EACCES", this is a finding.</check-content></check></Rule></Group><Group id="V-72127"><title>SRG-OS-000064-GPOS-00033</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86751r6_rule" severity="medium" weight="10.0"><version>RHEL-07-030520</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the openat syscall.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
--
--Audit records can be generated from various components within the information system (e.g., module or policy filter).
--
--When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
--
--Satisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000392-GPOS-00172&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000172</ident><ident system="http://iase.disa.mil/cci">CCI-002884</ident><fixtext fixref="F-78479r9_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "openat" syscall occur.
--
--Add or update the following rules in "/etc/audit/rules.d/audit.rules":
--
---a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -k access
--
---a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -k access
--
---a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -k access
--
---a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -k access
--
--The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-78479r9_fix" /><check system="C-72359r9_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system generates audit records when successful/unsuccessful attempts to use the "openat" syscall occur.
--
--Check the file system rules in "/etc/audit/audit.rules" with the following commands:
--
--# grep -iw openat /etc/audit/audit.rules
--
---a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -k access
--
---a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -k access
--
---a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -k access
--
---a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -k access
--
--If both the "b32" and "b64" audit rules are not defined for the "openat" syscall, this is a finding.
--
--If the output does not produce rules containing "-F exit=-EPERM", this is a finding.
--
--If the output does not produce rules containing "-F exit=-EACCES", this is a finding.</check-content></check></Rule></Group><Group id="V-72129"><title>SRG-OS-000064-GPOS-00033</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86753r6_rule" severity="medium" weight="10.0"><version>RHEL-07-030530</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the open_by_handle_at syscall.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
--
--Audit records can be generated from various components within the information system (e.g., module or policy filter).
--
--When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
--
--Satisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000392-GPOS-00172&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000172</ident><ident system="http://iase.disa.mil/cci">CCI-002884</ident><fixtext fixref="F-78481r9_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "open_by_handle_at" syscall occur.
--
--Add or update the following rules in "/etc/audit/rules.d/audit.rules":
--
---a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -k access
--
---a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -k access
--
---a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -k access
--
---a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -k access
--
--The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-78481r9_fix" /><check system="C-72361r8_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system generates audit records when successful/unsuccessful attempts to use the "open_by_handle_at" syscall occur.
--
--Check the file system rules in "/etc/audit/audit.rules" with the following commands:
--
--# grep -iw open_by_handle_at /etc/audit/audit.rules
--
---a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -k access
--
---a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -k access
--
---a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -k access
--
---a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -k access
--
--If both the "b32" and "b64" audit rules are not defined for the "open_by_handle_at" syscall, this is a finding.
--
--If the output does not produce rules containing "-F exit=-EPERM", this is a finding.
--
--If the output does not produce rules containing "-F exit=-EACCES", this is a finding.</check-content></check></Rule></Group><Group id="V-72131"><title>SRG-OS-000064-GPOS-00033</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86755r6_rule" severity="medium" weight="10.0"><version>RHEL-07-030540</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the truncate syscall.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
--
--Audit records can be generated from various components within the information system (e.g., module or policy filter).
--
--When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
--
--Satisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000392-GPOS-00172&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000172</ident><ident system="http://iase.disa.mil/cci">CCI-002884</ident><fixtext fixref="F-78483r8_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "truncate" syscall occur.
--
--Add or update the following rules in "/etc/audit/rules.d/audit.rules":
--
---a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -k access
--
---a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -k access
--
---a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -k access
--
---a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -k access
--
--The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-78483r8_fix" /><check system="C-72363r7_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system generates audit records when successful/unsuccessful attempts to use the "truncate" syscall occur.
--
--Check the file system rules in "/etc/audit/audit.rules" with the following commands:
--
--# grep -iw truncate /etc/audit/audit.rules
--
---a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -k access
--
---a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -k access
--
---a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -k access
--
---a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -k access
--
--If both the "b32" and "b64" audit rules are not defined for the "truncate" syscall, this is a finding.
--
--If the output does not produce rules containing "-F exit=-EPERM", this is a finding.
--
--If the output does not produce rules containing "-F exit=-EACCES", this is a finding.</check-content></check></Rule></Group><Group id="V-72133"><title>SRG-OS-000064-GPOS-00033</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86757r6_rule" severity="medium" weight="10.0"><version>RHEL-07-030550</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the ftruncate syscall.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
--
--Audit records can be generated from various components within the information system (e.g., module or policy filter).
--
--When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
--
--Satisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000392-GPOS-00172&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000172</ident><ident system="http://iase.disa.mil/cci">CCI-002884</ident><fixtext fixref="F-78485r9_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "ftruncate" syscall occur.
--
--Add or update the following rules in "/etc/audit/rules.d/audit.rules":
--
---a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -k access
--
---a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -k access
--
---a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -k access
--
---a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -k access
--
--The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-78485r9_fix" /><check system="C-72365r8_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system generates audit records when successful/unsuccessful attempts to use the "ftruncate" syscall occur.
--
--Check the file system rules in "/etc/audit/audit.rules" with the following commands:
--
--# grep -iw ftruncate /etc/audit/audit.rules
--
---a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -k access
--
---a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -k access
--
---a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -k access
--
---a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -k access
--
--If both the "b32" and "b64" audit rules are not defined for the "ftruncate" syscall, this is a finding.
--
--If the output does not produce rules containing "-F exit=-EPERM", this is a finding.
--
--If the output does not produce rules containing "-F exit=-EACCES", this is a finding.</check-content></check></Rule></Group><Group id="V-72135"><title>SRG-OS-000392-GPOS-00172</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86759r5_rule" severity="medium" weight="10.0"><version>RHEL-07-030560</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the semanage command.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
--
--Audit records can be generated from various components within the information system (e.g., module or policy filter).
--
--When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
--
--Satisfies: SRG-OS-000392-GPOS-00172, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000172</ident><ident system="http://iase.disa.mil/cci">CCI-002884</ident><fixtext fixref="F-78487r6_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "semanage" command occur.
--
--Add or update the following rule in "/etc/audit/rules.d/audit.rules":
--
---a always,exit -F path=/usr/sbin/semanage -F auid&gt;=1000 -F auid!=unset -k privileged-priv_change
--
--The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-78487r6_fix" /><check system="C-72367r7_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system generates audit records when successful/unsuccessful attempts to use the "semanage" command occur.
--
--Check the file system rule in "/etc/audit/audit.rules" with the following command:
--
--# grep -i /usr/sbin/semanage /etc/audit/audit.rules
--
---a always,exit -F path=/usr/sbin/semanage -F auid&gt;=1000 -F auid!=unset -k privileged-priv_change
--
--If the command does not return any output, this is a finding.</check-content></check></Rule></Group><Group id="V-72137"><title>SRG-OS-000392-GPOS-00172</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86761r5_rule" severity="medium" weight="10.0"><version>RHEL-07-030570</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the setsebool command.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
--
--Audit records can be generated from various components within the information system (e.g., module or policy filter).
--
--When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
--
--Satisfies: SRG-OS-000392-GPOS-00172, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000172</ident><ident system="http://iase.disa.mil/cci">CCI-002884</ident><fixtext fixref="F-78489r7_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "setsebool" command occur.
--
--Add or update the following rule in "/etc/audit/rules.d/audit.rules":
--
---a always,exit -F path=/usr/sbin/setsebool -F auid&gt;=1000 -F auid!=unset -k privileged-priv_change
--
--The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-78489r7_fix" /><check system="C-72369r6_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system generates audit records when successful/unsuccessful attempts to use the "setsebool" command occur.
--
--Check the file system rule in "/etc/audit/audit.rules" with the following command:
--
--# grep -i /usr/sbin/setsebool /etc/audit/audit.rules
--
---a always,exit -F path=/usr/sbin/setsebool -F auid&gt;=1000 -F auid!=unset -k privileged-priv_change
--
--If the command does not return any output, this is a finding.</check-content></check></Rule></Group><Group id="V-72139"><title>SRG-OS-000392-GPOS-00172</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86763r5_rule" severity="medium" weight="10.0"><version>RHEL-07-030580</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the chcon command.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
--
--Audit records can be generated from various components within the information system (e.g., module or policy filter).
--
--When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
--
--Satisfies: SRG-OS-000392-GPOS-00172, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000172</ident><ident system="http://iase.disa.mil/cci">CCI-002884</ident><fixtext fixref="F-78491r7_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "chcon" command occur.
--
--Add or update the following rule in "/etc/audit/rules.d/audit.rules":
--
---a always,exit -F path=/usr/bin/chcon -F auid&gt;=1000 -F auid!=unset -k privileged-priv_change
--
--The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-78491r7_fix" /><check system="C-72371r6_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system generates audit records when successful/unsuccessful attempts to use the "chcon" command occur.
--
--Check the file system rule in "/etc/audit/audit.rules" with the following command:
--
--# grep -i /usr/bin/chcon /etc/audit/audit.rules
--
---a always,exit -F path=/usr/bin/chcon -F auid&gt;=1000 -F auid!=unset -k privileged-priv_change
--
--If the command does not return any output, this is a finding.</check-content></check></Rule></Group><Group id="V-72141"><title>SRG-OS-000392-GPOS-00172</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86765r6_rule" severity="medium" weight="10.0"><version>RHEL-07-030590</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the setfiles command.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
--
--Audit records can be generated from various components within the information system (e.g., module or policy filter).
--
--When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
--
--Satisfies: SRG-OS-000392-GPOS-00172, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000172</ident><ident system="http://iase.disa.mil/cci">CCI-002884</ident><fixtext fixref="F-78493r8_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "setfiles" command occur.
--
--Add or update the following rule in "/etc/audit/rules.d/audit.rules":
--
---a always,exit -F path=/usr/sbin/setfiles -F auid&gt;=1000 -F auid!=unset -k privileged-priv_change
--
--The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-78493r8_fix" /><check system="C-72373r8_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system generates audit records when successful/unsuccessful attempts to use the "setfiles" command occur.
--
--Check the file system rule in "/etc/audit/audit.rules" with the following command:
--
--# grep -iw /usr/sbin/setfiles /etc/audit/audit.rules
--
---a always,exit -F path=/usr/sbin/setfiles -F auid&gt;=1000 -F auid!=unset -k privileged-priv_change
--
--If the command does not return any output, this is a finding.</check-content></check></Rule></Group><Group id="V-72145"><title>SRG-OS-000392-GPOS-00172</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86769r4_rule" severity="medium" weight="10.0"><version>RHEL-07-030610</version><title>The Red Hat Enterprise Linux operating system must generate audit records for all unsuccessful account access events.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
--
--Audit records can be generated from various components within the information system (e.g., module or policy filter).
--
--Satisfies: SRG-OS-000392-GPOS-00172, SRG-OS-000470-GPOS-00214, SRG-OS-000473-GPOS-00218&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000126</ident><ident system="http://iase.disa.mil/cci">CCI-000172</ident><ident system="http://iase.disa.mil/cci">CCI-002884</ident><fixtext fixref="F-78497r4_fix">Configure the operating system to generate audit records when unsuccessful account access events occur. 
--
--Add or update the following rule in "/etc/audit/rules.d/audit.rules": 
--
---w /var/run/faillock -p wa -k logins
--
--The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-78497r4_fix" /><check system="C-72377r3_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system generates audit records when unsuccessful account access events occur. 
--
--Check the file system rule in "/etc/audit/audit.rules" with the following commands: 
--
--# grep -i /var/run/faillock /etc/audit/audit.rules
--
---w /var/run/faillock -p wa -k logins
--
--If the command does not return any output, this is a finding.</check-content></check></Rule></Group><Group id="V-72147"><title>SRG-OS-000392-GPOS-00172</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86771r3_rule" severity="medium" weight="10.0"><version>RHEL-07-030620</version><title>The Red Hat Enterprise Linux operating system must generate audit records for all successful account access events.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
--
--Audit records can be generated from various components within the information system (e.g., module or policy filter).
--
--Satisfies: SRG-OS-000392-GPOS-00172, SRG-OS-000470-GPOS-00214, SRG-OS-000473-GPOS-00218&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000126</ident><ident system="http://iase.disa.mil/cci">CCI-000172</ident><ident system="http://iase.disa.mil/cci">CCI-002884</ident><fixtext fixref="F-78499r3_fix">Configure the operating system to generate audit records when successful account access events occur. 
--
--Add or update the following rule in "/etc/audit/rules.d/audit.rules": 
--
---w /var/log/lastlog -p wa -k logins
--
--The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-78499r3_fix" /><check system="C-72379r3_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system generates audit records when successful account access events occur. 
--
--Check the file system rules in "/etc/audit/audit.rules" with the following commands: 
--
--# grep -i /var/log/lastlog /etc/audit/audit.rules
--
---w /var/log/lastlog -p wa -k logins 
--
--If the command does not return any output, this is a finding.</check-content></check></Rule></Group><Group id="V-72149"><title>SRG-OS-000042-GPOS-00020</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86773r6_rule" severity="medium" weight="10.0"><version>RHEL-07-030630</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the passwd command.</title><description>&lt;VulnDiscussion&gt;Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.
--
--At a minimum, the organization must audit the full-text recording of privileged password commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.
--
--When a user logs on, the auid is set to the uid of the account that is being authenticated.  Daemons are not user sessions and have the loginuid set to -1.  The auid representation is an unsigned 32-bit integer, which equals 4294967295.  The audit system interprets -1, 4294967295, and "unset" in the same way.
--
--Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000135</ident><ident system="http://iase.disa.mil/cci">CCI-000172</ident><ident system="http://iase.disa.mil/cci">CCI-002884</ident><fixtext fixref="F-78501r7_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "passwd" command occur.
--
--Add or update the following rule in "/etc/audit/rules.d/audit.rules":
--
---a always,exit -F path=/usr/bin/passwd -F auid&gt;=1000 -F auid!=unset -k privileged-passwd
--
--The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-78501r7_fix" /><check system="C-72381r7_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system generates audit records when successful/unsuccessful attempts to use the "passwd" command occur.
--
--Check the file system rule in "/etc/audit/audit.rules" with the following command:
--
--# grep -i /usr/bin/passwd /etc/audit/audit.rules
--
---a always,exit -F path=/usr/bin/passwd -F auid&gt;=1000 -F auid!=unset -k privileged-passwd
--
--If the command does not return any output, this is a finding.</check-content></check></Rule></Group><Group id="V-72151"><title>SRG-OS-000042-GPOS-00020</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86775r6_rule" severity="medium" weight="10.0"><version>RHEL-07-030640</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the unix_chkpwd command.</title><description>&lt;VulnDiscussion&gt;Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.
--
--At a minimum, the organization must audit the full-text recording of privileged password commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.
--
--When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
--
--Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000135</ident><ident system="http://iase.disa.mil/cci">CCI-000172</ident><ident system="http://iase.disa.mil/cci">CCI-002884</ident><fixtext fixref="F-78503r9_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "unix_chkpwd" command occur.
--
--Add or update the following rule in "/etc/audit/rules.d/audit.rules":
--
---a always,exit -F path=/usr/sbin/unix_chkpwd -F auid&gt;=1000 -F auid!=unset -k privileged-passwd
--
--The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-78503r9_fix" /><check system="C-72383r7_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system generates audit records when successful/unsuccessful attempts to use the "unix_chkpwd" command occur.
--
--Check the file system rule in "/etc/audit/audit.rules" with the following command:
--
--# grep -iw /usr/sbin/unix_chkpwd /etc/audit/audit.rules
--
---a always,exit -F path=/usr/sbin/unix_chkpwd -F auid&gt;=1000 -F auid!=unset -k privileged-passwd
--
--If the command does not return any output, this is a finding.</check-content></check></Rule></Group><Group id="V-72153"><title>SRG-OS-000042-GPOS-00020</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86777r6_rule" severity="medium" weight="10.0"><version>RHEL-07-030650</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the gpasswd command.</title><description>&lt;VulnDiscussion&gt;Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.
--
--At a minimum, the organization must audit the full-text recording of privileged password commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.
--
--When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
--
--Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000135</ident><ident system="http://iase.disa.mil/cci">CCI-000172</ident><ident system="http://iase.disa.mil/cci">CCI-002884</ident><fixtext fixref="F-78505r6_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "gpasswd" command occur.
--
--Add or update the following rule in "/etc/audit/rules.d/audit.rules":
--
---a always,exit -F path=/usr/bin/gpasswd -F auid&gt;=1000 -F auid!=unset -k privileged-passwd
--
--The audit daemon must be restarted for the changes to take effect. </fixtext><fix id="F-78505r6_fix" /><check system="C-72385r6_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system generates audit records when successful/unsuccessful attempts to use the "gpasswd" command occur.
--
--Check the file system rule in "/etc/audit/audit.rules" with the following command:
--
--# grep -i /usr/bin/gpasswd /etc/audit/audit.rules
--
---a always,exit -F path=/usr/bin/gpasswd -F auid&gt;=1000 -F auid!=unset -k privileged-passwd
--
--If the command does not return any output, this is a finding.</check-content></check></Rule></Group><Group id="V-72155"><title>SRG-OS-000042-GPOS-00020</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86779r6_rule" severity="medium" weight="10.0"><version>RHEL-07-030660</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the chage command.</title><description>&lt;VulnDiscussion&gt;Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.
--
--At a minimum, the organization must audit the full-text recording of privileged password commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.
--
--When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
--
--Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000135</ident><ident system="http://iase.disa.mil/cci">CCI-000172</ident><ident system="http://iase.disa.mil/cci">CCI-002884</ident><fixtext fixref="F-78507r6_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "chage" command occur.
--
--Add or update the following rule in "/etc/audit/rules.d/audit.rules":
--
---a always,exit -F path=/usr/bin/chage -F auid&gt;=1000 -F auid!=unset -k privileged-passwd
--
--The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-78507r6_fix" /><check system="C-72387r6_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system generates audit records when successful/unsuccessful attempts to use the "chage" command occur.
--
--Check the file system rule in "/etc/audit/audit.rules" with the following command:
--
--# grep -i /usr/bin/chage /etc/audit/audit.rules
--
---a always,exit -F path=/usr/bin/chage -F auid&gt;=1000 -F auid!=unset -k privileged-passwd
--
--If the command does not return any output, this is a finding.</check-content></check></Rule></Group><Group id="V-72157"><title>SRG-OS-000042-GPOS-00020</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86781r6_rule" severity="medium" weight="10.0"><version>RHEL-07-030670</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the userhelper command.</title><description>&lt;VulnDiscussion&gt;Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.
--
--At a minimum, the organization must audit the full-text recording of privileged password commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.
--
--When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
--
--Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000135</ident><ident system="http://iase.disa.mil/cci">CCI-000172</ident><ident system="http://iase.disa.mil/cci">CCI-002884</ident><fixtext fixref="F-78509r6_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "userhelper" command occur.
--
--Add or update the following rule in "/etc/audit/rules.d/audit.rules":
--
---a always,exit -F path=/usr/sbin/userhelper -F auid&gt;=1000 -F auid!=unset -k privileged-passwd
--
--The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-78509r6_fix" /><check system="C-72389r7_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system generates audit records when successful/unsuccessful attempts to use the "userhelper" command occur.
--
--Check the file system rule in "/etc/audit/audit.rules" with the following command:
--
--# grep -i /usr/sbin/userhelper /etc/audit/audit.rules
--
---a always,exit -F path=/usr/sbin/userhelper -F auid&gt;=1000 -F auid!=unset -k privileged-passwd
--
--If the command does not return any output, this is a finding.</check-content></check></Rule></Group><Group id="V-72159"><title>SRG-OS-000037-GPOS-00015</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86783r6_rule" severity="medium" weight="10.0"><version>RHEL-07-030680</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the su command.</title><description>&lt;VulnDiscussion&gt;Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.
--
--At a minimum, the organization must audit the full-text recording of privileged access commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.
--
--When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
--
--Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000130</ident><ident system="http://iase.disa.mil/cci">CCI-000135</ident><ident system="http://iase.disa.mil/cci">CCI-000172</ident><ident system="http://iase.disa.mil/cci">CCI-002884</ident><fixtext fixref="F-78511r7_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "su" command occur.
--
--Add or update the following rule in "/etc/audit/rules.d/audit.rules": 
--
---a always,exit -F path=/usr/bin/su -F auid&gt;=1000 -F auid!=unset -k privileged-priv_change 
--
--The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-78511r7_fix" /><check system="C-72391r7_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system generates audit records when successful/unsuccessful attempts to use the "su" command occur.
--
--Check that the following system call is being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules": 
--
--# grep -iw /usr/bin/su /etc/audit/audit.rules
--
---a always,exit -F path=/usr/bin/su -F auid&gt;=1000 -F auid!=unset -k privileged-priv_change
--
--If the command does not return any output, this is a finding.</check-content></check></Rule></Group><Group id="V-72161"><title>SRG-OS-000037-GPOS-00015</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86785r5_rule" severity="medium" weight="10.0"><version>RHEL-07-030690</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the sudo command.</title><description>&lt;VulnDiscussion&gt;Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.
--
--At a minimum, the organization must audit the full-text recording of privileged access commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.
--
--When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
--
--Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000130</ident><ident system="http://iase.disa.mil/cci">CCI-000135</ident><ident system="http://iase.disa.mil/cci">CCI-000172</ident><ident system="http://iase.disa.mil/cci">CCI-002884</ident><fixtext fixref="F-78513r6_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "sudo" command occur.
--
--Add or update the following rule in "/etc/audit/rules.d/audit.rules": 
--
---a always,exit -F path=/usr/bin/sudo -F auid&gt;=1000 -F auid!=unset -k privileged-priv_change 
--
--The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-78513r6_fix" /><check system="C-72393r6_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system generates audit records when successful/unsuccessful attempts to use the "sudo" command occur.
--
--Check that the following system call is being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules": 
--
--# grep -iw /usr/bin/sudo /etc/audit/audit.rules
--
---a always,exit -F path=/usr/bin/sudo -F auid&gt;=1000 -F auid!=unset -k privileged-priv_change
--
--If the command does not return any output, this is a finding.</check-content></check></Rule></Group><Group id="V-72163"><title>SRG-OS-000037-GPOS-00015</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86787r5_rule" severity="medium" weight="10.0"><version>RHEL-07-030700</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the sudoers file and all files in the /etc/sudoers.d/ directory.</title><description>&lt;VulnDiscussion&gt;Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.
--
--At a minimum, the organization must audit the full-text recording of privileged access commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.
--
--Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000130</ident><ident system="http://iase.disa.mil/cci">CCI-000135</ident><ident system="http://iase.disa.mil/cci">CCI-000172</ident><ident system="http://iase.disa.mil/cci">CCI-002884</ident><fixtext fixref="F-78517r6_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to access the "/etc/sudoers" file and files in the "/etc/sudoers.d/" directory.
--
--Add or update the following rule in "/etc/audit/rules.d/audit.rules":
--
---w /etc/sudoers -p wa -k privileged-actions
--
---w /etc/sudoers.d/ -p wa -k privileged-actions
--
--The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-78517r6_fix" /><check system="C-72397r6_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system generates audit records when successful/unsuccessful attempts to access the "/etc/sudoers" file and files in the "/etc/sudoers.d/" directory. 
--
--Check for modification of the following files being audited by performing the following commands to check the file system rules in "/etc/audit/audit.rules": 
--
--# grep -i "/etc/sudoers" /etc/audit/audit.rules
--
---w /etc/sudoers -p wa -k privileged-actions
--
--# grep -i "/etc/sudoers.d/" /etc/audit/audit.rules
--
---w /etc/sudoers.d/ -p wa -k privileged-actions
--
--If the commands do not return output that match the examples, this is a finding.</check-content></check></Rule></Group><Group id="V-72165"><title>SRG-OS-000037-GPOS-00015</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86789r5_rule" severity="medium" weight="10.0"><version>RHEL-07-030710</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the newgrp command.</title><description>&lt;VulnDiscussion&gt;Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.
--
--At a minimum, the organization must audit the full-text recording of privileged access commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.
--
--When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
--
--Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000130</ident><ident system="http://iase.disa.mil/cci">CCI-000135</ident><ident system="http://iase.disa.mil/cci">CCI-000172</ident><ident system="http://iase.disa.mil/cci">CCI-002884</ident><fixtext fixref="F-78519r6_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "newgrp" command occur.
--
--Add or update the following rule in "/etc/audit/rules.d/audit.rules": 
--
---a always,exit -F path=/usr/bin/newgrp -F auid&gt;=1000 -F auid!=unset -k privileged-priv_change
--
--The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-78519r6_fix" /><check system="C-72399r6_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system generates audit records when successful/unsuccessful attempts to use the "newgrp" command occur.
--
--Check that the following system call is being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules": 
--
--# grep -i /usr/bin/newgrp /etc/audit/audit.rules
--
---a always,exit -F path=/usr/bin/newgrp -F auid&gt;=1000 -F auid!=unset -k privileged-priv_change
--
--If the command does not return any output, this is a finding.</check-content></check></Rule></Group><Group id="V-72167"><title>SRG-OS-000037-GPOS-00015</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86791r5_rule" severity="medium" weight="10.0"><version>RHEL-07-030720</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the chsh command.</title><description>&lt;VulnDiscussion&gt;Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.
--
--At a minimum, the organization must audit the full-text recording of privileged access commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.
--
--When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
--
--Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000130</ident><ident system="http://iase.disa.mil/cci">CCI-000135</ident><ident system="http://iase.disa.mil/cci">CCI-000172</ident><ident system="http://iase.disa.mil/cci">CCI-002884</ident><fixtext fixref="F-78521r6_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "chsh" command occur.
--
--Add or update the following rule in "/etc/audit/rules.d/audit.rules": 
--
---a always,exit -F path=/usr/bin/chsh -F auid&gt;=1000 -F auid!=unset -k privileged-priv_change
--
--The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-78521r6_fix" /><check system="C-72401r6_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system generates audit records when successful/unsuccessful attempts to use the "chsh" command occur.
--
--Check that the following system call is being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules": 
--
--# grep -i /usr/bin/chsh /etc/audit/audit.rules
--
---a always,exit -F path=/usr/bin/chsh -F auid&gt;=1000 -F auid!=unset -k privileged-priv_change
--
--If the command does not return any output, this is a finding.</check-content></check></Rule></Group><Group id="V-72171"><title>SRG-OS-000042-GPOS-00020</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86795r8_rule" severity="medium" weight="10.0"><version>RHEL-07-030740</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the mount command and syscall.</title><description>&lt;VulnDiscussion&gt;Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.
--
--At a minimum, the organization must audit the full-text recording of privileged mount commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.
--
--When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
--
--Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000135</ident><ident system="http://iase.disa.mil/cci">CCI-002884</ident><fixtext fixref="F-78525r10_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "mount" command and syscall occur.
--
--Add or update the following rules in "/etc/audit/rules.d/audit.rules":
--
---a always,exit -F arch=b32 -S mount -F auid&gt;=1000 -F auid!=unset -k privileged-mount
---a always,exit -F arch=b64 -S mount -F auid&gt;=1000 -F auid!=unset -k privileged-mount
---a always,exit -F path=/usr/bin/mount -F auid&gt;=1000 -F auid!=unset -k privileged-mount
--
--The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-78525r10_fix" /><check system="C-72405r12_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system generates audit records when successful/unsuccessful attempts to use the "mount" command and syscall occur.
--
--Check that the following system call is being audited by performing the following series of commands to check the file system rules in "/etc/audit/audit.rules": 
--
--# grep -iw "mount" /etc/audit/audit.rules
--
---a always,exit -F arch=b32 -S mount -F auid&gt;=1000 -F auid!=unset -k privileged-mount
---a always,exit -F arch=b64 -S mount -F auid&gt;=1000 -F auid!=unset -k privileged-mount
---a always,exit -F path=/usr/bin/mount -F auid&gt;=1000 -F auid!=unset -k privileged-mount
--
--If both the "b32" and "b64" audit rules are not defined for the "mount" syscall, this is a finding.
--
--If all uses of the "mount" command are not being audited, this is a finding.</check-content></check></Rule></Group><Group id="V-72173"><title>SRG-OS-000042-GPOS-00020</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86797r6_rule" severity="medium" weight="10.0"><version>RHEL-07-030750</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the umount command.</title><description>&lt;VulnDiscussion&gt;Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.
--
--At a minimum, the organization must audit the full-text recording of privileged mount commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.
--
--When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
--
--Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000135</ident><ident system="http://iase.disa.mil/cci">CCI-002884</ident><fixtext fixref="F-78527r6_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "umount" command occur.
--
--Add or update the following rule in "/etc/audit/rules.d/audit.rules": 
--
---a always,exit -F path=/usr/bin/umount -F auid&gt;=1000 -F auid!=unset -k privileged-mount
--
--The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-78527r6_fix" /><check system="C-72407r7_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system generates audit records when successful/unsuccessful attempts to use the "umount" command occur.
--
--Check that the following system call is being audited by performing the following series of commands to check the file system rules in "/etc/audit/audit.rules": 
--
--# grep -iw "/usr/bin/umount" /etc/audit/audit.rules
--
---a always,exit -F path=/usr/bin/umount -F auid&gt;=1000 -F auid!=unset -k privileged-mount 
--
--If the command does not return any output, this is a finding.</check-content></check></Rule></Group><Group id="V-72175"><title>SRG-OS-000042-GPOS-00020</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86799r5_rule" severity="medium" weight="10.0"><version>RHEL-07-030760</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the postdrop command.</title><description>&lt;VulnDiscussion&gt;Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.
--
--At a minimum, the organization must audit the full-text recording of privileged postfix commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.
--
--When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
--
--Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000135</ident><ident system="http://iase.disa.mil/cci">CCI-002884</ident><fixtext fixref="F-78529r6_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "postdrop" command occur.
--
--Add or update the following rule in "/etc/audit/rules.d/audit.rules": 
--
---a always,exit -F path=/usr/sbin/postdrop -F auid&gt;=1000 -F auid!=unset -k privileged-postfix
--
--The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-78529r6_fix" /><check system="C-72409r6_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system generates audit records when successful/unsuccessful attempts to use the "postdrop" command occur.
--
--Check that the following system call is being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules": 
--
--# grep -iw /usr/sbin/postdrop /etc/audit/audit.rules
--
---a always,exit -F path=/usr/sbin/postdrop -F auid&gt;=1000 -F auid!=unset -k privileged-postfix
--
--If the command does not return any output, this is a finding.</check-content></check></Rule></Group><Group id="V-72177"><title>SRG-OS-000042-GPOS-00020</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86801r4_rule" severity="medium" weight="10.0"><version>RHEL-07-030770</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the postqueue command.</title><description>&lt;VulnDiscussion&gt;Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.
--
--At a minimum, the organization must audit the full-text recording of privileged postfix commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.
--
--When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
--
--Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000135</ident><ident system="http://iase.disa.mil/cci">CCI-002884</ident><fixtext fixref="F-78531r6_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "postqueue" command occur. 
--
--Add or update the following rule in "/etc/audit/rules.d/audit.rules": 
--
---a always,exit -F path=/usr/sbin/postqueue -F auid&gt;=1000 -F auid!=unset -k privileged-postfix
--
--The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-78531r6_fix" /><check system="C-72411r5_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system generates audit records when successful/unsuccessful attempts to use the "postqueue" command occur. 
--
--Check that the following system call is being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules": 
--
--# grep -iw /usr/sbin/postqueue /etc/audit/audit.rules
--
---a always,exit -F path=/usr/sbin/postqueue -F auid&gt;=1000 -F auid!=unset -k privileged-postfix
--
--If the command does not return any output, this is a finding.</check-content></check></Rule></Group><Group id="V-72179"><title>SRG-OS-000042-GPOS-00020</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86803r4_rule" severity="medium" weight="10.0"><version>RHEL-07-030780</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the ssh-keysign command.</title><description>&lt;VulnDiscussion&gt;Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.
--
--At a minimum, the organization must audit the full-text recording of privileged ssh commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.
--
--When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
--
--Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000135</ident><ident system="http://iase.disa.mil/cci">CCI-000172</ident><ident system="http://iase.disa.mil/cci">CCI-002884</ident><fixtext fixref="F-78533r5_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "ssh-keysign" command occur. 
--
--Add or update the following rule in "/etc/audit/rules.d/audit.rules": 
--
---a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F auid&gt;=1000 -F auid!=unset -k privileged-ssh
--
--The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-78533r5_fix" /><check system="C-72413r5_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system generates audit records when successful/unsuccessful attempts to use the "ssh-keysign" command occur. 
--
--Check that the following system call is being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules": 
--
--# grep -iw /usr/libexec/openssh/ssh-keysign /etc/audit/audit.rules
--
---a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F auid&gt;=1000 -F auid!=unset -k privileged-ssh
--
--If the command does not return any output, this is a finding.</check-content></check></Rule></Group><Group id="V-72183"><title>SRG-OS-000042-GPOS-00020</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86807r4_rule" severity="medium" weight="10.0"><version>RHEL-07-030800</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the crontab command.</title><description>&lt;VulnDiscussion&gt;Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.
--
--At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.
--
--When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
--
--Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000135</ident><ident system="http://iase.disa.mil/cci">CCI-000172</ident><ident system="http://iase.disa.mil/cci">CCI-002884</ident><fixtext fixref="F-78537r5_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "crontab" command occur. 
--
--Add or update the following rule in "/etc/audit/rules.d/audit.rules": 
--
---a always,exit -F path=/usr/bin/crontab -F auid&gt;=1000 -F auid!=unset -k privileged-cron
--
--The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-78537r5_fix" /><check system="C-72417r5_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system generates audit records when successful/unsuccessful attempts to use the "crontab" command occur. 
--
--Check that the following system call is being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules": 
--
--# grep -iw /usr/bin/crontab /etc/audit/audit.rules
--
---a always,exit -F path=/usr/bin/crontab -F auid&gt;=1000 -F auid!=unset -k privileged-cron
--
--If the command does not return any output, this is a finding.</check-content></check></Rule></Group><Group id="V-72185"><title>SRG-OS-000471-GPOS-00215</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86809r5_rule" severity="medium" weight="10.0"><version>RHEL-07-030810</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the pam_timestamp_check command.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
--
--When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000172</ident><fixtext fixref="F-78539r5_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "pam_timestamp_check" command occur. 
--
--Add or update the following rule in "/etc/audit/rules.d/audit.rules": 
--
---a always,exit -F path=/usr/sbin/pam_timestamp_check -F auid&gt;=1000 -F auid!=unset -k privileged-pam
--
--The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-78539r5_fix" /><check system="C-72419r6_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system generates audit records when successful/unsuccessful attempts to use the "pam_timestamp_check" command occur. 
--
--Check the auditing rules in "/etc/audit/audit.rules" with the following command:
--
--# grep -iw "/usr/sbin/pam_timestamp_check" /etc/audit/audit.rules
--
---a always,exit -F path=/usr/sbin/pam_timestamp_check -F auid&gt;=1000 -F auid!=unset -k privileged-pam 
--
--If the command does not return any output, this is a finding.</check-content></check></Rule></Group><Group id="V-72187"><title>SRG-OS-000471-GPOS-00216</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86811r5_rule" severity="medium" weight="10.0"><version>RHEL-07-030820</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the init_module syscall.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. 
--
--Audit records can be generated from various components within the information system (e.g., module or policy filter).
--
--Satisfies: SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000172</ident><fixtext fixref="F-78541r7_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "init_module" syscall occur. 
--
--Add or update the following rules in "/etc/audit/rules.d/audit.rules":
--
---a always,exit -F arch=b32 -S init_module -k module-change
--
---a always,exit -F arch=b64 -S init_module -k module-change
--
--The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-78541r7_fix" /><check system="C-72421r6_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system generates audit records when successful/unsuccessful attempts to use the "init_module" syscall occur. 
--
--Check the auditing rules in "/etc/audit/audit.rules" with the following command:
--
--# grep -iw init_module /etc/audit/audit.rules 
--
---a always,exit -F arch=b32 -S init_module -k module-change
--
---a always,exit -F arch=b64 -S init_module -k module-change
--
--If both the "b32" and "b64" audit rules are not defined for the "init_module" syscall, this is a finding.</check-content></check></Rule></Group><Group id="V-72189"><title>SRG-OS-000471-GPOS-00216</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86813r5_rule" severity="medium" weight="10.0"><version>RHEL-07-030830</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the delete_module syscall.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. 
--
--Audit records can be generated from various components within the information system (e.g., module or policy filter).
--
--Satisfies: SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000172</ident><fixtext fixref="F-78543r7_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "delete_module" syscall occur. 
--
--Add or update the following rules in "/etc/audit/rules.d/audit.rules": 
--
---a always,exit -F arch=b32 -S delete_module -k module-change
--
---a always,exit -F arch=b64 -S delete_module -k module-change
--
--The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-78543r7_fix" /><check system="C-72423r6_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system generates audit records when successful/unsuccessful attempts to use the "delete_module" syscall occur. 
--
--Check the auditing rules in "/etc/audit/audit.rules" with the following command:
--
--# grep -iw delete_module /etc/audit/audit.rules
--
---a always,exit -F arch=b32 -S delete_module -k module-change
--
---a always,exit -F arch=b64 -S delete_module -k module-change
--
--If both the "b32" and "b64" audit rules are not defined for the "delete_module" syscall, this is a finding.</check-content></check></Rule></Group><Group id="V-72191"><title>SRG-OS-000471-GPOS-00216</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86815r6_rule" severity="medium" weight="10.0"><version>RHEL-07-030840</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the kmod command.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. 
--
--Audit records can be generated from various components within the information system (e.g., module or policy filter).
--
--When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
--
--Satisfies: SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000172</ident><fixtext fixref="F-78545r11_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "kmod" command occur. 
--
--Add or update the following rule in "/etc/audit/rules.d/audit.rules":
--
---w /usr/bin/kmod -p x -F auid!=unset -k module-change
--
--The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-78545r11_fix" /><check system="C-72425r8_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system generates audit records when successful/unsuccessful attempts to use the "kmod" command occur. 
--
--Check the auditing rules in "/etc/audit/audit.rules" with the following command:
--
--# grep -iw kmod /etc/audit/audit.rules
--
---w /usr/bin/kmod -p x -F auid!=unset -k module-change
--
--If the command does not return any output, this is a finding.</check-content></check></Rule></Group><Group id="V-72197"><title>SRG-OS-000004-GPOS-00004</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86821r5_rule" severity="medium" weight="10.0"><version>RHEL-07-030870</version><title>The Red Hat Enterprise Linux operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
--
--Audit records can be generated from various components within the information system (e.g., module or policy filter).
--
--Satisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000476-GPOS-00221&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000018</ident><ident system="http://iase.disa.mil/cci">CCI-000172</ident><ident system="http://iase.disa.mil/cci">CCI-001403</ident><ident system="http://iase.disa.mil/cci">CCI-002130</ident><fixtext fixref="F-78551r4_fix">Configure the operating system to generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/passwd".
--
--Add or update the following rule "/etc/audit/rules.d/audit.rules":
--
---w /etc/passwd -p wa -k identity
--
--The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-78551r4_fix" /><check system="C-72431r5_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/passwd".
--
--Check the auditing rules in "/etc/audit/audit.rules" with the following command:
--
--# grep /etc/passwd /etc/audit/audit.rules
--
---w /etc/passwd -p wa -k identity
--
--If the command does not return a line, or the line is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-72199"><title>SRG-OS-000466-GPOS-00210</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86823r6_rule" severity="medium" weight="10.0"><version>RHEL-07-030880</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the rename syscall.</title><description>&lt;VulnDiscussion&gt;If the system is not configured to audit certain activities and write them to an audit log, it is more difficult to detect and track system compromises and damages incurred during a system compromise.
--
--When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
--
--Satisfies: SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00211, SRG-OS-000468-GPOS-00212, SRG-OS-000392-GPOS-00172&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000172</ident><ident system="http://iase.disa.mil/cci">CCI-002884</ident><fixtext fixref="F-78553r8_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "rename" syscall occur.
--
--Add the following rules in "/etc/audit/rules.d/audit.rules":
--
---a always,exit -F arch=b32 -S rename -F auid&gt;=1000 -F auid!=unset -k delete
--
---a always,exit -F arch=b64 -S rename -F auid&gt;=1000 -F auid!=unset -k delete
--
--The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-78553r8_fix" /><check system="C-72433r7_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system generates audit records when successful/unsuccessful attempts to use the "rename" syscall occur.
--
--Check the file system rules in "/etc/audit/audit.rules" with the following commands:
--
--# grep -iw rename /etc/audit/audit.rules
--
---a always,exit -F arch=b32 -S rename -F auid&gt;=1000 -F auid!=unset -k delete
--
---a always,exit -F arch=b64 -S rename -F auid&gt;=1000 -F auid!=unset -k delete
--
--If both the "b32" and "b64" audit rules are not defined for the "rename" syscall, this is a finding.</check-content></check></Rule></Group><Group id="V-72201"><title>SRG-OS-000466-GPOS-00210</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86825r6_rule" severity="medium" weight="10.0"><version>RHEL-07-030890</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the renameat syscall.</title><description>&lt;VulnDiscussion&gt;If the system is not configured to audit certain activities and write them to an audit log, it is more difficult to detect and track system compromises and damages incurred during a system compromise.
--
--When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
--
--Satisfies: SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00211, SRG-OS-000468-GPOS-00212, SRG-OS-000392-GPOS-00172&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000172</ident><ident system="http://iase.disa.mil/cci">CCI-002884</ident><fixtext fixref="F-78555r9_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "renameat" syscall occur.
--
--Add the following rules in "/etc/audit/rules.d/audit.rules":
--
---a always,exit -F arch=b32 -S renameat -F auid&gt;=1000 -F auid!=unset -k delete
--
---a always,exit -F arch=b64 -S renameat -F auid&gt;=1000 -F auid!=unset -k delete
--
--The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-78555r9_fix" /><check system="C-72435r8_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system generates audit records when successful/unsuccessful attempts to use the "renameat" syscall occur.
--
--Check the file system rules in "/etc/audit/audit.rules" with the following commands:
--
--# grep -iw renameat /etc/audit/audit.rules
--
---a always,exit -F arch=b32 -S renameat -F auid&gt;=1000 -F auid!=unset -k delete
--
---a always,exit -F arch=b64 -S renameat -F auid&gt;=1000 -F auid!=unset -k delete
--
--If both the "b32" and "b64" audit rules are not defined for the "renameat" syscall, this is a finding.</check-content></check></Rule></Group><Group id="V-72203"><title>SRG-OS-000466-GPOS-00210</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86827r6_rule" severity="medium" weight="10.0"><version>RHEL-07-030900</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the rmdir syscall.</title><description>&lt;VulnDiscussion&gt;If the system is not configured to audit certain activities and write them to an audit log, it is more difficult to detect and track system compromises and damages incurred during a system compromise.
--
--When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
--
--Satisfies: SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00211, SRG-OS-000468-GPOS-00212, SRG-OS-000392-GPOS-00172&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000172</ident><ident system="http://iase.disa.mil/cci">CCI-002884</ident><fixtext fixref="F-78557r10_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "rmdir" syscall occur.
--
--Add the following rules in "/etc/audit/rules.d/audit.rules":
--
---a always,exit -F arch=b32 -S rmdir -F auid&gt;=1000 -F auid!=unset -k delete
--
---a always,exit -F arch=b64 -S rmdir -F auid&gt;=1000 -F auid!=unset -k delete
--
--The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-78557r10_fix" /><check system="C-72437r7_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system generates audit records when successful/unsuccessful attempts to use the "rmdir" syscall occur.
--
--Check the file system rules in "/etc/audit/audit.rules" with the following commands:
--
--# grep -iw rmdir /etc/audit/audit.rules
--
---a always,exit -F arch=b32 -S rmdir -F auid&gt;=1000 -F auid!=unset -k delete
--
---a always,exit -F arch=b64 -S rmdir -F auid&gt;=1000 -F auid!=unset -k delete
--
--If both the "b32" and "b64" audit rules are not defined for the "rmdir" syscall, this is a finding.</check-content></check></Rule></Group><Group id="V-72205"><title>SRG-OS-000466-GPOS-00210</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86829r6_rule" severity="medium" weight="10.0"><version>RHEL-07-030910</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the unlink syscall.</title><description>&lt;VulnDiscussion&gt;If the system is not configured to audit certain activities and write them to an audit log, it is more difficult to detect and track system compromises and damages incurred during a system compromise.
--
--When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
--
--Satisfies: SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00211, SRG-OS-000468-GPOS-00212, SRG-OS-000392-GPOS-00172&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000172</ident><ident system="http://iase.disa.mil/cci">CCI-002884</ident><fixtext fixref="F-78559r8_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "unlink" syscall occur.
--
--Add the following rules in "/etc/audit/rules.d/audit.rules":
--
---a always,exit -F arch=b32 -S unlink -F auid&gt;=1000 -F auid!=unset -k delete
--
---a always,exit -F arch=b64 -S unlink -F auid&gt;=1000 -F auid!=unset -k delete
--
--The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-78559r8_fix" /><check system="C-72439r7_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system generates audit records when successful/unsuccessful attempts to use the "unlink" syscall occur.
--
--Check the file system rules in "/etc/audit/audit.rules" with the following commands:
--
--# grep -iw unlink /etc/audit/audit.rules
--
---a always,exit -F arch=b32 -S unlink -F auid&gt;=1000 -F auid!=unset -k delete
--
---a always,exit -F arch=b64 -S unlink -F auid&gt;=1000 -F auid!=unset -k delete
--
--If both the "b32" and "b64" audit rules are not defined for the "unlink" syscall, this is a finding.</check-content></check></Rule></Group><Group id="V-72207"><title>SRG-OS-000466-GPOS-00210</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86831r6_rule" severity="medium" weight="10.0"><version>RHEL-07-030920</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the unlinkat syscall.</title><description>&lt;VulnDiscussion&gt;If the system is not configured to audit certain activities and write them to an audit log, it is more difficult to detect and track system compromises and damages incurred during a system compromise.
--
--When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
--
--Satisfies: SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00211, SRG-OS-000468-GPOS-00212, SRG-OS-000392-GPOS-00172&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000172</ident><ident system="http://iase.disa.mil/cci">CCI-002884</ident><fixtext fixref="F-78561r11_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "unlinkat" syscall occur.
--
--Add the following rules in "/etc/audit/rules.d/audit.rules":
--
---a always,exit -F arch=b32 -S unlinkat -F auid&gt;=1000 -F auid!=unset -k delete
--
---a always,exit -F arch=b64 -S unlinkat -F auid&gt;=1000 -F auid!=unset -k delete
--
--The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-78561r11_fix" /><check system="C-72441r8_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system generates audit records when successful/unsuccessful attempts to use the "unlinkat" syscall occur.
--
--Check the file system rules in "/etc/audit/audit.rules" with the following commands:
--
--# grep -iw unlinkat /etc/audit/audit.rules
--
---a always,exit -F arch=b32 -S unlinkat -F auid&gt;=1000 -F auid!=unset -k delete
--
---a always,exit -F arch=b64 -S unlinkat -F auid&gt;=1000 -F auid!=unset -k delete
--
--If both the "b32" and "b64" audit rules are not defined for the "unlinkat" syscall, this is a finding.</check-content></check></Rule></Group><Group id="V-72209"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86833r2_rule" severity="medium" weight="10.0"><version>RHEL-07-031000</version><title>The Red Hat Enterprise Linux operating system must send rsyslog output to a log aggregation server.</title><description>&lt;VulnDiscussion&gt;Sending rsyslog output to another system ensures that the logs cannot be removed or modified in the event that the system is compromised or has a hardware failure.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000366</ident><fixtext fixref="F-78563r2_fix">Modify the "/etc/rsyslog.conf" or an "/etc/rsyslog.d/*.conf" file to contain a configuration line to send all "rsyslog" output to a log aggregation system:
--*.* @@&lt;log aggregation system name&gt;</fixtext><fix id="F-78563r2_fix" /><check system="C-72443r2_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify "rsyslog" is configured to send all messages to a log aggregation server.
--
--Check the configuration of "rsyslog" with the following command:
--
--Note: If another logging package is used, substitute the utility configuration file for "/etc/rsyslog.conf".
--
--# grep @ /etc/rsyslog.conf /etc/rsyslog.d/*.conf
--*.* @@logagg.site.mil
--
--If there are no lines in the "/etc/rsyslog.conf" or "/etc/rsyslog.d/*.conf" files that contain the "@" or "@@" symbol(s), and the lines with the correct symbol(s) to send output to another system do not cover all "rsyslog" output, ask the System Administrator to indicate how the audit logs are off-loaded to a different system or media. 
--
--If the lines are commented out or there is no evidence that the audit logs are being sent to another system, this is a finding.</check-content></check></Rule></Group><Group id="V-72211"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86835r2_rule" severity="medium" weight="10.0"><version>RHEL-07-031010</version><title>The Red Hat Enterprise Linux operating system must be configured so that the rsyslog daemon does not accept log messages from other servers unless the server is being used for log aggregation.</title><description>&lt;VulnDiscussion&gt;Unintentionally running a rsyslog server accepting remote messages puts the system at increased risk. Malicious rsyslog messages sent to the server could exploit vulnerabilities in the server software itself, could introduce misleading information in to the system's logs, or could fill the system's storage leading to a Denial of Service.
--
--If the system is intended to be a log aggregation server its use must be documented with the ISSO.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000318</ident><ident system="http://iase.disa.mil/cci">CCI-000368</ident><ident system="http://iase.disa.mil/cci">CCI-001812</ident><ident system="http://iase.disa.mil/cci">CCI-001813</ident><ident system="http://iase.disa.mil/cci">CCI-001814</ident><fixtext fixref="F-78565r2_fix">Modify the "/etc/rsyslog.conf" file to remove the "ModLoad imtcp", "ModLoad imudp", and "ModLoad imrelp" configuration lines, or document the system as being used for log aggregation.</fixtext><fix id="F-78565r2_fix" /><check system="C-72445r2_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify that the system is not accepting "rsyslog" messages from other systems unless it is documented as a log aggregation server.
--
--Check the configuration of "rsyslog" with the following command:
--
--# grep imtcp /etc/rsyslog.conf
--$ModLoad imtcp
--# grep imudp /etc/rsyslog.conf
--$ModLoad imudp
--# grep imrelp /etc/rsyslog.conf
--$ModLoad imrelp
--
--If any of the above modules are being loaded in the "/etc/rsyslog.conf" file, ask to see the documentation for the system being used for log aggregation.
--
--If the documentation does not exist, or does not specify the server as a log aggregation system, this is a finding.</check-content></check></Rule></Group><Group id="V-72213"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86837r3_rule" severity="high" weight="10.0"><version>RHEL-07-032000</version><title>The Red Hat Enterprise Linux operating system must use a virus scan program.</title><description>&lt;VulnDiscussion&gt;Virus scanning software can be used to protect a system from penetration from computer viruses and to limit their spread through intermediate systems.  
--
--The virus scanning software should be configured to perform scans dynamically on accessed files. If this capability is not available, the system must be configured to scan, at a minimum, all altered files on the system on a daily basis.
--
--If the system processes inbound SMTP mail, the virus scanner must be configured to scan all received mail.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-001668</ident><fixtext fixref="F-78567r2_fix">Install an antivirus solution on the system.</fixtext><fix id="F-78567r2_fix" /><check system="C-72447r3_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify an anti-virus solution is installed on the system. The anti-virus solution may be bundled with an approved host-based security solution.
--
--If there is no anti-virus solution installed on the system, this is a finding.</check-content></check></Rule></Group><Group id="V-72217"><title>SRG-OS-000027-GPOS-00008</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86841r3_rule" severity="low" weight="10.0"><version>RHEL-07-040000</version><title>The Red Hat Enterprise Linux operating system must limit the number of concurrent sessions to 10 for all accounts and/or account types.</title><description>&lt;VulnDiscussion&gt;Operating system management includes the ability to control the number of users and user sessions that utilize an operating system. Limiting the number of allowed users and sessions per user is helpful in reducing the risks related to DoS attacks.
--
--This requirement addresses concurrent sessions for information system accounts and does not address concurrent sessions by single users via multiple system accounts. The maximum number of concurrent sessions should be defined based on mission needs and the operational environment for each system.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000054</ident><fixtext fixref="F-78571r2_fix">Configure the operating system to limit the number of concurrent sessions to "10" for all accounts and/or account types.
--
--Add the following line to the top of the /etc/security/limits.conf or in a ".conf" file defined in /etc/security/limits.d/ :
--
--* hard maxlogins 10</fixtext><fix id="F-78571r2_fix" /><check system="C-72451r3_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system limits the number of concurrent sessions to "10" for all accounts and/or account types by issuing the following command:
--
--# grep "maxlogins" /etc/security/limits.conf /etc/security/limits.d/*.conf
--
--* hard maxlogins 10
--
--This can be set as a global domain (with the * wildcard) but may be set differently for multiple domains.
--
--If the "maxlogins" item is missing, commented out, or the value is not set to "10" or less for all domains that have the "maxlogins" item assigned, this is a finding.</check-content></check></Rule></Group><Group id="V-72219"><title>SRG-OS-000096-GPOS-00050</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86843r2_rule" severity="medium" weight="10.0"><version>RHEL-07-040100</version><title>The Red Hat Enterprise Linux operating system must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management Component Local Service Assessment (PPSM CLSA) and vulnerability assessments.</title><description>&lt;VulnDiscussion&gt;In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable or restrict unused or unnecessary physical and logical ports/protocols on information systems.
--
--Operating systems are capable of providing a wide variety of functions and services. Some of the functions and services provided by default may not be necessary to support essential organizational operations. Additionally, it is sometimes convenient to provide multiple services from a single component (e.g., VPN and IPS); however, doing so increases risk over limiting the services provided by any one component.
--
--To support the requirements and principles of least functionality, the operating system must support the organizational requirements, providing only essential capabilities and limiting the use of ports, protocols, and/or services to only those required, authorized, and approved to conduct official business or to address authorized quality of life issues.
--
--Satisfies: SRG-OS-000096-GPOS-00050, SRG-OS-000297-GPOS-00115&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000382</ident><ident system="http://iase.disa.mil/cci">CCI-002314</ident><fixtext fixref="F-78573r1_fix">Update the host's firewall settings and/or running services to comply with the PPSM CLSA for the site or program and the PPSM CAL.</fixtext><fix id="F-78573r1_fix" /><check system="C-72453r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Inspect the firewall configuration and running services to verify that it is configured to prohibit or restrict the use of functions, ports, protocols, and/or services that are unnecessary or prohibited.
--
--Check which services are currently active with the following command:
--
--# firewall-cmd --list-all
--public (default, active)
--  interfaces: enp0s3
--  sources: 
--  services: dhcpv6-client dns http https ldaps rpc-bind ssh
--  ports: 
--  masquerade: no
--  forward-ports: 
--  icmp-blocks: 
--  rich rules: 
--
--Ask the System Administrator for the site or program PPSM CLSA. Verify the services allowed by the firewall match the PPSM CLSA. 
--
--If there are additional ports, protocols, or services that are not in the PPSM CLSA, or there are ports, protocols, or services that are prohibited by the PPSM Category Assurance List (CAL), this is a finding.</check-content></check></Rule></Group><Group id="V-72221"><title>SRG-OS-000033-GPOS-00014</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86845r3_rule" severity="medium" weight="10.0"><version>RHEL-07-040110</version><title>The Red Hat Enterprise Linux operating system must use a FIPS 140-2 approved cryptographic algorithm for SSH communications.</title><description>&lt;VulnDiscussion&gt;Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised.
--
--Operating systems utilizing encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules.
--
--FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets DoD requirements. This allows for Security Levels 1, 2, 3, or 4 for use on a general purpose computing system.
--
--Satisfies: SRG-OS-000033-GPOS-00014, SRG-OS-000120-GPOS-00061, SRG-OS-000125-GPOS-00065, SRG-OS-000250-GPOS-00093, SRG-OS-000393-GPOS-00173&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000068</ident><ident system="http://iase.disa.mil/cci">CCI-000366</ident><ident system="http://iase.disa.mil/cci">CCI-000803</ident><fixtext fixref="F-78575r3_fix">Configure SSH to use FIPS 140-2 approved cryptographic algorithms.
--
--Add the following line (or modify the line to have the required value) to the "/etc/ssh/sshd_config" file (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor).
--
--Ciphers aes128-ctr,aes192-ctr,aes256-ctr
--
--The SSH service must be restarted for changes to take effect.</fixtext><fix id="F-78575r3_fix" /><check system="C-72455r4_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system uses mechanisms meeting the requirements of applicable federal laws, Executive orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module.
--
--Note: If RHEL-07-021350 is a finding, this is automatically a finding as the system cannot implement FIPS 140-2-approved cryptographic algorithms and hashes.
--
--The location of the "sshd_config" file may vary if a different daemon is in use.
--
--Inspect the "Ciphers" configuration with the following command:
--
--# grep -i ciphers /etc/ssh/sshd_config
--Ciphers aes128-ctr,aes192-ctr,aes256-ctr
--
--If any ciphers other than "aes128-ctr", "aes192-ctr", or "aes256-ctr" are listed, the "Ciphers" keyword is missing, or the returned line is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-72223"><title>SRG-OS-000163-GPOS-00072</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86847r5_rule" severity="medium" weight="10.0"><version>RHEL-07-040160</version><title>The Red Hat Enterprise Linux operating system must be configured so that all network connections associated with a communication session are terminated at the end of the session or after 15 minutes of inactivity from the user at a command prompt, except to fulfill documented and validated mission requirements.</title><description>&lt;VulnDiscussion&gt;Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle session will also free up resources committed by the managed network element. 
--
--Terminating network connections associated with communications sessions includes, for example, de-allocating associated TCP/IP address/port pairs at the operating system level and de-allocating networking assignments at the application level if multiple application sessions are using a single operating system-level network connection. This does not mean that the operating system terminates all sessions or network access; it only ends the inactive session and releases the resources associated with that session.
--
--Satisfies: SRG-OS-000029-GPOS-00010, SRG-OS-000163-GPOS-00072&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000057</ident><ident system="http://iase.disa.mil/cci">CCI-001133</ident><ident system="http://iase.disa.mil/cci">CCI-002361</ident><fixtext fixref="F-78577r6_fix">Configure the operating system to terminate all network connections associated with a communications session at the end of the session or after a period of inactivity.
--
--Create a script to enforce the inactivity timeout (for example /etc/profile.d/tmout.sh) such as:
--
--#!/bin/bash
--
--TMOUT=900
--readonly TMOUT
--export TMOUT</fixtext><fix id="F-78577r6_fix" /><check system="C-72457r5_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system terminates all network connections associated with a communications session at the end of the session or based on inactivity.
--
--Check the value of the system inactivity timeout with the following command:
--
--# grep -i tmout /etc/profile.d/*
--
--etc/profile.d/tmout.sh:TMOUT=900
--
--/etc/profile.d/tmout.sh:readonly TMOUT
--
--/etc/profile.d/tmout.sh:export TMOUT
--
--If "TMOUT" is not set to "900" or less in a script located in the /etc/profile.d/ directory to enforce session termination after inactivity, this is a finding.</check-content></check></Rule></Group><Group id="V-72225"><title>SRG-OS-000023-GPOS-00006</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86849r5_rule" severity="medium" weight="10.0"><version>RHEL-07-040170</version><title>The Red Hat Enterprise Linux operating system must display the Standard Mandatory DoD Notice and Consent Banner immediately prior to, or as part of, remote access logon prompts.</title><description>&lt;VulnDiscussion&gt;Display of a standardized and approved use notification before granting access to the publicly accessible operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.
--
--System use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist.
--
--The banner must be formatted in accordance with applicable DoD policy. Use the following verbiage for operating systems that can accommodate banners of 1300 characters:
--
--"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.
--
--By using this IS (which includes any device attached to this IS), you consent to the following conditions:
--
---The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
--
---At any time, the USG may inspect and seize data stored on this IS.
--
---Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
--
---This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.
--
---Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."
--
--Satisfies: SRG-OS-000023-GPOS-00006, SRG-OS-000024-GPOS-00007 , SRG-OS-000228-GPOS-00088&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000048</ident><ident system="http://iase.disa.mil/cci">CCI-000050</ident><ident system="http://iase.disa.mil/cci">CCI-001384</ident><ident system="http://iase.disa.mil/cci">CCI-001385</ident><ident system="http://iase.disa.mil/cci">CCI-001386</ident><ident system="http://iase.disa.mil/cci">CCI-001387</ident><ident system="http://iase.disa.mil/cci">CCI-001388</ident><fixtext fixref="F-78579r5_fix">Configure the operating system to display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system via the ssh.
--
--Edit the "/etc/ssh/sshd_config" file to uncomment the banner keyword and configure it to point to a file that will contain the logon banner (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor). An example configuration line is:
--
--banner /etc/issue
--
--Either create the file containing the banner or replace the text in the file with the Standard Mandatory DoD Notice and Consent Banner. The DoD required text is:
--
--"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.
--
--By using this IS (which includes any device attached to this IS), you consent to the following conditions:
--
---The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
--
---At any time, the USG may inspect and seize data stored on this IS.
--
---Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
--
---This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.
--
---Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."
--
--The SSH service must be restarted for changes to take effect. </fixtext><fix id="F-78579r5_fix" /><check system="C-72459r3_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify any publicly accessible connection to the operating system displays the Standard Mandatory DoD Notice and Consent Banner before granting access to the system.
--
--Check for the location of the banner file being used with the following command:
--
--# grep -i banner /etc/ssh/sshd_config
--
--banner /etc/issue
--
--This command will return the banner keyword and the name of the file that contains the ssh banner (in this case "/etc/issue").
--
--If the line is commented out, this is a finding.
--
--View the file specified by the banner keyword to check that it matches the text of the Standard Mandatory DoD Notice and Consent Banner:
--
--"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.
--
--By using this IS (which includes any device attached to this IS), you consent to the following conditions:
--
---The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
--
---At any time, the USG may inspect and seize data stored on this IS.
--
---Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
--
---This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.
--
---Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."
--
--If the system does not display a graphical logon banner or the banner does not match the Standard Mandatory DoD Notice and Consent Banner, this is a finding.
--
--If the text in the file does not match the Standard Mandatory DoD Notice and Consent Banner, this is a finding.</check-content></check></Rule></Group><Group id="V-72227"><title>SRG-OS-000250-GPOS-00093</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86851r4_rule" severity="medium" weight="10.0"><version>RHEL-07-040180</version><title>The Red Hat Enterprise Linux operating system must implement cryptography to protect the integrity of Lightweight Directory Access Protocol (LDAP) authentication communications.</title><description>&lt;VulnDiscussion&gt;Without cryptographic integrity protections, information can be altered by unauthorized users without detection.
--
--Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the key used to generate the hash.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-001453</ident><fixtext fixref="F-78581r2_fix">Configure the operating system to implement cryptography to protect the integrity of LDAP authentication sessions.
--
--Add or modify the following line in "/etc/sssd/sssd.conf":
--
--ldap_id_use_start_tls = true</fixtext><fix id="F-78581r2_fix" /><check system="C-72461r3_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>If LDAP is not being utilized, this requirement is Not Applicable.
--
--Verify the operating system implements cryptography to protect the integrity of remote LDAP authentication sessions.
--
--To determine if LDAP is being used for authentication, use the following command:
--
--# systemctl status sssd.service
--sssd.service - System Security Services Daemon
--Loaded: loaded (/usr/lib/systemd/system/sssd.service; enabled; vendor preset: disabled)
--Active: active (running) since Wed 2018-06-27 10:58:11 EST; 1h 50min ago
--
--If the "sssd.service" is "active", then LDAP is being used. 
--
--Determine the "id_provider" the LDAP is currently using:
--
--# grep -i "id_provider" /etc/sssd/sssd.conf
--
--id_provider = ad
--
--If "id_provider" is set to "ad", this is Not Applicable.
--
--Ensure that LDAP is configured to use TLS by using the following command:
--
--# grep -i "start_tls" /etc/sssd/sssd.conf
--ldap_id_use_start_tls = true
--
--If the "ldap_id_use_start_tls" option is not "true", this is a finding.</check-content></check></Rule></Group><Group id="V-72229"><title>SRG-OS-000250-GPOS-00093</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86853r4_rule" severity="medium" weight="10.0"><version>RHEL-07-040190</version><title>The Red Hat Enterprise Linux operating system must implement cryptography to protect the integrity of Lightweight Directory Access Protocol (LDAP) communications.</title><description>&lt;VulnDiscussion&gt;Without cryptographic integrity protections, information can be altered by unauthorized users without detection.
--
--Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the key used to generate the hash.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-001453</ident><fixtext fixref="F-78583r4_fix">Configure the operating system to implement cryptography to protect the integrity of LDAP remote access sessions.
--
--Add or modify the following line in "/etc/sssd/sssd.conf":
--
--ldap_tls_reqcert = demand</fixtext><fix id="F-78583r4_fix" /><check system="C-72463r6_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>If LDAP is not being utilized, this requirement is Not Applicable.
--
--Verify the operating system implements cryptography to protect the integrity of remote LDAP access sessions.
--
--To determine if LDAP is being used for authentication, use the following command:
--
--# systemctl status sssd.service
--sssd.service - System Security Services Daemon
--Loaded: loaded (/usr/lib/systemd/system/sssd.service; enabled; vendor preset: disabled)
--Active: active (running) since Wed 2018-06-27 10:58:11 EST; 1h 50min ago
--
--If the "sssd.service" is "active", then LDAP is being used. 
--
--Determine the "id_provider" the LDAP is currently using:
--
--# grep -i "id_provider" /etc/sssd/sssd.conf
--
--id_provider = ad
--
--If "id_provider" is set to "ad", this is Not Applicable.
--
--Verify the sssd service is configured to require the use of certificates:
--
--# grep -i tls_reqcert /etc/sssd/sssd.conf
--ldap_tls_reqcert = demand
--
--If the "ldap_tls_reqcert" setting is missing, commented out, or does not exist, this is a finding.
--
--If the "ldap_tls_reqcert" setting is not set to "demand" or "hard", this is a finding.</check-content></check></Rule></Group><Group id="V-72231"><title>SRG-OS-000250-GPOS-00093</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86855r4_rule" severity="medium" weight="10.0"><version>RHEL-07-040200</version><title>The Red Hat Enterprise Linux operating system must implement cryptography to protect the integrity of Lightweight Directory Access Protocol (LDAP) communications.</title><description>&lt;VulnDiscussion&gt;Without cryptographic integrity protections, information can be altered by unauthorized users without detection.
--
--Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the key used to generate the hash.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-001453</ident><fixtext fixref="F-78585r3_fix">Configure the operating system to implement cryptography to protect the integrity of LDAP remote access sessions.
--
--Add or modify the following line in "/etc/sssd/sssd.conf":
--
--ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt</fixtext><fix id="F-78585r3_fix" /><check system="C-72465r4_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>If LDAP is not being utilized, this requirement is Not Applicable.
--
--Verify the operating system implements cryptography to protect the integrity of remote LDAP access sessions.
--
--To determine if LDAP is being used for authentication, use the following command:
--
--# systemctl status sssd.service
--sssd.service - System Security Services Daemon
--Loaded: loaded (/usr/lib/systemd/system/sssd.service; enabled; vendor preset: disabled)
--Active: active (running) since Wed 2018-06-27 10:58:11 EST; 1h 50min ago
--
--If the "sssd.service" is "active", then LDAP is being used.
--
--Determine the "id_provider" that the LDAP is currently using:
--
--# grep -i "id_provider" /etc/sssd/sssd.conf
--
--id_provider = ad
--
--If "id_provider" is set to "ad", this is Not Applicable.
--
--Check the path to the X.509 certificate for peer authentication with the following command:
--
--# grep -i tls_cacert /etc/sssd/sssd.conf
--
--ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt
--
--Verify the "ldap_tls_cacert" option points to a file that contains the trusted CA certificate.
--
--If this file does not exist, or the option is commented out or missing, this is a finding.</check-content></check></Rule></Group><Group id="V-72233"><title>SRG-OS-000423-GPOS-00187</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86857r3_rule" severity="medium" weight="10.0"><version>RHEL-07-040300</version><title>The Red Hat Enterprise Linux operating system must be configured so that all networked systems have SSH installed.</title><description>&lt;VulnDiscussion&gt;Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read or altered. 
--
--This requirement applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, and facsimile machines). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. 
--
--Protecting the confidentiality and integrity of organizational information can be accomplished by physical means (e.g., employing physical distribution systems) or by logical means (e.g., employing cryptographic techniques). If physical means of protection are employed, logical means (cryptography) do not have to be employed, and vice versa.
--
--Satisfies: SRG-OS-000423-GPOS-00187, SRG-OS-000424-GPOS-00188, SRG-OS-000425-GPOS-00189, SRG-OS-000426-GPOS-00190&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-002418</ident><ident system="http://iase.disa.mil/cci">CCI-002420</ident><ident system="http://iase.disa.mil/cci">CCI-002421</ident><ident system="http://iase.disa.mil/cci">CCI-002422</ident><fixtext fixref="F-78587r3_fix">Install SSH packages onto the host with the following commands:
--
--# yum install openssh-server.x86_64</fixtext><fix id="F-78587r3_fix" /><check system="C-72467r3_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Check to see if sshd is installed with the following command:
--
--# yum list installed \*ssh\*
--libssh2.x86_64 1.4.3-8.el7 @anaconda/7.1
--openssh.x86_64 6.6.1p1-11.el7 @anaconda/7.1
--openssh-server.x86_64 6.6.1p1-11.el7 @anaconda/7.1
--
--If the "SSH server" package is not installed, this is a finding.</check-content></check></Rule></Group><Group id="V-72235"><title>SRG-OS-000423-GPOS-00187</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86859r3_rule" severity="medium" weight="10.0"><version>RHEL-07-040310</version><title>The Red Hat Enterprise Linux operating system must be configured so that all networked systems use SSH for confidentiality and integrity of transmitted and received information as well as information during preparation for transmission.</title><description>&lt;VulnDiscussion&gt;Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read or altered. 
--
--This requirement applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, and facsimile machines). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. 
--
--Protecting the confidentiality and integrity of organizational information can be accomplished by physical means (e.g., employing physical distribution systems) or by logical means (e.g., employing cryptographic techniques). If physical means of protection are employed, then logical means (cryptography) do not have to be employed, and vice versa.
--
--Satisfies: SRG-OS-000423-GPOS-00187, SRG-OS-000423-GPOS-00188, SRG-OS-000423-GPOS-00189, SRG-OS-000423-GPOS-00190&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-002418</ident><ident system="http://iase.disa.mil/cci">CCI-002420</ident><ident system="http://iase.disa.mil/cci">CCI-002421</ident><ident system="http://iase.disa.mil/cci">CCI-002422</ident><fixtext fixref="F-78589r2_fix">Configure the SSH service to automatically start after reboot with the following command:
--
--# systemctl enable sshd.service</fixtext><fix id="F-78589r2_fix" /><check system="C-72469r3_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify SSH is loaded and active with the following command:
--
--# systemctl status sshd
--sshd.service - OpenSSH server daemon
--Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled)
--Active: active (running) since Tue 2015-11-17 15:17:22 EST; 4 weeks 0 days ago
--Main PID: 1348 (sshd)
--CGroup: /system.slice/sshd.service
--1053 /usr/sbin/sshd -D
--
--If "sshd" does not show a status of "active" and "running", this is a finding.</check-content></check></Rule></Group><Group id="V-72237"><title>SRG-OS-000163-GPOS-00072</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86861r4_rule" severity="medium" weight="10.0"><version>RHEL-07-040320</version><title>The Red Hat Enterprise Linux operating system must be configured so that all network connections associated with SSH traffic are terminated at the end of the session or after 10 minutes of inactivity, except to fulfill documented and validated mission requirements.</title><description>&lt;VulnDiscussion&gt;Terminating an idle SSH session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle SSH session will also free up resources committed by the managed network element.
--
--Terminating network connections associated with communications sessions includes, for example, de-allocating associated TCP/IP address/port pairs at the operating system level and de-allocating networking assignments at the application level if multiple application sessions are using a single operating system-level network connection. This does not mean that the operating system terminates all sessions or network access; it only ends the inactive session and releases the resources associated with that session.
--
--Satisfies: SRG-OS-000163-GPOS-00072, SRG-OS-000279-GPOS-00109&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-001133</ident><ident system="http://iase.disa.mil/cci">CCI-002361</ident><fixtext fixref="F-78591r2_fix">Configure the operating system to automatically terminate a user session after inactivity time-outs have expired or at shutdown.
--
--Add the following line (or modify the line to have the required value) to the "/etc/ssh/sshd_config" file (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor):
--
--ClientAliveInterval 600
--
--The SSH service must be restarted for changes to take effect.</fixtext><fix id="F-78591r2_fix" /><check system="C-72471r2_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system automatically terminates a user session after inactivity time-outs have expired.
--
--Check for the value of the "ClientAliveInterval" keyword with the following command:
--
--# grep -iw clientaliveinterval /etc/ssh/sshd_config
--
--ClientAliveInterval 600
--
--If "ClientAliveInterval" is not configured, commented out, or has a value of "0", this is a finding.
--
--If "ClientAliveInterval" has a value that is greater than "600" and is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.</check-content></check></Rule></Group><Group id="V-72239"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86863r4_rule" severity="medium" weight="10.0"><version>RHEL-07-040330</version><title>The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not allow authentication using RSA rhosts authentication.</title><description>&lt;VulnDiscussion&gt;Configuring this setting for the SSH daemon provides additional assurance that remote logon via SSH will require a password, even in the event of misconfiguration elsewhere.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000366</ident><fixtext fixref="F-78593r4_fix">Configure the SSH daemon to not allow authentication using RSA rhosts authentication.
--
--Add the following line in "/etc/ssh/sshd_config", or uncomment the line and set the value to "no":
--
--RhostsRSAAuthentication no
--
--The SSH service must be restarted for changes to take effect.</fixtext><fix id="F-78593r4_fix" /><check system="C-72473r5_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Check the version of the operating system with the following command:
--
--# cat /etc/redhat-release
--
--If the release is 7.4 or newer this requirement is Not Applicable.
--
--Verify the SSH daemon does not allow authentication using RSA rhosts authentication.
--
--To determine how the SSH daemon's "RhostsRSAAuthentication" option is set, run the following command:
--
--# grep RhostsRSAAuthentication /etc/ssh/sshd_config
--RhostsRSAAuthentication no
--
--If the value is returned as "yes", the returned line is commented out, or no output is returned, this is a finding.</check-content></check></Rule></Group><Group id="V-72241"><title>SRG-OS-000163-GPOS-00072</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86865r4_rule" severity="medium" weight="10.0"><version>RHEL-07-040340</version><title>The Red Hat Enterprise Linux operating system must be configured so that all network connections associated with SSH traffic terminate after a period of inactivity.</title><description>&lt;VulnDiscussion&gt;Terminating an idle SSH session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle SSH session will also free up resources committed by the managed network element.
--
--Terminating network connections associated with communications sessions includes, for example, de-allocating associated TCP/IP address/port pairs at the operating system level and de-allocating networking assignments at the application level if multiple application sessions are using a single operating system-level network connection. This does not mean that the operating system terminates all sessions or network access; it only ends the inactive session and releases the resources associated with that session.
--
--Satisfies: SRG-OS-000163-GPOS-00072, SRG-OS-000279-GPOS-00109&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-001133</ident><ident system="http://iase.disa.mil/cci">CCI-002361</ident><fixtext fixref="F-78595r4_fix">Configure the operating system to terminate automatically a user session after inactivity time-outs have expired or at shutdown.
--
--Add the following line (or modify the line to have the required value) to the "/etc/ssh/sshd_config" file (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor):
--
--ClientAliveCountMax 0
--
--The SSH service must be restarted for changes to take effect.</fixtext><fix id="F-78595r4_fix" /><check system="C-72475r4_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system automatically terminates a user session after inactivity time-outs have expired.
--
--Check for the value of the "ClientAliveCountMax" keyword with the following command:
--
--# grep -i clientalivecount /etc/ssh/sshd_config
--ClientAliveCountMax 0
--
--If "ClientAliveCountMax" is not set to "0", this is a finding.</check-content></check></Rule></Group><Group id="V-72243"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86867r3_rule" severity="medium" weight="10.0"><version>RHEL-07-040350</version><title>The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not allow authentication using rhosts authentication.</title><description>&lt;VulnDiscussion&gt;Configuring this setting for the SSH daemon provides additional assurance that remote logon via SSH will require a password, even in the event of misconfiguration elsewhere.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000366</ident><fixtext fixref="F-78597r2_fix">Configure the SSH daemon to not allow authentication using known hosts authentication.
--
--Add the following line in "/etc/ssh/sshd_config", or uncomment the line and set the value to "yes":
--
--IgnoreRhosts yes</fixtext><fix id="F-78597r2_fix" /><check system="C-72477r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the SSH daemon does not allow authentication using known hosts authentication.
--
--To determine how the SSH daemon's "IgnoreRhosts" option is set, run the following command:
--
--# grep -i IgnoreRhosts /etc/ssh/sshd_config
--
--IgnoreRhosts yes
--
--If the value is returned as "no", the returned line is commented out, or no output is returned, this is a finding.</check-content></check></Rule></Group><Group id="V-72245"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86869r3_rule" severity="medium" weight="10.0"><version>RHEL-07-040360</version><title>The Red Hat Enterprise Linux operating system must display the date and time of the last successful account logon upon an SSH logon.</title><description>&lt;VulnDiscussion&gt;Providing users with feedback on when account accesses via SSH last occurred facilitates user recognition and reporting of unauthorized account use.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000366</ident><fixtext fixref="F-78599r3_fix">Configure SSH to provide users with feedback on when account accesses last occurred by setting the required configuration options in "/etc/pam.d/sshd" or in the "sshd_config" file used by the system ("/etc/ssh/sshd_config" will be used in the example) (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor).
--
--Modify the "PrintLastLog" line in "/etc/ssh/sshd_config" to match the following:
--
--PrintLastLog yes
--
--The SSH service must be restarted for changes to "sshd_config" to take effect.</fixtext><fix id="F-78599r3_fix" /><check system="C-72479r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify SSH provides users with feedback on when account accesses last occurred.
--
--Check that "PrintLastLog" keyword in the sshd daemon configuration file is used and set to "yes" with the following command:
--
--# grep -i printlastlog /etc/ssh/sshd_config
--PrintLastLog yes
--
--If the "PrintLastLog" keyword is set to "no", is missing, or is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-72247"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86871r3_rule" severity="medium" weight="10.0"><version>RHEL-07-040370</version><title>The Red Hat Enterprise Linux operating system must not permit direct logons to the root account using remote access via SSH.</title><description>&lt;VulnDiscussion&gt;Even though the communications channel may be encrypted, an additional layer of security is gained by extending the policy of not logging on directly as root. In addition, logging on with a user-specific account provides individual accountability of actions performed on the system.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000366</ident><fixtext fixref="F-78601r2_fix">Configure SSH to stop users from logging on remotely as the root user.
--
--Edit the appropriate  "/etc/ssh/sshd_config" file to uncomment or add the line for the "PermitRootLogin" keyword and set its value to "no" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor):
--
--PermitRootLogin no
--
--The SSH service must be restarted for changes to take effect.</fixtext><fix id="F-78601r2_fix" /><check system="C-72481r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify remote access using SSH prevents users from logging on directly as root.
--
--Check that SSH prevents users from logging on directly as root with the following command:
--
--# grep -i permitrootlogin /etc/ssh/sshd_config
--PermitRootLogin no
--
--If the "PermitRootLogin" keyword is set to "yes", is missing, or is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-72249"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86873r3_rule" severity="medium" weight="10.0"><version>RHEL-07-040380</version><title>The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not allow authentication using known hosts authentication.</title><description>&lt;VulnDiscussion&gt;Configuring this setting for the SSH daemon provides additional assurance that remote logon via SSH will require a password, even in the event of misconfiguration elsewhere.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000366</ident><fixtext fixref="F-78603r2_fix">Configure the SSH daemon to not allow authentication using known hosts authentication.
--
--Add the following line in "/etc/ssh/sshd_config", or uncomment the line and set the value to "yes":
--
--IgnoreUserKnownHosts yes
--
--The SSH service must be restarted for changes to take effect.</fixtext><fix id="F-78603r2_fix" /><check system="C-72483r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the SSH daemon does not allow authentication using known hosts authentication.
--
--To determine how the SSH daemon's "IgnoreUserKnownHosts" option is set, run the following command:
--
--# grep -i IgnoreUserKnownHosts /etc/ssh/sshd_config
--
--IgnoreUserKnownHosts yes
--
--If the value is returned as "no", the returned line is commented out, or no output is returned, this is a finding.</check-content></check></Rule></Group><Group id="V-72251"><title>SRG-OS-000074-GPOS-00042</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86875r4_rule" severity="high" weight="10.0"><version>RHEL-07-040390</version><title>The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon is configured to only use the SSHv2 protocol.</title><description>&lt;VulnDiscussion&gt;SSHv1 is an insecure implementation of the SSH protocol and has many well-known vulnerability exploits. Exploits of the SSH daemon could provide immediate root access to the system.
--
--Satisfies: SRG-OS-000074-GPOS-00042, SRG-OS-000480-GPOS-00227&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000197</ident><ident system="http://iase.disa.mil/cci">CCI-000366</ident><fixtext fixref="F-78605r2_fix">Remove all Protocol lines that reference version "1" in "/etc/ssh/sshd_config" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor). The "Protocol" line must be as follows:
--
--Protocol 2
--
--The SSH service must be restarted for changes to take effect.</fixtext><fix id="F-78605r2_fix" /><check system="C-72485r2_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Check the version of the operating system with the following command:
--
--# cat /etc/redhat-release
--
--If the release is 7.4 or newer this requirement is Not Applicable.
--
--Verify the SSH daemon is configured to only use the SSHv2 protocol.
--
--Check that the SSH daemon is configured to only use the SSHv2 protocol with the following command:
--
--# grep -i protocol /etc/ssh/sshd_config
--Protocol 2
--#Protocol 1,2
--
--If any protocol line other than "Protocol 2" is uncommented, this is a finding.</check-content></check></Rule></Group><Group id="V-72253"><title>SRG-OS-000250-GPOS-00093</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86877r3_rule" severity="medium" weight="10.0"><version>RHEL-07-040400</version><title>The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon is configured to only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms.</title><description>&lt;VulnDiscussion&gt;DoD information systems are required to use FIPS 140-2 approved cryptographic hash functions. The only SSHv2 hash algorithm meeting this requirement is SHA.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-001453</ident><fixtext fixref="F-78607r2_fix">Edit the "/etc/ssh/sshd_config" file to uncomment or add the line for the "MACs" keyword and set its value to "hmac-sha2-256" and/or "hmac-sha2-512" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor):
--
--MACs hmac-sha2-256,hmac-sha2-512
--
--The SSH service must be restarted for changes to take effect.</fixtext><fix id="F-78607r2_fix" /><check system="C-72487r5_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the SSH daemon is configured to only use MACs employing FIPS 140-2-approved ciphers.
--
--Note: If RHEL-07-021350 is a finding, this is automatically a finding as the system cannot implement FIPS 140-2-approved cryptographic algorithms and hashes.
--
--Check that the SSH daemon is configured to only use MACs employing FIPS 140-2-approved ciphers with the following command:
--
--# grep -i macs /etc/ssh/sshd_config
--MACs hmac-sha2-256,hmac-sha2-512
--
--If any ciphers other than "hmac-sha2-256" or "hmac-sha2-512" are listed or the returned line is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-72255"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86879r2_rule" severity="medium" weight="10.0"><version>RHEL-07-040410</version><title>The Red Hat Enterprise Linux operating system must be configured so that the SSH public host key files have mode 0644 or less permissive.</title><description>&lt;VulnDiscussion&gt;If a public host key file is modified by an unauthorized user, the SSH service may be compromised.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000366</ident><fixtext fixref="F-78609r1_fix">Note: SSH public key files may be found in other directories on the system depending on the installation. 
--
--Change the mode of public host key files under "/etc/ssh" to "0644" with the following command:
--
--# chmod 0644 /etc/ssh/*.key.pub</fixtext><fix id="F-78609r1_fix" /><check system="C-72489r2_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the SSH public host key files have mode "0644" or less permissive.
--
--Note: SSH public key files may be found in other directories on the system depending on the installation.
--
--The following command will find all SSH public key files on the system:
--
--# find /etc/ssh -name '*.pub' -exec ls -lL {} \;
--
---rw-r--r-- 1 root root 618 Nov 28 06:43 ssh_host_dsa_key.pub
---rw-r--r-- 1 root root 347 Nov 28 06:43 ssh_host_key.pub
---rw-r--r-- 1 root root 238 Nov 28 06:43 ssh_host_rsa_key.pub
--
--If any file has a mode more permissive than "0644", this is a finding.</check-content></check></Rule></Group><Group id="V-72257"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86881r3_rule" severity="medium" weight="10.0"><version>RHEL-07-040420</version><title>The Red Hat Enterprise Linux operating system must be configured so that the SSH private host key files have mode 0640 or less permissive.</title><description>&lt;VulnDiscussion&gt;If an unauthorized user obtains the private SSH host key file, the host could be impersonated.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000366</ident><fixtext fixref="F-78611r5_fix">Configure the mode of SSH private host key files under "/etc/ssh" to "0640" with the following command:
--
--# chmod 0640 /path/to/file/ssh_host*key
--</fixtext><fix id="F-78611r5_fix" /><check system="C-72491r4_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the SSH private host key files have mode "0640" or less permissive.
--
--The following command will find all SSH private key files on the system and list their modes:
--
--# find / -name '*ssh_host*key' | xargs ls -lL
--
---rw-r----- 1 root ssh_keys 668 Nov 28 06:43 ssh_host_dsa_key
---rw-r----- 1 root ssh_keys 582 Nov 28 06:43 ssh_host_key
---rw-r----- 1 root ssh_keys 887 Nov 28 06:43 ssh_host_rsa_key
--
--If any file has a mode more permissive than "0640", this is a finding.</check-content></check></Rule></Group><Group id="V-72259"><title>SRG-OS-000364-GPOS-00151</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86883r3_rule" severity="medium" weight="10.0"><version>RHEL-07-040430</version><title>The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not permit Generic Security Service Application Program Interface (GSSAPI) authentication unless needed.</title><description>&lt;VulnDiscussion&gt;GSSAPI authentication is used to provide additional authentication mechanisms to applications. Allowing GSSAPI authentication through SSH exposes the system's GSSAPI to remote hosts, increasing the attack surface of the system. GSSAPI authentication must be disabled unless needed.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000318</ident><ident system="http://iase.disa.mil/cci">CCI-000368</ident><ident system="http://iase.disa.mil/cci">CCI-001812</ident><ident system="http://iase.disa.mil/cci">CCI-001813</ident><ident system="http://iase.disa.mil/cci">CCI-001814</ident><fixtext fixref="F-78613r2_fix">Uncomment the "GSSAPIAuthentication" keyword in "/etc/ssh/sshd_config" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor) and set the value to "no": 
--
--GSSAPIAuthentication no
--
--The SSH service must be restarted for changes to take effect.
--
--If GSSAPI authentication is required, it must be documented, to include the location of the configuration file, with the ISSO.</fixtext><fix id="F-78613r2_fix" /><check system="C-72493r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the SSH daemon does not permit GSSAPI authentication unless approved.
--
--Check that the SSH daemon does not permit GSSAPI authentication with the following command:
--
--# grep -i gssapiauth /etc/ssh/sshd_config
--GSSAPIAuthentication no
--
--If the "GSSAPIAuthentication" keyword is missing, is set to "yes" and is not documented with the Information System Security Officer (ISSO), or the returned line is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-72261"><title>SRG-OS-000364-GPOS-00151</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86885r3_rule" severity="medium" weight="10.0"><version>RHEL-07-040440</version><title>The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not permit Kerberos authentication unless needed.</title><description>&lt;VulnDiscussion&gt;Kerberos authentication for SSH is often implemented using Generic Security Service Application Program Interface (GSSAPI). If Kerberos is enabled through SSH, the SSH daemon provides a means of access to the system's Kerberos implementation. Vulnerabilities in the system's Kerberos implementation may then be subject to exploitation. To reduce the attack surface of the system, the Kerberos authentication mechanism within SSH must be disabled for systems not using this capability.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000318</ident><ident system="http://iase.disa.mil/cci">CCI-000368</ident><ident system="http://iase.disa.mil/cci">CCI-001812</ident><ident system="http://iase.disa.mil/cci">CCI-001813</ident><ident system="http://iase.disa.mil/cci">CCI-001814</ident><fixtext fixref="F-78615r2_fix">Uncomment the "KerberosAuthentication" keyword in "/etc/ssh/sshd_config" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor) and set the value to "no":
--
--KerberosAuthentication no
--
--The SSH service must be restarted for changes to take effect.
--
--If Kerberos authentication is required, it must be documented, to include the location of the configuration file, with the ISSO.</fixtext><fix id="F-78615r2_fix" /><check system="C-72495r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the SSH daemon does not permit Kerberos to authenticate passwords unless approved.
--
--Check that the SSH daemon does not permit Kerberos to authenticate passwords with the following command:
--
--# grep -i kerberosauth /etc/ssh/sshd_config
--KerberosAuthentication no
--
--If the "KerberosAuthentication" keyword is missing, or is set to "yes" and is not documented with the Information System Security Officer (ISSO), or the returned line is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-72263"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86887r3_rule" severity="medium" weight="10.0"><version>RHEL-07-040450</version><title>The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon performs strict mode checking of home directory configuration files.</title><description>&lt;VulnDiscussion&gt;If other users have access to modify user-specific SSH configuration files, they may be able to log on to the system as another user.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000366</ident><fixtext fixref="F-78617r4_fix">Uncomment the "StrictModes" keyword in "/etc/ssh/sshd_config" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor) and set the value to "yes":
--
--StrictModes yes
--
--The SSH service must be restarted for changes to take effect.</fixtext><fix id="F-78617r4_fix" /><check system="C-72497r6_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the SSH daemon performs strict mode checking of home directory configuration files.
--
--The location of the "sshd_config" file may vary if a different daemon is in use.
--
--Inspect the "sshd_config" file with the following command:
--
--# grep -i strictmodes /etc/ssh/sshd_config
--
--StrictModes yes
--
--If "StrictModes" is set to "no", is missing, or the returned line is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-72265"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86889r3_rule" severity="medium" weight="10.0"><version>RHEL-07-040460</version><title>The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon uses privilege separation.</title><description>&lt;VulnDiscussion&gt;SSH daemon privilege separation causes the SSH process to drop root privileges when not needed, which would decrease the impact of software vulnerabilities in the unprivileged section.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000366</ident><fixtext fixref="F-78619r2_fix">Uncomment the "UsePrivilegeSeparation" keyword in "/etc/ssh/sshd_config" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor) and set the value to "sandbox" or "yes":
--
--UsePrivilegeSeparation sandbox
--
--The SSH service must be restarted for changes to take effect.</fixtext><fix id="F-78619r2_fix" /><check system="C-72499r3_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the SSH daemon performs privilege separation.
--
--Check that the SSH daemon performs privilege separation with the following command:
--
--# grep -i usepriv /etc/ssh/sshd_config
--
--UsePrivilegeSeparation sandbox
--
--If the "UsePrivilegeSeparation" keyword is set to "no", is missing, or the returned line is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-72267"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86891r3_rule" severity="medium" weight="10.0"><version>RHEL-07-040470</version><title>The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not allow compression or only allows compression after successful authentication.</title><description>&lt;VulnDiscussion&gt;If compression is allowed in an SSH connection prior to authentication, vulnerabilities in the compression software could result in compromise of the system from an unauthenticated connection, potentially with root privileges.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000366</ident><fixtext fixref="F-78621r2_fix">Uncomment the "Compression" keyword in "/etc/ssh/sshd_config" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor) on the system and set the value to "delayed" or "no":
--
--Compression no
--
--The SSH service must be restarted for changes to take effect.</fixtext><fix id="F-78621r2_fix" /><check system="C-72501r2_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the SSH daemon performs compression after a user successfully authenticates.
--
--Check that the SSH daemon performs compression after a user successfully authenticates with the following command:
--
--# grep -i compression /etc/ssh/sshd_config
--Compression delayed
--
--If the "Compression" keyword is set to "yes", is missing, or the returned line is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-72269"><title>SRG-OS-000355-GPOS-00143</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86893r5_rule" severity="medium" weight="10.0"><version>RHEL-07-040500</version><title>The Red Hat Enterprise Linux operating system must, for networked systems, synchronize clocks with a server that is synchronized to one of the redundant United States Naval Observatory (USNO) time servers, a time server designated for the appropriate DoD network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS).</title><description>&lt;VulnDiscussion&gt;Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. Sources outside the configured acceptable allowance (drift) may be inaccurate.
--
--Synchronizing internal information system clocks provides uniformity of time stamps for information systems with multiple system clocks and systems connected over a network.
--
--Organizations should consider endpoints that may not have regular access to the authoritative time server (e.g., mobile, teleworking, and tactical endpoints).
--
--Satisfies: SRG-OS-000355-GPOS-00143, SRG-OS-000356-GPOS-00144&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-001891</ident><ident system="http://iase.disa.mil/cci">CCI-002046</ident><fixtext fixref="F-78623r5_fix">Edit the "/etc/ntp.conf" or "/etc/chrony.conf" file and add or update an entry to define "maxpoll" to "10" as follows:
--
--server 0.rhel.pool.ntp.org iburst maxpoll 10
--
--If NTP was running and "maxpoll" was updated, the NTP service must be restarted:
--
--# systemctl restart ntpd
--
--If NTP was not running, it must be started:
--
--# systemctl start ntpd 
--
--If "chronyd" was running and "maxpoll" was updated, the service must be restarted:
--
--# systemctl restart chronyd.service
--
--If "chronyd" was not running, it must be started:
--
--# systemctl start chronyd.service</fixtext><fix id="F-78623r5_fix" /><check system="C-72503r6_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Check to see if NTP is running in continuous mode:
--
--# ps -ef | grep ntp
--
--If NTP is not running, check to see if "chronyd" is running in continuous mode:
--
--# ps -ef | grep chronyd
--
--If NTP or "chronyd" is not running, this is a finding.
--
--If the NTP process is found, then check the "ntp.conf" file for the "maxpoll" option setting:
--
--# grep maxpoll /etc/ntp.conf
--
--server 0.rhel.pool.ntp.org iburst maxpoll 10
--
--If the option is set to "17" or is not set, this is a finding.
--
--If the file does not exist, check the "/etc/cron.daily" subdirectory for a crontab file controlling the execution of the "ntpd -q" command.
--
--# grep -i "ntpd -q" /etc/cron.daily/*
--# ls -al /etc/cron.* | grep ntp
--
--ntp
--
--If a crontab file does not exist in the "/etc/cron.daily" that executes the "ntpd -q" command, this is a finding.
--
--If the "chronyd" process is found, then check the "chrony.conf" file for the "maxpoll" option setting:
--
--# grep maxpoll /etc/chrony.conf
--
--server 0.rhel.pool.ntp.org iburst maxpoll 10
--
--If the option is not set or the line is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-72273"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86897r2_rule" severity="medium" weight="10.0"><version>RHEL-07-040520</version><title>The Red Hat Enterprise Linux operating system must enable an application firewall, if available.</title><description>&lt;VulnDiscussion&gt;Firewalls protect computers from network attacks by blocking or limiting access to open network ports. Application firewalls limit which applications are allowed to communicate over the network.
--
--Satisfies: SRG-OS-000480-GPOS-00227, SRG-OS-000480-GPOS-00231, SRG-OS-000480-GPOS-00232&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000366</ident><fixtext fixref="F-78627r1_fix">Ensure the operating system's application firewall is enabled.
--
--Install the "firewalld" package, if it is not on the system, with the following command:
--
--# yum install firewalld
--
--Start the firewall via "systemctl" with the following command:
--
--# systemctl start firewalld</fixtext><fix id="F-78627r1_fix" /><check system="C-72507r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system enabled an application firewall.
--
--Check to see if "firewalld" is installed with the following command:
--
--# yum list installed firewalld
--firewalld-0.3.9-11.el7.noarch.rpm
--
--If the "firewalld" package is not installed, ask the System Administrator if another firewall application (such as iptables) is installed. 
--
--If an application firewall is not installed, this is a finding. 
--
--Check to see if the firewall is loaded and active with the following command:
--
--# systemctl status firewalld
--firewalld.service - firewalld - dynamic firewall daemon
--
--   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled)
--   Active: active (running) since Tue 2014-06-17 11:14:49 CEST; 5 days ago
--
--If "firewalld" does not show a status of "loaded" and "active", this is a finding. 
--
--Check the state of the firewall:
--
--# firewall-cmd --state 
--running
--
--If "firewalld" does not show a state of "running", this is a finding.</check-content></check></Rule></Group><Group id="V-72275"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86899r4_rule" severity="low" weight="10.0"><version>RHEL-07-040530</version><title>The Red Hat Enterprise Linux operating system must display the date and time of the last successful account logon upon logon.</title><description>&lt;VulnDiscussion&gt;Providing users with feedback on when account accesses last occurred facilitates user recognition and reporting of unauthorized account use.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000366</ident><fixtext fixref="F-78629r4_fix">Configure the operating system to provide users with feedback on when account accesses last occurred by setting the required configuration options in "/etc/pam.d/postlogin". 
--
--Add the following line to the top of "/etc/pam.d/postlogin":
--
--session required pam_lastlog.so showfailed</fixtext><fix id="F-78629r4_fix" /><check system="C-72509r6_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify users are provided with feedback on when account accesses last occurred.
--
--Check that "pam_lastlog" is used and not silent with the following command:
--
--# grep pam_lastlog /etc/pam.d/postlogin
--session required pam_lastlog.so showfailed
--
--If "pam_lastlog" is missing from "/etc/pam.d/postlogin" file, or the silent option is present, this is a finding.</check-content></check></Rule></Group><Group id="V-72277"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86901r2_rule" severity="high" weight="10.0"><version>RHEL-07-040540</version><title>The Red Hat Enterprise Linux operating system must not contain .shosts files.</title><description>&lt;VulnDiscussion&gt;The .shosts files are used to configure host-based authentication for individual users or the system via SSH. Host-based authentication is not sufficient for preventing unauthorized access to the system, as it does not require interactive identification and authentication of a connection request, or for the use of two-factor authentication.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000366</ident><fixtext fixref="F-78631r1_fix">Remove any found ".shosts" files from the system.
--
--# rm /[path]/[to]/[file]/.shosts</fixtext><fix id="F-78631r1_fix" /><check system="C-72511r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify there are no ".shosts" files on the system.
--
--Check the system for the existence of these files with the following command:
--
--# find / -name '*.shosts'
--
--If any ".shosts" files are found on the system, this is a finding.</check-content></check></Rule></Group><Group id="V-72279"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86903r2_rule" severity="high" weight="10.0"><version>RHEL-07-040550</version><title>The Red Hat Enterprise Linux operating system must not contain shosts.equiv files.</title><description>&lt;VulnDiscussion&gt;The shosts.equiv files are used to configure host-based authentication for the system via SSH. Host-based authentication is not sufficient for preventing unauthorized access to the system, as it does not require interactive identification and authentication of a connection request, or for the use of two-factor authentication.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000366</ident><fixtext fixref="F-78633r1_fix">Remove any found "shosts.equiv" files from the system.
--
--# rm /[path]/[to]/[file]/shosts.equiv</fixtext><fix id="F-78633r1_fix" /><check system="C-72513r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify there are no "shosts.equiv" files on the system.
--
--Check the system for the existence of these files with the following command:
--
--# find / -name shosts.equiv
--
--If any "shosts.equiv" files are found on the system, this is a finding.</check-content></check></Rule></Group><Group id="V-72281"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86905r3_rule" severity="low" weight="10.0"><version>RHEL-07-040600</version><title>For Red Hat Enterprise Linux operating systems using DNS resolution, at least two name servers must be configured.</title><description>&lt;VulnDiscussion&gt;To provide availability for name resolution services, multiple redundant name servers are mandated. A failure in name resolution could lead to the failure of security functions requiring name resolution, which may include time synchronization, centralized authentication, and remote system logging.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000366</ident><fixtext fixref="F-78635r1_fix">Configure the operating system to use two or more name servers for DNS resolution.
--
--Edit the "/etc/resolv.conf" file to uncomment or add the two or more "nameserver" option lines with the IP address of local authoritative name servers. If local host resolution is being performed, the "/etc/resolv.conf" file must be empty. An empty "/etc/resolv.conf" file can be created as follows:
--
--# echo -n &gt; /etc/resolv.conf
--
--And then make the file immutable with the following command:
--
--# chattr +i /etc/resolv.conf
--
--If the "/etc/resolv.conf" file must be mutable, the required configuration must be documented with the Information System Security Officer (ISSO) and the file must be verified by the system file integrity tool.</fixtext><fix id="F-78635r1_fix" /><check system="C-72515r3_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Determine whether the system is using local or DNS name resolution with the following command:
--
--# grep hosts /etc/nsswitch.conf
--hosts: files dns
--
--If the DNS entry is missing from the host's line in the "/etc/nsswitch.conf" file, the "/etc/resolv.conf" file must be empty.
--
--Verify the "/etc/resolv.conf" file is empty with the following command:
--
--# ls -al /etc/resolv.conf
---rw-r--r-- 1 root root 0 Aug 19 08:31 resolv.conf
--
--If local host authentication is being used and the "/etc/resolv.conf" file is not empty, this is a finding.
--
--If the DNS entry is found on the host's line of the "/etc/nsswitch.conf" file, verify the operating system is configured to use two or more name servers for DNS resolution.
--
--Determine the name servers used by the system with the following command:
--
--# grep nameserver /etc/resolv.conf
--nameserver 192.168.1.2
--nameserver 192.168.1.3
--
--If less than two lines are returned that are not commented out, this is a finding.
--
--Verify that the "/etc/resolv.conf" file is immutable with the following command:
--
--# sudo lsattr /etc/resolv.conf
--
------i----------- /etc/resolv.conf
--
--If the file is mutable and has not been documented with the Information System Security Officer (ISSO), this is a finding.</check-content></check></Rule></Group><Group id="V-72283"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86907r2_rule" severity="medium" weight="10.0"><version>RHEL-07-040610</version><title>The Red Hat Enterprise Linux operating system must not forward Internet Protocol version 4 (IPv4) source-routed packets.</title><description>&lt;VulnDiscussion&gt;Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when IPv4 forwarding is enabled and the system is functioning as a router.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000366</ident><fixtext fixref="F-78637r3_fix">Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value):
--
--net.ipv4.conf.all.accept_source_route = 0   
--
--Issue the following command to make the changes take effect:
-- 
--# sysctl -system</fixtext><fix id="F-78637r3_fix" /><check system="C-72517r3_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the system does not accept IPv4 source-routed packets.
--
--# grep net.ipv4.conf.all.accept_source_route /etc/sysctl.conf /etc/sysctl.d/*
--
--net.ipv4.conf.all.accept_source_route = 0
--
--If " net.ipv4.conf.all.accept_source_route " is not configured in the /etc/sysctl.conf file or in the /etc/sysctl.d/ directory, is commented out, or does not have a value of "0", this is a finding.
--
--Check that the operating system implements the accept source route variable with the following command:
--
--# /sbin/sysctl -a | grep net.ipv4.conf.all.accept_source_route
--net.ipv4.conf.all.accept_source_route = 0
--
--If the returned line does not have a value of "0", this is a finding.</check-content></check></Rule></Group><Group id="V-72285"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86909r2_rule" severity="medium" weight="10.0"><version>RHEL-07-040620</version><title>The Red Hat Enterprise Linux operating system must not forward Internet Protocol version 4 (IPv4) source-routed packets by default.</title><description>&lt;VulnDiscussion&gt;Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when IPv4 forwarding is enabled and the system is functioning as a router.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000366</ident><fixtext fixref="F-78639r2_fix">Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value):
--
--net.ipv4.conf.default.accept_source_route = 0   
--
--Issue the following command to make the changes take effect:
-- 
--# sysctl --system</fixtext><fix id="F-78639r2_fix" /><check system="C-72519r2_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the system does not accept IPv4 source-routed packets by default.
--
--# grep net.ipv4.conf.default.accept_source_route /etc/sysctl.conf /etc/sysctl.d/*
--net.ipv4.conf.default.accept_source_route = 0
--
--If " net.ipv4.conf.default.accept_source_route " is not configured in the /etc/sysctl.conf file or in the /etc/sysctl.d/ directory, is commented out, or does not have a value of "0", this is a finding.
--
--Check that the operating system implements the accept source route variable with the following command:
--
--# /sbin/sysctl -a | grep net.ipv4.conf.default.accept_source_route
--net.ipv4.conf.default.accept_source_route = 0
--
--If the returned line does not have a value of "0", this is a finding.</check-content></check></Rule></Group><Group id="V-72287"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86911r2_rule" severity="medium" weight="10.0"><version>RHEL-07-040630</version><title>The Red Hat Enterprise Linux operating system must not respond to Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) echoes sent to a broadcast address.</title><description>&lt;VulnDiscussion&gt;Responding to broadcast (ICMP) echoes facilitates network mapping and provides a vector for amplification attacks.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000366</ident><fixtext fixref="F-78641r2_fix">Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value):
--
--net.ipv4.icmp_echo_ignore_broadcasts = 1
--
--Issue the following command to make the changes take effect: 
--
--# sysctl --system</fixtext><fix id="F-78641r2_fix" /><check system="C-72521r2_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the system does not respond to IPv4 ICMP echoes sent to a broadcast address.
--
--# grep net.ipv4.icmp_echo_ignore_broadcasts /etc/sysctl.conf /etc/sysctl.d/*
--
--If " net.ipv4.icmp_echo_ignore_broadcasts" is not configured in the /etc/sysctl.conf file or in the /etc/sysctl.d/ directory, is commented out, or does not have a value of "1", this is a finding.
--
--Check that the operating system implements the "icmp_echo_ignore_broadcasts" variable with the following command:
--
--# /sbin/sysctl -a | grep net.ipv4.icmp_echo_ignore_broadcasts
--net.ipv4.icmp_echo_ignore_broadcasts = 1
--
--If the returned line does not have a value of "1", this is a finding.</check-content></check></Rule></Group><Group id="V-72289"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86913r3_rule" severity="medium" weight="10.0"><version>RHEL-07-040640</version><title>The Red Hat Enterprise Linux operating system must prevent Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages from being accepted.</title><description>&lt;VulnDiscussion&gt;ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000366</ident><fixtext fixref="F-78643r3_fix">Set the system to not accept IPv4 ICMP redirect messages by adding the following line to "/etc/sysctl.conf" or a configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value):
--
--net.ipv4.conf.default.accept_redirects = 0   
--
--Issue the following command to make the changes take effect:
--
--# sysctl --system</fixtext><fix id="F-78643r3_fix" /><check system="C-72523r3_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the system will not accept IPv4 ICMP redirect messages.
--
--# grep 'net.ipv4.conf.default.accept_redirects' /etc/sysctl.conf /etc/sysctl.d/*
--
--If " net.ipv4.conf.default.accept_redirects " is not configured in the /etc/sysctl.conf file or in the /etc/sysctl.d/ directory, is commented out, or does not have a value of "0", this is a finding.
--
--Check that the operating system implements the value of the "accept_redirects" variables with the following command:
--
--# /sbin/sysctl -a | grep 'net.ipv4.conf.default.accept_redirects'
--net.ipv4.conf.default.accept_redirects = 0
--
--If the returned line does not have a value of "0", this is a finding.</check-content></check></Rule></Group><Group id="V-72291"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86915r4_rule" severity="medium" weight="10.0"><version>RHEL-07-040650</version><title>The Red Hat Enterprise Linux operating system must not allow interfaces to perform Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirects by default.</title><description>&lt;VulnDiscussion&gt;ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table, possibly revealing portions of the network topology.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000366</ident><fixtext fixref="F-78645r4_fix">Configure the system to not allow interfaces to perform IPv4 ICMP redirects by default. 
--
--Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value):
--
--net.ipv4.conf.default.send_redirects = 0
--
--Issue the following command to make the changes take effect:
--
--# sysctl --system</fixtext><fix id="F-78645r4_fix" /><check system="C-72525r4_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the system does not allow interfaces to perform IPv4 ICMP redirects by default.
--
--# grep 'net.ipv4.conf.default.send_redirects' /etc/sysctl.conf /etc/sysctl.d/*
--
--If "net.ipv4.conf.default.send_redirects" is not configured in the "/etc/sysctl.conf" file or in the /etc/sysctl.d/ directory, is commented out or does not have a value of "0", this is a finding.
--
--Check that the operating system implements the "default send_redirects" variables with the following command:
--
--# /sbin/sysctl -a | grep 'net.ipv4.conf.default.send_redirects'
--
--net.ipv4.conf.default.send_redirects = 0 
--
--If the returned line does not have a value of "0", this is a finding.</check-content></check></Rule></Group><Group id="V-72293"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86917r3_rule" severity="medium" weight="10.0"><version>RHEL-07-040660</version><title>The Red Hat Enterprise Linux operating system must not send Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirects.</title><description>&lt;VulnDiscussion&gt;ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table, possibly revealing portions of the network topology.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000366</ident><fixtext fixref="F-78647r3_fix">Configure the system to not allow interfaces to perform IPv4 ICMP redirects. 
--
--Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value):
--
--net.ipv4.conf.all.send_redirects = 0
--
--Issue the following command to make the changes take effect:
--
--# sysctl --system</fixtext><fix id="F-78647r3_fix" /><check system="C-72527r3_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the system does not send IPv4 ICMP redirect messages.
--
--# grep 'net.ipv4.conf.all.send_redirects' /etc/sysctl.conf /etc/sysctl.d/*
--
--If "net.ipv4.conf.all.send_redirects" is not configured in the /etc/sysctl.conf file or in the /etc/sysctl.d/ directory, is commented out or does not have a value of "0", this is a finding.
--
--Check that the operating system implements the "all send_redirects" variables with the following command:
--
--# /sbin/sysctl -a | grep 'net.ipv4.conf.all.send_redirects'
--
--net.ipv4.conf.all.send_redirects = 0
--
--If the returned line does not have a value of "0", this is a finding.</check-content></check></Rule></Group><Group id="V-72295"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86919r2_rule" severity="medium" weight="10.0"><version>RHEL-07-040670</version><title>Network interfaces configured on the Red Hat Enterprise Linux operating system must not be in promiscuous mode.</title><description>&lt;VulnDiscussion&gt;Network interfaces in promiscuous mode allow for the capture of all network traffic visible to the system. If unauthorized individuals can access these applications, it may allow then to collect information such as logon IDs, passwords, and key exchanges between systems.
--
--If the system is being used to perform a network troubleshooting function, the use of these tools must be documented with the Information System Security Officer (ISSO) and restricted to only authorized personnel.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000366</ident><fixtext fixref="F-78649r1_fix">Configure network interfaces to turn off promiscuous mode unless approved by the ISSO and documented.
--
--Set the promiscuous mode of an interface to off with the following command:
--
--#ip link set dev &lt;devicename&gt; multicast off promisc off</fixtext><fix id="F-78649r1_fix" /><check system="C-72529r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify network interfaces are not in promiscuous mode unless approved by the ISSO and documented.
--
--Check for the status with the following command:
--
--# ip link | grep -i promisc
--
--If network interfaces are found on the system in promiscuous mode and their use has not been approved by the ISSO and documented, this is a finding.</check-content></check></Rule></Group><Group id="V-72297"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86921r3_rule" severity="medium" weight="10.0"><version>RHEL-07-040680</version><title>The Red Hat Enterprise Linux operating system must be configured to prevent unrestricted mail relaying.</title><description>&lt;VulnDiscussion&gt;If unrestricted mail relaying is permitted, unauthorized senders could use this host as a mail relay for the purpose of sending spam or other unauthorized activity.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000366</ident><fixtext fixref="F-78651r2_fix">If "postfix" is installed, modify the "/etc/postfix/main.cf" file to restrict client connections to the local network with the following command:
--
--# postconf -e 'smtpd_client_restrictions = permit_mynetworks,reject'</fixtext><fix id="F-78651r2_fix" /><check system="C-72531r3_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the system is configured to prevent unrestricted mail relaying.
--
--Determine if "postfix" is installed with the following commands:
--
--# yum list installed postfix
--postfix-2.6.6-6.el7.x86_64.rpm 
--
--If postfix is not installed, this is Not Applicable.
--
--If postfix is installed, determine if it is configured to reject connections from unknown or untrusted networks with the following command:
--
--# postconf -n smtpd_client_restrictions
--smtpd_client_restrictions = permit_mynetworks, reject
--
--If the "smtpd_client_restrictions" parameter contains any entries other than "permit_mynetworks" and "reject", this is a finding.</check-content></check></Rule></Group><Group id="V-72299"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86923r3_rule" severity="high" weight="10.0"><version>RHEL-07-040690</version><title>The Red Hat Enterprise Linux operating system must not have a File Transfer Protocol (FTP) server package installed unless needed.</title><description>&lt;VulnDiscussion&gt;The FTP service provides an unencrypted remote access that does not provide for the confidentiality and integrity of user passwords or the remote session. If a privileged user were to log on using this service, the privileged user password could be compromised. SSH or other encrypted file transfer methods must be used in place of this service.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000366</ident><fixtext fixref="F-78653r3_fix">Document the "vsftpd" package with the ISSO as an operational requirement or remove it from the system with the following command:
--
--# yum remove vsftpd</fixtext><fix id="F-78653r3_fix" /><check system="C-72533r3_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify an FTP server has not been installed on the system.
--
--Check to see if an FTP server has been installed with the following commands:
--
--# yum list installed vsftpd
--
-- vsftpd-3.0.2.el7.x86_64.rpm
--
--If "vsftpd" is installed and is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.</check-content></check></Rule></Group><Group id="V-72301"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86925r2_rule" severity="high" weight="10.0"><version>RHEL-07-040700</version><title>The Red Hat Enterprise Linux operating system must not have the Trivial File Transfer Protocol (TFTP) server package installed if not required for operational support.</title><description>&lt;VulnDiscussion&gt;If TFTP is required for operational support (such as the transmission of router configurations) its use must be documented with the Information System Security Officer (ISSO), restricted to only authorized personnel, and have access control rules established.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000318</ident><ident system="http://iase.disa.mil/cci">CCI-000368</ident><ident system="http://iase.disa.mil/cci">CCI-001812</ident><ident system="http://iase.disa.mil/cci">CCI-001813</ident><ident system="http://iase.disa.mil/cci">CCI-001814</ident><fixtext fixref="F-78655r2_fix">Remove the TFTP package from the system with the following command:
--
--# yum remove tftp-server</fixtext><fix id="F-78655r2_fix" /><check system="C-72535r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify a TFTP server has not been installed on the system.
--
--Check to see if a TFTP server has been installed with the following command:
--
--# yum list installed tftp-server
--tftp-server-0.49-9.el7.x86_64.rpm
--
--If TFTP is installed and the requirement for TFTP is not documented with the ISSO, this is a finding.</check-content></check></Rule></Group><Group id="V-72303"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86927r4_rule" severity="high" weight="10.0"><version>RHEL-07-040710</version><title>The Red Hat Enterprise Linux operating system must be configured so that remote X connections for interactive users are encrypted.</title><description>&lt;VulnDiscussion&gt;Open X displays allow an attacker to capture keystrokes and execute commands remotely.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000366</ident><fixtext fixref="F-78657r6_fix">Configure SSH to encrypt connections for interactive users.
--
--Edit the "/etc/ssh/sshd_config" file to uncomment or add the line for the "X11Forwarding" keyword and set its value to "yes" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor):
--
--X11Forwarding yes
--
--The SSH service must be restarted for changes to take effect:
--
--# systemctl restart sshd</fixtext><fix id="F-78657r6_fix" /><check system="C-72537r5_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify remote X connections for interactive users are encrypted.
--
--Check that remote X connections are encrypted with the following command:
--
--# grep -i x11forwarding /etc/ssh/sshd_config | grep -v "^#"
--
--X11Forwarding yes
--
--If the "X11Forwarding" keyword is set to "no" or is missing, this is a finding.</check-content></check></Rule></Group><Group id="V-72305"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86929r3_rule" severity="medium" weight="10.0"><version>RHEL-07-040720</version><title>The Red Hat Enterprise Linux operating system must be configured so that if the Trivial File Transfer Protocol (TFTP) server is required, the TFTP daemon is configured to operate in secure mode.</title><description>&lt;VulnDiscussion&gt;Restricting TFTP to a specific directory prevents remote users from copying, transferring, or overwriting system files.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000366</ident><fixtext fixref="F-78659r1_fix">Configure the TFTP daemon to operate in secure mode by adding the following line to "/etc/xinetd.d/tftp" (or modify the line to have the required value):
--
--server_args = -s /var/lib/tftpboot</fixtext><fix id="F-78659r1_fix" /><check system="C-72539r3_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the TFTP daemon is configured to operate in secure mode.
--
--Check to see if a TFTP server has been installed with the following commands:
--
--# yum list installed tftp-server
--tftp-server.x86_64 x.x-x.el7 rhel-7-server-rpms
--
--If a TFTP server is not installed, this is Not Applicable.
--
--If a TFTP server is installed, check for the server arguments with the following command: 
--
--# grep server_args /etc/xinetd.d/tftp
--server_args = -s /var/lib/tftpboot
--
--If the "server_args" line does not have a "-s" option and a subdirectory is not assigned, this is a finding.</check-content></check></Rule></Group><Group id="V-72307"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86931r4_rule" severity="medium" weight="10.0"><version>RHEL-07-040730</version><title>The Red Hat Enterprise Linux operating system must not have an X Windows display manager installed unless approved.</title><description>&lt;VulnDiscussion&gt;Internet services that are not required for system or application processes must not be active to decrease the attack surface of the system. X Windows has a long history of security vulnerabilities and will not be used unless approved and documented.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000366</ident><fixtext fixref="F-78661r2_fix">Document the requirement for an X Windows server with the ISSO or remove the related packages with the following commands:
--
--# rpm -e xorg-x11-server-common</fixtext><fix id="F-78661r2_fix" /><check system="C-72541r3_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify that if the system has X Windows System installed, it is authorized.
--
--Check for the X11 package with the following command:
--
--# rpm -qa | grep xorg | grep server
--
--Ask the System Administrator if use of the X Windows System is an operational requirement.
--
--If the use of X Windows on the system is not documented with the Information System Security Officer (ISSO), this is a finding.</check-content></check></Rule></Group><Group id="V-72309"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86933r2_rule" severity="medium" weight="10.0"><version>RHEL-07-040740</version><title>The Red Hat Enterprise Linux operating system must not be performing packet forwarding unless the system is a router.</title><description>&lt;VulnDiscussion&gt;Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000366</ident><fixtext fixref="F-78663r2_fix">Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value):
--
--net.ipv4.ip_forward = 0
--
--Issue the following command to make the changes take effect:
--
--# sysctl --system</fixtext><fix id="F-78663r2_fix" /><check system="C-72543r2_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the system is not performing packet forwarding, unless the system is a router.
--
--# grep net.ipv4.ip_forward /etc/sysctl.conf /etc/sysctl.d/*
--
--net.ipv4.ip_forward = 0
--
--If "net.ipv4.ip_forward" is not configured in the /etc/sysctl.conf file or in the /etc/sysctl.d/ directory, is commented out, or does not have a value of "0", this is a finding.
--
--Check that the operating system does not implement IP forwarding using the following command:
--
--# /sbin/sysctl -a | grep net.ipv4.ip_forward
--net.ipv4.ip_forward = 0
--
--If IP forwarding value is "1" and the system is hosting any application, database, or web servers, this is a finding.</check-content></check></Rule></Group><Group id="V-72311"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86935r4_rule" severity="medium" weight="10.0"><version>RHEL-07-040750</version><title>The Red Hat Enterprise Linux operating system must be configured so that the Network File System (NFS) is configured to use RPCSEC_GSS.</title><description>&lt;VulnDiscussion&gt;When an NFS server is configured to use RPCSEC_SYS, a selected userid and groupid are used to handle requests from the remote user. The userid and groupid could mistakenly or maliciously be set incorrectly. The RPCSEC_GSS method of authentication uses certificates on the server and client systems to more securely authenticate the remote mount request.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000366</ident><fixtext fixref="F-78665r2_fix">Update the "/etc/fstab" file so the option "sec" is defined for each NFS mounted file system and the "sec" option does not have the "sys" setting. 
--
--Ensure the "sec" option is defined as "krb5:krb5i:krb5p".</fixtext><fix id="F-78665r2_fix" /><check system="C-72545r2_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify "AUTH_GSS" is being used to authenticate NFS mounts.
--
--To check if the system is importing an NFS file system, look for any entries in the "/etc/fstab" file that have a file system type of "nfs" with the following command:
--
--# cat /etc/fstab | grep nfs
--192.168.21.5:/mnt/export /data1 nfs4 rw,sync ,soft,sec=krb5:krb5i:krb5p
--
--If the system is mounting file systems via NFS and has the sec option without the "krb5:krb5i:krb5p" settings, the "sec" option has the "sys" setting, or the "sec" option is missing, this is a finding.</check-content></check></Rule></Group><Group id="V-72313"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86937r2_rule" severity="high" weight="10.0"><version>RHEL-07-040800</version><title>SNMP community strings on the Red Hat Enterprise Linux operating system must be changed from the default.</title><description>&lt;VulnDiscussion&gt;Whether active or not, default Simple Network Management Protocol (SNMP) community strings must be changed to maintain security. If the service is running with the default authenticators, anyone can gather data about the system and the network and use the information to potentially compromise the integrity of the system or network(s). It is highly recommended that SNMP version 3 user authentication and message encryption be used in place of the version 2 community strings.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000366</ident><fixtext fixref="F-78667r1_fix">If the "/etc/snmp/snmpd.conf" file exists, modify any lines that contain a community string value of "public" or "private" to another string value.</fixtext><fix id="F-78667r1_fix" /><check system="C-72547r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify that a system using SNMP is not using default community strings.
--
--Check to see if the "/etc/snmp/snmpd.conf" file exists with the following command:
--
--# ls -al /etc/snmp/snmpd.conf
-- -rw-------   1 root root      52640 Mar 12 11:08 snmpd.conf
--
--If the file does not exist, this is Not Applicable.
--
--If the file does exist, check for the default community strings with the following commands:
--
--# grep public /etc/snmp/snmpd.conf
--# grep private /etc/snmp/snmpd.conf
--
--If either of these commands returns any output, this is a finding.</check-content></check></Rule></Group><Group id="V-72315"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86939r3_rule" severity="medium" weight="10.0"><version>RHEL-07-040810</version><title>The Red Hat Enterprise Linux operating system access control program must be configured to grant or deny system access to specific hosts and services.</title><description>&lt;VulnDiscussion&gt;If the systems access control program is not configured with appropriate rules for allowing and denying access to system network resources, services may be accessible to unauthorized hosts.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000366</ident><fixtext fixref="F-78669r3_fix">If "firewalld" is installed and active on the system, configure rules for allowing specific services and hosts. 
--
--If "firewalld" is not "active", enable "tcpwrappers" by configuring "/etc/hosts.allow" and "/etc/hosts.deny" to allow or deny access to specific hosts.</fixtext><fix id="F-78669r3_fix" /><check system="C-72549r3_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>If the "firewalld" package is not installed, ask the System Administrator (SA) if another firewall application (such as iptables) is installed. If an application firewall is not installed, this is a finding. 
--
--Verify the system's access control program is configured to grant or deny system access to specific hosts.
--
--Check to see if "firewalld" is active with the following command:
--
--# systemctl status firewalld
--firewalld.service - firewalld - dynamic firewall daemon
--Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled)
--Active: active (running) since Sun 2014-04-20 14:06:46 BST; 30s ago
--
--If "firewalld" is active, check to see if it is configured to grant or deny access to specific hosts or services with the following commands:
--
--# firewall-cmd --get-default-zone
--public
--
--# firewall-cmd --list-all --zone=public
--public (active)
--target: default
--icmp-block-inversion: no
--interfaces: eth0
--sources:
--services: mdns ssh
--ports:
--protocols:
--masquerade: no
--forward-ports:
--icmp-blocks:
--
--If "firewalld" is not active, determine whether "tcpwrappers" is being used by checking whether the "hosts.allow" and "hosts.deny" files are empty with the following commands:
--
--# ls -al /etc/hosts.allow
--rw-r----- 1 root root 9 Aug 2 23:13 /etc/hosts.allow
--
--# ls -al /etc/hosts.deny
---rw-r----- 1 root root 9 Apr 9 2007 /etc/hosts.deny
--
--If "firewalld" and "tcpwrappers" are not installed, configured, and active, ask the SA if another access control program (such as iptables) is installed and active. Ask the SA to show that the running configuration grants or denies access to specific hosts or services.
--
--If "firewalld" is active and is not configured to grant access to specific hosts or "tcpwrappers" is not configured to grant or deny access to specific hosts, this is a finding.</check-content></check></Rule></Group><Group id="V-72317"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86941r2_rule" severity="medium" weight="10.0"><version>RHEL-07-040820</version><title>The Red Hat Enterprise Linux operating system must not have unauthorized IP tunnels configured.</title><description>&lt;VulnDiscussion&gt;IP tunneling mechanisms can be used to bypass network filtering. If tunneling is required, it must be documented with the Information System Security Officer (ISSO).&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000366</ident><fixtext fixref="F-78671r1_fix">Remove all unapproved tunnels from the system, or document them with the ISSO.</fixtext><fix id="F-78671r1_fix" /><check system="C-72551r2_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the system does not have unauthorized IP tunnels configured.
--
--Check to see if "libreswan" is installed with the following command:
--
--# yum list installed libreswan
--libreswan.x86-64 3.20-5.el7_4
--
--If "libreswan" is installed, check to see if the "IPsec" service is active with the following command:
--
--# systemctl status ipsec
--ipsec.service - Internet Key Exchange (IKE) Protocol Daemon for IPsec
--Loaded: loaded (/usr/lib/systemd/system/ipsec.service; disabled)
--Active: inactive (dead)
--
--If the "IPsec" service is active, check to see if any tunnels are configured in "/etc/ipsec.conf" and "/etc/ipsec.d/" with the following commands:
--
--# grep -iw conn /etc/ipsec.conf /etc/ipsec.d/*.conf
--
--If there are indications that a "conn" parameter is configured for a tunnel, ask the System Administrator if the tunnel is documented with the ISSO. 
--
--If "libreswan" is installed, "IPsec" is active, and an undocumented tunnel is active, this is a finding.</check-content></check></Rule></Group><Group id="V-72319"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-86943r2_rule" severity="medium" weight="10.0"><version>RHEL-07-040830</version><title>The Red Hat Enterprise Linux operating system must not forward IPv6 source-routed packets.</title><description>&lt;VulnDiscussion&gt;Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when IPv6 forwarding is enabled and the system is functioning as a router.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000366</ident><fixtext fixref="F-78673r2_fix">Set the system to the required kernel parameter, if IPv6 is enabled, by adding the following line to "/etc/sysctl.conf" or a configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value):
--
--net.ipv6.conf.all.accept_source_route = 0
--
--Issue the following command to make the changes take effect:
--
--# sysctl --system</fixtext><fix id="F-78673r2_fix" /><check system="C-72553r2_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>If IPv6 is not enabled, the key will not exist, and this is Not Applicable.
--
--Verify the system does not accept IPv6 source-routed packets.
--
--# grep net.ipv6.conf.all.accept_source_route /etc/sysctl.conf /etc/sysctl.d/*
--
--net.ipv6.conf.all.accept_source_route = 0
--
--If "net.ipv6.conf.all.accept_source_route" is not configured in the /etc/sysctl.conf file or in the /etc/sysctl.d/ directory, is commented out or does not have a value of "0", this is a finding.
--
--Check that the operating system implements the accept source route variable with the following command:
--
--# /sbin/sysctl -a | grep net.ipv6.conf.all.accept_source_route
--net.ipv6.conf.all.accept_source_route = 0
--
--If the returned lines do not have a value of "0", this is a finding.</check-content></check></Rule></Group><Group id="V-72417"><title>SRG-OS-000375-GPOS-00160</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-87041r5_rule" severity="medium" weight="10.0"><version>RHEL-07-041001</version><title>The Red Hat Enterprise Linux operating system must have the required packages for multifactor authentication installed.</title><description>&lt;VulnDiscussion&gt;Using an authentication device, such as a CAC or token that is separate from the information system, ensures that even if the information system is compromised, that compromise will not affect credentials stored on the authentication device.
--
--Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification card and the DoD Common Access Card.
--
--A privileged account is defined as an information system account with authorizations of a privileged user.
--
--Remote access is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless.
--
--This requirement only applies to components where this is specific to the function of the device or has the concept of an organizational user (e.g., VPN, proxy capability). This does not apply to authentication for the purpose of configuring the device itself (management).
--
--Satisfies: SRG-OS-000375-GPOS-00160, SRG-OS-000375-GPOS-00161, SRG-OS-000375-GPOS-00162&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-001948</ident><ident system="http://iase.disa.mil/cci">CCI-001953</ident><ident system="http://iase.disa.mil/cci">CCI-001954</ident><fixtext fixref="F-78769r5_fix">Configure the operating system to implement multifactor authentication by installing the required packages.
--
--Install the pam_pkcs11 package with the following command:
--
--# yum install pam_pkcs11</fixtext><fix id="F-78769r5_fix" /><check system="C-72617r5_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system has the packages required for multifactor authentication installed.
--
--Check for the presence of the packages required to support multifactor authentication with the following commands:
--
--# yum list installed pam_pkcs11
--pam_pkcs11-0.6.2-14.el7.noarch.rpm
--
--
--If the "pam_pkcs11" package is not installed, this is a finding.</check-content></check></Rule></Group><Group id="V-72427"><title>SRG-OS-000375-GPOS-00160</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-87051r4_rule" severity="medium" weight="10.0"><version>RHEL-07-041002</version><title>The Red Hat Enterprise Linux operating system must implement multifactor authentication for access to privileged accounts via pluggable authentication modules (PAM).</title><description>&lt;VulnDiscussion&gt;Using an authentication device, such as a CAC or token that is separate from the information system, ensures that even if the information system is compromised, that compromise will not affect credentials stored on the authentication device.
--
--Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification card and the DoD Common Access Card.
--
--A privileged account is defined as an information system account with authorizations of a privileged user.
--
--Remote access is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless.
--
--This requirement only applies to components where this is specific to the function of the device or has the concept of an organizational user (e.g., VPN, proxy capability). This does not apply to authentication for the purpose of configuring the device itself (management).
--
--Satisfies: SRG-OS-000375-GPOS-00160, SRG-OS-000375-GPOS-00161, SRG-OS-000375-GPOS-00162&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-001948</ident><ident system="http://iase.disa.mil/cci">CCI-001953</ident><ident system="http://iase.disa.mil/cci">CCI-001954</ident><fixtext fixref="F-78779r3_fix">Configure the operating system to implement multifactor authentication for remote access to privileged accounts via pluggable authentication modules (PAM).
--
--Modify all of the services lines in "/etc/sssd/sssd.conf" or in configuration files found under "/etc/sssd/conf.d" to include pam.</fixtext><fix id="F-78779r3_fix" /><check system="C-72627r4_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system implements multifactor authentication for remote access to privileged accounts via pluggable authentication modules (PAM).
--
--Check the "/etc/sssd/sssd.conf" file for the authentication services that are being used with the following command:
--
--# grep services /etc/sssd/sssd.conf /etc/sssd/conf.d/*.conf
--
--services = nss, pam
--
--If the "pam" service is not present on all "services" lines, this is a finding.</check-content></check></Rule></Group><Group id="V-72433"><title>SRG-OS-000375-GPOS-00160</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-87057r5_rule" severity="medium" weight="10.0"><version>RHEL-07-041003</version><title>The Red Hat Enterprise Linux operating system must implement certificate status checking for PKI authentication.</title><description>&lt;VulnDiscussion&gt;Using an authentication device, such as a CAC or token that is separate from the information system, ensures that even if the information system is compromised, that compromise will not affect credentials stored on the authentication device.
--
--Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification card and the DoD Common Access Card.
--
--A privileged account is defined as an information system account with authorizations of a privileged user.
--
--Remote access is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless.
--
--This requirement only applies to components where this is specific to the function of the device or has the concept of an organizational user (e.g., VPN, proxy capability). This does not apply to authentication for the purpose of configuring the device itself (management).
--
--Satisfies: SRG-OS-000375-GPOS-00160, SRG-OS-000375-GPOS-00161, SRG-OS-000375-GPOS-00162&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-001948</ident><ident system="http://iase.disa.mil/cci">CCI-001953</ident><ident system="http://iase.disa.mil/cci">CCI-001954</ident><fixtext fixref="F-78785r3_fix">Configure the operating system to do certificate status checking for PKI authentication.
--
--Modify all of the "cert_policy" lines in "/etc/pam_pkcs11/pam_pkcs11.conf" to include "ocsp_on".</fixtext><fix id="F-78785r3_fix" /><check system="C-72633r6_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system implements certificate status checking for PKI authentication.
--
--Check to see if Online Certificate Status Protocol (OCSP) is enabled on the system with the following command:
--
--# grep cert_policy /etc/pam_pkcs11/pam_pkcs11.conf | grep -v "^#"
--
--cert_policy = ca, ocsp_on, signature;
--cert_policy = ca, ocsp_on, signature;
--cert_policy = ca, ocsp_on, signature;
--
--There should be at least three lines returned. 
--
--If "ocsp_on" is not present in all uncommented "cert_policy" lines in "/etc/pam_pkcs11/pam_pkcs11.conf", this is a finding.</check-content></check></Rule></Group><Group id="V-73155"><title>SRG-OS-000029-GPOS-00010</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-87807r4_rule" severity="medium" weight="10.0"><version>RHEL-07-010081</version><title>The Red Hat Enterprise Linux operating system must prevent a user from overriding the screensaver lock-delay setting for the graphical user interface.</title><description>&lt;VulnDiscussion&gt;A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock.
--
--The session lock is implemented at the point where session activity can be determined and/or controlled.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000057</ident><fixtext fixref="F-79601r2_fix">Configure the operating system to prevent a user from overriding a screensaver lock after a 15-minute period of inactivity for graphical user interfaces.
--
--Create a database to contain the system-wide screensaver settings (if it does not already exist) with the following command: 
--
--Note: The example below is using the database "local" for the system, so if the system is using another database in "/etc/dconf/profile/user", the file should be created under the appropriate subdirectory.
--
--# touch /etc/dconf/db/local.d/locks/session
--
--Add the setting to lock the screensaver lock delay:
--
--/org/gnome/desktop/screensaver/lock-delay</fixtext><fix id="F-79601r2_fix" /><check system="C-73279r4_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system prevents a user from overriding a screensaver lock after a 15-minute period of inactivity for graphical user interfaces. 
--
--Note: If the system does not have GNOME installed, this requirement is Not Applicable. The screen program must be installed to lock sessions on the console.
--
--Determine which profile the system database is using with the following command:
--# grep system-db /etc/dconf/profile/user
--
--system-db:local
--
--Check for the lock delay setting with the following command:
--
--Note: The example below is using the database "local" for the system, so the path is "/etc/dconf/db/local.d". This path must be modified if a database other than "local" is being used.
--
--# grep -i lock-delay /etc/dconf/db/local.d/locks/*
--
--/org/gnome/desktop/screensaver/lock-delay
--
--If the command does not return a result, this is a finding.</check-content></check></Rule></Group><Group id="V-73157"><title>SRG-OS-000029-GPOS-00010</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-87809r4_rule" severity="medium" weight="10.0"><version>RHEL-07-010082</version><title>The Red Hat Enterprise Linux operating system must prevent a user from overriding the session idle-delay setting for the graphical user interface.</title><description>&lt;VulnDiscussion&gt;A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock.
--
--The session lock is implemented at the point where session activity can be determined and/or controlled.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000057</ident><fixtext fixref="F-79603r1_fix">Configure the operating system to prevent a user from overriding a session lock after a 15-minute period of inactivity for graphical user interfaces.
--
--Create a database to contain the system-wide screensaver settings (if it does not already exist) with the following command: 
--
--Note: The example below is using the database "local" for the system, so if the system is using another database in /etc/dconf/profile/user, the file should be created under the appropriate subdirectory.
--
--# touch /etc/dconf/db/local.d/locks/session
--
--Add the setting to lock the session idle delay:
--
--/org/gnome/desktop/session/idle-delay</fixtext><fix id="F-79603r1_fix" /><check system="C-73281r3_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system prevents a user from overriding session idle delay after a 15-minute period of inactivity for graphical user interfaces. 
--
--Note: If the system does not have GNOME installed, this requirement is Not Applicable. The screen program must be installed to lock sessions on the console. 
--
--Determine which profile the system database is using with the following command:
--# grep system-db /etc/dconf/profile/user
--
--system-db:local
--
--Check for the session idle delay setting with the following command:
--
--Note: The example below is using the database "local" for the system, so the path is "/etc/dconf/db/local.d". This path must be modified if a database other than "local" is being used.
--
--# grep -i idle-delay /etc/dconf/db/local.d/locks/*
--
--/org/gnome/desktop/session/idle-delay
--
--If the command does not return a result, this is a finding.</check-content></check></Rule></Group><Group id="V-73159"><title>SRG-OS-000069-GPOS-00037</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-87811r4_rule" severity="medium" weight="10.0"><version>RHEL-07-010119</version><title>The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed or new passwords are established, pwquality must be used.</title><description>&lt;VulnDiscussion&gt;Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. "pwquality" enforces complex password construction configuration and has the ability to limit brute-force attacks on the system.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000192</ident><fixtext fixref="F-79605r5_fix">Configure the operating system to use "pwquality" to enforce password complexity rules.
--
--Add the following line to "/etc/pam.d/system-auth" (or modify the line to have the required value):
--
--password required pam_pwquality.so retry=3
--
--Note: The value of "retry" should be between "1" and "3".</fixtext><fix id="F-79605r5_fix" /><check system="C-73283r6_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system uses "pwquality" to enforce the password complexity rules. 
--
--Check for the use of "pwquality" with the following command:
--
--# cat /etc/pam.d/system-auth | grep pam_pwquality
--
--password required pam_pwquality.so retry=3
--
--If the command does not return an uncommented line containing the value "pam_pwquality.so", this is a finding.
--
--If the value of "retry" is set to "0" or greater than "3", this is a finding.</check-content></check></Rule></Group><Group id="V-73161"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-87813r2_rule" severity="medium" weight="10.0"><version>RHEL-07-021021</version><title>The Red Hat Enterprise Linux operating system must prevent binary files from being executed on file systems that are being imported via Network File System (NFS).</title><description>&lt;VulnDiscussion&gt;The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000366</ident><fixtext fixref="F-79607r2_fix">Configure the "/etc/fstab" to use the "noexec" option on file systems that are being imported via NFS.</fixtext><fix id="F-79607r2_fix" /><check system="C-73285r2_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify file systems that are being NFS imported are configured with the "noexec" option.
--
--Find the file system(s) that contain the directories being imported with the following command:
--
--# more /etc/fstab | grep nfs
--
--UUID=e06097bb-cfcd-437b-9e4d-a691f5662a7d /store nfs rw,noexec 0 0
--
--If a file system found in "/etc/fstab" refers to NFS and it does not have the "noexec" option set, and use of NFS imported binaries is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.
--
--Verify the NFS is mounted with the "noexec"option:
--
--# mount | grep nfs | grep noexec
--If no results are returned and use of NFS imported binaries is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.</check-content></check></Rule></Group><Group id="V-73163"><title>SRG-OS-000342-GPOS-00133</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-87815r3_rule" severity="medium" weight="10.0"><version>RHEL-07-030321</version><title>The Red Hat Enterprise Linux operating system must be configured so that the audit system takes appropriate action when there is an error sending audit records to a remote system.</title><description>&lt;VulnDiscussion&gt;Taking appropriate action when there is an error sending audit records to a remote system will minimize the possibility of losing audit records.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-001851</ident><fixtext fixref="F-79609r2_fix">Configure the action the operating system takes if there is an error sending audit records to a remote system.
--
--Uncomment the "network_failure_action" option in "/etc/audisp/audisp-remote.conf" and set it to "syslog", "single", or "halt".
--
--network_failure_action = syslog</fixtext><fix id="F-79609r2_fix" /><check system="C-73287r4_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the action the operating system takes if there is an error sending audit records to a remote system.
--
--Check the action that takes place if there is an error sending audit records to a remote system with the following command:
--
--# grep -i network_failure_action /etc/audisp/audisp-remote.conf
--network_failure_action = syslog
--
--If the value of the "network_failure_action" option is not "syslog", "single", or "halt", or the line is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-73165"><title>SRG-OS-000004-GPOS-00004</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-87817r3_rule" severity="medium" weight="10.0"><version>RHEL-07-030871</version><title>The Red Hat Enterprise Linux operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/group.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
--
--Audit records can be generated from various components within the information system (e.g., module or policy filter).&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000018</ident><ident system="http://iase.disa.mil/cci">CCI-000172</ident><ident system="http://iase.disa.mil/cci">CCI-001403</ident><ident system="http://iase.disa.mil/cci">CCI-002130</ident><fixtext fixref="F-79611r3_fix">Configure the operating system to generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/group".
--
--Add or update the following rule in "/etc/audit/rules.d/audit.rules":
--
---w /etc/group -p wa -k identity
--
--The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-79611r3_fix" /><check system="C-73289r4_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/group".
--
--Check the auditing rules in "/etc/audit/audit.rules" with the following command:
--
--# grep /etc/group /etc/audit/audit.rules
--
---w /etc/group -p wa -k identity
--
--If the command does not return a line, or the line is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-73167"><title>SRG-OS-000004-GPOS-00004</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-87819r4_rule" severity="medium" weight="10.0"><version>RHEL-07-030872</version><title>The Red Hat Enterprise Linux operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/gshadow.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
--
--Audit records can be generated from various components within the information system (e.g., module or policy filter).&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000018</ident><ident system="http://iase.disa.mil/cci">CCI-000172</ident><ident system="http://iase.disa.mil/cci">CCI-001403</ident><ident system="http://iase.disa.mil/cci">CCI-002130</ident><fixtext fixref="F-79613r3_fix">Configure the operating system to generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/gshadow".
--
--Add or update the following rule in "/etc/audit/rules.d/audit.rules":
--
---w /etc/gshadow -p wa -k identity
--
--The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-79613r3_fix" /><check system="C-73291r4_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/gshadow".
--
--Check the auditing rules in "/etc/audit/audit.rules" with the following command:
--
--# grep /etc/gshadow /etc/audit/audit.rules
--
---w /etc/gshadow -p wa -k identity
--
--If the command does not return a line, or the line is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-73171"><title>SRG-OS-000004-GPOS-00004</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-87823r4_rule" severity="medium" weight="10.0"><version>RHEL-07-030873</version><title>The Red Hat Enterprise Linux operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
--
--Audit records can be generated from various components within the information system (e.g., module or policy filter).&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000018</ident><ident system="http://iase.disa.mil/cci">CCI-000172</ident><ident system="http://iase.disa.mil/cci">CCI-001403</ident><ident system="http://iase.disa.mil/cci">CCI-002130</ident><fixtext fixref="F-79617r4_fix">Configure the operating system to generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow.
--
--Add or update the following file system rule in "/etc/audit/rules.d/audit.rules":
--
---w /etc/shadow -p wa -k identity
--
--The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-79617r4_fix" /><check system="C-73295r4_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow.
--
--Check the auditing rules in "/etc/audit/audit.rules" with the following command:
--
--# grep /etc/shadow /etc/audit/audit.rules
--
---w /etc/shadow -p wa -k identity
--
--If the command does not return a line, or the line is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-73173"><title>SRG-OS-000004-GPOS-00004</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-87825r5_rule" severity="medium" weight="10.0"><version>RHEL-07-030874</version><title>The Red Hat Enterprise Linux operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/opasswd.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
--
--Audit records can be generated from various components within the information system (e.g., module or policy filter).&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000018</ident><ident system="http://iase.disa.mil/cci">CCI-000172</ident><ident system="http://iase.disa.mil/cci">CCI-001403</ident><ident system="http://iase.disa.mil/cci">CCI-002130</ident><fixtext fixref="F-79619r6_fix">Configure the operating system to generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/opasswd.
--
--Add or update the following file system rule in "/etc/audit/rules.d/audit.rules":
--
---w /etc/security/opasswd -p wa -k identity
--
--The audit daemon must be restarted for the changes to take effect:
--# systemctl restart auditd</fixtext><fix id="F-79619r6_fix" /><check system="C-73297r5_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/opasswd.
--
--Check the auditing rules in "/etc/audit/audit.rules" with the following command:
--
--# grep /etc/security/opasswd /etc/audit/audit.rules
--
---w /etc/security/opasswd -p wa -k identity
--
--If the command does not return a line, or the line is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-73175"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-87827r4_rule" severity="medium" weight="10.0"><version>RHEL-07-040641</version><title>The Red Hat Enterprise Linux operating system must ignore Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages.</title><description>&lt;VulnDiscussion&gt;ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000366</ident><fixtext fixref="F-79621r3_fix">Set the system to ignore IPv4 ICMP redirect messages by adding the following line to "/etc/sysctl.conf" or a configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value):
--
--net.ipv4.conf.all.accept_redirects = 0   
--
--Issue the following command to make the changes take effect:
--
--# sysctl --system</fixtext><fix id="F-79621r3_fix" /><check system="C-73299r3_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the system ignores IPv4 ICMP redirect messages.
--
--# grep 'net.ipv4.conf.all.accept_redirects' /etc/sysctl.conf /etc/sysctl.d/*
--
--If " net.ipv4.conf.all.accept_redirects " is not configured in the /etc/sysctl.conf file or in the /etc/sysctl.d/ directory, is commented out, or does not have a value of "0", this is a finding.
--
--Check that the operating system implements the "accept_redirects" variables with the following command:
--
--# /sbin/sysctl -a | grep 'net.ipv4.conf.all.accept_redirects'
--
--net.ipv4.conf.all.accept_redirects = 0
--
--If the returned line does not have a value of "0", this is a finding.</check-content></check></Rule></Group><Group id="V-73177"><title>SRG-OS-000424-GPOS-00188</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-87829r2_rule" severity="medium" weight="10.0"><version>RHEL-07-041010</version><title>The Red Hat Enterprise Linux operating system must be configured so that all wireless network adapters are disabled.</title><description>&lt;VulnDiscussion&gt;The use of wireless networking can introduce many different attack vectors into the organization's network. Common attack vectors such as malicious association and ad hoc networks will allow an attacker to spoof a wireless access point (AP), allowing validated systems to connect to the malicious AP and enabling the attacker to monitor and record network traffic. These malicious APs can also serve to create a man-in-the-middle attack or be used to create a denial of service to valid network resources.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-001443</ident><ident system="http://iase.disa.mil/cci">CCI-001444</ident><ident system="http://iase.disa.mil/cci">CCI-002418</ident><fixtext fixref="F-79623r1_fix">Configure the system to disable all wireless network interfaces with the following command:
--
--#nmcli radio wifi off</fixtext><fix id="F-79623r1_fix" /><check system="C-73301r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify that there are no wireless interfaces configured on the system.
--
--This is N/A for systems that do not have wireless network adapters.
--
--Check for the presence of active wireless interfaces with the following command:
--
--# nmcli device
--DEVICE TYPE STATE
--eth0 ethernet connected
--wlp3s0 wifi disconnected
--lo loopback unmanaged
--
--If a wireless interface is configured and its use on the system is not documented with the Information System Security Officer (ISSO), this is a finding.</check-content></check></Rule></Group><Group id="V-77819"><title>SRG-OS-000375-GPOS-00160</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-92515r2_rule" severity="medium" weight="10.0"><version>RHEL-07-010061</version><title>The Red Hat Enterprise Linux operating system must uniquely identify and must authenticate users using multifactor authentication via a graphical user logon.</title><description>&lt;VulnDiscussion&gt;To assure accountability and prevent unauthenticated access, users must be identified and authenticated to prevent potential misuse and compromise of the system.
--
--Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification card and the DoD Common Access Card.
--
--Satisfies: SRG-OS-000375-GPOS-00161,SRG-OS-000375-GPOS-00162&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-001948</ident><ident system="http://iase.disa.mil/cci">CCI-001953</ident><ident system="http://iase.disa.mil/cci">CCI-001954</ident><fixtext fixref="F-84519r4_fix">Configure the operating system to uniquely identify and authenticate users using multifactor authentication via a graphical user logon.
--
--Note: If the system does not have GNOME installed, this requirement is Not Applicable.
--
--Create a database to contain the system-wide screensaver settings (if it does not already exist) with the following command: 
--
--Note: The example is using the database local for the system, so if the system is using another database in "/etc/dconf/profile/user", the file should be created under the appropriate subdirectory.
--
--# touch /etc/dconf/db/local.d/00-defaults
--
--Edit "[org/gnome/login-screen]" and add or update the following line:
--enable-smartcard-authentication=true   
--
--Update the system databases:
--# dconf update</fixtext><fix id="F-84519r4_fix" /><check system="C-77437r2_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system uniquely identifies and authenticates users using multifactor authentication via a graphical user logon.
--
--Note: If the system does not have GNOME installed, this requirement is Not Applicable. 
--
--Determine which profile the system database is using with the following command:
--
--# grep system-db /etc/dconf/profile/user
--
--system-db:local
--
--Note: The example is using the database local for the system, so the path is "/etc/dconf/db/local.d". This path must be modified if a database other than local is being used.
--
--# grep enable-smartcard-authentication /etc/dconf/db/local.d/*
--
--enable-smartcard-authentication=true
--
--If "enable-smartcard-authentication" is set to "false" or the keyword is missing, this is a finding.</check-content></check></Rule></Group><Group id="V-77821"><title>SRG-OS-000378-GPOS-00163</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-92517r3_rule" severity="medium" weight="10.0"><version>RHEL-07-020101</version><title>The Red Hat Enterprise Linux operating system must be configured so that the Datagram Congestion Control Protocol (DCCP) kernel module is disabled unless required.</title><description>&lt;VulnDiscussion&gt;Disabling DCCP protects the system against exploitation of any flaws in the protocol implementation.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-001958</ident><fixtext fixref="F-84521r3_fix">Configure the operating system to disable the ability to use the DCCP kernel module.
--
--Create a file under "/etc/modprobe.d" with the following command:
--
--# touch /etc/modprobe.d/dccp.conf
--
--Add the following line to the created file:
--
--install dccp /bin/true
--
--Ensure that the DCCP module is blacklisted: 
--
--# vi /etc/modprobe.d/blacklist.conf
--
--Add or update the line:
--
--blacklist dccp</fixtext><fix id="F-84521r3_fix" /><check system="C-77439r11_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system disables the ability to load the DCCP kernel module.
--
--# grep -r dccp /etc/modprobe.d/* | grep -i "/bin/true" | grep -v "^#"
--
--install dccp /bin/true
--
--If the command does not return any output, or the line is commented out, and use of DCCP is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.
--
--Verify the operating system disables the ability to use the DCCP kernel module.
--
--Check to see if the DCCP kernel module is disabled with the following command:
--
--# grep -i dccp /etc/modprobe.d/* | grep -i "blacklist" | grep -v "^#"
--
--blacklist dccp
--
--If the command does not return any output or the output is not "blacklist dccp", and use of the dccp kernel module is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.</check-content></check></Rule></Group><Group id="V-77823"><title>SRG-OS-000080-GPOS-00048</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-92519r2_rule" severity="medium" weight="10.0"><version>RHEL-07-010481</version><title>The Red Hat Enterprise Linux operating system must require authentication upon booting into single-user and maintenance modes.</title><description>&lt;VulnDiscussion&gt;If the system does not require valid root authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000213</ident><fixtext fixref="F-84523r2_fix">Configure the operating system to require authentication upon booting into single-user and maintenance modes.
--
--Add or modify the "ExecStart" line in "/usr/lib/systemd/system/rescue.service" to include "/usr/sbin/sulogin":
--
--ExecStart=-/bin/sh -c "/usr/sbin/sulogin; /usr/bin/systemctl --fail --no-block default"</fixtext><fix id="F-84523r2_fix" /><check system="C-77441r2_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system must require authentication upon booting into single-user and maintenance modes.
--
--Check that the operating system requires authentication upon booting into single-user mode with the following command:
--
--# grep -i execstart /usr/lib/systemd/system/rescue.service | grep -i sulogin
--
--ExecStart=-/bin/sh -c "/usr/sbin/sulogin; /usr/bin/systemctl --fail --no-block default"
--
--If "ExecStart" does not have "/usr/sbin/sulogin" as an option, this is a finding.</check-content></check></Rule></Group><Group id="V-77825"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-92521r2_rule" severity="medium" weight="10.0"><version>RHEL-07-040201</version><title>The Red Hat Enterprise Linux operating system must implement virtual address space randomization.</title><description>&lt;VulnDiscussion&gt;Address space layout randomization (ASLR) makes it more difficult for an attacker to predict the location of attack code he or she has introduced into a process's address space during an attempt at exploitation. Additionally, ASLR also makes it more difficult for an attacker to know the location of existing code in order to repurpose it using return-oriented programming (ROP) techniques.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000366</ident><fixtext fixref="F-84531r2_fix">Configure the operating system implement virtual address space randomization.
--
--Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a config file in the /etc/sysctl.d/ directory (or modify the line to have the required value):
--
--kernel.randomize_va_space = 2
--
--Issue the following command to make the changes take effect:
--
--# sysctl --system</fixtext><fix id="F-84531r2_fix" /><check system="C-77449r3_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system implements virtual address space randomization.
--
--# grep kernel.randomize_va_space /etc/sysctl.conf /etc/sysctl.d/*
--
--kernel.randomize_va_space = 2
--
--If "kernel.randomize_va_space" is not configured in the /etc/sysctl.conf file or in the /etc/sysctl.d/ directory, is commented out or does not have a value of "2", this is a finding.
--
--Check that the operating system implements virtual address space randomization with the following command:
--
--# /sbin/sysctl -a | grep kernel.randomize_va_space 
--
--kernel.randomize_va_space = 2
--
--If "kernel.randomize_va_space" does not have a value of "2", this is a finding.</check-content></check></Rule></Group><Group id="V-78995"><title>SRG-OS-000029-GPOS-00010</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-93701r3_rule" severity="medium" weight="10.0"><version>RHEL-07-010062</version><title>The Red Hat Enterprise Linux operating system must prevent a user from overriding the screensaver lock-enabled setting for the graphical user interface.</title><description>&lt;VulnDiscussion&gt;A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence.
--
--The session lock is implemented at the point where session activity can be determined.
--
--The ability to enable/disable a session lock is given to the user by default. Disabling the user’s ability to disengage the graphical user interface session lock provides the assurance that all sessions will lock after the specified period of time.
--&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000057</ident><fixtext fixref="F-85745r1_fix">Configure the operating system to prevent a user from overriding a screensaver lock after a 15-minute period of inactivity for graphical user interfaces.
--
--Create a database to contain the system-wide screensaver settings (if it does not already exist) with the following command: 
--
--Note: The example below is using the database "local" for the system, so if the system is using another database in "/etc/dconf/profile/user", the file should be created under the appropriate subdirectory.
--
--# touch /etc/dconf/db/local.d/locks/session
--
--Add the setting to lock the screensaver lock-enabled setting:
--
--/org/gnome/desktop/screensaver/lock-enabled
--</fixtext><fix id="F-85745r1_fix" /><check system="C-78583r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system prevents a user from overriding the screensaver lock-enabled setting for the graphical user interface. 
--
--Note: If the system does not have GNOME installed, this requirement is Not Applicable. The screen program must be installed to lock sessions on the console.
--
--Determine which profile the system database is using with the following command:
--# grep system-db /etc/dconf/profile/user
--
--system-db:local
--
--Check for the lock-enabled setting with the following command:
--
--Note: The example below is using the database "local" for the system, so the path is "/etc/dconf/db/local.d". This path must be modified if a database other than "local" is being used.
--
--# grep -i lock-enabled /etc/dconf/db/local.d/locks/*
--
--/org/gnome/desktop/screensaver/lock-enabled
--
--If the command does not return a result, this is a finding.
--</check-content></check></Rule></Group><Group id="V-78997"><title>SRG-OS-000029-GPOS-00010</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-93703r2_rule" severity="medium" weight="10.0"><version>RHEL-07-010101</version><title>The Red Hat Enterprise Linux operating system must prevent a user from overriding the screensaver idle-activation-enabled setting for the graphical user interface.</title><description>&lt;VulnDiscussion&gt;A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence.
--
--The session lock is implemented at the point where session activity can be determined.
--
--The ability to enable/disable a session lock is given to the user by default. Disabling the user's ability to disengage the graphical user interface session lock provides the assurance that all sessions will lock after the specified period of time.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000057</ident><fixtext fixref="F-85747r1_fix">Configure the operating system to prevent a user from overriding a screensaver lock after a 15-minute period of inactivity for graphical user interfaces.
--
--Create a database to contain the system-wide screensaver settings (if it does not already exist) with the following command: 
--
--Note: The example below is using the database "local" for the system, so if the system is using another database in "/etc/dconf/profile/user", the file should be created under the appropriate subdirectory.
--
--# touch /etc/dconf/db/local.d/locks/session
--
--Add the setting to lock the screensaver idle-activation-enabled setting:
--
--/org/gnome/desktop/screensaver/idle-activation-enabled</fixtext><fix id="F-85747r1_fix" /><check system="C-78585r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system prevents a user from overriding the screensaver idle-activation-enabled setting for the graphical user interface. 
--
--Note: If the system does not have GNOME installed, this requirement is Not Applicable. The screen program must be installed to lock sessions on the console.
--
--Determine which profile the system database is using with the following command:
--# grep system-db /etc/dconf/profile/user
--
--system-db:local
--
--Check for the idle-activation-enabled setting with the following command:
--
--Note: The example below is using the database "local" for the system, so the path is "/etc/dconf/db/local.d". This path must be modified if a database other than "local" is being used.
--
--# grep -i idle-activation-enabled /etc/dconf/db/local.d/locks/*
--
--/org/gnome/desktop/screensaver/idle-activation-enabled
--
--If the command does not return a result, this is a finding.</check-content></check></Rule></Group><Group id="V-78999"><title>SRG-OS-000471-GPOS-00216</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-93705r3_rule" severity="medium" weight="10.0"><version>RHEL-07-030819</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the create_module syscall.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. 
--
--Audit records can be generated from various components within the information system (e.g., module or policy filter).
--
--Satisfies: SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000172</ident><fixtext fixref="F-85749r4_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "create_module" syscall occur.
--
--Add or update the following rules in "/etc/audit/rules.d/audit.rules":
--
---a always,exit -F arch=b32 -S create_module -k module-change
--
---a always,exit -F arch=b64 -S create_module -k module-change
--
--The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-85749r4_fix" /><check system="C-78587r3_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system generates audit records when successful/unsuccessful attempts to use the "create_module" syscall occur. 
--
--Check the auditing rules in "/etc/audit/audit.rules" with the following command:
--
--# grep -iw create_module /etc/audit/audit.rules
--
---a always,exit -F arch=b32 -S create_module -k module-change
--
---a always,exit -F arch=b64 -S create_module -k module-change
--
--If both the "b32" and "b64" audit rules are not defined for the "create_module" syscall, this is a finding.</check-content></check></Rule></Group><Group id="V-79001"><title>SRG-OS-000471-GPOS-00216</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-93707r3_rule" severity="medium" weight="10.0"><version>RHEL-07-030821</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the finit_module syscall.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. 
--
--Audit records can be generated from various components within the information system (e.g., module or policy filter).
--
--Satisfies: SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000172</ident><fixtext fixref="F-85751r3_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "finit_module" syscall occur. 
--
--Add or update the following rules in "/etc/audit/rules.d/audit.rules": 
--
---a always,exit -F arch=b32 -S finit_module -k module-change
--
---a always,exit -F arch=b64 -S finit_module -k module-change
--
--The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-85751r3_fix" /><check system="C-78589r3_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system generates audit records when successful/unsuccessful attempts to use the "finit_module" syscall occur. 
--
--Check the auditing rules in "/etc/audit/audit.rules" with the following command:
--
--# grep -iw finit_module /etc/audit/audit.rules
--
---a always,exit -F arch=b32 -S finit_module -k module-change
--
---a always,exit -F arch=b64 -S finit_module -k module-change
--
--If both the "b32" and "b64" audit rules are not defined for the "finit_module" syscall, this is a finding.</check-content></check></Rule></Group><Group id="V-81003"><title>SRG-OS-000069-GPOS-00037</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-95715r1_rule" severity="medium" weight="10.0"><version>RHEL-07-010118</version><title>The Red Hat Enterprise Linux operating system must be configured so that /etc/pam.d/passwd implements /etc/pam.d/system-auth when changing passwords.</title><description>&lt;VulnDiscussion&gt;Pluggable authentication modules (PAM) allow for a modular approach to integrating authentication methods. PAM operates in a top-down processing model and if the modules are not listed in the correct order, an important security function could be bypassed if stack entries are not centralized.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000192</ident><fixtext fixref="F-87837r1_fix">Configure PAM to utilize /etc/pam.d/system-auth when changing passwords.
--
--Add the following line to "/etc/pam.d/passwd" (or modify the line to have the required value):
--
--password     substack    system-auth</fixtext><fix id="F-87837r1_fix" /><check system="C-80717r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify that /etc/pam.d/passwd is configured to use /etc/pam.d/system-auth when changing passwords:
--
--# cat /etc/pam.d/passwd | grep -i substack | grep -i system-auth
--password     substack     system-auth
--
--If no results are returned, the line is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-81005"><title>SRG-OS-000080-GPOS-00048</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-95717r1_rule" severity="high" weight="10.0"><version>RHEL-07-010482</version><title>Red Hat Enterprise Linux operating systems version 7.2 or newer with a Basic Input/Output System (BIOS) must require authentication upon booting into single-user and maintenance modes.</title><description>&lt;VulnDiscussion&gt;If the system does not require valid root authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for RHEL 7 and is designed to require a password to boot into single-user mode or make modifications to the boot menu.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000213</ident><fixtext fixref="F-87839r2_fix">Configure the system to encrypt the boot password for root.
--
--Generate an encrypted grub2 password for root with the following command:
--
--Note: The hash generated is an example.
--  
--# grub2-setpassword
--Enter password:
--Confirm password:
--
--Edit the /boot/grub2/grub.cfg file and add or modify the following lines in the "### BEGIN /etc/grub.d/01_users ###" section:
--
--set superusers="root"
--export superusers</fixtext><fix id="F-87839r2_fix" /><check system="C-80719r2_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>For systems that use UEFI, this is Not Applicable.
--
--For systems that are running a version of RHEL prior to 7.2, this is Not Applicable.
--
--Check to see if an encrypted root password is set. On systems that use a BIOS, use the following command:
--
--# grep -iw grub2_password /boot/grub2/user.cfg
--GRUB2_PASSWORD=grub.pbkdf2.sha512.[password_hash]
--
--If the root password does not begin with "grub.pbkdf2.sha512", this is a finding.
--
--Verify that the "root" account is set as the "superusers":
--
--# grep -iw "superusers" /boot/grub2/grub.cfg
--    set superusers="root"
--    export superusers
--
--If "superusers" is not set to "root", this is a finding.</check-content></check></Rule></Group><Group id="V-81007"><title>SRG-OS-000080-GPOS-00048</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-95719r1_rule" severity="high" weight="10.0"><version>RHEL-07-010491</version><title>Red Hat Enterprise Linux operating systems version 7.2 or newer using Unified Extensible Firmware Interface (UEFI) must require authentication upon booting into single-user and maintenance modes.</title><description>&lt;VulnDiscussion&gt;If the system does not require valid root authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for RHEL 7 and is designed to require a password to boot into single-user mode or make modifications to the boot menu.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000213</ident><fixtext fixref="F-87841r2_fix">Configure the system to encrypt the boot password for root.
--
--Generate an encrypted grub2 password for root with the following command:
--
--Note: The hash generated is an example.
--  
--# grub2-setpassword
--Enter password:
--Confirm password:
--
--Edit the /boot/efi/EFI/redhat/grub.cfg file and add or modify the following lines in the "### BEGIN /etc/grub.d/01_users ###" section:
--
--set superusers="root"
--export superusers</fixtext><fix id="F-87841r2_fix" /><check system="C-80721r2_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>For systems that use BIOS, this is Not Applicable.
--
--For systems that are running a version of RHEL prior to 7.2, this is Not Applicable.
--
--Check to see if an encrypted root password is set. On systems that use UEFI, use the following command:
--
--# grep -iw grub2_password /boot/efi/EFI/redhat/user.cfg
--GRUB2_PASSWORD=grub.pbkdf2.sha512.[password_hash]
--
--If the root password does not begin with "grub.pbkdf2.sha512", this is a finding.
--
--Verify that the "root" account is set as the "superusers":
--
--# grep -iw "superusers" /boot/efi/EFI/redhat/grub.cfg
--    set superusers="root"
--    export superusers
--
--If "superusers" is not set to "root", this is a finding.</check-content></check></Rule></Group><Group id="V-81013"><title>SRG-OS-000368-GPOS-00154</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-95725r3_rule" severity="low" weight="10.0"><version>RHEL-07-021024</version><title>The Red Hat Enterprise Linux operating system must mount /dev/shm with secure options.</title><description>&lt;VulnDiscussion&gt;The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.
--
--The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.
--
--The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-001764</ident><fixtext fixref="F-87847r3_fix">Configure the system so that /dev/shm is mounted with the "nodev", "nosuid", and "noexec" options by adding /modifying the /etc/fstab with the following line:
--
--tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0</fixtext><fix id="F-87847r3_fix" /><check system="C-80727r3_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify that the "nodev","nosuid", and "noexec" options are configured for /dev/shm:
--
--# cat /etc/fstab | grep /dev/shm
--
--tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0
--
--If results are returned and the "nodev", "nosuid", or "noexec" options are missing, this is a finding.
--
--Verify "/dev/shm" is mounted with the "nodev", "nosuid", and "noexec" options:
--
--# mount | grep /dev/shm
--
--tmpfs on /dev/shm type tmpfs (rw,nodev,nosuid,noexec,seclabel)
--
--If /dev/shm is mounted without secure options "nodev", "nosuid", and "noexec", this is a finding.
--</check-content></check></Rule></Group><Group id="V-81017"><title>SRG-OS-000342-GPOS-00133</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-95729r2_rule" severity="medium" weight="10.0"><version>RHEL-07-030201</version><title>The Red Hat Enterprise Linux operating system must be configured to off-load audit logs onto a different system or storage media from the system being audited.</title><description>&lt;VulnDiscussion&gt;Information stored in one location is vulnerable to accidental or incidental deletion or alteration.
--
--Off-loading is a common process in information systems with limited audit storage capacity.
--
--One method of off-loading audit logs in Red Hat Enterprise Linux is with the use of the audisp-remote dameon.  Without the configuration of the "au-remote" plugin, the audisp-remote daemon will not off load the logs from the system being audited.
--
--Satisfies: SRG-OS-000342-GPOS-00133, SRG-OS-000479-GPOS-00224&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-001851</ident><fixtext fixref="F-87851r2_fix">Edit the /etc/audisp/plugins.d/au-remote.conf file and add or update the following values:
--
--direction = out
--path = /sbin/audisp-remote
--type = always
--
--The audit daemon must be restarted for changes to take effect:
--
--# service auditd restart</fixtext><fix id="F-87851r2_fix" /><check system="C-80731r3_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the "au-remote" plugin is configured to always off-load audit logs using the audisp-remote daemon:
--
--# cat /etc/audisp/plugins.d/au-remote.conf | grep -v "^#"
--
--active = yes
--direction = out
--path = /sbin/audisp-remote
--type = always
--format = string
--
--If "active" is not set to "yes", "direction" is not set to "out", "path" is not set to "/sbin/audisp-remote", "type" is not set to "always", or any of the lines are commented out, ask the System Administrator to indicate how the audit logs are off-loaded to a different system or storage media.
--
--If there is no evidence that the system is configured to off-load audit logs to a different system or storage media, this is a finding.</check-content></check></Rule></Group><Group id="V-81019"><title>SRG-OS-000342-GPOS-00133</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-95731r1_rule" severity="medium" weight="10.0"><version>RHEL-07-030210</version><title>The Red Hat Enterprise Linux operating system must take appropriate action when the audisp-remote buffer is full.</title><description>&lt;VulnDiscussion&gt;Information stored in one location is vulnerable to accidental or incidental deletion or alteration.
--
--Off-loading is a common process in information systems with limited audit storage capacity.
--
--When the remote buffer is full, audit logs will not be collected and sent to the central log server.
--
--Satisfies: SRG-OS-000342-GPOS-00133, SRG-OS-000479-GPOS-00224&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-001851</ident><fixtext fixref="F-87853r3_fix">Edit the /etc/audisp/audispd.conf file and add or update the "overflow_action" option:
--
--overflow_action = syslog
--
--The audit daemon must be restarted for changes to take effect:
--
--# service auditd restart</fixtext><fix id="F-87853r3_fix" /><check system="C-80735r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the audisp daemon is configured to take an appropriate action when the internal queue is full:
--
--# grep "overflow_action" /etc/audisp/audispd.conf
--
--overflow_action = syslog
--
--If the "overflow_action" option is not "syslog", "single", or "halt", or the line is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-81021"><title>SRG-OS-000342-GPOS-00133</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-95733r1_rule" severity="medium" weight="10.0"><version>RHEL-07-030211</version><title>The Red Hat Enterprise Linux operating system must label all off-loaded audit logs before sending them to the central log server.</title><description>&lt;VulnDiscussion&gt;Information stored in one location is vulnerable to accidental or incidental deletion or alteration.
--
--Off-loading is a common process in information systems with limited audit storage capacity.
--
--When audit logs are not labeled before they are sent to a central log server, the audit data will not be able to be analyzed and tied back to the correct system.
--
--Satisfies: SRG-OS-000342-GPOS-00133, SRG-OS-000479-GPOS-00224&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-001851</ident><fixtext fixref="F-87855r2_fix">Edit the /etc/audisp/audispd.conf file and add or update the "name_format" option:
--
--name_format = hostname
--
--The audit daemon must be restarted for changes to take effect:
--
--# service auditd restart</fixtext><fix id="F-87855r2_fix" /><check system="C-80737r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the audisp daemon is configured to label all off-loaded audit logs:
--
--# grep "name_format" /etc/audisp/audispd.conf
--
--name_format = hostname
--
--If the "name_format" option is not "hostname", "fqd", or "numeric", or the line is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-92251"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-102353r1_rule" severity="medium" weight="10.0"><version>RHEL-07-040611</version><title>The Red Hat Enterprise Linux operating system must use a reverse-path filter for IPv4 network traffic when possible on all interfaces.</title><description>&lt;VulnDiscussion&gt;Enabling reverse path filtering drops packets with source addresses that should not have been able to be received on the interface they were received on. It should not be used on systems which are routers for complicated networks, but is helpful for end hosts and routers serving small networks.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000366</ident><fixtext fixref="F-98473r1_fix">Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value):
--
--net.ipv4.conf.all.rp_filter = 1 
--
--Issue the following command to make the changes take effect:
--
--# sysctl --system</fixtext><fix id="F-98473r1_fix" /><check system="C-91431r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the system uses a reverse-path filter for IPv4:
--
--# grep net.ipv4.conf.all.rp_filter /etc/sysctl.conf /etc/sysctl.d/*
--net.ipv4.conf.all.rp_filter = 1
--
--If "net.ipv4.conf.all.rp_filter" is not configured in the /etc/sysctl.conf file or in the /etc/sysctl.d/ directory, is commented out, or does not have a value of "1", this is a finding.
--
--Check that the operating system implements the accept source route variable with the following command:
--
--# /sbin/sysctl -a | grep net.ipv4.conf.all.rp_filter
--net.ipv4.conf.all.rp_filter = 1
--
--If the returned line does not have a value of "1", this is a finding.</check-content></check></Rule></Group><Group id="V-92253"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-102355r1_rule" severity="medium" weight="10.0"><version>RHEL-07-040612</version><title>The Red Hat Enterprise Linux operating system must use a reverse-path filter for IPv4 network traffic when possible by default.</title><description>&lt;VulnDiscussion&gt;Enabling reverse path filtering drops packets with source addresses that should not have been able to be received on the interface they were received on. It should not be used on systems which are routers for complicated networks, but is helpful for end hosts and routers serving small networks.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000366</ident><fixtext fixref="F-98475r1_fix">Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value):
--
--net.ipv4.conf.default.rp_filter = 1 
--
--Issue the following command to make the changes take effect:
--
--# sysctl --system</fixtext><fix id="F-98475r1_fix" /><check system="C-91433r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the system uses a reverse-path filter for IPv4:
--
--# grep net.ipv4.conf.default.rp_filter /etc/sysctl.conf /etc/sysctl.d/*
--net.ipv4.conf.default.rp_filter = 1
--
--If "net.ipv4.conf.default.rp_filter" is not configured in the /etc/sysctl.conf file or in the /etc/sysctl.d/ directory, is commented out, or does not have a value of "1", this is a finding.
--
--Check that the operating system implements the accept source route variable with the following command:
--
--# /sbin/sysctl -a | grep net.ipv4.conf.default.rp_filter
--net.ipv4.conf.default.rp_filter = 1
--
--If the returned line does not have a value of "1", this is a finding.</check-content></check></Rule></Group><Group id="V-92255"><title>SRG-OS-000196</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-102357r2_rule" severity="medium" weight="10.0"><version>RHEL-07-020019</version><title>The Red Hat Enterprise Linux operating system must have a host-based intrusion detection tool installed.</title><description>&lt;VulnDiscussion&gt;Adding host-based intrusion detection tools can provide the capability to automatically take actions in response to malicious behavior, which can provide additional agility in reacting to network threats. These tools also often include a reporting capability to provide network awareness of the system, which may not otherwise exist in an organization's systems management regime.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-001263</ident><fixtext fixref="F-98477r2_fix">Install and enable the latest McAfee HIPS package or McAfee ENSL.</fixtext><fix id="F-98477r2_fix" /><check system="C-91435r2_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Per OPORD 16-0080, the preferred intrusion detection system is McAfee Host Intrusion Prevention System (HIPS) in conjunction with SELinux. McAfee Endpoint Security for Linux (ENSL) is an approved alternative to McAfee Virus Scan Enterprise (VSE) and HIPS. For RHEL 7 systems, SELinux is an approved alternative to McAfee HIPS.
--
--Procedure:
--Examine the system to determine if the Host Intrusion Prevention System (HIPS) is installed:
--
--# rpm -qa | grep MFEhiplsm
--
--Verify that the McAfee HIPS module is active on the system:
--
--# ps -ef | grep -i “hipclient”
--
--If the MFEhiplsm package is not installed, check for another intrusion detection system:
--
--# find / -name &lt;daemon name&gt;
--
--Where &lt;daemon name&gt; is the name of the primary application daemon to determine if the application is loaded on the system.
--
--Determine if the application is active on the system:
--
--# ps -ef | grep -i &lt;daemon name&gt;
--
--If the MFEhiplsm package is not installed and an alternate host-based intrusion detection application has not been documented for use, this is a finding.
--
--If no host-based intrusion detection system is installed and running on the system, this is a finding.</check-content></check></Rule></Group><Group id="V-94843"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-104673r2_rule" severity="high" weight="10.0"><version>RHEL-07-020231</version><title>The Red Hat Enterprise Linux operating system must be configured so that the x86 Ctrl-Alt-Delete key sequence is disabled in the Graphical User Interface.</title><description>&lt;VulnDiscussion&gt;A locally logged-on user who presses Ctrl-Alt-Delete, when at the console, can reboot the system. If accidentally pressed, as could happen in the case of a mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot. In the graphical environment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is reduced because the user will be prompted before any action is taken.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000366</ident><fixtext fixref="F-100967r2_fix">Configure the system to disable the Ctrl-Alt-Delete sequence for the graphical user interface with the following command:
--
--# touch /etc/dconf/db/local.d/00-disable-CAD 
--
--Add the setting to disable the Ctrl-Alt-Delete sequence for the graphical user interface:
--
--[org/gnome/settings-daemon/plugins/media-keys]
--logout=''</fixtext><fix id="F-100967r2_fix" /><check system="C-94039r3_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Note: If the operating system does not have a graphical user interface installed, this requirement is Not Applicable.
--
--Verify the operating system is not configured to reboot the system when Ctrl-Alt-Delete is pressed.
--
--Check that the ctrl-alt-del.target is masked and not active in the graphical user interface with the following command:
--
--# grep logout /etc/dconf/db/local.d/*
--
--logout=''
--
--If "logout" is not set to use two single quotations, or is missing, this is a finding.</check-content></check></Rule></Group><Group id="V-100023"><title>SRG-OS-000114-GPOS-00059</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-109127r1_rule" severity="medium" weight="10.0"><version>RHEL-07-020111</version><title>The Red Hat Enterprise Linux operating system must disable the graphical user interface automounter unless required.</title><description>&lt;VulnDiscussion&gt;Automatically mounting file systems permits easy introduction of unknown devices, thereby facilitating malicious activity.
--
--Satisfies: SRG-OS-000114-GPOS-00059, SRG-OS-000378-GPOS-00163, SRG-OS-000480-GPOS-00227&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier></reference><ident system="http://iase.disa.mil/cci">CCI-000366</ident><ident system="http://iase.disa.mil/cci">CCI-000778</ident><ident system="http://iase.disa.mil/cci">CCI-001958</ident><fixtext fixref="F-105707r1_fix">Configure the graphical user interface to disable the ability to automount devices.
--
--Note: The example below is using the database "local" for the system, so the path is "/etc/dconf/db/local.d". This path must be modified if a database other than "local" is being used.
--
--Create or edit the /etc/dconf/db/local.d/00-No-Automount file and add the following:  
--
--[org/gnome/desktop/media-handling]
--
--automount=false
--
--automount-open=false
--
--autorun-never=true
--
--Create or edit the /etc/dconf/db/local.d/locks/00-No-Automount file and add the following:
--/org/gnome/desktop/media-handling/automount
--
--/org/gnome/desktop/media-handling/automount-open
--
--/org/gnome/desktop/media-handling/autorun-never
--
--Run the following command to update the database:
--
--# dconf update</fixtext><fix id="F-105707r1_fix" /><check system="C-98873r1_chk"><check-content-ref name="M" href="DPMS_XCCDF_Benchmark_RHEL_7_STIG.xml" /><check-content>Verify the operating system disables the ability to automount devices in a graphical user interface.
--
--Note: The example below is using the database "local" for the system, so the path is "/etc/dconf/db/local.d". This path must be modified if a database other than "local" is being used.
--
--Check to see if automounter service is disabled with the following commands:
--# cat /etc/dconf/db/local.d/00-No-Automount
--
--[org/gnome/desktop/media-handling]
--
--automount=false
--
--automount-open=false
--
--autorun-never=true
--
--If the output does not match the example above, this is a finding.
--
--# cat /etc/dconf/db/local.d/locks/00-No-Automount
--
--/org/gnome/desktop/media-handling/automount
--
--/org/gnome/desktop/media-handling/automount-open
--
--/org/gnome/desktop/media-handling/autorun-never
--If the output does not match the example, this is a finding.</check-content></check></Rule></Group></Benchmark>
-\ No newline at end of file
-diff --git a/shared/references/disa-stig-rhel7-v3r1-xccdf-manual.xml b/shared/references/disa-stig-rhel7-v3r1-xccdf-manual.xml
-new file mode 100644
-index 0000000000..560e081822
---- /dev/null
-+++ b/shared/references/disa-stig-rhel7-v3r1-xccdf-manual.xml
-@@ -0,0 +1,5037 @@
-+<?xml version="1.0" encoding="utf-8"?><?xml-stylesheet type='text/xsl' href='STIG_unclass.xsl'?><Benchmark xmlns:xhtml="http://www.w3.org/1999/xhtml" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:cpe="http://cpe.mitre.org/language/2.0" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" xsi:schemaLocation="http://checklists.nist.gov/xccdf/1.1 http://nvd.nist.gov/schema/xccdf-1.1.4.xsd http://cpe.mitre.org/dictionary/2.0 http://cpe.mitre.org/files/cpe-dictionary_2.1.xsd" id="RHEL_7_STIG" xml:lang="en" xmlns="http://checklists.nist.gov/xccdf/1.1"><status date="2020-09-03">accepted</status><title>Red Hat Enterprise Linux 7 Security Technical Implementation Guide</title><description>This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.</description><notice id="terms-of-use" xml:lang="en"></notice><front-matter xml:lang="en"></front-matter><rear-matter xml:lang="en"></rear-matter><reference href="https://cyber.mil"><dc:publisher>DISA</dc:publisher><dc:source>STIG.DOD.MIL</dc:source></reference><plain-text id="release-info">Release: 1 Benchmark Date: 23 Oct 2020</plain-text><plain-text id="generator">3.1.1.36225</plain-text><plain-text id="conventionsVersion">1.10.0</plain-text><version>3</version><Profile id="MAC-1_Classified"><title>I - Mission Critical Classified</title><description>&lt;ProfileDescription&gt;&lt;/ProfileDescription&gt;</description><select idref="V-204392" selected="true" /><select idref="V-204393" selected="true" /><select idref="V-204394" selected="true" /><select idref="V-204395" selected="true" /><select idref="V-204396" selected="true" /><select idref="V-204397" selected="true" /><select idref="V-204398" selected="true" /><select idref="V-204399" selected="true" /><select idref="V-204400" selected="true" /><select idref="V-204402" selected="true" /><select idref="V-204403" selected="true" /><select idref="V-204404" selected="true" /><select idref="V-204405" selected="true" /><select idref="V-204406" selected="true" /><select idref="V-204407" selected="true" /><select idref="V-204408" selected="true" /><select idref="V-204409" selected="true" /><select idref="V-204410" selected="true" /><select idref="V-204411" selected="true" /><select idref="V-204412" selected="true" /><select idref="V-204413" selected="true" /><select idref="V-204414" selected="true" /><select idref="V-204415" selected="true" /><select idref="V-204416" selected="true" /><select idref="V-204417" selected="true" /><select idref="V-204418" selected="true" /><select idref="V-204419" selected="true" /><select idref="V-204420" selected="true" /><select idref="V-204421" selected="true" /><select idref="V-204422" selected="true" /><select idref="V-204423" selected="true" /><select idref="V-204424" selected="true" /><select idref="V-204425" selected="true" /><select idref="V-204426" selected="true" /><select idref="V-204427" selected="true" /><select idref="V-204428" selected="true" /><select idref="V-204429" selected="true" /><select idref="V-204430" selected="true" /><select idref="V-204431" selected="true" /><select idref="V-204432" selected="true" /><select idref="V-204433" selected="true" /><select idref="V-204434" selected="true" /><select idref="V-204435" selected="true" /><select idref="V-204436" selected="true" /><select idref="V-204437" selected="true" /><select idref="V-204438" selected="true" /><select idref="V-204439" selected="true" /><select idref="V-204440" selected="true" /><select idref="V-204441" selected="true" /><select idref="V-204442" selected="true" /><select idref="V-204443" selected="true" /><select idref="V-204444" selected="true" /><select idref="V-204445" selected="true" /><select idref="V-204446" selected="true" /><select idref="V-204447" selected="true" /><select idref="V-204448" selected="true" /><select idref="V-204449" selected="true" /><select idref="V-204450" selected="true" /><select idref="V-204451" selected="true" /><select idref="V-204452" selected="true" /><select idref="V-204453" selected="true" /><select idref="V-204454" selected="true" /><select idref="V-204455" selected="true" /><select idref="V-204456" selected="true" /><select idref="V-204457" selected="true" /><select idref="V-204458" selected="true" /><select idref="V-204459" selected="true" /><select idref="V-204460" selected="true" /><select idref="V-204461" selected="true" /><select idref="V-204462" selected="true" /><select idref="V-204463" selected="true" /><select idref="V-204464" selected="true" /><select idref="V-204466" selected="true" /><select idref="V-204467" selected="true" /><select idref="V-204468" selected="true" /><select idref="V-204469" selected="true" /><select idref="V-204470" selected="true" /><select idref="V-204471" selected="true" /><select idref="V-204472" selected="true" /><select idref="V-204473" selected="true" /><select idref="V-204474" selected="true" /><select idref="V-204475" selected="true" /><select idref="V-204476" selected="true" /><select idref="V-204477" selected="true" /><select idref="V-204478" selected="true" /><select idref="V-204479" selected="true" /><select idref="V-204480" selected="true" /><select idref="V-204481" selected="true" /><select idref="V-204482" selected="true" /><select idref="V-204483" selected="true" /><select idref="V-204486" selected="true" /><select idref="V-204487" selected="true" /><select idref="V-204488" selected="true" /><select idref="V-204489" selected="true" /><select idref="V-204490" selected="true" /><select idref="V-204491" selected="true" /><select idref="V-204492" selected="true" /><select idref="V-204493" selected="true" /><select idref="V-204494" selected="true" /><select idref="V-204495" selected="true" /><select idref="V-204496" selected="true" /><select idref="V-204497" selected="true" /><select idref="V-204498" selected="true" /><select idref="V-204499" selected="true" /><select idref="V-204500" selected="true" /><select idref="V-204501" selected="true" /><select idref="V-204502" selected="true" /><select idref="V-204503" selected="true" /><select idref="V-204504" selected="true" /><select idref="V-204506" selected="true" /><select idref="V-204507" selected="true" /><select idref="V-204508" selected="true" /><select idref="V-204509" selected="true" /><select idref="V-204510" selected="true" /><select idref="V-204511" selected="true" /><select idref="V-204512" selected="true" /><select idref="V-204513" selected="true" /><select idref="V-204514" selected="true" /><select idref="V-204515" selected="true" /><select idref="V-204516" selected="true" /><select idref="V-204517" selected="true" /><select idref="V-204518" selected="true" /><select idref="V-204519" selected="true" /><select idref="V-204520" selected="true" /><select idref="V-204521" selected="true" /><select idref="V-204522" selected="true" /><select idref="V-204523" selected="true" /><select idref="V-204524" selected="true" /><select idref="V-204525" selected="true" /><select idref="V-204526" selected="true" /><select idref="V-204527" selected="true" /><select idref="V-204528" selected="true" /><select idref="V-204529" selected="true" /><select idref="V-204530" selected="true" /><select idref="V-204531" selected="true" /><select idref="V-204532" selected="true" /><select idref="V-204533" selected="true" /><select idref="V-204534" selected="true" /><select idref="V-204535" selected="true" /><select idref="V-204536" selected="true" /><select idref="V-204537" selected="true" /><select idref="V-204538" selected="true" /><select idref="V-204539" selected="true" /><select idref="V-204540" selected="true" /><select idref="V-204541" selected="true" /><select idref="V-204542" selected="true" /><select idref="V-204543" selected="true" /><select idref="V-204544" selected="true" /><select idref="V-204545" selected="true" /><select idref="V-204546" selected="true" /><select idref="V-204547" selected="true" /><select idref="V-204548" selected="true" /><select idref="V-204549" selected="true" /><select idref="V-204550" selected="true" /><select idref="V-204551" selected="true" /><select idref="V-204552" selected="true" /><select idref="V-204553" selected="true" /><select idref="V-204554" selected="true" /><select idref="V-204555" selected="true" /><select idref="V-204556" selected="true" /><select idref="V-204557" selected="true" /><select idref="V-204558" selected="true" /><select idref="V-204559" selected="true" /><select idref="V-204560" selected="true" /><select idref="V-204561" selected="true" /><select idref="V-204562" selected="true" /><select idref="V-204563" selected="true" /><select idref="V-204564" selected="true" /><select idref="V-204565" selected="true" /><select idref="V-204566" selected="true" /><select idref="V-204567" selected="true" /><select idref="V-204568" selected="true" /><select idref="V-204569" selected="true" /><select idref="V-204570" selected="true" /><select idref="V-204571" selected="true" /><select idref="V-204572" selected="true" /><select idref="V-204573" selected="true" /><select idref="V-204574" selected="true" /><select idref="V-204575" selected="true" /><select idref="V-204576" selected="true" /><select idref="V-204577" selected="true" /><select idref="V-204578" selected="true" /><select idref="V-204579" selected="true" /><select idref="V-204580" selected="true" /><select idref="V-204581" selected="true" /><select idref="V-204582" selected="true" /><select idref="V-204583" selected="true" /><select idref="V-204584" selected="true" /><select idref="V-204585" selected="true" /><select idref="V-204586" selected="true" /><select idref="V-204587" selected="true" /><select idref="V-204588" selected="true" /><select idref="V-204589" selected="true" /><select idref="V-204590" selected="true" /><select idref="V-204591" selected="true" /><select idref="V-204592" selected="true" /><select idref="V-204593" selected="true" /><select idref="V-204594" selected="true" /><select idref="V-204595" selected="true" /><select idref="V-204596" selected="true" /><select idref="V-204597" selected="true" /><select idref="V-204598" selected="true" /><select idref="V-204599" selected="true" /><select idref="V-204600" selected="true" /><select idref="V-204601" selected="true" /><select idref="V-204602" selected="true" /><select idref="V-204603" selected="true" /><select idref="V-204604" selected="true" /><select idref="V-204605" selected="true" /><select idref="V-204606" selected="true" /><select idref="V-204607" selected="true" /><select idref="V-204608" selected="true" /><select idref="V-204609" selected="true" /><select idref="V-204610" selected="true" /><select idref="V-204611" selected="true" /><select idref="V-204612" selected="true" /><select idref="V-204613" selected="true" /><select idref="V-204614" selected="true" /><select idref="V-204615" selected="true" /><select idref="V-204616" selected="true" /><select idref="V-204617" selected="true" /><select idref="V-204618" selected="true" /><select idref="V-204619" selected="true" /><select idref="V-204620" selected="true" /><select idref="V-204621" selected="true" /><select idref="V-204622" selected="true" /><select idref="V-204623" selected="true" /><select idref="V-204624" selected="true" /><select idref="V-204625" selected="true" /><select idref="V-204626" selected="true" /><select idref="V-204627" selected="true" /><select idref="V-204628" selected="true" /><select idref="V-204629" selected="true" /><select idref="V-204630" selected="true" /><select idref="V-204631" selected="true" /><select idref="V-204632" selected="true" /><select idref="V-204633" selected="true" /><select idref="V-204634" selected="true" /><select idref="V-214799" selected="true" /><select idref="V-214800" selected="true" /><select idref="V-214801" selected="true" /><select idref="V-214937" selected="true" /><select idref="V-219059" selected="true" /><select idref="V-228563" selected="true" /><select idref="V-228564" selected="true" /></Profile><Profile id="MAC-1_Public"><title>I - Mission Critical Public</title><description>&lt;ProfileDescription&gt;&lt;/ProfileDescription&gt;</description><select idref="V-204392" selected="true" /><select idref="V-204393" selected="true" /><select idref="V-204394" selected="true" /><select idref="V-204395" selected="true" /><select idref="V-204396" selected="true" /><select idref="V-204397" selected="true" /><select idref="V-204398" selected="true" /><select idref="V-204399" selected="true" /><select idref="V-204400" selected="true" /><select idref="V-204402" selected="true" /><select idref="V-204403" selected="true" /><select idref="V-204404" selected="true" /><select idref="V-204405" selected="true" /><select idref="V-204406" selected="true" /><select idref="V-204407" selected="true" /><select idref="V-204408" selected="true" /><select idref="V-204409" selected="true" /><select idref="V-204410" selected="true" /><select idref="V-204411" selected="true" /><select idref="V-204412" selected="true" /><select idref="V-204413" selected="true" /><select idref="V-204414" selected="true" /><select idref="V-204415" selected="true" /><select idref="V-204416" selected="true" /><select idref="V-204417" selected="true" /><select idref="V-204418" selected="true" /><select idref="V-204419" selected="true" /><select idref="V-204420" selected="true" /><select idref="V-204421" selected="true" /><select idref="V-204422" selected="true" /><select idref="V-204423" selected="true" /><select idref="V-204424" selected="true" /><select idref="V-204425" selected="true" /><select idref="V-204426" selected="true" /><select idref="V-204427" selected="true" /><select idref="V-204428" selected="true" /><select idref="V-204429" selected="true" /><select idref="V-204430" selected="true" /><select idref="V-204431" selected="true" /><select idref="V-204432" selected="true" /><select idref="V-204433" selected="true" /><select idref="V-204434" selected="true" /><select idref="V-204435" selected="true" /><select idref="V-204436" selected="true" /><select idref="V-204437" selected="true" /><select idref="V-204438" selected="true" /><select idref="V-204439" selected="true" /><select idref="V-204440" selected="true" /><select idref="V-204441" selected="true" /><select idref="V-204442" selected="true" /><select idref="V-204443" selected="true" /><select idref="V-204444" selected="true" /><select idref="V-204445" selected="true" /><select idref="V-204446" selected="true" /><select idref="V-204447" selected="true" /><select idref="V-204448" selected="true" /><select idref="V-204449" selected="true" /><select idref="V-204450" selected="true" /><select idref="V-204451" selected="true" /><select idref="V-204452" selected="true" /><select idref="V-204453" selected="true" /><select idref="V-204454" selected="true" /><select idref="V-204455" selected="true" /><select idref="V-204456" selected="true" /><select idref="V-204457" selected="true" /><select idref="V-204458" selected="true" /><select idref="V-204459" selected="true" /><select idref="V-204460" selected="true" /><select idref="V-204461" selected="true" /><select idref="V-204462" selected="true" /><select idref="V-204463" selected="true" /><select idref="V-204464" selected="true" /><select idref="V-204466" selected="true" /><select idref="V-204467" selected="true" /><select idref="V-204468" selected="true" /><select idref="V-204469" selected="true" /><select idref="V-204470" selected="true" /><select idref="V-204471" selected="true" /><select idref="V-204472" selected="true" /><select idref="V-204473" selected="true" /><select idref="V-204474" selected="true" /><select idref="V-204475" selected="true" /><select idref="V-204476" selected="true" /><select idref="V-204477" selected="true" /><select idref="V-204478" selected="true" /><select idref="V-204479" selected="true" /><select idref="V-204480" selected="true" /><select idref="V-204481" selected="true" /><select idref="V-204482" selected="true" /><select idref="V-204483" selected="true" /><select idref="V-204486" selected="true" /><select idref="V-204487" selected="true" /><select idref="V-204488" selected="true" /><select idref="V-204489" selected="true" /><select idref="V-204490" selected="true" /><select idref="V-204491" selected="true" /><select idref="V-204492" selected="true" /><select idref="V-204493" selected="true" /><select idref="V-204494" selected="true" /><select idref="V-204495" selected="true" /><select idref="V-204496" selected="true" /><select idref="V-204497" selected="true" /><select idref="V-204498" selected="true" /><select idref="V-204499" selected="true" /><select idref="V-204500" selected="true" /><select idref="V-204501" selected="true" /><select idref="V-204502" selected="true" /><select idref="V-204503" selected="true" /><select idref="V-204504" selected="true" /><select idref="V-204506" selected="true" /><select idref="V-204507" selected="true" /><select idref="V-204508" selected="true" /><select idref="V-204509" selected="true" /><select idref="V-204510" selected="true" /><select idref="V-204511" selected="true" /><select idref="V-204512" selected="true" /><select idref="V-204513" selected="true" /><select idref="V-204514" selected="true" /><select idref="V-204515" selected="true" /><select idref="V-204516" selected="true" /><select idref="V-204517" selected="true" /><select idref="V-204518" selected="true" /><select idref="V-204519" selected="true" /><select idref="V-204520" selected="true" /><select idref="V-204521" selected="true" /><select idref="V-204522" selected="true" /><select idref="V-204523" selected="true" /><select idref="V-204524" selected="true" /><select idref="V-204525" selected="true" /><select idref="V-204526" selected="true" /><select idref="V-204527" selected="true" /><select idref="V-204528" selected="true" /><select idref="V-204529" selected="true" /><select idref="V-204530" selected="true" /><select idref="V-204531" selected="true" /><select idref="V-204532" selected="true" /><select idref="V-204533" selected="true" /><select idref="V-204534" selected="true" /><select idref="V-204535" selected="true" /><select idref="V-204536" selected="true" /><select idref="V-204537" selected="true" /><select idref="V-204538" selected="true" /><select idref="V-204539" selected="true" /><select idref="V-204540" selected="true" /><select idref="V-204541" selected="true" /><select idref="V-204542" selected="true" /><select idref="V-204543" selected="true" /><select idref="V-204544" selected="true" /><select idref="V-204545" selected="true" /><select idref="V-204546" selected="true" /><select idref="V-204547" selected="true" /><select idref="V-204548" selected="true" /><select idref="V-204549" selected="true" /><select idref="V-204550" selected="true" /><select idref="V-204551" selected="true" /><select idref="V-204552" selected="true" /><select idref="V-204553" selected="true" /><select idref="V-204554" selected="true" /><select idref="V-204555" selected="true" /><select idref="V-204556" selected="true" /><select idref="V-204557" selected="true" /><select idref="V-204558" selected="true" /><select idref="V-204559" selected="true" /><select idref="V-204560" selected="true" /><select idref="V-204561" selected="true" /><select idref="V-204562" selected="true" /><select idref="V-204563" selected="true" /><select idref="V-204564" selected="true" /><select idref="V-204565" selected="true" /><select idref="V-204566" selected="true" /><select idref="V-204567" selected="true" /><select idref="V-204568" selected="true" /><select idref="V-204569" selected="true" /><select idref="V-204570" selected="true" /><select idref="V-204571" selected="true" /><select idref="V-204572" selected="true" /><select idref="V-204573" selected="true" /><select idref="V-204574" selected="true" /><select idref="V-204575" selected="true" /><select idref="V-204576" selected="true" /><select idref="V-204577" selected="true" /><select idref="V-204578" selected="true" /><select idref="V-204579" selected="true" /><select idref="V-204580" selected="true" /><select idref="V-204581" selected="true" /><select idref="V-204582" selected="true" /><select idref="V-204583" selected="true" /><select idref="V-204584" selected="true" /><select idref="V-204585" selected="true" /><select idref="V-204586" selected="true" /><select idref="V-204587" selected="true" /><select idref="V-204588" selected="true" /><select idref="V-204589" selected="true" /><select idref="V-204590" selected="true" /><select idref="V-204591" selected="true" /><select idref="V-204592" selected="true" /><select idref="V-204593" selected="true" /><select idref="V-204594" selected="true" /><select idref="V-204595" selected="true" /><select idref="V-204596" selected="true" /><select idref="V-204597" selected="true" /><select idref="V-204598" selected="true" /><select idref="V-204599" selected="true" /><select idref="V-204600" selected="true" /><select idref="V-204601" selected="true" /><select idref="V-204602" selected="true" /><select idref="V-204603" selected="true" /><select idref="V-204604" selected="true" /><select idref="V-204605" selected="true" /><select idref="V-204606" selected="true" /><select idref="V-204607" selected="true" /><select idref="V-204608" selected="true" /><select idref="V-204609" selected="true" /><select idref="V-204610" selected="true" /><select idref="V-204611" selected="true" /><select idref="V-204612" selected="true" /><select idref="V-204613" selected="true" /><select idref="V-204614" selected="true" /><select idref="V-204615" selected="true" /><select idref="V-204616" selected="true" /><select idref="V-204617" selected="true" /><select idref="V-204618" selected="true" /><select idref="V-204619" selected="true" /><select idref="V-204620" selected="true" /><select idref="V-204621" selected="true" /><select idref="V-204622" selected="true" /><select idref="V-204623" selected="true" /><select idref="V-204624" selected="true" /><select idref="V-204625" selected="true" /><select idref="V-204626" selected="true" /><select idref="V-204627" selected="true" /><select idref="V-204628" selected="true" /><select idref="V-204629" selected="true" /><select idref="V-204630" selected="true" /><select idref="V-204631" selected="true" /><select idref="V-204632" selected="true" /><select idref="V-204633" selected="true" /><select idref="V-204634" selected="true" /><select idref="V-214799" selected="true" /><select idref="V-214800" selected="true" /><select idref="V-214801" selected="true" /><select idref="V-214937" selected="true" /><select idref="V-219059" selected="true" /><select idref="V-228563" selected="true" /><select idref="V-228564" selected="true" /></Profile><Profile id="MAC-1_Sensitive"><title>I - Mission Critical Sensitive</title><description>&lt;ProfileDescription&gt;&lt;/ProfileDescription&gt;</description><select idref="V-204392" selected="true" /><select idref="V-204393" selected="true" /><select idref="V-204394" selected="true" /><select idref="V-204395" selected="true" /><select idref="V-204396" selected="true" /><select idref="V-204397" selected="true" /><select idref="V-204398" selected="true" /><select idref="V-204399" selected="true" /><select idref="V-204400" selected="true" /><select idref="V-204402" selected="true" /><select idref="V-204403" selected="true" /><select idref="V-204404" selected="true" /><select idref="V-204405" selected="true" /><select idref="V-204406" selected="true" /><select idref="V-204407" selected="true" /><select idref="V-204408" selected="true" /><select idref="V-204409" selected="true" /><select idref="V-204410" selected="true" /><select idref="V-204411" selected="true" /><select idref="V-204412" selected="true" /><select idref="V-204413" selected="true" /><select idref="V-204414" selected="true" /><select idref="V-204415" selected="true" /><select idref="V-204416" selected="true" /><select idref="V-204417" selected="true" /><select idref="V-204418" selected="true" /><select idref="V-204419" selected="true" /><select idref="V-204420" selected="true" /><select idref="V-204421" selected="true" /><select idref="V-204422" selected="true" /><select idref="V-204423" selected="true" /><select idref="V-204424" selected="true" /><select idref="V-204425" selected="true" /><select idref="V-204426" selected="true" /><select idref="V-204427" selected="true" /><select idref="V-204428" selected="true" /><select idref="V-204429" selected="true" /><select idref="V-204430" selected="true" /><select idref="V-204431" selected="true" /><select idref="V-204432" selected="true" /><select idref="V-204433" selected="true" /><select idref="V-204434" selected="true" /><select idref="V-204435" selected="true" /><select idref="V-204436" selected="true" /><select idref="V-204437" selected="true" /><select idref="V-204438" selected="true" /><select idref="V-204439" selected="true" /><select idref="V-204440" selected="true" /><select idref="V-204441" selected="true" /><select idref="V-204442" selected="true" /><select idref="V-204443" selected="true" /><select idref="V-204444" selected="true" /><select idref="V-204445" selected="true" /><select idref="V-204446" selected="true" /><select idref="V-204447" selected="true" /><select idref="V-204448" selected="true" /><select idref="V-204449" selected="true" /><select idref="V-204450" selected="true" /><select idref="V-204451" selected="true" /><select idref="V-204452" selected="true" /><select idref="V-204453" selected="true" /><select idref="V-204454" selected="true" /><select idref="V-204455" selected="true" /><select idref="V-204456" selected="true" /><select idref="V-204457" selected="true" /><select idref="V-204458" selected="true" /><select idref="V-204459" selected="true" /><select idref="V-204460" selected="true" /><select idref="V-204461" selected="true" /><select idref="V-204462" selected="true" /><select idref="V-204463" selected="true" /><select idref="V-204464" selected="true" /><select idref="V-204466" selected="true" /><select idref="V-204467" selected="true" /><select idref="V-204468" selected="true" /><select idref="V-204469" selected="true" /><select idref="V-204470" selected="true" /><select idref="V-204471" selected="true" /><select idref="V-204472" selected="true" /><select idref="V-204473" selected="true" /><select idref="V-204474" selected="true" /><select idref="V-204475" selected="true" /><select idref="V-204476" selected="true" /><select idref="V-204477" selected="true" /><select idref="V-204478" selected="true" /><select idref="V-204479" selected="true" /><select idref="V-204480" selected="true" /><select idref="V-204481" selected="true" /><select idref="V-204482" selected="true" /><select idref="V-204483" selected="true" /><select idref="V-204486" selected="true" /><select idref="V-204487" selected="true" /><select idref="V-204488" selected="true" /><select idref="V-204489" selected="true" /><select idref="V-204490" selected="true" /><select idref="V-204491" selected="true" /><select idref="V-204492" selected="true" /><select idref="V-204493" selected="true" /><select idref="V-204494" selected="true" /><select idref="V-204495" selected="true" /><select idref="V-204496" selected="true" /><select idref="V-204497" selected="true" /><select idref="V-204498" selected="true" /><select idref="V-204499" selected="true" /><select idref="V-204500" selected="true" /><select idref="V-204501" selected="true" /><select idref="V-204502" selected="true" /><select idref="V-204503" selected="true" /><select idref="V-204504" selected="true" /><select idref="V-204506" selected="true" /><select idref="V-204507" selected="true" /><select idref="V-204508" selected="true" /><select idref="V-204509" selected="true" /><select idref="V-204510" selected="true" /><select idref="V-204511" selected="true" /><select idref="V-204512" selected="true" /><select idref="V-204513" selected="true" /><select idref="V-204514" selected="true" /><select idref="V-204515" selected="true" /><select idref="V-204516" selected="true" /><select idref="V-204517" selected="true" /><select idref="V-204518" selected="true" /><select idref="V-204519" selected="true" /><select idref="V-204520" selected="true" /><select idref="V-204521" selected="true" /><select idref="V-204522" selected="true" /><select idref="V-204523" selected="true" /><select idref="V-204524" selected="true" /><select idref="V-204525" selected="true" /><select idref="V-204526" selected="true" /><select idref="V-204527" selected="true" /><select idref="V-204528" selected="true" /><select idref="V-204529" selected="true" /><select idref="V-204530" selected="true" /><select idref="V-204531" selected="true" /><select idref="V-204532" selected="true" /><select idref="V-204533" selected="true" /><select idref="V-204534" selected="true" /><select idref="V-204535" selected="true" /><select idref="V-204536" selected="true" /><select idref="V-204537" selected="true" /><select idref="V-204538" selected="true" /><select idref="V-204539" selected="true" /><select idref="V-204540" selected="true" /><select idref="V-204541" selected="true" /><select idref="V-204542" selected="true" /><select idref="V-204543" selected="true" /><select idref="V-204544" selected="true" /><select idref="V-204545" selected="true" /><select idref="V-204546" selected="true" /><select idref="V-204547" selected="true" /><select idref="V-204548" selected="true" /><select idref="V-204549" selected="true" /><select idref="V-204550" selected="true" /><select idref="V-204551" selected="true" /><select idref="V-204552" selected="true" /><select idref="V-204553" selected="true" /><select idref="V-204554" selected="true" /><select idref="V-204555" selected="true" /><select idref="V-204556" selected="true" /><select idref="V-204557" selected="true" /><select idref="V-204558" selected="true" /><select idref="V-204559" selected="true" /><select idref="V-204560" selected="true" /><select idref="V-204561" selected="true" /><select idref="V-204562" selected="true" /><select idref="V-204563" selected="true" /><select idref="V-204564" selected="true" /><select idref="V-204565" selected="true" /><select idref="V-204566" selected="true" /><select idref="V-204567" selected="true" /><select idref="V-204568" selected="true" /><select idref="V-204569" selected="true" /><select idref="V-204570" selected="true" /><select idref="V-204571" selected="true" /><select idref="V-204572" selected="true" /><select idref="V-204573" selected="true" /><select idref="V-204574" selected="true" /><select idref="V-204575" selected="true" /><select idref="V-204576" selected="true" /><select idref="V-204577" selected="true" /><select idref="V-204578" selected="true" /><select idref="V-204579" selected="true" /><select idref="V-204580" selected="true" /><select idref="V-204581" selected="true" /><select idref="V-204582" selected="true" /><select idref="V-204583" selected="true" /><select idref="V-204584" selected="true" /><select idref="V-204585" selected="true" /><select idref="V-204586" selected="true" /><select idref="V-204587" selected="true" /><select idref="V-204588" selected="true" /><select idref="V-204589" selected="true" /><select idref="V-204590" selected="true" /><select idref="V-204591" selected="true" /><select idref="V-204592" selected="true" /><select idref="V-204593" selected="true" /><select idref="V-204594" selected="true" /><select idref="V-204595" selected="true" /><select idref="V-204596" selected="true" /><select idref="V-204597" selected="true" /><select idref="V-204598" selected="true" /><select idref="V-204599" selected="true" /><select idref="V-204600" selected="true" /><select idref="V-204601" selected="true" /><select idref="V-204602" selected="true" /><select idref="V-204603" selected="true" /><select idref="V-204604" selected="true" /><select idref="V-204605" selected="true" /><select idref="V-204606" selected="true" /><select idref="V-204607" selected="true" /><select idref="V-204608" selected="true" /><select idref="V-204609" selected="true" /><select idref="V-204610" selected="true" /><select idref="V-204611" selected="true" /><select idref="V-204612" selected="true" /><select idref="V-204613" selected="true" /><select idref="V-204614" selected="true" /><select idref="V-204615" selected="true" /><select idref="V-204616" selected="true" /><select idref="V-204617" selected="true" /><select idref="V-204618" selected="true" /><select idref="V-204619" selected="true" /><select idref="V-204620" selected="true" /><select idref="V-204621" selected="true" /><select idref="V-204622" selected="true" /><select idref="V-204623" selected="true" /><select idref="V-204624" selected="true" /><select idref="V-204625" selected="true" /><select idref="V-204626" selected="true" /><select idref="V-204627" selected="true" /><select idref="V-204628" selected="true" /><select idref="V-204629" selected="true" /><select idref="V-204630" selected="true" /><select idref="V-204631" selected="true" /><select idref="V-204632" selected="true" /><select idref="V-204633" selected="true" /><select idref="V-204634" selected="true" /><select idref="V-214799" selected="true" /><select idref="V-214800" selected="true" /><select idref="V-214801" selected="true" /><select idref="V-214937" selected="true" /><select idref="V-219059" selected="true" /><select idref="V-228563" selected="true" /><select idref="V-228564" selected="true" /></Profile><Profile id="MAC-2_Classified"><title>II - Mission Support Classified</title><description>&lt;ProfileDescription&gt;&lt;/ProfileDescription&gt;</description><select idref="V-204392" selected="true" /><select idref="V-204393" selected="true" /><select idref="V-204394" selected="true" /><select idref="V-204395" selected="true" /><select idref="V-204396" selected="true" /><select idref="V-204397" selected="true" /><select idref="V-204398" selected="true" /><select idref="V-204399" selected="true" /><select idref="V-204400" selected="true" /><select idref="V-204402" selected="true" /><select idref="V-204403" selected="true" /><select idref="V-204404" selected="true" /><select idref="V-204405" selected="true" /><select idref="V-204406" selected="true" /><select idref="V-204407" selected="true" /><select idref="V-204408" selected="true" /><select idref="V-204409" selected="true" /><select idref="V-204410" selected="true" /><select idref="V-204411" selected="true" /><select idref="V-204412" selected="true" /><select idref="V-204413" selected="true" /><select idref="V-204414" selected="true" /><select idref="V-204415" selected="true" /><select idref="V-204416" selected="true" /><select idref="V-204417" selected="true" /><select idref="V-204418" selected="true" /><select idref="V-204419" selected="true" /><select idref="V-204420" selected="true" /><select idref="V-204421" selected="true" /><select idref="V-204422" selected="true" /><select idref="V-204423" selected="true" /><select idref="V-204424" selected="true" /><select idref="V-204425" selected="true" /><select idref="V-204426" selected="true" /><select idref="V-204427" selected="true" /><select idref="V-204428" selected="true" /><select idref="V-204429" selected="true" /><select idref="V-204430" selected="true" /><select idref="V-204431" selected="true" /><select idref="V-204432" selected="true" /><select idref="V-204433" selected="true" /><select idref="V-204434" selected="true" /><select idref="V-204435" selected="true" /><select idref="V-204436" selected="true" /><select idref="V-204437" selected="true" /><select idref="V-204438" selected="true" /><select idref="V-204439" selected="true" /><select idref="V-204440" selected="true" /><select idref="V-204441" selected="true" /><select idref="V-204442" selected="true" /><select idref="V-204443" selected="true" /><select idref="V-204444" selected="true" /><select idref="V-204445" selected="true" /><select idref="V-204446" selected="true" /><select idref="V-204447" selected="true" /><select idref="V-204448" selected="true" /><select idref="V-204449" selected="true" /><select idref="V-204450" selected="true" /><select idref="V-204451" selected="true" /><select idref="V-204452" selected="true" /><select idref="V-204453" selected="true" /><select idref="V-204454" selected="true" /><select idref="V-204455" selected="true" /><select idref="V-204456" selected="true" /><select idref="V-204457" selected="true" /><select idref="V-204458" selected="true" /><select idref="V-204459" selected="true" /><select idref="V-204460" selected="true" /><select idref="V-204461" selected="true" /><select idref="V-204462" selected="true" /><select idref="V-204463" selected="true" /><select idref="V-204464" selected="true" /><select idref="V-204466" selected="true" /><select idref="V-204467" selected="true" /><select idref="V-204468" selected="true" /><select idref="V-204469" selected="true" /><select idref="V-204470" selected="true" /><select idref="V-204471" selected="true" /><select idref="V-204472" selected="true" /><select idref="V-204473" selected="true" /><select idref="V-204474" selected="true" /><select idref="V-204475" selected="true" /><select idref="V-204476" selected="true" /><select idref="V-204477" selected="true" /><select idref="V-204478" selected="true" /><select idref="V-204479" selected="true" /><select idref="V-204480" selected="true" /><select idref="V-204481" selected="true" /><select idref="V-204482" selected="true" /><select idref="V-204483" selected="true" /><select idref="V-204486" selected="true" /><select idref="V-204487" selected="true" /><select idref="V-204488" selected="true" /><select idref="V-204489" selected="true" /><select idref="V-204490" selected="true" /><select idref="V-204491" selected="true" /><select idref="V-204492" selected="true" /><select idref="V-204493" selected="true" /><select idref="V-204494" selected="true" /><select idref="V-204495" selected="true" /><select idref="V-204496" selected="true" /><select idref="V-204497" selected="true" /><select idref="V-204498" selected="true" /><select idref="V-204499" selected="true" /><select idref="V-204500" selected="true" /><select idref="V-204501" selected="true" /><select idref="V-204502" selected="true" /><select idref="V-204503" selected="true" /><select idref="V-204504" selected="true" /><select idref="V-204506" selected="true" /><select idref="V-204507" selected="true" /><select idref="V-204508" selected="true" /><select idref="V-204509" selected="true" /><select idref="V-204510" selected="true" /><select idref="V-204511" selected="true" /><select idref="V-204512" selected="true" /><select idref="V-204513" selected="true" /><select idref="V-204514" selected="true" /><select idref="V-204515" selected="true" /><select idref="V-204516" selected="true" /><select idref="V-204517" selected="true" /><select idref="V-204518" selected="true" /><select idref="V-204519" selected="true" /><select idref="V-204520" selected="true" /><select idref="V-204521" selected="true" /><select idref="V-204522" selected="true" /><select idref="V-204523" selected="true" /><select idref="V-204524" selected="true" /><select idref="V-204525" selected="true" /><select idref="V-204526" selected="true" /><select idref="V-204527" selected="true" /><select idref="V-204528" selected="true" /><select idref="V-204529" selected="true" /><select idref="V-204530" selected="true" /><select idref="V-204531" selected="true" /><select idref="V-204532" selected="true" /><select idref="V-204533" selected="true" /><select idref="V-204534" selected="true" /><select idref="V-204535" selected="true" /><select idref="V-204536" selected="true" /><select idref="V-204537" selected="true" /><select idref="V-204538" selected="true" /><select idref="V-204539" selected="true" /><select idref="V-204540" selected="true" /><select idref="V-204541" selected="true" /><select idref="V-204542" selected="true" /><select idref="V-204543" selected="true" /><select idref="V-204544" selected="true" /><select idref="V-204545" selected="true" /><select idref="V-204546" selected="true" /><select idref="V-204547" selected="true" /><select idref="V-204548" selected="true" /><select idref="V-204549" selected="true" /><select idref="V-204550" selected="true" /><select idref="V-204551" selected="true" /><select idref="V-204552" selected="true" /><select idref="V-204553" selected="true" /><select idref="V-204554" selected="true" /><select idref="V-204555" selected="true" /><select idref="V-204556" selected="true" /><select idref="V-204557" selected="true" /><select idref="V-204558" selected="true" /><select idref="V-204559" selected="true" /><select idref="V-204560" selected="true" /><select idref="V-204561" selected="true" /><select idref="V-204562" selected="true" /><select idref="V-204563" selected="true" /><select idref="V-204564" selected="true" /><select idref="V-204565" selected="true" /><select idref="V-204566" selected="true" /><select idref="V-204567" selected="true" /><select idref="V-204568" selected="true" /><select idref="V-204569" selected="true" /><select idref="V-204570" selected="true" /><select idref="V-204571" selected="true" /><select idref="V-204572" selected="true" /><select idref="V-204573" selected="true" /><select idref="V-204574" selected="true" /><select idref="V-204575" selected="true" /><select idref="V-204576" selected="true" /><select idref="V-204577" selected="true" /><select idref="V-204578" selected="true" /><select idref="V-204579" selected="true" /><select idref="V-204580" selected="true" /><select idref="V-204581" selected="true" /><select idref="V-204582" selected="true" /><select idref="V-204583" selected="true" /><select idref="V-204584" selected="true" /><select idref="V-204585" selected="true" /><select idref="V-204586" selected="true" /><select idref="V-204587" selected="true" /><select idref="V-204588" selected="true" /><select idref="V-204589" selected="true" /><select idref="V-204590" selected="true" /><select idref="V-204591" selected="true" /><select idref="V-204592" selected="true" /><select idref="V-204593" selected="true" /><select idref="V-204594" selected="true" /><select idref="V-204595" selected="true" /><select idref="V-204596" selected="true" /><select idref="V-204597" selected="true" /><select idref="V-204598" selected="true" /><select idref="V-204599" selected="true" /><select idref="V-204600" selected="true" /><select idref="V-204601" selected="true" /><select idref="V-204602" selected="true" /><select idref="V-204603" selected="true" /><select idref="V-204604" selected="true" /><select idref="V-204605" selected="true" /><select idref="V-204606" selected="true" /><select idref="V-204607" selected="true" /><select idref="V-204608" selected="true" /><select idref="V-204609" selected="true" /><select idref="V-204610" selected="true" /><select idref="V-204611" selected="true" /><select idref="V-204612" selected="true" /><select idref="V-204613" selected="true" /><select idref="V-204614" selected="true" /><select idref="V-204615" selected="true" /><select idref="V-204616" selected="true" /><select idref="V-204617" selected="true" /><select idref="V-204618" selected="true" /><select idref="V-204619" selected="true" /><select idref="V-204620" selected="true" /><select idref="V-204621" selected="true" /><select idref="V-204622" selected="true" /><select idref="V-204623" selected="true" /><select idref="V-204624" selected="true" /><select idref="V-204625" selected="true" /><select idref="V-204626" selected="true" /><select idref="V-204627" selected="true" /><select idref="V-204628" selected="true" /><select idref="V-204629" selected="true" /><select idref="V-204630" selected="true" /><select idref="V-204631" selected="true" /><select idref="V-204632" selected="true" /><select idref="V-204633" selected="true" /><select idref="V-204634" selected="true" /><select idref="V-214799" selected="true" /><select idref="V-214800" selected="true" /><select idref="V-214801" selected="true" /><select idref="V-214937" selected="true" /><select idref="V-219059" selected="true" /><select idref="V-228563" selected="true" /><select idref="V-228564" selected="true" /></Profile><Profile id="MAC-2_Public"><title>II - Mission Support Public</title><description>&lt;ProfileDescription&gt;&lt;/ProfileDescription&gt;</description><select idref="V-204392" selected="true" /><select idref="V-204393" selected="true" /><select idref="V-204394" selected="true" /><select idref="V-204395" selected="true" /><select idref="V-204396" selected="true" /><select idref="V-204397" selected="true" /><select idref="V-204398" selected="true" /><select idref="V-204399" selected="true" /><select idref="V-204400" selected="true" /><select idref="V-204402" selected="true" /><select idref="V-204403" selected="true" /><select idref="V-204404" selected="true" /><select idref="V-204405" selected="true" /><select idref="V-204406" selected="true" /><select idref="V-204407" selected="true" /><select idref="V-204408" selected="true" /><select idref="V-204409" selected="true" /><select idref="V-204410" selected="true" /><select idref="V-204411" selected="true" /><select idref="V-204412" selected="true" /><select idref="V-204413" selected="true" /><select idref="V-204414" selected="true" /><select idref="V-204415" selected="true" /><select idref="V-204416" selected="true" /><select idref="V-204417" selected="true" /><select idref="V-204418" selected="true" /><select idref="V-204419" selected="true" /><select idref="V-204420" selected="true" /><select idref="V-204421" selected="true" /><select idref="V-204422" selected="true" /><select idref="V-204423" selected="true" /><select idref="V-204424" selected="true" /><select idref="V-204425" selected="true" /><select idref="V-204426" selected="true" /><select idref="V-204427" selected="true" /><select idref="V-204428" selected="true" /><select idref="V-204429" selected="true" /><select idref="V-204430" selected="true" /><select idref="V-204431" selected="true" /><select idref="V-204432" selected="true" /><select idref="V-204433" selected="true" /><select idref="V-204434" selected="true" /><select idref="V-204435" selected="true" /><select idref="V-204436" selected="true" /><select idref="V-204437" selected="true" /><select idref="V-204438" selected="true" /><select idref="V-204439" selected="true" /><select idref="V-204440" selected="true" /><select idref="V-204441" selected="true" /><select idref="V-204442" selected="true" /><select idref="V-204443" selected="true" /><select idref="V-204444" selected="true" /><select idref="V-204445" selected="true" /><select idref="V-204446" selected="true" /><select idref="V-204447" selected="true" /><select idref="V-204448" selected="true" /><select idref="V-204449" selected="true" /><select idref="V-204450" selected="true" /><select idref="V-204451" selected="true" /><select idref="V-204452" selected="true" /><select idref="V-204453" selected="true" /><select idref="V-204454" selected="true" /><select idref="V-204455" selected="true" /><select idref="V-204456" selected="true" /><select idref="V-204457" selected="true" /><select idref="V-204458" selected="true" /><select idref="V-204459" selected="true" /><select idref="V-204460" selected="true" /><select idref="V-204461" selected="true" /><select idref="V-204462" selected="true" /><select idref="V-204463" selected="true" /><select idref="V-204464" selected="true" /><select idref="V-204466" selected="true" /><select idref="V-204467" selected="true" /><select idref="V-204468" selected="true" /><select idref="V-204469" selected="true" /><select idref="V-204470" selected="true" /><select idref="V-204471" selected="true" /><select idref="V-204472" selected="true" /><select idref="V-204473" selected="true" /><select idref="V-204474" selected="true" /><select idref="V-204475" selected="true" /><select idref="V-204476" selected="true" /><select idref="V-204477" selected="true" /><select idref="V-204478" selected="true" /><select idref="V-204479" selected="true" /><select idref="V-204480" selected="true" /><select idref="V-204481" selected="true" /><select idref="V-204482" selected="true" /><select idref="V-204483" selected="true" /><select idref="V-204486" selected="true" /><select idref="V-204487" selected="true" /><select idref="V-204488" selected="true" /><select idref="V-204489" selected="true" /><select idref="V-204490" selected="true" /><select idref="V-204491" selected="true" /><select idref="V-204492" selected="true" /><select idref="V-204493" selected="true" /><select idref="V-204494" selected="true" /><select idref="V-204495" selected="true" /><select idref="V-204496" selected="true" /><select idref="V-204497" selected="true" /><select idref="V-204498" selected="true" /><select idref="V-204499" selected="true" /><select idref="V-204500" selected="true" /><select idref="V-204501" selected="true" /><select idref="V-204502" selected="true" /><select idref="V-204503" selected="true" /><select idref="V-204504" selected="true" /><select idref="V-204506" selected="true" /><select idref="V-204507" selected="true" /><select idref="V-204508" selected="true" /><select idref="V-204509" selected="true" /><select idref="V-204510" selected="true" /><select idref="V-204511" selected="true" /><select idref="V-204512" selected="true" /><select idref="V-204513" selected="true" /><select idref="V-204514" selected="true" /><select idref="V-204515" selected="true" /><select idref="V-204516" selected="true" /><select idref="V-204517" selected="true" /><select idref="V-204518" selected="true" /><select idref="V-204519" selected="true" /><select idref="V-204520" selected="true" /><select idref="V-204521" selected="true" /><select idref="V-204522" selected="true" /><select idref="V-204523" selected="true" /><select idref="V-204524" selected="true" /><select idref="V-204525" selected="true" /><select idref="V-204526" selected="true" /><select idref="V-204527" selected="true" /><select idref="V-204528" selected="true" /><select idref="V-204529" selected="true" /><select idref="V-204530" selected="true" /><select idref="V-204531" selected="true" /><select idref="V-204532" selected="true" /><select idref="V-204533" selected="true" /><select idref="V-204534" selected="true" /><select idref="V-204535" selected="true" /><select idref="V-204536" selected="true" /><select idref="V-204537" selected="true" /><select idref="V-204538" selected="true" /><select idref="V-204539" selected="true" /><select idref="V-204540" selected="true" /><select idref="V-204541" selected="true" /><select idref="V-204542" selected="true" /><select idref="V-204543" selected="true" /><select idref="V-204544" selected="true" /><select idref="V-204545" selected="true" /><select idref="V-204546" selected="true" /><select idref="V-204547" selected="true" /><select idref="V-204548" selected="true" /><select idref="V-204549" selected="true" /><select idref="V-204550" selected="true" /><select idref="V-204551" selected="true" /><select idref="V-204552" selected="true" /><select idref="V-204553" selected="true" /><select idref="V-204554" selected="true" /><select idref="V-204555" selected="true" /><select idref="V-204556" selected="true" /><select idref="V-204557" selected="true" /><select idref="V-204558" selected="true" /><select idref="V-204559" selected="true" /><select idref="V-204560" selected="true" /><select idref="V-204561" selected="true" /><select idref="V-204562" selected="true" /><select idref="V-204563" selected="true" /><select idref="V-204564" selected="true" /><select idref="V-204565" selected="true" /><select idref="V-204566" selected="true" /><select idref="V-204567" selected="true" /><select idref="V-204568" selected="true" /><select idref="V-204569" selected="true" /><select idref="V-204570" selected="true" /><select idref="V-204571" selected="true" /><select idref="V-204572" selected="true" /><select idref="V-204573" selected="true" /><select idref="V-204574" selected="true" /><select idref="V-204575" selected="true" /><select idref="V-204576" selected="true" /><select idref="V-204577" selected="true" /><select idref="V-204578" selected="true" /><select idref="V-204579" selected="true" /><select idref="V-204580" selected="true" /><select idref="V-204581" selected="true" /><select idref="V-204582" selected="true" /><select idref="V-204583" selected="true" /><select idref="V-204584" selected="true" /><select idref="V-204585" selected="true" /><select idref="V-204586" selected="true" /><select idref="V-204587" selected="true" /><select idref="V-204588" selected="true" /><select idref="V-204589" selected="true" /><select idref="V-204590" selected="true" /><select idref="V-204591" selected="true" /><select idref="V-204592" selected="true" /><select idref="V-204593" selected="true" /><select idref="V-204594" selected="true" /><select idref="V-204595" selected="true" /><select idref="V-204596" selected="true" /><select idref="V-204597" selected="true" /><select idref="V-204598" selected="true" /><select idref="V-204599" selected="true" /><select idref="V-204600" selected="true" /><select idref="V-204601" selected="true" /><select idref="V-204602" selected="true" /><select idref="V-204603" selected="true" /><select idref="V-204604" selected="true" /><select idref="V-204605" selected="true" /><select idref="V-204606" selected="true" /><select idref="V-204607" selected="true" /><select idref="V-204608" selected="true" /><select idref="V-204609" selected="true" /><select idref="V-204610" selected="true" /><select idref="V-204611" selected="true" /><select idref="V-204612" selected="true" /><select idref="V-204613" selected="true" /><select idref="V-204614" selected="true" /><select idref="V-204615" selected="true" /><select idref="V-204616" selected="true" /><select idref="V-204617" selected="true" /><select idref="V-204618" selected="true" /><select idref="V-204619" selected="true" /><select idref="V-204620" selected="true" /><select idref="V-204621" selected="true" /><select idref="V-204622" selected="true" /><select idref="V-204623" selected="true" /><select idref="V-204624" selected="true" /><select idref="V-204625" selected="true" /><select idref="V-204626" selected="true" /><select idref="V-204627" selected="true" /><select idref="V-204628" selected="true" /><select idref="V-204629" selected="true" /><select idref="V-204630" selected="true" /><select idref="V-204631" selected="true" /><select idref="V-204632" selected="true" /><select idref="V-204633" selected="true" /><select idref="V-204634" selected="true" /><select idref="V-214799" selected="true" /><select idref="V-214800" selected="true" /><select idref="V-214801" selected="true" /><select idref="V-214937" selected="true" /><select idref="V-219059" selected="true" /><select idref="V-228563" selected="true" /><select idref="V-228564" selected="true" /></Profile><Profile id="MAC-2_Sensitive"><title>II - Mission Support Sensitive</title><description>&lt;ProfileDescription&gt;&lt;/ProfileDescription&gt;</description><select idref="V-204392" selected="true" /><select idref="V-204393" selected="true" /><select idref="V-204394" selected="true" /><select idref="V-204395" selected="true" /><select idref="V-204396" selected="true" /><select idref="V-204397" selected="true" /><select idref="V-204398" selected="true" /><select idref="V-204399" selected="true" /><select idref="V-204400" selected="true" /><select idref="V-204402" selected="true" /><select idref="V-204403" selected="true" /><select idref="V-204404" selected="true" /><select idref="V-204405" selected="true" /><select idref="V-204406" selected="true" /><select idref="V-204407" selected="true" /><select idref="V-204408" selected="true" /><select idref="V-204409" selected="true" /><select idref="V-204410" selected="true" /><select idref="V-204411" selected="true" /><select idref="V-204412" selected="true" /><select idref="V-204413" selected="true" /><select idref="V-204414" selected="true" /><select idref="V-204415" selected="true" /><select idref="V-204416" selected="true" /><select idref="V-204417" selected="true" /><select idref="V-204418" selected="true" /><select idref="V-204419" selected="true" /><select idref="V-204420" selected="true" /><select idref="V-204421" selected="true" /><select idref="V-204422" selected="true" /><select idref="V-204423" selected="true" /><select idref="V-204424" selected="true" /><select idref="V-204425" selected="true" /><select idref="V-204426" selected="true" /><select idref="V-204427" selected="true" /><select idref="V-204428" selected="true" /><select idref="V-204429" selected="true" /><select idref="V-204430" selected="true" /><select idref="V-204431" selected="true" /><select idref="V-204432" selected="true" /><select idref="V-204433" selected="true" /><select idref="V-204434" selected="true" /><select idref="V-204435" selected="true" /><select idref="V-204436" selected="true" /><select idref="V-204437" selected="true" /><select idref="V-204438" selected="true" /><select idref="V-204439" selected="true" /><select idref="V-204440" selected="true" /><select idref="V-204441" selected="true" /><select idref="V-204442" selected="true" /><select idref="V-204443" selected="true" /><select idref="V-204444" selected="true" /><select idref="V-204445" selected="true" /><select idref="V-204446" selected="true" /><select idref="V-204447" selected="true" /><select idref="V-204448" selected="true" /><select idref="V-204449" selected="true" /><select idref="V-204450" selected="true" /><select idref="V-204451" selected="true" /><select idref="V-204452" selected="true" /><select idref="V-204453" selected="true" /><select idref="V-204454" selected="true" /><select idref="V-204455" selected="true" /><select idref="V-204456" selected="true" /><select idref="V-204457" selected="true" /><select idref="V-204458" selected="true" /><select idref="V-204459" selected="true" /><select idref="V-204460" selected="true" /><select idref="V-204461" selected="true" /><select idref="V-204462" selected="true" /><select idref="V-204463" selected="true" /><select idref="V-204464" selected="true" /><select idref="V-204466" selected="true" /><select idref="V-204467" selected="true" /><select idref="V-204468" selected="true" /><select idref="V-204469" selected="true" /><select idref="V-204470" selected="true" /><select idref="V-204471" selected="true" /><select idref="V-204472" selected="true" /><select idref="V-204473" selected="true" /><select idref="V-204474" selected="true" /><select idref="V-204475" selected="true" /><select idref="V-204476" selected="true" /><select idref="V-204477" selected="true" /><select idref="V-204478" selected="true" /><select idref="V-204479" selected="true" /><select idref="V-204480" selected="true" /><select idref="V-204481" selected="true" /><select idref="V-204482" selected="true" /><select idref="V-204483" selected="true" /><select idref="V-204486" selected="true" /><select idref="V-204487" selected="true" /><select idref="V-204488" selected="true" /><select idref="V-204489" selected="true" /><select idref="V-204490" selected="true" /><select idref="V-204491" selected="true" /><select idref="V-204492" selected="true" /><select idref="V-204493" selected="true" /><select idref="V-204494" selected="true" /><select idref="V-204495" selected="true" /><select idref="V-204496" selected="true" /><select idref="V-204497" selected="true" /><select idref="V-204498" selected="true" /><select idref="V-204499" selected="true" /><select idref="V-204500" selected="true" /><select idref="V-204501" selected="true" /><select idref="V-204502" selected="true" /><select idref="V-204503" selected="true" /><select idref="V-204504" selected="true" /><select idref="V-204506" selected="true" /><select idref="V-204507" selected="true" /><select idref="V-204508" selected="true" /><select idref="V-204509" selected="true" /><select idref="V-204510" selected="true" /><select idref="V-204511" selected="true" /><select idref="V-204512" selected="true" /><select idref="V-204513" selected="true" /><select idref="V-204514" selected="true" /><select idref="V-204515" selected="true" /><select idref="V-204516" selected="true" /><select idref="V-204517" selected="true" /><select idref="V-204518" selected="true" /><select idref="V-204519" selected="true" /><select idref="V-204520" selected="true" /><select idref="V-204521" selected="true" /><select idref="V-204522" selected="true" /><select idref="V-204523" selected="true" /><select idref="V-204524" selected="true" /><select idref="V-204525" selected="true" /><select idref="V-204526" selected="true" /><select idref="V-204527" selected="true" /><select idref="V-204528" selected="true" /><select idref="V-204529" selected="true" /><select idref="V-204530" selected="true" /><select idref="V-204531" selected="true" /><select idref="V-204532" selected="true" /><select idref="V-204533" selected="true" /><select idref="V-204534" selected="true" /><select idref="V-204535" selected="true" /><select idref="V-204536" selected="true" /><select idref="V-204537" selected="true" /><select idref="V-204538" selected="true" /><select idref="V-204539" selected="true" /><select idref="V-204540" selected="true" /><select idref="V-204541" selected="true" /><select idref="V-204542" selected="true" /><select idref="V-204543" selected="true" /><select idref="V-204544" selected="true" /><select idref="V-204545" selected="true" /><select idref="V-204546" selected="true" /><select idref="V-204547" selected="true" /><select idref="V-204548" selected="true" /><select idref="V-204549" selected="true" /><select idref="V-204550" selected="true" /><select idref="V-204551" selected="true" /><select idref="V-204552" selected="true" /><select idref="V-204553" selected="true" /><select idref="V-204554" selected="true" /><select idref="V-204555" selected="true" /><select idref="V-204556" selected="true" /><select idref="V-204557" selected="true" /><select idref="V-204558" selected="true" /><select idref="V-204559" selected="true" /><select idref="V-204560" selected="true" /><select idref="V-204561" selected="true" /><select idref="V-204562" selected="true" /><select idref="V-204563" selected="true" /><select idref="V-204564" selected="true" /><select idref="V-204565" selected="true" /><select idref="V-204566" selected="true" /><select idref="V-204567" selected="true" /><select idref="V-204568" selected="true" /><select idref="V-204569" selected="true" /><select idref="V-204570" selected="true" /><select idref="V-204571" selected="true" /><select idref="V-204572" selected="true" /><select idref="V-204573" selected="true" /><select idref="V-204574" selected="true" /><select idref="V-204575" selected="true" /><select idref="V-204576" selected="true" /><select idref="V-204577" selected="true" /><select idref="V-204578" selected="true" /><select idref="V-204579" selected="true" /><select idref="V-204580" selected="true" /><select idref="V-204581" selected="true" /><select idref="V-204582" selected="true" /><select idref="V-204583" selected="true" /><select idref="V-204584" selected="true" /><select idref="V-204585" selected="true" /><select idref="V-204586" selected="true" /><select idref="V-204587" selected="true" /><select idref="V-204588" selected="true" /><select idref="V-204589" selected="true" /><select idref="V-204590" selected="true" /><select idref="V-204591" selected="true" /><select idref="V-204592" selected="true" /><select idref="V-204593" selected="true" /><select idref="V-204594" selected="true" /><select idref="V-204595" selected="true" /><select idref="V-204596" selected="true" /><select idref="V-204597" selected="true" /><select idref="V-204598" selected="true" /><select idref="V-204599" selected="true" /><select idref="V-204600" selected="true" /><select idref="V-204601" selected="true" /><select idref="V-204602" selected="true" /><select idref="V-204603" selected="true" /><select idref="V-204604" selected="true" /><select idref="V-204605" selected="true" /><select idref="V-204606" selected="true" /><select idref="V-204607" selected="true" /><select idref="V-204608" selected="true" /><select idref="V-204609" selected="true" /><select idref="V-204610" selected="true" /><select idref="V-204611" selected="true" /><select idref="V-204612" selected="true" /><select idref="V-204613" selected="true" /><select idref="V-204614" selected="true" /><select idref="V-204615" selected="true" /><select idref="V-204616" selected="true" /><select idref="V-204617" selected="true" /><select idref="V-204618" selected="true" /><select idref="V-204619" selected="true" /><select idref="V-204620" selected="true" /><select idref="V-204621" selected="true" /><select idref="V-204622" selected="true" /><select idref="V-204623" selected="true" /><select idref="V-204624" selected="true" /><select idref="V-204625" selected="true" /><select idref="V-204626" selected="true" /><select idref="V-204627" selected="true" /><select idref="V-204628" selected="true" /><select idref="V-204629" selected="true" /><select idref="V-204630" selected="true" /><select idref="V-204631" selected="true" /><select idref="V-204632" selected="true" /><select idref="V-204633" selected="true" /><select idref="V-204634" selected="true" /><select idref="V-214799" selected="true" /><select idref="V-214800" selected="true" /><select idref="V-214801" selected="true" /><select idref="V-214937" selected="true" /><select idref="V-219059" selected="true" /><select idref="V-228563" selected="true" /><select idref="V-228564" selected="true" /></Profile><Profile id="MAC-3_Classified"><title>III - Administrative Classified</title><description>&lt;ProfileDescription&gt;&lt;/ProfileDescription&gt;</description><select idref="V-204392" selected="true" /><select idref="V-204393" selected="true" /><select idref="V-204394" selected="true" /><select idref="V-204395" selected="true" /><select idref="V-204396" selected="true" /><select idref="V-204397" selected="true" /><select idref="V-204398" selected="true" /><select idref="V-204399" selected="true" /><select idref="V-204400" selected="true" /><select idref="V-204402" selected="true" /><select idref="V-204403" selected="true" /><select idref="V-204404" selected="true" /><select idref="V-204405" selected="true" /><select idref="V-204406" selected="true" /><select idref="V-204407" selected="true" /><select idref="V-204408" selected="true" /><select idref="V-204409" selected="true" /><select idref="V-204410" selected="true" /><select idref="V-204411" selected="true" /><select idref="V-204412" selected="true" /><select idref="V-204413" selected="true" /><select idref="V-204414" selected="true" /><select idref="V-204415" selected="true" /><select idref="V-204416" selected="true" /><select idref="V-204417" selected="true" /><select idref="V-204418" selected="true" /><select idref="V-204419" selected="true" /><select idref="V-204420" selected="true" /><select idref="V-204421" selected="true" /><select idref="V-204422" selected="true" /><select idref="V-204423" selected="true" /><select idref="V-204424" selected="true" /><select idref="V-204425" selected="true" /><select idref="V-204426" selected="true" /><select idref="V-204427" selected="true" /><select idref="V-204428" selected="true" /><select idref="V-204429" selected="true" /><select idref="V-204430" selected="true" /><select idref="V-204431" selected="true" /><select idref="V-204432" selected="true" /><select idref="V-204433" selected="true" /><select idref="V-204434" selected="true" /><select idref="V-204435" selected="true" /><select idref="V-204436" selected="true" /><select idref="V-204437" selected="true" /><select idref="V-204438" selected="true" /><select idref="V-204439" selected="true" /><select idref="V-204440" selected="true" /><select idref="V-204441" selected="true" /><select idref="V-204442" selected="true" /><select idref="V-204443" selected="true" /><select idref="V-204444" selected="true" /><select idref="V-204445" selected="true" /><select idref="V-204446" selected="true" /><select idref="V-204447" selected="true" /><select idref="V-204448" selected="true" /><select idref="V-204449" selected="true" /><select idref="V-204450" selected="true" /><select idref="V-204451" selected="true" /><select idref="V-204452" selected="true" /><select idref="V-204453" selected="true" /><select idref="V-204454" selected="true" /><select idref="V-204455" selected="true" /><select idref="V-204456" selected="true" /><select idref="V-204457" selected="true" /><select idref="V-204458" selected="true" /><select idref="V-204459" selected="true" /><select idref="V-204460" selected="true" /><select idref="V-204461" selected="true" /><select idref="V-204462" selected="true" /><select idref="V-204463" selected="true" /><select idref="V-204464" selected="true" /><select idref="V-204466" selected="true" /><select idref="V-204467" selected="true" /><select idref="V-204468" selected="true" /><select idref="V-204469" selected="true" /><select idref="V-204470" selected="true" /><select idref="V-204471" selected="true" /><select idref="V-204472" selected="true" /><select idref="V-204473" selected="true" /><select idref="V-204474" selected="true" /><select idref="V-204475" selected="true" /><select idref="V-204476" selected="true" /><select idref="V-204477" selected="true" /><select idref="V-204478" selected="true" /><select idref="V-204479" selected="true" /><select idref="V-204480" selected="true" /><select idref="V-204481" selected="true" /><select idref="V-204482" selected="true" /><select idref="V-204483" selected="true" /><select idref="V-204486" selected="true" /><select idref="V-204487" selected="true" /><select idref="V-204488" selected="true" /><select idref="V-204489" selected="true" /><select idref="V-204490" selected="true" /><select idref="V-204491" selected="true" /><select idref="V-204492" selected="true" /><select idref="V-204493" selected="true" /><select idref="V-204494" selected="true" /><select idref="V-204495" selected="true" /><select idref="V-204496" selected="true" /><select idref="V-204497" selected="true" /><select idref="V-204498" selected="true" /><select idref="V-204499" selected="true" /><select idref="V-204500" selected="true" /><select idref="V-204501" selected="true" /><select idref="V-204502" selected="true" /><select idref="V-204503" selected="true" /><select idref="V-204504" selected="true" /><select idref="V-204506" selected="true" /><select idref="V-204507" selected="true" /><select idref="V-204508" selected="true" /><select idref="V-204509" selected="true" /><select idref="V-204510" selected="true" /><select idref="V-204511" selected="true" /><select idref="V-204512" selected="true" /><select idref="V-204513" selected="true" /><select idref="V-204514" selected="true" /><select idref="V-204515" selected="true" /><select idref="V-204516" selected="true" /><select idref="V-204517" selected="true" /><select idref="V-204518" selected="true" /><select idref="V-204519" selected="true" /><select idref="V-204520" selected="true" /><select idref="V-204521" selected="true" /><select idref="V-204522" selected="true" /><select idref="V-204523" selected="true" /><select idref="V-204524" selected="true" /><select idref="V-204525" selected="true" /><select idref="V-204526" selected="true" /><select idref="V-204527" selected="true" /><select idref="V-204528" selected="true" /><select idref="V-204529" selected="true" /><select idref="V-204530" selected="true" /><select idref="V-204531" selected="true" /><select idref="V-204532" selected="true" /><select idref="V-204533" selected="true" /><select idref="V-204534" selected="true" /><select idref="V-204535" selected="true" /><select idref="V-204536" selected="true" /><select idref="V-204537" selected="true" /><select idref="V-204538" selected="true" /><select idref="V-204539" selected="true" /><select idref="V-204540" selected="true" /><select idref="V-204541" selected="true" /><select idref="V-204542" selected="true" /><select idref="V-204543" selected="true" /><select idref="V-204544" selected="true" /><select idref="V-204545" selected="true" /><select idref="V-204546" selected="true" /><select idref="V-204547" selected="true" /><select idref="V-204548" selected="true" /><select idref="V-204549" selected="true" /><select idref="V-204550" selected="true" /><select idref="V-204551" selected="true" /><select idref="V-204552" selected="true" /><select idref="V-204553" selected="true" /><select idref="V-204554" selected="true" /><select idref="V-204555" selected="true" /><select idref="V-204556" selected="true" /><select idref="V-204557" selected="true" /><select idref="V-204558" selected="true" /><select idref="V-204559" selected="true" /><select idref="V-204560" selected="true" /><select idref="V-204561" selected="true" /><select idref="V-204562" selected="true" /><select idref="V-204563" selected="true" /><select idref="V-204564" selected="true" /><select idref="V-204565" selected="true" /><select idref="V-204566" selected="true" /><select idref="V-204567" selected="true" /><select idref="V-204568" selected="true" /><select idref="V-204569" selected="true" /><select idref="V-204570" selected="true" /><select idref="V-204571" selected="true" /><select idref="V-204572" selected="true" /><select idref="V-204573" selected="true" /><select idref="V-204574" selected="true" /><select idref="V-204575" selected="true" /><select idref="V-204576" selected="true" /><select idref="V-204577" selected="true" /><select idref="V-204578" selected="true" /><select idref="V-204579" selected="true" /><select idref="V-204580" selected="true" /><select idref="V-204581" selected="true" /><select idref="V-204582" selected="true" /><select idref="V-204583" selected="true" /><select idref="V-204584" selected="true" /><select idref="V-204585" selected="true" /><select idref="V-204586" selected="true" /><select idref="V-204587" selected="true" /><select idref="V-204588" selected="true" /><select idref="V-204589" selected="true" /><select idref="V-204590" selected="true" /><select idref="V-204591" selected="true" /><select idref="V-204592" selected="true" /><select idref="V-204593" selected="true" /><select idref="V-204594" selected="true" /><select idref="V-204595" selected="true" /><select idref="V-204596" selected="true" /><select idref="V-204597" selected="true" /><select idref="V-204598" selected="true" /><select idref="V-204599" selected="true" /><select idref="V-204600" selected="true" /><select idref="V-204601" selected="true" /><select idref="V-204602" selected="true" /><select idref="V-204603" selected="true" /><select idref="V-204604" selected="true" /><select idref="V-204605" selected="true" /><select idref="V-204606" selected="true" /><select idref="V-204607" selected="true" /><select idref="V-204608" selected="true" /><select idref="V-204609" selected="true" /><select idref="V-204610" selected="true" /><select idref="V-204611" selected="true" /><select idref="V-204612" selected="true" /><select idref="V-204613" selected="true" /><select idref="V-204614" selected="true" /><select idref="V-204615" selected="true" /><select idref="V-204616" selected="true" /><select idref="V-204617" selected="true" /><select idref="V-204618" selected="true" /><select idref="V-204619" selected="true" /><select idref="V-204620" selected="true" /><select idref="V-204621" selected="true" /><select idref="V-204622" selected="true" /><select idref="V-204623" selected="true" /><select idref="V-204624" selected="true" /><select idref="V-204625" selected="true" /><select idref="V-204626" selected="true" /><select idref="V-204627" selected="true" /><select idref="V-204628" selected="true" /><select idref="V-204629" selected="true" /><select idref="V-204630" selected="true" /><select idref="V-204631" selected="true" /><select idref="V-204632" selected="true" /><select idref="V-204633" selected="true" /><select idref="V-204634" selected="true" /><select idref="V-214799" selected="true" /><select idref="V-214800" selected="true" /><select idref="V-214801" selected="true" /><select idref="V-214937" selected="true" /><select idref="V-219059" selected="true" /><select idref="V-228563" selected="true" /><select idref="V-228564" selected="true" /></Profile><Profile id="MAC-3_Public"><title>III - Administrative Public</title><description>&lt;ProfileDescription&gt;&lt;/ProfileDescription&gt;</description><select idref="V-204392" selected="true" /><select idref="V-204393" selected="true" /><select idref="V-204394" selected="true" /><select idref="V-204395" selected="true" /><select idref="V-204396" selected="true" /><select idref="V-204397" selected="true" /><select idref="V-204398" selected="true" /><select idref="V-204399" selected="true" /><select idref="V-204400" selected="true" /><select idref="V-204402" selected="true" /><select idref="V-204403" selected="true" /><select idref="V-204404" selected="true" /><select idref="V-204405" selected="true" /><select idref="V-204406" selected="true" /><select idref="V-204407" selected="true" /><select idref="V-204408" selected="true" /><select idref="V-204409" selected="true" /><select idref="V-204410" selected="true" /><select idref="V-204411" selected="true" /><select idref="V-204412" selected="true" /><select idref="V-204413" selected="true" /><select idref="V-204414" selected="true" /><select idref="V-204415" selected="true" /><select idref="V-204416" selected="true" /><select idref="V-204417" selected="true" /><select idref="V-204418" selected="true" /><select idref="V-204419" selected="true" /><select idref="V-204420" selected="true" /><select idref="V-204421" selected="true" /><select idref="V-204422" selected="true" /><select idref="V-204423" selected="true" /><select idref="V-204424" selected="true" /><select idref="V-204425" selected="true" /><select idref="V-204426" selected="true" /><select idref="V-204427" selected="true" /><select idref="V-204428" selected="true" /><select idref="V-204429" selected="true" /><select idref="V-204430" selected="true" /><select idref="V-204431" selected="true" /><select idref="V-204432" selected="true" /><select idref="V-204433" selected="true" /><select idref="V-204434" selected="true" /><select idref="V-204435" selected="true" /><select idref="V-204436" selected="true" /><select idref="V-204437" selected="true" /><select idref="V-204438" selected="true" /><select idref="V-204439" selected="true" /><select idref="V-204440" selected="true" /><select idref="V-204441" selected="true" /><select idref="V-204442" selected="true" /><select idref="V-204443" selected="true" /><select idref="V-204444" selected="true" /><select idref="V-204445" selected="true" /><select idref="V-204446" selected="true" /><select idref="V-204447" selected="true" /><select idref="V-204448" selected="true" /><select idref="V-204449" selected="true" /><select idref="V-204450" selected="true" /><select idref="V-204451" selected="true" /><select idref="V-204452" selected="true" /><select idref="V-204453" selected="true" /><select idref="V-204454" selected="true" /><select idref="V-204455" selected="true" /><select idref="V-204456" selected="true" /><select idref="V-204457" selected="true" /><select idref="V-204458" selected="true" /><select idref="V-204459" selected="true" /><select idref="V-204460" selected="true" /><select idref="V-204461" selected="true" /><select idref="V-204462" selected="true" /><select idref="V-204463" selected="true" /><select idref="V-204464" selected="true" /><select idref="V-204466" selected="true" /><select idref="V-204467" selected="true" /><select idref="V-204468" selected="true" /><select idref="V-204469" selected="true" /><select idref="V-204470" selected="true" /><select idref="V-204471" selected="true" /><select idref="V-204472" selected="true" /><select idref="V-204473" selected="true" /><select idref="V-204474" selected="true" /><select idref="V-204475" selected="true" /><select idref="V-204476" selected="true" /><select idref="V-204477" selected="true" /><select idref="V-204478" selected="true" /><select idref="V-204479" selected="true" /><select idref="V-204480" selected="true" /><select idref="V-204481" selected="true" /><select idref="V-204482" selected="true" /><select idref="V-204483" selected="true" /><select idref="V-204486" selected="true" /><select idref="V-204487" selected="true" /><select idref="V-204488" selected="true" /><select idref="V-204489" selected="true" /><select idref="V-204490" selected="true" /><select idref="V-204491" selected="true" /><select idref="V-204492" selected="true" /><select idref="V-204493" selected="true" /><select idref="V-204494" selected="true" /><select idref="V-204495" selected="true" /><select idref="V-204496" selected="true" /><select idref="V-204497" selected="true" /><select idref="V-204498" selected="true" /><select idref="V-204499" selected="true" /><select idref="V-204500" selected="true" /><select idref="V-204501" selected="true" /><select idref="V-204502" selected="true" /><select idref="V-204503" selected="true" /><select idref="V-204504" selected="true" /><select idref="V-204506" selected="true" /><select idref="V-204507" selected="true" /><select idref="V-204508" selected="true" /><select idref="V-204509" selected="true" /><select idref="V-204510" selected="true" /><select idref="V-204511" selected="true" /><select idref="V-204512" selected="true" /><select idref="V-204513" selected="true" /><select idref="V-204514" selected="true" /><select idref="V-204515" selected="true" /><select idref="V-204516" selected="true" /><select idref="V-204517" selected="true" /><select idref="V-204518" selected="true" /><select idref="V-204519" selected="true" /><select idref="V-204520" selected="true" /><select idref="V-204521" selected="true" /><select idref="V-204522" selected="true" /><select idref="V-204523" selected="true" /><select idref="V-204524" selected="true" /><select idref="V-204525" selected="true" /><select idref="V-204526" selected="true" /><select idref="V-204527" selected="true" /><select idref="V-204528" selected="true" /><select idref="V-204529" selected="true" /><select idref="V-204530" selected="true" /><select idref="V-204531" selected="true" /><select idref="V-204532" selected="true" /><select idref="V-204533" selected="true" /><select idref="V-204534" selected="true" /><select idref="V-204535" selected="true" /><select idref="V-204536" selected="true" /><select idref="V-204537" selected="true" /><select idref="V-204538" selected="true" /><select idref="V-204539" selected="true" /><select idref="V-204540" selected="true" /><select idref="V-204541" selected="true" /><select idref="V-204542" selected="true" /><select idref="V-204543" selected="true" /><select idref="V-204544" selected="true" /><select idref="V-204545" selected="true" /><select idref="V-204546" selected="true" /><select idref="V-204547" selected="true" /><select idref="V-204548" selected="true" /><select idref="V-204549" selected="true" /><select idref="V-204550" selected="true" /><select idref="V-204551" selected="true" /><select idref="V-204552" selected="true" /><select idref="V-204553" selected="true" /><select idref="V-204554" selected="true" /><select idref="V-204555" selected="true" /><select idref="V-204556" selected="true" /><select idref="V-204557" selected="true" /><select idref="V-204558" selected="true" /><select idref="V-204559" selected="true" /><select idref="V-204560" selected="true" /><select idref="V-204561" selected="true" /><select idref="V-204562" selected="true" /><select idref="V-204563" selected="true" /><select idref="V-204564" selected="true" /><select idref="V-204565" selected="true" /><select idref="V-204566" selected="true" /><select idref="V-204567" selected="true" /><select idref="V-204568" selected="true" /><select idref="V-204569" selected="true" /><select idref="V-204570" selected="true" /><select idref="V-204571" selected="true" /><select idref="V-204572" selected="true" /><select idref="V-204573" selected="true" /><select idref="V-204574" selected="true" /><select idref="V-204575" selected="true" /><select idref="V-204576" selected="true" /><select idref="V-204577" selected="true" /><select idref="V-204578" selected="true" /><select idref="V-204579" selected="true" /><select idref="V-204580" selected="true" /><select idref="V-204581" selected="true" /><select idref="V-204582" selected="true" /><select idref="V-204583" selected="true" /><select idref="V-204584" selected="true" /><select idref="V-204585" selected="true" /><select idref="V-204586" selected="true" /><select idref="V-204587" selected="true" /><select idref="V-204588" selected="true" /><select idref="V-204589" selected="true" /><select idref="V-204590" selected="true" /><select idref="V-204591" selected="true" /><select idref="V-204592" selected="true" /><select idref="V-204593" selected="true" /><select idref="V-204594" selected="true" /><select idref="V-204595" selected="true" /><select idref="V-204596" selected="true" /><select idref="V-204597" selected="true" /><select idref="V-204598" selected="true" /><select idref="V-204599" selected="true" /><select idref="V-204600" selected="true" /><select idref="V-204601" selected="true" /><select idref="V-204602" selected="true" /><select idref="V-204603" selected="true" /><select idref="V-204604" selected="true" /><select idref="V-204605" selected="true" /><select idref="V-204606" selected="true" /><select idref="V-204607" selected="true" /><select idref="V-204608" selected="true" /><select idref="V-204609" selected="true" /><select idref="V-204610" selected="true" /><select idref="V-204611" selected="true" /><select idref="V-204612" selected="true" /><select idref="V-204613" selected="true" /><select idref="V-204614" selected="true" /><select idref="V-204615" selected="true" /><select idref="V-204616" selected="true" /><select idref="V-204617" selected="true" /><select idref="V-204618" selected="true" /><select idref="V-204619" selected="true" /><select idref="V-204620" selected="true" /><select idref="V-204621" selected="true" /><select idref="V-204622" selected="true" /><select idref="V-204623" selected="true" /><select idref="V-204624" selected="true" /><select idref="V-204625" selected="true" /><select idref="V-204626" selected="true" /><select idref="V-204627" selected="true" /><select idref="V-204628" selected="true" /><select idref="V-204629" selected="true" /><select idref="V-204630" selected="true" /><select idref="V-204631" selected="true" /><select idref="V-204632" selected="true" /><select idref="V-204633" selected="true" /><select idref="V-204634" selected="true" /><select idref="V-214799" selected="true" /><select idref="V-214800" selected="true" /><select idref="V-214801" selected="true" /><select idref="V-214937" selected="true" /><select idref="V-219059" selected="true" /><select idref="V-228563" selected="true" /><select idref="V-228564" selected="true" /></Profile><Profile id="MAC-3_Sensitive"><title>III - Administrative Sensitive</title><description>&lt;ProfileDescription&gt;&lt;/ProfileDescription&gt;</description><select idref="V-204392" selected="true" /><select idref="V-204393" selected="true" /><select idref="V-204394" selected="true" /><select idref="V-204395" selected="true" /><select idref="V-204396" selected="true" /><select idref="V-204397" selected="true" /><select idref="V-204398" selected="true" /><select idref="V-204399" selected="true" /><select idref="V-204400" selected="true" /><select idref="V-204402" selected="true" /><select idref="V-204403" selected="true" /><select idref="V-204404" selected="true" /><select idref="V-204405" selected="true" /><select idref="V-204406" selected="true" /><select idref="V-204407" selected="true" /><select idref="V-204408" selected="true" /><select idref="V-204409" selected="true" /><select idref="V-204410" selected="true" /><select idref="V-204411" selected="true" /><select idref="V-204412" selected="true" /><select idref="V-204413" selected="true" /><select idref="V-204414" selected="true" /><select idref="V-204415" selected="true" /><select idref="V-204416" selected="true" /><select idref="V-204417" selected="true" /><select idref="V-204418" selected="true" /><select idref="V-204419" selected="true" /><select idref="V-204420" selected="true" /><select idref="V-204421" selected="true" /><select idref="V-204422" selected="true" /><select idref="V-204423" selected="true" /><select idref="V-204424" selected="true" /><select idref="V-204425" selected="true" /><select idref="V-204426" selected="true" /><select idref="V-204427" selected="true" /><select idref="V-204428" selected="true" /><select idref="V-204429" selected="true" /><select idref="V-204430" selected="true" /><select idref="V-204431" selected="true" /><select idref="V-204432" selected="true" /><select idref="V-204433" selected="true" /><select idref="V-204434" selected="true" /><select idref="V-204435" selected="true" /><select idref="V-204436" selected="true" /><select idref="V-204437" selected="true" /><select idref="V-204438" selected="true" /><select idref="V-204439" selected="true" /><select idref="V-204440" selected="true" /><select idref="V-204441" selected="true" /><select idref="V-204442" selected="true" /><select idref="V-204443" selected="true" /><select idref="V-204444" selected="true" /><select idref="V-204445" selected="true" /><select idref="V-204446" selected="true" /><select idref="V-204447" selected="true" /><select idref="V-204448" selected="true" /><select idref="V-204449" selected="true" /><select idref="V-204450" selected="true" /><select idref="V-204451" selected="true" /><select idref="V-204452" selected="true" /><select idref="V-204453" selected="true" /><select idref="V-204454" selected="true" /><select idref="V-204455" selected="true" /><select idref="V-204456" selected="true" /><select idref="V-204457" selected="true" /><select idref="V-204458" selected="true" /><select idref="V-204459" selected="true" /><select idref="V-204460" selected="true" /><select idref="V-204461" selected="true" /><select idref="V-204462" selected="true" /><select idref="V-204463" selected="true" /><select idref="V-204464" selected="true" /><select idref="V-204466" selected="true" /><select idref="V-204467" selected="true" /><select idref="V-204468" selected="true" /><select idref="V-204469" selected="true" /><select idref="V-204470" selected="true" /><select idref="V-204471" selected="true" /><select idref="V-204472" selected="true" /><select idref="V-204473" selected="true" /><select idref="V-204474" selected="true" /><select idref="V-204475" selected="true" /><select idref="V-204476" selected="true" /><select idref="V-204477" selected="true" /><select idref="V-204478" selected="true" /><select idref="V-204479" selected="true" /><select idref="V-204480" selected="true" /><select idref="V-204481" selected="true" /><select idref="V-204482" selected="true" /><select idref="V-204483" selected="true" /><select idref="V-204486" selected="true" /><select idref="V-204487" selected="true" /><select idref="V-204488" selected="true" /><select idref="V-204489" selected="true" /><select idref="V-204490" selected="true" /><select idref="V-204491" selected="true" /><select idref="V-204492" selected="true" /><select idref="V-204493" selected="true" /><select idref="V-204494" selected="true" /><select idref="V-204495" selected="true" /><select idref="V-204496" selected="true" /><select idref="V-204497" selected="true" /><select idref="V-204498" selected="true" /><select idref="V-204499" selected="true" /><select idref="V-204500" selected="true" /><select idref="V-204501" selected="true" /><select idref="V-204502" selected="true" /><select idref="V-204503" selected="true" /><select idref="V-204504" selected="true" /><select idref="V-204506" selected="true" /><select idref="V-204507" selected="true" /><select idref="V-204508" selected="true" /><select idref="V-204509" selected="true" /><select idref="V-204510" selected="true" /><select idref="V-204511" selected="true" /><select idref="V-204512" selected="true" /><select idref="V-204513" selected="true" /><select idref="V-204514" selected="true" /><select idref="V-204515" selected="true" /><select idref="V-204516" selected="true" /><select idref="V-204517" selected="true" /><select idref="V-204518" selected="true" /><select idref="V-204519" selected="true" /><select idref="V-204520" selected="true" /><select idref="V-204521" selected="true" /><select idref="V-204522" selected="true" /><select idref="V-204523" selected="true" /><select idref="V-204524" selected="true" /><select idref="V-204525" selected="true" /><select idref="V-204526" selected="true" /><select idref="V-204527" selected="true" /><select idref="V-204528" selected="true" /><select idref="V-204529" selected="true" /><select idref="V-204530" selected="true" /><select idref="V-204531" selected="true" /><select idref="V-204532" selected="true" /><select idref="V-204533" selected="true" /><select idref="V-204534" selected="true" /><select idref="V-204535" selected="true" /><select idref="V-204536" selected="true" /><select idref="V-204537" selected="true" /><select idref="V-204538" selected="true" /><select idref="V-204539" selected="true" /><select idref="V-204540" selected="true" /><select idref="V-204541" selected="true" /><select idref="V-204542" selected="true" /><select idref="V-204543" selected="true" /><select idref="V-204544" selected="true" /><select idref="V-204545" selected="true" /><select idref="V-204546" selected="true" /><select idref="V-204547" selected="true" /><select idref="V-204548" selected="true" /><select idref="V-204549" selected="true" /><select idref="V-204550" selected="true" /><select idref="V-204551" selected="true" /><select idref="V-204552" selected="true" /><select idref="V-204553" selected="true" /><select idref="V-204554" selected="true" /><select idref="V-204555" selected="true" /><select idref="V-204556" selected="true" /><select idref="V-204557" selected="true" /><select idref="V-204558" selected="true" /><select idref="V-204559" selected="true" /><select idref="V-204560" selected="true" /><select idref="V-204561" selected="true" /><select idref="V-204562" selected="true" /><select idref="V-204563" selected="true" /><select idref="V-204564" selected="true" /><select idref="V-204565" selected="true" /><select idref="V-204566" selected="true" /><select idref="V-204567" selected="true" /><select idref="V-204568" selected="true" /><select idref="V-204569" selected="true" /><select idref="V-204570" selected="true" /><select idref="V-204571" selected="true" /><select idref="V-204572" selected="true" /><select idref="V-204573" selected="true" /><select idref="V-204574" selected="true" /><select idref="V-204575" selected="true" /><select idref="V-204576" selected="true" /><select idref="V-204577" selected="true" /><select idref="V-204578" selected="true" /><select idref="V-204579" selected="true" /><select idref="V-204580" selected="true" /><select idref="V-204581" selected="true" /><select idref="V-204582" selected="true" /><select idref="V-204583" selected="true" /><select idref="V-204584" selected="true" /><select idref="V-204585" selected="true" /><select idref="V-204586" selected="true" /><select idref="V-204587" selected="true" /><select idref="V-204588" selected="true" /><select idref="V-204589" selected="true" /><select idref="V-204590" selected="true" /><select idref="V-204591" selected="true" /><select idref="V-204592" selected="true" /><select idref="V-204593" selected="true" /><select idref="V-204594" selected="true" /><select idref="V-204595" selected="true" /><select idref="V-204596" selected="true" /><select idref="V-204597" selected="true" /><select idref="V-204598" selected="true" /><select idref="V-204599" selected="true" /><select idref="V-204600" selected="true" /><select idref="V-204601" selected="true" /><select idref="V-204602" selected="true" /><select idref="V-204603" selected="true" /><select idref="V-204604" selected="true" /><select idref="V-204605" selected="true" /><select idref="V-204606" selected="true" /><select idref="V-204607" selected="true" /><select idref="V-204608" selected="true" /><select idref="V-204609" selected="true" /><select idref="V-204610" selected="true" /><select idref="V-204611" selected="true" /><select idref="V-204612" selected="true" /><select idref="V-204613" selected="true" /><select idref="V-204614" selected="true" /><select idref="V-204615" selected="true" /><select idref="V-204616" selected="true" /><select idref="V-204617" selected="true" /><select idref="V-204618" selected="true" /><select idref="V-204619" selected="true" /><select idref="V-204620" selected="true" /><select idref="V-204621" selected="true" /><select idref="V-204622" selected="true" /><select idref="V-204623" selected="true" /><select idref="V-204624" selected="true" /><select idref="V-204625" selected="true" /><select idref="V-204626" selected="true" /><select idref="V-204627" selected="true" /><select idref="V-204628" selected="true" /><select idref="V-204629" selected="true" /><select idref="V-204630" selected="true" /><select idref="V-204631" selected="true" /><select idref="V-204632" selected="true" /><select idref="V-204633" selected="true" /><select idref="V-204634" selected="true" /><select idref="V-214799" selected="true" /><select idref="V-214800" selected="true" /><select idref="V-214801" selected="true" /><select idref="V-214937" selected="true" /><select idref="V-219059" selected="true" /><select idref="V-228563" selected="true" /><select idref="V-228564" selected="true" /></Profile><Group id="V-204392"><title>SRG-OS-000257-GPOS-00098</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204392r505924_rule" weight="10.0" severity="high"><version>RHEL-07-010010</version><title>The Red Hat Enterprise Linux operating system must be configured so that the file permissions, ownership, and group membership of system files and commands match the vendor values.</title><description>&lt;VulnDiscussion&gt;Discretionary access control is weakened if a user or group has access permissions to system files and directories greater than the default.
-+
-+Satisfies: SRG-OS-000257-GPOS-00098, SRG-OS-000278-GPOS-00108&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-71849</ident><ident system="http://cyber.mil/legacy">SV-86473</ident><ident system="http://cyber.mil/cci">CCI-001494</ident><ident system="http://cyber.mil/cci">CCI-001496</ident><ident system="http://cyber.mil/cci">CCI-002165</ident><ident system="http://cyber.mil/cci">CCI-002235</ident><fixtext fixref="F-4516r499370_fix">Run the following command to determine which package owns the file:
-+
-+# rpm -qf &lt;filename&gt;
-+
-+Reset the user and group ownership of files within a package with the following command:
-+
-+#rpm --setugids &lt;packagename&gt;
-+
-+
-+Reset the permissions of files within a package with the following command:
-+
-+#rpm --setperms &lt;packagename&gt;</fixtext><fix id="F-4516r499370_fix" /><check system="C-4516r499369_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the file permissions, ownership, and group membership of system files and commands match the vendor values.
-+
-+Check the default file permissions, ownership, and group membership of system files and commands with the following command:
-+
-+# for i in `rpm -Va | egrep -i '^\.[M|U|G|.]{8}' | cut -d " " -f 4,5`;do for j in `rpm -qf $i`;do rpm -ql $j --dump | cut -d " " -f 1,5,6,7 | grep $i;done;done
-+
-+/var/log/gdm 040755 root root
-+/etc/audisp/audisp-remote.conf 0100640 root root
-+/usr/bin/passwd 0104755 root root
-+
-+For each file returned, verify the current permissions, ownership, and group membership:
-+# ls -la &lt;filename&gt;
-+
-+-rw-------. 1 root root 133 Jan 11 13:25 /etc/audisp/audisp-remote.conf
-+
-+If the file is more permissive than the default permissions, this is a finding.
-+
-+If the file is not owned by the default owner and is not documented with the Information System Security Officer (ISSO), this is a finding.
-+
-+If the file is not a member of the default group and is not documented with the Information System Security Officer (ISSO), this is a finding.</check-content></check></Rule></Group><Group id="V-204393"><title>SRG-OS-000023-GPOS-00006</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204393r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-010030</version><title>The Red Hat Enterprise Linux operating system must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a graphical user logon.</title><description>&lt;VulnDiscussion&gt;Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.
-+
-+System use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist.
-+
-+The banner must be formatted in accordance with applicable DoD policy. Use the following verbiage for operating systems that can accommodate banners of 1300 characters:
-+
-+"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.
-+
-+By using this IS (which includes any device attached to this IS), you consent to the following conditions:
-+
-+-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
-+
-+-At any time, the USG may inspect and seize data stored on this IS.
-+
-+-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
-+
-+-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.
-+
-+-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."
-+
-+
-+Satisfies: SRG-OS-000023-GPOS-00006, SRG-OS-000024-GPOS-00007, SRG-OS-000228-GPOS-00088&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86483</ident><ident system="http://cyber.mil/legacy">V-71859</ident><ident system="http://cyber.mil/cci">CCI-000048</ident><fixtext fixref="F-4517r88372_fix">Configure the operating system to display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system.
-+
-+Note: If the system does not have GNOME installed, this requirement is Not Applicable.
-+
-+Create a database to contain the system-wide graphical user logon settings (if it does not already exist) with the following command:
-+
-+# touch /etc/dconf/db/local.d/01-banner-message
-+
-+Add the following line to the [org/gnome/login-screen] section of the "/etc/dconf/db/local.d/01-banner-message":
-+
-+[org/gnome/login-screen]
-+banner-message-enable=true
-+
-+Update the system databases:
-+
-+# dconf update
-+
-+Users must log out and back in again before the system-wide settings take effect.</fixtext><fix id="F-4517r88372_fix" /><check system="C-4517r88371_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the operating system displays the Standard Mandatory DoD Notice and Consent Banner before granting access to the operating system via a graphical user logon.
-+
-+Note: If the system does not have GNOME installed, this requirement is Not Applicable. 
-+
-+Check to see if the operating system displays a banner at the logon screen with the following command:
-+
-+# grep banner-message-enable /etc/dconf/db/local.d/*
-+banner-message-enable=true
-+
-+If "banner-message-enable" is set to "false" or is missing, this is a finding.</check-content></check></Rule></Group><Group id="V-204394"><title>SRG-OS-000023-GPOS-00006</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204394r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-010040</version><title>The Red Hat Enterprise Linux operating system must display the approved Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a graphical user logon.</title><description>&lt;VulnDiscussion&gt;Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.
-+
-+System use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist.
-+
-+The banner must be formatted in accordance with applicable DoD policy.
-+
-+"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.
-+
-+By using this IS (which includes any device attached to this IS), you consent to the following conditions:
-+
-+-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
-+
-+-At any time, the USG may inspect and seize data stored on this IS.
-+
-+-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
-+
-+-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.
-+
-+-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."
-+
-+Satisfies: SRG-OS-000023-GPOS-00006, SRG-OS-000024-GPOS-00007, SRG-OS-000228-GPOS-00088&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86485</ident><ident system="http://cyber.mil/legacy">V-71861</ident><ident system="http://cyber.mil/cci">CCI-000048</ident><fixtext fixref="F-4518r297479_fix">Configure the operating system to display the approved Standard Mandatory DoD Notice and Consent Banner before granting access to the system.
-+
-+Note: If the system does not have a Graphical User Interface installed, this requirement is Not Applicable.
-+
-+Create a database to contain the system-wide graphical user logon settings (if it does not already exist) with the following command:
-+
-+# touch /etc/dconf/db/local.d/01-banner-message
-+
-+Add the following line to the [org/gnome/login-screen] section of the "/etc/dconf/db/local.d/01-banner-message":
-+
-+[org/gnome/login-screen]
-+
-+banner-message-enable=true
-+
-+banner-message-text='You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n-At any time, the USG may inspect and seize data stored on this IS.\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. '
-+
-+Note: The "\n " characters are for formatting only. They will not be displayed on the Graphical User Interface.
-+
-+Run the following command to update the database:
-+# dconf update</fixtext><fix id="F-4518r297479_fix" /><check system="C-4518r297478_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the operating system displays the approved Standard Mandatory DoD Notice and Consent Banner before granting access to the operating system via a graphical user logon.
-+
-+Note: If the system does not have a Graphical User Interface installed, this requirement is Not Applicable.
-+
-+Check that the operating system displays the exact approved Standard Mandatory DoD Notice and Consent Banner text with the command:
-+
-+# grep banner-message-text /etc/dconf/db/local.d/*
-+banner-message-text=
-+'You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n-At any time, the USG may inspect and seize data stored on this IS.\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. '
-+
-+Note: The "\n " characters are for formatting only. They will not be displayed on the Graphical User Interface.
-+
-+If the banner does not match the approved Standard Mandatory DoD Notice and Consent Banner, this is a finding.</check-content></check></Rule></Group><Group id="V-204395"><title>SRG-OS-000023-GPOS-00006</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204395r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-010050</version><title>The Red Hat Enterprise Linux operating system must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a command line user logon.</title><description>&lt;VulnDiscussion&gt;Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.
-+
-+System use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist.
-+
-+The banner must be formatted in accordance with applicable DoD policy. Use the following verbiage for operating systems that can accommodate banners of 1300 characters:
-+
-+"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.
-+
-+By using this IS (which includes any device attached to this IS), you consent to the following conditions:
-+
-+-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
-+
-+-At any time, the USG may inspect and seize data stored on this IS.
-+
-+-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
-+
-+-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.
-+
-+-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."
-+
-+Satisfies: SRG-OS-000023-GPOS-00006, SRG-OS-000024-GPOS-00007&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86487</ident><ident system="http://cyber.mil/legacy">V-71863</ident><ident system="http://cyber.mil/cci">CCI-000048</ident><fixtext fixref="F-4519r88378_fix">Configure the operating system to display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system via the command line by editing the "/etc/issue" file.
-+
-+Replace the default text with the Standard Mandatory DoD Notice and Consent Banner. The DoD required text is:
-+"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.
-+
-+By using this IS (which includes any device attached to this IS), you consent to the following conditions:
-+
-+-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
-+
-+-At any time, the USG may inspect and seize data stored on this IS.
-+
-+-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
-+
-+-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.
-+
-+-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants.  Such communications and work product are private and confidential.  See User Agreement for details."</fixtext><fix id="F-4519r88378_fix" /><check system="C-4519r88377_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the operating system displays the Standard Mandatory DoD Notice and Consent Banner before granting access to the operating system via a command line user logon.
-+
-+Check to see if the operating system displays a banner at the command line logon screen with the following command:
-+
-+# more /etc/issue
-+
-+The command should return the following text:
-+"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.
-+
-+By using this IS (which includes any device attached to this IS), you consent to the following conditions:
-+
-+-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
-+
-+-At any time, the USG may inspect and seize data stored on this IS.
-+
-+-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
-+
-+-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.
-+
-+-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."
-+
-+If the operating system does not display a graphical logon banner or the banner does not match the Standard Mandatory DoD Notice and Consent Banner, this is a finding.
-+
-+If the text in the "/etc/issue" file does not match the Standard Mandatory DoD Notice and Consent Banner, this is a finding.</check-content></check></Rule></Group><Group id="V-204396"><title>SRG-OS-000028-GPOS-00009</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204396r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-010060</version><title>The Red Hat Enterprise Linux operating system must enable a user session lock until that user re-establishes access using established identification and authentication procedures.</title><description>&lt;VulnDiscussion&gt;A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence.
-+
-+The session lock is implemented at the point where session activity can be determined.
-+
-+Regardless of where the session lock is determined and implemented, once invoked, the session lock must remain in place until the user reauthenticates. No other activity aside from reauthentication must unlock the system.
-+
-+Satisfies: SRG-OS-000028-GPOS-00009, SRG-OS-000030-GPOS-00011&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86515</ident><ident system="http://cyber.mil/legacy">V-71891</ident><ident system="http://cyber.mil/cci">CCI-000056</ident><fixtext fixref="F-4520r88381_fix">Configure the operating system to enable a user's session lock until that user re-establishes access using established identification and authentication procedures.
-+
-+Create a database to contain the system-wide screensaver settings (if it does not already exist) with the following example:
-+
-+# touch /etc/dconf/db/local.d/00-screensaver
-+
-+Edit the "[org/gnome/desktop/screensaver]" section of the database file and add or update the following lines:
-+
-+# Set this to true to lock the screen when the screensaver activates
-+lock-enabled=true
-+
-+Update the system databases:
-+
-+# dconf update
-+
-+Users must log out and back in again before the system-wide settings take effect. </fixtext><fix id="F-4520r88381_fix" /><check system="C-4520r88380_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the operating system enables a user's session lock until that user re-establishes access using established identification and authentication procedures. The screen program must be installed to lock sessions on the console.
-+
-+Note: If the system does not have GNOME installed, this requirement is Not Applicable.
-+
-+Check to see if the screen lock is enabled with the following command:
-+
-+# grep -i lock-enabled /etc/dconf/db/local.d/*
-+lock-enabled=true
-+
-+If the "lock-enabled" setting is missing or is not set to "true", this is a finding.</check-content></check></Rule></Group><Group id="V-204397"><title>SRG-OS-000375-GPOS-00160</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204397r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-010061</version><title>The Red Hat Enterprise Linux operating system must uniquely identify and must authenticate users using multifactor authentication via a graphical user logon.</title><description>&lt;VulnDiscussion&gt;To assure accountability and prevent unauthenticated access, users must be identified and authenticated to prevent potential misuse and compromise of the system.
-+
-+Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification card and the DoD Common Access Card.
-+
-+Satisfies: SRG-OS-000375-GPOS-00161,SRG-OS-000375-GPOS-00162&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-77819</ident><ident system="http://cyber.mil/legacy">SV-92515</ident><ident system="http://cyber.mil/cci">CCI-001948</ident><ident system="http://cyber.mil/cci">CCI-001953</ident><ident system="http://cyber.mil/cci">CCI-001954</ident><fixtext fixref="F-4521r88384_fix">Configure the operating system to uniquely identify and authenticate users using multifactor authentication via a graphical user logon.
-+
-+Note: If the system does not have GNOME installed, this requirement is Not Applicable.
-+
-+Create a database to contain the system-wide screensaver settings (if it does not already exist) with the following command: 
-+
-+Note: The example is using the database local for the system, so if the system is using another database in "/etc/dconf/profile/user", the file should be created under the appropriate subdirectory.
-+
-+# touch /etc/dconf/db/local.d/00-defaults
-+
-+Edit "[org/gnome/login-screen]" and add or update the following line:
-+enable-smartcard-authentication=true   
-+
-+Update the system databases:
-+# dconf update</fixtext><fix id="F-4521r88384_fix" /><check system="C-4521r88383_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the operating system uniquely identifies and authenticates users using multifactor authentication via a graphical user logon.
-+
-+Note: If the system does not have GNOME installed, this requirement is Not Applicable. 
-+
-+Determine which profile the system database is using with the following command:
-+
-+# grep system-db /etc/dconf/profile/user
-+
-+system-db:local
-+
-+Note: The example is using the database local for the system, so the path is "/etc/dconf/db/local.d". This path must be modified if a database other than local is being used.
-+
-+# grep enable-smartcard-authentication /etc/dconf/db/local.d/*
-+
-+enable-smartcard-authentication=true
-+
-+If "enable-smartcard-authentication" is set to "false" or the keyword is missing, this is a finding.</check-content></check></Rule></Group><Group id="V-204398"><title>SRG-OS-000029-GPOS-00010</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204398r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-010070</version><title>The Red Hat Enterprise Linux operating system must initiate a screensaver after a 15-minute period of inactivity for graphical user interfaces.</title><description>&lt;VulnDiscussion&gt;A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock.
-+
-+The session lock is implemented at the point where session activity can be determined and/or controlled.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86517</ident><ident system="http://cyber.mil/legacy">V-71893</ident><ident system="http://cyber.mil/cci">CCI-000057</ident><fixtext fixref="F-4522r88387_fix">Configure the operating system to initiate a screensaver after a 15-minute period of inactivity for graphical user interfaces.
-+
-+Create a database to contain the system-wide screensaver settings (if it does not already exist) with the following command:
-+
-+# touch /etc/dconf/db/local.d/00-screensaver
-+
-+Edit /etc/dconf/db/local.d/00-screensaver and add or update the following lines:
-+
-+[org/gnome/desktop/session]
-+# Set the lock time out to 900 seconds before the session is considered idle
-+idle-delay=uint32 900
-+
-+You must include the "uint32" along with the integer key values as shown.
-+
-+Update the system databases:
-+
-+# dconf update
-+
-+Users must log out and back in again before the system-wide settings take effect.</fixtext><fix id="F-4522r88387_fix" /><check system="C-4522r88386_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the operating system initiates a screensaver after a 15-minute period of inactivity for graphical user interfaces. The screen program must be installed to lock sessions on the console.
-+
-+Note: If the system does not have GNOME installed, this requirement is Not Applicable.
-+
-+Check to see if GNOME is configured to display a screensaver after a 15 minute delay with the following command:
-+
-+# grep -i idle-delay /etc/dconf/db/local.d/*
-+idle-delay=uint32 900
-+
-+If the "idle-delay" setting is missing or is not set to "900" or less, this is a finding.</check-content></check></Rule></Group><Group id="V-204399"><title>SRG-OS-000029-GPOS-00010</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204399r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-010081</version><title>The Red Hat Enterprise Linux operating system must prevent a user from overriding the screensaver lock-delay setting for the graphical user interface.</title><description>&lt;VulnDiscussion&gt;A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock.
-+
-+The session lock is implemented at the point where session activity can be determined and/or controlled.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-87807</ident><ident system="http://cyber.mil/legacy">V-73155</ident><ident system="http://cyber.mil/cci">CCI-000057</ident><fixtext fixref="F-4523r88390_fix">Configure the operating system to prevent a user from overriding a screensaver lock after a 15-minute period of inactivity for graphical user interfaces.
-+
-+Create a database to contain the system-wide screensaver settings (if it does not already exist) with the following command: 
-+
-+Note: The example below is using the database "local" for the system, so if the system is using another database in "/etc/dconf/profile/user", the file should be created under the appropriate subdirectory.
-+
-+# touch /etc/dconf/db/local.d/locks/session
-+
-+Add the setting to lock the screensaver lock delay:
-+
-+/org/gnome/desktop/screensaver/lock-delay</fixtext><fix id="F-4523r88390_fix" /><check system="C-4523r88389_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the operating system prevents a user from overriding a screensaver lock after a 15-minute period of inactivity for graphical user interfaces. 
-+
-+Note: If the system does not have GNOME installed, this requirement is Not Applicable. The screen program must be installed to lock sessions on the console.
-+
-+Determine which profile the system database is using with the following command:
-+# grep system-db /etc/dconf/profile/user
-+
-+system-db:local
-+
-+Check for the lock delay setting with the following command:
-+
-+Note: The example below is using the database "local" for the system, so the path is "/etc/dconf/db/local.d". This path must be modified if a database other than "local" is being used.
-+
-+# grep -i lock-delay /etc/dconf/db/local.d/locks/*
-+
-+/org/gnome/desktop/screensaver/lock-delay
-+
-+If the command does not return a result, this is a finding.</check-content></check></Rule></Group><Group id="V-204400"><title>SRG-OS-000029-GPOS-00010</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204400r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-010082</version><title>The Red Hat Enterprise Linux operating system must prevent a user from overriding the session idle-delay setting for the graphical user interface.</title><description>&lt;VulnDiscussion&gt;A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock.
-+
-+The session lock is implemented at the point where session activity can be determined and/or controlled.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-87809</ident><ident system="http://cyber.mil/legacy">V-73157</ident><ident system="http://cyber.mil/cci">CCI-000057</ident><fixtext fixref="F-4524r88393_fix">Configure the operating system to prevent a user from overriding a session lock after a 15-minute period of inactivity for graphical user interfaces.
-+
-+Create a database to contain the system-wide screensaver settings (if it does not already exist) with the following command: 
-+
-+Note: The example below is using the database "local" for the system, so if the system is using another database in /etc/dconf/profile/user, the file should be created under the appropriate subdirectory.
-+
-+# touch /etc/dconf/db/local.d/locks/session
-+
-+Add the setting to lock the session idle delay:
-+
-+/org/gnome/desktop/session/idle-delay</fixtext><fix id="F-4524r88393_fix" /><check system="C-4524r88392_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the operating system prevents a user from overriding session idle delay after a 15-minute period of inactivity for graphical user interfaces. 
-+
-+Note: If the system does not have GNOME installed, this requirement is Not Applicable. The screen program must be installed to lock sessions on the console. 
-+
-+Determine which profile the system database is using with the following command:
-+# grep system-db /etc/dconf/profile/user
-+
-+system-db:local
-+
-+Check for the session idle delay setting with the following command:
-+
-+Note: The example below is using the database "local" for the system, so the path is "/etc/dconf/db/local.d". This path must be modified if a database other than "local" is being used.
-+
-+# grep -i idle-delay /etc/dconf/db/local.d/locks/*
-+
-+/org/gnome/desktop/session/idle-delay
-+
-+If the command does not return a result, this is a finding.</check-content></check></Rule></Group><Group id="V-204402"><title>SRG-OS-000029-GPOS-00010</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204402r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-010100</version><title>The Red Hat Enterprise Linux operating system must initiate a session lock for the screensaver after a period of inactivity for graphical user interfaces.</title><description>&lt;VulnDiscussion&gt;A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock.
-+
-+The session lock is implemented at the point where session activity can be determined and/or controlled.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86523</ident><ident system="http://cyber.mil/legacy">V-71899</ident><ident system="http://cyber.mil/cci">CCI-000057</ident><fixtext fixref="F-4526r88399_fix">Configure the operating system to initiate a session lock after a 15-minute period of inactivity for graphical user interfaces.
-+
-+Create a database to contain the system-wide screensaver settings (if it does not already exist) with the following command: 
-+
-+# touch /etc/dconf/db/local.d/00-screensaver
-+
-+Add the setting to enable screensaver locking after 15 minutes of inactivity:
-+
-+[org/gnome/desktop/screensaver]
-+
-+idle-activation-enabled=true
-+
-+Update the system databases:
-+
-+# dconf update
-+
-+Users must log out and back in again before the system-wide settings take effect.</fixtext><fix id="F-4526r88399_fix" /><check system="C-4526r88398_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the operating system initiates a session lock after a 15-minute period of inactivity for graphical user interfaces. The screen program must be installed to lock sessions on the console.
-+
-+Note: If the system does not have a Graphical User Interface installed, this requirement is Not Applicable.
-+
-+Check for the session lock settings with the following commands:
-+
-+# grep -i idle-activation-enabled /etc/dconf/db/local.d/*
-+
-+idle-activation-enabled=true
-+
-+If "idle-activation-enabled" is not set to "true", this is a finding.</check-content></check></Rule></Group><Group id="V-204403"><title>SRG-OS-000029-GPOS-00010</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204403r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-010101</version><title>The Red Hat Enterprise Linux operating system must prevent a user from overriding the screensaver idle-activation-enabled setting for the graphical user interface.</title><description>&lt;VulnDiscussion&gt;A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence.
-+
-+The session lock is implemented at the point where session activity can be determined.
-+
-+The ability to enable/disable a session lock is given to the user by default. Disabling the user's ability to disengage the graphical user interface session lock provides the assurance that all sessions will lock after the specified period of time.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-78997</ident><ident system="http://cyber.mil/legacy">SV-93703</ident><ident system="http://cyber.mil/cci">CCI-000057</ident><fixtext fixref="F-4527r88402_fix">Configure the operating system to prevent a user from overriding a screensaver lock after a 15-minute period of inactivity for graphical user interfaces.
-+
-+Create a database to contain the system-wide screensaver settings (if it does not already exist) with the following command: 
-+
-+Note: The example below is using the database "local" for the system, so if the system is using another database in "/etc/dconf/profile/user", the file should be created under the appropriate subdirectory.
-+
-+# touch /etc/dconf/db/local.d/locks/session
-+
-+Add the setting to lock the screensaver idle-activation-enabled setting:
-+
-+/org/gnome/desktop/screensaver/idle-activation-enabled</fixtext><fix id="F-4527r88402_fix" /><check system="C-4527r88401_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the operating system prevents a user from overriding the screensaver idle-activation-enabled setting for the graphical user interface. 
-+
-+Note: If the system does not have GNOME installed, this requirement is Not Applicable. The screen program must be installed to lock sessions on the console.
-+
-+Determine which profile the system database is using with the following command:
-+# grep system-db /etc/dconf/profile/user
-+
-+system-db:local
-+
-+Check for the idle-activation-enabled setting with the following command:
-+
-+Note: The example below is using the database "local" for the system, so the path is "/etc/dconf/db/local.d". This path must be modified if a database other than "local" is being used.
-+
-+# grep -i idle-activation-enabled /etc/dconf/db/local.d/locks/*
-+
-+/org/gnome/desktop/screensaver/idle-activation-enabled
-+
-+If the command does not return a result, this is a finding.</check-content></check></Rule></Group><Group id="V-204404"><title>SRG-OS-000029-GPOS-00010</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204404r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-010110</version><title>The Red Hat Enterprise Linux operating system must initiate a session lock for graphical user interfaces when the screensaver is activated.</title><description>&lt;VulnDiscussion&gt;A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock.
-+
-+The session lock is implemented at the point where session activity can be determined and/or controlled.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86525</ident><ident system="http://cyber.mil/legacy">V-71901</ident><ident system="http://cyber.mil/cci">CCI-000057</ident><fixtext fixref="F-4528r88405_fix">Configure the operating system to initiate a session lock for graphical user interfaces when a screensaver is activated.
-+
-+Create a database to contain the system-wide screensaver settings (if it does not already exist) with the following command: 
-+
-+# touch /etc/dconf/db/local.d/00-screensaver
-+
-+Add the setting to enable session locking when a screensaver is activated:
-+
-+[org/gnome/desktop/screensaver]
-+lock-delay=uint32 5
-+
-+The "uint32" must be included along with the integer key values as shown.
-+
-+Update the system databases:
-+
-+# dconf update
-+
-+Users must log out and back in again before the system-wide settings take effect.</fixtext><fix id="F-4528r88405_fix" /><check system="C-4528r88404_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the operating system initiates a session lock a for graphical user interfaces when the screensaver is activated. 
-+
-+Note: If the system does not have GNOME installed, this requirement is Not Applicable. The screen program must be installed to lock sessions on the console.
-+
-+If GNOME is installed, check to see a session lock occurs when the screensaver is activated with the following command:
-+
-+# grep -i lock-delay /etc/dconf/db/local.d/*
-+lock-delay=uint32 5
-+
-+If the "lock-delay" setting is missing, or is not set to "5" or less, this is a finding.</check-content></check></Rule></Group><Group id="V-204405"><title>SRG-OS-000069-GPOS-00037</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204405r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-010118</version><title>The Red Hat Enterprise Linux operating system must be configured so that /etc/pam.d/passwd implements /etc/pam.d/system-auth when changing passwords.</title><description>&lt;VulnDiscussion&gt;Pluggable authentication modules (PAM) allow for a modular approach to integrating authentication methods. PAM operates in a top-down processing model and if the modules are not listed in the correct order, an important security function could be bypassed if stack entries are not centralized.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-95715</ident><ident system="http://cyber.mil/legacy">V-81003</ident><ident system="http://cyber.mil/cci">CCI-000192</ident><fixtext fixref="F-4529r88408_fix">Configure PAM to utilize /etc/pam.d/system-auth when changing passwords.
-+
-+Add the following line to "/etc/pam.d/passwd" (or modify the line to have the required value):
-+
-+password     substack    system-auth</fixtext><fix id="F-4529r88408_fix" /><check system="C-4529r88407_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify that /etc/pam.d/passwd is configured to use /etc/pam.d/system-auth when changing passwords:
-+
-+# cat /etc/pam.d/passwd | grep -i substack | grep -i system-auth
-+password     substack     system-auth
-+
-+If no results are returned, the line is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-204406"><title>SRG-OS-000069-GPOS-00037</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204406r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-010119</version><title>The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed or new passwords are established, pwquality must be used.</title><description>&lt;VulnDiscussion&gt;Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. "pwquality" enforces complex password construction configuration and has the ability to limit brute-force attacks on the system.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-87811</ident><ident system="http://cyber.mil/legacy">V-73159</ident><ident system="http://cyber.mil/cci">CCI-000192</ident><fixtext fixref="F-4530r88411_fix">Configure the operating system to use "pwquality" to enforce password complexity rules.
-+
-+Add the following line to "/etc/pam.d/system-auth" (or modify the line to have the required value):
-+
-+password required pam_pwquality.so retry=3
-+
-+Note: The value of "retry" should be between "1" and "3".</fixtext><fix id="F-4530r88411_fix" /><check system="C-4530r88410_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the operating system uses "pwquality" to enforce the password complexity rules. 
-+
-+Check for the use of "pwquality" with the following command:
-+
-+# cat /etc/pam.d/system-auth | grep pam_pwquality
-+
-+password required pam_pwquality.so retry=3
-+
-+If the command does not return an uncommented line containing the value "pam_pwquality.so", this is a finding.
-+
-+If the value of "retry" is set to "0" or greater than "3", this is a finding.</check-content></check></Rule></Group><Group id="V-204407"><title>SRG-OS-000069-GPOS-00037</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204407r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-010120</version><title>The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed or new passwords are established, the new password must contain at least one upper-case character.</title><description>&lt;VulnDiscussion&gt;Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
-+
-+Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86527</ident><ident system="http://cyber.mil/legacy">V-71903</ident><ident system="http://cyber.mil/cci">CCI-000192</ident><fixtext fixref="F-4531r88414_fix">Configure the operating system to enforce password complexity by requiring that at least one upper-case character be used by setting the "ucredit" option.
-+
-+Add the following line to "/etc/security/pwquality.conf" (or modify the line to have the required value):
-+
-+ucredit = -1</fixtext><fix id="F-4531r88414_fix" /><check system="C-4531r88413_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Note: The value to require a number of upper-case characters to be set is expressed as a negative number in "/etc/security/pwquality.conf".
-+
-+Check the value for "ucredit" in "/etc/security/pwquality.conf" with the following command:
-+
-+# grep ucredit /etc/security/pwquality.conf 
-+ucredit = -1
-+
-+If the value of "ucredit" is not set to a negative value, this is a finding.</check-content></check></Rule></Group><Group id="V-204408"><title>SRG-OS-000070-GPOS-00038</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204408r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-010130</version><title>The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed or new passwords are established, the new password must contain at least one lower-case character.</title><description>&lt;VulnDiscussion&gt;Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
-+
-+Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-71905</ident><ident system="http://cyber.mil/legacy">SV-86529</ident><ident system="http://cyber.mil/cci">CCI-000193</ident><fixtext fixref="F-4532r88417_fix">Configure the system to require at least one lower-case character when creating or changing a password.
-+
-+Add or modify the following line 
-+in "/etc/security/pwquality.conf":
-+
-+lcredit = -1</fixtext><fix id="F-4532r88417_fix" /><check system="C-4532r88416_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Note: The value to require a number of lower-case characters to be set is expressed as a negative number in "/etc/security/pwquality.conf".
-+
-+Check the value for "lcredit" in "/etc/security/pwquality.conf" with the following command:
-+
-+# grep lcredit /etc/security/pwquality.conf 
-+lcredit = -1 
-+
-+If the value of "lcredit" is not set to a negative value, this is a finding.</check-content></check></Rule></Group><Group id="V-204409"><title>SRG-OS-000071-GPOS-00039</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204409r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-010140</version><title>The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed or new passwords are assigned, the new password must contain at least one numeric character.</title><description>&lt;VulnDiscussion&gt;Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
-+
-+Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-71907</ident><ident system="http://cyber.mil/legacy">SV-86531</ident><ident system="http://cyber.mil/cci">CCI-000194</ident><fixtext fixref="F-4533r88420_fix">Configure the operating system to enforce password complexity by requiring that at least one numeric character be used by setting the "dcredit" option.
-+
-+Add the following line to /etc/security/pwquality.conf (or modify the line to have the required value):
-+
-+dcredit = -1</fixtext><fix id="F-4533r88420_fix" /><check system="C-4533r88419_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Note: The value to require a number of numeric characters to be set is expressed as a negative number in "/etc/security/pwquality.conf".
-+
-+Check the value for "dcredit" in "/etc/security/pwquality.conf" with the following command:
-+
-+# grep dcredit /etc/security/pwquality.conf 
-+dcredit = -1 
-+
-+If the value of "dcredit" is not set to a negative value, this is a finding.</check-content></check></Rule></Group><Group id="V-204410"><title>SRG-OS-000266-GPOS-00101</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204410r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-010150</version><title>The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed or new passwords are established, the new password must contain at least one special character.</title><description>&lt;VulnDiscussion&gt;Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
-+
-+Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86533</ident><ident system="http://cyber.mil/legacy">V-71909</ident><ident system="http://cyber.mil/cci">CCI-001619</ident><fixtext fixref="F-4534r88423_fix">Configure the operating system to enforce password complexity by requiring that at least one special character be used by setting the "ocredit" option.
-+
-+Add the following line to "/etc/security/pwquality.conf" (or modify the line to have the required value):
-+
-+ocredit = -1</fixtext><fix id="F-4534r88423_fix" /><check system="C-4534r88422_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the operating system enforces password complexity by requiring that at least one special character be used.
-+
-+Note: The value to require a number of special characters to be set is expressed as a negative number in "/etc/security/pwquality.conf".
-+
-+Check the value for "ocredit" in "/etc/security/pwquality.conf" with the following command:
-+
-+# grep ocredit /etc/security/pwquality.conf 
-+ocredit=-1
-+
-+If the value of "ocredit" is not set to a negative value, this is a finding.</check-content></check></Rule></Group><Group id="V-204411"><title>SRG-OS-000072-GPOS-00040</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204411r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-010160</version><title>The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed a minimum of eight of the total number of characters must be changed.</title><description>&lt;VulnDiscussion&gt;Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
-+
-+Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-71911</ident><ident system="http://cyber.mil/legacy">SV-86535</ident><ident system="http://cyber.mil/cci">CCI-000195</ident><fixtext fixref="F-4535r88426_fix">Configure the operating system to require the change of at least eight of the total number of characters when passwords are changed by setting the "difok" option.
-+
-+Add the following line to "/etc/security/pwquality.conf" (or modify the line to have the required value):
-+
-+difok = 8</fixtext><fix id="F-4535r88426_fix" /><check system="C-4535r88425_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>The "difok" option sets the number of characters in a password that must not be present in the old password.
-+
-+Check for the value of the "difok" option in "/etc/security/pwquality.conf" with the following command:
-+
-+# grep difok /etc/security/pwquality.conf 
-+difok = 8
-+
-+If the value of "difok" is set to less than "8", this is a finding.</check-content></check></Rule></Group><Group id="V-204412"><title>SRG-OS-000072-GPOS-00040</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204412r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-010170</version><title>The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed a minimum of four character classes must be changed.</title><description>&lt;VulnDiscussion&gt;Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
-+
-+Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-71913</ident><ident system="http://cyber.mil/legacy">SV-86537</ident><ident system="http://cyber.mil/cci">CCI-000195</ident><fixtext fixref="F-4536r88429_fix">Configure the operating system to require the change of at least four character classes when passwords are changed by setting the "minclass" option.
-+
-+Add the following line to "/etc/security/pwquality.conf conf" (or modify the line to have the required value):
-+
-+minclass = 4</fixtext><fix id="F-4536r88429_fix" /><check system="C-4536r88428_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>The "minclass" option sets the minimum number of required classes of characters for the new password (digits, upper-case, lower-case, others).
-+
-+Check for the value of the "minclass" option in "/etc/security/pwquality.conf" with the following command:
-+
-+# grep minclass /etc/security/pwquality.conf 
-+minclass = 4
-+
-+If the value of "minclass" is set to less than "4", this is a finding.</check-content></check></Rule></Group><Group id="V-204413"><title>SRG-OS-000072-GPOS-00040</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204413r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-010180</version><title>The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed the number of repeating consecutive characters must not be more than three characters.</title><description>&lt;VulnDiscussion&gt;Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
-+
-+Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-71915</ident><ident system="http://cyber.mil/legacy">SV-86539</ident><ident system="http://cyber.mil/cci">CCI-000195</ident><fixtext fixref="F-4537r88432_fix">Configure the operating system to require the change of the number of repeating consecutive characters when passwords are changed by setting the "maxrepeat" option.
-+
-+Add the following line to "/etc/security/pwquality.conf conf" (or modify the line to have the required value):
-+
-+maxrepeat = 3</fixtext><fix id="F-4537r88432_fix" /><check system="C-4537r88431_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>The "maxrepeat" option sets the maximum number of allowed same consecutive characters in a new password.
-+
-+Check for the value of the "maxrepeat" option in "/etc/security/pwquality.conf" with the following command:
-+
-+# grep maxrepeat /etc/security/pwquality.conf 
-+maxrepeat = 3
-+
-+If the value of "maxrepeat" is set to more than "3", this is a finding.</check-content></check></Rule></Group><Group id="V-204414"><title>SRG-OS-000072-GPOS-00040</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204414r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-010190</version><title>The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed the number of repeating characters of the same character class must not be more than four characters.</title><description>&lt;VulnDiscussion&gt;Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
-+
-+Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-71917</ident><ident system="http://cyber.mil/legacy">SV-86541</ident><ident system="http://cyber.mil/cci">CCI-000195</ident><fixtext fixref="F-4538r88435_fix">Configure the operating system to require the change of the number of repeating characters of the same character class when passwords are changed by setting the "maxclassrepeat" option.
-+
-+Add the following line to "/etc/security/pwquality.conf" conf (or modify the line to have the required value):
-+
-+maxclassrepeat = 4</fixtext><fix id="F-4538r88435_fix" /><check system="C-4538r88434_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>The "maxclassrepeat" option sets the maximum number of allowed same consecutive characters in the same class in the new password.
-+
-+Check for the value of the "maxclassrepeat" option in "/etc/security/pwquality.conf" with the following command:
-+
-+# grep maxclassrepeat /etc/security/pwquality.conf 
-+maxclassrepeat = 4
-+
-+If the value of "maxclassrepeat" is set to more than "4", this is a finding.</check-content></check></Rule></Group><Group id="V-204415"><title>SRG-OS-000073-GPOS-00041</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204415r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-010200</version><title>The Red Hat Enterprise Linux operating system must be configured so that the PAM system service is configured to store only encrypted representations of passwords.</title><description>&lt;VulnDiscussion&gt;Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Passwords encrypted with a weak algorithm are no more protected than if they are kept in plain text.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-71919</ident><ident system="http://cyber.mil/legacy">SV-86543</ident><ident system="http://cyber.mil/cci">CCI-000196</ident><fixtext fixref="F-4539r88438_fix">Configure the operating system to store only SHA512 encrypted representations of passwords.
-+
-+Add the following line in "/etc/pam.d/system-auth":
-+pam_unix.so sha512 shadow try_first_pass use_authtok
-+
-+Add the following line in "/etc/pam.d/password-auth":
-+pam_unix.so sha512 shadow try_first_pass use_authtok
-+
-+Note: Manual changes to the listed files may be overwritten by the "authconfig" program. The "authconfig" program should not be used to update the configurations listed in this requirement.</fixtext><fix id="F-4539r88438_fix" /><check system="C-4539r88437_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the PAM system service is configured to store only encrypted representations of passwords. The strength of encryption that must be used to hash passwords for all accounts is SHA512.
-+
-+Check that the system is configured to create SHA512 hashed passwords with the following command:
-+
-+# grep password /etc/pam.d/system-auth /etc/pam.d/password-auth
-+
-+Outcome should look like following:
-+/etc/pam.d/system-auth-ac:password    sufficient    pam_unix.so sha512 shadow try_first_pass use_authtok
-+/etc/pam.d/password-auth:password    sufficient    pam_unix.so sha512 shadow try_first_pass use_authtok
-+
-+If the "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth" configuration files allow for password hashes other than SHA512 to be used, this is a finding.</check-content></check></Rule></Group><Group id="V-204416"><title>SRG-OS-000073-GPOS-00041</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204416r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-010210</version><title>The Red Hat Enterprise Linux operating system must be configured to use the shadow file to store only encrypted representations of passwords.</title><description>&lt;VulnDiscussion&gt;Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Passwords encrypted with a weak algorithm are no more protected than if they are kept in plain text.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-71921</ident><ident system="http://cyber.mil/legacy">SV-86545</ident><ident system="http://cyber.mil/cci">CCI-000196</ident><fixtext fixref="F-4540r88441_fix">Configure the operating system to store only SHA512 encrypted representations of passwords.
-+
-+Add or update the following line in "/etc/login.defs":
-+
-+ENCRYPT_METHOD SHA512</fixtext><fix id="F-4540r88441_fix" /><check system="C-4540r88440_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the system's shadow file is configured to store only encrypted representations of passwords. The strength of encryption that must be used to hash passwords for all accounts is SHA512.
-+
-+Check that the system is configured to create SHA512 hashed passwords with the following command:
-+
-+# grep -i encrypt /etc/login.defs
-+ENCRYPT_METHOD SHA512
-+
-+If the "/etc/login.defs" configuration file does not exist or allows for password hashes other than SHA512 to be used, this is a finding.</check-content></check></Rule></Group><Group id="V-204417"><title>SRG-OS-000073-GPOS-00041</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204417r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-010220</version><title>The Red Hat Enterprise Linux operating system must be configured so that user and group account administration utilities are configured to store only encrypted representations of passwords.</title><description>&lt;VulnDiscussion&gt;Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Passwords encrypted with a weak algorithm are no more protected than if they are kept in plain text.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-71923</ident><ident system="http://cyber.mil/legacy">SV-86547</ident><ident system="http://cyber.mil/cci">CCI-000196</ident><fixtext fixref="F-4541r88444_fix">Configure the operating system to store only SHA512 encrypted representations of passwords.
-+
-+Add or update the following line in "/etc/libuser.conf" in the [defaults] section: 
-+
-+crypt_style = sha512</fixtext><fix id="F-4541r88444_fix" /><check system="C-4541r88443_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the user and group account administration utilities are configured to store only encrypted representations of passwords. The strength of encryption that must be used to hash passwords for all accounts is "SHA512".
-+
-+Check that the system is configured to create "SHA512" hashed passwords with the following command:
-+
-+# grep -i sha512 /etc/libuser.conf 
-+
-+crypt_style = sha512
-+
-+If the "crypt_style" variable is not set to "sha512", is not in the defaults section, is commented out, or does not exist, this is a finding.</check-content></check></Rule></Group><Group id="V-204418"><title>SRG-OS-000075-GPOS-00043</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204418r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-010230</version><title>The Red Hat Enterprise Linux operating system must be configured so that passwords for new users are restricted to a 24 hours/1 day minimum lifetime.</title><description>&lt;VulnDiscussion&gt;Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. If users are allowed to immediately and continually change their password, the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-71925</ident><ident system="http://cyber.mil/legacy">SV-86549</ident><ident system="http://cyber.mil/cci">CCI-000198</ident><fixtext fixref="F-4542r88447_fix">Configure the operating system to enforce 24 hours/1 day as the minimum password lifetime.
-+
-+Add the following line in "/etc/login.defs" (or modify the line to have the required value):
-+
-+PASS_MIN_DAYS     1</fixtext><fix id="F-4542r88447_fix" /><check system="C-4542r88446_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the operating system enforces 24 hours/1 day as the minimum password lifetime for new user accounts.
-+
-+Check for the value of "PASS_MIN_DAYS" in "/etc/login.defs" with the following command: 
-+
-+# grep -i pass_min_days /etc/login.defs
-+PASS_MIN_DAYS     1
-+
-+If the "PASS_MIN_DAYS" parameter value is not "1" or greater, or is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-204419"><title>SRG-OS-000075-GPOS-00043</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204419r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-010240</version><title>The Red Hat Enterprise Linux operating system must be configured so that passwords are restricted to a 24 hours/1 day minimum lifetime.</title><description>&lt;VulnDiscussion&gt;Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. If users are allowed to immediately and continually change their password, the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-71927</ident><ident system="http://cyber.mil/legacy">SV-86551</ident><ident system="http://cyber.mil/cci">CCI-000198</ident><fixtext fixref="F-4543r88450_fix">Configure non-compliant accounts to enforce a 24 hours/1 day minimum password lifetime:
-+
-+# chage -m 1 [user]</fixtext><fix id="F-4543r88450_fix" /><check system="C-4543r88449_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Check whether the minimum time period between password changes for each user account is one day or greater.
-+
-+# awk -F: '$4 &lt; 1 {print $1 " " $4}' /etc/shadow
-+
-+If any results are returned that are not associated with a system account, this is a finding.</check-content></check></Rule></Group><Group id="V-204420"><title>SRG-OS-000076-GPOS-00044</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204420r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-010250</version><title>The Red Hat Enterprise Linux operating system must be configured so that passwords for new users are restricted to a 60-day maximum lifetime.</title><description>&lt;VulnDiscussion&gt;Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If the operating system does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the operating system passwords could be compromised.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86553</ident><ident system="http://cyber.mil/legacy">V-71929</ident><ident system="http://cyber.mil/cci">CCI-000199</ident><fixtext fixref="F-4544r88453_fix">Configure the operating system to enforce a 60-day maximum password lifetime restriction.
-+
-+Add the following line in "/etc/login.defs" (or modify the line to have the required value):
-+
-+PASS_MAX_DAYS     60</fixtext><fix id="F-4544r88453_fix" /><check system="C-4544r88452_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>If passwords are not being used for authentication, this is Not Applicable.
-+
-+Verify the operating system enforces a 60-day maximum password lifetime restriction for new user accounts.
-+
-+Check for the value of "PASS_MAX_DAYS" in "/etc/login.defs" with the following command:
-+
-+# grep -i pass_max_days /etc/login.defs
-+PASS_MAX_DAYS 60
-+
-+If the "PASS_MAX_DAYS" parameter value is not 60 or less, or is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-204421"><title>SRG-OS-000076-GPOS-00044</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204421r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-010260</version><title>The Red Hat Enterprise Linux operating system must be configured so that existing passwords are restricted to a 60-day maximum lifetime.</title><description>&lt;VulnDiscussion&gt;Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If the operating system does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the operating system passwords could be compromised.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86555</ident><ident system="http://cyber.mil/legacy">V-71931</ident><ident system="http://cyber.mil/cci">CCI-000199</ident><fixtext fixref="F-4545r88456_fix">Configure non-compliant accounts to enforce a 60-day maximum password lifetime restriction.
-+
-+# chage -M 60 [user]</fixtext><fix id="F-4545r88456_fix" /><check system="C-4545r88455_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Check whether the maximum time period for existing passwords is restricted to 60 days.
-+
-+# awk -F: '$5 &gt; 60 {print $1 " " $5}' /etc/shadow
-+
-+If any results are returned that are not associated with a system account, this is a finding.
-+</check-content></check></Rule></Group><Group id="V-204422"><title>SRG-OS-000077-GPOS-00045</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204422r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-010270</version><title>The Red Hat Enterprise Linux operating system must be configured so that passwords are prohibited from reuse for a minimum of five generations.</title><description>&lt;VulnDiscussion&gt;Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. If the information system or application allows the user to consecutively reuse their password when that password has exceeded its defined lifetime, the end result is a password that is not changed per policy requirements.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86557</ident><ident system="http://cyber.mil/legacy">V-71933</ident><ident system="http://cyber.mil/cci">CCI-000200</ident><fixtext fixref="F-4546r88459_fix">Configure the operating system to prohibit password reuse for a minimum of five generations.
-+
-+Add the following line in "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth" (or modify the line to have the required value):
-+
-+password    requisite     pam_pwhistory.so use_authtok remember=5 retry=3
-+   
-+Note: Manual changes to the listed files may be overwritten by the "authconfig" program. The "authconfig" program should not be used to update the configurations listed in this requirement.</fixtext><fix id="F-4546r88459_fix" /><check system="C-4546r88458_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the operating system prohibits password reuse for a minimum of five generations.
-+
-+Check for the value of the "remember" argument in "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth" with the following command:
-+
-+# grep -i remember /etc/pam.d/system-auth /etc/pam.d/password-auth
-+
-+password    requisite     pam_pwhistory.so use_authtok remember=5 retry=3
-+
-+If the line containing the "pam_pwhistory.so" line does not have the "remember" module argument set, is commented out, or the value of the "remember" module argument is set to less than "5", this is a finding.</check-content></check></Rule></Group><Group id="V-204423"><title>SRG-OS-000078-GPOS-00046</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204423r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-010280</version><title>The Red Hat Enterprise Linux operating system must be configured so that passwords are a minimum of 15 characters in length.</title><description>&lt;VulnDiscussion&gt;The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised.
-+
-+Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. Use of more characters in a password helps to exponentially increase the time and/or resources required to compromise the password.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86559</ident><ident system="http://cyber.mil/legacy">V-71935</ident><ident system="http://cyber.mil/cci">CCI-000205</ident><fixtext fixref="F-4547r88462_fix">Configure operating system to enforce a minimum 15-character password length.
-+
-+Add the following line to "/etc/security/pwquality.conf" (or modify the line to have the required value):
-+
-+minlen = 15</fixtext><fix id="F-4547r88462_fix" /><check system="C-4547r88461_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the operating system enforces a minimum 15-character password length. The "minlen" option sets the minimum number of characters in a new password.
-+
-+Check for the value of the "minlen" option in "/etc/security/pwquality.conf" with the following command:
-+
-+# grep minlen /etc/security/pwquality.conf
-+minlen = 15
-+
-+If the command does not return a "minlen" value of 15 or greater, this is a finding.</check-content></check></Rule></Group><Group id="V-204424"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204424r505924_rule" weight="10.0" severity="high"><version>RHEL-07-010290</version><title>The Red Hat Enterprise Linux operating system must not have accounts configured with blank or null passwords.</title><description>&lt;VulnDiscussion&gt;If an account has an empty password, anyone could log on and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-71937</ident><ident system="http://cyber.mil/legacy">SV-86561</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4548r88465_fix">If an account is configured for password authentication but does not have an assigned password, it may be possible to log on to the account without authenticating.
-+
-+Remove any instances of the "nullok" option in "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth" to prevent logons with empty passwords.
-+
-+Note: Manual changes to the listed files may be overwritten by the "authconfig" program. The "authconfig" program should not be used to update the configurations listed in this requirement.</fixtext><fix id="F-4548r88465_fix" /><check system="C-4548r88464_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>To verify that null passwords cannot be used, run the following command: 
-+
-+# grep nullok /etc/pam.d/system-auth /etc/pam.d/password-auth
-+
-+If this produces any output, it may be possible to log on with accounts with empty passwords.
-+
-+If null passwords can be used, this is a finding.</check-content></check></Rule></Group><Group id="V-204425"><title>SRG-OS-000106-GPOS-00053</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204425r505924_rule" weight="10.0" severity="high"><version>RHEL-07-010300</version><title>The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not allow authentication using an empty password.</title><description>&lt;VulnDiscussion&gt;Configuring this setting for the SSH daemon provides additional assurance that remote logon via SSH will require a password, even in the event of misconfiguration elsewhere.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86563</ident><ident system="http://cyber.mil/legacy">V-71939</ident><ident system="http://cyber.mil/cci">CCI-000766</ident><fixtext fixref="F-4549r88468_fix">To explicitly disallow remote logon from accounts with empty passwords, add or correct the following line in "/etc/ssh/sshd_config":
-+
-+PermitEmptyPasswords no
-+
-+The SSH service must be restarted for changes to take effect.  Any accounts with empty passwords should be disabled immediately, and PAM configuration should prevent users from being able to assign themselves empty passwords.</fixtext><fix id="F-4549r88468_fix" /><check system="C-4549r88467_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>To determine how the SSH daemon's "PermitEmptyPasswords" option is set, run the following command:
-+
-+# grep -i PermitEmptyPasswords /etc/ssh/sshd_config
-+PermitEmptyPasswords no
-+
-+If no line, a commented line, or a line indicating the value "no" is returned, the required value is set.
-+
-+If the required value is not set, this is a finding.</check-content></check></Rule></Group><Group id="V-204426"><title>SRG-OS-000118-GPOS-00060</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204426r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-010310</version><title>The Red Hat Enterprise Linux operating system must disable account identifiers (individuals, groups, roles, and devices) if the password expires.</title><description>&lt;VulnDiscussion&gt;Inactive identifiers pose a risk to systems and applications because attackers may exploit an inactive identifier and potentially obtain undetected access to the system. Owners of inactive accounts will not notice if unauthorized access to their user account has been obtained.
-+
-+Operating systems need to track periods of inactivity and disable application identifiers after zero days of inactivity.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86565</ident><ident system="http://cyber.mil/legacy">V-71941</ident><ident system="http://cyber.mil/cci">CCI-000795</ident><fixtext fixref="F-4550r88471_fix">Configure the operating system to disable account identifiers (individuals, groups, roles, and devices) after the password expires.
-+
-+Add the following line to "/etc/default/useradd" (or modify the line to have the required value):
-+
-+INACTIVE=0</fixtext><fix id="F-4550r88471_fix" /><check system="C-4550r88470_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>If passwords are not being used for authentication, this is Not Applicable.
-+
-+Verify the operating system disables account identifiers (individuals, groups, roles, and devices) after the password expires with the following command:
-+
-+# grep -i inactive /etc/default/useradd
-+INACTIVE=0
-+
-+If the value is not set to "0", is commented out, or is not defined, this is a finding.</check-content></check></Rule></Group><Group id="V-204427"><title>SRG-OS-000329-GPOS-00128</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204427r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-010320</version><title>The Red Hat Enterprise Linux operating system must be configured to lock accounts for a minimum of 15 minutes after three unsuccessful logon attempts within a 15-minute timeframe.</title><description>&lt;VulnDiscussion&gt;By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by locking the account.
-+
-+Satisfies: SRG-OS-000329-GPOS-00128, SRG-OS-000021-GPOS-00005&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-71943</ident><ident system="http://cyber.mil/legacy">SV-86567</ident><ident system="http://cyber.mil/cci">CCI-000044</ident><ident system="http://cyber.mil/cci">CCI-002236</ident><ident system="http://cyber.mil/cci">CCI-002237</ident><ident system="http://cyber.mil/cci">CCI-002238</ident><fixtext fixref="F-4551r462529_fix">Configure the operating system to lock an account for the maximum period when three unsuccessful logon attempts in 15 minutes are made.
-+
-+Modify the first three lines of the auth section and the first line of the account section of the "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth" files to match the following lines:
-+
-+auth required pam_faillock.so preauth silent audit deny=3 even_deny_root fail_interval=900 unlock_time=900
-+auth sufficient pam_unix.so try_first_pass
-+auth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root fail_interval=900 unlock_time=900
-+account required pam_faillock.so   
-+
-+Note: Manual changes to the listed files may be overwritten by the "authconfig" program. The "authconfig" program should not be used to update the configurations listed in this requirement.</fixtext><fix id="F-4551r462529_fix" /><check system="C-4551r462528_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Check that the system locks an account for a minimum of 15 minutes after three unsuccessful logon attempts within a period of 15 minutes with the following command:
-+
-+# grep pam_faillock.so /etc/pam.d/password-auth
-+
-+auth required pam_faillock.so preauth silent audit deny=3 even_deny_root fail_interval=900 unlock_time=900
-+auth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root fail_interval=900 unlock_time=900
-+account required pam_faillock.so 
-+
-+If the "deny" parameter is set to "0" or a value greater than "3" on both "auth" lines with the "pam_faillock.so" module, or is missing from these lines, this is a finding.
-+
-+If the "even_deny_root" parameter is not set on both "auth" lines with the "pam_faillock.so" module, or is missing from these lines, this is a finding.
-+
-+If the "fail_interval" parameter is set to "0" or is set to a value less than "900" on both "auth" lines with the "pam_faillock.so" module, or is missing from these lines, this is a finding.
-+
-+If the "unlock_time" parameter is not set to "0", "never", or is set to a value less than "900" on both "auth" lines with the "pam_faillock.so" module, or is missing from these lines, this is a finding.
-+
-+Note: The maximum configurable value for "unlock_time" is "604800". 
-+
-+If any line referencing the "pam_faillock.so" module is commented out, this is a finding.
-+
-+# grep pam_faillock.so /etc/pam.d/system-auth
-+
-+auth required pam_faillock.so preauth silent audit deny=3 even_deny_root fail_interval=900 unlock_time=900
-+auth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root fail_interval=900 unlock_time=900
-+account required pam_faillock.so 
-+
-+If the "deny" parameter is set to "0" or a value greater than "3" on both "auth" lines with the "pam_faillock.so" module, or is missing from these lines, this is a finding.
-+
-+If the "even_deny_root" parameter is not set on both "auth" lines with the "pam_faillock.so" module, or is missing from these lines, this is a finding.
-+
-+If the "fail_interval" parameter is set to "0" or is set to a value less than "900" on both "auth" lines with the "pam_faillock.so" module, or is missing from these lines, this is a finding.
-+
-+If the "unlock_time" parameter is not set to "0", "never", or is set to a value less than "900" on both "auth" lines with the "pam_faillock.so" module or is missing from these lines, this is a finding.
-+
-+Note: The maximum configurable value for "unlock_time" is "604800". 
-+
-+If any line referencing the "pam_faillock.so" module is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-204428"><title>SRG-OS-000329-GPOS-00128</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204428r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-010330</version><title>The Red Hat Enterprise Linux operating system must lock the associated account after three unsuccessful root logon attempts are made within a 15-minute period.</title><description>&lt;VulnDiscussion&gt;By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute forcing, is reduced. Limits are imposed by locking the account.
-+
-+Satisfies: SRG-OS-000329-GPOS-00128, SRG-OS-000021-GPOS-00005&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-71945</ident><ident system="http://cyber.mil/legacy">SV-86569</ident><ident system="http://cyber.mil/cci">CCI-002238</ident><fixtext fixref="F-4552r88477_fix">Configure the operating system to lock automatically the root account until the locked account is released by an administrator when three unsuccessful logon attempts in 15 minutes are made.
-+
-+Modify the first three lines of the auth section and the first line of the account section of the "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth" files to match the following lines:
-+
-+auth required pam_faillock.so preauth silent audit deny=3 even_deny_root fail_interval=900 unlock_time=900
-+auth sufficient pam_unix.so try_first_pass
-+auth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root fail_interval=900 unlock_time=900
-+account required pam_faillock.so
-+
-+Note: Manual changes to the listed files may be overwritten by the "authconfig" program. The "authconfig" program should not be used to update the configurations listed in this requirement.</fixtext><fix id="F-4552r88477_fix" /><check system="C-4552r88476_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the operating system automatically locks the root account until it is released by an administrator when three unsuccessful logon attempts in 15 minutes are made.
-+
-+# grep pam_faillock.so /etc/pam.d/password-auth
-+auth required pam_faillock.so preauth silent audit deny=3 even_deny_root fail_interval=900 unlock_time=900 
-+auth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root fail_interval=900 unlock_time=900 
-+account required pam_faillock.so
-+
-+If the "even_deny_root" setting is not defined on both lines with the "pam_faillock.so" module, is commented out, or is missing from a line, this is a finding.
-+
-+# grep pam_faillock.so /etc/pam.d/system-auth
-+auth required pam_faillock.so preauth silent audit deny=3 even_deny_root fail_interval=900 unlock_time=900 
-+auth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root fail_interval=900 unlock_time=900
-+account required pam_faillock.so
-+
-+If the "even_deny_root" setting is not defined on both lines with the "pam_faillock.so" module, is commented out, or is missing from a line, this is a finding.</check-content></check></Rule></Group><Group id="V-204429"><title>SRG-OS-000373-GPOS-00156</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204429r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-010340</version><title>The Red Hat Enterprise Linux operating system must be configured so that users must provide a password for privilege escalation.</title><description>&lt;VulnDiscussion&gt;Without re-authentication, users may access resources or perform tasks for which they do not have authorization. 
-+
-+When operating systems provide the capability to escalate a functional capability, it is critical the user re-authenticate.
-+
-+Satisfies: SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-71947</ident><ident system="http://cyber.mil/legacy">SV-86571</ident><ident system="http://cyber.mil/cci">CCI-002038</ident><fixtext fixref="F-4553r499373_fix">Configure the operating system to require users to supply a password for privilege escalation.
-+
-+Check the configuration of the "/etc/sudoers" file with the following command:
-+# visudo
-+
-+Remove any occurrences of "NOPASSWD" tags in the file.   
-+
-+Check the configuration of the /etc/sudoers.d/* files with the following command:
-+# grep -i nopasswd /etc/sudoers.d/*
-+
-+Remove any occurrences of "NOPASSWD" tags in the file.</fixtext><fix id="F-4553r499373_fix" /><check system="C-4553r499372_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the operating system requires users to supply a password for privilege escalation.
-+
-+Check the configuration of the "/etc/sudoers" and "/etc/sudoers.d/*" files with the following command:
-+
-+# grep -i nopasswd /etc/sudoers /etc/sudoers.d/*
-+
-+If any occurrences of "NOPASSWD" are returned from the command and have not been documented with the Information System Security Officer (ISSO) as an organizationally defined administrative group utilizing MFA, this is a finding.</check-content></check></Rule></Group><Group id="V-204430"><title>SRG-OS-000373-GPOS-00156</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204430r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-010350</version><title>The Red Hat Enterprise Linux operating system must be configured so that users must re-authenticate for privilege escalation.</title><description>&lt;VulnDiscussion&gt;Without re-authentication, users may access resources or perform tasks for which they do not have authorization. 
-+
-+When operating systems provide the capability to escalate a functional capability, it is critical the user reauthenticate.
-+
-+Satisfies: SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-71949</ident><ident system="http://cyber.mil/legacy">SV-86573</ident><ident system="http://cyber.mil/cci">CCI-002038</ident><fixtext fixref="F-4554r88483_fix">Configure the operating system to require users to reauthenticate for privilege escalation.
-+
-+Check the configuration of the "/etc/sudoers" file with the following command:
-+
-+# visudo
-+Remove any occurrences of "!authenticate" tags in the file.
-+
-+Check the configuration of the "/etc/sudoers.d/*" files with the following command:
-+
-+# grep -i authenticate /etc/sudoers /etc/sudoers.d/*
-+Remove any occurrences of "!authenticate" tags in the file(s).</fixtext><fix id="F-4554r88483_fix" /><check system="C-4554r88482_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the operating system requires users to reauthenticate for privilege escalation.
-+
-+Check the configuration of the "/etc/sudoers" and "/etc/sudoers.d/*" files with the following command:
-+
-+# grep -i authenticate /etc/sudoers /etc/sudoers.d/*
-+
-+If any uncommented line is found with a "!authenticate" tag, this is a finding.</check-content></check></Rule></Group><Group id="V-204431"><title>SRG-OS-000480-GPOS-00226</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204431r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-010430</version><title>The Red Hat Enterprise Linux operating system must be configured so that the delay between logon prompts following a failed console logon attempt is at least four seconds.</title><description>&lt;VulnDiscussion&gt;Configuring the operating system to implement organization-wide security implementation guides and security checklists verifies compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements.
-+
-+Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example, registry settings; account, file, and directory permission settings; and settings for functions, ports, protocols, services, and remote connections.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86575</ident><ident system="http://cyber.mil/legacy">V-71951</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4555r88486_fix">Configure the operating system to enforce a delay of at least four seconds between logon prompts following a failed console logon attempt.
-+
-+Modify the "/etc/login.defs" file to set the "FAIL_DELAY" parameter to "4" or greater:
-+
-+FAIL_DELAY 4</fixtext><fix id="F-4555r88486_fix" /><check system="C-4555r88485_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the operating system enforces a delay of at least four seconds between console logon prompts following a failed logon attempt.
-+
-+Check the value of the "fail_delay" parameter in the "/etc/login.defs" file with the following command:
-+
-+# grep -i fail_delay /etc/login.defs
-+FAIL_DELAY 4
-+
-+If the value of "FAIL_DELAY" is not set to "4" or greater, or the line is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-204432"><title>SRG-OS-000480-GPOS-00229</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204432r505924_rule" weight="10.0" severity="high"><version>RHEL-07-010440</version><title>The Red Hat Enterprise Linux operating system must not allow an unattended or automatic logon to the system via a graphical user interface.</title><description>&lt;VulnDiscussion&gt;Failure to restrict system access to authenticated users negatively impacts operating system security.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-71953</ident><ident system="http://cyber.mil/legacy">SV-86577</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4556r88489_fix">Configure the operating system to not allow an unattended or automatic logon to the system via a graphical user interface.
-+
-+Note: If the system does not have GNOME installed, this requirement is Not Applicable.
-+
-+Add or edit the line for the "AutomaticLoginEnable" parameter in the [daemon] section of the "/etc/gdm/custom.conf" file to "false":
-+
-+[daemon]
-+AutomaticLoginEnable=false</fixtext><fix id="F-4556r88489_fix" /><check system="C-4556r88488_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the operating system does not allow an unattended or automatic logon to the system via a graphical user interface.
-+
-+Note: If the system does not have GNOME installed, this requirement is Not Applicable. 
-+
-+Check for the value of the "AutomaticLoginEnable" in the "/etc/gdm/custom.conf" file with the following command:
-+
-+# grep -i automaticloginenable /etc/gdm/custom.conf
-+AutomaticLoginEnable=false
-+
-+If the value of "AutomaticLoginEnable" is not set to "false", this is a finding.</check-content></check></Rule></Group><Group id="V-204433"><title>SRG-OS-000480-GPOS-00229</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204433r505924_rule" weight="10.0" severity="high"><version>RHEL-07-010450</version><title>The Red Hat Enterprise Linux operating system must not allow an unrestricted logon to the system.</title><description>&lt;VulnDiscussion&gt;Failure to restrict system access to authenticated users negatively impacts operating system security.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-71955</ident><ident system="http://cyber.mil/legacy">SV-86579</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4557r88492_fix">Configure the operating system to not allow an unrestricted account to log on to the system via a graphical user interface.
-+
-+Note: If the system does not have GNOME installed, this requirement is Not Applicable.
-+
-+Add or edit the line for the "TimedLoginEnable" parameter in the [daemon] section of the "/etc/gdm/custom.conf" file to "false":
-+
-+[daemon]
-+TimedLoginEnable=false</fixtext><fix id="F-4557r88492_fix" /><check system="C-4557r88491_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the operating system does not allow an unrestricted logon to the system via a graphical user interface.
-+
-+Note: If the system does not have GNOME installed, this requirement is Not Applicable. 
-+
-+Check for the value of the "TimedLoginEnable" parameter in "/etc/gdm/custom.conf" file with the following command:
-+
-+# grep -i timedloginenable /etc/gdm/custom.conf
-+TimedLoginEnable=false
-+
-+If the value of "TimedLoginEnable" is not set to "false", this is a finding.</check-content></check></Rule></Group><Group id="V-204434"><title>SRG-OS-000480-GPOS-00229</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204434r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-010460</version><title>The Red Hat Enterprise Linux operating system must not allow users to override SSH environment variables.</title><description>&lt;VulnDiscussion&gt;Failure to restrict system access to authenticated users negatively impacts operating system security.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86581</ident><ident system="http://cyber.mil/legacy">V-71957</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4558r88495_fix">Configure the operating system to not allow users to override environment variables to the SSH daemon.
-+
-+Edit the "/etc/ssh/sshd_config" file to uncomment or add the line for "PermitUserEnvironment" keyword and set the value to "no":
-+
-+PermitUserEnvironment no
-+
-+The SSH service must be restarted for changes to take effect.</fixtext><fix id="F-4558r88495_fix" /><check system="C-4558r88494_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the operating system does not allow users to override environment variables to the SSH daemon.
-+
-+Check for the value of the "PermitUserEnvironment" keyword with the following command:
-+
-+# grep -i permituserenvironment /etc/ssh/sshd_config
-+PermitUserEnvironment no
-+
-+If the "PermitUserEnvironment" keyword is not set to "no", is missing, or is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-204435"><title>SRG-OS-000480-GPOS-00229</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204435r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-010470</version><title>The Red Hat Enterprise Linux operating system must not allow a non-certificate trusted host SSH logon to the system.</title><description>&lt;VulnDiscussion&gt;Failure to restrict system access to authenticated users negatively impacts operating system security.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86583</ident><ident system="http://cyber.mil/legacy">V-71959</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4559r88498_fix">Configure the operating system to not allow a non-certificate trusted host SSH logon to the system.
-+
-+Edit the "/etc/ssh/sshd_config" file to uncomment or add the line for "HostbasedAuthentication" keyword and set the value to "no":
-+
-+HostbasedAuthentication no
-+
-+The SSH service must be restarted for changes to take effect.</fixtext><fix id="F-4559r88498_fix" /><check system="C-4559r88497_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the operating system does not allow a non-certificate trusted host SSH logon to the system.
-+
-+Check for the value of the "HostbasedAuthentication" keyword with the following command:
-+
-+# grep -i hostbasedauthentication /etc/ssh/sshd_config
-+HostbasedAuthentication no
-+
-+If the "HostbasedAuthentication" keyword is not set to "no", is missing, or is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-204436"><title>SRG-OS-000080-GPOS-00048</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204436r505924_rule" weight="10.0" severity="high"><version>RHEL-07-010480</version><title>Red Hat Enterprise Linux operating systems prior to version 7.2 with a Basic Input/Output System (BIOS) must require authentication upon booting into single-user and maintenance modes.</title><description>&lt;VulnDiscussion&gt;If the system does not require valid root authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for RHEL 7 and is designed to require a password to boot into single-user mode or make modifications to the boot menu.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86585</ident><ident system="http://cyber.mil/legacy">V-71961</ident><ident system="http://cyber.mil/cci">CCI-000213</ident><fixtext fixref="F-4560r88501_fix">Configure the system to encrypt the boot password for root.
-+
-+Generate an encrypted grub2 password for root with the following command:
-+
-+Note: The hash generated is an example.
-+
-+# grub2-mkpasswd-pbkdf2
-+
-+Enter Password:
-+Reenter Password:
-+PBKDF2 hash of your password is grub.pbkdf2.sha512.10000.F3A7CFAA5A51EED123BE8238C23B25B2A6909AFC9812F0D45
-+
-+Edit "/etc/grub.d/40_custom" and add the following lines below the comments:
-+
-+# vi /etc/grub.d/40_custom
-+
-+set superusers="root"
-+
-+password_pbkdf2 root {hash from grub2-mkpasswd-pbkdf2 command}
-+
-+Generate a new "grub.conf" file with the new password with the following commands:
-+
-+# grub2-mkconfig --output=/tmp/grub2.cfg
-+# mv /tmp/grub2.cfg /boot/grub2/grub.cfg</fixtext><fix id="F-4560r88501_fix" /><check system="C-4560r88500_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>For systems that use UEFI, this is Not Applicable.
-+For systems that are running RHEL 7.2 or newer, this is Not Applicable.
-+
-+Check to see if an encrypted root password is set. On systems that use a BIOS, use the following command:
-+
-+# grep -i password_pbkdf2 /boot/grub2/grub.cfg
-+
-+password_pbkdf2 [superusers-account] [password-hash]
-+
-+If the root password entry does not begin with "password_pbkdf2", this is a finding.
-+
-+If the "superusers-account" is not set to "root", this is a finding.</check-content></check></Rule></Group><Group id="V-204437"><title>SRG-OS-000080-GPOS-00048</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204437r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-010481</version><title>The Red Hat Enterprise Linux operating system must require authentication upon booting into single-user and maintenance modes.</title><description>&lt;VulnDiscussion&gt;If the system does not require valid root authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-92519</ident><ident system="http://cyber.mil/legacy">V-77823</ident><ident system="http://cyber.mil/cci">CCI-000213</ident><fixtext fixref="F-4561r88504_fix">Configure the operating system to require authentication upon booting into single-user and maintenance modes.
-+
-+Add or modify the "ExecStart" line in "/usr/lib/systemd/system/rescue.service" to include "/usr/sbin/sulogin":
-+
-+ExecStart=-/bin/sh -c "/usr/sbin/sulogin; /usr/bin/systemctl --fail --no-block default"</fixtext><fix id="F-4561r88504_fix" /><check system="C-4561r88503_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the operating system must require authentication upon booting into single-user and maintenance modes.
-+
-+Check that the operating system requires authentication upon booting into single-user mode with the following command:
-+
-+# grep -i execstart /usr/lib/systemd/system/rescue.service | grep -i sulogin
-+
-+ExecStart=-/bin/sh -c "/usr/sbin/sulogin; /usr/bin/systemctl --fail --no-block default"
-+
-+If "ExecStart" does not have "/usr/sbin/sulogin" as an option, this is a finding.</check-content></check></Rule></Group><Group id="V-204438"><title>SRG-OS-000080-GPOS-00048</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204438r505924_rule" weight="10.0" severity="high"><version>RHEL-07-010482</version><title>Red Hat Enterprise Linux operating systems version 7.2 or newer with a Basic Input/Output System (BIOS) must require authentication upon booting into single-user and maintenance modes.</title><description>&lt;VulnDiscussion&gt;If the system does not require valid root authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for RHEL 7 and is designed to require a password to boot into single-user mode or make modifications to the boot menu.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-81005</ident><ident system="http://cyber.mil/legacy">SV-95717</ident><ident system="http://cyber.mil/cci">CCI-000213</ident><fixtext fixref="F-4562r88507_fix">Configure the system to encrypt the boot password for root.
-+
-+Generate an encrypted grub2 password for root with the following command:
-+
-+Note: The hash generated is an example.
-+  
-+# grub2-setpassword
-+Enter password:
-+Confirm password:
-+
-+Edit the /boot/grub2/grub.cfg file and add or modify the following lines in the "### BEGIN /etc/grub.d/01_users ###" section:
-+
-+set superusers="root"
-+export superusers</fixtext><fix id="F-4562r88507_fix" /><check system="C-4562r88506_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>For systems that use UEFI, this is Not Applicable.
-+
-+For systems that are running a version of RHEL prior to 7.2, this is Not Applicable.
-+
-+Check to see if an encrypted root password is set. On systems that use a BIOS, use the following command:
-+
-+# grep -iw grub2_password /boot/grub2/user.cfg
-+GRUB2_PASSWORD=grub.pbkdf2.sha512.[password_hash]
-+
-+If the root password does not begin with "grub.pbkdf2.sha512", this is a finding.
-+
-+Verify that the "root" account is set as the "superusers":
-+
-+# grep -iw "superusers" /boot/grub2/grub.cfg
-+    set superusers="root"
-+    export superusers
-+
-+If "superusers" is not set to "root", this is a finding.</check-content></check></Rule></Group><Group id="V-204439"><title>SRG-OS-000080-GPOS-00048</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204439r505924_rule" weight="10.0" severity="high"><version>RHEL-07-010490</version><title>Red Hat Enterprise Linux operating systems prior to version 7.2 using Unified Extensible Firmware Interface (UEFI) must require authentication upon booting into single-user and maintenance modes.</title><description>&lt;VulnDiscussion&gt;If the system does not require valid root authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for RHEL 7 and is designed to require a password to boot into single-user mode or make modifications to the boot menu.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86587</ident><ident system="http://cyber.mil/legacy">V-71963</ident><ident system="http://cyber.mil/cci">CCI-000213</ident><fixtext fixref="F-4563r88510_fix">Configure the system to encrypt the boot password for root.
-+
-+Generate an encrypted grub2 password for root with the following command:
-+
-+Note: The hash generated is an example.
-+
-+# grub2-mkpasswd-pbkdf2
-+
-+Enter Password:
-+Reenter Password:
-+PBKDF2 hash of your password is grub.pbkdf2.sha512.10000.F3A7CFAA5A51EED123BE8238C23B25B2A6909AFC9812F0D45
-+
-+Edit "/etc/grub.d/40_custom" and add the following lines below the comments:
-+
-+# vi /etc/grub.d/40_custom
-+
-+set superusers="root"
-+
-+password_pbkdf2 root {hash from grub2-mkpasswd-pbkdf2 command}
-+
-+Generate a new "grub.conf" file with the new password with the following commands:
-+
-+# grub2-mkconfig --output=/tmp/grub2.cfg
-+# mv /tmp/grub2.cfg /boot/efi/EFI/redhat/grub.cfg</fixtext><fix id="F-4563r88510_fix" /><check system="C-4563r88509_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>For systems that use BIOS, this is Not Applicable.
-+For systems that are running RHEL 7.2 or newer, this is Not Applicable.
-+
-+Check to see if an encrypted root password is set. On systems that use UEFI, use the following command:
-+
-+# grep -i password /boot/efi/EFI/redhat/grub.cfg
-+
-+password_pbkdf2 [superusers-account] [password-hash]
-+
-+If the root password entry does not begin with "password_pbkdf2", this is a finding.
-+
-+If the "superusers-account" is not set to "root", this is a finding.</check-content></check></Rule></Group><Group id="V-204440"><title>SRG-OS-000080-GPOS-00048</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204440r505924_rule" weight="10.0" severity="high"><version>RHEL-07-010491</version><title>Red Hat Enterprise Linux operating systems version 7.2 or newer using Unified Extensible Firmware Interface (UEFI) must require authentication upon booting into single-user and maintenance modes.</title><description>&lt;VulnDiscussion&gt;If the system does not require valid root authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for RHEL 7 and is designed to require a password to boot into single-user mode or make modifications to the boot menu.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-95719</ident><ident system="http://cyber.mil/legacy">V-81007</ident><ident system="http://cyber.mil/cci">CCI-000213</ident><fixtext fixref="F-4564r88513_fix">Configure the system to encrypt the boot password for root.
-+
-+Generate an encrypted grub2 password for root with the following command:
-+
-+Note: The hash generated is an example.
-+  
-+# grub2-setpassword
-+Enter password:
-+Confirm password:
-+
-+Edit the /boot/efi/EFI/redhat/grub.cfg file and add or modify the following lines in the "### BEGIN /etc/grub.d/01_users ###" section:
-+
-+set superusers="root"
-+export superusers</fixtext><fix id="F-4564r88513_fix" /><check system="C-4564r88512_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>For systems that use BIOS, this is Not Applicable.
-+
-+For systems that are running a version of RHEL prior to 7.2, this is Not Applicable.
-+
-+Check to see if an encrypted root password is set. On systems that use UEFI, use the following command:
-+
-+# grep -iw grub2_password /boot/efi/EFI/redhat/user.cfg
-+GRUB2_PASSWORD=grub.pbkdf2.sha512.[password_hash]
-+
-+If the root password does not begin with "grub.pbkdf2.sha512", this is a finding.
-+
-+Verify that the "root" account is set as the "superusers":
-+
-+# grep -iw "superusers" /boot/efi/EFI/redhat/grub.cfg
-+    set superusers="root"
-+    export superusers
-+
-+If "superusers" is not set to "root", this is a finding.</check-content></check></Rule></Group><Group id="V-204441"><title>SRG-OS-000104-GPOS-00051</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204441r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-010500</version><title>The Red Hat Enterprise Linux operating system must uniquely identify and must authenticate organizational users (or processes acting on behalf of organizational users) using multifactor authentication.</title><description>&lt;VulnDiscussion&gt;To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and compromise of the system.
-+
-+Organizational users include organizational employees or individuals the organization deems to have equivalent status of employees (e.g., contractors). Organizational users (and processes acting on behalf of users) must be uniquely identified and authenticated to all accesses, except for the following:
-+
-+1) Accesses explicitly identified and documented by the organization. Organizations document specific user actions that can be performed on the information system without identification or authentication; 
-+
-+and
-+
-+2) Accesses that occur through authorized use of group authenticators without individual authentication. Organizations may require unique identification of individuals in group accounts (e.g., shared privilege accounts) or for detailed accountability of individual activity.
-+
-+Satisfies: SRG-OS-000104-GPOS-00051, SRG-OS-000106-GPOS-00053, SRG-OS-000107-GPOS-00054, SRG-OS-000109-GPOS-00056, SRG-OS-000108-GPOS-00055, SRG-OS-000108-GPOS-00057, SRG-OS-000108-GPOS-00058&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86589</ident><ident system="http://cyber.mil/legacy">V-71965</ident><ident system="http://cyber.mil/cci">CCI-000766</ident><fixtext fixref="F-4565r88516_fix">Configure the operating system to require individuals to be authenticated with a multifactor authenticator.
-+
-+Enable smartcard logons with the following commands:
-+
-+# authconfig --enablesmartcard --smartcardaction=0 --update
-+# authconfig --enablerequiresmartcard -update
-+
-+Modify the "/etc/pam_pkcs11/pkcs11_eventmgr.conf" file to uncomment the following line:
-+
-+#/usr/X11R6/bin/xscreensaver-command -lock
-+
-+Modify the "/etc/pam_pkcs11/pam_pkcs11.conf" file to use the cackey module if required.</fixtext><fix id="F-4565r88516_fix" /><check system="C-4565r88515_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the operating system requires multifactor authentication to uniquely identify organizational users using multifactor authentication.
-+
-+Check to see if smartcard authentication is enforced on the system:
-+
-+# authconfig --test | grep "pam_pkcs11 is enabled"
-+
-+If no results are returned, this is a finding.
-+
-+# authconfig --test | grep "smartcard removal action"
-+
-+If "smartcard removal action" is blank, this is a finding.
-+
-+# authconfig --test | grep "smartcard module"
-+
-+If "smartcard module" is blank, this is a finding.</check-content></check></Rule></Group><Group id="V-204442"><title>SRG-OS-000095-GPOS-00049</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204442r505924_rule" weight="10.0" severity="high"><version>RHEL-07-020000</version><title>The Red Hat Enterprise Linux operating system must not have the rsh-server package installed.</title><description>&lt;VulnDiscussion&gt;It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
-+
-+Operating systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions).
-+
-+The rsh-server service provides an unencrypted remote access service that does not provide for the confidentiality and integrity of user passwords or the remote session and has very weak authentication.
-+
-+If a privileged user were to log on using this service, the privileged user password could be compromised.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86591</ident><ident system="http://cyber.mil/legacy">V-71967</ident><ident system="http://cyber.mil/cci">CCI-000381</ident><fixtext fixref="F-4566r88519_fix">Configure the operating system to disable non-essential capabilities by removing the rsh-server package from the system with the following command:
-+
-+# yum remove rsh-server</fixtext><fix id="F-4566r88519_fix" /><check system="C-4566r88518_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Check to see if the rsh-server package is installed with the following command:
-+
-+# yum list installed rsh-server
-+
-+If the rsh-server package is installed, this is a finding.</check-content></check></Rule></Group><Group id="V-204443"><title>SRG-OS-000095-GPOS-00049</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204443r505924_rule" weight="10.0" severity="high"><version>RHEL-07-020010</version><title>The Red Hat Enterprise Linux operating system must not have the ypserv package installed.</title><description>&lt;VulnDiscussion&gt;Removing the "ypserv" package decreases the risk of the accidental (or intentional) activation of NIS or NIS+ services.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86593</ident><ident system="http://cyber.mil/legacy">V-71969</ident><ident system="http://cyber.mil/cci">CCI-000381</ident><fixtext fixref="F-4567r88522_fix">Configure the operating system to disable non-essential capabilities by removing the "ypserv" package from the system with the following command:
-+
-+# yum remove ypserv</fixtext><fix id="F-4567r88522_fix" /><check system="C-4567r88521_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>The NIS service provides an unencrypted authentication service that does not provide for the confidentiality and integrity of user passwords or the remote session.
-+
-+Check to see if the "ypserve" package is installed with the following command:
-+
-+# yum list installed ypserv
-+
-+If the "ypserv" package is installed, this is a finding.</check-content></check></Rule></Group><Group id="V-204444"><title>SRG-OS-000324-GPOS-00125</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204444r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-020020</version><title>The Red Hat Enterprise Linux operating system must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.</title><description>&lt;VulnDiscussion&gt;Preventing non-privileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges.
-+
-+Privileged functions include, for example, establishing accounts, performing system integrity checks, or administering cryptographic key management activities. Non-privileged users are individuals who do not possess appropriate authorizations. Circumventing intrusion detection and prevention mechanisms or malicious code protection mechanisms are examples of privileged functions that require protection from non-privileged users.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86595</ident><ident system="http://cyber.mil/legacy">V-71971</ident><ident system="http://cyber.mil/cci">CCI-002165</ident><ident system="http://cyber.mil/cci">CCI-002235</ident><fixtext fixref="F-4568r462535_fix">Configure the operating system to prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.
-+
-+Use the following command to map a new user to the "sysadm_u" role: 
-+
-+#semanage login -a -s sysadm_u &lt;username&gt;
-+
-+Use the following command to map an existing user to the "sysadm_u" role:
-+
-+#semanage login -m -s sysadm_u &lt;username&gt;
-+
-+Use the following command to map a new user to the "staff_u" role:
-+
-+#semanage login -a -s staff_u &lt;username&gt;
-+
-+Use the following command to map an existing user to the "staff_u" role:
-+
-+#semanage login -m -s staff_u &lt;username&gt;
-+
-+Use the following command to map a new user to the "user_u" role:
-+
-+# semanage login -a -s user_u &lt;username&gt;
-+
-+Use the following command to map an existing user to the "user_u" role:
-+
-+# semanage login -m -s user_u &lt;username&gt;</fixtext><fix id="F-4568r462535_fix" /><check system="C-4568r462534_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Note: Per OPORD 16-0080, the preferred intrusion detection system is McAfee Host Intrusion Prevention System (HIPS) in conjunction with SELinux. McAfee Endpoint Security for Linux (ENSL) is an approved alternative to McAfee Virus Scan Enterprise (VSE) and HIPS. For RHEL 7 systems, SELinux is an approved alternative to McAfee HIPS. Regardless of whether or not McAfee HIPS or ENSL is installed, SELinux is interoperable with both McAfee products and SELinux is still required.
-+
-+Verify the operating system prevents non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.
-+
-+Get a list of authorized users (other than System Administrator and guest accounts) for the system.
-+
-+Check the list against the system by using the following command:
-+
-+# semanage login -l | more
-+
-+Login Name SELinux User MLS/MCS Range Service
-+__default__ user_u s0-s0:c0.c1023 *
-+root unconfined_u s0-s0:c0.c1023 *
-+system_u system_u s0-s0:c0.c1023 *
-+joe staff_u s0-s0:c0.c1023 *
-+
-+All administrators must be mapped to the "sysadm_u", "staff_u", or an appropriately tailored confined role as defined by the organization.
-+
-+All authorized non-administrative users must be mapped to the "user_u" role. 
-+
-+If they are not mapped in this way, this is a finding.</check-content></check></Rule></Group><Group id="V-204445"><title>SRG-OS-000363-GPOS-00150</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204445r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-020030</version><title>The Red Hat Enterprise Linux operating system must be configured so that a file integrity tool verifies the baseline operating system configuration at least weekly.</title><description>&lt;VulnDiscussion&gt;Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may be relevant to security.
-+
-+Detecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the operating system. The operating system's Information Management Officer (IMO)/Information System Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86597</ident><ident system="http://cyber.mil/legacy">V-71973</ident><ident system="http://cyber.mil/cci">CCI-001744</ident><fixtext fixref="F-4569r499376_fix">Configure the file integrity tool to run automatically on the system at least weekly. The following example output is generic. It will set cron to run AIDE daily, but other file integrity tools may be used:  
-+
-+# more /etc/cron.daily/aide
-+#!/bin/bash
-+
-+/usr/sbin/aide --check | /bin/mail -s "$HOSTNAME - Daily aide integrity check run" root@sysname.mil</fixtext><fix id="F-4569r499376_fix" /><check system="C-4569r499375_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the operating system routinely checks the baseline configuration for unauthorized changes.
-+
-+Note: A file integrity tool other than Advanced Intrusion Detection Environment (AIDE) may be used, but the tool must be executed at least once per week.
-+
-+Check to see if AIDE is installed on the system with the following command:
-+
-+# yum list installed aide
-+
-+If AIDE is not installed, ask the SA how file integrity checks are performed on the system.
-+
-+Check for the presence of a cron job running daily or weekly on the system that executes AIDE daily to scan for changes to the system baseline. The command used in the example will use a daily occurrence.
-+
-+Check the cron directories for a script file controlling the execution of the file integrity application. For example, if AIDE is installed on the system, use the following command:
-+
-+# ls -al /etc/cron.* | grep aide
-+-rwxr-xr-x 1 root root 29 Nov 22 2015 aide
-+
-+# grep aide /etc/crontab /var/spool/cron/root
-+/etc/crontab: 30 04 * * * root /usr/sbin/aide  --check
-+/var/spool/cron/root: 30 04 * * * /usr/sbin/aide  --check
-+
-+If the file integrity application does not exist, or a script file controlling the execution of the file integrity application does not exist, this is a finding.</check-content></check></Rule></Group><Group id="V-204446"><title>SRG-OS-000363-GPOS-00150</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204446r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-020040</version><title>The Red Hat Enterprise Linux operating system must be configured so that designated personnel are notified if baseline configurations are changed in an unauthorized manner.</title><description>&lt;VulnDiscussion&gt;Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may be relevant to security.
-+
-+Detecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the operating system. The operating system's Information Management Officer (IMO)/Information System Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-71975</ident><ident system="http://cyber.mil/legacy">SV-86599</ident><ident system="http://cyber.mil/cci">CCI-001744</ident><fixtext fixref="F-4570r499379_fix">Configure the operating system to notify designated personnel if baseline configurations are changed in an unauthorized manner. The AIDE tool can be configured to email designated personnel with the use of the cron system. 
-+
-+The following example output is generic. It will set cron to run AIDE daily and to send email at the completion of the analysis. 
-+
-+# more /etc/cron.daily/aide
-+
-+/usr/sbin/aide --check | /bin/mail -s "$HOSTNAME - Daily aide integrity check run" root@sysname.mil</fixtext><fix id="F-4570r499379_fix" /><check system="C-4570r499378_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the operating system notifies designated personnel if baseline configurations are changed in an unauthorized manner.
-+
-+Note: A file integrity tool other than Advanced Intrusion Detection Environment (AIDE) may be used, but the tool must be executed and notify specified individuals via email or an alert.
-+
-+Check to see if AIDE is installed on the system with the following command:
-+
-+# yum list installed aide
-+
-+If AIDE is not installed, ask the SA how file integrity checks are performed on the system. 
-+
-+Check for the presence of a cron job running routinely on the system that executes AIDE to scan for changes to the system baseline. The commands used in the example will use a daily occurrence.
-+
-+Check the cron directories for a "crontab" script file controlling the execution of the file integrity application. For example, if AIDE is installed on the system, use the following command:
-+
-+# ls -al /etc/cron.* | grep aide
-+-rwxr-xr-x 1 root root 32 Jul 1 2011 aide
-+
-+# grep aide /etc/crontab /var/spool/cron/root
-+/etc/crontab: 30 04 * * * root /usr/sbin/aide  --check
-+/var/spool/cron/root: 30 04 * * * /usr/sbin/aide  --check
-+
-+AIDE does not have a configuration that will send a notification, so the cron job uses the mail application on the system to email the results of the file integrity run as in the following example:
-+
-+# more /etc/cron.daily/aide
-+#!/bin/bash
-+
-+/usr/sbin/aide --check | /bin/mail -s "$HOSTNAME - Daily aide integrity check run" root@sysname.mil
-+
-+If the file integrity application does not notify designated personnel of changes, this is a finding.</check-content></check></Rule></Group><Group id="V-204447"><title>SRG-OS-000366-GPOS-00153</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204447r505924_rule" weight="10.0" severity="high"><version>RHEL-07-020050</version><title>The Red Hat Enterprise Linux operating system must prevent the installation of software, patches, service packs, device drivers, or operating system components from a repository without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization.</title><description>&lt;VulnDiscussion&gt;Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor.
-+
-+Accordingly, patches, service packs, device drivers, or operating system components must be signed with a certificate recognized and approved by the organization.
-+
-+Verifying the authenticity of the software prior to installation validates the integrity of the patch or upgrade received from a vendor. This verifies the software has not been tampered with and that it has been provided by a trusted vendor. Self-signed certificates are disallowed by this requirement. The operating system should not have to verify the software again. This requirement does not mandate DoD certificates for this purpose; however, the certificate used to verify the software must be from an approved CA.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-71977</ident><ident system="http://cyber.mil/legacy">SV-86601</ident><ident system="http://cyber.mil/cci">CCI-001749</ident><fixtext fixref="F-4571r88534_fix">Configure the operating system to verify the signature of packages from a repository prior to install by setting the following option in the "/etc/yum.conf" file:
-+
-+gpgcheck=1</fixtext><fix id="F-4571r88534_fix" /><check system="C-4571r88533_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the operating system prevents the installation of patches, service packs, device drivers, or operating system components from a repository without verification that they have been digitally signed using a certificate that is recognized and approved by the organization.
-+
-+Check that yum verifies the signature of packages from a repository prior to install with the following command:
-+
-+# grep gpgcheck /etc/yum.conf
-+gpgcheck=1
-+
-+If "gpgcheck" is not set to "1", or if options are missing or commented out, ask the System Administrator how the certificates for patches and other operating system components are verified. 
-+
-+If there is no process to validate certificates that is approved by the organization, this is a finding.</check-content></check></Rule></Group><Group id="V-204448"><title>SRG-OS-000366-GPOS-00153</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204448r505924_rule" weight="10.0" severity="high"><version>RHEL-07-020060</version><title>The Red Hat Enterprise Linux operating system must prevent the installation of software, patches, service packs, device drivers, or operating system components of local packages without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization.</title><description>&lt;VulnDiscussion&gt;Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor.
-+
-+Accordingly, patches, service packs, device drivers, or operating system components must be signed with a certificate recognized and approved by the organization.
-+
-+Verifying the authenticity of the software prior to installation validates the integrity of the patch or upgrade received from a vendor. This verifies the software has not been tampered with and that it has been provided by a trusted vendor. Self-signed certificates are disallowed by this requirement. The operating system should not have to verify the software again. This requirement does not mandate DoD certificates for this purpose; however, the certificate used to verify the software must be from an approved CA.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-71979</ident><ident system="http://cyber.mil/legacy">SV-86603</ident><ident system="http://cyber.mil/cci">CCI-001749</ident><fixtext fixref="F-4572r88537_fix">Configure the operating system to verify the signature of local packages prior to install by setting the following option in the "/etc/yum.conf" file:
-+
-+localpkg_gpgcheck=1</fixtext><fix id="F-4572r88537_fix" /><check system="C-4572r88536_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the operating system prevents the installation of patches, service packs, device drivers, or operating system components of local packages without verification that they have been digitally signed using a certificate that is recognized and approved by the organization.
-+
-+Check that yum verifies the signature of local packages prior to install with the following command:
-+
-+# grep localpkg_gpgcheck /etc/yum.conf
-+localpkg_gpgcheck=1
-+
-+If "localpkg_gpgcheck" is not set to "1", or if options are missing or commented out, ask the System Administrator how the signatures of local packages and other operating system components are verified. 
-+
-+If there is no process to validate the signatures of local packages that is approved by the organization, this is a finding.</check-content></check></Rule></Group><Group id="V-204449"><title>SRG-OS-000114-GPOS-00059</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204449r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-020100</version><title>The Red Hat Enterprise Linux operating system must be configured to disable USB mass storage.</title><description>&lt;VulnDiscussion&gt;USB mass storage permits easy introduction of unknown devices, thereby facilitating malicious activity.
-+
-+Satisfies: SRG-OS-000114-GPOS-00059, SRG-OS-000378-GPOS-00163, SRG-OS-000480-GPOS-00227&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-71983</ident><ident system="http://cyber.mil/legacy">SV-86607</ident><ident system="http://cyber.mil/cci">CCI-000778</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><ident system="http://cyber.mil/cci">CCI-001958</ident><fixtext fixref="F-4573r462538_fix">Configure the operating system to disable the ability to use the USB Storage kernel module.
-+
-+Create a file under "/etc/modprobe.d" with the following command:
-+
-+# touch /etc/modprobe.d/usb-storage.conf
-+
-+Add the following line to the created file:
-+
-+install usb-storage /bin/true
-+
-+Configure the operating system to disable the ability to use USB mass storage devices.
-+
-+# vi /etc/modprobe.d/blacklist.conf
-+
-+Add or update the line:
-+
-+blacklist usb-storage</fixtext><fix id="F-4573r462538_fix" /><check system="C-4573r462537_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the operating system disables the ability to load the USB Storage kernel module.
-+
-+# grep -r usb-storage /etc/modprobe.d/* | grep -i "/bin/true" | grep -v "^#"
-+
-+install usb-storage /bin/true
-+
-+If the command does not return any output, or the line is commented out, and use of USB Storage is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.
-+
-+Verify the operating system disables the ability to use USB mass storage devices.
-+
-+Check to see if USB mass storage is disabled with the following command:
-+
-+# grep usb-storage /etc/modprobe.d/* | grep -i "blacklist" | grep -v "^#"
-+blacklist usb-storage
-+
-+If the command does not return any output or the output is not "blacklist usb-storage", and use of USB storage devices is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.</check-content></check></Rule></Group><Group id="V-204450"><title>SRG-OS-000378-GPOS-00163</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204450r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-020101</version><title>The Red Hat Enterprise Linux operating system must be configured so that the Datagram Congestion Control Protocol (DCCP) kernel module is disabled unless required.</title><description>&lt;VulnDiscussion&gt;Disabling DCCP protects the system against exploitation of any flaws in the protocol implementation.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-77821</ident><ident system="http://cyber.mil/legacy">SV-92517</ident><ident system="http://cyber.mil/cci">CCI-001958</ident><fixtext fixref="F-4574r88543_fix">Configure the operating system to disable the ability to use the DCCP kernel module.
-+
-+Create a file under "/etc/modprobe.d" with the following command:
-+
-+# touch /etc/modprobe.d/dccp.conf
-+
-+Add the following line to the created file:
-+
-+install dccp /bin/true
-+
-+Ensure that the DCCP module is blacklisted: 
-+
-+# vi /etc/modprobe.d/blacklist.conf
-+
-+Add or update the line:
-+
-+blacklist dccp</fixtext><fix id="F-4574r88543_fix" /><check system="C-4574r88542_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the operating system disables the ability to load the DCCP kernel module.
-+
-+# grep -r dccp /etc/modprobe.d/* | grep -i "/bin/true" | grep -v "^#"
-+
-+install dccp /bin/true
-+
-+If the command does not return any output, or the line is commented out, and use of DCCP is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.
-+
-+Verify the operating system disables the ability to use the DCCP kernel module.
-+
-+Check to see if the DCCP kernel module is disabled with the following command:
-+
-+# grep -i dccp /etc/modprobe.d/* | grep -i "blacklist" | grep -v "^#"
-+
-+blacklist dccp
-+
-+If the command does not return any output or the output is not "blacklist dccp", and use of the dccp kernel module is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.</check-content></check></Rule></Group><Group id="V-204451"><title>SRG-OS-000114-GPOS-00059</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204451r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-020110</version><title>The Red Hat Enterprise Linux operating system must disable the file system automounter unless required.</title><description>&lt;VulnDiscussion&gt;Automatically mounting file systems permits easy introduction of unknown devices, thereby facilitating malicious activity.
-+
-+Satisfies: SRG-OS-000114-GPOS-00059, SRG-OS-000378-GPOS-00163, SRG-OS-000480-GPOS-00227&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-71985</ident><ident system="http://cyber.mil/legacy">SV-86609</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><ident system="http://cyber.mil/cci">CCI-000778</ident><ident system="http://cyber.mil/cci">CCI-001958</ident><fixtext fixref="F-4575r88546_fix">Configure the operating system to disable the ability to automount devices.
-+
-+Turn off the automount service with the following commands:
-+
-+# systemctl stop autofs
-+# systemctl disable autofs
-+
-+If "autofs" is required for Network File System (NFS), it must be documented with the ISSO.</fixtext><fix id="F-4575r88546_fix" /><check system="C-4575r88545_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the operating system disables the ability to automount devices.
-+
-+Check to see if automounter service is active with the following command:
-+
-+# systemctl status autofs
-+autofs.service - Automounts filesystems on demand
-+   Loaded: loaded (/usr/lib/systemd/system/autofs.service; disabled)
-+   Active: inactive (dead)
-+
-+If the "autofs" status is set to "active" and is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.</check-content></check></Rule></Group><Group id="V-204452"><title>SRG-OS-000437-GPOS-00194</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204452r505924_rule" weight="10.0" severity="low"><version>RHEL-07-020200</version><title>The Red Hat Enterprise Linux operating system must remove all software components after updated versions have been installed.</title><description>&lt;VulnDiscussion&gt;Previous versions of software components that are not removed from the information system after updates have been installed may be exploited by adversaries. Some information technology products may remove older versions of software automatically from the information system.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-71987</ident><ident system="http://cyber.mil/legacy">SV-86611</ident><ident system="http://cyber.mil/cci">CCI-002617</ident><fixtext fixref="F-4576r88549_fix">Configure the operating system to remove all software components after updated versions have been installed.
-+
-+Set the "clean_requirements_on_remove" option to "1" in the "/etc/yum.conf" file:
-+
-+clean_requirements_on_remove=1</fixtext><fix id="F-4576r88549_fix" /><check system="C-4576r88548_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the operating system removes all software components after updated versions have been installed.
-+
-+Check if yum is configured to remove unneeded packages with the following command:
-+
-+# grep -i clean_requirements_on_remove /etc/yum.conf
-+clean_requirements_on_remove=1
-+
-+If "clean_requirements_on_remove" is not set to "1", "True", or "yes", or is not set in "/etc/yum.conf", this is a finding.</check-content></check></Rule></Group><Group id="V-204453"><title>SRG-OS-000445-GPOS-00199</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204453r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-020210</version><title>The Red Hat Enterprise Linux operating system must enable SELinux.</title><description>&lt;VulnDiscussion&gt;Without verification of the security functions, security functions may not operate correctly and the failure may go unnoticed. Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters.
-+
-+This requirement applies to operating systems performing security function verification/testing and/or systems and environments that require this functionality.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-71989</ident><ident system="http://cyber.mil/legacy">SV-86613</ident><ident system="http://cyber.mil/cci">CCI-002696</ident><ident system="http://cyber.mil/cci">CCI-002165</ident><fixtext fixref="F-4577r499382_fix">Configure the operating system to verify correct operation of all security functions.
-+
-+Set the "SELinux" status and the "Enforcing" mode by modifying the "/etc/selinux/config" file to have the following line:
-+
-+SELINUX=enforcing
-+
-+A reboot is required for the changes to take effect.</fixtext><fix id="F-4577r499382_fix" /><check system="C-4577r499381_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Per OPORD 16-0080, the preferred intrusion detection system is McAfee Host Intrusion Prevention System (HIPS) in conjunction with SELinux.  McAfee Endpoint Security for Linux (ENSL) is an approved alternative to McAfee Virus Scan Enterprise (VSE) and HIPS. For RHEL 7 systems, SELinux is an approved alternative to McAfee HIPS. Regardless of whether or not McAfee HIPS or ENSL is installed, SELinux is interoperable with both McAfee products and SELinux is still required.
-+
-+Verify the operating system verifies correct operation of all security functions.
-+
-+Check if "SELinux" is active and in "Enforcing" mode with the following command:
-+
-+# getenforce
-+Enforcing
-+
-+If "SELinux" is not active and not in "Enforcing" mode, this is a finding.</check-content></check></Rule></Group><Group id="V-204454"><title>SRG-OS-000445-GPOS-00199</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204454r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-020220</version><title>The Red Hat Enterprise Linux operating system must enable the SELinux targeted policy.</title><description>&lt;VulnDiscussion&gt;Without verification of the security functions, security functions may not operate correctly and the failure may go unnoticed. Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters.
-+
-+This requirement applies to operating systems performing security function verification/testing and/or systems and environments that require this functionality.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-71991</ident><ident system="http://cyber.mil/legacy">SV-86615</ident><ident system="http://cyber.mil/cci">CCI-002696</ident><ident system="http://cyber.mil/cci">CCI-002165</ident><fixtext fixref="F-4578r499385_fix">Configure the operating system to verify correct operation of all security functions.
-+
-+Set the "SELinuxtype" to the "targeted" policy by modifying the "/etc/selinux/config" file to have the following line:
-+
-+SELINUXTYPE=targeted
-+
-+A reboot is required for the changes to take effect.</fixtext><fix id="F-4578r499385_fix" /><check system="C-4578r499384_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Per OPORD 16-0080, the preferred intrusion detection system is McAfee Host Intrusion Prevention System (HIPS) in conjunction with SELinux. McAfee Endpoint Security for Linux (ENSL) is an approved alternative to McAfee Virus Scan Enterprise (VSE) and HIPS. For RHEL 7 systems, SELinux is an approved alternative to McAfee HIPS. Regardless of whether or not McAfee HIPS or ENSL is installed, SELinux is interoperable with both McAfee products and SELinux is still required.
-+
-+Verify the operating system verifies correct operation of all security functions.
-+
-+Check if "SELinux" is active and is enforcing the targeted policy with the following command:
-+
-+# sestatus
-+
-+SELinux status: enabled
-+
-+SELinuxfs mount: /selinux
-+
-+SELinux root directory: /etc/selinux
-+
-+Loaded policy name: targeted
-+
-+Current mode: enforcing
-+
-+Mode from config file: enforcing
-+
-+Policy MLS status: enabled
-+
-+Policy deny_unknown status: allowed
-+
-+Max kernel policy version: 28
-+
-+If the "Loaded policy name" is not set to "targeted", this is a finding.
-+
-+Verify that the /etc/selinux/config file is configured to the "SELINUXTYPE" to "targeted":
-+
-+# grep -i "selinuxtype" /etc/selinux/config | grep -v '^#'
-+
-+SELINUXTYPE = targeted
-+
-+If no results are returned or "SELINUXTYPE" is not set to "targeted", this is a finding.</check-content></check></Rule></Group><Group id="V-204455"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204455r505924_rule" weight="10.0" severity="high"><version>RHEL-07-020230</version><title>The Red Hat Enterprise Linux operating system must be configured so that the x86 Ctrl-Alt-Delete key sequence is disabled on the command line.</title><description>&lt;VulnDiscussion&gt;A locally logged-on user who presses Ctrl-Alt-Delete, when at the console, can reboot the system. If accidentally pressed, as could happen in the case of a mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot. In the GNOME graphical environment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is reduced because the user will be prompted before any action is taken.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86617</ident><ident system="http://cyber.mil/legacy">V-71993</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4579r88558_fix">Configure the system to disable the Ctrl-Alt-Delete sequence for the command line with the following command:
-+
-+# systemctl mask ctrl-alt-del.target</fixtext><fix id="F-4579r88558_fix" /><check system="C-4579r88557_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the operating system is not configured to reboot the system when Ctrl-Alt-Delete is pressed.
-+
-+Check that the ctrl-alt-del.target is masked and not active with the following command:
-+
-+# systemctl status ctrl-alt-del.target
-+
-+ctrl-alt-del.target
-+Loaded: masked (/dev/null; bad)
-+Active: inactive (dead)
-+
-+If the ctrl-alt-del.target is not masked, this is a finding.
-+
-+If the ctrl-alt-del.target is active, this is a finding.</check-content></check></Rule></Group><Group id="V-204456"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204456r505924_rule" weight="10.0" severity="high"><version>RHEL-07-020231</version><title>The Red Hat Enterprise Linux operating system must be configured so that the x86 Ctrl-Alt-Delete key sequence is disabled in the Graphical User Interface.</title><description>&lt;VulnDiscussion&gt;A locally logged-on user who presses Ctrl-Alt-Delete, when at the console, can reboot the system. If accidentally pressed, as could happen in the case of a mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot. In the graphical environment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is reduced because the user will be prompted before any action is taken.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-94843</ident><ident system="http://cyber.mil/legacy">SV-104673</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4580r297481_fix">Configure the system to disable the Ctrl-Alt-Delete sequence for the graphical user interface with the following command:
-+
-+# touch /etc/dconf/db/local.d/00-disable-CAD 
-+
-+Add the setting to disable the Ctrl-Alt-Delete sequence for the graphical user interface:
-+
-+[org/gnome/settings-daemon/plugins/media-keys]
-+logout=''</fixtext><fix id="F-4580r297481_fix" /><check system="C-4580r297488_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Note: If the operating system does not have a graphical user interface installed, this requirement is Not Applicable.
-+
-+Verify the operating system is not configured to reboot the system when Ctrl-Alt-Delete is pressed.
-+
-+Check that the ctrl-alt-del.target is masked and not active in the graphical user interface with the following command:
-+
-+# grep logout /etc/dconf/db/local.d/*
-+
-+logout=''
-+
-+If "logout" is not set to use two single quotations, or is missing, this is a finding.</check-content></check></Rule></Group><Group id="V-204457"><title>SRG-OS-000480-GPOS-00228</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204457r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-020240</version><title>The Red Hat Enterprise Linux operating system must define default permissions for all authenticated users in such a way that the user can only read and modify their own files.</title><description>&lt;VulnDiscussion&gt;Setting the most restrictive default permissions ensures that when new accounts are created, they do not have unnecessary access.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86619</ident><ident system="http://cyber.mil/legacy">V-71995</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4581r88564_fix">Configure the operating system to define default permissions for all authenticated users in such a way that the user can only read and modify their own files.
-+
-+Add or edit the line for the "UMASK" parameter in "/etc/login.defs" file to "077":
-+
-+UMASK  077</fixtext><fix id="F-4581r88564_fix" /><check system="C-4581r88563_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the operating system defines default permissions for all authenticated users in such a way that the user can only read and modify their own files.
-+
-+Check for the value of the "UMASK" parameter in "/etc/login.defs" file with the following command:
-+
-+Note: If the value of the "UMASK" parameter is set to "000" in "/etc/login.defs" file, the Severity is raised to a CAT I.
-+
-+# grep -i umask /etc/login.defs
-+UMASK  077
-+
-+If the value for the "UMASK" parameter is not "077", or the "UMASK" parameter is missing or is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-204458"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204458r505924_rule" weight="10.0" severity="high"><version>RHEL-07-020250</version><title>The Red Hat Enterprise Linux operating system must be a vendor supported release.</title><description>&lt;VulnDiscussion&gt;An operating system release is considered "supported" if the vendor continues to provide security patches for the product. With an unsupported release, it will not be possible to resolve security issues discovered in the system software.
-+
-+Red Hat offers the Extended Update Support (EUS) Add-On to a Red Hat Enterprise Linux subscription, for a fee, for those customers who wish to standardize on a specific minor release for an extended period. RHEL 7.7 marks the final minor release that EUS will be available.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86621</ident><ident system="http://cyber.mil/legacy">V-71997</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4582r462547_fix">Upgrade to a supported version of the operating system.</fixtext><fix id="F-4582r462547_fix" /><check system="C-4582r462546_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the version of the operating system is vendor supported.
-+
-+Check the version of the operating system with the following command:
-+
-+# cat /etc/redhat-release
-+
-+Red Hat Enterprise Linux Server release 7.4 (Maipo)
-+
-+Current End of Extended Update Support for RHEL 7.6 is 31 October 2020.
-+
-+Current End of Extended Update Support for RHEL 7.7 is 31 August 2021.
-+
-+Current End of Maintenance Support for RHEL 7.8 is 31 October 2020.
-+
-+Current End of Maintenance Support for RHEL 7.9 is 30 April 2021.
-+
-+If the release is not supported by the vendor, this is a finding.</check-content></check></Rule></Group><Group id="V-204459"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204459r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-020260</version><title>The Red Hat Enterprise Linux operating system security patches and updates must be installed and up to date.</title><description>&lt;VulnDiscussion&gt;Timely patching is critical for maintaining the operational availability, confidentiality, and integrity of information technology (IT) systems. However, failure to keep operating system and application software patched is a common mistake made by IT professionals. New patches are released daily, and it is often difficult for even experienced System Administrators to keep abreast of all the new patches. When new weaknesses in an operating system exist, patches are usually made available by the vendor to resolve the problems. If the most recent security patches and updates are not installed, unauthorized users may take advantage of weaknesses in the unpatched software. The lack of prompt attention to patching could result in a system compromise.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86623</ident><ident system="http://cyber.mil/legacy">V-71999</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4583r88570_fix">Install the operating system patches or updated packages available from Red Hat within 30 days or sooner as local policy dictates.</fixtext><fix id="F-4583r88570_fix" /><check system="C-4583r88569_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the operating system security patches and updates are installed and up to date. Updates are required to be applied with a frequency determined by the site or Program Management Office (PMO). 
-+
-+Obtain the list of available package security updates from Red Hat. The URL for updates is https://rhn.redhat.com/errata/. It is important to note that updates provided by Red Hat may not be present on the system if the underlying packages are not installed.
-+
-+Check that the available package security updates have been installed on the system with the following command:
-+
-+# yum history list | more
-+Loaded plugins: langpacks, product-id, subscription-manager
-+ID     | Command line             | Date and time    | Action(s)      | Altered
-+-------------------------------------------------------------------------------
-+    70 | install aide             | 2016-05-05 10:58 | Install       |     1   
-+    69 | update -y                | 2016-05-04 14:34 | Update     |   18 EE
-+    68 | install vlc                | 2016-04-21 17:12 | Install        |   21   
-+    67 | update -y                | 2016-04-21 17:04 | Update     |     7 EE
-+    66 | update -y                | 2016-04-15 16:47 | E, I, U         |   84 EE
-+
-+If package updates have not been performed on the system within the timeframe that the site/program documentation requires, this is a finding. 
-+
-+Typical update frequency may be overridden by Information Assurance Vulnerability Alert (IAVA) notifications from CYBERCOM.
-+
-+If the operating system is in non-compliance with the Information Assurance Vulnerability Management (IAVM) process, this is a finding.</check-content></check></Rule></Group><Group id="V-204460"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204460r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-020270</version><title>The Red Hat Enterprise Linux operating system must not have unnecessary accounts.</title><description>&lt;VulnDiscussion&gt;Accounts providing no operational purpose provide additional opportunities for system compromise. Unnecessary accounts include user accounts for individuals not requiring access to the system and application accounts for applications not installed on the system.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86625</ident><ident system="http://cyber.mil/legacy">V-72001</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4584r88573_fix">Configure the system so all accounts on the system are assigned to an active system, application, or user account. 
-+
-+Remove accounts that do not support approved system activities or that allow for a normal user to perform administrative-level actions. 
-+
-+Document all authorized accounts on the system.</fixtext><fix id="F-4584r88573_fix" /><check system="C-4584r88572_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify all accounts on the system are assigned to an active system, application, or user account.
-+
-+Obtain the list of authorized system accounts from the Information System Security Officer (ISSO).
-+
-+Check the system accounts on the system with the following command:
-+
-+# more /etc/passwd
-+root:x:0:0:root:/root:/bin/bash
-+bin:x:1:1:bin:/bin:/sbin/nologin
-+daemon:x:2:2:daemon:/sbin:/sbin/nologin
-+sync:x:5:0:sync:/sbin:/bin/sync
-+shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
-+halt:x:7:0:halt:/sbin:/sbin/halt
-+games:x:12:100:games:/usr/games:/sbin/nologin
-+gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
-+
-+Accounts such as "games" and "gopher" are not authorized accounts as they do not support authorized system functions. 
-+
-+If the accounts on the system do not match the provided documentation, or accounts that do not support an authorized system function are present, this is a finding.</check-content></check></Rule></Group><Group id="V-204461"><title>SRG-OS-000104-GPOS-00051</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204461r505924_rule" weight="10.0" severity="low"><version>RHEL-07-020300</version><title>The Red Hat Enterprise Linux operating system must be configured so that all Group Identifiers (GIDs) referenced in the /etc/passwd file are defined in the /etc/group file.</title><description>&lt;VulnDiscussion&gt;If a user is assigned the GID of a group not existing on the system, and a group with the GID is subsequently created, the user may have unintended rights to any files associated with the group.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86627</ident><ident system="http://cyber.mil/legacy">V-72003</ident><ident system="http://cyber.mil/cci">CCI-000764</ident><fixtext fixref="F-4585r88576_fix">Configure the system to define all GIDs found in the "/etc/passwd" file by modifying the "/etc/group" file to add any non-existent group referenced in the "/etc/passwd" file, or change the GIDs referenced in the "/etc/passwd" file to a group that exists in "/etc/group".</fixtext><fix id="F-4585r88576_fix" /><check system="C-4585r88575_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify all GIDs referenced in the "/etc/passwd" file are defined in the "/etc/group" file.
-+
-+Check that all referenced GIDs exist with the following command:
-+
-+# pwck -r
-+
-+If GIDs referenced in "/etc/passwd" file are returned as not defined in "/etc/group" file, this is a finding.</check-content></check></Rule></Group><Group id="V-204462"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204462r505924_rule" weight="10.0" severity="high"><version>RHEL-07-020310</version><title>The Red Hat Enterprise Linux operating system must be configured so that the root account must be the only account having unrestricted access to the system.</title><description>&lt;VulnDiscussion&gt;If an account other than root also has a User Identifier (UID) of "0", it has root authority, giving that account unrestricted access to the entire operating system. Multiple accounts with a UID of "0" afford an opportunity for potential intruders to guess a password for a privileged account.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86629</ident><ident system="http://cyber.mil/legacy">V-72005</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4586r88579_fix">Change the UID of any account on the system, other than root, that has a UID of "0". 
-+
-+If the account is associated with system commands or applications, the UID should be changed to one greater than "0" but less than "1000". Otherwise, assign a UID of greater than "1000" that has not already been assigned.</fixtext><fix id="F-4586r88579_fix" /><check system="C-4586r88578_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Check the system for duplicate UID "0" assignments with the following command:
-+
-+# awk -F: '$3 == 0 {print $1}' /etc/passwd
-+
-+If any accounts other than root have a UID of "0", this is a finding.</check-content></check></Rule></Group><Group id="V-204463"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204463r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-020320</version><title>The Red Hat Enterprise Linux operating system must be configured so that all files and directories have a valid owner.</title><description>&lt;VulnDiscussion&gt;Unowned files and directories may be unintentionally inherited if a user is assigned the same User Identifier "UID" as the UID of the un-owned files.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86631</ident><ident system="http://cyber.mil/legacy">V-72007</ident><ident system="http://cyber.mil/cci">CCI-002165</ident><fixtext fixref="F-4587r88582_fix">Either remove all files and directories from the system that do not have a valid user, or assign a valid user to all unowned files and directories on the system with the "chown" command:
-+
-+# chown &lt;user&gt; &lt;file&gt;</fixtext><fix id="F-4587r88582_fix" /><check system="C-4587r88581_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify all files and directories on the system have a valid owner.
-+
-+Check the owner of all files and directories with the following command:
-+
-+Note: The value after -fstype must be replaced with the filesystem type. XFS is used as an example.
-+
-+# find / -fstype xfs -nouser
-+
-+If any files on the system do not have an assigned owner, this is a finding.</check-content></check></Rule></Group><Group id="V-204464"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204464r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-020330</version><title>The Red Hat Enterprise Linux operating system must be configured so that all files and directories have a valid group owner.</title><description>&lt;VulnDiscussion&gt;Files without a valid group owner may be unintentionally inherited if a group is assigned the same Group Identifier (GID) as the GID of the files without a valid group owner.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-72009</ident><ident system="http://cyber.mil/legacy">SV-86633</ident><ident system="http://cyber.mil/cci">CCI-002165</ident><fixtext fixref="F-4588r88585_fix">Either remove all files and directories from the system that do not have a valid group, or assign a valid group to all files and directories on the system with the "chgrp" command:
-+
-+# chgrp &lt;group&gt; &lt;file&gt;</fixtext><fix id="F-4588r88585_fix" /><check system="C-4588r88584_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify all files and directories on the system have a valid group.
-+
-+Check the owner of all files and directories with the following command:
-+
-+Note: The value after -fstype must be replaced with the filesystem type. XFS is used as an example.
-+
-+# find / -fstype xfs -nogroup
-+
-+If any files on the system do not have an assigned group, this is a finding.</check-content></check></Rule></Group><Group id="V-204466"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204466r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-020610</version><title>The Red Hat Enterprise Linux operating system must be configured so that all local interactive user accounts, upon creation, are assigned a home directory.</title><description>&lt;VulnDiscussion&gt;If local interactive users are not assigned a valid home directory, there is no place for the storage and control of files they should own.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-72013</ident><ident system="http://cyber.mil/legacy">SV-86637</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4590r88591_fix">Configure the operating system to assign home directories to all new local interactive users by setting the "CREATE_HOME" parameter in "/etc/login.defs" to "yes" as follows.
-+
-+CREATE_HOME yes</fixtext><fix id="F-4590r88591_fix" /><check system="C-4590r88590_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify all local interactive users on the system are assigned a home directory upon creation.
-+
-+Check to see if the system is configured to create home directories for local interactive users with the following command:
-+
-+# grep -i create_home /etc/login.defs
-+CREATE_HOME yes
-+
-+If the value for "CREATE_HOME" parameter is not set to "yes", the line is missing, or the line is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-204467"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204467r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-020620</version><title>The Red Hat Enterprise Linux operating system must be configured so that all local interactive users have a home directory assigned and defined in the /etc/passwd file.</title><description>&lt;VulnDiscussion&gt;If local interactive users are not assigned a valid home directory, there is no place for the storage and control of files they should own.
-+
-+In addition, if a local interactive user has a home directory defined that does not exist, the user may be given access to the / directory as the current working directory upon logon. This could create a Denial of Service because the user would not be able to access their logon configuration files, and it may give them visibility to system files they normally would not be able to access.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-72015</ident><ident system="http://cyber.mil/legacy">SV-86639</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4591r462550_fix">Create home directories to all local interactive users that currently do not have a home directory assigned. Use the following commands to create the user home directory assigned in "/etc/ passwd":
-+
-+Note: The example will be for the user smithj, who has a home directory of "/home/smithj", a UID of "smithj", and a Group Identifier (GID) of "users" assigned in "/etc/passwd".
-+
-+# mkdir /home/smithj 
-+# chown smithj /home/smithj
-+# chgrp users /home/smithj
-+# chmod 0750 /home/smithj</fixtext><fix id="F-4591r462550_fix" /><check system="C-4591r462549_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify local interactive users on the system have a home directory assigned and the directory exists.
-+
-+Check the home directory assignment for all local interactive non-privileged users on the system with the following command:
-+
-+# cut -d: -f 1,3,6 /etc/passwd | egrep ":[1-9][0-9]{3}"
-+
-+smithj:1001:/home/smithj
-+
-+Note: This may miss interactive users that have been assigned a privileged UID. Evidence of interactive use may be obtained from a number of log files containing system logon information.
-+
-+Check that all referenced home directories exist with the following command:
-+
-+# pwck -r
-+user 'smithj': directory '/home/smithj' does not exist
-+
-+If any home directories referenced in "/etc/passwd" are returned as not defined, or if any interactive users do not have a home directory assigned, this is a finding.</check-content></check></Rule></Group><Group id="V-204468"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204468r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-020630</version><title>The Red Hat Enterprise Linux operating system must be configured so that all local interactive user home directories have mode 0750 or less permissive.</title><description>&lt;VulnDiscussion&gt;Excessive permissions on local interactive user home directories may allow unauthorized access to user files by other users.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-72017</ident><ident system="http://cyber.mil/legacy">SV-86641</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4592r88597_fix">Change the mode of interactive user's home directories to "0750". To change the mode of a local interactive user's home directory, use the following command:
-+
-+Note: The example will be for the user "smithj".
-+
-+# chmod 0750 /home/smithj</fixtext><fix id="F-4592r88597_fix" /><check system="C-4592r88596_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the assigned home directory of all local interactive users has a mode of "0750" or less permissive.
-+
-+Check the home directory assignment for all non-privileged users on the system with the following command:
-+
-+Note: This may miss interactive users that have been assigned a privileged User Identifier (UID). Evidence of interactive use may be obtained from a number of log files containing system logon information.
-+
-+# ls -ld $(egrep ':[0-9]{4}' /etc/passwd | cut -d: -f6)
-+-rwxr-x--- 1 smithj users  18 Mar  5 17:06 /home/smithj
-+
-+If home directories referenced in "/etc/passwd" do not have a mode of "0750" or less permissive, this is a finding.</check-content></check></Rule></Group><Group id="V-204469"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204469r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-020640</version><title>The Red Hat Enterprise Linux operating system must be configured so that all local interactive user home directories are owned by their respective users.</title><description>&lt;VulnDiscussion&gt;If a local interactive user does not own their home directory, unauthorized users could access or modify the user's files, and the users may not be able to access their own files.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-72019</ident><ident system="http://cyber.mil/legacy">SV-86643</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4593r88600_fix">Change the owner of a local interactive user's home directories to that owner. To change the owner of a local interactive user's home directory, use the following command:
-+
-+Note: The example will be for the user smithj, who has a home directory of "/home/smithj".
-+
-+# chown smithj /home/smithj</fixtext><fix id="F-4593r88600_fix" /><check system="C-4593r88599_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the assigned home directory of all local interactive users on the system exists.
-+
-+Check the home directory assignment for all local interactive users on the system with the following command:
-+
-+# ls -ld $(egrep ':[0-9]{4}' /etc/passwd | cut -d: -f6)
-+
-+-rwxr-x--- 1 smithj users 18 Mar 5 17:06 /home/smithj
-+
-+If any home directories referenced in "/etc/passwd" are not owned by the interactive user, this is a finding.</check-content></check></Rule></Group><Group id="V-204470"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204470r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-020650</version><title>The Red Hat Enterprise Linux operating system must be configured so that all local interactive user home directories are group-owned by the home directory owners primary group.</title><description>&lt;VulnDiscussion&gt;If the Group Identifier (GID) of a local interactive user's home directory is not the same as the primary GID of the user, this would allow unauthorized access to the user's files, and users that share the same group may not be able to access files that they legitimately should.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86645</ident><ident system="http://cyber.mil/legacy">V-72021</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4594r88603_fix">Change the group owner of a local interactive user's home directory to the group found in "/etc/passwd". To change the group owner of a local interactive user's home directory, use the following command:
-+
-+Note: The example will be for the user "smithj", who has a home directory of "/home/smithj", and has a primary group of users.
-+
-+# chgrp users /home/smithj</fixtext><fix id="F-4594r88603_fix" /><check system="C-4594r88602_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the assigned home directory of all local interactive users is group-owned by that user's primary GID.
-+
-+Check the home directory assignment for all local interactive users on the system with the following command:
-+
-+# ls -ld $(egrep ':[0-9]{4}' /etc/passwd | cut -d: -f6)
-+
-+-rwxr-x--- 1 smithj users 18 Mar 5 17:06 /home/smithj
-+
-+Check the user's primary group with the following command:
-+
-+# grep users /etc/group
-+
-+users:x:250:smithj,jonesj,jacksons
-+
-+If the user home directory referenced in "/etc/passwd" is not group-owned by that user's primary GID, this is a finding.</check-content></check></Rule></Group><Group id="V-204471"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204471r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-020660</version><title>The Red Hat Enterprise Linux operating system must be configured so that all files and directories contained in local interactive user home directories are owned by the owner of the home directory.</title><description>&lt;VulnDiscussion&gt;If local interactive users do not own the files in their directories, unauthorized users may be able to access them. Additionally, if files are not owned by the user, this could be an indication of system compromise.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86647</ident><ident system="http://cyber.mil/legacy">V-72023</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4595r88606_fix">Change the owner of a local interactive user's files and directories to that owner. To change the owner of a local interactive user's files and directories, use the following command:
-+
-+Note: The example will be for the user smithj, who has a home directory of "/home/smithj".
-+
-+# chown smithj /home/smithj/&lt;file or directory&gt;</fixtext><fix id="F-4595r88606_fix" /><check system="C-4595r88605_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify all files and directories in a local interactive user's home directory are owned by the user.
-+
-+Check the owner of all files and directories in a local interactive user's home directory with the following command:
-+
-+Note: The example will be for the user "smithj", who has a home directory of "/home/smithj".
-+
-+# ls -lLR /home/smithj
-+-rw-r--r-- 1 smithj smithj  18 Mar  5 17:06 file1
-+-rw-r--r-- 1 smithj smithj 193 Mar  5 17:06 file2
-+-rw-r--r-- 1 smithj smithj 231 Mar  5 17:06 file3
-+
-+If any files are found with an owner different than the home directory user, this is a finding.</check-content></check></Rule></Group><Group id="V-204472"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204472r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-020670</version><title>The Red Hat Enterprise Linux operating system must be configured so that all files and directories contained in local interactive user home directories are group-owned by a group of which the home directory owner is a member.</title><description>&lt;VulnDiscussion&gt;If a local interactive user's files are group-owned by a group of which the user is not a member, unintended users may be able to access them.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-72025</ident><ident system="http://cyber.mil/legacy">SV-86649</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4596r88609_fix">Change the group of a local interactive user's files and directories to a group that the interactive user is a member of. To change the group owner of a local interactive user's files and directories, use the following command:
-+
-+Note: The example will be for the user smithj, who has a home directory of "/home/smithj" and is a member of the users group.
-+
-+# chgrp users /home/smithj/&lt;file&gt;</fixtext><fix id="F-4596r88609_fix" /><check system="C-4596r88608_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify all files and directories in a local interactive user home directory are group-owned by a group the user is a member of.
-+
-+Check the group owner of all files and directories in a local interactive user's home directory with the following command:
-+
-+Note: The example will be for the user "smithj", who has a home directory of "/home/smithj".
-+
-+# ls -lLR /&lt;home directory&gt;/&lt;users home directory&gt;/
-+-rw-r--r-- 1 smithj smithj  18 Mar  5 17:06 file1
-+-rw-r--r-- 1 smithj smithj 193 Mar  5 17:06 file2
-+-rw-r--r-- 1 smithj sa        231 Mar  5 17:06 file3
-+
-+If any files are found with an owner different than the group home directory user, check to see if the user is a member of that group with the following command:
-+
-+# grep smithj /etc/group
-+sa:x:100:juan,shelley,bob,smithj 
-+smithj:x:521:smithj
-+
-+If the user is not a member of a group that group owns file(s) in a local interactive user's home directory, this is a finding.</check-content></check></Rule></Group><Group id="V-204473"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204473r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-020680</version><title>The Red Hat Enterprise Linux operating system must be configured so that all files and directories contained in local interactive user home directories have a mode of 0750 or less permissive.</title><description>&lt;VulnDiscussion&gt;If a local interactive user files have excessive permissions, unintended users may be able to access or modify them.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-72027</ident><ident system="http://cyber.mil/legacy">SV-86651</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4597r88612_fix">Set the mode on files and directories in the local interactive user home directory with the following command:
-+
-+Note: The example will be for the user smithj, who has a home directory of "/home/smithj" and is a member of the users group.
-+
-+# chmod 0750 /home/smithj/&lt;file&gt;</fixtext><fix id="F-4597r88612_fix" /><check system="C-4597r88611_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify all files and directories contained in a local interactive user home directory, excluding local initialization files, have a mode of "0750".
-+
-+Check the mode of all non-initialization files in a local interactive user home directory with the following command:
-+
-+Files that begin with a "." are excluded from this requirement.
-+
-+Note: The example will be for the user "smithj", who has a home directory of "/home/smithj".
-+
-+# ls -lLR /home/smithj
-+-rwxr-x--- 1 smithj smithj  18 Mar  5 17:06 file1
-+-rwxr----- 1 smithj smithj 193 Mar  5 17:06 file2
-+-rw-r-x--- 1 smithj smithj 231 Mar  5 17:06 file3
-+
-+If any files are found with a mode more permissive than "0750", this is a finding.</check-content></check></Rule></Group><Group id="V-204474"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204474r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-020690</version><title>The Red Hat Enterprise Linux operating system must be configured so that all local initialization files for interactive users are owned by the home directory user or root.</title><description>&lt;VulnDiscussion&gt;Local initialization files are used to configure the user's shell environment upon logon. Malicious modification of these files could compromise accounts upon logon.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86653</ident><ident system="http://cyber.mil/legacy">V-72029</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4598r462464_fix">Set the owner of the local initialization files for interactive users to either the directory owner or root with the following command:
-+
-+Note: The example will be for the smithj user, who has a home directory of "/home/smithj".
-+
-+# chown smithj /home/smithj/.[^.]*</fixtext><fix id="F-4598r462464_fix" /><check system="C-4598r462463_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the local initialization files of all local interactive users are owned by that user.
-+
-+Check the home directory assignment for all non-privileged users on the system with the following command:
-+
-+Note: The example will be for the smithj user, who has a home directory of "/home/smithj".
-+
-+# cut -d: -f 1,3,6 /etc/passwd | egrep ":[1-4][0-9]{3}"
-+smithj:1000:/home/smithj
-+
-+Note: This may miss interactive users that have been assigned a privileged User Identifier (UID). Evidence of interactive use may be obtained from a number of log files containing system logon information.
-+
-+Check the owner of all local interactive user's initialization files with the following command:
-+
-+# ls -al /home/smithj/.[^.]* | more
-+
-+-rwxr-xr-x 1 smithj users 896 Mar 10 2011 .profile
-+-rwxr-xr-x 1 smithj users 497 Jan 6 2007 .login
-+-rwxr-xr-x 1 smithj users 886 Jan 6 2007 .something
-+
-+If all local interactive user's initialization files are not owned by that user or root, this is a finding.</check-content></check></Rule></Group><Group id="V-204475"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204475r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-020700</version><title>The Red Hat Enterprise Linux operating system must be configured so that all local initialization files for local interactive users are be group-owned by the users primary group or root.</title><description>&lt;VulnDiscussion&gt;Local initialization files for interactive users are used to configure the user's shell environment upon logon. Malicious modification of these files could compromise accounts upon logon.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86655</ident><ident system="http://cyber.mil/legacy">V-72031</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4599r88618_fix">Change the group owner of a local interactive user's files to the group found in "/etc/passwd" for the user. To change the group owner of a local interactive user's home directory, use the following command:
-+
-+Note: The example will be for the user smithj, who has a home directory of "/home/smithj", and has a primary group of users.
-+
-+# chgrp users /home/smithj/.[^.]*</fixtext><fix id="F-4599r88618_fix" /><check system="C-4599r88617_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the local initialization files of all local interactive users are group-owned by that user's primary Group Identifier (GID).
-+
-+Check the home directory assignment for all non-privileged users on the system with the following command:
-+
-+Note: The example will be for the smithj user, who has a home directory of "/home/smithj" and a primary group of "users".
-+
-+# cut -d: -f 1,4,6 /etc/passwd | egrep ":[1-4][0-9]{3}"
-+smithj:1000:/home/smithj
-+
-+# grep 1000 /etc/group
-+users:x:1000:smithj,jonesj,jacksons 
-+
-+Note: This may miss interactive users that have been assigned a privileged User Identifier (UID). Evidence of interactive use may be obtained from a number of log files containing system logon information.
-+
-+Check the group owner of all local interactive user's initialization files with the following command:
-+
-+# ls -al /home/smithj/.[^.]* | more
-+
-+-rwxr-xr-x 1 smithj users 896 Mar 10 2011 .profile
-+-rwxr-xr-x 1 smithj users 497 Jan 6 2007 .login
-+-rwxr-xr-x 1 smithj users 886 Jan 6 2007 .something
-+
-+If all local interactive user's initialization files are not group-owned by that user's primary GID, this is a finding.</check-content></check></Rule></Group><Group id="V-204476"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204476r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-020710</version><title>The Red Hat Enterprise Linux operating system must be configured so that all local initialization files have mode 0740 or less permissive.</title><description>&lt;VulnDiscussion&gt;Local initialization files are used to configure the user's shell environment upon logon. Malicious modification of these files could compromise accounts upon logon.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86657</ident><ident system="http://cyber.mil/legacy">V-72033</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4600r88621_fix">Set the mode of the local initialization files to "0740" with the following command:
-+
-+Note: The example will be for the "smithj" user, who has a home directory of "/home/smithj".
-+
-+# chmod 0740 /home/smithj/.[^.]*</fixtext><fix id="F-4600r88621_fix" /><check system="C-4600r88620_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify that all local initialization files have a mode of "0740" or less permissive.
-+
-+Check the mode on all local initialization files with the following command:
-+
-+Note: The example will be for the "smithj" user, who has a home directory of "/home/smithj".
-+
-+# ls -al /home/smithj/.[^.]* | more
-+
-+-rwxr----- 1 smithj users 896 Mar 10 2011 .profile
-+-rwxr----- 1 smithj users 497 Jan 6 2007 .login
-+-rwxr----- 1 smithj users 886 Jan 6 2007 .something
-+
-+If any local initialization files have a mode more permissive than "0740", this is a finding.</check-content></check></Rule></Group><Group id="V-204477"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204477r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-020720</version><title>The Red Hat Enterprise Linux operating system must be configured so that all local interactive user initialization files executable search paths contain only paths that resolve to the users home directory.</title><description>&lt;VulnDiscussion&gt;The executable search path (typically the PATH environment variable) contains a list of directories for the shell to search to find executables. If this path includes the current working directory (other than the user's home directory), executables in these directories may be executed instead of system commands. This variable is formatted as a colon-separated list of directories. If there is an empty entry, such as a leading or trailing colon or two consecutive colons, this is interpreted as the current working directory. If deviations from the default system search path for the local interactive user are required, they must be documented with the Information System Security Officer (ISSO).&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-72035</ident><ident system="http://cyber.mil/legacy">SV-86659</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4601r88624_fix">Edit the local interactive user initialization files to change any PATH variable statements that reference directories other than their home directory. 
-+
-+If a local interactive user requires path variables to reference a directory owned by the application, it must be documented with the ISSO.</fixtext><fix id="F-4601r88624_fix" /><check system="C-4601r88623_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify that all local interactive user initialization files' executable search path statements do not contain statements that will reference a working directory other than the users' home directory.
-+
-+Check the executable search path statement for all local interactive user initialization files in the users' home directory with the following commands:
-+
-+Note: The example will be for the smithj user, which has a home directory of "/home/smithj".
-+
-+# grep -i path /home/smithj/.*
-+/home/smithj/.bash_profile:PATH=$PATH:$HOME/.local/bin:$HOME/bin
-+/home/smithj/.bash_profile:export PATH
-+
-+If any local interactive user initialization files have executable search path statements that include directories outside of their home directory, this is a finding.</check-content></check></Rule></Group><Group id="V-204478"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204478r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-020730</version><title>The Red Hat Enterprise Linux operating system must be configured so that local initialization files do not execute world-writable programs.</title><description>&lt;VulnDiscussion&gt;If user start-up files execute world-writable programs, especially in unprotected directories, they could be maliciously modified to destroy user files or otherwise compromise the system at the user level. If the system is compromised at the user level, it is easier to elevate privileges to eventually compromise the system at the root and network level.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86661</ident><ident system="http://cyber.mil/legacy">V-72037</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4602r88627_fix">Set the mode on files being executed by the local initialization files with the following command:
-+
-+# chmod 0755 &lt;file&gt;</fixtext><fix id="F-4602r88627_fix" /><check system="C-4602r88626_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify that local initialization files do not execute world-writable programs.
-+
-+Check the system for world-writable files with the following command:
-+
-+# find / -xdev -perm -002 -type f -exec ls -ld {} \; | more
-+
-+For all files listed, check for their presence in the local initialization files with the following commands:
-+
-+Note: The example will be for a system that is configured to create users' home directories in the "/home" directory.
-+
-+# grep &lt;file&gt; /home/*/.*
-+
-+If any local initialization files are found to reference world-writable files, this is a finding.</check-content></check></Rule></Group><Group id="V-204479"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204479r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-020900</version><title>The Red Hat Enterprise Linux operating system must be configured so that all system device files are correctly labeled to prevent unauthorized modification.</title><description>&lt;VulnDiscussion&gt;If an unauthorized or modified device is allowed to exist on the system, there is the possibility the system may perform unintended or unauthorized operations.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86663</ident><ident system="http://cyber.mil/legacy">V-72039</ident><ident system="http://cyber.mil/cci">CCI-000318</ident><ident system="http://cyber.mil/cci">CCI-001814</ident><ident system="http://cyber.mil/cci">CCI-001813</ident><ident system="http://cyber.mil/cci">CCI-000368</ident><ident system="http://cyber.mil/cci">CCI-001812</ident><fixtext fixref="F-4603r88630_fix">Run the following command to determine which package owns the device file:
-+
-+# rpm -qf &lt;filename&gt;
-+
-+The package can be reinstalled from a yum repository using the command:
-+
-+# sudo yum reinstall &lt;packagename&gt;
-+
-+Alternatively, the package can be reinstalled from trusted media using the command:
-+
-+# sudo rpm -Uvh &lt;packagename&gt;</fixtext><fix id="F-4603r88630_fix" /><check system="C-4603r88629_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify that all system device files are correctly labeled to prevent unauthorized modification.
-+
-+List all device files on the system that are incorrectly labeled with the following commands:
-+
-+Note: Device files are normally found under "/dev", but applications may place device files in other directories and may necessitate a search of the entire system.
-+
-+#find /dev -context *:device_t:* \( -type c -o -type b \) -printf "%p %Z\n"
-+
-+#find /dev -context *:unlabeled_t:* \( -type c -o -type b \) -printf "%p %Z\n"
-+
-+Note: There are device files, such as "/dev/vmci", that are used when the operating system is a host virtual machine. They will not be owned by a user on the system and require the "device_t" label to operate. These device files are not a finding.
-+
-+If there is output from either of these commands, other than already noted, this is a finding.</check-content></check></Rule></Group><Group id="V-204480"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204480r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-021000</version><title>The Red Hat Enterprise Linux operating system must be configured so that file systems containing user home directories are mounted to prevent files with the setuid and setgid bit set from being executed.</title><description>&lt;VulnDiscussion&gt;The "nosuid" mount option causes the system to not execute setuid and setgid files with owner privileges. This option must be used for mounting any file system not containing approved setuid and setguid files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86665</ident><ident system="http://cyber.mil/legacy">V-72041</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4604r88633_fix">Configure the "/etc/fstab" to use the "nosuid" option on file systems that contain user home directories.</fixtext><fix id="F-4604r88633_fix" /><check system="C-4604r88632_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify file systems that contain user home directories are mounted with the "nosuid" option.
-+
-+Find the file system(s) that contain the user home directories with the following command:
-+
-+Note: If a separate file system has not been created for the user home directories (user home directories are mounted under "/"), this is not a finding as the "nosuid" option cannot be used on the "/" system.
-+
-+# cut -d: -f 1,3,6 /etc/passwd | egrep ":[1-4][0-9]{3}"
-+smithj:1001:/home/smithj
-+thomasr:1002:/home/thomasr
-+
-+Check the file systems that are mounted at boot time with the following command:
-+
-+# more /etc/fstab
-+
-+UUID=a411dc99-f2a1-4c87-9e05-184977be8539 /home   ext4   rw,relatime,discard,data=ordered,nosuid 0 2
-+                                                            
-+If a file system found in "/etc/fstab" refers to the user home directory file system and it does not have the "nosuid" option set, this is a finding.</check-content></check></Rule></Group><Group id="V-204481"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204481r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-021010</version><title>The Red Hat Enterprise Linux operating system must prevent files with the setuid and setgid bit set from being executed on file systems that are used with removable media.</title><description>&lt;VulnDiscussion&gt;The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86667</ident><ident system="http://cyber.mil/legacy">V-72043</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4605r88636_fix">Configure the "/etc/fstab" to use the "nosuid" option on file systems that are associated with removable media.</fixtext><fix id="F-4605r88636_fix" /><check system="C-4605r88635_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify file systems that are used for removable media are mounted with the "nosuid" option.
-+
-+Check the file systems that are mounted at boot time with the following command:
-+
-+# more /etc/fstab
-+
-+UUID=2bc871e4-e2a3-4f29-9ece-3be60c835222 /mnt/usbflash vfat noauto,owner,ro,nosuid 0 0
-+
-+If a file system found in "/etc/fstab" refers to removable media and it does not have the "nosuid" option set, this is a finding.</check-content></check></Rule></Group><Group id="V-204482"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204482r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-021020</version><title>The Red Hat Enterprise Linux operating system must prevent files with the setuid and setgid bit set from being executed on file systems that are being imported via Network File System (NFS).</title><description>&lt;VulnDiscussion&gt;The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86669</ident><ident system="http://cyber.mil/legacy">V-72045</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4606r88639_fix">Configure the "/etc/fstab" to use the "nosuid" option on file systems that are being imported via NFS.</fixtext><fix id="F-4606r88639_fix" /><check system="C-4606r88638_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify file systems that are being NFS imported are configured with the "nosuid" option.
-+
-+Find the file system(s) that contain the directories being exported with the following command:
-+
-+# more /etc/fstab | grep nfs
-+
-+UUID=e06097bb-cfcd-437b-9e4d-a691f5662a7d /store nfs rw,nosuid 0 0
-+
-+If a file system found in "/etc/fstab" refers to NFS and it does not have the "nosuid" option set, this is a finding.
-+
-+Verify the NFS is mounted with the "nosuid" option:
-+
-+# mount | grep nfs | grep nosuid
-+If no results are returned, this is a finding.</check-content></check></Rule></Group><Group id="V-204483"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204483r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-021021</version><title>The Red Hat Enterprise Linux operating system must prevent binary files from being executed on file systems that are being imported via Network File System (NFS).</title><description>&lt;VulnDiscussion&gt;The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-87813</ident><ident system="http://cyber.mil/legacy">V-73161</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4607r88642_fix">Configure the "/etc/fstab" to use the "noexec" option on file systems that are being imported via NFS.</fixtext><fix id="F-4607r88642_fix" /><check system="C-4607r88641_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify file systems that are being NFS imported are configured with the "noexec" option.
-+
-+Find the file system(s) that contain the directories being imported with the following command:
-+
-+# more /etc/fstab | grep nfs
-+
-+UUID=e06097bb-cfcd-437b-9e4d-a691f5662a7d /store nfs rw,noexec 0 0
-+
-+If a file system found in "/etc/fstab" refers to NFS and it does not have the "noexec" option set, and use of NFS imported binaries is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.
-+
-+Verify the NFS is mounted with the "noexec"option:
-+
-+# mount | grep nfs | grep noexec
-+If no results are returned and use of NFS imported binaries is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.</check-content></check></Rule></Group><Group id="V-204486"><title>SRG-OS-000368-GPOS-00154</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204486r505924_rule" weight="10.0" severity="low"><version>RHEL-07-021024</version><title>The Red Hat Enterprise Linux operating system must mount /dev/shm with secure options.</title><description>&lt;VulnDiscussion&gt;The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.
-+
-+The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.
-+
-+The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-95725</ident><ident system="http://cyber.mil/legacy">V-81013</ident><ident system="http://cyber.mil/cci">CCI-001764</ident><fixtext fixref="F-4610r462553_fix">Configure the system so that /dev/shm is mounted with the "nodev", "nosuid", and "noexec" options by adding /modifying the /etc/fstab with the following line:
-+
-+tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0</fixtext><fix id="F-4610r462553_fix" /><check system="C-4610r462552_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify that the "nodev","nosuid", and "noexec" options are configured for /dev/shm:
-+
-+# cat /etc/fstab | grep /dev/shm
-+
-+tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0
-+
-+If results are returned and the "nodev", "nosuid", or "noexec" options are missing, this is a finding.
-+
-+Verify "/dev/shm" is mounted with the "nodev", "nosuid", and "noexec" options:
-+
-+# mount | grep /dev/shm
-+
-+tmpfs on /dev/shm type tmpfs (rw,nodev,nosuid,noexec,seclabel)
-+
-+If /dev/shm is mounted without secure options "nodev", "nosuid", and "noexec", this is a finding.</check-content></check></Rule></Group><Group id="V-204487"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204487r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-021030</version><title>The Red Hat Enterprise Linux operating system must be configured so that all world-writable directories are group-owned by root, sys, bin, or an application group.</title><description>&lt;VulnDiscussion&gt;If a world-writable directory has the sticky bit set and is not group-owned by root, sys, bin, or an application Group Identifier (GID), unauthorized users may be able to modify files created by others.
-+
-+The only authorized public directories are those temporary directories supplied with the system or those designed to be temporary file repositories. The setting is normally reserved for directories used by the system and by users for temporary file storage, (e.g., /tmp), and for directories requiring global read/write access.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-72047</ident><ident system="http://cyber.mil/legacy">SV-86671</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4611r499388_fix">All directories in local partitions which are world-writable should be group-owned by root or another system account. If any world-writable directories are not group-owned by a system account, this should be investigated. Following this, the directories should be deleted or assigned to an appropriate group.</fixtext><fix id="F-4611r499388_fix" /><check system="C-4611r499387_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>The following command will discover and print world-writable directories that are not group-owned by a system account, assuming only system accounts have a GID lower than 1000. Run it once for each local partition [PART]: 
-+
-+# find [PART] -xdev -type d -perm -0002 -gid +999 -print
-+
-+If there is output, this is a finding.</check-content></check></Rule></Group><Group id="V-204488"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204488r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-021040</version><title>The Red Hat Enterprise Linux operating system must set the umask value to 077 for all local interactive user accounts.</title><description>&lt;VulnDiscussion&gt;The umask controls the default access mode assigned to newly created files. A umask of 077 limits new files to mode 700 or less permissive. Although umask can be represented as a four-digit number, the first digit representing special access modes is typically ignored or required to be "0". This requirement applies to the globally configured system defaults and the local interactive user defaults for each account on the system.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-72049</ident><ident system="http://cyber.mil/legacy">SV-86673</ident><ident system="http://cyber.mil/cci">CCI-000318</ident><ident system="http://cyber.mil/cci">CCI-000368</ident><ident system="http://cyber.mil/cci">CCI-001813</ident><ident system="http://cyber.mil/cci">CCI-001812</ident><ident system="http://cyber.mil/cci">CCI-001814</ident><fixtext fixref="F-4612r88657_fix">Remove the umask statement from all local interactive user's initialization files. 
-+
-+If the account is for an application, the requirement for a umask less restrictive than "077" can be documented with the Information System Security Officer, but the user agreement for access to the account must specify that the local interactive user must log on to their account first and then switch the user to the application account with the correct option to gain the account's environment variables.</fixtext><fix id="F-4612r88657_fix" /><check system="C-4612r88656_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify that the default umask for all local interactive users is "077".
-+
-+Identify the locations of all local interactive user home directories by looking at the "/etc/passwd" file.
-+
-+Check all local interactive user initialization files for interactive users with the following command:
-+
-+Note: The example is for a system that is configured to create users home directories in the "/home" directory.
-+
-+# grep -i umask /home/*/.*
-+
-+If any local interactive user initialization files are found to have a umask statement that has a value less restrictive than "077", this is a finding.</check-content></check></Rule></Group><Group id="V-204489"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204489r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-021100</version><title>The Red Hat Enterprise Linux operating system must have cron logging implemented.</title><description>&lt;VulnDiscussion&gt;Cron logging can be used to trace the successful or unsuccessful execution of cron jobs. It can also be used to spot intrusions into the use of the cron facility by unauthorized and malicious users.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-72051</ident><ident system="http://cyber.mil/legacy">SV-86675</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4613r88660_fix">Configure "rsyslog" to log all cron messages by adding or updating the following line to "/etc/rsyslog.conf" or a configuration file in the /etc/rsyslog.d/ directory:
-+
-+cron.* /var/log/cron.log</fixtext><fix id="F-4613r88660_fix" /><check system="C-4613r88659_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify that "rsyslog" is configured to log cron events.
-+
-+Check the configuration of "/etc/rsyslog.conf" or "/etc/rsyslog.d/*.conf" files for the cron facility with the following command:
-+
-+Note: If another logging package is used, substitute the utility configuration file for "/etc/rsyslog.conf" or "/etc/rsyslog.d/*.conf" files.
-+
-+# grep cron /etc/rsyslog.conf  /etc/rsyslog.d/*.conf
-+cron.* /var/log/cron.log
-+
-+If the command does not return a response, check for cron logging all facilities by inspecting the "/etc/rsyslog.conf" or "/etc/rsyslog.d/*.conf" files.
-+
-+Look for the following entry:
-+
-+*.* /var/log/messages
-+
-+If "rsyslog" is not logging messages for the cron facility or all facilities, this is a finding.</check-content></check></Rule></Group><Group id="V-204490"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204490r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-021110</version><title>The Red Hat Enterprise Linux operating system must be configured so that the cron.allow file, if it exists, is owned by root.</title><description>&lt;VulnDiscussion&gt;If the owner of the "cron.allow" file is not set to root, the possibility exists for an unauthorized user to view or to edit sensitive information.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-72053</ident><ident system="http://cyber.mil/legacy">SV-86677</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4614r88663_fix">Set the owner on the "/etc/cron.allow" file to root with the following command:
-+
-+# chown root /etc/cron.allow</fixtext><fix id="F-4614r88663_fix" /><check system="C-4614r88662_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify that the "cron.allow" file is owned by root.
-+
-+Check the owner of the "cron.allow" file with the following command:
-+
-+# ls -al /etc/cron.allow
-+-rw------- 1 root root 6 Mar  5  2011 /etc/cron.allow
-+
-+If the "cron.allow" file exists and has an owner other than root, this is a finding.</check-content></check></Rule></Group><Group id="V-204491"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204491r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-021120</version><title>The Red Hat Enterprise Linux operating system must be configured so that the cron.allow file, if it exists, is group-owned by root.</title><description>&lt;VulnDiscussion&gt;If the group owner of the "cron.allow" file is not set to root, sensitive information could be viewed or edited by unauthorized users.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86679</ident><ident system="http://cyber.mil/legacy">V-72055</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4615r88666_fix">Set the group owner on the "/etc/cron.allow" file to root with the following command:
-+
-+# chgrp root /etc/cron.allow</fixtext><fix id="F-4615r88666_fix" /><check system="C-4615r88665_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify that the "cron.allow" file is group-owned by root.
-+
-+Check the group owner of the "cron.allow" file with the following command:
-+
-+# ls -al /etc/cron.allow
-+-rw------- 1 root root 6 Mar  5  2011 /etc/cron.allow
-+
-+If the "cron.allow" file exists and has a group owner other than root, this is a finding.</check-content></check></Rule></Group><Group id="V-204492"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204492r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-021300</version><title>The Red Hat Enterprise Linux operating system must disable Kernel core dumps unless needed.</title><description>&lt;VulnDiscussion&gt;Kernel core dumps may contain the full contents of system memory at the time of the crash. Kernel core dumps may consume a considerable amount of disk space and may result in denial of service by exhausting the available space on the target file system partition.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86681</ident><ident system="http://cyber.mil/legacy">V-72057</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4616r88669_fix">If kernel core dumps are not required, disable the "kdump" service with the following command:
-+
-+# systemctl disable kdump.service
-+
-+If kernel core dumps are required, document the need with the ISSO.</fixtext><fix id="F-4616r88669_fix" /><check system="C-4616r88668_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify that kernel core dumps are disabled unless needed.
-+
-+Check the status of the "kdump" service with the following command:
-+
-+# systemctl status kdump.service
-+kdump.service - Crash recovery kernel arming
-+   Loaded: loaded (/usr/lib/systemd/system/kdump.service; enabled)
-+   Active: active (exited) since Wed 2015-08-26 13:08:09 EDT; 43min ago
-+ Main PID: 1130 (code=exited, status=0/SUCCESS)
-+kernel arming.
-+
-+If the "kdump" service is active, ask the System Administrator if the use of the service is required and documented with the Information System Security Officer (ISSO).
-+
-+If the service is active and is not documented, this is a finding.</check-content></check></Rule></Group><Group id="V-204493"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204493r505924_rule" weight="10.0" severity="low"><version>RHEL-07-021310</version><title>The Red Hat Enterprise Linux operating system must be configured so that a separate file system is used for user home directories (such as /home or an equivalent).</title><description>&lt;VulnDiscussion&gt;The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-72059</ident><ident system="http://cyber.mil/legacy">SV-86683</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4617r88672_fix">Migrate the "/home" directory onto a separate file system/partition.</fixtext><fix id="F-4617r88672_fix" /><check system="C-4617r88671_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify that a separate file system/partition has been created for non-privileged local interactive user home directories.
-+
-+Check the home directory assignment for all non-privileged users (those with a UID greater than 1000) on the system with the following command:
-+
-+#cut -d: -f 1,3,6,7 /etc/passwd | egrep ":[1-4][0-9]{3}" | tr ":" "\t"
-+
-+adamsj /home/adamsj /bin/bash
-+jacksonm /home/jacksonm /bin/bash
-+smithj /home/smithj /bin/bash
-+
-+The output of the command will give the directory/partition that contains the home directories for the non-privileged users on the system (in this example, /home) and users' shell. All accounts with a valid shell (such as /bin/bash) are considered interactive users.
-+
-+Check that a file system/partition has been created for the non-privileged interactive users with the following command:
-+
-+Note: The partition of /home is used in the example.
-+
-+# grep /home /etc/fstab
-+UUID=333ada18    /home                   ext4    noatime,nobarrier,nodev  1 2
-+
-+If a separate entry for the file system/partition that contains the non-privileged interactive users' home directories does not exist, this is a finding.</check-content></check></Rule></Group><Group id="V-204494"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204494r505924_rule" weight="10.0" severity="low"><version>RHEL-07-021320</version><title>The Red Hat Enterprise Linux operating system must use a separate file system for /var.</title><description>&lt;VulnDiscussion&gt;The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-72061</ident><ident system="http://cyber.mil/legacy">SV-86685</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4618r88675_fix">Migrate the "/var" path onto a separate file system.</fixtext><fix id="F-4618r88675_fix" /><check system="C-4618r88674_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify that a separate file system/partition has been created for "/var".
-+
-+Check that a file system/partition has been created for "/var" with the following command:
-+
-+# grep /var /etc/fstab
-+UUID=c274f65f    /var                    ext4    noatime,nobarrier        1 2
-+
-+If a separate entry for "/var" is not in use, this is a finding.</check-content></check></Rule></Group><Group id="V-204495"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204495r505924_rule" weight="10.0" severity="low"><version>RHEL-07-021330</version><title>The Red Hat Enterprise Linux operating system must use a separate file system for the system audit data path.</title><description>&lt;VulnDiscussion&gt;The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86687</ident><ident system="http://cyber.mil/legacy">V-72063</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4619r88678_fix">Migrate the system audit data path onto a separate file system.</fixtext><fix id="F-4619r88678_fix" /><check system="C-4619r88677_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Determine if the operating system is configured to have the "/var/log/audit" path is on a separate file system.
-+
-+# grep /var/log/audit /etc/fstab
-+
-+If no result is returned, or the operating system is not configured to have "/var/log/audit" on a separate file system, this is a finding.
-+
-+Verify that "/var/log/audit" is mounted on a separate file system:
-+
-+# mount | grep "/var/log/audit"
-+
-+If no result is returned, or "/var/log/audit" is not on a separate file system, this is a finding.</check-content></check></Rule></Group><Group id="V-204496"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204496r505924_rule" weight="10.0" severity="low"><version>RHEL-07-021340</version><title>The Red Hat Enterprise Linux operating system must use a separate file system for /tmp (or equivalent).</title><description>&lt;VulnDiscussion&gt;The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86689</ident><ident system="http://cyber.mil/legacy">V-72065</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4620r499391_fix">Start the "tmp.mount" service with the following command:
-+
-+# systemctl enable tmp.mount
-+   
-+OR
-+
-+Edit the "/etc/fstab" file and ensure the "/tmp" directory is defined in the fstab with a device and mount point.</fixtext><fix id="F-4620r499391_fix" /><check system="C-4620r499390_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify that a separate file system/partition has been created for "/tmp".
-+
-+Check that a file system/partition has been created for "/tmp" with the following command:
-+
-+# systemctl is-enabled tmp.mount
-+enabled
-+
-+If the "tmp.mount" service is not enabled, check to see if "/tmp" is defined in the fstab with a device and mount point:
-+
-+# grep -i /tmp /etc/fstab
-+UUID=a411dc99-f2a1-4c87-9e05-184977be8539 /tmp   ext4   rw,relatime,discard,data=ordered,nosuid,noexec, 0 0
-+
-+If "tmp.mount" service is not enabled or the "/tmp" directory is not defined in the fstab with a device and mount point, this is a finding. </check-content></check></Rule></Group><Group id="V-204497"><title>SRG-OS-000033-GPOS-00014</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204497r505924_rule" weight="10.0" severity="high"><version>RHEL-07-021350</version><title>The Red Hat Enterprise Linux operating system must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.</title><description>&lt;VulnDiscussion&gt;Use of weak or untested encryption algorithms undermines the purposes of using encryption to protect data. The operating system must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated.
-+
-+Satisfies: SRG-OS-000033-GPOS-00014, SRG-OS-000185-GPOS-00079, SRG-OS-000396-GPOS-00176, SRG-OS-000405-GPOS-00184, SRG-OS-000478-GPOS-00223&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86691</ident><ident system="http://cyber.mil/legacy">V-72067</ident><ident system="http://cyber.mil/cci">CCI-001199</ident><ident system="http://cyber.mil/cci">CCI-000068</ident><ident system="http://cyber.mil/cci">CCI-002450</ident><ident system="http://cyber.mil/cci">CCI-002476</ident><fixtext fixref="F-4621r499418_fix">Configure the operating system to implement DoD-approved encryption by installing the dracut-fips package.
-+
-+To enable strict FIPS compliance, the fips=1 kernel option needs to be added to the kernel command line during system installation so key generation is done with FIPS-approved algorithms and continuous monitoring tests in place.
-+
-+Configure the operating system to implement DoD-approved encryption by following the steps below: 
-+
-+The fips=1 kernel option needs to be added to the kernel command line during system installation so that key generation is done with FIPS-approved algorithms and continuous monitoring tests in place. Users should also ensure that the system has plenty of entropy during the installation process by moving the mouse around, or if no mouse is available, ensuring that many keystrokes are typed. The recommended amount of keystrokes is 256 and more. Less than 256 keystrokes may generate a non-unique key.
-+
-+Install the dracut-fips package with the following command:
-+
-+# yum install dracut-fips
-+
-+Recreate the "initramfs" file with the following command:
-+
-+Note: This command will overwrite the existing "initramfs" file.
-+
-+# dracut -f
-+
-+Modify the kernel command line of the current kernel in the "grub.cfg" file by adding the following option to the GRUB_CMDLINE_LINUX key in the "/etc/default/grub" file and then rebuild the "grub.cfg" file:
-+
-+fips=1
-+
-+Changes to "/etc/default/grub" require rebuilding the "grub.cfg" file as follows:
-+
-+On BIOS-based machines, use the following command:
-+
-+# grub2-mkconfig -o /boot/grub2/grub.cfg
-+
-+On UEFI-based machines, use the following command:
-+
-+# grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg
-+
-+If /boot or /boot/efi reside on separate partitions, the kernel parameter boot=&lt;partition of /boot or /boot/efi&gt; must be added to the kernel command line. You can identify a partition by running the df /boot or df /boot/efi command:
-+
-+# df /boot
-+Filesystem 1K-blocks Used Available Use% Mounted on
-+/dev/sda1 495844 53780 416464 12% /boot
-+
-+To ensure the "boot=" configuration option will work even if device naming changes occur between boots, identify the universally unique identifier (UUID) of the partition with the following command:
-+
-+# blkid /dev/sda1
-+/dev/sda1: UUID="05c000f1-a213-759e-c7a2-f11b7424c797" TYPE="ext4"
-+
-+For the example above, append the following string to the kernel command line:
-+
-+boot=UUID=05c000f1-a213-759e-c7a2-f11b7424c797
-+
-+If the file /etc/system-fips does not exists, recreate it:
-+
-+# touch /etc/ system-fips
-+
-+Reboot the system for the changes to take effect.</fixtext><fix id="F-4621r499418_fix" /><check system="C-4621r499417_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the operating system implements DoD-approved encryption to protect the confidentiality of remote access sessions.
-+
-+Check to see if the "dracut-fips" package is installed with the following command:
-+
-+# yum list installed dracut-fips
-+
-+dracut-fips-033-360.el7_2.x86_64.rpm
-+
-+If a "dracut-fips" package is installed, check to see if the kernel command line is configured to use FIPS mode with the following command:
-+
-+Note: GRUB 2 reads its configuration from the "/boot/grub2/grub.cfg" file on traditional BIOS-based machines and from the "/boot/efi/EFI/redhat/grub.cfg" file on UEFI machines.
-+
-+# grep fips /boot/grub2/grub.cfg
-+/vmlinuz-3.8.0-0.40.el7.x86_64 root=/dev/mapper/rhel-root ro rd.md=0 rd.dm=0 rd.lvm.lv=rhel/swap crashkernel=auto rd.luks=0 vconsole.keymap=us rd.lvm.lv=rhel/root rhgb fips=1 quiet
-+
-+If the kernel command line is configured to use FIPS mode, check to see if the system is in FIPS mode with the following command:
-+
-+# cat /proc/sys/crypto/fips_enabled 
-+1
-+
-+If a "dracut-fips" package is not installed, the kernel command line does not have a fips entry, or the system has a value of "0" for "fips_enabled" in "/proc/sys/crypto", this is a finding.
-+
-+Verify the file /etc/system-fips exists.
-+
-+# ls -l /etc/system-fips
-+
-+If this file does not exist, this is a finding.</check-content></check></Rule></Group><Group id="V-204498"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204498r505924_rule" weight="10.0" severity="low"><version>RHEL-07-021600</version><title>The Red Hat Enterprise Linux operating system must be configured so that the file integrity tool is configured to verify Access Control Lists (ACLs).</title><description>&lt;VulnDiscussion&gt;ACLs can provide permissions beyond those permitted through the file mode and must be verified by file integrity tools.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86693</ident><ident system="http://cyber.mil/legacy">V-72069</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4622r88687_fix">Configure the file integrity tool to check file and directory ACLs. 
-+
-+If AIDE is installed, ensure the "acl" rule is present on all uncommented file and directory selection lists.</fixtext><fix id="F-4622r88687_fix" /><check system="C-4622r88686_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the file integrity tool is configured to verify ACLs.
-+
-+Check to see if Advanced Intrusion Detection Environment (AIDE) is installed on the system with the following command:
-+
-+# yum list installed aide
-+
-+If AIDE is not installed, ask the System Administrator how file integrity checks are performed on the system. 
-+
-+If there is no application installed to perform file integrity checks, this is a finding.
-+
-+Note: AIDE is highly configurable at install time. These commands assume the "aide.conf" file is under the "/etc" directory. 
-+
-+Use the following command to determine if the file is in another location:
-+
-+# find / -name aide.conf
-+
-+Check the "aide.conf" file to determine if the "acl" rule has been added to the rule list being applied to the files and directories selection lists.
-+
-+An example rule that includes the "acl" rule is below:
-+
-+All= p+i+n+u+g+s+m+S+sha512+acl+xattrs+selinux
-+/bin All # apply the custom rule to the files in bin 
-+/sbin All # apply the same custom rule to the files in sbin 
-+
-+If the "acl" rule is not being used on all uncommented selection lines in the "/etc/aide.conf" file, or ACLs are not being checked by another file integrity tool, this is a finding.</check-content></check></Rule></Group><Group id="V-204499"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204499r505924_rule" weight="10.0" severity="low"><version>RHEL-07-021610</version><title>The Red Hat Enterprise Linux operating system must be configured so that the file integrity tool is configured to verify extended attributes.</title><description>&lt;VulnDiscussion&gt;Extended attributes in file systems are used to contain arbitrary data and file metadata with security implications.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86695</ident><ident system="http://cyber.mil/legacy">V-72071</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4623r88690_fix">Configure the file integrity tool to check file and directory extended attributes. 
-+
-+If AIDE is installed, ensure the "xattrs" rule is present on all uncommented file and directory selection lists.</fixtext><fix id="F-4623r88690_fix" /><check system="C-4623r88689_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the file integrity tool is configured to verify extended attributes.
-+
-+Check to see if Advanced Intrusion Detection Environment (AIDE) is installed on the system with the following command:
-+
-+# yum list installed aide
-+
-+If AIDE is not installed, ask the System Administrator how file integrity checks are performed on the system.
-+
-+If there is no application installed to perform file integrity checks, this is a finding.
-+
-+Note: AIDE is highly configurable at install time. These commands assume the "aide.conf" file is under the "/etc" directory.
-+
-+Use the following command to determine if the file is in another location:
-+
-+# find / -name aide.conf
-+
-+Check the "aide.conf" file to determine if the "xattrs" rule has been added to the rule list being applied to the files and directories selection lists.
-+
-+An example rule that includes the "xattrs" rule follows:
-+
-+All= p+i+n+u+g+s+m+S+sha512+acl+xattrs+selinux
-+/bin All # apply the custom rule to the files in bin 
-+/sbin All # apply the same custom rule to the files in sbin 
-+
-+If the "xattrs" rule is not being used on all uncommented selection lines in the "/etc/aide.conf" file, or extended attributes are not being checked by another file integrity tool, this is a finding.</check-content></check></Rule></Group><Group id="V-204500"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204500r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-021620</version><title>The Red Hat Enterprise Linux operating system must use a file integrity tool that is configured to use FIPS 140-2 approved cryptographic hashes for validating file contents and directories.</title><description>&lt;VulnDiscussion&gt;File integrity tools use cryptographic hashes for verifying file contents and directories have not been altered. These hashes must be FIPS 140-2 approved cryptographic hashes.
-+
-+Red Hat Enterprise Linux operating system installation media ships with an optional file integrity tool called Advanced Intrusion Detection Environment (AIDE). AIDE is highly configurable at install time. This requirement assumes the "aide.conf" file is under the "/etc" directory.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86697</ident><ident system="http://cyber.mil/legacy">V-72073</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4624r462556_fix">Configure the file integrity tool to use FIPS 140-2 cryptographic hashes for validating file and directory contents. 
-+
-+If AIDE is installed, ensure the "sha512" rule is present on all uncommented file and directory selection lists.</fixtext><fix id="F-4624r462556_fix" /><check system="C-4624r462555_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the file integrity tool is configured to use FIPS 140-2 approved cryptographic hashes for validating file contents and directories.
-+
-+Check to see if AIDE is installed on the system with the following command:
-+
-+# yum list installed aide
-+
-+If AIDE is not installed, ask the System Administrator how file integrity checks are performed on the system. 
-+
-+If there is no application installed to perform file integrity checks, this is a finding.
-+
-+Note: AIDE is highly configurable at install time. These commands assume the "aide.conf" file is under the "/etc" directory. 
-+
-+Use the following command to determine if the file is in another location:
-+
-+# find / -name aide.conf
-+
-+Check the "aide.conf" file to determine if the "sha512" rule has been added to the rule list being applied to the files and directories selection lists.
-+
-+An example rule that includes the "sha512" rule follows:
-+
-+All=p+i+n+u+g+s+m+S+sha512+acl+xattrs+selinux
-+/bin All # apply the custom rule to the files in bin 
-+/sbin All # apply the same custom rule to the files in sbin 
-+
-+If the "sha512" rule is not being used on all uncommented selection lines in the "/etc/aide.conf" file, or another file integrity tool is not using FIPS 140-2 approved cryptographic hashes for validating file contents and directories, this is a finding.</check-content></check></Rule></Group><Group id="V-204501"><title>SRG-OS-000364-GPOS-00151</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204501r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-021700</version><title>The Red Hat Enterprise Linux operating system must not allow removable media to be used as the boot loader unless approved.</title><description>&lt;VulnDiscussion&gt;Malicious users with removable boot media can gain access to a system configured to use removable media as the boot loader. If removable media is designed to be used as the boot loader, the requirement must be documented with the Information System Security Officer (ISSO).&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86699</ident><ident system="http://cyber.mil/legacy">V-72075</ident><ident system="http://cyber.mil/cci">CCI-000368</ident><ident system="http://cyber.mil/cci">CCI-000318</ident><ident system="http://cyber.mil/cci">CCI-001813</ident><ident system="http://cyber.mil/cci">CCI-001814</ident><ident system="http://cyber.mil/cci">CCI-001812</ident><fixtext fixref="F-4625r88696_fix">Remove alternate methods of booting the system from removable media or document the configuration to boot from removable media with the ISSO.</fixtext><fix id="F-4625r88696_fix" /><check system="C-4625r88695_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the system is not configured to use a boot loader on removable media.
-+
-+Note: GRUB 2 reads its configuration from the "/boot/grub2/grub.cfg" file on traditional BIOS-based machines and from the "/boot/efi/EFI/redhat/grub.cfg" file on UEFI machines.
-+
-+Check for the existence of alternate boot loader configuration files with the following command:
-+
-+# find / -name grub.cfg
-+/boot/grub2/grub.cfg
-+
-+If a "grub.cfg" is found in any subdirectories other than "/boot/grub2" and "/boot/efi/EFI/redhat", ask the System Administrator if there is documentation signed by the ISSO to approve the use of removable media as a boot loader. 
-+
-+Check that the grub configuration file has the set root command in each menu entry with the following commands:
-+
-+# grep -c menuentry /boot/grub2/grub.cfg
-+1
-+# grep 'set root' /boot/grub2/grub.cfg
-+set root=(hd0,1)
-+
-+If the system is using an alternate boot loader on removable media, and documentation does not exist approving the alternate configuration, this is a finding.</check-content></check></Rule></Group><Group id="V-204502"><title>SRG-OS-000095-GPOS-00049</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204502r505924_rule" weight="10.0" severity="high"><version>RHEL-07-021710</version><title>The Red Hat Enterprise Linux operating system must not have the telnet-server package installed.</title><description>&lt;VulnDiscussion&gt;It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
-+
-+Operating systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions).
-+
-+Examples of non-essential capabilities include, but are not limited to, games, software packages, tools, and demonstration software not related to requirements or providing a wide array of functionality not required for every mission, but which cannot be disabled.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86701</ident><ident system="http://cyber.mil/legacy">V-72077</ident><ident system="http://cyber.mil/cci">CCI-000381</ident><fixtext fixref="F-4626r88699_fix">Configure the operating system to disable non-essential capabilities by removing the telnet-server package from the system with the following command:
-+
-+# yum remove telnet-server</fixtext><fix id="F-4626r88699_fix" /><check system="C-4626r88698_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the operating system is configured to disable non-essential capabilities. The most secure way of ensuring a non-essential capability is disabled is to not have the capability installed.
-+
-+The telnet service provides an unencrypted remote access service that does not provide for the confidentiality and integrity of user passwords or the remote session.
-+
-+If a privileged user were to log on using this service, the privileged user password could be compromised. 
-+
-+Check to see if the telnet-server package is installed with the following command:
-+
-+# yum list installed telnet-server
-+
-+If the telnet-server package is installed, this is a finding.</check-content></check></Rule></Group><Group id="V-204503"><title>SRG-OS-000038-GPOS-00016</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204503r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-030000</version><title>The Red Hat Enterprise Linux operating system must be configured so that auditing is configured to produce records containing information to establish what type of events occurred, where the events occurred, the source of the events, and the outcome of the events. These audit records must also identify individual identities of group account users.</title><description>&lt;VulnDiscussion&gt;Without establishing what type of events occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack.
-+
-+Audit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked.
-+
-+Associating event types with detected events in the operating system audit logs provides a means of investigating an attack; recognizing resource utilization or capacity thresholds; or identifying an improperly configured operating system.
-+
-+Satisfies: SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000042-GPOS-00021, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86703</ident><ident system="http://cyber.mil/legacy">V-72079</ident><ident system="http://cyber.mil/cci">CCI-000131</ident><ident system="http://cyber.mil/cci">CCI-000126</ident><fixtext fixref="F-4627r499421_fix">Configure the operating system to produce audit records containing information to establish when (date and time) the events occurred.
-+
-+Enable the auditd service with the following command:
-+
-+# systemctl start auditd.service</fixtext><fix id="F-4627r499421_fix" /><check system="C-4627r499420_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the operating system produces audit records containing information to establish when (date and time) the events occurred.
-+
-+Check to see if auditing is active by issuing the following command:
-+
-+# systemctl is-active auditd.service
-+active
-+
-+If the "auditd" status is not active, this is a finding.</check-content></check></Rule></Group><Group id="V-204504"><title>SRG-OS-000046-GPOS-00022</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204504r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-030010</version><title>The Red Hat Enterprise Linux operating system must shut down upon audit processing failure, unless availability is an overriding concern. If availability is a concern, the system must alert the designated staff (System Administrator [SA] and Information System Security Officer [ISSO] at a minimum) in the event of an audit processing failure.</title><description>&lt;VulnDiscussion&gt;It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notification, the security personnel may be unaware of an impending failure of the audit capability, and system operation may be adversely affected.
-+
-+Audit processing failures include software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded.
-+
-+This requirement applies to each audit data storage repository (i.e., distinct information system component where audit records are stored), the centralized audit storage capacity of organizations (i.e., all audit data storage repositories combined), or both.
-+
-+Satisfies: SRG-OS-000046-GPOS-00022, SRG-OS-000047-GPOS-00023&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86705</ident><ident system="http://cyber.mil/legacy">V-72081</ident><ident system="http://cyber.mil/cci">CCI-000139</ident><fixtext fixref="F-4628r462467_fix">Configure the operating system to shut down in the event of an audit processing failure.
-+
-+Add or correct the option to shut down the operating system with the following command:
-+
-+# auditctl -f 2
-+
-+Edit the "/etc/audit/rules.d/audit.rules" file and add the following line:
-+
-+-f 2
-+
-+If availability has been determined to be more important, and this decision is documented with the ISSO, configure the operating system to notify system administration staff and ISSO staff in the event of an audit processing failure with the following command:
-+
-+# auditctl -f 1
-+
-+Edit the "/etc/audit/rules.d/audit.rules" file and add the following line:
-+
-+-f 1
-+
-+Kernel log monitoring must also be configured to properly alert designated staff.
-+
-+The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-4628r462467_fix" /><check system="C-4628r462466_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Confirm the audit configuration regarding how auditing processing failures are handled.
-+
-+Check to see what level "auditctl" is set to with following command: 
-+
-+# auditctl -s | grep -i "fail"
-+
-+failure 2
-+
-+Note: If the value of "failure" is set to "2", the system is configured to panic (shut down) in the event of an auditing failure. If the value of "failure" is set to "1", the system is configured to only send information to the kernel log regarding the failure.
-+
-+If the "failure" setting is set to any value other than "1" or "2", this is a finding.
-+
-+If the "failure" setting is not set, this should be upgraded to a CAT I finding.
-+
-+If the "failure" setting is set to "1" but the availability concern is not documented or there is no monitoring of the kernel log, this should be downgraded to a CAT III finding.</check-content></check></Rule></Group><Group id="V-204506"><title>SRG-OS-000342-GPOS-00133</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204506r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-030201</version><title>The Red Hat Enterprise Linux operating system must be configured to off-load audit logs onto a different system or storage media from the system being audited.</title><description>&lt;VulnDiscussion&gt;Information stored in one location is vulnerable to accidental or incidental deletion or alteration.
-+
-+Off-loading is a common process in information systems with limited audit storage capacity.
-+
-+One method of off-loading audit logs in Red Hat Enterprise Linux is with the use of the audisp-remote dameon.  Without the configuration of the "au-remote" plugin, the audisp-remote daemon will not off load the logs from the system being audited.
-+
-+Satisfies: SRG-OS-000342-GPOS-00133, SRG-OS-000479-GPOS-00224&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-95729</ident><ident system="http://cyber.mil/legacy">V-81017</ident><ident system="http://cyber.mil/cci">CCI-001851</ident><fixtext fixref="F-4630r462470_fix">Edit the /etc/audisp/plugins.d/au-remote.conf file and add or update the following values:
-+
-+direction = out
-+path = /sbin/audisp-remote
-+type = always
-+
-+The audit daemon must be restarted for changes to take effect:
-+
-+# service auditd restart</fixtext><fix id="F-4630r462470_fix" /><check system="C-4630r462469_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the "au-remote" plugin is configured to always off-load audit logs using the audisp-remote daemon:
-+
-+# cat /etc/audisp/plugins.d/au-remote.conf | grep -v "^#"
-+
-+active = yes
-+direction = out
-+path = /sbin/audisp-remote
-+type = always
-+format = string
-+
-+If "active" is not set to "yes", "direction" is not set to "out", "path" is not set to "/sbin/audisp-remote", "type" is not set to "always", or any of the lines are commented out, ask the System Administrator to indicate how the audit logs are off-loaded to a different system or storage media.
-+
-+If there is no evidence that the system is configured to off-load audit logs to a different system or storage media, this is a finding.</check-content></check></Rule></Group><Group id="V-204507"><title>SRG-OS-000342-GPOS-00133</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204507r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-030210</version><title>The Red Hat Enterprise Linux operating system must take appropriate action when the remote logging buffer is full.</title><description>&lt;VulnDiscussion&gt;Information stored in one location is vulnerable to accidental or incidental deletion or alteration.
-+
-+Off-loading is a common process in information systems with limited audit storage capacity.
-+
-+One method of off-loading audit logs in Red Hat Enterprise Linux is with the use of the audisp-remote dameon.  When the remote buffer is full, audit logs will not be collected and sent to the central log server.
-+
-+Satisfies: SRG-OS-000342-GPOS-00133, SRG-OS-000479-GPOS-00224&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-81019</ident><ident system="http://cyber.mil/legacy">SV-95731</ident><ident system="http://cyber.mil/cci">CCI-001851</ident><fixtext fixref="F-4631r499400_fix">Edit the /etc/audisp/audispd.conf file and add or update the "overflow_action" option:
-+
-+overflow_action = syslog
-+
-+The audit daemon must be restarted for changes to take effect:
-+
-+# service auditd restart</fixtext><fix id="F-4631r499400_fix" /><check system="C-4631r499399_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the audisp daemon is configured to take an appropriate action when the internal queue is full:
-+
-+# grep "overflow_action" /etc/audisp/audispd.conf
-+
-+overflow_action = syslog
-+
-+If the "overflow_action" option is not "syslog", "single", or "halt", or the line is commented out, ask the System Administrator to indicate how the audit logs are off-loaded to a different system or storage media, and to indicate what action that system takes when the internal queue is full.
-+
-+If there is no evidence the system is configured to off-load audit logs to a different system or storage media or, if the configuration does not take appropriate action when the internal queue is full, this is a finding.</check-content></check></Rule></Group><Group id="V-204508"><title>SRG-OS-000342-GPOS-00133</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204508r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-030211</version><title>The Red Hat Enterprise Linux operating system must label all off-loaded audit logs before sending them to the central log server.</title><description>&lt;VulnDiscussion&gt;Information stored in one location is vulnerable to accidental or incidental deletion or alteration.
-+
-+Off-loading is a common process in information systems with limited audit storage capacity.
-+
-+One method of off-loading audit logs in Red Hat Enterprise Linux is with the use of the audisp-remote dameon.  When audit logs are not labeled before they are sent to a central log server, the audit data will not be able to be analyzed and tied back to the correct system.
-+
-+Satisfies: SRG-OS-000342-GPOS-00133, SRG-OS-000479-GPOS-00224&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-95733</ident><ident system="http://cyber.mil/legacy">V-81021</ident><ident system="http://cyber.mil/cci">CCI-001851</ident><fixtext fixref="F-4632r499403_fix">Edit the /etc/audisp/audispd.conf file and add or update the "name_format" option:
-+
-+name_format = hostname
-+
-+The audit daemon must be restarted for changes to take effect:
-+
-+# service auditd restart</fixtext><fix id="F-4632r499403_fix" /><check system="C-4632r499402_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the audisp daemon is configured to label all off-loaded audit logs:
-+
-+# grep "name_format" /etc/audisp/audispd.conf
-+
-+name_format = hostname
-+
-+If the "name_format" option is not "hostname", "fqd", or "numeric", or the line is commented out, ask the System Administrator to indicate how the audit logs are off-loaded to a different system or storage media, and to indicate if the logs are labeled appropriately.
-+
-+If there is no evidence that the system is configured to off-load audit logs to a different system or storage media, or if the configuration does not appropriately label logs before they are off-loaded, this is a finding.</check-content></check></Rule></Group><Group id="V-204509"><title>SRG-OS-000342-GPOS-00133</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204509r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-030300</version><title>The Red Hat Enterprise Linux operating system must off-load audit records onto a different system or media from the system being audited.</title><description>&lt;VulnDiscussion&gt;Information stored in one location is vulnerable to accidental or incidental deletion or alteration.
-+
-+Off-loading is a common process in information systems with limited audit storage capacity.
-+
-+Satisfies: SRG-OS-000342-GPOS-00133, SRG-OS-000479-GPOS-00224&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-72083</ident><ident system="http://cyber.mil/legacy">SV-86707</ident><ident system="http://cyber.mil/cci">CCI-001851</ident><fixtext fixref="F-4633r88720_fix">Configure the operating system to off-load audit records onto a different system or media from the system being audited.
-+
-+Set the remote server option in "/etc/audisp/audisp-remote.conf" with the IP address of the log aggregation server.</fixtext><fix id="F-4633r88720_fix" /><check system="C-4633r88719_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the operating system off-loads audit records onto a different system or media from the system being audited.
-+
-+To determine the remote server that the records are being sent to, use the following command:
-+
-+# grep -i remote_server /etc/audisp/audisp-remote.conf
-+remote_server = 10.0.21.1
-+
-+If a remote server is not configured, or the line is commented out, ask the System Administrator to indicate how the audit logs are off-loaded to a different system or media. 
-+
-+If there is no evidence that the audit logs are being off-loaded to another system or media, this is a finding.</check-content></check></Rule></Group><Group id="V-204510"><title>SRG-OS-000342-GPOS-00133</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204510r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-030310</version><title>The Red Hat Enterprise Linux operating system must encrypt the transfer of audit records off-loaded onto a different system or media from the system being audited.</title><description>&lt;VulnDiscussion&gt;Information stored in one location is vulnerable to accidental or incidental deletion or alteration.
-+
-+Off-loading is a common process in information systems with limited audit storage capacity.
-+
-+Satisfies: SRG-OS-000342-GPOS-00133, SRG-OS-000479-GPOS-00224&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-72085</ident><ident system="http://cyber.mil/legacy">SV-86709</ident><ident system="http://cyber.mil/cci">CCI-001851</ident><fixtext fixref="F-4634r88723_fix">Configure the operating system to encrypt the transfer of off-loaded audit records onto a different system or media from the system being audited.
-+
-+Uncomment the "enable_krb5" option in "/etc/audisp/audisp-remote.conf" and set it with the following line:
-+
-+enable_krb5 = yes</fixtext><fix id="F-4634r88723_fix" /><check system="C-4634r88722_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the operating system encrypts audit records off-loaded onto a different system or media from the system being audited.
-+
-+To determine if the transfer is encrypted, use the following command:
-+
-+# grep -i enable_krb5 /etc/audisp/audisp-remote.conf
-+enable_krb5 = yes
-+
-+If the value of the "enable_krb5" option is not set to "yes" or the line is commented out, ask the System Administrator to indicate how the audit logs are off-loaded to a different system or media. 
-+
-+If there is no evidence that the transfer of the audit logs being off-loaded to another system or media is encrypted, this is a finding.</check-content></check></Rule></Group><Group id="V-204511"><title>SRG-OS-000342-GPOS-00133</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204511r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-030320</version><title>The Red Hat Enterprise Linux operating system must be configured so that the audit system takes appropriate action when the audit storage volume is full.</title><description>&lt;VulnDiscussion&gt;Taking appropriate action in case of a filled audit storage volume will minimize the possibility of losing audit records.
-+One method of off-loading audit logs in Red Hat Enterprise Linux is with the use of the audisp-remote dameon.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-72087</ident><ident system="http://cyber.mil/legacy">SV-86711</ident><ident system="http://cyber.mil/cci">CCI-001851</ident><fixtext fixref="F-4635r499406_fix">Configure the action the operating system takes if the disk the audit records are written to becomes full.
-+
-+Uncomment or edit the "disk_full_action" option in "/etc/audisp/audisp-remote.conf" and set it to "syslog", "single", or "halt", such as the following line:
-+
-+disk_full_action = single</fixtext><fix id="F-4635r499406_fix" /><check system="C-4635r499405_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the action the operating system takes if the disk the audit records are written to becomes full.
-+
-+To determine the action that takes place if the disk is full on the remote server, use the following command:
-+
-+# grep -i disk_full_action /etc/audisp/audisp-remote.conf
-+disk_full_action = single
-+
-+If the value of the "disk_full_action" option is not "syslog", "single", or "halt", or the line is commented out, ask the System Administrator to indicate how the audit logs are off-loaded to a different system or storage media, and to indicate the action taken when the disk is full on the remote server.
-+
-+If there is no evidence that the system is configured to off-load audit logs to a different system or storage media, or if the configuration does not take appropriate action when the disk is full on the remote server, this is a finding.</check-content></check></Rule></Group><Group id="V-204512"><title>SRG-OS-000342-GPOS-00133</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204512r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-030321</version><title>The Red Hat Enterprise Linux operating system must be configured so that the audit system takes appropriate action when there is an error sending audit records to a remote system.</title><description>&lt;VulnDiscussion&gt;Taking appropriate action when there is an error sending audit records to a remote system will minimize the possibility of losing audit records.
-+One method of off-loading audit logs in Red Hat Enterprise Linux is with the use of the audisp-remote dameon.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-73163</ident><ident system="http://cyber.mil/legacy">SV-87815</ident><ident system="http://cyber.mil/cci">CCI-001851</ident><fixtext fixref="F-4636r499409_fix">Configure the action the operating system takes if there is an error sending audit records to a remote system.
-+
-+Uncomment the "network_failure_action" option in "/etc/audisp/audisp-remote.conf" and set it to "syslog", "single", or "halt".
-+
-+network_failure_action = syslog</fixtext><fix id="F-4636r499409_fix" /><check system="C-4636r499408_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the action the operating system takes if there is an error sending audit records to a remote system.
-+
-+Check the action that takes place if there is an error sending audit records to a remote system with the following command:
-+
-+# grep -i network_failure_action /etc/audisp/audisp-remote.conf
-+network_failure_action = syslog
-+
-+If the value of the "network_failure_action" option is not "syslog", "single", or "halt", or the line is commented out, ask the System Administrator to indicate how the audit logs are off-loaded to a different system or storage media, and to indicate the action taken if there is an error sending audit records to the remote system.
-+
-+If there is no evidence that the system is configured to off-load audit logs to a different system or storage media, or if the configuration does not take appropriate action if there is an error sending audit records to the remote system, this is a finding.</check-content></check></Rule></Group><Group id="V-204513"><title>SRG-OS-000343-GPOS-00134</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204513r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-030330</version><title>The Red Hat Enterprise Linux operating system must initiate an action to notify the System Administrator (SA) and Information System Security Officer ISSO, at a minimum, when allocated audit record storage volume reaches 75% of the repository maximum audit record storage capacity.</title><description>&lt;VulnDiscussion&gt;If security personnel are not notified immediately when storage volume reaches 75 percent utilization, they are unable to plan for audit record storage capacity expansion.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-72089</ident><ident system="http://cyber.mil/legacy">SV-86713</ident><ident system="http://cyber.mil/cci">CCI-001855</ident><fixtext fixref="F-4637r88732_fix">Configure the operating system to initiate an action to notify the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity.
-+
-+Check the system configuration to determine the partition the audit records are being written to: 
-+
-+# grep -iw log_file /etc/audit/auditd.conf
-+
-+Determine the size of the partition that audit records are written to (with the example being "/var/log/audit/"):
-+
-+# df -h /var/log/audit/
-+
-+Set the value of the "space_left" keyword in "/etc/audit/auditd.conf" to 25 percent of the partition size.</fixtext><fix id="F-4637r88732_fix" /><check system="C-4637r88731_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the operating system initiates an action to notify the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity.
-+
-+Check the system configuration to determine the partition the audit records are being written to with the following command:
-+
-+# grep -iw log_file /etc/audit/auditd.conf
-+log_file = /var/log/audit/audit.log
-+
-+Check the size of the partition that audit records are written to (with the example being "/var/log/audit/"):
-+
-+# df -h /var/log/audit/
-+0.9G /var/log/audit
-+
-+If the audit records are not being written to a partition specifically created for audit records (in this example "/var/log/audit" is a separate partition), determine the amount of space other files in the partition are currently occupying with the following command:
-+
-+# du -sh &lt;partition&gt;
-+1.8G /var
-+
-+Determine what the threshold is for the system to take action when 75 percent of the repository maximum audit record storage capacity is reached:
-+
-+# grep -iw space_left /etc/audit/auditd.conf
-+space_left = 225 
-+
-+If the value of the "space_left" keyword is not set to 25 percent of the total partition size, this is a finding.</check-content></check></Rule></Group><Group id="V-204514"><title>SRG-OS-000343-GPOS-00134</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204514r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-030340</version><title>The Red Hat Enterprise Linux operating system must immediately notify the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) via email when the threshold for the repository maximum audit record storage capacity is reached.</title><description>&lt;VulnDiscussion&gt;If security personnel are not notified immediately when the threshold for the repository maximum audit record storage capacity is reached, they are unable to expand the audit record storage capacity before records are lost.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-72091</ident><ident system="http://cyber.mil/legacy">SV-86715</ident><ident system="http://cyber.mil/cci">CCI-001855</ident><fixtext fixref="F-4638r88735_fix">Configure the operating system to immediately notify the SA and ISSO (at a minimum) when the threshold for the repository maximum audit record storage capacity is reached.
-+
-+Uncomment or edit the "space_left_action" keyword in "/etc/audit/auditd.conf" and set it to "email". 
-+ 
-+space_left_action = email</fixtext><fix id="F-4638r88735_fix" /><check system="C-4638r88734_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the operating system immediately notifies the SA and ISSO (at a minimum) via email when the allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity.
-+
-+Check what action the operating system takes when the threshold for the repository maximum audit record storage capacity is reached with the following command:
-+
-+# grep -i space_left_action  /etc/audit/auditd.conf
-+space_left_action = email
-+
-+If the value of the "space_left_action" keyword is not set to "email", this is a finding.</check-content></check></Rule></Group><Group id="V-204515"><title>SRG-OS-000343-GPOS-00134</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204515r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-030350</version><title>The Red Hat Enterprise Linux operating system must immediately notify the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) when the threshold for the repository maximum audit record storage capacity is reached.</title><description>&lt;VulnDiscussion&gt;If security personnel are not notified immediately when the threshold for the repository maximum audit record storage capacity is reached, they are unable to expand the audit record storage capacity before records are lost.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-72093</ident><ident system="http://cyber.mil/legacy">SV-86717</ident><ident system="http://cyber.mil/cci">CCI-001855</ident><fixtext fixref="F-4639r88738_fix">Configure the operating system to immediately notify the SA and ISSO (at a minimum) when the threshold for the repository maximum audit record storage capacity is reached.
-+
-+Uncomment or edit the "action_mail_acct" keyword in "/etc/audit/auditd.conf" and set it to root and any other accounts associated with security personnel. 
-+ 
-+action_mail_acct = root</fixtext><fix id="F-4639r88738_fix" /><check system="C-4639r88737_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the operating system immediately notifies the SA and ISSO (at a minimum) via email when the threshold for the repository maximum audit record storage capacity is reached.
-+
-+Check what account the operating system emails when the threshold for the repository maximum audit record storage capacity is reached with the following command:
-+
-+# grep -i action_mail_acct  /etc/audit/auditd.conf
-+action_mail_acct = root
-+
-+If the value of the "action_mail_acct" keyword is not set to "root" and other accounts for security personnel, this is a finding.</check-content></check></Rule></Group><Group id="V-204516"><title>SRG-OS-000327-GPOS-00127</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204516r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-030360</version><title>The Red Hat Enterprise Linux operating system must audit all executions of privileged functions.</title><description>&lt;VulnDiscussion&gt;Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised information system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider threats and the advanced persistent threat.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-72095</ident><ident system="http://cyber.mil/legacy">SV-86719</ident><ident system="http://cyber.mil/cci">CCI-002234</ident><fixtext fixref="F-4640r88741_fix">Configure the operating system to audit the execution of privileged functions.
-+
-+Add or update the following rules in "/etc/audit/rules.d/audit.rules":
-+
-+-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k setuid
-+-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k setuid
-+-a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k setgid
-+-a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k setgid
-+
-+The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-4640r88741_fix" /><check system="C-4640r88740_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the operating system audits the execution of privileged functions using the following command:
-+
-+# grep -iw execve /etc/audit/audit.rules
-+
-+-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k setuid
-+-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k setuid
-+-a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k setgid
-+-a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k setgid
-+
-+
-+If both the "b32" and "b64" audit rules for "SUID" files are not defined, this is a finding.
-+
-+If both the "b32" and "b64" audit rules for "SGID" files are not defined, this is a finding.</check-content></check></Rule></Group><Group id="V-204517"><title>SRG-OS-000064-GPOS-00033</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204517r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-030370</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the chown syscall.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
-+
-+Audit records can be generated from various components within the information system (e.g., module or policy filter).
-+
-+When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
-+
-+Satisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000474-GPOS-00219&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-72097</ident><ident system="http://cyber.mil/legacy">SV-86721</ident><ident system="http://cyber.mil/cci">CCI-000172</ident><ident system="http://cyber.mil/cci">CCI-000126</ident><fixtext fixref="F-4641r462559_fix">Add or update the following rule in "/etc/audit/rules.d/audit.rules":
-+
-+-a always,exit -F arch=b32 -S chown -F auid&gt;=1000 -F auid!=unset -k perm_mod
-+
-+-a always,exit -F arch=b64 -S chown -F auid&gt;=1000 -F auid!=unset -k perm_mod
-+
-+The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-4641r462559_fix" /><check system="C-4641r462558_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the operating system generates audit records when successful/unsuccessful attempts to use the "chown" syscall occur.
-+
-+Check the file system rules in "/etc/audit/audit.rules" with the following commands:
-+
-+# grep -iw chown /etc/audit/audit.rules
-+
-+-a always,exit -F arch=b32 -S chown -F auid&gt;=1000 -F auid!=unset -k perm_mod
-+
-+-a always,exit -F arch=b64 -S chown -F auid&gt;=1000 -F auid!=unset -k perm_mod
-+
-+If both the "b32" and "b64" audit rules are not defined for the "chown" syscall, this is a finding.</check-content></check></Rule></Group><Group id="V-204518"><title>SRG-OS-000064-GPOS-00033</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204518r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-030380</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the fchown syscall.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
-+
-+Audit records can be generated from various components within the information system (e.g., module or policy filter).
-+
-+When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
-+
-+Satisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000474-GPOS-00219&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-72099</ident><ident system="http://cyber.mil/legacy">SV-86723</ident><ident system="http://cyber.mil/cci">CCI-000126</ident><ident system="http://cyber.mil/cci">CCI-000172</ident><fixtext fixref="F-4642r462562_fix">Add or update the following rules in "/etc/audit/rules.d/audit.rules":
-+
-+-a always,exit -F arch=b32 -S fchown -F auid&gt;=1000 -F auid!=unset -k perm_mod
-+
-+-a always,exit -F arch=b64 -S fchown -F auid&gt;=1000 -F auid!=unset -k perm_mod
-+
-+The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-4642r462562_fix" /><check system="C-4642r462561_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the operating system generates audit records when successful/unsuccessful attempts to use the "fchown" syscall occur.
-+
-+Check the file system rules in "/etc/audit/audit.rules" with the following commands:
-+
-+# grep -iw fchown /etc/audit/audit.rules
-+
-+-a always,exit -F arch=b32 -S fchown -F auid&gt;=1000 -F auid!=unset -k perm_mod
-+
-+-a always,exit -F arch=b64 -S fchown -F auid&gt;=1000 -F auid!=unset -k perm_mod
-+
-+If both the "b32" and "b64" audit rules are not defined for the "fchown" syscall, this is a finding.</check-content></check></Rule></Group><Group id="V-204519"><title>SRG-OS-000064-GPOS-00033</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204519r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-030390</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the lchown syscall.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
-+
-+Audit records can be generated from various components within the information system (e.g., module or policy filter).
-+
-+When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
-+
-+Satisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000474-GPOS-00219&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-72101</ident><ident system="http://cyber.mil/legacy">SV-86725</ident><ident system="http://cyber.mil/cci">CCI-000172</ident><ident system="http://cyber.mil/cci">CCI-000126</ident><fixtext fixref="F-4643r462565_fix">Add or update the following rules in "/etc/audit/rules.d/audit.rules":
-+
-+-a always,exit -F arch=b32 -S lchown -F auid&gt;=1000 -F auid!=unset -k perm_mod
-+
-+-a always,exit -F arch=b64 -S lchown -F auid&gt;=1000 -F auid!=unset -k perm_mod
-+
-+The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-4643r462565_fix" /><check system="C-4643r462564_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the operating system generates audit records when successful/unsuccessful attempts to use the "lchown" syscall occur.
-+
-+Check the file system rules in "/etc/audit/audit.rules" with the following commands:
-+
-+# grep -iw lchown /etc/audit/audit.rules
-+
-+-a always,exit -F arch=b32 -S lchown -F auid&gt;=1000 -F auid!=unset -k perm_mod
-+
-+-a always,exit -F arch=b64 -S lchown -F auid&gt;=1000 -F auid!=unset -k perm_mod
-+
-+If both the "b32" and "b64" audit rules are not defined for the "lchown" syscall, this is a finding.</check-content></check></Rule></Group><Group id="V-204520"><title>SRG-OS-000064-GPOS-00033</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204520r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-030400</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the fchownat syscall.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
-+
-+Audit records can be generated from various components within the information system (e.g., module or policy filter).
-+
-+When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
-+
-+Satisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000474-GPOS-00219&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-72103</ident><ident system="http://cyber.mil/legacy">SV-86727</ident><ident system="http://cyber.mil/cci">CCI-000126</ident><ident system="http://cyber.mil/cci">CCI-000172</ident><fixtext fixref="F-4644r462568_fix">Add or update the following rules in "/etc/audit/rules.d/audit.rules":
-+
-+-a always,exit -F arch=b32 -S fchownat -F auid&gt;=1000 -F auid!=unset -k perm_mod
-+
-+-a always,exit -F arch=b64 -S fchownat -F auid&gt;=1000 -F auid!=unset -k perm_mod
-+
-+The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-4644r462568_fix" /><check system="C-4644r462567_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the operating system generates audit records when successful/unsuccessful attempts to use the "fchownat" syscall occur.
-+
-+Check the file system rules in "/etc/audit/audit.rules" with the following commands:
-+
-+# grep -iw fchownat /etc/audit/audit.rules
-+
-+-a always,exit -F arch=b32 -S fchownat -F auid&gt;=1000 -F auid!=unset -k perm_mod
-+
-+-a always,exit -F arch=b64 -S fchownat -F auid&gt;=1000 -F auid!=unset -k perm_mod
-+
-+If both the "b32" and "b64" audit rules are not defined for the "fchownat" syscall, this is a finding.</check-content></check></Rule></Group><Group id="V-204521"><title>SRG-OS-000458-GPOS-00203</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204521r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-030410</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the chmod syscall.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
-+
-+Audit records can be generated from various components within the information system (e.g., module or policy filter).
-+
-+When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
-+
-+Satisfies: SRG-OS-000458-GPOS-00203, SRG-OS-000392-GPOS-00172, SRG-OS-000064-GPOS-00033&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86729</ident><ident system="http://cyber.mil/legacy">V-72105</ident><ident system="http://cyber.mil/cci">CCI-000172</ident><fixtext fixref="F-4645r462571_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "chmod" syscall occur.
-+
-+Add or update the following rules in "/etc/audit/rules.d/audit.rules":
-+
-+-a always,exit -F arch=b32 -S chmod -F auid&gt;=1000 -F auid!=unset -k perm_mod
-+
-+-a always,exit -F arch=b64 -S chmod -F auid&gt;=1000 -F auid!=unset -k perm_mod
-+
-+The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-4645r462571_fix" /><check system="C-4645r462570_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the operating system generates audit records when successful/unsuccessful attempts to use the "chmod" syscall occur.
-+
-+Check the file system rules in "/etc/audit/audit.rules" with the following command:
-+
-+# grep -iw chmod /etc/audit/audit.rules
-+
-+-a always,exit -F arch=b32 -S chmod -F auid&gt;=1000 -F auid!=unset -k perm_mod
-+
-+-a always,exit -F arch=b64 -S chmod -F auid&gt;=1000 -F auid!=unset -k perm_mod
-+
-+If both the "b32" and "b64" audit rules are not defined for the "chmod" syscall, this is a finding.</check-content></check></Rule></Group><Group id="V-204522"><title>SRG-OS-000458-GPOS-00203</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204522r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-030420</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the fchmod syscall.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
-+
-+Audit records can be generated from various components within the information system (e.g., module or policy filter).
-+
-+When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
-+
-+Satisfies: SRG-OS-000458-GPOS-00203, SRG-OS-000392-GPOS-00172, SRG-OS-000064-GPOS-00033&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86731</ident><ident system="http://cyber.mil/legacy">V-72107</ident><ident system="http://cyber.mil/cci">CCI-000172</ident><fixtext fixref="F-4646r462574_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "fchmod" syscall occur.
-+
-+Add or update the following rules in "/etc/audit/rules.d/audit.rules":
-+
-+-a always,exit -F arch=b32 -S fchmod -F auid&gt;=1000 -F auid!=unset -k perm_mod
-+
-+-a always,exit -F arch=b64 -S fchmod -F auid&gt;=1000 -F auid!=unset -k perm_mod
-+
-+The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-4646r462574_fix" /><check system="C-4646r462573_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the operating system generates audit records when successful/unsuccessful attempts to use the "fchmod" syscall occur.
-+
-+Check the file system rules in "/etc/audit/audit.rules" with the following command:
-+
-+# grep -iw fchmod /etc/audit/audit.rules
-+
-+-a always,exit -F arch=b32 -S fchmod -F auid&gt;=1000 -F auid!=unset -k perm_mod
-+
-+-a always,exit -F arch=b64 -S fchmod -F auid&gt;=1000 -F auid!=unset -k perm_mod
-+
-+If both the "b32" and "b64" audit rules are not defined for the "fchmod" syscall, this is a finding.</check-content></check></Rule></Group><Group id="V-204523"><title>SRG-OS-000458-GPOS-00203</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204523r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-030430</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the fchmodat syscall.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
-+
-+Audit records can be generated from various components within the information system (e.g., module or policy filter).
-+
-+When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
-+
-+Satisfies: SRG-OS-000458-GPOS-00203, SRG-OS-000392-GPOS-00172, SRG-OS-000064-GPOS-00033&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86733</ident><ident system="http://cyber.mil/legacy">V-72109</ident><ident system="http://cyber.mil/cci">CCI-000172</ident><fixtext fixref="F-4647r462577_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "fchmodat" syscall occur.
-+
-+Add or update the following rules in "/etc/audit/rules.d/audit.rules":
-+
-+-a always,exit -F arch=b32 -S fchmodat -F auid&gt;=1000 -F auid!=unset -k perm_mod
-+
-+-a always,exit -F arch=b64 -S fchmodat -F auid&gt;=1000 -F auid!=unset -k perm_mod
-+
-+The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-4647r462577_fix" /><check system="C-4647r462576_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the operating system generates audit records when successful/unsuccessful attempts to use the "fchmodat" syscall occur.
-+
-+Check the file system rules in "/etc/audit/audit.rules" with the following command:
-+
-+# grep -iw fchmodat /etc/audit/audit.rules
-+
-+-a always,exit -F arch=b32 -S fchmodat -F auid&gt;=1000 -F auid!=unset -k perm_mod
-+
-+-a always,exit -F arch=b64 -S fchmodat -F auid&gt;=1000 -F auid!=unset -k perm_mod
-+
-+If both the "b32" and "b64" audit rules are not defined for the "fchmodat" syscall, this is a finding.</check-content></check></Rule></Group><Group id="V-204524"><title>SRG-OS-000458-GPOS-00203</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204524r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-030440</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the setxattr syscall.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
-+
-+Audit records can be generated from various components within the information system (e.g., module or policy filter).
-+
-+When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
-+
-+Satisfies: SRG-OS-000458-GPOS-00203, SRG-OS-000392-GPOS-00172, SRG-OS-000064-GPOS-00033&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86735</ident><ident system="http://cyber.mil/legacy">V-72111</ident><ident system="http://cyber.mil/cci">CCI-000172</ident><fixtext fixref="F-4648r462732_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "setxattr" syscall occur.
-+
-+Add or update the following rules in "/etc/audit/rules.d/audit.rules":
-+
-+-a always,exit -F arch=b32 -S setxattr -F auid&gt;=1000 -F auid!=unset -k perm_mod
-+
-+-a always,exit -F arch=b64 -S setxattr -F auid&gt;=1000 -F auid!=unset -k perm_mod
-+
-+The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-4648r462732_fix" /><check system="C-4648r462731_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the operating system generates audit records when successful/unsuccessful attempts to use the "setxattr" syscall occur.
-+
-+Check the file system rules in "/etc/audit/audit.rules" with the following commands:
-+
-+# grep -iw setxattr /etc/audit/audit.rules
-+
-+-a always,exit -F arch=b32 -S setxattr -F auid&gt;=1000 -F auid!=unset -k perm_mod
-+
-+-a always,exit -F arch=b64 -S setxattr -F auid&gt;=1000 -F auid!=unset -k perm_mod
-+
-+If both the "b32" and "b64" audit rules are not defined for the "setxattr" syscall, this is a finding.</check-content></check></Rule></Group><Group id="V-204525"><title>SRG-OS-000458-GPOS-00203</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204525r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-030450</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the fsetxattr syscall.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
-+
-+Audit records can be generated from various components within the information system (e.g., module or policy filter).
-+
-+When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
-+
-+Satisfies: SRG-OS-000458-GPOS-00203, SRG-OS-000392-GPOS-00172, SRG-OS-000064-GPOS-00033&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86737</ident><ident system="http://cyber.mil/legacy">V-72113</ident><ident system="http://cyber.mil/cci">CCI-000172</ident><fixtext fixref="F-4649r462580_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "fsetxattr" syscall occur.
-+
-+Add or update the following rules in "/etc/audit/rules.d/audit.rules":
-+
-+-a always,exit -F arch=b32 -S fsetxattr -F auid&gt;=1000 -F auid!=unset -k perm_mod
-+
-+-a always,exit -F arch=b64 -S fsetxattr -F auid&gt;=1000 -F auid!=unset -k perm_mod
-+
-+The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-4649r462580_fix" /><check system="C-4649r462579_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the operating system generates audit records when successful/unsuccessful attempts to use the "fsetxattr" syscall occur.
-+
-+Check the file system rules in "/etc/audit/audit.rules" with the following commands:
-+
-+# grep -iw fsetxattr /etc/audit/audit.rules
-+
-+-a always,exit -F arch=b32 -S fsetxattr -F auid&gt;=1000 -F auid!=unset -k perm_mod
-+
-+-a always,exit -F arch=b64 -S fsetxattr -F auid&gt;=1000 -F auid!=unset -k perm_mod
-+
-+If both the "b32" and "b64" audit rules are not defined for the "fsetxattr" syscall, this is a finding.</check-content></check></Rule></Group><Group id="V-204526"><title>SRG-OS-000458-GPOS-00203</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204526r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-030460</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the lsetxattr syscall.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
-+
-+Audit records can be generated from various components within the information system (e.g., module or policy filter).
-+
-+When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
-+
-+Satisfies: SRG-OS-000458-GPOS-00203, SRG-OS-000392-GPOS-00172, SRG-OS-000064-GPOS-00033&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-72115</ident><ident system="http://cyber.mil/legacy">SV-86739</ident><ident system="http://cyber.mil/cci">CCI-000172</ident><fixtext fixref="F-4650r462583_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "lsetxattr" syscall occur.
-+
-+Add or update the following rules in "/etc/audit/rules.d/audit.rules":
-+
-+-a always,exit -F arch=b32 -S lsetxattr -F auid&gt;=1000 -F auid!=unset -k perm_mod
-+
-+-a always,exit -F arch=b64 -S lsetxattr -F auid&gt;=1000 -F auid!=unset -k perm_mod
-+
-+The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-4650r462583_fix" /><check system="C-4650r462582_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the operating system generates audit records when successful/unsuccessful attempts to use the "lsetxattr" syscall occur.
-+
-+Check the file system rules in "/etc/audit/audit.rules" with the following commands:
-+
-+# grep -iw lsetxattr /etc/audit/audit.rules
-+
-+-a always,exit -F arch=b32 -S lsetxattr -F auid&gt;=1000 -F auid!=unset -k perm_mod
-+
-+-a always,exit -F arch=b64 -S lsetxattr -F auid&gt;=1000 -F auid!=unset -k perm_mod
-+
-+If both the "b32" and "b64" audit rules are not defined for the "lsetxattr" syscall, this is a finding.</check-content></check></Rule></Group><Group id="V-204527"><title>SRG-OS-000458-GPOS-00203</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204527r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-030470</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the removexattr syscall.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
-+
-+Audit records can be generated from various components within the information system (e.g., module or policy filter).
-+
-+When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
-+
-+Satisfies: SRG-OS-000458-GPOS-00203, SRG-OS-000392-GPOS-00172, SRG-OS-000064-GPOS-00033&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-72117</ident><ident system="http://cyber.mil/legacy">SV-86741</ident><ident system="http://cyber.mil/cci">CCI-000172</ident><fixtext fixref="F-4651r462586_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "removexattr" syscall occur.
-+
-+Add or update the following rules in "/etc/audit/rules.d/audit.rules":
-+
-+-a always,exit -F arch=b32 -S removexattr -F auid&gt;=1000 -F auid!=unset -k perm_mod
-+
-+-a always,exit -F arch=b64 -S removexattr -F auid&gt;=1000 -F auid!=unset -k perm_mod
-+
-+The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-4651r462586_fix" /><check system="C-4651r462585_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the operating system generates audit records when successful/unsuccessful attempts to use the "removexattr" syscall occur.
-+
-+Check the file system rules in "/etc/audit/audit.rules" with the following commands:
-+
-+# grep -iw removexattr /etc/audit/audit.rules
-+
-+-a always,exit -F arch=b32 -S removexattr -F auid&gt;=1000 -F auid!=unset -k perm_mod
-+
-+-a always,exit -F arch=b64 -S removexattr -F auid&gt;=1000 -F auid!=unset -k perm_mod
-+
-+If both the "b32" and "b64" audit rules are not defined for the "removexattr" syscall, this is a finding.</check-content></check></Rule></Group><Group id="V-204528"><title>SRG-OS-000458-GPOS-00203</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204528r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-030480</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the fremovexattr syscall.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
-+
-+Audit records can be generated from various components within the information system (e.g., module or policy filter).
-+
-+When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
-+
-+Satisfies: SRG-OS-000458-GPOS-00203, SRG-OS-000392-GPOS-00172, SRG-OS-000064-GPOS-00033&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86743</ident><ident system="http://cyber.mil/legacy">V-72119</ident><ident system="http://cyber.mil/cci">CCI-000172</ident><fixtext fixref="F-4652r462589_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "fremovexattr" syscall occur.
-+
-+Add or update the following rules in "/etc/audit/rules.d/audit.rules":
-+
-+-a always,exit -F arch=b32 -S fremovexattr -F auid&gt;=1000 -F auid!=unset -k perm_mod
-+
-+-a always,exit -F arch=b64 -S fremovexattr -F auid&gt;=1000 -F auid!=unset -k perm_mod
-+
-+The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-4652r462589_fix" /><check system="C-4652r462588_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the operating system generates audit records when successful/unsuccessful attempts to use the "fremovexattr" syscall occur.
-+
-+Check the file system rules in "/etc/audit/audit.rules" with the following commands:
-+
-+# grep -iw fremovexattr /etc/audit/audit.rules
-+
-+-a always,exit -F arch=b32 -S fremovexattr -F auid&gt;=1000 -F auid!=unset -k perm_mod
-+
-+-a always,exit -F arch=b64 -S fremovexattr -F auid&gt;=1000 -F auid!=unset -k perm_mod
-+
-+If both the "b32" and "b64" audit rules are not defined for the "fremovexattr" syscall, this is a finding.</check-content></check></Rule></Group><Group id="V-204529"><title>SRG-OS-000458-GPOS-00203</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204529r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-030490</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the lremovexattr syscall.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
-+
-+Audit records can be generated from various components within the information system (e.g., module or policy filter).
-+
-+When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
-+
-+Satisfies: SRG-OS-000458-GPOS-00203, SRG-OS-000392-GPOS-00172, SRG-OS-000064-GPOS-00033&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-72121</ident><ident system="http://cyber.mil/legacy">SV-86745</ident><ident system="http://cyber.mil/cci">CCI-000172</ident><fixtext fixref="F-4653r462592_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "lremovexattr" syscall occur.
-+
-+Add or update the following rules in "/etc/audit/rules.d/audit.rules":
-+
-+-a always,exit -F arch=b32 -S lremovexattr -F auid&gt;=1000 -F auid!=unset -k perm_mod
-+
-+-a always,exit -F arch=b64 -S lremovexattr -F auid&gt;=1000 -F auid!=unset -k perm_mod
-+
-+The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-4653r462592_fix" /><check system="C-4653r462591_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the operating system generates audit records when successful/unsuccessful attempts to use the "lremovexattr" syscall occur.
-+
-+Check the file system rules in "/etc/audit/audit.rules" with the following commands:
-+
-+# grep -iw lremovexattr /etc/audit/audit.rules
-+
-+-a always,exit -F arch=b32 -S lremovexattr -F auid&gt;=1000 -F auid!=unset -k perm_mod
-+
-+-a always,exit -F arch=b64 -S lremovexattr -F auid&gt;=1000 -F auid!=unset -k perm_mod
-+
-+If both the "b32" and "b64" audit rules are not defined for the "lremovexattr" syscall, this is a finding.</check-content></check></Rule></Group><Group id="V-204530"><title>SRG-OS-000064-GPOS-00033</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204530r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-030500</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the creat syscall.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
-+
-+Audit records can be generated from various components within the information system (e.g., module or policy filter).
-+
-+When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
-+
-+Satisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000392-GPOS-00172&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86747</ident><ident system="http://cyber.mil/legacy">V-72123</ident><ident system="http://cyber.mil/cci">CCI-000172</ident><ident system="http://cyber.mil/cci">CCI-002884</ident><fixtext fixref="F-4654r462595_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "creat" syscall occur.
-+
-+Add or update the following rules in "/etc/audit/rules.d/audit.rules:
-+
-+-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -k access
-+
-+-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -k access
-+
-+-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -k access
-+
-+-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -k access
-+
-+The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-4654r462595_fix" /><check system="C-4654r462594_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the operating system generates audit records when successful/unsuccessful attempts to use the "creat" syscall occur.
-+
-+Check the file system rules in "/etc/audit/audit.rules" with the following commands:
-+
-+# grep -iw creat /etc/audit/audit.rules
-+
-+-a always,exit -F arch=b32 -S creat F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -k access
-+
-+-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -k access
-+
-+-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -k access
-+
-+-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -k access
-+
-+If both the "b32" and "b64" audit rules are not defined for the "creat" syscall, this is a finding.
-+
-+If the output does not produce rules containing "-F exit=-EPERM", this is a finding.
-+
-+If the output does not produce rules containing "-F exit=-EACCES", this is a finding.</check-content></check></Rule></Group><Group id="V-204531"><title>SRG-OS-000064-GPOS-00033</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204531r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-030510</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the open syscall.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
-+
-+Audit records can be generated from various components within the information system (e.g., module or policy filter).
-+
-+When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
-+
-+Satisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000392-GPOS-00172&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86749</ident><ident system="http://cyber.mil/legacy">V-72125</ident><ident system="http://cyber.mil/cci">CCI-000172</ident><ident system="http://cyber.mil/cci">CCI-002884</ident><fixtext fixref="F-4655r462598_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "open" syscall occur.
-+
-+Add or update the following rules in "/etc/audit/rules.d/audit.rules":
-+
-+-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -k access
-+
-+-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -k access
-+
-+-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -k access
-+
-+-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -k access
-+
-+The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-4655r462598_fix" /><check system="C-4655r462597_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the operating system generates audit records when successful/unsuccessful attempts to use the "open" syscall occur.
-+
-+Check the file system rules in "/etc/audit/audit.rules" with the following commands:
-+
-+# grep -iw open /etc/audit/audit.rules
-+
-+-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -k access
-+
-+-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -k access
-+
-+-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -k access
-+
-+-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -k access
-+
-+If both the "b32" and "b64" audit rules are not defined for the "open" syscall, this is a finding.
-+
-+If the output does not produce rules containing "-F exit=-EPERM", this is a finding.
-+
-+If the output does not produce rules containing "-F exit=-EACCES", this is a finding.</check-content></check></Rule></Group><Group id="V-204532"><title>SRG-OS-000064-GPOS-00033</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204532r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-030520</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the openat syscall.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
-+
-+Audit records can be generated from various components within the information system (e.g., module or policy filter).
-+
-+When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
-+
-+Satisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000392-GPOS-00172&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-72127</ident><ident system="http://cyber.mil/legacy">SV-86751</ident><ident system="http://cyber.mil/cci">CCI-000172</ident><ident system="http://cyber.mil/cci">CCI-002884</ident><fixtext fixref="F-4656r462601_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "openat" syscall occur.
-+
-+Add or update the following rules in "/etc/audit/rules.d/audit.rules":
-+
-+-a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -k access
-+
-+-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -k access
-+
-+-a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -k access
-+
-+-a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -k access
-+
-+The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-4656r462601_fix" /><check system="C-4656r462600_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the operating system generates audit records when successful/unsuccessful attempts to use the "openat" syscall occur.
-+
-+Check the file system rules in "/etc/audit/audit.rules" with the following commands:
-+
-+# grep -iw openat /etc/audit/audit.rules
-+
-+-a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -k access
-+
-+-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -k access
-+
-+-a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -k access
-+
-+-a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -k access
-+
-+If both the "b32" and "b64" audit rules are not defined for the "openat" syscall, this is a finding.
-+
-+If the output does not produce rules containing "-F exit=-EPERM", this is a finding.
-+
-+If the output does not produce rules containing "-F exit=-EACCES", this is a finding.</check-content></check></Rule></Group><Group id="V-204533"><title>SRG-OS-000064-GPOS-00033</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204533r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-030530</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the open_by_handle_at syscall.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
-+
-+Audit records can be generated from various components within the information system (e.g., module or policy filter).
-+
-+When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
-+
-+Satisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000392-GPOS-00172&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-72129</ident><ident system="http://cyber.mil/legacy">SV-86753</ident><ident system="http://cyber.mil/cci">CCI-000172</ident><ident system="http://cyber.mil/cci">CCI-002884</ident><fixtext fixref="F-4657r462604_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "open_by_handle_at" syscall occur.
-+
-+Add or update the following rules in "/etc/audit/rules.d/audit.rules":
-+
-+-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -k access
-+
-+-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -k access
-+
-+-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -k access
-+
-+-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -k access
-+
-+The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-4657r462604_fix" /><check system="C-4657r462603_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the operating system generates audit records when successful/unsuccessful attempts to use the "open_by_handle_at" syscall occur.
-+
-+Check the file system rules in "/etc/audit/audit.rules" with the following commands:
-+
-+# grep -iw open_by_handle_at /etc/audit/audit.rules
-+
-+-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -k access
-+
-+-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -k access
-+
-+-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -k access
-+
-+-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -k access
-+
-+If both the "b32" and "b64" audit rules are not defined for the "open_by_handle_at" syscall, this is a finding.
-+
-+If the output does not produce rules containing "-F exit=-EPERM", this is a finding.
-+
-+If the output does not produce rules containing "-F exit=-EACCES", this is a finding.</check-content></check></Rule></Group><Group id="V-204534"><title>SRG-OS-000064-GPOS-00033</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204534r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-030540</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the truncate syscall.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
-+
-+Audit records can be generated from various components within the information system (e.g., module or policy filter).
-+
-+When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
-+
-+Satisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000392-GPOS-00172&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-72131</ident><ident system="http://cyber.mil/legacy">SV-86755</ident><ident system="http://cyber.mil/cci">CCI-000172</ident><ident system="http://cyber.mil/cci">CCI-002884</ident><fixtext fixref="F-4658r462607_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "truncate" syscall occur.
-+
-+Add or update the following rules in "/etc/audit/rules.d/audit.rules":
-+
-+-a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -k access
-+
-+-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -k access
-+
-+-a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -k access
-+
-+-a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -k access
-+
-+The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-4658r462607_fix" /><check system="C-4658r462606_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the operating system generates audit records when successful/unsuccessful attempts to use the "truncate" syscall occur.
-+
-+Check the file system rules in "/etc/audit/audit.rules" with the following commands:
-+
-+# grep -iw truncate /etc/audit/audit.rules
-+
-+-a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -k access
-+
-+-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -k access
-+
-+-a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -k access
-+
-+-a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -k access
-+
-+If both the "b32" and "b64" audit rules are not defined for the "truncate" syscall, this is a finding.
-+
-+If the output does not produce rules containing "-F exit=-EPERM", this is a finding.
-+
-+If the output does not produce rules containing "-F exit=-EACCES", this is a finding.</check-content></check></Rule></Group><Group id="V-204535"><title>SRG-OS-000064-GPOS-00033</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204535r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-030550</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the ftruncate syscall.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
-+
-+Audit records can be generated from various components within the information system (e.g., module or policy filter).
-+
-+When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
-+
-+Satisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000392-GPOS-00172&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-72133</ident><ident system="http://cyber.mil/legacy">SV-86757</ident><ident system="http://cyber.mil/cci">CCI-000172</ident><ident system="http://cyber.mil/cci">CCI-002884</ident><fixtext fixref="F-4659r462610_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "ftruncate" syscall occur.
-+
-+Add or update the following rules in "/etc/audit/rules.d/audit.rules":
-+
-+-a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -k access
-+
-+-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -k access
-+
-+-a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -k access
-+
-+-a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -k access
-+
-+The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-4659r462610_fix" /><check system="C-4659r462609_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the operating system generates audit records when successful/unsuccessful attempts to use the "ftruncate" syscall occur.
-+
-+Check the file system rules in "/etc/audit/audit.rules" with the following commands:
-+
-+# grep -iw ftruncate /etc/audit/audit.rules
-+
-+-a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -k access
-+
-+-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -k access
-+
-+-a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -k access
-+
-+-a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -k access
-+
-+If both the "b32" and "b64" audit rules are not defined for the "ftruncate" syscall, this is a finding.
-+
-+If the output does not produce rules containing "-F exit=-EPERM", this is a finding.
-+
-+If the output does not produce rules containing "-F exit=-EACCES", this is a finding.</check-content></check></Rule></Group><Group id="V-204536"><title>SRG-OS-000392-GPOS-00172</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204536r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-030560</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the semanage command.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
-+
-+Audit records can be generated from various components within the information system (e.g., module or policy filter).
-+
-+When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
-+
-+Satisfies: SRG-OS-000392-GPOS-00172, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86759</ident><ident system="http://cyber.mil/legacy">V-72135</ident><ident system="http://cyber.mil/cci">CCI-000172</ident><ident system="http://cyber.mil/cci">CCI-002884</ident><fixtext fixref="F-4660r462613_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "semanage" command occur.
-+
-+Add or update the following rule in "/etc/audit/rules.d/audit.rules":
-+
-+-a always,exit -F path=/usr/sbin/semanage -F auid&gt;=1000 -F auid!=unset -k privileged-priv_change
-+
-+The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-4660r462613_fix" /><check system="C-4660r462612_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the operating system generates audit records when successful/unsuccessful attempts to use the "semanage" command occur.
-+
-+Check the file system rule in "/etc/audit/audit.rules" with the following command:
-+
-+# grep -i /usr/sbin/semanage /etc/audit/audit.rules
-+
-+-a always,exit -F path=/usr/sbin/semanage -F auid&gt;=1000 -F auid!=unset -k privileged-priv_change
-+
-+If the command does not return any output, this is a finding.</check-content></check></Rule></Group><Group id="V-204537"><title>SRG-OS-000392-GPOS-00172</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204537r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-030570</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the setsebool command.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
-+
-+Audit records can be generated from various components within the information system (e.g., module or policy filter).
-+
-+When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
-+
-+Satisfies: SRG-OS-000392-GPOS-00172, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-72137</ident><ident system="http://cyber.mil/legacy">SV-86761</ident><ident system="http://cyber.mil/cci">CCI-000172</ident><ident system="http://cyber.mil/cci">CCI-002884</ident><fixtext fixref="F-4661r462616_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "setsebool" command occur.
-+
-+Add or update the following rule in "/etc/audit/rules.d/audit.rules":
-+
-+-a always,exit -F path=/usr/sbin/setsebool -F auid&gt;=1000 -F auid!=unset -k privileged-priv_change
-+
-+The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-4661r462616_fix" /><check system="C-4661r462615_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the operating system generates audit records when successful/unsuccessful attempts to use the "setsebool" command occur.
-+
-+Check the file system rule in "/etc/audit/audit.rules" with the following command:
-+
-+# grep -i /usr/sbin/setsebool /etc/audit/audit.rules
-+
-+-a always,exit -F path=/usr/sbin/setsebool -F auid&gt;=1000 -F auid!=unset -k privileged-priv_change
-+
-+If the command does not return any output, this is a finding.</check-content></check></Rule></Group><Group id="V-204538"><title>SRG-OS-000392-GPOS-00172</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204538r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-030580</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the chcon command.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
-+
-+Audit records can be generated from various components within the information system (e.g., module or policy filter).
-+
-+When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
-+
-+Satisfies: SRG-OS-000392-GPOS-00172, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-72139</ident><ident system="http://cyber.mil/legacy">SV-86763</ident><ident system="http://cyber.mil/cci">CCI-000172</ident><ident system="http://cyber.mil/cci">CCI-002884</ident><fixtext fixref="F-4662r462619_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "chcon" command occur.
-+
-+Add or update the following rule in "/etc/audit/rules.d/audit.rules":
-+
-+-a always,exit -F path=/usr/bin/chcon -F auid&gt;=1000 -F auid!=unset -k privileged-priv_change
-+
-+The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-4662r462619_fix" /><check system="C-4662r462618_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the operating system generates audit records when successful/unsuccessful attempts to use the "chcon" command occur.
-+
-+Check the file system rule in "/etc/audit/audit.rules" with the following command:
-+
-+# grep -i /usr/bin/chcon /etc/audit/audit.rules
-+
-+-a always,exit -F path=/usr/bin/chcon -F auid&gt;=1000 -F auid!=unset -k privileged-priv_change
-+
-+If the command does not return any output, this is a finding.</check-content></check></Rule></Group><Group id="V-204539"><title>SRG-OS-000392-GPOS-00172</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204539r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-030590</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the setfiles command.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
-+
-+Audit records can be generated from various components within the information system (e.g., module or policy filter).
-+
-+When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
-+
-+Satisfies: SRG-OS-000392-GPOS-00172, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-72141</ident><ident system="http://cyber.mil/legacy">SV-86765</ident><ident system="http://cyber.mil/cci">CCI-000172</ident><ident system="http://cyber.mil/cci">CCI-002884</ident><fixtext fixref="F-4663r462622_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "setfiles" command occur.
-+
-+Add or update the following rule in "/etc/audit/rules.d/audit.rules":
-+
-+-a always,exit -F path=/usr/sbin/setfiles -F auid&gt;=1000 -F auid!=unset -k privileged-priv_change
-+
-+The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-4663r462622_fix" /><check system="C-4663r462621_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the operating system generates audit records when successful/unsuccessful attempts to use the "setfiles" command occur.
-+
-+Check the file system rule in "/etc/audit/audit.rules" with the following command:
-+
-+# grep -iw /usr/sbin/setfiles /etc/audit/audit.rules
-+
-+-a always,exit -F path=/usr/sbin/setfiles -F auid&gt;=1000 -F auid!=unset -k privileged-priv_change
-+
-+If the command does not return any output, this is a finding.</check-content></check></Rule></Group><Group id="V-204540"><title>SRG-OS-000392-GPOS-00172</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204540r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-030610</version><title>The Red Hat Enterprise Linux operating system must generate audit records for all unsuccessful account access events.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
-+
-+Audit records can be generated from various components within the information system (e.g., module or policy filter).
-+
-+Satisfies: SRG-OS-000392-GPOS-00172, SRG-OS-000470-GPOS-00214, SRG-OS-000473-GPOS-00218&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-72145</ident><ident system="http://cyber.mil/legacy">SV-86769</ident><ident system="http://cyber.mil/cci">CCI-000126</ident><ident system="http://cyber.mil/cci">CCI-000172</ident><ident system="http://cyber.mil/cci">CCI-002884</ident><fixtext fixref="F-4664r88813_fix">Configure the operating system to generate audit records when unsuccessful account access events occur. 
-+
-+Add or update the following rule in "/etc/audit/rules.d/audit.rules": 
-+
-+-w /var/run/faillock -p wa -k logins
-+
-+The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-4664r88813_fix" /><check system="C-4664r88812_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the operating system generates audit records when unsuccessful account access events occur. 
-+
-+Check the file system rule in "/etc/audit/audit.rules" with the following commands: 
-+
-+# grep -i /var/run/faillock /etc/audit/audit.rules
-+
-+-w /var/run/faillock -p wa -k logins
-+
-+If the command does not return any output, this is a finding.</check-content></check></Rule></Group><Group id="V-204541"><title>SRG-OS-000392-GPOS-00172</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204541r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-030620</version><title>The Red Hat Enterprise Linux operating system must generate audit records for all successful account access events.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
-+
-+Audit records can be generated from various components within the information system (e.g., module or policy filter).
-+
-+Satisfies: SRG-OS-000392-GPOS-00172, SRG-OS-000470-GPOS-00214, SRG-OS-000473-GPOS-00218&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-72147</ident><ident system="http://cyber.mil/legacy">SV-86771</ident><ident system="http://cyber.mil/cci">CCI-000126</ident><ident system="http://cyber.mil/cci">CCI-000172</ident><ident system="http://cyber.mil/cci">CCI-002884</ident><fixtext fixref="F-4665r88816_fix">Configure the operating system to generate audit records when successful account access events occur. 
-+
-+Add or update the following rule in "/etc/audit/rules.d/audit.rules": 
-+
-+-w /var/log/lastlog -p wa -k logins
-+
-+The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-4665r88816_fix" /><check system="C-4665r88815_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the operating system generates audit records when successful account access events occur. 
-+
-+Check the file system rules in "/etc/audit/audit.rules" with the following commands: 
-+
-+# grep -i /var/log/lastlog /etc/audit/audit.rules
-+
-+-w /var/log/lastlog -p wa -k logins 
-+
-+If the command does not return any output, this is a finding.</check-content></check></Rule></Group><Group id="V-204542"><title>SRG-OS-000042-GPOS-00020</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204542r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-030630</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the passwd command.</title><description>&lt;VulnDiscussion&gt;Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.
-+
-+At a minimum, the organization must audit the full-text recording of privileged password commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.
-+
-+When a user logs on, the auid is set to the uid of the account that is being authenticated.  Daemons are not user sessions and have the loginuid set to -1.  The auid representation is an unsigned 32-bit integer, which equals 4294967295.  The audit system interprets -1, 4294967295, and "unset" in the same way.
-+
-+Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-72149</ident><ident system="http://cyber.mil/legacy">SV-86773</ident><ident system="http://cyber.mil/cci">CCI-000172</ident><ident system="http://cyber.mil/cci">CCI-000135</ident><ident system="http://cyber.mil/cci">CCI-002884</ident><fixtext fixref="F-4666r462625_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "passwd" command occur.
-+
-+Add or update the following rule in "/etc/audit/rules.d/audit.rules":
-+
-+-a always,exit -F path=/usr/bin/passwd -F auid&gt;=1000 -F auid!=unset -k privileged-passwd
-+
-+The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-4666r462625_fix" /><check system="C-4666r462624_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the operating system generates audit records when successful/unsuccessful attempts to use the "passwd" command occur.
-+
-+Check the file system rule in "/etc/audit/audit.rules" with the following command:
-+
-+# grep -i /usr/bin/passwd /etc/audit/audit.rules
-+
-+-a always,exit -F path=/usr/bin/passwd -F auid&gt;=1000 -F auid!=unset -k privileged-passwd
-+
-+If the command does not return any output, this is a finding.</check-content></check></Rule></Group><Group id="V-204543"><title>SRG-OS-000042-GPOS-00020</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204543r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-030640</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the unix_chkpwd command.</title><description>&lt;VulnDiscussion&gt;Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.
-+
-+At a minimum, the organization must audit the full-text recording of privileged password commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.
-+
-+When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
-+
-+Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-72151</ident><ident system="http://cyber.mil/legacy">SV-86775</ident><ident system="http://cyber.mil/cci">CCI-000135</ident><ident system="http://cyber.mil/cci">CCI-000172</ident><ident system="http://cyber.mil/cci">CCI-002884</ident><fixtext fixref="F-4667r462628_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "unix_chkpwd" command occur.
-+
-+Add or update the following rule in "/etc/audit/rules.d/audit.rules":
-+
-+-a always,exit -F path=/usr/sbin/unix_chkpwd -F auid&gt;=1000 -F auid!=unset -k privileged-passwd
-+
-+The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-4667r462628_fix" /><check system="C-4667r462627_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the operating system generates audit records when successful/unsuccessful attempts to use the "unix_chkpwd" command occur.
-+
-+Check the file system rule in "/etc/audit/audit.rules" with the following command:
-+
-+# grep -iw /usr/sbin/unix_chkpwd /etc/audit/audit.rules
-+
-+-a always,exit -F path=/usr/sbin/unix_chkpwd -F auid&gt;=1000 -F auid!=unset -k privileged-passwd
-+
-+If the command does not return any output, this is a finding.</check-content></check></Rule></Group><Group id="V-204544"><title>SRG-OS-000042-GPOS-00020</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204544r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-030650</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the gpasswd command.</title><description>&lt;VulnDiscussion&gt;Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.
-+
-+At a minimum, the organization must audit the full-text recording of privileged password commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.
-+
-+When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
-+
-+Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-72153</ident><ident system="http://cyber.mil/legacy">SV-86777</ident><ident system="http://cyber.mil/cci">CCI-000135</ident><ident system="http://cyber.mil/cci">CCI-000172</ident><ident system="http://cyber.mil/cci">CCI-002884</ident><fixtext fixref="F-4668r462631_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "gpasswd" command occur.
-+
-+Add or update the following rule in "/etc/audit/rules.d/audit.rules":
-+
-+-a always,exit -F path=/usr/bin/gpasswd -F auid&gt;=1000 -F auid!=unset -k privileged-passwd
-+
-+The audit daemon must be restarted for the changes to take effect. </fixtext><fix id="F-4668r462631_fix" /><check system="C-4668r462630_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the operating system generates audit records when successful/unsuccessful attempts to use the "gpasswd" command occur.
-+
-+Check the file system rule in "/etc/audit/audit.rules" with the following command:
-+
-+# grep -i /usr/bin/gpasswd /etc/audit/audit.rules
-+
-+-a always,exit -F path=/usr/bin/gpasswd -F auid&gt;=1000 -F auid!=unset -k privileged-passwd
-+
-+If the command does not return any output, this is a finding.</check-content></check></Rule></Group><Group id="V-204545"><title>SRG-OS-000042-GPOS-00020</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204545r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-030660</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the chage command.</title><description>&lt;VulnDiscussion&gt;Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.
-+
-+At a minimum, the organization must audit the full-text recording of privileged password commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.
-+
-+When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
-+
-+Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86779</ident><ident system="http://cyber.mil/legacy">V-72155</ident><ident system="http://cyber.mil/cci">CCI-000172</ident><ident system="http://cyber.mil/cci">CCI-000135</ident><ident system="http://cyber.mil/cci">CCI-002884</ident><fixtext fixref="F-4669r462634_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "chage" command occur.
-+
-+Add or update the following rule in "/etc/audit/rules.d/audit.rules":
-+
-+-a always,exit -F path=/usr/bin/chage -F auid&gt;=1000 -F auid!=unset -k privileged-passwd
-+
-+The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-4669r462634_fix" /><check system="C-4669r462633_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the operating system generates audit records when successful/unsuccessful attempts to use the "chage" command occur.
-+
-+Check the file system rule in "/etc/audit/audit.rules" with the following command:
-+
-+# grep -i /usr/bin/chage /etc/audit/audit.rules
-+
-+-a always,exit -F path=/usr/bin/chage -F auid&gt;=1000 -F auid!=unset -k privileged-passwd
-+
-+If the command does not return any output, this is a finding.</check-content></check></Rule></Group><Group id="V-204546"><title>SRG-OS-000042-GPOS-00020</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204546r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-030670</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the userhelper command.</title><description>&lt;VulnDiscussion&gt;Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.
-+
-+At a minimum, the organization must audit the full-text recording of privileged password commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.
-+
-+When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
-+
-+Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86781</ident><ident system="http://cyber.mil/legacy">V-72157</ident><ident system="http://cyber.mil/cci">CCI-000135</ident><ident system="http://cyber.mil/cci">CCI-000172</ident><ident system="http://cyber.mil/cci">CCI-002884</ident><fixtext fixref="F-4670r462637_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "userhelper" command occur.
-+
-+Add or update the following rule in "/etc/audit/rules.d/audit.rules":
-+
-+-a always,exit -F path=/usr/sbin/userhelper -F auid&gt;=1000 -F auid!=unset -k privileged-passwd
-+
-+The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-4670r462637_fix" /><check system="C-4670r462636_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the operating system generates audit records when successful/unsuccessful attempts to use the "userhelper" command occur.
-+
-+Check the file system rule in "/etc/audit/audit.rules" with the following command:
-+
-+# grep -i /usr/sbin/userhelper /etc/audit/audit.rules
-+
-+-a always,exit -F path=/usr/sbin/userhelper -F auid&gt;=1000 -F auid!=unset -k privileged-passwd
-+
-+If the command does not return any output, this is a finding.</check-content></check></Rule></Group><Group id="V-204547"><title>SRG-OS-000037-GPOS-00015</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204547r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-030680</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the su command.</title><description>&lt;VulnDiscussion&gt;Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.
-+
-+At a minimum, the organization must audit the full-text recording of privileged access commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.
-+
-+When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
-+
-+Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-72159</ident><ident system="http://cyber.mil/legacy">SV-86783</ident><ident system="http://cyber.mil/cci">CCI-000172</ident><ident system="http://cyber.mil/cci">CCI-000135</ident><ident system="http://cyber.mil/cci">CCI-000130</ident><ident system="http://cyber.mil/cci">CCI-002884</ident><fixtext fixref="F-4671r462640_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "su" command occur.
-+
-+Add or update the following rule in "/etc/audit/rules.d/audit.rules": 
-+
-+-a always,exit -F path=/usr/bin/su -F auid&gt;=1000 -F auid!=unset -k privileged-priv_change 
-+
-+The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-4671r462640_fix" /><check system="C-4671r462639_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the operating system generates audit records when successful/unsuccessful attempts to use the "su" command occur.
-+
-+Check that the following system call is being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules": 
-+
-+# grep -iw /usr/bin/su /etc/audit/audit.rules
-+
-+-a always,exit -F path=/usr/bin/su -F auid&gt;=1000 -F auid!=unset -k privileged-priv_change
-+
-+If the command does not return any output, this is a finding.</check-content></check></Rule></Group><Group id="V-204548"><title>SRG-OS-000037-GPOS-00015</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204548r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-030690</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the sudo command.</title><description>&lt;VulnDiscussion&gt;Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.
-+
-+At a minimum, the organization must audit the full-text recording of privileged access commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.
-+
-+When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
-+
-+Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86785</ident><ident system="http://cyber.mil/legacy">V-72161</ident><ident system="http://cyber.mil/cci">CCI-000130</ident><ident system="http://cyber.mil/cci">CCI-000135</ident><ident system="http://cyber.mil/cci">CCI-000172</ident><ident system="http://cyber.mil/cci">CCI-002884</ident><fixtext fixref="F-4672r462643_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "sudo" command occur.
-+
-+Add or update the following rule in "/etc/audit/rules.d/audit.rules": 
-+
-+-a always,exit -F path=/usr/bin/sudo -F auid&gt;=1000 -F auid!=unset -k privileged-priv_change 
-+
-+The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-4672r462643_fix" /><check system="C-4672r462642_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the operating system generates audit records when successful/unsuccessful attempts to use the "sudo" command occur.
-+
-+Check that the following system call is being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules": 
-+
-+# grep -iw /usr/bin/sudo /etc/audit/audit.rules
-+
-+-a always,exit -F path=/usr/bin/sudo -F auid&gt;=1000 -F auid!=unset -k privileged-priv_change
-+
-+If the command does not return any output, this is a finding.</check-content></check></Rule></Group><Group id="V-204549"><title>SRG-OS-000037-GPOS-00015</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204549r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-030700</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the sudoers file and all files in the /etc/sudoers.d/ directory.</title><description>&lt;VulnDiscussion&gt;Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.
-+
-+At a minimum, the organization must audit the full-text recording of privileged access commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.
-+
-+Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86787</ident><ident system="http://cyber.mil/legacy">V-72163</ident><ident system="http://cyber.mil/cci">CCI-000172</ident><ident system="http://cyber.mil/cci">CCI-000135</ident><ident system="http://cyber.mil/cci">CCI-000130</ident><ident system="http://cyber.mil/cci">CCI-002884</ident><fixtext fixref="F-4673r88840_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to access the "/etc/sudoers" file and files in the "/etc/sudoers.d/" directory.
-+
-+Add or update the following rule in "/etc/audit/rules.d/audit.rules":
-+
-+-w /etc/sudoers -p wa -k privileged-actions
-+
-+-w /etc/sudoers.d/ -p wa -k privileged-actions
-+
-+The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-4673r88840_fix" /><check system="C-4673r88839_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the operating system generates audit records when successful/unsuccessful attempts to access the "/etc/sudoers" file and files in the "/etc/sudoers.d/" directory. 
-+
-+Check for modification of the following files being audited by performing the following commands to check the file system rules in "/etc/audit/audit.rules": 
-+
-+# grep -i "/etc/sudoers" /etc/audit/audit.rules
-+
-+-w /etc/sudoers -p wa -k privileged-actions
-+
-+# grep -i "/etc/sudoers.d/" /etc/audit/audit.rules
-+
-+-w /etc/sudoers.d/ -p wa -k privileged-actions
-+
-+If the commands do not return output that match the examples, this is a finding.</check-content></check></Rule></Group><Group id="V-204550"><title>SRG-OS-000037-GPOS-00015</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204550r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-030710</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the newgrp command.</title><description>&lt;VulnDiscussion&gt;Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.
-+
-+At a minimum, the organization must audit the full-text recording of privileged access commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.
-+
-+When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
-+
-+Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86789</ident><ident system="http://cyber.mil/legacy">V-72165</ident><ident system="http://cyber.mil/cci">CCI-000130</ident><ident system="http://cyber.mil/cci">CCI-000135</ident><ident system="http://cyber.mil/cci">CCI-000172</ident><ident system="http://cyber.mil/cci">CCI-002884</ident><fixtext fixref="F-4674r462646_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "newgrp" command occur.
-+
-+Add or update the following rule in "/etc/audit/rules.d/audit.rules": 
-+
-+-a always,exit -F path=/usr/bin/newgrp -F auid&gt;=1000 -F auid!=unset -k privileged-priv_change
-+
-+The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-4674r462646_fix" /><check system="C-4674r462645_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the operating system generates audit records when successful/unsuccessful attempts to use the "newgrp" command occur.
-+
-+Check that the following system call is being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules": 
-+
-+# grep -i /usr/bin/newgrp /etc/audit/audit.rules
-+
-+-a always,exit -F path=/usr/bin/newgrp -F auid&gt;=1000 -F auid!=unset -k privileged-priv_change
-+
-+If the command does not return any output, this is a finding.</check-content></check></Rule></Group><Group id="V-204551"><title>SRG-OS-000037-GPOS-00015</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204551r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-030720</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the chsh command.</title><description>&lt;VulnDiscussion&gt;Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.
-+
-+At a minimum, the organization must audit the full-text recording of privileged access commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.
-+
-+When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
-+
-+Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86791</ident><ident system="http://cyber.mil/legacy">V-72167</ident><ident system="http://cyber.mil/cci">CCI-000172</ident><ident system="http://cyber.mil/cci">CCI-000130</ident><ident system="http://cyber.mil/cci">CCI-000135</ident><ident system="http://cyber.mil/cci">CCI-002884</ident><fixtext fixref="F-4675r462649_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "chsh" command occur.
-+
-+Add or update the following rule in "/etc/audit/rules.d/audit.rules": 
-+
-+-a always,exit -F path=/usr/bin/chsh -F auid&gt;=1000 -F auid!=unset -k privileged-priv_change
-+
-+The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-4675r462649_fix" /><check system="C-4675r462648_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the operating system generates audit records when successful/unsuccessful attempts to use the "chsh" command occur.
-+
-+Check that the following system call is being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules": 
-+
-+# grep -i /usr/bin/chsh /etc/audit/audit.rules
-+
-+-a always,exit -F path=/usr/bin/chsh -F auid&gt;=1000 -F auid!=unset -k privileged-priv_change
-+
-+If the command does not return any output, this is a finding.</check-content></check></Rule></Group><Group id="V-204552"><title>SRG-OS-000042-GPOS-00020</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204552r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-030740</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the mount command and syscall.</title><description>&lt;VulnDiscussion&gt;Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.
-+
-+At a minimum, the organization must audit the full-text recording of privileged mount commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.
-+
-+When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
-+
-+Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86795</ident><ident system="http://cyber.mil/legacy">V-72171</ident><ident system="http://cyber.mil/cci">CCI-000135</ident><ident system="http://cyber.mil/cci">CCI-002884</ident><fixtext fixref="F-4676r462652_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "mount" command and syscall occur.
-+
-+Add or update the following rules in "/etc/audit/rules.d/audit.rules":
-+
-+-a always,exit -F arch=b32 -S mount -F auid&gt;=1000 -F auid!=unset -k privileged-mount
-+-a always,exit -F arch=b64 -S mount -F auid&gt;=1000 -F auid!=unset -k privileged-mount
-+-a always,exit -F path=/usr/bin/mount -F auid&gt;=1000 -F auid!=unset -k privileged-mount
-+
-+The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-4676r462652_fix" /><check system="C-4676r462651_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the operating system generates audit records when successful/unsuccessful attempts to use the "mount" command and syscall occur.
-+
-+Check that the following system call is being audited by performing the following series of commands to check the file system rules in "/etc/audit/audit.rules": 
-+
-+# grep -iw "mount" /etc/audit/audit.rules
-+
-+-a always,exit -F arch=b32 -S mount -F auid&gt;=1000 -F auid!=unset -k privileged-mount
-+-a always,exit -F arch=b64 -S mount -F auid&gt;=1000 -F auid!=unset -k privileged-mount
-+-a always,exit -F path=/usr/bin/mount -F auid&gt;=1000 -F auid!=unset -k privileged-mount
-+
-+If both the "b32" and "b64" audit rules are not defined for the "mount" syscall, this is a finding.
-+
-+If all uses of the "mount" command are not being audited, this is a finding.</check-content></check></Rule></Group><Group id="V-204553"><title>SRG-OS-000042-GPOS-00020</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204553r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-030750</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the umount command.</title><description>&lt;VulnDiscussion&gt;Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.
-+
-+At a minimum, the organization must audit the full-text recording of privileged mount commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.
-+
-+When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
-+
-+Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-72173</ident><ident system="http://cyber.mil/legacy">SV-86797</ident><ident system="http://cyber.mil/cci">CCI-000135</ident><ident system="http://cyber.mil/cci">CCI-002884</ident><fixtext fixref="F-4677r462655_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "umount" command occur.
-+
-+Add or update the following rule in "/etc/audit/rules.d/audit.rules": 
-+
-+-a always,exit -F path=/usr/bin/umount -F auid&gt;=1000 -F auid!=unset -k privileged-mount
-+
-+The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-4677r462655_fix" /><check system="C-4677r462654_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the operating system generates audit records when successful/unsuccessful attempts to use the "umount" command occur.
-+
-+Check that the following system call is being audited by performing the following series of commands to check the file system rules in "/etc/audit/audit.rules": 
-+
-+# grep -iw "/usr/bin/umount" /etc/audit/audit.rules
-+
-+-a always,exit -F path=/usr/bin/umount -F auid&gt;=1000 -F auid!=unset -k privileged-mount 
-+
-+If the command does not return any output, this is a finding.</check-content></check></Rule></Group><Group id="V-204554"><title>SRG-OS-000042-GPOS-00020</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204554r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-030760</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the postdrop command.</title><description>&lt;VulnDiscussion&gt;Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.
-+
-+At a minimum, the organization must audit the full-text recording of privileged postfix commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.
-+
-+When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
-+
-+Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-72175</ident><ident system="http://cyber.mil/legacy">SV-86799</ident><ident system="http://cyber.mil/cci">CCI-000135</ident><ident system="http://cyber.mil/cci">CCI-002884</ident><fixtext fixref="F-4678r462658_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "postdrop" command occur.
-+
-+Add or update the following rule in "/etc/audit/rules.d/audit.rules": 
-+
-+-a always,exit -F path=/usr/sbin/postdrop -F auid&gt;=1000 -F auid!=unset -k privileged-postfix
-+
-+The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-4678r462658_fix" /><check system="C-4678r462657_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the operating system generates audit records when successful/unsuccessful attempts to use the "postdrop" command occur.
-+
-+Check that the following system call is being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules": 
-+
-+# grep -iw /usr/sbin/postdrop /etc/audit/audit.rules
-+
-+-a always,exit -F path=/usr/sbin/postdrop -F auid&gt;=1000 -F auid!=unset -k privileged-postfix
-+
-+If the command does not return any output, this is a finding.</check-content></check></Rule></Group><Group id="V-204555"><title>SRG-OS-000042-GPOS-00020</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204555r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-030770</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the postqueue command.</title><description>&lt;VulnDiscussion&gt;Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.
-+
-+At a minimum, the organization must audit the full-text recording of privileged postfix commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.
-+
-+When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
-+
-+Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-72177</ident><ident system="http://cyber.mil/legacy">SV-86801</ident><ident system="http://cyber.mil/cci">CCI-000135</ident><ident system="http://cyber.mil/cci">CCI-002884</ident><fixtext fixref="F-4679r462661_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "postqueue" command occur. 
-+
-+Add or update the following rule in "/etc/audit/rules.d/audit.rules": 
-+
-+-a always,exit -F path=/usr/sbin/postqueue -F auid&gt;=1000 -F auid!=unset -k privileged-postfix
-+
-+The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-4679r462661_fix" /><check system="C-4679r462660_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the operating system generates audit records when successful/unsuccessful attempts to use the "postqueue" command occur. 
-+
-+Check that the following system call is being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules": 
-+
-+# grep -iw /usr/sbin/postqueue /etc/audit/audit.rules
-+
-+-a always,exit -F path=/usr/sbin/postqueue -F auid&gt;=1000 -F auid!=unset -k privileged-postfix
-+
-+If the command does not return any output, this is a finding.</check-content></check></Rule></Group><Group id="V-204556"><title>SRG-OS-000042-GPOS-00020</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204556r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-030780</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the ssh-keysign command.</title><description>&lt;VulnDiscussion&gt;Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.
-+
-+At a minimum, the organization must audit the full-text recording of privileged ssh commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.
-+
-+When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
-+
-+Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-72179</ident><ident system="http://cyber.mil/legacy">SV-86803</ident><ident system="http://cyber.mil/cci">CCI-000135</ident><ident system="http://cyber.mil/cci">CCI-000172</ident><ident system="http://cyber.mil/cci">CCI-002884</ident><fixtext fixref="F-4680r462664_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "ssh-keysign" command occur. 
-+
-+Add or update the following rule in "/etc/audit/rules.d/audit.rules": 
-+
-+-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F auid&gt;=1000 -F auid!=unset -k privileged-ssh
-+
-+The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-4680r462664_fix" /><check system="C-4680r462663_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the operating system generates audit records when successful/unsuccessful attempts to use the "ssh-keysign" command occur. 
-+
-+Check that the following system call is being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules": 
-+
-+# grep -iw /usr/libexec/openssh/ssh-keysign /etc/audit/audit.rules
-+
-+-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F auid&gt;=1000 -F auid!=unset -k privileged-ssh
-+
-+If the command does not return any output, this is a finding.</check-content></check></Rule></Group><Group id="V-204557"><title>SRG-OS-000042-GPOS-00020</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204557r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-030800</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the crontab command.</title><description>&lt;VulnDiscussion&gt;Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.
-+
-+At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.
-+
-+When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
-+
-+Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-72183</ident><ident system="http://cyber.mil/legacy">SV-86807</ident><ident system="http://cyber.mil/cci">CCI-000172</ident><ident system="http://cyber.mil/cci">CCI-000135</ident><ident system="http://cyber.mil/cci">CCI-002884</ident><fixtext fixref="F-4681r462667_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "crontab" command occur. 
-+
-+Add or update the following rule in "/etc/audit/rules.d/audit.rules": 
-+
-+-a always,exit -F path=/usr/bin/crontab -F auid&gt;=1000 -F auid!=unset -k privileged-cron
-+
-+The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-4681r462667_fix" /><check system="C-4681r462666_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the operating system generates audit records when successful/unsuccessful attempts to use the "crontab" command occur. 
-+
-+Check that the following system call is being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules": 
-+
-+# grep -iw /usr/bin/crontab /etc/audit/audit.rules
-+
-+-a always,exit -F path=/usr/bin/crontab -F auid&gt;=1000 -F auid!=unset -k privileged-cron
-+
-+If the command does not return any output, this is a finding.</check-content></check></Rule></Group><Group id="V-204558"><title>SRG-OS-000471-GPOS-00215</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204558r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-030810</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the pam_timestamp_check command.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
-+
-+When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-72185</ident><ident system="http://cyber.mil/legacy">SV-86809</ident><ident system="http://cyber.mil/cci">CCI-000172</ident><fixtext fixref="F-4682r462670_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "pam_timestamp_check" command occur. 
-+
-+Add or update the following rule in "/etc/audit/rules.d/audit.rules": 
-+
-+-a always,exit -F path=/usr/sbin/pam_timestamp_check -F auid&gt;=1000 -F auid!=unset -k privileged-pam
-+
-+The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-4682r462670_fix" /><check system="C-4682r462669_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the operating system generates audit records when successful/unsuccessful attempts to use the "pam_timestamp_check" command occur. 
-+
-+Check the auditing rules in "/etc/audit/audit.rules" with the following command:
-+
-+# grep -iw "/usr/sbin/pam_timestamp_check" /etc/audit/audit.rules
-+
-+-a always,exit -F path=/usr/sbin/pam_timestamp_check -F auid&gt;=1000 -F auid!=unset -k privileged-pam 
-+
-+If the command does not return any output, this is a finding.</check-content></check></Rule></Group><Group id="V-204559"><title>SRG-OS-000471-GPOS-00216</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204559r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-030819</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the create_module syscall.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. 
-+
-+Audit records can be generated from various components within the information system (e.g., module or policy filter).
-+
-+Satisfies: SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-78999</ident><ident system="http://cyber.mil/legacy">SV-93705</ident><ident system="http://cyber.mil/cci">CCI-000172</ident><fixtext fixref="F-4683r88870_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "create_module" syscall occur.
-+
-+Add or update the following rules in "/etc/audit/rules.d/audit.rules":
-+
-+-a always,exit -F arch=b32 -S create_module -k module-change
-+
-+-a always,exit -F arch=b64 -S create_module -k module-change
-+
-+The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-4683r88870_fix" /><check system="C-4683r88869_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the operating system generates audit records when successful/unsuccessful attempts to use the "create_module" syscall occur. 
-+
-+Check the auditing rules in "/etc/audit/audit.rules" with the following command:
-+
-+# grep -iw create_module /etc/audit/audit.rules
-+
-+-a always,exit -F arch=b32 -S create_module -k module-change
-+
-+-a always,exit -F arch=b64 -S create_module -k module-change
-+
-+If both the "b32" and "b64" audit rules are not defined for the "create_module" syscall, this is a finding.</check-content></check></Rule></Group><Group id="V-204560"><title>SRG-OS-000471-GPOS-00216</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204560r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-030820</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the init_module syscall.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. 
-+
-+Audit records can be generated from various components within the information system (e.g., module or policy filter).
-+
-+Satisfies: SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-72187</ident><ident system="http://cyber.mil/legacy">SV-86811</ident><ident system="http://cyber.mil/cci">CCI-000172</ident><fixtext fixref="F-4684r88873_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "init_module" syscall occur. 
-+
-+Add or update the following rules in "/etc/audit/rules.d/audit.rules":
-+
-+-a always,exit -F arch=b32 -S init_module -k module-change
-+
-+-a always,exit -F arch=b64 -S init_module -k module-change
-+
-+The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-4684r88873_fix" /><check system="C-4684r88872_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the operating system generates audit records when successful/unsuccessful attempts to use the "init_module" syscall occur. 
-+
-+Check the auditing rules in "/etc/audit/audit.rules" with the following command:
-+
-+# grep -iw init_module /etc/audit/audit.rules 
-+
-+-a always,exit -F arch=b32 -S init_module -k module-change
-+
-+-a always,exit -F arch=b64 -S init_module -k module-change
-+
-+If both the "b32" and "b64" audit rules are not defined for the "init_module" syscall, this is a finding.</check-content></check></Rule></Group><Group id="V-204561"><title>SRG-OS-000471-GPOS-00216</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204561r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-030821</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the finit_module syscall.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. 
-+
-+Audit records can be generated from various components within the information system (e.g., module or policy filter).
-+
-+Satisfies: SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-79001</ident><ident system="http://cyber.mil/legacy">SV-93707</ident><ident system="http://cyber.mil/cci">CCI-000172</ident><fixtext fixref="F-4685r88876_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "finit_module" syscall occur. 
-+
-+Add or update the following rules in "/etc/audit/rules.d/audit.rules": 
-+
-+-a always,exit -F arch=b32 -S finit_module -k module-change
-+
-+-a always,exit -F arch=b64 -S finit_module -k module-change
-+
-+The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-4685r88876_fix" /><check system="C-4685r88875_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the operating system generates audit records when successful/unsuccessful attempts to use the "finit_module" syscall occur. 
-+
-+Check the auditing rules in "/etc/audit/audit.rules" with the following command:
-+
-+# grep -iw finit_module /etc/audit/audit.rules
-+
-+-a always,exit -F arch=b32 -S finit_module -k module-change
-+
-+-a always,exit -F arch=b64 -S finit_module -k module-change
-+
-+If both the "b32" and "b64" audit rules are not defined for the "finit_module" syscall, this is a finding.</check-content></check></Rule></Group><Group id="V-204562"><title>SRG-OS-000471-GPOS-00216</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204562r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-030830</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the delete_module syscall.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. 
-+
-+Audit records can be generated from various components within the information system (e.g., module or policy filter).
-+
-+Satisfies: SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-72189</ident><ident system="http://cyber.mil/legacy">SV-86813</ident><ident system="http://cyber.mil/cci">CCI-000172</ident><fixtext fixref="F-4686r88879_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "delete_module" syscall occur. 
-+
-+Add or update the following rules in "/etc/audit/rules.d/audit.rules": 
-+
-+-a always,exit -F arch=b32 -S delete_module -k module-change
-+
-+-a always,exit -F arch=b64 -S delete_module -k module-change
-+
-+The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-4686r88879_fix" /><check system="C-4686r88878_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the operating system generates audit records when successful/unsuccessful attempts to use the "delete_module" syscall occur. 
-+
-+Check the auditing rules in "/etc/audit/audit.rules" with the following command:
-+
-+# grep -iw delete_module /etc/audit/audit.rules
-+
-+-a always,exit -F arch=b32 -S delete_module -k module-change
-+
-+-a always,exit -F arch=b64 -S delete_module -k module-change
-+
-+If both the "b32" and "b64" audit rules are not defined for the "delete_module" syscall, this is a finding.</check-content></check></Rule></Group><Group id="V-204563"><title>SRG-OS-000471-GPOS-00216</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204563r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-030840</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the kmod command.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. 
-+
-+Audit records can be generated from various components within the information system (e.g., module or policy filter).
-+
-+When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
-+
-+Satisfies: SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86815</ident><ident system="http://cyber.mil/legacy">V-72191</ident><ident system="http://cyber.mil/cci">CCI-000172</ident><fixtext fixref="F-4687r462673_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "kmod" command occur. 
-+
-+Add or update the following rule in "/etc/audit/rules.d/audit.rules":
-+
-+-w /usr/bin/kmod -p x -F auid!=unset -k module-change
-+
-+The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-4687r462673_fix" /><check system="C-4687r462672_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the operating system generates audit records when successful/unsuccessful attempts to use the "kmod" command occur. 
-+
-+Check the auditing rules in "/etc/audit/audit.rules" with the following command:
-+
-+# grep -iw kmod /etc/audit/audit.rules
-+
-+-w /usr/bin/kmod -p x -F auid!=unset -k module-change
-+
-+If the command does not return any output, this is a finding.</check-content></check></Rule></Group><Group id="V-204564"><title>SRG-OS-000004-GPOS-00004</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204564r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-030870</version><title>The Red Hat Enterprise Linux operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
-+
-+Audit records can be generated from various components within the information system (e.g., module or policy filter).
-+
-+Satisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000476-GPOS-00221&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86821</ident><ident system="http://cyber.mil/legacy">V-72197</ident><ident system="http://cyber.mil/cci">CCI-000172</ident><ident system="http://cyber.mil/cci">CCI-000018</ident><ident system="http://cyber.mil/cci">CCI-002130</ident><ident system="http://cyber.mil/cci">CCI-001403</ident><fixtext fixref="F-4688r88885_fix">Configure the operating system to generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/passwd".
-+
-+Add or update the following rule "/etc/audit/rules.d/audit.rules":
-+
-+-w /etc/passwd -p wa -k identity
-+
-+The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-4688r88885_fix" /><check system="C-4688r88884_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/passwd".
-+
-+Check the auditing rules in "/etc/audit/audit.rules" with the following command:
-+
-+# grep /etc/passwd /etc/audit/audit.rules
-+
-+-w /etc/passwd -p wa -k identity
-+
-+If the command does not return a line, or the line is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-204565"><title>SRG-OS-000004-GPOS-00004</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204565r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-030871</version><title>The Red Hat Enterprise Linux operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/group.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
-+
-+Audit records can be generated from various components within the information system (e.g., module or policy filter).&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-87817</ident><ident system="http://cyber.mil/legacy">V-73165</ident><ident system="http://cyber.mil/cci">CCI-000018</ident><ident system="http://cyber.mil/cci">CCI-000172</ident><ident system="http://cyber.mil/cci">CCI-001403</ident><ident system="http://cyber.mil/cci">CCI-002130</ident><fixtext fixref="F-4689r88888_fix">Configure the operating system to generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/group".
-+
-+Add or update the following rule in "/etc/audit/rules.d/audit.rules":
-+
-+-w /etc/group -p wa -k identity
-+
-+The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-4689r88888_fix" /><check system="C-4689r88887_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/group".
-+
-+Check the auditing rules in "/etc/audit/audit.rules" with the following command:
-+
-+# grep /etc/group /etc/audit/audit.rules
-+
-+-w /etc/group -p wa -k identity
-+
-+If the command does not return a line, or the line is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-204566"><title>SRG-OS-000004-GPOS-00004</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204566r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-030872</version><title>The Red Hat Enterprise Linux operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/gshadow.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
-+
-+Audit records can be generated from various components within the information system (e.g., module or policy filter).&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-87819</ident><ident system="http://cyber.mil/legacy">V-73167</ident><ident system="http://cyber.mil/cci">CCI-000172</ident><ident system="http://cyber.mil/cci">CCI-000018</ident><ident system="http://cyber.mil/cci">CCI-002130</ident><ident system="http://cyber.mil/cci">CCI-001403</ident><fixtext fixref="F-4690r88891_fix">Configure the operating system to generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/gshadow".
-+
-+Add or update the following rule in "/etc/audit/rules.d/audit.rules":
-+
-+-w /etc/gshadow -p wa -k identity
-+
-+The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-4690r88891_fix" /><check system="C-4690r88890_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/gshadow".
-+
-+Check the auditing rules in "/etc/audit/audit.rules" with the following command:
-+
-+# grep /etc/gshadow /etc/audit/audit.rules
-+
-+-w /etc/gshadow -p wa -k identity
-+
-+If the command does not return a line, or the line is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-204567"><title>SRG-OS-000004-GPOS-00004</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204567r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-030873</version><title>The Red Hat Enterprise Linux operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
-+
-+Audit records can be generated from various components within the information system (e.g., module or policy filter).&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-87823</ident><ident system="http://cyber.mil/legacy">V-73171</ident><ident system="http://cyber.mil/cci">CCI-000018</ident><ident system="http://cyber.mil/cci">CCI-000172</ident><ident system="http://cyber.mil/cci">CCI-001403</ident><ident system="http://cyber.mil/cci">CCI-002130</ident><fixtext fixref="F-4691r88894_fix">Configure the operating system to generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow.
-+
-+Add or update the following file system rule in "/etc/audit/rules.d/audit.rules":
-+
-+-w /etc/shadow -p wa -k identity
-+
-+The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-4691r88894_fix" /><check system="C-4691r88893_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow.
-+
-+Check the auditing rules in "/etc/audit/audit.rules" with the following command:
-+
-+# grep /etc/shadow /etc/audit/audit.rules
-+
-+-w /etc/shadow -p wa -k identity
-+
-+If the command does not return a line, or the line is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-204568"><title>SRG-OS-000004-GPOS-00004</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204568r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-030874</version><title>The Red Hat Enterprise Linux operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/opasswd.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
-+
-+Audit records can be generated from various components within the information system (e.g., module or policy filter).&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-87825</ident><ident system="http://cyber.mil/legacy">V-73173</ident><ident system="http://cyber.mil/cci">CCI-000018</ident><ident system="http://cyber.mil/cci">CCI-000172</ident><ident system="http://cyber.mil/cci">CCI-002130</ident><ident system="http://cyber.mil/cci">CCI-001403</ident><fixtext fixref="F-4692r88897_fix">Configure the operating system to generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/opasswd.
-+
-+Add or update the following file system rule in "/etc/audit/rules.d/audit.rules":
-+
-+-w /etc/security/opasswd -p wa -k identity
-+
-+The audit daemon must be restarted for the changes to take effect:
-+# systemctl restart auditd</fixtext><fix id="F-4692r88897_fix" /><check system="C-4692r88896_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/opasswd.
-+
-+Check the auditing rules in "/etc/audit/audit.rules" with the following command:
-+
-+# grep /etc/security/opasswd /etc/audit/audit.rules
-+
-+-w /etc/security/opasswd -p wa -k identity
-+
-+If the command does not return a line, or the line is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-204569"><title>SRG-OS-000466-GPOS-00210</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204569r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-030880</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the rename syscall.</title><description>&lt;VulnDiscussion&gt;If the system is not configured to audit certain activities and write them to an audit log, it is more difficult to detect and track system compromises and damages incurred during a system compromise.
-+
-+When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
-+
-+Satisfies: SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00211, SRG-OS-000468-GPOS-00212, SRG-OS-000392-GPOS-00172&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86823</ident><ident system="http://cyber.mil/legacy">V-72199</ident><ident system="http://cyber.mil/cci">CCI-000172</ident><ident system="http://cyber.mil/cci">CCI-002884</ident><fixtext fixref="F-4693r462676_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "rename" syscall occur.
-+
-+Add the following rules in "/etc/audit/rules.d/audit.rules":
-+
-+-a always,exit -F arch=b32 -S rename -F auid&gt;=1000 -F auid!=unset -k delete
-+
-+-a always,exit -F arch=b64 -S rename -F auid&gt;=1000 -F auid!=unset -k delete
-+
-+The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-4693r462676_fix" /><check system="C-4693r462675_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the operating system generates audit records when successful/unsuccessful attempts to use the "rename" syscall occur.
-+
-+Check the file system rules in "/etc/audit/audit.rules" with the following commands:
-+
-+# grep -iw rename /etc/audit/audit.rules
-+
-+-a always,exit -F arch=b32 -S rename -F auid&gt;=1000 -F auid!=unset -k delete
-+
-+-a always,exit -F arch=b64 -S rename -F auid&gt;=1000 -F auid!=unset -k delete
-+
-+If both the "b32" and "b64" audit rules are not defined for the "rename" syscall, this is a finding.</check-content></check></Rule></Group><Group id="V-204570"><title>SRG-OS-000466-GPOS-00210</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204570r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-030890</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the renameat syscall.</title><description>&lt;VulnDiscussion&gt;If the system is not configured to audit certain activities and write them to an audit log, it is more difficult to detect and track system compromises and damages incurred during a system compromise.
-+
-+When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
-+
-+Satisfies: SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00211, SRG-OS-000468-GPOS-00212, SRG-OS-000392-GPOS-00172&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86825</ident><ident system="http://cyber.mil/legacy">V-72201</ident><ident system="http://cyber.mil/cci">CCI-000172</ident><ident system="http://cyber.mil/cci">CCI-002884</ident><fixtext fixref="F-4694r462679_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "renameat" syscall occur.
-+
-+Add the following rules in "/etc/audit/rules.d/audit.rules":
-+
-+-a always,exit -F arch=b32 -S renameat -F auid&gt;=1000 -F auid!=unset -k delete
-+
-+-a always,exit -F arch=b64 -S renameat -F auid&gt;=1000 -F auid!=unset -k delete
-+
-+The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-4694r462679_fix" /><check system="C-4694r462678_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the operating system generates audit records when successful/unsuccessful attempts to use the "renameat" syscall occur.
-+
-+Check the file system rules in "/etc/audit/audit.rules" with the following commands:
-+
-+# grep -iw renameat /etc/audit/audit.rules
-+
-+-a always,exit -F arch=b32 -S renameat -F auid&gt;=1000 -F auid!=unset -k delete
-+
-+-a always,exit -F arch=b64 -S renameat -F auid&gt;=1000 -F auid!=unset -k delete
-+
-+If both the "b32" and "b64" audit rules are not defined for the "renameat" syscall, this is a finding.</check-content></check></Rule></Group><Group id="V-204571"><title>SRG-OS-000466-GPOS-00210</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204571r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-030900</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the rmdir syscall.</title><description>&lt;VulnDiscussion&gt;If the system is not configured to audit certain activities and write them to an audit log, it is more difficult to detect and track system compromises and damages incurred during a system compromise.
-+
-+When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
-+
-+Satisfies: SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00211, SRG-OS-000468-GPOS-00212, SRG-OS-000392-GPOS-00172&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-72203</ident><ident system="http://cyber.mil/legacy">SV-86827</ident><ident system="http://cyber.mil/cci">CCI-000172</ident><ident system="http://cyber.mil/cci">CCI-002884</ident><fixtext fixref="F-4695r462682_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "rmdir" syscall occur.
-+
-+Add the following rules in "/etc/audit/rules.d/audit.rules":
-+
-+-a always,exit -F arch=b32 -S rmdir -F auid&gt;=1000 -F auid!=unset -k delete
-+
-+-a always,exit -F arch=b64 -S rmdir -F auid&gt;=1000 -F auid!=unset -k delete
-+
-+The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-4695r462682_fix" /><check system="C-4695r462681_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the operating system generates audit records when successful/unsuccessful attempts to use the "rmdir" syscall occur.
-+
-+Check the file system rules in "/etc/audit/audit.rules" with the following commands:
-+
-+# grep -iw rmdir /etc/audit/audit.rules
-+
-+-a always,exit -F arch=b32 -S rmdir -F auid&gt;=1000 -F auid!=unset -k delete
-+
-+-a always,exit -F arch=b64 -S rmdir -F auid&gt;=1000 -F auid!=unset -k delete
-+
-+If both the "b32" and "b64" audit rules are not defined for the "rmdir" syscall, this is a finding.</check-content></check></Rule></Group><Group id="V-204572"><title>SRG-OS-000466-GPOS-00210</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204572r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-030910</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the unlink syscall.</title><description>&lt;VulnDiscussion&gt;If the system is not configured to audit certain activities and write them to an audit log, it is more difficult to detect and track system compromises and damages incurred during a system compromise.
-+
-+When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
-+
-+Satisfies: SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00211, SRG-OS-000468-GPOS-00212, SRG-OS-000392-GPOS-00172&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-72205</ident><ident system="http://cyber.mil/legacy">SV-86829</ident><ident system="http://cyber.mil/cci">CCI-000172</ident><ident system="http://cyber.mil/cci">CCI-002884</ident><fixtext fixref="F-4696r462685_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "unlink" syscall occur.
-+
-+Add the following rules in "/etc/audit/rules.d/audit.rules":
-+
-+-a always,exit -F arch=b32 -S unlink -F auid&gt;=1000 -F auid!=unset -k delete
-+
-+-a always,exit -F arch=b64 -S unlink -F auid&gt;=1000 -F auid!=unset -k delete
-+
-+The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-4696r462685_fix" /><check system="C-4696r462684_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the operating system generates audit records when successful/unsuccessful attempts to use the "unlink" syscall occur.
-+
-+Check the file system rules in "/etc/audit/audit.rules" with the following commands:
-+
-+# grep -iw unlink /etc/audit/audit.rules
-+
-+-a always,exit -F arch=b32 -S unlink -F auid&gt;=1000 -F auid!=unset -k delete
-+
-+-a always,exit -F arch=b64 -S unlink -F auid&gt;=1000 -F auid!=unset -k delete
-+
-+If both the "b32" and "b64" audit rules are not defined for the "unlink" syscall, this is a finding.</check-content></check></Rule></Group><Group id="V-204573"><title>SRG-OS-000466-GPOS-00210</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204573r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-030920</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the unlinkat syscall.</title><description>&lt;VulnDiscussion&gt;If the system is not configured to audit certain activities and write them to an audit log, it is more difficult to detect and track system compromises and damages incurred during a system compromise.
-+
-+When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
-+
-+Satisfies: SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00211, SRG-OS-000468-GPOS-00212, SRG-OS-000392-GPOS-00172&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-72207</ident><ident system="http://cyber.mil/legacy">SV-86831</ident><ident system="http://cyber.mil/cci">CCI-000172</ident><ident system="http://cyber.mil/cci">CCI-002884</ident><fixtext fixref="F-4697r462688_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "unlinkat" syscall occur.
-+
-+Add the following rules in "/etc/audit/rules.d/audit.rules":
-+
-+-a always,exit -F arch=b32 -S unlinkat -F auid&gt;=1000 -F auid!=unset -k delete
-+
-+-a always,exit -F arch=b64 -S unlinkat -F auid&gt;=1000 -F auid!=unset -k delete
-+
-+The audit daemon must be restarted for the changes to take effect.</fixtext><fix id="F-4697r462688_fix" /><check system="C-4697r462687_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the operating system generates audit records when successful/unsuccessful attempts to use the "unlinkat" syscall occur.
-+
-+Check the file system rules in "/etc/audit/audit.rules" with the following commands:
-+
-+# grep -iw unlinkat /etc/audit/audit.rules
-+
-+-a always,exit -F arch=b32 -S unlinkat -F auid&gt;=1000 -F auid!=unset -k delete
-+
-+-a always,exit -F arch=b64 -S unlinkat -F auid&gt;=1000 -F auid!=unset -k delete
-+
-+If both the "b32" and "b64" audit rules are not defined for the "unlinkat" syscall, this is a finding.</check-content></check></Rule></Group><Group id="V-204574"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204574r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-031000</version><title>The Red Hat Enterprise Linux operating system must send rsyslog output to a log aggregation server.</title><description>&lt;VulnDiscussion&gt;Sending rsyslog output to another system ensures that the logs cannot be removed or modified in the event that the system is compromised or has a hardware failure.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86833</ident><ident system="http://cyber.mil/legacy">V-72209</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4698r88915_fix">Modify the "/etc/rsyslog.conf" or an "/etc/rsyslog.d/*.conf" file to contain a configuration line to send all "rsyslog" output to a log aggregation system:
-+*.* @@&lt;log aggregation system name&gt;</fixtext><fix id="F-4698r88915_fix" /><check system="C-4698r88914_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify "rsyslog" is configured to send all messages to a log aggregation server.
-+
-+Check the configuration of "rsyslog" with the following command:
-+
-+Note: If another logging package is used, substitute the utility configuration file for "/etc/rsyslog.conf".
-+
-+# grep @ /etc/rsyslog.conf /etc/rsyslog.d/*.conf
-+*.* @@logagg.site.mil
-+
-+If there are no lines in the "/etc/rsyslog.conf" or "/etc/rsyslog.d/*.conf" files that contain the "@" or "@@" symbol(s), and the lines with the correct symbol(s) to send output to another system do not cover all "rsyslog" output, ask the System Administrator to indicate how the audit logs are off-loaded to a different system or media. 
-+
-+If the lines are commented out or there is no evidence that the audit logs are being sent to another system, this is a finding.</check-content></check></Rule></Group><Group id="V-204575"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204575r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-031010</version><title>The Red Hat Enterprise Linux operating system must be configured so that the rsyslog daemon does not accept log messages from other servers unless the server is being used for log aggregation.</title><description>&lt;VulnDiscussion&gt;Unintentionally running a rsyslog server accepting remote messages puts the system at increased risk. Malicious rsyslog messages sent to the server could exploit vulnerabilities in the server software itself, could introduce misleading information in to the system's logs, or could fill the system's storage leading to a Denial of Service.
-+
-+If the system is intended to be a log aggregation server its use must be documented with the ISSO.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86835</ident><ident system="http://cyber.mil/legacy">V-72211</ident><ident system="http://cyber.mil/cci">CCI-000318</ident><ident system="http://cyber.mil/cci">CCI-001812</ident><ident system="http://cyber.mil/cci">CCI-001813</ident><ident system="http://cyber.mil/cci">CCI-001814</ident><ident system="http://cyber.mil/cci">CCI-000368</ident><fixtext fixref="F-4699r88918_fix">Modify the "/etc/rsyslog.conf" file to remove the "ModLoad imtcp", "ModLoad imudp", and "ModLoad imrelp" configuration lines, or document the system as being used for log aggregation.</fixtext><fix id="F-4699r88918_fix" /><check system="C-4699r88917_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify that the system is not accepting "rsyslog" messages from other systems unless it is documented as a log aggregation server.
-+
-+Check the configuration of "rsyslog" with the following command:
-+
-+# grep imtcp /etc/rsyslog.conf
-+$ModLoad imtcp
-+# grep imudp /etc/rsyslog.conf
-+$ModLoad imudp
-+# grep imrelp /etc/rsyslog.conf
-+$ModLoad imrelp
-+
-+If any of the above modules are being loaded in the "/etc/rsyslog.conf" file, ask to see the documentation for the system being used for log aggregation.
-+
-+If the documentation does not exist, or does not specify the server as a log aggregation system, this is a finding.</check-content></check></Rule></Group><Group id="V-204576"><title>SRG-OS-000027-GPOS-00008</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204576r505924_rule" weight="10.0" severity="low"><version>RHEL-07-040000</version><title>The Red Hat Enterprise Linux operating system must limit the number of concurrent sessions to 10 for all accounts and/or account types.</title><description>&lt;VulnDiscussion&gt;Operating system management includes the ability to control the number of users and user sessions that utilize an operating system. Limiting the number of allowed users and sessions per user is helpful in reducing the risks related to DoS attacks.
-+
-+This requirement addresses concurrent sessions for information system accounts and does not address concurrent sessions by single users via multiple system accounts. The maximum number of concurrent sessions should be defined based on mission needs and the operational environment for each system.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-72217</ident><ident system="http://cyber.mil/legacy">SV-86841</ident><ident system="http://cyber.mil/cci">CCI-000054</ident><fixtext fixref="F-4700r88921_fix">Configure the operating system to limit the number of concurrent sessions to "10" for all accounts and/or account types.
-+
-+Add the following line to the top of the /etc/security/limits.conf or in a ".conf" file defined in /etc/security/limits.d/ :
-+
-+* hard maxlogins 10</fixtext><fix id="F-4700r88921_fix" /><check system="C-4700r88920_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the operating system limits the number of concurrent sessions to "10" for all accounts and/or account types by issuing the following command:
-+
-+# grep "maxlogins" /etc/security/limits.conf /etc/security/limits.d/*.conf
-+
-+* hard maxlogins 10
-+
-+This can be set as a global domain (with the * wildcard) but may be set differently for multiple domains.
-+
-+If the "maxlogins" item is missing, commented out, or the value is not set to "10" or less for all domains that have the "maxlogins" item assigned, this is a finding.</check-content></check></Rule></Group><Group id="V-204577"><title>SRG-OS-000096-GPOS-00050</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204577r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-040100</version><title>The Red Hat Enterprise Linux operating system must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management Component Local Service Assessment (PPSM CLSA) and vulnerability assessments.</title><description>&lt;VulnDiscussion&gt;In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable or restrict unused or unnecessary physical and logical ports/protocols on information systems.
-+
-+Operating systems are capable of providing a wide variety of functions and services. Some of the functions and services provided by default may not be necessary to support essential organizational operations. Additionally, it is sometimes convenient to provide multiple services from a single component (e.g., VPN and IPS); however, doing so increases risk over limiting the services provided by any one component.
-+
-+To support the requirements and principles of least functionality, the operating system must support the organizational requirements, providing only essential capabilities and limiting the use of ports, protocols, and/or services to only those required, authorized, and approved to conduct official business or to address authorized quality of life issues.
-+
-+Satisfies: SRG-OS-000096-GPOS-00050, SRG-OS-000297-GPOS-00115&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-72219</ident><ident system="http://cyber.mil/legacy">SV-86843</ident><ident system="http://cyber.mil/cci">CCI-000382</ident><ident system="http://cyber.mil/cci">CCI-002314</ident><fixtext fixref="F-4701r88924_fix">Update the host's firewall settings and/or running services to comply with the PPSM CLSA for the site or program and the PPSM CAL.</fixtext><fix id="F-4701r88924_fix" /><check system="C-4701r88923_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Inspect the firewall configuration and running services to verify that it is configured to prohibit or restrict the use of functions, ports, protocols, and/or services that are unnecessary or prohibited.
-+
-+Check which services are currently active with the following command:
-+
-+# firewall-cmd --list-all
-+public (default, active)
-+  interfaces: enp0s3
-+  sources: 
-+  services: dhcpv6-client dns http https ldaps rpc-bind ssh
-+  ports: 
-+  masquerade: no
-+  forward-ports: 
-+  icmp-blocks: 
-+  rich rules: 
-+
-+Ask the System Administrator for the site or program PPSM CLSA. Verify the services allowed by the firewall match the PPSM CLSA. 
-+
-+If there are additional ports, protocols, or services that are not in the PPSM CLSA, or there are ports, protocols, or services that are prohibited by the PPSM Category Assurance List (CAL), this is a finding.</check-content></check></Rule></Group><Group id="V-204578"><title>SRG-OS-000033-GPOS-00014</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204578r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-040110</version><title>The Red Hat Enterprise Linux operating system must use a FIPS 140-2 approved cryptographic algorithm for SSH communications.</title><description>&lt;VulnDiscussion&gt;Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised.
-+
-+Operating systems utilizing encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules.
-+
-+FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets DoD requirements. This allows for Security Levels 1, 2, 3, or 4 for use on a general purpose computing system.
-+
-+Satisfies: SRG-OS-000033-GPOS-00014, SRG-OS-000120-GPOS-00061, SRG-OS-000125-GPOS-00065, SRG-OS-000250-GPOS-00093, SRG-OS-000393-GPOS-00173&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86845</ident><ident system="http://cyber.mil/legacy">V-72221</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><ident system="http://cyber.mil/cci">CCI-000803</ident><ident system="http://cyber.mil/cci">CCI-000068</ident><fixtext fixref="F-4702r88927_fix">Configure SSH to use FIPS 140-2 approved cryptographic algorithms.
-+
-+Add the following line (or modify the line to have the required value) to the "/etc/ssh/sshd_config" file (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor).
-+
-+Ciphers aes128-ctr,aes192-ctr,aes256-ctr
-+
-+The SSH service must be restarted for changes to take effect.</fixtext><fix id="F-4702r88927_fix" /><check system="C-4702r88926_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the operating system uses mechanisms meeting the requirements of applicable federal laws, Executive orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module.
-+
-+Note: If RHEL-07-021350 is a finding, this is automatically a finding as the system cannot implement FIPS 140-2-approved cryptographic algorithms and hashes.
-+
-+The location of the "sshd_config" file may vary if a different daemon is in use.
-+
-+Inspect the "Ciphers" configuration with the following command:
-+
-+# grep -i ciphers /etc/ssh/sshd_config
-+Ciphers aes128-ctr,aes192-ctr,aes256-ctr
-+
-+If any ciphers other than "aes128-ctr", "aes192-ctr", or "aes256-ctr" are listed, the "Ciphers" keyword is missing, or the returned line is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-204579"><title>SRG-OS-000163-GPOS-00072</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204579r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-040160</version><title>The Red Hat Enterprise Linux operating system must be configured so that all network connections associated with a communication session are terminated at the end of the session or after 15 minutes of inactivity from the user at a command prompt, except to fulfill documented and validated mission requirements.</title><description>&lt;VulnDiscussion&gt;Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle session will also free up resources committed by the managed network element. 
-+
-+Terminating network connections associated with communications sessions includes, for example, de-allocating associated TCP/IP address/port pairs at the operating system level and de-allocating networking assignments at the application level if multiple application sessions are using a single operating system-level network connection. This does not mean that the operating system terminates all sessions or network access; it only ends the inactive session and releases the resources associated with that session.
-+
-+Satisfies: SRG-OS-000029-GPOS-00010, SRG-OS-000163-GPOS-00072&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-72223</ident><ident system="http://cyber.mil/legacy">SV-86847</ident><ident system="http://cyber.mil/cci">CCI-001133</ident><ident system="http://cyber.mil/cci">CCI-002361</ident><fixtext fixref="F-4703r462735_fix">Configure the operating system to terminate all network connections associated with a communications session at the end of the session or after a period of inactivity.
-+
-+Create a script to enforce the inactivity timeout (for example /etc/profile.d/tmout.sh) such as:
-+
-+#!/bin/bash
-+
-+TMOUT=900
-+readonly TMOUT
-+export TMOUT</fixtext><fix id="F-4703r462735_fix" /><check system="C-4703r462734_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the operating system terminates all network connections associated with a communications session at the end of the session or based on inactivity.
-+
-+Check the value of the system inactivity timeout with the following command:
-+
-+# grep -i tmout /etc/profile.d/*
-+
-+etc/profile.d/tmout.sh:TMOUT=900
-+
-+/etc/profile.d/tmout.sh:readonly TMOUT
-+
-+/etc/profile.d/tmout.sh:export TMOUT
-+
-+If "TMOUT" is not set to "900" or less in a script located in the /etc/profile.d/ directory to enforce session termination after inactivity, this is a finding.</check-content></check></Rule></Group><Group id="V-204580"><title>SRG-OS-000023-GPOS-00006</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204580r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-040170</version><title>The Red Hat Enterprise Linux operating system must display the Standard Mandatory DoD Notice and Consent Banner immediately prior to, or as part of, remote access logon prompts.</title><description>&lt;VulnDiscussion&gt;Display of a standardized and approved use notification before granting access to the publicly accessible operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.
-+
-+System use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist.
-+
-+The banner must be formatted in accordance with applicable DoD policy. Use the following verbiage for operating systems that can accommodate banners of 1300 characters:
-+
-+"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.
-+
-+By using this IS (which includes any device attached to this IS), you consent to the following conditions:
-+
-+-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
-+
-+-At any time, the USG may inspect and seize data stored on this IS.
-+
-+-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
-+
-+-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.
-+
-+-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."
-+
-+Satisfies: SRG-OS-000023-GPOS-00006, SRG-OS-000024-GPOS-00007 , SRG-OS-000228-GPOS-00088&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86849</ident><ident system="http://cyber.mil/legacy">V-72225</ident><ident system="http://cyber.mil/cci">CCI-000048</ident><ident system="http://cyber.mil/cci">CCI-000050</ident><ident system="http://cyber.mil/cci">CCI-001384</ident><ident system="http://cyber.mil/cci">CCI-001385</ident><ident system="http://cyber.mil/cci">CCI-001386</ident><ident system="http://cyber.mil/cci">CCI-001387</ident><ident system="http://cyber.mil/cci">CCI-001388</ident><fixtext fixref="F-4704r297486_fix">Configure the operating system to display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system via the ssh.
-+
-+Edit the "/etc/ssh/sshd_config" file to uncomment the banner keyword and configure it to point to a file that will contain the logon banner (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor). An example configuration line is:
-+
-+banner /etc/issue
-+
-+Either create the file containing the banner or replace the text in the file with the Standard Mandatory DoD Notice and Consent Banner. The DoD required text is:
-+
-+"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.
-+
-+By using this IS (which includes any device attached to this IS), you consent to the following conditions:
-+
-+-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
-+
-+-At any time, the USG may inspect and seize data stored on this IS.
-+
-+-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
-+
-+-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.
-+
-+-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."
-+
-+The SSH service must be restarted for changes to take effect.</fixtext><fix id="F-4704r297486_fix" /><check system="C-4704r297485_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify any publicly accessible connection to the operating system displays the Standard Mandatory DoD Notice and Consent Banner before granting access to the system.
-+
-+Check for the location of the banner file being used with the following command:
-+
-+# grep -i banner /etc/ssh/sshd_config
-+
-+banner /etc/issue
-+
-+This command will return the banner keyword and the name of the file that contains the ssh banner (in this case "/etc/issue").
-+
-+If the line is commented out, this is a finding.
-+
-+View the file specified by the banner keyword to check that it matches the text of the Standard Mandatory DoD Notice and Consent Banner:
-+
-+"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.
-+
-+By using this IS (which includes any device attached to this IS), you consent to the following conditions:
-+
-+-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
-+
-+-At any time, the USG may inspect and seize data stored on this IS.
-+
-+-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
-+
-+-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.
-+
-+-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."
-+
-+If the system does not display a graphical logon banner or the banner does not match the Standard Mandatory DoD Notice and Consent Banner, this is a finding.
-+
-+If the text in the file does not match the Standard Mandatory DoD Notice and Consent Banner, this is a finding.</check-content></check></Rule></Group><Group id="V-204581"><title>SRG-OS-000250-GPOS-00093</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204581r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-040180</version><title>The Red Hat Enterprise Linux operating system must implement cryptography to protect the integrity of Lightweight Directory Access Protocol (LDAP) authentication communications.</title><description>&lt;VulnDiscussion&gt;Without cryptographic integrity protections, information can be altered by unauthorized users without detection.
-+
-+Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the key used to generate the hash.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-72227</ident><ident system="http://cyber.mil/legacy">SV-86851</ident><ident system="http://cyber.mil/cci">CCI-001453</ident><fixtext fixref="F-4705r88936_fix">Configure the operating system to implement cryptography to protect the integrity of LDAP authentication sessions.
-+
-+Add or modify the following line in "/etc/sssd/sssd.conf":
-+
-+ldap_id_use_start_tls = true</fixtext><fix id="F-4705r88936_fix" /><check system="C-4705r88935_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>If LDAP is not being utilized, this requirement is Not Applicable.
-+
-+Verify the operating system implements cryptography to protect the integrity of remote LDAP authentication sessions.
-+
-+To determine if LDAP is being used for authentication, use the following command:
-+
-+# systemctl status sssd.service
-+sssd.service - System Security Services Daemon
-+Loaded: loaded (/usr/lib/systemd/system/sssd.service; enabled; vendor preset: disabled)
-+Active: active (running) since Wed 2018-06-27 10:58:11 EST; 1h 50min ago
-+
-+If the "sssd.service" is "active", then LDAP is being used. 
-+
-+Determine the "id_provider" the LDAP is currently using:
-+
-+# grep -i "id_provider" /etc/sssd/sssd.conf
-+
-+id_provider = ad
-+
-+If "id_provider" is set to "ad", this is Not Applicable.
-+
-+Ensure that LDAP is configured to use TLS by using the following command:
-+
-+# grep -i "start_tls" /etc/sssd/sssd.conf
-+ldap_id_use_start_tls = true
-+
-+If the "ldap_id_use_start_tls" option is not "true", this is a finding.</check-content></check></Rule></Group><Group id="V-204582"><title>SRG-OS-000250-GPOS-00093</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204582r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-040190</version><title>The Red Hat Enterprise Linux operating system must implement cryptography to protect the integrity of Lightweight Directory Access Protocol (LDAP) communications.</title><description>&lt;VulnDiscussion&gt;Without cryptographic integrity protections, information can be altered by unauthorized users without detection.
-+
-+Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the key used to generate the hash.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-72229</ident><ident system="http://cyber.mil/legacy">SV-86853</ident><ident system="http://cyber.mil/cci">CCI-001453</ident><fixtext fixref="F-4706r88939_fix">Configure the operating system to implement cryptography to protect the integrity of LDAP remote access sessions.
-+
-+Add or modify the following line in "/etc/sssd/sssd.conf":
-+
-+ldap_tls_reqcert = demand</fixtext><fix id="F-4706r88939_fix" /><check system="C-4706r88938_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>If LDAP is not being utilized, this requirement is Not Applicable.
-+
-+Verify the operating system implements cryptography to protect the integrity of remote LDAP access sessions.
-+
-+To determine if LDAP is being used for authentication, use the following command:
-+
-+# systemctl status sssd.service
-+sssd.service - System Security Services Daemon
-+Loaded: loaded (/usr/lib/systemd/system/sssd.service; enabled; vendor preset: disabled)
-+Active: active (running) since Wed 2018-06-27 10:58:11 EST; 1h 50min ago
-+
-+If the "sssd.service" is "active", then LDAP is being used. 
-+
-+Determine the "id_provider" the LDAP is currently using:
-+
-+# grep -i "id_provider" /etc/sssd/sssd.conf
-+
-+id_provider = ad
-+
-+If "id_provider" is set to "ad", this is Not Applicable.
-+
-+Verify the sssd service is configured to require the use of certificates:
-+
-+# grep -i tls_reqcert /etc/sssd/sssd.conf
-+ldap_tls_reqcert = demand
-+
-+If the "ldap_tls_reqcert" setting is missing, commented out, or does not exist, this is a finding.
-+
-+If the "ldap_tls_reqcert" setting is not set to "demand" or "hard", this is a finding.</check-content></check></Rule></Group><Group id="V-204583"><title>SRG-OS-000250-GPOS-00093</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204583r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-040200</version><title>The Red Hat Enterprise Linux operating system must implement cryptography to protect the integrity of Lightweight Directory Access Protocol (LDAP) communications.</title><description>&lt;VulnDiscussion&gt;Without cryptographic integrity protections, information can be altered by unauthorized users without detection.
-+
-+Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the key used to generate the hash.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86855</ident><ident system="http://cyber.mil/legacy">V-72231</ident><ident system="http://cyber.mil/cci">CCI-001453</ident><fixtext fixref="F-4707r88942_fix">Configure the operating system to implement cryptography to protect the integrity of LDAP remote access sessions.
-+
-+Add or modify the following line in "/etc/sssd/sssd.conf":
-+
-+ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt</fixtext><fix id="F-4707r88942_fix" /><check system="C-4707r88941_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>If LDAP is not being utilized, this requirement is Not Applicable.
-+
-+Verify the operating system implements cryptography to protect the integrity of remote LDAP access sessions.
-+
-+To determine if LDAP is being used for authentication, use the following command:
-+
-+# systemctl status sssd.service
-+sssd.service - System Security Services Daemon
-+Loaded: loaded (/usr/lib/systemd/system/sssd.service; enabled; vendor preset: disabled)
-+Active: active (running) since Wed 2018-06-27 10:58:11 EST; 1h 50min ago
-+
-+If the "sssd.service" is "active", then LDAP is being used.
-+
-+Determine the "id_provider" that the LDAP is currently using:
-+
-+# grep -i "id_provider" /etc/sssd/sssd.conf
-+
-+id_provider = ad
-+
-+If "id_provider" is set to "ad", this is Not Applicable.
-+
-+Check the path to the X.509 certificate for peer authentication with the following command:
-+
-+# grep -i tls_cacert /etc/sssd/sssd.conf
-+
-+ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt
-+
-+Verify the "ldap_tls_cacert" option points to a file that contains the trusted CA certificate.
-+
-+If this file does not exist, or the option is commented out or missing, this is a finding.</check-content></check></Rule></Group><Group id="V-204584"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204584r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-040201</version><title>The Red Hat Enterprise Linux operating system must implement virtual address space randomization.</title><description>&lt;VulnDiscussion&gt;Address space layout randomization (ASLR) makes it more difficult for an attacker to predict the location of attack code he or she has introduced into a process's address space during an attempt at exploitation. Additionally, ASLR also makes it more difficult for an attacker to know the location of existing code in order to repurpose it using return-oriented programming (ROP) techniques.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-92521</ident><ident system="http://cyber.mil/legacy">V-77825</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4708r88945_fix">Configure the operating system implement virtual address space randomization.
-+
-+Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a config file in the /etc/sysctl.d/ directory (or modify the line to have the required value):
-+
-+kernel.randomize_va_space = 2
-+
-+Issue the following command to make the changes take effect:
-+
-+# sysctl --system</fixtext><fix id="F-4708r88945_fix" /><check system="C-4708r88944_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the operating system implements virtual address space randomization.
-+
-+# grep kernel.randomize_va_space /etc/sysctl.conf /etc/sysctl.d/*
-+
-+kernel.randomize_va_space = 2
-+
-+If "kernel.randomize_va_space" is not configured in the /etc/sysctl.conf file or in the /etc/sysctl.d/ directory, is commented out or does not have a value of "2", this is a finding.
-+
-+Check that the operating system implements virtual address space randomization with the following command:
-+
-+# /sbin/sysctl -a | grep kernel.randomize_va_space 
-+
-+kernel.randomize_va_space = 2
-+
-+If "kernel.randomize_va_space" does not have a value of "2", this is a finding.</check-content></check></Rule></Group><Group id="V-204585"><title>SRG-OS-000423-GPOS-00187</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204585r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-040300</version><title>The Red Hat Enterprise Linux operating system must be configured so that all networked systems have SSH installed.</title><description>&lt;VulnDiscussion&gt;Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read or altered. 
-+
-+This requirement applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, and facsimile machines). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. 
-+
-+Protecting the confidentiality and integrity of organizational information can be accomplished by physical means (e.g., employing physical distribution systems) or by logical means (e.g., employing cryptographic techniques). If physical means of protection are employed, logical means (cryptography) do not have to be employed, and vice versa.
-+
-+Satisfies: SRG-OS-000423-GPOS-00187, SRG-OS-000424-GPOS-00188, SRG-OS-000425-GPOS-00189, SRG-OS-000426-GPOS-00190&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86857</ident><ident system="http://cyber.mil/legacy">V-72233</ident><ident system="http://cyber.mil/cci">CCI-002418</ident><ident system="http://cyber.mil/cci">CCI-002420</ident><ident system="http://cyber.mil/cci">CCI-002421</ident><ident system="http://cyber.mil/cci">CCI-002422</ident><fixtext fixref="F-4709r88948_fix">Install SSH packages onto the host with the following commands:
-+
-+# yum install openssh-server.x86_64</fixtext><fix id="F-4709r88948_fix" /><check system="C-4709r88947_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Check to see if sshd is installed with the following command:
-+
-+# yum list installed \*ssh\*
-+libssh2.x86_64 1.4.3-8.el7 @anaconda/7.1
-+openssh.x86_64 6.6.1p1-11.el7 @anaconda/7.1
-+openssh-server.x86_64 6.6.1p1-11.el7 @anaconda/7.1
-+
-+If the "SSH server" package is not installed, this is a finding.</check-content></check></Rule></Group><Group id="V-204586"><title>SRG-OS-000423-GPOS-00187</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204586r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-040310</version><title>The Red Hat Enterprise Linux operating system must be configured so that all networked systems use SSH for confidentiality and integrity of transmitted and received information as well as information during preparation for transmission.</title><description>&lt;VulnDiscussion&gt;Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read or altered. 
-+
-+This requirement applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, and facsimile machines). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. 
-+
-+Protecting the confidentiality and integrity of organizational information can be accomplished by physical means (e.g., employing physical distribution systems) or by logical means (e.g., employing cryptographic techniques). If physical means of protection are employed, then logical means (cryptography) do not have to be employed, and vice versa.
-+
-+Satisfies: SRG-OS-000423-GPOS-00187, SRG-OS-000423-GPOS-00188, SRG-OS-000423-GPOS-00189, SRG-OS-000423-GPOS-00190&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86859</ident><ident system="http://cyber.mil/legacy">V-72235</ident><ident system="http://cyber.mil/cci">CCI-002421</ident><ident system="http://cyber.mil/cci">CCI-002422</ident><ident system="http://cyber.mil/cci">CCI-002418</ident><ident system="http://cyber.mil/cci">CCI-002420</ident><fixtext fixref="F-4710r88951_fix">Configure the SSH service to automatically start after reboot with the following command:
-+
-+# systemctl enable sshd.service</fixtext><fix id="F-4710r88951_fix" /><check system="C-4710r88950_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify SSH is loaded and active with the following command:
-+
-+# systemctl status sshd
-+sshd.service - OpenSSH server daemon
-+Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled)
-+Active: active (running) since Tue 2015-11-17 15:17:22 EST; 4 weeks 0 days ago
-+Main PID: 1348 (sshd)
-+CGroup: /system.slice/sshd.service
-+1053 /usr/sbin/sshd -D
-+
-+If "sshd" does not show a status of "active" and "running", this is a finding.</check-content></check></Rule></Group><Group id="V-204587"><title>SRG-OS-000163-GPOS-00072</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204587r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-040320</version><title>The Red Hat Enterprise Linux operating system must be configured so that all network connections associated with SSH traffic are terminated at the end of the session or after 10 minutes of inactivity, except to fulfill documented and validated mission requirements.</title><description>&lt;VulnDiscussion&gt;Terminating an idle SSH session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle SSH session will also free up resources committed by the managed network element.
-+
-+Terminating network connections associated with communications sessions includes, for example, de-allocating associated TCP/IP address/port pairs at the operating system level and de-allocating networking assignments at the application level if multiple application sessions are using a single operating system-level network connection. This does not mean that the operating system terminates all sessions or network access; it only ends the inactive session and releases the resources associated with that session.
-+
-+Satisfies: SRG-OS-000163-GPOS-00072, SRG-OS-000279-GPOS-00109&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86861</ident><ident system="http://cyber.mil/legacy">V-72237</ident><ident system="http://cyber.mil/cci">CCI-001133</ident><ident system="http://cyber.mil/cci">CCI-002361</ident><fixtext fixref="F-4711r88954_fix">Configure the operating system to automatically terminate a user session after inactivity time-outs have expired or at shutdown.
-+
-+Add the following line (or modify the line to have the required value) to the "/etc/ssh/sshd_config" file (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor):
-+
-+ClientAliveInterval 600
-+
-+The SSH service must be restarted for changes to take effect.</fixtext><fix id="F-4711r88954_fix" /><check system="C-4711r88953_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the operating system automatically terminates a user session after inactivity time-outs have expired.
-+
-+Check for the value of the "ClientAliveInterval" keyword with the following command:
-+
-+# grep -iw clientaliveinterval /etc/ssh/sshd_config
-+
-+ClientAliveInterval 600
-+
-+If "ClientAliveInterval" is not configured, commented out, or has a value of "0", this is a finding.
-+
-+If "ClientAliveInterval" has a value that is greater than "600" and is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.</check-content></check></Rule></Group><Group id="V-204588"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204588r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-040330</version><title>The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not allow authentication using RSA rhosts authentication.</title><description>&lt;VulnDiscussion&gt;Configuring this setting for the SSH daemon provides additional assurance that remote logon via SSH will require a password, even in the event of misconfiguration elsewhere.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-72239</ident><ident system="http://cyber.mil/legacy">SV-86863</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4712r88957_fix">Configure the SSH daemon to not allow authentication using RSA rhosts authentication.
-+
-+Add the following line in "/etc/ssh/sshd_config", or uncomment the line and set the value to "no":
-+
-+RhostsRSAAuthentication no
-+
-+The SSH service must be restarted for changes to take effect.</fixtext><fix id="F-4712r88957_fix" /><check system="C-4712r88956_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Check the version of the operating system with the following command:
-+
-+# cat /etc/redhat-release
-+
-+If the release is 7.4 or newer this requirement is Not Applicable.
-+
-+Verify the SSH daemon does not allow authentication using RSA rhosts authentication.
-+
-+To determine how the SSH daemon's "RhostsRSAAuthentication" option is set, run the following command:
-+
-+# grep RhostsRSAAuthentication /etc/ssh/sshd_config
-+RhostsRSAAuthentication no
-+
-+If the value is returned as "yes", the returned line is commented out, or no output is returned, this is a finding.</check-content></check></Rule></Group><Group id="V-204589"><title>SRG-OS-000163-GPOS-00072</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204589r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-040340</version><title>The Red Hat Enterprise Linux operating system must be configured so that all network connections associated with SSH traffic terminate after a period of inactivity.</title><description>&lt;VulnDiscussion&gt;Terminating an idle SSH session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle SSH session will also free up resources committed by the managed network element.
-+
-+Terminating network connections associated with communications sessions includes, for example, de-allocating associated TCP/IP address/port pairs at the operating system level and de-allocating networking assignments at the application level if multiple application sessions are using a single operating system-level network connection. This does not mean that the operating system terminates all sessions or network access; it only ends the inactive session and releases the resources associated with that session.
-+
-+Satisfies: SRG-OS-000163-GPOS-00072, SRG-OS-000279-GPOS-00109&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86865</ident><ident system="http://cyber.mil/legacy">V-72241</ident><ident system="http://cyber.mil/cci">CCI-001133</ident><ident system="http://cyber.mil/cci">CCI-002361</ident><fixtext fixref="F-4713r88960_fix">Configure the operating system to terminate automatically a user session after inactivity time-outs have expired or at shutdown.
-+
-+Add the following line (or modify the line to have the required value) to the "/etc/ssh/sshd_config" file (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor):
-+
-+ClientAliveCountMax 0
-+
-+The SSH service must be restarted for changes to take effect.</fixtext><fix id="F-4713r88960_fix" /><check system="C-4713r88959_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the operating system automatically terminates a user session after inactivity time-outs have expired.
-+
-+Check for the value of the "ClientAliveCountMax" keyword with the following command:
-+
-+# grep -i clientalivecount /etc/ssh/sshd_config
-+ClientAliveCountMax 0
-+
-+If "ClientAliveCountMax" is not set to "0", this is a finding.</check-content></check></Rule></Group><Group id="V-204590"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204590r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-040350</version><title>The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not allow authentication using rhosts authentication.</title><description>&lt;VulnDiscussion&gt;Configuring this setting for the SSH daemon provides additional assurance that remote logon via SSH will require a password, even in the event of misconfiguration elsewhere.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-72243</ident><ident system="http://cyber.mil/legacy">SV-86867</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4714r88963_fix">Configure the SSH daemon to not allow authentication using known hosts authentication.
-+
-+Add the following line in "/etc/ssh/sshd_config", or uncomment the line and set the value to "yes":
-+
-+IgnoreRhosts yes</fixtext><fix id="F-4714r88963_fix" /><check system="C-4714r88962_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the SSH daemon does not allow authentication using known hosts authentication.
-+
-+To determine how the SSH daemon's "IgnoreRhosts" option is set, run the following command:
-+
-+# grep -i IgnoreRhosts /etc/ssh/sshd_config
-+
-+IgnoreRhosts yes
-+
-+If the value is returned as "no", the returned line is commented out, or no output is returned, this is a finding.</check-content></check></Rule></Group><Group id="V-204591"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204591r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-040360</version><title>The Red Hat Enterprise Linux operating system must display the date and time of the last successful account logon upon an SSH logon.</title><description>&lt;VulnDiscussion&gt;Providing users with feedback on when account accesses via SSH last occurred facilitates user recognition and reporting of unauthorized account use.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-72245</ident><ident system="http://cyber.mil/legacy">SV-86869</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4715r88966_fix">Configure SSH to provide users with feedback on when account accesses last occurred by setting the required configuration options in "/etc/pam.d/sshd" or in the "sshd_config" file used by the system ("/etc/ssh/sshd_config" will be used in the example) (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor).
-+
-+Modify the "PrintLastLog" line in "/etc/ssh/sshd_config" to match the following:
-+
-+PrintLastLog yes
-+
-+The SSH service must be restarted for changes to "sshd_config" to take effect.</fixtext><fix id="F-4715r88966_fix" /><check system="C-4715r88965_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify SSH provides users with feedback on when account accesses last occurred.
-+
-+Check that "PrintLastLog" keyword in the sshd daemon configuration file is used and set to "yes" with the following command:
-+
-+# grep -i printlastlog /etc/ssh/sshd_config
-+PrintLastLog yes
-+
-+If the "PrintLastLog" keyword is set to "no", is missing, or is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-204592"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204592r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-040370</version><title>The Red Hat Enterprise Linux operating system must not permit direct logons to the root account using remote access via SSH.</title><description>&lt;VulnDiscussion&gt;Even though the communications channel may be encrypted, an additional layer of security is gained by extending the policy of not logging on directly as root. In addition, logging on with a user-specific account provides individual accountability of actions performed on the system.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-72247</ident><ident system="http://cyber.mil/legacy">SV-86871</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4716r88969_fix">Configure SSH to stop users from logging on remotely as the root user.
-+
-+Edit the appropriate  "/etc/ssh/sshd_config" file to uncomment or add the line for the "PermitRootLogin" keyword and set its value to "no" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor):
-+
-+PermitRootLogin no
-+
-+The SSH service must be restarted for changes to take effect.</fixtext><fix id="F-4716r88969_fix" /><check system="C-4716r88968_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify remote access using SSH prevents users from logging on directly as root.
-+
-+Check that SSH prevents users from logging on directly as root with the following command:
-+
-+# grep -i permitrootlogin /etc/ssh/sshd_config
-+PermitRootLogin no
-+
-+If the "PermitRootLogin" keyword is set to "yes", is missing, or is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-204593"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204593r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-040380</version><title>The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not allow authentication using known hosts authentication.</title><description>&lt;VulnDiscussion&gt;Configuring this setting for the SSH daemon provides additional assurance that remote logon via SSH will require a password, even in the event of misconfiguration elsewhere.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-72249</ident><ident system="http://cyber.mil/legacy">SV-86873</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4717r88972_fix">Configure the SSH daemon to not allow authentication using known hosts authentication.
-+
-+Add the following line in "/etc/ssh/sshd_config", or uncomment the line and set the value to "yes":
-+
-+IgnoreUserKnownHosts yes
-+
-+The SSH service must be restarted for changes to take effect.</fixtext><fix id="F-4717r88972_fix" /><check system="C-4717r88971_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the SSH daemon does not allow authentication using known hosts authentication.
-+
-+To determine how the SSH daemon's "IgnoreUserKnownHosts" option is set, run the following command:
-+
-+# grep -i IgnoreUserKnownHosts /etc/ssh/sshd_config
-+
-+IgnoreUserKnownHosts yes
-+
-+If the value is returned as "no", the returned line is commented out, or no output is returned, this is a finding.</check-content></check></Rule></Group><Group id="V-204594"><title>SRG-OS-000074-GPOS-00042</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204594r505924_rule" weight="10.0" severity="high"><version>RHEL-07-040390</version><title>The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon is configured to only use the SSHv2 protocol.</title><description>&lt;VulnDiscussion&gt;SSHv1 is an insecure implementation of the SSH protocol and has many well-known vulnerability exploits. Exploits of the SSH daemon could provide immediate root access to the system.
-+
-+Satisfies: SRG-OS-000074-GPOS-00042, SRG-OS-000480-GPOS-00227&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-72251</ident><ident system="http://cyber.mil/legacy">SV-86875</ident><ident system="http://cyber.mil/cci">CCI-000197</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4718r88975_fix">Remove all Protocol lines that reference version "1" in "/etc/ssh/sshd_config" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor). The "Protocol" line must be as follows:
-+
-+Protocol 2
-+
-+The SSH service must be restarted for changes to take effect.</fixtext><fix id="F-4718r88975_fix" /><check system="C-4718r88974_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Check the version of the operating system with the following command:
-+
-+# cat /etc/redhat-release
-+
-+If the release is 7.4 or newer this requirement is Not Applicable.
-+
-+Verify the SSH daemon is configured to only use the SSHv2 protocol.
-+
-+Check that the SSH daemon is configured to only use the SSHv2 protocol with the following command:
-+
-+# grep -i protocol /etc/ssh/sshd_config
-+Protocol 2
-+#Protocol 1,2
-+
-+If any protocol line other than "Protocol 2" is uncommented, this is a finding.</check-content></check></Rule></Group><Group id="V-204595"><title>SRG-OS-000250-GPOS-00093</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204595r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-040400</version><title>The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon is configured to only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms.</title><description>&lt;VulnDiscussion&gt;DoD information systems are required to use FIPS 140-2 approved cryptographic hash functions. The only SSHv2 hash algorithm meeting this requirement is SHA.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86877</ident><ident system="http://cyber.mil/legacy">V-72253</ident><ident system="http://cyber.mil/cci">CCI-001453</ident><fixtext fixref="F-4719r88978_fix">Edit the "/etc/ssh/sshd_config" file to uncomment or add the line for the "MACs" keyword and set its value to "hmac-sha2-256" and/or "hmac-sha2-512" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor):
-+
-+MACs hmac-sha2-256,hmac-sha2-512
-+
-+The SSH service must be restarted for changes to take effect.</fixtext><fix id="F-4719r88978_fix" /><check system="C-4719r88977_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the SSH daemon is configured to only use MACs employing FIPS 140-2-approved ciphers.
-+
-+Note: If RHEL-07-021350 is a finding, this is automatically a finding as the system cannot implement FIPS 140-2-approved cryptographic algorithms and hashes.
-+
-+Check that the SSH daemon is configured to only use MACs employing FIPS 140-2-approved ciphers with the following command:
-+
-+# grep -i macs /etc/ssh/sshd_config
-+MACs hmac-sha2-256,hmac-sha2-512
-+
-+If any ciphers other than "hmac-sha2-256" or "hmac-sha2-512" are listed or the returned line is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-204596"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204596r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-040410</version><title>The Red Hat Enterprise Linux operating system must be configured so that the SSH public host key files have mode 0644 or less permissive.</title><description>&lt;VulnDiscussion&gt;If a public host key file is modified by an unauthorized user, the SSH service may be compromised.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-72255</ident><ident system="http://cyber.mil/legacy">SV-86879</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4720r88981_fix">Note: SSH public key files may be found in other directories on the system depending on the installation. 
-+
-+Change the mode of public host key files under "/etc/ssh" to "0644" with the following command:
-+
-+# chmod 0644 /etc/ssh/*.key.pub</fixtext><fix id="F-4720r88981_fix" /><check system="C-4720r88980_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the SSH public host key files have mode "0644" or less permissive.
-+
-+Note: SSH public key files may be found in other directories on the system depending on the installation.
-+
-+The following command will find all SSH public key files on the system:
-+
-+# find /etc/ssh -name '*.pub' -exec ls -lL {} \;
-+
-+-rw-r--r-- 1 root root 618 Nov 28 06:43 ssh_host_dsa_key.pub
-+-rw-r--r-- 1 root root 347 Nov 28 06:43 ssh_host_key.pub
-+-rw-r--r-- 1 root root 238 Nov 28 06:43 ssh_host_rsa_key.pub
-+
-+If any file has a mode more permissive than "0644", this is a finding.</check-content></check></Rule></Group><Group id="V-204597"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204597r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-040420</version><title>The Red Hat Enterprise Linux operating system must be configured so that the SSH private host key files have mode 0640 or less permissive.</title><description>&lt;VulnDiscussion&gt;If an unauthorized user obtains the private SSH host key file, the host could be impersonated.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-72257</ident><ident system="http://cyber.mil/legacy">SV-86881</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4721r88984_fix">Configure the mode of SSH private host key files under "/etc/ssh" to "0640" with the following command:
-+
-+# chmod 0640 /path/to/file/ssh_host*key
-+</fixtext><fix id="F-4721r88984_fix" /><check system="C-4721r88983_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the SSH private host key files have mode "0640" or less permissive.
-+
-+The following command will find all SSH private key files on the system and list their modes:
-+
-+# find / -name '*ssh_host*key' | xargs ls -lL
-+
-+-rw-r----- 1 root ssh_keys 668 Nov 28 06:43 ssh_host_dsa_key
-+-rw-r----- 1 root ssh_keys 582 Nov 28 06:43 ssh_host_key
-+-rw-r----- 1 root ssh_keys 887 Nov 28 06:43 ssh_host_rsa_key
-+
-+If any file has a mode more permissive than "0640", this is a finding.</check-content></check></Rule></Group><Group id="V-204598"><title>SRG-OS-000364-GPOS-00151</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204598r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-040430</version><title>The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not permit Generic Security Service Application Program Interface (GSSAPI) authentication unless needed.</title><description>&lt;VulnDiscussion&gt;GSSAPI authentication is used to provide additional authentication mechanisms to applications. Allowing GSSAPI authentication through SSH exposes the system's GSSAPI to remote hosts, increasing the attack surface of the system. GSSAPI authentication must be disabled unless needed.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-72259</ident><ident system="http://cyber.mil/legacy">SV-86883</ident><ident system="http://cyber.mil/cci">CCI-000318</ident><ident system="http://cyber.mil/cci">CCI-000368</ident><ident system="http://cyber.mil/cci">CCI-001812</ident><ident system="http://cyber.mil/cci">CCI-001814</ident><ident system="http://cyber.mil/cci">CCI-001813</ident><fixtext fixref="F-4722r88987_fix">Uncomment the "GSSAPIAuthentication" keyword in "/etc/ssh/sshd_config" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor) and set the value to "no": 
-+
-+GSSAPIAuthentication no
-+
-+The SSH service must be restarted for changes to take effect.
-+
-+If GSSAPI authentication is required, it must be documented, to include the location of the configuration file, with the ISSO.</fixtext><fix id="F-4722r88987_fix" /><check system="C-4722r88986_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the SSH daemon does not permit GSSAPI authentication unless approved.
-+
-+Check that the SSH daemon does not permit GSSAPI authentication with the following command:
-+
-+# grep -i gssapiauth /etc/ssh/sshd_config
-+GSSAPIAuthentication no
-+
-+If the "GSSAPIAuthentication" keyword is missing, is set to "yes" and is not documented with the Information System Security Officer (ISSO), or the returned line is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-204599"><title>SRG-OS-000364-GPOS-00151</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204599r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-040440</version><title>The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not permit Kerberos authentication unless needed.</title><description>&lt;VulnDiscussion&gt;Kerberos authentication for SSH is often implemented using Generic Security Service Application Program Interface (GSSAPI). If Kerberos is enabled through SSH, the SSH daemon provides a means of access to the system's Kerberos implementation. Vulnerabilities in the system's Kerberos implementation may then be subject to exploitation. To reduce the attack surface of the system, the Kerberos authentication mechanism within SSH must be disabled for systems not using this capability.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-72261</ident><ident system="http://cyber.mil/legacy">SV-86885</ident><ident system="http://cyber.mil/cci">CCI-000368</ident><ident system="http://cyber.mil/cci">CCI-000318</ident><ident system="http://cyber.mil/cci">CCI-001814</ident><ident system="http://cyber.mil/cci">CCI-001813</ident><ident system="http://cyber.mil/cci">CCI-001812</ident><fixtext fixref="F-4723r88990_fix">Uncomment the "KerberosAuthentication" keyword in "/etc/ssh/sshd_config" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor) and set the value to "no":
-+
-+KerberosAuthentication no
-+
-+The SSH service must be restarted for changes to take effect.
-+
-+If Kerberos authentication is required, it must be documented, to include the location of the configuration file, with the ISSO.</fixtext><fix id="F-4723r88990_fix" /><check system="C-4723r88989_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the SSH daemon does not permit Kerberos to authenticate passwords unless approved.
-+
-+Check that the SSH daemon does not permit Kerberos to authenticate passwords with the following command:
-+
-+# grep -i kerberosauth /etc/ssh/sshd_config
-+KerberosAuthentication no
-+
-+If the "KerberosAuthentication" keyword is missing, or is set to "yes" and is not documented with the Information System Security Officer (ISSO), or the returned line is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-204600"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204600r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-040450</version><title>The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon performs strict mode checking of home directory configuration files.</title><description>&lt;VulnDiscussion&gt;If other users have access to modify user-specific SSH configuration files, they may be able to log on to the system as another user.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86887</ident><ident system="http://cyber.mil/legacy">V-72263</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4724r88993_fix">Uncomment the "StrictModes" keyword in "/etc/ssh/sshd_config" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor) and set the value to "yes":
-+
-+StrictModes yes
-+
-+The SSH service must be restarted for changes to take effect.</fixtext><fix id="F-4724r88993_fix" /><check system="C-4724r88992_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the SSH daemon performs strict mode checking of home directory configuration files.
-+
-+The location of the "sshd_config" file may vary if a different daemon is in use.
-+
-+Inspect the "sshd_config" file with the following command:
-+
-+# grep -i strictmodes /etc/ssh/sshd_config
-+
-+StrictModes yes
-+
-+If "StrictModes" is set to "no", is missing, or the returned line is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-204601"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204601r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-040460</version><title>The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon uses privilege separation.</title><description>&lt;VulnDiscussion&gt;SSH daemon privilege separation causes the SSH process to drop root privileges when not needed, which would decrease the impact of software vulnerabilities in the unprivileged section.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86889</ident><ident system="http://cyber.mil/legacy">V-72265</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4725r88996_fix">Uncomment the "UsePrivilegeSeparation" keyword in "/etc/ssh/sshd_config" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor) and set the value to "sandbox" or "yes":
-+
-+UsePrivilegeSeparation sandbox
-+
-+The SSH service must be restarted for changes to take effect.</fixtext><fix id="F-4725r88996_fix" /><check system="C-4725r88995_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the SSH daemon performs privilege separation.
-+
-+Check that the SSH daemon performs privilege separation with the following command:
-+
-+# grep -i usepriv /etc/ssh/sshd_config
-+
-+UsePrivilegeSeparation sandbox
-+
-+If the "UsePrivilegeSeparation" keyword is set to "no", is missing, or the returned line is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-204602"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204602r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-040470</version><title>The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not allow compression or only allows compression after successful authentication.</title><description>&lt;VulnDiscussion&gt;If compression is allowed in an SSH connection prior to authentication, vulnerabilities in the compression software could result in compromise of the system from an unauthenticated connection, potentially with root privileges.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86891</ident><ident system="http://cyber.mil/legacy">V-72267</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4726r88999_fix">Uncomment the "Compression" keyword in "/etc/ssh/sshd_config" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor) on the system and set the value to "delayed" or "no":
-+
-+Compression no
-+
-+The SSH service must be restarted for changes to take effect.</fixtext><fix id="F-4726r88999_fix" /><check system="C-4726r88998_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the SSH daemon performs compression after a user successfully authenticates.
-+
-+Check that the SSH daemon performs compression after a user successfully authenticates with the following command:
-+
-+# grep -i compression /etc/ssh/sshd_config
-+Compression delayed
-+
-+If the "Compression" keyword is set to "yes", is missing, or the returned line is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-204603"><title>SRG-OS-000355-GPOS-00143</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204603r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-040500</version><title>The Red Hat Enterprise Linux operating system must, for networked systems, synchronize clocks with a server that is synchronized to one of the redundant United States Naval Observatory (USNO) time servers, a time server designated for the appropriate DoD network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS).</title><description>&lt;VulnDiscussion&gt;Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. Sources outside the configured acceptable allowance (drift) may be inaccurate.
-+
-+Synchronizing internal information system clocks provides uniformity of time stamps for information systems with multiple system clocks and systems connected over a network.
-+
-+Organizations should consider endpoints that may not have regular access to the authoritative time server (e.g., mobile, teleworking, and tactical endpoints).
-+
-+Satisfies: SRG-OS-000355-GPOS-00143, SRG-OS-000356-GPOS-00144&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-72269</ident><ident system="http://cyber.mil/legacy">SV-86893</ident><ident system="http://cyber.mil/cci">CCI-002046</ident><ident system="http://cyber.mil/cci">CCI-001891</ident><fixtext fixref="F-4727r89002_fix">Edit the "/etc/ntp.conf" or "/etc/chrony.conf" file and add or update an entry to define "maxpoll" to "10" as follows:
-+
-+server 0.rhel.pool.ntp.org iburst maxpoll 10
-+
-+If NTP was running and "maxpoll" was updated, the NTP service must be restarted:
-+
-+# systemctl restart ntpd
-+
-+If NTP was not running, it must be started:
-+
-+# systemctl start ntpd 
-+
-+If "chronyd" was running and "maxpoll" was updated, the service must be restarted:
-+
-+# systemctl restart chronyd.service
-+
-+If "chronyd" was not running, it must be started:
-+
-+# systemctl start chronyd.service</fixtext><fix id="F-4727r89002_fix" /><check system="C-4727r89001_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Check to see if NTP is running in continuous mode:
-+
-+# ps -ef | grep ntp
-+
-+If NTP is not running, check to see if "chronyd" is running in continuous mode:
-+
-+# ps -ef | grep chronyd
-+
-+If NTP or "chronyd" is not running, this is a finding.
-+
-+If the NTP process is found, then check the "ntp.conf" file for the "maxpoll" option setting:
-+
-+# grep maxpoll /etc/ntp.conf
-+
-+server 0.rhel.pool.ntp.org iburst maxpoll 10
-+
-+If the option is set to "17" or is not set, this is a finding.
-+
-+If the file does not exist, check the "/etc/cron.daily" subdirectory for a crontab file controlling the execution of the "ntpd -q" command.
-+
-+# grep -i "ntpd -q" /etc/cron.daily/*
-+# ls -al /etc/cron.* | grep ntp
-+
-+ntp
-+
-+If a crontab file does not exist in the "/etc/cron.daily" that executes the "ntpd -q" command, this is a finding.
-+
-+If the "chronyd" process is found, then check the "chrony.conf" file for the "maxpoll" option setting:
-+
-+# grep maxpoll /etc/chrony.conf
-+
-+server 0.rhel.pool.ntp.org iburst maxpoll 10
-+
-+If the option is not set or the line is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-204604"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204604r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-040520</version><title>The Red Hat Enterprise Linux operating system must enable an application firewall, if available.</title><description>&lt;VulnDiscussion&gt;Firewalls protect computers from network attacks by blocking or limiting access to open network ports. Application firewalls limit which applications are allowed to communicate over the network.
-+
-+Satisfies: SRG-OS-000480-GPOS-00227, SRG-OS-000480-GPOS-00231, SRG-OS-000480-GPOS-00232&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86897</ident><ident system="http://cyber.mil/legacy">V-72273</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4728r89005_fix">Ensure the operating system's application firewall is enabled.
-+
-+Install the "firewalld" package, if it is not on the system, with the following command:
-+
-+# yum install firewalld
-+
-+Start the firewall via "systemctl" with the following command:
-+
-+# systemctl start firewalld</fixtext><fix id="F-4728r89005_fix" /><check system="C-4728r89004_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the operating system enabled an application firewall.
-+
-+Check to see if "firewalld" is installed with the following command:
-+
-+# yum list installed firewalld
-+firewalld-0.3.9-11.el7.noarch.rpm
-+
-+If the "firewalld" package is not installed, ask the System Administrator if another firewall application (such as iptables) is installed. 
-+
-+If an application firewall is not installed, this is a finding. 
-+
-+Check to see if the firewall is loaded and active with the following command:
-+
-+# systemctl status firewalld
-+firewalld.service - firewalld - dynamic firewall daemon
-+
-+   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled)
-+   Active: active (running) since Tue 2014-06-17 11:14:49 CEST; 5 days ago
-+
-+If "firewalld" does not show a status of "loaded" and "active", this is a finding. 
-+
-+Check the state of the firewall:
-+
-+# firewall-cmd --state 
-+running
-+
-+If "firewalld" does not show a state of "running", this is a finding.</check-content></check></Rule></Group><Group id="V-204605"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204605r505924_rule" weight="10.0" severity="low"><version>RHEL-07-040530</version><title>The Red Hat Enterprise Linux operating system must display the date and time of the last successful account logon upon logon.</title><description>&lt;VulnDiscussion&gt;Providing users with feedback on when account accesses last occurred facilitates user recognition and reporting of unauthorized account use.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86899</ident><ident system="http://cyber.mil/legacy">V-72275</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4729r89008_fix">Configure the operating system to provide users with feedback on when account accesses last occurred by setting the required configuration options in "/etc/pam.d/postlogin". 
-+
-+Add the following line to the top of "/etc/pam.d/postlogin":
-+
-+session required pam_lastlog.so showfailed</fixtext><fix id="F-4729r89008_fix" /><check system="C-4729r89007_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify users are provided with feedback on when account accesses last occurred.
-+
-+Check that "pam_lastlog" is used and not silent with the following command:
-+
-+# grep pam_lastlog /etc/pam.d/postlogin
-+session required pam_lastlog.so showfailed
-+
-+If "pam_lastlog" is missing from "/etc/pam.d/postlogin" file, or the silent option is present, this is a finding.</check-content></check></Rule></Group><Group id="V-204606"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204606r505924_rule" weight="10.0" severity="high"><version>RHEL-07-040540</version><title>The Red Hat Enterprise Linux operating system must not contain .shosts files.</title><description>&lt;VulnDiscussion&gt;The .shosts files are used to configure host-based authentication for individual users or the system via SSH. Host-based authentication is not sufficient for preventing unauthorized access to the system, as it does not require interactive identification and authentication of a connection request, or for the use of two-factor authentication.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86901</ident><ident system="http://cyber.mil/legacy">V-72277</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4730r89011_fix">Remove any found ".shosts" files from the system.
-+
-+# rm /[path]/[to]/[file]/.shosts</fixtext><fix id="F-4730r89011_fix" /><check system="C-4730r89010_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify there are no ".shosts" files on the system.
-+
-+Check the system for the existence of these files with the following command:
-+
-+# find / -name '*.shosts'
-+
-+If any ".shosts" files are found on the system, this is a finding.</check-content></check></Rule></Group><Group id="V-204607"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204607r505924_rule" weight="10.0" severity="high"><version>RHEL-07-040550</version><title>The Red Hat Enterprise Linux operating system must not contain shosts.equiv files.</title><description>&lt;VulnDiscussion&gt;The shosts.equiv files are used to configure host-based authentication for the system via SSH. Host-based authentication is not sufficient for preventing unauthorized access to the system, as it does not require interactive identification and authentication of a connection request, or for the use of two-factor authentication.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86903</ident><ident system="http://cyber.mil/legacy">V-72279</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4731r89014_fix">Remove any found "shosts.equiv" files from the system.
-+
-+# rm /[path]/[to]/[file]/shosts.equiv</fixtext><fix id="F-4731r89014_fix" /><check system="C-4731r89013_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify there are no "shosts.equiv" files on the system.
-+
-+Check the system for the existence of these files with the following command:
-+
-+# find / -name shosts.equiv
-+
-+If any "shosts.equiv" files are found on the system, this is a finding.</check-content></check></Rule></Group><Group id="V-204608"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204608r505924_rule" weight="10.0" severity="low"><version>RHEL-07-040600</version><title>For Red Hat Enterprise Linux operating systems using DNS resolution, at least two name servers must be configured.</title><description>&lt;VulnDiscussion&gt;To provide availability for name resolution services, multiple redundant name servers are mandated. A failure in name resolution could lead to the failure of security functions requiring name resolution, which may include time synchronization, centralized authentication, and remote system logging.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86905</ident><ident system="http://cyber.mil/legacy">V-72281</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4732r89017_fix">Configure the operating system to use two or more name servers for DNS resolution.
-+
-+Edit the "/etc/resolv.conf" file to uncomment or add the two or more "nameserver" option lines with the IP address of local authoritative name servers. If local host resolution is being performed, the "/etc/resolv.conf" file must be empty. An empty "/etc/resolv.conf" file can be created as follows:
-+
-+# echo -n &gt; /etc/resolv.conf
-+
-+And then make the file immutable with the following command:
-+
-+# chattr +i /etc/resolv.conf
-+
-+If the "/etc/resolv.conf" file must be mutable, the required configuration must be documented with the Information System Security Officer (ISSO) and the file must be verified by the system file integrity tool.</fixtext><fix id="F-4732r89017_fix" /><check system="C-4732r297492_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Determine whether the system is using local or DNS name resolution with the following command:
-+
-+# grep hosts /etc/nsswitch.conf
-+hosts: files dns
-+
-+If the DNS entry is missing from the host's line in the "/etc/nsswitch.conf" file, the "/etc/resolv.conf" file must be empty.
-+
-+Verify the "/etc/resolv.conf" file is empty with the following command:
-+
-+# ls -al /etc/resolv.conf
-+-rw-r--r-- 1 root root 0 Aug 19 08:31 resolv.conf
-+
-+If local host authentication is being used and the "/etc/resolv.conf" file is not empty, this is a finding.
-+
-+If the DNS entry is found on the host's line of the "/etc/nsswitch.conf" file, verify the operating system is configured to use two or more name servers for DNS resolution.
-+
-+Determine the name servers used by the system with the following command:
-+
-+# grep nameserver /etc/resolv.conf
-+nameserver 192.168.1.2
-+nameserver 192.168.1.3
-+
-+If less than two lines are returned that are not commented out, this is a finding.
-+
-+Verify that the "/etc/resolv.conf" file is immutable with the following command:
-+
-+# sudo lsattr /etc/resolv.conf
-+
-+----i----------- /etc/resolv.conf
-+
-+If the file is mutable and has not been documented with the Information System Security Officer (ISSO), this is a finding.</check-content></check></Rule></Group><Group id="V-204609"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204609r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-040610</version><title>The Red Hat Enterprise Linux operating system must not forward Internet Protocol version 4 (IPv4) source-routed packets.</title><description>&lt;VulnDiscussion&gt;Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when IPv4 forwarding is enabled and the system is functioning as a router.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-72283</ident><ident system="http://cyber.mil/legacy">SV-86907</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4733r89020_fix">Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value):
-+
-+net.ipv4.conf.all.accept_source_route = 0   
-+
-+Issue the following command to make the changes take effect:
-+ 
-+# sysctl -system</fixtext><fix id="F-4733r89020_fix" /><check system="C-4733r89019_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the system does not accept IPv4 source-routed packets.
-+
-+# grep net.ipv4.conf.all.accept_source_route /etc/sysctl.conf /etc/sysctl.d/*
-+
-+net.ipv4.conf.all.accept_source_route = 0
-+
-+If " net.ipv4.conf.all.accept_source_route " is not configured in the /etc/sysctl.conf file or in the /etc/sysctl.d/ directory, is commented out, or does not have a value of "0", this is a finding.
-+
-+Check that the operating system implements the accept source route variable with the following command:
-+
-+# /sbin/sysctl -a | grep net.ipv4.conf.all.accept_source_route
-+net.ipv4.conf.all.accept_source_route = 0
-+
-+If the returned line does not have a value of "0", this is a finding.</check-content></check></Rule></Group><Group id="V-204610"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204610r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-040611</version><title>The Red Hat Enterprise Linux operating system must use a reverse-path filter for IPv4 network traffic when possible on all interfaces.</title><description>&lt;VulnDiscussion&gt;Enabling reverse path filtering drops packets with source addresses that should not have been able to be received on the interface they were received on. It should not be used on systems which are routers for complicated networks, but is helpful for end hosts and routers serving small networks.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-92251</ident><ident system="http://cyber.mil/legacy">SV-102353</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4734r89023_fix">Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value):
-+
-+net.ipv4.conf.all.rp_filter = 1 
-+
-+Issue the following command to make the changes take effect:
-+
-+# sysctl --system</fixtext><fix id="F-4734r89023_fix" /><check system="C-4734r89022_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the system uses a reverse-path filter for IPv4:
-+
-+# grep net.ipv4.conf.all.rp_filter /etc/sysctl.conf /etc/sysctl.d/*
-+net.ipv4.conf.all.rp_filter = 1
-+
-+If "net.ipv4.conf.all.rp_filter" is not configured in the /etc/sysctl.conf file or in the /etc/sysctl.d/ directory, is commented out, or does not have a value of "1", this is a finding.
-+
-+Check that the operating system implements the accept source route variable with the following command:
-+
-+# /sbin/sysctl -a | grep net.ipv4.conf.all.rp_filter
-+net.ipv4.conf.all.rp_filter = 1
-+
-+If the returned line does not have a value of "1", this is a finding.</check-content></check></Rule></Group><Group id="V-204611"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204611r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-040612</version><title>The Red Hat Enterprise Linux operating system must use a reverse-path filter for IPv4 network traffic when possible by default.</title><description>&lt;VulnDiscussion&gt;Enabling reverse path filtering drops packets with source addresses that should not have been able to be received on the interface they were received on. It should not be used on systems which are routers for complicated networks, but is helpful for end hosts and routers serving small networks.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-92253</ident><ident system="http://cyber.mil/legacy">SV-102355</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4735r89026_fix">Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value):
-+
-+net.ipv4.conf.default.rp_filter = 1 
-+
-+Issue the following command to make the changes take effect:
-+
-+# sysctl --system</fixtext><fix id="F-4735r89026_fix" /><check system="C-4735r89025_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the system uses a reverse-path filter for IPv4:
-+
-+# grep net.ipv4.conf.default.rp_filter /etc/sysctl.conf /etc/sysctl.d/*
-+net.ipv4.conf.default.rp_filter = 1
-+
-+If "net.ipv4.conf.default.rp_filter" is not configured in the /etc/sysctl.conf file or in the /etc/sysctl.d/ directory, is commented out, or does not have a value of "1", this is a finding.
-+
-+Check that the operating system implements the accept source route variable with the following command:
-+
-+# /sbin/sysctl -a | grep net.ipv4.conf.default.rp_filter
-+net.ipv4.conf.default.rp_filter = 1
-+
-+If the returned line does not have a value of "1", this is a finding.</check-content></check></Rule></Group><Group id="V-204612"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204612r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-040620</version><title>The Red Hat Enterprise Linux operating system must not forward Internet Protocol version 4 (IPv4) source-routed packets by default.</title><description>&lt;VulnDiscussion&gt;Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when IPv4 forwarding is enabled and the system is functioning as a router.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-72285</ident><ident system="http://cyber.mil/legacy">SV-86909</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4736r89029_fix">Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value):
-+
-+net.ipv4.conf.default.accept_source_route = 0   
-+
-+Issue the following command to make the changes take effect:
-+ 
-+# sysctl --system</fixtext><fix id="F-4736r89029_fix" /><check system="C-4736r89028_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the system does not accept IPv4 source-routed packets by default.
-+
-+# grep net.ipv4.conf.default.accept_source_route /etc/sysctl.conf /etc/sysctl.d/*
-+net.ipv4.conf.default.accept_source_route = 0
-+
-+If " net.ipv4.conf.default.accept_source_route " is not configured in the /etc/sysctl.conf file or in the /etc/sysctl.d/ directory, is commented out, or does not have a value of "0", this is a finding.
-+
-+Check that the operating system implements the accept source route variable with the following command:
-+
-+# /sbin/sysctl -a | grep net.ipv4.conf.default.accept_source_route
-+net.ipv4.conf.default.accept_source_route = 0
-+
-+If the returned line does not have a value of "0", this is a finding.</check-content></check></Rule></Group><Group id="V-204613"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204613r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-040630</version><title>The Red Hat Enterprise Linux operating system must not respond to Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) echoes sent to a broadcast address.</title><description>&lt;VulnDiscussion&gt;Responding to broadcast (ICMP) echoes facilitates network mapping and provides a vector for amplification attacks.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-72287</ident><ident system="http://cyber.mil/legacy">SV-86911</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4737r89032_fix">Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value):
-+
-+net.ipv4.icmp_echo_ignore_broadcasts = 1
-+
-+Issue the following command to make the changes take effect: 
-+
-+# sysctl --system</fixtext><fix id="F-4737r89032_fix" /><check system="C-4737r89031_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the system does not respond to IPv4 ICMP echoes sent to a broadcast address.
-+
-+# grep net.ipv4.icmp_echo_ignore_broadcasts /etc/sysctl.conf /etc/sysctl.d/*
-+
-+If " net.ipv4.icmp_echo_ignore_broadcasts" is not configured in the /etc/sysctl.conf file or in the /etc/sysctl.d/ directory, is commented out, or does not have a value of "1", this is a finding.
-+
-+Check that the operating system implements the "icmp_echo_ignore_broadcasts" variable with the following command:
-+
-+# /sbin/sysctl -a | grep net.ipv4.icmp_echo_ignore_broadcasts
-+net.ipv4.icmp_echo_ignore_broadcasts = 1
-+
-+If the returned line does not have a value of "1", this is a finding.</check-content></check></Rule></Group><Group id="V-204614"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204614r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-040640</version><title>The Red Hat Enterprise Linux operating system must prevent Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages from being accepted.</title><description>&lt;VulnDiscussion&gt;ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86913</ident><ident system="http://cyber.mil/legacy">V-72289</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4738r89035_fix">Set the system to not accept IPv4 ICMP redirect messages by adding the following line to "/etc/sysctl.conf" or a configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value):
-+
-+net.ipv4.conf.default.accept_redirects = 0   
-+
-+Issue the following command to make the changes take effect:
-+
-+# sysctl --system</fixtext><fix id="F-4738r89035_fix" /><check system="C-4738r89034_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the system will not accept IPv4 ICMP redirect messages.
-+
-+# grep 'net.ipv4.conf.default.accept_redirects' /etc/sysctl.conf /etc/sysctl.d/*
-+
-+If " net.ipv4.conf.default.accept_redirects " is not configured in the /etc/sysctl.conf file or in the /etc/sysctl.d/ directory, is commented out, or does not have a value of "0", this is a finding.
-+
-+Check that the operating system implements the value of the "accept_redirects" variables with the following command:
-+
-+# /sbin/sysctl -a | grep 'net.ipv4.conf.default.accept_redirects'
-+net.ipv4.conf.default.accept_redirects = 0
-+
-+If the returned line does not have a value of "0", this is a finding.</check-content></check></Rule></Group><Group id="V-204615"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204615r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-040641</version><title>The Red Hat Enterprise Linux operating system must ignore Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages.</title><description>&lt;VulnDiscussion&gt;ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-87827</ident><ident system="http://cyber.mil/legacy">V-73175</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4739r89038_fix">Set the system to ignore IPv4 ICMP redirect messages by adding the following line to "/etc/sysctl.conf" or a configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value):
-+
-+net.ipv4.conf.all.accept_redirects = 0   
-+
-+Issue the following command to make the changes take effect:
-+
-+# sysctl --system</fixtext><fix id="F-4739r89038_fix" /><check system="C-4739r89037_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the system ignores IPv4 ICMP redirect messages.
-+
-+# grep 'net.ipv4.conf.all.accept_redirects' /etc/sysctl.conf /etc/sysctl.d/*
-+
-+If " net.ipv4.conf.all.accept_redirects " is not configured in the /etc/sysctl.conf file or in the /etc/sysctl.d/ directory, is commented out, or does not have a value of "0", this is a finding.
-+
-+Check that the operating system implements the "accept_redirects" variables with the following command:
-+
-+# /sbin/sysctl -a | grep 'net.ipv4.conf.all.accept_redirects'
-+
-+net.ipv4.conf.all.accept_redirects = 0
-+
-+If the returned line does not have a value of "0", this is a finding.</check-content></check></Rule></Group><Group id="V-204616"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204616r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-040650</version><title>The Red Hat Enterprise Linux operating system must not allow interfaces to perform Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirects by default.</title><description>&lt;VulnDiscussion&gt;ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table, possibly revealing portions of the network topology.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-72291</ident><ident system="http://cyber.mil/legacy">SV-86915</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4740r89041_fix">Configure the system to not allow interfaces to perform IPv4 ICMP redirects by default. 
-+
-+Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value):
-+
-+net.ipv4.conf.default.send_redirects = 0
-+
-+Issue the following command to make the changes take effect:
-+
-+# sysctl --system</fixtext><fix id="F-4740r89041_fix" /><check system="C-4740r89040_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the system does not allow interfaces to perform IPv4 ICMP redirects by default.
-+
-+# grep 'net.ipv4.conf.default.send_redirects' /etc/sysctl.conf /etc/sysctl.d/*
-+
-+If "net.ipv4.conf.default.send_redirects" is not configured in the "/etc/sysctl.conf" file or in the /etc/sysctl.d/ directory, is commented out or does not have a value of "0", this is a finding.
-+
-+Check that the operating system implements the "default send_redirects" variables with the following command:
-+
-+# /sbin/sysctl -a | grep 'net.ipv4.conf.default.send_redirects'
-+
-+net.ipv4.conf.default.send_redirects = 0 
-+
-+If the returned line does not have a value of "0", this is a finding.</check-content></check></Rule></Group><Group id="V-204617"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204617r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-040660</version><title>The Red Hat Enterprise Linux operating system must not send Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirects.</title><description>&lt;VulnDiscussion&gt;ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table, possibly revealing portions of the network topology.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-72293</ident><ident system="http://cyber.mil/legacy">SV-86917</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4741r89044_fix">Configure the system to not allow interfaces to perform IPv4 ICMP redirects. 
-+
-+Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value):
-+
-+net.ipv4.conf.all.send_redirects = 0
-+
-+Issue the following command to make the changes take effect:
-+
-+# sysctl --system</fixtext><fix id="F-4741r89044_fix" /><check system="C-4741r89043_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the system does not send IPv4 ICMP redirect messages.
-+
-+# grep 'net.ipv4.conf.all.send_redirects' /etc/sysctl.conf /etc/sysctl.d/*
-+
-+If "net.ipv4.conf.all.send_redirects" is not configured in the /etc/sysctl.conf file or in the /etc/sysctl.d/ directory, is commented out or does not have a value of "0", this is a finding.
-+
-+Check that the operating system implements the "all send_redirects" variables with the following command:
-+
-+# /sbin/sysctl -a | grep 'net.ipv4.conf.all.send_redirects'
-+
-+net.ipv4.conf.all.send_redirects = 0
-+
-+If the returned line does not have a value of "0", this is a finding.</check-content></check></Rule></Group><Group id="V-204618"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204618r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-040670</version><title>Network interfaces configured on the Red Hat Enterprise Linux operating system must not be in promiscuous mode.</title><description>&lt;VulnDiscussion&gt;Network interfaces in promiscuous mode allow for the capture of all network traffic visible to the system. If unauthorized individuals can access these applications, it may allow then to collect information such as logon IDs, passwords, and key exchanges between systems.
-+
-+If the system is being used to perform a network troubleshooting function, the use of these tools must be documented with the Information System Security Officer (ISSO) and restricted to only authorized personnel.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-72295</ident><ident system="http://cyber.mil/legacy">SV-86919</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4742r89047_fix">Configure network interfaces to turn off promiscuous mode unless approved by the ISSO and documented.
-+
-+Set the promiscuous mode of an interface to off with the following command:
-+
-+#ip link set dev &lt;devicename&gt; multicast off promisc off</fixtext><fix id="F-4742r89047_fix" /><check system="C-4742r89046_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify network interfaces are not in promiscuous mode unless approved by the ISSO and documented.
-+
-+Check for the status with the following command:
-+
-+# ip link | grep -i promisc
-+
-+If network interfaces are found on the system in promiscuous mode and their use has not been approved by the ISSO and documented, this is a finding.</check-content></check></Rule></Group><Group id="V-204619"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204619r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-040680</version><title>The Red Hat Enterprise Linux operating system must be configured to prevent unrestricted mail relaying.</title><description>&lt;VulnDiscussion&gt;If unrestricted mail relaying is permitted, unauthorized senders could use this host as a mail relay for the purpose of sending spam or other unauthorized activity.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86921</ident><ident system="http://cyber.mil/legacy">V-72297</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4743r89050_fix">If "postfix" is installed, modify the "/etc/postfix/main.cf" file to restrict client connections to the local network with the following command:
-+
-+# postconf -e 'smtpd_client_restrictions = permit_mynetworks,reject'</fixtext><fix id="F-4743r89050_fix" /><check system="C-4743r89049_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the system is configured to prevent unrestricted mail relaying.
-+
-+Determine if "postfix" is installed with the following commands:
-+
-+# yum list installed postfix
-+postfix-2.6.6-6.el7.x86_64.rpm 
-+
-+If postfix is not installed, this is Not Applicable.
-+
-+If postfix is installed, determine if it is configured to reject connections from unknown or untrusted networks with the following command:
-+
-+# postconf -n smtpd_client_restrictions
-+smtpd_client_restrictions = permit_mynetworks, reject
-+
-+If the "smtpd_client_restrictions" parameter contains any entries other than "permit_mynetworks" and "reject", this is a finding.</check-content></check></Rule></Group><Group id="V-204620"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204620r505924_rule" weight="10.0" severity="high"><version>RHEL-07-040690</version><title>The Red Hat Enterprise Linux operating system must not have a File Transfer Protocol (FTP) server package installed unless needed.</title><description>&lt;VulnDiscussion&gt;The FTP service provides an unencrypted remote access that does not provide for the confidentiality and integrity of user passwords or the remote session. If a privileged user were to log on using this service, the privileged user password could be compromised. SSH or other encrypted file transfer methods must be used in place of this service.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86923</ident><ident system="http://cyber.mil/legacy">V-72299</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4744r89053_fix">Document the "vsftpd" package with the ISSO as an operational requirement or remove it from the system with the following command:
-+
-+# yum remove vsftpd</fixtext><fix id="F-4744r89053_fix" /><check system="C-4744r89052_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify an FTP server has not been installed on the system.
-+
-+Check to see if an FTP server has been installed with the following commands:
-+
-+# yum list installed vsftpd
-+
-+ vsftpd-3.0.2.el7.x86_64.rpm
-+
-+If "vsftpd" is installed and is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.</check-content></check></Rule></Group><Group id="V-204621"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204621r505924_rule" weight="10.0" severity="high"><version>RHEL-07-040700</version><title>The Red Hat Enterprise Linux operating system must not have the Trivial File Transfer Protocol (TFTP) server package installed if not required for operational support.</title><description>&lt;VulnDiscussion&gt;If TFTP is required for operational support (such as the transmission of router configurations) its use must be documented with the Information System Security Officer (ISSO), restricted to only authorized personnel, and have access control rules established.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86925</ident><ident system="http://cyber.mil/legacy">V-72301</ident><ident system="http://cyber.mil/cci">CCI-000318</ident><ident system="http://cyber.mil/cci">CCI-001812</ident><ident system="http://cyber.mil/cci">CCI-001813</ident><ident system="http://cyber.mil/cci">CCI-001814</ident><ident system="http://cyber.mil/cci">CCI-000368</ident><fixtext fixref="F-4745r89056_fix">Remove the TFTP package from the system with the following command:
-+
-+# yum remove tftp-server</fixtext><fix id="F-4745r89056_fix" /><check system="C-4745r89055_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify a TFTP server has not been installed on the system.
-+
-+Check to see if a TFTP server has been installed with the following command:
-+
-+# yum list installed tftp-server
-+tftp-server-0.49-9.el7.x86_64.rpm
-+
-+If TFTP is installed and the requirement for TFTP is not documented with the ISSO, this is a finding.</check-content></check></Rule></Group><Group id="V-204622"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204622r505924_rule" weight="10.0" severity="high"><version>RHEL-07-040710</version><title>The Red Hat Enterprise Linux operating system must be configured so that remote X connections for interactive users are encrypted.</title><description>&lt;VulnDiscussion&gt;Open X displays allow an attacker to capture keystrokes and execute commands remotely.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86927</ident><ident system="http://cyber.mil/legacy">V-72303</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4746r89059_fix">Configure SSH to encrypt connections for interactive users.
-+
-+Edit the "/etc/ssh/sshd_config" file to uncomment or add the line for the "X11Forwarding" keyword and set its value to "yes" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor):
-+
-+X11Forwarding yes
-+
-+The SSH service must be restarted for changes to take effect:
-+
-+# systemctl restart sshd</fixtext><fix id="F-4746r89059_fix" /><check system="C-4746r89058_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify remote X connections for interactive users are encrypted.
-+
-+Check that remote X connections are encrypted with the following command:
-+
-+# grep -i x11forwarding /etc/ssh/sshd_config | grep -v "^#"
-+
-+X11Forwarding yes
-+
-+If the "X11Forwarding" keyword is set to "no" or is missing, this is a finding.</check-content></check></Rule></Group><Group id="V-204623"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204623r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-040720</version><title>The Red Hat Enterprise Linux operating system must be configured so that if the Trivial File Transfer Protocol (TFTP) server is required, the TFTP daemon is configured to operate in secure mode.</title><description>&lt;VulnDiscussion&gt;Restricting TFTP to a specific directory prevents remote users from copying, transferring, or overwriting system files.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86929</ident><ident system="http://cyber.mil/legacy">V-72305</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4747r89062_fix">Configure the TFTP daemon to operate in secure mode by adding the following line to "/etc/xinetd.d/tftp" (or modify the line to have the required value):
-+
-+server_args = -s /var/lib/tftpboot</fixtext><fix id="F-4747r89062_fix" /><check system="C-4747r89061_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the TFTP daemon is configured to operate in secure mode.
-+
-+Check to see if a TFTP server has been installed with the following commands:
-+
-+# yum list installed tftp-server
-+tftp-server.x86_64 x.x-x.el7 rhel-7-server-rpms
-+
-+If a TFTP server is not installed, this is Not Applicable.
-+
-+If a TFTP server is installed, check for the server arguments with the following command: 
-+
-+# grep server_args /etc/xinetd.d/tftp
-+server_args = -s /var/lib/tftpboot
-+
-+If the "server_args" line does not have a "-s" option and a subdirectory is not assigned, this is a finding.</check-content></check></Rule></Group><Group id="V-204624"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204624r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-040730</version><title>The Red Hat Enterprise Linux operating system must not have a graphical display manager installed unless approved.</title><description>&lt;VulnDiscussion&gt;Internet services that are not required for system or application processes must not be active to decrease the attack surface of the system. Graphical display managers have a long history of security vulnerabilities and must not be used unless approved and documented.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86931</ident><ident system="http://cyber.mil/legacy">V-72307</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4748r499412_fix">Document the requirement for a graphical user interface with the ISSO or remove the related packages with the following commands:
-+
-+# rpm -e xorg-x11-server-common
-+
-+# systemctl set-default multi-user.target</fixtext><fix id="F-4748r499412_fix" /><check system="C-4748r499411_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the system is configured to boot to the command line:
-+
-+# systemctl get-default
-+multi-user.target
-+
-+If the system default target is not set to "multi-user.target" and the Information System Security Officer (ISSO) lacks a documented requirement for a graphical user interface, this is a finding.
-+
-+Verify a graphical user interface is not installed:
-+
-+# rpm -qa | grep xorg | grep server
-+
-+Ask the System Administrator if use of a graphical user interface is an operational requirement.
-+
-+If the use of a graphical user interface on the system is not documented with the ISSO, this is a finding.
-+</check-content></check></Rule></Group><Group id="V-204625"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204625r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-040740</version><title>The Red Hat Enterprise Linux operating system must not be performing packet forwarding unless the system is a router.</title><description>&lt;VulnDiscussion&gt;Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86933</ident><ident system="http://cyber.mil/legacy">V-72309</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4749r89068_fix">Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value):
-+
-+net.ipv4.ip_forward = 0
-+
-+Issue the following command to make the changes take effect:
-+
-+# sysctl --system</fixtext><fix id="F-4749r89068_fix" /><check system="C-4749r89067_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the system is not performing packet forwarding, unless the system is a router.
-+
-+# grep net.ipv4.ip_forward /etc/sysctl.conf /etc/sysctl.d/*
-+
-+net.ipv4.ip_forward = 0
-+
-+If "net.ipv4.ip_forward" is not configured in the /etc/sysctl.conf file or in the /etc/sysctl.d/ directory, is commented out, or does not have a value of "0", this is a finding.
-+
-+Check that the operating system does not implement IP forwarding using the following command:
-+
-+# /sbin/sysctl -a | grep net.ipv4.ip_forward
-+net.ipv4.ip_forward = 0
-+
-+If IP forwarding value is "1" and the system is hosting any application, database, or web servers, this is a finding.</check-content></check></Rule></Group><Group id="V-204626"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204626r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-040750</version><title>The Red Hat Enterprise Linux operating system must be configured so that the Network File System (NFS) is configured to use RPCSEC_GSS.</title><description>&lt;VulnDiscussion&gt;When an NFS server is configured to use RPCSEC_SYS, a selected userid and groupid are used to handle requests from the remote user. The userid and groupid could mistakenly or maliciously be set incorrectly. The RPCSEC_GSS method of authentication uses certificates on the server and client systems to more securely authenticate the remote mount request.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86935</ident><ident system="http://cyber.mil/legacy">V-72311</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4750r89071_fix">Update the "/etc/fstab" file so the option "sec" is defined for each NFS mounted file system and the "sec" option does not have the "sys" setting. 
-+
-+Ensure the "sec" option is defined as "krb5:krb5i:krb5p".</fixtext><fix id="F-4750r89071_fix" /><check system="C-4750r89070_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify "AUTH_GSS" is being used to authenticate NFS mounts.
-+
-+To check if the system is importing an NFS file system, look for any entries in the "/etc/fstab" file that have a file system type of "nfs" with the following command:
-+
-+# cat /etc/fstab | grep nfs
-+192.168.21.5:/mnt/export /data1 nfs4 rw,sync ,soft,sec=krb5:krb5i:krb5p
-+
-+If the system is mounting file systems via NFS and has the sec option without the "krb5:krb5i:krb5p" settings, the "sec" option has the "sys" setting, or the "sec" option is missing, this is a finding.</check-content></check></Rule></Group><Group id="V-204627"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204627r505924_rule" weight="10.0" severity="high"><version>RHEL-07-040800</version><title>SNMP community strings on the Red Hat Enterprise Linux operating system must be changed from the default.</title><description>&lt;VulnDiscussion&gt;Whether active or not, default Simple Network Management Protocol (SNMP) community strings must be changed to maintain security. If the service is running with the default authenticators, anyone can gather data about the system and the network and use the information to potentially compromise the integrity of the system or network(s). It is highly recommended that SNMP version 3 user authentication and message encryption be used in place of the version 2 community strings.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86937</ident><ident system="http://cyber.mil/legacy">V-72313</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4751r89074_fix">If the "/etc/snmp/snmpd.conf" file exists, modify any lines that contain a community string value of "public" or "private" to another string value.</fixtext><fix id="F-4751r89074_fix" /><check system="C-4751r89073_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify that a system using SNMP is not using default community strings.
-+
-+Check to see if the "/etc/snmp/snmpd.conf" file exists with the following command:
-+
-+# ls -al /etc/snmp/snmpd.conf
-+ -rw-------   1 root root      52640 Mar 12 11:08 snmpd.conf
-+
-+If the file does not exist, this is Not Applicable.
-+
-+If the file does exist, check for the default community strings with the following commands:
-+
-+# grep public /etc/snmp/snmpd.conf
-+# grep private /etc/snmp/snmpd.conf
-+
-+If either of these commands returns any output, this is a finding.</check-content></check></Rule></Group><Group id="V-204628"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204628r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-040810</version><title>The Red Hat Enterprise Linux operating system access control program must be configured to grant or deny system access to specific hosts and services.</title><description>&lt;VulnDiscussion&gt;If the systems access control program is not configured with appropriate rules for allowing and denying access to system network resources, services may be accessible to unauthorized hosts.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86939</ident><ident system="http://cyber.mil/legacy">V-72315</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4752r89077_fix">If "firewalld" is installed and active on the system, configure rules for allowing specific services and hosts. 
-+
-+If "firewalld" is not "active", enable "tcpwrappers" by configuring "/etc/hosts.allow" and "/etc/hosts.deny" to allow or deny access to specific hosts.</fixtext><fix id="F-4752r89077_fix" /><check system="C-4752r89076_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>If the "firewalld" package is not installed, ask the System Administrator (SA) if another firewall application (such as iptables) is installed. If an application firewall is not installed, this is a finding. 
-+
-+Verify the system's access control program is configured to grant or deny system access to specific hosts.
-+
-+Check to see if "firewalld" is active with the following command:
-+
-+# systemctl status firewalld
-+firewalld.service - firewalld - dynamic firewall daemon
-+Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled)
-+Active: active (running) since Sun 2014-04-20 14:06:46 BST; 30s ago
-+
-+If "firewalld" is active, check to see if it is configured to grant or deny access to specific hosts or services with the following commands:
-+
-+# firewall-cmd --get-default-zone
-+public
-+
-+# firewall-cmd --list-all --zone=public
-+public (active)
-+target: default
-+icmp-block-inversion: no
-+interfaces: eth0
-+sources:
-+services: mdns ssh
-+ports:
-+protocols:
-+masquerade: no
-+forward-ports:
-+icmp-blocks:
-+
-+If "firewalld" is not active, determine whether "tcpwrappers" is being used by checking whether the "hosts.allow" and "hosts.deny" files are empty with the following commands:
-+
-+# ls -al /etc/hosts.allow
-+rw-r----- 1 root root 9 Aug 2 23:13 /etc/hosts.allow
-+
-+# ls -al /etc/hosts.deny
-+-rw-r----- 1 root root 9 Apr 9 2007 /etc/hosts.deny
-+
-+If "firewalld" and "tcpwrappers" are not installed, configured, and active, ask the SA if another access control program (such as iptables) is installed and active. Ask the SA to show that the running configuration grants or denies access to specific hosts or services.
-+
-+If "firewalld" is active and is not configured to grant access to specific hosts or "tcpwrappers" is not configured to grant or deny access to specific hosts, this is a finding.</check-content></check></Rule></Group><Group id="V-204629"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204629r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-040820</version><title>The Red Hat Enterprise Linux operating system must not have unauthorized IP tunnels configured.</title><description>&lt;VulnDiscussion&gt;IP tunneling mechanisms can be used to bypass network filtering. If tunneling is required, it must be documented with the Information System Security Officer (ISSO).&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-72317</ident><ident system="http://cyber.mil/legacy">SV-86941</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4753r89080_fix">Remove all unapproved tunnels from the system, or document them with the ISSO.</fixtext><fix id="F-4753r89080_fix" /><check system="C-4753r89079_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the system does not have unauthorized IP tunnels configured.
-+
-+Check to see if "libreswan" is installed with the following command:
-+
-+# yum list installed libreswan
-+libreswan.x86-64 3.20-5.el7_4
-+
-+If "libreswan" is installed, check to see if the "IPsec" service is active with the following command:
-+
-+# systemctl status ipsec
-+ipsec.service - Internet Key Exchange (IKE) Protocol Daemon for IPsec
-+Loaded: loaded (/usr/lib/systemd/system/ipsec.service; disabled)
-+Active: inactive (dead)
-+
-+If the "IPsec" service is active, check to see if any tunnels are configured in "/etc/ipsec.conf" and "/etc/ipsec.d/" with the following commands:
-+
-+# grep -iw conn /etc/ipsec.conf /etc/ipsec.d/*.conf
-+
-+If there are indications that a "conn" parameter is configured for a tunnel, ask the System Administrator if the tunnel is documented with the ISSO. 
-+
-+If "libreswan" is installed, "IPsec" is active, and an undocumented tunnel is active, this is a finding.</check-content></check></Rule></Group><Group id="V-204630"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204630r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-040830</version><title>The Red Hat Enterprise Linux operating system must not forward IPv6 source-routed packets.</title><description>&lt;VulnDiscussion&gt;Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when IPv6 forwarding is enabled and the system is functioning as a router.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-72319</ident><ident system="http://cyber.mil/legacy">SV-86943</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4754r89083_fix">Set the system to the required kernel parameter, if IPv6 is enabled, by adding the following line to "/etc/sysctl.conf" or a configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value):
-+
-+net.ipv6.conf.all.accept_source_route = 0
-+
-+Issue the following command to make the changes take effect:
-+
-+# sysctl --system</fixtext><fix id="F-4754r89083_fix" /><check system="C-4754r89082_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>If IPv6 is not enabled, the key will not exist, and this is Not Applicable.
-+
-+Verify the system does not accept IPv6 source-routed packets.
-+
-+# grep net.ipv6.conf.all.accept_source_route /etc/sysctl.conf /etc/sysctl.d/*
-+
-+net.ipv6.conf.all.accept_source_route = 0
-+
-+If "net.ipv6.conf.all.accept_source_route" is not configured in the /etc/sysctl.conf file or in the /etc/sysctl.d/ directory, is commented out or does not have a value of "0", this is a finding.
-+
-+Check that the operating system implements the accept source route variable with the following command:
-+
-+# /sbin/sysctl -a | grep net.ipv6.conf.all.accept_source_route
-+net.ipv6.conf.all.accept_source_route = 0
-+
-+If the returned lines do not have a value of "0", this is a finding.</check-content></check></Rule></Group><Group id="V-204631"><title>SRG-OS-000375-GPOS-00160</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204631r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-041001</version><title>The Red Hat Enterprise Linux operating system must have the required packages for multifactor authentication installed.</title><description>&lt;VulnDiscussion&gt;Using an authentication device, such as a CAC or token that is separate from the information system, ensures that even if the information system is compromised, that compromise will not affect credentials stored on the authentication device.
-+
-+Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification card and the DoD Common Access Card.
-+
-+A privileged account is defined as an information system account with authorizations of a privileged user.
-+
-+Remote access is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless.
-+
-+This requirement only applies to components where this is specific to the function of the device or has the concept of an organizational user (e.g., VPN, proxy capability). This does not apply to authentication for the purpose of configuring the device itself (management).
-+
-+Satisfies: SRG-OS-000375-GPOS-00160, SRG-OS-000375-GPOS-00161, SRG-OS-000375-GPOS-00162&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-87041</ident><ident system="http://cyber.mil/legacy">V-72417</ident><ident system="http://cyber.mil/cci">CCI-001948</ident><ident system="http://cyber.mil/cci">CCI-001953</ident><ident system="http://cyber.mil/cci">CCI-001954</ident><fixtext fixref="F-4755r462473_fix">Configure the operating system to implement multifactor authentication by installing the required packages.
-+
-+Install the pam_pkcs11 package with the following command:
-+
-+# yum install pam_pkcs11</fixtext><fix id="F-4755r462473_fix" /><check system="C-4755r462472_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the operating system has the packages required for multifactor authentication installed.
-+
-+Check for the presence of the packages required to support multifactor authentication with the following commands:
-+
-+# yum list installed pam_pkcs11
-+pam_pkcs11-0.6.2-14.el7.noarch.rpm
-+
-+If the "pam_pkcs11" package is not installed, this is a finding.</check-content></check></Rule></Group><Group id="V-204632"><title>SRG-OS-000375-GPOS-00160</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204632r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-041002</version><title>The Red Hat Enterprise Linux operating system must implement multifactor authentication for access to privileged accounts via pluggable authentication modules (PAM).</title><description>&lt;VulnDiscussion&gt;Using an authentication device, such as a CAC or token that is separate from the information system, ensures that even if the information system is compromised, that compromise will not affect credentials stored on the authentication device.
-+
-+Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification card and the DoD Common Access Card.
-+
-+A privileged account is defined as an information system account with authorizations of a privileged user.
-+
-+Remote access is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless.
-+
-+This requirement only applies to components where this is specific to the function of the device or has the concept of an organizational user (e.g., VPN, proxy capability). This does not apply to authentication for the purpose of configuring the device itself (management).
-+
-+Satisfies: SRG-OS-000375-GPOS-00160, SRG-OS-000375-GPOS-00161, SRG-OS-000375-GPOS-00162&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-72427</ident><ident system="http://cyber.mil/legacy">SV-87051</ident><ident system="http://cyber.mil/cci">CCI-001953</ident><ident system="http://cyber.mil/cci">CCI-001948</ident><ident system="http://cyber.mil/cci">CCI-001954</ident><fixtext fixref="F-4756r89089_fix">Configure the operating system to implement multifactor authentication for remote access to privileged accounts via pluggable authentication modules (PAM).
-+
-+Modify all of the services lines in "/etc/sssd/sssd.conf" or in configuration files found under "/etc/sssd/conf.d" to include pam.</fixtext><fix id="F-4756r89089_fix" /><check system="C-4756r89088_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the operating system implements multifactor authentication for remote access to privileged accounts via pluggable authentication modules (PAM).
-+
-+Check the "/etc/sssd/sssd.conf" file for the authentication services that are being used with the following command:
-+
-+# grep services /etc/sssd/sssd.conf /etc/sssd/conf.d/*.conf
-+
-+services = nss, pam
-+
-+If the "pam" service is not present on all "services" lines, this is a finding.</check-content></check></Rule></Group><Group id="V-204633"><title>SRG-OS-000375-GPOS-00160</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204633r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-041003</version><title>The Red Hat Enterprise Linux operating system must implement certificate status checking for PKI authentication.</title><description>&lt;VulnDiscussion&gt;Using an authentication device, such as a CAC or token that is separate from the information system, ensures that even if the information system is compromised, that compromise will not affect credentials stored on the authentication device.
-+
-+Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification card and the DoD Common Access Card.
-+
-+A privileged account is defined as an information system account with authorizations of a privileged user.
-+
-+Remote access is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless.
-+
-+This requirement only applies to components where this is specific to the function of the device or has the concept of an organizational user (e.g., VPN, proxy capability). This does not apply to authentication for the purpose of configuring the device itself (management).
-+
-+Satisfies: SRG-OS-000375-GPOS-00160, SRG-OS-000375-GPOS-00161, SRG-OS-000375-GPOS-00162&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-72433</ident><ident system="http://cyber.mil/legacy">SV-87057</ident><ident system="http://cyber.mil/cci">CCI-001954</ident><ident system="http://cyber.mil/cci">CCI-001948</ident><ident system="http://cyber.mil/cci">CCI-001953</ident><fixtext fixref="F-4757r89092_fix">Configure the operating system to do certificate status checking for PKI authentication.
-+
-+Modify all of the "cert_policy" lines in "/etc/pam_pkcs11/pam_pkcs11.conf" to include "ocsp_on".</fixtext><fix id="F-4757r89092_fix" /><check system="C-4757r89091_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the operating system implements certificate status checking for PKI authentication.
-+
-+Check to see if Online Certificate Status Protocol (OCSP) is enabled on the system with the following command:
-+
-+# grep cert_policy /etc/pam_pkcs11/pam_pkcs11.conf | grep -v "^#"
-+
-+cert_policy = ca, ocsp_on, signature;
-+cert_policy = ca, ocsp_on, signature;
-+cert_policy = ca, ocsp_on, signature;
-+
-+There should be at least three lines returned. 
-+
-+If "ocsp_on" is not present in all uncommented "cert_policy" lines in "/etc/pam_pkcs11/pam_pkcs11.conf", this is a finding.</check-content></check></Rule></Group><Group id="V-204634"><title>SRG-OS-000424-GPOS-00188</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204634r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-041010</version><title>The Red Hat Enterprise Linux operating system must be configured so that all wireless network adapters are disabled.</title><description>&lt;VulnDiscussion&gt;The use of wireless networking can introduce many different attack vectors into the organization's network. Common attack vectors such as malicious association and ad hoc networks will allow an attacker to spoof a wireless access point (AP), allowing validated systems to connect to the malicious AP and enabling the attacker to monitor and record network traffic. These malicious APs can also serve to create a man-in-the-middle attack or be used to create a denial of service to valid network resources.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-73177</ident><ident system="http://cyber.mil/legacy">SV-87829</ident><ident system="http://cyber.mil/cci">CCI-001443</ident><ident system="http://cyber.mil/cci">CCI-001444</ident><ident system="http://cyber.mil/cci">CCI-002418</ident><fixtext fixref="F-4758r89095_fix">Configure the system to disable all wireless network interfaces with the following command:
-+
-+#nmcli radio wifi off</fixtext><fix id="F-4758r89095_fix" /><check system="C-4758r89094_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify that there are no wireless interfaces configured on the system.
-+
-+This is N/A for systems that do not have wireless network adapters.
-+
-+Check for the presence of active wireless interfaces with the following command:
-+
-+# nmcli device
-+DEVICE TYPE STATE
-+eth0 ethernet connected
-+wlp3s0 wifi disconnected
-+lo loopback unmanaged
-+
-+If a wireless interface is configured and its use on the system is not documented with the Information System Security Officer (ISSO), this is a finding.</check-content></check></Rule></Group><Group id="V-214799"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-214799r505924_rule" weight="10.0" severity="high"><version>RHEL-07-010020</version><title>The Red Hat Enterprise Linux operating system must be configured so that the cryptographic hash of system files and commands matches vendor values.</title><description>&lt;VulnDiscussion&gt;Without cryptographic integrity protections, system command and files can be altered by unauthorized users without detection.
-+
-+Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the key used to generate the hash.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86479</ident><ident system="http://cyber.mil/legacy">V-71855</ident><ident system="http://cyber.mil/cci">CCI-001749</ident><fixtext fixref="F-15997r192363_fix">Run the following command to determine which package owns the file:
-+
-+# rpm -qf &lt;filename&gt;
-+
-+The package can be reinstalled from a yum repository using the command:
-+
-+# sudo yum reinstall &lt;packagename&gt;
-+
-+Alternatively, the package can be reinstalled from trusted media using the command:
-+
-+# sudo rpm -Uvh &lt;packagename&gt;</fixtext><fix id="F-15997r192363_fix" /><check system="C-15999r192362_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the cryptographic hash of system files and commands match the vendor values.
-+
-+Check the cryptographic hash of system files and commands with the following command:
-+
-+Note: System configuration files (indicated by a "c" in the second column) are expected to change over time. Unusual modifications should be investigated through the system audit log.
-+
-+# rpm -Va --noconfig | grep '^..5'
-+
-+If there is any output from the command for system files or binaries, this is a finding.</check-content></check></Rule></Group><Group id="V-214800"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-214800r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-020019</version><title>The Red Hat Enterprise Linux operating system must have a host-based intrusion detection tool installed.</title><description>&lt;VulnDiscussion&gt;Adding host-based intrusion detection tools can provide the capability to automatically take actions in response to malicious behavior, which can provide additional agility in reacting to network threats. These tools also often include a reporting capability to provide network awareness of the system, which may not otherwise exist in an organization's systems management regime.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-92255</ident><ident system="http://cyber.mil/legacy">SV-102357</ident><ident system="http://cyber.mil/cci">CCI-001263</ident><fixtext fixref="F-15998r462532_fix">Install and enable the latest McAfee HIPS package or McAfee ENSL.</fixtext><fix id="F-15998r462532_fix" /><check system="C-16000r462531_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Per OPORD 16-0080, the preferred intrusion detection system is McAfee Host Intrusion Prevention System (HIPS) in conjunction with SELinux. McAfee Endpoint Security for Linux (ENSL) is an approved alternative to McAfee Virus Scan Enterprise (VSE) and HIPS. For RHEL 7 systems, SELinux is an approved alternative to McAfee HIPS.
-+
-+Procedure:
-+Examine the system to determine if the Host Intrusion Prevention System (HIPS) is installed:
-+
-+# rpm -qa | grep MFEhiplsm
-+
-+Verify that the McAfee HIPS module is active on the system:
-+
-+# ps -ef | grep -i “hipclient”
-+
-+If the MFEhiplsm package is not installed, check for another intrusion detection system:
-+
-+# find / -name &lt;daemon name&gt;
-+
-+Where &lt;daemon name&gt; is the name of the primary application daemon to determine if the application is loaded on the system.
-+
-+Determine if the application is active on the system:
-+
-+# ps -ef | grep -i &lt;daemon name&gt;
-+
-+If the MFEhiplsm package is not installed and an alternate host-based intrusion detection application has not been documented for use, this is a finding.
-+
-+If no host-based intrusion detection system is installed and running on the system, this is a finding.</check-content></check></Rule></Group><Group id="V-214801"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-214801r505924_rule" weight="10.0" severity="high"><version>RHEL-07-032000</version><title>The Red Hat Enterprise Linux operating system must use a virus scan program.</title><description>&lt;VulnDiscussion&gt;Virus scanning software can be used to protect a system from penetration from computer viruses and to limit their spread through intermediate systems.  
-+
-+The virus scanning software should be configured to perform scans dynamically on accessed files. If this capability is not available, the system must be configured to scan, at a minimum, all altered files on the system on a daily basis.
-+
-+If the system processes inbound SMTP mail, the virus scanner must be configured to scan all received mail.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-72213</ident><ident system="http://cyber.mil/legacy">SV-86837</ident><ident system="http://cyber.mil/cci">CCI-001668</ident><fixtext fixref="F-15999r192369_fix">Install an antivirus solution on the system.</fixtext><fix id="F-15999r192369_fix" /><check system="C-16001r192368_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify an anti-virus solution is installed on the system. The anti-virus solution may be bundled with an approved host-based security solution.
-+
-+If there is no anti-virus solution installed on the system, this is a finding.</check-content></check></Rule></Group><Group id="V-214937"><title>SRG-OS-000029-GPOS-00010</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-214937r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-010062</version><title>The Red Hat Enterprise Linux operating system must prevent a user from overriding the screensaver lock-enabled setting for the graphical user interface.</title><description>&lt;VulnDiscussion&gt;A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence.
-+
-+The session lock is implemented at the point where session activity can be determined.
-+
-+The ability to enable/disable a session lock is given to the user by default. Disabling the user’s ability to disengage the graphical user interface session lock provides the assurance that all sessions will lock after the specified period of time.
&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-78995</ident><ident system="http://cyber.mil/legacy">SV-93701</ident><ident system="http://cyber.mil/cci">CCI-000057</ident><fixtext fixref="F-16135r193201_fix">Configure the operating system to prevent a user from overriding a screensaver lock after a 15-minute period of inactivity for graphical user interfaces.
-+
-+Create a database to contain the system-wide screensaver settings (if it does not already exist) with the following command: 
-+
-+Note: The example below is using the database "local" for the system, so if the system is using another database in "/etc/dconf/profile/user", the file should be created under the appropriate subdirectory.
-+
-+# touch /etc/dconf/db/local.d/locks/session
-+
-+Add the setting to lock the screensaver lock-enabled setting:
-+
-+/org/gnome/desktop/screensaver/lock-enabled
-+</fixtext><fix id="F-16135r193201_fix" /><check system="C-16137r193200_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the operating system prevents a user from overriding the screensaver lock-enabled setting for the graphical user interface. 
-+
-+Note: If the system does not have GNOME installed, this requirement is Not Applicable. The screen program must be installed to lock sessions on the console.
-+
-+Determine which profile the system database is using with the following command:
-+# grep system-db /etc/dconf/profile/user
-+
-+system-db:local
-+
-+Check for the lock-enabled setting with the following command:
-+
-+Note: The example below is using the database "local" for the system, so the path is "/etc/dconf/db/local.d". This path must be modified if a database other than "local" is being used.
-+
-+# grep -i lock-enabled /etc/dconf/db/local.d/locks/*
-+
-+/org/gnome/desktop/screensaver/lock-enabled
-+
-+If the command does not return a result, this is a finding.
-+</check-content></check></Rule></Group><Group id="V-219059"><title>SRG-OS-000114-GPOS-00059</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-219059r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-020111</version><title>The Red Hat Enterprise Linux operating system must disable the graphical user interface automounter unless required.</title><description>&lt;VulnDiscussion&gt;Automatically mounting file systems permits easy introduction of unknown devices, thereby facilitating malicious activity.
-+
-+Satisfies: SRG-OS-000114-GPOS-00059, SRG-OS-000378-GPOS-00163, SRG-OS-000480-GPOS-00227&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-100023</ident><ident system="http://cyber.mil/legacy">SV-109127</ident><ident system="http://cyber.mil/cci">CCI-000778</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><ident system="http://cyber.mil/cci">CCI-001958</ident><fixtext fixref="F-17871r499415_fix">Configure the graphical user interface to disable the ability to automount devices.
-+
-+Note: The example below is using the database "local" for the system, so the path is "/etc/dconf/db/local.d". This path must be modified if a database other than "local" is being used.
-+
-+Create or edit the /etc/dconf/db/local.d/00-No-Automount file and add the following:  
-+
-+[org/gnome/desktop/media-handling]
-+
-+automount=false
-+
-+automount-open=false
-+
-+autorun-never=true
-+
-+Create or edit the /etc/dconf/db/local.d/locks/00-No-Automount file and add the following:
-+/org/gnome/desktop/media-handling/automount
-+
-+/org/gnome/desktop/media-handling/automount-open
-+
-+/org/gnome/desktop/media-handling/autorun-never
-+
-+Run the following command to update the database:
-+
-+# dconf update</fixtext><fix id="F-17871r499415_fix" /><check system="C-17785r499414_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Note: If the operating system does not have a graphical user interface installed, this requirement is Not Applicable.
-+
-+Verify the operating system disables the ability to automount devices in a graphical user interface.
-+
-+Note: The example below is using the database "local" for the system, so the path is "/etc/dconf/db/local.d". This path must be modified if a database other than "local" is being used.
-+
-+Check to see if automounter service is disabled with the following commands:
-+# cat /etc/dconf/db/local.d/00-No-Automount
-+
-+[org/gnome/desktop/media-handling]
-+
-+automount=false
-+
-+automount-open=false
-+
-+autorun-never=true
-+
-+If the output does not match the example above, this is a finding.
-+
-+# cat /etc/dconf/db/local.d/locks/00-No-Automount
-+
-+/org/gnome/desktop/media-handling/automount
-+
-+/org/gnome/desktop/media-handling/automount-open
-+
-+/org/gnome/desktop/media-handling/autorun-never
-+
-+If the output does not match the example, this is a finding.</check-content></check></Rule></Group><Group id="V-228563"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-228563r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-021031</version><title>The Red Hat Enterprise Linux operating system must be configured so that all world-writable directories are owned by root, sys, bin, or an application user.</title><description>&lt;VulnDiscussion&gt;If a world-writable directory has the sticky bit set and is not owned by root, sys, bin, or an application User Identifier (UID), unauthorized users may be able to modify files created by others.
-+
-+The only authorized public directories are those temporary directories supplied with the system or those designed to be temporary file repositories. The setting is normally reserved for directories used by the system and by users for temporary file storage, (e.g., /tmp), and for directories requiring global read/write access.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-19547r377220_fix">All directories in local partitions which are world-writable should be owned by root or another system account. If any world-writable directories are not owned by a system account, this should be investigated. Following this, the files should be deleted or assigned to an appropriate group.</fixtext><fix id="F-19547r377220_fix" /><check system="C-30796r499670_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>The following command will discover and print world-writable directories that are not owned by a system account, assuming only system accounts have a UID lower than 1000. Run it once for each local partition [PART]: 
-+
-+# find [PART] -xdev -type d -perm -0002 -uid +999 -print
-+
-+If there is output, this is a finding.</check-content></check></Rule></Group><Group id="V-228564"><title>SRG-OS-000057-GPOS-00027</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-228564r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-910055</version><title>The Red Hat Enterprise Linux operating system must protect audit information from unauthorized read, modification, or deletion.</title><description>&lt;VulnDiscussion&gt;If audit information were to become compromised, then forensic analysis and discovery of the true source of potentially malicious system activity is impossible to achieve.
-+
-+To ensure the veracity of audit information, the operating system must protect audit information from unauthorized modification.
-+
-+Audit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit information system activity.
-+
-+Satisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029, SRG-OS-000206-GPOS-00084&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000162</ident><ident system="http://cyber.mil/cci">CCI-000163</ident><ident system="http://cyber.mil/cci">CCI-000164</ident><ident system="http://cyber.mil/cci">CCI-001314</ident><fixtext fixref="F-23603r419770_fix">Change the mode of the audit log files with the following command: 
-+
-+# chmod 0600 [audit_file]
-+
-+Change the owner and group owner of the audit log files with the following command: 
-+
-+# chown root:root [audit_file]</fixtext><fix id="F-23603r419770_fix" /><check system="C-23614r419769_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the operating system audit records have proper permissions and ownership.
-+
-+List the full permissions and ownership of the audit log files with the following command.
-+
-+# ls -la /var/log/audit 
-+total 4512
-+drwx------. 2 root root 23 Apr 25 16:53 .
-+drwxr-xr-x. 17 root root 4096 Aug 9 13:09 ..
-+-rw-------. 1 root root 8675309 Aug 9 12:54 audit.log
-+
-+Audit logs must be mode 0600 or less permissive. 
-+If any are more permissive, this is a finding.
-+
-+The owner and group owner of all audit log files must both be "root". If any other owner or group owner is listed, this is a finding.</check-content></check></Rule></Group></Benchmark>
-\ No newline at end of file
diff --git a/SOURCES/scap-security-guide-0.1.54-update_stig_severity-PR_6417.patch b/SOURCES/scap-security-guide-0.1.54-update_stig_severity-PR_6417.patch
deleted file mode 100644
index b24a15b..0000000
--- a/SOURCES/scap-security-guide-0.1.54-update_stig_severity-PR_6417.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-diff --git a/linux_os/guide/system/auditing/service_auditd_enabled/rule.yml b/linux_os/guide/system/auditing/service_auditd_enabled/rule.yml
-index bab42044b..547bd002d 100644
---- a/linux_os/guide/system/auditing/service_auditd_enabled/rule.yml
-+++ b/linux_os/guide/system/auditing/service_auditd_enabled/rule.yml
-@@ -18,7 +18,7 @@ rationale: |-
-     individual system users can be uniquely traced to those users so they
-     can be held accountable for their actions.
- 
--severity: high
-+severity: medium
- 
- requires:
-     - package_audit_installed
-diff --git a/linux_os/guide/system/selinux/selinux_policytype/rule.yml b/linux_os/guide/system/selinux/selinux_policytype/rule.yml
-index d861f5f9e..b57012df9 100644
---- a/linux_os/guide/system/selinux/selinux_policytype/rule.yml
-+++ b/linux_os/guide/system/selinux/selinux_policytype/rule.yml
-@@ -25,7 +25,7 @@ rationale: |-
-     is completed, the system should be reconfigured to
-     <tt>{{{ xccdf_value("var_selinux_policy_name") }}}</tt>.
- 
--severity: high
-+severity: medium
- 
- identifiers:
-     cce@rhel6: CCE-26875-5
-diff --git a/linux_os/guide/system/selinux/selinux_state/rule.yml b/linux_os/guide/system/selinux/selinux_state/rule.yml
-index 94ef78d57..d971c1d03 100644
---- a/linux_os/guide/system/selinux/selinux_state/rule.yml
-+++ b/linux_os/guide/system/selinux/selinux_state/rule.yml
-@@ -16,7 +16,7 @@ rationale: |-
-     prevent them from causing damage to the system or further elevating their
-     privileges.
- 
--severity: high
-+severity: medium
- 
- identifiers:
-     cce@rhel6: CCE-26969-6
diff --git a/SOURCES/scap-security-guide-0.1.54-update_stig_v3r1-PR_6438.patch b/SOURCES/scap-security-guide-0.1.54-update_stig_v3r1-PR_6438.patch
deleted file mode 100644
index fc27eab..0000000
--- a/SOURCES/scap-security-guide-0.1.54-update_stig_v3r1-PR_6438.patch
+++ /dev/null
@@ -1,1284 +0,0 @@
-From 19b8891116537d668a82c2ddaec83d05bece7126 Mon Sep 17 00:00:00 2001
-From: Gabriel Becker <ggasparb@redhat.com>
-Date: Fri, 27 Nov 2020 17:05:22 +0100
-Subject: [PATCH] Bump RHEL7 STIG version to V3R1 and update stig_overlay.xml.
-
----
- rhel7/overlays/stig_overlay.xml | 554 ++++++++++++++++----------------
- rhel7/profiles/stig.profile     |   4 +-
- 2 files changed, 283 insertions(+), 275 deletions(-)
-
-diff --git a/rhel7/overlays/stig_overlay.xml b/rhel7/overlays/stig_overlay.xml
-index 7cd955c977..66ca2bd0d0 100644
---- a/rhel7/overlays/stig_overlay.xml
-+++ b/rhel7/overlays/stig_overlay.xml
-@@ -1,975 +1,983 @@
--<?xml version='1.0' encoding='UTF-8'?>
-+<?xml version="1.0" encoding="UTF-8"?>
- <overlays xmlns="http://checklists.nist.gov/xccdf/1.1">
--  <overlay owner="disastig" ruleid="rpm_verify_permissions" ownerid="RHEL-07-010010" disa="2235" severity="high">
--    <VMSinfo VKey="71849" SVKey="86473" VRelease="4"/>
-+  <overlay owner="disastig" ruleid="rpm_verify_ownership" ownerid="RHEL-07-010010" disa="2235" severity="high">
-+    <VMSinfo VKey="204392" SVKey="204392r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must be configured so that the file permissions, ownership, and group membership of system files and commands match the vendor values."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="rpm_verify_hashes" ownerid="RHEL-07-010020" disa="1749" severity="high">
--    <VMSinfo VKey="71855" SVKey="86479" VRelease="4"/>
-+    <VMSinfo VKey="214799" SVKey="214799r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must be configured so that the cryptographic hash of system files and commands matches vendor values."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="dconf_gnome_banner_enabled" ownerid="RHEL-07-010030" disa="48" severity="medium">
--    <VMSinfo VKey="71859" SVKey="86483" VRelease="4"/>
-+    <VMSinfo VKey="204393" SVKey="204393r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a graphical user logon."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="dconf_gnome_login_banner_text" ownerid="RHEL-07-010040" disa="48" severity="medium">
--    <VMSinfo VKey="71861" SVKey="86485" VRelease="5"/>
-+    <VMSinfo VKey="204394" SVKey="204394r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must display the approved Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a graphical user logon."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="banner_etc_issue" ownerid="RHEL-07-010050" disa="48" severity="medium">
--    <VMSinfo VKey="71863" SVKey="86487" VRelease="3"/>
-+    <VMSinfo VKey="204395" SVKey="204395r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a command line user logon."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="dconf_gnome_screensaver_lock_enabled" ownerid="RHEL-07-010060" disa="56" severity="medium">
--    <VMSinfo VKey="71891" SVKey="86515" VRelease="6"/>
-+    <VMSinfo VKey="204396" SVKey="204396r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must enable a user session lock until that user re-establishes access using established identification and authentication procedures."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="dconf_gnome_enable_smartcard_auth" ownerid="RHEL-07-010061" disa="1954" severity="medium">
--    <VMSinfo VKey="77819" SVKey="92515" VRelease="2"/>
-+    <VMSinfo VKey="204397" SVKey="204397r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must uniquely identify and must authenticate users using multifactor authentication via a graphical user logon."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="dconf_gnome_screensaver_lock_locked" ownerid="RHEL-07-010062" disa="57" severity="medium">
--    <VMSinfo VKey="78995" SVKey="93701" VRelease="3"/>
-+    <VMSinfo VKey="214937" SVKey="214937r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must prevent a user from overriding the screensaver lock-enabled setting for the graphical user interface."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="dconf_gnome_screensaver_idle_delay" ownerid="RHEL-07-010070" disa="57" severity="medium">
--    <VMSinfo VKey="71893" SVKey="86517" VRelease="5"/>
-+    <VMSinfo VKey="204398" SVKey="204398r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must initiate a screensaver after a 15-minute period of inactivity for graphical user interfaces."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="dconf_gnome_screensaver_user_locks" ownerid="RHEL-07-010081" disa="57" severity="medium">
--    <VMSinfo VKey="73155" SVKey="87807" VRelease="4"/>
-+    <VMSinfo VKey="204399" SVKey="204399r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must prevent a user from overriding the screensaver lock-delay setting for the graphical user interface."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="dconf_gnome_session_idle_user_locks" ownerid="RHEL-07-010082" disa="57" severity="medium">
--    <VMSinfo VKey="73157" SVKey="87809" VRelease="4"/>
-+    <VMSinfo VKey="204400" SVKey="204400r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must prevent a user from overriding the session idle-delay setting for the graphical user interface."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="dconf_gnome_screensaver_idle_activation_enabled" ownerid="RHEL-07-010100" disa="57" severity="medium">
--    <VMSinfo VKey="71899" SVKey="86523" VRelease="5"/>
-+    <VMSinfo VKey="204402" SVKey="204402r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must initiate a session lock for the screensaver after a period of inactivity for graphical user interfaces."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="dconf_gnome_screensaver_idle_activation_locked" ownerid="RHEL-07-010101" disa="57" severity="medium">
--    <VMSinfo VKey="78997" SVKey="93703" VRelease="2"/>
-+    <VMSinfo VKey="204403" SVKey="204403r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must prevent a user from overriding the screensaver idle-activation-enabled setting for the graphical user interface."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="dconf_gnome_screensaver_lock_delay" ownerid="RHEL-07-010110" disa="57" severity="medium">
--    <VMSinfo VKey="71901" SVKey="86525" VRelease="3"/>
-+    <VMSinfo VKey="204404" SVKey="204404r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must initiate a session lock for graphical user interfaces when the screensaver is activated."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-07-010118" disa="192" severity="medium">
--    <VMSinfo VKey="81003" SVKey="95715" VRelease="1"/>
-+    <VMSinfo VKey="204405" SVKey="204405r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must be configured so that /etc/pam.d/passwd implements /etc/pam.d/system-auth when changing passwords."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="accounts_password_pam_retry" ownerid="RHEL-07-010119" disa="192" severity="medium">
--    <VMSinfo VKey="73159" SVKey="87811" VRelease="4"/>
-+    <VMSinfo VKey="204406" SVKey="204406r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed or new passwords are established, pwquality must be used."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="accounts_password_pam_ucredit" ownerid="RHEL-07-010120" disa="192" severity="medium">
--    <VMSinfo VKey="71903" SVKey="86527" VRelease="3"/>
-+    <VMSinfo VKey="204407" SVKey="204407r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed or new passwords are established, the new password must contain at least one upper-case character."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="accounts_password_pam_lcredit" ownerid="RHEL-07-010130" disa="193" severity="medium">
--    <VMSinfo VKey="71905" SVKey="86529" VRelease="5"/>
-+    <VMSinfo VKey="204408" SVKey="204408r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed or new passwords are established, the new password must contain at least one lower-case character."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="accounts_password_pam_dcredit" ownerid="RHEL-07-010140" disa="194" severity="medium">
--    <VMSinfo VKey="71907" SVKey="86531" VRelease="3"/>
-+    <VMSinfo VKey="204409" SVKey="204409r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed or new passwords are assigned, the new password must contain at least one numeric character."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="accounts_password_pam_ocredit" ownerid="RHEL-07-010150" disa="1619" severity="medium">
--    <VMSinfo VKey="71909" SVKey="86533" VRelease="2"/>
-+    <VMSinfo VKey="204410" SVKey="204410r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed or new passwords are established, the new password must contain at least one special character."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="accounts_password_pam_difok" ownerid="RHEL-07-010160" disa="195" severity="medium">
--    <VMSinfo VKey="71911" SVKey="86535" VRelease="2"/>
-+    <VMSinfo VKey="204411" SVKey="204411r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed a minimum of eight of the total number of characters must be changed."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="accounts_password_pam_minclass" ownerid="RHEL-07-010170" disa="195" severity="medium">
--    <VMSinfo VKey="71913" SVKey="86537" VRelease="2"/>
-+    <VMSinfo VKey="204412" SVKey="204412r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed a minimum of four character classes must be changed."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="accounts_password_pam_maxrepeat" ownerid="RHEL-07-010180" disa="195" severity="medium">
--    <VMSinfo VKey="71915" SVKey="86539" VRelease="3"/>
-+    <VMSinfo VKey="204413" SVKey="204413r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed the number of repeating consecutive characters must not be more than three characters."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="accounts_password_pam_maxclassrepeat" ownerid="RHEL-07-010190" disa="195" severity="medium">
--    <VMSinfo VKey="71917" SVKey="86541" VRelease="2"/>
-+    <VMSinfo VKey="204414" SVKey="204414r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed the number of repeating characters of the same character class must not be more than four characters."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="set_password_hashing_algorithm_systemauth" ownerid="RHEL-07-010200" disa="196" severity="medium">
--    <VMSinfo VKey="71919" SVKey="86543" VRelease="3"/>
-+    <VMSinfo VKey="204415" SVKey="204415r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must be configured so that the PAM system service is configured to store only encrypted representations of passwords."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="set_password_hashing_algorithm_logindefs" ownerid="RHEL-07-010210" disa="196" severity="medium">
--    <VMSinfo VKey="71921" SVKey="86545" VRelease="2"/>
-+    <VMSinfo VKey="204416" SVKey="204416r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must be configured to use the shadow file to store only encrypted representations of passwords."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="set_password_hashing_algorithm_libuserconf" ownerid="RHEL-07-010220" disa="196" severity="medium">
--    <VMSinfo VKey="71923" SVKey="86547" VRelease="3"/>
-+    <VMSinfo VKey="204417" SVKey="204417r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must be configured so that user and group account administration utilities are configured to store only encrypted representations of passwords."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="accounts_minimum_age_login_defs" ownerid="RHEL-07-010230" disa="198" severity="medium">
--    <VMSinfo VKey="71925" SVKey="86549" VRelease="2"/>
-+    <VMSinfo VKey="204418" SVKey="204418r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must be configured so that passwords for new users are restricted to a 24 hours/1 day minimum lifetime."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="accounts_password_set_min_life_existing" ownerid="RHEL-07-010240" disa="198" severity="medium">
--    <VMSinfo VKey="71927" SVKey="86551" VRelease="2"/>
-+    <VMSinfo VKey="204419" SVKey="204419r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must be configured so that passwords are restricted to a 24 hours/1 day minimum lifetime."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="accounts_maximum_age_login_defs" ownerid="RHEL-07-010250" disa="199" severity="medium">
--    <VMSinfo VKey="71929" SVKey="86553" VRelease="2"/>
-+    <VMSinfo VKey="204420" SVKey="204420r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must be configured so that passwords for new users are restricted to a 60-day maximum lifetime."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="accounts_password_set_max_life_existing" ownerid="RHEL-07-010260" disa="199" severity="medium">
--    <VMSinfo VKey="71931" SVKey="86555" VRelease="3"/>
-+    <VMSinfo VKey="204421" SVKey="204421r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must be configured so that existing passwords are restricted to a 60-day maximum lifetime."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="accounts_password_pam_unix_remember" ownerid="RHEL-07-010270" disa="200" severity="medium">
--    <VMSinfo VKey="71933" SVKey="86557" VRelease="3"/>
-+    <VMSinfo VKey="204422" SVKey="204422r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must be configured so that passwords are prohibited from reuse for a minimum of five generations."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="accounts_password_pam_minlen" ownerid="RHEL-07-010280" disa="205" severity="medium">
--    <VMSinfo VKey="71935" SVKey="86559" VRelease="2"/>
-+    <VMSinfo VKey="204423" SVKey="204423r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must be configured so that passwords are a minimum of 15 characters in length."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="no_empty_passwords" ownerid="RHEL-07-010290" disa="366" severity="high">
--    <VMSinfo VKey="71937" SVKey="86561" VRelease="3"/>
-+    <VMSinfo VKey="204424" SVKey="204424r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must not have accounts configured with blank or null passwords."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="sshd_disable_empty_passwords" ownerid="RHEL-07-010300" disa="766" severity="high">
--    <VMSinfo VKey="71939" SVKey="86563" VRelease="3"/>
-+    <VMSinfo VKey="204425" SVKey="204425r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not allow authentication using an empty password."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="account_disable_post_pw_expiration" ownerid="RHEL-07-010310" disa="795" severity="medium">
--    <VMSinfo VKey="71941" SVKey="86565" VRelease="2"/>
-+    <VMSinfo VKey="204426" SVKey="204426r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must disable account identifiers (individuals, groups, roles, and devices) if the password expires."/>
-   </overlay>
--  <overlay owner="disastig" ruleid="accounts_passwords_pam_faillock_interval" ownerid="RHEL-07-010320" disa="2238" severity="medium">
--    <VMSinfo VKey="71943" SVKey="86567" VRelease="6"/>
-+  <overlay owner="disastig" ruleid="accounts_passwords_pam_faillock_unlock_time" ownerid="RHEL-07-010320" disa="2238" severity="medium">
-+    <VMSinfo VKey="204427" SVKey="204427r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must be configured to lock accounts for a minimum of 15 minutes after three unsuccessful logon attempts within a 15-minute timeframe."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="accounts_passwords_pam_faillock_deny_root" ownerid="RHEL-07-010330" disa="2238" severity="medium">
--    <VMSinfo VKey="71945" SVKey="86569" VRelease="4"/>
-+    <VMSinfo VKey="204428" SVKey="204428r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must lock the associated account after three unsuccessful root logon attempts are made within a 15-minute period."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="sudo_remove_nopasswd" ownerid="RHEL-07-010340" disa="2038" severity="medium">
--    <VMSinfo VKey="71947" SVKey="86571" VRelease="3"/>
-+    <VMSinfo VKey="204429" SVKey="204429r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must be configured so that users must provide a password for privilege escalation."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="sudo_remove_no_authenticate" ownerid="RHEL-07-010350" disa="2038" severity="medium">
--    <VMSinfo VKey="71949" SVKey="86573" VRelease="3"/>
-+    <VMSinfo VKey="204430" SVKey="204430r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must be configured so that users must re-authenticate for privilege escalation."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="accounts_logon_fail_delay" ownerid="RHEL-07-010430" disa="366" severity="medium">
--    <VMSinfo VKey="71951" SVKey="86575" VRelease="2"/>
-+    <VMSinfo VKey="204431" SVKey="204431r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must be configured so that the delay between logon prompts following a failed console logon attempt is at least four seconds."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="gnome_gdm_disable_automatic_login" ownerid="RHEL-07-010440" disa="366" severity="high">
--    <VMSinfo VKey="71953" SVKey="86577" VRelease="2"/>
-+    <VMSinfo VKey="204432" SVKey="204432r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must not allow an unattended or automatic logon to the system via a graphical user interface."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="gnome_gdm_disable_guest_login" ownerid="RHEL-07-010450" disa="366" severity="high">
--    <VMSinfo VKey="71955" SVKey="86579" VRelease="3"/>
-+    <VMSinfo VKey="204433" SVKey="204433r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must not allow an unrestricted logon to the system."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="sshd_do_not_permit_user_env" ownerid="RHEL-07-010460" disa="366" severity="medium">
--    <VMSinfo VKey="71957" SVKey="86581" VRelease="3"/>
-+    <VMSinfo VKey="204434" SVKey="204434r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must not allow users to override SSH environment variables."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="disable_host_auth" ownerid="RHEL-07-010470" disa="366" severity="medium">
--    <VMSinfo VKey="71959" SVKey="86583" VRelease="3"/>
-+    <VMSinfo VKey="204435" SVKey="204435r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must not allow a non-certificate trusted host SSH logon to the system."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="grub2_admin_username" ownerid="RHEL-07-010480" disa="213" severity="high">
--    <VMSinfo VKey="71961" SVKey="86585" VRelease="6"/>
-+    <VMSinfo VKey="204436" SVKey="204436r5059" VRelease="r505924"/>
-     <title text="Red Hat Enterprise Linux operating systems prior to version 7.2 with a Basic Input/Output System (BIOS) must require authentication upon booting into single-user and maintenance modes."/>
-   </overlay>
--  <overlay owner="disastig" ruleid="require_singleuser_auth" ownerid="RHEL-07-010481" disa="213" severity="medium">
--    <VMSinfo VKey="77823" SVKey="92519" VRelease="2"/>
-+  <overlay owner="disastig" ruleid="require_emergency_target_auth" ownerid="RHEL-07-010481" disa="213" severity="medium">
-+    <VMSinfo VKey="204437" SVKey="204437r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must require authentication upon booting into single-user and maintenance modes."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="grub2_password" ownerid="RHEL-07-010482" disa="213" severity="high">
--    <VMSinfo VKey="81005" SVKey="95717" VRelease="1"/>
-+    <VMSinfo VKey="204438" SVKey="204438r5059" VRelease="r505924"/>
-     <title text="Red Hat Enterprise Linux operating systems version 7.2 or newer with a Basic Input/Output System (BIOS) must require authentication upon booting into single-user and maintenance modes."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="grub2_uefi_admin_username" ownerid="RHEL-07-010490" disa="213" severity="high">
--    <VMSinfo VKey="71963" SVKey="86587" VRelease="4"/>
-+    <VMSinfo VKey="204439" SVKey="204439r5059" VRelease="r505924"/>
-     <title text="Red Hat Enterprise Linux operating systems prior to version 7.2 using Unified Extensible Firmware Interface (UEFI) must require authentication upon booting into single-user and maintenance modes."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="grub2_uefi_password" ownerid="RHEL-07-010491" disa="213" severity="high">
--    <VMSinfo VKey="81007" SVKey="95719" VRelease="1"/>
-+    <VMSinfo VKey="204440" SVKey="204440r5059" VRelease="r505924"/>
-     <title text="Red Hat Enterprise Linux operating systems version 7.2 or newer using Unified Extensible Firmware Interface (UEFI) must require authentication upon booting into single-user and maintenance modes."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="smartcard_auth" ownerid="RHEL-07-010500" disa="766" severity="medium">
--    <VMSinfo VKey="71965" SVKey="86589" VRelease="2"/>
-+    <VMSinfo VKey="204441" SVKey="204441r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must uniquely identify and must authenticate organizational users (or processes acting on behalf of organizational users) using multifactor authentication."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="package_rsh-server_removed" ownerid="RHEL-07-020000" disa="381" severity="high">
--    <VMSinfo VKey="71967" SVKey="86591" VRelease="2"/>
-+    <VMSinfo VKey="204442" SVKey="204442r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must not have the rsh-server package installed."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="package_ypserv_removed" ownerid="RHEL-07-020010" disa="381" severity="high">
--    <VMSinfo VKey="71969" SVKey="86593" VRelease="2"/>
-+    <VMSinfo VKey="204443" SVKey="204443r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must not have the ypserv package installed."/>
-   </overlay>
--  <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-07-020019" disa="1263" severity="medium">
--    <VMSinfo VKey="92255" SVKey="102357" VRelease="r2"/>
-+  <overlay owner="disastig" ruleid="package_MFEhiplsm_installed" ownerid="RHEL-07-020019" disa="1263" severity="medium">
-+    <VMSinfo VKey="214800" SVKey="214800r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must have a host-based intrusion detection tool installed."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="selinux_user_login_roles" ownerid="RHEL-07-020020" disa="2235" severity="medium">
--    <VMSinfo VKey="71971" SVKey="86595" VRelease="4"/>
-+    <VMSinfo VKey="204444" SVKey="204444r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="aide_periodic_cron_checking" ownerid="RHEL-07-020030" disa="1744" severity="medium">
--    <VMSinfo VKey="71973" SVKey="86597" VRelease="2"/>
-+    <VMSinfo VKey="204445" SVKey="204445r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must be configured so that a file integrity tool verifies the baseline operating system configuration at least weekly."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="aide_scan_notification" ownerid="RHEL-07-020040" disa="1744" severity="medium">
--    <VMSinfo VKey="71975" SVKey="86599" VRelease="2"/>
-+    <VMSinfo VKey="204446" SVKey="204446r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must be configured so that designated personnel are notified if baseline configurations are changed in an unauthorized manner."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="ensure_gpgcheck_globally_activated" ownerid="RHEL-07-020050" disa="1749" severity="high">
--    <VMSinfo VKey="71977" SVKey="86601" VRelease="2"/>
-+    <VMSinfo VKey="204447" SVKey="204447r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must prevent the installation of software, patches, service packs, device drivers, or operating system components from a repository without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="ensure_gpgcheck_local_packages" ownerid="RHEL-07-020060" disa="1749" severity="high">
--    <VMSinfo VKey="71979" SVKey="86603" VRelease="2"/>
-+    <VMSinfo VKey="204448" SVKey="204448r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must prevent the installation of software, patches, service packs, device drivers, or operating system components of local packages without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="kernel_module_usb-storage_disabled" ownerid="RHEL-07-020100" disa="1958" severity="medium">
--    <VMSinfo VKey="71983" SVKey="86607" VRelease="5"/>
-+    <VMSinfo VKey="204449" SVKey="204449r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must be configured to disable USB mass storage."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="kernel_module_dccp_disabled" ownerid="RHEL-07-020101" disa="1958" severity="medium">
--    <VMSinfo VKey="77821" SVKey="92517" VRelease="3"/>
-+    <VMSinfo VKey="204450" SVKey="204450r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must be configured so that the Datagram Congestion Control Protocol (DCCP) kernel module is disabled unless required."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="service_autofs_disabled" ownerid="RHEL-07-020110" disa="1958" severity="medium">
--    <VMSinfo VKey="71985" SVKey="86609" VRelease="2"/>
-+    <VMSinfo VKey="204451" SVKey="204451r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must disable the file system automounter unless required."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="kernel_module_usb-storage_disabled" ownerid="RHEL-07-020111" disa="1958" severity="medium">
--    <VMSinfo VKey="100023" SVKey="109127" VRelease="r1"/>
-+    <VMSinfo VKey="219059" SVKey="219059r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must disable the graphical user interface automounter unless required."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="clean_components_post_updating" ownerid="RHEL-07-020200" disa="2617" severity="low">
--    <VMSinfo VKey="71987" SVKey="86611" VRelease="2"/>
-+    <VMSinfo VKey="204452" SVKey="204452r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must remove all software components after updated versions have been installed."/>
-   </overlay>
--  <overlay owner="disastig" ruleid="selinux_state" ownerid="RHEL-07-020210" disa="2696" severity="high">
--    <VMSinfo VKey="71989" SVKey="86613" VRelease="4"/>
-+  <overlay owner="disastig" ruleid="selinux_state" ownerid="RHEL-07-020210" disa="2165" severity="medium">
-+    <VMSinfo VKey="204453" SVKey="204453r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must enable SELinux."/>
-   </overlay>
--  <overlay owner="disastig" ruleid="selinux_policytype" ownerid="RHEL-07-020220" disa="2696" severity="high">
--    <VMSinfo VKey="71991" SVKey="86615" VRelease="6"/>
-+  <overlay owner="disastig" ruleid="selinux_policytype" ownerid="RHEL-07-020220" disa="2165" severity="medium">
-+    <VMSinfo VKey="204454" SVKey="204454r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must enable the SELinux targeted policy."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="disable_ctrlaltdel_reboot" ownerid="RHEL-07-020230" disa="366" severity="high">
--    <VMSinfo VKey="71993" SVKey="86617" VRelease="5"/>
-+    <VMSinfo VKey="204455" SVKey="204455r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must be configured so that the x86 Ctrl-Alt-Delete key sequence is disabled on the command line."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="dconf_gnome_disable_ctrlaltdel_reboot" ownerid="RHEL-07-020231" disa="366" severity="high">
--    <VMSinfo VKey="94843" SVKey="104673" VRelease="r2"/>
-+    <VMSinfo VKey="204456" SVKey="204456r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must be configured so that the x86 Ctrl-Alt-Delete key sequence is disabled in the Graphical User Interface."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="accounts_umask_etc_login_defs" ownerid="RHEL-07-020240" disa="366" severity="medium">
--    <VMSinfo VKey="71995" SVKey="86619" VRelease="2"/>
-+    <VMSinfo VKey="204457" SVKey="204457r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must define default permissions for all authenticated users in such a way that the user can only read and modify their own files."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="installed_OS_is_vendor_supported" ownerid="RHEL-07-020250" disa="366" severity="high">
--    <VMSinfo VKey="71997" SVKey="86621" VRelease="6"/>
-+    <VMSinfo VKey="204458" SVKey="204458r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must be a vendor supported release."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="security_patches_up_to_date" ownerid="RHEL-07-020260" disa="366" severity="medium">
--    <VMSinfo VKey="71999" SVKey="86623" VRelease="4"/>
-+    <VMSinfo VKey="204459" SVKey="204459r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system security patches and updates must be installed and up to date."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="sshd_disable_root_login" ownerid="RHEL-07-020270" disa="366" severity="medium">
--    <VMSinfo VKey="72001" SVKey="86625" VRelease="2"/>
-+    <VMSinfo VKey="204460" SVKey="204460r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must not have unnecessary accounts."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="gid_passwd_group_same" ownerid="RHEL-07-020300" disa="764" severity="low">
--    <VMSinfo VKey="72003" SVKey="86627" VRelease="2"/>
-+    <VMSinfo VKey="204461" SVKey="204461r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must be configured so that all Group Identifiers (GIDs) referenced in the /etc/passwd file are defined in the /etc/group file."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="accounts_no_uid_except_zero" ownerid="RHEL-07-020310" disa="366" severity="high">
--    <VMSinfo VKey="72005" SVKey="86629" VRelease="2"/>
-+    <VMSinfo VKey="204462" SVKey="204462r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must be configured so that the root account must be the only account having unrestricted access to the system."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="no_files_unowned_by_user" ownerid="RHEL-07-020320" disa="2165" severity="medium">
--    <VMSinfo VKey="72007" SVKey="86631" VRelease="3"/>
-+    <VMSinfo VKey="204463" SVKey="204463r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must be configured so that all files and directories have a valid owner."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="file_permissions_ungroupowned" ownerid="RHEL-07-020330" disa="2165" severity="medium">
--    <VMSinfo VKey="72009" SVKey="86633" VRelease="3"/>
-+    <VMSinfo VKey="204464" SVKey="204464r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must be configured so that all files and directories have a valid group owner."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="accounts_have_homedir_login_defs" ownerid="RHEL-07-020610" disa="366" severity="medium">
--    <VMSinfo VKey="72013" SVKey="86637" VRelease="2"/>
-+    <VMSinfo VKey="204466" SVKey="204466r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must be configured so that all local interactive user accounts, upon creation, are assigned a home directory."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="accounts_user_interactive_home_directory_exists" ownerid="RHEL-07-020620" disa="366" severity="medium">
--    <VMSinfo VKey="72015" SVKey="86639" VRelease="3"/>
-+    <VMSinfo VKey="204467" SVKey="204467r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must be configured so that all local interactive users have a home directory assigned and defined in the /etc/passwd file."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="file_permissions_home_directories" ownerid="RHEL-07-020630" disa="366" severity="medium">
--    <VMSinfo VKey="72017" SVKey="86641" VRelease="3"/>
-+    <VMSinfo VKey="204468" SVKey="204468r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must be configured so that all local interactive user home directories have mode 0750 or less permissive."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="file_ownership_home_directories" ownerid="RHEL-07-020640" disa="366" severity="medium">
--    <VMSinfo VKey="72019" SVKey="86643" VRelease="5"/>
-+    <VMSinfo VKey="204469" SVKey="204469r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must be configured so that all local interactive user home directories are owned by their respective users."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="file_groupownership_home_directories" ownerid="RHEL-07-020650" disa="366" severity="medium">
--    <VMSinfo VKey="72021" SVKey="86645" VRelease="5"/>
-+    <VMSinfo VKey="204470" SVKey="204470r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must be configured so that all local interactive user home directories are group-owned by the home directory owners primary group."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="accounts_users_home_files_ownership" ownerid="RHEL-07-020660" disa="366" severity="medium">
--    <VMSinfo VKey="72023" SVKey="86647" VRelease="2"/>
-+    <VMSinfo VKey="204471" SVKey="204471r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must be configured so that all files and directories contained in local interactive user home directories are owned by the owner of the home directory."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="accounts_users_home_files_groupownership" ownerid="RHEL-07-020670" disa="366" severity="medium">
--    <VMSinfo VKey="72025" SVKey="86649" VRelease="2"/>
-+    <VMSinfo VKey="204472" SVKey="204472r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must be configured so that all files and directories contained in local interactive user home directories are group-owned by a group of which the home directory owner is a member."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="accounts_users_home_files_permissions" ownerid="RHEL-07-020680" disa="366" severity="medium">
--    <VMSinfo VKey="72027" SVKey="86651" VRelease="2"/>
-+    <VMSinfo VKey="204473" SVKey="204473r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must be configured so that all files and directories contained in local interactive user home directories have a mode of 0750 or less permissive."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="accounts_user_dot_user_ownership" ownerid="RHEL-07-020690" disa="366" severity="medium">
--    <VMSinfo VKey="72029" SVKey="86653" VRelease="4"/>
-+    <VMSinfo VKey="204474" SVKey="204474r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must be configured so that all local initialization files for interactive users are owned by the home directory user or root."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="accounts_user_dot_group_ownership" ownerid="RHEL-07-020700" disa="366" severity="medium">
--    <VMSinfo VKey="72031" SVKey="86655" VRelease="4"/>
-+    <VMSinfo VKey="204475" SVKey="204475r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must be configured so that all local initialization files for local interactive users are be group-owned by the users primary group or root."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="file_permission_user_init_files" ownerid="RHEL-07-020710" disa="366" severity="medium">
--    <VMSinfo VKey="72033" SVKey="86657" VRelease="3"/>
-+    <VMSinfo VKey="204476" SVKey="204476r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must be configured so that all local initialization files have mode 0740 or less permissive."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="accounts_user_home_paths_only" ownerid="RHEL-07-020720" disa="366" severity="medium">
--    <VMSinfo VKey="72035" SVKey="86659" VRelease="4"/>
-+    <VMSinfo VKey="204477" SVKey="204477r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must be configured so that all local interactive user initialization files executable search paths contain only paths that resolve to the users home directory."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="accounts_user_dot_no_world_writable_programs" ownerid="RHEL-07-020730" disa="366" severity="medium">
--    <VMSinfo VKey="72037" SVKey="86661" VRelease="2"/>
-+    <VMSinfo VKey="204478" SVKey="204478r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must be configured so that local initialization files do not execute world-writable programs."/>
-   </overlay>
--  <overlay owner="disastig" ruleid="selinux_all_devicefiles_labeled" ownerid="RHEL-07-020900" disa="1814" severity="medium">
--    <VMSinfo VKey="72039" SVKey="86663" VRelease="2"/>
-+  <overlay owner="disastig" ruleid="selinux_all_devicefiles_labeled" ownerid="RHEL-07-020900" disa="1812" severity="medium">
-+    <VMSinfo VKey="204479" SVKey="204479r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must be configured so that all system device files are correctly labeled to prevent unauthorized modification."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="mount_option_home_nosuid" ownerid="RHEL-07-021000" disa="366" severity="medium">
--    <VMSinfo VKey="72041" SVKey="86665" VRelease="4"/>
-+    <VMSinfo VKey="204480" SVKey="204480r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must be configured so that file systems containing user home directories are mounted to prevent files with the setuid and setgid bit set from being executed."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="mount_option_nosuid_removable_partitions" ownerid="RHEL-07-021010" disa="366" severity="medium">
--    <VMSinfo VKey="72043" SVKey="86667" VRelease="2"/>
-+    <VMSinfo VKey="204481" SVKey="204481r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must prevent files with the setuid and setgid bit set from being executed on file systems that are used with removable media."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="mount_option_nosuid_remote_filesystems" ownerid="RHEL-07-021020" disa="366" severity="medium">
--    <VMSinfo VKey="72045" SVKey="86669" VRelease="2"/>
-+    <VMSinfo VKey="204482" SVKey="204482r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must prevent files with the setuid and setgid bit set from being executed on file systems that are being imported via Network File System (NFS)."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="mount_option_noexec_remote_filesystems" ownerid="RHEL-07-021021" disa="366" severity="medium">
--    <VMSinfo VKey="73161" SVKey="87813" VRelease="2"/>
-+    <VMSinfo VKey="204483" SVKey="204483r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must prevent binary files from being executed on file systems that are being imported via Network File System (NFS)."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="mount_option_dev_shm_noexec" ownerid="RHEL-07-021024" disa="1764" severity="low">
--    <VMSinfo VKey="81013" SVKey="95725" VRelease="3"/>
-+    <VMSinfo VKey="204486" SVKey="204486r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must mount /dev/shm with secure options."/>
-   </overlay>
--  <overlay owner="disastig" ruleid="dir_perms_world_writable_system_owned" ownerid="RHEL-07-021030" disa="366" severity="medium">
--    <VMSinfo VKey="72047" SVKey="86671" VRelease="4"/>
-+  <overlay owner="disastig" ruleid="dir_perms_world_writable_system_owned_group" ownerid="RHEL-07-021030" disa="366" severity="medium">
-+    <VMSinfo VKey="204487" SVKey="204487r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must be configured so that all world-writable directories are group-owned by root, sys, bin, or an application group."/>
-   </overlay>
-+  <overlay owner="disastig" ruleid="dir_perms_world_writable_system_owned" ownerid="RHEL-07-021031" disa="366" severity="medium">
-+    <VMSinfo VKey="228563" SVKey="228563r5059" VRelease="r505924"/>
-+    <title text="The Red Hat Enterprise Linux operating system must be configured so that all world-writable directories are owned by root, sys, bin, or an application user."/>
-+  </overlay>
-   <overlay owner="disastig" ruleid="accounts_umask_interactive_users" ownerid="RHEL-07-021040" disa="1814" severity="medium">
--    <VMSinfo VKey="72049" SVKey="86673" VRelease="2"/>
-+    <VMSinfo VKey="204488" SVKey="204488r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must set the umask value to 077 for all local interactive user accounts."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="rsyslog_cron_logging" ownerid="RHEL-07-021100" disa="366" severity="medium">
--    <VMSinfo VKey="72051" SVKey="86675" VRelease="2"/>
-+    <VMSinfo VKey="204489" SVKey="204489r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must have cron logging implemented."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="file_owner_cron_allow" ownerid="RHEL-07-021110" disa="366" severity="medium">
--    <VMSinfo VKey="72053" SVKey="86677" VRelease="3"/>
-+    <VMSinfo VKey="204490" SVKey="204490r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must be configured so that the cron.allow file, if it exists, is owned by root."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="file_groupowner_cron_allow" ownerid="RHEL-07-021120" disa="366" severity="medium">
--    <VMSinfo VKey="72055" SVKey="86679" VRelease="2"/>
-+    <VMSinfo VKey="204491" SVKey="204491r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must be configured so that the cron.allow file, if it exists, is group-owned by root."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="service_kdump_disabled" ownerid="RHEL-07-021300" disa="366" severity="medium">
--    <VMSinfo VKey="72057" SVKey="86681" VRelease="2"/>
-+    <VMSinfo VKey="204492" SVKey="204492r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must disable Kernel core dumps unless needed."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="partition_for_home" ownerid="RHEL-07-021310" disa="366" severity="low">
--    <VMSinfo VKey="72059" SVKey="86683" VRelease="2"/>
-+    <VMSinfo VKey="204493" SVKey="204493r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must be configured so that a separate file system is used for user home directories (such as /home or an equivalent)."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="partition_for_var" ownerid="RHEL-07-021320" disa="366" severity="low">
--    <VMSinfo VKey="72061" SVKey="86685" VRelease="2"/>
-+    <VMSinfo VKey="204494" SVKey="204494r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must use a separate file system for /var."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="partition_for_var_log_audit" ownerid="RHEL-07-021330" disa="366" severity="low">
--    <VMSinfo VKey="72063" SVKey="86687" VRelease="6"/>
-+    <VMSinfo VKey="204495" SVKey="204495r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must use a separate file system for the system audit data path."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="partition_for_tmp" ownerid="RHEL-07-021340" disa="366" severity="low">
--    <VMSinfo VKey="72065" SVKey="86689" VRelease="3"/>
-+    <VMSinfo VKey="204496" SVKey="204496r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must use a separate file system for /tmp (or equivalent)."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="grub2_enable_fips_mode" ownerid="RHEL-07-021350" disa="2476" severity="high">
--    <VMSinfo VKey="72067" SVKey="86691" VRelease="4"/>
-+    <VMSinfo VKey="204497" SVKey="204497r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="aide_verify_acls" ownerid="RHEL-07-021600" disa="366" severity="low">
--    <VMSinfo VKey="72069" SVKey="86693" VRelease="3"/>
-+    <VMSinfo VKey="204498" SVKey="204498r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must be configured so that the file integrity tool is configured to verify Access Control Lists (ACLs)."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="aide_verify_ext_attributes" ownerid="RHEL-07-021610" disa="366" severity="low">
--    <VMSinfo VKey="72071" SVKey="86695" VRelease="3"/>
-+    <VMSinfo VKey="204499" SVKey="204499r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must be configured so that the file integrity tool is configured to verify extended attributes."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="aide_use_fips_hashes" ownerid="RHEL-07-021620" disa="366" severity="medium">
--    <VMSinfo VKey="72073" SVKey="86697" VRelease="4"/>
-+    <VMSinfo VKey="204500" SVKey="204500r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must use a file integrity tool that is configured to use FIPS 140-2 approved cryptographic hashes for validating file contents and directories."/>
-   </overlay>
--  <overlay owner="disastig" ruleid="uefi_no_removeable_media" ownerid="RHEL-07-021700" disa="1814" severity="medium">
--    <VMSinfo VKey="72075" SVKey="86699" VRelease="2"/>
-+  <overlay owner="disastig" ruleid="uefi_no_removeable_media" ownerid="RHEL-07-021700" disa="1812" severity="medium">
-+    <VMSinfo VKey="204501" SVKey="204501r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must not allow removable media to be used as the boot loader unless approved."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="package_telnet-server_removed" ownerid="RHEL-07-021710" disa="381" severity="high">
--    <VMSinfo VKey="72077" SVKey="86701" VRelease="2"/>
-+    <VMSinfo VKey="204502" SVKey="204502r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must not have the telnet-server package installed."/>
-   </overlay>
--  <overlay owner="disastig" ruleid="service_auditd_enabled" ownerid="RHEL-07-030000" disa="131" severity="high">
--    <VMSinfo VKey="72079" SVKey="86703" VRelease="3"/>
-+  <overlay owner="disastig" ruleid="service_auditd_enabled" ownerid="RHEL-07-030000" disa="126" severity="medium">
-+    <VMSinfo VKey="204503" SVKey="204503r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must be configured so that auditing is configured to produce records containing information to establish what type of events occurred, where the events occurred, the source of the events, and the outcome of the events. These audit records must also identify individual identities of group account users."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="audit_rules_system_shutdown" ownerid="RHEL-07-030010" disa="139" severity="medium">
--    <VMSinfo VKey="72081" SVKey="86705" VRelease="5"/>
-+    <VMSinfo VKey="204504" SVKey="204504r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must shut down upon audit processing failure, unless availability is an overriding concern. If availability is a concern, the system must alert the designated staff (System Administrator [SA] and Information System Security Officer [ISSO] at a minimum) in the event of an audit processing failure."/>
-   </overlay>
--  <overlay owner="disastig" ruleid="auditd_audispd_configure_remote_server" ownerid="RHEL-07-030201" disa="1851" severity="medium">
--    <VMSinfo VKey="81017" SVKey="95729" VRelease="2"/>
-+  <overlay owner="disastig" ruleid="auditd_audispd_encrypt_sent_records" ownerid="RHEL-07-030201" disa="1851" severity="medium">
-+    <VMSinfo VKey="204506" SVKey="204506r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must be configured to off-load audit logs onto a different system or storage media from the system being audited."/>
-   </overlay>
--  <overlay owner="disastig" ruleid="auditd_audispd_configure_remote_server" ownerid="RHEL-07-030210" disa="1851" severity="medium">
--    <VMSinfo VKey="81019" SVKey="95731" VRelease="1"/>
--    <title text="The Red Hat Enterprise Linux operating system must take appropriate action when the audisp-remote buffer is full."/>
-+  <overlay owner="disastig" ruleid="auditd_audispd_encrypt_sent_records" ownerid="RHEL-07-030210" disa="1851" severity="medium">
-+    <VMSinfo VKey="204507" SVKey="204507r5059" VRelease="r505924"/>
-+    <title text="The Red Hat Enterprise Linux operating system must take appropriate action when the remote logging buffer is full."/>
-   </overlay>
--  <overlay owner="disastig" ruleid="auditd_audispd_configure_remote_server" ownerid="RHEL-07-030211" disa="1851" severity="medium">
--    <VMSinfo VKey="81021" SVKey="95733" VRelease="1"/>
-+  <overlay owner="disastig" ruleid="auditd_audispd_encrypt_sent_records" ownerid="RHEL-07-030211" disa="1851" severity="medium">
-+    <VMSinfo VKey="204508" SVKey="204508r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must label all off-loaded audit logs before sending them to the central log server."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="auditd_audispd_configure_remote_server" ownerid="RHEL-07-030300" disa="1851" severity="medium">
--    <VMSinfo VKey="72083" SVKey="86707" VRelease="2"/>
-+    <VMSinfo VKey="204509" SVKey="204509r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must off-load audit records onto a different system or media from the system being audited."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="auditd_audispd_encrypt_sent_records" ownerid="RHEL-07-030310" disa="1851" severity="medium">
--    <VMSinfo VKey="72085" SVKey="86709" VRelease="2"/>
-+    <VMSinfo VKey="204510" SVKey="204510r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must encrypt the transfer of audit records off-loaded onto a different system or media from the system being audited."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="auditd_audispd_disk_full_action" ownerid="RHEL-07-030320" disa="1851" severity="medium">
--    <VMSinfo VKey="72087" SVKey="86711" VRelease="3"/>
-+    <VMSinfo VKey="204511" SVKey="204511r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must be configured so that the audit system takes appropriate action when the audit storage volume is full."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="auditd_audispd_network_failure_action" ownerid="RHEL-07-030321" disa="1851" severity="medium">
--    <VMSinfo VKey="73163" SVKey="87815" VRelease="3"/>
-+    <VMSinfo VKey="204512" SVKey="204512r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must be configured so that the audit system takes appropriate action when there is an error sending audit records to a remote system."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="auditd_data_retention_space_left" ownerid="RHEL-07-030330" disa="1855" severity="medium">
--    <VMSinfo VKey="72089" SVKey="86713" VRelease="4"/>
-+    <VMSinfo VKey="204513" SVKey="204513r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must initiate an action to notify the System Administrator (SA) and Information System Security Officer ISSO, at a minimum, when allocated audit record storage volume reaches 75% of the repository maximum audit record storage capacity."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="auditd_data_retention_space_left_action" ownerid="RHEL-07-030340" disa="1855" severity="medium">
--    <VMSinfo VKey="72091" SVKey="86715" VRelease="2"/>
-+    <VMSinfo VKey="204514" SVKey="204514r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must immediately notify the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) via email when the threshold for the repository maximum audit record storage capacity is reached."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="auditd_data_retention_action_mail_acct" ownerid="RHEL-07-030350" disa="1855" severity="medium">
--    <VMSinfo VKey="72093" SVKey="86717" VRelease="3"/>
-+    <VMSinfo VKey="204515" SVKey="204515r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must immediately notify the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) when the threshold for the repository maximum audit record storage capacity is reached."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="audit_rules_privileged_commands" ownerid="RHEL-07-030360" disa="2234" severity="medium">
--    <VMSinfo VKey="72095" SVKey="86719" VRelease="7"/>
-+    <VMSinfo VKey="204516" SVKey="204516r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must audit all executions of privileged functions."/>
-   </overlay>
--  <overlay owner="disastig" ruleid="audit_rules_dac_modification_chown" ownerid="RHEL-07-030370" disa="172" severity="medium">
--    <VMSinfo VKey="72097" SVKey="86721" VRelease="6"/>
-+  <overlay owner="disastig" ruleid="audit_rules_dac_modification_chown" ownerid="RHEL-07-030370" disa="126" severity="medium">
-+    <VMSinfo VKey="204517" SVKey="204517r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must audit all uses of the chown syscall."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="audit_rules_dac_modification_fchown" ownerid="RHEL-07-030380" disa="172" severity="medium">
--    <VMSinfo VKey="72099" SVKey="86723" VRelease="6"/>
-+    <VMSinfo VKey="204518" SVKey="204518r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must audit all uses of the fchown syscall."/>
-   </overlay>
--  <overlay owner="disastig" ruleid="audit_rules_dac_modification_lchown" ownerid="RHEL-07-030390" disa="172" severity="medium">
--    <VMSinfo VKey="72101" SVKey="86725" VRelease="6"/>
-+  <overlay owner="disastig" ruleid="audit_rules_dac_modification_lchown" ownerid="RHEL-07-030390" disa="126" severity="medium">
-+    <VMSinfo VKey="204519" SVKey="204519r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must audit all uses of the lchown syscall."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="audit_rules_dac_modification_fchownat" ownerid="RHEL-07-030400" disa="172" severity="medium">
--    <VMSinfo VKey="72103" SVKey="86727" VRelease="6"/>
-+    <VMSinfo VKey="204520" SVKey="204520r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must audit all uses of the fchownat syscall."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="audit_rules_dac_modification_chmod" ownerid="RHEL-07-030410" disa="172" severity="medium">
--    <VMSinfo VKey="72105" SVKey="86729" VRelease="6"/>
-+    <VMSinfo VKey="204521" SVKey="204521r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must audit all uses of the chmod syscall."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="audit_rules_dac_modification_fchmod" ownerid="RHEL-07-030420" disa="172" severity="medium">
--    <VMSinfo VKey="72107" SVKey="86731" VRelease="6"/>
-+    <VMSinfo VKey="204522" SVKey="204522r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must audit all uses of the fchmod syscall."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="audit_rules_dac_modification_fchmodat" ownerid="RHEL-07-030430" disa="172" severity="medium">
--    <VMSinfo VKey="72109" SVKey="86733" VRelease="6"/>
-+    <VMSinfo VKey="204523" SVKey="204523r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must audit all uses of the fchmodat syscall."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="audit_rules_dac_modification_setxattr" ownerid="RHEL-07-030440" disa="172" severity="medium">
--    <VMSinfo VKey="72111" SVKey="86735" VRelease="6"/>
-+    <VMSinfo VKey="204524" SVKey="204524r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must audit all uses of the setxattr syscall."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="audit_rules_dac_modification_fsetxattr" ownerid="RHEL-07-030450" disa="172" severity="medium">
--    <VMSinfo VKey="72113" SVKey="86737" VRelease="6"/>
-+    <VMSinfo VKey="204525" SVKey="204525r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must audit all uses of the fsetxattr syscall."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="audit_rules_dac_modification_lsetxattr" ownerid="RHEL-07-030460" disa="172" severity="medium">
--    <VMSinfo VKey="72115" SVKey="86739" VRelease="6"/>
-+    <VMSinfo VKey="204526" SVKey="204526r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must audit all uses of the lsetxattr syscall."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="audit_rules_dac_modification_removexattr" ownerid="RHEL-07-030470" disa="172" severity="medium">
--    <VMSinfo VKey="72117" SVKey="86741" VRelease="6"/>
-+    <VMSinfo VKey="204527" SVKey="204527r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must audit all uses of the removexattr syscall."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="audit_rules_dac_modification_fremovexattr" ownerid="RHEL-07-030480" disa="172" severity="medium">
--    <VMSinfo VKey="72119" SVKey="86743" VRelease="6"/>
-+    <VMSinfo VKey="204528" SVKey="204528r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must audit all uses of the fremovexattr syscall."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="audit_rules_dac_modification_lremovexattr" ownerid="RHEL-07-030490" disa="172" severity="medium">
--    <VMSinfo VKey="72121" SVKey="86745" VRelease="6"/>
-+    <VMSinfo VKey="204529" SVKey="204529r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must audit all uses of the lremovexattr syscall."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="audit_rules_unsuccessful_file_modification_creat" ownerid="RHEL-07-030500" disa="2884" severity="medium">
--    <VMSinfo VKey="72123" SVKey="86747" VRelease="6"/>
-+    <VMSinfo VKey="204530" SVKey="204530r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must audit all uses of the creat syscall."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="audit_rules_unsuccessful_file_modification_open" ownerid="RHEL-07-030510" disa="2884" severity="medium">
--    <VMSinfo VKey="72125" SVKey="86749" VRelease="6"/>
-+    <VMSinfo VKey="204531" SVKey="204531r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must audit all uses of the open syscall."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="audit_rules_unsuccessful_file_modification_openat" ownerid="RHEL-07-030520" disa="2884" severity="medium">
--    <VMSinfo VKey="72127" SVKey="86751" VRelease="6"/>
-+    <VMSinfo VKey="204532" SVKey="204532r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must audit all uses of the openat syscall."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="audit_rules_unsuccessful_file_modification_open_by_handle_at" ownerid="RHEL-07-030530" disa="2884" severity="medium">
--    <VMSinfo VKey="72129" SVKey="86753" VRelease="6"/>
-+    <VMSinfo VKey="204533" SVKey="204533r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must audit all uses of the open_by_handle_at syscall."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="audit_rules_unsuccessful_file_modification_truncate" ownerid="RHEL-07-030540" disa="2884" severity="medium">
--    <VMSinfo VKey="72131" SVKey="86755" VRelease="6"/>
-+    <VMSinfo VKey="204534" SVKey="204534r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must audit all uses of the truncate syscall."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="audit_rules_unsuccessful_file_modification_ftruncate" ownerid="RHEL-07-030550" disa="2884" severity="medium">
--    <VMSinfo VKey="72133" SVKey="86757" VRelease="6"/>
-+    <VMSinfo VKey="204535" SVKey="204535r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must audit all uses of the ftruncate syscall."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="audit_rules_execution_semanage" ownerid="RHEL-07-030560" disa="2884" severity="medium">
--    <VMSinfo VKey="72135" SVKey="86759" VRelease="5"/>
-+    <VMSinfo VKey="204536" SVKey="204536r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must audit all uses of the semanage command."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="audit_rules_execution_setsebool" ownerid="RHEL-07-030570" disa="2884" severity="medium">
--    <VMSinfo VKey="72137" SVKey="86761" VRelease="5"/>
-+    <VMSinfo VKey="204537" SVKey="204537r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must audit all uses of the setsebool command."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="audit_rules_execution_chcon" ownerid="RHEL-07-030580" disa="2884" severity="medium">
--    <VMSinfo VKey="72139" SVKey="86763" VRelease="5"/>
-+    <VMSinfo VKey="204538" SVKey="204538r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must audit all uses of the chcon command."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="audit_rules_execution_setfiles" ownerid="RHEL-07-030590" disa="2884" severity="medium">
--    <VMSinfo VKey="72141" SVKey="86765" VRelease="6"/>
-+    <VMSinfo VKey="204539" SVKey="204539r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must audit all uses of the setfiles command."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="audit_rules_login_events_faillock" ownerid="RHEL-07-030610" disa="2884" severity="medium">
--    <VMSinfo VKey="72145" SVKey="86769" VRelease="4"/>
-+    <VMSinfo VKey="204540" SVKey="204540r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must generate audit records for all unsuccessful account access events."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="audit_rules_login_events_lastlog" ownerid="RHEL-07-030620" disa="2884" severity="medium">
--    <VMSinfo VKey="72147" SVKey="86771" VRelease="3"/>
-+    <VMSinfo VKey="204541" SVKey="204541r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must generate audit records for all successful account access events."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="audit_rules_privileged_commands_passwd" ownerid="RHEL-07-030630" disa="2884" severity="medium">
--    <VMSinfo VKey="72149" SVKey="86773" VRelease="6"/>
-+    <VMSinfo VKey="204542" SVKey="204542r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must audit all uses of the passwd command."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="audit_rules_privileged_commands_unix_chkpwd" ownerid="RHEL-07-030640" disa="2884" severity="medium">
--    <VMSinfo VKey="72151" SVKey="86775" VRelease="6"/>
-+    <VMSinfo VKey="204543" SVKey="204543r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must audit all uses of the unix_chkpwd command."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="audit_rules_privileged_commands_gpasswd" ownerid="RHEL-07-030650" disa="2884" severity="medium">
--    <VMSinfo VKey="72153" SVKey="86777" VRelease="6"/>
-+    <VMSinfo VKey="204544" SVKey="204544r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must audit all uses of the gpasswd command."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="audit_rules_privileged_commands_chage" ownerid="RHEL-07-030660" disa="2884" severity="medium">
--    <VMSinfo VKey="72155" SVKey="86779" VRelease="6"/>
-+    <VMSinfo VKey="204545" SVKey="204545r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must audit all uses of the chage command."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="audit_rules_privileged_commands_userhelper" ownerid="RHEL-07-030670" disa="2884" severity="medium">
--    <VMSinfo VKey="72157" SVKey="86781" VRelease="6"/>
-+    <VMSinfo VKey="204546" SVKey="204546r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must audit all uses of the userhelper command."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="audit_rules_privileged_commands_su" ownerid="RHEL-07-030680" disa="2884" severity="medium">
--    <VMSinfo VKey="72159" SVKey="86783" VRelease="6"/>
-+    <VMSinfo VKey="204547" SVKey="204547r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must audit all uses of the su command."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="audit_rules_privileged_commands_sudo" ownerid="RHEL-07-030690" disa="2884" severity="medium">
--    <VMSinfo VKey="72161" SVKey="86785" VRelease="5"/>
-+    <VMSinfo VKey="204548" SVKey="204548r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must audit all uses of the sudo command."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="audit_rules_sysadmin_actions" ownerid="RHEL-07-030700" disa="2884" severity="medium">
--    <VMSinfo VKey="72163" SVKey="86787" VRelease="5"/>
-+    <VMSinfo VKey="204549" SVKey="204549r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must audit all uses of the sudoers file and all files in the /etc/sudoers.d/ directory."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="audit_rules_privileged_commands_newgrp" ownerid="RHEL-07-030710" disa="2884" severity="medium">
--    <VMSinfo VKey="72165" SVKey="86789" VRelease="5"/>
-+    <VMSinfo VKey="204550" SVKey="204550r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must audit all uses of the newgrp command."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="audit_rules_privileged_commands_chsh" ownerid="RHEL-07-030720" disa="2884" severity="medium">
--    <VMSinfo VKey="72167" SVKey="86791" VRelease="5"/>
-+    <VMSinfo VKey="204551" SVKey="204551r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must audit all uses of the chsh command."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="audit_rules_privileged_commands_mount" ownerid="RHEL-07-030740" disa="2884" severity="medium">
--    <VMSinfo VKey="72171" SVKey="86795" VRelease="8"/>
-+    <VMSinfo VKey="204552" SVKey="204552r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must audit all uses of the mount command and syscall."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="audit_rules_privileged_commands_umount" ownerid="RHEL-07-030750" disa="2884" severity="medium">
--    <VMSinfo VKey="72173" SVKey="86797" VRelease="6"/>
-+    <VMSinfo VKey="204553" SVKey="204553r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must audit all uses of the umount command."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="audit_rules_privileged_commands_postdrop" ownerid="RHEL-07-030760" disa="2884" severity="medium">
--    <VMSinfo VKey="72175" SVKey="86799" VRelease="5"/>
-+    <VMSinfo VKey="204554" SVKey="204554r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must audit all uses of the postdrop command."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="audit_rules_privileged_commands_postqueue" ownerid="RHEL-07-030770" disa="2884" severity="medium">
--    <VMSinfo VKey="72177" SVKey="86801" VRelease="4"/>
-+    <VMSinfo VKey="204555" SVKey="204555r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must audit all uses of the postqueue command."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="audit_rules_privileged_commands_ssh_keysign" ownerid="RHEL-07-030780" disa="2884" severity="medium">
--    <VMSinfo VKey="72179" SVKey="86803" VRelease="4"/>
-+    <VMSinfo VKey="204556" SVKey="204556r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must audit all uses of the ssh-keysign command."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="audit_rules_privileged_commands_crontab" ownerid="RHEL-07-030800" disa="2884" severity="medium">
--    <VMSinfo VKey="72183" SVKey="86807" VRelease="4"/>
-+    <VMSinfo VKey="204557" SVKey="204557r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must audit all uses of the crontab command."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="audit_rules_privileged_commands_pam_timestamp_check" ownerid="RHEL-07-030810" disa="172" severity="medium">
--    <VMSinfo VKey="72185" SVKey="86809" VRelease="5"/>
-+    <VMSinfo VKey="204558" SVKey="204558r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must audit all uses of the pam_timestamp_check command."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="audit_rules_kernel_module_loading_delete" ownerid="RHEL-07-030819" disa="172" severity="medium">
--    <VMSinfo VKey="78999" SVKey="93705" VRelease="3"/>
-+    <VMSinfo VKey="204559" SVKey="204559r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must audit all uses of the create_module syscall."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="audit_rules_kernel_module_loading_init" ownerid="RHEL-07-030820" disa="172" severity="medium">
--    <VMSinfo VKey="72187" SVKey="86811" VRelease="5"/>
-+    <VMSinfo VKey="204560" SVKey="204560r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must audit all uses of the init_module syscall."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="audit_rules_kernel_module_loading_finit" ownerid="RHEL-07-030821" disa="172" severity="medium">
--    <VMSinfo VKey="79001" SVKey="93707" VRelease="3"/>
-+    <VMSinfo VKey="204561" SVKey="204561r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must audit all uses of the finit_module syscall."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="audit_rules_kernel_module_loading_delete" ownerid="RHEL-07-030830" disa="172" severity="medium">
--    <VMSinfo VKey="72189" SVKey="86813" VRelease="5"/>
-+    <VMSinfo VKey="204562" SVKey="204562r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must audit all uses of the delete_module syscall."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="audit_rules_kernel_module_loading_delete" ownerid="RHEL-07-030840" disa="172" severity="medium">
--    <VMSinfo VKey="72191" SVKey="86815" VRelease="6"/>
-+    <VMSinfo VKey="204563" SVKey="204563r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must audit all uses of the kmod command."/>
-   </overlay>
--  <overlay owner="disastig" ruleid="audit_rules_usergroup_modification_passwd" ownerid="RHEL-07-030870" disa="2130" severity="medium">
--    <VMSinfo VKey="72197" SVKey="86821" VRelease="5"/>
-+  <overlay owner="disastig" ruleid="audit_rules_usergroup_modification_passwd" ownerid="RHEL-07-030870" disa="1403" severity="medium">
-+    <VMSinfo VKey="204564" SVKey="204564r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="audit_rules_usergroup_modification_group" ownerid="RHEL-07-030871" disa="2130" severity="medium">
--    <VMSinfo VKey="73165" SVKey="87817" VRelease="3"/>
-+    <VMSinfo VKey="204565" SVKey="204565r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/group."/>
-   </overlay>
--  <overlay owner="disastig" ruleid="audit_rules_usergroup_modification_gshadow" ownerid="RHEL-07-030872" disa="2130" severity="medium">
--    <VMSinfo VKey="73167" SVKey="87819" VRelease="4"/>
-+  <overlay owner="disastig" ruleid="audit_rules_usergroup_modification_gshadow" ownerid="RHEL-07-030872" disa="1403" severity="medium">
-+    <VMSinfo VKey="204566" SVKey="204566r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/gshadow."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="audit_rules_usergroup_modification_shadow" ownerid="RHEL-07-030873" disa="2130" severity="medium">
--    <VMSinfo VKey="73171" SVKey="87823" VRelease="4"/>
-+    <VMSinfo VKey="204567" SVKey="204567r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow."/>
-   </overlay>
--  <overlay owner="disastig" ruleid="audit_rules_usergroup_modification_opasswd" ownerid="RHEL-07-030874" disa="2130" severity="medium">
--    <VMSinfo VKey="73173" SVKey="87825" VRelease="5"/>
-+  <overlay owner="disastig" ruleid="audit_rules_usergroup_modification_opasswd" ownerid="RHEL-07-030874" disa="1403" severity="medium">
-+    <VMSinfo VKey="204568" SVKey="204568r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/opasswd."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="audit_rules_file_deletion_events_rename" ownerid="RHEL-07-030880" disa="2884" severity="medium">
--    <VMSinfo VKey="72199" SVKey="86823" VRelease="6"/>
-+    <VMSinfo VKey="204569" SVKey="204569r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must audit all uses of the rename syscall."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="audit_rules_file_deletion_events_renameat" ownerid="RHEL-07-030890" disa="2884" severity="medium">
--    <VMSinfo VKey="72201" SVKey="86825" VRelease="6"/>
-+    <VMSinfo VKey="204570" SVKey="204570r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must audit all uses of the renameat syscall."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="audit_rules_file_deletion_events_rmdir" ownerid="RHEL-07-030900" disa="2884" severity="medium">
--    <VMSinfo VKey="72203" SVKey="86827" VRelease="6"/>
-+    <VMSinfo VKey="204571" SVKey="204571r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must audit all uses of the rmdir syscall."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="audit_rules_file_deletion_events_unlink" ownerid="RHEL-07-030910" disa="2884" severity="medium">
--    <VMSinfo VKey="72205" SVKey="86829" VRelease="6"/>
-+    <VMSinfo VKey="204572" SVKey="204572r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must audit all uses of the unlink syscall."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="audit_rules_file_deletion_events_unlinkat" ownerid="RHEL-07-030920" disa="2884" severity="medium">
--    <VMSinfo VKey="72207" SVKey="86831" VRelease="6"/>
-+    <VMSinfo VKey="204573" SVKey="204573r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must audit all uses of the unlinkat syscall."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="rsyslog_remote_loghost" ownerid="RHEL-07-031000" disa="366" severity="medium">
--    <VMSinfo VKey="72209" SVKey="86833" VRelease="2"/>
-+    <VMSinfo VKey="204574" SVKey="204574r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must send rsyslog output to a log aggregation server."/>
-   </overlay>
--  <overlay owner="disastig" ruleid="rsyslog_nolisten" ownerid="RHEL-07-031010" disa="1814" severity="medium">
--    <VMSinfo VKey="72211" SVKey="86835" VRelease="2"/>
-+  <overlay owner="disastig" ruleid="rsyslog_nolisten" ownerid="RHEL-07-031010" disa="368" severity="medium">
-+    <VMSinfo VKey="204575" SVKey="204575r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must be configured so that the rsyslog daemon does not accept log messages from other servers unless the server is being used for log aggregation."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="install_mcafee_antivirus" ownerid="RHEL-07-032000" disa="1668" severity="high">
--    <VMSinfo VKey="72213" SVKey="86837" VRelease="3"/>
-+    <VMSinfo VKey="214801" SVKey="214801r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must use a virus scan program."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="accounts_max_concurrent_login_sessions" ownerid="RHEL-07-040000" disa="54" severity="low">
--    <VMSinfo VKey="72217" SVKey="86841" VRelease="3"/>
-+    <VMSinfo VKey="204576" SVKey="204576r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must limit the number of concurrent sessions to 10 for all accounts and/or account types."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="configure_firewalld_ports" ownerid="RHEL-07-040100" disa="2314" severity="medium">
--    <VMSinfo VKey="72219" SVKey="86843" VRelease="2"/>
-+    <VMSinfo VKey="204577" SVKey="204577r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management Component Local Service Assessment (PPSM CLSA) and vulnerability assessments."/>
-   </overlay>
--  <overlay owner="disastig" ruleid="sshd_use_approved_ciphers" ownerid="RHEL-07-040110" disa="803" severity="medium">
--    <VMSinfo VKey="72221" SVKey="86845" VRelease="3"/>
-+  <overlay owner="disastig" ruleid="sshd_use_approved_ciphers" ownerid="RHEL-07-040110" disa="68" severity="medium">
-+    <VMSinfo VKey="204578" SVKey="204578r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must use a FIPS 140-2 approved cryptographic algorithm for SSH communications."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="accounts_tmout" ownerid="RHEL-07-040160" disa="2361" severity="medium">
--    <VMSinfo VKey="72223" SVKey="86847" VRelease="5"/>
-+    <VMSinfo VKey="204579" SVKey="204579r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must be configured so that all network connections associated with a communication session are terminated at the end of the session or after 15 minutes of inactivity from the user at a command prompt, except to fulfill documented and validated mission requirements."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="sshd_enable_warning_banner" ownerid="RHEL-07-040170" disa="1388" severity="medium">
--    <VMSinfo VKey="72225" SVKey="86849" VRelease="5"/>
-+    <VMSinfo VKey="204580" SVKey="204580r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must display the Standard Mandatory DoD Notice and Consent Banner immediately prior to, or as part of, remote access logon prompts."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="sssd_ldap_start_tls" ownerid="RHEL-07-040180" disa="1453" severity="medium">
--    <VMSinfo VKey="72227" SVKey="86851" VRelease="4"/>
-+    <VMSinfo VKey="204581" SVKey="204581r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must implement cryptography to protect the integrity of Lightweight Directory Access Protocol (LDAP) authentication communications."/>
-   </overlay>
--  <overlay owner="disastig" ruleid="sshd_use_approved_macs" ownerid="RHEL-07-040190" disa="1453" severity="medium">
--    <VMSinfo VKey="72229" SVKey="86853" VRelease="4"/>
-+  <overlay owner="disastig" ruleid="sssd_ldap_configure_tls_reqcert" ownerid="RHEL-07-040190" disa="1453" severity="medium">
-+    <VMSinfo VKey="204582" SVKey="204582r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must implement cryptography to protect the integrity of Lightweight Directory Access Protocol (LDAP) communications."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="sssd_ldap_configure_tls_ca_dir" ownerid="RHEL-07-040200" disa="1453" severity="medium">
--    <VMSinfo VKey="72231" SVKey="86855" VRelease="4"/>
-+    <VMSinfo VKey="204583" SVKey="204583r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must implement cryptography to protect the integrity of Lightweight Directory Access Protocol (LDAP) communications."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="sysctl_kernel_randomize_va_space" ownerid="RHEL-07-040201" disa="366" severity="medium">
--    <VMSinfo VKey="77825" SVKey="92521" VRelease="2"/>
-+    <VMSinfo VKey="204584" SVKey="204584r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must implement virtual address space randomization."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="package_openssh-server_installed" ownerid="RHEL-07-040300" disa="2422" severity="medium">
--    <VMSinfo VKey="72233" SVKey="86857" VRelease="3"/>
-+    <VMSinfo VKey="204585" SVKey="204585r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must be configured so that all networked systems have SSH installed."/>
-   </overlay>
--  <overlay owner="disastig" ruleid="service_sshd_enabled" ownerid="RHEL-07-040310" disa="2422" severity="medium">
--    <VMSinfo VKey="72235" SVKey="86859" VRelease="3"/>
-+  <overlay owner="disastig" ruleid="service_sshd_enabled" ownerid="RHEL-07-040310" disa="2420" severity="medium">
-+    <VMSinfo VKey="204586" SVKey="204586r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must be configured so that all networked systems use SSH for confidentiality and integrity of transmitted and received information as well as information during preparation for transmission."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="sshd_set_idle_timeout" ownerid="RHEL-07-040320" disa="2361" severity="medium">
--    <VMSinfo VKey="72237" SVKey="86861" VRelease="4"/>
-+    <VMSinfo VKey="204587" SVKey="204587r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must be configured so that all network connections associated with SSH traffic are terminated at the end of the session or after 10 minutes of inactivity, except to fulfill documented and validated mission requirements."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="sshd_disable_rhosts_rsa" ownerid="RHEL-07-040330" disa="366" severity="medium">
--    <VMSinfo VKey="72239" SVKey="86863" VRelease="4"/>
-+    <VMSinfo VKey="204588" SVKey="204588r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not allow authentication using RSA rhosts authentication."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="sshd_set_keepalive" ownerid="RHEL-07-040340" disa="2361" severity="medium">
--    <VMSinfo VKey="72241" SVKey="86865" VRelease="4"/>
-+    <VMSinfo VKey="204589" SVKey="204589r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must be configured so that all network connections associated with SSH traffic terminate after a period of inactivity."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="sshd_disable_rhosts" ownerid="RHEL-07-040350" disa="366" severity="medium">
--    <VMSinfo VKey="72243" SVKey="86867" VRelease="3"/>
-+    <VMSinfo VKey="204590" SVKey="204590r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not allow authentication using rhosts authentication."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="sshd_print_last_log" ownerid="RHEL-07-040360" disa="366" severity="medium">
--    <VMSinfo VKey="72245" SVKey="86869" VRelease="3"/>
-+    <VMSinfo VKey="204591" SVKey="204591r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must display the date and time of the last successful account logon upon an SSH logon."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="sshd_disable_root_login" ownerid="RHEL-07-040370" disa="366" severity="medium">
--    <VMSinfo VKey="72247" SVKey="86871" VRelease="3"/>
-+    <VMSinfo VKey="204592" SVKey="204592r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must not permit direct logons to the root account using remote access via SSH."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="sshd_disable_user_known_hosts" ownerid="RHEL-07-040380" disa="366" severity="medium">
--    <VMSinfo VKey="72249" SVKey="86873" VRelease="3"/>
-+    <VMSinfo VKey="204593" SVKey="204593r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not allow authentication using known hosts authentication."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="sshd_allow_only_protocol2" ownerid="RHEL-07-040390" disa="366" severity="high">
--    <VMSinfo VKey="72251" SVKey="86875" VRelease="4"/>
-+    <VMSinfo VKey="204594" SVKey="204594r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon is configured to only use the SSHv2 protocol."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="sshd_use_approved_macs" ownerid="RHEL-07-040400" disa="1453" severity="medium">
--    <VMSinfo VKey="72253" SVKey="86877" VRelease="3"/>
-+    <VMSinfo VKey="204595" SVKey="204595r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon is configured to only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="file_permissions_sshd_pub_key" ownerid="RHEL-07-040410" disa="366" severity="medium">
--    <VMSinfo VKey="72255" SVKey="86879" VRelease="2"/>
-+    <VMSinfo VKey="204596" SVKey="204596r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must be configured so that the SSH public host key files have mode 0644 or less permissive."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="file_permissions_sshd_private_key" ownerid="RHEL-07-040420" disa="366" severity="medium">
--    <VMSinfo VKey="72257" SVKey="86881" VRelease="3"/>
-+    <VMSinfo VKey="204597" SVKey="204597r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must be configured so that the SSH private host key files have mode 0640 or less permissive."/>
-   </overlay>
--  <overlay owner="disastig" ruleid="sshd_disable_gssapi_auth" ownerid="RHEL-07-040430" disa="1814" severity="medium">
--    <VMSinfo VKey="72259" SVKey="86883" VRelease="3"/>
-+  <overlay owner="disastig" ruleid="sshd_disable_gssapi_auth" ownerid="RHEL-07-040430" disa="1813" severity="medium">
-+    <VMSinfo VKey="204598" SVKey="204598r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not permit Generic Security Service Application Program Interface (GSSAPI) authentication unless needed."/>
-   </overlay>
--  <overlay owner="disastig" ruleid="sshd_disable_kerb_auth" ownerid="RHEL-07-040440" disa="1814" severity="medium">
--    <VMSinfo VKey="72261" SVKey="86885" VRelease="3"/>
-+  <overlay owner="disastig" ruleid="sshd_disable_kerb_auth" ownerid="RHEL-07-040440" disa="1812" severity="medium">
-+    <VMSinfo VKey="204599" SVKey="204599r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not permit Kerberos authentication unless needed."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="sshd_enable_strictmodes" ownerid="RHEL-07-040450" disa="366" severity="medium">
--    <VMSinfo VKey="72263" SVKey="86887" VRelease="3"/>
-+    <VMSinfo VKey="204600" SVKey="204600r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon performs strict mode checking of home directory configuration files."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="sshd_use_priv_separation" ownerid="RHEL-07-040460" disa="366" severity="medium">
--    <VMSinfo VKey="72265" SVKey="86889" VRelease="3"/>
-+    <VMSinfo VKey="204601" SVKey="204601r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon uses privilege separation."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="sshd_disable_compression" ownerid="RHEL-07-040470" disa="366" severity="medium">
--    <VMSinfo VKey="72267" SVKey="86891" VRelease="3"/>
-+    <VMSinfo VKey="204602" SVKey="204602r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not allow compression or only allows compression after successful authentication."/>
-   </overlay>
--  <overlay owner="disastig" ruleid="chronyd_or_ntpd_set_maxpoll" ownerid="RHEL-07-040500" disa="2046" severity="medium">
--    <VMSinfo VKey="72269" SVKey="86893" VRelease="5"/>
-+  <overlay owner="disastig" ruleid="chronyd_or_ntpd_set_maxpoll" ownerid="RHEL-07-040500" disa="1891" severity="medium">
-+    <VMSinfo VKey="204603" SVKey="204603r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must, for networked systems, synchronize clocks with a server that is synchronized to one of the redundant United States Naval Observatory (USNO) time servers, a time server designated for the appropriate DoD network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS)."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="service_firewalld_enabled" ownerid="RHEL-07-040520" disa="366" severity="medium">
--    <VMSinfo VKey="72273" SVKey="86897" VRelease="2"/>
-+    <VMSinfo VKey="204604" SVKey="204604r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must enable an application firewall, if available."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="display_login_attempts" ownerid="RHEL-07-040530" disa="366" severity="low">
--    <VMSinfo VKey="72275" SVKey="86899" VRelease="4"/>
-+    <VMSinfo VKey="204605" SVKey="204605r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must display the date and time of the last successful account logon upon logon."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="no_user_host_based_files" ownerid="RHEL-07-040540" disa="366" severity="high">
--    <VMSinfo VKey="72277" SVKey="86901" VRelease="2"/>
-+    <VMSinfo VKey="204606" SVKey="204606r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must not contain .shosts files."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="no_host_based_files" ownerid="RHEL-07-040550" disa="366" severity="high">
--    <VMSinfo VKey="72279" SVKey="86903" VRelease="2"/>
-+    <VMSinfo VKey="204607" SVKey="204607r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must not contain shosts.equiv files."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="network_configure_name_resolution" ownerid="RHEL-07-040600" disa="366" severity="low">
--    <VMSinfo VKey="72281" SVKey="86905" VRelease="3"/>
-+    <VMSinfo VKey="204608" SVKey="204608r5059" VRelease="r505924"/>
-     <title text="For Red Hat Enterprise Linux operating systems using DNS resolution, at least two name servers must be configured."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="sysctl_net_ipv4_conf_all_accept_source_route" ownerid="RHEL-07-040610" disa="366" severity="medium">
--    <VMSinfo VKey="72283" SVKey="86907" VRelease="2"/>
-+    <VMSinfo VKey="204609" SVKey="204609r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must not forward Internet Protocol version 4 (IPv4) source-routed packets."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="sysctl_net_ipv4_conf_all_rp_filter" ownerid="RHEL-07-040611" disa="366" severity="medium">
--    <VMSinfo VKey="92251" SVKey="102353" VRelease="r1"/>
-+    <VMSinfo VKey="204610" SVKey="204610r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must use a reverse-path filter for IPv4 network traffic when possible on all interfaces."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="sysctl_net_ipv4_conf_default_rp_filter" ownerid="RHEL-07-040612" disa="366" severity="medium">
--    <VMSinfo VKey="92253" SVKey="102355" VRelease="r1"/>
-+    <VMSinfo VKey="204611" SVKey="204611r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must use a reverse-path filter for IPv4 network traffic when possible by default."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="sysctl_net_ipv4_conf_default_accept_source_route" ownerid="RHEL-07-040620" disa="366" severity="medium">
--    <VMSinfo VKey="72285" SVKey="86909" VRelease="2"/>
-+    <VMSinfo VKey="204612" SVKey="204612r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must not forward Internet Protocol version 4 (IPv4) source-routed packets by default."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="sysctl_net_ipv4_icmp_echo_ignore_broadcasts" ownerid="RHEL-07-040630" disa="366" severity="medium">
--    <VMSinfo VKey="72287" SVKey="86911" VRelease="2"/>
-+    <VMSinfo VKey="204613" SVKey="204613r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must not respond to Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) echoes sent to a broadcast address."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="sysctl_net_ipv4_conf_default_accept_redirects" ownerid="RHEL-07-040640" disa="366" severity="medium">
--    <VMSinfo VKey="72289" SVKey="86913" VRelease="3"/>
-+    <VMSinfo VKey="204614" SVKey="204614r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must prevent Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages from being accepted."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="sysctl_net_ipv4_conf_all_accept_redirects" ownerid="RHEL-07-040641" disa="366" severity="medium">
--    <VMSinfo VKey="73175" SVKey="87827" VRelease="4"/>
-+    <VMSinfo VKey="204615" SVKey="204615r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must ignore Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="sysctl_net_ipv4_conf_default_send_redirects" ownerid="RHEL-07-040650" disa="366" severity="medium">
--    <VMSinfo VKey="72291" SVKey="86915" VRelease="4"/>
-+    <VMSinfo VKey="204616" SVKey="204616r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must not allow interfaces to perform Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirects by default."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="sysctl_net_ipv4_conf_all_send_redirects" ownerid="RHEL-07-040660" disa="366" severity="medium">
--    <VMSinfo VKey="72293" SVKey="86917" VRelease="3"/>
-+    <VMSinfo VKey="204617" SVKey="204617r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must not send Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirects."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="network_sniffer_disabled" ownerid="RHEL-07-040670" disa="366" severity="medium">
--    <VMSinfo VKey="72295" SVKey="86919" VRelease="2"/>
-+    <VMSinfo VKey="204618" SVKey="204618r5059" VRelease="r505924"/>
-     <title text="Network interfaces configured on the Red Hat Enterprise Linux operating system must not be in promiscuous mode."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="postfix_prevent_unrestricted_relay" ownerid="RHEL-07-040680" disa="366" severity="medium">
--    <VMSinfo VKey="72297" SVKey="86921" VRelease="3"/>
-+    <VMSinfo VKey="204619" SVKey="204619r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must be configured to prevent unrestricted mail relaying."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="package_vsftpd_removed" ownerid="RHEL-07-040690" disa="366" severity="high">
--    <VMSinfo VKey="72299" SVKey="86923" VRelease="3"/>
-+    <VMSinfo VKey="204620" SVKey="204620r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must not have a File Transfer Protocol (FTP) server package installed unless needed."/>
-   </overlay>
--  <overlay owner="disastig" ruleid="package_tftp-server_removed" ownerid="RHEL-07-040700" disa="1814" severity="high">
--    <VMSinfo VKey="72301" SVKey="86925" VRelease="2"/>
-+  <overlay owner="disastig" ruleid="package_tftp-server_removed" ownerid="RHEL-07-040700" disa="368" severity="high">
-+    <VMSinfo VKey="204621" SVKey="204621r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must not have the Trivial File Transfer Protocol (TFTP) server package installed if not required for operational support."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="sshd_enable_x11_forwarding" ownerid="RHEL-07-040710" disa="366" severity="high">
--    <VMSinfo VKey="72303" SVKey="86927" VRelease="4"/>
-+    <VMSinfo VKey="204622" SVKey="204622r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must be configured so that remote X connections for interactive users are encrypted."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="tftpd_uses_secure_mode" ownerid="RHEL-07-040720" disa="366" severity="medium">
--    <VMSinfo VKey="72305" SVKey="86929" VRelease="3"/>
-+    <VMSinfo VKey="204623" SVKey="204623r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must be configured so that if the Trivial File Transfer Protocol (TFTP) server is required, the TFTP daemon is configured to operate in secure mode."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="package_xorg-x11-server-common_removed" ownerid="RHEL-07-040730" disa="366" severity="medium">
--    <VMSinfo VKey="72307" SVKey="86931" VRelease="4"/>
--    <title text="The Red Hat Enterprise Linux operating system must not have an X Windows display manager installed unless approved."/>
-+    <VMSinfo VKey="204624" SVKey="204624r5059" VRelease="r505924"/>
-+    <title text="The Red Hat Enterprise Linux operating system must not have a graphical display manager installed unless approved."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="sysctl_net_ipv4_ip_forward" ownerid="RHEL-07-040740" disa="366" severity="medium">
--    <VMSinfo VKey="72309" SVKey="86933" VRelease="2"/>
-+    <VMSinfo VKey="204625" SVKey="204625r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must not be performing packet forwarding unless the system is a router."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="mount_option_krb_sec_remote_filesystems" ownerid="RHEL-07-040750" disa="366" severity="medium">
--    <VMSinfo VKey="72311" SVKey="86935" VRelease="4"/>
-+    <VMSinfo VKey="204626" SVKey="204626r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must be configured so that the Network File System (NFS) is configured to use RPCSEC_GSS."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="snmpd_not_default_password" ownerid="RHEL-07-040800" disa="366" severity="high">
--    <VMSinfo VKey="72313" SVKey="86937" VRelease="2"/>
-+    <VMSinfo VKey="204627" SVKey="204627r5059" VRelease="r505924"/>
-     <title text="SNMP community strings on the Red Hat Enterprise Linux operating system must be changed from the default."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="set_firewalld_default_zone" ownerid="RHEL-07-040810" disa="366" severity="medium">
--    <VMSinfo VKey="72315" SVKey="86939" VRelease="3"/>
-+    <VMSinfo VKey="204628" SVKey="204628r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system access control program must be configured to grant or deny system access to specific hosts and services."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="libreswan_approved_tunnels" ownerid="RHEL-07-040820" disa="366" severity="medium">
--    <VMSinfo VKey="72317" SVKey="86941" VRelease="2"/>
-+    <VMSinfo VKey="204629" SVKey="204629r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must not have unauthorized IP tunnels configured."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="sysctl_net_ipv6_conf_all_accept_source_route" ownerid="RHEL-07-040830" disa="366" severity="medium">
--    <VMSinfo VKey="72319" SVKey="86943" VRelease="2"/>
-+    <VMSinfo VKey="204630" SVKey="204630r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must not forward IPv6 source-routed packets."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="install_smartcard_packages" ownerid="RHEL-07-041001" disa="1954" severity="medium">
--    <VMSinfo VKey="72417" SVKey="87041" VRelease="5"/>
-+    <VMSinfo VKey="204631" SVKey="204631r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must have the required packages for multifactor authentication installed."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="sssd_enable_pam_services" ownerid="RHEL-07-041002" disa="1954" severity="medium">
--    <VMSinfo VKey="72427" SVKey="87051" VRelease="4"/>
-+    <VMSinfo VKey="204632" SVKey="204632r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must implement multifactor authentication for access to privileged accounts via pluggable authentication modules (PAM)."/>
-   </overlay>
--  <overlay owner="disastig" ruleid="smartcard_configure_cert_checking" ownerid="RHEL-07-041003" disa="1954" severity="medium">
--    <VMSinfo VKey="72433" SVKey="87057" VRelease="5"/>
-+  <overlay owner="disastig" ruleid="smartcard_configure_cert_checking" ownerid="RHEL-07-041003" disa="1953" severity="medium">
-+    <VMSinfo VKey="204633" SVKey="204633r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must implement certificate status checking for PKI authentication."/>
-   </overlay>
-   <overlay owner="disastig" ruleid="wireless_disable_interfaces" ownerid="RHEL-07-041010" disa="2418" severity="medium">
--    <VMSinfo VKey="73177" SVKey="87829" VRelease="2"/>
-+    <VMSinfo VKey="204634" SVKey="204634r5059" VRelease="r505924"/>
-     <title text="The Red Hat Enterprise Linux operating system must be configured so that all wireless network adapters are disabled."/>
-   </overlay>
-+  <overlay owner="disastig" ruleid="file_ownership_var_log_audit" ownerid="RHEL-07-910055" disa="1314" severity="medium">
-+    <VMSinfo VKey="228564" SVKey="228564r5059" VRelease="r505924"/>
-+    <title text="The Red Hat Enterprise Linux operating system must protect audit information from unauthorized read, modification, or deletion."/>
-+  </overlay>
- </overlays>
-diff --git a/rhel7/profiles/stig.profile b/rhel7/profiles/stig.profile
-index 1d94e79964..1841024572 100644
---- a/rhel7/profiles/stig.profile
-+++ b/rhel7/profiles/stig.profile
-@@ -11,7 +11,7 @@ title: 'DISA STIG for Red Hat Enterprise Linux 7'
- 
- description: |-
-     This profile contains configuration checks that align to the
--    DISA STIG for Red Hat Enterprise Linux V2R8.
-+    DISA STIG for Red Hat Enterprise Linux V3R1.
- 
-     In addition to being applicable to Red Hat Enterprise Linux 7, DISA recognizes this
-     configuration baseline as applicable to the operating system tier of
diff --git a/SOURCES/scap-security-guide-0.1.55-add_notes_and_rule_for_R35-PR_6548.patch b/SOURCES/scap-security-guide-0.1.55-add_notes_and_rule_for_R35-PR_6548.patch
new file mode 100644
index 0000000..12a7e8e
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.55-add_notes_and_rule_for_R35-PR_6548.patch
@@ -0,0 +1,34 @@
+From cb299dd0ce870d55cb530bc5e5ad9a9f52734bf4 Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Tue, 19 Jan 2021 09:42:26 +0100
+Subject: [PATCH] Add metadata to ANSSI R35
+
+Current implementation cannot diferentiate between system and
+standard user umask, they are both set to the same value.
+---
+ controls/anssi.yml | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/controls/anssi.yml b/controls/anssi.yml
+index dec9d68c99..621996e985 100644
+--- a/controls/anssi.yml
++++ b/controls/anssi.yml
+@@ -572,10 +572,18 @@ controls:
+       only be read by the user and his group, and be editable only by his owner).
+       The umask for users must be set to 0077 (any file created by a user is
+       readable and editable only by him).
++    notes: >-
++      There is no simple way to check and remediate different umask values for
++      system and standard users reliably.
++      The different values are set in a conditional clause in a shell script
++      (e.g. /etc/profile or /etc/bashrc).
++      The current implementation checks and fixes both umask to the same value.
++    automated: partially
+     rules:
+     - var_accounts_user_umask=077
+     - accounts_umask_etc_login_defs
+     - accounts_umask_etc_profile
++    - accounts_umask_etc_bashrc
+ 
+   - id: R36
+     title: Rights to access sensitive content files
diff --git a/SOURCES/scap-security-guide-0.1.55-add_rule_sysctl_kernel_modules_disabled-PR_6533.patch b/SOURCES/scap-security-guide-0.1.55-add_rule_sysctl_kernel_modules_disabled-PR_6533.patch
new file mode 100644
index 0000000..5efbf60
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.55-add_rule_sysctl_kernel_modules_disabled-PR_6533.patch
@@ -0,0 +1,75 @@
+From d5673795ba2f87ae1649c84591ee13d7876af0b2 Mon Sep 17 00:00:00 2001
+From: Vojtech Polasek <vpolasek@redhat.com>
+Date: Wed, 13 Jan 2021 14:01:03 +0100
+Subject: [PATCH 1/3] add rule
+
+---
+ .../sysctl_kernel_modules_disabled/rule.yml   | 34 +++++++++++++++++++
+ 1 file changed, 34 insertions(+)
+ create mode 100644 linux_os/guide/system/permissions/restrictions/sysctl_kernel_modules_disabled/rule.yml
+
+diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_modules_disabled/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_modules_disabled/rule.yml
+new file mode 100644
+index 0000000000..1811c43815
+--- /dev/null
++++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_modules_disabled/rule.yml
+@@ -0,0 +1,34 @@
++documentation_complete: true
++
++prodtype: fedora,ol8,rhel7,rhel8
++
++title: 'Disable loading and unloading of kernel modules'
++
++description: '{{{ describe_sysctl_option_value(sysctl="kernel.modules_disabled", value="1") }}}'
++
++rationale: |-
++    Malicious kernel modules can have a significant impact on system security and
++    availability. Disabling loading of kernel modules prevents this threat. Note
++    that once this option has been set, it cannot be reverted without doing a
++    system reboot. Make sure that all needed kernel modules are loaded before
++    setting this option.
++
++severity: medium
++
++identifiers:
++    cce@rhel7: CCE-83392-1
++    cce@rhel8: CCE-83397-0
++
++references:
++    anssi: BP28(R24)
++
++{{{ complete_ocil_entry_sysctl_option_value(sysctl="kernel.modules_disabled", value="1") }}}
++
++platform: machine
++
++template:
++    name: sysctl
++    vars:
++        sysctlvar: kernel.modules_disabled
++        sysctlval: '1'
++        datatype: int
+
+From 5e4f6a4a0b70c07488595080cfd98fdbfb02e352 Mon Sep 17 00:00:00 2001
+From: Vojtech Polasek <vpolasek@redhat.com>
+Date: Wed, 13 Jan 2021 14:01:15 +0100
+Subject: [PATCH 2/3] add rule to anssi profile
+
+---
+ controls/anssi.yml | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/controls/anssi.yml b/controls/anssi.yml
+index 9e2b899b6d..f435459af3 100644
+--- a/controls/anssi.yml
++++ b/controls/anssi.yml
+@@ -483,7 +483,8 @@ controls:
+       sysctl kernel.modules_disabledconf:
+       Prohibition of loading modules (except those already loaded to this point)
+       kernel.modules_disabled = 1
+-    # rules: TBD
++    rules:
++    - sysctl_kernel_modules_disabled
+ 
+   - id: R25
+     level: enhanced
+
diff --git a/SOURCES/scap-security-guide-0.1.55-add_rules_for_R18-PR_6539.patch b/SOURCES/scap-security-guide-0.1.55-add_rules_for_R18-PR_6539.patch
new file mode 100644
index 0000000..4ac24a2
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.55-add_rules_for_R18-PR_6539.patch
@@ -0,0 +1,117 @@
+From 2df02e3988525eee8360db1e829655a761adb461 Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Mon, 19 Oct 2020 17:25:05 +0200
+Subject: [PATCH 1/2] var pam unix remember, add selector
+
+Add selector "2" to var_password_pam_unix_remember.
+---
+ .../accounts/accounts-pam/var_password_pam_unix_remember.var     | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/linux_os/guide/system/accounts/accounts-pam/var_password_pam_unix_remember.var b/linux_os/guide/system/accounts/accounts-pam/var_password_pam_unix_remember.var
+index f533a36963..6e7abb3b78 100644
+--- a/linux_os/guide/system/accounts/accounts-pam/var_password_pam_unix_remember.var
++++ b/linux_os/guide/system/accounts/accounts-pam/var_password_pam_unix_remember.var
+@@ -18,6 +18,7 @@ options:
+     "0": "0"
+     10: 10
+     24: 24
++    2: 2
+     4: 4
+     5: 5
+     default: 5
+
+From 5503605d2f9e56b07686a9f1f2f3f8418e61b8cb Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Mon, 19 Oct 2020 17:29:47 +0200
+Subject: [PATCH 2/2] Select rules for password strenght management
+
+Rule selection is based on ANSSI DAT-NT-001
+---
+ controls/anssi.yml                            | 45 ++++++++++++++++++-
+ .../var_password_pam_minlen.var               |  2 +
+ ...ar_accounts_password_minlen_login_defs.var |  2 +
+ 3 files changed, 48 insertions(+), 1 deletion(-)
+
+diff --git a/controls/anssi.yml b/controls/anssi.yml
+index 26bc7f4694..3ccd0f8cb3 100644
+--- a/controls/anssi.yml
++++ b/controls/anssi.yml
+@@ -281,7 +281,50 @@ controls:
+   - id: R18
+     level: minimal
+     title: Administrator password robustness
+-    # rules: TBD
++    notes: >-
++      The rules selected below establish a general password strength baseline of 100 bits,
++      inspired by DAT-NT-001 and the "Password Strenght Calculator"
++      (https://www.ssi.gouv.fr/administration/precautions-elementaires/calculer-la-force-dun-mot-de-passe/).
++
++      The baseline should be reviewed and tailored to the system's use case and needs.
++    automated: partially
++    rules:
++    # Renew passwords every 90 days
++    - var_accounts_maximum_age_login_defs=90
++    - accounts_maximum_age_login_defs
++
++    # Ensure passwords with minimum of 18 characters
++    - var_password_pam_minlen=18
++    - accounts_password_pam_minlen
++    # Enforce password lenght for new accounts
++    - var_accounts_password_minlen_login_defs=18
++    - accounts_password_minlen_login_defs
++    # Require at Least 1 Special Character in Password
++    - var_password_pam_ocredit=1
++    - accounts_password_pam_ocredit
++    # Require at Least 1 Numeric Character in Password
++    - var_password_pam_dcredit=1
++    - accounts_password_pam_dcredit
++    # Require at Least 1 Uppercase Character in Password
++    - var_password_pam_ucredit=1
++    - accounts_password_pam_ucredit
++    # Require at Least 1 Lowercase Character in Password
++    - var_password_pam_lcredit=1
++    - accounts_password_pam_lcredit
++
++    # Lock out users after 3 failed authentication attempts within 15 min
++    - var_accounts_passwords_pam_faillock_fail_interval=900
++    - accounts_passwords_pam_faillock_interval
++    - var_accounts_passwords_pam_faillock_deny=3
++    - accounts_passwords_pam_faillock_deny
++    - accounts_passwords_pam_faillock_deny_root
++    # Automatically unlock users after 15 min to prevent DoS
++    - var_accounts_passwords_pam_faillock_unlock_time=900
++    - accounts_passwords_pam_faillock_unlock_time
++
++    # Do not reuse last two passwords
++    - var_password_pam_unix_remember=2
++    - accounts_password_pam_unix_remember
+ 
+   - id: R19
+     level: intermediary
+diff --git a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/var_password_pam_minlen.var b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/var_password_pam_minlen.var
+index f506a090bb..873d907ab9 100644
+--- a/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/var_password_pam_minlen.var
++++ b/linux_os/guide/system/accounts/accounts-pam/password_quality/password_quality_pwquality/var_password_pam_minlen.var
+@@ -15,6 +15,8 @@ options:
+     12: 12
+     14: 14
+     15: 15
++    18: 18
++    20: 20
+     6: 6
+     7: 7
+     8: 8
+diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/var_accounts_password_minlen_login_defs.var b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/var_accounts_password_minlen_login_defs.var
+index f41ff432ec..662c53b076 100644
+--- a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/var_accounts_password_minlen_login_defs.var
++++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/var_accounts_password_minlen_login_defs.var
+@@ -13,6 +13,8 @@ options:
+     12: 12
+     14: 14
+     15: 15
++    18: 18
++    20: 20
+     6: 6
+     8: 8
+     default: 15
diff --git a/SOURCES/scap-security-guide-0.1.55-add_rules_for_R37-PR_6540.patch b/SOURCES/scap-security-guide-0.1.55-add_rules_for_R37-PR_6540.patch
new file mode 100644
index 0000000..9491d13
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.55-add_rules_for_R37-PR_6540.patch
@@ -0,0 +1,47 @@
+From 76aede9cea67f4ea37eaa05ad74bf80273638de2 Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Wed, 28 Oct 2020 18:52:13 +0100
+Subject: [PATCH] Select rules for ANSSI R37
+
+These rules are better fit for R37 than R38.
+R37 is about binaries designed to be used with setuid or setgid bits.
+R38 is about reducing number of binaries with setuid root.
+---
+ controls/anssi.yml | 17 ++++++++++++-----
+ 1 file changed, 12 insertions(+), 5 deletions(-)
+
+diff --git a/controls/anssi.yml b/controls/anssi.yml
+index 26bc7f4694..4648b98dff 100644
+--- a/controls/anssi.yml
++++ b/controls/anssi.yml
+@@ -590,8 +590,17 @@ controls:
+ 
+   - id: R37
+     level: minimal
+-    title: Executables with setuid and/or setgid bits
+-    # rules: TBD
++    title: Executables with setuid and setgid bits
++    notes: >-
++      Only programs specifically designed to be used with setuid or setgid bits can have these privilege bits set.
++      This requirement considers apropriate for setuid and setgid bits the binaries that are installed from
++      recognized and authorized repositories (covered in R15).
++      The remediation resets the sticky bit to intended value by vendor/developer, any finding after remediation
++      should be reviewed.
++    automated: yes
++    rules:
++    - file_permissions_unauthorized_suid
++    - file_permissions_unauthorized_sgid
+ 
+   - id: R38
+     level: enhanced
+@@ -600,9 +609,7 @@ controls:
+       Setuid executables should be as small as possible. When it is expected
+       that only the administrators of the machine execute them, the setuid bit
+       must be removed and prefer them commands like su or sudo, which can be monitored
+-    rules:
+-    - file_permissions_unauthorized_suid
+-    - file_permissions_unauthorized_sgid
++    # rules: TBD
+ 
+   - id: R39
+     level: intermediary
diff --git a/SOURCES/scap-security-guide-0.1.55-add_selector_for_R29-PR_6553.patch b/SOURCES/scap-security-guide-0.1.55-add_selector_for_R29-PR_6553.patch
new file mode 100644
index 0000000..e0a3221
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.55-add_selector_for_R29-PR_6553.patch
@@ -0,0 +1,37 @@
+From 4d67a36c0a07ef8e07b8760b0e883bd42c0177ec Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Thu, 21 Jan 2021 11:04:05 +0100
+Subject: [PATCH] Add variable selector and notes for R29
+
+---
+ controls/anssi.yml | 14 +++++++++++++-
+ 1 file changed, 13 insertions(+), 1 deletion(-)
+
+diff --git a/controls/anssi.yml b/controls/anssi.yml
+index dec9d68c99..3303d70295 100644
+--- a/controls/anssi.yml
++++ b/controls/anssi.yml
+@@ -521,10 +521,22 @@ controls:
+     description: >-
+       Remote user sessions (shell access, graphical clients) must be closed
+       after a certain period of inactivity.
++    notes: >-
++      There is no specific capability to check remote user inactivity, but some shells allow the
++      session inactivity time out to be configured via TMOUT variable.
++      In OpenSSH < 8.2 the inactivity of the user is implied from the network inactivity.
++      The server is configured to disconnect sessions if no data has been received within the idle timeout,
++      regardless of liveness status (ClientAliveCountMax is 0 and ClientAliveInterval is > 0).
++      In OpenSSH >= 8.2 there is no way to disconnect sessions based on client liveness.
++      The semantics of "ClientAliveCountMax 0" has changed from "disconnect on first timeout" to
++      "don't disconnect network inactive sessions". The server either probes for the client liveness
++      or keeps inactive sessions connected.
++    automated: yes
+     rules:
+     - accounts_tmout
++    - var_accounts_tmout=10_min
+     - sshd_set_idle_timeout
+-    - sshd_idle_timeout_value=5_minutes
++    - sshd_idle_timeout_value=10_minutes
+     - sshd_set_keepalive
+ 
+   - id: R30
diff --git a/SOURCES/scap-security-guide-0.1.55-add_sshd_x11_proxy_localhost-PR_6534.patch b/SOURCES/scap-security-guide-0.1.55-add_sshd_x11_proxy_localhost-PR_6534.patch
new file mode 100644
index 0000000..0ec0a01
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.55-add_sshd_x11_proxy_localhost-PR_6534.patch
@@ -0,0 +1,140 @@
+From 389d25be2b69e4e5c828d9b0b72573e0962cabb4 Mon Sep 17 00:00:00 2001
+From: Vojtech Polasek <vpolasek@redhat.com>
+Date: Wed, 13 Jan 2021 17:07:48 +0100
+Subject: [PATCH 1/4] add rule
+
+---
+ .../sshd_x11_use_localhost/rule.yml           | 43 +++++++++++++++++++
+ shared/references/cce-redhat-avail.txt        |  3 --
+ 2 files changed, 43 insertions(+), 3 deletions(-)
+ create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_x11_use_localhost/rule.yml
+
+diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_x11_use_localhost/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_x11_use_localhost/rule.yml
+new file mode 100644
+index 0000000000..67131e509c
+--- /dev/null
++++ b/linux_os/guide/services/ssh/ssh_server/sshd_x11_use_localhost/rule.yml
+@@ -0,0 +1,43 @@
++documentation_complete: true
++
++prodtype: fedora,ol7,rhel7
++
++title: 'Prevent remote hosts from connecting to the proxy display'
++
++description: |-
++    The SSH daemon should prevent remote hosts from connecting to the proxy
++    display. Make sure that the option <tt>X11UseLocalhost</tt> is set to
++    <tt>yes</tt> within the SSH server configuration file.
++
++
++rationale: |-
++    When X11 forwarding is enabled, there may be additional exposure to the
++    server and client displays if the sshd proxy display is configured to listen
++    on the wildcard address. By default, sshd binds the forwarding server to the
++    loopback address and sets the hostname part of the <tt>DISPLAY</tt>
++    environment variable to localhost. This prevents remote hosts from
++    connecting to the proxy display.  
++
++severity: medium
++
++identifiers:
++    cce@rhel7: CCE-83404-4
++
++references:
++    srg: SRG-OS-000480-GPOS-00227
++    stig@rhel7: RHEL-07-040711
++    disa: CCI-000366
++    nist: CM-6(b)
++
++ocil_clause: "the display proxy is listening on wildcard address"
++
++ocil: |-
++    {{{ ocil_sshd_option(default="yes", option="X11UseLocalhost", value="yes") }}}
++
++template:
++    name: sshd_lineinfile
++    vars:
++        missing_parameter_pass: 'false'
++        parameter: X11UseLocalhost
++        rule_id: sshd_x11_use_localhost
++        value: 'yes'
+diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
+index 4dbec8255c..fb59a52ca7 100644
+--- a/shared/references/cce-redhat-avail.txt
++++ b/shared/references/cce-redhat-avail.txt
+@@ -1,8 +1,5 @@
+-CCE-83392-1
+-CCE-83397-0
+ CCE-83398-8
+ CCE-83399-6
+-CCE-83404-4
+ CCE-83405-1
+ CCE-83406-9
+ CCE-83407-7
+
+From a40b9e68305afb52c2c674848b71cbcaee25fe32 Mon Sep 17 00:00:00 2001
+From: Vojtech Polasek <vpolasek@redhat.com>
+Date: Wed, 13 Jan 2021 17:08:08 +0100
+Subject: [PATCH 2/4] add rule to the stig profile
+
+---
+ rhel7/profiles/stig.profile | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/rhel7/profiles/stig.profile b/rhel7/profiles/stig.profile
+index 88b50d5ef4..817e0982e5 100644
+--- a/rhel7/profiles/stig.profile
++++ b/rhel7/profiles/stig.profile
+@@ -286,6 +286,7 @@ selections:
+     - package_vsftpd_removed
+     - package_tftp-server_removed
+     - sshd_enable_x11_forwarding
++    - sshd_x11_use_localhost
+     - tftpd_uses_secure_mode
+     - package_xorg-x11-server-common_removed
+     - xwindows_runlevel_target
+
+From 588912842af0164d79c4aa4c076bfa6cb3ac8f8b Mon Sep 17 00:00:00 2001
+From: Vojtech Polasek <vpolasek@redhat.com>
+Date: Thu, 14 Jan 2021 09:34:14 +0100
+Subject: [PATCH 3/4] return erroneously removed cces
+
+---
+ shared/references/cce-redhat-avail.txt | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
+index fb59a52ca7..d6ccab5dbf 100644
+--- a/shared/references/cce-redhat-avail.txt
++++ b/shared/references/cce-redhat-avail.txt
+@@ -1,3 +1,5 @@
++CCE-83392-1
++CCE-83397-0
+ CCE-83398-8
+ CCE-83399-6
+ CCE-83405-1
+
+From be2f96b80fbfb74708381e15a2a6e76c3952bbb5 Mon Sep 17 00:00:00 2001
+From: vojtapolasek <krecoun@gmail.com>
+Date: Fri, 15 Jan 2021 07:46:09 +0100
+Subject: [PATCH 4/4] Update
+ linux_os/guide/services/ssh/ssh_server/sshd_x11_use_localhost/rule.yml
+
+Co-authored-by: Gabriel Becker <ggasparb@redhat.com>
+---
+ .../services/ssh/ssh_server/sshd_x11_use_localhost/rule.yml     | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_x11_use_localhost/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_x11_use_localhost/rule.yml
+index 67131e509c..7267d2443a 100644
+--- a/linux_os/guide/services/ssh/ssh_server/sshd_x11_use_localhost/rule.yml
++++ b/linux_os/guide/services/ssh/ssh_server/sshd_x11_use_localhost/rule.yml
+@@ -37,7 +37,7 @@ ocil: |-
+ template:
+     name: sshd_lineinfile
+     vars:
+-        missing_parameter_pass: 'false'
++        missing_parameter_pass: 'true'
+         parameter: X11UseLocalhost
+         rule_id: sshd_x11_use_localhost
+         value: 'yes'
diff --git a/SOURCES/scap-security-guide-0.1.55-add_sudoers_explicit_command_args-PR_6525.diff b/SOURCES/scap-security-guide-0.1.55-add_sudoers_explicit_command_args-PR_6525.diff
new file mode 100644
index 0000000..7795228
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.55-add_sudoers_explicit_command_args-PR_6525.diff
@@ -0,0 +1,196 @@
+diff --git a/controls/anssi.yml b/controls/anssi.yml
+index 851993512..515a4a172 100644
+--- a/controls/anssi.yml
++++ b/controls/anssi.yml
+@@ -850,7 +850,8 @@ controls:
+   - id: R63
+     level: intermediary
+     title: Explicit arguments in sudo specifications
+-    # rules: TBD
++    rules:
++    - sudoers_explicit_command_args
+ 
+   - id: R64
+     level: intermediary
+diff --git a/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/oval/shared.xml b/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/oval/shared.xml
+new file mode 100644
+index 000000000..94a0cb421
+--- /dev/null
++++ b/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/oval/shared.xml
+@@ -0,0 +1,25 @@
++<def-group>
++     <definition class="compliance" id="{{{ rule_id }}}" version="1">
++     {{{ oval_metadata("Check that sudoers doesn't contain commands without arguments specified") }}}
++     <criteria operator="AND">
++	     <criterion comment="Make sure that no commands are without arguments" test_ref="test_{{{ rule_id }}}" />
++     </criteria>
++  </definition>
++
++  <ind:textfilecontent54_test check="all" check_existence="none_exist"
++  comment="Make sure that no command in user spec is without any argument"
++	  id="test_{{{ rule_id }}}" version="1">
++  <ind:object object_ref="object_{{{ rule_id }}}" />
++  </ind:textfilecontent54_test>
++
++  <ind:textfilecontent54_object id="object_{{{ rule_id }}}" version="1">
++    <ind:filepath operation="pattern match">^/etc/sudoers(\.d/.*)?$</ind:filepath>
++    <!-- The regex idea: <user list> <host list> = (<the whole command with at least an arg>,)* <command with no arg> <end of the line or next command spec we don't care about>
++         where a command is <runas spec>?<anything except ,>+,
++           - ',' is a command delimiter, while
++         The last capturing group holds the offending command without args.
++    -->
++    <ind:pattern operation="pattern match">^(?:\s*[^#=]+)=(?:\s*(?:\([^\)]+\))?\s*(?!\s*\()[^,\s]+(?:[ \t]+[^,\s]+)+[ \t]*,)*(\s*(?:\([^\)]+\))?\s*(?!\s*\()[^,\s]+[ \t]*(?:,|$))</ind:pattern>
++    <ind:instance datatype="int">1</ind:instance>
++  </ind:textfilecontent54_object>
++</def-group>
+diff --git a/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/rule.yml b/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/rule.yml
+new file mode 100644
+index 000000000..a0590c8b0
+--- /dev/null
++++ b/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/rule.yml
+@@ -0,0 +1,46 @@
++documentation_complete: true
++
++title: "Explicit arguments in sudo specifications"
++
++description: |-
++    All commands in the sudoers file must strictly specify the arguments allowed to be used for a given user.
++    If the command is supposed to be executed only without arguments, pass "" as an argument in the corresponding user specification.
++
++rationale: |-
++    Any argument can modify quite significantly the behavior of a program, whether regarding the
++    realized operation (read, write, delete, etc.) or accessed resources (path in a file system tree). To
++    avoid any possibility of misuse of a command by a user, the ambiguities must be removed at the
++    level of its specification.
++
++    For example, on some systems, the kernel messages are only accessible by root.
++    If a user nevertheless must have the privileges to read them, the argument of the dmesg command has to be restricted
++    in order to prevent the user from flushing the buffer through the -c option:
++    <pre>
++    user ALL = dmesg ""
++    </pre>
++
++severity: medium
++
++identifiers:
++  cce@rhel7: CCE-83631-2
++  cce@rhel8: CCE-83632-0
++
++references:
++    anssi: BP28(R63)
++
++ocil_clause: '/etc/sudoers file contains user specifications that allow execution of commands with any arguments'
++
++ocil: |-
++    To determine if arguments that commands can be executed with are restricted, run the following command:
++    <pre>$ sudo grep -PR '^(?:\s*[^#=]+)=(?:\s*(?:\([^\)]+\))?\s*(?!\s*\()[^,\s]+(?:[ \t]+[^,\s]+)+[ \t]*,)*(\s*(?:\([^\)]+\))?\s*(?!\s*\()[^,\s]+[ \t]*(?:,|$))' /etc/sudoers /etc/sudoers.d/</pre>
++    The command should return no output.
++
++platform: sudo
++
++warnings:
++  - general:
++      This rule doesn't come with a remediation, as absence of arguments in the user spec doesn't mean that the command is intended to be executed with no arguments.
++
++  - general:
++      The rule can produce false findings when an argument contains a comma - sudoers syntax allows comma escaping using backslash, but the check doesn't support that.
++      For example, <code>root ALL=(ALL) echo 1\,2</code> allows root to execute <code>echo 1,2</code>, but the check would interpret it as two commands <code>echo 1\</code> and <code>2</code>.
+diff --git a/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/tests/commented.pass.sh b/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/tests/commented.pass.sh
+new file mode 100644
+index 000000000..b0d05b2a5
+--- /dev/null
++++ b/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/tests/commented.pass.sh
+@@ -0,0 +1,5 @@
++# platform = multi_platform_all
++# packages = sudo
++
++echo '#jen,!fred		ALL, !SERVERS = !/bin/sh' > /etc/sudoers
++echo '# somebody ALL=/bin/ls, (!bob,alice) !/bin/cat, /bin/dog' > /etc/sudoers.d/foo
+diff --git a/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/tests/complex-1.fail.sh b/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/tests/complex-1.fail.sh
+new file mode 100644
+index 000000000..c6f885f9f
+--- /dev/null
++++ b/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/tests/complex-1.fail.sh
+@@ -0,0 +1,5 @@
++# platform = multi_platform_all
++# packages = sudo
++# remediation = none
++
++echo 'somebody ALL=/bin/ls, (!bob,alice) /bin/cat arg, /bin/dog' > /etc/sudoers
+diff --git a/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/tests/complex-2.fail.sh b/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/tests/complex-2.fail.sh
+new file mode 100644
+index 000000000..fce851f55
+--- /dev/null
++++ b/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/tests/complex-2.fail.sh
+@@ -0,0 +1,5 @@
++# platform = multi_platform_all
++# packages = sudo
++# remediation = none
++
++echo 'nobody ALL=/bin/ls, (!bob,alice) /bin/dog, /bin/cat arg' > /etc/sudoers
+diff --git a/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/tests/false_positive.fail.sh b/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/tests/false_positive.fail.sh
+new file mode 100644
+index 000000000..baf66468d
+--- /dev/null
++++ b/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/tests/false_positive.fail.sh
+@@ -0,0 +1,9 @@
++# platform = multi_platform_all
++# remediation = none
++# packages = sudo
++
++# The val1\,val2 is the first argument of the /bin/dog command that contains a comma.
++# Our check tends to interpret the comma as commad delimiter, so the dog arg is val1\
++# and val2 is another command in the user spec.
++echo 'nobody ALL=/bin/ls "", (!bob,alice) /bin/dog val1\,val2, /bin/cat ""' > /etc/sudoers
++
+diff --git a/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/tests/simple.fail.sh b/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/tests/simple.fail.sh
+new file mode 100644
+index 000000000..9a04a205a
+--- /dev/null
++++ b/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/tests/simple.fail.sh
+@@ -0,0 +1,5 @@
++# platform = multi_platform_all
++# packages = sudo
++# remediation = none
++
++echo 'jen,!fred		ALL,SERVERS = /bin/sh ' > /etc/sudoers
+diff --git a/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/tests/simple.pass.sh b/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/tests/simple.pass.sh
+new file mode 100644
+index 000000000..4a3a7c94b
+--- /dev/null
++++ b/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/tests/simple.pass.sh
+@@ -0,0 +1,6 @@
++# platform = multi_platform_all
++# packages = sudo
++
++echo 'nobody ALL=/bin/ls "", (!bob,alice) /bin/dog arg, /bin/cat ""' > /etc/sudoers
++echo 'jen,!fred		ALL,!SERVERS = /bin/sh arg' >> /etc/sudoers
++echo 'nobody ALL=/bin/ls arg arg, (bob,!alice) /bin/dog arg, /bin/cat arg' > /etc/sudoers.d/foo
+diff --git a/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/tests/sudoers_d.fail.sh b/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/tests/sudoers_d.fail.sh
+new file mode 100644
+index 000000000..9643a3337
+--- /dev/null
++++ b/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/tests/sudoers_d.fail.sh
+@@ -0,0 +1,9 @@
++# platform = multi_platform_all
++# packages = sudo
++# remediation = none
++
++echo 'nobody ALL=/bin/ls, (!bob,alice) /bin/dog arg, /bin/cat ""' > /etc/sudoers
++echo 'jen,!fred		ALL,!SERVERS = /bin/sh arg' >> /etc/sudoers
++echo 'nobody ALL=/bin/ls, (bob,!alice) /bin/dog arg, /bin/cat arg' > /etc/sudoers.d/foo
++
++echo 'user ALL = ALL' > /etc/sudoers.d/bar
+diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
+index 4dbec8255..94a116b59 100644
+--- a/shared/references/cce-redhat-avail.txt
++++ b/shared/references/cce-redhat-avail.txt
+@@ -140,8 +140,6 @@ CCE-83626-2
+ CCE-83627-0
+ CCE-83628-8
+ CCE-83629-6
+-CCE-83631-2
+-CCE-83632-0
+ CCE-83633-8
+ CCE-83634-6
+ CCE-83635-3
diff --git a/SOURCES/scap-security-guide-0.1.55-adjust_ks_partion_sizes-PR_6600.patch b/SOURCES/scap-security-guide-0.1.55-adjust_ks_partion_sizes-PR_6600.patch
new file mode 100644
index 0000000..74a0793
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.55-adjust_ks_partion_sizes-PR_6600.patch
@@ -0,0 +1,213 @@
+From afa3b348ed0af551967870f48334afbabecb89ab Mon Sep 17 00:00:00 2001
+From: Milan Lysonek <mlysonek@redhat.com>
+Date: Thu, 4 Feb 2021 09:43:51 +0100
+Subject: [PATCH] Extend /var partition to 3GB in rhel8 kickstarts
+
+---
+ rhel8/kickstart/ssg-rhel8-anssi_bp28_enhanced-ks.cfg     | 4 ++--
+ rhel8/kickstart/ssg-rhel8-anssi_bp28_high-ks.cfg         | 4 ++--
+ rhel8/kickstart/ssg-rhel8-anssi_bp28_intermediary-ks.cfg | 4 ++--
+ rhel8/kickstart/ssg-rhel8-anssi_bp28_minimal-ks.cfg      | 4 ++--
+ rhel8/kickstart/ssg-rhel8-cis-ks.cfg                     | 4 ++--
+ rhel8/kickstart/ssg-rhel8-cui-ks.cfg                     | 4 ++--
+ rhel8/kickstart/ssg-rhel8-ospp-ks.cfg                    | 4 ++--
+ rhel8/kickstart/ssg-rhel8-pci-dss-ks.cfg                 | 4 ++--
+ rhel8/kickstart/ssg-rhel8-stig-ks.cfg                    | 4 ++--
+ 9 files changed, 18 insertions(+), 18 deletions(-)
+
+diff --git a/rhel8/kickstart/ssg-rhel8-anssi_bp28_enhanced-ks.cfg b/rhel8/kickstart/ssg-rhel8-anssi_bp28_enhanced-ks.cfg
+index 52af3ef47e..4e249f61e2 100644
+--- a/rhel8/kickstart/ssg-rhel8-anssi_bp28_enhanced-ks.cfg
++++ b/rhel8/kickstart/ssg-rhel8-anssi_bp28_enhanced-ks.cfg
+@@ -110,7 +110,7 @@ part pv.01 --grow --size=1
+ volgroup VolGroup --pesize=4096 pv.01
+ 
+ # Create particular logical volumes (optional)
+-logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=4216 --grow
++logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=3192 --grow
+ # Ensure /usr Located On Separate Partition
+ logvol /usr --fstype=xfs --name=LogVol08 --vgname=VolGroup --size=5000 --fsoptions="nodev"
+ # Ensure /opt Located On Separate Partition
+@@ -124,7 +124,7 @@ logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 --fsoptions="n
+ # Ensure /var/tmp Located On Separate Partition
+ logvol /var/tmp --fstype=xfs --name=vartmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
+ # Ensure /var Located On Separate Partition
+-logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=2048 --fsoptions="nodev"
++logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=3072 --fsoptions="nodev"
+ # Ensure /var/log Located On Separate Partition
+ logvol /var/log --fstype=xfs --name=log --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
+ # Ensure /var/log/audit Located On Separate Partition
+diff --git a/rhel8/kickstart/ssg-rhel8-anssi_bp28_high-ks.cfg b/rhel8/kickstart/ssg-rhel8-anssi_bp28_high-ks.cfg
+index 702f23d4dc..a1511b157a 100644
+--- a/rhel8/kickstart/ssg-rhel8-anssi_bp28_high-ks.cfg
++++ b/rhel8/kickstart/ssg-rhel8-anssi_bp28_high-ks.cfg
+@@ -110,7 +110,7 @@ part pv.01 --grow --size=1
+ volgroup VolGroup --pesize=4096 pv.01
+ 
+ # Create particular logical volumes (optional)
+-logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=4216 --grow
++logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=3192 --grow
+ # Ensure /usr Located On Separate Partition
+ logvol /usr --fstype=xfs --name=LogVol08 --vgname=VolGroup --size=5000 --fsoptions="nodev"
+ # Ensure /opt Located On Separate Partition
+@@ -124,7 +124,7 @@ logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 --fsoptions="n
+ # Ensure /var/tmp Located On Separate Partition
+ logvol /var/tmp --fstype=xfs --name=vartmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
+ # Ensure /var Located On Separate Partition
+-logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=2048 --fsoptions="nodev"
++logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=3072 --fsoptions="nodev"
+ # Ensure /var/log Located On Separate Partition
+ logvol /var/log --fstype=xfs --name=log --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
+ # Ensure /var/log/audit Located On Separate Partition
+diff --git a/rhel8/kickstart/ssg-rhel8-anssi_bp28_intermediary-ks.cfg b/rhel8/kickstart/ssg-rhel8-anssi_bp28_intermediary-ks.cfg
+index b875692944..981d291847 100644
+--- a/rhel8/kickstart/ssg-rhel8-anssi_bp28_intermediary-ks.cfg
++++ b/rhel8/kickstart/ssg-rhel8-anssi_bp28_intermediary-ks.cfg
+@@ -110,7 +110,7 @@ part pv.01 --grow --size=1
+ volgroup VolGroup --pesize=4096 pv.01
+ 
+ # Create particular logical volumes (optional)
+-logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=4216 --grow
++logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=3192 --grow
+ # Ensure /usr Located On Separate Partition
+ logvol /usr --fstype=xfs --name=LogVol08 --vgname=VolGroup --size=5000 --fsoptions="nodev"
+ # Ensure /opt Located On Separate Partition
+@@ -124,7 +124,7 @@ logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 --fsoptions="n
+ # Ensure /var/tmp Located On Separate Partition
+ logvol /var/tmp --fstype=xfs --name=vartmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
+ # Ensure /var Located On Separate Partition
+-logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=2048 --fsoptions="nodev"
++logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=3072 --fsoptions="nodev"
+ # Ensure /var/log Located On Separate Partition
+ logvol /var/log --fstype=xfs --name=log --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
+ # Ensure /var/log/audit Located On Separate Partition
+diff --git a/rhel8/kickstart/ssg-rhel8-anssi_bp28_minimal-ks.cfg b/rhel8/kickstart/ssg-rhel8-anssi_bp28_minimal-ks.cfg
+index 4a114aebb6..7fc4945518 100644
+--- a/rhel8/kickstart/ssg-rhel8-anssi_bp28_minimal-ks.cfg
++++ b/rhel8/kickstart/ssg-rhel8-anssi_bp28_minimal-ks.cfg
+@@ -110,7 +110,7 @@ part pv.01 --grow --size=1
+ volgroup VolGroup --pesize=4096 pv.01
+ 
+ # Create particular logical volumes (optional)
+-logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=4216 --grow
++logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=3192 --grow
+ # Ensure /usr Located On Separate Partition
+ logvol /usr --fstype=xfs --name=LogVol08 --vgname=VolGroup --size=5000 --fsoptions="nodev"
+ # Ensure /opt Located On Separate Partition
+@@ -124,7 +124,7 @@ logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 --fsoptions="n
+ # Ensure /var/tmp Located On Separate Partition
+ logvol /var/tmp --fstype=xfs --name=vartmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
+ # Ensure /var Located On Separate Partition
+-logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=2048 --fsoptions="nodev"
++logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=3072 --fsoptions="nodev"
+ # Ensure /var/log Located On Separate Partition
+ logvol /var/log --fstype=xfs --name=log --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
+ # Ensure /var/log/audit Located On Separate Partition
+diff --git a/rhel8/kickstart/ssg-rhel8-cis-ks.cfg b/rhel8/kickstart/ssg-rhel8-cis-ks.cfg
+index bf3804b3fa..ee3a20bcc2 100644
+--- a/rhel8/kickstart/ssg-rhel8-cis-ks.cfg
++++ b/rhel8/kickstart/ssg-rhel8-cis-ks.cfg
+@@ -109,7 +109,7 @@ part pv.01 --grow --size=1
+ volgroup VolGroup --pesize=4096 pv.01
+ 
+ # Create particular logical volumes (optional)
+-logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=11264 --grow
++logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=10240 --grow
+ # Ensure /home Located On Separate Partition
+ logvol /home --fstype=xfs --name=LogVol02 --vgname=VolGroup --size=1024 --fsoptions="nodev"
+ # Ensure /tmp Located On Separate Partition
+@@ -117,7 +117,7 @@ logvol /tmp --fstype=xfs --name=LogVol01 --vgname=VolGroup --size=1024 --fsoptio
+ # Ensure /var/tmp Located On Separate Partition
+ logvol /var/tmp --fstype=xfs --name=LogVol7 --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
+ # Ensure /var Located On Separate Partition
+-logvol /var --fstype=xfs --name=LogVol03 --vgname=VolGroup --size=2048
++logvol /var --fstype=xfs --name=LogVol03 --vgname=VolGroup --size=3072
+ # Ensure /var/log Located On Separate Partition
+ logvol /var/log --fstype=xfs --name=LogVol04 --vgname=VolGroup --size=1024
+ # Ensure /var/log/audit Located On Separate Partition
+diff --git a/rhel8/kickstart/ssg-rhel8-cui-ks.cfg b/rhel8/kickstart/ssg-rhel8-cui-ks.cfg
+index 6e0f83ebb7..8e4b92584f 100644
+--- a/rhel8/kickstart/ssg-rhel8-cui-ks.cfg
++++ b/rhel8/kickstart/ssg-rhel8-cui-ks.cfg
+@@ -107,7 +107,7 @@ part pv.01 --grow --size=1
+ volgroup VolGroup --pesize=4096 pv.01
+ 
+ # Create particular logical volumes (optional)
+-logvol / --fstype=xfs --name=root --vgname=VolGroup --size=11264 --grow
++logvol / --fstype=xfs --name=root --vgname=VolGroup --size=10240 --grow
+ # Ensure /home Located On Separate Partition
+ logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=1024 --fsoptions="nodev"
+ # Ensure /tmp Located On Separate Partition
+@@ -115,7 +115,7 @@ logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 --fsoptions="n
+ # Ensure /var/tmp Located On Separate Partition
+ logvol /var/tmp --fstype=xfs --name=vartmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
+ # Ensure /var Located On Separate Partition
+-logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=2048 --fsoptions="nodev"
++logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=3072 --fsoptions="nodev"
+ # Ensure /var/log Located On Separate Partition
+ logvol /var/log --fstype=xfs --name=log --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
+ # Ensure /var/log/audit Located On Separate Partition
+diff --git a/rhel8/kickstart/ssg-rhel8-ospp-ks.cfg b/rhel8/kickstart/ssg-rhel8-ospp-ks.cfg
+index 119e98364f..ec490c38ee 100644
+--- a/rhel8/kickstart/ssg-rhel8-ospp-ks.cfg
++++ b/rhel8/kickstart/ssg-rhel8-ospp-ks.cfg
+@@ -107,7 +107,7 @@ part pv.01 --grow --size=1
+ volgroup VolGroup --pesize=4096 pv.01
+ 
+ # Create particular logical volumes (optional)
+-logvol / --fstype=xfs --name=root --vgname=VolGroup --size=11264 --grow
++logvol / --fstype=xfs --name=root --vgname=VolGroup --size=10240 --grow
+ # Ensure /home Located On Separate Partition
+ logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=1024 --fsoptions="nodev"
+ # Ensure /tmp Located On Separate Partition
+@@ -115,7 +115,7 @@ logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 --fsoptions="n
+ # Ensure /var/tmp Located On Separate Partition
+ logvol /var/tmp --fstype=xfs --name=vartmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
+ # Ensure /var Located On Separate Partition
+-logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=2048 --fsoptions="nodev"
++logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=3072 --fsoptions="nodev"
+ # Ensure /var/log Located On Separate Partition
+ logvol /var/log --fstype=xfs --name=log --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
+ # Ensure /var/log/audit Located On Separate Partition
+diff --git a/rhel8/kickstart/ssg-rhel8-pci-dss-ks.cfg b/rhel8/kickstart/ssg-rhel8-pci-dss-ks.cfg
+index 21a50f52fd..386cbcc169 100644
+--- a/rhel8/kickstart/ssg-rhel8-pci-dss-ks.cfg
++++ b/rhel8/kickstart/ssg-rhel8-pci-dss-ks.cfg
+@@ -103,13 +103,13 @@ part pv.01 --grow --size=1
+ volgroup VolGroup --pesize=4096 pv.01
+ 
+ # Create particular logical volumes (optional)
+-logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=12288 --grow
++logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=11264 --grow
+ # CCE-26557-9: Ensure /home Located On Separate Partition
+ logvol /home --fstype=xfs --name=LogVol02 --vgname=VolGroup --size=1024 --fsoptions="nodev"
+ # CCE-26435-8: Ensure /tmp Located On Separate Partition
+ logvol /tmp --fstype=xfs --name=LogVol01 --vgname=VolGroup --size=1024 --fsoptions="nodev,noexec,nosuid"
+ # CCE-26639-5: Ensure /var Located On Separate Partition
+-logvol /var --fstype=xfs --name=LogVol03 --vgname=VolGroup --size=2048 --fsoptions="nodev"
++logvol /var --fstype=xfs --name=LogVol03 --vgname=VolGroup --size=3072 --fsoptions="nodev"
+ # CCE-26215-4: Ensure /var/log Located On Separate Partition
+ logvol /var/log --fstype=xfs --name=LogVol04 --vgname=VolGroup --size=1024 --fsoptions="nodev"
+ # CCE-26436-6: Ensure /var/log/audit Located On Separate Partition
+diff --git a/rhel8/kickstart/ssg-rhel8-stig-ks.cfg b/rhel8/kickstart/ssg-rhel8-stig-ks.cfg
+index a3e5e5fec1..28f7ff0927 100644
+--- a/rhel8/kickstart/ssg-rhel8-stig-ks.cfg
++++ b/rhel8/kickstart/ssg-rhel8-stig-ks.cfg
+@@ -107,7 +107,7 @@ part pv.01 --grow --size=1
+ volgroup VolGroup --pesize=4096 pv.01
+ 
+ # Create particular logical volumes (optional)
+-logvol / --fstype=xfs --name=root --vgname=VolGroup --size=11264 --grow
++logvol / --fstype=xfs --name=root --vgname=VolGroup --size=10240 --grow
+ # Ensure /home Located On Separate Partition
+ logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=1024 --fsoptions="nodev"
+ # Ensure /tmp Located On Separate Partition
+@@ -115,7 +115,7 @@ logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 --fsoptions="n
+ # Ensure /var/tmp Located On Separate Partition
+ logvol /var/tmp --fstype=xfs --name=vartmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
+ # Ensure /var Located On Separate Partition
+-logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=2048 --fsoptions="nodev"
++logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=3072 --fsoptions="nodev"
+ # Ensure /var/log Located On Separate Partition
+ logvol /var/log --fstype=xfs --name=log --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
+ # Ensure /var/log/audit Located On Separate Partition
diff --git a/SOURCES/scap-security-guide-0.1.55-better_align_anssi_ks-PR_6589.patch b/SOURCES/scap-security-guide-0.1.55-better_align_anssi_ks-PR_6589.patch
new file mode 100644
index 0000000..4f32181
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.55-better_align_anssi_ks-PR_6589.patch
@@ -0,0 +1,426 @@
+From fad3761eff3a3857bb4201ac90642dfc37217a2a Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Tue, 2 Feb 2021 09:41:26 +0100
+Subject: [PATCH 1/4] Remove extra configurations from ANSSI minimal ks
+
+- No need to restrict IPv6
+- Root login is not restricted
+- Simplify boot command
+- Simplify paritioning
+- No requirement to enforce use of SELinux
+---
+ .../ssg-rhel7-anssi_nt28_minimal-ks.cfg       | 46 ++--------------
+ .../ssg-rhel8-anssi_bp28_minimal-ks.cfg       | 53 +------------------
+ 2 files changed, 5 insertions(+), 94 deletions(-)
+
+diff --git a/rhel7/kickstart/ssg-rhel7-anssi_nt28_minimal-ks.cfg b/rhel7/kickstart/ssg-rhel7-anssi_nt28_minimal-ks.cfg
+index 4160ac094c..9bc4eae44f 100644
+--- a/rhel7/kickstart/ssg-rhel7-anssi_nt28_minimal-ks.cfg
++++ b/rhel7/kickstart/ssg-rhel7-anssi_nt28_minimal-ks.cfg
+@@ -54,7 +54,7 @@ keyboard us
+ #       "--bootproto=static" must be used. For example:
+ # network --bootproto=static --ip=10.0.2.15 --netmask=255.255.255.0 --gateway=10.0.2.254 --nameserver 192.168.2.1,192.168.3.1
+ #
+-network --onboot yes --device eth0 --bootproto dhcp --noipv6
++network --onboot yes --device eth0 --bootproto dhcp
+ 
+ # Set the system's root password (required)
+ # Plaintext password is: server
+@@ -62,26 +62,12 @@ network --onboot yes --device eth0 --bootproto dhcp --noipv6
+ # encrypted password form for different plaintext password
+ rootpw --iscrypted $6$/0RYeeRdK70ynvYz$jH2ZN/80HM6DjndHMxfUF9KIibwipitvizzXDH1zW.fTjyD3RD3tkNdNUaND18B/XqfAUW3vy1uebkBybCuIm0
+ 
+-# The selected profile will restrict root login
+-# Add a user that can login and escalate privileges
+-# Plaintext password is: admin123
+-user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted
+-
+-# Configure firewall settings for the system (optional)
+-# --enabled	reject incoming connections that are not in response to outbound requests
+-# --ssh		allow sshd service through the firewall
+-firewall --enabled --ssh
+-
+ # Set up the authentication options for the system (required)
+ # --enableshadow	enable shadowed passwords by default
+ # --passalgo		hash / crypt algorithm for new passwords
+ # See the manual page for authconfig for a complete list of possible options.
+ authconfig --enableshadow --passalgo=sha512
+ 
+-# State of SELinux on the installed system (optional)
+-# Defaults to enforcing
+-selinux --enforcing
+-
+ # Set the system time zone (required)
+ timezone --utc America/New_York
+ 
+@@ -89,7 +75,7 @@ timezone --utc America/New_York
+ # Plaintext password is: password
+ # Refer to e.g. https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw to see how to create
+ # encrypted password form for different plaintext password
+-bootloader --location=mbr --append="crashkernel=auto rhgb quiet" --password=$6$zCPaBARiNlBYUAS7$40phthWpqvaPVz3QUeIK6n5qoazJDJD5Nlc9OKy5SyYoX9Rt4jFaLjzqJCwpgR4RVAEFSADsqQot0WKs5qNto0
++bootloader --location=mbr
+ 
+ # Initialize (format) all disks (optional)
+ zerombr
+@@ -103,33 +89,7 @@ zerombr
+ clearpart --linux --initlabel
+ 
+ # Create primary system partitions (required for installs)
+-part /boot --fstype=xfs --size=512
+-part pv.01 --grow --size=1
+-
+-# Create a Logical Volume Management (LVM) group (optional)
+-volgroup VolGroup --pesize=4096 pv.01
+-
+-# Create particular logical volumes (optional)
+-logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=4216 --grow
+-# Ensure /usr Located On Separate Partition
+-logvol /usr --fstype=xfs --name=LogVol08 --vgname=VolGroup --size=5000 --fsoptions="nodev"
+-# Ensure /opt Located On Separate Partition
+-logvol /opt --fstype=xfs --name=LogVol09 --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid"
+-# Ensure /srv Located On Separate Partition
+-logvol /srv --fstype=xfs --name=LogVol10 --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid"
+-# Ensure /home Located On Separate Partition
+-logvol /home --fstype=xfs --name=LogVol02 --vgname=VolGroup --size=1024 --fsoptions="nodev"
+-# Ensure /tmp Located On Separate Partition
+-logvol /tmp --fstype=xfs --name=LogVol01 --vgname=VolGroup --size=1024 --fsoptions="nodev,noexec,nosuid"
+-# Ensure /var/tmp Located On Separate Partition
+-logvol /var/tmp --fstype=xfs --name=LogVol7 --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
+-# Ensure /var Located On Separate Partition
+-logvol /var --fstype=xfs --name=LogVol03 --vgname=VolGroup --size=2048 --fsoptions="nodev"
+-# Ensure /var/log Located On Separate Partition
+-logvol /var/log --fstype=xfs --name=LogVol04 --vgname=VolGroup --size=1024 --fsoptions="nodev"
+-# Ensure /var/log/audit Located On Separate Partition
+-logvol /var/log/audit --fstype=xfs --name=LogVol05 --vgname=VolGroup --size=512 --fsoptions="nodev"
+-logvol swap --name=lv_swap --vgname=VolGroup --size=2016
++autopart
+ 
+ # Despite the ID referencing NT-28, the profile is aligned to BP-028
+ %addon org_fedora_oscap
+diff --git a/rhel8/kickstart/ssg-rhel8-anssi_bp28_minimal-ks.cfg b/rhel8/kickstart/ssg-rhel8-anssi_bp28_minimal-ks.cfg
+index 7fc4945518..1d62b55d55 100644
+--- a/rhel8/kickstart/ssg-rhel8-anssi_bp28_minimal-ks.cfg
++++ b/rhel8/kickstart/ssg-rhel8-anssi_bp28_minimal-ks.cfg
+@@ -6,9 +6,6 @@
+ # https://pykickstart.readthedocs.io/en/latest/
+ # http://usgcb.nist.gov/usgcb/content/configuration/workstation-ks.cfg
+ 
+-# Install a fresh new system (optional)
+-install
+-
+ # Specify installation method to use for installation
+ # To use a different one comment out the 'url' one below, update
+ # the selected choice with proper options & un-comment it
+@@ -61,26 +58,6 @@ network --onboot yes --bootproto dhcp
+ # to see how to create encrypted password form for different plaintext password
+ rootpw --iscrypted $6$0WWGZ1e6icT$1KiHZK.Nzp3HQerfiy8Ic3pOeCWeIzA.zkQ7mkvYT3bNC5UeGK2ceE5b6TkSg4D/kiSudkT04QlSKknsrNE220
+ 
+-# The selected profile will restrict root login
+-# Add a user that can login and escalate privileges
+-# Plaintext password is: admin123
+-user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted
+-
+-# Configure firewall settings for the system (optional)
+-# --enabled	reject incoming connections that are not in response to outbound requests
+-# --ssh		allow sshd service through the firewall
+-firewall --enabled --ssh
+-
+-# Set up the authentication options for the system (required)
+-# --enableshadow	enable shadowed passwords by default
+-# --passalgo		hash / crypt algorithm for new passwords
+-# See the manual page for authconfig for a complete list of possible options.
+-authconfig --enableshadow --passalgo=sha512
+-
+-# State of SELinux on the installed system (optional)
+-# Defaults to enforcing
+-selinux --enforcing
+-
+ # Set the system time zone (required)
+ timezone --utc America/New_York
+ 
+@@ -89,7 +66,7 @@ timezone --utc America/New_York
+ # Refer to e.g.
+ #   https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw
+ # to see how to create encrypted password form for different plaintext password
+-bootloader --location=mbr --append="audit=1 audit_backlog_limit=8192 slub_debug=P page_poison=1 vsyscall=none" --password=$6$zCPaBARiNlBYUAS7$40phthWpqvaPVz3QUeIK6n5qoazJDJD5Nlc9OKy5SyYoX9Rt4jFaLjzqJCwpgR4RVAEFSADsqQot0WKs5qNto0
++bootloader --location=mbr
+ 
+ # Initialize (format) all disks (optional)
+ zerombr
+@@ -103,33 +80,7 @@ zerombr
+ clearpart --linux --initlabel
+ 
+ # Create primary system partitions (required for installs)
+-part /boot --fstype=xfs --size=512
+-part pv.01 --grow --size=1
+-
+-# Create a Logical Volume Management (LVM) group (optional)
+-volgroup VolGroup --pesize=4096 pv.01
+-
+-# Create particular logical volumes (optional)
+-logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=3192 --grow
+-# Ensure /usr Located On Separate Partition
+-logvol /usr --fstype=xfs --name=LogVol08 --vgname=VolGroup --size=5000 --fsoptions="nodev"
+-# Ensure /opt Located On Separate Partition
+-logvol /opt --fstype=xfs --name=LogVol09 --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid"
+-# Ensure /srv Located On Separate Partition
+-logvol /srv --fstype=xfs --name=LogVol10 --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid"
+-# Ensure /home Located On Separate Partition
+-logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=1024 --fsoptions="nodev"
+-# Ensure /tmp Located On Separate Partition
+-logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
+-# Ensure /var/tmp Located On Separate Partition
+-logvol /var/tmp --fstype=xfs --name=vartmp --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
+-# Ensure /var Located On Separate Partition
+-logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=3072 --fsoptions="nodev"
+-# Ensure /var/log Located On Separate Partition
+-logvol /var/log --fstype=xfs --name=log --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
+-# Ensure /var/log/audit Located On Separate Partition
+-logvol /var/log/audit --fstype=xfs --name=audit --vgname=VolGroup --size=512 --fsoptions="nodev,nosuid,noexec"
+-logvol swap --name=swap --vgname=VolGroup --size=2016
++autopart
+ 
+ # The OpenSCAP installer add-on is used to apply SCAP (Security Content Automation Protocol)
+ # content - security policies - on the installed system.This add-on has been enabled by default
+
+From 3884ae59b59d69c928acb1d3d52a3f68834aa709 Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Tue, 2 Feb 2021 09:53:20 +0100
+Subject: [PATCH 2/4] Align ANSSI kickstarts with intermediary level
+
+- Simplify boot command
+- No requirement to enforce use of SELinux
+---
+ .../ssg-rhel7-anssi_nt28_intermediary-ks.cfg    |  6 +-----
+ .../ssg-rhel8-anssi_bp28_intermediary-ks.cfg    | 17 ++---------------
+ 2 files changed, 3 insertions(+), 20 deletions(-)
+
+diff --git a/rhel7/kickstart/ssg-rhel7-anssi_nt28_intermediary-ks.cfg b/rhel7/kickstart/ssg-rhel7-anssi_nt28_intermediary-ks.cfg
+index ab654410b5..20c4c59a78 100644
+--- a/rhel7/kickstart/ssg-rhel7-anssi_nt28_intermediary-ks.cfg
++++ b/rhel7/kickstart/ssg-rhel7-anssi_nt28_intermediary-ks.cfg
+@@ -78,10 +78,6 @@ firewall --enabled --ssh
+ # See the manual page for authconfig for a complete list of possible options.
+ authconfig --enableshadow --passalgo=sha512
+ 
+-# State of SELinux on the installed system (optional)
+-# Defaults to enforcing
+-selinux --enforcing
+-
+ # Set the system time zone (required)
+ timezone --utc America/New_York
+ 
+@@ -89,7 +85,7 @@ timezone --utc America/New_York
+ # Plaintext password is: password
+ # Refer to e.g. https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw to see how to create
+ # encrypted password form for different plaintext password
+-bootloader --location=mbr --append="crashkernel=auto rhgb quiet" --password=$6$zCPaBARiNlBYUAS7$40phthWpqvaPVz3QUeIK6n5qoazJDJD5Nlc9OKy5SyYoX9Rt4jFaLjzqJCwpgR4RVAEFSADsqQot0WKs5qNto0
++bootloader --location=mbr --password=$6$zCPaBARiNlBYUAS7$40phthWpqvaPVz3QUeIK6n5qoazJDJD5Nlc9OKy5SyYoX9Rt4jFaLjzqJCwpgR4RVAEFSADsqQot0WKs5qNto0
+ 
+ # Initialize (format) all disks (optional)
+ zerombr
+diff --git a/rhel8/kickstart/ssg-rhel8-anssi_bp28_intermediary-ks.cfg b/rhel8/kickstart/ssg-rhel8-anssi_bp28_intermediary-ks.cfg
+index 981d291847..3a241b06f4 100644
+--- a/rhel8/kickstart/ssg-rhel8-anssi_bp28_intermediary-ks.cfg
++++ b/rhel8/kickstart/ssg-rhel8-anssi_bp28_intermediary-ks.cfg
+@@ -6,9 +6,6 @@
+ # https://pykickstart.readthedocs.io/en/latest/
+ # http://usgcb.nist.gov/usgcb/content/configuration/workstation-ks.cfg
+ 
+-# Install a fresh new system (optional)
+-install
+-
+ # Specify installation method to use for installation
+ # To use a different one comment out the 'url' one below, update
+ # the selected choice with proper options & un-comment it
+@@ -52,7 +49,7 @@ keyboard us
+ #       "--bootproto=static" must be used. For example:
+ # network --bootproto=static --ip=10.0.2.15 --netmask=255.255.255.0 --gateway=10.0.2.254 --nameserver 192.168.2.1,192.168.3.1
+ #
+-network --onboot yes --bootproto dhcp
++network --onboot yes --bootproto dhcp --noipv6
+ 
+ # Set the system's root password (required)
+ # Plaintext password is: server
+@@ -71,16 +68,6 @@ user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUaf
+ # --ssh		allow sshd service through the firewall
+ firewall --enabled --ssh
+ 
+-# Set up the authentication options for the system (required)
+-# --enableshadow	enable shadowed passwords by default
+-# --passalgo		hash / crypt algorithm for new passwords
+-# See the manual page for authconfig for a complete list of possible options.
+-authconfig --enableshadow --passalgo=sha512
+-
+-# State of SELinux on the installed system (optional)
+-# Defaults to enforcing
+-selinux --enforcing
+-
+ # Set the system time zone (required)
+ timezone --utc America/New_York
+ 
+@@ -89,7 +76,7 @@ timezone --utc America/New_York
+ # Refer to e.g.
+ #   https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw
+ # to see how to create encrypted password form for different plaintext password
+-bootloader --location=mbr --append="audit=1 audit_backlog_limit=8192 slub_debug=P page_poison=1 vsyscall=none" --password=$6$zCPaBARiNlBYUAS7$40phthWpqvaPVz3QUeIK6n5qoazJDJD5Nlc9OKy5SyYoX9Rt4jFaLjzqJCwpgR4RVAEFSADsqQot0WKs5qNto0
++bootloader --location=mbr
+ 
+ # Initialize (format) all disks (optional)
+ zerombr
+
+From 745ec9b02bb45ca89d2705e79b36b17060508765 Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Tue, 2 Feb 2021 14:03:09 +0100
+Subject: [PATCH 3/4] Align ANSSI kickstarts with enhanced level
+
+- Keep restricting IPv6
+- Audit enabled during boot
+- No requirement to enforce use of SELinux
+---
+ .../ssg-rhel7-anssi_nt28_enhanced-ks.cfg        |  6 +-----
+ .../ssg-rhel8-anssi_bp28_enhanced-ks.cfg        | 17 ++---------------
+ 2 files changed, 3 insertions(+), 20 deletions(-)
+
+diff --git a/rhel7/kickstart/ssg-rhel7-anssi_nt28_enhanced-ks.cfg b/rhel7/kickstart/ssg-rhel7-anssi_nt28_enhanced-ks.cfg
+index 2e75873a28..1d35bedb91 100644
+--- a/rhel7/kickstart/ssg-rhel7-anssi_nt28_enhanced-ks.cfg
++++ b/rhel7/kickstart/ssg-rhel7-anssi_nt28_enhanced-ks.cfg
+@@ -78,10 +78,6 @@ firewall --enabled --ssh
+ # See the manual page for authconfig for a complete list of possible options.
+ authconfig --enableshadow --passalgo=sha512
+ 
+-# State of SELinux on the installed system (optional)
+-# Defaults to enforcing
+-selinux --enforcing
+-
+ # Set the system time zone (required)
+ timezone --utc America/New_York
+ 
+@@ -89,7 +85,7 @@ timezone --utc America/New_York
+ # Plaintext password is: password
+ # Refer to e.g. https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw to see how to create
+ # encrypted password form for different plaintext password
+-bootloader --location=mbr --append="crashkernel=auto rhgb quiet" --password=$6$zCPaBARiNlBYUAS7$40phthWpqvaPVz3QUeIK6n5qoazJDJD5Nlc9OKy5SyYoX9Rt4jFaLjzqJCwpgR4RVAEFSADsqQot0WKs5qNto0
++bootloader --location=mbr --append="audit=1 audit_backlog_limig=8192" --password=$6$zCPaBARiNlBYUAS7$40phthWpqvaPVz3QUeIK6n5qoazJDJD5Nlc9OKy5SyYoX9Rt4jFaLjzqJCwpgR4RVAEFSADsqQot0WKs5qNto0
+ 
+ # Initialize (format) all disks (optional)
+ zerombr
+diff --git a/rhel8/kickstart/ssg-rhel8-anssi_bp28_enhanced-ks.cfg b/rhel8/kickstart/ssg-rhel8-anssi_bp28_enhanced-ks.cfg
+index 4e249f61e2..728946ecb7 100644
+--- a/rhel8/kickstart/ssg-rhel8-anssi_bp28_enhanced-ks.cfg
++++ b/rhel8/kickstart/ssg-rhel8-anssi_bp28_enhanced-ks.cfg
+@@ -6,9 +6,6 @@
+ # https://pykickstart.readthedocs.io/en/latest/
+ # http://usgcb.nist.gov/usgcb/content/configuration/workstation-ks.cfg
+ 
+-# Install a fresh new system (optional)
+-install
+-
+ # Specify installation method to use for installation
+ # To use a different one comment out the 'url' one below, update
+ # the selected choice with proper options & un-comment it
+@@ -52,7 +49,7 @@ keyboard us
+ #       "--bootproto=static" must be used. For example:
+ # network --bootproto=static --ip=10.0.2.15 --netmask=255.255.255.0 --gateway=10.0.2.254 --nameserver 192.168.2.1,192.168.3.1
+ #
+-network --onboot yes --bootproto dhcp
++network --onboot yes --bootproto dhcp --noipv6
+ 
+ # Set the system's root password (required)
+ # Plaintext password is: server
+@@ -71,16 +68,6 @@ user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUaf
+ # --ssh		allow sshd service through the firewall
+ firewall --enabled --ssh
+ 
+-# Set up the authentication options for the system (required)
+-# --enableshadow	enable shadowed passwords by default
+-# --passalgo		hash / crypt algorithm for new passwords
+-# See the manual page for authconfig for a complete list of possible options.
+-authconfig --enableshadow --passalgo=sha512
+-
+-# State of SELinux on the installed system (optional)
+-# Defaults to enforcing
+-selinux --enforcing
+-
+ # Set the system time zone (required)
+ timezone --utc America/New_York
+ 
+@@ -89,7 +76,7 @@ timezone --utc America/New_York
+ # Refer to e.g.
+ #   https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw
+ # to see how to create encrypted password form for different plaintext password
+-bootloader --location=mbr --append="audit=1 audit_backlog_limit=8192 slub_debug=P page_poison=1 vsyscall=none" --password=$6$zCPaBARiNlBYUAS7$40phthWpqvaPVz3QUeIK6n5qoazJDJD5Nlc9OKy5SyYoX9Rt4jFaLjzqJCwpgR4RVAEFSADsqQot0WKs5qNto0
++bootloader --location=mbr --append="audit=1 audit_backlog_limit=8192" --password=$6$zCPaBARiNlBYUAS7$40phthWpqvaPVz3QUeIK6n5qoazJDJD5Nlc9OKy5SyYoX9Rt4jFaLjzqJCwpgR4RVAEFSADsqQot0WKs5qNto0
+ 
+ # Initialize (format) all disks (optional)
+ zerombr
+
+From 6804cdfbdea9992daf48fe545d8005be9f37bc56 Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Tue, 2 Feb 2021 14:08:15 +0100
+Subject: [PATCH 4/4] Align ANSSI Kickstarts with high level
+
+---
+ rhel7/kickstart/ssg-rhel7-anssi_nt28_high-ks.cfg |  2 +-
+ rhel8/kickstart/ssg-rhel8-anssi_bp28_high-ks.cfg | 13 ++-----------
+ 2 files changed, 3 insertions(+), 12 deletions(-)
+
+diff --git a/rhel7/kickstart/ssg-rhel7-anssi_nt28_high-ks.cfg b/rhel7/kickstart/ssg-rhel7-anssi_nt28_high-ks.cfg
+index 745dcbd058..73225c2fab 100644
+--- a/rhel7/kickstart/ssg-rhel7-anssi_nt28_high-ks.cfg
++++ b/rhel7/kickstart/ssg-rhel7-anssi_nt28_high-ks.cfg
+@@ -89,7 +89,7 @@ timezone --utc America/New_York
+ # Plaintext password is: password
+ # Refer to e.g. https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw to see how to create
+ # encrypted password form for different plaintext password
+-bootloader --location=mbr --append="crashkernel=auto rhgb quiet" --password=$6$zCPaBARiNlBYUAS7$40phthWpqvaPVz3QUeIK6n5qoazJDJD5Nlc9OKy5SyYoX9Rt4jFaLjzqJCwpgR4RVAEFSADsqQot0WKs5qNto0
++bootloader --location=mbr --append="audit=1 audit_backlog_limit=8192" --password=$6$zCPaBARiNlBYUAS7$40phthWpqvaPVz3QUeIK6n5qoazJDJD5Nlc9OKy5SyYoX9Rt4jFaLjzqJCwpgR4RVAEFSADsqQot0WKs5qNto0
+ 
+ # Initialize (format) all disks (optional)
+ zerombr
+diff --git a/rhel8/kickstart/ssg-rhel8-anssi_bp28_high-ks.cfg b/rhel8/kickstart/ssg-rhel8-anssi_bp28_high-ks.cfg
+index a1511b157a..cd0eff2625 100644
+--- a/rhel8/kickstart/ssg-rhel8-anssi_bp28_high-ks.cfg
++++ b/rhel8/kickstart/ssg-rhel8-anssi_bp28_high-ks.cfg
+@@ -6,9 +6,6 @@
+ # https://pykickstart.readthedocs.io/en/latest/
+ # http://usgcb.nist.gov/usgcb/content/configuration/workstation-ks.cfg
+ 
+-# Install a fresh new system (optional)
+-install
+-
+ # Specify installation method to use for installation
+ # To use a different one comment out the 'url' one below, update
+ # the selected choice with proper options & un-comment it
+@@ -52,7 +49,7 @@ keyboard us
+ #       "--bootproto=static" must be used. For example:
+ # network --bootproto=static --ip=10.0.2.15 --netmask=255.255.255.0 --gateway=10.0.2.254 --nameserver 192.168.2.1,192.168.3.1
+ #
+-network --onboot yes --bootproto dhcp
++network --onboot yes --bootproto dhcp --noipv6
+ 
+ # Set the system's root password (required)
+ # Plaintext password is: server
+@@ -71,12 +68,6 @@ user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUaf
+ # --ssh		allow sshd service through the firewall
+ firewall --enabled --ssh
+ 
+-# Set up the authentication options for the system (required)
+-# --enableshadow	enable shadowed passwords by default
+-# --passalgo		hash / crypt algorithm for new passwords
+-# See the manual page for authconfig for a complete list of possible options.
+-authconfig --enableshadow --passalgo=sha512
+-
+ # State of SELinux on the installed system (optional)
+ # Defaults to enforcing
+ selinux --enforcing
+@@ -89,7 +80,7 @@ timezone --utc America/New_York
+ # Refer to e.g.
+ #   https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw
+ # to see how to create encrypted password form for different plaintext password
+-bootloader --location=mbr --append="audit=1 audit_backlog_limit=8192 slub_debug=P page_poison=1 vsyscall=none" --password=$6$zCPaBARiNlBYUAS7$40phthWpqvaPVz3QUeIK6n5qoazJDJD5Nlc9OKy5SyYoX9Rt4jFaLjzqJCwpgR4RVAEFSADsqQot0WKs5qNto0
++bootloader --location=mbr --append="audit=1 audit_backlog_limit=8192" --password=$6$zCPaBARiNlBYUAS7$40phthWpqvaPVz3QUeIK6n5qoazJDJD5Nlc9OKy5SyYoX9Rt4jFaLjzqJCwpgR4RVAEFSADsqQot0WKs5qNto0
+ 
+ # Initialize (format) all disks (optional)
+ zerombr
diff --git a/SOURCES/scap-security-guide-0.1.55-bump_rhel7_stig_version_to-PR_6576.patch b/SOURCES/scap-security-guide-0.1.55-bump_rhel7_stig_version_to-PR_6576.patch
new file mode 100644
index 0000000..3bd1585
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.55-bump_rhel7_stig_version_to-PR_6576.patch
@@ -0,0 +1,4268 @@
+From 279a1dca247d1fa61a9004623defa32711552055 Mon Sep 17 00:00:00 2001
+From: Gabriel Becker <ggasparb@redhat.com>
+Date: Thu, 28 Jan 2021 11:01:47 +0100
+Subject: [PATCH] Bump RHEL7 STIG version to v3r2.
+
+Replace all related artifacts with new version of them.
+---
+ rhel7/overlays/stig_overlay.xml               | 568 ++++++------
+ rhel7/profiles/stig.profile                   |   2 +-
+ ... => disa-stig-rhel7-v3r2-xccdf-manual.xml} | 837 +++++++++---------
+ 3 files changed, 711 insertions(+), 696 deletions(-)
+ rename shared/references/{disa-stig-rhel7-v3r1-xccdf-manual.xml => disa-stig-rhel7-v3r2-xccdf-manual.xml} (84%)
+
+diff --git a/rhel7/overlays/stig_overlay.xml b/rhel7/overlays/stig_overlay.xml
+index 66ca2bd0d0..cd50f655bc 100644
+--- a/rhel7/overlays/stig_overlay.xml
++++ b/rhel7/overlays/stig_overlay.xml
+@@ -1,983 +1,987 @@
+ <?xml version="1.0" encoding="UTF-8"?>
+ <overlays xmlns="http://checklists.nist.gov/xccdf/1.1">
+   <overlay owner="disastig" ruleid="rpm_verify_ownership" ownerid="RHEL-07-010010" disa="2235" severity="high">
+-    <VMSinfo VKey="204392" SVKey="204392r5059" VRelease="r505924"/>
++    <VMSinfo VKey="204392" SVKey="204392r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must be configured so that the file permissions, ownership, and group membership of system files and commands match the vendor values."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="rpm_verify_hashes" ownerid="RHEL-07-010020" disa="1749" severity="high">
+-    <VMSinfo VKey="214799" SVKey="214799r5059" VRelease="r505924"/>
++    <VMSinfo VKey="214799" SVKey="214799r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must be configured so that the cryptographic hash of system files and commands matches vendor values."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="dconf_gnome_banner_enabled" ownerid="RHEL-07-010030" disa="48" severity="medium">
+-    <VMSinfo VKey="204393" SVKey="204393r5059" VRelease="r505924"/>
++    <VMSinfo VKey="204393" SVKey="204393r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a graphical user logon."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="dconf_gnome_login_banner_text" ownerid="RHEL-07-010040" disa="48" severity="medium">
+-    <VMSinfo VKey="204394" SVKey="204394r5059" VRelease="r505924"/>
++    <VMSinfo VKey="204394" SVKey="204394r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must display the approved Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a graphical user logon."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="banner_etc_issue" ownerid="RHEL-07-010050" disa="48" severity="medium">
+-    <VMSinfo VKey="204395" SVKey="204395r5059" VRelease="r505924"/>
++    <VMSinfo VKey="204395" SVKey="204395r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a command line user logon."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="dconf_gnome_screensaver_lock_enabled" ownerid="RHEL-07-010060" disa="56" severity="medium">
+-    <VMSinfo VKey="204396" SVKey="204396r5059" VRelease="r505924"/>
++    <VMSinfo VKey="204396" SVKey="204396r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must enable a user session lock until that user re-establishes access using established identification and authentication procedures."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="dconf_gnome_enable_smartcard_auth" ownerid="RHEL-07-010061" disa="1954" severity="medium">
+-    <VMSinfo VKey="204397" SVKey="204397r5059" VRelease="r505924"/>
++    <VMSinfo VKey="204397" SVKey="204397r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must uniquely identify and must authenticate users using multifactor authentication via a graphical user logon."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="dconf_gnome_screensaver_lock_locked" ownerid="RHEL-07-010062" disa="57" severity="medium">
+-    <VMSinfo VKey="214937" SVKey="214937r5059" VRelease="r505924"/>
++    <VMSinfo VKey="214937" SVKey="214937r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must prevent a user from overriding the screensaver lock-enabled setting for the graphical user interface."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="dconf_gnome_screensaver_idle_delay" ownerid="RHEL-07-010070" disa="57" severity="medium">
+-    <VMSinfo VKey="204398" SVKey="204398r5059" VRelease="r505924"/>
++    <VMSinfo VKey="204398" SVKey="204398r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must initiate a screensaver after a 15-minute period of inactivity for graphical user interfaces."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="dconf_gnome_screensaver_user_locks" ownerid="RHEL-07-010081" disa="57" severity="medium">
+-    <VMSinfo VKey="204399" SVKey="204399r5059" VRelease="r505924"/>
++    <VMSinfo VKey="204399" SVKey="204399r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must prevent a user from overriding the screensaver lock-delay setting for the graphical user interface."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="dconf_gnome_session_idle_user_locks" ownerid="RHEL-07-010082" disa="57" severity="medium">
+-    <VMSinfo VKey="204400" SVKey="204400r5059" VRelease="r505924"/>
++    <VMSinfo VKey="204400" SVKey="204400r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must prevent a user from overriding the session idle-delay setting for the graphical user interface."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="dconf_gnome_screensaver_idle_activation_enabled" ownerid="RHEL-07-010100" disa="57" severity="medium">
+-    <VMSinfo VKey="204402" SVKey="204402r5059" VRelease="r505924"/>
++    <VMSinfo VKey="204402" SVKey="204402r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must initiate a session lock for the screensaver after a period of inactivity for graphical user interfaces."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="dconf_gnome_screensaver_idle_activation_locked" ownerid="RHEL-07-010101" disa="57" severity="medium">
+-    <VMSinfo VKey="204403" SVKey="204403r5059" VRelease="r505924"/>
++    <VMSinfo VKey="204403" SVKey="204403r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must prevent a user from overriding the screensaver idle-activation-enabled setting for the graphical user interface."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="dconf_gnome_screensaver_lock_delay" ownerid="RHEL-07-010110" disa="57" severity="medium">
+-    <VMSinfo VKey="204404" SVKey="204404r5059" VRelease="r505924"/>
++    <VMSinfo VKey="204404" SVKey="204404r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must initiate a session lock for graphical user interfaces when the screensaver is activated."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="XXXX" ownerid="RHEL-07-010118" disa="192" severity="medium">
+-    <VMSinfo VKey="204405" SVKey="204405r5059" VRelease="r505924"/>
++    <VMSinfo VKey="204405" SVKey="204405r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must be configured so that /etc/pam.d/passwd implements /etc/pam.d/system-auth when changing passwords."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="accounts_password_pam_retry" ownerid="RHEL-07-010119" disa="192" severity="medium">
+-    <VMSinfo VKey="204406" SVKey="204406r5059" VRelease="r505924"/>
++    <VMSinfo VKey="204406" SVKey="204406r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed or new passwords are established, pwquality must be used."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="accounts_password_pam_ucredit" ownerid="RHEL-07-010120" disa="192" severity="medium">
+-    <VMSinfo VKey="204407" SVKey="204407r5059" VRelease="r505924"/>
++    <VMSinfo VKey="204407" SVKey="204407r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed or new passwords are established, the new password must contain at least one upper-case character."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="accounts_password_pam_lcredit" ownerid="RHEL-07-010130" disa="193" severity="medium">
+-    <VMSinfo VKey="204408" SVKey="204408r5059" VRelease="r505924"/>
++    <VMSinfo VKey="204408" SVKey="204408r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed or new passwords are established, the new password must contain at least one lower-case character."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="accounts_password_pam_dcredit" ownerid="RHEL-07-010140" disa="194" severity="medium">
+-    <VMSinfo VKey="204409" SVKey="204409r5059" VRelease="r505924"/>
++    <VMSinfo VKey="204409" SVKey="204409r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed or new passwords are assigned, the new password must contain at least one numeric character."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="accounts_password_pam_ocredit" ownerid="RHEL-07-010150" disa="1619" severity="medium">
+-    <VMSinfo VKey="204410" SVKey="204410r5059" VRelease="r505924"/>
++    <VMSinfo VKey="204410" SVKey="204410r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed or new passwords are established, the new password must contain at least one special character."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="accounts_password_pam_difok" ownerid="RHEL-07-010160" disa="195" severity="medium">
+-    <VMSinfo VKey="204411" SVKey="204411r5059" VRelease="r505924"/>
++    <VMSinfo VKey="204411" SVKey="204411r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed a minimum of eight of the total number of characters must be changed."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="accounts_password_pam_minclass" ownerid="RHEL-07-010170" disa="195" severity="medium">
+-    <VMSinfo VKey="204412" SVKey="204412r5059" VRelease="r505924"/>
++    <VMSinfo VKey="204412" SVKey="204412r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed a minimum of four character classes must be changed."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="accounts_password_pam_maxrepeat" ownerid="RHEL-07-010180" disa="195" severity="medium">
+-    <VMSinfo VKey="204413" SVKey="204413r5059" VRelease="r505924"/>
++    <VMSinfo VKey="204413" SVKey="204413r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed the number of repeating consecutive characters must not be more than three characters."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="accounts_password_pam_maxclassrepeat" ownerid="RHEL-07-010190" disa="195" severity="medium">
+-    <VMSinfo VKey="204414" SVKey="204414r5059" VRelease="r505924"/>
++    <VMSinfo VKey="204414" SVKey="204414r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed the number of repeating characters of the same character class must not be more than four characters."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="set_password_hashing_algorithm_systemauth" ownerid="RHEL-07-010200" disa="196" severity="medium">
+-    <VMSinfo VKey="204415" SVKey="204415r5059" VRelease="r505924"/>
++    <VMSinfo VKey="204415" SVKey="204415r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must be configured so that the PAM system service is configured to store only encrypted representations of passwords."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="set_password_hashing_algorithm_logindefs" ownerid="RHEL-07-010210" disa="196" severity="medium">
+-    <VMSinfo VKey="204416" SVKey="204416r5059" VRelease="r505924"/>
++    <VMSinfo VKey="204416" SVKey="204416r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must be configured to use the shadow file to store only encrypted representations of passwords."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="set_password_hashing_algorithm_libuserconf" ownerid="RHEL-07-010220" disa="196" severity="medium">
+-    <VMSinfo VKey="204417" SVKey="204417r5059" VRelease="r505924"/>
++    <VMSinfo VKey="204417" SVKey="204417r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must be configured so that user and group account administration utilities are configured to store only encrypted representations of passwords."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="accounts_minimum_age_login_defs" ownerid="RHEL-07-010230" disa="198" severity="medium">
+-    <VMSinfo VKey="204418" SVKey="204418r5059" VRelease="r505924"/>
++    <VMSinfo VKey="204418" SVKey="204418r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must be configured so that passwords for new users are restricted to a 24 hours/1 day minimum lifetime."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="accounts_password_set_min_life_existing" ownerid="RHEL-07-010240" disa="198" severity="medium">
+-    <VMSinfo VKey="204419" SVKey="204419r5059" VRelease="r505924"/>
++    <VMSinfo VKey="204419" SVKey="204419r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must be configured so that passwords are restricted to a 24 hours/1 day minimum lifetime."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="accounts_maximum_age_login_defs" ownerid="RHEL-07-010250" disa="199" severity="medium">
+-    <VMSinfo VKey="204420" SVKey="204420r5059" VRelease="r505924"/>
++    <VMSinfo VKey="204420" SVKey="204420r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must be configured so that passwords for new users are restricted to a 60-day maximum lifetime."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="accounts_password_set_max_life_existing" ownerid="RHEL-07-010260" disa="199" severity="medium">
+-    <VMSinfo VKey="204421" SVKey="204421r5059" VRelease="r505924"/>
++    <VMSinfo VKey="204421" SVKey="204421r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must be configured so that existing passwords are restricted to a 60-day maximum lifetime."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="accounts_password_pam_unix_remember" ownerid="RHEL-07-010270" disa="200" severity="medium">
+-    <VMSinfo VKey="204422" SVKey="204422r5059" VRelease="r505924"/>
++    <VMSinfo VKey="204422" SVKey="204422r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must be configured so that passwords are prohibited from reuse for a minimum of five generations."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="accounts_password_pam_minlen" ownerid="RHEL-07-010280" disa="205" severity="medium">
+-    <VMSinfo VKey="204423" SVKey="204423r5059" VRelease="r505924"/>
++    <VMSinfo VKey="204423" SVKey="204423r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must be configured so that passwords are a minimum of 15 characters in length."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="no_empty_passwords" ownerid="RHEL-07-010290" disa="366" severity="high">
+-    <VMSinfo VKey="204424" SVKey="204424r5059" VRelease="r505924"/>
++    <VMSinfo VKey="204424" SVKey="204424r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must not have accounts configured with blank or null passwords."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="sshd_disable_empty_passwords" ownerid="RHEL-07-010300" disa="766" severity="high">
+-    <VMSinfo VKey="204425" SVKey="204425r5059" VRelease="r505924"/>
++    <VMSinfo VKey="204425" SVKey="204425r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not allow authentication using an empty password."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="account_disable_post_pw_expiration" ownerid="RHEL-07-010310" disa="795" severity="medium">
+-    <VMSinfo VKey="204426" SVKey="204426r5059" VRelease="r505924"/>
++    <VMSinfo VKey="204426" SVKey="204426r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must disable account identifiers (individuals, groups, roles, and devices) if the password expires."/>
+   </overlay>
+-  <overlay owner="disastig" ruleid="accounts_passwords_pam_faillock_unlock_time" ownerid="RHEL-07-010320" disa="2238" severity="medium">
+-    <VMSinfo VKey="204427" SVKey="204427r5059" VRelease="r505924"/>
++  <overlay owner="disastig" ruleid="accounts_passwords_pam_faillock_interval" ownerid="RHEL-07-010320" disa="2238" severity="medium">
++    <VMSinfo VKey="204427" SVKey="204427r6038" VRelease="r603824"/>
+     <title text="The Red Hat Enterprise Linux operating system must be configured to lock accounts for a minimum of 15 minutes after three unsuccessful logon attempts within a 15-minute timeframe."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="accounts_passwords_pam_faillock_deny_root" ownerid="RHEL-07-010330" disa="2238" severity="medium">
+-    <VMSinfo VKey="204428" SVKey="204428r5059" VRelease="r505924"/>
++    <VMSinfo VKey="204428" SVKey="204428r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must lock the associated account after three unsuccessful root logon attempts are made within a 15-minute period."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="sudo_remove_nopasswd" ownerid="RHEL-07-010340" disa="2038" severity="medium">
+-    <VMSinfo VKey="204429" SVKey="204429r5059" VRelease="r505924"/>
++    <VMSinfo VKey="204429" SVKey="204429r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must be configured so that users must provide a password for privilege escalation."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="sudo_remove_no_authenticate" ownerid="RHEL-07-010350" disa="2038" severity="medium">
+-    <VMSinfo VKey="204430" SVKey="204430r5059" VRelease="r505924"/>
++    <VMSinfo VKey="204430" SVKey="204430r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must be configured so that users must re-authenticate for privilege escalation."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="accounts_logon_fail_delay" ownerid="RHEL-07-010430" disa="366" severity="medium">
+-    <VMSinfo VKey="204431" SVKey="204431r5059" VRelease="r505924"/>
++    <VMSinfo VKey="204431" SVKey="204431r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must be configured so that the delay between logon prompts following a failed console logon attempt is at least four seconds."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="gnome_gdm_disable_automatic_login" ownerid="RHEL-07-010440" disa="366" severity="high">
+-    <VMSinfo VKey="204432" SVKey="204432r5059" VRelease="r505924"/>
++    <VMSinfo VKey="204432" SVKey="204432r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must not allow an unattended or automatic logon to the system via a graphical user interface."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="gnome_gdm_disable_guest_login" ownerid="RHEL-07-010450" disa="366" severity="high">
+-    <VMSinfo VKey="204433" SVKey="204433r5059" VRelease="r505924"/>
++    <VMSinfo VKey="204433" SVKey="204433r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must not allow an unrestricted logon to the system."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="sshd_do_not_permit_user_env" ownerid="RHEL-07-010460" disa="366" severity="medium">
+-    <VMSinfo VKey="204434" SVKey="204434r5059" VRelease="r505924"/>
++    <VMSinfo VKey="204434" SVKey="204434r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must not allow users to override SSH environment variables."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="disable_host_auth" ownerid="RHEL-07-010470" disa="366" severity="medium">
+-    <VMSinfo VKey="204435" SVKey="204435r5059" VRelease="r505924"/>
++    <VMSinfo VKey="204435" SVKey="204435r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must not allow a non-certificate trusted host SSH logon to the system."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="grub2_admin_username" ownerid="RHEL-07-010480" disa="213" severity="high">
+-    <VMSinfo VKey="204436" SVKey="204436r5059" VRelease="r505924"/>
++    <VMSinfo VKey="204436" SVKey="204436r6032" VRelease="r603261"/>
+     <title text="Red Hat Enterprise Linux operating systems prior to version 7.2 with a Basic Input/Output System (BIOS) must require authentication upon booting into single-user and maintenance modes."/>
+   </overlay>
+-  <overlay owner="disastig" ruleid="require_emergency_target_auth" ownerid="RHEL-07-010481" disa="213" severity="medium">
+-    <VMSinfo VKey="204437" SVKey="204437r5059" VRelease="r505924"/>
++  <overlay owner="disastig" ruleid="require_singleuser_auth" ownerid="RHEL-07-010481" disa="213" severity="medium">
++    <VMSinfo VKey="204437" SVKey="204437r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must require authentication upon booting into single-user and maintenance modes."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="grub2_password" ownerid="RHEL-07-010482" disa="213" severity="high">
+-    <VMSinfo VKey="204438" SVKey="204438r5059" VRelease="r505924"/>
++    <VMSinfo VKey="204438" SVKey="204438r6032" VRelease="r603261"/>
+     <title text="Red Hat Enterprise Linux operating systems version 7.2 or newer with a Basic Input/Output System (BIOS) must require authentication upon booting into single-user and maintenance modes."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="grub2_uefi_admin_username" ownerid="RHEL-07-010490" disa="213" severity="high">
+-    <VMSinfo VKey="204439" SVKey="204439r5059" VRelease="r505924"/>
++    <VMSinfo VKey="204439" SVKey="204439r6032" VRelease="r603261"/>
+     <title text="Red Hat Enterprise Linux operating systems prior to version 7.2 using Unified Extensible Firmware Interface (UEFI) must require authentication upon booting into single-user and maintenance modes."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="grub2_uefi_password" ownerid="RHEL-07-010491" disa="213" severity="high">
+-    <VMSinfo VKey="204440" SVKey="204440r5059" VRelease="r505924"/>
++    <VMSinfo VKey="204440" SVKey="204440r6032" VRelease="r603261"/>
+     <title text="Red Hat Enterprise Linux operating systems version 7.2 or newer using Unified Extensible Firmware Interface (UEFI) must require authentication upon booting into single-user and maintenance modes."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="smartcard_auth" ownerid="RHEL-07-010500" disa="766" severity="medium">
+-    <VMSinfo VKey="204441" SVKey="204441r5059" VRelease="r505924"/>
++    <VMSinfo VKey="204441" SVKey="204441r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must uniquely identify and must authenticate organizational users (or processes acting on behalf of organizational users) using multifactor authentication."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="package_rsh-server_removed" ownerid="RHEL-07-020000" disa="381" severity="high">
+-    <VMSinfo VKey="204442" SVKey="204442r5059" VRelease="r505924"/>
++    <VMSinfo VKey="204442" SVKey="204442r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must not have the rsh-server package installed."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="package_ypserv_removed" ownerid="RHEL-07-020010" disa="381" severity="high">
+-    <VMSinfo VKey="204443" SVKey="204443r5059" VRelease="r505924"/>
++    <VMSinfo VKey="204443" SVKey="204443r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must not have the ypserv package installed."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="package_MFEhiplsm_installed" ownerid="RHEL-07-020019" disa="1263" severity="medium">
+-    <VMSinfo VKey="214800" SVKey="214800r5059" VRelease="r505924"/>
++    <VMSinfo VKey="214800" SVKey="214800r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must have a host-based intrusion detection tool installed."/>
+   </overlay>
+-  <overlay owner="disastig" ruleid="selinux_user_login_roles" ownerid="RHEL-07-020020" disa="2235" severity="medium">
+-    <VMSinfo VKey="204444" SVKey="204444r5059" VRelease="r505924"/>
++  <overlay owner="disastig" ruleid="selinux_user_login_roles" ownerid="RHEL-07-020020" disa="2165" severity="medium">
++    <VMSinfo VKey="204444" SVKey="204444r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="aide_periodic_cron_checking" ownerid="RHEL-07-020030" disa="1744" severity="medium">
+-    <VMSinfo VKey="204445" SVKey="204445r5059" VRelease="r505924"/>
++    <VMSinfo VKey="204445" SVKey="204445r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must be configured so that a file integrity tool verifies the baseline operating system configuration at least weekly."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="aide_scan_notification" ownerid="RHEL-07-020040" disa="1744" severity="medium">
+-    <VMSinfo VKey="204446" SVKey="204446r5059" VRelease="r505924"/>
++    <VMSinfo VKey="204446" SVKey="204446r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must be configured so that designated personnel are notified if baseline configurations are changed in an unauthorized manner."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="ensure_gpgcheck_globally_activated" ownerid="RHEL-07-020050" disa="1749" severity="high">
+-    <VMSinfo VKey="204447" SVKey="204447r5059" VRelease="r505924"/>
++    <VMSinfo VKey="204447" SVKey="204447r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must prevent the installation of software, patches, service packs, device drivers, or operating system components from a repository without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="ensure_gpgcheck_local_packages" ownerid="RHEL-07-020060" disa="1749" severity="high">
+-    <VMSinfo VKey="204448" SVKey="204448r5059" VRelease="r505924"/>
++    <VMSinfo VKey="204448" SVKey="204448r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must prevent the installation of software, patches, service packs, device drivers, or operating system components of local packages without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization."/>
+   </overlay>
+-  <overlay owner="disastig" ruleid="kernel_module_usb-storage_disabled" ownerid="RHEL-07-020100" disa="1958" severity="medium">
+-    <VMSinfo VKey="204449" SVKey="204449r5059" VRelease="r505924"/>
++  <overlay owner="disastig" ruleid="kernel_module_usb-storage_disabled" ownerid="RHEL-07-020100" disa="366" severity="medium">
++    <VMSinfo VKey="204449" SVKey="204449r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must be configured to disable USB mass storage."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="kernel_module_dccp_disabled" ownerid="RHEL-07-020101" disa="1958" severity="medium">
+-    <VMSinfo VKey="204450" SVKey="204450r5059" VRelease="r505924"/>
++    <VMSinfo VKey="204450" SVKey="204450r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must be configured so that the Datagram Congestion Control Protocol (DCCP) kernel module is disabled unless required."/>
+   </overlay>
+-  <overlay owner="disastig" ruleid="service_autofs_disabled" ownerid="RHEL-07-020110" disa="1958" severity="medium">
+-    <VMSinfo VKey="204451" SVKey="204451r5059" VRelease="r505924"/>
++  <overlay owner="disastig" ruleid="service_autofs_disabled" ownerid="RHEL-07-020110" disa="778" severity="medium">
++    <VMSinfo VKey="204451" SVKey="204451r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must disable the file system automounter unless required."/>
+   </overlay>
+-  <overlay owner="disastig" ruleid="kernel_module_usb-storage_disabled" ownerid="RHEL-07-020111" disa="1958" severity="medium">
+-    <VMSinfo VKey="219059" SVKey="219059r5059" VRelease="r505924"/>
++  <overlay owner="disastig" ruleid="kernel_module_usb-storage_disabled" ownerid="RHEL-07-020111" disa="366" severity="medium">
++    <VMSinfo VKey="219059" SVKey="219059r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must disable the graphical user interface automounter unless required."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="clean_components_post_updating" ownerid="RHEL-07-020200" disa="2617" severity="low">
+-    <VMSinfo VKey="204452" SVKey="204452r5059" VRelease="r505924"/>
++    <VMSinfo VKey="204452" SVKey="204452r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must remove all software components after updated versions have been installed."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="selinux_state" ownerid="RHEL-07-020210" disa="2165" severity="medium">
+-    <VMSinfo VKey="204453" SVKey="204453r5059" VRelease="r505924"/>
++    <VMSinfo VKey="204453" SVKey="204453r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must enable SELinux."/>
+   </overlay>
+-  <overlay owner="disastig" ruleid="selinux_policytype" ownerid="RHEL-07-020220" disa="2165" severity="medium">
+-    <VMSinfo VKey="204454" SVKey="204454r5059" VRelease="r505924"/>
++  <overlay owner="disastig" ruleid="selinux_policytype" ownerid="RHEL-07-020220" disa="2696" severity="medium">
++    <VMSinfo VKey="204454" SVKey="204454r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must enable the SELinux targeted policy."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="disable_ctrlaltdel_reboot" ownerid="RHEL-07-020230" disa="366" severity="high">
+-    <VMSinfo VKey="204455" SVKey="204455r5059" VRelease="r505924"/>
++    <VMSinfo VKey="204455" SVKey="204455r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must be configured so that the x86 Ctrl-Alt-Delete key sequence is disabled on the command line."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="dconf_gnome_disable_ctrlaltdel_reboot" ownerid="RHEL-07-020231" disa="366" severity="high">
+-    <VMSinfo VKey="204456" SVKey="204456r5059" VRelease="r505924"/>
++    <VMSinfo VKey="204456" SVKey="204456r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must be configured so that the x86 Ctrl-Alt-Delete key sequence is disabled in the Graphical User Interface."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="accounts_umask_etc_login_defs" ownerid="RHEL-07-020240" disa="366" severity="medium">
+-    <VMSinfo VKey="204457" SVKey="204457r5059" VRelease="r505924"/>
++    <VMSinfo VKey="204457" SVKey="204457r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must define default permissions for all authenticated users in such a way that the user can only read and modify their own files."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="installed_OS_is_vendor_supported" ownerid="RHEL-07-020250" disa="366" severity="high">
+-    <VMSinfo VKey="204458" SVKey="204458r5059" VRelease="r505924"/>
++    <VMSinfo VKey="204458" SVKey="204458r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must be a vendor supported release."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="security_patches_up_to_date" ownerid="RHEL-07-020260" disa="366" severity="medium">
+-    <VMSinfo VKey="204459" SVKey="204459r5059" VRelease="r505924"/>
++    <VMSinfo VKey="204459" SVKey="204459r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system security patches and updates must be installed and up to date."/>
+   </overlay>
+-  <overlay owner="disastig" ruleid="sshd_disable_root_login" ownerid="RHEL-07-020270" disa="366" severity="medium">
+-    <VMSinfo VKey="204460" SVKey="204460r5059" VRelease="r505924"/>
++  <overlay owner="disastig" ruleid="sshd_allow_only_protocol2" ownerid="RHEL-07-020270" disa="366" severity="medium">
++    <VMSinfo VKey="204460" SVKey="204460r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must not have unnecessary accounts."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="gid_passwd_group_same" ownerid="RHEL-07-020300" disa="764" severity="low">
+-    <VMSinfo VKey="204461" SVKey="204461r5059" VRelease="r505924"/>
++    <VMSinfo VKey="204461" SVKey="204461r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must be configured so that all Group Identifiers (GIDs) referenced in the /etc/passwd file are defined in the /etc/group file."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="accounts_no_uid_except_zero" ownerid="RHEL-07-020310" disa="366" severity="high">
+-    <VMSinfo VKey="204462" SVKey="204462r5059" VRelease="r505924"/>
++    <VMSinfo VKey="204462" SVKey="204462r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must be configured so that the root account must be the only account having unrestricted access to the system."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="no_files_unowned_by_user" ownerid="RHEL-07-020320" disa="2165" severity="medium">
+-    <VMSinfo VKey="204463" SVKey="204463r5059" VRelease="r505924"/>
++    <VMSinfo VKey="204463" SVKey="204463r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must be configured so that all files and directories have a valid owner."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="file_permissions_ungroupowned" ownerid="RHEL-07-020330" disa="2165" severity="medium">
+-    <VMSinfo VKey="204464" SVKey="204464r5059" VRelease="r505924"/>
++    <VMSinfo VKey="204464" SVKey="204464r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must be configured so that all files and directories have a valid group owner."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="accounts_have_homedir_login_defs" ownerid="RHEL-07-020610" disa="366" severity="medium">
+-    <VMSinfo VKey="204466" SVKey="204466r5059" VRelease="r505924"/>
++    <VMSinfo VKey="204466" SVKey="204466r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must be configured so that all local interactive user accounts, upon creation, are assigned a home directory."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="accounts_user_interactive_home_directory_exists" ownerid="RHEL-07-020620" disa="366" severity="medium">
+-    <VMSinfo VKey="204467" SVKey="204467r5059" VRelease="r505924"/>
++    <VMSinfo VKey="204467" SVKey="204467r6038" VRelease="r603826"/>
+     <title text="The Red Hat Enterprise Linux operating system must be configured so that all local interactive users have a home directory assigned and defined in the /etc/passwd file."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="file_permissions_home_directories" ownerid="RHEL-07-020630" disa="366" severity="medium">
+-    <VMSinfo VKey="204468" SVKey="204468r5059" VRelease="r505924"/>
++    <VMSinfo VKey="204468" SVKey="204468r6038" VRelease="r603828"/>
+     <title text="The Red Hat Enterprise Linux operating system must be configured so that all local interactive user home directories have mode 0750 or less permissive."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="file_ownership_home_directories" ownerid="RHEL-07-020640" disa="366" severity="medium">
+-    <VMSinfo VKey="204469" SVKey="204469r5059" VRelease="r505924"/>
++    <VMSinfo VKey="204469" SVKey="204469r6038" VRelease="r603830"/>
+     <title text="The Red Hat Enterprise Linux operating system must be configured so that all local interactive user home directories are owned by their respective users."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="file_groupownership_home_directories" ownerid="RHEL-07-020650" disa="366" severity="medium">
+-    <VMSinfo VKey="204470" SVKey="204470r5059" VRelease="r505924"/>
++    <VMSinfo VKey="204470" SVKey="204470r6038" VRelease="r603832"/>
+     <title text="The Red Hat Enterprise Linux operating system must be configured so that all local interactive user home directories are group-owned by the home directory owners primary group."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="accounts_users_home_files_ownership" ownerid="RHEL-07-020660" disa="366" severity="medium">
+-    <VMSinfo VKey="204471" SVKey="204471r5059" VRelease="r505924"/>
++    <VMSinfo VKey="204471" SVKey="204471r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must be configured so that all files and directories contained in local interactive user home directories are owned by the owner of the home directory."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="accounts_users_home_files_groupownership" ownerid="RHEL-07-020670" disa="366" severity="medium">
+-    <VMSinfo VKey="204472" SVKey="204472r5059" VRelease="r505924"/>
++    <VMSinfo VKey="204472" SVKey="204472r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must be configured so that all files and directories contained in local interactive user home directories are group-owned by a group of which the home directory owner is a member."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="accounts_users_home_files_permissions" ownerid="RHEL-07-020680" disa="366" severity="medium">
+-    <VMSinfo VKey="204473" SVKey="204473r5059" VRelease="r505924"/>
++    <VMSinfo VKey="204473" SVKey="204473r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must be configured so that all files and directories contained in local interactive user home directories have a mode of 0750 or less permissive."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="accounts_user_dot_user_ownership" ownerid="RHEL-07-020690" disa="366" severity="medium">
+-    <VMSinfo VKey="204474" SVKey="204474r5059" VRelease="r505924"/>
++    <VMSinfo VKey="204474" SVKey="204474r6038" VRelease="r603834"/>
+     <title text="The Red Hat Enterprise Linux operating system must be configured so that all local initialization files for interactive users are owned by the home directory user or root."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="accounts_user_dot_group_ownership" ownerid="RHEL-07-020700" disa="366" severity="medium">
+-    <VMSinfo VKey="204475" SVKey="204475r5059" VRelease="r505924"/>
++    <VMSinfo VKey="204475" SVKey="204475r6038" VRelease="r603836"/>
+     <title text="The Red Hat Enterprise Linux operating system must be configured so that all local initialization files for local interactive users are be group-owned by the users primary group or root."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="file_permission_user_init_files" ownerid="RHEL-07-020710" disa="366" severity="medium">
+-    <VMSinfo VKey="204476" SVKey="204476r5059" VRelease="r505924"/>
++    <VMSinfo VKey="204476" SVKey="204476r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must be configured so that all local initialization files have mode 0740 or less permissive."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="accounts_user_home_paths_only" ownerid="RHEL-07-020720" disa="366" severity="medium">
+-    <VMSinfo VKey="204477" SVKey="204477r5059" VRelease="r505924"/>
++    <VMSinfo VKey="204477" SVKey="204477r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must be configured so that all local interactive user initialization files executable search paths contain only paths that resolve to the users home directory."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="accounts_user_dot_no_world_writable_programs" ownerid="RHEL-07-020730" disa="366" severity="medium">
+-    <VMSinfo VKey="204478" SVKey="204478r5059" VRelease="r505924"/>
++    <VMSinfo VKey="204478" SVKey="204478r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must be configured so that local initialization files do not execute world-writable programs."/>
+   </overlay>
+-  <overlay owner="disastig" ruleid="selinux_all_devicefiles_labeled" ownerid="RHEL-07-020900" disa="1812" severity="medium">
+-    <VMSinfo VKey="204479" SVKey="204479r5059" VRelease="r505924"/>
++  <overlay owner="disastig" ruleid="selinux_all_devicefiles_labeled" ownerid="RHEL-07-020900" disa="318" severity="medium">
++    <VMSinfo VKey="204479" SVKey="204479r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must be configured so that all system device files are correctly labeled to prevent unauthorized modification."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="mount_option_home_nosuid" ownerid="RHEL-07-021000" disa="366" severity="medium">
+-    <VMSinfo VKey="204480" SVKey="204480r5059" VRelease="r505924"/>
++    <VMSinfo VKey="204480" SVKey="204480r6038" VRelease="r603838"/>
+     <title text="The Red Hat Enterprise Linux operating system must be configured so that file systems containing user home directories are mounted to prevent files with the setuid and setgid bit set from being executed."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="mount_option_nosuid_removable_partitions" ownerid="RHEL-07-021010" disa="366" severity="medium">
+-    <VMSinfo VKey="204481" SVKey="204481r5059" VRelease="r505924"/>
++    <VMSinfo VKey="204481" SVKey="204481r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must prevent files with the setuid and setgid bit set from being executed on file systems that are used with removable media."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="mount_option_nosuid_remote_filesystems" ownerid="RHEL-07-021020" disa="366" severity="medium">
+-    <VMSinfo VKey="204482" SVKey="204482r5059" VRelease="r505924"/>
++    <VMSinfo VKey="204482" SVKey="204482r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must prevent files with the setuid and setgid bit set from being executed on file systems that are being imported via Network File System (NFS)."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="mount_option_noexec_remote_filesystems" ownerid="RHEL-07-021021" disa="366" severity="medium">
+-    <VMSinfo VKey="204483" SVKey="204483r5059" VRelease="r505924"/>
++    <VMSinfo VKey="204483" SVKey="204483r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must prevent binary files from being executed on file systems that are being imported via Network File System (NFS)."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="mount_option_dev_shm_noexec" ownerid="RHEL-07-021024" disa="1764" severity="low">
+-    <VMSinfo VKey="204486" SVKey="204486r5059" VRelease="r505924"/>
++    <VMSinfo VKey="204486" SVKey="204486r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must mount /dev/shm with secure options."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="dir_perms_world_writable_system_owned_group" ownerid="RHEL-07-021030" disa="366" severity="medium">
+-    <VMSinfo VKey="204487" SVKey="204487r5059" VRelease="r505924"/>
++    <VMSinfo VKey="204487" SVKey="204487r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must be configured so that all world-writable directories are group-owned by root, sys, bin, or an application group."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="dir_perms_world_writable_system_owned" ownerid="RHEL-07-021031" disa="366" severity="medium">
+-    <VMSinfo VKey="228563" SVKey="228563r5059" VRelease="r505924"/>
++    <VMSinfo VKey="228563" SVKey="228563r6064" VRelease="r606406"/>
+     <title text="The Red Hat Enterprise Linux operating system must be configured so that all world-writable directories are owned by root, sys, bin, or an application user."/>
+   </overlay>
+-  <overlay owner="disastig" ruleid="accounts_umask_interactive_users" ownerid="RHEL-07-021040" disa="1814" severity="medium">
+-    <VMSinfo VKey="204488" SVKey="204488r5059" VRelease="r505924"/>
++  <overlay owner="disastig" ruleid="accounts_umask_interactive_users" ownerid="RHEL-07-021040" disa="1812" severity="medium">
++    <VMSinfo VKey="204488" SVKey="204488r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must set the umask value to 077 for all local interactive user accounts."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="rsyslog_cron_logging" ownerid="RHEL-07-021100" disa="366" severity="medium">
+-    <VMSinfo VKey="204489" SVKey="204489r5059" VRelease="r505924"/>
++    <VMSinfo VKey="204489" SVKey="204489r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must have cron logging implemented."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="file_owner_cron_allow" ownerid="RHEL-07-021110" disa="366" severity="medium">
+-    <VMSinfo VKey="204490" SVKey="204490r5059" VRelease="r505924"/>
++    <VMSinfo VKey="204490" SVKey="204490r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must be configured so that the cron.allow file, if it exists, is owned by root."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="file_groupowner_cron_allow" ownerid="RHEL-07-021120" disa="366" severity="medium">
+-    <VMSinfo VKey="204491" SVKey="204491r5059" VRelease="r505924"/>
++    <VMSinfo VKey="204491" SVKey="204491r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must be configured so that the cron.allow file, if it exists, is group-owned by root."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="service_kdump_disabled" ownerid="RHEL-07-021300" disa="366" severity="medium">
+-    <VMSinfo VKey="204492" SVKey="204492r5059" VRelease="r505924"/>
++    <VMSinfo VKey="204492" SVKey="204492r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must disable Kernel core dumps unless needed."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="partition_for_home" ownerid="RHEL-07-021310" disa="366" severity="low">
+-    <VMSinfo VKey="204493" SVKey="204493r5059" VRelease="r505924"/>
++    <VMSinfo VKey="204493" SVKey="204493r6038" VRelease="r603840"/>
+     <title text="The Red Hat Enterprise Linux operating system must be configured so that a separate file system is used for user home directories (such as /home or an equivalent)."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="partition_for_var" ownerid="RHEL-07-021320" disa="366" severity="low">
+-    <VMSinfo VKey="204494" SVKey="204494r5059" VRelease="r505924"/>
++    <VMSinfo VKey="204494" SVKey="204494r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must use a separate file system for /var."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="partition_for_var_log_audit" ownerid="RHEL-07-021330" disa="366" severity="low">
+-    <VMSinfo VKey="204495" SVKey="204495r5059" VRelease="r505924"/>
++    <VMSinfo VKey="204495" SVKey="204495r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must use a separate file system for the system audit data path."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="partition_for_tmp" ownerid="RHEL-07-021340" disa="366" severity="low">
+-    <VMSinfo VKey="204496" SVKey="204496r5059" VRelease="r505924"/>
++    <VMSinfo VKey="204496" SVKey="204496r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must use a separate file system for /tmp (or equivalent)."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="grub2_enable_fips_mode" ownerid="RHEL-07-021350" disa="2476" severity="high">
+-    <VMSinfo VKey="204497" SVKey="204497r5059" VRelease="r505924"/>
++    <VMSinfo VKey="204497" SVKey="204497r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="aide_verify_acls" ownerid="RHEL-07-021600" disa="366" severity="low">
+-    <VMSinfo VKey="204498" SVKey="204498r5059" VRelease="r505924"/>
++    <VMSinfo VKey="204498" SVKey="204498r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must be configured so that the file integrity tool is configured to verify Access Control Lists (ACLs)."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="aide_verify_ext_attributes" ownerid="RHEL-07-021610" disa="366" severity="low">
+-    <VMSinfo VKey="204499" SVKey="204499r5059" VRelease="r505924"/>
++    <VMSinfo VKey="204499" SVKey="204499r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must be configured so that the file integrity tool is configured to verify extended attributes."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="aide_use_fips_hashes" ownerid="RHEL-07-021620" disa="366" severity="medium">
+-    <VMSinfo VKey="204500" SVKey="204500r5059" VRelease="r505924"/>
++    <VMSinfo VKey="204500" SVKey="204500r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must use a file integrity tool that is configured to use FIPS 140-2 approved cryptographic hashes for validating file contents and directories."/>
+   </overlay>
+-  <overlay owner="disastig" ruleid="uefi_no_removeable_media" ownerid="RHEL-07-021700" disa="1812" severity="medium">
+-    <VMSinfo VKey="204501" SVKey="204501r5059" VRelease="r505924"/>
++  <overlay owner="disastig" ruleid="grub2_no_removeable_media" ownerid="RHEL-07-021700" disa="318" severity="medium">
++    <VMSinfo VKey="204501" SVKey="204501r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must not allow removable media to be used as the boot loader unless approved."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="package_telnet-server_removed" ownerid="RHEL-07-021710" disa="381" severity="high">
+-    <VMSinfo VKey="204502" SVKey="204502r5059" VRelease="r505924"/>
++    <VMSinfo VKey="204502" SVKey="204502r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must not have the telnet-server package installed."/>
+   </overlay>
+-  <overlay owner="disastig" ruleid="service_auditd_enabled" ownerid="RHEL-07-030000" disa="126" severity="medium">
+-    <VMSinfo VKey="204503" SVKey="204503r5059" VRelease="r505924"/>
++  <overlay owner="disastig" ruleid="service_auditd_enabled" ownerid="RHEL-07-030000" disa="131" severity="medium">
++    <VMSinfo VKey="204503" SVKey="204503r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must be configured so that auditing is configured to produce records containing information to establish what type of events occurred, where the events occurred, the source of the events, and the outcome of the events. These audit records must also identify individual identities of group account users."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="audit_rules_system_shutdown" ownerid="RHEL-07-030010" disa="139" severity="medium">
+-    <VMSinfo VKey="204504" SVKey="204504r5059" VRelease="r505924"/>
++    <VMSinfo VKey="204504" SVKey="204504r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must shut down upon audit processing failure, unless availability is an overriding concern. If availability is a concern, the system must alert the designated staff (System Administrator [SA] and Information System Security Officer [ISSO] at a minimum) in the event of an audit processing failure."/>
+   </overlay>
+-  <overlay owner="disastig" ruleid="auditd_audispd_encrypt_sent_records" ownerid="RHEL-07-030201" disa="1851" severity="medium">
+-    <VMSinfo VKey="204506" SVKey="204506r5059" VRelease="r505924"/>
++  <overlay owner="disastig" ruleid="auditd_audispd_configure_remote_server" ownerid="RHEL-07-030201" disa="1851" severity="medium">
++    <VMSinfo VKey="204506" SVKey="204506r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must be configured to off-load audit logs onto a different system or storage media from the system being audited."/>
+   </overlay>
+-  <overlay owner="disastig" ruleid="auditd_audispd_encrypt_sent_records" ownerid="RHEL-07-030210" disa="1851" severity="medium">
+-    <VMSinfo VKey="204507" SVKey="204507r5059" VRelease="r505924"/>
++  <overlay owner="disastig" ruleid="auditd_audispd_configure_remote_server" ownerid="RHEL-07-030210" disa="1851" severity="medium">
++    <VMSinfo VKey="204507" SVKey="204507r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must take appropriate action when the remote logging buffer is full."/>
+   </overlay>
+-  <overlay owner="disastig" ruleid="auditd_audispd_encrypt_sent_records" ownerid="RHEL-07-030211" disa="1851" severity="medium">
+-    <VMSinfo VKey="204508" SVKey="204508r5059" VRelease="r505924"/>
++  <overlay owner="disastig" ruleid="auditd_audispd_configure_remote_server" ownerid="RHEL-07-030211" disa="1851" severity="medium">
++    <VMSinfo VKey="204508" SVKey="204508r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must label all off-loaded audit logs before sending them to the central log server."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="auditd_audispd_configure_remote_server" ownerid="RHEL-07-030300" disa="1851" severity="medium">
+-    <VMSinfo VKey="204509" SVKey="204509r5059" VRelease="r505924"/>
++    <VMSinfo VKey="204509" SVKey="204509r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must off-load audit records onto a different system or media from the system being audited."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="auditd_audispd_encrypt_sent_records" ownerid="RHEL-07-030310" disa="1851" severity="medium">
+-    <VMSinfo VKey="204510" SVKey="204510r5059" VRelease="r505924"/>
++    <VMSinfo VKey="204510" SVKey="204510r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must encrypt the transfer of audit records off-loaded onto a different system or media from the system being audited."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="auditd_audispd_disk_full_action" ownerid="RHEL-07-030320" disa="1851" severity="medium">
+-    <VMSinfo VKey="204511" SVKey="204511r5059" VRelease="r505924"/>
++    <VMSinfo VKey="204511" SVKey="204511r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must be configured so that the audit system takes appropriate action when the audit storage volume is full."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="auditd_audispd_network_failure_action" ownerid="RHEL-07-030321" disa="1851" severity="medium">
+-    <VMSinfo VKey="204512" SVKey="204512r5059" VRelease="r505924"/>
++    <VMSinfo VKey="204512" SVKey="204512r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must be configured so that the audit system takes appropriate action when there is an error sending audit records to a remote system."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="auditd_data_retention_space_left" ownerid="RHEL-07-030330" disa="1855" severity="medium">
+-    <VMSinfo VKey="204513" SVKey="204513r5059" VRelease="r505924"/>
++    <VMSinfo VKey="204513" SVKey="204513r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must initiate an action to notify the System Administrator (SA) and Information System Security Officer ISSO, at a minimum, when allocated audit record storage volume reaches 75% of the repository maximum audit record storage capacity."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="auditd_data_retention_space_left_action" ownerid="RHEL-07-030340" disa="1855" severity="medium">
+-    <VMSinfo VKey="204514" SVKey="204514r5059" VRelease="r505924"/>
++    <VMSinfo VKey="204514" SVKey="204514r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must immediately notify the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) via email when the threshold for the repository maximum audit record storage capacity is reached."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="auditd_data_retention_action_mail_acct" ownerid="RHEL-07-030350" disa="1855" severity="medium">
+-    <VMSinfo VKey="204515" SVKey="204515r5059" VRelease="r505924"/>
++    <VMSinfo VKey="204515" SVKey="204515r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must immediately notify the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) when the threshold for the repository maximum audit record storage capacity is reached."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="audit_rules_privileged_commands" ownerid="RHEL-07-030360" disa="2234" severity="medium">
+-    <VMSinfo VKey="204516" SVKey="204516r5059" VRelease="r505924"/>
++    <VMSinfo VKey="204516" SVKey="204516r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must audit all executions of privileged functions."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="audit_rules_dac_modification_chown" ownerid="RHEL-07-030370" disa="126" severity="medium">
+-    <VMSinfo VKey="204517" SVKey="204517r5059" VRelease="r505924"/>
++    <VMSinfo VKey="204517" SVKey="204517r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must audit all uses of the chown syscall."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="audit_rules_dac_modification_fchown" ownerid="RHEL-07-030380" disa="172" severity="medium">
+-    <VMSinfo VKey="204518" SVKey="204518r5059" VRelease="r505924"/>
++    <VMSinfo VKey="204518" SVKey="204518r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must audit all uses of the fchown syscall."/>
+   </overlay>
+-  <overlay owner="disastig" ruleid="audit_rules_dac_modification_lchown" ownerid="RHEL-07-030390" disa="126" severity="medium">
+-    <VMSinfo VKey="204519" SVKey="204519r5059" VRelease="r505924"/>
++  <overlay owner="disastig" ruleid="audit_rules_dac_modification_lchown" ownerid="RHEL-07-030390" disa="172" severity="medium">
++    <VMSinfo VKey="204519" SVKey="204519r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must audit all uses of the lchown syscall."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="audit_rules_dac_modification_fchownat" ownerid="RHEL-07-030400" disa="172" severity="medium">
+-    <VMSinfo VKey="204520" SVKey="204520r5059" VRelease="r505924"/>
++    <VMSinfo VKey="204520" SVKey="204520r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must audit all uses of the fchownat syscall."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="audit_rules_dac_modification_chmod" ownerid="RHEL-07-030410" disa="172" severity="medium">
+-    <VMSinfo VKey="204521" SVKey="204521r5059" VRelease="r505924"/>
++    <VMSinfo VKey="204521" SVKey="204521r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must audit all uses of the chmod syscall."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="audit_rules_dac_modification_fchmod" ownerid="RHEL-07-030420" disa="172" severity="medium">
+-    <VMSinfo VKey="204522" SVKey="204522r5059" VRelease="r505924"/>
++    <VMSinfo VKey="204522" SVKey="204522r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must audit all uses of the fchmod syscall."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="audit_rules_dac_modification_fchmodat" ownerid="RHEL-07-030430" disa="172" severity="medium">
+-    <VMSinfo VKey="204523" SVKey="204523r5059" VRelease="r505924"/>
++    <VMSinfo VKey="204523" SVKey="204523r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must audit all uses of the fchmodat syscall."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="audit_rules_dac_modification_setxattr" ownerid="RHEL-07-030440" disa="172" severity="medium">
+-    <VMSinfo VKey="204524" SVKey="204524r5059" VRelease="r505924"/>
++    <VMSinfo VKey="204524" SVKey="204524r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must audit all uses of the setxattr syscall."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="audit_rules_dac_modification_fsetxattr" ownerid="RHEL-07-030450" disa="172" severity="medium">
+-    <VMSinfo VKey="204525" SVKey="204525r5059" VRelease="r505924"/>
++    <VMSinfo VKey="204525" SVKey="204525r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must audit all uses of the fsetxattr syscall."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="audit_rules_dac_modification_lsetxattr" ownerid="RHEL-07-030460" disa="172" severity="medium">
+-    <VMSinfo VKey="204526" SVKey="204526r5059" VRelease="r505924"/>
++    <VMSinfo VKey="204526" SVKey="204526r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must audit all uses of the lsetxattr syscall."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="audit_rules_dac_modification_removexattr" ownerid="RHEL-07-030470" disa="172" severity="medium">
+-    <VMSinfo VKey="204527" SVKey="204527r5059" VRelease="r505924"/>
++    <VMSinfo VKey="204527" SVKey="204527r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must audit all uses of the removexattr syscall."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="audit_rules_dac_modification_fremovexattr" ownerid="RHEL-07-030480" disa="172" severity="medium">
+-    <VMSinfo VKey="204528" SVKey="204528r5059" VRelease="r505924"/>
++    <VMSinfo VKey="204528" SVKey="204528r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must audit all uses of the fremovexattr syscall."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="audit_rules_dac_modification_lremovexattr" ownerid="RHEL-07-030490" disa="172" severity="medium">
+-    <VMSinfo VKey="204529" SVKey="204529r5059" VRelease="r505924"/>
++    <VMSinfo VKey="204529" SVKey="204529r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must audit all uses of the lremovexattr syscall."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="audit_rules_unsuccessful_file_modification_creat" ownerid="RHEL-07-030500" disa="2884" severity="medium">
+-    <VMSinfo VKey="204530" SVKey="204530r5059" VRelease="r505924"/>
++    <VMSinfo VKey="204530" SVKey="204530r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must audit all uses of the creat syscall."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="audit_rules_unsuccessful_file_modification_open" ownerid="RHEL-07-030510" disa="2884" severity="medium">
+-    <VMSinfo VKey="204531" SVKey="204531r5059" VRelease="r505924"/>
++    <VMSinfo VKey="204531" SVKey="204531r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must audit all uses of the open syscall."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="audit_rules_unsuccessful_file_modification_openat" ownerid="RHEL-07-030520" disa="2884" severity="medium">
+-    <VMSinfo VKey="204532" SVKey="204532r5059" VRelease="r505924"/>
++    <VMSinfo VKey="204532" SVKey="204532r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must audit all uses of the openat syscall."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="audit_rules_unsuccessful_file_modification_open_by_handle_at" ownerid="RHEL-07-030530" disa="2884" severity="medium">
+-    <VMSinfo VKey="204533" SVKey="204533r5059" VRelease="r505924"/>
++    <VMSinfo VKey="204533" SVKey="204533r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must audit all uses of the open_by_handle_at syscall."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="audit_rules_unsuccessful_file_modification_truncate" ownerid="RHEL-07-030540" disa="2884" severity="medium">
+-    <VMSinfo VKey="204534" SVKey="204534r5059" VRelease="r505924"/>
++    <VMSinfo VKey="204534" SVKey="204534r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must audit all uses of the truncate syscall."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="audit_rules_unsuccessful_file_modification_ftruncate" ownerid="RHEL-07-030550" disa="2884" severity="medium">
+-    <VMSinfo VKey="204535" SVKey="204535r5059" VRelease="r505924"/>
++    <VMSinfo VKey="204535" SVKey="204535r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must audit all uses of the ftruncate syscall."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="audit_rules_execution_semanage" ownerid="RHEL-07-030560" disa="2884" severity="medium">
+-    <VMSinfo VKey="204536" SVKey="204536r5059" VRelease="r505924"/>
++    <VMSinfo VKey="204536" SVKey="204536r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must audit all uses of the semanage command."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="audit_rules_execution_setsebool" ownerid="RHEL-07-030570" disa="2884" severity="medium">
+-    <VMSinfo VKey="204537" SVKey="204537r5059" VRelease="r505924"/>
++    <VMSinfo VKey="204537" SVKey="204537r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must audit all uses of the setsebool command."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="audit_rules_execution_chcon" ownerid="RHEL-07-030580" disa="2884" severity="medium">
+-    <VMSinfo VKey="204538" SVKey="204538r5059" VRelease="r505924"/>
++    <VMSinfo VKey="204538" SVKey="204538r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must audit all uses of the chcon command."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="audit_rules_execution_setfiles" ownerid="RHEL-07-030590" disa="2884" severity="medium">
+-    <VMSinfo VKey="204539" SVKey="204539r5059" VRelease="r505924"/>
++    <VMSinfo VKey="204539" SVKey="204539r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must audit all uses of the setfiles command."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="audit_rules_login_events_faillock" ownerid="RHEL-07-030610" disa="2884" severity="medium">
+-    <VMSinfo VKey="204540" SVKey="204540r5059" VRelease="r505924"/>
++    <VMSinfo VKey="204540" SVKey="204540r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must generate audit records for all unsuccessful account access events."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="audit_rules_login_events_lastlog" ownerid="RHEL-07-030620" disa="2884" severity="medium">
+-    <VMSinfo VKey="204541" SVKey="204541r5059" VRelease="r505924"/>
++    <VMSinfo VKey="204541" SVKey="204541r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must generate audit records for all successful account access events."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="audit_rules_privileged_commands_passwd" ownerid="RHEL-07-030630" disa="2884" severity="medium">
+-    <VMSinfo VKey="204542" SVKey="204542r5059" VRelease="r505924"/>
++    <VMSinfo VKey="204542" SVKey="204542r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must audit all uses of the passwd command."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="audit_rules_privileged_commands_unix_chkpwd" ownerid="RHEL-07-030640" disa="2884" severity="medium">
+-    <VMSinfo VKey="204543" SVKey="204543r5059" VRelease="r505924"/>
++    <VMSinfo VKey="204543" SVKey="204543r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must audit all uses of the unix_chkpwd command."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="audit_rules_privileged_commands_gpasswd" ownerid="RHEL-07-030650" disa="2884" severity="medium">
+-    <VMSinfo VKey="204544" SVKey="204544r5059" VRelease="r505924"/>
++    <VMSinfo VKey="204544" SVKey="204544r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must audit all uses of the gpasswd command."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="audit_rules_privileged_commands_chage" ownerid="RHEL-07-030660" disa="2884" severity="medium">
+-    <VMSinfo VKey="204545" SVKey="204545r5059" VRelease="r505924"/>
++    <VMSinfo VKey="204545" SVKey="204545r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must audit all uses of the chage command."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="audit_rules_privileged_commands_userhelper" ownerid="RHEL-07-030670" disa="2884" severity="medium">
+-    <VMSinfo VKey="204546" SVKey="204546r5059" VRelease="r505924"/>
++    <VMSinfo VKey="204546" SVKey="204546r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must audit all uses of the userhelper command."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="audit_rules_privileged_commands_su" ownerid="RHEL-07-030680" disa="2884" severity="medium">
+-    <VMSinfo VKey="204547" SVKey="204547r5059" VRelease="r505924"/>
++    <VMSinfo VKey="204547" SVKey="204547r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must audit all uses of the su command."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="audit_rules_privileged_commands_sudo" ownerid="RHEL-07-030690" disa="2884" severity="medium">
+-    <VMSinfo VKey="204548" SVKey="204548r5059" VRelease="r505924"/>
++    <VMSinfo VKey="204548" SVKey="204548r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must audit all uses of the sudo command."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="audit_rules_sysadmin_actions" ownerid="RHEL-07-030700" disa="2884" severity="medium">
+-    <VMSinfo VKey="204549" SVKey="204549r5059" VRelease="r505924"/>
++    <VMSinfo VKey="204549" SVKey="204549r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must audit all uses of the sudoers file and all files in the /etc/sudoers.d/ directory."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="audit_rules_privileged_commands_newgrp" ownerid="RHEL-07-030710" disa="2884" severity="medium">
+-    <VMSinfo VKey="204550" SVKey="204550r5059" VRelease="r505924"/>
++    <VMSinfo VKey="204550" SVKey="204550r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must audit all uses of the newgrp command."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="audit_rules_privileged_commands_chsh" ownerid="RHEL-07-030720" disa="2884" severity="medium">
+-    <VMSinfo VKey="204551" SVKey="204551r5059" VRelease="r505924"/>
++    <VMSinfo VKey="204551" SVKey="204551r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must audit all uses of the chsh command."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="audit_rules_privileged_commands_mount" ownerid="RHEL-07-030740" disa="2884" severity="medium">
+-    <VMSinfo VKey="204552" SVKey="204552r5059" VRelease="r505924"/>
++    <VMSinfo VKey="204552" SVKey="204552r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must audit all uses of the mount command and syscall."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="audit_rules_privileged_commands_umount" ownerid="RHEL-07-030750" disa="2884" severity="medium">
+-    <VMSinfo VKey="204553" SVKey="204553r5059" VRelease="r505924"/>
++    <VMSinfo VKey="204553" SVKey="204553r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must audit all uses of the umount command."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="audit_rules_privileged_commands_postdrop" ownerid="RHEL-07-030760" disa="2884" severity="medium">
+-    <VMSinfo VKey="204554" SVKey="204554r5059" VRelease="r505924"/>
++    <VMSinfo VKey="204554" SVKey="204554r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must audit all uses of the postdrop command."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="audit_rules_privileged_commands_postqueue" ownerid="RHEL-07-030770" disa="2884" severity="medium">
+-    <VMSinfo VKey="204555" SVKey="204555r5059" VRelease="r505924"/>
++    <VMSinfo VKey="204555" SVKey="204555r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must audit all uses of the postqueue command."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="audit_rules_privileged_commands_ssh_keysign" ownerid="RHEL-07-030780" disa="2884" severity="medium">
+-    <VMSinfo VKey="204556" SVKey="204556r5059" VRelease="r505924"/>
++    <VMSinfo VKey="204556" SVKey="204556r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must audit all uses of the ssh-keysign command."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="audit_rules_privileged_commands_crontab" ownerid="RHEL-07-030800" disa="2884" severity="medium">
+-    <VMSinfo VKey="204557" SVKey="204557r5059" VRelease="r505924"/>
++    <VMSinfo VKey="204557" SVKey="204557r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must audit all uses of the crontab command."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="audit_rules_privileged_commands_pam_timestamp_check" ownerid="RHEL-07-030810" disa="172" severity="medium">
+-    <VMSinfo VKey="204558" SVKey="204558r5059" VRelease="r505924"/>
++    <VMSinfo VKey="204558" SVKey="204558r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must audit all uses of the pam_timestamp_check command."/>
+   </overlay>
+-  <overlay owner="disastig" ruleid="audit_rules_kernel_module_loading_delete" ownerid="RHEL-07-030819" disa="172" severity="medium">
+-    <VMSinfo VKey="204559" SVKey="204559r5059" VRelease="r505924"/>
++  <overlay owner="disastig" ruleid="audit_rules_kernel_module_loading_finit" ownerid="RHEL-07-030819" disa="172" severity="medium">
++    <VMSinfo VKey="204559" SVKey="204559r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must audit all uses of the create_module syscall."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="audit_rules_kernel_module_loading_init" ownerid="RHEL-07-030820" disa="172" severity="medium">
+-    <VMSinfo VKey="204560" SVKey="204560r5059" VRelease="r505924"/>
++    <VMSinfo VKey="204560" SVKey="204560r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must audit all uses of the init_module syscall."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="audit_rules_kernel_module_loading_finit" ownerid="RHEL-07-030821" disa="172" severity="medium">
+-    <VMSinfo VKey="204561" SVKey="204561r5059" VRelease="r505924"/>
++    <VMSinfo VKey="204561" SVKey="204561r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must audit all uses of the finit_module syscall."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="audit_rules_kernel_module_loading_delete" ownerid="RHEL-07-030830" disa="172" severity="medium">
+-    <VMSinfo VKey="204562" SVKey="204562r5059" VRelease="r505924"/>
++    <VMSinfo VKey="204562" SVKey="204562r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must audit all uses of the delete_module syscall."/>
+   </overlay>
+-  <overlay owner="disastig" ruleid="audit_rules_kernel_module_loading_delete" ownerid="RHEL-07-030840" disa="172" severity="medium">
+-    <VMSinfo VKey="204563" SVKey="204563r5059" VRelease="r505924"/>
++  <overlay owner="disastig" ruleid="audit_rules_kernel_module_loading_finit" ownerid="RHEL-07-030840" disa="172" severity="medium">
++    <VMSinfo VKey="204563" SVKey="204563r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must audit all uses of the kmod command."/>
+   </overlay>
+-  <overlay owner="disastig" ruleid="audit_rules_usergroup_modification_passwd" ownerid="RHEL-07-030870" disa="1403" severity="medium">
+-    <VMSinfo VKey="204564" SVKey="204564r5059" VRelease="r505924"/>
++  <overlay owner="disastig" ruleid="audit_rules_usergroup_modification_passwd" ownerid="RHEL-07-030870" disa="2130" severity="medium">
++    <VMSinfo VKey="204564" SVKey="204564r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="audit_rules_usergroup_modification_group" ownerid="RHEL-07-030871" disa="2130" severity="medium">
+-    <VMSinfo VKey="204565" SVKey="204565r5059" VRelease="r505924"/>
++    <VMSinfo VKey="204565" SVKey="204565r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/group."/>
+   </overlay>
+-  <overlay owner="disastig" ruleid="audit_rules_usergroup_modification_gshadow" ownerid="RHEL-07-030872" disa="1403" severity="medium">
+-    <VMSinfo VKey="204566" SVKey="204566r5059" VRelease="r505924"/>
++  <overlay owner="disastig" ruleid="audit_rules_usergroup_modification_gshadow" ownerid="RHEL-07-030872" disa="2130" severity="medium">
++    <VMSinfo VKey="204566" SVKey="204566r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/gshadow."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="audit_rules_usergroup_modification_shadow" ownerid="RHEL-07-030873" disa="2130" severity="medium">
+-    <VMSinfo VKey="204567" SVKey="204567r5059" VRelease="r505924"/>
++    <VMSinfo VKey="204567" SVKey="204567r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow."/>
+   </overlay>
+-  <overlay owner="disastig" ruleid="audit_rules_usergroup_modification_opasswd" ownerid="RHEL-07-030874" disa="1403" severity="medium">
+-    <VMSinfo VKey="204568" SVKey="204568r5059" VRelease="r505924"/>
++  <overlay owner="disastig" ruleid="audit_rules_usergroup_modification_opasswd" ownerid="RHEL-07-030874" disa="2130" severity="medium">
++    <VMSinfo VKey="204568" SVKey="204568r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/opasswd."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="audit_rules_file_deletion_events_rename" ownerid="RHEL-07-030880" disa="2884" severity="medium">
+-    <VMSinfo VKey="204569" SVKey="204569r5059" VRelease="r505924"/>
++    <VMSinfo VKey="204569" SVKey="204569r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must audit all uses of the rename syscall."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="audit_rules_file_deletion_events_renameat" ownerid="RHEL-07-030890" disa="2884" severity="medium">
+-    <VMSinfo VKey="204570" SVKey="204570r5059" VRelease="r505924"/>
++    <VMSinfo VKey="204570" SVKey="204570r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must audit all uses of the renameat syscall."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="audit_rules_file_deletion_events_rmdir" ownerid="RHEL-07-030900" disa="2884" severity="medium">
+-    <VMSinfo VKey="204571" SVKey="204571r5059" VRelease="r505924"/>
++    <VMSinfo VKey="204571" SVKey="204571r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must audit all uses of the rmdir syscall."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="audit_rules_file_deletion_events_unlink" ownerid="RHEL-07-030910" disa="2884" severity="medium">
+-    <VMSinfo VKey="204572" SVKey="204572r5059" VRelease="r505924"/>
++    <VMSinfo VKey="204572" SVKey="204572r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must audit all uses of the unlink syscall."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="audit_rules_file_deletion_events_unlinkat" ownerid="RHEL-07-030920" disa="2884" severity="medium">
+-    <VMSinfo VKey="204573" SVKey="204573r5059" VRelease="r505924"/>
++    <VMSinfo VKey="204573" SVKey="204573r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must audit all uses of the unlinkat syscall."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="rsyslog_remote_loghost" ownerid="RHEL-07-031000" disa="366" severity="medium">
+-    <VMSinfo VKey="204574" SVKey="204574r5059" VRelease="r505924"/>
++    <VMSinfo VKey="204574" SVKey="204574r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must send rsyslog output to a log aggregation server."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="rsyslog_nolisten" ownerid="RHEL-07-031010" disa="368" severity="medium">
+-    <VMSinfo VKey="204575" SVKey="204575r5059" VRelease="r505924"/>
++    <VMSinfo VKey="204575" SVKey="204575r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must be configured so that the rsyslog daemon does not accept log messages from other servers unless the server is being used for log aggregation."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="install_mcafee_antivirus" ownerid="RHEL-07-032000" disa="1668" severity="high">
+-    <VMSinfo VKey="214801" SVKey="214801r5059" VRelease="r505924"/>
++    <VMSinfo VKey="214801" SVKey="214801r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must use a virus scan program."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="accounts_max_concurrent_login_sessions" ownerid="RHEL-07-040000" disa="54" severity="low">
+-    <VMSinfo VKey="204576" SVKey="204576r5059" VRelease="r505924"/>
++    <VMSinfo VKey="204576" SVKey="204576r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must limit the number of concurrent sessions to 10 for all accounts and/or account types."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="configure_firewalld_ports" ownerid="RHEL-07-040100" disa="2314" severity="medium">
+-    <VMSinfo VKey="204577" SVKey="204577r5059" VRelease="r505924"/>
++    <VMSinfo VKey="204577" SVKey="204577r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management Component Local Service Assessment (PPSM CLSA) and vulnerability assessments."/>
+   </overlay>
+-  <overlay owner="disastig" ruleid="sshd_use_approved_ciphers" ownerid="RHEL-07-040110" disa="68" severity="medium">
+-    <VMSinfo VKey="204578" SVKey="204578r5059" VRelease="r505924"/>
+-    <title text="The Red Hat Enterprise Linux operating system must use a FIPS 140-2 approved cryptographic algorithm for SSH communications."/>
++  <overlay owner="disastig" ruleid="sshd_use_approved_ciphers_ordered_stig" ownerid="RHEL-07-040110" disa="68" severity="medium">
++    <VMSinfo VKey="204578" SVKey="204578r6038" VRelease="r603843"/>
++    <title text="The Red Hat Enterprise Linux 7 operating system must implement DoD-approved encryption to protect the confidentiality of SSH connections."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="accounts_tmout" ownerid="RHEL-07-040160" disa="2361" severity="medium">
+-    <VMSinfo VKey="204579" SVKey="204579r5059" VRelease="r505924"/>
++    <VMSinfo VKey="204579" SVKey="204579r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must be configured so that all network connections associated with a communication session are terminated at the end of the session or after 15 minutes of inactivity from the user at a command prompt, except to fulfill documented and validated mission requirements."/>
+   </overlay>
+-  <overlay owner="disastig" ruleid="sshd_enable_warning_banner" ownerid="RHEL-07-040170" disa="1388" severity="medium">
+-    <VMSinfo VKey="204580" SVKey="204580r5059" VRelease="r505924"/>
++  <overlay owner="disastig" ruleid="sshd_enable_warning_banner" ownerid="RHEL-07-040170" disa="50" severity="medium">
++    <VMSinfo VKey="204580" SVKey="204580r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must display the Standard Mandatory DoD Notice and Consent Banner immediately prior to, or as part of, remote access logon prompts."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="sssd_ldap_start_tls" ownerid="RHEL-07-040180" disa="1453" severity="medium">
+-    <VMSinfo VKey="204581" SVKey="204581r5059" VRelease="r505924"/>
++    <VMSinfo VKey="204581" SVKey="204581r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must implement cryptography to protect the integrity of Lightweight Directory Access Protocol (LDAP) authentication communications."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="sssd_ldap_configure_tls_reqcert" ownerid="RHEL-07-040190" disa="1453" severity="medium">
+-    <VMSinfo VKey="204582" SVKey="204582r5059" VRelease="r505924"/>
++    <VMSinfo VKey="204582" SVKey="204582r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must implement cryptography to protect the integrity of Lightweight Directory Access Protocol (LDAP) communications."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="sssd_ldap_configure_tls_ca_dir" ownerid="RHEL-07-040200" disa="1453" severity="medium">
+-    <VMSinfo VKey="204583" SVKey="204583r5059" VRelease="r505924"/>
++    <VMSinfo VKey="204583" SVKey="204583r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must implement cryptography to protect the integrity of Lightweight Directory Access Protocol (LDAP) communications."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="sysctl_kernel_randomize_va_space" ownerid="RHEL-07-040201" disa="366" severity="medium">
+-    <VMSinfo VKey="204584" SVKey="204584r5059" VRelease="r505924"/>
++    <VMSinfo VKey="204584" SVKey="204584r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must implement virtual address space randomization."/>
+   </overlay>
+-  <overlay owner="disastig" ruleid="package_openssh-server_installed" ownerid="RHEL-07-040300" disa="2422" severity="medium">
+-    <VMSinfo VKey="204585" SVKey="204585r5059" VRelease="r505924"/>
++  <overlay owner="disastig" ruleid="package_openssh-server_installed" ownerid="RHEL-07-040300" disa="2421" severity="medium">
++    <VMSinfo VKey="204585" SVKey="204585r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must be configured so that all networked systems have SSH installed."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="service_sshd_enabled" ownerid="RHEL-07-040310" disa="2420" severity="medium">
+-    <VMSinfo VKey="204586" SVKey="204586r5059" VRelease="r505924"/>
++    <VMSinfo VKey="204586" SVKey="204586r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must be configured so that all networked systems use SSH for confidentiality and integrity of transmitted and received information as well as information during preparation for transmission."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="sshd_set_idle_timeout" ownerid="RHEL-07-040320" disa="2361" severity="medium">
+-    <VMSinfo VKey="204587" SVKey="204587r5059" VRelease="r505924"/>
++    <VMSinfo VKey="204587" SVKey="204587r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must be configured so that all network connections associated with SSH traffic are terminated at the end of the session or after 10 minutes of inactivity, except to fulfill documented and validated mission requirements."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="sshd_disable_rhosts_rsa" ownerid="RHEL-07-040330" disa="366" severity="medium">
+-    <VMSinfo VKey="204588" SVKey="204588r5059" VRelease="r505924"/>
++    <VMSinfo VKey="204588" SVKey="204588r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not allow authentication using RSA rhosts authentication."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="sshd_set_keepalive" ownerid="RHEL-07-040340" disa="2361" severity="medium">
+-    <VMSinfo VKey="204589" SVKey="204589r5059" VRelease="r505924"/>
++    <VMSinfo VKey="204589" SVKey="204589r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must be configured so that all network connections associated with SSH traffic terminate after a period of inactivity."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="sshd_disable_rhosts" ownerid="RHEL-07-040350" disa="366" severity="medium">
+-    <VMSinfo VKey="204590" SVKey="204590r5059" VRelease="r505924"/>
++    <VMSinfo VKey="204590" SVKey="204590r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not allow authentication using rhosts authentication."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="sshd_print_last_log" ownerid="RHEL-07-040360" disa="366" severity="medium">
+-    <VMSinfo VKey="204591" SVKey="204591r5059" VRelease="r505924"/>
++    <VMSinfo VKey="204591" SVKey="204591r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must display the date and time of the last successful account logon upon an SSH logon."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="sshd_disable_root_login" ownerid="RHEL-07-040370" disa="366" severity="medium">
+-    <VMSinfo VKey="204592" SVKey="204592r5059" VRelease="r505924"/>
++    <VMSinfo VKey="204592" SVKey="204592r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must not permit direct logons to the root account using remote access via SSH."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="sshd_disable_user_known_hosts" ownerid="RHEL-07-040380" disa="366" severity="medium">
+-    <VMSinfo VKey="204593" SVKey="204593r5059" VRelease="r505924"/>
++    <VMSinfo VKey="204593" SVKey="204593r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not allow authentication using known hosts authentication."/>
+   </overlay>
+-  <overlay owner="disastig" ruleid="sshd_allow_only_protocol2" ownerid="RHEL-07-040390" disa="366" severity="high">
+-    <VMSinfo VKey="204594" SVKey="204594r5059" VRelease="r505924"/>
++  <overlay owner="disastig" ruleid="sshd_allow_only_protocol2" ownerid="RHEL-07-040390" disa="197" severity="high">
++    <VMSinfo VKey="204594" SVKey="204594r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon is configured to only use the SSHv2 protocol."/>
+   </overlay>
+-  <overlay owner="disastig" ruleid="sshd_use_approved_macs" ownerid="RHEL-07-040400" disa="1453" severity="medium">
+-    <VMSinfo VKey="204595" SVKey="204595r5059" VRelease="r505924"/>
++  <overlay owner="disastig" ruleid="sshd_use_approved_macs_ordered_stig" ownerid="RHEL-07-040400" disa="1453" severity="medium">
++    <VMSinfo VKey="204595" SVKey="204595r6038" VRelease="r603846"/>
+     <title text="The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon is configured to only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="file_permissions_sshd_pub_key" ownerid="RHEL-07-040410" disa="366" severity="medium">
+-    <VMSinfo VKey="204596" SVKey="204596r5059" VRelease="r505924"/>
++    <VMSinfo VKey="204596" SVKey="204596r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must be configured so that the SSH public host key files have mode 0644 or less permissive."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="file_permissions_sshd_private_key" ownerid="RHEL-07-040420" disa="366" severity="medium">
+-    <VMSinfo VKey="204597" SVKey="204597r5059" VRelease="r505924"/>
++    <VMSinfo VKey="204597" SVKey="204597r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must be configured so that the SSH private host key files have mode 0640 or less permissive."/>
+   </overlay>
+-  <overlay owner="disastig" ruleid="sshd_disable_gssapi_auth" ownerid="RHEL-07-040430" disa="1813" severity="medium">
+-    <VMSinfo VKey="204598" SVKey="204598r5059" VRelease="r505924"/>
++  <overlay owner="disastig" ruleid="sshd_disable_gssapi_auth" ownerid="RHEL-07-040430" disa="1814" severity="medium">
++    <VMSinfo VKey="204598" SVKey="204598r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not permit Generic Security Service Application Program Interface (GSSAPI) authentication unless needed."/>
+   </overlay>
+-  <overlay owner="disastig" ruleid="sshd_disable_kerb_auth" ownerid="RHEL-07-040440" disa="1812" severity="medium">
+-    <VMSinfo VKey="204599" SVKey="204599r5059" VRelease="r505924"/>
++  <overlay owner="disastig" ruleid="sshd_disable_kerb_auth" ownerid="RHEL-07-040440" disa="318" severity="medium">
++    <VMSinfo VKey="204599" SVKey="204599r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not permit Kerberos authentication unless needed."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="sshd_enable_strictmodes" ownerid="RHEL-07-040450" disa="366" severity="medium">
+-    <VMSinfo VKey="204600" SVKey="204600r5059" VRelease="r505924"/>
++    <VMSinfo VKey="204600" SVKey="204600r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon performs strict mode checking of home directory configuration files."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="sshd_use_priv_separation" ownerid="RHEL-07-040460" disa="366" severity="medium">
+-    <VMSinfo VKey="204601" SVKey="204601r5059" VRelease="r505924"/>
++    <VMSinfo VKey="204601" SVKey="204601r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon uses privilege separation."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="sshd_disable_compression" ownerid="RHEL-07-040470" disa="366" severity="medium">
+-    <VMSinfo VKey="204602" SVKey="204602r5059" VRelease="r505924"/>
++    <VMSinfo VKey="204602" SVKey="204602r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not allow compression or only allows compression after successful authentication."/>
+   </overlay>
+-  <overlay owner="disastig" ruleid="chronyd_or_ntpd_set_maxpoll" ownerid="RHEL-07-040500" disa="1891" severity="medium">
+-    <VMSinfo VKey="204603" SVKey="204603r5059" VRelease="r505924"/>
++  <overlay owner="disastig" ruleid="chronyd_or_ntpd_set_maxpoll" ownerid="RHEL-07-040500" disa="2046" severity="medium">
++    <VMSinfo VKey="204603" SVKey="204603r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must, for networked systems, synchronize clocks with a server that is synchronized to one of the redundant United States Naval Observatory (USNO) time servers, a time server designated for the appropriate DoD network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS)."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="service_firewalld_enabled" ownerid="RHEL-07-040520" disa="366" severity="medium">
+-    <VMSinfo VKey="204604" SVKey="204604r5059" VRelease="r505924"/>
++    <VMSinfo VKey="204604" SVKey="204604r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must enable an application firewall, if available."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="display_login_attempts" ownerid="RHEL-07-040530" disa="366" severity="low">
+-    <VMSinfo VKey="204605" SVKey="204605r5059" VRelease="r505924"/>
++    <VMSinfo VKey="204605" SVKey="204605r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must display the date and time of the last successful account logon upon logon."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="no_user_host_based_files" ownerid="RHEL-07-040540" disa="366" severity="high">
+-    <VMSinfo VKey="204606" SVKey="204606r5059" VRelease="r505924"/>
++    <VMSinfo VKey="204606" SVKey="204606r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must not contain .shosts files."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="no_host_based_files" ownerid="RHEL-07-040550" disa="366" severity="high">
+-    <VMSinfo VKey="204607" SVKey="204607r5059" VRelease="r505924"/>
++    <VMSinfo VKey="204607" SVKey="204607r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must not contain shosts.equiv files."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="network_configure_name_resolution" ownerid="RHEL-07-040600" disa="366" severity="low">
+-    <VMSinfo VKey="204608" SVKey="204608r5059" VRelease="r505924"/>
++    <VMSinfo VKey="204608" SVKey="204608r6032" VRelease="r603261"/>
+     <title text="For Red Hat Enterprise Linux operating systems using DNS resolution, at least two name servers must be configured."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="sysctl_net_ipv4_conf_all_accept_source_route" ownerid="RHEL-07-040610" disa="366" severity="medium">
+-    <VMSinfo VKey="204609" SVKey="204609r5059" VRelease="r505924"/>
++    <VMSinfo VKey="204609" SVKey="204609r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must not forward Internet Protocol version 4 (IPv4) source-routed packets."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="sysctl_net_ipv4_conf_all_rp_filter" ownerid="RHEL-07-040611" disa="366" severity="medium">
+-    <VMSinfo VKey="204610" SVKey="204610r5059" VRelease="r505924"/>
++    <VMSinfo VKey="204610" SVKey="204610r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must use a reverse-path filter for IPv4 network traffic when possible on all interfaces."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="sysctl_net_ipv4_conf_default_rp_filter" ownerid="RHEL-07-040612" disa="366" severity="medium">
+-    <VMSinfo VKey="204611" SVKey="204611r5059" VRelease="r505924"/>
++    <VMSinfo VKey="204611" SVKey="204611r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must use a reverse-path filter for IPv4 network traffic when possible by default."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="sysctl_net_ipv4_conf_default_accept_source_route" ownerid="RHEL-07-040620" disa="366" severity="medium">
+-    <VMSinfo VKey="204612" SVKey="204612r5059" VRelease="r505924"/>
++    <VMSinfo VKey="204612" SVKey="204612r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must not forward Internet Protocol version 4 (IPv4) source-routed packets by default."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="sysctl_net_ipv4_icmp_echo_ignore_broadcasts" ownerid="RHEL-07-040630" disa="366" severity="medium">
+-    <VMSinfo VKey="204613" SVKey="204613r5059" VRelease="r505924"/>
++    <VMSinfo VKey="204613" SVKey="204613r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must not respond to Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) echoes sent to a broadcast address."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="sysctl_net_ipv4_conf_default_accept_redirects" ownerid="RHEL-07-040640" disa="366" severity="medium">
+-    <VMSinfo VKey="204614" SVKey="204614r5059" VRelease="r505924"/>
++    <VMSinfo VKey="204614" SVKey="204614r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must prevent Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages from being accepted."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="sysctl_net_ipv4_conf_all_accept_redirects" ownerid="RHEL-07-040641" disa="366" severity="medium">
+-    <VMSinfo VKey="204615" SVKey="204615r5059" VRelease="r505924"/>
++    <VMSinfo VKey="204615" SVKey="204615r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must ignore Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="sysctl_net_ipv4_conf_default_send_redirects" ownerid="RHEL-07-040650" disa="366" severity="medium">
+-    <VMSinfo VKey="204616" SVKey="204616r5059" VRelease="r505924"/>
++    <VMSinfo VKey="204616" SVKey="204616r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must not allow interfaces to perform Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirects by default."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="sysctl_net_ipv4_conf_all_send_redirects" ownerid="RHEL-07-040660" disa="366" severity="medium">
+-    <VMSinfo VKey="204617" SVKey="204617r5059" VRelease="r505924"/>
++    <VMSinfo VKey="204617" SVKey="204617r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must not send Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirects."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="network_sniffer_disabled" ownerid="RHEL-07-040670" disa="366" severity="medium">
+-    <VMSinfo VKey="204618" SVKey="204618r5059" VRelease="r505924"/>
++    <VMSinfo VKey="204618" SVKey="204618r6032" VRelease="r603261"/>
+     <title text="Network interfaces configured on the Red Hat Enterprise Linux operating system must not be in promiscuous mode."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="postfix_prevent_unrestricted_relay" ownerid="RHEL-07-040680" disa="366" severity="medium">
+-    <VMSinfo VKey="204619" SVKey="204619r5059" VRelease="r505924"/>
++    <VMSinfo VKey="204619" SVKey="204619r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must be configured to prevent unrestricted mail relaying."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="package_vsftpd_removed" ownerid="RHEL-07-040690" disa="366" severity="high">
+-    <VMSinfo VKey="204620" SVKey="204620r5059" VRelease="r505924"/>
++    <VMSinfo VKey="204620" SVKey="204620r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must not have a File Transfer Protocol (FTP) server package installed unless needed."/>
+   </overlay>
+-  <overlay owner="disastig" ruleid="package_tftp-server_removed" ownerid="RHEL-07-040700" disa="368" severity="high">
+-    <VMSinfo VKey="204621" SVKey="204621r5059" VRelease="r505924"/>
++  <overlay owner="disastig" ruleid="package_tftp-server_removed" ownerid="RHEL-07-040700" disa="318" severity="high">
++    <VMSinfo VKey="204621" SVKey="204621r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must not have the Trivial File Transfer Protocol (TFTP) server package installed if not required for operational support."/>
+   </overlay>
+-  <overlay owner="disastig" ruleid="sshd_enable_x11_forwarding" ownerid="RHEL-07-040710" disa="366" severity="high">
+-    <VMSinfo VKey="204622" SVKey="204622r5059" VRelease="r505924"/>
+-    <title text="The Red Hat Enterprise Linux operating system must be configured so that remote X connections for interactive users are encrypted."/>
++  <overlay owner="disastig" ruleid="sshd_disable_x11_forwarding" ownerid="RHEL-07-040710" disa="366" severity="medium">
++    <VMSinfo VKey="204622" SVKey="204622r6038" VRelease="r603849"/>
++    <title text="The Red Hat Enterprise Linux operating system must be configured so that remote X connections are disabled except to fulfill documented and validated mission requirements."/>
++  </overlay>
++  <overlay owner="disastig" ruleid="sshd_allow_only_protocol2" ownerid="RHEL-07-040711" disa="366" severity="medium">
++    <VMSinfo VKey="233307" SVKey="233307r6033" VRelease="r603301"/>
++    <title text="The Red Hat Enterprise Linux operating system SSH daemon must prevent remote hosts from connecting to the proxy display."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="tftpd_uses_secure_mode" ownerid="RHEL-07-040720" disa="366" severity="medium">
+-    <VMSinfo VKey="204623" SVKey="204623r5059" VRelease="r505924"/>
++    <VMSinfo VKey="204623" SVKey="204623r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must be configured so that if the Trivial File Transfer Protocol (TFTP) server is required, the TFTP daemon is configured to operate in secure mode."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="package_xorg-x11-server-common_removed" ownerid="RHEL-07-040730" disa="366" severity="medium">
+-    <VMSinfo VKey="204624" SVKey="204624r5059" VRelease="r505924"/>
++    <VMSinfo VKey="204624" SVKey="204624r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must not have a graphical display manager installed unless approved."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="sysctl_net_ipv4_ip_forward" ownerid="RHEL-07-040740" disa="366" severity="medium">
+-    <VMSinfo VKey="204625" SVKey="204625r5059" VRelease="r505924"/>
++    <VMSinfo VKey="204625" SVKey="204625r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must not be performing packet forwarding unless the system is a router."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="mount_option_krb_sec_remote_filesystems" ownerid="RHEL-07-040750" disa="366" severity="medium">
+-    <VMSinfo VKey="204626" SVKey="204626r5059" VRelease="r505924"/>
++    <VMSinfo VKey="204626" SVKey="204626r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must be configured so that the Network File System (NFS) is configured to use RPCSEC_GSS."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="snmpd_not_default_password" ownerid="RHEL-07-040800" disa="366" severity="high">
+-    <VMSinfo VKey="204627" SVKey="204627r5059" VRelease="r505924"/>
++    <VMSinfo VKey="204627" SVKey="204627r6032" VRelease="r603261"/>
+     <title text="SNMP community strings on the Red Hat Enterprise Linux operating system must be changed from the default."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="set_firewalld_default_zone" ownerid="RHEL-07-040810" disa="366" severity="medium">
+-    <VMSinfo VKey="204628" SVKey="204628r5059" VRelease="r505924"/>
++    <VMSinfo VKey="204628" SVKey="204628r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system access control program must be configured to grant or deny system access to specific hosts and services."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="libreswan_approved_tunnels" ownerid="RHEL-07-040820" disa="366" severity="medium">
+-    <VMSinfo VKey="204629" SVKey="204629r5059" VRelease="r505924"/>
++    <VMSinfo VKey="204629" SVKey="204629r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must not have unauthorized IP tunnels configured."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="sysctl_net_ipv6_conf_all_accept_source_route" ownerid="RHEL-07-040830" disa="366" severity="medium">
+-    <VMSinfo VKey="204630" SVKey="204630r5059" VRelease="r505924"/>
++    <VMSinfo VKey="204630" SVKey="204630r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must not forward IPv6 source-routed packets."/>
+   </overlay>
+-  <overlay owner="disastig" ruleid="install_smartcard_packages" ownerid="RHEL-07-041001" disa="1954" severity="medium">
+-    <VMSinfo VKey="204631" SVKey="204631r5059" VRelease="r505924"/>
++  <overlay owner="disastig" ruleid="install_smartcard_packages" ownerid="RHEL-07-041001" disa="1948" severity="medium">
++    <VMSinfo VKey="204631" SVKey="204631r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must have the required packages for multifactor authentication installed."/>
+   </overlay>
+-  <overlay owner="disastig" ruleid="sssd_enable_pam_services" ownerid="RHEL-07-041002" disa="1954" severity="medium">
+-    <VMSinfo VKey="204632" SVKey="204632r5059" VRelease="r505924"/>
++  <overlay owner="disastig" ruleid="sssd_enable_pam_services" ownerid="RHEL-07-041002" disa="1953" severity="medium">
++    <VMSinfo VKey="204632" SVKey="204632r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must implement multifactor authentication for access to privileged accounts via pluggable authentication modules (PAM)."/>
+   </overlay>
+-  <overlay owner="disastig" ruleid="smartcard_configure_cert_checking" ownerid="RHEL-07-041003" disa="1953" severity="medium">
+-    <VMSinfo VKey="204633" SVKey="204633r5059" VRelease="r505924"/>
++  <overlay owner="disastig" ruleid="smartcard_configure_cert_checking" ownerid="RHEL-07-041003" disa="1948" severity="medium">
++    <VMSinfo VKey="204633" SVKey="204633r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must implement certificate status checking for PKI authentication."/>
+   </overlay>
+   <overlay owner="disastig" ruleid="wireless_disable_interfaces" ownerid="RHEL-07-041010" disa="2418" severity="medium">
+-    <VMSinfo VKey="204634" SVKey="204634r5059" VRelease="r505924"/>
++    <VMSinfo VKey="204634" SVKey="204634r6032" VRelease="r603261"/>
+     <title text="The Red Hat Enterprise Linux operating system must be configured so that all wireless network adapters are disabled."/>
+   </overlay>
+-  <overlay owner="disastig" ruleid="file_ownership_var_log_audit" ownerid="RHEL-07-910055" disa="1314" severity="medium">
+-    <VMSinfo VKey="228564" SVKey="228564r5059" VRelease="r505924"/>
++  <overlay owner="disastig" ruleid="file_permissions_var_log_audit" ownerid="RHEL-07-910055" disa="164" severity="medium">
++    <VMSinfo VKey="228564" SVKey="228564r6064" VRelease="r606407"/>
+     <title text="The Red Hat Enterprise Linux operating system must protect audit information from unauthorized read, modification, or deletion."/>
+   </overlay>
+ </overlays>
+diff --git a/rhel7/profiles/stig.profile b/rhel7/profiles/stig.profile
+index 19669948bf..34ed264dea 100644
+--- a/rhel7/profiles/stig.profile
++++ b/rhel7/profiles/stig.profile
+@@ -11,7 +11,7 @@ title: 'DISA STIG for Red Hat Enterprise Linux 7'
+ 
+ description: |-
+     This profile contains configuration checks that align to the
+-    DISA STIG for Red Hat Enterprise Linux V3R1.
++    DISA STIG for Red Hat Enterprise Linux V3R2.
+ 
+     In addition to being applicable to Red Hat Enterprise Linux 7, DISA recognizes this
+     configuration baseline as applicable to the operating system tier of
+diff --git a/shared/references/disa-stig-rhel7-v3r1-xccdf-manual.xml b/shared/references/disa-stig-rhel7-v3r2-xccdf-manual.xml
+similarity index 84%
+rename from shared/references/disa-stig-rhel7-v3r1-xccdf-manual.xml
+rename to shared/references/disa-stig-rhel7-v3r2-xccdf-manual.xml
+index 560e081822..6c807d755d 100644
+--- a/shared/references/disa-stig-rhel7-v3r1-xccdf-manual.xml
++++ b/shared/references/disa-stig-rhel7-v3r2-xccdf-manual.xml
+@@ -1,6 +1,6 @@
+-<?xml version="1.0" encoding="utf-8"?><?xml-stylesheet type='text/xsl' href='STIG_unclass.xsl'?><Benchmark xmlns:xhtml="http://www.w3.org/1999/xhtml" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:cpe="http://cpe.mitre.org/language/2.0" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" xsi:schemaLocation="http://checklists.nist.gov/xccdf/1.1 http://nvd.nist.gov/schema/xccdf-1.1.4.xsd http://cpe.mitre.org/dictionary/2.0 http://cpe.mitre.org/files/cpe-dictionary_2.1.xsd" id="RHEL_7_STIG" xml:lang="en" xmlns="http://checklists.nist.gov/xccdf/1.1"><status date="2020-09-03">accepted</status><title>Red Hat Enterprise Linux 7 Security Technical Implementation Guide</title><description>This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.</description><notice id="terms-of-use" xml:lang="en"></notice><front-matter xml:lang="en"></front-matter><rear-matter xml:lang="en"></rear-matter><reference href="https://cyber.mil"><dc:publisher>DISA</dc:publisher><dc:source>STIG.DOD.MIL</dc:source></reference><plain-text id="release-info">Release: 1 Benchmark Date: 23 Oct 2020</plain-text><plain-text id="generator">3.1.1.36225</plain-text><plain-text id="conventionsVersion">1.10.0</plain-text><version>3</version><Profile id="MAC-1_Classified"><title>I - Mission Critical Classified</title><description>&lt;ProfileDescription&gt;&lt;/ProfileDescription&gt;</description><select idref="V-204392" selected="true" /><select idref="V-204393" selected="true" /><select idref="V-204394" selected="true" /><select idref="V-204395" selected="true" /><select idref="V-204396" selected="true" /><select idref="V-204397" selected="true" /><select idref="V-204398" selected="true" /><select idref="V-204399" selected="true" /><select idref="V-204400" selected="true" /><select idref="V-204402" selected="true" /><select idref="V-204403" selected="true" /><select idref="V-204404" selected="true" /><select idref="V-204405" selected="true" /><select idref="V-204406" selected="true" /><select idref="V-204407" selected="true" /><select idref="V-204408" selected="true" /><select idref="V-204409" selected="true" /><select idref="V-204410" selected="true" /><select idref="V-204411" selected="true" /><select idref="V-204412" selected="true" /><select idref="V-204413" selected="true" /><select idref="V-204414" selected="true" /><select idref="V-204415" selected="true" /><select idref="V-204416" selected="true" /><select idref="V-204417" selected="true" /><select idref="V-204418" selected="true" /><select idref="V-204419" selected="true" /><select idref="V-204420" selected="true" /><select idref="V-204421" selected="true" /><select idref="V-204422" selected="true" /><select idref="V-204423" selected="true" /><select idref="V-204424" selected="true" /><select idref="V-204425" selected="true" /><select idref="V-204426" selected="true" /><select idref="V-204427" selected="true" /><select idref="V-204428" selected="true" /><select idref="V-204429" selected="true" /><select idref="V-204430" selected="true" /><select idref="V-204431" selected="true" /><select idref="V-204432" selected="true" /><select idref="V-204433" selected="true" /><select idref="V-204434" selected="true" /><select idref="V-204435" selected="true" /><select idref="V-204436" selected="true" /><select idref="V-204437" selected="true" /><select idref="V-204438" selected="true" /><select idref="V-204439" selected="true" /><select idref="V-204440" selected="true" /><select idref="V-204441" selected="true" /><select idref="V-204442" selected="true" /><select idref="V-204443" selected="true" /><select idref="V-204444" selected="true" /><select idref="V-204445" selected="true" /><select idref="V-204446" selected="true" /><select idref="V-204447" selected="true" /><select idref="V-204448" selected="true" /><select idref="V-204449" selected="true" /><select idref="V-204450" selected="true" /><select idref="V-204451" selected="true" /><select idref="V-204452" selected="true" /><select idref="V-204453" selected="true" /><select idref="V-204454" selected="true" /><select idref="V-204455" selected="true" /><select idref="V-204456" selected="true" /><select idref="V-204457" selected="true" /><select idref="V-204458" selected="true" /><select idref="V-204459" selected="true" /><select idref="V-204460" selected="true" /><select idref="V-204461" selected="true" /><select idref="V-204462" selected="true" /><select idref="V-204463" selected="true" /><select idref="V-204464" selected="true" /><select idref="V-204466" selected="true" /><select idref="V-204467" selected="true" /><select idref="V-204468" selected="true" /><select idref="V-204469" selected="true" /><select idref="V-204470" selected="true" /><select idref="V-204471" selected="true" /><select idref="V-204472" selected="true" /><select idref="V-204473" selected="true" /><select idref="V-204474" selected="true" /><select idref="V-204475" selected="true" /><select idref="V-204476" selected="true" /><select idref="V-204477" selected="true" /><select idref="V-204478" selected="true" /><select idref="V-204479" selected="true" /><select idref="V-204480" selected="true" /><select idref="V-204481" selected="true" /><select idref="V-204482" selected="true" /><select idref="V-204483" selected="true" /><select idref="V-204486" selected="true" /><select idref="V-204487" selected="true" /><select idref="V-204488" selected="true" /><select idref="V-204489" selected="true" /><select idref="V-204490" selected="true" /><select idref="V-204491" selected="true" /><select idref="V-204492" selected="true" /><select idref="V-204493" selected="true" /><select idref="V-204494" selected="true" /><select idref="V-204495" selected="true" /><select idref="V-204496" selected="true" /><select idref="V-204497" selected="true" /><select idref="V-204498" selected="true" /><select idref="V-204499" selected="true" /><select idref="V-204500" selected="true" /><select idref="V-204501" selected="true" /><select idref="V-204502" selected="true" /><select idref="V-204503" selected="true" /><select idref="V-204504" selected="true" /><select idref="V-204506" selected="true" /><select idref="V-204507" selected="true" /><select idref="V-204508" selected="true" /><select idref="V-204509" selected="true" /><select idref="V-204510" selected="true" /><select idref="V-204511" selected="true" /><select idref="V-204512" selected="true" /><select idref="V-204513" selected="true" /><select idref="V-204514" selected="true" /><select idref="V-204515" selected="true" /><select idref="V-204516" selected="true" /><select idref="V-204517" selected="true" /><select idref="V-204518" selected="true" /><select idref="V-204519" selected="true" /><select idref="V-204520" selected="true" /><select idref="V-204521" selected="true" /><select idref="V-204522" selected="true" /><select idref="V-204523" selected="true" /><select idref="V-204524" selected="true" /><select idref="V-204525" selected="true" /><select idref="V-204526" selected="true" /><select idref="V-204527" selected="true" /><select idref="V-204528" selected="true" /><select idref="V-204529" selected="true" /><select idref="V-204530" selected="true" /><select idref="V-204531" selected="true" /><select idref="V-204532" selected="true" /><select idref="V-204533" selected="true" /><select idref="V-204534" selected="true" /><select idref="V-204535" selected="true" /><select idref="V-204536" selected="true" /><select idref="V-204537" selected="true" /><select idref="V-204538" selected="true" /><select idref="V-204539" selected="true" /><select idref="V-204540" selected="true" /><select idref="V-204541" selected="true" /><select idref="V-204542" selected="true" /><select idref="V-204543" selected="true" /><select idref="V-204544" selected="true" /><select idref="V-204545" selected="true" /><select idref="V-204546" selected="true" /><select idref="V-204547" selected="true" /><select idref="V-204548" selected="true" /><select idref="V-204549" selected="true" /><select idref="V-204550" selected="true" /><select idref="V-204551" selected="true" /><select idref="V-204552" selected="true" /><select idref="V-204553" selected="true" /><select idref="V-204554" selected="true" /><select idref="V-204555" selected="true" /><select idref="V-204556" selected="true" /><select idref="V-204557" selected="true" /><select idref="V-204558" selected="true" /><select idref="V-204559" selected="true" /><select idref="V-204560" selected="true" /><select idref="V-204561" selected="true" /><select idref="V-204562" selected="true" /><select idref="V-204563" selected="true" /><select idref="V-204564" selected="true" /><select idref="V-204565" selected="true" /><select idref="V-204566" selected="true" /><select idref="V-204567" selected="true" /><select idref="V-204568" selected="true" /><select idref="V-204569" selected="true" /><select idref="V-204570" selected="true" /><select idref="V-204571" selected="true" /><select idref="V-204572" selected="true" /><select idref="V-204573" selected="true" /><select idref="V-204574" selected="true" /><select idref="V-204575" selected="true" /><select idref="V-204576" selected="true" /><select idref="V-204577" selected="true" /><select idref="V-204578" selected="true" /><select idref="V-204579" selected="true" /><select idref="V-204580" selected="true" /><select idref="V-204581" selected="true" /><select idref="V-204582" selected="true" /><select idref="V-204583" selected="true" /><select idref="V-204584" selected="true" /><select idref="V-204585" selected="true" /><select idref="V-204586" selected="true" /><select idref="V-204587" selected="true" /><select idref="V-204588" selected="true" /><select idref="V-204589" selected="true" /><select idref="V-204590" selected="true" /><select idref="V-204591" selected="true" /><select idref="V-204592" selected="true" /><select idref="V-204593" selected="true" /><select idref="V-204594" selected="true" /><select idref="V-204595" selected="true" /><select idref="V-204596" selected="true" /><select idref="V-204597" selected="true" /><select idref="V-204598" selected="true" /><select idref="V-204599" selected="true" /><select idref="V-204600" selected="true" /><select idref="V-204601" selected="true" /><select idref="V-204602" selected="true" /><select idref="V-204603" selected="true" /><select idref="V-204604" selected="true" /><select idref="V-204605" selected="true" /><select idref="V-204606" selected="true" /><select idref="V-204607" selected="true" /><select idref="V-204608" selected="true" /><select idref="V-204609" selected="true" /><select idref="V-204610" selected="true" /><select idref="V-204611" selected="true" /><select idref="V-204612" selected="true" /><select idref="V-204613" selected="true" /><select idref="V-204614" selected="true" /><select idref="V-204615" selected="true" /><select idref="V-204616" selected="true" /><select idref="V-204617" selected="true" /><select idref="V-204618" selected="true" /><select idref="V-204619" selected="true" /><select idref="V-204620" selected="true" /><select idref="V-204621" selected="true" /><select idref="V-204622" selected="true" /><select idref="V-204623" selected="true" /><select idref="V-204624" selected="true" /><select idref="V-204625" selected="true" /><select idref="V-204626" selected="true" /><select idref="V-204627" selected="true" /><select idref="V-204628" selected="true" /><select idref="V-204629" selected="true" /><select idref="V-204630" selected="true" /><select idref="V-204631" selected="true" /><select idref="V-204632" selected="true" /><select idref="V-204633" selected="true" /><select idref="V-204634" selected="true" /><select idref="V-214799" selected="true" /><select idref="V-214800" selected="true" /><select idref="V-214801" selected="true" /><select idref="V-214937" selected="true" /><select idref="V-219059" selected="true" /><select idref="V-228563" selected="true" /><select idref="V-228564" selected="true" /></Profile><Profile id="MAC-1_Public"><title>I - Mission Critical Public</title><description>&lt;ProfileDescription&gt;&lt;/ProfileDescription&gt;</description><select idref="V-204392" selected="true" /><select idref="V-204393" selected="true" /><select idref="V-204394" selected="true" /><select idref="V-204395" selected="true" /><select idref="V-204396" selected="true" /><select idref="V-204397" selected="true" /><select idref="V-204398" selected="true" /><select idref="V-204399" selected="true" /><select idref="V-204400" selected="true" /><select idref="V-204402" selected="true" /><select idref="V-204403" selected="true" /><select idref="V-204404" selected="true" /><select idref="V-204405" selected="true" /><select idref="V-204406" selected="true" /><select idref="V-204407" selected="true" /><select idref="V-204408" selected="true" /><select idref="V-204409" selected="true" /><select idref="V-204410" selected="true" /><select idref="V-204411" selected="true" /><select idref="V-204412" selected="true" /><select idref="V-204413" selected="true" /><select idref="V-204414" selected="true" /><select idref="V-204415" selected="true" /><select idref="V-204416" selected="true" /><select idref="V-204417" selected="true" /><select idref="V-204418" selected="true" /><select idref="V-204419" selected="true" /><select idref="V-204420" selected="true" /><select idref="V-204421" selected="true" /><select idref="V-204422" selected="true" /><select idref="V-204423" selected="true" /><select idref="V-204424" selected="true" /><select idref="V-204425" selected="true" /><select idref="V-204426" selected="true" /><select idref="V-204427" selected="true" /><select idref="V-204428" selected="true" /><select idref="V-204429" selected="true" /><select idref="V-204430" selected="true" /><select idref="V-204431" selected="true" /><select idref="V-204432" selected="true" /><select idref="V-204433" selected="true" /><select idref="V-204434" selected="true" /><select idref="V-204435" selected="true" /><select idref="V-204436" selected="true" /><select idref="V-204437" selected="true" /><select idref="V-204438" selected="true" /><select idref="V-204439" selected="true" /><select idref="V-204440" selected="true" /><select idref="V-204441" selected="true" /><select idref="V-204442" selected="true" /><select idref="V-204443" selected="true" /><select idref="V-204444" selected="true" /><select idref="V-204445" selected="true" /><select idref="V-204446" selected="true" /><select idref="V-204447" selected="true" /><select idref="V-204448" selected="true" /><select idref="V-204449" selected="true" /><select idref="V-204450" selected="true" /><select idref="V-204451" selected="true" /><select idref="V-204452" selected="true" /><select idref="V-204453" selected="true" /><select idref="V-204454" selected="true" /><select idref="V-204455" selected="true" /><select idref="V-204456" selected="true" /><select idref="V-204457" selected="true" /><select idref="V-204458" selected="true" /><select idref="V-204459" selected="true" /><select idref="V-204460" selected="true" /><select idref="V-204461" selected="true" /><select idref="V-204462" selected="true" /><select idref="V-204463" selected="true" /><select idref="V-204464" selected="true" /><select idref="V-204466" selected="true" /><select idref="V-204467" selected="true" /><select idref="V-204468" selected="true" /><select idref="V-204469" selected="true" /><select idref="V-204470" selected="true" /><select idref="V-204471" selected="true" /><select idref="V-204472" selected="true" /><select idref="V-204473" selected="true" /><select idref="V-204474" selected="true" /><select idref="V-204475" selected="true" /><select idref="V-204476" selected="true" /><select idref="V-204477" selected="true" /><select idref="V-204478" selected="true" /><select idref="V-204479" selected="true" /><select idref="V-204480" selected="true" /><select idref="V-204481" selected="true" /><select idref="V-204482" selected="true" /><select idref="V-204483" selected="true" /><select idref="V-204486" selected="true" /><select idref="V-204487" selected="true" /><select idref="V-204488" selected="true" /><select idref="V-204489" selected="true" /><select idref="V-204490" selected="true" /><select idref="V-204491" selected="true" /><select idref="V-204492" selected="true" /><select idref="V-204493" selected="true" /><select idref="V-204494" selected="true" /><select idref="V-204495" selected="true" /><select idref="V-204496" selected="true" /><select idref="V-204497" selected="true" /><select idref="V-204498" selected="true" /><select idref="V-204499" selected="true" /><select idref="V-204500" selected="true" /><select idref="V-204501" selected="true" /><select idref="V-204502" selected="true" /><select idref="V-204503" selected="true" /><select idref="V-204504" selected="true" /><select idref="V-204506" selected="true" /><select idref="V-204507" selected="true" /><select idref="V-204508" selected="true" /><select idref="V-204509" selected="true" /><select idref="V-204510" selected="true" /><select idref="V-204511" selected="true" /><select idref="V-204512" selected="true" /><select idref="V-204513" selected="true" /><select idref="V-204514" selected="true" /><select idref="V-204515" selected="true" /><select idref="V-204516" selected="true" /><select idref="V-204517" selected="true" /><select idref="V-204518" selected="true" /><select idref="V-204519" selected="true" /><select idref="V-204520" selected="true" /><select idref="V-204521" selected="true" /><select idref="V-204522" selected="true" /><select idref="V-204523" selected="true" /><select idref="V-204524" selected="true" /><select idref="V-204525" selected="true" /><select idref="V-204526" selected="true" /><select idref="V-204527" selected="true" /><select idref="V-204528" selected="true" /><select idref="V-204529" selected="true" /><select idref="V-204530" selected="true" /><select idref="V-204531" selected="true" /><select idref="V-204532" selected="true" /><select idref="V-204533" selected="true" /><select idref="V-204534" selected="true" /><select idref="V-204535" selected="true" /><select idref="V-204536" selected="true" /><select idref="V-204537" selected="true" /><select idref="V-204538" selected="true" /><select idref="V-204539" selected="true" /><select idref="V-204540" selected="true" /><select idref="V-204541" selected="true" /><select idref="V-204542" selected="true" /><select idref="V-204543" selected="true" /><select idref="V-204544" selected="true" /><select idref="V-204545" selected="true" /><select idref="V-204546" selected="true" /><select idref="V-204547" selected="true" /><select idref="V-204548" selected="true" /><select idref="V-204549" selected="true" /><select idref="V-204550" selected="true" /><select idref="V-204551" selected="true" /><select idref="V-204552" selected="true" /><select idref="V-204553" selected="true" /><select idref="V-204554" selected="true" /><select idref="V-204555" selected="true" /><select idref="V-204556" selected="true" /><select idref="V-204557" selected="true" /><select idref="V-204558" selected="true" /><select idref="V-204559" selected="true" /><select idref="V-204560" selected="true" /><select idref="V-204561" selected="true" /><select idref="V-204562" selected="true" /><select idref="V-204563" selected="true" /><select idref="V-204564" selected="true" /><select idref="V-204565" selected="true" /><select idref="V-204566" selected="true" /><select idref="V-204567" selected="true" /><select idref="V-204568" selected="true" /><select idref="V-204569" selected="true" /><select idref="V-204570" selected="true" /><select idref="V-204571" selected="true" /><select idref="V-204572" selected="true" /><select idref="V-204573" selected="true" /><select idref="V-204574" selected="true" /><select idref="V-204575" selected="true" /><select idref="V-204576" selected="true" /><select idref="V-204577" selected="true" /><select idref="V-204578" selected="true" /><select idref="V-204579" selected="true" /><select idref="V-204580" selected="true" /><select idref="V-204581" selected="true" /><select idref="V-204582" selected="true" /><select idref="V-204583" selected="true" /><select idref="V-204584" selected="true" /><select idref="V-204585" selected="true" /><select idref="V-204586" selected="true" /><select idref="V-204587" selected="true" /><select idref="V-204588" selected="true" /><select idref="V-204589" selected="true" /><select idref="V-204590" selected="true" /><select idref="V-204591" selected="true" /><select idref="V-204592" selected="true" /><select idref="V-204593" selected="true" /><select idref="V-204594" selected="true" /><select idref="V-204595" selected="true" /><select idref="V-204596" selected="true" /><select idref="V-204597" selected="true" /><select idref="V-204598" selected="true" /><select idref="V-204599" selected="true" /><select idref="V-204600" selected="true" /><select idref="V-204601" selected="true" /><select idref="V-204602" selected="true" /><select idref="V-204603" selected="true" /><select idref="V-204604" selected="true" /><select idref="V-204605" selected="true" /><select idref="V-204606" selected="true" /><select idref="V-204607" selected="true" /><select idref="V-204608" selected="true" /><select idref="V-204609" selected="true" /><select idref="V-204610" selected="true" /><select idref="V-204611" selected="true" /><select idref="V-204612" selected="true" /><select idref="V-204613" selected="true" /><select idref="V-204614" selected="true" /><select idref="V-204615" selected="true" /><select idref="V-204616" selected="true" /><select idref="V-204617" selected="true" /><select idref="V-204618" selected="true" /><select idref="V-204619" selected="true" /><select idref="V-204620" selected="true" /><select idref="V-204621" selected="true" /><select idref="V-204622" selected="true" /><select idref="V-204623" selected="true" /><select idref="V-204624" selected="true" /><select idref="V-204625" selected="true" /><select idref="V-204626" selected="true" /><select idref="V-204627" selected="true" /><select idref="V-204628" selected="true" /><select idref="V-204629" selected="true" /><select idref="V-204630" selected="true" /><select idref="V-204631" selected="true" /><select idref="V-204632" selected="true" /><select idref="V-204633" selected="true" /><select idref="V-204634" selected="true" /><select idref="V-214799" selected="true" /><select idref="V-214800" selected="true" /><select idref="V-214801" selected="true" /><select idref="V-214937" selected="true" /><select idref="V-219059" selected="true" /><select idref="V-228563" selected="true" /><select idref="V-228564" selected="true" /></Profile><Profile id="MAC-1_Sensitive"><title>I - Mission Critical Sensitive</title><description>&lt;ProfileDescription&gt;&lt;/ProfileDescription&gt;</description><select idref="V-204392" selected="true" /><select idref="V-204393" selected="true" /><select idref="V-204394" selected="true" /><select idref="V-204395" selected="true" /><select idref="V-204396" selected="true" /><select idref="V-204397" selected="true" /><select idref="V-204398" selected="true" /><select idref="V-204399" selected="true" /><select idref="V-204400" selected="true" /><select idref="V-204402" selected="true" /><select idref="V-204403" selected="true" /><select idref="V-204404" selected="true" /><select idref="V-204405" selected="true" /><select idref="V-204406" selected="true" /><select idref="V-204407" selected="true" /><select idref="V-204408" selected="true" /><select idref="V-204409" selected="true" /><select idref="V-204410" selected="true" /><select idref="V-204411" selected="true" /><select idref="V-204412" selected="true" /><select idref="V-204413" selected="true" /><select idref="V-204414" selected="true" /><select idref="V-204415" selected="true" /><select idref="V-204416" selected="true" /><select idref="V-204417" selected="true" /><select idref="V-204418" selected="true" /><select idref="V-204419" selected="true" /><select idref="V-204420" selected="true" /><select idref="V-204421" selected="true" /><select idref="V-204422" selected="true" /><select idref="V-204423" selected="true" /><select idref="V-204424" selected="true" /><select idref="V-204425" selected="true" /><select idref="V-204426" selected="true" /><select idref="V-204427" selected="true" /><select idref="V-204428" selected="true" /><select idref="V-204429" selected="true" /><select idref="V-204430" selected="true" /><select idref="V-204431" selected="true" /><select idref="V-204432" selected="true" /><select idref="V-204433" selected="true" /><select idref="V-204434" selected="true" /><select idref="V-204435" selected="true" /><select idref="V-204436" selected="true" /><select idref="V-204437" selected="true" /><select idref="V-204438" selected="true" /><select idref="V-204439" selected="true" /><select idref="V-204440" selected="true" /><select idref="V-204441" selected="true" /><select idref="V-204442" selected="true" /><select idref="V-204443" selected="true" /><select idref="V-204444" selected="true" /><select idref="V-204445" selected="true" /><select idref="V-204446" selected="true" /><select idref="V-204447" selected="true" /><select idref="V-204448" selected="true" /><select idref="V-204449" selected="true" /><select idref="V-204450" selected="true" /><select idref="V-204451" selected="true" /><select idref="V-204452" selected="true" /><select idref="V-204453" selected="true" /><select idref="V-204454" selected="true" /><select idref="V-204455" selected="true" /><select idref="V-204456" selected="true" /><select idref="V-204457" selected="true" /><select idref="V-204458" selected="true" /><select idref="V-204459" selected="true" /><select idref="V-204460" selected="true" /><select idref="V-204461" selected="true" /><select idref="V-204462" selected="true" /><select idref="V-204463" selected="true" /><select idref="V-204464" selected="true" /><select idref="V-204466" selected="true" /><select idref="V-204467" selected="true" /><select idref="V-204468" selected="true" /><select idref="V-204469" selected="true" /><select idref="V-204470" selected="true" /><select idref="V-204471" selected="true" /><select idref="V-204472" selected="true" /><select idref="V-204473" selected="true" /><select idref="V-204474" selected="true" /><select idref="V-204475" selected="true" /><select idref="V-204476" selected="true" /><select idref="V-204477" selected="true" /><select idref="V-204478" selected="true" /><select idref="V-204479" selected="true" /><select idref="V-204480" selected="true" /><select idref="V-204481" selected="true" /><select idref="V-204482" selected="true" /><select idref="V-204483" selected="true" /><select idref="V-204486" selected="true" /><select idref="V-204487" selected="true" /><select idref="V-204488" selected="true" /><select idref="V-204489" selected="true" /><select idref="V-204490" selected="true" /><select idref="V-204491" selected="true" /><select idref="V-204492" selected="true" /><select idref="V-204493" selected="true" /><select idref="V-204494" selected="true" /><select idref="V-204495" selected="true" /><select idref="V-204496" selected="true" /><select idref="V-204497" selected="true" /><select idref="V-204498" selected="true" /><select idref="V-204499" selected="true" /><select idref="V-204500" selected="true" /><select idref="V-204501" selected="true" /><select idref="V-204502" selected="true" /><select idref="V-204503" selected="true" /><select idref="V-204504" selected="true" /><select idref="V-204506" selected="true" /><select idref="V-204507" selected="true" /><select idref="V-204508" selected="true" /><select idref="V-204509" selected="true" /><select idref="V-204510" selected="true" /><select idref="V-204511" selected="true" /><select idref="V-204512" selected="true" /><select idref="V-204513" selected="true" /><select idref="V-204514" selected="true" /><select idref="V-204515" selected="true" /><select idref="V-204516" selected="true" /><select idref="V-204517" selected="true" /><select idref="V-204518" selected="true" /><select idref="V-204519" selected="true" /><select idref="V-204520" selected="true" /><select idref="V-204521" selected="true" /><select idref="V-204522" selected="true" /><select idref="V-204523" selected="true" /><select idref="V-204524" selected="true" /><select idref="V-204525" selected="true" /><select idref="V-204526" selected="true" /><select idref="V-204527" selected="true" /><select idref="V-204528" selected="true" /><select idref="V-204529" selected="true" /><select idref="V-204530" selected="true" /><select idref="V-204531" selected="true" /><select idref="V-204532" selected="true" /><select idref="V-204533" selected="true" /><select idref="V-204534" selected="true" /><select idref="V-204535" selected="true" /><select idref="V-204536" selected="true" /><select idref="V-204537" selected="true" /><select idref="V-204538" selected="true" /><select idref="V-204539" selected="true" /><select idref="V-204540" selected="true" /><select idref="V-204541" selected="true" /><select idref="V-204542" selected="true" /><select idref="V-204543" selected="true" /><select idref="V-204544" selected="true" /><select idref="V-204545" selected="true" /><select idref="V-204546" selected="true" /><select idref="V-204547" selected="true" /><select idref="V-204548" selected="true" /><select idref="V-204549" selected="true" /><select idref="V-204550" selected="true" /><select idref="V-204551" selected="true" /><select idref="V-204552" selected="true" /><select idref="V-204553" selected="true" /><select idref="V-204554" selected="true" /><select idref="V-204555" selected="true" /><select idref="V-204556" selected="true" /><select idref="V-204557" selected="true" /><select idref="V-204558" selected="true" /><select idref="V-204559" selected="true" /><select idref="V-204560" selected="true" /><select idref="V-204561" selected="true" /><select idref="V-204562" selected="true" /><select idref="V-204563" selected="true" /><select idref="V-204564" selected="true" /><select idref="V-204565" selected="true" /><select idref="V-204566" selected="true" /><select idref="V-204567" selected="true" /><select idref="V-204568" selected="true" /><select idref="V-204569" selected="true" /><select idref="V-204570" selected="true" /><select idref="V-204571" selected="true" /><select idref="V-204572" selected="true" /><select idref="V-204573" selected="true" /><select idref="V-204574" selected="true" /><select idref="V-204575" selected="true" /><select idref="V-204576" selected="true" /><select idref="V-204577" selected="true" /><select idref="V-204578" selected="true" /><select idref="V-204579" selected="true" /><select idref="V-204580" selected="true" /><select idref="V-204581" selected="true" /><select idref="V-204582" selected="true" /><select idref="V-204583" selected="true" /><select idref="V-204584" selected="true" /><select idref="V-204585" selected="true" /><select idref="V-204586" selected="true" /><select idref="V-204587" selected="true" /><select idref="V-204588" selected="true" /><select idref="V-204589" selected="true" /><select idref="V-204590" selected="true" /><select idref="V-204591" selected="true" /><select idref="V-204592" selected="true" /><select idref="V-204593" selected="true" /><select idref="V-204594" selected="true" /><select idref="V-204595" selected="true" /><select idref="V-204596" selected="true" /><select idref="V-204597" selected="true" /><select idref="V-204598" selected="true" /><select idref="V-204599" selected="true" /><select idref="V-204600" selected="true" /><select idref="V-204601" selected="true" /><select idref="V-204602" selected="true" /><select idref="V-204603" selected="true" /><select idref="V-204604" selected="true" /><select idref="V-204605" selected="true" /><select idref="V-204606" selected="true" /><select idref="V-204607" selected="true" /><select idref="V-204608" selected="true" /><select idref="V-204609" selected="true" /><select idref="V-204610" selected="true" /><select idref="V-204611" selected="true" /><select idref="V-204612" selected="true" /><select idref="V-204613" selected="true" /><select idref="V-204614" selected="true" /><select idref="V-204615" selected="true" /><select idref="V-204616" selected="true" /><select idref="V-204617" selected="true" /><select idref="V-204618" selected="true" /><select idref="V-204619" selected="true" /><select idref="V-204620" selected="true" /><select idref="V-204621" selected="true" /><select idref="V-204622" selected="true" /><select idref="V-204623" selected="true" /><select idref="V-204624" selected="true" /><select idref="V-204625" selected="true" /><select idref="V-204626" selected="true" /><select idref="V-204627" selected="true" /><select idref="V-204628" selected="true" /><select idref="V-204629" selected="true" /><select idref="V-204630" selected="true" /><select idref="V-204631" selected="true" /><select idref="V-204632" selected="true" /><select idref="V-204633" selected="true" /><select idref="V-204634" selected="true" /><select idref="V-214799" selected="true" /><select idref="V-214800" selected="true" /><select idref="V-214801" selected="true" /><select idref="V-214937" selected="true" /><select idref="V-219059" selected="true" /><select idref="V-228563" selected="true" /><select idref="V-228564" selected="true" /></Profile><Profile id="MAC-2_Classified"><title>II - Mission Support Classified</title><description>&lt;ProfileDescription&gt;&lt;/ProfileDescription&gt;</description><select idref="V-204392" selected="true" /><select idref="V-204393" selected="true" /><select idref="V-204394" selected="true" /><select idref="V-204395" selected="true" /><select idref="V-204396" selected="true" /><select idref="V-204397" selected="true" /><select idref="V-204398" selected="true" /><select idref="V-204399" selected="true" /><select idref="V-204400" selected="true" /><select idref="V-204402" selected="true" /><select idref="V-204403" selected="true" /><select idref="V-204404" selected="true" /><select idref="V-204405" selected="true" /><select idref="V-204406" selected="true" /><select idref="V-204407" selected="true" /><select idref="V-204408" selected="true" /><select idref="V-204409" selected="true" /><select idref="V-204410" selected="true" /><select idref="V-204411" selected="true" /><select idref="V-204412" selected="true" /><select idref="V-204413" selected="true" /><select idref="V-204414" selected="true" /><select idref="V-204415" selected="true" /><select idref="V-204416" selected="true" /><select idref="V-204417" selected="true" /><select idref="V-204418" selected="true" /><select idref="V-204419" selected="true" /><select idref="V-204420" selected="true" /><select idref="V-204421" selected="true" /><select idref="V-204422" selected="true" /><select idref="V-204423" selected="true" /><select idref="V-204424" selected="true" /><select idref="V-204425" selected="true" /><select idref="V-204426" selected="true" /><select idref="V-204427" selected="true" /><select idref="V-204428" selected="true" /><select idref="V-204429" selected="true" /><select idref="V-204430" selected="true" /><select idref="V-204431" selected="true" /><select idref="V-204432" selected="true" /><select idref="V-204433" selected="true" /><select idref="V-204434" selected="true" /><select idref="V-204435" selected="true" /><select idref="V-204436" selected="true" /><select idref="V-204437" selected="true" /><select idref="V-204438" selected="true" /><select idref="V-204439" selected="true" /><select idref="V-204440" selected="true" /><select idref="V-204441" selected="true" /><select idref="V-204442" selected="true" /><select idref="V-204443" selected="true" /><select idref="V-204444" selected="true" /><select idref="V-204445" selected="true" /><select idref="V-204446" selected="true" /><select idref="V-204447" selected="true" /><select idref="V-204448" selected="true" /><select idref="V-204449" selected="true" /><select idref="V-204450" selected="true" /><select idref="V-204451" selected="true" /><select idref="V-204452" selected="true" /><select idref="V-204453" selected="true" /><select idref="V-204454" selected="true" /><select idref="V-204455" selected="true" /><select idref="V-204456" selected="true" /><select idref="V-204457" selected="true" /><select idref="V-204458" selected="true" /><select idref="V-204459" selected="true" /><select idref="V-204460" selected="true" /><select idref="V-204461" selected="true" /><select idref="V-204462" selected="true" /><select idref="V-204463" selected="true" /><select idref="V-204464" selected="true" /><select idref="V-204466" selected="true" /><select idref="V-204467" selected="true" /><select idref="V-204468" selected="true" /><select idref="V-204469" selected="true" /><select idref="V-204470" selected="true" /><select idref="V-204471" selected="true" /><select idref="V-204472" selected="true" /><select idref="V-204473" selected="true" /><select idref="V-204474" selected="true" /><select idref="V-204475" selected="true" /><select idref="V-204476" selected="true" /><select idref="V-204477" selected="true" /><select idref="V-204478" selected="true" /><select idref="V-204479" selected="true" /><select idref="V-204480" selected="true" /><select idref="V-204481" selected="true" /><select idref="V-204482" selected="true" /><select idref="V-204483" selected="true" /><select idref="V-204486" selected="true" /><select idref="V-204487" selected="true" /><select idref="V-204488" selected="true" /><select idref="V-204489" selected="true" /><select idref="V-204490" selected="true" /><select idref="V-204491" selected="true" /><select idref="V-204492" selected="true" /><select idref="V-204493" selected="true" /><select idref="V-204494" selected="true" /><select idref="V-204495" selected="true" /><select idref="V-204496" selected="true" /><select idref="V-204497" selected="true" /><select idref="V-204498" selected="true" /><select idref="V-204499" selected="true" /><select idref="V-204500" selected="true" /><select idref="V-204501" selected="true" /><select idref="V-204502" selected="true" /><select idref="V-204503" selected="true" /><select idref="V-204504" selected="true" /><select idref="V-204506" selected="true" /><select idref="V-204507" selected="true" /><select idref="V-204508" selected="true" /><select idref="V-204509" selected="true" /><select idref="V-204510" selected="true" /><select idref="V-204511" selected="true" /><select idref="V-204512" selected="true" /><select idref="V-204513" selected="true" /><select idref="V-204514" selected="true" /><select idref="V-204515" selected="true" /><select idref="V-204516" selected="true" /><select idref="V-204517" selected="true" /><select idref="V-204518" selected="true" /><select idref="V-204519" selected="true" /><select idref="V-204520" selected="true" /><select idref="V-204521" selected="true" /><select idref="V-204522" selected="true" /><select idref="V-204523" selected="true" /><select idref="V-204524" selected="true" /><select idref="V-204525" selected="true" /><select idref="V-204526" selected="true" /><select idref="V-204527" selected="true" /><select idref="V-204528" selected="true" /><select idref="V-204529" selected="true" /><select idref="V-204530" selected="true" /><select idref="V-204531" selected="true" /><select idref="V-204532" selected="true" /><select idref="V-204533" selected="true" /><select idref="V-204534" selected="true" /><select idref="V-204535" selected="true" /><select idref="V-204536" selected="true" /><select idref="V-204537" selected="true" /><select idref="V-204538" selected="true" /><select idref="V-204539" selected="true" /><select idref="V-204540" selected="true" /><select idref="V-204541" selected="true" /><select idref="V-204542" selected="true" /><select idref="V-204543" selected="true" /><select idref="V-204544" selected="true" /><select idref="V-204545" selected="true" /><select idref="V-204546" selected="true" /><select idref="V-204547" selected="true" /><select idref="V-204548" selected="true" /><select idref="V-204549" selected="true" /><select idref="V-204550" selected="true" /><select idref="V-204551" selected="true" /><select idref="V-204552" selected="true" /><select idref="V-204553" selected="true" /><select idref="V-204554" selected="true" /><select idref="V-204555" selected="true" /><select idref="V-204556" selected="true" /><select idref="V-204557" selected="true" /><select idref="V-204558" selected="true" /><select idref="V-204559" selected="true" /><select idref="V-204560" selected="true" /><select idref="V-204561" selected="true" /><select idref="V-204562" selected="true" /><select idref="V-204563" selected="true" /><select idref="V-204564" selected="true" /><select idref="V-204565" selected="true" /><select idref="V-204566" selected="true" /><select idref="V-204567" selected="true" /><select idref="V-204568" selected="true" /><select idref="V-204569" selected="true" /><select idref="V-204570" selected="true" /><select idref="V-204571" selected="true" /><select idref="V-204572" selected="true" /><select idref="V-204573" selected="true" /><select idref="V-204574" selected="true" /><select idref="V-204575" selected="true" /><select idref="V-204576" selected="true" /><select idref="V-204577" selected="true" /><select idref="V-204578" selected="true" /><select idref="V-204579" selected="true" /><select idref="V-204580" selected="true" /><select idref="V-204581" selected="true" /><select idref="V-204582" selected="true" /><select idref="V-204583" selected="true" /><select idref="V-204584" selected="true" /><select idref="V-204585" selected="true" /><select idref="V-204586" selected="true" /><select idref="V-204587" selected="true" /><select idref="V-204588" selected="true" /><select idref="V-204589" selected="true" /><select idref="V-204590" selected="true" /><select idref="V-204591" selected="true" /><select idref="V-204592" selected="true" /><select idref="V-204593" selected="true" /><select idref="V-204594" selected="true" /><select idref="V-204595" selected="true" /><select idref="V-204596" selected="true" /><select idref="V-204597" selected="true" /><select idref="V-204598" selected="true" /><select idref="V-204599" selected="true" /><select idref="V-204600" selected="true" /><select idref="V-204601" selected="true" /><select idref="V-204602" selected="true" /><select idref="V-204603" selected="true" /><select idref="V-204604" selected="true" /><select idref="V-204605" selected="true" /><select idref="V-204606" selected="true" /><select idref="V-204607" selected="true" /><select idref="V-204608" selected="true" /><select idref="V-204609" selected="true" /><select idref="V-204610" selected="true" /><select idref="V-204611" selected="true" /><select idref="V-204612" selected="true" /><select idref="V-204613" selected="true" /><select idref="V-204614" selected="true" /><select idref="V-204615" selected="true" /><select idref="V-204616" selected="true" /><select idref="V-204617" selected="true" /><select idref="V-204618" selected="true" /><select idref="V-204619" selected="true" /><select idref="V-204620" selected="true" /><select idref="V-204621" selected="true" /><select idref="V-204622" selected="true" /><select idref="V-204623" selected="true" /><select idref="V-204624" selected="true" /><select idref="V-204625" selected="true" /><select idref="V-204626" selected="true" /><select idref="V-204627" selected="true" /><select idref="V-204628" selected="true" /><select idref="V-204629" selected="true" /><select idref="V-204630" selected="true" /><select idref="V-204631" selected="true" /><select idref="V-204632" selected="true" /><select idref="V-204633" selected="true" /><select idref="V-204634" selected="true" /><select idref="V-214799" selected="true" /><select idref="V-214800" selected="true" /><select idref="V-214801" selected="true" /><select idref="V-214937" selected="true" /><select idref="V-219059" selected="true" /><select idref="V-228563" selected="true" /><select idref="V-228564" selected="true" /></Profile><Profile id="MAC-2_Public"><title>II - Mission Support Public</title><description>&lt;ProfileDescription&gt;&lt;/ProfileDescription&gt;</description><select idref="V-204392" selected="true" /><select idref="V-204393" selected="true" /><select idref="V-204394" selected="true" /><select idref="V-204395" selected="true" /><select idref="V-204396" selected="true" /><select idref="V-204397" selected="true" /><select idref="V-204398" selected="true" /><select idref="V-204399" selected="true" /><select idref="V-204400" selected="true" /><select idref="V-204402" selected="true" /><select idref="V-204403" selected="true" /><select idref="V-204404" selected="true" /><select idref="V-204405" selected="true" /><select idref="V-204406" selected="true" /><select idref="V-204407" selected="true" /><select idref="V-204408" selected="true" /><select idref="V-204409" selected="true" /><select idref="V-204410" selected="true" /><select idref="V-204411" selected="true" /><select idref="V-204412" selected="true" /><select idref="V-204413" selected="true" /><select idref="V-204414" selected="true" /><select idref="V-204415" selected="true" /><select idref="V-204416" selected="true" /><select idref="V-204417" selected="true" /><select idref="V-204418" selected="true" /><select idref="V-204419" selected="true" /><select idref="V-204420" selected="true" /><select idref="V-204421" selected="true" /><select idref="V-204422" selected="true" /><select idref="V-204423" selected="true" /><select idref="V-204424" selected="true" /><select idref="V-204425" selected="true" /><select idref="V-204426" selected="true" /><select idref="V-204427" selected="true" /><select idref="V-204428" selected="true" /><select idref="V-204429" selected="true" /><select idref="V-204430" selected="true" /><select idref="V-204431" selected="true" /><select idref="V-204432" selected="true" /><select idref="V-204433" selected="true" /><select idref="V-204434" selected="true" /><select idref="V-204435" selected="true" /><select idref="V-204436" selected="true" /><select idref="V-204437" selected="true" /><select idref="V-204438" selected="true" /><select idref="V-204439" selected="true" /><select idref="V-204440" selected="true" /><select idref="V-204441" selected="true" /><select idref="V-204442" selected="true" /><select idref="V-204443" selected="true" /><select idref="V-204444" selected="true" /><select idref="V-204445" selected="true" /><select idref="V-204446" selected="true" /><select idref="V-204447" selected="true" /><select idref="V-204448" selected="true" /><select idref="V-204449" selected="true" /><select idref="V-204450" selected="true" /><select idref="V-204451" selected="true" /><select idref="V-204452" selected="true" /><select idref="V-204453" selected="true" /><select idref="V-204454" selected="true" /><select idref="V-204455" selected="true" /><select idref="V-204456" selected="true" /><select idref="V-204457" selected="true" /><select idref="V-204458" selected="true" /><select idref="V-204459" selected="true" /><select idref="V-204460" selected="true" /><select idref="V-204461" selected="true" /><select idref="V-204462" selected="true" /><select idref="V-204463" selected="true" /><select idref="V-204464" selected="true" /><select idref="V-204466" selected="true" /><select idref="V-204467" selected="true" /><select idref="V-204468" selected="true" /><select idref="V-204469" selected="true" /><select idref="V-204470" selected="true" /><select idref="V-204471" selected="true" /><select idref="V-204472" selected="true" /><select idref="V-204473" selected="true" /><select idref="V-204474" selected="true" /><select idref="V-204475" selected="true" /><select idref="V-204476" selected="true" /><select idref="V-204477" selected="true" /><select idref="V-204478" selected="true" /><select idref="V-204479" selected="true" /><select idref="V-204480" selected="true" /><select idref="V-204481" selected="true" /><select idref="V-204482" selected="true" /><select idref="V-204483" selected="true" /><select idref="V-204486" selected="true" /><select idref="V-204487" selected="true" /><select idref="V-204488" selected="true" /><select idref="V-204489" selected="true" /><select idref="V-204490" selected="true" /><select idref="V-204491" selected="true" /><select idref="V-204492" selected="true" /><select idref="V-204493" selected="true" /><select idref="V-204494" selected="true" /><select idref="V-204495" selected="true" /><select idref="V-204496" selected="true" /><select idref="V-204497" selected="true" /><select idref="V-204498" selected="true" /><select idref="V-204499" selected="true" /><select idref="V-204500" selected="true" /><select idref="V-204501" selected="true" /><select idref="V-204502" selected="true" /><select idref="V-204503" selected="true" /><select idref="V-204504" selected="true" /><select idref="V-204506" selected="true" /><select idref="V-204507" selected="true" /><select idref="V-204508" selected="true" /><select idref="V-204509" selected="true" /><select idref="V-204510" selected="true" /><select idref="V-204511" selected="true" /><select idref="V-204512" selected="true" /><select idref="V-204513" selected="true" /><select idref="V-204514" selected="true" /><select idref="V-204515" selected="true" /><select idref="V-204516" selected="true" /><select idref="V-204517" selected="true" /><select idref="V-204518" selected="true" /><select idref="V-204519" selected="true" /><select idref="V-204520" selected="true" /><select idref="V-204521" selected="true" /><select idref="V-204522" selected="true" /><select idref="V-204523" selected="true" /><select idref="V-204524" selected="true" /><select idref="V-204525" selected="true" /><select idref="V-204526" selected="true" /><select idref="V-204527" selected="true" /><select idref="V-204528" selected="true" /><select idref="V-204529" selected="true" /><select idref="V-204530" selected="true" /><select idref="V-204531" selected="true" /><select idref="V-204532" selected="true" /><select idref="V-204533" selected="true" /><select idref="V-204534" selected="true" /><select idref="V-204535" selected="true" /><select idref="V-204536" selected="true" /><select idref="V-204537" selected="true" /><select idref="V-204538" selected="true" /><select idref="V-204539" selected="true" /><select idref="V-204540" selected="true" /><select idref="V-204541" selected="true" /><select idref="V-204542" selected="true" /><select idref="V-204543" selected="true" /><select idref="V-204544" selected="true" /><select idref="V-204545" selected="true" /><select idref="V-204546" selected="true" /><select idref="V-204547" selected="true" /><select idref="V-204548" selected="true" /><select idref="V-204549" selected="true" /><select idref="V-204550" selected="true" /><select idref="V-204551" selected="true" /><select idref="V-204552" selected="true" /><select idref="V-204553" selected="true" /><select idref="V-204554" selected="true" /><select idref="V-204555" selected="true" /><select idref="V-204556" selected="true" /><select idref="V-204557" selected="true" /><select idref="V-204558" selected="true" /><select idref="V-204559" selected="true" /><select idref="V-204560" selected="true" /><select idref="V-204561" selected="true" /><select idref="V-204562" selected="true" /><select idref="V-204563" selected="true" /><select idref="V-204564" selected="true" /><select idref="V-204565" selected="true" /><select idref="V-204566" selected="true" /><select idref="V-204567" selected="true" /><select idref="V-204568" selected="true" /><select idref="V-204569" selected="true" /><select idref="V-204570" selected="true" /><select idref="V-204571" selected="true" /><select idref="V-204572" selected="true" /><select idref="V-204573" selected="true" /><select idref="V-204574" selected="true" /><select idref="V-204575" selected="true" /><select idref="V-204576" selected="true" /><select idref="V-204577" selected="true" /><select idref="V-204578" selected="true" /><select idref="V-204579" selected="true" /><select idref="V-204580" selected="true" /><select idref="V-204581" selected="true" /><select idref="V-204582" selected="true" /><select idref="V-204583" selected="true" /><select idref="V-204584" selected="true" /><select idref="V-204585" selected="true" /><select idref="V-204586" selected="true" /><select idref="V-204587" selected="true" /><select idref="V-204588" selected="true" /><select idref="V-204589" selected="true" /><select idref="V-204590" selected="true" /><select idref="V-204591" selected="true" /><select idref="V-204592" selected="true" /><select idref="V-204593" selected="true" /><select idref="V-204594" selected="true" /><select idref="V-204595" selected="true" /><select idref="V-204596" selected="true" /><select idref="V-204597" selected="true" /><select idref="V-204598" selected="true" /><select idref="V-204599" selected="true" /><select idref="V-204600" selected="true" /><select idref="V-204601" selected="true" /><select idref="V-204602" selected="true" /><select idref="V-204603" selected="true" /><select idref="V-204604" selected="true" /><select idref="V-204605" selected="true" /><select idref="V-204606" selected="true" /><select idref="V-204607" selected="true" /><select idref="V-204608" selected="true" /><select idref="V-204609" selected="true" /><select idref="V-204610" selected="true" /><select idref="V-204611" selected="true" /><select idref="V-204612" selected="true" /><select idref="V-204613" selected="true" /><select idref="V-204614" selected="true" /><select idref="V-204615" selected="true" /><select idref="V-204616" selected="true" /><select idref="V-204617" selected="true" /><select idref="V-204618" selected="true" /><select idref="V-204619" selected="true" /><select idref="V-204620" selected="true" /><select idref="V-204621" selected="true" /><select idref="V-204622" selected="true" /><select idref="V-204623" selected="true" /><select idref="V-204624" selected="true" /><select idref="V-204625" selected="true" /><select idref="V-204626" selected="true" /><select idref="V-204627" selected="true" /><select idref="V-204628" selected="true" /><select idref="V-204629" selected="true" /><select idref="V-204630" selected="true" /><select idref="V-204631" selected="true" /><select idref="V-204632" selected="true" /><select idref="V-204633" selected="true" /><select idref="V-204634" selected="true" /><select idref="V-214799" selected="true" /><select idref="V-214800" selected="true" /><select idref="V-214801" selected="true" /><select idref="V-214937" selected="true" /><select idref="V-219059" selected="true" /><select idref="V-228563" selected="true" /><select idref="V-228564" selected="true" /></Profile><Profile id="MAC-2_Sensitive"><title>II - Mission Support Sensitive</title><description>&lt;ProfileDescription&gt;&lt;/ProfileDescription&gt;</description><select idref="V-204392" selected="true" /><select idref="V-204393" selected="true" /><select idref="V-204394" selected="true" /><select idref="V-204395" selected="true" /><select idref="V-204396" selected="true" /><select idref="V-204397" selected="true" /><select idref="V-204398" selected="true" /><select idref="V-204399" selected="true" /><select idref="V-204400" selected="true" /><select idref="V-204402" selected="true" /><select idref="V-204403" selected="true" /><select idref="V-204404" selected="true" /><select idref="V-204405" selected="true" /><select idref="V-204406" selected="true" /><select idref="V-204407" selected="true" /><select idref="V-204408" selected="true" /><select idref="V-204409" selected="true" /><select idref="V-204410" selected="true" /><select idref="V-204411" selected="true" /><select idref="V-204412" selected="true" /><select idref="V-204413" selected="true" /><select idref="V-204414" selected="true" /><select idref="V-204415" selected="true" /><select idref="V-204416" selected="true" /><select idref="V-204417" selected="true" /><select idref="V-204418" selected="true" /><select idref="V-204419" selected="true" /><select idref="V-204420" selected="true" /><select idref="V-204421" selected="true" /><select idref="V-204422" selected="true" /><select idref="V-204423" selected="true" /><select idref="V-204424" selected="true" /><select idref="V-204425" selected="true" /><select idref="V-204426" selected="true" /><select idref="V-204427" selected="true" /><select idref="V-204428" selected="true" /><select idref="V-204429" selected="true" /><select idref="V-204430" selected="true" /><select idref="V-204431" selected="true" /><select idref="V-204432" selected="true" /><select idref="V-204433" selected="true" /><select idref="V-204434" selected="true" /><select idref="V-204435" selected="true" /><select idref="V-204436" selected="true" /><select idref="V-204437" selected="true" /><select idref="V-204438" selected="true" /><select idref="V-204439" selected="true" /><select idref="V-204440" selected="true" /><select idref="V-204441" selected="true" /><select idref="V-204442" selected="true" /><select idref="V-204443" selected="true" /><select idref="V-204444" selected="true" /><select idref="V-204445" selected="true" /><select idref="V-204446" selected="true" /><select idref="V-204447" selected="true" /><select idref="V-204448" selected="true" /><select idref="V-204449" selected="true" /><select idref="V-204450" selected="true" /><select idref="V-204451" selected="true" /><select idref="V-204452" selected="true" /><select idref="V-204453" selected="true" /><select idref="V-204454" selected="true" /><select idref="V-204455" selected="true" /><select idref="V-204456" selected="true" /><select idref="V-204457" selected="true" /><select idref="V-204458" selected="true" /><select idref="V-204459" selected="true" /><select idref="V-204460" selected="true" /><select idref="V-204461" selected="true" /><select idref="V-204462" selected="true" /><select idref="V-204463" selected="true" /><select idref="V-204464" selected="true" /><select idref="V-204466" selected="true" /><select idref="V-204467" selected="true" /><select idref="V-204468" selected="true" /><select idref="V-204469" selected="true" /><select idref="V-204470" selected="true" /><select idref="V-204471" selected="true" /><select idref="V-204472" selected="true" /><select idref="V-204473" selected="true" /><select idref="V-204474" selected="true" /><select idref="V-204475" selected="true" /><select idref="V-204476" selected="true" /><select idref="V-204477" selected="true" /><select idref="V-204478" selected="true" /><select idref="V-204479" selected="true" /><select idref="V-204480" selected="true" /><select idref="V-204481" selected="true" /><select idref="V-204482" selected="true" /><select idref="V-204483" selected="true" /><select idref="V-204486" selected="true" /><select idref="V-204487" selected="true" /><select idref="V-204488" selected="true" /><select idref="V-204489" selected="true" /><select idref="V-204490" selected="true" /><select idref="V-204491" selected="true" /><select idref="V-204492" selected="true" /><select idref="V-204493" selected="true" /><select idref="V-204494" selected="true" /><select idref="V-204495" selected="true" /><select idref="V-204496" selected="true" /><select idref="V-204497" selected="true" /><select idref="V-204498" selected="true" /><select idref="V-204499" selected="true" /><select idref="V-204500" selected="true" /><select idref="V-204501" selected="true" /><select idref="V-204502" selected="true" /><select idref="V-204503" selected="true" /><select idref="V-204504" selected="true" /><select idref="V-204506" selected="true" /><select idref="V-204507" selected="true" /><select idref="V-204508" selected="true" /><select idref="V-204509" selected="true" /><select idref="V-204510" selected="true" /><select idref="V-204511" selected="true" /><select idref="V-204512" selected="true" /><select idref="V-204513" selected="true" /><select idref="V-204514" selected="true" /><select idref="V-204515" selected="true" /><select idref="V-204516" selected="true" /><select idref="V-204517" selected="true" /><select idref="V-204518" selected="true" /><select idref="V-204519" selected="true" /><select idref="V-204520" selected="true" /><select idref="V-204521" selected="true" /><select idref="V-204522" selected="true" /><select idref="V-204523" selected="true" /><select idref="V-204524" selected="true" /><select idref="V-204525" selected="true" /><select idref="V-204526" selected="true" /><select idref="V-204527" selected="true" /><select idref="V-204528" selected="true" /><select idref="V-204529" selected="true" /><select idref="V-204530" selected="true" /><select idref="V-204531" selected="true" /><select idref="V-204532" selected="true" /><select idref="V-204533" selected="true" /><select idref="V-204534" selected="true" /><select idref="V-204535" selected="true" /><select idref="V-204536" selected="true" /><select idref="V-204537" selected="true" /><select idref="V-204538" selected="true" /><select idref="V-204539" selected="true" /><select idref="V-204540" selected="true" /><select idref="V-204541" selected="true" /><select idref="V-204542" selected="true" /><select idref="V-204543" selected="true" /><select idref="V-204544" selected="true" /><select idref="V-204545" selected="true" /><select idref="V-204546" selected="true" /><select idref="V-204547" selected="true" /><select idref="V-204548" selected="true" /><select idref="V-204549" selected="true" /><select idref="V-204550" selected="true" /><select idref="V-204551" selected="true" /><select idref="V-204552" selected="true" /><select idref="V-204553" selected="true" /><select idref="V-204554" selected="true" /><select idref="V-204555" selected="true" /><select idref="V-204556" selected="true" /><select idref="V-204557" selected="true" /><select idref="V-204558" selected="true" /><select idref="V-204559" selected="true" /><select idref="V-204560" selected="true" /><select idref="V-204561" selected="true" /><select idref="V-204562" selected="true" /><select idref="V-204563" selected="true" /><select idref="V-204564" selected="true" /><select idref="V-204565" selected="true" /><select idref="V-204566" selected="true" /><select idref="V-204567" selected="true" /><select idref="V-204568" selected="true" /><select idref="V-204569" selected="true" /><select idref="V-204570" selected="true" /><select idref="V-204571" selected="true" /><select idref="V-204572" selected="true" /><select idref="V-204573" selected="true" /><select idref="V-204574" selected="true" /><select idref="V-204575" selected="true" /><select idref="V-204576" selected="true" /><select idref="V-204577" selected="true" /><select idref="V-204578" selected="true" /><select idref="V-204579" selected="true" /><select idref="V-204580" selected="true" /><select idref="V-204581" selected="true" /><select idref="V-204582" selected="true" /><select idref="V-204583" selected="true" /><select idref="V-204584" selected="true" /><select idref="V-204585" selected="true" /><select idref="V-204586" selected="true" /><select idref="V-204587" selected="true" /><select idref="V-204588" selected="true" /><select idref="V-204589" selected="true" /><select idref="V-204590" selected="true" /><select idref="V-204591" selected="true" /><select idref="V-204592" selected="true" /><select idref="V-204593" selected="true" /><select idref="V-204594" selected="true" /><select idref="V-204595" selected="true" /><select idref="V-204596" selected="true" /><select idref="V-204597" selected="true" /><select idref="V-204598" selected="true" /><select idref="V-204599" selected="true" /><select idref="V-204600" selected="true" /><select idref="V-204601" selected="true" /><select idref="V-204602" selected="true" /><select idref="V-204603" selected="true" /><select idref="V-204604" selected="true" /><select idref="V-204605" selected="true" /><select idref="V-204606" selected="true" /><select idref="V-204607" selected="true" /><select idref="V-204608" selected="true" /><select idref="V-204609" selected="true" /><select idref="V-204610" selected="true" /><select idref="V-204611" selected="true" /><select idref="V-204612" selected="true" /><select idref="V-204613" selected="true" /><select idref="V-204614" selected="true" /><select idref="V-204615" selected="true" /><select idref="V-204616" selected="true" /><select idref="V-204617" selected="true" /><select idref="V-204618" selected="true" /><select idref="V-204619" selected="true" /><select idref="V-204620" selected="true" /><select idref="V-204621" selected="true" /><select idref="V-204622" selected="true" /><select idref="V-204623" selected="true" /><select idref="V-204624" selected="true" /><select idref="V-204625" selected="true" /><select idref="V-204626" selected="true" /><select idref="V-204627" selected="true" /><select idref="V-204628" selected="true" /><select idref="V-204629" selected="true" /><select idref="V-204630" selected="true" /><select idref="V-204631" selected="true" /><select idref="V-204632" selected="true" /><select idref="V-204633" selected="true" /><select idref="V-204634" selected="true" /><select idref="V-214799" selected="true" /><select idref="V-214800" selected="true" /><select idref="V-214801" selected="true" /><select idref="V-214937" selected="true" /><select idref="V-219059" selected="true" /><select idref="V-228563" selected="true" /><select idref="V-228564" selected="true" /></Profile><Profile id="MAC-3_Classified"><title>III - Administrative Classified</title><description>&lt;ProfileDescription&gt;&lt;/ProfileDescription&gt;</description><select idref="V-204392" selected="true" /><select idref="V-204393" selected="true" /><select idref="V-204394" selected="true" /><select idref="V-204395" selected="true" /><select idref="V-204396" selected="true" /><select idref="V-204397" selected="true" /><select idref="V-204398" selected="true" /><select idref="V-204399" selected="true" /><select idref="V-204400" selected="true" /><select idref="V-204402" selected="true" /><select idref="V-204403" selected="true" /><select idref="V-204404" selected="true" /><select idref="V-204405" selected="true" /><select idref="V-204406" selected="true" /><select idref="V-204407" selected="true" /><select idref="V-204408" selected="true" /><select idref="V-204409" selected="true" /><select idref="V-204410" selected="true" /><select idref="V-204411" selected="true" /><select idref="V-204412" selected="true" /><select idref="V-204413" selected="true" /><select idref="V-204414" selected="true" /><select idref="V-204415" selected="true" /><select idref="V-204416" selected="true" /><select idref="V-204417" selected="true" /><select idref="V-204418" selected="true" /><select idref="V-204419" selected="true" /><select idref="V-204420" selected="true" /><select idref="V-204421" selected="true" /><select idref="V-204422" selected="true" /><select idref="V-204423" selected="true" /><select idref="V-204424" selected="true" /><select idref="V-204425" selected="true" /><select idref="V-204426" selected="true" /><select idref="V-204427" selected="true" /><select idref="V-204428" selected="true" /><select idref="V-204429" selected="true" /><select idref="V-204430" selected="true" /><select idref="V-204431" selected="true" /><select idref="V-204432" selected="true" /><select idref="V-204433" selected="true" /><select idref="V-204434" selected="true" /><select idref="V-204435" selected="true" /><select idref="V-204436" selected="true" /><select idref="V-204437" selected="true" /><select idref="V-204438" selected="true" /><select idref="V-204439" selected="true" /><select idref="V-204440" selected="true" /><select idref="V-204441" selected="true" /><select idref="V-204442" selected="true" /><select idref="V-204443" selected="true" /><select idref="V-204444" selected="true" /><select idref="V-204445" selected="true" /><select idref="V-204446" selected="true" /><select idref="V-204447" selected="true" /><select idref="V-204448" selected="true" /><select idref="V-204449" selected="true" /><select idref="V-204450" selected="true" /><select idref="V-204451" selected="true" /><select idref="V-204452" selected="true" /><select idref="V-204453" selected="true" /><select idref="V-204454" selected="true" /><select idref="V-204455" selected="true" /><select idref="V-204456" selected="true" /><select idref="V-204457" selected="true" /><select idref="V-204458" selected="true" /><select idref="V-204459" selected="true" /><select idref="V-204460" selected="true" /><select idref="V-204461" selected="true" /><select idref="V-204462" selected="true" /><select idref="V-204463" selected="true" /><select idref="V-204464" selected="true" /><select idref="V-204466" selected="true" /><select idref="V-204467" selected="true" /><select idref="V-204468" selected="true" /><select idref="V-204469" selected="true" /><select idref="V-204470" selected="true" /><select idref="V-204471" selected="true" /><select idref="V-204472" selected="true" /><select idref="V-204473" selected="true" /><select idref="V-204474" selected="true" /><select idref="V-204475" selected="true" /><select idref="V-204476" selected="true" /><select idref="V-204477" selected="true" /><select idref="V-204478" selected="true" /><select idref="V-204479" selected="true" /><select idref="V-204480" selected="true" /><select idref="V-204481" selected="true" /><select idref="V-204482" selected="true" /><select idref="V-204483" selected="true" /><select idref="V-204486" selected="true" /><select idref="V-204487" selected="true" /><select idref="V-204488" selected="true" /><select idref="V-204489" selected="true" /><select idref="V-204490" selected="true" /><select idref="V-204491" selected="true" /><select idref="V-204492" selected="true" /><select idref="V-204493" selected="true" /><select idref="V-204494" selected="true" /><select idref="V-204495" selected="true" /><select idref="V-204496" selected="true" /><select idref="V-204497" selected="true" /><select idref="V-204498" selected="true" /><select idref="V-204499" selected="true" /><select idref="V-204500" selected="true" /><select idref="V-204501" selected="true" /><select idref="V-204502" selected="true" /><select idref="V-204503" selected="true" /><select idref="V-204504" selected="true" /><select idref="V-204506" selected="true" /><select idref="V-204507" selected="true" /><select idref="V-204508" selected="true" /><select idref="V-204509" selected="true" /><select idref="V-204510" selected="true" /><select idref="V-204511" selected="true" /><select idref="V-204512" selected="true" /><select idref="V-204513" selected="true" /><select idref="V-204514" selected="true" /><select idref="V-204515" selected="true" /><select idref="V-204516" selected="true" /><select idref="V-204517" selected="true" /><select idref="V-204518" selected="true" /><select idref="V-204519" selected="true" /><select idref="V-204520" selected="true" /><select idref="V-204521" selected="true" /><select idref="V-204522" selected="true" /><select idref="V-204523" selected="true" /><select idref="V-204524" selected="true" /><select idref="V-204525" selected="true" /><select idref="V-204526" selected="true" /><select idref="V-204527" selected="true" /><select idref="V-204528" selected="true" /><select idref="V-204529" selected="true" /><select idref="V-204530" selected="true" /><select idref="V-204531" selected="true" /><select idref="V-204532" selected="true" /><select idref="V-204533" selected="true" /><select idref="V-204534" selected="true" /><select idref="V-204535" selected="true" /><select idref="V-204536" selected="true" /><select idref="V-204537" selected="true" /><select idref="V-204538" selected="true" /><select idref="V-204539" selected="true" /><select idref="V-204540" selected="true" /><select idref="V-204541" selected="true" /><select idref="V-204542" selected="true" /><select idref="V-204543" selected="true" /><select idref="V-204544" selected="true" /><select idref="V-204545" selected="true" /><select idref="V-204546" selected="true" /><select idref="V-204547" selected="true" /><select idref="V-204548" selected="true" /><select idref="V-204549" selected="true" /><select idref="V-204550" selected="true" /><select idref="V-204551" selected="true" /><select idref="V-204552" selected="true" /><select idref="V-204553" selected="true" /><select idref="V-204554" selected="true" /><select idref="V-204555" selected="true" /><select idref="V-204556" selected="true" /><select idref="V-204557" selected="true" /><select idref="V-204558" selected="true" /><select idref="V-204559" selected="true" /><select idref="V-204560" selected="true" /><select idref="V-204561" selected="true" /><select idref="V-204562" selected="true" /><select idref="V-204563" selected="true" /><select idref="V-204564" selected="true" /><select idref="V-204565" selected="true" /><select idref="V-204566" selected="true" /><select idref="V-204567" selected="true" /><select idref="V-204568" selected="true" /><select idref="V-204569" selected="true" /><select idref="V-204570" selected="true" /><select idref="V-204571" selected="true" /><select idref="V-204572" selected="true" /><select idref="V-204573" selected="true" /><select idref="V-204574" selected="true" /><select idref="V-204575" selected="true" /><select idref="V-204576" selected="true" /><select idref="V-204577" selected="true" /><select idref="V-204578" selected="true" /><select idref="V-204579" selected="true" /><select idref="V-204580" selected="true" /><select idref="V-204581" selected="true" /><select idref="V-204582" selected="true" /><select idref="V-204583" selected="true" /><select idref="V-204584" selected="true" /><select idref="V-204585" selected="true" /><select idref="V-204586" selected="true" /><select idref="V-204587" selected="true" /><select idref="V-204588" selected="true" /><select idref="V-204589" selected="true" /><select idref="V-204590" selected="true" /><select idref="V-204591" selected="true" /><select idref="V-204592" selected="true" /><select idref="V-204593" selected="true" /><select idref="V-204594" selected="true" /><select idref="V-204595" selected="true" /><select idref="V-204596" selected="true" /><select idref="V-204597" selected="true" /><select idref="V-204598" selected="true" /><select idref="V-204599" selected="true" /><select idref="V-204600" selected="true" /><select idref="V-204601" selected="true" /><select idref="V-204602" selected="true" /><select idref="V-204603" selected="true" /><select idref="V-204604" selected="true" /><select idref="V-204605" selected="true" /><select idref="V-204606" selected="true" /><select idref="V-204607" selected="true" /><select idref="V-204608" selected="true" /><select idref="V-204609" selected="true" /><select idref="V-204610" selected="true" /><select idref="V-204611" selected="true" /><select idref="V-204612" selected="true" /><select idref="V-204613" selected="true" /><select idref="V-204614" selected="true" /><select idref="V-204615" selected="true" /><select idref="V-204616" selected="true" /><select idref="V-204617" selected="true" /><select idref="V-204618" selected="true" /><select idref="V-204619" selected="true" /><select idref="V-204620" selected="true" /><select idref="V-204621" selected="true" /><select idref="V-204622" selected="true" /><select idref="V-204623" selected="true" /><select idref="V-204624" selected="true" /><select idref="V-204625" selected="true" /><select idref="V-204626" selected="true" /><select idref="V-204627" selected="true" /><select idref="V-204628" selected="true" /><select idref="V-204629" selected="true" /><select idref="V-204630" selected="true" /><select idref="V-204631" selected="true" /><select idref="V-204632" selected="true" /><select idref="V-204633" selected="true" /><select idref="V-204634" selected="true" /><select idref="V-214799" selected="true" /><select idref="V-214800" selected="true" /><select idref="V-214801" selected="true" /><select idref="V-214937" selected="true" /><select idref="V-219059" selected="true" /><select idref="V-228563" selected="true" /><select idref="V-228564" selected="true" /></Profile><Profile id="MAC-3_Public"><title>III - Administrative Public</title><description>&lt;ProfileDescription&gt;&lt;/ProfileDescription&gt;</description><select idref="V-204392" selected="true" /><select idref="V-204393" selected="true" /><select idref="V-204394" selected="true" /><select idref="V-204395" selected="true" /><select idref="V-204396" selected="true" /><select idref="V-204397" selected="true" /><select idref="V-204398" selected="true" /><select idref="V-204399" selected="true" /><select idref="V-204400" selected="true" /><select idref="V-204402" selected="true" /><select idref="V-204403" selected="true" /><select idref="V-204404" selected="true" /><select idref="V-204405" selected="true" /><select idref="V-204406" selected="true" /><select idref="V-204407" selected="true" /><select idref="V-204408" selected="true" /><select idref="V-204409" selected="true" /><select idref="V-204410" selected="true" /><select idref="V-204411" selected="true" /><select idref="V-204412" selected="true" /><select idref="V-204413" selected="true" /><select idref="V-204414" selected="true" /><select idref="V-204415" selected="true" /><select idref="V-204416" selected="true" /><select idref="V-204417" selected="true" /><select idref="V-204418" selected="true" /><select idref="V-204419" selected="true" /><select idref="V-204420" selected="true" /><select idref="V-204421" selected="true" /><select idref="V-204422" selected="true" /><select idref="V-204423" selected="true" /><select idref="V-204424" selected="true" /><select idref="V-204425" selected="true" /><select idref="V-204426" selected="true" /><select idref="V-204427" selected="true" /><select idref="V-204428" selected="true" /><select idref="V-204429" selected="true" /><select idref="V-204430" selected="true" /><select idref="V-204431" selected="true" /><select idref="V-204432" selected="true" /><select idref="V-204433" selected="true" /><select idref="V-204434" selected="true" /><select idref="V-204435" selected="true" /><select idref="V-204436" selected="true" /><select idref="V-204437" selected="true" /><select idref="V-204438" selected="true" /><select idref="V-204439" selected="true" /><select idref="V-204440" selected="true" /><select idref="V-204441" selected="true" /><select idref="V-204442" selected="true" /><select idref="V-204443" selected="true" /><select idref="V-204444" selected="true" /><select idref="V-204445" selected="true" /><select idref="V-204446" selected="true" /><select idref="V-204447" selected="true" /><select idref="V-204448" selected="true" /><select idref="V-204449" selected="true" /><select idref="V-204450" selected="true" /><select idref="V-204451" selected="true" /><select idref="V-204452" selected="true" /><select idref="V-204453" selected="true" /><select idref="V-204454" selected="true" /><select idref="V-204455" selected="true" /><select idref="V-204456" selected="true" /><select idref="V-204457" selected="true" /><select idref="V-204458" selected="true" /><select idref="V-204459" selected="true" /><select idref="V-204460" selected="true" /><select idref="V-204461" selected="true" /><select idref="V-204462" selected="true" /><select idref="V-204463" selected="true" /><select idref="V-204464" selected="true" /><select idref="V-204466" selected="true" /><select idref="V-204467" selected="true" /><select idref="V-204468" selected="true" /><select idref="V-204469" selected="true" /><select idref="V-204470" selected="true" /><select idref="V-204471" selected="true" /><select idref="V-204472" selected="true" /><select idref="V-204473" selected="true" /><select idref="V-204474" selected="true" /><select idref="V-204475" selected="true" /><select idref="V-204476" selected="true" /><select idref="V-204477" selected="true" /><select idref="V-204478" selected="true" /><select idref="V-204479" selected="true" /><select idref="V-204480" selected="true" /><select idref="V-204481" selected="true" /><select idref="V-204482" selected="true" /><select idref="V-204483" selected="true" /><select idref="V-204486" selected="true" /><select idref="V-204487" selected="true" /><select idref="V-204488" selected="true" /><select idref="V-204489" selected="true" /><select idref="V-204490" selected="true" /><select idref="V-204491" selected="true" /><select idref="V-204492" selected="true" /><select idref="V-204493" selected="true" /><select idref="V-204494" selected="true" /><select idref="V-204495" selected="true" /><select idref="V-204496" selected="true" /><select idref="V-204497" selected="true" /><select idref="V-204498" selected="true" /><select idref="V-204499" selected="true" /><select idref="V-204500" selected="true" /><select idref="V-204501" selected="true" /><select idref="V-204502" selected="true" /><select idref="V-204503" selected="true" /><select idref="V-204504" selected="true" /><select idref="V-204506" selected="true" /><select idref="V-204507" selected="true" /><select idref="V-204508" selected="true" /><select idref="V-204509" selected="true" /><select idref="V-204510" selected="true" /><select idref="V-204511" selected="true" /><select idref="V-204512" selected="true" /><select idref="V-204513" selected="true" /><select idref="V-204514" selected="true" /><select idref="V-204515" selected="true" /><select idref="V-204516" selected="true" /><select idref="V-204517" selected="true" /><select idref="V-204518" selected="true" /><select idref="V-204519" selected="true" /><select idref="V-204520" selected="true" /><select idref="V-204521" selected="true" /><select idref="V-204522" selected="true" /><select idref="V-204523" selected="true" /><select idref="V-204524" selected="true" /><select idref="V-204525" selected="true" /><select idref="V-204526" selected="true" /><select idref="V-204527" selected="true" /><select idref="V-204528" selected="true" /><select idref="V-204529" selected="true" /><select idref="V-204530" selected="true" /><select idref="V-204531" selected="true" /><select idref="V-204532" selected="true" /><select idref="V-204533" selected="true" /><select idref="V-204534" selected="true" /><select idref="V-204535" selected="true" /><select idref="V-204536" selected="true" /><select idref="V-204537" selected="true" /><select idref="V-204538" selected="true" /><select idref="V-204539" selected="true" /><select idref="V-204540" selected="true" /><select idref="V-204541" selected="true" /><select idref="V-204542" selected="true" /><select idref="V-204543" selected="true" /><select idref="V-204544" selected="true" /><select idref="V-204545" selected="true" /><select idref="V-204546" selected="true" /><select idref="V-204547" selected="true" /><select idref="V-204548" selected="true" /><select idref="V-204549" selected="true" /><select idref="V-204550" selected="true" /><select idref="V-204551" selected="true" /><select idref="V-204552" selected="true" /><select idref="V-204553" selected="true" /><select idref="V-204554" selected="true" /><select idref="V-204555" selected="true" /><select idref="V-204556" selected="true" /><select idref="V-204557" selected="true" /><select idref="V-204558" selected="true" /><select idref="V-204559" selected="true" /><select idref="V-204560" selected="true" /><select idref="V-204561" selected="true" /><select idref="V-204562" selected="true" /><select idref="V-204563" selected="true" /><select idref="V-204564" selected="true" /><select idref="V-204565" selected="true" /><select idref="V-204566" selected="true" /><select idref="V-204567" selected="true" /><select idref="V-204568" selected="true" /><select idref="V-204569" selected="true" /><select idref="V-204570" selected="true" /><select idref="V-204571" selected="true" /><select idref="V-204572" selected="true" /><select idref="V-204573" selected="true" /><select idref="V-204574" selected="true" /><select idref="V-204575" selected="true" /><select idref="V-204576" selected="true" /><select idref="V-204577" selected="true" /><select idref="V-204578" selected="true" /><select idref="V-204579" selected="true" /><select idref="V-204580" selected="true" /><select idref="V-204581" selected="true" /><select idref="V-204582" selected="true" /><select idref="V-204583" selected="true" /><select idref="V-204584" selected="true" /><select idref="V-204585" selected="true" /><select idref="V-204586" selected="true" /><select idref="V-204587" selected="true" /><select idref="V-204588" selected="true" /><select idref="V-204589" selected="true" /><select idref="V-204590" selected="true" /><select idref="V-204591" selected="true" /><select idref="V-204592" selected="true" /><select idref="V-204593" selected="true" /><select idref="V-204594" selected="true" /><select idref="V-204595" selected="true" /><select idref="V-204596" selected="true" /><select idref="V-204597" selected="true" /><select idref="V-204598" selected="true" /><select idref="V-204599" selected="true" /><select idref="V-204600" selected="true" /><select idref="V-204601" selected="true" /><select idref="V-204602" selected="true" /><select idref="V-204603" selected="true" /><select idref="V-204604" selected="true" /><select idref="V-204605" selected="true" /><select idref="V-204606" selected="true" /><select idref="V-204607" selected="true" /><select idref="V-204608" selected="true" /><select idref="V-204609" selected="true" /><select idref="V-204610" selected="true" /><select idref="V-204611" selected="true" /><select idref="V-204612" selected="true" /><select idref="V-204613" selected="true" /><select idref="V-204614" selected="true" /><select idref="V-204615" selected="true" /><select idref="V-204616" selected="true" /><select idref="V-204617" selected="true" /><select idref="V-204618" selected="true" /><select idref="V-204619" selected="true" /><select idref="V-204620" selected="true" /><select idref="V-204621" selected="true" /><select idref="V-204622" selected="true" /><select idref="V-204623" selected="true" /><select idref="V-204624" selected="true" /><select idref="V-204625" selected="true" /><select idref="V-204626" selected="true" /><select idref="V-204627" selected="true" /><select idref="V-204628" selected="true" /><select idref="V-204629" selected="true" /><select idref="V-204630" selected="true" /><select idref="V-204631" selected="true" /><select idref="V-204632" selected="true" /><select idref="V-204633" selected="true" /><select idref="V-204634" selected="true" /><select idref="V-214799" selected="true" /><select idref="V-214800" selected="true" /><select idref="V-214801" selected="true" /><select idref="V-214937" selected="true" /><select idref="V-219059" selected="true" /><select idref="V-228563" selected="true" /><select idref="V-228564" selected="true" /></Profile><Profile id="MAC-3_Sensitive"><title>III - Administrative Sensitive</title><description>&lt;ProfileDescription&gt;&lt;/ProfileDescription&gt;</description><select idref="V-204392" selected="true" /><select idref="V-204393" selected="true" /><select idref="V-204394" selected="true" /><select idref="V-204395" selected="true" /><select idref="V-204396" selected="true" /><select idref="V-204397" selected="true" /><select idref="V-204398" selected="true" /><select idref="V-204399" selected="true" /><select idref="V-204400" selected="true" /><select idref="V-204402" selected="true" /><select idref="V-204403" selected="true" /><select idref="V-204404" selected="true" /><select idref="V-204405" selected="true" /><select idref="V-204406" selected="true" /><select idref="V-204407" selected="true" /><select idref="V-204408" selected="true" /><select idref="V-204409" selected="true" /><select idref="V-204410" selected="true" /><select idref="V-204411" selected="true" /><select idref="V-204412" selected="true" /><select idref="V-204413" selected="true" /><select idref="V-204414" selected="true" /><select idref="V-204415" selected="true" /><select idref="V-204416" selected="true" /><select idref="V-204417" selected="true" /><select idref="V-204418" selected="true" /><select idref="V-204419" selected="true" /><select idref="V-204420" selected="true" /><select idref="V-204421" selected="true" /><select idref="V-204422" selected="true" /><select idref="V-204423" selected="true" /><select idref="V-204424" selected="true" /><select idref="V-204425" selected="true" /><select idref="V-204426" selected="true" /><select idref="V-204427" selected="true" /><select idref="V-204428" selected="true" /><select idref="V-204429" selected="true" /><select idref="V-204430" selected="true" /><select idref="V-204431" selected="true" /><select idref="V-204432" selected="true" /><select idref="V-204433" selected="true" /><select idref="V-204434" selected="true" /><select idref="V-204435" selected="true" /><select idref="V-204436" selected="true" /><select idref="V-204437" selected="true" /><select idref="V-204438" selected="true" /><select idref="V-204439" selected="true" /><select idref="V-204440" selected="true" /><select idref="V-204441" selected="true" /><select idref="V-204442" selected="true" /><select idref="V-204443" selected="true" /><select idref="V-204444" selected="true" /><select idref="V-204445" selected="true" /><select idref="V-204446" selected="true" /><select idref="V-204447" selected="true" /><select idref="V-204448" selected="true" /><select idref="V-204449" selected="true" /><select idref="V-204450" selected="true" /><select idref="V-204451" selected="true" /><select idref="V-204452" selected="true" /><select idref="V-204453" selected="true" /><select idref="V-204454" selected="true" /><select idref="V-204455" selected="true" /><select idref="V-204456" selected="true" /><select idref="V-204457" selected="true" /><select idref="V-204458" selected="true" /><select idref="V-204459" selected="true" /><select idref="V-204460" selected="true" /><select idref="V-204461" selected="true" /><select idref="V-204462" selected="true" /><select idref="V-204463" selected="true" /><select idref="V-204464" selected="true" /><select idref="V-204466" selected="true" /><select idref="V-204467" selected="true" /><select idref="V-204468" selected="true" /><select idref="V-204469" selected="true" /><select idref="V-204470" selected="true" /><select idref="V-204471" selected="true" /><select idref="V-204472" selected="true" /><select idref="V-204473" selected="true" /><select idref="V-204474" selected="true" /><select idref="V-204475" selected="true" /><select idref="V-204476" selected="true" /><select idref="V-204477" selected="true" /><select idref="V-204478" selected="true" /><select idref="V-204479" selected="true" /><select idref="V-204480" selected="true" /><select idref="V-204481" selected="true" /><select idref="V-204482" selected="true" /><select idref="V-204483" selected="true" /><select idref="V-204486" selected="true" /><select idref="V-204487" selected="true" /><select idref="V-204488" selected="true" /><select idref="V-204489" selected="true" /><select idref="V-204490" selected="true" /><select idref="V-204491" selected="true" /><select idref="V-204492" selected="true" /><select idref="V-204493" selected="true" /><select idref="V-204494" selected="true" /><select idref="V-204495" selected="true" /><select idref="V-204496" selected="true" /><select idref="V-204497" selected="true" /><select idref="V-204498" selected="true" /><select idref="V-204499" selected="true" /><select idref="V-204500" selected="true" /><select idref="V-204501" selected="true" /><select idref="V-204502" selected="true" /><select idref="V-204503" selected="true" /><select idref="V-204504" selected="true" /><select idref="V-204506" selected="true" /><select idref="V-204507" selected="true" /><select idref="V-204508" selected="true" /><select idref="V-204509" selected="true" /><select idref="V-204510" selected="true" /><select idref="V-204511" selected="true" /><select idref="V-204512" selected="true" /><select idref="V-204513" selected="true" /><select idref="V-204514" selected="true" /><select idref="V-204515" selected="true" /><select idref="V-204516" selected="true" /><select idref="V-204517" selected="true" /><select idref="V-204518" selected="true" /><select idref="V-204519" selected="true" /><select idref="V-204520" selected="true" /><select idref="V-204521" selected="true" /><select idref="V-204522" selected="true" /><select idref="V-204523" selected="true" /><select idref="V-204524" selected="true" /><select idref="V-204525" selected="true" /><select idref="V-204526" selected="true" /><select idref="V-204527" selected="true" /><select idref="V-204528" selected="true" /><select idref="V-204529" selected="true" /><select idref="V-204530" selected="true" /><select idref="V-204531" selected="true" /><select idref="V-204532" selected="true" /><select idref="V-204533" selected="true" /><select idref="V-204534" selected="true" /><select idref="V-204535" selected="true" /><select idref="V-204536" selected="true" /><select idref="V-204537" selected="true" /><select idref="V-204538" selected="true" /><select idref="V-204539" selected="true" /><select idref="V-204540" selected="true" /><select idref="V-204541" selected="true" /><select idref="V-204542" selected="true" /><select idref="V-204543" selected="true" /><select idref="V-204544" selected="true" /><select idref="V-204545" selected="true" /><select idref="V-204546" selected="true" /><select idref="V-204547" selected="true" /><select idref="V-204548" selected="true" /><select idref="V-204549" selected="true" /><select idref="V-204550" selected="true" /><select idref="V-204551" selected="true" /><select idref="V-204552" selected="true" /><select idref="V-204553" selected="true" /><select idref="V-204554" selected="true" /><select idref="V-204555" selected="true" /><select idref="V-204556" selected="true" /><select idref="V-204557" selected="true" /><select idref="V-204558" selected="true" /><select idref="V-204559" selected="true" /><select idref="V-204560" selected="true" /><select idref="V-204561" selected="true" /><select idref="V-204562" selected="true" /><select idref="V-204563" selected="true" /><select idref="V-204564" selected="true" /><select idref="V-204565" selected="true" /><select idref="V-204566" selected="true" /><select idref="V-204567" selected="true" /><select idref="V-204568" selected="true" /><select idref="V-204569" selected="true" /><select idref="V-204570" selected="true" /><select idref="V-204571" selected="true" /><select idref="V-204572" selected="true" /><select idref="V-204573" selected="true" /><select idref="V-204574" selected="true" /><select idref="V-204575" selected="true" /><select idref="V-204576" selected="true" /><select idref="V-204577" selected="true" /><select idref="V-204578" selected="true" /><select idref="V-204579" selected="true" /><select idref="V-204580" selected="true" /><select idref="V-204581" selected="true" /><select idref="V-204582" selected="true" /><select idref="V-204583" selected="true" /><select idref="V-204584" selected="true" /><select idref="V-204585" selected="true" /><select idref="V-204586" selected="true" /><select idref="V-204587" selected="true" /><select idref="V-204588" selected="true" /><select idref="V-204589" selected="true" /><select idref="V-204590" selected="true" /><select idref="V-204591" selected="true" /><select idref="V-204592" selected="true" /><select idref="V-204593" selected="true" /><select idref="V-204594" selected="true" /><select idref="V-204595" selected="true" /><select idref="V-204596" selected="true" /><select idref="V-204597" selected="true" /><select idref="V-204598" selected="true" /><select idref="V-204599" selected="true" /><select idref="V-204600" selected="true" /><select idref="V-204601" selected="true" /><select idref="V-204602" selected="true" /><select idref="V-204603" selected="true" /><select idref="V-204604" selected="true" /><select idref="V-204605" selected="true" /><select idref="V-204606" selected="true" /><select idref="V-204607" selected="true" /><select idref="V-204608" selected="true" /><select idref="V-204609" selected="true" /><select idref="V-204610" selected="true" /><select idref="V-204611" selected="true" /><select idref="V-204612" selected="true" /><select idref="V-204613" selected="true" /><select idref="V-204614" selected="true" /><select idref="V-204615" selected="true" /><select idref="V-204616" selected="true" /><select idref="V-204617" selected="true" /><select idref="V-204618" selected="true" /><select idref="V-204619" selected="true" /><select idref="V-204620" selected="true" /><select idref="V-204621" selected="true" /><select idref="V-204622" selected="true" /><select idref="V-204623" selected="true" /><select idref="V-204624" selected="true" /><select idref="V-204625" selected="true" /><select idref="V-204626" selected="true" /><select idref="V-204627" selected="true" /><select idref="V-204628" selected="true" /><select idref="V-204629" selected="true" /><select idref="V-204630" selected="true" /><select idref="V-204631" selected="true" /><select idref="V-204632" selected="true" /><select idref="V-204633" selected="true" /><select idref="V-204634" selected="true" /><select idref="V-214799" selected="true" /><select idref="V-214800" selected="true" /><select idref="V-214801" selected="true" /><select idref="V-214937" selected="true" /><select idref="V-219059" selected="true" /><select idref="V-228563" selected="true" /><select idref="V-228564" selected="true" /></Profile><Group id="V-204392"><title>SRG-OS-000257-GPOS-00098</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204392r505924_rule" weight="10.0" severity="high"><version>RHEL-07-010010</version><title>The Red Hat Enterprise Linux operating system must be configured so that the file permissions, ownership, and group membership of system files and commands match the vendor values.</title><description>&lt;VulnDiscussion&gt;Discretionary access control is weakened if a user or group has access permissions to system files and directories greater than the default.
++<?xml version="1.0" encoding="utf-8"?><?xml-stylesheet type='text/xsl' href='STIG_unclass.xsl'?><Benchmark xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:cpe="http://cpe.mitre.org/language/2.0" xmlns:xhtml="http://www.w3.org/1999/xhtml" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" xsi:schemaLocation="http://checklists.nist.gov/xccdf/1.1 http://nvd.nist.gov/schema/xccdf-1.1.4.xsd http://cpe.mitre.org/dictionary/2.0 http://cpe.mitre.org/files/cpe-dictionary_2.1.xsd" id="RHEL_7_STIG" xml:lang="en" xmlns="http://checklists.nist.gov/xccdf/1.1"><status date="2020-12-08">accepted</status><title>Red Hat Enterprise Linux 7 Security Technical Implementation Guide</title><description>This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.</description><notice id="terms-of-use" xml:lang="en"></notice><front-matter xml:lang="en"></front-matter><rear-matter xml:lang="en"></rear-matter><reference href="https://cyber.mil"><dc:publisher>DISA</dc:publisher><dc:source>STIG.DOD.MIL</dc:source></reference><plain-text id="release-info">Release: 2 Benchmark Date: 22 Jan 2021</plain-text><plain-text id="generator">3.2.1.41666</plain-text><plain-text id="conventionsVersion">1.10.0</plain-text><version>3</version><Profile id="MAC-1_Classified"><title>I - Mission Critical Classified</title><description>&lt;ProfileDescription&gt;&lt;/ProfileDescription&gt;</description><select idref="V-204392" selected="true" /><select idref="V-204393" selected="true" /><select idref="V-204394" selected="true" /><select idref="V-204395" selected="true" /><select idref="V-204396" selected="true" /><select idref="V-204397" selected="true" /><select idref="V-204398" selected="true" /><select idref="V-204399" selected="true" /><select idref="V-204400" selected="true" /><select idref="V-204402" selected="true" /><select idref="V-204403" selected="true" /><select idref="V-204404" selected="true" /><select idref="V-204405" selected="true" /><select idref="V-204406" selected="true" /><select idref="V-204407" selected="true" /><select idref="V-204408" selected="true" /><select idref="V-204409" selected="true" /><select idref="V-204410" selected="true" /><select idref="V-204411" selected="true" /><select idref="V-204412" selected="true" /><select idref="V-204413" selected="true" /><select idref="V-204414" selected="true" /><select idref="V-204415" selected="true" /><select idref="V-204416" selected="true" /><select idref="V-204417" selected="true" /><select idref="V-204418" selected="true" /><select idref="V-204419" selected="true" /><select idref="V-204420" selected="true" /><select idref="V-204421" selected="true" /><select idref="V-204422" selected="true" /><select idref="V-204423" selected="true" /><select idref="V-204424" selected="true" /><select idref="V-204425" selected="true" /><select idref="V-204426" selected="true" /><select idref="V-204427" selected="true" /><select idref="V-204428" selected="true" /><select idref="V-204429" selected="true" /><select idref="V-204430" selected="true" /><select idref="V-204431" selected="true" /><select idref="V-204432" selected="true" /><select idref="V-204433" selected="true" /><select idref="V-204434" selected="true" /><select idref="V-204435" selected="true" /><select idref="V-204436" selected="true" /><select idref="V-204437" selected="true" /><select idref="V-204438" selected="true" /><select idref="V-204439" selected="true" /><select idref="V-204440" selected="true" /><select idref="V-204441" selected="true" /><select idref="V-204442" selected="true" /><select idref="V-204443" selected="true" /><select idref="V-204444" selected="true" /><select idref="V-204445" selected="true" /><select idref="V-204446" selected="true" /><select idref="V-204447" selected="true" /><select idref="V-204448" selected="true" /><select idref="V-204449" selected="true" /><select idref="V-204450" selected="true" /><select idref="V-204451" selected="true" /><select idref="V-204452" selected="true" /><select idref="V-204453" selected="true" /><select idref="V-204454" selected="true" /><select idref="V-204455" selected="true" /><select idref="V-204456" selected="true" /><select idref="V-204457" selected="true" /><select idref="V-204458" selected="true" /><select idref="V-204459" selected="true" /><select idref="V-204460" selected="true" /><select idref="V-204461" selected="true" /><select idref="V-204462" selected="true" /><select idref="V-204463" selected="true" /><select idref="V-204464" selected="true" /><select idref="V-204466" selected="true" /><select idref="V-204467" selected="true" /><select idref="V-204468" selected="true" /><select idref="V-204469" selected="true" /><select idref="V-204470" selected="true" /><select idref="V-204471" selected="true" /><select idref="V-204472" selected="true" /><select idref="V-204473" selected="true" /><select idref="V-204474" selected="true" /><select idref="V-204475" selected="true" /><select idref="V-204476" selected="true" /><select idref="V-204477" selected="true" /><select idref="V-204478" selected="true" /><select idref="V-204479" selected="true" /><select idref="V-204480" selected="true" /><select idref="V-204481" selected="true" /><select idref="V-204482" selected="true" /><select idref="V-204483" selected="true" /><select idref="V-204486" selected="true" /><select idref="V-204487" selected="true" /><select idref="V-204488" selected="true" /><select idref="V-204489" selected="true" /><select idref="V-204490" selected="true" /><select idref="V-204491" selected="true" /><select idref="V-204492" selected="true" /><select idref="V-204493" selected="true" /><select idref="V-204494" selected="true" /><select idref="V-204495" selected="true" /><select idref="V-204496" selected="true" /><select idref="V-204497" selected="true" /><select idref="V-204498" selected="true" /><select idref="V-204499" selected="true" /><select idref="V-204500" selected="true" /><select idref="V-204501" selected="true" /><select idref="V-204502" selected="true" /><select idref="V-204503" selected="true" /><select idref="V-204504" selected="true" /><select idref="V-204506" selected="true" /><select idref="V-204507" selected="true" /><select idref="V-204508" selected="true" /><select idref="V-204509" selected="true" /><select idref="V-204510" selected="true" /><select idref="V-204511" selected="true" /><select idref="V-204512" selected="true" /><select idref="V-204513" selected="true" /><select idref="V-204514" selected="true" /><select idref="V-204515" selected="true" /><select idref="V-204516" selected="true" /><select idref="V-204517" selected="true" /><select idref="V-204518" selected="true" /><select idref="V-204519" selected="true" /><select idref="V-204520" selected="true" /><select idref="V-204521" selected="true" /><select idref="V-204522" selected="true" /><select idref="V-204523" selected="true" /><select idref="V-204524" selected="true" /><select idref="V-204525" selected="true" /><select idref="V-204526" selected="true" /><select idref="V-204527" selected="true" /><select idref="V-204528" selected="true" /><select idref="V-204529" selected="true" /><select idref="V-204530" selected="true" /><select idref="V-204531" selected="true" /><select idref="V-204532" selected="true" /><select idref="V-204533" selected="true" /><select idref="V-204534" selected="true" /><select idref="V-204535" selected="true" /><select idref="V-204536" selected="true" /><select idref="V-204537" selected="true" /><select idref="V-204538" selected="true" /><select idref="V-204539" selected="true" /><select idref="V-204540" selected="true" /><select idref="V-204541" selected="true" /><select idref="V-204542" selected="true" /><select idref="V-204543" selected="true" /><select idref="V-204544" selected="true" /><select idref="V-204545" selected="true" /><select idref="V-204546" selected="true" /><select idref="V-204547" selected="true" /><select idref="V-204548" selected="true" /><select idref="V-204549" selected="true" /><select idref="V-204550" selected="true" /><select idref="V-204551" selected="true" /><select idref="V-204552" selected="true" /><select idref="V-204553" selected="true" /><select idref="V-204554" selected="true" /><select idref="V-204555" selected="true" /><select idref="V-204556" selected="true" /><select idref="V-204557" selected="true" /><select idref="V-204558" selected="true" /><select idref="V-204559" selected="true" /><select idref="V-204560" selected="true" /><select idref="V-204561" selected="true" /><select idref="V-204562" selected="true" /><select idref="V-204563" selected="true" /><select idref="V-204564" selected="true" /><select idref="V-204565" selected="true" /><select idref="V-204566" selected="true" /><select idref="V-204567" selected="true" /><select idref="V-204568" selected="true" /><select idref="V-204569" selected="true" /><select idref="V-204570" selected="true" /><select idref="V-204571" selected="true" /><select idref="V-204572" selected="true" /><select idref="V-204573" selected="true" /><select idref="V-204574" selected="true" /><select idref="V-204575" selected="true" /><select idref="V-204576" selected="true" /><select idref="V-204577" selected="true" /><select idref="V-204578" selected="true" /><select idref="V-204579" selected="true" /><select idref="V-204580" selected="true" /><select idref="V-204581" selected="true" /><select idref="V-204582" selected="true" /><select idref="V-204583" selected="true" /><select idref="V-204584" selected="true" /><select idref="V-204585" selected="true" /><select idref="V-204586" selected="true" /><select idref="V-204587" selected="true" /><select idref="V-204588" selected="true" /><select idref="V-204589" selected="true" /><select idref="V-204590" selected="true" /><select idref="V-204591" selected="true" /><select idref="V-204592" selected="true" /><select idref="V-204593" selected="true" /><select idref="V-204594" selected="true" /><select idref="V-204595" selected="true" /><select idref="V-204596" selected="true" /><select idref="V-204597" selected="true" /><select idref="V-204598" selected="true" /><select idref="V-204599" selected="true" /><select idref="V-204600" selected="true" /><select idref="V-204601" selected="true" /><select idref="V-204602" selected="true" /><select idref="V-204603" selected="true" /><select idref="V-204604" selected="true" /><select idref="V-204605" selected="true" /><select idref="V-204606" selected="true" /><select idref="V-204607" selected="true" /><select idref="V-204608" selected="true" /><select idref="V-204609" selected="true" /><select idref="V-204610" selected="true" /><select idref="V-204611" selected="true" /><select idref="V-204612" selected="true" /><select idref="V-204613" selected="true" /><select idref="V-204614" selected="true" /><select idref="V-204615" selected="true" /><select idref="V-204616" selected="true" /><select idref="V-204617" selected="true" /><select idref="V-204618" selected="true" /><select idref="V-204619" selected="true" /><select idref="V-204620" selected="true" /><select idref="V-204621" selected="true" /><select idref="V-204622" selected="true" /><select idref="V-204623" selected="true" /><select idref="V-204624" selected="true" /><select idref="V-204625" selected="true" /><select idref="V-204626" selected="true" /><select idref="V-204627" selected="true" /><select idref="V-204628" selected="true" /><select idref="V-204629" selected="true" /><select idref="V-204630" selected="true" /><select idref="V-204631" selected="true" /><select idref="V-204632" selected="true" /><select idref="V-204633" selected="true" /><select idref="V-204634" selected="true" /><select idref="V-214799" selected="true" /><select idref="V-214800" selected="true" /><select idref="V-214801" selected="true" /><select idref="V-214937" selected="true" /><select idref="V-219059" selected="true" /><select idref="V-228563" selected="true" /><select idref="V-228564" selected="true" /><select idref="V-233307" selected="true" /></Profile><Profile id="MAC-1_Public"><title>I - Mission Critical Public</title><description>&lt;ProfileDescription&gt;&lt;/ProfileDescription&gt;</description><select idref="V-204392" selected="true" /><select idref="V-204393" selected="true" /><select idref="V-204394" selected="true" /><select idref="V-204395" selected="true" /><select idref="V-204396" selected="true" /><select idref="V-204397" selected="true" /><select idref="V-204398" selected="true" /><select idref="V-204399" selected="true" /><select idref="V-204400" selected="true" /><select idref="V-204402" selected="true" /><select idref="V-204403" selected="true" /><select idref="V-204404" selected="true" /><select idref="V-204405" selected="true" /><select idref="V-204406" selected="true" /><select idref="V-204407" selected="true" /><select idref="V-204408" selected="true" /><select idref="V-204409" selected="true" /><select idref="V-204410" selected="true" /><select idref="V-204411" selected="true" /><select idref="V-204412" selected="true" /><select idref="V-204413" selected="true" /><select idref="V-204414" selected="true" /><select idref="V-204415" selected="true" /><select idref="V-204416" selected="true" /><select idref="V-204417" selected="true" /><select idref="V-204418" selected="true" /><select idref="V-204419" selected="true" /><select idref="V-204420" selected="true" /><select idref="V-204421" selected="true" /><select idref="V-204422" selected="true" /><select idref="V-204423" selected="true" /><select idref="V-204424" selected="true" /><select idref="V-204425" selected="true" /><select idref="V-204426" selected="true" /><select idref="V-204427" selected="true" /><select idref="V-204428" selected="true" /><select idref="V-204429" selected="true" /><select idref="V-204430" selected="true" /><select idref="V-204431" selected="true" /><select idref="V-204432" selected="true" /><select idref="V-204433" selected="true" /><select idref="V-204434" selected="true" /><select idref="V-204435" selected="true" /><select idref="V-204436" selected="true" /><select idref="V-204437" selected="true" /><select idref="V-204438" selected="true" /><select idref="V-204439" selected="true" /><select idref="V-204440" selected="true" /><select idref="V-204441" selected="true" /><select idref="V-204442" selected="true" /><select idref="V-204443" selected="true" /><select idref="V-204444" selected="true" /><select idref="V-204445" selected="true" /><select idref="V-204446" selected="true" /><select idref="V-204447" selected="true" /><select idref="V-204448" selected="true" /><select idref="V-204449" selected="true" /><select idref="V-204450" selected="true" /><select idref="V-204451" selected="true" /><select idref="V-204452" selected="true" /><select idref="V-204453" selected="true" /><select idref="V-204454" selected="true" /><select idref="V-204455" selected="true" /><select idref="V-204456" selected="true" /><select idref="V-204457" selected="true" /><select idref="V-204458" selected="true" /><select idref="V-204459" selected="true" /><select idref="V-204460" selected="true" /><select idref="V-204461" selected="true" /><select idref="V-204462" selected="true" /><select idref="V-204463" selected="true" /><select idref="V-204464" selected="true" /><select idref="V-204466" selected="true" /><select idref="V-204467" selected="true" /><select idref="V-204468" selected="true" /><select idref="V-204469" selected="true" /><select idref="V-204470" selected="true" /><select idref="V-204471" selected="true" /><select idref="V-204472" selected="true" /><select idref="V-204473" selected="true" /><select idref="V-204474" selected="true" /><select idref="V-204475" selected="true" /><select idref="V-204476" selected="true" /><select idref="V-204477" selected="true" /><select idref="V-204478" selected="true" /><select idref="V-204479" selected="true" /><select idref="V-204480" selected="true" /><select idref="V-204481" selected="true" /><select idref="V-204482" selected="true" /><select idref="V-204483" selected="true" /><select idref="V-204486" selected="true" /><select idref="V-204487" selected="true" /><select idref="V-204488" selected="true" /><select idref="V-204489" selected="true" /><select idref="V-204490" selected="true" /><select idref="V-204491" selected="true" /><select idref="V-204492" selected="true" /><select idref="V-204493" selected="true" /><select idref="V-204494" selected="true" /><select idref="V-204495" selected="true" /><select idref="V-204496" selected="true" /><select idref="V-204497" selected="true" /><select idref="V-204498" selected="true" /><select idref="V-204499" selected="true" /><select idref="V-204500" selected="true" /><select idref="V-204501" selected="true" /><select idref="V-204502" selected="true" /><select idref="V-204503" selected="true" /><select idref="V-204504" selected="true" /><select idref="V-204506" selected="true" /><select idref="V-204507" selected="true" /><select idref="V-204508" selected="true" /><select idref="V-204509" selected="true" /><select idref="V-204510" selected="true" /><select idref="V-204511" selected="true" /><select idref="V-204512" selected="true" /><select idref="V-204513" selected="true" /><select idref="V-204514" selected="true" /><select idref="V-204515" selected="true" /><select idref="V-204516" selected="true" /><select idref="V-204517" selected="true" /><select idref="V-204518" selected="true" /><select idref="V-204519" selected="true" /><select idref="V-204520" selected="true" /><select idref="V-204521" selected="true" /><select idref="V-204522" selected="true" /><select idref="V-204523" selected="true" /><select idref="V-204524" selected="true" /><select idref="V-204525" selected="true" /><select idref="V-204526" selected="true" /><select idref="V-204527" selected="true" /><select idref="V-204528" selected="true" /><select idref="V-204529" selected="true" /><select idref="V-204530" selected="true" /><select idref="V-204531" selected="true" /><select idref="V-204532" selected="true" /><select idref="V-204533" selected="true" /><select idref="V-204534" selected="true" /><select idref="V-204535" selected="true" /><select idref="V-204536" selected="true" /><select idref="V-204537" selected="true" /><select idref="V-204538" selected="true" /><select idref="V-204539" selected="true" /><select idref="V-204540" selected="true" /><select idref="V-204541" selected="true" /><select idref="V-204542" selected="true" /><select idref="V-204543" selected="true" /><select idref="V-204544" selected="true" /><select idref="V-204545" selected="true" /><select idref="V-204546" selected="true" /><select idref="V-204547" selected="true" /><select idref="V-204548" selected="true" /><select idref="V-204549" selected="true" /><select idref="V-204550" selected="true" /><select idref="V-204551" selected="true" /><select idref="V-204552" selected="true" /><select idref="V-204553" selected="true" /><select idref="V-204554" selected="true" /><select idref="V-204555" selected="true" /><select idref="V-204556" selected="true" /><select idref="V-204557" selected="true" /><select idref="V-204558" selected="true" /><select idref="V-204559" selected="true" /><select idref="V-204560" selected="true" /><select idref="V-204561" selected="true" /><select idref="V-204562" selected="true" /><select idref="V-204563" selected="true" /><select idref="V-204564" selected="true" /><select idref="V-204565" selected="true" /><select idref="V-204566" selected="true" /><select idref="V-204567" selected="true" /><select idref="V-204568" selected="true" /><select idref="V-204569" selected="true" /><select idref="V-204570" selected="true" /><select idref="V-204571" selected="true" /><select idref="V-204572" selected="true" /><select idref="V-204573" selected="true" /><select idref="V-204574" selected="true" /><select idref="V-204575" selected="true" /><select idref="V-204576" selected="true" /><select idref="V-204577" selected="true" /><select idref="V-204578" selected="true" /><select idref="V-204579" selected="true" /><select idref="V-204580" selected="true" /><select idref="V-204581" selected="true" /><select idref="V-204582" selected="true" /><select idref="V-204583" selected="true" /><select idref="V-204584" selected="true" /><select idref="V-204585" selected="true" /><select idref="V-204586" selected="true" /><select idref="V-204587" selected="true" /><select idref="V-204588" selected="true" /><select idref="V-204589" selected="true" /><select idref="V-204590" selected="true" /><select idref="V-204591" selected="true" /><select idref="V-204592" selected="true" /><select idref="V-204593" selected="true" /><select idref="V-204594" selected="true" /><select idref="V-204595" selected="true" /><select idref="V-204596" selected="true" /><select idref="V-204597" selected="true" /><select idref="V-204598" selected="true" /><select idref="V-204599" selected="true" /><select idref="V-204600" selected="true" /><select idref="V-204601" selected="true" /><select idref="V-204602" selected="true" /><select idref="V-204603" selected="true" /><select idref="V-204604" selected="true" /><select idref="V-204605" selected="true" /><select idref="V-204606" selected="true" /><select idref="V-204607" selected="true" /><select idref="V-204608" selected="true" /><select idref="V-204609" selected="true" /><select idref="V-204610" selected="true" /><select idref="V-204611" selected="true" /><select idref="V-204612" selected="true" /><select idref="V-204613" selected="true" /><select idref="V-204614" selected="true" /><select idref="V-204615" selected="true" /><select idref="V-204616" selected="true" /><select idref="V-204617" selected="true" /><select idref="V-204618" selected="true" /><select idref="V-204619" selected="true" /><select idref="V-204620" selected="true" /><select idref="V-204621" selected="true" /><select idref="V-204622" selected="true" /><select idref="V-204623" selected="true" /><select idref="V-204624" selected="true" /><select idref="V-204625" selected="true" /><select idref="V-204626" selected="true" /><select idref="V-204627" selected="true" /><select idref="V-204628" selected="true" /><select idref="V-204629" selected="true" /><select idref="V-204630" selected="true" /><select idref="V-204631" selected="true" /><select idref="V-204632" selected="true" /><select idref="V-204633" selected="true" /><select idref="V-204634" selected="true" /><select idref="V-214799" selected="true" /><select idref="V-214800" selected="true" /><select idref="V-214801" selected="true" /><select idref="V-214937" selected="true" /><select idref="V-219059" selected="true" /><select idref="V-228563" selected="true" /><select idref="V-228564" selected="true" /><select idref="V-233307" selected="true" /></Profile><Profile id="MAC-1_Sensitive"><title>I - Mission Critical Sensitive</title><description>&lt;ProfileDescription&gt;&lt;/ProfileDescription&gt;</description><select idref="V-204392" selected="true" /><select idref="V-204393" selected="true" /><select idref="V-204394" selected="true" /><select idref="V-204395" selected="true" /><select idref="V-204396" selected="true" /><select idref="V-204397" selected="true" /><select idref="V-204398" selected="true" /><select idref="V-204399" selected="true" /><select idref="V-204400" selected="true" /><select idref="V-204402" selected="true" /><select idref="V-204403" selected="true" /><select idref="V-204404" selected="true" /><select idref="V-204405" selected="true" /><select idref="V-204406" selected="true" /><select idref="V-204407" selected="true" /><select idref="V-204408" selected="true" /><select idref="V-204409" selected="true" /><select idref="V-204410" selected="true" /><select idref="V-204411" selected="true" /><select idref="V-204412" selected="true" /><select idref="V-204413" selected="true" /><select idref="V-204414" selected="true" /><select idref="V-204415" selected="true" /><select idref="V-204416" selected="true" /><select idref="V-204417" selected="true" /><select idref="V-204418" selected="true" /><select idref="V-204419" selected="true" /><select idref="V-204420" selected="true" /><select idref="V-204421" selected="true" /><select idref="V-204422" selected="true" /><select idref="V-204423" selected="true" /><select idref="V-204424" selected="true" /><select idref="V-204425" selected="true" /><select idref="V-204426" selected="true" /><select idref="V-204427" selected="true" /><select idref="V-204428" selected="true" /><select idref="V-204429" selected="true" /><select idref="V-204430" selected="true" /><select idref="V-204431" selected="true" /><select idref="V-204432" selected="true" /><select idref="V-204433" selected="true" /><select idref="V-204434" selected="true" /><select idref="V-204435" selected="true" /><select idref="V-204436" selected="true" /><select idref="V-204437" selected="true" /><select idref="V-204438" selected="true" /><select idref="V-204439" selected="true" /><select idref="V-204440" selected="true" /><select idref="V-204441" selected="true" /><select idref="V-204442" selected="true" /><select idref="V-204443" selected="true" /><select idref="V-204444" selected="true" /><select idref="V-204445" selected="true" /><select idref="V-204446" selected="true" /><select idref="V-204447" selected="true" /><select idref="V-204448" selected="true" /><select idref="V-204449" selected="true" /><select idref="V-204450" selected="true" /><select idref="V-204451" selected="true" /><select idref="V-204452" selected="true" /><select idref="V-204453" selected="true" /><select idref="V-204454" selected="true" /><select idref="V-204455" selected="true" /><select idref="V-204456" selected="true" /><select idref="V-204457" selected="true" /><select idref="V-204458" selected="true" /><select idref="V-204459" selected="true" /><select idref="V-204460" selected="true" /><select idref="V-204461" selected="true" /><select idref="V-204462" selected="true" /><select idref="V-204463" selected="true" /><select idref="V-204464" selected="true" /><select idref="V-204466" selected="true" /><select idref="V-204467" selected="true" /><select idref="V-204468" selected="true" /><select idref="V-204469" selected="true" /><select idref="V-204470" selected="true" /><select idref="V-204471" selected="true" /><select idref="V-204472" selected="true" /><select idref="V-204473" selected="true" /><select idref="V-204474" selected="true" /><select idref="V-204475" selected="true" /><select idref="V-204476" selected="true" /><select idref="V-204477" selected="true" /><select idref="V-204478" selected="true" /><select idref="V-204479" selected="true" /><select idref="V-204480" selected="true" /><select idref="V-204481" selected="true" /><select idref="V-204482" selected="true" /><select idref="V-204483" selected="true" /><select idref="V-204486" selected="true" /><select idref="V-204487" selected="true" /><select idref="V-204488" selected="true" /><select idref="V-204489" selected="true" /><select idref="V-204490" selected="true" /><select idref="V-204491" selected="true" /><select idref="V-204492" selected="true" /><select idref="V-204493" selected="true" /><select idref="V-204494" selected="true" /><select idref="V-204495" selected="true" /><select idref="V-204496" selected="true" /><select idref="V-204497" selected="true" /><select idref="V-204498" selected="true" /><select idref="V-204499" selected="true" /><select idref="V-204500" selected="true" /><select idref="V-204501" selected="true" /><select idref="V-204502" selected="true" /><select idref="V-204503" selected="true" /><select idref="V-204504" selected="true" /><select idref="V-204506" selected="true" /><select idref="V-204507" selected="true" /><select idref="V-204508" selected="true" /><select idref="V-204509" selected="true" /><select idref="V-204510" selected="true" /><select idref="V-204511" selected="true" /><select idref="V-204512" selected="true" /><select idref="V-204513" selected="true" /><select idref="V-204514" selected="true" /><select idref="V-204515" selected="true" /><select idref="V-204516" selected="true" /><select idref="V-204517" selected="true" /><select idref="V-204518" selected="true" /><select idref="V-204519" selected="true" /><select idref="V-204520" selected="true" /><select idref="V-204521" selected="true" /><select idref="V-204522" selected="true" /><select idref="V-204523" selected="true" /><select idref="V-204524" selected="true" /><select idref="V-204525" selected="true" /><select idref="V-204526" selected="true" /><select idref="V-204527" selected="true" /><select idref="V-204528" selected="true" /><select idref="V-204529" selected="true" /><select idref="V-204530" selected="true" /><select idref="V-204531" selected="true" /><select idref="V-204532" selected="true" /><select idref="V-204533" selected="true" /><select idref="V-204534" selected="true" /><select idref="V-204535" selected="true" /><select idref="V-204536" selected="true" /><select idref="V-204537" selected="true" /><select idref="V-204538" selected="true" /><select idref="V-204539" selected="true" /><select idref="V-204540" selected="true" /><select idref="V-204541" selected="true" /><select idref="V-204542" selected="true" /><select idref="V-204543" selected="true" /><select idref="V-204544" selected="true" /><select idref="V-204545" selected="true" /><select idref="V-204546" selected="true" /><select idref="V-204547" selected="true" /><select idref="V-204548" selected="true" /><select idref="V-204549" selected="true" /><select idref="V-204550" selected="true" /><select idref="V-204551" selected="true" /><select idref="V-204552" selected="true" /><select idref="V-204553" selected="true" /><select idref="V-204554" selected="true" /><select idref="V-204555" selected="true" /><select idref="V-204556" selected="true" /><select idref="V-204557" selected="true" /><select idref="V-204558" selected="true" /><select idref="V-204559" selected="true" /><select idref="V-204560" selected="true" /><select idref="V-204561" selected="true" /><select idref="V-204562" selected="true" /><select idref="V-204563" selected="true" /><select idref="V-204564" selected="true" /><select idref="V-204565" selected="true" /><select idref="V-204566" selected="true" /><select idref="V-204567" selected="true" /><select idref="V-204568" selected="true" /><select idref="V-204569" selected="true" /><select idref="V-204570" selected="true" /><select idref="V-204571" selected="true" /><select idref="V-204572" selected="true" /><select idref="V-204573" selected="true" /><select idref="V-204574" selected="true" /><select idref="V-204575" selected="true" /><select idref="V-204576" selected="true" /><select idref="V-204577" selected="true" /><select idref="V-204578" selected="true" /><select idref="V-204579" selected="true" /><select idref="V-204580" selected="true" /><select idref="V-204581" selected="true" /><select idref="V-204582" selected="true" /><select idref="V-204583" selected="true" /><select idref="V-204584" selected="true" /><select idref="V-204585" selected="true" /><select idref="V-204586" selected="true" /><select idref="V-204587" selected="true" /><select idref="V-204588" selected="true" /><select idref="V-204589" selected="true" /><select idref="V-204590" selected="true" /><select idref="V-204591" selected="true" /><select idref="V-204592" selected="true" /><select idref="V-204593" selected="true" /><select idref="V-204594" selected="true" /><select idref="V-204595" selected="true" /><select idref="V-204596" selected="true" /><select idref="V-204597" selected="true" /><select idref="V-204598" selected="true" /><select idref="V-204599" selected="true" /><select idref="V-204600" selected="true" /><select idref="V-204601" selected="true" /><select idref="V-204602" selected="true" /><select idref="V-204603" selected="true" /><select idref="V-204604" selected="true" /><select idref="V-204605" selected="true" /><select idref="V-204606" selected="true" /><select idref="V-204607" selected="true" /><select idref="V-204608" selected="true" /><select idref="V-204609" selected="true" /><select idref="V-204610" selected="true" /><select idref="V-204611" selected="true" /><select idref="V-204612" selected="true" /><select idref="V-204613" selected="true" /><select idref="V-204614" selected="true" /><select idref="V-204615" selected="true" /><select idref="V-204616" selected="true" /><select idref="V-204617" selected="true" /><select idref="V-204618" selected="true" /><select idref="V-204619" selected="true" /><select idref="V-204620" selected="true" /><select idref="V-204621" selected="true" /><select idref="V-204622" selected="true" /><select idref="V-204623" selected="true" /><select idref="V-204624" selected="true" /><select idref="V-204625" selected="true" /><select idref="V-204626" selected="true" /><select idref="V-204627" selected="true" /><select idref="V-204628" selected="true" /><select idref="V-204629" selected="true" /><select idref="V-204630" selected="true" /><select idref="V-204631" selected="true" /><select idref="V-204632" selected="true" /><select idref="V-204633" selected="true" /><select idref="V-204634" selected="true" /><select idref="V-214799" selected="true" /><select idref="V-214800" selected="true" /><select idref="V-214801" selected="true" /><select idref="V-214937" selected="true" /><select idref="V-219059" selected="true" /><select idref="V-228563" selected="true" /><select idref="V-228564" selected="true" /><select idref="V-233307" selected="true" /></Profile><Profile id="MAC-2_Classified"><title>II - Mission Support Classified</title><description>&lt;ProfileDescription&gt;&lt;/ProfileDescription&gt;</description><select idref="V-204392" selected="true" /><select idref="V-204393" selected="true" /><select idref="V-204394" selected="true" /><select idref="V-204395" selected="true" /><select idref="V-204396" selected="true" /><select idref="V-204397" selected="true" /><select idref="V-204398" selected="true" /><select idref="V-204399" selected="true" /><select idref="V-204400" selected="true" /><select idref="V-204402" selected="true" /><select idref="V-204403" selected="true" /><select idref="V-204404" selected="true" /><select idref="V-204405" selected="true" /><select idref="V-204406" selected="true" /><select idref="V-204407" selected="true" /><select idref="V-204408" selected="true" /><select idref="V-204409" selected="true" /><select idref="V-204410" selected="true" /><select idref="V-204411" selected="true" /><select idref="V-204412" selected="true" /><select idref="V-204413" selected="true" /><select idref="V-204414" selected="true" /><select idref="V-204415" selected="true" /><select idref="V-204416" selected="true" /><select idref="V-204417" selected="true" /><select idref="V-204418" selected="true" /><select idref="V-204419" selected="true" /><select idref="V-204420" selected="true" /><select idref="V-204421" selected="true" /><select idref="V-204422" selected="true" /><select idref="V-204423" selected="true" /><select idref="V-204424" selected="true" /><select idref="V-204425" selected="true" /><select idref="V-204426" selected="true" /><select idref="V-204427" selected="true" /><select idref="V-204428" selected="true" /><select idref="V-204429" selected="true" /><select idref="V-204430" selected="true" /><select idref="V-204431" selected="true" /><select idref="V-204432" selected="true" /><select idref="V-204433" selected="true" /><select idref="V-204434" selected="true" /><select idref="V-204435" selected="true" /><select idref="V-204436" selected="true" /><select idref="V-204437" selected="true" /><select idref="V-204438" selected="true" /><select idref="V-204439" selected="true" /><select idref="V-204440" selected="true" /><select idref="V-204441" selected="true" /><select idref="V-204442" selected="true" /><select idref="V-204443" selected="true" /><select idref="V-204444" selected="true" /><select idref="V-204445" selected="true" /><select idref="V-204446" selected="true" /><select idref="V-204447" selected="true" /><select idref="V-204448" selected="true" /><select idref="V-204449" selected="true" /><select idref="V-204450" selected="true" /><select idref="V-204451" selected="true" /><select idref="V-204452" selected="true" /><select idref="V-204453" selected="true" /><select idref="V-204454" selected="true" /><select idref="V-204455" selected="true" /><select idref="V-204456" selected="true" /><select idref="V-204457" selected="true" /><select idref="V-204458" selected="true" /><select idref="V-204459" selected="true" /><select idref="V-204460" selected="true" /><select idref="V-204461" selected="true" /><select idref="V-204462" selected="true" /><select idref="V-204463" selected="true" /><select idref="V-204464" selected="true" /><select idref="V-204466" selected="true" /><select idref="V-204467" selected="true" /><select idref="V-204468" selected="true" /><select idref="V-204469" selected="true" /><select idref="V-204470" selected="true" /><select idref="V-204471" selected="true" /><select idref="V-204472" selected="true" /><select idref="V-204473" selected="true" /><select idref="V-204474" selected="true" /><select idref="V-204475" selected="true" /><select idref="V-204476" selected="true" /><select idref="V-204477" selected="true" /><select idref="V-204478" selected="true" /><select idref="V-204479" selected="true" /><select idref="V-204480" selected="true" /><select idref="V-204481" selected="true" /><select idref="V-204482" selected="true" /><select idref="V-204483" selected="true" /><select idref="V-204486" selected="true" /><select idref="V-204487" selected="true" /><select idref="V-204488" selected="true" /><select idref="V-204489" selected="true" /><select idref="V-204490" selected="true" /><select idref="V-204491" selected="true" /><select idref="V-204492" selected="true" /><select idref="V-204493" selected="true" /><select idref="V-204494" selected="true" /><select idref="V-204495" selected="true" /><select idref="V-204496" selected="true" /><select idref="V-204497" selected="true" /><select idref="V-204498" selected="true" /><select idref="V-204499" selected="true" /><select idref="V-204500" selected="true" /><select idref="V-204501" selected="true" /><select idref="V-204502" selected="true" /><select idref="V-204503" selected="true" /><select idref="V-204504" selected="true" /><select idref="V-204506" selected="true" /><select idref="V-204507" selected="true" /><select idref="V-204508" selected="true" /><select idref="V-204509" selected="true" /><select idref="V-204510" selected="true" /><select idref="V-204511" selected="true" /><select idref="V-204512" selected="true" /><select idref="V-204513" selected="true" /><select idref="V-204514" selected="true" /><select idref="V-204515" selected="true" /><select idref="V-204516" selected="true" /><select idref="V-204517" selected="true" /><select idref="V-204518" selected="true" /><select idref="V-204519" selected="true" /><select idref="V-204520" selected="true" /><select idref="V-204521" selected="true" /><select idref="V-204522" selected="true" /><select idref="V-204523" selected="true" /><select idref="V-204524" selected="true" /><select idref="V-204525" selected="true" /><select idref="V-204526" selected="true" /><select idref="V-204527" selected="true" /><select idref="V-204528" selected="true" /><select idref="V-204529" selected="true" /><select idref="V-204530" selected="true" /><select idref="V-204531" selected="true" /><select idref="V-204532" selected="true" /><select idref="V-204533" selected="true" /><select idref="V-204534" selected="true" /><select idref="V-204535" selected="true" /><select idref="V-204536" selected="true" /><select idref="V-204537" selected="true" /><select idref="V-204538" selected="true" /><select idref="V-204539" selected="true" /><select idref="V-204540" selected="true" /><select idref="V-204541" selected="true" /><select idref="V-204542" selected="true" /><select idref="V-204543" selected="true" /><select idref="V-204544" selected="true" /><select idref="V-204545" selected="true" /><select idref="V-204546" selected="true" /><select idref="V-204547" selected="true" /><select idref="V-204548" selected="true" /><select idref="V-204549" selected="true" /><select idref="V-204550" selected="true" /><select idref="V-204551" selected="true" /><select idref="V-204552" selected="true" /><select idref="V-204553" selected="true" /><select idref="V-204554" selected="true" /><select idref="V-204555" selected="true" /><select idref="V-204556" selected="true" /><select idref="V-204557" selected="true" /><select idref="V-204558" selected="true" /><select idref="V-204559" selected="true" /><select idref="V-204560" selected="true" /><select idref="V-204561" selected="true" /><select idref="V-204562" selected="true" /><select idref="V-204563" selected="true" /><select idref="V-204564" selected="true" /><select idref="V-204565" selected="true" /><select idref="V-204566" selected="true" /><select idref="V-204567" selected="true" /><select idref="V-204568" selected="true" /><select idref="V-204569" selected="true" /><select idref="V-204570" selected="true" /><select idref="V-204571" selected="true" /><select idref="V-204572" selected="true" /><select idref="V-204573" selected="true" /><select idref="V-204574" selected="true" /><select idref="V-204575" selected="true" /><select idref="V-204576" selected="true" /><select idref="V-204577" selected="true" /><select idref="V-204578" selected="true" /><select idref="V-204579" selected="true" /><select idref="V-204580" selected="true" /><select idref="V-204581" selected="true" /><select idref="V-204582" selected="true" /><select idref="V-204583" selected="true" /><select idref="V-204584" selected="true" /><select idref="V-204585" selected="true" /><select idref="V-204586" selected="true" /><select idref="V-204587" selected="true" /><select idref="V-204588" selected="true" /><select idref="V-204589" selected="true" /><select idref="V-204590" selected="true" /><select idref="V-204591" selected="true" /><select idref="V-204592" selected="true" /><select idref="V-204593" selected="true" /><select idref="V-204594" selected="true" /><select idref="V-204595" selected="true" /><select idref="V-204596" selected="true" /><select idref="V-204597" selected="true" /><select idref="V-204598" selected="true" /><select idref="V-204599" selected="true" /><select idref="V-204600" selected="true" /><select idref="V-204601" selected="true" /><select idref="V-204602" selected="true" /><select idref="V-204603" selected="true" /><select idref="V-204604" selected="true" /><select idref="V-204605" selected="true" /><select idref="V-204606" selected="true" /><select idref="V-204607" selected="true" /><select idref="V-204608" selected="true" /><select idref="V-204609" selected="true" /><select idref="V-204610" selected="true" /><select idref="V-204611" selected="true" /><select idref="V-204612" selected="true" /><select idref="V-204613" selected="true" /><select idref="V-204614" selected="true" /><select idref="V-204615" selected="true" /><select idref="V-204616" selected="true" /><select idref="V-204617" selected="true" /><select idref="V-204618" selected="true" /><select idref="V-204619" selected="true" /><select idref="V-204620" selected="true" /><select idref="V-204621" selected="true" /><select idref="V-204622" selected="true" /><select idref="V-204623" selected="true" /><select idref="V-204624" selected="true" /><select idref="V-204625" selected="true" /><select idref="V-204626" selected="true" /><select idref="V-204627" selected="true" /><select idref="V-204628" selected="true" /><select idref="V-204629" selected="true" /><select idref="V-204630" selected="true" /><select idref="V-204631" selected="true" /><select idref="V-204632" selected="true" /><select idref="V-204633" selected="true" /><select idref="V-204634" selected="true" /><select idref="V-214799" selected="true" /><select idref="V-214800" selected="true" /><select idref="V-214801" selected="true" /><select idref="V-214937" selected="true" /><select idref="V-219059" selected="true" /><select idref="V-228563" selected="true" /><select idref="V-228564" selected="true" /><select idref="V-233307" selected="true" /></Profile><Profile id="MAC-2_Public"><title>II - Mission Support Public</title><description>&lt;ProfileDescription&gt;&lt;/ProfileDescription&gt;</description><select idref="V-204392" selected="true" /><select idref="V-204393" selected="true" /><select idref="V-204394" selected="true" /><select idref="V-204395" selected="true" /><select idref="V-204396" selected="true" /><select idref="V-204397" selected="true" /><select idref="V-204398" selected="true" /><select idref="V-204399" selected="true" /><select idref="V-204400" selected="true" /><select idref="V-204402" selected="true" /><select idref="V-204403" selected="true" /><select idref="V-204404" selected="true" /><select idref="V-204405" selected="true" /><select idref="V-204406" selected="true" /><select idref="V-204407" selected="true" /><select idref="V-204408" selected="true" /><select idref="V-204409" selected="true" /><select idref="V-204410" selected="true" /><select idref="V-204411" selected="true" /><select idref="V-204412" selected="true" /><select idref="V-204413" selected="true" /><select idref="V-204414" selected="true" /><select idref="V-204415" selected="true" /><select idref="V-204416" selected="true" /><select idref="V-204417" selected="true" /><select idref="V-204418" selected="true" /><select idref="V-204419" selected="true" /><select idref="V-204420" selected="true" /><select idref="V-204421" selected="true" /><select idref="V-204422" selected="true" /><select idref="V-204423" selected="true" /><select idref="V-204424" selected="true" /><select idref="V-204425" selected="true" /><select idref="V-204426" selected="true" /><select idref="V-204427" selected="true" /><select idref="V-204428" selected="true" /><select idref="V-204429" selected="true" /><select idref="V-204430" selected="true" /><select idref="V-204431" selected="true" /><select idref="V-204432" selected="true" /><select idref="V-204433" selected="true" /><select idref="V-204434" selected="true" /><select idref="V-204435" selected="true" /><select idref="V-204436" selected="true" /><select idref="V-204437" selected="true" /><select idref="V-204438" selected="true" /><select idref="V-204439" selected="true" /><select idref="V-204440" selected="true" /><select idref="V-204441" selected="true" /><select idref="V-204442" selected="true" /><select idref="V-204443" selected="true" /><select idref="V-204444" selected="true" /><select idref="V-204445" selected="true" /><select idref="V-204446" selected="true" /><select idref="V-204447" selected="true" /><select idref="V-204448" selected="true" /><select idref="V-204449" selected="true" /><select idref="V-204450" selected="true" /><select idref="V-204451" selected="true" /><select idref="V-204452" selected="true" /><select idref="V-204453" selected="true" /><select idref="V-204454" selected="true" /><select idref="V-204455" selected="true" /><select idref="V-204456" selected="true" /><select idref="V-204457" selected="true" /><select idref="V-204458" selected="true" /><select idref="V-204459" selected="true" /><select idref="V-204460" selected="true" /><select idref="V-204461" selected="true" /><select idref="V-204462" selected="true" /><select idref="V-204463" selected="true" /><select idref="V-204464" selected="true" /><select idref="V-204466" selected="true" /><select idref="V-204467" selected="true" /><select idref="V-204468" selected="true" /><select idref="V-204469" selected="true" /><select idref="V-204470" selected="true" /><select idref="V-204471" selected="true" /><select idref="V-204472" selected="true" /><select idref="V-204473" selected="true" /><select idref="V-204474" selected="true" /><select idref="V-204475" selected="true" /><select idref="V-204476" selected="true" /><select idref="V-204477" selected="true" /><select idref="V-204478" selected="true" /><select idref="V-204479" selected="true" /><select idref="V-204480" selected="true" /><select idref="V-204481" selected="true" /><select idref="V-204482" selected="true" /><select idref="V-204483" selected="true" /><select idref="V-204486" selected="true" /><select idref="V-204487" selected="true" /><select idref="V-204488" selected="true" /><select idref="V-204489" selected="true" /><select idref="V-204490" selected="true" /><select idref="V-204491" selected="true" /><select idref="V-204492" selected="true" /><select idref="V-204493" selected="true" /><select idref="V-204494" selected="true" /><select idref="V-204495" selected="true" /><select idref="V-204496" selected="true" /><select idref="V-204497" selected="true" /><select idref="V-204498" selected="true" /><select idref="V-204499" selected="true" /><select idref="V-204500" selected="true" /><select idref="V-204501" selected="true" /><select idref="V-204502" selected="true" /><select idref="V-204503" selected="true" /><select idref="V-204504" selected="true" /><select idref="V-204506" selected="true" /><select idref="V-204507" selected="true" /><select idref="V-204508" selected="true" /><select idref="V-204509" selected="true" /><select idref="V-204510" selected="true" /><select idref="V-204511" selected="true" /><select idref="V-204512" selected="true" /><select idref="V-204513" selected="true" /><select idref="V-204514" selected="true" /><select idref="V-204515" selected="true" /><select idref="V-204516" selected="true" /><select idref="V-204517" selected="true" /><select idref="V-204518" selected="true" /><select idref="V-204519" selected="true" /><select idref="V-204520" selected="true" /><select idref="V-204521" selected="true" /><select idref="V-204522" selected="true" /><select idref="V-204523" selected="true" /><select idref="V-204524" selected="true" /><select idref="V-204525" selected="true" /><select idref="V-204526" selected="true" /><select idref="V-204527" selected="true" /><select idref="V-204528" selected="true" /><select idref="V-204529" selected="true" /><select idref="V-204530" selected="true" /><select idref="V-204531" selected="true" /><select idref="V-204532" selected="true" /><select idref="V-204533" selected="true" /><select idref="V-204534" selected="true" /><select idref="V-204535" selected="true" /><select idref="V-204536" selected="true" /><select idref="V-204537" selected="true" /><select idref="V-204538" selected="true" /><select idref="V-204539" selected="true" /><select idref="V-204540" selected="true" /><select idref="V-204541" selected="true" /><select idref="V-204542" selected="true" /><select idref="V-204543" selected="true" /><select idref="V-204544" selected="true" /><select idref="V-204545" selected="true" /><select idref="V-204546" selected="true" /><select idref="V-204547" selected="true" /><select idref="V-204548" selected="true" /><select idref="V-204549" selected="true" /><select idref="V-204550" selected="true" /><select idref="V-204551" selected="true" /><select idref="V-204552" selected="true" /><select idref="V-204553" selected="true" /><select idref="V-204554" selected="true" /><select idref="V-204555" selected="true" /><select idref="V-204556" selected="true" /><select idref="V-204557" selected="true" /><select idref="V-204558" selected="true" /><select idref="V-204559" selected="true" /><select idref="V-204560" selected="true" /><select idref="V-204561" selected="true" /><select idref="V-204562" selected="true" /><select idref="V-204563" selected="true" /><select idref="V-204564" selected="true" /><select idref="V-204565" selected="true" /><select idref="V-204566" selected="true" /><select idref="V-204567" selected="true" /><select idref="V-204568" selected="true" /><select idref="V-204569" selected="true" /><select idref="V-204570" selected="true" /><select idref="V-204571" selected="true" /><select idref="V-204572" selected="true" /><select idref="V-204573" selected="true" /><select idref="V-204574" selected="true" /><select idref="V-204575" selected="true" /><select idref="V-204576" selected="true" /><select idref="V-204577" selected="true" /><select idref="V-204578" selected="true" /><select idref="V-204579" selected="true" /><select idref="V-204580" selected="true" /><select idref="V-204581" selected="true" /><select idref="V-204582" selected="true" /><select idref="V-204583" selected="true" /><select idref="V-204584" selected="true" /><select idref="V-204585" selected="true" /><select idref="V-204586" selected="true" /><select idref="V-204587" selected="true" /><select idref="V-204588" selected="true" /><select idref="V-204589" selected="true" /><select idref="V-204590" selected="true" /><select idref="V-204591" selected="true" /><select idref="V-204592" selected="true" /><select idref="V-204593" selected="true" /><select idref="V-204594" selected="true" /><select idref="V-204595" selected="true" /><select idref="V-204596" selected="true" /><select idref="V-204597" selected="true" /><select idref="V-204598" selected="true" /><select idref="V-204599" selected="true" /><select idref="V-204600" selected="true" /><select idref="V-204601" selected="true" /><select idref="V-204602" selected="true" /><select idref="V-204603" selected="true" /><select idref="V-204604" selected="true" /><select idref="V-204605" selected="true" /><select idref="V-204606" selected="true" /><select idref="V-204607" selected="true" /><select idref="V-204608" selected="true" /><select idref="V-204609" selected="true" /><select idref="V-204610" selected="true" /><select idref="V-204611" selected="true" /><select idref="V-204612" selected="true" /><select idref="V-204613" selected="true" /><select idref="V-204614" selected="true" /><select idref="V-204615" selected="true" /><select idref="V-204616" selected="true" /><select idref="V-204617" selected="true" /><select idref="V-204618" selected="true" /><select idref="V-204619" selected="true" /><select idref="V-204620" selected="true" /><select idref="V-204621" selected="true" /><select idref="V-204622" selected="true" /><select idref="V-204623" selected="true" /><select idref="V-204624" selected="true" /><select idref="V-204625" selected="true" /><select idref="V-204626" selected="true" /><select idref="V-204627" selected="true" /><select idref="V-204628" selected="true" /><select idref="V-204629" selected="true" /><select idref="V-204630" selected="true" /><select idref="V-204631" selected="true" /><select idref="V-204632" selected="true" /><select idref="V-204633" selected="true" /><select idref="V-204634" selected="true" /><select idref="V-214799" selected="true" /><select idref="V-214800" selected="true" /><select idref="V-214801" selected="true" /><select idref="V-214937" selected="true" /><select idref="V-219059" selected="true" /><select idref="V-228563" selected="true" /><select idref="V-228564" selected="true" /><select idref="V-233307" selected="true" /></Profile><Profile id="MAC-2_Sensitive"><title>II - Mission Support Sensitive</title><description>&lt;ProfileDescription&gt;&lt;/ProfileDescription&gt;</description><select idref="V-204392" selected="true" /><select idref="V-204393" selected="true" /><select idref="V-204394" selected="true" /><select idref="V-204395" selected="true" /><select idref="V-204396" selected="true" /><select idref="V-204397" selected="true" /><select idref="V-204398" selected="true" /><select idref="V-204399" selected="true" /><select idref="V-204400" selected="true" /><select idref="V-204402" selected="true" /><select idref="V-204403" selected="true" /><select idref="V-204404" selected="true" /><select idref="V-204405" selected="true" /><select idref="V-204406" selected="true" /><select idref="V-204407" selected="true" /><select idref="V-204408" selected="true" /><select idref="V-204409" selected="true" /><select idref="V-204410" selected="true" /><select idref="V-204411" selected="true" /><select idref="V-204412" selected="true" /><select idref="V-204413" selected="true" /><select idref="V-204414" selected="true" /><select idref="V-204415" selected="true" /><select idref="V-204416" selected="true" /><select idref="V-204417" selected="true" /><select idref="V-204418" selected="true" /><select idref="V-204419" selected="true" /><select idref="V-204420" selected="true" /><select idref="V-204421" selected="true" /><select idref="V-204422" selected="true" /><select idref="V-204423" selected="true" /><select idref="V-204424" selected="true" /><select idref="V-204425" selected="true" /><select idref="V-204426" selected="true" /><select idref="V-204427" selected="true" /><select idref="V-204428" selected="true" /><select idref="V-204429" selected="true" /><select idref="V-204430" selected="true" /><select idref="V-204431" selected="true" /><select idref="V-204432" selected="true" /><select idref="V-204433" selected="true" /><select idref="V-204434" selected="true" /><select idref="V-204435" selected="true" /><select idref="V-204436" selected="true" /><select idref="V-204437" selected="true" /><select idref="V-204438" selected="true" /><select idref="V-204439" selected="true" /><select idref="V-204440" selected="true" /><select idref="V-204441" selected="true" /><select idref="V-204442" selected="true" /><select idref="V-204443" selected="true" /><select idref="V-204444" selected="true" /><select idref="V-204445" selected="true" /><select idref="V-204446" selected="true" /><select idref="V-204447" selected="true" /><select idref="V-204448" selected="true" /><select idref="V-204449" selected="true" /><select idref="V-204450" selected="true" /><select idref="V-204451" selected="true" /><select idref="V-204452" selected="true" /><select idref="V-204453" selected="true" /><select idref="V-204454" selected="true" /><select idref="V-204455" selected="true" /><select idref="V-204456" selected="true" /><select idref="V-204457" selected="true" /><select idref="V-204458" selected="true" /><select idref="V-204459" selected="true" /><select idref="V-204460" selected="true" /><select idref="V-204461" selected="true" /><select idref="V-204462" selected="true" /><select idref="V-204463" selected="true" /><select idref="V-204464" selected="true" /><select idref="V-204466" selected="true" /><select idref="V-204467" selected="true" /><select idref="V-204468" selected="true" /><select idref="V-204469" selected="true" /><select idref="V-204470" selected="true" /><select idref="V-204471" selected="true" /><select idref="V-204472" selected="true" /><select idref="V-204473" selected="true" /><select idref="V-204474" selected="true" /><select idref="V-204475" selected="true" /><select idref="V-204476" selected="true" /><select idref="V-204477" selected="true" /><select idref="V-204478" selected="true" /><select idref="V-204479" selected="true" /><select idref="V-204480" selected="true" /><select idref="V-204481" selected="true" /><select idref="V-204482" selected="true" /><select idref="V-204483" selected="true" /><select idref="V-204486" selected="true" /><select idref="V-204487" selected="true" /><select idref="V-204488" selected="true" /><select idref="V-204489" selected="true" /><select idref="V-204490" selected="true" /><select idref="V-204491" selected="true" /><select idref="V-204492" selected="true" /><select idref="V-204493" selected="true" /><select idref="V-204494" selected="true" /><select idref="V-204495" selected="true" /><select idref="V-204496" selected="true" /><select idref="V-204497" selected="true" /><select idref="V-204498" selected="true" /><select idref="V-204499" selected="true" /><select idref="V-204500" selected="true" /><select idref="V-204501" selected="true" /><select idref="V-204502" selected="true" /><select idref="V-204503" selected="true" /><select idref="V-204504" selected="true" /><select idref="V-204506" selected="true" /><select idref="V-204507" selected="true" /><select idref="V-204508" selected="true" /><select idref="V-204509" selected="true" /><select idref="V-204510" selected="true" /><select idref="V-204511" selected="true" /><select idref="V-204512" selected="true" /><select idref="V-204513" selected="true" /><select idref="V-204514" selected="true" /><select idref="V-204515" selected="true" /><select idref="V-204516" selected="true" /><select idref="V-204517" selected="true" /><select idref="V-204518" selected="true" /><select idref="V-204519" selected="true" /><select idref="V-204520" selected="true" /><select idref="V-204521" selected="true" /><select idref="V-204522" selected="true" /><select idref="V-204523" selected="true" /><select idref="V-204524" selected="true" /><select idref="V-204525" selected="true" /><select idref="V-204526" selected="true" /><select idref="V-204527" selected="true" /><select idref="V-204528" selected="true" /><select idref="V-204529" selected="true" /><select idref="V-204530" selected="true" /><select idref="V-204531" selected="true" /><select idref="V-204532" selected="true" /><select idref="V-204533" selected="true" /><select idref="V-204534" selected="true" /><select idref="V-204535" selected="true" /><select idref="V-204536" selected="true" /><select idref="V-204537" selected="true" /><select idref="V-204538" selected="true" /><select idref="V-204539" selected="true" /><select idref="V-204540" selected="true" /><select idref="V-204541" selected="true" /><select idref="V-204542" selected="true" /><select idref="V-204543" selected="true" /><select idref="V-204544" selected="true" /><select idref="V-204545" selected="true" /><select idref="V-204546" selected="true" /><select idref="V-204547" selected="true" /><select idref="V-204548" selected="true" /><select idref="V-204549" selected="true" /><select idref="V-204550" selected="true" /><select idref="V-204551" selected="true" /><select idref="V-204552" selected="true" /><select idref="V-204553" selected="true" /><select idref="V-204554" selected="true" /><select idref="V-204555" selected="true" /><select idref="V-204556" selected="true" /><select idref="V-204557" selected="true" /><select idref="V-204558" selected="true" /><select idref="V-204559" selected="true" /><select idref="V-204560" selected="true" /><select idref="V-204561" selected="true" /><select idref="V-204562" selected="true" /><select idref="V-204563" selected="true" /><select idref="V-204564" selected="true" /><select idref="V-204565" selected="true" /><select idref="V-204566" selected="true" /><select idref="V-204567" selected="true" /><select idref="V-204568" selected="true" /><select idref="V-204569" selected="true" /><select idref="V-204570" selected="true" /><select idref="V-204571" selected="true" /><select idref="V-204572" selected="true" /><select idref="V-204573" selected="true" /><select idref="V-204574" selected="true" /><select idref="V-204575" selected="true" /><select idref="V-204576" selected="true" /><select idref="V-204577" selected="true" /><select idref="V-204578" selected="true" /><select idref="V-204579" selected="true" /><select idref="V-204580" selected="true" /><select idref="V-204581" selected="true" /><select idref="V-204582" selected="true" /><select idref="V-204583" selected="true" /><select idref="V-204584" selected="true" /><select idref="V-204585" selected="true" /><select idref="V-204586" selected="true" /><select idref="V-204587" selected="true" /><select idref="V-204588" selected="true" /><select idref="V-204589" selected="true" /><select idref="V-204590" selected="true" /><select idref="V-204591" selected="true" /><select idref="V-204592" selected="true" /><select idref="V-204593" selected="true" /><select idref="V-204594" selected="true" /><select idref="V-204595" selected="true" /><select idref="V-204596" selected="true" /><select idref="V-204597" selected="true" /><select idref="V-204598" selected="true" /><select idref="V-204599" selected="true" /><select idref="V-204600" selected="true" /><select idref="V-204601" selected="true" /><select idref="V-204602" selected="true" /><select idref="V-204603" selected="true" /><select idref="V-204604" selected="true" /><select idref="V-204605" selected="true" /><select idref="V-204606" selected="true" /><select idref="V-204607" selected="true" /><select idref="V-204608" selected="true" /><select idref="V-204609" selected="true" /><select idref="V-204610" selected="true" /><select idref="V-204611" selected="true" /><select idref="V-204612" selected="true" /><select idref="V-204613" selected="true" /><select idref="V-204614" selected="true" /><select idref="V-204615" selected="true" /><select idref="V-204616" selected="true" /><select idref="V-204617" selected="true" /><select idref="V-204618" selected="true" /><select idref="V-204619" selected="true" /><select idref="V-204620" selected="true" /><select idref="V-204621" selected="true" /><select idref="V-204622" selected="true" /><select idref="V-204623" selected="true" /><select idref="V-204624" selected="true" /><select idref="V-204625" selected="true" /><select idref="V-204626" selected="true" /><select idref="V-204627" selected="true" /><select idref="V-204628" selected="true" /><select idref="V-204629" selected="true" /><select idref="V-204630" selected="true" /><select idref="V-204631" selected="true" /><select idref="V-204632" selected="true" /><select idref="V-204633" selected="true" /><select idref="V-204634" selected="true" /><select idref="V-214799" selected="true" /><select idref="V-214800" selected="true" /><select idref="V-214801" selected="true" /><select idref="V-214937" selected="true" /><select idref="V-219059" selected="true" /><select idref="V-228563" selected="true" /><select idref="V-228564" selected="true" /><select idref="V-233307" selected="true" /></Profile><Profile id="MAC-3_Classified"><title>III - Administrative Classified</title><description>&lt;ProfileDescription&gt;&lt;/ProfileDescription&gt;</description><select idref="V-204392" selected="true" /><select idref="V-204393" selected="true" /><select idref="V-204394" selected="true" /><select idref="V-204395" selected="true" /><select idref="V-204396" selected="true" /><select idref="V-204397" selected="true" /><select idref="V-204398" selected="true" /><select idref="V-204399" selected="true" /><select idref="V-204400" selected="true" /><select idref="V-204402" selected="true" /><select idref="V-204403" selected="true" /><select idref="V-204404" selected="true" /><select idref="V-204405" selected="true" /><select idref="V-204406" selected="true" /><select idref="V-204407" selected="true" /><select idref="V-204408" selected="true" /><select idref="V-204409" selected="true" /><select idref="V-204410" selected="true" /><select idref="V-204411" selected="true" /><select idref="V-204412" selected="true" /><select idref="V-204413" selected="true" /><select idref="V-204414" selected="true" /><select idref="V-204415" selected="true" /><select idref="V-204416" selected="true" /><select idref="V-204417" selected="true" /><select idref="V-204418" selected="true" /><select idref="V-204419" selected="true" /><select idref="V-204420" selected="true" /><select idref="V-204421" selected="true" /><select idref="V-204422" selected="true" /><select idref="V-204423" selected="true" /><select idref="V-204424" selected="true" /><select idref="V-204425" selected="true" /><select idref="V-204426" selected="true" /><select idref="V-204427" selected="true" /><select idref="V-204428" selected="true" /><select idref="V-204429" selected="true" /><select idref="V-204430" selected="true" /><select idref="V-204431" selected="true" /><select idref="V-204432" selected="true" /><select idref="V-204433" selected="true" /><select idref="V-204434" selected="true" /><select idref="V-204435" selected="true" /><select idref="V-204436" selected="true" /><select idref="V-204437" selected="true" /><select idref="V-204438" selected="true" /><select idref="V-204439" selected="true" /><select idref="V-204440" selected="true" /><select idref="V-204441" selected="true" /><select idref="V-204442" selected="true" /><select idref="V-204443" selected="true" /><select idref="V-204444" selected="true" /><select idref="V-204445" selected="true" /><select idref="V-204446" selected="true" /><select idref="V-204447" selected="true" /><select idref="V-204448" selected="true" /><select idref="V-204449" selected="true" /><select idref="V-204450" selected="true" /><select idref="V-204451" selected="true" /><select idref="V-204452" selected="true" /><select idref="V-204453" selected="true" /><select idref="V-204454" selected="true" /><select idref="V-204455" selected="true" /><select idref="V-204456" selected="true" /><select idref="V-204457" selected="true" /><select idref="V-204458" selected="true" /><select idref="V-204459" selected="true" /><select idref="V-204460" selected="true" /><select idref="V-204461" selected="true" /><select idref="V-204462" selected="true" /><select idref="V-204463" selected="true" /><select idref="V-204464" selected="true" /><select idref="V-204466" selected="true" /><select idref="V-204467" selected="true" /><select idref="V-204468" selected="true" /><select idref="V-204469" selected="true" /><select idref="V-204470" selected="true" /><select idref="V-204471" selected="true" /><select idref="V-204472" selected="true" /><select idref="V-204473" selected="true" /><select idref="V-204474" selected="true" /><select idref="V-204475" selected="true" /><select idref="V-204476" selected="true" /><select idref="V-204477" selected="true" /><select idref="V-204478" selected="true" /><select idref="V-204479" selected="true" /><select idref="V-204480" selected="true" /><select idref="V-204481" selected="true" /><select idref="V-204482" selected="true" /><select idref="V-204483" selected="true" /><select idref="V-204486" selected="true" /><select idref="V-204487" selected="true" /><select idref="V-204488" selected="true" /><select idref="V-204489" selected="true" /><select idref="V-204490" selected="true" /><select idref="V-204491" selected="true" /><select idref="V-204492" selected="true" /><select idref="V-204493" selected="true" /><select idref="V-204494" selected="true" /><select idref="V-204495" selected="true" /><select idref="V-204496" selected="true" /><select idref="V-204497" selected="true" /><select idref="V-204498" selected="true" /><select idref="V-204499" selected="true" /><select idref="V-204500" selected="true" /><select idref="V-204501" selected="true" /><select idref="V-204502" selected="true" /><select idref="V-204503" selected="true" /><select idref="V-204504" selected="true" /><select idref="V-204506" selected="true" /><select idref="V-204507" selected="true" /><select idref="V-204508" selected="true" /><select idref="V-204509" selected="true" /><select idref="V-204510" selected="true" /><select idref="V-204511" selected="true" /><select idref="V-204512" selected="true" /><select idref="V-204513" selected="true" /><select idref="V-204514" selected="true" /><select idref="V-204515" selected="true" /><select idref="V-204516" selected="true" /><select idref="V-204517" selected="true" /><select idref="V-204518" selected="true" /><select idref="V-204519" selected="true" /><select idref="V-204520" selected="true" /><select idref="V-204521" selected="true" /><select idref="V-204522" selected="true" /><select idref="V-204523" selected="true" /><select idref="V-204524" selected="true" /><select idref="V-204525" selected="true" /><select idref="V-204526" selected="true" /><select idref="V-204527" selected="true" /><select idref="V-204528" selected="true" /><select idref="V-204529" selected="true" /><select idref="V-204530" selected="true" /><select idref="V-204531" selected="true" /><select idref="V-204532" selected="true" /><select idref="V-204533" selected="true" /><select idref="V-204534" selected="true" /><select idref="V-204535" selected="true" /><select idref="V-204536" selected="true" /><select idref="V-204537" selected="true" /><select idref="V-204538" selected="true" /><select idref="V-204539" selected="true" /><select idref="V-204540" selected="true" /><select idref="V-204541" selected="true" /><select idref="V-204542" selected="true" /><select idref="V-204543" selected="true" /><select idref="V-204544" selected="true" /><select idref="V-204545" selected="true" /><select idref="V-204546" selected="true" /><select idref="V-204547" selected="true" /><select idref="V-204548" selected="true" /><select idref="V-204549" selected="true" /><select idref="V-204550" selected="true" /><select idref="V-204551" selected="true" /><select idref="V-204552" selected="true" /><select idref="V-204553" selected="true" /><select idref="V-204554" selected="true" /><select idref="V-204555" selected="true" /><select idref="V-204556" selected="true" /><select idref="V-204557" selected="true" /><select idref="V-204558" selected="true" /><select idref="V-204559" selected="true" /><select idref="V-204560" selected="true" /><select idref="V-204561" selected="true" /><select idref="V-204562" selected="true" /><select idref="V-204563" selected="true" /><select idref="V-204564" selected="true" /><select idref="V-204565" selected="true" /><select idref="V-204566" selected="true" /><select idref="V-204567" selected="true" /><select idref="V-204568" selected="true" /><select idref="V-204569" selected="true" /><select idref="V-204570" selected="true" /><select idref="V-204571" selected="true" /><select idref="V-204572" selected="true" /><select idref="V-204573" selected="true" /><select idref="V-204574" selected="true" /><select idref="V-204575" selected="true" /><select idref="V-204576" selected="true" /><select idref="V-204577" selected="true" /><select idref="V-204578" selected="true" /><select idref="V-204579" selected="true" /><select idref="V-204580" selected="true" /><select idref="V-204581" selected="true" /><select idref="V-204582" selected="true" /><select idref="V-204583" selected="true" /><select idref="V-204584" selected="true" /><select idref="V-204585" selected="true" /><select idref="V-204586" selected="true" /><select idref="V-204587" selected="true" /><select idref="V-204588" selected="true" /><select idref="V-204589" selected="true" /><select idref="V-204590" selected="true" /><select idref="V-204591" selected="true" /><select idref="V-204592" selected="true" /><select idref="V-204593" selected="true" /><select idref="V-204594" selected="true" /><select idref="V-204595" selected="true" /><select idref="V-204596" selected="true" /><select idref="V-204597" selected="true" /><select idref="V-204598" selected="true" /><select idref="V-204599" selected="true" /><select idref="V-204600" selected="true" /><select idref="V-204601" selected="true" /><select idref="V-204602" selected="true" /><select idref="V-204603" selected="true" /><select idref="V-204604" selected="true" /><select idref="V-204605" selected="true" /><select idref="V-204606" selected="true" /><select idref="V-204607" selected="true" /><select idref="V-204608" selected="true" /><select idref="V-204609" selected="true" /><select idref="V-204610" selected="true" /><select idref="V-204611" selected="true" /><select idref="V-204612" selected="true" /><select idref="V-204613" selected="true" /><select idref="V-204614" selected="true" /><select idref="V-204615" selected="true" /><select idref="V-204616" selected="true" /><select idref="V-204617" selected="true" /><select idref="V-204618" selected="true" /><select idref="V-204619" selected="true" /><select idref="V-204620" selected="true" /><select idref="V-204621" selected="true" /><select idref="V-204622" selected="true" /><select idref="V-204623" selected="true" /><select idref="V-204624" selected="true" /><select idref="V-204625" selected="true" /><select idref="V-204626" selected="true" /><select idref="V-204627" selected="true" /><select idref="V-204628" selected="true" /><select idref="V-204629" selected="true" /><select idref="V-204630" selected="true" /><select idref="V-204631" selected="true" /><select idref="V-204632" selected="true" /><select idref="V-204633" selected="true" /><select idref="V-204634" selected="true" /><select idref="V-214799" selected="true" /><select idref="V-214800" selected="true" /><select idref="V-214801" selected="true" /><select idref="V-214937" selected="true" /><select idref="V-219059" selected="true" /><select idref="V-228563" selected="true" /><select idref="V-228564" selected="true" /><select idref="V-233307" selected="true" /></Profile><Profile id="MAC-3_Public"><title>III - Administrative Public</title><description>&lt;ProfileDescription&gt;&lt;/ProfileDescription&gt;</description><select idref="V-204392" selected="true" /><select idref="V-204393" selected="true" /><select idref="V-204394" selected="true" /><select idref="V-204395" selected="true" /><select idref="V-204396" selected="true" /><select idref="V-204397" selected="true" /><select idref="V-204398" selected="true" /><select idref="V-204399" selected="true" /><select idref="V-204400" selected="true" /><select idref="V-204402" selected="true" /><select idref="V-204403" selected="true" /><select idref="V-204404" selected="true" /><select idref="V-204405" selected="true" /><select idref="V-204406" selected="true" /><select idref="V-204407" selected="true" /><select idref="V-204408" selected="true" /><select idref="V-204409" selected="true" /><select idref="V-204410" selected="true" /><select idref="V-204411" selected="true" /><select idref="V-204412" selected="true" /><select idref="V-204413" selected="true" /><select idref="V-204414" selected="true" /><select idref="V-204415" selected="true" /><select idref="V-204416" selected="true" /><select idref="V-204417" selected="true" /><select idref="V-204418" selected="true" /><select idref="V-204419" selected="true" /><select idref="V-204420" selected="true" /><select idref="V-204421" selected="true" /><select idref="V-204422" selected="true" /><select idref="V-204423" selected="true" /><select idref="V-204424" selected="true" /><select idref="V-204425" selected="true" /><select idref="V-204426" selected="true" /><select idref="V-204427" selected="true" /><select idref="V-204428" selected="true" /><select idref="V-204429" selected="true" /><select idref="V-204430" selected="true" /><select idref="V-204431" selected="true" /><select idref="V-204432" selected="true" /><select idref="V-204433" selected="true" /><select idref="V-204434" selected="true" /><select idref="V-204435" selected="true" /><select idref="V-204436" selected="true" /><select idref="V-204437" selected="true" /><select idref="V-204438" selected="true" /><select idref="V-204439" selected="true" /><select idref="V-204440" selected="true" /><select idref="V-204441" selected="true" /><select idref="V-204442" selected="true" /><select idref="V-204443" selected="true" /><select idref="V-204444" selected="true" /><select idref="V-204445" selected="true" /><select idref="V-204446" selected="true" /><select idref="V-204447" selected="true" /><select idref="V-204448" selected="true" /><select idref="V-204449" selected="true" /><select idref="V-204450" selected="true" /><select idref="V-204451" selected="true" /><select idref="V-204452" selected="true" /><select idref="V-204453" selected="true" /><select idref="V-204454" selected="true" /><select idref="V-204455" selected="true" /><select idref="V-204456" selected="true" /><select idref="V-204457" selected="true" /><select idref="V-204458" selected="true" /><select idref="V-204459" selected="true" /><select idref="V-204460" selected="true" /><select idref="V-204461" selected="true" /><select idref="V-204462" selected="true" /><select idref="V-204463" selected="true" /><select idref="V-204464" selected="true" /><select idref="V-204466" selected="true" /><select idref="V-204467" selected="true" /><select idref="V-204468" selected="true" /><select idref="V-204469" selected="true" /><select idref="V-204470" selected="true" /><select idref="V-204471" selected="true" /><select idref="V-204472" selected="true" /><select idref="V-204473" selected="true" /><select idref="V-204474" selected="true" /><select idref="V-204475" selected="true" /><select idref="V-204476" selected="true" /><select idref="V-204477" selected="true" /><select idref="V-204478" selected="true" /><select idref="V-204479" selected="true" /><select idref="V-204480" selected="true" /><select idref="V-204481" selected="true" /><select idref="V-204482" selected="true" /><select idref="V-204483" selected="true" /><select idref="V-204486" selected="true" /><select idref="V-204487" selected="true" /><select idref="V-204488" selected="true" /><select idref="V-204489" selected="true" /><select idref="V-204490" selected="true" /><select idref="V-204491" selected="true" /><select idref="V-204492" selected="true" /><select idref="V-204493" selected="true" /><select idref="V-204494" selected="true" /><select idref="V-204495" selected="true" /><select idref="V-204496" selected="true" /><select idref="V-204497" selected="true" /><select idref="V-204498" selected="true" /><select idref="V-204499" selected="true" /><select idref="V-204500" selected="true" /><select idref="V-204501" selected="true" /><select idref="V-204502" selected="true" /><select idref="V-204503" selected="true" /><select idref="V-204504" selected="true" /><select idref="V-204506" selected="true" /><select idref="V-204507" selected="true" /><select idref="V-204508" selected="true" /><select idref="V-204509" selected="true" /><select idref="V-204510" selected="true" /><select idref="V-204511" selected="true" /><select idref="V-204512" selected="true" /><select idref="V-204513" selected="true" /><select idref="V-204514" selected="true" /><select idref="V-204515" selected="true" /><select idref="V-204516" selected="true" /><select idref="V-204517" selected="true" /><select idref="V-204518" selected="true" /><select idref="V-204519" selected="true" /><select idref="V-204520" selected="true" /><select idref="V-204521" selected="true" /><select idref="V-204522" selected="true" /><select idref="V-204523" selected="true" /><select idref="V-204524" selected="true" /><select idref="V-204525" selected="true" /><select idref="V-204526" selected="true" /><select idref="V-204527" selected="true" /><select idref="V-204528" selected="true" /><select idref="V-204529" selected="true" /><select idref="V-204530" selected="true" /><select idref="V-204531" selected="true" /><select idref="V-204532" selected="true" /><select idref="V-204533" selected="true" /><select idref="V-204534" selected="true" /><select idref="V-204535" selected="true" /><select idref="V-204536" selected="true" /><select idref="V-204537" selected="true" /><select idref="V-204538" selected="true" /><select idref="V-204539" selected="true" /><select idref="V-204540" selected="true" /><select idref="V-204541" selected="true" /><select idref="V-204542" selected="true" /><select idref="V-204543" selected="true" /><select idref="V-204544" selected="true" /><select idref="V-204545" selected="true" /><select idref="V-204546" selected="true" /><select idref="V-204547" selected="true" /><select idref="V-204548" selected="true" /><select idref="V-204549" selected="true" /><select idref="V-204550" selected="true" /><select idref="V-204551" selected="true" /><select idref="V-204552" selected="true" /><select idref="V-204553" selected="true" /><select idref="V-204554" selected="true" /><select idref="V-204555" selected="true" /><select idref="V-204556" selected="true" /><select idref="V-204557" selected="true" /><select idref="V-204558" selected="true" /><select idref="V-204559" selected="true" /><select idref="V-204560" selected="true" /><select idref="V-204561" selected="true" /><select idref="V-204562" selected="true" /><select idref="V-204563" selected="true" /><select idref="V-204564" selected="true" /><select idref="V-204565" selected="true" /><select idref="V-204566" selected="true" /><select idref="V-204567" selected="true" /><select idref="V-204568" selected="true" /><select idref="V-204569" selected="true" /><select idref="V-204570" selected="true" /><select idref="V-204571" selected="true" /><select idref="V-204572" selected="true" /><select idref="V-204573" selected="true" /><select idref="V-204574" selected="true" /><select idref="V-204575" selected="true" /><select idref="V-204576" selected="true" /><select idref="V-204577" selected="true" /><select idref="V-204578" selected="true" /><select idref="V-204579" selected="true" /><select idref="V-204580" selected="true" /><select idref="V-204581" selected="true" /><select idref="V-204582" selected="true" /><select idref="V-204583" selected="true" /><select idref="V-204584" selected="true" /><select idref="V-204585" selected="true" /><select idref="V-204586" selected="true" /><select idref="V-204587" selected="true" /><select idref="V-204588" selected="true" /><select idref="V-204589" selected="true" /><select idref="V-204590" selected="true" /><select idref="V-204591" selected="true" /><select idref="V-204592" selected="true" /><select idref="V-204593" selected="true" /><select idref="V-204594" selected="true" /><select idref="V-204595" selected="true" /><select idref="V-204596" selected="true" /><select idref="V-204597" selected="true" /><select idref="V-204598" selected="true" /><select idref="V-204599" selected="true" /><select idref="V-204600" selected="true" /><select idref="V-204601" selected="true" /><select idref="V-204602" selected="true" /><select idref="V-204603" selected="true" /><select idref="V-204604" selected="true" /><select idref="V-204605" selected="true" /><select idref="V-204606" selected="true" /><select idref="V-204607" selected="true" /><select idref="V-204608" selected="true" /><select idref="V-204609" selected="true" /><select idref="V-204610" selected="true" /><select idref="V-204611" selected="true" /><select idref="V-204612" selected="true" /><select idref="V-204613" selected="true" /><select idref="V-204614" selected="true" /><select idref="V-204615" selected="true" /><select idref="V-204616" selected="true" /><select idref="V-204617" selected="true" /><select idref="V-204618" selected="true" /><select idref="V-204619" selected="true" /><select idref="V-204620" selected="true" /><select idref="V-204621" selected="true" /><select idref="V-204622" selected="true" /><select idref="V-204623" selected="true" /><select idref="V-204624" selected="true" /><select idref="V-204625" selected="true" /><select idref="V-204626" selected="true" /><select idref="V-204627" selected="true" /><select idref="V-204628" selected="true" /><select idref="V-204629" selected="true" /><select idref="V-204630" selected="true" /><select idref="V-204631" selected="true" /><select idref="V-204632" selected="true" /><select idref="V-204633" selected="true" /><select idref="V-204634" selected="true" /><select idref="V-214799" selected="true" /><select idref="V-214800" selected="true" /><select idref="V-214801" selected="true" /><select idref="V-214937" selected="true" /><select idref="V-219059" selected="true" /><select idref="V-228563" selected="true" /><select idref="V-228564" selected="true" /><select idref="V-233307" selected="true" /></Profile><Profile id="MAC-3_Sensitive"><title>III - Administrative Sensitive</title><description>&lt;ProfileDescription&gt;&lt;/ProfileDescription&gt;</description><select idref="V-204392" selected="true" /><select idref="V-204393" selected="true" /><select idref="V-204394" selected="true" /><select idref="V-204395" selected="true" /><select idref="V-204396" selected="true" /><select idref="V-204397" selected="true" /><select idref="V-204398" selected="true" /><select idref="V-204399" selected="true" /><select idref="V-204400" selected="true" /><select idref="V-204402" selected="true" /><select idref="V-204403" selected="true" /><select idref="V-204404" selected="true" /><select idref="V-204405" selected="true" /><select idref="V-204406" selected="true" /><select idref="V-204407" selected="true" /><select idref="V-204408" selected="true" /><select idref="V-204409" selected="true" /><select idref="V-204410" selected="true" /><select idref="V-204411" selected="true" /><select idref="V-204412" selected="true" /><select idref="V-204413" selected="true" /><select idref="V-204414" selected="true" /><select idref="V-204415" selected="true" /><select idref="V-204416" selected="true" /><select idref="V-204417" selected="true" /><select idref="V-204418" selected="true" /><select idref="V-204419" selected="true" /><select idref="V-204420" selected="true" /><select idref="V-204421" selected="true" /><select idref="V-204422" selected="true" /><select idref="V-204423" selected="true" /><select idref="V-204424" selected="true" /><select idref="V-204425" selected="true" /><select idref="V-204426" selected="true" /><select idref="V-204427" selected="true" /><select idref="V-204428" selected="true" /><select idref="V-204429" selected="true" /><select idref="V-204430" selected="true" /><select idref="V-204431" selected="true" /><select idref="V-204432" selected="true" /><select idref="V-204433" selected="true" /><select idref="V-204434" selected="true" /><select idref="V-204435" selected="true" /><select idref="V-204436" selected="true" /><select idref="V-204437" selected="true" /><select idref="V-204438" selected="true" /><select idref="V-204439" selected="true" /><select idref="V-204440" selected="true" /><select idref="V-204441" selected="true" /><select idref="V-204442" selected="true" /><select idref="V-204443" selected="true" /><select idref="V-204444" selected="true" /><select idref="V-204445" selected="true" /><select idref="V-204446" selected="true" /><select idref="V-204447" selected="true" /><select idref="V-204448" selected="true" /><select idref="V-204449" selected="true" /><select idref="V-204450" selected="true" /><select idref="V-204451" selected="true" /><select idref="V-204452" selected="true" /><select idref="V-204453" selected="true" /><select idref="V-204454" selected="true" /><select idref="V-204455" selected="true" /><select idref="V-204456" selected="true" /><select idref="V-204457" selected="true" /><select idref="V-204458" selected="true" /><select idref="V-204459" selected="true" /><select idref="V-204460" selected="true" /><select idref="V-204461" selected="true" /><select idref="V-204462" selected="true" /><select idref="V-204463" selected="true" /><select idref="V-204464" selected="true" /><select idref="V-204466" selected="true" /><select idref="V-204467" selected="true" /><select idref="V-204468" selected="true" /><select idref="V-204469" selected="true" /><select idref="V-204470" selected="true" /><select idref="V-204471" selected="true" /><select idref="V-204472" selected="true" /><select idref="V-204473" selected="true" /><select idref="V-204474" selected="true" /><select idref="V-204475" selected="true" /><select idref="V-204476" selected="true" /><select idref="V-204477" selected="true" /><select idref="V-204478" selected="true" /><select idref="V-204479" selected="true" /><select idref="V-204480" selected="true" /><select idref="V-204481" selected="true" /><select idref="V-204482" selected="true" /><select idref="V-204483" selected="true" /><select idref="V-204486" selected="true" /><select idref="V-204487" selected="true" /><select idref="V-204488" selected="true" /><select idref="V-204489" selected="true" /><select idref="V-204490" selected="true" /><select idref="V-204491" selected="true" /><select idref="V-204492" selected="true" /><select idref="V-204493" selected="true" /><select idref="V-204494" selected="true" /><select idref="V-204495" selected="true" /><select idref="V-204496" selected="true" /><select idref="V-204497" selected="true" /><select idref="V-204498" selected="true" /><select idref="V-204499" selected="true" /><select idref="V-204500" selected="true" /><select idref="V-204501" selected="true" /><select idref="V-204502" selected="true" /><select idref="V-204503" selected="true" /><select idref="V-204504" selected="true" /><select idref="V-204506" selected="true" /><select idref="V-204507" selected="true" /><select idref="V-204508" selected="true" /><select idref="V-204509" selected="true" /><select idref="V-204510" selected="true" /><select idref="V-204511" selected="true" /><select idref="V-204512" selected="true" /><select idref="V-204513" selected="true" /><select idref="V-204514" selected="true" /><select idref="V-204515" selected="true" /><select idref="V-204516" selected="true" /><select idref="V-204517" selected="true" /><select idref="V-204518" selected="true" /><select idref="V-204519" selected="true" /><select idref="V-204520" selected="true" /><select idref="V-204521" selected="true" /><select idref="V-204522" selected="true" /><select idref="V-204523" selected="true" /><select idref="V-204524" selected="true" /><select idref="V-204525" selected="true" /><select idref="V-204526" selected="true" /><select idref="V-204527" selected="true" /><select idref="V-204528" selected="true" /><select idref="V-204529" selected="true" /><select idref="V-204530" selected="true" /><select idref="V-204531" selected="true" /><select idref="V-204532" selected="true" /><select idref="V-204533" selected="true" /><select idref="V-204534" selected="true" /><select idref="V-204535" selected="true" /><select idref="V-204536" selected="true" /><select idref="V-204537" selected="true" /><select idref="V-204538" selected="true" /><select idref="V-204539" selected="true" /><select idref="V-204540" selected="true" /><select idref="V-204541" selected="true" /><select idref="V-204542" selected="true" /><select idref="V-204543" selected="true" /><select idref="V-204544" selected="true" /><select idref="V-204545" selected="true" /><select idref="V-204546" selected="true" /><select idref="V-204547" selected="true" /><select idref="V-204548" selected="true" /><select idref="V-204549" selected="true" /><select idref="V-204550" selected="true" /><select idref="V-204551" selected="true" /><select idref="V-204552" selected="true" /><select idref="V-204553" selected="true" /><select idref="V-204554" selected="true" /><select idref="V-204555" selected="true" /><select idref="V-204556" selected="true" /><select idref="V-204557" selected="true" /><select idref="V-204558" selected="true" /><select idref="V-204559" selected="true" /><select idref="V-204560" selected="true" /><select idref="V-204561" selected="true" /><select idref="V-204562" selected="true" /><select idref="V-204563" selected="true" /><select idref="V-204564" selected="true" /><select idref="V-204565" selected="true" /><select idref="V-204566" selected="true" /><select idref="V-204567" selected="true" /><select idref="V-204568" selected="true" /><select idref="V-204569" selected="true" /><select idref="V-204570" selected="true" /><select idref="V-204571" selected="true" /><select idref="V-204572" selected="true" /><select idref="V-204573" selected="true" /><select idref="V-204574" selected="true" /><select idref="V-204575" selected="true" /><select idref="V-204576" selected="true" /><select idref="V-204577" selected="true" /><select idref="V-204578" selected="true" /><select idref="V-204579" selected="true" /><select idref="V-204580" selected="true" /><select idref="V-204581" selected="true" /><select idref="V-204582" selected="true" /><select idref="V-204583" selected="true" /><select idref="V-204584" selected="true" /><select idref="V-204585" selected="true" /><select idref="V-204586" selected="true" /><select idref="V-204587" selected="true" /><select idref="V-204588" selected="true" /><select idref="V-204589" selected="true" /><select idref="V-204590" selected="true" /><select idref="V-204591" selected="true" /><select idref="V-204592" selected="true" /><select idref="V-204593" selected="true" /><select idref="V-204594" selected="true" /><select idref="V-204595" selected="true" /><select idref="V-204596" selected="true" /><select idref="V-204597" selected="true" /><select idref="V-204598" selected="true" /><select idref="V-204599" selected="true" /><select idref="V-204600" selected="true" /><select idref="V-204601" selected="true" /><select idref="V-204602" selected="true" /><select idref="V-204603" selected="true" /><select idref="V-204604" selected="true" /><select idref="V-204605" selected="true" /><select idref="V-204606" selected="true" /><select idref="V-204607" selected="true" /><select idref="V-204608" selected="true" /><select idref="V-204609" selected="true" /><select idref="V-204610" selected="true" /><select idref="V-204611" selected="true" /><select idref="V-204612" selected="true" /><select idref="V-204613" selected="true" /><select idref="V-204614" selected="true" /><select idref="V-204615" selected="true" /><select idref="V-204616" selected="true" /><select idref="V-204617" selected="true" /><select idref="V-204618" selected="true" /><select idref="V-204619" selected="true" /><select idref="V-204620" selected="true" /><select idref="V-204621" selected="true" /><select idref="V-204622" selected="true" /><select idref="V-204623" selected="true" /><select idref="V-204624" selected="true" /><select idref="V-204625" selected="true" /><select idref="V-204626" selected="true" /><select idref="V-204627" selected="true" /><select idref="V-204628" selected="true" /><select idref="V-204629" selected="true" /><select idref="V-204630" selected="true" /><select idref="V-204631" selected="true" /><select idref="V-204632" selected="true" /><select idref="V-204633" selected="true" /><select idref="V-204634" selected="true" /><select idref="V-214799" selected="true" /><select idref="V-214800" selected="true" /><select idref="V-214801" selected="true" /><select idref="V-214937" selected="true" /><select idref="V-219059" selected="true" /><select idref="V-228563" selected="true" /><select idref="V-228564" selected="true" /><select idref="V-233307" selected="true" /></Profile><Group id="V-204392"><title>SRG-OS-000257-GPOS-00098</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204392r603261_rule" weight="10.0" severity="high"><version>RHEL-07-010010</version><title>The Red Hat Enterprise Linux operating system must be configured so that the file permissions, ownership, and group membership of system files and commands match the vendor values.</title><description>&lt;VulnDiscussion&gt;Discretionary access control is weakened if a user or group has access permissions to system files and directories greater than the default.
+ 
+-Satisfies: SRG-OS-000257-GPOS-00098, SRG-OS-000278-GPOS-00108&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-71849</ident><ident system="http://cyber.mil/legacy">SV-86473</ident><ident system="http://cyber.mil/cci">CCI-001494</ident><ident system="http://cyber.mil/cci">CCI-001496</ident><ident system="http://cyber.mil/cci">CCI-002165</ident><ident system="http://cyber.mil/cci">CCI-002235</ident><fixtext fixref="F-4516r499370_fix">Run the following command to determine which package owns the file:
++Satisfies: SRG-OS-000257-GPOS-00098, SRG-OS-000278-GPOS-00108&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-71849</ident><ident system="http://cyber.mil/legacy">SV-86473</ident><ident system="http://cyber.mil/cci">CCI-001494</ident><ident system="http://cyber.mil/cci">CCI-001496</ident><ident system="http://cyber.mil/cci">CCI-002165</ident><ident system="http://cyber.mil/cci">CCI-002235</ident><fixtext fixref="F-36302r602616_fix">Run the following command to determine which package owns the file:
+ 
+ # rpm -qf &lt;filename&gt;
+ 
+@@ -11,7 +11,7 @@ Reset the user and group ownership of files within a package with the following
+ 
+ Reset the permissions of files within a package with the following command:
+ 
+-#rpm --setperms &lt;packagename&gt;</fixtext><fix id="F-4516r499370_fix" /><check system="C-4516r499369_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the file permissions, ownership, and group membership of system files and commands match the vendor values.
++#rpm --setperms &lt;packagename&gt;</fixtext><fix id="F-36302r602616_fix" /><check system="C-36339r602615_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the file permissions, ownership, and group membership of system files and commands match the vendor values.
+ 
+ Check the default file permissions, ownership, and group membership of system files and commands with the following command:
+ 
+@@ -30,7 +30,7 @@ If the file is more permissive than the default permissions, this is a finding.
+ 
+ If the file is not owned by the default owner and is not documented with the Information System Security Officer (ISSO), this is a finding.
+ 
+-If the file is not a member of the default group and is not documented with the Information System Security Officer (ISSO), this is a finding.</check-content></check></Rule></Group><Group id="V-204393"><title>SRG-OS-000023-GPOS-00006</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204393r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-010030</version><title>The Red Hat Enterprise Linux operating system must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a graphical user logon.</title><description>&lt;VulnDiscussion&gt;Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.
++If the file is not a member of the default group and is not documented with the Information System Security Officer (ISSO), this is a finding.</check-content></check></Rule></Group><Group id="V-204393"><title>SRG-OS-000023-GPOS-00006</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204393r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-010030</version><title>The Red Hat Enterprise Linux operating system must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a graphical user logon.</title><description>&lt;VulnDiscussion&gt;Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.
+ 
+ System use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist.
+ 
+@@ -77,7 +77,7 @@ Check to see if the operating system displays a banner at the logon screen with
+ # grep banner-message-enable /etc/dconf/db/local.d/*
+ banner-message-enable=true
+ 
+-If "banner-message-enable" is set to "false" or is missing, this is a finding.</check-content></check></Rule></Group><Group id="V-204394"><title>SRG-OS-000023-GPOS-00006</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204394r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-010040</version><title>The Red Hat Enterprise Linux operating system must display the approved Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a graphical user logon.</title><description>&lt;VulnDiscussion&gt;Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.
++If "banner-message-enable" is set to "false" or is missing, this is a finding.</check-content></check></Rule></Group><Group id="V-204394"><title>SRG-OS-000023-GPOS-00006</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204394r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-010040</version><title>The Red Hat Enterprise Linux operating system must display the approved Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a graphical user logon.</title><description>&lt;VulnDiscussion&gt;Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.
+ 
+ System use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist.
+ 
+@@ -128,7 +128,7 @@ banner-message-text=
+ 
+ Note: The "\n " characters are for formatting only. They will not be displayed on the Graphical User Interface.
+ 
+-If the banner does not match the approved Standard Mandatory DoD Notice and Consent Banner, this is a finding.</check-content></check></Rule></Group><Group id="V-204395"><title>SRG-OS-000023-GPOS-00006</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204395r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-010050</version><title>The Red Hat Enterprise Linux operating system must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a command line user logon.</title><description>&lt;VulnDiscussion&gt;Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.
++If the banner does not match the approved Standard Mandatory DoD Notice and Consent Banner, this is a finding.</check-content></check></Rule></Group><Group id="V-204395"><title>SRG-OS-000023-GPOS-00006</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204395r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-010050</version><title>The Red Hat Enterprise Linux operating system must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a command line user logon.</title><description>&lt;VulnDiscussion&gt;Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.
+ 
+ System use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist.
+ 
+@@ -186,7 +186,7 @@ By using this IS (which includes any device attached to this IS), you consent to
+ 
+ If the operating system does not display a graphical logon banner or the banner does not match the Standard Mandatory DoD Notice and Consent Banner, this is a finding.
+ 
+-If the text in the "/etc/issue" file does not match the Standard Mandatory DoD Notice and Consent Banner, this is a finding.</check-content></check></Rule></Group><Group id="V-204396"><title>SRG-OS-000028-GPOS-00009</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204396r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-010060</version><title>The Red Hat Enterprise Linux operating system must enable a user session lock until that user re-establishes access using established identification and authentication procedures.</title><description>&lt;VulnDiscussion&gt;A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence.
++If the text in the "/etc/issue" file does not match the Standard Mandatory DoD Notice and Consent Banner, this is a finding.</check-content></check></Rule></Group><Group id="V-204396"><title>SRG-OS-000028-GPOS-00009</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204396r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-010060</version><title>The Red Hat Enterprise Linux operating system must enable a user session lock until that user re-establishes access using established identification and authentication procedures.</title><description>&lt;VulnDiscussion&gt;A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence.
+ 
+ The session lock is implemented at the point where session activity can be determined.
+ 
+@@ -216,11 +216,11 @@ Check to see if the screen lock is enabled with the following command:
+ # grep -i lock-enabled /etc/dconf/db/local.d/*
+ lock-enabled=true
+ 
+-If the "lock-enabled" setting is missing or is not set to "true", this is a finding.</check-content></check></Rule></Group><Group id="V-204397"><title>SRG-OS-000375-GPOS-00160</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204397r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-010061</version><title>The Red Hat Enterprise Linux operating system must uniquely identify and must authenticate users using multifactor authentication via a graphical user logon.</title><description>&lt;VulnDiscussion&gt;To assure accountability and prevent unauthenticated access, users must be identified and authenticated to prevent potential misuse and compromise of the system.
++If the "lock-enabled" setting is missing or is not set to "true", this is a finding.</check-content></check></Rule></Group><Group id="V-204397"><title>SRG-OS-000375-GPOS-00160</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204397r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-010061</version><title>The Red Hat Enterprise Linux operating system must uniquely identify and must authenticate users using multifactor authentication via a graphical user logon.</title><description>&lt;VulnDiscussion&gt;To assure accountability and prevent unauthenticated access, users must be identified and authenticated to prevent potential misuse and compromise of the system.
+ 
+ Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification card and the DoD Common Access Card.
+ 
+-Satisfies: SRG-OS-000375-GPOS-00161,SRG-OS-000375-GPOS-00162&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-77819</ident><ident system="http://cyber.mil/legacy">SV-92515</ident><ident system="http://cyber.mil/cci">CCI-001948</ident><ident system="http://cyber.mil/cci">CCI-001953</ident><ident system="http://cyber.mil/cci">CCI-001954</ident><fixtext fixref="F-4521r88384_fix">Configure the operating system to uniquely identify and authenticate users using multifactor authentication via a graphical user logon.
++Satisfies: SRG-OS-000375-GPOS-00161,SRG-OS-000375-GPOS-00162&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-92515</ident><ident system="http://cyber.mil/legacy">V-77819</ident><ident system="http://cyber.mil/cci">CCI-001948</ident><ident system="http://cyber.mil/cci">CCI-001953</ident><ident system="http://cyber.mil/cci">CCI-001954</ident><fixtext fixref="F-4521r88384_fix">Configure the operating system to uniquely identify and authenticate users using multifactor authentication via a graphical user logon.
+ 
+ Note: If the system does not have GNOME installed, this requirement is Not Applicable.
+ 
+@@ -250,7 +250,7 @@ Note: The example is using the database local for the system, so the path is "/e
+ 
+ enable-smartcard-authentication=true
+ 
+-If "enable-smartcard-authentication" is set to "false" or the keyword is missing, this is a finding.</check-content></check></Rule></Group><Group id="V-204398"><title>SRG-OS-000029-GPOS-00010</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204398r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-010070</version><title>The Red Hat Enterprise Linux operating system must initiate a screensaver after a 15-minute period of inactivity for graphical user interfaces.</title><description>&lt;VulnDiscussion&gt;A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock.
++If "enable-smartcard-authentication" is set to "false" or the keyword is missing, this is a finding.</check-content></check></Rule></Group><Group id="V-204398"><title>SRG-OS-000029-GPOS-00010</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204398r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-010070</version><title>The Red Hat Enterprise Linux operating system must initiate a screensaver after a 15-minute period of inactivity for graphical user interfaces.</title><description>&lt;VulnDiscussion&gt;A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock.
+ 
+ The session lock is implemented at the point where session activity can be determined and/or controlled.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86517</ident><ident system="http://cyber.mil/legacy">V-71893</ident><ident system="http://cyber.mil/cci">CCI-000057</ident><fixtext fixref="F-4522r88387_fix">Configure the operating system to initiate a screensaver after a 15-minute period of inactivity for graphical user interfaces.
+ 
+@@ -279,7 +279,7 @@ Check to see if GNOME is configured to display a screensaver after a 15 minute d
+ # grep -i idle-delay /etc/dconf/db/local.d/*
+ idle-delay=uint32 900
+ 
+-If the "idle-delay" setting is missing or is not set to "900" or less, this is a finding.</check-content></check></Rule></Group><Group id="V-204399"><title>SRG-OS-000029-GPOS-00010</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204399r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-010081</version><title>The Red Hat Enterprise Linux operating system must prevent a user from overriding the screensaver lock-delay setting for the graphical user interface.</title><description>&lt;VulnDiscussion&gt;A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock.
++If the "idle-delay" setting is missing or is not set to "900" or less, this is a finding.</check-content></check></Rule></Group><Group id="V-204399"><title>SRG-OS-000029-GPOS-00010</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204399r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-010081</version><title>The Red Hat Enterprise Linux operating system must prevent a user from overriding the screensaver lock-delay setting for the graphical user interface.</title><description>&lt;VulnDiscussion&gt;A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock.
+ 
+ The session lock is implemented at the point where session activity can be determined and/or controlled.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-87807</ident><ident system="http://cyber.mil/legacy">V-73155</ident><ident system="http://cyber.mil/cci">CCI-000057</ident><fixtext fixref="F-4523r88390_fix">Configure the operating system to prevent a user from overriding a screensaver lock after a 15-minute period of inactivity for graphical user interfaces.
+ 
+@@ -308,7 +308,7 @@ Note: The example below is using the database "local" for the system, so the pat
+ 
+ /org/gnome/desktop/screensaver/lock-delay
+ 
+-If the command does not return a result, this is a finding.</check-content></check></Rule></Group><Group id="V-204400"><title>SRG-OS-000029-GPOS-00010</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204400r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-010082</version><title>The Red Hat Enterprise Linux operating system must prevent a user from overriding the session idle-delay setting for the graphical user interface.</title><description>&lt;VulnDiscussion&gt;A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock.
++If the command does not return a result, this is a finding.</check-content></check></Rule></Group><Group id="V-204400"><title>SRG-OS-000029-GPOS-00010</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204400r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-010082</version><title>The Red Hat Enterprise Linux operating system must prevent a user from overriding the session idle-delay setting for the graphical user interface.</title><description>&lt;VulnDiscussion&gt;A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock.
+ 
+ The session lock is implemented at the point where session activity can be determined and/or controlled.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-87809</ident><ident system="http://cyber.mil/legacy">V-73157</ident><ident system="http://cyber.mil/cci">CCI-000057</ident><fixtext fixref="F-4524r88393_fix">Configure the operating system to prevent a user from overriding a session lock after a 15-minute period of inactivity for graphical user interfaces.
+ 
+@@ -337,9 +337,9 @@ Note: The example below is using the database "local" for the system, so the pat
+ 
+ /org/gnome/desktop/session/idle-delay
+ 
+-If the command does not return a result, this is a finding.</check-content></check></Rule></Group><Group id="V-204402"><title>SRG-OS-000029-GPOS-00010</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204402r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-010100</version><title>The Red Hat Enterprise Linux operating system must initiate a session lock for the screensaver after a period of inactivity for graphical user interfaces.</title><description>&lt;VulnDiscussion&gt;A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock.
++If the command does not return a result, this is a finding.</check-content></check></Rule></Group><Group id="V-204402"><title>SRG-OS-000029-GPOS-00010</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204402r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-010100</version><title>The Red Hat Enterprise Linux operating system must initiate a session lock for the screensaver after a period of inactivity for graphical user interfaces.</title><description>&lt;VulnDiscussion&gt;A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock.
+ 
+-The session lock is implemented at the point where session activity can be determined and/or controlled.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86523</ident><ident system="http://cyber.mil/legacy">V-71899</ident><ident system="http://cyber.mil/cci">CCI-000057</ident><fixtext fixref="F-4526r88399_fix">Configure the operating system to initiate a session lock after a 15-minute period of inactivity for graphical user interfaces.
++The session lock is implemented at the point where session activity can be determined and/or controlled.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-71899</ident><ident system="http://cyber.mil/legacy">SV-86523</ident><ident system="http://cyber.mil/cci">CCI-000057</ident><fixtext fixref="F-4526r88399_fix">Configure the operating system to initiate a session lock after a 15-minute period of inactivity for graphical user interfaces.
+ 
+ Create a database to contain the system-wide screensaver settings (if it does not already exist) with the following command: 
+ 
+@@ -365,11 +365,11 @@ Check for the session lock settings with the following commands:
+ 
+ idle-activation-enabled=true
+ 
+-If "idle-activation-enabled" is not set to "true", this is a finding.</check-content></check></Rule></Group><Group id="V-204403"><title>SRG-OS-000029-GPOS-00010</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204403r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-010101</version><title>The Red Hat Enterprise Linux operating system must prevent a user from overriding the screensaver idle-activation-enabled setting for the graphical user interface.</title><description>&lt;VulnDiscussion&gt;A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence.
++If "idle-activation-enabled" is not set to "true", this is a finding.</check-content></check></Rule></Group><Group id="V-204403"><title>SRG-OS-000029-GPOS-00010</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204403r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-010101</version><title>The Red Hat Enterprise Linux operating system must prevent a user from overriding the screensaver idle-activation-enabled setting for the graphical user interface.</title><description>&lt;VulnDiscussion&gt;A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence.
+ 
+ The session lock is implemented at the point where session activity can be determined.
+ 
+-The ability to enable/disable a session lock is given to the user by default. Disabling the user's ability to disengage the graphical user interface session lock provides the assurance that all sessions will lock after the specified period of time.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-78997</ident><ident system="http://cyber.mil/legacy">SV-93703</ident><ident system="http://cyber.mil/cci">CCI-000057</ident><fixtext fixref="F-4527r88402_fix">Configure the operating system to prevent a user from overriding a screensaver lock after a 15-minute period of inactivity for graphical user interfaces.
++The ability to enable/disable a session lock is given to the user by default. Disabling the user's ability to disengage the graphical user interface session lock provides the assurance that all sessions will lock after the specified period of time.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-93703</ident><ident system="http://cyber.mil/legacy">V-78997</ident><ident system="http://cyber.mil/cci">CCI-000057</ident><fixtext fixref="F-4527r88402_fix">Configure the operating system to prevent a user from overriding a screensaver lock after a 15-minute period of inactivity for graphical user interfaces.
+ 
+ Create a database to contain the system-wide screensaver settings (if it does not already exist) with the following command: 
+ 
+@@ -396,7 +396,7 @@ Note: The example below is using the database "local" for the system, so the pat
+ 
+ /org/gnome/desktop/screensaver/idle-activation-enabled
+ 
+-If the command does not return a result, this is a finding.</check-content></check></Rule></Group><Group id="V-204404"><title>SRG-OS-000029-GPOS-00010</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204404r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-010110</version><title>The Red Hat Enterprise Linux operating system must initiate a session lock for graphical user interfaces when the screensaver is activated.</title><description>&lt;VulnDiscussion&gt;A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock.
++If the command does not return a result, this is a finding.</check-content></check></Rule></Group><Group id="V-204404"><title>SRG-OS-000029-GPOS-00010</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204404r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-010110</version><title>The Red Hat Enterprise Linux operating system must initiate a session lock for graphical user interfaces when the screensaver is activated.</title><description>&lt;VulnDiscussion&gt;A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock.
+ 
+ The session lock is implemented at the point where session activity can be determined and/or controlled.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86525</ident><ident system="http://cyber.mil/legacy">V-71901</ident><ident system="http://cyber.mil/cci">CCI-000057</ident><fixtext fixref="F-4528r88405_fix">Configure the operating system to initiate a session lock for graphical user interfaces when a screensaver is activated.
+ 
+@@ -424,7 +424,7 @@ If GNOME is installed, check to see a session lock occurs when the screensaver i
+ # grep -i lock-delay /etc/dconf/db/local.d/*
+ lock-delay=uint32 5
+ 
+-If the "lock-delay" setting is missing, or is not set to "5" or less, this is a finding.</check-content></check></Rule></Group><Group id="V-204405"><title>SRG-OS-000069-GPOS-00037</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204405r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-010118</version><title>The Red Hat Enterprise Linux operating system must be configured so that /etc/pam.d/passwd implements /etc/pam.d/system-auth when changing passwords.</title><description>&lt;VulnDiscussion&gt;Pluggable authentication modules (PAM) allow for a modular approach to integrating authentication methods. PAM operates in a top-down processing model and if the modules are not listed in the correct order, an important security function could be bypassed if stack entries are not centralized.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-95715</ident><ident system="http://cyber.mil/legacy">V-81003</ident><ident system="http://cyber.mil/cci">CCI-000192</ident><fixtext fixref="F-4529r88408_fix">Configure PAM to utilize /etc/pam.d/system-auth when changing passwords.
++If the "lock-delay" setting is missing, or is not set to "5" or less, this is a finding.</check-content></check></Rule></Group><Group id="V-204405"><title>SRG-OS-000069-GPOS-00037</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204405r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-010118</version><title>The Red Hat Enterprise Linux operating system must be configured so that /etc/pam.d/passwd implements /etc/pam.d/system-auth when changing passwords.</title><description>&lt;VulnDiscussion&gt;Pluggable authentication modules (PAM) allow for a modular approach to integrating authentication methods. PAM operates in a top-down processing model and if the modules are not listed in the correct order, an important security function could be bypassed if stack entries are not centralized.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-95715</ident><ident system="http://cyber.mil/legacy">V-81003</ident><ident system="http://cyber.mil/cci">CCI-000192</ident><fixtext fixref="F-4529r88408_fix">Configure PAM to utilize /etc/pam.d/system-auth when changing passwords.
+ 
+ Add the following line to "/etc/pam.d/passwd" (or modify the line to have the required value):
+ 
+@@ -433,7 +433,7 @@ password     substack    system-auth</fixtext><fix id="F-4529r88408_fix" /><chec
+ # cat /etc/pam.d/passwd | grep -i substack | grep -i system-auth
+ password     substack     system-auth
+ 
+-If no results are returned, the line is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-204406"><title>SRG-OS-000069-GPOS-00037</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204406r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-010119</version><title>The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed or new passwords are established, pwquality must be used.</title><description>&lt;VulnDiscussion&gt;Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. "pwquality" enforces complex password construction configuration and has the ability to limit brute-force attacks on the system.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-87811</ident><ident system="http://cyber.mil/legacy">V-73159</ident><ident system="http://cyber.mil/cci">CCI-000192</ident><fixtext fixref="F-4530r88411_fix">Configure the operating system to use "pwquality" to enforce password complexity rules.
++If no results are returned, the line is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-204406"><title>SRG-OS-000069-GPOS-00037</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204406r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-010119</version><title>The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed or new passwords are established, pwquality must be used.</title><description>&lt;VulnDiscussion&gt;Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. "pwquality" enforces complex password construction configuration and has the ability to limit brute-force attacks on the system.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-87811</ident><ident system="http://cyber.mil/legacy">V-73159</ident><ident system="http://cyber.mil/cci">CCI-000192</ident><fixtext fixref="F-4530r88411_fix">Configure the operating system to use "pwquality" to enforce password complexity rules.
+ 
+ Add the following line to "/etc/pam.d/system-auth" (or modify the line to have the required value):
+ 
+@@ -449,7 +449,7 @@ password required pam_pwquality.so retry=3
+ 
+ If the command does not return an uncommented line containing the value "pam_pwquality.so", this is a finding.
+ 
+-If the value of "retry" is set to "0" or greater than "3", this is a finding.</check-content></check></Rule></Group><Group id="V-204407"><title>SRG-OS-000069-GPOS-00037</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204407r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-010120</version><title>The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed or new passwords are established, the new password must contain at least one upper-case character.</title><description>&lt;VulnDiscussion&gt;Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
++If the value of "retry" is set to "0" or greater than "3", this is a finding.</check-content></check></Rule></Group><Group id="V-204407"><title>SRG-OS-000069-GPOS-00037</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204407r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-010120</version><title>The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed or new passwords are established, the new password must contain at least one upper-case character.</title><description>&lt;VulnDiscussion&gt;Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
+ 
+ Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86527</ident><ident system="http://cyber.mil/legacy">V-71903</ident><ident system="http://cyber.mil/cci">CCI-000192</ident><fixtext fixref="F-4531r88414_fix">Configure the operating system to enforce password complexity by requiring that at least one upper-case character be used by setting the "ucredit" option.
+ 
+@@ -462,9 +462,9 @@ Check the value for "ucredit" in "/etc/security/pwquality.conf" with the followi
+ # grep ucredit /etc/security/pwquality.conf 
+ ucredit = -1
+ 
+-If the value of "ucredit" is not set to a negative value, this is a finding.</check-content></check></Rule></Group><Group id="V-204408"><title>SRG-OS-000070-GPOS-00038</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204408r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-010130</version><title>The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed or new passwords are established, the new password must contain at least one lower-case character.</title><description>&lt;VulnDiscussion&gt;Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
++If the value of "ucredit" is not set to a negative value, this is a finding.</check-content></check></Rule></Group><Group id="V-204408"><title>SRG-OS-000070-GPOS-00038</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204408r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-010130</version><title>The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed or new passwords are established, the new password must contain at least one lower-case character.</title><description>&lt;VulnDiscussion&gt;Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
+ 
+-Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-71905</ident><ident system="http://cyber.mil/legacy">SV-86529</ident><ident system="http://cyber.mil/cci">CCI-000193</ident><fixtext fixref="F-4532r88417_fix">Configure the system to require at least one lower-case character when creating or changing a password.
++Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86529</ident><ident system="http://cyber.mil/legacy">V-71905</ident><ident system="http://cyber.mil/cci">CCI-000193</ident><fixtext fixref="F-4532r88417_fix">Configure the system to require at least one lower-case character when creating or changing a password.
+ 
+ Add or modify the following line 
+ in "/etc/security/pwquality.conf":
+@@ -476,9 +476,9 @@ Check the value for "lcredit" in "/etc/security/pwquality.conf" with the followi
+ # grep lcredit /etc/security/pwquality.conf 
+ lcredit = -1 
+ 
+-If the value of "lcredit" is not set to a negative value, this is a finding.</check-content></check></Rule></Group><Group id="V-204409"><title>SRG-OS-000071-GPOS-00039</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204409r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-010140</version><title>The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed or new passwords are assigned, the new password must contain at least one numeric character.</title><description>&lt;VulnDiscussion&gt;Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
++If the value of "lcredit" is not set to a negative value, this is a finding.</check-content></check></Rule></Group><Group id="V-204409"><title>SRG-OS-000071-GPOS-00039</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204409r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-010140</version><title>The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed or new passwords are assigned, the new password must contain at least one numeric character.</title><description>&lt;VulnDiscussion&gt;Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
+ 
+-Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-71907</ident><ident system="http://cyber.mil/legacy">SV-86531</ident><ident system="http://cyber.mil/cci">CCI-000194</ident><fixtext fixref="F-4533r88420_fix">Configure the operating system to enforce password complexity by requiring that at least one numeric character be used by setting the "dcredit" option.
++Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86531</ident><ident system="http://cyber.mil/legacy">V-71907</ident><ident system="http://cyber.mil/cci">CCI-000194</ident><fixtext fixref="F-4533r88420_fix">Configure the operating system to enforce password complexity by requiring that at least one numeric character be used by setting the "dcredit" option.
+ 
+ Add the following line to /etc/security/pwquality.conf (or modify the line to have the required value):
+ 
+@@ -489,7 +489,7 @@ Check the value for "dcredit" in "/etc/security/pwquality.conf" with the followi
+ # grep dcredit /etc/security/pwquality.conf 
+ dcredit = -1 
+ 
+-If the value of "dcredit" is not set to a negative value, this is a finding.</check-content></check></Rule></Group><Group id="V-204410"><title>SRG-OS-000266-GPOS-00101</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204410r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-010150</version><title>The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed or new passwords are established, the new password must contain at least one special character.</title><description>&lt;VulnDiscussion&gt;Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
++If the value of "dcredit" is not set to a negative value, this is a finding.</check-content></check></Rule></Group><Group id="V-204410"><title>SRG-OS-000266-GPOS-00101</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204410r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-010150</version><title>The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed or new passwords are established, the new password must contain at least one special character.</title><description>&lt;VulnDiscussion&gt;Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
+ 
+ Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86533</ident><ident system="http://cyber.mil/legacy">V-71909</ident><ident system="http://cyber.mil/cci">CCI-001619</ident><fixtext fixref="F-4534r88423_fix">Configure the operating system to enforce password complexity by requiring that at least one special character be used by setting the "ocredit" option.
+ 
+@@ -504,9 +504,9 @@ Check the value for "ocredit" in "/etc/security/pwquality.conf" with the followi
+ # grep ocredit /etc/security/pwquality.conf 
+ ocredit=-1
+ 
+-If the value of "ocredit" is not set to a negative value, this is a finding.</check-content></check></Rule></Group><Group id="V-204411"><title>SRG-OS-000072-GPOS-00040</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204411r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-010160</version><title>The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed a minimum of eight of the total number of characters must be changed.</title><description>&lt;VulnDiscussion&gt;Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
++If the value of "ocredit" is not set to a negative value, this is a finding.</check-content></check></Rule></Group><Group id="V-204411"><title>SRG-OS-000072-GPOS-00040</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204411r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-010160</version><title>The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed a minimum of eight of the total number of characters must be changed.</title><description>&lt;VulnDiscussion&gt;Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
+ 
+-Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-71911</ident><ident system="http://cyber.mil/legacy">SV-86535</ident><ident system="http://cyber.mil/cci">CCI-000195</ident><fixtext fixref="F-4535r88426_fix">Configure the operating system to require the change of at least eight of the total number of characters when passwords are changed by setting the "difok" option.
++Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86535</ident><ident system="http://cyber.mil/legacy">V-71911</ident><ident system="http://cyber.mil/cci">CCI-000195</ident><fixtext fixref="F-4535r88426_fix">Configure the operating system to require the change of at least eight of the total number of characters when passwords are changed by setting the "difok" option.
+ 
+ Add the following line to "/etc/security/pwquality.conf" (or modify the line to have the required value):
+ 
+@@ -517,9 +517,9 @@ Check for the value of the "difok" option in "/etc/security/pwquality.conf" with
+ # grep difok /etc/security/pwquality.conf 
+ difok = 8
+ 
+-If the value of "difok" is set to less than "8", this is a finding.</check-content></check></Rule></Group><Group id="V-204412"><title>SRG-OS-000072-GPOS-00040</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204412r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-010170</version><title>The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed a minimum of four character classes must be changed.</title><description>&lt;VulnDiscussion&gt;Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
++If the value of "difok" is set to less than "8", this is a finding.</check-content></check></Rule></Group><Group id="V-204412"><title>SRG-OS-000072-GPOS-00040</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204412r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-010170</version><title>The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed a minimum of four character classes must be changed.</title><description>&lt;VulnDiscussion&gt;Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
+ 
+-Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-71913</ident><ident system="http://cyber.mil/legacy">SV-86537</ident><ident system="http://cyber.mil/cci">CCI-000195</ident><fixtext fixref="F-4536r88429_fix">Configure the operating system to require the change of at least four character classes when passwords are changed by setting the "minclass" option.
++Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86537</ident><ident system="http://cyber.mil/legacy">V-71913</ident><ident system="http://cyber.mil/cci">CCI-000195</ident><fixtext fixref="F-4536r88429_fix">Configure the operating system to require the change of at least four character classes when passwords are changed by setting the "minclass" option.
+ 
+ Add the following line to "/etc/security/pwquality.conf conf" (or modify the line to have the required value):
+ 
+@@ -530,9 +530,9 @@ Check for the value of the "minclass" option in "/etc/security/pwquality.conf" w
+ # grep minclass /etc/security/pwquality.conf 
+ minclass = 4
+ 
+-If the value of "minclass" is set to less than "4", this is a finding.</check-content></check></Rule></Group><Group id="V-204413"><title>SRG-OS-000072-GPOS-00040</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204413r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-010180</version><title>The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed the number of repeating consecutive characters must not be more than three characters.</title><description>&lt;VulnDiscussion&gt;Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
++If the value of "minclass" is set to less than "4", this is a finding.</check-content></check></Rule></Group><Group id="V-204413"><title>SRG-OS-000072-GPOS-00040</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204413r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-010180</version><title>The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed the number of repeating consecutive characters must not be more than three characters.</title><description>&lt;VulnDiscussion&gt;Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
+ 
+-Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-71915</ident><ident system="http://cyber.mil/legacy">SV-86539</ident><ident system="http://cyber.mil/cci">CCI-000195</ident><fixtext fixref="F-4537r88432_fix">Configure the operating system to require the change of the number of repeating consecutive characters when passwords are changed by setting the "maxrepeat" option.
++Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86539</ident><ident system="http://cyber.mil/legacy">V-71915</ident><ident system="http://cyber.mil/cci">CCI-000195</ident><fixtext fixref="F-4537r88432_fix">Configure the operating system to require the change of the number of repeating consecutive characters when passwords are changed by setting the "maxrepeat" option.
+ 
+ Add the following line to "/etc/security/pwquality.conf conf" (or modify the line to have the required value):
+ 
+@@ -543,9 +543,9 @@ Check for the value of the "maxrepeat" option in "/etc/security/pwquality.conf"
+ # grep maxrepeat /etc/security/pwquality.conf 
+ maxrepeat = 3
+ 
+-If the value of "maxrepeat" is set to more than "3", this is a finding.</check-content></check></Rule></Group><Group id="V-204414"><title>SRG-OS-000072-GPOS-00040</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204414r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-010190</version><title>The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed the number of repeating characters of the same character class must not be more than four characters.</title><description>&lt;VulnDiscussion&gt;Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
++If the value of "maxrepeat" is set to more than "3", this is a finding.</check-content></check></Rule></Group><Group id="V-204414"><title>SRG-OS-000072-GPOS-00040</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204414r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-010190</version><title>The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed the number of repeating characters of the same character class must not be more than four characters.</title><description>&lt;VulnDiscussion&gt;Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
+ 
+-Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-71917</ident><ident system="http://cyber.mil/legacy">SV-86541</ident><ident system="http://cyber.mil/cci">CCI-000195</ident><fixtext fixref="F-4538r88435_fix">Configure the operating system to require the change of the number of repeating characters of the same character class when passwords are changed by setting the "maxclassrepeat" option.
++Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86541</ident><ident system="http://cyber.mil/legacy">V-71917</ident><ident system="http://cyber.mil/cci">CCI-000195</ident><fixtext fixref="F-4538r88435_fix">Configure the operating system to require the change of the number of repeating characters of the same character class when passwords are changed by setting the "maxclassrepeat" option.
+ 
+ Add the following line to "/etc/security/pwquality.conf" conf (or modify the line to have the required value):
+ 
+@@ -556,7 +556,7 @@ Check for the value of the "maxclassrepeat" option in "/etc/security/pwquality.c
+ # grep maxclassrepeat /etc/security/pwquality.conf 
+ maxclassrepeat = 4
+ 
+-If the value of "maxclassrepeat" is set to more than "4", this is a finding.</check-content></check></Rule></Group><Group id="V-204415"><title>SRG-OS-000073-GPOS-00041</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204415r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-010200</version><title>The Red Hat Enterprise Linux operating system must be configured so that the PAM system service is configured to store only encrypted representations of passwords.</title><description>&lt;VulnDiscussion&gt;Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Passwords encrypted with a weak algorithm are no more protected than if they are kept in plain text.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-71919</ident><ident system="http://cyber.mil/legacy">SV-86543</ident><ident system="http://cyber.mil/cci">CCI-000196</ident><fixtext fixref="F-4539r88438_fix">Configure the operating system to store only SHA512 encrypted representations of passwords.
++If the value of "maxclassrepeat" is set to more than "4", this is a finding.</check-content></check></Rule></Group><Group id="V-204415"><title>SRG-OS-000073-GPOS-00041</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204415r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-010200</version><title>The Red Hat Enterprise Linux operating system must be configured so that the PAM system service is configured to store only encrypted representations of passwords.</title><description>&lt;VulnDiscussion&gt;Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Passwords encrypted with a weak algorithm are no more protected than if they are kept in plain text.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86543</ident><ident system="http://cyber.mil/legacy">V-71919</ident><ident system="http://cyber.mil/cci">CCI-000196</ident><fixtext fixref="F-4539r88438_fix">Configure the operating system to store only SHA512 encrypted representations of passwords.
+ 
+ Add the following line in "/etc/pam.d/system-auth":
+ pam_unix.so sha512 shadow try_first_pass use_authtok
+@@ -574,7 +574,7 @@ Outcome should look like following:
+ /etc/pam.d/system-auth-ac:password    sufficient    pam_unix.so sha512 shadow try_first_pass use_authtok
+ /etc/pam.d/password-auth:password    sufficient    pam_unix.so sha512 shadow try_first_pass use_authtok
+ 
+-If the "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth" configuration files allow for password hashes other than SHA512 to be used, this is a finding.</check-content></check></Rule></Group><Group id="V-204416"><title>SRG-OS-000073-GPOS-00041</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204416r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-010210</version><title>The Red Hat Enterprise Linux operating system must be configured to use the shadow file to store only encrypted representations of passwords.</title><description>&lt;VulnDiscussion&gt;Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Passwords encrypted with a weak algorithm are no more protected than if they are kept in plain text.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-71921</ident><ident system="http://cyber.mil/legacy">SV-86545</ident><ident system="http://cyber.mil/cci">CCI-000196</ident><fixtext fixref="F-4540r88441_fix">Configure the operating system to store only SHA512 encrypted representations of passwords.
++If the "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth" configuration files allow for password hashes other than SHA512 to be used, this is a finding.</check-content></check></Rule></Group><Group id="V-204416"><title>SRG-OS-000073-GPOS-00041</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204416r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-010210</version><title>The Red Hat Enterprise Linux operating system must be configured to use the shadow file to store only encrypted representations of passwords.</title><description>&lt;VulnDiscussion&gt;Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Passwords encrypted with a weak algorithm are no more protected than if they are kept in plain text.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86545</ident><ident system="http://cyber.mil/legacy">V-71921</ident><ident system="http://cyber.mil/cci">CCI-000196</ident><fixtext fixref="F-4540r88441_fix">Configure the operating system to store only SHA512 encrypted representations of passwords.
+ 
+ Add or update the following line in "/etc/login.defs":
+ 
+@@ -585,7 +585,7 @@ Check that the system is configured to create SHA512 hashed passwords with the f
+ # grep -i encrypt /etc/login.defs
+ ENCRYPT_METHOD SHA512
+ 
+-If the "/etc/login.defs" configuration file does not exist or allows for password hashes other than SHA512 to be used, this is a finding.</check-content></check></Rule></Group><Group id="V-204417"><title>SRG-OS-000073-GPOS-00041</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204417r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-010220</version><title>The Red Hat Enterprise Linux operating system must be configured so that user and group account administration utilities are configured to store only encrypted representations of passwords.</title><description>&lt;VulnDiscussion&gt;Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Passwords encrypted with a weak algorithm are no more protected than if they are kept in plain text.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-71923</ident><ident system="http://cyber.mil/legacy">SV-86547</ident><ident system="http://cyber.mil/cci">CCI-000196</ident><fixtext fixref="F-4541r88444_fix">Configure the operating system to store only SHA512 encrypted representations of passwords.
++If the "/etc/login.defs" configuration file does not exist or allows for password hashes other than SHA512 to be used, this is a finding.</check-content></check></Rule></Group><Group id="V-204417"><title>SRG-OS-000073-GPOS-00041</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204417r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-010220</version><title>The Red Hat Enterprise Linux operating system must be configured so that user and group account administration utilities are configured to store only encrypted representations of passwords.</title><description>&lt;VulnDiscussion&gt;Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Passwords encrypted with a weak algorithm are no more protected than if they are kept in plain text.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86547</ident><ident system="http://cyber.mil/legacy">V-71923</ident><ident system="http://cyber.mil/cci">CCI-000196</ident><fixtext fixref="F-4541r88444_fix">Configure the operating system to store only SHA512 encrypted representations of passwords.
+ 
+ Add or update the following line in "/etc/libuser.conf" in the [defaults] section: 
+ 
+@@ -597,7 +597,7 @@ Check that the system is configured to create "SHA512" hashed passwords with the
+ 
+ crypt_style = sha512
+ 
+-If the "crypt_style" variable is not set to "sha512", is not in the defaults section, is commented out, or does not exist, this is a finding.</check-content></check></Rule></Group><Group id="V-204418"><title>SRG-OS-000075-GPOS-00043</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204418r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-010230</version><title>The Red Hat Enterprise Linux operating system must be configured so that passwords for new users are restricted to a 24 hours/1 day minimum lifetime.</title><description>&lt;VulnDiscussion&gt;Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. If users are allowed to immediately and continually change their password, the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-71925</ident><ident system="http://cyber.mil/legacy">SV-86549</ident><ident system="http://cyber.mil/cci">CCI-000198</ident><fixtext fixref="F-4542r88447_fix">Configure the operating system to enforce 24 hours/1 day as the minimum password lifetime.
++If the "crypt_style" variable is not set to "sha512", is not in the defaults section, is commented out, or does not exist, this is a finding.</check-content></check></Rule></Group><Group id="V-204418"><title>SRG-OS-000075-GPOS-00043</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204418r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-010230</version><title>The Red Hat Enterprise Linux operating system must be configured so that passwords for new users are restricted to a 24 hours/1 day minimum lifetime.</title><description>&lt;VulnDiscussion&gt;Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. If users are allowed to immediately and continually change their password, the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86549</ident><ident system="http://cyber.mil/legacy">V-71925</ident><ident system="http://cyber.mil/cci">CCI-000198</ident><fixtext fixref="F-4542r88447_fix">Configure the operating system to enforce 24 hours/1 day as the minimum password lifetime.
+ 
+ Add the following line in "/etc/login.defs" (or modify the line to have the required value):
+ 
+@@ -608,13 +608,13 @@ Check for the value of "PASS_MIN_DAYS" in "/etc/login.defs" with the following c
+ # grep -i pass_min_days /etc/login.defs
+ PASS_MIN_DAYS     1
+ 
+-If the "PASS_MIN_DAYS" parameter value is not "1" or greater, or is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-204419"><title>SRG-OS-000075-GPOS-00043</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204419r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-010240</version><title>The Red Hat Enterprise Linux operating system must be configured so that passwords are restricted to a 24 hours/1 day minimum lifetime.</title><description>&lt;VulnDiscussion&gt;Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. If users are allowed to immediately and continually change their password, the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-71927</ident><ident system="http://cyber.mil/legacy">SV-86551</ident><ident system="http://cyber.mil/cci">CCI-000198</ident><fixtext fixref="F-4543r88450_fix">Configure non-compliant accounts to enforce a 24 hours/1 day minimum password lifetime:
++If the "PASS_MIN_DAYS" parameter value is not "1" or greater, or is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-204419"><title>SRG-OS-000075-GPOS-00043</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204419r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-010240</version><title>The Red Hat Enterprise Linux operating system must be configured so that passwords are restricted to a 24 hours/1 day minimum lifetime.</title><description>&lt;VulnDiscussion&gt;Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. If users are allowed to immediately and continually change their password, the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86551</ident><ident system="http://cyber.mil/legacy">V-71927</ident><ident system="http://cyber.mil/cci">CCI-000198</ident><fixtext fixref="F-4543r88450_fix">Configure non-compliant accounts to enforce a 24 hours/1 day minimum password lifetime:
+ 
+ # chage -m 1 [user]</fixtext><fix id="F-4543r88450_fix" /><check system="C-4543r88449_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Check whether the minimum time period between password changes for each user account is one day or greater.
+ 
+ # awk -F: '$4 &lt; 1 {print $1 " " $4}' /etc/shadow
+ 
+-If any results are returned that are not associated with a system account, this is a finding.</check-content></check></Rule></Group><Group id="V-204420"><title>SRG-OS-000076-GPOS-00044</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204420r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-010250</version><title>The Red Hat Enterprise Linux operating system must be configured so that passwords for new users are restricted to a 60-day maximum lifetime.</title><description>&lt;VulnDiscussion&gt;Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If the operating system does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the operating system passwords could be compromised.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86553</ident><ident system="http://cyber.mil/legacy">V-71929</ident><ident system="http://cyber.mil/cci">CCI-000199</ident><fixtext fixref="F-4544r88453_fix">Configure the operating system to enforce a 60-day maximum password lifetime restriction.
++If any results are returned that are not associated with a system account, this is a finding.</check-content></check></Rule></Group><Group id="V-204420"><title>SRG-OS-000076-GPOS-00044</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204420r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-010250</version><title>The Red Hat Enterprise Linux operating system must be configured so that passwords for new users are restricted to a 60-day maximum lifetime.</title><description>&lt;VulnDiscussion&gt;Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If the operating system does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the operating system passwords could be compromised.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86553</ident><ident system="http://cyber.mil/legacy">V-71929</ident><ident system="http://cyber.mil/cci">CCI-000199</ident><fixtext fixref="F-4544r88453_fix">Configure the operating system to enforce a 60-day maximum password lifetime restriction.
+ 
+ Add the following line in "/etc/login.defs" (or modify the line to have the required value):
+ 
+@@ -627,14 +627,14 @@ Check for the value of "PASS_MAX_DAYS" in "/etc/login.defs" with the following c
+ # grep -i pass_max_days /etc/login.defs
+ PASS_MAX_DAYS 60
+ 
+-If the "PASS_MAX_DAYS" parameter value is not 60 or less, or is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-204421"><title>SRG-OS-000076-GPOS-00044</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204421r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-010260</version><title>The Red Hat Enterprise Linux operating system must be configured so that existing passwords are restricted to a 60-day maximum lifetime.</title><description>&lt;VulnDiscussion&gt;Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If the operating system does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the operating system passwords could be compromised.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86555</ident><ident system="http://cyber.mil/legacy">V-71931</ident><ident system="http://cyber.mil/cci">CCI-000199</ident><fixtext fixref="F-4545r88456_fix">Configure non-compliant accounts to enforce a 60-day maximum password lifetime restriction.
++If the "PASS_MAX_DAYS" parameter value is not 60 or less, or is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-204421"><title>SRG-OS-000076-GPOS-00044</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204421r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-010260</version><title>The Red Hat Enterprise Linux operating system must be configured so that existing passwords are restricted to a 60-day maximum lifetime.</title><description>&lt;VulnDiscussion&gt;Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If the operating system does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the operating system passwords could be compromised.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-71931</ident><ident system="http://cyber.mil/legacy">SV-86555</ident><ident system="http://cyber.mil/cci">CCI-000199</ident><fixtext fixref="F-4545r88456_fix">Configure non-compliant accounts to enforce a 60-day maximum password lifetime restriction.
+ 
+ # chage -M 60 [user]</fixtext><fix id="F-4545r88456_fix" /><check system="C-4545r88455_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Check whether the maximum time period for existing passwords is restricted to 60 days.
+ 
+ # awk -F: '$5 &gt; 60 {print $1 " " $5}' /etc/shadow
+ 
+ If any results are returned that are not associated with a system account, this is a finding.
+-</check-content></check></Rule></Group><Group id="V-204422"><title>SRG-OS-000077-GPOS-00045</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204422r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-010270</version><title>The Red Hat Enterprise Linux operating system must be configured so that passwords are prohibited from reuse for a minimum of five generations.</title><description>&lt;VulnDiscussion&gt;Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. If the information system or application allows the user to consecutively reuse their password when that password has exceeded its defined lifetime, the end result is a password that is not changed per policy requirements.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86557</ident><ident system="http://cyber.mil/legacy">V-71933</ident><ident system="http://cyber.mil/cci">CCI-000200</ident><fixtext fixref="F-4546r88459_fix">Configure the operating system to prohibit password reuse for a minimum of five generations.
++</check-content></check></Rule></Group><Group id="V-204422"><title>SRG-OS-000077-GPOS-00045</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204422r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-010270</version><title>The Red Hat Enterprise Linux operating system must be configured so that passwords are prohibited from reuse for a minimum of five generations.</title><description>&lt;VulnDiscussion&gt;Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. If the information system or application allows the user to consecutively reuse their password when that password has exceeded its defined lifetime, the end result is a password that is not changed per policy requirements.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-71933</ident><ident system="http://cyber.mil/legacy">SV-86557</ident><ident system="http://cyber.mil/cci">CCI-000200</ident><fixtext fixref="F-4546r88459_fix">Configure the operating system to prohibit password reuse for a minimum of five generations.
+ 
+ Add the following line in "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth" (or modify the line to have the required value):
+ 
+@@ -648,9 +648,9 @@ Check for the value of the "remember" argument in "/etc/pam.d/system-auth" and "
+ 
+ password    requisite     pam_pwhistory.so use_authtok remember=5 retry=3
+ 
+-If the line containing the "pam_pwhistory.so" line does not have the "remember" module argument set, is commented out, or the value of the "remember" module argument is set to less than "5", this is a finding.</check-content></check></Rule></Group><Group id="V-204423"><title>SRG-OS-000078-GPOS-00046</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204423r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-010280</version><title>The Red Hat Enterprise Linux operating system must be configured so that passwords are a minimum of 15 characters in length.</title><description>&lt;VulnDiscussion&gt;The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised.
++If the line containing the "pam_pwhistory.so" line does not have the "remember" module argument set, is commented out, or the value of the "remember" module argument is set to less than "5", this is a finding.</check-content></check></Rule></Group><Group id="V-204423"><title>SRG-OS-000078-GPOS-00046</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204423r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-010280</version><title>The Red Hat Enterprise Linux operating system must be configured so that passwords are a minimum of 15 characters in length.</title><description>&lt;VulnDiscussion&gt;The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised.
+ 
+-Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. Use of more characters in a password helps to exponentially increase the time and/or resources required to compromise the password.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86559</ident><ident system="http://cyber.mil/legacy">V-71935</ident><ident system="http://cyber.mil/cci">CCI-000205</ident><fixtext fixref="F-4547r88462_fix">Configure operating system to enforce a minimum 15-character password length.
++Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. Use of more characters in a password helps to exponentially increase the time and/or resources required to compromise the password.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-71935</ident><ident system="http://cyber.mil/legacy">SV-86559</ident><ident system="http://cyber.mil/cci">CCI-000205</ident><fixtext fixref="F-4547r88462_fix">Configure operating system to enforce a minimum 15-character password length.
+ 
+ Add the following line to "/etc/security/pwquality.conf" (or modify the line to have the required value):
+ 
+@@ -661,7 +661,7 @@ Check for the value of the "minlen" option in "/etc/security/pwquality.conf" wit
+ # grep minlen /etc/security/pwquality.conf
+ minlen = 15
+ 
+-If the command does not return a "minlen" value of 15 or greater, this is a finding.</check-content></check></Rule></Group><Group id="V-204424"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204424r505924_rule" weight="10.0" severity="high"><version>RHEL-07-010290</version><title>The Red Hat Enterprise Linux operating system must not have accounts configured with blank or null passwords.</title><description>&lt;VulnDiscussion&gt;If an account has an empty password, anyone could log on and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-71937</ident><ident system="http://cyber.mil/legacy">SV-86561</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4548r88465_fix">If an account is configured for password authentication but does not have an assigned password, it may be possible to log on to the account without authenticating.
++If the command does not return a "minlen" value of 15 or greater, this is a finding.</check-content></check></Rule></Group><Group id="V-204424"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204424r603261_rule" weight="10.0" severity="high"><version>RHEL-07-010290</version><title>The Red Hat Enterprise Linux operating system must not have accounts configured with blank or null passwords.</title><description>&lt;VulnDiscussion&gt;If an account has an empty password, anyone could log on and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86561</ident><ident system="http://cyber.mil/legacy">V-71937</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4548r88465_fix">If an account is configured for password authentication but does not have an assigned password, it may be possible to log on to the account without authenticating.
+ 
+ Remove any instances of the "nullok" option in "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth" to prevent logons with empty passwords.
+ 
+@@ -671,7 +671,7 @@ Note: Manual changes to the listed files may be overwritten by the "authconfig"
+ 
+ If this produces any output, it may be possible to log on with accounts with empty passwords.
+ 
+-If null passwords can be used, this is a finding.</check-content></check></Rule></Group><Group id="V-204425"><title>SRG-OS-000106-GPOS-00053</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204425r505924_rule" weight="10.0" severity="high"><version>RHEL-07-010300</version><title>The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not allow authentication using an empty password.</title><description>&lt;VulnDiscussion&gt;Configuring this setting for the SSH daemon provides additional assurance that remote logon via SSH will require a password, even in the event of misconfiguration elsewhere.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86563</ident><ident system="http://cyber.mil/legacy">V-71939</ident><ident system="http://cyber.mil/cci">CCI-000766</ident><fixtext fixref="F-4549r88468_fix">To explicitly disallow remote logon from accounts with empty passwords, add or correct the following line in "/etc/ssh/sshd_config":
++If null passwords can be used, this is a finding.</check-content></check></Rule></Group><Group id="V-204425"><title>SRG-OS-000106-GPOS-00053</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204425r603261_rule" weight="10.0" severity="high"><version>RHEL-07-010300</version><title>The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not allow authentication using an empty password.</title><description>&lt;VulnDiscussion&gt;Configuring this setting for the SSH daemon provides additional assurance that remote logon via SSH will require a password, even in the event of misconfiguration elsewhere.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86563</ident><ident system="http://cyber.mil/legacy">V-71939</ident><ident system="http://cyber.mil/cci">CCI-000766</ident><fixtext fixref="F-4549r88468_fix">To explicitly disallow remote logon from accounts with empty passwords, add or correct the following line in "/etc/ssh/sshd_config":
+ 
+ PermitEmptyPasswords no
+ 
+@@ -682,7 +682,7 @@ PermitEmptyPasswords no
+ 
+ If no line, a commented line, or a line indicating the value "no" is returned, the required value is set.
+ 
+-If the required value is not set, this is a finding.</check-content></check></Rule></Group><Group id="V-204426"><title>SRG-OS-000118-GPOS-00060</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204426r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-010310</version><title>The Red Hat Enterprise Linux operating system must disable account identifiers (individuals, groups, roles, and devices) if the password expires.</title><description>&lt;VulnDiscussion&gt;Inactive identifiers pose a risk to systems and applications because attackers may exploit an inactive identifier and potentially obtain undetected access to the system. Owners of inactive accounts will not notice if unauthorized access to their user account has been obtained.
++If the required value is not set, this is a finding.</check-content></check></Rule></Group><Group id="V-204426"><title>SRG-OS-000118-GPOS-00060</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204426r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-010310</version><title>The Red Hat Enterprise Linux operating system must disable account identifiers (individuals, groups, roles, and devices) if the password expires.</title><description>&lt;VulnDiscussion&gt;Inactive identifiers pose a risk to systems and applications because attackers may exploit an inactive identifier and potentially obtain undetected access to the system. Owners of inactive accounts will not notice if unauthorized access to their user account has been obtained.
+ 
+ Operating systems need to track periods of inactivity and disable application identifiers after zero days of inactivity.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86565</ident><ident system="http://cyber.mil/legacy">V-71941</ident><ident system="http://cyber.mil/cci">CCI-000795</ident><fixtext fixref="F-4550r88471_fix">Configure the operating system to disable account identifiers (individuals, groups, roles, and devices) after the password expires.
+ 
+@@ -695,18 +695,18 @@ Verify the operating system disables account identifiers (individuals, groups, r
+ # grep -i inactive /etc/default/useradd
+ INACTIVE=0
+ 
+-If the value is not set to "0", is commented out, or is not defined, this is a finding.</check-content></check></Rule></Group><Group id="V-204427"><title>SRG-OS-000329-GPOS-00128</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204427r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-010320</version><title>The Red Hat Enterprise Linux operating system must be configured to lock accounts for a minimum of 15 minutes after three unsuccessful logon attempts within a 15-minute timeframe.</title><description>&lt;VulnDiscussion&gt;By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by locking the account.
++If the value is not set to "0", is commented out, or is not defined, this is a finding.</check-content></check></Rule></Group><Group id="V-204427"><title>SRG-OS-000329-GPOS-00128</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204427r603824_rule" weight="10.0" severity="medium"><version>RHEL-07-010320</version><title>The Red Hat Enterprise Linux operating system must be configured to lock accounts for a minimum of 15 minutes after three unsuccessful logon attempts within a 15-minute timeframe.</title><description>&lt;VulnDiscussion&gt;By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by locking the account.
+ 
+-Satisfies: SRG-OS-000329-GPOS-00128, SRG-OS-000021-GPOS-00005&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-71943</ident><ident system="http://cyber.mil/legacy">SV-86567</ident><ident system="http://cyber.mil/cci">CCI-000044</ident><ident system="http://cyber.mil/cci">CCI-002236</ident><ident system="http://cyber.mil/cci">CCI-002237</ident><ident system="http://cyber.mil/cci">CCI-002238</ident><fixtext fixref="F-4551r462529_fix">Configure the operating system to lock an account for the maximum period when three unsuccessful logon attempts in 15 minutes are made.
++Satisfies: SRG-OS-000329-GPOS-00128, SRG-OS-000021-GPOS-00005&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-71943</ident><ident system="http://cyber.mil/legacy">SV-86567</ident><ident system="http://cyber.mil/cci">CCI-000044</ident><ident system="http://cyber.mil/cci">CCI-002236</ident><ident system="http://cyber.mil/cci">CCI-002237</ident><ident system="http://cyber.mil/cci">CCI-002238</ident><fixtext fixref="F-4551r603823_fix">Configure the operating system to lock an account for the maximum period when three unsuccessful logon attempts in 15 minutes are made.
+ 
+-Modify the first three lines of the auth section and the first line of the account section of the "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth" files to match the following lines:
++Add/Modify the appropriate sections of the "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth" files to match the following lines:
+ 
+ auth required pam_faillock.so preauth silent audit deny=3 even_deny_root fail_interval=900 unlock_time=900
+ auth sufficient pam_unix.so try_first_pass
+ auth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root fail_interval=900 unlock_time=900
+ account required pam_faillock.so   
+ 
+-Note: Manual changes to the listed files may be overwritten by the "authconfig" program. The "authconfig" program should not be used to update the configurations listed in this requirement.</fixtext><fix id="F-4551r462529_fix" /><check system="C-4551r462528_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Check that the system locks an account for a minimum of 15 minutes after three unsuccessful logon attempts within a period of 15 minutes with the following command:
++Note: Manual changes to the listed files may be overwritten by the "authconfig" program. The "authconfig" program should not be used to update the configurations listed in this requirement.</fixtext><fix id="F-4551r603823_fix" /><check system="C-4551r462528_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Check that the system locks an account for a minimum of 15 minutes after three unsuccessful logon attempts within a period of 15 minutes with the following command:
+ 
+ # grep pam_faillock.so /etc/pam.d/password-auth
+ 
+@@ -742,9 +742,9 @@ If the "unlock_time" parameter is not set to "0", "never", or is set to a value
+ 
+ Note: The maximum configurable value for "unlock_time" is "604800". 
+ 
+-If any line referencing the "pam_faillock.so" module is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-204428"><title>SRG-OS-000329-GPOS-00128</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204428r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-010330</version><title>The Red Hat Enterprise Linux operating system must lock the associated account after three unsuccessful root logon attempts are made within a 15-minute period.</title><description>&lt;VulnDiscussion&gt;By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute forcing, is reduced. Limits are imposed by locking the account.
++If any line referencing the "pam_faillock.so" module is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-204428"><title>SRG-OS-000329-GPOS-00128</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204428r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-010330</version><title>The Red Hat Enterprise Linux operating system must lock the associated account after three unsuccessful root logon attempts are made within a 15-minute period.</title><description>&lt;VulnDiscussion&gt;By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute forcing, is reduced. Limits are imposed by locking the account.
+ 
+-Satisfies: SRG-OS-000329-GPOS-00128, SRG-OS-000021-GPOS-00005&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-71945</ident><ident system="http://cyber.mil/legacy">SV-86569</ident><ident system="http://cyber.mil/cci">CCI-002238</ident><fixtext fixref="F-4552r88477_fix">Configure the operating system to lock automatically the root account until the locked account is released by an administrator when three unsuccessful logon attempts in 15 minutes are made.
++Satisfies: SRG-OS-000329-GPOS-00128, SRG-OS-000021-GPOS-00005&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86569</ident><ident system="http://cyber.mil/legacy">V-71945</ident><ident system="http://cyber.mil/cci">CCI-002238</ident><fixtext fixref="F-4552r88477_fix">Configure the operating system to lock automatically the root account until the locked account is released by an administrator when three unsuccessful logon attempts in 15 minutes are made.
+ 
+ Modify the first three lines of the auth section and the first line of the account section of the "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth" files to match the following lines:
+ 
+@@ -767,11 +767,11 @@ auth required pam_faillock.so preauth silent audit deny=3 even_deny_root fail_in
+ auth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root fail_interval=900 unlock_time=900
+ account required pam_faillock.so
+ 
+-If the "even_deny_root" setting is not defined on both lines with the "pam_faillock.so" module, is commented out, or is missing from a line, this is a finding.</check-content></check></Rule></Group><Group id="V-204429"><title>SRG-OS-000373-GPOS-00156</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204429r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-010340</version><title>The Red Hat Enterprise Linux operating system must be configured so that users must provide a password for privilege escalation.</title><description>&lt;VulnDiscussion&gt;Without re-authentication, users may access resources or perform tasks for which they do not have authorization. 
++If the "even_deny_root" setting is not defined on both lines with the "pam_faillock.so" module, is commented out, or is missing from a line, this is a finding.</check-content></check></Rule></Group><Group id="V-204429"><title>SRG-OS-000373-GPOS-00156</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204429r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-010340</version><title>The Red Hat Enterprise Linux operating system must be configured so that users must provide a password for privilege escalation.</title><description>&lt;VulnDiscussion&gt;Without re-authentication, users may access resources or perform tasks for which they do not have authorization. 
+ 
+ When operating systems provide the capability to escalate a functional capability, it is critical the user re-authenticate.
+ 
+-Satisfies: SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-71947</ident><ident system="http://cyber.mil/legacy">SV-86571</ident><ident system="http://cyber.mil/cci">CCI-002038</ident><fixtext fixref="F-4553r499373_fix">Configure the operating system to require users to supply a password for privilege escalation.
++Satisfies: SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-71947</ident><ident system="http://cyber.mil/legacy">SV-86571</ident><ident system="http://cyber.mil/cci">CCI-002038</ident><fixtext fixref="F-36303r602619_fix">Configure the operating system to require users to supply a password for privilege escalation.
+ 
+ Check the configuration of the "/etc/sudoers" file with the following command:
+ # visudo
+@@ -781,17 +781,17 @@ Remove any occurrences of "NOPASSWD" tags in the file.
+ Check the configuration of the /etc/sudoers.d/* files with the following command:
+ # grep -i nopasswd /etc/sudoers.d/*
+ 
+-Remove any occurrences of "NOPASSWD" tags in the file.</fixtext><fix id="F-4553r499373_fix" /><check system="C-4553r499372_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the operating system requires users to supply a password for privilege escalation.
++Remove any occurrences of "NOPASSWD" tags in the file.</fixtext><fix id="F-36303r602619_fix" /><check system="C-36340r602618_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the operating system requires users to supply a password for privilege escalation.
+ 
+ Check the configuration of the "/etc/sudoers" and "/etc/sudoers.d/*" files with the following command:
+ 
+ # grep -i nopasswd /etc/sudoers /etc/sudoers.d/*
+ 
+-If any occurrences of "NOPASSWD" are returned from the command and have not been documented with the Information System Security Officer (ISSO) as an organizationally defined administrative group utilizing MFA, this is a finding.</check-content></check></Rule></Group><Group id="V-204430"><title>SRG-OS-000373-GPOS-00156</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204430r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-010350</version><title>The Red Hat Enterprise Linux operating system must be configured so that users must re-authenticate for privilege escalation.</title><description>&lt;VulnDiscussion&gt;Without re-authentication, users may access resources or perform tasks for which they do not have authorization. 
++If any occurrences of "NOPASSWD" are returned from the command and have not been documented with the Information System Security Officer (ISSO) as an organizationally defined administrative group utilizing MFA, this is a finding.</check-content></check></Rule></Group><Group id="V-204430"><title>SRG-OS-000373-GPOS-00156</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204430r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-010350</version><title>The Red Hat Enterprise Linux operating system must be configured so that users must re-authenticate for privilege escalation.</title><description>&lt;VulnDiscussion&gt;Without re-authentication, users may access resources or perform tasks for which they do not have authorization. 
+ 
+ When operating systems provide the capability to escalate a functional capability, it is critical the user reauthenticate.
+ 
+-Satisfies: SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-71949</ident><ident system="http://cyber.mil/legacy">SV-86573</ident><ident system="http://cyber.mil/cci">CCI-002038</ident><fixtext fixref="F-4554r88483_fix">Configure the operating system to require users to reauthenticate for privilege escalation.
++Satisfies: SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86573</ident><ident system="http://cyber.mil/legacy">V-71949</ident><ident system="http://cyber.mil/cci">CCI-002038</ident><fixtext fixref="F-4554r88483_fix">Configure the operating system to require users to reauthenticate for privilege escalation.
+ 
+ Check the configuration of the "/etc/sudoers" file with the following command:
+ 
+@@ -807,7 +807,7 @@ Check the configuration of the "/etc/sudoers" and "/etc/sudoers.d/*" files with
+ 
+ # grep -i authenticate /etc/sudoers /etc/sudoers.d/*
+ 
+-If any uncommented line is found with a "!authenticate" tag, this is a finding.</check-content></check></Rule></Group><Group id="V-204431"><title>SRG-OS-000480-GPOS-00226</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204431r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-010430</version><title>The Red Hat Enterprise Linux operating system must be configured so that the delay between logon prompts following a failed console logon attempt is at least four seconds.</title><description>&lt;VulnDiscussion&gt;Configuring the operating system to implement organization-wide security implementation guides and security checklists verifies compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements.
++If any uncommented line is found with a "!authenticate" tag, this is a finding.</check-content></check></Rule></Group><Group id="V-204431"><title>SRG-OS-000480-GPOS-00226</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204431r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-010430</version><title>The Red Hat Enterprise Linux operating system must be configured so that the delay between logon prompts following a failed console logon attempt is at least four seconds.</title><description>&lt;VulnDiscussion&gt;Configuring the operating system to implement organization-wide security implementation guides and security checklists verifies compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements.
+ 
+ Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example, registry settings; account, file, and directory permission settings; and settings for functions, ports, protocols, services, and remote connections.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86575</ident><ident system="http://cyber.mil/legacy">V-71951</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4555r88486_fix">Configure the operating system to enforce a delay of at least four seconds between logon prompts following a failed console logon attempt.
+ 
+@@ -820,7 +820,7 @@ Check the value of the "fail_delay" parameter in the "/etc/login.defs" file with
+ # grep -i fail_delay /etc/login.defs
+ FAIL_DELAY 4
+ 
+-If the value of "FAIL_DELAY" is not set to "4" or greater, or the line is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-204432"><title>SRG-OS-000480-GPOS-00229</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204432r505924_rule" weight="10.0" severity="high"><version>RHEL-07-010440</version><title>The Red Hat Enterprise Linux operating system must not allow an unattended or automatic logon to the system via a graphical user interface.</title><description>&lt;VulnDiscussion&gt;Failure to restrict system access to authenticated users negatively impacts operating system security.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-71953</ident><ident system="http://cyber.mil/legacy">SV-86577</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4556r88489_fix">Configure the operating system to not allow an unattended or automatic logon to the system via a graphical user interface.
++If the value of "FAIL_DELAY" is not set to "4" or greater, or the line is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-204432"><title>SRG-OS-000480-GPOS-00229</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204432r603261_rule" weight="10.0" severity="high"><version>RHEL-07-010440</version><title>The Red Hat Enterprise Linux operating system must not allow an unattended or automatic logon to the system via a graphical user interface.</title><description>&lt;VulnDiscussion&gt;Failure to restrict system access to authenticated users negatively impacts operating system security.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86577</ident><ident system="http://cyber.mil/legacy">V-71953</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4556r88489_fix">Configure the operating system to not allow an unattended or automatic logon to the system via a graphical user interface.
+ 
+ Note: If the system does not have GNOME installed, this requirement is Not Applicable.
+ 
+@@ -836,7 +836,7 @@ Check for the value of the "AutomaticLoginEnable" in the "/etc/gdm/custom.conf"
+ # grep -i automaticloginenable /etc/gdm/custom.conf
+ AutomaticLoginEnable=false
+ 
+-If the value of "AutomaticLoginEnable" is not set to "false", this is a finding.</check-content></check></Rule></Group><Group id="V-204433"><title>SRG-OS-000480-GPOS-00229</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204433r505924_rule" weight="10.0" severity="high"><version>RHEL-07-010450</version><title>The Red Hat Enterprise Linux operating system must not allow an unrestricted logon to the system.</title><description>&lt;VulnDiscussion&gt;Failure to restrict system access to authenticated users negatively impacts operating system security.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-71955</ident><ident system="http://cyber.mil/legacy">SV-86579</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4557r88492_fix">Configure the operating system to not allow an unrestricted account to log on to the system via a graphical user interface.
++If the value of "AutomaticLoginEnable" is not set to "false", this is a finding.</check-content></check></Rule></Group><Group id="V-204433"><title>SRG-OS-000480-GPOS-00229</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204433r603261_rule" weight="10.0" severity="high"><version>RHEL-07-010450</version><title>The Red Hat Enterprise Linux operating system must not allow an unrestricted logon to the system.</title><description>&lt;VulnDiscussion&gt;Failure to restrict system access to authenticated users negatively impacts operating system security.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86579</ident><ident system="http://cyber.mil/legacy">V-71955</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4557r88492_fix">Configure the operating system to not allow an unrestricted account to log on to the system via a graphical user interface.
+ 
+ Note: If the system does not have GNOME installed, this requirement is Not Applicable.
+ 
+@@ -852,7 +852,7 @@ Check for the value of the "TimedLoginEnable" parameter in "/etc/gdm/custom.conf
+ # grep -i timedloginenable /etc/gdm/custom.conf
+ TimedLoginEnable=false
+ 
+-If the value of "TimedLoginEnable" is not set to "false", this is a finding.</check-content></check></Rule></Group><Group id="V-204434"><title>SRG-OS-000480-GPOS-00229</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204434r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-010460</version><title>The Red Hat Enterprise Linux operating system must not allow users to override SSH environment variables.</title><description>&lt;VulnDiscussion&gt;Failure to restrict system access to authenticated users negatively impacts operating system security.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86581</ident><ident system="http://cyber.mil/legacy">V-71957</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4558r88495_fix">Configure the operating system to not allow users to override environment variables to the SSH daemon.
++If the value of "TimedLoginEnable" is not set to "false", this is a finding.</check-content></check></Rule></Group><Group id="V-204434"><title>SRG-OS-000480-GPOS-00229</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204434r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-010460</version><title>The Red Hat Enterprise Linux operating system must not allow users to override SSH environment variables.</title><description>&lt;VulnDiscussion&gt;Failure to restrict system access to authenticated users negatively impacts operating system security.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86581</ident><ident system="http://cyber.mil/legacy">V-71957</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4558r88495_fix">Configure the operating system to not allow users to override environment variables to the SSH daemon.
+ 
+ Edit the "/etc/ssh/sshd_config" file to uncomment or add the line for "PermitUserEnvironment" keyword and set the value to "no":
+ 
+@@ -865,7 +865,7 @@ Check for the value of the "PermitUserEnvironment" keyword with the following co
+ # grep -i permituserenvironment /etc/ssh/sshd_config
+ PermitUserEnvironment no
+ 
+-If the "PermitUserEnvironment" keyword is not set to "no", is missing, or is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-204435"><title>SRG-OS-000480-GPOS-00229</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204435r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-010470</version><title>The Red Hat Enterprise Linux operating system must not allow a non-certificate trusted host SSH logon to the system.</title><description>&lt;VulnDiscussion&gt;Failure to restrict system access to authenticated users negatively impacts operating system security.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86583</ident><ident system="http://cyber.mil/legacy">V-71959</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4559r88498_fix">Configure the operating system to not allow a non-certificate trusted host SSH logon to the system.
++If the "PermitUserEnvironment" keyword is not set to "no", is missing, or is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-204435"><title>SRG-OS-000480-GPOS-00229</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204435r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-010470</version><title>The Red Hat Enterprise Linux operating system must not allow a non-certificate trusted host SSH logon to the system.</title><description>&lt;VulnDiscussion&gt;Failure to restrict system access to authenticated users negatively impacts operating system security.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86583</ident><ident system="http://cyber.mil/legacy">V-71959</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4559r88498_fix">Configure the operating system to not allow a non-certificate trusted host SSH logon to the system.
+ 
+ Edit the "/etc/ssh/sshd_config" file to uncomment or add the line for "HostbasedAuthentication" keyword and set the value to "no":
+ 
+@@ -878,7 +878,7 @@ Check for the value of the "HostbasedAuthentication" keyword with the following
+ # grep -i hostbasedauthentication /etc/ssh/sshd_config
+ HostbasedAuthentication no
+ 
+-If the "HostbasedAuthentication" keyword is not set to "no", is missing, or is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-204436"><title>SRG-OS-000080-GPOS-00048</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204436r505924_rule" weight="10.0" severity="high"><version>RHEL-07-010480</version><title>Red Hat Enterprise Linux operating systems prior to version 7.2 with a Basic Input/Output System (BIOS) must require authentication upon booting into single-user and maintenance modes.</title><description>&lt;VulnDiscussion&gt;If the system does not require valid root authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for RHEL 7 and is designed to require a password to boot into single-user mode or make modifications to the boot menu.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86585</ident><ident system="http://cyber.mil/legacy">V-71961</ident><ident system="http://cyber.mil/cci">CCI-000213</ident><fixtext fixref="F-4560r88501_fix">Configure the system to encrypt the boot password for root.
++If the "HostbasedAuthentication" keyword is not set to "no", is missing, or is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-204436"><title>SRG-OS-000080-GPOS-00048</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204436r603261_rule" weight="10.0" severity="high"><version>RHEL-07-010480</version><title>Red Hat Enterprise Linux operating systems prior to version 7.2 with a Basic Input/Output System (BIOS) must require authentication upon booting into single-user and maintenance modes.</title><description>&lt;VulnDiscussion&gt;If the system does not require valid root authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for RHEL 7 and is designed to require a password to boot into single-user mode or make modifications to the boot menu.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-71961</ident><ident system="http://cyber.mil/legacy">SV-86585</ident><ident system="http://cyber.mil/cci">CCI-000213</ident><fixtext fixref="F-4560r88501_fix">Configure the system to encrypt the boot password for root.
+ 
+ Generate an encrypted grub2 password for root with the following command:
+ 
+@@ -912,7 +912,7 @@ password_pbkdf2 [superusers-account] [password-hash]
+ 
+ If the root password entry does not begin with "password_pbkdf2", this is a finding.
+ 
+-If the "superusers-account" is not set to "root", this is a finding.</check-content></check></Rule></Group><Group id="V-204437"><title>SRG-OS-000080-GPOS-00048</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204437r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-010481</version><title>The Red Hat Enterprise Linux operating system must require authentication upon booting into single-user and maintenance modes.</title><description>&lt;VulnDiscussion&gt;If the system does not require valid root authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-92519</ident><ident system="http://cyber.mil/legacy">V-77823</ident><ident system="http://cyber.mil/cci">CCI-000213</ident><fixtext fixref="F-4561r88504_fix">Configure the operating system to require authentication upon booting into single-user and maintenance modes.
++If the "superusers-account" is not set to "root", this is a finding.</check-content></check></Rule></Group><Group id="V-204437"><title>SRG-OS-000080-GPOS-00048</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204437r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-010481</version><title>The Red Hat Enterprise Linux operating system must require authentication upon booting into single-user and maintenance modes.</title><description>&lt;VulnDiscussion&gt;If the system does not require valid root authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-77823</ident><ident system="http://cyber.mil/legacy">SV-92519</ident><ident system="http://cyber.mil/cci">CCI-000213</ident><fixtext fixref="F-4561r88504_fix">Configure the operating system to require authentication upon booting into single-user and maintenance modes.
+ 
+ Add or modify the "ExecStart" line in "/usr/lib/systemd/system/rescue.service" to include "/usr/sbin/sulogin":
+ 
+@@ -924,7 +924,7 @@ Check that the operating system requires authentication upon booting into single
+ 
+ ExecStart=-/bin/sh -c "/usr/sbin/sulogin; /usr/bin/systemctl --fail --no-block default"
+ 
+-If "ExecStart" does not have "/usr/sbin/sulogin" as an option, this is a finding.</check-content></check></Rule></Group><Group id="V-204438"><title>SRG-OS-000080-GPOS-00048</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204438r505924_rule" weight="10.0" severity="high"><version>RHEL-07-010482</version><title>Red Hat Enterprise Linux operating systems version 7.2 or newer with a Basic Input/Output System (BIOS) must require authentication upon booting into single-user and maintenance modes.</title><description>&lt;VulnDiscussion&gt;If the system does not require valid root authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for RHEL 7 and is designed to require a password to boot into single-user mode or make modifications to the boot menu.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-81005</ident><ident system="http://cyber.mil/legacy">SV-95717</ident><ident system="http://cyber.mil/cci">CCI-000213</ident><fixtext fixref="F-4562r88507_fix">Configure the system to encrypt the boot password for root.
++If "ExecStart" does not have "/usr/sbin/sulogin" as an option, this is a finding.</check-content></check></Rule></Group><Group id="V-204438"><title>SRG-OS-000080-GPOS-00048</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204438r603261_rule" weight="10.0" severity="high"><version>RHEL-07-010482</version><title>Red Hat Enterprise Linux operating systems version 7.2 or newer with a Basic Input/Output System (BIOS) must require authentication upon booting into single-user and maintenance modes.</title><description>&lt;VulnDiscussion&gt;If the system does not require valid root authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for RHEL 7 and is designed to require a password to boot into single-user mode or make modifications to the boot menu.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-81005</ident><ident system="http://cyber.mil/legacy">SV-95717</ident><ident system="http://cyber.mil/cci">CCI-000213</ident><fixtext fixref="F-4562r88507_fix">Configure the system to encrypt the boot password for root.
+ 
+ Generate an encrypted grub2 password for root with the following command:
+ 
+@@ -954,7 +954,7 @@ Verify that the "root" account is set as the "superusers":
+     set superusers="root"
+     export superusers
+ 
+-If "superusers" is not set to "root", this is a finding.</check-content></check></Rule></Group><Group id="V-204439"><title>SRG-OS-000080-GPOS-00048</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204439r505924_rule" weight="10.0" severity="high"><version>RHEL-07-010490</version><title>Red Hat Enterprise Linux operating systems prior to version 7.2 using Unified Extensible Firmware Interface (UEFI) must require authentication upon booting into single-user and maintenance modes.</title><description>&lt;VulnDiscussion&gt;If the system does not require valid root authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for RHEL 7 and is designed to require a password to boot into single-user mode or make modifications to the boot menu.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86587</ident><ident system="http://cyber.mil/legacy">V-71963</ident><ident system="http://cyber.mil/cci">CCI-000213</ident><fixtext fixref="F-4563r88510_fix">Configure the system to encrypt the boot password for root.
++If "superusers" is not set to "root", this is a finding.</check-content></check></Rule></Group><Group id="V-204439"><title>SRG-OS-000080-GPOS-00048</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204439r603261_rule" weight="10.0" severity="high"><version>RHEL-07-010490</version><title>Red Hat Enterprise Linux operating systems prior to version 7.2 using Unified Extensible Firmware Interface (UEFI) must require authentication upon booting into single-user and maintenance modes.</title><description>&lt;VulnDiscussion&gt;If the system does not require valid root authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for RHEL 7 and is designed to require a password to boot into single-user mode or make modifications to the boot menu.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-71963</ident><ident system="http://cyber.mil/legacy">SV-86587</ident><ident system="http://cyber.mil/cci">CCI-000213</ident><fixtext fixref="F-4563r88510_fix">Configure the system to encrypt the boot password for root.
+ 
+ Generate an encrypted grub2 password for root with the following command:
+ 
+@@ -988,7 +988,7 @@ password_pbkdf2 [superusers-account] [password-hash]
+ 
+ If the root password entry does not begin with "password_pbkdf2", this is a finding.
+ 
+-If the "superusers-account" is not set to "root", this is a finding.</check-content></check></Rule></Group><Group id="V-204440"><title>SRG-OS-000080-GPOS-00048</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204440r505924_rule" weight="10.0" severity="high"><version>RHEL-07-010491</version><title>Red Hat Enterprise Linux operating systems version 7.2 or newer using Unified Extensible Firmware Interface (UEFI) must require authentication upon booting into single-user and maintenance modes.</title><description>&lt;VulnDiscussion&gt;If the system does not require valid root authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for RHEL 7 and is designed to require a password to boot into single-user mode or make modifications to the boot menu.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-95719</ident><ident system="http://cyber.mil/legacy">V-81007</ident><ident system="http://cyber.mil/cci">CCI-000213</ident><fixtext fixref="F-4564r88513_fix">Configure the system to encrypt the boot password for root.
++If the "superusers-account" is not set to "root", this is a finding.</check-content></check></Rule></Group><Group id="V-204440"><title>SRG-OS-000080-GPOS-00048</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204440r603261_rule" weight="10.0" severity="high"><version>RHEL-07-010491</version><title>Red Hat Enterprise Linux operating systems version 7.2 or newer using Unified Extensible Firmware Interface (UEFI) must require authentication upon booting into single-user and maintenance modes.</title><description>&lt;VulnDiscussion&gt;If the system does not require valid root authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for RHEL 7 and is designed to require a password to boot into single-user mode or make modifications to the boot menu.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-81007</ident><ident system="http://cyber.mil/legacy">SV-95719</ident><ident system="http://cyber.mil/cci">CCI-000213</ident><fixtext fixref="F-4564r88513_fix">Configure the system to encrypt the boot password for root.
+ 
+ Generate an encrypted grub2 password for root with the following command:
+ 
+@@ -1018,7 +1018,7 @@ Verify that the "root" account is set as the "superusers":
+     set superusers="root"
+     export superusers
+ 
+-If "superusers" is not set to "root", this is a finding.</check-content></check></Rule></Group><Group id="V-204441"><title>SRG-OS-000104-GPOS-00051</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204441r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-010500</version><title>The Red Hat Enterprise Linux operating system must uniquely identify and must authenticate organizational users (or processes acting on behalf of organizational users) using multifactor authentication.</title><description>&lt;VulnDiscussion&gt;To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and compromise of the system.
++If "superusers" is not set to "root", this is a finding.</check-content></check></Rule></Group><Group id="V-204441"><title>SRG-OS-000104-GPOS-00051</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204441r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-010500</version><title>The Red Hat Enterprise Linux operating system must uniquely identify and must authenticate organizational users (or processes acting on behalf of organizational users) using multifactor authentication.</title><description>&lt;VulnDiscussion&gt;To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and compromise of the system.
+ 
+ Organizational users include organizational employees or individuals the organization deems to have equivalent status of employees (e.g., contractors). Organizational users (and processes acting on behalf of users) must be uniquely identified and authenticated to all accesses, except for the following:
+ 
+@@ -1028,7 +1028,7 @@ and
+ 
+ 2) Accesses that occur through authorized use of group authenticators without individual authentication. Organizations may require unique identification of individuals in group accounts (e.g., shared privilege accounts) or for detailed accountability of individual activity.
+ 
+-Satisfies: SRG-OS-000104-GPOS-00051, SRG-OS-000106-GPOS-00053, SRG-OS-000107-GPOS-00054, SRG-OS-000109-GPOS-00056, SRG-OS-000108-GPOS-00055, SRG-OS-000108-GPOS-00057, SRG-OS-000108-GPOS-00058&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86589</ident><ident system="http://cyber.mil/legacy">V-71965</ident><ident system="http://cyber.mil/cci">CCI-000766</ident><fixtext fixref="F-4565r88516_fix">Configure the operating system to require individuals to be authenticated with a multifactor authenticator.
++Satisfies: SRG-OS-000104-GPOS-00051, SRG-OS-000106-GPOS-00053, SRG-OS-000107-GPOS-00054, SRG-OS-000109-GPOS-00056, SRG-OS-000108-GPOS-00055, SRG-OS-000108-GPOS-00057, SRG-OS-000108-GPOS-00058&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-71965</ident><ident system="http://cyber.mil/legacy">SV-86589</ident><ident system="http://cyber.mil/cci">CCI-000766</ident><fixtext fixref="F-4565r88516_fix">Configure the operating system to require individuals to be authenticated with a multifactor authenticator.
+ 
+ Enable smartcard logons with the following commands:
+ 
+@@ -1053,19 +1053,19 @@ If "smartcard removal action" is blank, this is a finding.
+ 
+ # authconfig --test | grep "smartcard module"
+ 
+-If "smartcard module" is blank, this is a finding.</check-content></check></Rule></Group><Group id="V-204442"><title>SRG-OS-000095-GPOS-00049</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204442r505924_rule" weight="10.0" severity="high"><version>RHEL-07-020000</version><title>The Red Hat Enterprise Linux operating system must not have the rsh-server package installed.</title><description>&lt;VulnDiscussion&gt;It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
++If "smartcard module" is blank, this is a finding.</check-content></check></Rule></Group><Group id="V-204442"><title>SRG-OS-000095-GPOS-00049</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204442r603261_rule" weight="10.0" severity="high"><version>RHEL-07-020000</version><title>The Red Hat Enterprise Linux operating system must not have the rsh-server package installed.</title><description>&lt;VulnDiscussion&gt;It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
+ 
+ Operating systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions).
+ 
+ The rsh-server service provides an unencrypted remote access service that does not provide for the confidentiality and integrity of user passwords or the remote session and has very weak authentication.
+ 
+-If a privileged user were to log on using this service, the privileged user password could be compromised.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86591</ident><ident system="http://cyber.mil/legacy">V-71967</ident><ident system="http://cyber.mil/cci">CCI-000381</ident><fixtext fixref="F-4566r88519_fix">Configure the operating system to disable non-essential capabilities by removing the rsh-server package from the system with the following command:
++If a privileged user were to log on using this service, the privileged user password could be compromised.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-71967</ident><ident system="http://cyber.mil/legacy">SV-86591</ident><ident system="http://cyber.mil/cci">CCI-000381</ident><fixtext fixref="F-4566r88519_fix">Configure the operating system to disable non-essential capabilities by removing the rsh-server package from the system with the following command:
+ 
+ # yum remove rsh-server</fixtext><fix id="F-4566r88519_fix" /><check system="C-4566r88518_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Check to see if the rsh-server package is installed with the following command:
+ 
+ # yum list installed rsh-server
+ 
+-If the rsh-server package is installed, this is a finding.</check-content></check></Rule></Group><Group id="V-204443"><title>SRG-OS-000095-GPOS-00049</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204443r505924_rule" weight="10.0" severity="high"><version>RHEL-07-020010</version><title>The Red Hat Enterprise Linux operating system must not have the ypserv package installed.</title><description>&lt;VulnDiscussion&gt;Removing the "ypserv" package decreases the risk of the accidental (or intentional) activation of NIS or NIS+ services.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86593</ident><ident system="http://cyber.mil/legacy">V-71969</ident><ident system="http://cyber.mil/cci">CCI-000381</ident><fixtext fixref="F-4567r88522_fix">Configure the operating system to disable non-essential capabilities by removing the "ypserv" package from the system with the following command:
++If the rsh-server package is installed, this is a finding.</check-content></check></Rule></Group><Group id="V-204443"><title>SRG-OS-000095-GPOS-00049</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204443r603261_rule" weight="10.0" severity="high"><version>RHEL-07-020010</version><title>The Red Hat Enterprise Linux operating system must not have the ypserv package installed.</title><description>&lt;VulnDiscussion&gt;Removing the "ypserv" package decreases the risk of the accidental (or intentional) activation of NIS or NIS+ services.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-71969</ident><ident system="http://cyber.mil/legacy">SV-86593</ident><ident system="http://cyber.mil/cci">CCI-000381</ident><fixtext fixref="F-4567r88522_fix">Configure the operating system to disable non-essential capabilities by removing the "ypserv" package from the system with the following command:
+ 
+ # yum remove ypserv</fixtext><fix id="F-4567r88522_fix" /><check system="C-4567r88521_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>The NIS service provides an unencrypted authentication service that does not provide for the confidentiality and integrity of user passwords or the remote session.
+ 
+@@ -1073,9 +1073,9 @@ Check to see if the "ypserve" package is installed with the following command:
+ 
+ # yum list installed ypserv
+ 
+-If the "ypserv" package is installed, this is a finding.</check-content></check></Rule></Group><Group id="V-204444"><title>SRG-OS-000324-GPOS-00125</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204444r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-020020</version><title>The Red Hat Enterprise Linux operating system must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.</title><description>&lt;VulnDiscussion&gt;Preventing non-privileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges.
++If the "ypserv" package is installed, this is a finding.</check-content></check></Rule></Group><Group id="V-204444"><title>SRG-OS-000324-GPOS-00125</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204444r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-020020</version><title>The Red Hat Enterprise Linux operating system must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.</title><description>&lt;VulnDiscussion&gt;Preventing non-privileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges.
+ 
+-Privileged functions include, for example, establishing accounts, performing system integrity checks, or administering cryptographic key management activities. Non-privileged users are individuals who do not possess appropriate authorizations. Circumventing intrusion detection and prevention mechanisms or malicious code protection mechanisms are examples of privileged functions that require protection from non-privileged users.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86595</ident><ident system="http://cyber.mil/legacy">V-71971</ident><ident system="http://cyber.mil/cci">CCI-002165</ident><ident system="http://cyber.mil/cci">CCI-002235</ident><fixtext fixref="F-4568r462535_fix">Configure the operating system to prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.
++Privileged functions include, for example, establishing accounts, performing system integrity checks, or administering cryptographic key management activities. Non-privileged users are individuals who do not possess appropriate authorizations. Circumventing intrusion detection and prevention mechanisms or malicious code protection mechanisms are examples of privileged functions that require protection from non-privileged users.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86595</ident><ident system="http://cyber.mil/legacy">V-71971</ident><ident system="http://cyber.mil/cci">CCI-002235</ident><ident system="http://cyber.mil/cci">CCI-002165</ident><fixtext fixref="F-4568r462535_fix">Configure the operating system to prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.
+ 
+ Use the following command to map a new user to the "sysadm_u" role: 
+ 
+@@ -1119,14 +1119,14 @@ All administrators must be mapped to the "sysadm_u", "staff_u", or an appropriat
+ 
+ All authorized non-administrative users must be mapped to the "user_u" role. 
+ 
+-If they are not mapped in this way, this is a finding.</check-content></check></Rule></Group><Group id="V-204445"><title>SRG-OS-000363-GPOS-00150</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204445r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-020030</version><title>The Red Hat Enterprise Linux operating system must be configured so that a file integrity tool verifies the baseline operating system configuration at least weekly.</title><description>&lt;VulnDiscussion&gt;Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may be relevant to security.
++If they are not mapped in this way, this is a finding.</check-content></check></Rule></Group><Group id="V-204445"><title>SRG-OS-000363-GPOS-00150</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204445r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-020030</version><title>The Red Hat Enterprise Linux operating system must be configured so that a file integrity tool verifies the baseline operating system configuration at least weekly.</title><description>&lt;VulnDiscussion&gt;Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may be relevant to security.
+ 
+-Detecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the operating system. The operating system's Information Management Officer (IMO)/Information System Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86597</ident><ident system="http://cyber.mil/legacy">V-71973</ident><ident system="http://cyber.mil/cci">CCI-001744</ident><fixtext fixref="F-4569r499376_fix">Configure the file integrity tool to run automatically on the system at least weekly. The following example output is generic. It will set cron to run AIDE daily, but other file integrity tools may be used:  
++Detecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the operating system. The operating system's Information Management Officer (IMO)/Information System Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-71973</ident><ident system="http://cyber.mil/legacy">SV-86597</ident><ident system="http://cyber.mil/cci">CCI-001744</ident><fixtext fixref="F-36304r602622_fix">Configure the file integrity tool to run automatically on the system at least weekly. The following example output is generic. It will set cron to run AIDE daily, but other file integrity tools may be used:  
+ 
+ # more /etc/cron.daily/aide
+ #!/bin/bash
+ 
+-/usr/sbin/aide --check | /bin/mail -s "$HOSTNAME - Daily aide integrity check run" root@sysname.mil</fixtext><fix id="F-4569r499376_fix" /><check system="C-4569r499375_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the operating system routinely checks the baseline configuration for unauthorized changes.
++/usr/sbin/aide --check | /bin/mail -s "$HOSTNAME - Daily aide integrity check run" root@sysname.mil</fixtext><fix id="F-36304r602622_fix" /><check system="C-36341r602621_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the operating system routinely checks the baseline configuration for unauthorized changes.
+ 
+ Note: A file integrity tool other than Advanced Intrusion Detection Environment (AIDE) may be used, but the tool must be executed at least once per week.
+ 
+@@ -1147,15 +1147,15 @@ Check the cron directories for a script file controlling the execution of the fi
+ /etc/crontab: 30 04 * * * root /usr/sbin/aide  --check
+ /var/spool/cron/root: 30 04 * * * /usr/sbin/aide  --check
+ 
+-If the file integrity application does not exist, or a script file controlling the execution of the file integrity application does not exist, this is a finding.</check-content></check></Rule></Group><Group id="V-204446"><title>SRG-OS-000363-GPOS-00150</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204446r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-020040</version><title>The Red Hat Enterprise Linux operating system must be configured so that designated personnel are notified if baseline configurations are changed in an unauthorized manner.</title><description>&lt;VulnDiscussion&gt;Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may be relevant to security.
++If the file integrity application does not exist, or a script file controlling the execution of the file integrity application does not exist, this is a finding.</check-content></check></Rule></Group><Group id="V-204446"><title>SRG-OS-000363-GPOS-00150</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204446r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-020040</version><title>The Red Hat Enterprise Linux operating system must be configured so that designated personnel are notified if baseline configurations are changed in an unauthorized manner.</title><description>&lt;VulnDiscussion&gt;Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may be relevant to security.
+ 
+-Detecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the operating system. The operating system's Information Management Officer (IMO)/Information System Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-71975</ident><ident system="http://cyber.mil/legacy">SV-86599</ident><ident system="http://cyber.mil/cci">CCI-001744</ident><fixtext fixref="F-4570r499379_fix">Configure the operating system to notify designated personnel if baseline configurations are changed in an unauthorized manner. The AIDE tool can be configured to email designated personnel with the use of the cron system. 
++Detecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the operating system. The operating system's Information Management Officer (IMO)/Information System Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-71975</ident><ident system="http://cyber.mil/legacy">SV-86599</ident><ident system="http://cyber.mil/cci">CCI-001744</ident><fixtext fixref="F-36305r602625_fix">Configure the operating system to notify designated personnel if baseline configurations are changed in an unauthorized manner. The AIDE tool can be configured to email designated personnel with the use of the cron system. 
+ 
+ The following example output is generic. It will set cron to run AIDE daily and to send email at the completion of the analysis. 
+ 
+ # more /etc/cron.daily/aide
+ 
+-/usr/sbin/aide --check | /bin/mail -s "$HOSTNAME - Daily aide integrity check run" root@sysname.mil</fixtext><fix id="F-4570r499379_fix" /><check system="C-4570r499378_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the operating system notifies designated personnel if baseline configurations are changed in an unauthorized manner.
++/usr/sbin/aide --check | /bin/mail -s "$HOSTNAME - Daily aide integrity check run" root@sysname.mil</fixtext><fix id="F-36305r602625_fix" /><check system="C-36342r602624_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the operating system notifies designated personnel if baseline configurations are changed in an unauthorized manner.
+ 
+ Note: A file integrity tool other than Advanced Intrusion Detection Environment (AIDE) may be used, but the tool must be executed and notify specified individuals via email or an alert.
+ 
+@@ -1183,7 +1183,7 @@ AIDE does not have a configuration that will send a notification, so the cron jo
+ 
+ /usr/sbin/aide --check | /bin/mail -s "$HOSTNAME - Daily aide integrity check run" root@sysname.mil
+ 
+-If the file integrity application does not notify designated personnel of changes, this is a finding.</check-content></check></Rule></Group><Group id="V-204447"><title>SRG-OS-000366-GPOS-00153</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204447r505924_rule" weight="10.0" severity="high"><version>RHEL-07-020050</version><title>The Red Hat Enterprise Linux operating system must prevent the installation of software, patches, service packs, device drivers, or operating system components from a repository without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization.</title><description>&lt;VulnDiscussion&gt;Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor.
++If the file integrity application does not notify designated personnel of changes, this is a finding.</check-content></check></Rule></Group><Group id="V-204447"><title>SRG-OS-000366-GPOS-00153</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204447r603261_rule" weight="10.0" severity="high"><version>RHEL-07-020050</version><title>The Red Hat Enterprise Linux operating system must prevent the installation of software, patches, service packs, device drivers, or operating system components from a repository without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization.</title><description>&lt;VulnDiscussion&gt;Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor.
+ 
+ Accordingly, patches, service packs, device drivers, or operating system components must be signed with a certificate recognized and approved by the organization.
+ 
+@@ -1198,7 +1198,7 @@ gpgcheck=1
+ 
+ If "gpgcheck" is not set to "1", or if options are missing or commented out, ask the System Administrator how the certificates for patches and other operating system components are verified. 
+ 
+-If there is no process to validate certificates that is approved by the organization, this is a finding.</check-content></check></Rule></Group><Group id="V-204448"><title>SRG-OS-000366-GPOS-00153</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204448r505924_rule" weight="10.0" severity="high"><version>RHEL-07-020060</version><title>The Red Hat Enterprise Linux operating system must prevent the installation of software, patches, service packs, device drivers, or operating system components of local packages without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization.</title><description>&lt;VulnDiscussion&gt;Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor.
++If there is no process to validate certificates that is approved by the organization, this is a finding.</check-content></check></Rule></Group><Group id="V-204448"><title>SRG-OS-000366-GPOS-00153</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204448r603261_rule" weight="10.0" severity="high"><version>RHEL-07-020060</version><title>The Red Hat Enterprise Linux operating system must prevent the installation of software, patches, service packs, device drivers, or operating system components of local packages without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization.</title><description>&lt;VulnDiscussion&gt;Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor.
+ 
+ Accordingly, patches, service packs, device drivers, or operating system components must be signed with a certificate recognized and approved by the organization.
+ 
+@@ -1213,9 +1213,9 @@ localpkg_gpgcheck=1
+ 
+ If "localpkg_gpgcheck" is not set to "1", or if options are missing or commented out, ask the System Administrator how the signatures of local packages and other operating system components are verified. 
+ 
+-If there is no process to validate the signatures of local packages that is approved by the organization, this is a finding.</check-content></check></Rule></Group><Group id="V-204449"><title>SRG-OS-000114-GPOS-00059</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204449r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-020100</version><title>The Red Hat Enterprise Linux operating system must be configured to disable USB mass storage.</title><description>&lt;VulnDiscussion&gt;USB mass storage permits easy introduction of unknown devices, thereby facilitating malicious activity.
++If there is no process to validate the signatures of local packages that is approved by the organization, this is a finding.</check-content></check></Rule></Group><Group id="V-204449"><title>SRG-OS-000114-GPOS-00059</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204449r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-020100</version><title>The Red Hat Enterprise Linux operating system must be configured to disable USB mass storage.</title><description>&lt;VulnDiscussion&gt;USB mass storage permits easy introduction of unknown devices, thereby facilitating malicious activity.
+ 
+-Satisfies: SRG-OS-000114-GPOS-00059, SRG-OS-000378-GPOS-00163, SRG-OS-000480-GPOS-00227&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-71983</ident><ident system="http://cyber.mil/legacy">SV-86607</ident><ident system="http://cyber.mil/cci">CCI-000778</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><ident system="http://cyber.mil/cci">CCI-001958</ident><fixtext fixref="F-4573r462538_fix">Configure the operating system to disable the ability to use the USB Storage kernel module.
++Satisfies: SRG-OS-000114-GPOS-00059, SRG-OS-000378-GPOS-00163, SRG-OS-000480-GPOS-00227&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-71983</ident><ident system="http://cyber.mil/legacy">SV-86607</ident><ident system="http://cyber.mil/cci">CCI-001958</ident><ident system="http://cyber.mil/cci">CCI-000778</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4573r462538_fix">Configure the operating system to disable the ability to use the USB Storage kernel module.
+ 
+ Create a file under "/etc/modprobe.d" with the following command:
+ 
+@@ -1246,7 +1246,7 @@ Check to see if USB mass storage is disabled with the following command:
+ # grep usb-storage /etc/modprobe.d/* | grep -i "blacklist" | grep -v "^#"
+ blacklist usb-storage
+ 
+-If the command does not return any output or the output is not "blacklist usb-storage", and use of USB storage devices is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.</check-content></check></Rule></Group><Group id="V-204450"><title>SRG-OS-000378-GPOS-00163</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204450r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-020101</version><title>The Red Hat Enterprise Linux operating system must be configured so that the Datagram Congestion Control Protocol (DCCP) kernel module is disabled unless required.</title><description>&lt;VulnDiscussion&gt;Disabling DCCP protects the system against exploitation of any flaws in the protocol implementation.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-77821</ident><ident system="http://cyber.mil/legacy">SV-92517</ident><ident system="http://cyber.mil/cci">CCI-001958</ident><fixtext fixref="F-4574r88543_fix">Configure the operating system to disable the ability to use the DCCP kernel module.
++If the command does not return any output or the output is not "blacklist usb-storage", and use of USB storage devices is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.</check-content></check></Rule></Group><Group id="V-204450"><title>SRG-OS-000378-GPOS-00163</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204450r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-020101</version><title>The Red Hat Enterprise Linux operating system must be configured so that the Datagram Congestion Control Protocol (DCCP) kernel module is disabled unless required.</title><description>&lt;VulnDiscussion&gt;Disabling DCCP protects the system against exploitation of any flaws in the protocol implementation.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-92517</ident><ident system="http://cyber.mil/legacy">V-77821</ident><ident system="http://cyber.mil/cci">CCI-001958</ident><fixtext fixref="F-4574r88543_fix">Configure the operating system to disable the ability to use the DCCP kernel module.
+ 
+ Create a file under "/etc/modprobe.d" with the following command:
+ 
+@@ -1278,9 +1278,9 @@ Check to see if the DCCP kernel module is disabled with the following command:
+ 
+ blacklist dccp
+ 
+-If the command does not return any output or the output is not "blacklist dccp", and use of the dccp kernel module is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.</check-content></check></Rule></Group><Group id="V-204451"><title>SRG-OS-000114-GPOS-00059</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204451r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-020110</version><title>The Red Hat Enterprise Linux operating system must disable the file system automounter unless required.</title><description>&lt;VulnDiscussion&gt;Automatically mounting file systems permits easy introduction of unknown devices, thereby facilitating malicious activity.
++If the command does not return any output or the output is not "blacklist dccp", and use of the dccp kernel module is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.</check-content></check></Rule></Group><Group id="V-204451"><title>SRG-OS-000114-GPOS-00059</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204451r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-020110</version><title>The Red Hat Enterprise Linux operating system must disable the file system automounter unless required.</title><description>&lt;VulnDiscussion&gt;Automatically mounting file systems permits easy introduction of unknown devices, thereby facilitating malicious activity.
+ 
+-Satisfies: SRG-OS-000114-GPOS-00059, SRG-OS-000378-GPOS-00163, SRG-OS-000480-GPOS-00227&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-71985</ident><ident system="http://cyber.mil/legacy">SV-86609</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><ident system="http://cyber.mil/cci">CCI-000778</ident><ident system="http://cyber.mil/cci">CCI-001958</ident><fixtext fixref="F-4575r88546_fix">Configure the operating system to disable the ability to automount devices.
++Satisfies: SRG-OS-000114-GPOS-00059, SRG-OS-000378-GPOS-00163, SRG-OS-000480-GPOS-00227&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86609</ident><ident system="http://cyber.mil/legacy">V-71985</ident><ident system="http://cyber.mil/cci">CCI-001958</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><ident system="http://cyber.mil/cci">CCI-000778</ident><fixtext fixref="F-4575r88546_fix">Configure the operating system to disable the ability to automount devices.
+ 
+ Turn off the automount service with the following commands:
+ 
+@@ -1296,7 +1296,7 @@ autofs.service - Automounts filesystems on demand
+    Loaded: loaded (/usr/lib/systemd/system/autofs.service; disabled)
+    Active: inactive (dead)
+ 
+-If the "autofs" status is set to "active" and is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.</check-content></check></Rule></Group><Group id="V-204452"><title>SRG-OS-000437-GPOS-00194</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204452r505924_rule" weight="10.0" severity="low"><version>RHEL-07-020200</version><title>The Red Hat Enterprise Linux operating system must remove all software components after updated versions have been installed.</title><description>&lt;VulnDiscussion&gt;Previous versions of software components that are not removed from the information system after updates have been installed may be exploited by adversaries. Some information technology products may remove older versions of software automatically from the information system.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-71987</ident><ident system="http://cyber.mil/legacy">SV-86611</ident><ident system="http://cyber.mil/cci">CCI-002617</ident><fixtext fixref="F-4576r88549_fix">Configure the operating system to remove all software components after updated versions have been installed.
++If the "autofs" status is set to "active" and is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.</check-content></check></Rule></Group><Group id="V-204452"><title>SRG-OS-000437-GPOS-00194</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204452r603261_rule" weight="10.0" severity="low"><version>RHEL-07-020200</version><title>The Red Hat Enterprise Linux operating system must remove all software components after updated versions have been installed.</title><description>&lt;VulnDiscussion&gt;Previous versions of software components that are not removed from the information system after updates have been installed may be exploited by adversaries. Some information technology products may remove older versions of software automatically from the information system.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86611</ident><ident system="http://cyber.mil/legacy">V-71987</ident><ident system="http://cyber.mil/cci">CCI-002617</ident><fixtext fixref="F-4576r88549_fix">Configure the operating system to remove all software components after updated versions have been installed.
+ 
+ Set the "clean_requirements_on_remove" option to "1" in the "/etc/yum.conf" file:
+ 
+@@ -1307,15 +1307,15 @@ Check if yum is configured to remove unneeded packages with the following comman
+ # grep -i clean_requirements_on_remove /etc/yum.conf
+ clean_requirements_on_remove=1
+ 
+-If "clean_requirements_on_remove" is not set to "1", "True", or "yes", or is not set in "/etc/yum.conf", this is a finding.</check-content></check></Rule></Group><Group id="V-204453"><title>SRG-OS-000445-GPOS-00199</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204453r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-020210</version><title>The Red Hat Enterprise Linux operating system must enable SELinux.</title><description>&lt;VulnDiscussion&gt;Without verification of the security functions, security functions may not operate correctly and the failure may go unnoticed. Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters.
++If "clean_requirements_on_remove" is not set to "1", "True", or "yes", or is not set in "/etc/yum.conf", this is a finding.</check-content></check></Rule></Group><Group id="V-204453"><title>SRG-OS-000445-GPOS-00199</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204453r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-020210</version><title>The Red Hat Enterprise Linux operating system must enable SELinux.</title><description>&lt;VulnDiscussion&gt;Without verification of the security functions, security functions may not operate correctly and the failure may go unnoticed. Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters.
+ 
+-This requirement applies to operating systems performing security function verification/testing and/or systems and environments that require this functionality.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-71989</ident><ident system="http://cyber.mil/legacy">SV-86613</ident><ident system="http://cyber.mil/cci">CCI-002696</ident><ident system="http://cyber.mil/cci">CCI-002165</ident><fixtext fixref="F-4577r499382_fix">Configure the operating system to verify correct operation of all security functions.
++This requirement applies to operating systems performing security function verification/testing and/or systems and environments that require this functionality.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-71989</ident><ident system="http://cyber.mil/legacy">SV-86613</ident><ident system="http://cyber.mil/cci">CCI-002696</ident><ident system="http://cyber.mil/cci">CCI-002165</ident><fixtext fixref="F-36306r602628_fix">Configure the operating system to verify correct operation of all security functions.
+ 
+ Set the "SELinux" status and the "Enforcing" mode by modifying the "/etc/selinux/config" file to have the following line:
+ 
+ SELINUX=enforcing
+ 
+-A reboot is required for the changes to take effect.</fixtext><fix id="F-4577r499382_fix" /><check system="C-4577r499381_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Per OPORD 16-0080, the preferred intrusion detection system is McAfee Host Intrusion Prevention System (HIPS) in conjunction with SELinux.  McAfee Endpoint Security for Linux (ENSL) is an approved alternative to McAfee Virus Scan Enterprise (VSE) and HIPS. For RHEL 7 systems, SELinux is an approved alternative to McAfee HIPS. Regardless of whether or not McAfee HIPS or ENSL is installed, SELinux is interoperable with both McAfee products and SELinux is still required.
++A reboot is required for the changes to take effect.</fixtext><fix id="F-36306r602628_fix" /><check system="C-36343r602627_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Per OPORD 16-0080, the preferred intrusion detection system is McAfee Host Intrusion Prevention System (HIPS) in conjunction with SELinux.  McAfee Endpoint Security for Linux (ENSL) is an approved alternative to McAfee Virus Scan Enterprise (VSE) and HIPS. For RHEL 7 systems, SELinux is an approved alternative to McAfee HIPS. Regardless of whether or not McAfee HIPS or ENSL is installed, SELinux is interoperable with both McAfee products and SELinux is still required.
+ 
+ Verify the operating system verifies correct operation of all security functions.
+ 
+@@ -1324,15 +1324,15 @@ Check if "SELinux" is active and in "Enforcing" mode with the following command:
+ # getenforce
+ Enforcing
+ 
+-If "SELinux" is not active and not in "Enforcing" mode, this is a finding.</check-content></check></Rule></Group><Group id="V-204454"><title>SRG-OS-000445-GPOS-00199</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204454r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-020220</version><title>The Red Hat Enterprise Linux operating system must enable the SELinux targeted policy.</title><description>&lt;VulnDiscussion&gt;Without verification of the security functions, security functions may not operate correctly and the failure may go unnoticed. Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters.
++If "SELinux" is not active and not in "Enforcing" mode, this is a finding.</check-content></check></Rule></Group><Group id="V-204454"><title>SRG-OS-000445-GPOS-00199</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204454r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-020220</version><title>The Red Hat Enterprise Linux operating system must enable the SELinux targeted policy.</title><description>&lt;VulnDiscussion&gt;Without verification of the security functions, security functions may not operate correctly and the failure may go unnoticed. Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters.
+ 
+-This requirement applies to operating systems performing security function verification/testing and/or systems and environments that require this functionality.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-71991</ident><ident system="http://cyber.mil/legacy">SV-86615</ident><ident system="http://cyber.mil/cci">CCI-002696</ident><ident system="http://cyber.mil/cci">CCI-002165</ident><fixtext fixref="F-4578r499385_fix">Configure the operating system to verify correct operation of all security functions.
++This requirement applies to operating systems performing security function verification/testing and/or systems and environments that require this functionality.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86615</ident><ident system="http://cyber.mil/legacy">V-71991</ident><ident system="http://cyber.mil/cci">CCI-002165</ident><ident system="http://cyber.mil/cci">CCI-002696</ident><fixtext fixref="F-36307r602631_fix">Configure the operating system to verify correct operation of all security functions.
+ 
+ Set the "SELinuxtype" to the "targeted" policy by modifying the "/etc/selinux/config" file to have the following line:
+ 
+ SELINUXTYPE=targeted
+ 
+-A reboot is required for the changes to take effect.</fixtext><fix id="F-4578r499385_fix" /><check system="C-4578r499384_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Per OPORD 16-0080, the preferred intrusion detection system is McAfee Host Intrusion Prevention System (HIPS) in conjunction with SELinux. McAfee Endpoint Security for Linux (ENSL) is an approved alternative to McAfee Virus Scan Enterprise (VSE) and HIPS. For RHEL 7 systems, SELinux is an approved alternative to McAfee HIPS. Regardless of whether or not McAfee HIPS or ENSL is installed, SELinux is interoperable with both McAfee products and SELinux is still required.
++A reboot is required for the changes to take effect.</fixtext><fix id="F-36307r602631_fix" /><check system="C-36344r602630_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Per OPORD 16-0080, the preferred intrusion detection system is McAfee Host Intrusion Prevention System (HIPS) in conjunction with SELinux. McAfee Endpoint Security for Linux (ENSL) is an approved alternative to McAfee Virus Scan Enterprise (VSE) and HIPS. For RHEL 7 systems, SELinux is an approved alternative to McAfee HIPS. Regardless of whether or not McAfee HIPS or ENSL is installed, SELinux is interoperable with both McAfee products and SELinux is still required.
+ 
+ Verify the operating system verifies correct operation of all security functions.
+ 
+@@ -1366,7 +1366,7 @@ Verify that the /etc/selinux/config file is configured to the "SELINUXTYPE" to "
+ 
+ SELINUXTYPE = targeted
+ 
+-If no results are returned or "SELINUXTYPE" is not set to "targeted", this is a finding.</check-content></check></Rule></Group><Group id="V-204455"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204455r505924_rule" weight="10.0" severity="high"><version>RHEL-07-020230</version><title>The Red Hat Enterprise Linux operating system must be configured so that the x86 Ctrl-Alt-Delete key sequence is disabled on the command line.</title><description>&lt;VulnDiscussion&gt;A locally logged-on user who presses Ctrl-Alt-Delete, when at the console, can reboot the system. If accidentally pressed, as could happen in the case of a mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot. In the GNOME graphical environment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is reduced because the user will be prompted before any action is taken.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86617</ident><ident system="http://cyber.mil/legacy">V-71993</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4579r88558_fix">Configure the system to disable the Ctrl-Alt-Delete sequence for the command line with the following command:
++If no results are returned or "SELINUXTYPE" is not set to "targeted", this is a finding.</check-content></check></Rule></Group><Group id="V-204455"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204455r603261_rule" weight="10.0" severity="high"><version>RHEL-07-020230</version><title>The Red Hat Enterprise Linux operating system must be configured so that the x86 Ctrl-Alt-Delete key sequence is disabled on the command line.</title><description>&lt;VulnDiscussion&gt;A locally logged-on user who presses Ctrl-Alt-Delete, when at the console, can reboot the system. If accidentally pressed, as could happen in the case of a mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot. In the GNOME graphical environment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is reduced because the user will be prompted before any action is taken.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86617</ident><ident system="http://cyber.mil/legacy">V-71993</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4579r88558_fix">Configure the system to disable the Ctrl-Alt-Delete sequence for the command line with the following command:
+ 
+ # systemctl mask ctrl-alt-del.target</fixtext><fix id="F-4579r88558_fix" /><check system="C-4579r88557_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the operating system is not configured to reboot the system when Ctrl-Alt-Delete is pressed.
+ 
+@@ -1380,24 +1380,24 @@ Active: inactive (dead)
+ 
+ If the ctrl-alt-del.target is not masked, this is a finding.
+ 
+-If the ctrl-alt-del.target is active, this is a finding.</check-content></check></Rule></Group><Group id="V-204456"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204456r505924_rule" weight="10.0" severity="high"><version>RHEL-07-020231</version><title>The Red Hat Enterprise Linux operating system must be configured so that the x86 Ctrl-Alt-Delete key sequence is disabled in the Graphical User Interface.</title><description>&lt;VulnDiscussion&gt;A locally logged-on user who presses Ctrl-Alt-Delete, when at the console, can reboot the system. If accidentally pressed, as could happen in the case of a mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot. In the graphical environment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is reduced because the user will be prompted before any action is taken.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-94843</ident><ident system="http://cyber.mil/legacy">SV-104673</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4580r297481_fix">Configure the system to disable the Ctrl-Alt-Delete sequence for the graphical user interface with the following command:
+-
+-# touch /etc/dconf/db/local.d/00-disable-CAD 
+-
+-Add the setting to disable the Ctrl-Alt-Delete sequence for the graphical user interface:
+-
+-[org/gnome/settings-daemon/plugins/media-keys]
+-logout=''</fixtext><fix id="F-4580r297481_fix" /><check system="C-4580r297488_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Note: If the operating system does not have a graphical user interface installed, this requirement is Not Applicable.
+-
+-Verify the operating system is not configured to reboot the system when Ctrl-Alt-Delete is pressed.
+-
+-Check that the ctrl-alt-del.target is masked and not active in the graphical user interface with the following command:
+-
+-# grep logout /etc/dconf/db/local.d/*
+-
+-logout=''
+-
+-If "logout" is not set to use two single quotations, or is missing, this is a finding.</check-content></check></Rule></Group><Group id="V-204457"><title>SRG-OS-000480-GPOS-00228</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204457r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-020240</version><title>The Red Hat Enterprise Linux operating system must define default permissions for all authenticated users in such a way that the user can only read and modify their own files.</title><description>&lt;VulnDiscussion&gt;Setting the most restrictive default permissions ensures that when new accounts are created, they do not have unnecessary access.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86619</ident><ident system="http://cyber.mil/legacy">V-71995</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4581r88564_fix">Configure the operating system to define default permissions for all authenticated users in such a way that the user can only read and modify their own files.
++If the ctrl-alt-del.target is active, this is a finding.</check-content></check></Rule></Group><Group id="V-204456"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204456r603261_rule" weight="10.0" severity="high"><version>RHEL-07-020231</version><title>The Red Hat Enterprise Linux operating system must be configured so that the x86 Ctrl-Alt-Delete key sequence is disabled in the Graphical User Interface.</title><description>&lt;VulnDiscussion&gt;A locally logged-on user who presses Ctrl-Alt-Delete, when at the console, can reboot the system. If accidentally pressed, as could happen in the case of a mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot. In the graphical environment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is reduced because the user will be prompted before any action is taken.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-94843</ident><ident system="http://cyber.mil/legacy">SV-104673</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4580r590041_fix">Configure the system to disable the Ctrl-Alt-Delete sequence for the graphical user interface with the following command:
++
++# touch /etc/dconf/db/local.d/00-disable-CAD 
++
++Add the setting to disable the Ctrl-Alt-Delete sequence for the graphical user interface:
++
++[org/gnome/settings-daemon/plugins/media-keys]
++logout=''</fixtext><fix id="F-4580r590041_fix" /><check system="C-4580r590040_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Note: If the operating system does not have a graphical user interface installed, this requirement is Not Applicable.
++
++Verify the operating system is not configured to reboot the system when Ctrl-Alt-Delete is pressed.
++
++Check that the ctrl-alt-del.target is masked and not active in the graphical user interface with the following command:
++
++# grep logout /etc/dconf/db/local.d/*
++
++logout=''
++
++If "logout" is not set to use two single quotations, or is missing, this is a finding.</check-content></check></Rule></Group><Group id="V-204457"><title>SRG-OS-000480-GPOS-00228</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204457r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-020240</version><title>The Red Hat Enterprise Linux operating system must define default permissions for all authenticated users in such a way that the user can only read and modify their own files.</title><description>&lt;VulnDiscussion&gt;Setting the most restrictive default permissions ensures that when new accounts are created, they do not have unnecessary access.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86619</ident><ident system="http://cyber.mil/legacy">V-71995</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4581r88564_fix">Configure the operating system to define default permissions for all authenticated users in such a way that the user can only read and modify their own files.
+ 
+ Add or edit the line for the "UMASK" parameter in "/etc/login.defs" file to "077":
+ 
+@@ -1410,9 +1410,9 @@ Note: If the value of the "UMASK" parameter is set to "000" in "/etc/login.defs"
+ # grep -i umask /etc/login.defs
+ UMASK  077
+ 
+-If the value for the "UMASK" parameter is not "077", or the "UMASK" parameter is missing or is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-204458"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204458r505924_rule" weight="10.0" severity="high"><version>RHEL-07-020250</version><title>The Red Hat Enterprise Linux operating system must be a vendor supported release.</title><description>&lt;VulnDiscussion&gt;An operating system release is considered "supported" if the vendor continues to provide security patches for the product. With an unsupported release, it will not be possible to resolve security issues discovered in the system software.
++If the value for the "UMASK" parameter is not "077", or the "UMASK" parameter is missing or is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-204458"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204458r603261_rule" weight="10.0" severity="high"><version>RHEL-07-020250</version><title>The Red Hat Enterprise Linux operating system must be a vendor supported release.</title><description>&lt;VulnDiscussion&gt;An operating system release is considered "supported" if the vendor continues to provide security patches for the product. With an unsupported release, it will not be possible to resolve security issues discovered in the system software.
+ 
+-Red Hat offers the Extended Update Support (EUS) Add-On to a Red Hat Enterprise Linux subscription, for a fee, for those customers who wish to standardize on a specific minor release for an extended period. RHEL 7.7 marks the final minor release that EUS will be available.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86621</ident><ident system="http://cyber.mil/legacy">V-71997</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4582r462547_fix">Upgrade to a supported version of the operating system.</fixtext><fix id="F-4582r462547_fix" /><check system="C-4582r462546_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the version of the operating system is vendor supported.
++Red Hat offers the Extended Update Support (EUS) Add-On to a Red Hat Enterprise Linux subscription, for a fee, for those customers who wish to standardize on a specific minor release for an extended period. RHEL 7.7 marks the final minor release that EUS will be available.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-71997</ident><ident system="http://cyber.mil/legacy">SV-86621</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4582r462547_fix">Upgrade to a supported version of the operating system.</fixtext><fix id="F-4582r462547_fix" /><check system="C-4582r462546_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the version of the operating system is vendor supported.
+ 
+ Check the version of the operating system with the following command:
+ 
+@@ -1428,7 +1428,7 @@ Current End of Maintenance Support for RHEL 7.8 is 31 October 2020.
+ 
+ Current End of Maintenance Support for RHEL 7.9 is 30 April 2021.
+ 
+-If the release is not supported by the vendor, this is a finding.</check-content></check></Rule></Group><Group id="V-204459"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204459r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-020260</version><title>The Red Hat Enterprise Linux operating system security patches and updates must be installed and up to date.</title><description>&lt;VulnDiscussion&gt;Timely patching is critical for maintaining the operational availability, confidentiality, and integrity of information technology (IT) systems. However, failure to keep operating system and application software patched is a common mistake made by IT professionals. New patches are released daily, and it is often difficult for even experienced System Administrators to keep abreast of all the new patches. When new weaknesses in an operating system exist, patches are usually made available by the vendor to resolve the problems. If the most recent security patches and updates are not installed, unauthorized users may take advantage of weaknesses in the unpatched software. The lack of prompt attention to patching could result in a system compromise.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86623</ident><ident system="http://cyber.mil/legacy">V-71999</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4583r88570_fix">Install the operating system patches or updated packages available from Red Hat within 30 days or sooner as local policy dictates.</fixtext><fix id="F-4583r88570_fix" /><check system="C-4583r88569_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the operating system security patches and updates are installed and up to date. Updates are required to be applied with a frequency determined by the site or Program Management Office (PMO). 
++If the release is not supported by the vendor, this is a finding.</check-content></check></Rule></Group><Group id="V-204459"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204459r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-020260</version><title>The Red Hat Enterprise Linux operating system security patches and updates must be installed and up to date.</title><description>&lt;VulnDiscussion&gt;Timely patching is critical for maintaining the operational availability, confidentiality, and integrity of information technology (IT) systems. However, failure to keep operating system and application software patched is a common mistake made by IT professionals. New patches are released daily, and it is often difficult for even experienced System Administrators to keep abreast of all the new patches. When new weaknesses in an operating system exist, patches are usually made available by the vendor to resolve the problems. If the most recent security patches and updates are not installed, unauthorized users may take advantage of weaknesses in the unpatched software. The lack of prompt attention to patching could result in a system compromise.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86623</ident><ident system="http://cyber.mil/legacy">V-71999</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4583r88570_fix">Install the operating system patches or updated packages available from Red Hat within 30 days or sooner as local policy dictates.</fixtext><fix id="F-4583r88570_fix" /><check system="C-4583r88569_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the operating system security patches and updates are installed and up to date. Updates are required to be applied with a frequency determined by the site or Program Management Office (PMO). 
+ 
+ Obtain the list of available package security updates from Red Hat. The URL for updates is https://rhn.redhat.com/errata/. It is important to note that updates provided by Red Hat may not be present on the system if the underlying packages are not installed.
+ 
+@@ -1448,7 +1448,7 @@ If package updates have not been performed on the system within the timeframe th
+ 
+ Typical update frequency may be overridden by Information Assurance Vulnerability Alert (IAVA) notifications from CYBERCOM.
+ 
+-If the operating system is in non-compliance with the Information Assurance Vulnerability Management (IAVM) process, this is a finding.</check-content></check></Rule></Group><Group id="V-204460"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204460r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-020270</version><title>The Red Hat Enterprise Linux operating system must not have unnecessary accounts.</title><description>&lt;VulnDiscussion&gt;Accounts providing no operational purpose provide additional opportunities for system compromise. Unnecessary accounts include user accounts for individuals not requiring access to the system and application accounts for applications not installed on the system.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86625</ident><ident system="http://cyber.mil/legacy">V-72001</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4584r88573_fix">Configure the system so all accounts on the system are assigned to an active system, application, or user account. 
++If the operating system is in non-compliance with the Information Assurance Vulnerability Management (IAVM) process, this is a finding.</check-content></check></Rule></Group><Group id="V-204460"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204460r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-020270</version><title>The Red Hat Enterprise Linux operating system must not have unnecessary accounts.</title><description>&lt;VulnDiscussion&gt;Accounts providing no operational purpose provide additional opportunities for system compromise. Unnecessary accounts include user accounts for individuals not requiring access to the system and application accounts for applications not installed on the system.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86625</ident><ident system="http://cyber.mil/legacy">V-72001</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4584r88573_fix">Configure the system so all accounts on the system are assigned to an active system, application, or user account. 
+ 
+ Remove accounts that do not support approved system activities or that allow for a normal user to perform administrative-level actions. 
+ 
+@@ -1470,19 +1470,19 @@ gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
+ 
+ Accounts such as "games" and "gopher" are not authorized accounts as they do not support authorized system functions. 
+ 
+-If the accounts on the system do not match the provided documentation, or accounts that do not support an authorized system function are present, this is a finding.</check-content></check></Rule></Group><Group id="V-204461"><title>SRG-OS-000104-GPOS-00051</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204461r505924_rule" weight="10.0" severity="low"><version>RHEL-07-020300</version><title>The Red Hat Enterprise Linux operating system must be configured so that all Group Identifiers (GIDs) referenced in the /etc/passwd file are defined in the /etc/group file.</title><description>&lt;VulnDiscussion&gt;If a user is assigned the GID of a group not existing on the system, and a group with the GID is subsequently created, the user may have unintended rights to any files associated with the group.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86627</ident><ident system="http://cyber.mil/legacy">V-72003</ident><ident system="http://cyber.mil/cci">CCI-000764</ident><fixtext fixref="F-4585r88576_fix">Configure the system to define all GIDs found in the "/etc/passwd" file by modifying the "/etc/group" file to add any non-existent group referenced in the "/etc/passwd" file, or change the GIDs referenced in the "/etc/passwd" file to a group that exists in "/etc/group".</fixtext><fix id="F-4585r88576_fix" /><check system="C-4585r88575_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify all GIDs referenced in the "/etc/passwd" file are defined in the "/etc/group" file.
++If the accounts on the system do not match the provided documentation, or accounts that do not support an authorized system function are present, this is a finding.</check-content></check></Rule></Group><Group id="V-204461"><title>SRG-OS-000104-GPOS-00051</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204461r603261_rule" weight="10.0" severity="low"><version>RHEL-07-020300</version><title>The Red Hat Enterprise Linux operating system must be configured so that all Group Identifiers (GIDs) referenced in the /etc/passwd file are defined in the /etc/group file.</title><description>&lt;VulnDiscussion&gt;If a user is assigned the GID of a group not existing on the system, and a group with the GID is subsequently created, the user may have unintended rights to any files associated with the group.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-72003</ident><ident system="http://cyber.mil/legacy">SV-86627</ident><ident system="http://cyber.mil/cci">CCI-000764</ident><fixtext fixref="F-4585r88576_fix">Configure the system to define all GIDs found in the "/etc/passwd" file by modifying the "/etc/group" file to add any non-existent group referenced in the "/etc/passwd" file, or change the GIDs referenced in the "/etc/passwd" file to a group that exists in "/etc/group".</fixtext><fix id="F-4585r88576_fix" /><check system="C-4585r88575_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify all GIDs referenced in the "/etc/passwd" file are defined in the "/etc/group" file.
+ 
+ Check that all referenced GIDs exist with the following command:
+ 
+ # pwck -r
+ 
+-If GIDs referenced in "/etc/passwd" file are returned as not defined in "/etc/group" file, this is a finding.</check-content></check></Rule></Group><Group id="V-204462"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204462r505924_rule" weight="10.0" severity="high"><version>RHEL-07-020310</version><title>The Red Hat Enterprise Linux operating system must be configured so that the root account must be the only account having unrestricted access to the system.</title><description>&lt;VulnDiscussion&gt;If an account other than root also has a User Identifier (UID) of "0", it has root authority, giving that account unrestricted access to the entire operating system. Multiple accounts with a UID of "0" afford an opportunity for potential intruders to guess a password for a privileged account.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86629</ident><ident system="http://cyber.mil/legacy">V-72005</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4586r88579_fix">Change the UID of any account on the system, other than root, that has a UID of "0". 
++If GIDs referenced in "/etc/passwd" file are returned as not defined in "/etc/group" file, this is a finding.</check-content></check></Rule></Group><Group id="V-204462"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204462r603261_rule" weight="10.0" severity="high"><version>RHEL-07-020310</version><title>The Red Hat Enterprise Linux operating system must be configured so that the root account must be the only account having unrestricted access to the system.</title><description>&lt;VulnDiscussion&gt;If an account other than root also has a User Identifier (UID) of "0", it has root authority, giving that account unrestricted access to the entire operating system. Multiple accounts with a UID of "0" afford an opportunity for potential intruders to guess a password for a privileged account.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86629</ident><ident system="http://cyber.mil/legacy">V-72005</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4586r88579_fix">Change the UID of any account on the system, other than root, that has a UID of "0". 
+ 
+ If the account is associated with system commands or applications, the UID should be changed to one greater than "0" but less than "1000". Otherwise, assign a UID of greater than "1000" that has not already been assigned.</fixtext><fix id="F-4586r88579_fix" /><check system="C-4586r88578_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Check the system for duplicate UID "0" assignments with the following command:
+ 
+ # awk -F: '$3 == 0 {print $1}' /etc/passwd
+ 
+-If any accounts other than root have a UID of "0", this is a finding.</check-content></check></Rule></Group><Group id="V-204463"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204463r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-020320</version><title>The Red Hat Enterprise Linux operating system must be configured so that all files and directories have a valid owner.</title><description>&lt;VulnDiscussion&gt;Unowned files and directories may be unintentionally inherited if a user is assigned the same User Identifier "UID" as the UID of the un-owned files.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86631</ident><ident system="http://cyber.mil/legacy">V-72007</ident><ident system="http://cyber.mil/cci">CCI-002165</ident><fixtext fixref="F-4587r88582_fix">Either remove all files and directories from the system that do not have a valid user, or assign a valid user to all unowned files and directories on the system with the "chown" command:
++If any accounts other than root have a UID of "0", this is a finding.</check-content></check></Rule></Group><Group id="V-204463"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204463r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-020320</version><title>The Red Hat Enterprise Linux operating system must be configured so that all files and directories have a valid owner.</title><description>&lt;VulnDiscussion&gt;Unowned files and directories may be unintentionally inherited if a user is assigned the same User Identifier "UID" as the UID of the un-owned files.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86631</ident><ident system="http://cyber.mil/legacy">V-72007</ident><ident system="http://cyber.mil/cci">CCI-002165</ident><fixtext fixref="F-4587r88582_fix">Either remove all files and directories from the system that do not have a valid user, or assign a valid user to all unowned files and directories on the system with the "chown" command:
+ 
+ # chown &lt;user&gt; &lt;file&gt;</fixtext><fix id="F-4587r88582_fix" /><check system="C-4587r88581_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify all files and directories on the system have a valid owner.
+ 
+@@ -1492,7 +1492,7 @@ Note: The value after -fstype must be replaced with the filesystem type. XFS is
+ 
+ # find / -fstype xfs -nouser
+ 
+-If any files on the system do not have an assigned owner, this is a finding.</check-content></check></Rule></Group><Group id="V-204464"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204464r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-020330</version><title>The Red Hat Enterprise Linux operating system must be configured so that all files and directories have a valid group owner.</title><description>&lt;VulnDiscussion&gt;Files without a valid group owner may be unintentionally inherited if a group is assigned the same Group Identifier (GID) as the GID of the files without a valid group owner.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-72009</ident><ident system="http://cyber.mil/legacy">SV-86633</ident><ident system="http://cyber.mil/cci">CCI-002165</ident><fixtext fixref="F-4588r88585_fix">Either remove all files and directories from the system that do not have a valid group, or assign a valid group to all files and directories on the system with the "chgrp" command:
++If any files on the system do not have an assigned owner, this is a finding.</check-content></check></Rule></Group><Group id="V-204464"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204464r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-020330</version><title>The Red Hat Enterprise Linux operating system must be configured so that all files and directories have a valid group owner.</title><description>&lt;VulnDiscussion&gt;Files without a valid group owner may be unintentionally inherited if a group is assigned the same Group Identifier (GID) as the GID of the files without a valid group owner.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86633</ident><ident system="http://cyber.mil/legacy">V-72009</ident><ident system="http://cyber.mil/cci">CCI-002165</ident><fixtext fixref="F-4588r88585_fix">Either remove all files and directories from the system that do not have a valid group, or assign a valid group to all files and directories on the system with the "chgrp" command:
+ 
+ # chgrp &lt;group&gt; &lt;file&gt;</fixtext><fix id="F-4588r88585_fix" /><check system="C-4588r88584_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify all files and directories on the system have a valid group.
+ 
+@@ -1502,7 +1502,7 @@ Note: The value after -fstype must be replaced with the filesystem type. XFS is
+ 
+ # find / -fstype xfs -nogroup
+ 
+-If any files on the system do not have an assigned group, this is a finding.</check-content></check></Rule></Group><Group id="V-204466"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204466r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-020610</version><title>The Red Hat Enterprise Linux operating system must be configured so that all local interactive user accounts, upon creation, are assigned a home directory.</title><description>&lt;VulnDiscussion&gt;If local interactive users are not assigned a valid home directory, there is no place for the storage and control of files they should own.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-72013</ident><ident system="http://cyber.mil/legacy">SV-86637</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4590r88591_fix">Configure the operating system to assign home directories to all new local interactive users by setting the "CREATE_HOME" parameter in "/etc/login.defs" to "yes" as follows.
++If any files on the system do not have an assigned group, this is a finding.</check-content></check></Rule></Group><Group id="V-204466"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204466r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-020610</version><title>The Red Hat Enterprise Linux operating system must be configured so that all local interactive user accounts, upon creation, are assigned a home directory.</title><description>&lt;VulnDiscussion&gt;If local interactive users are not assigned a valid home directory, there is no place for the storage and control of files they should own.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86637</ident><ident system="http://cyber.mil/legacy">V-72013</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4590r88591_fix">Configure the operating system to assign home directories to all new local interactive users by setting the "CREATE_HOME" parameter in "/etc/login.defs" to "yes" as follows.
+ 
+ CREATE_HOME yes</fixtext><fix id="F-4590r88591_fix" /><check system="C-4590r88590_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify all local interactive users on the system are assigned a home directory upon creation.
+ 
+@@ -1511,7 +1511,7 @@ Check to see if the system is configured to create home directories for local in
+ # grep -i create_home /etc/login.defs
+ CREATE_HOME yes
+ 
+-If the value for "CREATE_HOME" parameter is not set to "yes", the line is missing, or the line is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-204467"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204467r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-020620</version><title>The Red Hat Enterprise Linux operating system must be configured so that all local interactive users have a home directory assigned and defined in the /etc/passwd file.</title><description>&lt;VulnDiscussion&gt;If local interactive users are not assigned a valid home directory, there is no place for the storage and control of files they should own.
++If the value for "CREATE_HOME" parameter is not set to "yes", the line is missing, or the line is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-204467"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204467r603826_rule" weight="10.0" severity="medium"><version>RHEL-07-020620</version><title>The Red Hat Enterprise Linux operating system must be configured so that all local interactive users have a home directory assigned and defined in the /etc/passwd file.</title><description>&lt;VulnDiscussion&gt;If local interactive users are not assigned a valid home directory, there is no place for the storage and control of files they should own.
+ 
+ In addition, if a local interactive user has a home directory defined that does not exist, the user may be given access to the / directory as the current working directory upon logon. This could create a Denial of Service because the user would not be able to access their logon configuration files, and it may give them visibility to system files they normally would not be able to access.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-72015</ident><ident system="http://cyber.mil/legacy">SV-86639</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4591r462550_fix">Create home directories to all local interactive users that currently do not have a home directory assigned. Use the following commands to create the user home directory assigned in "/etc/ passwd":
+ 
+@@ -1520,13 +1520,13 @@ Note: The example will be for the user smithj, who has a home directory of "/hom
+ # mkdir /home/smithj 
+ # chown smithj /home/smithj
+ # chgrp users /home/smithj
+-# chmod 0750 /home/smithj</fixtext><fix id="F-4591r462550_fix" /><check system="C-4591r462549_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify local interactive users on the system have a home directory assigned and the directory exists.
++# chmod 0750 /home/smithj</fixtext><fix id="F-4591r462550_fix" /><check system="C-4591r603825_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify local interactive users on the system have a home directory assigned and the directory exists.
+ 
+ Check the home directory assignment for all local interactive non-privileged users on the system with the following command:
+ 
+-# cut -d: -f 1,3,6 /etc/passwd | egrep ":[1-9][0-9]{3}"
++# awk -F: '($3&gt;=1000)&amp;&amp;($7 !~ /nologin/){print $1, $3, $6}' /etc/passwd
+ 
+-smithj:1001:/home/smithj
++smithj 1001 /home/smithj
+ 
+ Note: This may miss interactive users that have been assigned a privileged UID. Evidence of interactive use may be obtained from a number of log files containing system logon information.
+ 
+@@ -1535,40 +1535,40 @@ Check that all referenced home directories exist with the following command:
+ # pwck -r
+ user 'smithj': directory '/home/smithj' does not exist
+ 
+-If any home directories referenced in "/etc/passwd" are returned as not defined, or if any interactive users do not have a home directory assigned, this is a finding.</check-content></check></Rule></Group><Group id="V-204468"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204468r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-020630</version><title>The Red Hat Enterprise Linux operating system must be configured so that all local interactive user home directories have mode 0750 or less permissive.</title><description>&lt;VulnDiscussion&gt;Excessive permissions on local interactive user home directories may allow unauthorized access to user files by other users.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-72017</ident><ident system="http://cyber.mil/legacy">SV-86641</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4592r88597_fix">Change the mode of interactive user's home directories to "0750". To change the mode of a local interactive user's home directory, use the following command:
++If any home directories referenced in "/etc/passwd" are returned as not defined, or if any interactive users do not have a home directory assigned, this is a finding.</check-content></check></Rule></Group><Group id="V-204468"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204468r603828_rule" weight="10.0" severity="medium"><version>RHEL-07-020630</version><title>The Red Hat Enterprise Linux operating system must be configured so that all local interactive user home directories have mode 0750 or less permissive.</title><description>&lt;VulnDiscussion&gt;Excessive permissions on local interactive user home directories may allow unauthorized access to user files by other users.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86641</ident><ident system="http://cyber.mil/legacy">V-72017</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4592r88597_fix">Change the mode of interactive user's home directories to "0750". To change the mode of a local interactive user's home directory, use the following command:
+ 
+ Note: The example will be for the user "smithj".
+ 
+-# chmod 0750 /home/smithj</fixtext><fix id="F-4592r88597_fix" /><check system="C-4592r88596_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the assigned home directory of all local interactive users has a mode of "0750" or less permissive.
++# chmod 0750 /home/smithj</fixtext><fix id="F-4592r88597_fix" /><check system="C-4592r603827_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the assigned home directory of all local interactive users has a mode of "0750" or less permissive.
+ 
+ Check the home directory assignment for all non-privileged users on the system with the following command:
+ 
+ Note: This may miss interactive users that have been assigned a privileged User Identifier (UID). Evidence of interactive use may be obtained from a number of log files containing system logon information.
+ 
+-# ls -ld $(egrep ':[0-9]{4}' /etc/passwd | cut -d: -f6)
++# ls -ld $(awk -F: '($3&gt;=1000)&amp;&amp;($7 !~ /nologin/){print $6}' /etc/passwd)
+ -rwxr-x--- 1 smithj users  18 Mar  5 17:06 /home/smithj
+ 
+-If home directories referenced in "/etc/passwd" do not have a mode of "0750" or less permissive, this is a finding.</check-content></check></Rule></Group><Group id="V-204469"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204469r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-020640</version><title>The Red Hat Enterprise Linux operating system must be configured so that all local interactive user home directories are owned by their respective users.</title><description>&lt;VulnDiscussion&gt;If a local interactive user does not own their home directory, unauthorized users could access or modify the user's files, and the users may not be able to access their own files.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-72019</ident><ident system="http://cyber.mil/legacy">SV-86643</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4593r88600_fix">Change the owner of a local interactive user's home directories to that owner. To change the owner of a local interactive user's home directory, use the following command:
++If home directories referenced in "/etc/passwd" do not have a mode of "0750" or less permissive, this is a finding.</check-content></check></Rule></Group><Group id="V-204469"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204469r603830_rule" weight="10.0" severity="medium"><version>RHEL-07-020640</version><title>The Red Hat Enterprise Linux operating system must be configured so that all local interactive user home directories are owned by their respective users.</title><description>&lt;VulnDiscussion&gt;If a local interactive user does not own their home directory, unauthorized users could access or modify the user's files, and the users may not be able to access their own files.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86643</ident><ident system="http://cyber.mil/legacy">V-72019</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4593r88600_fix">Change the owner of a local interactive user's home directories to that owner. To change the owner of a local interactive user's home directory, use the following command:
+ 
+ Note: The example will be for the user smithj, who has a home directory of "/home/smithj".
+ 
+-# chown smithj /home/smithj</fixtext><fix id="F-4593r88600_fix" /><check system="C-4593r88599_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the assigned home directory of all local interactive users on the system exists.
++# chown smithj /home/smithj</fixtext><fix id="F-4593r88600_fix" /><check system="C-4593r603829_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the assigned home directory of all local interactive users on the system exists.
+ 
+ Check the home directory assignment for all local interactive users on the system with the following command:
+ 
+-# ls -ld $(egrep ':[0-9]{4}' /etc/passwd | cut -d: -f6)
++# ls -ld $(awk -F: '($3&gt;=1000)&amp;&amp;($7 !~ /nologin/){print $6}' /etc/passwd)
+ 
+ -rwxr-x--- 1 smithj users 18 Mar 5 17:06 /home/smithj
+ 
+-If any home directories referenced in "/etc/passwd" are not owned by the interactive user, this is a finding.</check-content></check></Rule></Group><Group id="V-204470"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204470r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-020650</version><title>The Red Hat Enterprise Linux operating system must be configured so that all local interactive user home directories are group-owned by the home directory owners primary group.</title><description>&lt;VulnDiscussion&gt;If the Group Identifier (GID) of a local interactive user's home directory is not the same as the primary GID of the user, this would allow unauthorized access to the user's files, and users that share the same group may not be able to access files that they legitimately should.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86645</ident><ident system="http://cyber.mil/legacy">V-72021</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4594r88603_fix">Change the group owner of a local interactive user's home directory to the group found in "/etc/passwd". To change the group owner of a local interactive user's home directory, use the following command:
++If any home directories referenced in "/etc/passwd" are not owned by the interactive user, this is a finding.</check-content></check></Rule></Group><Group id="V-204470"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204470r603832_rule" weight="10.0" severity="medium"><version>RHEL-07-020650</version><title>The Red Hat Enterprise Linux operating system must be configured so that all local interactive user home directories are group-owned by the home directory owners primary group.</title><description>&lt;VulnDiscussion&gt;If the Group Identifier (GID) of a local interactive user's home directory is not the same as the primary GID of the user, this would allow unauthorized access to the user's files, and users that share the same group may not be able to access files that they legitimately should.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86645</ident><ident system="http://cyber.mil/legacy">V-72021</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4594r88603_fix">Change the group owner of a local interactive user's home directory to the group found in "/etc/passwd". To change the group owner of a local interactive user's home directory, use the following command:
+ 
+ Note: The example will be for the user "smithj", who has a home directory of "/home/smithj", and has a primary group of users.
+ 
+-# chgrp users /home/smithj</fixtext><fix id="F-4594r88603_fix" /><check system="C-4594r88602_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the assigned home directory of all local interactive users is group-owned by that user's primary GID.
++# chgrp users /home/smithj</fixtext><fix id="F-4594r88603_fix" /><check system="C-4594r603831_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the assigned home directory of all local interactive users is group-owned by that user's primary GID.
+ 
+ Check the home directory assignment for all local interactive users on the system with the following command:
+ 
+-# ls -ld $(egrep ':[0-9]{4}' /etc/passwd | cut -d: -f6)
++# ls -ld $(awk -F: '($3&gt;=1000)&amp;&amp;($7 !~ /nologin/){print $6}' /etc/passwd)
+ 
+ -rwxr-x--- 1 smithj users 18 Mar 5 17:06 /home/smithj
+ 
+@@ -1578,7 +1578,7 @@ Check the user's primary group with the following command:
+ 
+ users:x:250:smithj,jonesj,jacksons
+ 
+-If the user home directory referenced in "/etc/passwd" is not group-owned by that user's primary GID, this is a finding.</check-content></check></Rule></Group><Group id="V-204471"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204471r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-020660</version><title>The Red Hat Enterprise Linux operating system must be configured so that all files and directories contained in local interactive user home directories are owned by the owner of the home directory.</title><description>&lt;VulnDiscussion&gt;If local interactive users do not own the files in their directories, unauthorized users may be able to access them. Additionally, if files are not owned by the user, this could be an indication of system compromise.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86647</ident><ident system="http://cyber.mil/legacy">V-72023</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4595r88606_fix">Change the owner of a local interactive user's files and directories to that owner. To change the owner of a local interactive user's files and directories, use the following command:
++If the user home directory referenced in "/etc/passwd" is not group-owned by that user's primary GID, this is a finding.</check-content></check></Rule></Group><Group id="V-204471"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204471r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-020660</version><title>The Red Hat Enterprise Linux operating system must be configured so that all files and directories contained in local interactive user home directories are owned by the owner of the home directory.</title><description>&lt;VulnDiscussion&gt;If local interactive users do not own the files in their directories, unauthorized users may be able to access them. Additionally, if files are not owned by the user, this could be an indication of system compromise.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86647</ident><ident system="http://cyber.mil/legacy">V-72023</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4595r88606_fix">Change the owner of a local interactive user's files and directories to that owner. To change the owner of a local interactive user's files and directories, use the following command:
+ 
+ Note: The example will be for the user smithj, who has a home directory of "/home/smithj".
+ 
+@@ -1593,7 +1593,7 @@ Note: The example will be for the user "smithj", who has a home directory of "/h
+ -rw-r--r-- 1 smithj smithj 193 Mar  5 17:06 file2
+ -rw-r--r-- 1 smithj smithj 231 Mar  5 17:06 file3
+ 
+-If any files are found with an owner different than the home directory user, this is a finding.</check-content></check></Rule></Group><Group id="V-204472"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204472r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-020670</version><title>The Red Hat Enterprise Linux operating system must be configured so that all files and directories contained in local interactive user home directories are group-owned by a group of which the home directory owner is a member.</title><description>&lt;VulnDiscussion&gt;If a local interactive user's files are group-owned by a group of which the user is not a member, unintended users may be able to access them.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-72025</ident><ident system="http://cyber.mil/legacy">SV-86649</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4596r88609_fix">Change the group of a local interactive user's files and directories to a group that the interactive user is a member of. To change the group owner of a local interactive user's files and directories, use the following command:
++If any files are found with an owner different than the home directory user, this is a finding.</check-content></check></Rule></Group><Group id="V-204472"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204472r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-020670</version><title>The Red Hat Enterprise Linux operating system must be configured so that all files and directories contained in local interactive user home directories are group-owned by a group of which the home directory owner is a member.</title><description>&lt;VulnDiscussion&gt;If a local interactive user's files are group-owned by a group of which the user is not a member, unintended users may be able to access them.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86649</ident><ident system="http://cyber.mil/legacy">V-72025</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4596r88609_fix">Change the group of a local interactive user's files and directories to a group that the interactive user is a member of. To change the group owner of a local interactive user's files and directories, use the following command:
+ 
+ Note: The example will be for the user smithj, who has a home directory of "/home/smithj" and is a member of the users group.
+ 
+@@ -1614,7 +1614,7 @@ If any files are found with an owner different than the group home directory use
+ sa:x:100:juan,shelley,bob,smithj 
+ smithj:x:521:smithj
+ 
+-If the user is not a member of a group that group owns file(s) in a local interactive user's home directory, this is a finding.</check-content></check></Rule></Group><Group id="V-204473"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204473r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-020680</version><title>The Red Hat Enterprise Linux operating system must be configured so that all files and directories contained in local interactive user home directories have a mode of 0750 or less permissive.</title><description>&lt;VulnDiscussion&gt;If a local interactive user files have excessive permissions, unintended users may be able to access or modify them.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-72027</ident><ident system="http://cyber.mil/legacy">SV-86651</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4597r88612_fix">Set the mode on files and directories in the local interactive user home directory with the following command:
++If the user is not a member of a group that group owns file(s) in a local interactive user's home directory, this is a finding.</check-content></check></Rule></Group><Group id="V-204473"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204473r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-020680</version><title>The Red Hat Enterprise Linux operating system must be configured so that all files and directories contained in local interactive user home directories have a mode of 0750 or less permissive.</title><description>&lt;VulnDiscussion&gt;If a local interactive user files have excessive permissions, unintended users may be able to access or modify them.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86651</ident><ident system="http://cyber.mil/legacy">V-72027</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4597r88612_fix">Set the mode on files and directories in the local interactive user home directory with the following command:
+ 
+ Note: The example will be for the user smithj, who has a home directory of "/home/smithj" and is a member of the users group.
+ 
+@@ -1631,18 +1631,18 @@ Note: The example will be for the user "smithj", who has a home directory of "/h
+ -rwxr----- 1 smithj smithj 193 Mar  5 17:06 file2
+ -rw-r-x--- 1 smithj smithj 231 Mar  5 17:06 file3
+ 
+-If any files are found with a mode more permissive than "0750", this is a finding.</check-content></check></Rule></Group><Group id="V-204474"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204474r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-020690</version><title>The Red Hat Enterprise Linux operating system must be configured so that all local initialization files for interactive users are owned by the home directory user or root.</title><description>&lt;VulnDiscussion&gt;Local initialization files are used to configure the user's shell environment upon logon. Malicious modification of these files could compromise accounts upon logon.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86653</ident><ident system="http://cyber.mil/legacy">V-72029</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4598r462464_fix">Set the owner of the local initialization files for interactive users to either the directory owner or root with the following command:
++If any files are found with a mode more permissive than "0750", this is a finding.</check-content></check></Rule></Group><Group id="V-204474"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204474r603834_rule" weight="10.0" severity="medium"><version>RHEL-07-020690</version><title>The Red Hat Enterprise Linux operating system must be configured so that all local initialization files for interactive users are owned by the home directory user or root.</title><description>&lt;VulnDiscussion&gt;Local initialization files are used to configure the user's shell environment upon logon. Malicious modification of these files could compromise accounts upon logon.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-72029</ident><ident system="http://cyber.mil/legacy">SV-86653</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4598r462464_fix">Set the owner of the local initialization files for interactive users to either the directory owner or root with the following command:
+ 
+ Note: The example will be for the smithj user, who has a home directory of "/home/smithj".
+ 
+-# chown smithj /home/smithj/.[^.]*</fixtext><fix id="F-4598r462464_fix" /><check system="C-4598r462463_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the local initialization files of all local interactive users are owned by that user.
++# chown smithj /home/smithj/.[^.]*</fixtext><fix id="F-4598r462464_fix" /><check system="C-4598r603833_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the local initialization files of all local interactive users are owned by that user.
+ 
+ Check the home directory assignment for all non-privileged users on the system with the following command:
+ 
+ Note: The example will be for the smithj user, who has a home directory of "/home/smithj".
+ 
+-# cut -d: -f 1,3,6 /etc/passwd | egrep ":[1-4][0-9]{3}"
+-smithj:1000:/home/smithj
++# awk -F: '($3&gt;=1000)&amp;&amp;($7 !~ /nologin/){print $1, $3, $6}' /etc/passwd
++smithj 1000 /home/smithj
+ 
+ Note: This may miss interactive users that have been assigned a privileged User Identifier (UID). Evidence of interactive use may be obtained from a number of log files containing system logon information.
+ 
+@@ -1654,18 +1654,18 @@ Check the owner of all local interactive user's initialization files with the fo
+ -rwxr-xr-x 1 smithj users 497 Jan 6 2007 .login
+ -rwxr-xr-x 1 smithj users 886 Jan 6 2007 .something
+ 
+-If all local interactive user's initialization files are not owned by that user or root, this is a finding.</check-content></check></Rule></Group><Group id="V-204475"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204475r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-020700</version><title>The Red Hat Enterprise Linux operating system must be configured so that all local initialization files for local interactive users are be group-owned by the users primary group or root.</title><description>&lt;VulnDiscussion&gt;Local initialization files for interactive users are used to configure the user's shell environment upon logon. Malicious modification of these files could compromise accounts upon logon.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86655</ident><ident system="http://cyber.mil/legacy">V-72031</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4599r88618_fix">Change the group owner of a local interactive user's files to the group found in "/etc/passwd" for the user. To change the group owner of a local interactive user's home directory, use the following command:
++If all local interactive user's initialization files are not owned by that user or root, this is a finding.</check-content></check></Rule></Group><Group id="V-204475"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204475r603836_rule" weight="10.0" severity="medium"><version>RHEL-07-020700</version><title>The Red Hat Enterprise Linux operating system must be configured so that all local initialization files for local interactive users are be group-owned by the users primary group or root.</title><description>&lt;VulnDiscussion&gt;Local initialization files for interactive users are used to configure the user's shell environment upon logon. Malicious modification of these files could compromise accounts upon logon.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-72031</ident><ident system="http://cyber.mil/legacy">SV-86655</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4599r88618_fix">Change the group owner of a local interactive user's files to the group found in "/etc/passwd" for the user. To change the group owner of a local interactive user's home directory, use the following command:
+ 
+ Note: The example will be for the user smithj, who has a home directory of "/home/smithj", and has a primary group of users.
+ 
+-# chgrp users /home/smithj/.[^.]*</fixtext><fix id="F-4599r88618_fix" /><check system="C-4599r88617_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the local initialization files of all local interactive users are group-owned by that user's primary Group Identifier (GID).
++# chgrp users /home/smithj/.[^.]*</fixtext><fix id="F-4599r88618_fix" /><check system="C-4599r603835_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the local initialization files of all local interactive users are group-owned by that user's primary Group Identifier (GID).
+ 
+ Check the home directory assignment for all non-privileged users on the system with the following command:
+ 
+ Note: The example will be for the smithj user, who has a home directory of "/home/smithj" and a primary group of "users".
+ 
+-# cut -d: -f 1,4,6 /etc/passwd | egrep ":[1-4][0-9]{3}"
+-smithj:1000:/home/smithj
++# awk -F: '($4&gt;=1000)&amp;&amp;($7 !~ /nologin/){print $1, $4, $6}' /etc/passwd
++smithj 1000 /home/smithj
+ 
+ # grep 1000 /etc/group
+ users:x:1000:smithj,jonesj,jacksons 
+@@ -1680,7 +1680,7 @@ Check the group owner of all local interactive user's initialization files with
+ -rwxr-xr-x 1 smithj users 497 Jan 6 2007 .login
+ -rwxr-xr-x 1 smithj users 886 Jan 6 2007 .something
+ 
+-If all local interactive user's initialization files are not group-owned by that user's primary GID, this is a finding.</check-content></check></Rule></Group><Group id="V-204476"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204476r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-020710</version><title>The Red Hat Enterprise Linux operating system must be configured so that all local initialization files have mode 0740 or less permissive.</title><description>&lt;VulnDiscussion&gt;Local initialization files are used to configure the user's shell environment upon logon. Malicious modification of these files could compromise accounts upon logon.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86657</ident><ident system="http://cyber.mil/legacy">V-72033</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4600r88621_fix">Set the mode of the local initialization files to "0740" with the following command:
++If all local interactive user's initialization files are not group-owned by that user's primary GID, this is a finding.</check-content></check></Rule></Group><Group id="V-204476"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204476r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-020710</version><title>The Red Hat Enterprise Linux operating system must be configured so that all local initialization files have mode 0740 or less permissive.</title><description>&lt;VulnDiscussion&gt;Local initialization files are used to configure the user's shell environment upon logon. Malicious modification of these files could compromise accounts upon logon.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86657</ident><ident system="http://cyber.mil/legacy">V-72033</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4600r88621_fix">Set the mode of the local initialization files to "0740" with the following command:
+ 
+ Note: The example will be for the "smithj" user, who has a home directory of "/home/smithj".
+ 
+@@ -1696,7 +1696,7 @@ Note: The example will be for the "smithj" user, who has a home directory of "/h
+ -rwxr----- 1 smithj users 497 Jan 6 2007 .login
+ -rwxr----- 1 smithj users 886 Jan 6 2007 .something
+ 
+-If any local initialization files have a mode more permissive than "0740", this is a finding.</check-content></check></Rule></Group><Group id="V-204477"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204477r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-020720</version><title>The Red Hat Enterprise Linux operating system must be configured so that all local interactive user initialization files executable search paths contain only paths that resolve to the users home directory.</title><description>&lt;VulnDiscussion&gt;The executable search path (typically the PATH environment variable) contains a list of directories for the shell to search to find executables. If this path includes the current working directory (other than the user's home directory), executables in these directories may be executed instead of system commands. This variable is formatted as a colon-separated list of directories. If there is an empty entry, such as a leading or trailing colon or two consecutive colons, this is interpreted as the current working directory. If deviations from the default system search path for the local interactive user are required, they must be documented with the Information System Security Officer (ISSO).&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-72035</ident><ident system="http://cyber.mil/legacy">SV-86659</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4601r88624_fix">Edit the local interactive user initialization files to change any PATH variable statements that reference directories other than their home directory. 
++If any local initialization files have a mode more permissive than "0740", this is a finding.</check-content></check></Rule></Group><Group id="V-204477"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204477r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-020720</version><title>The Red Hat Enterprise Linux operating system must be configured so that all local interactive user initialization files executable search paths contain only paths that resolve to the users home directory.</title><description>&lt;VulnDiscussion&gt;The executable search path (typically the PATH environment variable) contains a list of directories for the shell to search to find executables. If this path includes the current working directory (other than the user's home directory), executables in these directories may be executed instead of system commands. This variable is formatted as a colon-separated list of directories. If there is an empty entry, such as a leading or trailing colon or two consecutive colons, this is interpreted as the current working directory. If deviations from the default system search path for the local interactive user are required, they must be documented with the Information System Security Officer (ISSO).&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86659</ident><ident system="http://cyber.mil/legacy">V-72035</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4601r88624_fix">Edit the local interactive user initialization files to change any PATH variable statements that reference directories other than their home directory. 
+ 
+ If a local interactive user requires path variables to reference a directory owned by the application, it must be documented with the ISSO.</fixtext><fix id="F-4601r88624_fix" /><check system="C-4601r88623_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify that all local interactive user initialization files' executable search path statements do not contain statements that will reference a working directory other than the users' home directory.
+ 
+@@ -1708,7 +1708,7 @@ Note: The example will be for the smithj user, which has a home directory of "/h
+ /home/smithj/.bash_profile:PATH=$PATH:$HOME/.local/bin:$HOME/bin
+ /home/smithj/.bash_profile:export PATH
+ 
+-If any local interactive user initialization files have executable search path statements that include directories outside of their home directory, this is a finding.</check-content></check></Rule></Group><Group id="V-204478"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204478r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-020730</version><title>The Red Hat Enterprise Linux operating system must be configured so that local initialization files do not execute world-writable programs.</title><description>&lt;VulnDiscussion&gt;If user start-up files execute world-writable programs, especially in unprotected directories, they could be maliciously modified to destroy user files or otherwise compromise the system at the user level. If the system is compromised at the user level, it is easier to elevate privileges to eventually compromise the system at the root and network level.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86661</ident><ident system="http://cyber.mil/legacy">V-72037</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4602r88627_fix">Set the mode on files being executed by the local initialization files with the following command:
++If any local interactive user initialization files have executable search path statements that include directories outside of their home directory, this is a finding.</check-content></check></Rule></Group><Group id="V-204478"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204478r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-020730</version><title>The Red Hat Enterprise Linux operating system must be configured so that local initialization files do not execute world-writable programs.</title><description>&lt;VulnDiscussion&gt;If user start-up files execute world-writable programs, especially in unprotected directories, they could be maliciously modified to destroy user files or otherwise compromise the system at the user level. If the system is compromised at the user level, it is easier to elevate privileges to eventually compromise the system at the root and network level.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86661</ident><ident system="http://cyber.mil/legacy">V-72037</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4602r88627_fix">Set the mode on files being executed by the local initialization files with the following command:
+ 
+ # chmod 0755 &lt;file&gt;</fixtext><fix id="F-4602r88627_fix" /><check system="C-4602r88626_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify that local initialization files do not execute world-writable programs.
+ 
+@@ -1722,7 +1722,7 @@ Note: The example will be for a system that is configured to create users' home
+ 
+ # grep &lt;file&gt; /home/*/.*
+ 
+-If any local initialization files are found to reference world-writable files, this is a finding.</check-content></check></Rule></Group><Group id="V-204479"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204479r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-020900</version><title>The Red Hat Enterprise Linux operating system must be configured so that all system device files are correctly labeled to prevent unauthorized modification.</title><description>&lt;VulnDiscussion&gt;If an unauthorized or modified device is allowed to exist on the system, there is the possibility the system may perform unintended or unauthorized operations.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86663</ident><ident system="http://cyber.mil/legacy">V-72039</ident><ident system="http://cyber.mil/cci">CCI-000318</ident><ident system="http://cyber.mil/cci">CCI-001814</ident><ident system="http://cyber.mil/cci">CCI-001813</ident><ident system="http://cyber.mil/cci">CCI-000368</ident><ident system="http://cyber.mil/cci">CCI-001812</ident><fixtext fixref="F-4603r88630_fix">Run the following command to determine which package owns the device file:
++If any local initialization files are found to reference world-writable files, this is a finding.</check-content></check></Rule></Group><Group id="V-204479"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204479r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-020900</version><title>The Red Hat Enterprise Linux operating system must be configured so that all system device files are correctly labeled to prevent unauthorized modification.</title><description>&lt;VulnDiscussion&gt;If an unauthorized or modified device is allowed to exist on the system, there is the possibility the system may perform unintended or unauthorized operations.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86663</ident><ident system="http://cyber.mil/legacy">V-72039</ident><ident system="http://cyber.mil/cci">CCI-000368</ident><ident system="http://cyber.mil/cci">CCI-001813</ident><ident system="http://cyber.mil/cci">CCI-001814</ident><ident system="http://cyber.mil/cci">CCI-001812</ident><ident system="http://cyber.mil/cci">CCI-000318</ident><fixtext fixref="F-4603r88630_fix">Run the following command to determine which package owns the device file:
+ 
+ # rpm -qf &lt;filename&gt;
+ 
+@@ -1744,15 +1744,15 @@ Note: Device files are normally found under "/dev", but applications may place d
+ 
+ Note: There are device files, such as "/dev/vmci", that are used when the operating system is a host virtual machine. They will not be owned by a user on the system and require the "device_t" label to operate. These device files are not a finding.
+ 
+-If there is output from either of these commands, other than already noted, this is a finding.</check-content></check></Rule></Group><Group id="V-204480"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204480r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-021000</version><title>The Red Hat Enterprise Linux operating system must be configured so that file systems containing user home directories are mounted to prevent files with the setuid and setgid bit set from being executed.</title><description>&lt;VulnDiscussion&gt;The "nosuid" mount option causes the system to not execute setuid and setgid files with owner privileges. This option must be used for mounting any file system not containing approved setuid and setguid files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86665</ident><ident system="http://cyber.mil/legacy">V-72041</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4604r88633_fix">Configure the "/etc/fstab" to use the "nosuid" option on file systems that contain user home directories.</fixtext><fix id="F-4604r88633_fix" /><check system="C-4604r88632_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify file systems that contain user home directories are mounted with the "nosuid" option.
++If there is output from either of these commands, other than already noted, this is a finding.</check-content></check></Rule></Group><Group id="V-204480"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204480r603838_rule" weight="10.0" severity="medium"><version>RHEL-07-021000</version><title>The Red Hat Enterprise Linux operating system must be configured so that file systems containing user home directories are mounted to prevent files with the setuid and setgid bit set from being executed.</title><description>&lt;VulnDiscussion&gt;The "nosuid" mount option causes the system to not execute setuid and setgid files with owner privileges. This option must be used for mounting any file system not containing approved setuid and setguid files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86665</ident><ident system="http://cyber.mil/legacy">V-72041</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4604r88633_fix">Configure the "/etc/fstab" to use the "nosuid" option on file systems that contain user home directories.</fixtext><fix id="F-4604r88633_fix" /><check system="C-4604r603837_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify file systems that contain user home directories are mounted with the "nosuid" option.
+ 
+ Find the file system(s) that contain the user home directories with the following command:
+ 
+ Note: If a separate file system has not been created for the user home directories (user home directories are mounted under "/"), this is not a finding as the "nosuid" option cannot be used on the "/" system.
+ 
+-# cut -d: -f 1,3,6 /etc/passwd | egrep ":[1-4][0-9]{3}"
+-smithj:1001:/home/smithj
+-thomasr:1002:/home/thomasr
++# awk -F: '($3&gt;=1000)&amp;&amp;($7 !~ /nologin/){print $1, $3, $6}' /etc/passwd
++smithj 1001 /home/smithj
++thomasr 1002 /home/thomasr
+ 
+ Check the file systems that are mounted at boot time with the following command:
+ 
+@@ -1760,7 +1760,7 @@ Check the file systems that are mounted at boot time with the following command:
+ 
+ UUID=a411dc99-f2a1-4c87-9e05-184977be8539 /home   ext4   rw,relatime,discard,data=ordered,nosuid 0 2
+                                                             
+-If a file system found in "/etc/fstab" refers to the user home directory file system and it does not have the "nosuid" option set, this is a finding.</check-content></check></Rule></Group><Group id="V-204481"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204481r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-021010</version><title>The Red Hat Enterprise Linux operating system must prevent files with the setuid and setgid bit set from being executed on file systems that are used with removable media.</title><description>&lt;VulnDiscussion&gt;The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86667</ident><ident system="http://cyber.mil/legacy">V-72043</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4605r88636_fix">Configure the "/etc/fstab" to use the "nosuid" option on file systems that are associated with removable media.</fixtext><fix id="F-4605r88636_fix" /><check system="C-4605r88635_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify file systems that are used for removable media are mounted with the "nosuid" option.
++If a file system found in "/etc/fstab" refers to the user home directory file system and it does not have the "nosuid" option set, this is a finding.</check-content></check></Rule></Group><Group id="V-204481"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204481r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-021010</version><title>The Red Hat Enterprise Linux operating system must prevent files with the setuid and setgid bit set from being executed on file systems that are used with removable media.</title><description>&lt;VulnDiscussion&gt;The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86667</ident><ident system="http://cyber.mil/legacy">V-72043</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4605r88636_fix">Configure the "/etc/fstab" to use the "nosuid" option on file systems that are associated with removable media.</fixtext><fix id="F-4605r88636_fix" /><check system="C-4605r88635_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify file systems that are used for removable media are mounted with the "nosuid" option.
+ 
+ Check the file systems that are mounted at boot time with the following command:
+ 
+@@ -1768,7 +1768,7 @@ Check the file systems that are mounted at boot time with the following command:
+ 
+ UUID=2bc871e4-e2a3-4f29-9ece-3be60c835222 /mnt/usbflash vfat noauto,owner,ro,nosuid 0 0
+ 
+-If a file system found in "/etc/fstab" refers to removable media and it does not have the "nosuid" option set, this is a finding.</check-content></check></Rule></Group><Group id="V-204482"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204482r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-021020</version><title>The Red Hat Enterprise Linux operating system must prevent files with the setuid and setgid bit set from being executed on file systems that are being imported via Network File System (NFS).</title><description>&lt;VulnDiscussion&gt;The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86669</ident><ident system="http://cyber.mil/legacy">V-72045</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4606r88639_fix">Configure the "/etc/fstab" to use the "nosuid" option on file systems that are being imported via NFS.</fixtext><fix id="F-4606r88639_fix" /><check system="C-4606r88638_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify file systems that are being NFS imported are configured with the "nosuid" option.
++If a file system found in "/etc/fstab" refers to removable media and it does not have the "nosuid" option set, this is a finding.</check-content></check></Rule></Group><Group id="V-204482"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204482r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-021020</version><title>The Red Hat Enterprise Linux operating system must prevent files with the setuid and setgid bit set from being executed on file systems that are being imported via Network File System (NFS).</title><description>&lt;VulnDiscussion&gt;The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86669</ident><ident system="http://cyber.mil/legacy">V-72045</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4606r88639_fix">Configure the "/etc/fstab" to use the "nosuid" option on file systems that are being imported via NFS.</fixtext><fix id="F-4606r88639_fix" /><check system="C-4606r88638_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify file systems that are being NFS imported are configured with the "nosuid" option.
+ 
+ Find the file system(s) that contain the directories being exported with the following command:
+ 
+@@ -1781,7 +1781,7 @@ If a file system found in "/etc/fstab" refers to NFS and it does not have the "n
+ Verify the NFS is mounted with the "nosuid" option:
+ 
+ # mount | grep nfs | grep nosuid
+-If no results are returned, this is a finding.</check-content></check></Rule></Group><Group id="V-204483"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204483r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-021021</version><title>The Red Hat Enterprise Linux operating system must prevent binary files from being executed on file systems that are being imported via Network File System (NFS).</title><description>&lt;VulnDiscussion&gt;The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-87813</ident><ident system="http://cyber.mil/legacy">V-73161</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4607r88642_fix">Configure the "/etc/fstab" to use the "noexec" option on file systems that are being imported via NFS.</fixtext><fix id="F-4607r88642_fix" /><check system="C-4607r88641_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify file systems that are being NFS imported are configured with the "noexec" option.
++If no results are returned, this is a finding.</check-content></check></Rule></Group><Group id="V-204483"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204483r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-021021</version><title>The Red Hat Enterprise Linux operating system must prevent binary files from being executed on file systems that are being imported via Network File System (NFS).</title><description>&lt;VulnDiscussion&gt;The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-87813</ident><ident system="http://cyber.mil/legacy">V-73161</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4607r88642_fix">Configure the "/etc/fstab" to use the "noexec" option on file systems that are being imported via NFS.</fixtext><fix id="F-4607r88642_fix" /><check system="C-4607r88641_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify file systems that are being NFS imported are configured with the "noexec" option.
+ 
+ Find the file system(s) that contain the directories being imported with the following command:
+ 
+@@ -1794,11 +1794,11 @@ If a file system found in "/etc/fstab" refers to NFS and it does not have the "n
+ Verify the NFS is mounted with the "noexec"option:
+ 
+ # mount | grep nfs | grep noexec
+-If no results are returned and use of NFS imported binaries is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.</check-content></check></Rule></Group><Group id="V-204486"><title>SRG-OS-000368-GPOS-00154</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204486r505924_rule" weight="10.0" severity="low"><version>RHEL-07-021024</version><title>The Red Hat Enterprise Linux operating system must mount /dev/shm with secure options.</title><description>&lt;VulnDiscussion&gt;The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.
++If no results are returned and use of NFS imported binaries is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.</check-content></check></Rule></Group><Group id="V-204486"><title>SRG-OS-000368-GPOS-00154</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204486r603261_rule" weight="10.0" severity="low"><version>RHEL-07-021024</version><title>The Red Hat Enterprise Linux operating system must mount /dev/shm with secure options.</title><description>&lt;VulnDiscussion&gt;The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.
+ 
+ The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.
+ 
+-The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-95725</ident><ident system="http://cyber.mil/legacy">V-81013</ident><ident system="http://cyber.mil/cci">CCI-001764</ident><fixtext fixref="F-4610r462553_fix">Configure the system so that /dev/shm is mounted with the "nodev", "nosuid", and "noexec" options by adding /modifying the /etc/fstab with the following line:
++The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-81013</ident><ident system="http://cyber.mil/legacy">SV-95725</ident><ident system="http://cyber.mil/cci">CCI-001764</ident><fixtext fixref="F-4610r462553_fix">Configure the system so that /dev/shm is mounted with the "nodev", "nosuid", and "noexec" options by adding /modifying the /etc/fstab with the following line:
+ 
+ tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0</fixtext><fix id="F-4610r462553_fix" /><check system="C-4610r462552_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify that the "nodev","nosuid", and "noexec" options are configured for /dev/shm:
+ 
+@@ -1814,13 +1814,13 @@ Verify "/dev/shm" is mounted with the "nodev", "nosuid", and "noexec" options:
+ 
+ tmpfs on /dev/shm type tmpfs (rw,nodev,nosuid,noexec,seclabel)
+ 
+-If /dev/shm is mounted without secure options "nodev", "nosuid", and "noexec", this is a finding.</check-content></check></Rule></Group><Group id="V-204487"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204487r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-021030</version><title>The Red Hat Enterprise Linux operating system must be configured so that all world-writable directories are group-owned by root, sys, bin, or an application group.</title><description>&lt;VulnDiscussion&gt;If a world-writable directory has the sticky bit set and is not group-owned by root, sys, bin, or an application Group Identifier (GID), unauthorized users may be able to modify files created by others.
++If /dev/shm is mounted without secure options "nodev", "nosuid", and "noexec", this is a finding.</check-content></check></Rule></Group><Group id="V-204487"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204487r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-021030</version><title>The Red Hat Enterprise Linux operating system must be configured so that all world-writable directories are group-owned by root, sys, bin, or an application group.</title><description>&lt;VulnDiscussion&gt;If a world-writable directory has the sticky bit set and is not group-owned by root, sys, bin, or an application Group Identifier (GID), unauthorized users may be able to modify files created by others.
+ 
+-The only authorized public directories are those temporary directories supplied with the system or those designed to be temporary file repositories. The setting is normally reserved for directories used by the system and by users for temporary file storage, (e.g., /tmp), and for directories requiring global read/write access.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-72047</ident><ident system="http://cyber.mil/legacy">SV-86671</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4611r499388_fix">All directories in local partitions which are world-writable should be group-owned by root or another system account. If any world-writable directories are not group-owned by a system account, this should be investigated. Following this, the directories should be deleted or assigned to an appropriate group.</fixtext><fix id="F-4611r499388_fix" /><check system="C-4611r499387_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>The following command will discover and print world-writable directories that are not group-owned by a system account, assuming only system accounts have a GID lower than 1000. Run it once for each local partition [PART]: 
++The only authorized public directories are those temporary directories supplied with the system or those designed to be temporary file repositories. The setting is normally reserved for directories used by the system and by users for temporary file storage, (e.g., /tmp), and for directories requiring global read/write access.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86671</ident><ident system="http://cyber.mil/legacy">V-72047</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-36308r602634_fix">All directories in local partitions which are world-writable should be group-owned by root or another system account. If any world-writable directories are not group-owned by a system account, this should be investigated. Following this, the directories should be deleted or assigned to an appropriate group.</fixtext><fix id="F-36308r602634_fix" /><check system="C-36345r602633_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>The following command will discover and print world-writable directories that are not group-owned by a system account, assuming only system accounts have a GID lower than 1000. Run it once for each local partition [PART]: 
+ 
+ # find [PART] -xdev -type d -perm -0002 -gid +999 -print
+ 
+-If there is output, this is a finding.</check-content></check></Rule></Group><Group id="V-204488"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204488r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-021040</version><title>The Red Hat Enterprise Linux operating system must set the umask value to 077 for all local interactive user accounts.</title><description>&lt;VulnDiscussion&gt;The umask controls the default access mode assigned to newly created files. A umask of 077 limits new files to mode 700 or less permissive. Although umask can be represented as a four-digit number, the first digit representing special access modes is typically ignored or required to be "0". This requirement applies to the globally configured system defaults and the local interactive user defaults for each account on the system.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-72049</ident><ident system="http://cyber.mil/legacy">SV-86673</ident><ident system="http://cyber.mil/cci">CCI-000318</ident><ident system="http://cyber.mil/cci">CCI-000368</ident><ident system="http://cyber.mil/cci">CCI-001813</ident><ident system="http://cyber.mil/cci">CCI-001812</ident><ident system="http://cyber.mil/cci">CCI-001814</ident><fixtext fixref="F-4612r88657_fix">Remove the umask statement from all local interactive user's initialization files. 
++If there is output, this is a finding.</check-content></check></Rule></Group><Group id="V-204488"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204488r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-021040</version><title>The Red Hat Enterprise Linux operating system must set the umask value to 077 for all local interactive user accounts.</title><description>&lt;VulnDiscussion&gt;The umask controls the default access mode assigned to newly created files. A umask of 077 limits new files to mode 700 or less permissive. Although umask can be represented as a four-digit number, the first digit representing special access modes is typically ignored or required to be "0". This requirement applies to the globally configured system defaults and the local interactive user defaults for each account on the system.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86673</ident><ident system="http://cyber.mil/legacy">V-72049</ident><ident system="http://cyber.mil/cci">CCI-000318</ident><ident system="http://cyber.mil/cci">CCI-000368</ident><ident system="http://cyber.mil/cci">CCI-001813</ident><ident system="http://cyber.mil/cci">CCI-001814</ident><ident system="http://cyber.mil/cci">CCI-001812</ident><fixtext fixref="F-4612r88657_fix">Remove the umask statement from all local interactive user's initialization files. 
+ 
+ If the account is for an application, the requirement for a umask less restrictive than "077" can be documented with the Information System Security Officer, but the user agreement for access to the account must specify that the local interactive user must log on to their account first and then switch the user to the application account with the correct option to gain the account's environment variables.</fixtext><fix id="F-4612r88657_fix" /><check system="C-4612r88656_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify that the default umask for all local interactive users is "077".
+ 
+@@ -1832,7 +1832,7 @@ Note: The example is for a system that is configured to create users home direct
+ 
+ # grep -i umask /home/*/.*
+ 
+-If any local interactive user initialization files are found to have a umask statement that has a value less restrictive than "077", this is a finding.</check-content></check></Rule></Group><Group id="V-204489"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204489r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-021100</version><title>The Red Hat Enterprise Linux operating system must have cron logging implemented.</title><description>&lt;VulnDiscussion&gt;Cron logging can be used to trace the successful or unsuccessful execution of cron jobs. It can also be used to spot intrusions into the use of the cron facility by unauthorized and malicious users.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-72051</ident><ident system="http://cyber.mil/legacy">SV-86675</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4613r88660_fix">Configure "rsyslog" to log all cron messages by adding or updating the following line to "/etc/rsyslog.conf" or a configuration file in the /etc/rsyslog.d/ directory:
++If any local interactive user initialization files are found to have a umask statement that has a value less restrictive than "077", this is a finding.</check-content></check></Rule></Group><Group id="V-204489"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204489r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-021100</version><title>The Red Hat Enterprise Linux operating system must have cron logging implemented.</title><description>&lt;VulnDiscussion&gt;Cron logging can be used to trace the successful or unsuccessful execution of cron jobs. It can also be used to spot intrusions into the use of the cron facility by unauthorized and malicious users.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86675</ident><ident system="http://cyber.mil/legacy">V-72051</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4613r88660_fix">Configure "rsyslog" to log all cron messages by adding or updating the following line to "/etc/rsyslog.conf" or a configuration file in the /etc/rsyslog.d/ directory:
+ 
+ cron.* /var/log/cron.log</fixtext><fix id="F-4613r88660_fix" /><check system="C-4613r88659_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify that "rsyslog" is configured to log cron events.
+ 
+@@ -1849,7 +1849,7 @@ Look for the following entry:
+ 
+ *.* /var/log/messages
+ 
+-If "rsyslog" is not logging messages for the cron facility or all facilities, this is a finding.</check-content></check></Rule></Group><Group id="V-204490"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204490r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-021110</version><title>The Red Hat Enterprise Linux operating system must be configured so that the cron.allow file, if it exists, is owned by root.</title><description>&lt;VulnDiscussion&gt;If the owner of the "cron.allow" file is not set to root, the possibility exists for an unauthorized user to view or to edit sensitive information.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-72053</ident><ident system="http://cyber.mil/legacy">SV-86677</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4614r88663_fix">Set the owner on the "/etc/cron.allow" file to root with the following command:
++If "rsyslog" is not logging messages for the cron facility or all facilities, this is a finding.</check-content></check></Rule></Group><Group id="V-204490"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204490r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-021110</version><title>The Red Hat Enterprise Linux operating system must be configured so that the cron.allow file, if it exists, is owned by root.</title><description>&lt;VulnDiscussion&gt;If the owner of the "cron.allow" file is not set to root, the possibility exists for an unauthorized user to view or to edit sensitive information.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86677</ident><ident system="http://cyber.mil/legacy">V-72053</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4614r88663_fix">Set the owner on the "/etc/cron.allow" file to root with the following command:
+ 
+ # chown root /etc/cron.allow</fixtext><fix id="F-4614r88663_fix" /><check system="C-4614r88662_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify that the "cron.allow" file is owned by root.
+ 
+@@ -1858,7 +1858,7 @@ Check the owner of the "cron.allow" file with the following command:
+ # ls -al /etc/cron.allow
+ -rw------- 1 root root 6 Mar  5  2011 /etc/cron.allow
+ 
+-If the "cron.allow" file exists and has an owner other than root, this is a finding.</check-content></check></Rule></Group><Group id="V-204491"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204491r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-021120</version><title>The Red Hat Enterprise Linux operating system must be configured so that the cron.allow file, if it exists, is group-owned by root.</title><description>&lt;VulnDiscussion&gt;If the group owner of the "cron.allow" file is not set to root, sensitive information could be viewed or edited by unauthorized users.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86679</ident><ident system="http://cyber.mil/legacy">V-72055</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4615r88666_fix">Set the group owner on the "/etc/cron.allow" file to root with the following command:
++If the "cron.allow" file exists and has an owner other than root, this is a finding.</check-content></check></Rule></Group><Group id="V-204491"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204491r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-021120</version><title>The Red Hat Enterprise Linux operating system must be configured so that the cron.allow file, if it exists, is group-owned by root.</title><description>&lt;VulnDiscussion&gt;If the group owner of the "cron.allow" file is not set to root, sensitive information could be viewed or edited by unauthorized users.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86679</ident><ident system="http://cyber.mil/legacy">V-72055</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4615r88666_fix">Set the group owner on the "/etc/cron.allow" file to root with the following command:
+ 
+ # chgrp root /etc/cron.allow</fixtext><fix id="F-4615r88666_fix" /><check system="C-4615r88665_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify that the "cron.allow" file is group-owned by root.
+ 
+@@ -1867,7 +1867,7 @@ Check the group owner of the "cron.allow" file with the following command:
+ # ls -al /etc/cron.allow
+ -rw------- 1 root root 6 Mar  5  2011 /etc/cron.allow
+ 
+-If the "cron.allow" file exists and has a group owner other than root, this is a finding.</check-content></check></Rule></Group><Group id="V-204492"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204492r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-021300</version><title>The Red Hat Enterprise Linux operating system must disable Kernel core dumps unless needed.</title><description>&lt;VulnDiscussion&gt;Kernel core dumps may contain the full contents of system memory at the time of the crash. Kernel core dumps may consume a considerable amount of disk space and may result in denial of service by exhausting the available space on the target file system partition.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86681</ident><ident system="http://cyber.mil/legacy">V-72057</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4616r88669_fix">If kernel core dumps are not required, disable the "kdump" service with the following command:
++If the "cron.allow" file exists and has a group owner other than root, this is a finding.</check-content></check></Rule></Group><Group id="V-204492"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204492r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-021300</version><title>The Red Hat Enterprise Linux operating system must disable Kernel core dumps unless needed.</title><description>&lt;VulnDiscussion&gt;Kernel core dumps may contain the full contents of system memory at the time of the crash. Kernel core dumps may consume a considerable amount of disk space and may result in denial of service by exhausting the available space on the target file system partition.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86681</ident><ident system="http://cyber.mil/legacy">V-72057</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4616r88669_fix">If kernel core dumps are not required, disable the "kdump" service with the following command:
+ 
+ # systemctl disable kdump.service
+ 
+@@ -1884,15 +1884,15 @@ kernel arming.
+ 
+ If the "kdump" service is active, ask the System Administrator if the use of the service is required and documented with the Information System Security Officer (ISSO).
+ 
+-If the service is active and is not documented, this is a finding.</check-content></check></Rule></Group><Group id="V-204493"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204493r505924_rule" weight="10.0" severity="low"><version>RHEL-07-021310</version><title>The Red Hat Enterprise Linux operating system must be configured so that a separate file system is used for user home directories (such as /home or an equivalent).</title><description>&lt;VulnDiscussion&gt;The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-72059</ident><ident system="http://cyber.mil/legacy">SV-86683</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4617r88672_fix">Migrate the "/home" directory onto a separate file system/partition.</fixtext><fix id="F-4617r88672_fix" /><check system="C-4617r88671_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify that a separate file system/partition has been created for non-privileged local interactive user home directories.
++If the service is active and is not documented, this is a finding.</check-content></check></Rule></Group><Group id="V-204493"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204493r603840_rule" weight="10.0" severity="low"><version>RHEL-07-021310</version><title>The Red Hat Enterprise Linux operating system must be configured so that a separate file system is used for user home directories (such as /home or an equivalent).</title><description>&lt;VulnDiscussion&gt;The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86683</ident><ident system="http://cyber.mil/legacy">V-72059</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4617r88672_fix">Migrate the "/home" directory onto a separate file system/partition.</fixtext><fix id="F-4617r88672_fix" /><check system="C-4617r603839_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify that a separate file system/partition has been created for non-privileged local interactive user home directories.
+ 
+-Check the home directory assignment for all non-privileged users (those with a UID greater than 1000) on the system with the following command:
++Check the home directory assignment for all non-privileged users (those with a UID of 1000 or greater) on the system with the following command:
+ 
+-#cut -d: -f 1,3,6,7 /etc/passwd | egrep ":[1-4][0-9]{3}" | tr ":" "\t"
++# awk -F: '($3&gt;=1000)&amp;&amp;($7 !~ /nologin/){print $1, $3, $6, $7}' /etc/passwd
+ 
+-adamsj /home/adamsj /bin/bash
+-jacksonm /home/jacksonm /bin/bash
+-smithj /home/smithj /bin/bash
++adamsj 1000 /home/adamsj /bin/bash
++jacksonm 1001 /home/jacksonm /bin/bash
++smithj 1002 /home/smithj /bin/bash
+ 
+ The output of the command will give the directory/partition that contains the home directories for the non-privileged users on the system (in this example, /home) and users' shell. All accounts with a valid shell (such as /bin/bash) are considered interactive users.
+ 
+@@ -1903,14 +1903,14 @@ Note: The partition of /home is used in the example.
+ # grep /home /etc/fstab
+ UUID=333ada18    /home                   ext4    noatime,nobarrier,nodev  1 2
+ 
+-If a separate entry for the file system/partition that contains the non-privileged interactive users' home directories does not exist, this is a finding.</check-content></check></Rule></Group><Group id="V-204494"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204494r505924_rule" weight="10.0" severity="low"><version>RHEL-07-021320</version><title>The Red Hat Enterprise Linux operating system must use a separate file system for /var.</title><description>&lt;VulnDiscussion&gt;The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-72061</ident><ident system="http://cyber.mil/legacy">SV-86685</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4618r88675_fix">Migrate the "/var" path onto a separate file system.</fixtext><fix id="F-4618r88675_fix" /><check system="C-4618r88674_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify that a separate file system/partition has been created for "/var".
++If a separate entry for the file system/partition that contains the non-privileged interactive users' home directories does not exist, this is a finding.</check-content></check></Rule></Group><Group id="V-204494"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204494r603261_rule" weight="10.0" severity="low"><version>RHEL-07-021320</version><title>The Red Hat Enterprise Linux operating system must use a separate file system for /var.</title><description>&lt;VulnDiscussion&gt;The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86685</ident><ident system="http://cyber.mil/legacy">V-72061</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4618r88675_fix">Migrate the "/var" path onto a separate file system.</fixtext><fix id="F-4618r88675_fix" /><check system="C-4618r88674_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify that a separate file system/partition has been created for "/var".
+ 
+ Check that a file system/partition has been created for "/var" with the following command:
+ 
+ # grep /var /etc/fstab
+ UUID=c274f65f    /var                    ext4    noatime,nobarrier        1 2
+ 
+-If a separate entry for "/var" is not in use, this is a finding.</check-content></check></Rule></Group><Group id="V-204495"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204495r505924_rule" weight="10.0" severity="low"><version>RHEL-07-021330</version><title>The Red Hat Enterprise Linux operating system must use a separate file system for the system audit data path.</title><description>&lt;VulnDiscussion&gt;The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86687</ident><ident system="http://cyber.mil/legacy">V-72063</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4619r88678_fix">Migrate the system audit data path onto a separate file system.</fixtext><fix id="F-4619r88678_fix" /><check system="C-4619r88677_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Determine if the operating system is configured to have the "/var/log/audit" path is on a separate file system.
++If a separate entry for "/var" is not in use, this is a finding.</check-content></check></Rule></Group><Group id="V-204495"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204495r603261_rule" weight="10.0" severity="low"><version>RHEL-07-021330</version><title>The Red Hat Enterprise Linux operating system must use a separate file system for the system audit data path.</title><description>&lt;VulnDiscussion&gt;The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86687</ident><ident system="http://cyber.mil/legacy">V-72063</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4619r88678_fix">Migrate the system audit data path onto a separate file system.</fixtext><fix id="F-4619r88678_fix" /><check system="C-4619r88677_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Determine if the operating system is configured to have the "/var/log/audit" path is on a separate file system.
+ 
+ # grep /var/log/audit /etc/fstab
+ 
+@@ -1920,13 +1920,13 @@ Verify that "/var/log/audit" is mounted on a separate file system:
+ 
+ # mount | grep "/var/log/audit"
+ 
+-If no result is returned, or "/var/log/audit" is not on a separate file system, this is a finding.</check-content></check></Rule></Group><Group id="V-204496"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204496r505924_rule" weight="10.0" severity="low"><version>RHEL-07-021340</version><title>The Red Hat Enterprise Linux operating system must use a separate file system for /tmp (or equivalent).</title><description>&lt;VulnDiscussion&gt;The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86689</ident><ident system="http://cyber.mil/legacy">V-72065</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4620r499391_fix">Start the "tmp.mount" service with the following command:
++If no result is returned, or "/var/log/audit" is not on a separate file system, this is a finding.</check-content></check></Rule></Group><Group id="V-204496"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204496r603261_rule" weight="10.0" severity="low"><version>RHEL-07-021340</version><title>The Red Hat Enterprise Linux operating system must use a separate file system for /tmp (or equivalent).</title><description>&lt;VulnDiscussion&gt;The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86689</ident><ident system="http://cyber.mil/legacy">V-72065</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-36309r602637_fix">Start the "tmp.mount" service with the following command:
+ 
+ # systemctl enable tmp.mount
+    
+ OR
+ 
+-Edit the "/etc/fstab" file and ensure the "/tmp" directory is defined in the fstab with a device and mount point.</fixtext><fix id="F-4620r499391_fix" /><check system="C-4620r499390_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify that a separate file system/partition has been created for "/tmp".
++Edit the "/etc/fstab" file and ensure the "/tmp" directory is defined in the fstab with a device and mount point.</fixtext><fix id="F-36309r602637_fix" /><check system="C-36346r602636_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify that a separate file system/partition has been created for "/tmp".
+ 
+ Check that a file system/partition has been created for "/tmp" with the following command:
+ 
+@@ -1938,9 +1938,9 @@ If the "tmp.mount" service is not enabled, check to see if "/tmp" is defined in
+ # grep -i /tmp /etc/fstab
+ UUID=a411dc99-f2a1-4c87-9e05-184977be8539 /tmp   ext4   rw,relatime,discard,data=ordered,nosuid,noexec, 0 0
+ 
+-If "tmp.mount" service is not enabled or the "/tmp" directory is not defined in the fstab with a device and mount point, this is a finding. </check-content></check></Rule></Group><Group id="V-204497"><title>SRG-OS-000033-GPOS-00014</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204497r505924_rule" weight="10.0" severity="high"><version>RHEL-07-021350</version><title>The Red Hat Enterprise Linux operating system must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.</title><description>&lt;VulnDiscussion&gt;Use of weak or untested encryption algorithms undermines the purposes of using encryption to protect data. The operating system must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated.
++If "tmp.mount" service is not enabled or the "/tmp" directory is not defined in the fstab with a device and mount point, this is a finding. </check-content></check></Rule></Group><Group id="V-204497"><title>SRG-OS-000033-GPOS-00014</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204497r603261_rule" weight="10.0" severity="high"><version>RHEL-07-021350</version><title>The Red Hat Enterprise Linux operating system must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.</title><description>&lt;VulnDiscussion&gt;Use of weak or untested encryption algorithms undermines the purposes of using encryption to protect data. The operating system must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated.
+ 
+-Satisfies: SRG-OS-000033-GPOS-00014, SRG-OS-000185-GPOS-00079, SRG-OS-000396-GPOS-00176, SRG-OS-000405-GPOS-00184, SRG-OS-000478-GPOS-00223&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86691</ident><ident system="http://cyber.mil/legacy">V-72067</ident><ident system="http://cyber.mil/cci">CCI-001199</ident><ident system="http://cyber.mil/cci">CCI-000068</ident><ident system="http://cyber.mil/cci">CCI-002450</ident><ident system="http://cyber.mil/cci">CCI-002476</ident><fixtext fixref="F-4621r499418_fix">Configure the operating system to implement DoD-approved encryption by installing the dracut-fips package.
++Satisfies: SRG-OS-000033-GPOS-00014, SRG-OS-000185-GPOS-00079, SRG-OS-000396-GPOS-00176, SRG-OS-000405-GPOS-00184, SRG-OS-000478-GPOS-00223&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86691</ident><ident system="http://cyber.mil/legacy">V-72067</ident><ident system="http://cyber.mil/cci">CCI-001199</ident><ident system="http://cyber.mil/cci">CCI-000068</ident><ident system="http://cyber.mil/cci">CCI-002450</ident><ident system="http://cyber.mil/cci">CCI-002476</ident><fixtext fixref="F-36310r602640_fix">Configure the operating system to implement DoD-approved encryption by installing the dracut-fips package.
+ 
+ To enable strict FIPS compliance, the fips=1 kernel option needs to be added to the kernel command line during system installation so key generation is done with FIPS-approved algorithms and continuous monitoring tests in place.
+ 
+@@ -1991,7 +1991,7 @@ If the file /etc/system-fips does not exists, recreate it:
+ 
+ # touch /etc/ system-fips
+ 
+-Reboot the system for the changes to take effect.</fixtext><fix id="F-4621r499418_fix" /><check system="C-4621r499417_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the operating system implements DoD-approved encryption to protect the confidentiality of remote access sessions.
++Reboot the system for the changes to take effect.</fixtext><fix id="F-36310r602640_fix" /><check system="C-36347r602639_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the operating system implements DoD-approved encryption to protect the confidentiality of remote access sessions.
+ 
+ Check to see if the "dracut-fips" package is installed with the following command:
+ 
+@@ -2017,7 +2017,7 @@ Verify the file /etc/system-fips exists.
+ 
+ # ls -l /etc/system-fips
+ 
+-If this file does not exist, this is a finding.</check-content></check></Rule></Group><Group id="V-204498"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204498r505924_rule" weight="10.0" severity="low"><version>RHEL-07-021600</version><title>The Red Hat Enterprise Linux operating system must be configured so that the file integrity tool is configured to verify Access Control Lists (ACLs).</title><description>&lt;VulnDiscussion&gt;ACLs can provide permissions beyond those permitted through the file mode and must be verified by file integrity tools.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86693</ident><ident system="http://cyber.mil/legacy">V-72069</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4622r88687_fix">Configure the file integrity tool to check file and directory ACLs. 
++If this file does not exist, this is a finding.</check-content></check></Rule></Group><Group id="V-204498"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204498r603261_rule" weight="10.0" severity="low"><version>RHEL-07-021600</version><title>The Red Hat Enterprise Linux operating system must be configured so that the file integrity tool is configured to verify Access Control Lists (ACLs).</title><description>&lt;VulnDiscussion&gt;ACLs can provide permissions beyond those permitted through the file mode and must be verified by file integrity tools.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86693</ident><ident system="http://cyber.mil/legacy">V-72069</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4622r88687_fix">Configure the file integrity tool to check file and directory ACLs. 
+ 
+ If AIDE is installed, ensure the "acl" rule is present on all uncommented file and directory selection lists.</fixtext><fix id="F-4622r88687_fix" /><check system="C-4622r88686_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the file integrity tool is configured to verify ACLs.
+ 
+@@ -2043,7 +2043,7 @@ All= p+i+n+u+g+s+m+S+sha512+acl+xattrs+selinux
+ /bin All # apply the custom rule to the files in bin 
+ /sbin All # apply the same custom rule to the files in sbin 
+ 
+-If the "acl" rule is not being used on all uncommented selection lines in the "/etc/aide.conf" file, or ACLs are not being checked by another file integrity tool, this is a finding.</check-content></check></Rule></Group><Group id="V-204499"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204499r505924_rule" weight="10.0" severity="low"><version>RHEL-07-021610</version><title>The Red Hat Enterprise Linux operating system must be configured so that the file integrity tool is configured to verify extended attributes.</title><description>&lt;VulnDiscussion&gt;Extended attributes in file systems are used to contain arbitrary data and file metadata with security implications.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86695</ident><ident system="http://cyber.mil/legacy">V-72071</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4623r88690_fix">Configure the file integrity tool to check file and directory extended attributes. 
++If the "acl" rule is not being used on all uncommented selection lines in the "/etc/aide.conf" file, or ACLs are not being checked by another file integrity tool, this is a finding.</check-content></check></Rule></Group><Group id="V-204499"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204499r603261_rule" weight="10.0" severity="low"><version>RHEL-07-021610</version><title>The Red Hat Enterprise Linux operating system must be configured so that the file integrity tool is configured to verify extended attributes.</title><description>&lt;VulnDiscussion&gt;Extended attributes in file systems are used to contain arbitrary data and file metadata with security implications.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86695</ident><ident system="http://cyber.mil/legacy">V-72071</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4623r88690_fix">Configure the file integrity tool to check file and directory extended attributes. 
+ 
+ If AIDE is installed, ensure the "xattrs" rule is present on all uncommented file and directory selection lists.</fixtext><fix id="F-4623r88690_fix" /><check system="C-4623r88689_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the file integrity tool is configured to verify extended attributes.
+ 
+@@ -2069,7 +2069,7 @@ All= p+i+n+u+g+s+m+S+sha512+acl+xattrs+selinux
+ /bin All # apply the custom rule to the files in bin 
+ /sbin All # apply the same custom rule to the files in sbin 
+ 
+-If the "xattrs" rule is not being used on all uncommented selection lines in the "/etc/aide.conf" file, or extended attributes are not being checked by another file integrity tool, this is a finding.</check-content></check></Rule></Group><Group id="V-204500"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204500r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-021620</version><title>The Red Hat Enterprise Linux operating system must use a file integrity tool that is configured to use FIPS 140-2 approved cryptographic hashes for validating file contents and directories.</title><description>&lt;VulnDiscussion&gt;File integrity tools use cryptographic hashes for verifying file contents and directories have not been altered. These hashes must be FIPS 140-2 approved cryptographic hashes.
++If the "xattrs" rule is not being used on all uncommented selection lines in the "/etc/aide.conf" file, or extended attributes are not being checked by another file integrity tool, this is a finding.</check-content></check></Rule></Group><Group id="V-204500"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204500r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-021620</version><title>The Red Hat Enterprise Linux operating system must use a file integrity tool that is configured to use FIPS 140-2 approved cryptographic hashes for validating file contents and directories.</title><description>&lt;VulnDiscussion&gt;File integrity tools use cryptographic hashes for verifying file contents and directories have not been altered. These hashes must be FIPS 140-2 approved cryptographic hashes.
+ 
+ Red Hat Enterprise Linux operating system installation media ships with an optional file integrity tool called Advanced Intrusion Detection Environment (AIDE). AIDE is highly configurable at install time. This requirement assumes the "aide.conf" file is under the "/etc" directory.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86697</ident><ident system="http://cyber.mil/legacy">V-72073</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4624r462556_fix">Configure the file integrity tool to use FIPS 140-2 cryptographic hashes for validating file and directory contents. 
+ 
+@@ -2097,7 +2097,7 @@ All=p+i+n+u+g+s+m+S+sha512+acl+xattrs+selinux
+ /bin All # apply the custom rule to the files in bin 
+ /sbin All # apply the same custom rule to the files in sbin 
+ 
+-If the "sha512" rule is not being used on all uncommented selection lines in the "/etc/aide.conf" file, or another file integrity tool is not using FIPS 140-2 approved cryptographic hashes for validating file contents and directories, this is a finding.</check-content></check></Rule></Group><Group id="V-204501"><title>SRG-OS-000364-GPOS-00151</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204501r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-021700</version><title>The Red Hat Enterprise Linux operating system must not allow removable media to be used as the boot loader unless approved.</title><description>&lt;VulnDiscussion&gt;Malicious users with removable boot media can gain access to a system configured to use removable media as the boot loader. If removable media is designed to be used as the boot loader, the requirement must be documented with the Information System Security Officer (ISSO).&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86699</ident><ident system="http://cyber.mil/legacy">V-72075</ident><ident system="http://cyber.mil/cci">CCI-000368</ident><ident system="http://cyber.mil/cci">CCI-000318</ident><ident system="http://cyber.mil/cci">CCI-001813</ident><ident system="http://cyber.mil/cci">CCI-001814</ident><ident system="http://cyber.mil/cci">CCI-001812</ident><fixtext fixref="F-4625r88696_fix">Remove alternate methods of booting the system from removable media or document the configuration to boot from removable media with the ISSO.</fixtext><fix id="F-4625r88696_fix" /><check system="C-4625r88695_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the system is not configured to use a boot loader on removable media.
++If the "sha512" rule is not being used on all uncommented selection lines in the "/etc/aide.conf" file, or another file integrity tool is not using FIPS 140-2 approved cryptographic hashes for validating file contents and directories, this is a finding.</check-content></check></Rule></Group><Group id="V-204501"><title>SRG-OS-000364-GPOS-00151</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204501r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-021700</version><title>The Red Hat Enterprise Linux operating system must not allow removable media to be used as the boot loader unless approved.</title><description>&lt;VulnDiscussion&gt;Malicious users with removable boot media can gain access to a system configured to use removable media as the boot loader. If removable media is designed to be used as the boot loader, the requirement must be documented with the Information System Security Officer (ISSO).&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86699</ident><ident system="http://cyber.mil/legacy">V-72075</ident><ident system="http://cyber.mil/cci">CCI-000368</ident><ident system="http://cyber.mil/cci">CCI-001812</ident><ident system="http://cyber.mil/cci">CCI-001814</ident><ident system="http://cyber.mil/cci">CCI-001813</ident><ident system="http://cyber.mil/cci">CCI-000318</ident><fixtext fixref="F-4625r88696_fix">Remove alternate methods of booting the system from removable media or document the configuration to boot from removable media with the ISSO.</fixtext><fix id="F-4625r88696_fix" /><check system="C-4625r88695_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the system is not configured to use a boot loader on removable media.
+ 
+ Note: GRUB 2 reads its configuration from the "/boot/grub2/grub.cfg" file on traditional BIOS-based machines and from the "/boot/efi/EFI/redhat/grub.cfg" file on UEFI machines.
+ 
+@@ -2115,7 +2115,7 @@ Check that the grub configuration file has the set root command in each menu ent
+ # grep 'set root' /boot/grub2/grub.cfg
+ set root=(hd0,1)
+ 
+-If the system is using an alternate boot loader on removable media, and documentation does not exist approving the alternate configuration, this is a finding.</check-content></check></Rule></Group><Group id="V-204502"><title>SRG-OS-000095-GPOS-00049</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204502r505924_rule" weight="10.0" severity="high"><version>RHEL-07-021710</version><title>The Red Hat Enterprise Linux operating system must not have the telnet-server package installed.</title><description>&lt;VulnDiscussion&gt;It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
++If the system is using an alternate boot loader on removable media, and documentation does not exist approving the alternate configuration, this is a finding.</check-content></check></Rule></Group><Group id="V-204502"><title>SRG-OS-000095-GPOS-00049</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204502r603261_rule" weight="10.0" severity="high"><version>RHEL-07-021710</version><title>The Red Hat Enterprise Linux operating system must not have the telnet-server package installed.</title><description>&lt;VulnDiscussion&gt;It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.
+ 
+ Operating systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions).
+ 
+@@ -2131,30 +2131,30 @@ Check to see if the telnet-server package is installed with the following comman
+ 
+ # yum list installed telnet-server
+ 
+-If the telnet-server package is installed, this is a finding.</check-content></check></Rule></Group><Group id="V-204503"><title>SRG-OS-000038-GPOS-00016</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204503r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-030000</version><title>The Red Hat Enterprise Linux operating system must be configured so that auditing is configured to produce records containing information to establish what type of events occurred, where the events occurred, the source of the events, and the outcome of the events. These audit records must also identify individual identities of group account users.</title><description>&lt;VulnDiscussion&gt;Without establishing what type of events occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack.
++If the telnet-server package is installed, this is a finding.</check-content></check></Rule></Group><Group id="V-204503"><title>SRG-OS-000038-GPOS-00016</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204503r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-030000</version><title>The Red Hat Enterprise Linux operating system must be configured so that auditing is configured to produce records containing information to establish what type of events occurred, where the events occurred, the source of the events, and the outcome of the events. These audit records must also identify individual identities of group account users.</title><description>&lt;VulnDiscussion&gt;Without establishing what type of events occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack.
+ 
+ Audit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked.
+ 
+ Associating event types with detected events in the operating system audit logs provides a means of investigating an attack; recognizing resource utilization or capacity thresholds; or identifying an improperly configured operating system.
+ 
+-Satisfies: SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000042-GPOS-00021, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86703</ident><ident system="http://cyber.mil/legacy">V-72079</ident><ident system="http://cyber.mil/cci">CCI-000131</ident><ident system="http://cyber.mil/cci">CCI-000126</ident><fixtext fixref="F-4627r499421_fix">Configure the operating system to produce audit records containing information to establish when (date and time) the events occurred.
++Satisfies: SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000042-GPOS-00021, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86703</ident><ident system="http://cyber.mil/legacy">V-72079</ident><ident system="http://cyber.mil/cci">CCI-000126</ident><ident system="http://cyber.mil/cci">CCI-000131</ident><fixtext fixref="F-36311r602643_fix">Configure the operating system to produce audit records containing information to establish when (date and time) the events occurred.
+ 
+ Enable the auditd service with the following command:
+ 
+-# systemctl start auditd.service</fixtext><fix id="F-4627r499421_fix" /><check system="C-4627r499420_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the operating system produces audit records containing information to establish when (date and time) the events occurred.
++# systemctl start auditd.service</fixtext><fix id="F-36311r602643_fix" /><check system="C-36348r602642_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the operating system produces audit records containing information to establish when (date and time) the events occurred.
+ 
+ Check to see if auditing is active by issuing the following command:
+ 
+ # systemctl is-active auditd.service
+ active
+ 
+-If the "auditd" status is not active, this is a finding.</check-content></check></Rule></Group><Group id="V-204504"><title>SRG-OS-000046-GPOS-00022</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204504r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-030010</version><title>The Red Hat Enterprise Linux operating system must shut down upon audit processing failure, unless availability is an overriding concern. If availability is a concern, the system must alert the designated staff (System Administrator [SA] and Information System Security Officer [ISSO] at a minimum) in the event of an audit processing failure.</title><description>&lt;VulnDiscussion&gt;It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notification, the security personnel may be unaware of an impending failure of the audit capability, and system operation may be adversely affected.
++If the "auditd" status is not active, this is a finding.</check-content></check></Rule></Group><Group id="V-204504"><title>SRG-OS-000046-GPOS-00022</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204504r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-030010</version><title>The Red Hat Enterprise Linux operating system must shut down upon audit processing failure, unless availability is an overriding concern. If availability is a concern, the system must alert the designated staff (System Administrator [SA] and Information System Security Officer [ISSO] at a minimum) in the event of an audit processing failure.</title><description>&lt;VulnDiscussion&gt;It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notification, the security personnel may be unaware of an impending failure of the audit capability, and system operation may be adversely affected.
+ 
+ Audit processing failures include software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded.
+ 
+ This requirement applies to each audit data storage repository (i.e., distinct information system component where audit records are stored), the centralized audit storage capacity of organizations (i.e., all audit data storage repositories combined), or both.
+ 
+-Satisfies: SRG-OS-000046-GPOS-00022, SRG-OS-000047-GPOS-00023&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86705</ident><ident system="http://cyber.mil/legacy">V-72081</ident><ident system="http://cyber.mil/cci">CCI-000139</ident><fixtext fixref="F-4628r462467_fix">Configure the operating system to shut down in the event of an audit processing failure.
++Satisfies: SRG-OS-000046-GPOS-00022, SRG-OS-000047-GPOS-00023&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-72081</ident><ident system="http://cyber.mil/legacy">SV-86705</ident><ident system="http://cyber.mil/cci">CCI-000139</ident><fixtext fixref="F-4628r462467_fix">Configure the operating system to shut down in the event of an audit processing failure.
+ 
+ Add or correct the option to shut down the operating system with the following command:
+ 
+@@ -2188,7 +2188,7 @@ If the "failure" setting is set to any value other than "1" or "2", this is a fi
+ 
+ If the "failure" setting is not set, this should be upgraded to a CAT I finding.
+ 
+-If the "failure" setting is set to "1" but the availability concern is not documented or there is no monitoring of the kernel log, this should be downgraded to a CAT III finding.</check-content></check></Rule></Group><Group id="V-204506"><title>SRG-OS-000342-GPOS-00133</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204506r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-030201</version><title>The Red Hat Enterprise Linux operating system must be configured to off-load audit logs onto a different system or storage media from the system being audited.</title><description>&lt;VulnDiscussion&gt;Information stored in one location is vulnerable to accidental or incidental deletion or alteration.
++If the "failure" setting is set to "1" but the availability concern is not documented or there is no monitoring of the kernel log, this should be downgraded to a CAT III finding.</check-content></check></Rule></Group><Group id="V-204506"><title>SRG-OS-000342-GPOS-00133</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204506r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-030201</version><title>The Red Hat Enterprise Linux operating system must be configured to off-load audit logs onto a different system or storage media from the system being audited.</title><description>&lt;VulnDiscussion&gt;Information stored in one location is vulnerable to accidental or incidental deletion or alteration.
+ 
+ Off-loading is a common process in information systems with limited audit storage capacity.
+ 
+@@ -2214,19 +2214,19 @@ format = string
+ 
+ If "active" is not set to "yes", "direction" is not set to "out", "path" is not set to "/sbin/audisp-remote", "type" is not set to "always", or any of the lines are commented out, ask the System Administrator to indicate how the audit logs are off-loaded to a different system or storage media.
+ 
+-If there is no evidence that the system is configured to off-load audit logs to a different system or storage media, this is a finding.</check-content></check></Rule></Group><Group id="V-204507"><title>SRG-OS-000342-GPOS-00133</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204507r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-030210</version><title>The Red Hat Enterprise Linux operating system must take appropriate action when the remote logging buffer is full.</title><description>&lt;VulnDiscussion&gt;Information stored in one location is vulnerable to accidental or incidental deletion or alteration.
++If there is no evidence that the system is configured to off-load audit logs to a different system or storage media, this is a finding.</check-content></check></Rule></Group><Group id="V-204507"><title>SRG-OS-000342-GPOS-00133</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204507r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-030210</version><title>The Red Hat Enterprise Linux operating system must take appropriate action when the remote logging buffer is full.</title><description>&lt;VulnDiscussion&gt;Information stored in one location is vulnerable to accidental or incidental deletion or alteration.
+ 
+ Off-loading is a common process in information systems with limited audit storage capacity.
+ 
+ One method of off-loading audit logs in Red Hat Enterprise Linux is with the use of the audisp-remote dameon.  When the remote buffer is full, audit logs will not be collected and sent to the central log server.
+ 
+-Satisfies: SRG-OS-000342-GPOS-00133, SRG-OS-000479-GPOS-00224&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-81019</ident><ident system="http://cyber.mil/legacy">SV-95731</ident><ident system="http://cyber.mil/cci">CCI-001851</ident><fixtext fixref="F-4631r499400_fix">Edit the /etc/audisp/audispd.conf file and add or update the "overflow_action" option:
++Satisfies: SRG-OS-000342-GPOS-00133, SRG-OS-000479-GPOS-00224&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-81019</ident><ident system="http://cyber.mil/legacy">SV-95731</ident><ident system="http://cyber.mil/cci">CCI-001851</ident><fixtext fixref="F-36312r602646_fix">Edit the /etc/audisp/audispd.conf file and add or update the "overflow_action" option:
+ 
+ overflow_action = syslog
+ 
+ The audit daemon must be restarted for changes to take effect:
+ 
+-# service auditd restart</fixtext><fix id="F-4631r499400_fix" /><check system="C-4631r499399_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the audisp daemon is configured to take an appropriate action when the internal queue is full:
++# service auditd restart</fixtext><fix id="F-36312r602646_fix" /><check system="C-36349r602645_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the audisp daemon is configured to take an appropriate action when the internal queue is full:
+ 
+ # grep "overflow_action" /etc/audisp/audispd.conf
+ 
+@@ -2234,19 +2234,19 @@ overflow_action = syslog
+ 
+ If the "overflow_action" option is not "syslog", "single", or "halt", or the line is commented out, ask the System Administrator to indicate how the audit logs are off-loaded to a different system or storage media, and to indicate what action that system takes when the internal queue is full.
+ 
+-If there is no evidence the system is configured to off-load audit logs to a different system or storage media or, if the configuration does not take appropriate action when the internal queue is full, this is a finding.</check-content></check></Rule></Group><Group id="V-204508"><title>SRG-OS-000342-GPOS-00133</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204508r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-030211</version><title>The Red Hat Enterprise Linux operating system must label all off-loaded audit logs before sending them to the central log server.</title><description>&lt;VulnDiscussion&gt;Information stored in one location is vulnerable to accidental or incidental deletion or alteration.
++If there is no evidence the system is configured to off-load audit logs to a different system or storage media or, if the configuration does not take appropriate action when the internal queue is full, this is a finding.</check-content></check></Rule></Group><Group id="V-204508"><title>SRG-OS-000342-GPOS-00133</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204508r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-030211</version><title>The Red Hat Enterprise Linux operating system must label all off-loaded audit logs before sending them to the central log server.</title><description>&lt;VulnDiscussion&gt;Information stored in one location is vulnerable to accidental or incidental deletion or alteration.
+ 
+ Off-loading is a common process in information systems with limited audit storage capacity.
+ 
+ One method of off-loading audit logs in Red Hat Enterprise Linux is with the use of the audisp-remote dameon.  When audit logs are not labeled before they are sent to a central log server, the audit data will not be able to be analyzed and tied back to the correct system.
+ 
+-Satisfies: SRG-OS-000342-GPOS-00133, SRG-OS-000479-GPOS-00224&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-95733</ident><ident system="http://cyber.mil/legacy">V-81021</ident><ident system="http://cyber.mil/cci">CCI-001851</ident><fixtext fixref="F-4632r499403_fix">Edit the /etc/audisp/audispd.conf file and add or update the "name_format" option:
++Satisfies: SRG-OS-000342-GPOS-00133, SRG-OS-000479-GPOS-00224&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-95733</ident><ident system="http://cyber.mil/legacy">V-81021</ident><ident system="http://cyber.mil/cci">CCI-001851</ident><fixtext fixref="F-36313r602649_fix">Edit the /etc/audisp/audispd.conf file and add or update the "name_format" option:
+ 
+ name_format = hostname
+ 
+ The audit daemon must be restarted for changes to take effect:
+ 
+-# service auditd restart</fixtext><fix id="F-4632r499403_fix" /><check system="C-4632r499402_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the audisp daemon is configured to label all off-loaded audit logs:
++# service auditd restart</fixtext><fix id="F-36313r602649_fix" /><check system="C-36350r602648_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the audisp daemon is configured to label all off-loaded audit logs:
+ 
+ # grep "name_format" /etc/audisp/audispd.conf
+ 
+@@ -2254,11 +2254,11 @@ name_format = hostname
+ 
+ If the "name_format" option is not "hostname", "fqd", or "numeric", or the line is commented out, ask the System Administrator to indicate how the audit logs are off-loaded to a different system or storage media, and to indicate if the logs are labeled appropriately.
+ 
+-If there is no evidence that the system is configured to off-load audit logs to a different system or storage media, or if the configuration does not appropriately label logs before they are off-loaded, this is a finding.</check-content></check></Rule></Group><Group id="V-204509"><title>SRG-OS-000342-GPOS-00133</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204509r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-030300</version><title>The Red Hat Enterprise Linux operating system must off-load audit records onto a different system or media from the system being audited.</title><description>&lt;VulnDiscussion&gt;Information stored in one location is vulnerable to accidental or incidental deletion or alteration.
++If there is no evidence that the system is configured to off-load audit logs to a different system or storage media, or if the configuration does not appropriately label logs before they are off-loaded, this is a finding.</check-content></check></Rule></Group><Group id="V-204509"><title>SRG-OS-000342-GPOS-00133</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204509r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-030300</version><title>The Red Hat Enterprise Linux operating system must off-load audit records onto a different system or media from the system being audited.</title><description>&lt;VulnDiscussion&gt;Information stored in one location is vulnerable to accidental or incidental deletion or alteration.
+ 
+ Off-loading is a common process in information systems with limited audit storage capacity.
+ 
+-Satisfies: SRG-OS-000342-GPOS-00133, SRG-OS-000479-GPOS-00224&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-72083</ident><ident system="http://cyber.mil/legacy">SV-86707</ident><ident system="http://cyber.mil/cci">CCI-001851</ident><fixtext fixref="F-4633r88720_fix">Configure the operating system to off-load audit records onto a different system or media from the system being audited.
++Satisfies: SRG-OS-000342-GPOS-00133, SRG-OS-000479-GPOS-00224&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86707</ident><ident system="http://cyber.mil/legacy">V-72083</ident><ident system="http://cyber.mil/cci">CCI-001851</ident><fixtext fixref="F-4633r88720_fix">Configure the operating system to off-load audit records onto a different system or media from the system being audited.
+ 
+ Set the remote server option in "/etc/audisp/audisp-remote.conf" with the IP address of the log aggregation server.</fixtext><fix id="F-4633r88720_fix" /><check system="C-4633r88719_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the operating system off-loads audit records onto a different system or media from the system being audited.
+ 
+@@ -2269,11 +2269,11 @@ remote_server = 10.0.21.1
+ 
+ If a remote server is not configured, or the line is commented out, ask the System Administrator to indicate how the audit logs are off-loaded to a different system or media. 
+ 
+-If there is no evidence that the audit logs are being off-loaded to another system or media, this is a finding.</check-content></check></Rule></Group><Group id="V-204510"><title>SRG-OS-000342-GPOS-00133</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204510r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-030310</version><title>The Red Hat Enterprise Linux operating system must encrypt the transfer of audit records off-loaded onto a different system or media from the system being audited.</title><description>&lt;VulnDiscussion&gt;Information stored in one location is vulnerable to accidental or incidental deletion or alteration.
++If there is no evidence that the audit logs are being off-loaded to another system or media, this is a finding.</check-content></check></Rule></Group><Group id="V-204510"><title>SRG-OS-000342-GPOS-00133</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204510r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-030310</version><title>The Red Hat Enterprise Linux operating system must encrypt the transfer of audit records off-loaded onto a different system or media from the system being audited.</title><description>&lt;VulnDiscussion&gt;Information stored in one location is vulnerable to accidental or incidental deletion or alteration.
+ 
+ Off-loading is a common process in information systems with limited audit storage capacity.
+ 
+-Satisfies: SRG-OS-000342-GPOS-00133, SRG-OS-000479-GPOS-00224&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-72085</ident><ident system="http://cyber.mil/legacy">SV-86709</ident><ident system="http://cyber.mil/cci">CCI-001851</ident><fixtext fixref="F-4634r88723_fix">Configure the operating system to encrypt the transfer of off-loaded audit records onto a different system or media from the system being audited.
++Satisfies: SRG-OS-000342-GPOS-00133, SRG-OS-000479-GPOS-00224&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86709</ident><ident system="http://cyber.mil/legacy">V-72085</ident><ident system="http://cyber.mil/cci">CCI-001851</ident><fixtext fixref="F-4634r88723_fix">Configure the operating system to encrypt the transfer of off-loaded audit records onto a different system or media from the system being audited.
+ 
+ Uncomment the "enable_krb5" option in "/etc/audisp/audisp-remote.conf" and set it with the following line:
+ 
+@@ -2286,12 +2286,12 @@ enable_krb5 = yes
+ 
+ If the value of the "enable_krb5" option is not set to "yes" or the line is commented out, ask the System Administrator to indicate how the audit logs are off-loaded to a different system or media. 
+ 
+-If there is no evidence that the transfer of the audit logs being off-loaded to another system or media is encrypted, this is a finding.</check-content></check></Rule></Group><Group id="V-204511"><title>SRG-OS-000342-GPOS-00133</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204511r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-030320</version><title>The Red Hat Enterprise Linux operating system must be configured so that the audit system takes appropriate action when the audit storage volume is full.</title><description>&lt;VulnDiscussion&gt;Taking appropriate action in case of a filled audit storage volume will minimize the possibility of losing audit records.
+-One method of off-loading audit logs in Red Hat Enterprise Linux is with the use of the audisp-remote dameon.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-72087</ident><ident system="http://cyber.mil/legacy">SV-86711</ident><ident system="http://cyber.mil/cci">CCI-001851</ident><fixtext fixref="F-4635r499406_fix">Configure the action the operating system takes if the disk the audit records are written to becomes full.
++If there is no evidence that the transfer of the audit logs being off-loaded to another system or media is encrypted, this is a finding.</check-content></check></Rule></Group><Group id="V-204511"><title>SRG-OS-000342-GPOS-00133</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204511r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-030320</version><title>The Red Hat Enterprise Linux operating system must be configured so that the audit system takes appropriate action when the audit storage volume is full.</title><description>&lt;VulnDiscussion&gt;Taking appropriate action in case of a filled audit storage volume will minimize the possibility of losing audit records.
++One method of off-loading audit logs in Red Hat Enterprise Linux is with the use of the audisp-remote dameon.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-72087</ident><ident system="http://cyber.mil/legacy">SV-86711</ident><ident system="http://cyber.mil/cci">CCI-001851</ident><fixtext fixref="F-36314r602652_fix">Configure the action the operating system takes if the disk the audit records are written to becomes full.
+ 
+ Uncomment or edit the "disk_full_action" option in "/etc/audisp/audisp-remote.conf" and set it to "syslog", "single", or "halt", such as the following line:
+ 
+-disk_full_action = single</fixtext><fix id="F-4635r499406_fix" /><check system="C-4635r499405_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the action the operating system takes if the disk the audit records are written to becomes full.
++disk_full_action = single</fixtext><fix id="F-36314r602652_fix" /><check system="C-36351r602651_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the action the operating system takes if the disk the audit records are written to becomes full.
+ 
+ To determine the action that takes place if the disk is full on the remote server, use the following command:
+ 
+@@ -2300,12 +2300,12 @@ disk_full_action = single
+ 
+ If the value of the "disk_full_action" option is not "syslog", "single", or "halt", or the line is commented out, ask the System Administrator to indicate how the audit logs are off-loaded to a different system or storage media, and to indicate the action taken when the disk is full on the remote server.
+ 
+-If there is no evidence that the system is configured to off-load audit logs to a different system or storage media, or if the configuration does not take appropriate action when the disk is full on the remote server, this is a finding.</check-content></check></Rule></Group><Group id="V-204512"><title>SRG-OS-000342-GPOS-00133</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204512r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-030321</version><title>The Red Hat Enterprise Linux operating system must be configured so that the audit system takes appropriate action when there is an error sending audit records to a remote system.</title><description>&lt;VulnDiscussion&gt;Taking appropriate action when there is an error sending audit records to a remote system will minimize the possibility of losing audit records.
+-One method of off-loading audit logs in Red Hat Enterprise Linux is with the use of the audisp-remote dameon.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-73163</ident><ident system="http://cyber.mil/legacy">SV-87815</ident><ident system="http://cyber.mil/cci">CCI-001851</ident><fixtext fixref="F-4636r499409_fix">Configure the action the operating system takes if there is an error sending audit records to a remote system.
++If there is no evidence that the system is configured to off-load audit logs to a different system or storage media, or if the configuration does not take appropriate action when the disk is full on the remote server, this is a finding.</check-content></check></Rule></Group><Group id="V-204512"><title>SRG-OS-000342-GPOS-00133</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204512r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-030321</version><title>The Red Hat Enterprise Linux operating system must be configured so that the audit system takes appropriate action when there is an error sending audit records to a remote system.</title><description>&lt;VulnDiscussion&gt;Taking appropriate action when there is an error sending audit records to a remote system will minimize the possibility of losing audit records.
++One method of off-loading audit logs in Red Hat Enterprise Linux is with the use of the audisp-remote dameon.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-87815</ident><ident system="http://cyber.mil/legacy">V-73163</ident><ident system="http://cyber.mil/cci">CCI-001851</ident><fixtext fixref="F-36315r602655_fix">Configure the action the operating system takes if there is an error sending audit records to a remote system.
+ 
+ Uncomment the "network_failure_action" option in "/etc/audisp/audisp-remote.conf" and set it to "syslog", "single", or "halt".
+ 
+-network_failure_action = syslog</fixtext><fix id="F-4636r499409_fix" /><check system="C-4636r499408_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the action the operating system takes if there is an error sending audit records to a remote system.
++network_failure_action = syslog</fixtext><fix id="F-36315r602655_fix" /><check system="C-36352r602654_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the action the operating system takes if there is an error sending audit records to a remote system.
+ 
+ Check the action that takes place if there is an error sending audit records to a remote system with the following command:
+ 
+@@ -2314,7 +2314,7 @@ network_failure_action = syslog
+ 
+ If the value of the "network_failure_action" option is not "syslog", "single", or "halt", or the line is commented out, ask the System Administrator to indicate how the audit logs are off-loaded to a different system or storage media, and to indicate the action taken if there is an error sending audit records to the remote system.
+ 
+-If there is no evidence that the system is configured to off-load audit logs to a different system or storage media, or if the configuration does not take appropriate action if there is an error sending audit records to the remote system, this is a finding.</check-content></check></Rule></Group><Group id="V-204513"><title>SRG-OS-000343-GPOS-00134</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204513r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-030330</version><title>The Red Hat Enterprise Linux operating system must initiate an action to notify the System Administrator (SA) and Information System Security Officer ISSO, at a minimum, when allocated audit record storage volume reaches 75% of the repository maximum audit record storage capacity.</title><description>&lt;VulnDiscussion&gt;If security personnel are not notified immediately when storage volume reaches 75 percent utilization, they are unable to plan for audit record storage capacity expansion.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-72089</ident><ident system="http://cyber.mil/legacy">SV-86713</ident><ident system="http://cyber.mil/cci">CCI-001855</ident><fixtext fixref="F-4637r88732_fix">Configure the operating system to initiate an action to notify the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity.
++If there is no evidence that the system is configured to off-load audit logs to a different system or storage media, or if the configuration does not take appropriate action if there is an error sending audit records to the remote system, this is a finding.</check-content></check></Rule></Group><Group id="V-204513"><title>SRG-OS-000343-GPOS-00134</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204513r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-030330</version><title>The Red Hat Enterprise Linux operating system must initiate an action to notify the System Administrator (SA) and Information System Security Officer ISSO, at a minimum, when allocated audit record storage volume reaches 75% of the repository maximum audit record storage capacity.</title><description>&lt;VulnDiscussion&gt;If security personnel are not notified immediately when storage volume reaches 75 percent utilization, they are unable to plan for audit record storage capacity expansion.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86713</ident><ident system="http://cyber.mil/legacy">V-72089</ident><ident system="http://cyber.mil/cci">CCI-001855</ident><fixtext fixref="F-4637r88732_fix">Configure the operating system to initiate an action to notify the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity.
+ 
+ Check the system configuration to determine the partition the audit records are being written to: 
+ 
+@@ -2346,7 +2346,7 @@ Determine what the threshold is for the system to take action when 75 percent of
+ # grep -iw space_left /etc/audit/auditd.conf
+ space_left = 225 
+ 
+-If the value of the "space_left" keyword is not set to 25 percent of the total partition size, this is a finding.</check-content></check></Rule></Group><Group id="V-204514"><title>SRG-OS-000343-GPOS-00134</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204514r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-030340</version><title>The Red Hat Enterprise Linux operating system must immediately notify the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) via email when the threshold for the repository maximum audit record storage capacity is reached.</title><description>&lt;VulnDiscussion&gt;If security personnel are not notified immediately when the threshold for the repository maximum audit record storage capacity is reached, they are unable to expand the audit record storage capacity before records are lost.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-72091</ident><ident system="http://cyber.mil/legacy">SV-86715</ident><ident system="http://cyber.mil/cci">CCI-001855</ident><fixtext fixref="F-4638r88735_fix">Configure the operating system to immediately notify the SA and ISSO (at a minimum) when the threshold for the repository maximum audit record storage capacity is reached.
++If the value of the "space_left" keyword is not set to 25 percent of the total partition size, this is a finding.</check-content></check></Rule></Group><Group id="V-204514"><title>SRG-OS-000343-GPOS-00134</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204514r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-030340</version><title>The Red Hat Enterprise Linux operating system must immediately notify the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) via email when the threshold for the repository maximum audit record storage capacity is reached.</title><description>&lt;VulnDiscussion&gt;If security personnel are not notified immediately when the threshold for the repository maximum audit record storage capacity is reached, they are unable to expand the audit record storage capacity before records are lost.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86715</ident><ident system="http://cyber.mil/legacy">V-72091</ident><ident system="http://cyber.mil/cci">CCI-001855</ident><fixtext fixref="F-4638r88735_fix">Configure the operating system to immediately notify the SA and ISSO (at a minimum) when the threshold for the repository maximum audit record storage capacity is reached.
+ 
+ Uncomment or edit the "space_left_action" keyword in "/etc/audit/auditd.conf" and set it to "email". 
+  
+@@ -2357,7 +2357,7 @@ Check what action the operating system takes when the threshold for the reposito
+ # grep -i space_left_action  /etc/audit/auditd.conf
+ space_left_action = email
+ 
+-If the value of the "space_left_action" keyword is not set to "email", this is a finding.</check-content></check></Rule></Group><Group id="V-204515"><title>SRG-OS-000343-GPOS-00134</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204515r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-030350</version><title>The Red Hat Enterprise Linux operating system must immediately notify the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) when the threshold for the repository maximum audit record storage capacity is reached.</title><description>&lt;VulnDiscussion&gt;If security personnel are not notified immediately when the threshold for the repository maximum audit record storage capacity is reached, they are unable to expand the audit record storage capacity before records are lost.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-72093</ident><ident system="http://cyber.mil/legacy">SV-86717</ident><ident system="http://cyber.mil/cci">CCI-001855</ident><fixtext fixref="F-4639r88738_fix">Configure the operating system to immediately notify the SA and ISSO (at a minimum) when the threshold for the repository maximum audit record storage capacity is reached.
++If the value of the "space_left_action" keyword is not set to "email", this is a finding.</check-content></check></Rule></Group><Group id="V-204515"><title>SRG-OS-000343-GPOS-00134</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204515r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-030350</version><title>The Red Hat Enterprise Linux operating system must immediately notify the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) when the threshold for the repository maximum audit record storage capacity is reached.</title><description>&lt;VulnDiscussion&gt;If security personnel are not notified immediately when the threshold for the repository maximum audit record storage capacity is reached, they are unable to expand the audit record storage capacity before records are lost.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86717</ident><ident system="http://cyber.mil/legacy">V-72093</ident><ident system="http://cyber.mil/cci">CCI-001855</ident><fixtext fixref="F-4639r88738_fix">Configure the operating system to immediately notify the SA and ISSO (at a minimum) when the threshold for the repository maximum audit record storage capacity is reached.
+ 
+ Uncomment or edit the "action_mail_acct" keyword in "/etc/audit/auditd.conf" and set it to root and any other accounts associated with security personnel. 
+  
+@@ -2368,7 +2368,7 @@ Check what account the operating system emails when the threshold for the reposi
+ # grep -i action_mail_acct  /etc/audit/auditd.conf
+ action_mail_acct = root
+ 
+-If the value of the "action_mail_acct" keyword is not set to "root" and other accounts for security personnel, this is a finding.</check-content></check></Rule></Group><Group id="V-204516"><title>SRG-OS-000327-GPOS-00127</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204516r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-030360</version><title>The Red Hat Enterprise Linux operating system must audit all executions of privileged functions.</title><description>&lt;VulnDiscussion&gt;Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised information system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider threats and the advanced persistent threat.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-72095</ident><ident system="http://cyber.mil/legacy">SV-86719</ident><ident system="http://cyber.mil/cci">CCI-002234</ident><fixtext fixref="F-4640r88741_fix">Configure the operating system to audit the execution of privileged functions.
++If the value of the "action_mail_acct" keyword is not set to "root" and other accounts for security personnel, this is a finding.</check-content></check></Rule></Group><Group id="V-204516"><title>SRG-OS-000327-GPOS-00127</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204516r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-030360</version><title>The Red Hat Enterprise Linux operating system must audit all executions of privileged functions.</title><description>&lt;VulnDiscussion&gt;Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised information system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider threats and the advanced persistent threat.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86719</ident><ident system="http://cyber.mil/legacy">V-72095</ident><ident system="http://cyber.mil/cci">CCI-002234</ident><fixtext fixref="F-4640r88741_fix">Configure the operating system to audit the execution of privileged functions.
+ 
+ Add or update the following rules in "/etc/audit/rules.d/audit.rules":
+ 
+@@ -2389,13 +2389,13 @@ The audit daemon must be restarted for the changes to take effect.</fixtext><fix
+ 
+ If both the "b32" and "b64" audit rules for "SUID" files are not defined, this is a finding.
+ 
+-If both the "b32" and "b64" audit rules for "SGID" files are not defined, this is a finding.</check-content></check></Rule></Group><Group id="V-204517"><title>SRG-OS-000064-GPOS-00033</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204517r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-030370</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the chown syscall.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
++If both the "b32" and "b64" audit rules for "SGID" files are not defined, this is a finding.</check-content></check></Rule></Group><Group id="V-204517"><title>SRG-OS-000064-GPOS-00033</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204517r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-030370</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the chown syscall.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+ 
+ Audit records can be generated from various components within the information system (e.g., module or policy filter).
+ 
+ When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
+ 
+-Satisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000474-GPOS-00219&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-72097</ident><ident system="http://cyber.mil/legacy">SV-86721</ident><ident system="http://cyber.mil/cci">CCI-000172</ident><ident system="http://cyber.mil/cci">CCI-000126</ident><fixtext fixref="F-4641r462559_fix">Add or update the following rule in "/etc/audit/rules.d/audit.rules":
++Satisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000474-GPOS-00219&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86721</ident><ident system="http://cyber.mil/legacy">V-72097</ident><ident system="http://cyber.mil/cci">CCI-000172</ident><ident system="http://cyber.mil/cci">CCI-000126</ident><fixtext fixref="F-4641r462559_fix">Add or update the following rule in "/etc/audit/rules.d/audit.rules":
+ 
+ -a always,exit -F arch=b32 -S chown -F auid&gt;=1000 -F auid!=unset -k perm_mod
+ 
+@@ -2411,13 +2411,13 @@ Check the file system rules in "/etc/audit/audit.rules" with the following comma
+ 
+ -a always,exit -F arch=b64 -S chown -F auid&gt;=1000 -F auid!=unset -k perm_mod
+ 
+-If both the "b32" and "b64" audit rules are not defined for the "chown" syscall, this is a finding.</check-content></check></Rule></Group><Group id="V-204518"><title>SRG-OS-000064-GPOS-00033</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204518r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-030380</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the fchown syscall.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
++If both the "b32" and "b64" audit rules are not defined for the "chown" syscall, this is a finding.</check-content></check></Rule></Group><Group id="V-204518"><title>SRG-OS-000064-GPOS-00033</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204518r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-030380</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the fchown syscall.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+ 
+ Audit records can be generated from various components within the information system (e.g., module or policy filter).
+ 
+ When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
+ 
+-Satisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000474-GPOS-00219&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-72099</ident><ident system="http://cyber.mil/legacy">SV-86723</ident><ident system="http://cyber.mil/cci">CCI-000126</ident><ident system="http://cyber.mil/cci">CCI-000172</ident><fixtext fixref="F-4642r462562_fix">Add or update the following rules in "/etc/audit/rules.d/audit.rules":
++Satisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000474-GPOS-00219&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86723</ident><ident system="http://cyber.mil/legacy">V-72099</ident><ident system="http://cyber.mil/cci">CCI-000126</ident><ident system="http://cyber.mil/cci">CCI-000172</ident><fixtext fixref="F-4642r462562_fix">Add or update the following rules in "/etc/audit/rules.d/audit.rules":
+ 
+ -a always,exit -F arch=b32 -S fchown -F auid&gt;=1000 -F auid!=unset -k perm_mod
+ 
+@@ -2433,13 +2433,13 @@ Check the file system rules in "/etc/audit/audit.rules" with the following comma
+ 
+ -a always,exit -F arch=b64 -S fchown -F auid&gt;=1000 -F auid!=unset -k perm_mod
+ 
+-If both the "b32" and "b64" audit rules are not defined for the "fchown" syscall, this is a finding.</check-content></check></Rule></Group><Group id="V-204519"><title>SRG-OS-000064-GPOS-00033</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204519r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-030390</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the lchown syscall.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
++If both the "b32" and "b64" audit rules are not defined for the "fchown" syscall, this is a finding.</check-content></check></Rule></Group><Group id="V-204519"><title>SRG-OS-000064-GPOS-00033</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204519r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-030390</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the lchown syscall.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+ 
+ Audit records can be generated from various components within the information system (e.g., module or policy filter).
+ 
+ When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
+ 
+-Satisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000474-GPOS-00219&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-72101</ident><ident system="http://cyber.mil/legacy">SV-86725</ident><ident system="http://cyber.mil/cci">CCI-000172</ident><ident system="http://cyber.mil/cci">CCI-000126</ident><fixtext fixref="F-4643r462565_fix">Add or update the following rules in "/etc/audit/rules.d/audit.rules":
++Satisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000474-GPOS-00219&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86725</ident><ident system="http://cyber.mil/legacy">V-72101</ident><ident system="http://cyber.mil/cci">CCI-000126</ident><ident system="http://cyber.mil/cci">CCI-000172</ident><fixtext fixref="F-4643r462565_fix">Add or update the following rules in "/etc/audit/rules.d/audit.rules":
+ 
+ -a always,exit -F arch=b32 -S lchown -F auid&gt;=1000 -F auid!=unset -k perm_mod
+ 
+@@ -2455,13 +2455,13 @@ Check the file system rules in "/etc/audit/audit.rules" with the following comma
+ 
+ -a always,exit -F arch=b64 -S lchown -F auid&gt;=1000 -F auid!=unset -k perm_mod
+ 
+-If both the "b32" and "b64" audit rules are not defined for the "lchown" syscall, this is a finding.</check-content></check></Rule></Group><Group id="V-204520"><title>SRG-OS-000064-GPOS-00033</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204520r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-030400</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the fchownat syscall.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
++If both the "b32" and "b64" audit rules are not defined for the "lchown" syscall, this is a finding.</check-content></check></Rule></Group><Group id="V-204520"><title>SRG-OS-000064-GPOS-00033</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204520r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-030400</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the fchownat syscall.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+ 
+ Audit records can be generated from various components within the information system (e.g., module or policy filter).
+ 
+ When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
+ 
+-Satisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000474-GPOS-00219&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-72103</ident><ident system="http://cyber.mil/legacy">SV-86727</ident><ident system="http://cyber.mil/cci">CCI-000126</ident><ident system="http://cyber.mil/cci">CCI-000172</ident><fixtext fixref="F-4644r462568_fix">Add or update the following rules in "/etc/audit/rules.d/audit.rules":
++Satisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000474-GPOS-00219&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86727</ident><ident system="http://cyber.mil/legacy">V-72103</ident><ident system="http://cyber.mil/cci">CCI-000126</ident><ident system="http://cyber.mil/cci">CCI-000172</ident><fixtext fixref="F-4644r462568_fix">Add or update the following rules in "/etc/audit/rules.d/audit.rules":
+ 
+ -a always,exit -F arch=b32 -S fchownat -F auid&gt;=1000 -F auid!=unset -k perm_mod
+ 
+@@ -2477,7 +2477,7 @@ Check the file system rules in "/etc/audit/audit.rules" with the following comma
+ 
+ -a always,exit -F arch=b64 -S fchownat -F auid&gt;=1000 -F auid!=unset -k perm_mod
+ 
+-If both the "b32" and "b64" audit rules are not defined for the "fchownat" syscall, this is a finding.</check-content></check></Rule></Group><Group id="V-204521"><title>SRG-OS-000458-GPOS-00203</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204521r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-030410</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the chmod syscall.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
++If both the "b32" and "b64" audit rules are not defined for the "fchownat" syscall, this is a finding.</check-content></check></Rule></Group><Group id="V-204521"><title>SRG-OS-000458-GPOS-00203</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204521r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-030410</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the chmod syscall.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+ 
+ Audit records can be generated from various components within the information system (e.g., module or policy filter).
+ 
+@@ -2501,7 +2501,7 @@ Check the file system rules in "/etc/audit/audit.rules" with the following comma
+ 
+ -a always,exit -F arch=b64 -S chmod -F auid&gt;=1000 -F auid!=unset -k perm_mod
+ 
+-If both the "b32" and "b64" audit rules are not defined for the "chmod" syscall, this is a finding.</check-content></check></Rule></Group><Group id="V-204522"><title>SRG-OS-000458-GPOS-00203</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204522r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-030420</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the fchmod syscall.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
++If both the "b32" and "b64" audit rules are not defined for the "chmod" syscall, this is a finding.</check-content></check></Rule></Group><Group id="V-204522"><title>SRG-OS-000458-GPOS-00203</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204522r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-030420</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the fchmod syscall.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+ 
+ Audit records can be generated from various components within the information system (e.g., module or policy filter).
+ 
+@@ -2525,7 +2525,7 @@ Check the file system rules in "/etc/audit/audit.rules" with the following comma
+ 
+ -a always,exit -F arch=b64 -S fchmod -F auid&gt;=1000 -F auid!=unset -k perm_mod
+ 
+-If both the "b32" and "b64" audit rules are not defined for the "fchmod" syscall, this is a finding.</check-content></check></Rule></Group><Group id="V-204523"><title>SRG-OS-000458-GPOS-00203</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204523r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-030430</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the fchmodat syscall.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
++If both the "b32" and "b64" audit rules are not defined for the "fchmod" syscall, this is a finding.</check-content></check></Rule></Group><Group id="V-204523"><title>SRG-OS-000458-GPOS-00203</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204523r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-030430</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the fchmodat syscall.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+ 
+ Audit records can be generated from various components within the information system (e.g., module or policy filter).
+ 
+@@ -2549,7 +2549,7 @@ Check the file system rules in "/etc/audit/audit.rules" with the following comma
+ 
+ -a always,exit -F arch=b64 -S fchmodat -F auid&gt;=1000 -F auid!=unset -k perm_mod
+ 
+-If both the "b32" and "b64" audit rules are not defined for the "fchmodat" syscall, this is a finding.</check-content></check></Rule></Group><Group id="V-204524"><title>SRG-OS-000458-GPOS-00203</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204524r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-030440</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the setxattr syscall.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
++If both the "b32" and "b64" audit rules are not defined for the "fchmodat" syscall, this is a finding.</check-content></check></Rule></Group><Group id="V-204524"><title>SRG-OS-000458-GPOS-00203</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204524r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-030440</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the setxattr syscall.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+ 
+ Audit records can be generated from various components within the information system (e.g., module or policy filter).
+ 
+@@ -2573,7 +2573,7 @@ Check the file system rules in "/etc/audit/audit.rules" with the following comma
+ 
+ -a always,exit -F arch=b64 -S setxattr -F auid&gt;=1000 -F auid!=unset -k perm_mod
+ 
+-If both the "b32" and "b64" audit rules are not defined for the "setxattr" syscall, this is a finding.</check-content></check></Rule></Group><Group id="V-204525"><title>SRG-OS-000458-GPOS-00203</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204525r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-030450</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the fsetxattr syscall.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
++If both the "b32" and "b64" audit rules are not defined for the "setxattr" syscall, this is a finding.</check-content></check></Rule></Group><Group id="V-204525"><title>SRG-OS-000458-GPOS-00203</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204525r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-030450</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the fsetxattr syscall.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+ 
+ Audit records can be generated from various components within the information system (e.g., module or policy filter).
+ 
+@@ -2597,13 +2597,13 @@ Check the file system rules in "/etc/audit/audit.rules" with the following comma
+ 
+ -a always,exit -F arch=b64 -S fsetxattr -F auid&gt;=1000 -F auid!=unset -k perm_mod
+ 
+-If both the "b32" and "b64" audit rules are not defined for the "fsetxattr" syscall, this is a finding.</check-content></check></Rule></Group><Group id="V-204526"><title>SRG-OS-000458-GPOS-00203</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204526r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-030460</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the lsetxattr syscall.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
++If both the "b32" and "b64" audit rules are not defined for the "fsetxattr" syscall, this is a finding.</check-content></check></Rule></Group><Group id="V-204526"><title>SRG-OS-000458-GPOS-00203</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204526r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-030460</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the lsetxattr syscall.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+ 
+ Audit records can be generated from various components within the information system (e.g., module or policy filter).
+ 
+ When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
+ 
+-Satisfies: SRG-OS-000458-GPOS-00203, SRG-OS-000392-GPOS-00172, SRG-OS-000064-GPOS-00033&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-72115</ident><ident system="http://cyber.mil/legacy">SV-86739</ident><ident system="http://cyber.mil/cci">CCI-000172</ident><fixtext fixref="F-4650r462583_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "lsetxattr" syscall occur.
++Satisfies: SRG-OS-000458-GPOS-00203, SRG-OS-000392-GPOS-00172, SRG-OS-000064-GPOS-00033&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86739</ident><ident system="http://cyber.mil/legacy">V-72115</ident><ident system="http://cyber.mil/cci">CCI-000172</ident><fixtext fixref="F-4650r462583_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "lsetxattr" syscall occur.
+ 
+ Add or update the following rules in "/etc/audit/rules.d/audit.rules":
+ 
+@@ -2621,13 +2621,13 @@ Check the file system rules in "/etc/audit/audit.rules" with the following comma
+ 
+ -a always,exit -F arch=b64 -S lsetxattr -F auid&gt;=1000 -F auid!=unset -k perm_mod
+ 
+-If both the "b32" and "b64" audit rules are not defined for the "lsetxattr" syscall, this is a finding.</check-content></check></Rule></Group><Group id="V-204527"><title>SRG-OS-000458-GPOS-00203</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204527r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-030470</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the removexattr syscall.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
++If both the "b32" and "b64" audit rules are not defined for the "lsetxattr" syscall, this is a finding.</check-content></check></Rule></Group><Group id="V-204527"><title>SRG-OS-000458-GPOS-00203</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204527r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-030470</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the removexattr syscall.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+ 
+ Audit records can be generated from various components within the information system (e.g., module or policy filter).
+ 
+ When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
+ 
+-Satisfies: SRG-OS-000458-GPOS-00203, SRG-OS-000392-GPOS-00172, SRG-OS-000064-GPOS-00033&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-72117</ident><ident system="http://cyber.mil/legacy">SV-86741</ident><ident system="http://cyber.mil/cci">CCI-000172</ident><fixtext fixref="F-4651r462586_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "removexattr" syscall occur.
++Satisfies: SRG-OS-000458-GPOS-00203, SRG-OS-000392-GPOS-00172, SRG-OS-000064-GPOS-00033&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86741</ident><ident system="http://cyber.mil/legacy">V-72117</ident><ident system="http://cyber.mil/cci">CCI-000172</ident><fixtext fixref="F-4651r462586_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "removexattr" syscall occur.
+ 
+ Add or update the following rules in "/etc/audit/rules.d/audit.rules":
+ 
+@@ -2645,7 +2645,7 @@ Check the file system rules in "/etc/audit/audit.rules" with the following comma
+ 
+ -a always,exit -F arch=b64 -S removexattr -F auid&gt;=1000 -F auid!=unset -k perm_mod
+ 
+-If both the "b32" and "b64" audit rules are not defined for the "removexattr" syscall, this is a finding.</check-content></check></Rule></Group><Group id="V-204528"><title>SRG-OS-000458-GPOS-00203</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204528r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-030480</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the fremovexattr syscall.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
++If both the "b32" and "b64" audit rules are not defined for the "removexattr" syscall, this is a finding.</check-content></check></Rule></Group><Group id="V-204528"><title>SRG-OS-000458-GPOS-00203</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204528r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-030480</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the fremovexattr syscall.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+ 
+ Audit records can be generated from various components within the information system (e.g., module or policy filter).
+ 
+@@ -2669,13 +2669,13 @@ Check the file system rules in "/etc/audit/audit.rules" with the following comma
+ 
+ -a always,exit -F arch=b64 -S fremovexattr -F auid&gt;=1000 -F auid!=unset -k perm_mod
+ 
+-If both the "b32" and "b64" audit rules are not defined for the "fremovexattr" syscall, this is a finding.</check-content></check></Rule></Group><Group id="V-204529"><title>SRG-OS-000458-GPOS-00203</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204529r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-030490</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the lremovexattr syscall.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
++If both the "b32" and "b64" audit rules are not defined for the "fremovexattr" syscall, this is a finding.</check-content></check></Rule></Group><Group id="V-204529"><title>SRG-OS-000458-GPOS-00203</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204529r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-030490</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the lremovexattr syscall.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+ 
+ Audit records can be generated from various components within the information system (e.g., module or policy filter).
+ 
+ When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
+ 
+-Satisfies: SRG-OS-000458-GPOS-00203, SRG-OS-000392-GPOS-00172, SRG-OS-000064-GPOS-00033&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-72121</ident><ident system="http://cyber.mil/legacy">SV-86745</ident><ident system="http://cyber.mil/cci">CCI-000172</ident><fixtext fixref="F-4653r462592_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "lremovexattr" syscall occur.
++Satisfies: SRG-OS-000458-GPOS-00203, SRG-OS-000392-GPOS-00172, SRG-OS-000064-GPOS-00033&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86745</ident><ident system="http://cyber.mil/legacy">V-72121</ident><ident system="http://cyber.mil/cci">CCI-000172</ident><fixtext fixref="F-4653r462592_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "lremovexattr" syscall occur.
+ 
+ Add or update the following rules in "/etc/audit/rules.d/audit.rules":
+ 
+@@ -2693,7 +2693,7 @@ Check the file system rules in "/etc/audit/audit.rules" with the following comma
+ 
+ -a always,exit -F arch=b64 -S lremovexattr -F auid&gt;=1000 -F auid!=unset -k perm_mod
+ 
+-If both the "b32" and "b64" audit rules are not defined for the "lremovexattr" syscall, this is a finding.</check-content></check></Rule></Group><Group id="V-204530"><title>SRG-OS-000064-GPOS-00033</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204530r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-030500</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the creat syscall.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
++If both the "b32" and "b64" audit rules are not defined for the "lremovexattr" syscall, this is a finding.</check-content></check></Rule></Group><Group id="V-204530"><title>SRG-OS-000064-GPOS-00033</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204530r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-030500</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the creat syscall.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+ 
+ Audit records can be generated from various components within the information system (e.g., module or policy filter).
+ 
+@@ -2729,7 +2729,7 @@ If both the "b32" and "b64" audit rules are not defined for the "creat" syscall,
+ 
+ If the output does not produce rules containing "-F exit=-EPERM", this is a finding.
+ 
+-If the output does not produce rules containing "-F exit=-EACCES", this is a finding.</check-content></check></Rule></Group><Group id="V-204531"><title>SRG-OS-000064-GPOS-00033</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204531r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-030510</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the open syscall.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
++If the output does not produce rules containing "-F exit=-EACCES", this is a finding.</check-content></check></Rule></Group><Group id="V-204531"><title>SRG-OS-000064-GPOS-00033</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204531r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-030510</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the open syscall.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+ 
+ Audit records can be generated from various components within the information system (e.g., module or policy filter).
+ 
+@@ -2765,13 +2765,13 @@ If both the "b32" and "b64" audit rules are not defined for the "open" syscall,
+ 
+ If the output does not produce rules containing "-F exit=-EPERM", this is a finding.
+ 
+-If the output does not produce rules containing "-F exit=-EACCES", this is a finding.</check-content></check></Rule></Group><Group id="V-204532"><title>SRG-OS-000064-GPOS-00033</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204532r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-030520</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the openat syscall.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
++If the output does not produce rules containing "-F exit=-EACCES", this is a finding.</check-content></check></Rule></Group><Group id="V-204532"><title>SRG-OS-000064-GPOS-00033</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204532r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-030520</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the openat syscall.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+ 
+ Audit records can be generated from various components within the information system (e.g., module or policy filter).
+ 
+ When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
+ 
+-Satisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000392-GPOS-00172&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-72127</ident><ident system="http://cyber.mil/legacy">SV-86751</ident><ident system="http://cyber.mil/cci">CCI-000172</ident><ident system="http://cyber.mil/cci">CCI-002884</ident><fixtext fixref="F-4656r462601_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "openat" syscall occur.
++Satisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000392-GPOS-00172&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86751</ident><ident system="http://cyber.mil/legacy">V-72127</ident><ident system="http://cyber.mil/cci">CCI-000172</ident><ident system="http://cyber.mil/cci">CCI-002884</ident><fixtext fixref="F-4656r462601_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "openat" syscall occur.
+ 
+ Add or update the following rules in "/etc/audit/rules.d/audit.rules":
+ 
+@@ -2801,13 +2801,13 @@ If both the "b32" and "b64" audit rules are not defined for the "openat" syscall
+ 
+ If the output does not produce rules containing "-F exit=-EPERM", this is a finding.
+ 
+-If the output does not produce rules containing "-F exit=-EACCES", this is a finding.</check-content></check></Rule></Group><Group id="V-204533"><title>SRG-OS-000064-GPOS-00033</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204533r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-030530</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the open_by_handle_at syscall.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
++If the output does not produce rules containing "-F exit=-EACCES", this is a finding.</check-content></check></Rule></Group><Group id="V-204533"><title>SRG-OS-000064-GPOS-00033</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204533r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-030530</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the open_by_handle_at syscall.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+ 
+ Audit records can be generated from various components within the information system (e.g., module or policy filter).
+ 
+ When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
+ 
+-Satisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000392-GPOS-00172&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-72129</ident><ident system="http://cyber.mil/legacy">SV-86753</ident><ident system="http://cyber.mil/cci">CCI-000172</ident><ident system="http://cyber.mil/cci">CCI-002884</ident><fixtext fixref="F-4657r462604_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "open_by_handle_at" syscall occur.
++Satisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000392-GPOS-00172&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86753</ident><ident system="http://cyber.mil/legacy">V-72129</ident><ident system="http://cyber.mil/cci">CCI-000172</ident><ident system="http://cyber.mil/cci">CCI-002884</ident><fixtext fixref="F-4657r462604_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "open_by_handle_at" syscall occur.
+ 
+ Add or update the following rules in "/etc/audit/rules.d/audit.rules":
+ 
+@@ -2837,13 +2837,13 @@ If both the "b32" and "b64" audit rules are not defined for the "open_by_handle_
+ 
+ If the output does not produce rules containing "-F exit=-EPERM", this is a finding.
+ 
+-If the output does not produce rules containing "-F exit=-EACCES", this is a finding.</check-content></check></Rule></Group><Group id="V-204534"><title>SRG-OS-000064-GPOS-00033</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204534r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-030540</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the truncate syscall.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
++If the output does not produce rules containing "-F exit=-EACCES", this is a finding.</check-content></check></Rule></Group><Group id="V-204534"><title>SRG-OS-000064-GPOS-00033</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204534r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-030540</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the truncate syscall.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+ 
+ Audit records can be generated from various components within the information system (e.g., module or policy filter).
+ 
+ When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
+ 
+-Satisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000392-GPOS-00172&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-72131</ident><ident system="http://cyber.mil/legacy">SV-86755</ident><ident system="http://cyber.mil/cci">CCI-000172</ident><ident system="http://cyber.mil/cci">CCI-002884</ident><fixtext fixref="F-4658r462607_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "truncate" syscall occur.
++Satisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000392-GPOS-00172&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86755</ident><ident system="http://cyber.mil/legacy">V-72131</ident><ident system="http://cyber.mil/cci">CCI-000172</ident><ident system="http://cyber.mil/cci">CCI-002884</ident><fixtext fixref="F-4658r462607_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "truncate" syscall occur.
+ 
+ Add or update the following rules in "/etc/audit/rules.d/audit.rules":
+ 
+@@ -2873,13 +2873,13 @@ If both the "b32" and "b64" audit rules are not defined for the "truncate" sysca
+ 
+ If the output does not produce rules containing "-F exit=-EPERM", this is a finding.
+ 
+-If the output does not produce rules containing "-F exit=-EACCES", this is a finding.</check-content></check></Rule></Group><Group id="V-204535"><title>SRG-OS-000064-GPOS-00033</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204535r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-030550</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the ftruncate syscall.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
++If the output does not produce rules containing "-F exit=-EACCES", this is a finding.</check-content></check></Rule></Group><Group id="V-204535"><title>SRG-OS-000064-GPOS-00033</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204535r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-030550</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the ftruncate syscall.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+ 
+ Audit records can be generated from various components within the information system (e.g., module or policy filter).
+ 
+ When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
+ 
+-Satisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000392-GPOS-00172&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-72133</ident><ident system="http://cyber.mil/legacy">SV-86757</ident><ident system="http://cyber.mil/cci">CCI-000172</ident><ident system="http://cyber.mil/cci">CCI-002884</ident><fixtext fixref="F-4659r462610_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "ftruncate" syscall occur.
++Satisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000392-GPOS-00172&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86757</ident><ident system="http://cyber.mil/legacy">V-72133</ident><ident system="http://cyber.mil/cci">CCI-000172</ident><ident system="http://cyber.mil/cci">CCI-002884</ident><fixtext fixref="F-4659r462610_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "ftruncate" syscall occur.
+ 
+ Add or update the following rules in "/etc/audit/rules.d/audit.rules":
+ 
+@@ -2909,7 +2909,7 @@ If both the "b32" and "b64" audit rules are not defined for the "ftruncate" sysc
+ 
+ If the output does not produce rules containing "-F exit=-EPERM", this is a finding.
+ 
+-If the output does not produce rules containing "-F exit=-EACCES", this is a finding.</check-content></check></Rule></Group><Group id="V-204536"><title>SRG-OS-000392-GPOS-00172</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204536r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-030560</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the semanage command.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
++If the output does not produce rules containing "-F exit=-EACCES", this is a finding.</check-content></check></Rule></Group><Group id="V-204536"><title>SRG-OS-000392-GPOS-00172</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204536r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-030560</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the semanage command.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+ 
+ Audit records can be generated from various components within the information system (e.g., module or policy filter).
+ 
+@@ -2929,13 +2929,13 @@ Check the file system rule in "/etc/audit/audit.rules" with the following comman
+ 
+ -a always,exit -F path=/usr/sbin/semanage -F auid&gt;=1000 -F auid!=unset -k privileged-priv_change
+ 
+-If the command does not return any output, this is a finding.</check-content></check></Rule></Group><Group id="V-204537"><title>SRG-OS-000392-GPOS-00172</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204537r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-030570</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the setsebool command.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
++If the command does not return any output, this is a finding.</check-content></check></Rule></Group><Group id="V-204537"><title>SRG-OS-000392-GPOS-00172</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204537r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-030570</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the setsebool command.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+ 
+ Audit records can be generated from various components within the information system (e.g., module or policy filter).
+ 
+ When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
+ 
+-Satisfies: SRG-OS-000392-GPOS-00172, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-72137</ident><ident system="http://cyber.mil/legacy">SV-86761</ident><ident system="http://cyber.mil/cci">CCI-000172</ident><ident system="http://cyber.mil/cci">CCI-002884</ident><fixtext fixref="F-4661r462616_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "setsebool" command occur.
++Satisfies: SRG-OS-000392-GPOS-00172, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86761</ident><ident system="http://cyber.mil/legacy">V-72137</ident><ident system="http://cyber.mil/cci">CCI-000172</ident><ident system="http://cyber.mil/cci">CCI-002884</ident><fixtext fixref="F-4661r462616_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "setsebool" command occur.
+ 
+ Add or update the following rule in "/etc/audit/rules.d/audit.rules":
+ 
+@@ -2949,13 +2949,13 @@ Check the file system rule in "/etc/audit/audit.rules" with the following comman
+ 
+ -a always,exit -F path=/usr/sbin/setsebool -F auid&gt;=1000 -F auid!=unset -k privileged-priv_change
+ 
+-If the command does not return any output, this is a finding.</check-content></check></Rule></Group><Group id="V-204538"><title>SRG-OS-000392-GPOS-00172</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204538r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-030580</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the chcon command.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
++If the command does not return any output, this is a finding.</check-content></check></Rule></Group><Group id="V-204538"><title>SRG-OS-000392-GPOS-00172</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204538r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-030580</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the chcon command.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+ 
+ Audit records can be generated from various components within the information system (e.g., module or policy filter).
+ 
+ When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
+ 
+-Satisfies: SRG-OS-000392-GPOS-00172, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-72139</ident><ident system="http://cyber.mil/legacy">SV-86763</ident><ident system="http://cyber.mil/cci">CCI-000172</ident><ident system="http://cyber.mil/cci">CCI-002884</ident><fixtext fixref="F-4662r462619_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "chcon" command occur.
++Satisfies: SRG-OS-000392-GPOS-00172, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86763</ident><ident system="http://cyber.mil/legacy">V-72139</ident><ident system="http://cyber.mil/cci">CCI-000172</ident><ident system="http://cyber.mil/cci">CCI-002884</ident><fixtext fixref="F-4662r462619_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "chcon" command occur.
+ 
+ Add or update the following rule in "/etc/audit/rules.d/audit.rules":
+ 
+@@ -2969,13 +2969,13 @@ Check the file system rule in "/etc/audit/audit.rules" with the following comman
+ 
+ -a always,exit -F path=/usr/bin/chcon -F auid&gt;=1000 -F auid!=unset -k privileged-priv_change
+ 
+-If the command does not return any output, this is a finding.</check-content></check></Rule></Group><Group id="V-204539"><title>SRG-OS-000392-GPOS-00172</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204539r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-030590</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the setfiles command.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
++If the command does not return any output, this is a finding.</check-content></check></Rule></Group><Group id="V-204539"><title>SRG-OS-000392-GPOS-00172</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204539r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-030590</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the setfiles command.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+ 
+ Audit records can be generated from various components within the information system (e.g., module or policy filter).
+ 
+ When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
+ 
+-Satisfies: SRG-OS-000392-GPOS-00172, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-72141</ident><ident system="http://cyber.mil/legacy">SV-86765</ident><ident system="http://cyber.mil/cci">CCI-000172</ident><ident system="http://cyber.mil/cci">CCI-002884</ident><fixtext fixref="F-4663r462622_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "setfiles" command occur.
++Satisfies: SRG-OS-000392-GPOS-00172, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86765</ident><ident system="http://cyber.mil/legacy">V-72141</ident><ident system="http://cyber.mil/cci">CCI-000172</ident><ident system="http://cyber.mil/cci">CCI-002884</ident><fixtext fixref="F-4663r462622_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "setfiles" command occur.
+ 
+ Add or update the following rule in "/etc/audit/rules.d/audit.rules":
+ 
+@@ -2989,11 +2989,11 @@ Check the file system rule in "/etc/audit/audit.rules" with the following comman
+ 
+ -a always,exit -F path=/usr/sbin/setfiles -F auid&gt;=1000 -F auid!=unset -k privileged-priv_change
+ 
+-If the command does not return any output, this is a finding.</check-content></check></Rule></Group><Group id="V-204540"><title>SRG-OS-000392-GPOS-00172</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204540r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-030610</version><title>The Red Hat Enterprise Linux operating system must generate audit records for all unsuccessful account access events.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
++If the command does not return any output, this is a finding.</check-content></check></Rule></Group><Group id="V-204540"><title>SRG-OS-000392-GPOS-00172</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204540r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-030610</version><title>The Red Hat Enterprise Linux operating system must generate audit records for all unsuccessful account access events.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+ 
+ Audit records can be generated from various components within the information system (e.g., module or policy filter).
+ 
+-Satisfies: SRG-OS-000392-GPOS-00172, SRG-OS-000470-GPOS-00214, SRG-OS-000473-GPOS-00218&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-72145</ident><ident system="http://cyber.mil/legacy">SV-86769</ident><ident system="http://cyber.mil/cci">CCI-000126</ident><ident system="http://cyber.mil/cci">CCI-000172</ident><ident system="http://cyber.mil/cci">CCI-002884</ident><fixtext fixref="F-4664r88813_fix">Configure the operating system to generate audit records when unsuccessful account access events occur. 
++Satisfies: SRG-OS-000392-GPOS-00172, SRG-OS-000470-GPOS-00214, SRG-OS-000473-GPOS-00218&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86769</ident><ident system="http://cyber.mil/legacy">V-72145</ident><ident system="http://cyber.mil/cci">CCI-000172</ident><ident system="http://cyber.mil/cci">CCI-000126</ident><ident system="http://cyber.mil/cci">CCI-002884</ident><fixtext fixref="F-4664r88813_fix">Configure the operating system to generate audit records when unsuccessful account access events occur. 
+ 
+ Add or update the following rule in "/etc/audit/rules.d/audit.rules": 
+ 
+@@ -3007,11 +3007,11 @@ Check the file system rule in "/etc/audit/audit.rules" with the following comman
+ 
+ -w /var/run/faillock -p wa -k logins
+ 
+-If the command does not return any output, this is a finding.</check-content></check></Rule></Group><Group id="V-204541"><title>SRG-OS-000392-GPOS-00172</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204541r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-030620</version><title>The Red Hat Enterprise Linux operating system must generate audit records for all successful account access events.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
++If the command does not return any output, this is a finding.</check-content></check></Rule></Group><Group id="V-204541"><title>SRG-OS-000392-GPOS-00172</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204541r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-030620</version><title>The Red Hat Enterprise Linux operating system must generate audit records for all successful account access events.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+ 
+ Audit records can be generated from various components within the information system (e.g., module or policy filter).
+ 
+-Satisfies: SRG-OS-000392-GPOS-00172, SRG-OS-000470-GPOS-00214, SRG-OS-000473-GPOS-00218&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-72147</ident><ident system="http://cyber.mil/legacy">SV-86771</ident><ident system="http://cyber.mil/cci">CCI-000126</ident><ident system="http://cyber.mil/cci">CCI-000172</ident><ident system="http://cyber.mil/cci">CCI-002884</ident><fixtext fixref="F-4665r88816_fix">Configure the operating system to generate audit records when successful account access events occur. 
++Satisfies: SRG-OS-000392-GPOS-00172, SRG-OS-000470-GPOS-00214, SRG-OS-000473-GPOS-00218&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86771</ident><ident system="http://cyber.mil/legacy">V-72147</ident><ident system="http://cyber.mil/cci">CCI-000126</ident><ident system="http://cyber.mil/cci">CCI-000172</ident><ident system="http://cyber.mil/cci">CCI-002884</ident><fixtext fixref="F-4665r88816_fix">Configure the operating system to generate audit records when successful account access events occur. 
+ 
+ Add or update the following rule in "/etc/audit/rules.d/audit.rules": 
+ 
+@@ -3025,13 +3025,13 @@ Check the file system rules in "/etc/audit/audit.rules" with the following comma
+ 
+ -w /var/log/lastlog -p wa -k logins 
+ 
+-If the command does not return any output, this is a finding.</check-content></check></Rule></Group><Group id="V-204542"><title>SRG-OS-000042-GPOS-00020</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204542r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-030630</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the passwd command.</title><description>&lt;VulnDiscussion&gt;Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.
++If the command does not return any output, this is a finding.</check-content></check></Rule></Group><Group id="V-204542"><title>SRG-OS-000042-GPOS-00020</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204542r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-030630</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the passwd command.</title><description>&lt;VulnDiscussion&gt;Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.
+ 
+ At a minimum, the organization must audit the full-text recording of privileged password commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.
+ 
+ When a user logs on, the auid is set to the uid of the account that is being authenticated.  Daemons are not user sessions and have the loginuid set to -1.  The auid representation is an unsigned 32-bit integer, which equals 4294967295.  The audit system interprets -1, 4294967295, and "unset" in the same way.
+ 
+-Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-72149</ident><ident system="http://cyber.mil/legacy">SV-86773</ident><ident system="http://cyber.mil/cci">CCI-000172</ident><ident system="http://cyber.mil/cci">CCI-000135</ident><ident system="http://cyber.mil/cci">CCI-002884</ident><fixtext fixref="F-4666r462625_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "passwd" command occur.
++Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86773</ident><ident system="http://cyber.mil/legacy">V-72149</ident><ident system="http://cyber.mil/cci">CCI-000172</ident><ident system="http://cyber.mil/cci">CCI-000135</ident><ident system="http://cyber.mil/cci">CCI-002884</ident><fixtext fixref="F-4666r462625_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "passwd" command occur.
+ 
+ Add or update the following rule in "/etc/audit/rules.d/audit.rules":
+ 
+@@ -3045,13 +3045,13 @@ Check the file system rule in "/etc/audit/audit.rules" with the following comman
+ 
+ -a always,exit -F path=/usr/bin/passwd -F auid&gt;=1000 -F auid!=unset -k privileged-passwd
+ 
+-If the command does not return any output, this is a finding.</check-content></check></Rule></Group><Group id="V-204543"><title>SRG-OS-000042-GPOS-00020</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204543r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-030640</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the unix_chkpwd command.</title><description>&lt;VulnDiscussion&gt;Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.
++If the command does not return any output, this is a finding.</check-content></check></Rule></Group><Group id="V-204543"><title>SRG-OS-000042-GPOS-00020</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204543r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-030640</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the unix_chkpwd command.</title><description>&lt;VulnDiscussion&gt;Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.
+ 
+ At a minimum, the organization must audit the full-text recording of privileged password commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.
+ 
+ When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
+ 
+-Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-72151</ident><ident system="http://cyber.mil/legacy">SV-86775</ident><ident system="http://cyber.mil/cci">CCI-000135</ident><ident system="http://cyber.mil/cci">CCI-000172</ident><ident system="http://cyber.mil/cci">CCI-002884</ident><fixtext fixref="F-4667r462628_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "unix_chkpwd" command occur.
++Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86775</ident><ident system="http://cyber.mil/legacy">V-72151</ident><ident system="http://cyber.mil/cci">CCI-000135</ident><ident system="http://cyber.mil/cci">CCI-000172</ident><ident system="http://cyber.mil/cci">CCI-002884</ident><fixtext fixref="F-4667r462628_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "unix_chkpwd" command occur.
+ 
+ Add or update the following rule in "/etc/audit/rules.d/audit.rules":
+ 
+@@ -3065,13 +3065,13 @@ Check the file system rule in "/etc/audit/audit.rules" with the following comman
+ 
+ -a always,exit -F path=/usr/sbin/unix_chkpwd -F auid&gt;=1000 -F auid!=unset -k privileged-passwd
+ 
+-If the command does not return any output, this is a finding.</check-content></check></Rule></Group><Group id="V-204544"><title>SRG-OS-000042-GPOS-00020</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204544r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-030650</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the gpasswd command.</title><description>&lt;VulnDiscussion&gt;Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.
++If the command does not return any output, this is a finding.</check-content></check></Rule></Group><Group id="V-204544"><title>SRG-OS-000042-GPOS-00020</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204544r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-030650</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the gpasswd command.</title><description>&lt;VulnDiscussion&gt;Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.
+ 
+ At a minimum, the organization must audit the full-text recording of privileged password commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.
+ 
+ When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
+ 
+-Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-72153</ident><ident system="http://cyber.mil/legacy">SV-86777</ident><ident system="http://cyber.mil/cci">CCI-000135</ident><ident system="http://cyber.mil/cci">CCI-000172</ident><ident system="http://cyber.mil/cci">CCI-002884</ident><fixtext fixref="F-4668r462631_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "gpasswd" command occur.
++Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86777</ident><ident system="http://cyber.mil/legacy">V-72153</ident><ident system="http://cyber.mil/cci">CCI-000172</ident><ident system="http://cyber.mil/cci">CCI-000135</ident><ident system="http://cyber.mil/cci">CCI-002884</ident><fixtext fixref="F-4668r462631_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "gpasswd" command occur.
+ 
+ Add or update the following rule in "/etc/audit/rules.d/audit.rules":
+ 
+@@ -3085,13 +3085,13 @@ Check the file system rule in "/etc/audit/audit.rules" with the following comman
+ 
+ -a always,exit -F path=/usr/bin/gpasswd -F auid&gt;=1000 -F auid!=unset -k privileged-passwd
+ 
+-If the command does not return any output, this is a finding.</check-content></check></Rule></Group><Group id="V-204545"><title>SRG-OS-000042-GPOS-00020</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204545r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-030660</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the chage command.</title><description>&lt;VulnDiscussion&gt;Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.
++If the command does not return any output, this is a finding.</check-content></check></Rule></Group><Group id="V-204545"><title>SRG-OS-000042-GPOS-00020</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204545r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-030660</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the chage command.</title><description>&lt;VulnDiscussion&gt;Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.
+ 
+ At a minimum, the organization must audit the full-text recording of privileged password commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.
+ 
+ When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
+ 
+-Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86779</ident><ident system="http://cyber.mil/legacy">V-72155</ident><ident system="http://cyber.mil/cci">CCI-000172</ident><ident system="http://cyber.mil/cci">CCI-000135</ident><ident system="http://cyber.mil/cci">CCI-002884</ident><fixtext fixref="F-4669r462634_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "chage" command occur.
++Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86779</ident><ident system="http://cyber.mil/legacy">V-72155</ident><ident system="http://cyber.mil/cci">CCI-000135</ident><ident system="http://cyber.mil/cci">CCI-000172</ident><ident system="http://cyber.mil/cci">CCI-002884</ident><fixtext fixref="F-4669r462634_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "chage" command occur.
+ 
+ Add or update the following rule in "/etc/audit/rules.d/audit.rules":
+ 
+@@ -3105,13 +3105,13 @@ Check the file system rule in "/etc/audit/audit.rules" with the following comman
+ 
+ -a always,exit -F path=/usr/bin/chage -F auid&gt;=1000 -F auid!=unset -k privileged-passwd
+ 
+-If the command does not return any output, this is a finding.</check-content></check></Rule></Group><Group id="V-204546"><title>SRG-OS-000042-GPOS-00020</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204546r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-030670</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the userhelper command.</title><description>&lt;VulnDiscussion&gt;Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.
++If the command does not return any output, this is a finding.</check-content></check></Rule></Group><Group id="V-204546"><title>SRG-OS-000042-GPOS-00020</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204546r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-030670</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the userhelper command.</title><description>&lt;VulnDiscussion&gt;Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.
+ 
+ At a minimum, the organization must audit the full-text recording of privileged password commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.
+ 
+ When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
+ 
+-Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86781</ident><ident system="http://cyber.mil/legacy">V-72157</ident><ident system="http://cyber.mil/cci">CCI-000135</ident><ident system="http://cyber.mil/cci">CCI-000172</ident><ident system="http://cyber.mil/cci">CCI-002884</ident><fixtext fixref="F-4670r462637_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "userhelper" command occur.
++Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86781</ident><ident system="http://cyber.mil/legacy">V-72157</ident><ident system="http://cyber.mil/cci">CCI-000172</ident><ident system="http://cyber.mil/cci">CCI-000135</ident><ident system="http://cyber.mil/cci">CCI-002884</ident><fixtext fixref="F-4670r462637_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "userhelper" command occur.
+ 
+ Add or update the following rule in "/etc/audit/rules.d/audit.rules":
+ 
+@@ -3125,13 +3125,13 @@ Check the file system rule in "/etc/audit/audit.rules" with the following comman
+ 
+ -a always,exit -F path=/usr/sbin/userhelper -F auid&gt;=1000 -F auid!=unset -k privileged-passwd
+ 
+-If the command does not return any output, this is a finding.</check-content></check></Rule></Group><Group id="V-204547"><title>SRG-OS-000037-GPOS-00015</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204547r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-030680</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the su command.</title><description>&lt;VulnDiscussion&gt;Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.
++If the command does not return any output, this is a finding.</check-content></check></Rule></Group><Group id="V-204547"><title>SRG-OS-000037-GPOS-00015</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204547r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-030680</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the su command.</title><description>&lt;VulnDiscussion&gt;Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.
+ 
+ At a minimum, the organization must audit the full-text recording of privileged access commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.
+ 
+ When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
+ 
+-Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-72159</ident><ident system="http://cyber.mil/legacy">SV-86783</ident><ident system="http://cyber.mil/cci">CCI-000172</ident><ident system="http://cyber.mil/cci">CCI-000135</ident><ident system="http://cyber.mil/cci">CCI-000130</ident><ident system="http://cyber.mil/cci">CCI-002884</ident><fixtext fixref="F-4671r462640_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "su" command occur.
++Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86783</ident><ident system="http://cyber.mil/legacy">V-72159</ident><ident system="http://cyber.mil/cci">CCI-000135</ident><ident system="http://cyber.mil/cci">CCI-000172</ident><ident system="http://cyber.mil/cci">CCI-000130</ident><ident system="http://cyber.mil/cci">CCI-002884</ident><fixtext fixref="F-4671r462640_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "su" command occur.
+ 
+ Add or update the following rule in "/etc/audit/rules.d/audit.rules": 
+ 
+@@ -3145,7 +3145,7 @@ Check that the following system call is being audited by performing the followin
+ 
+ -a always,exit -F path=/usr/bin/su -F auid&gt;=1000 -F auid!=unset -k privileged-priv_change
+ 
+-If the command does not return any output, this is a finding.</check-content></check></Rule></Group><Group id="V-204548"><title>SRG-OS-000037-GPOS-00015</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204548r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-030690</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the sudo command.</title><description>&lt;VulnDiscussion&gt;Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.
++If the command does not return any output, this is a finding.</check-content></check></Rule></Group><Group id="V-204548"><title>SRG-OS-000037-GPOS-00015</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204548r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-030690</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the sudo command.</title><description>&lt;VulnDiscussion&gt;Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.
+ 
+ At a minimum, the organization must audit the full-text recording of privileged access commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.
+ 
+@@ -3165,7 +3165,7 @@ Check that the following system call is being audited by performing the followin
+ 
+ -a always,exit -F path=/usr/bin/sudo -F auid&gt;=1000 -F auid!=unset -k privileged-priv_change
+ 
+-If the command does not return any output, this is a finding.</check-content></check></Rule></Group><Group id="V-204549"><title>SRG-OS-000037-GPOS-00015</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204549r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-030700</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the sudoers file and all files in the /etc/sudoers.d/ directory.</title><description>&lt;VulnDiscussion&gt;Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.
++If the command does not return any output, this is a finding.</check-content></check></Rule></Group><Group id="V-204549"><title>SRG-OS-000037-GPOS-00015</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204549r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-030700</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the sudoers file and all files in the /etc/sudoers.d/ directory.</title><description>&lt;VulnDiscussion&gt;Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.
+ 
+ At a minimum, the organization must audit the full-text recording of privileged access commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.
+ 
+@@ -3189,7 +3189,7 @@ Check for modification of the following files being audited by performing the fo
+ 
+ -w /etc/sudoers.d/ -p wa -k privileged-actions
+ 
+-If the commands do not return output that match the examples, this is a finding.</check-content></check></Rule></Group><Group id="V-204550"><title>SRG-OS-000037-GPOS-00015</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204550r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-030710</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the newgrp command.</title><description>&lt;VulnDiscussion&gt;Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.
++If the commands do not return output that match the examples, this is a finding.</check-content></check></Rule></Group><Group id="V-204550"><title>SRG-OS-000037-GPOS-00015</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204550r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-030710</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the newgrp command.</title><description>&lt;VulnDiscussion&gt;Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.
+ 
+ At a minimum, the organization must audit the full-text recording of privileged access commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.
+ 
+@@ -3209,13 +3209,13 @@ Check that the following system call is being audited by performing the followin
+ 
+ -a always,exit -F path=/usr/bin/newgrp -F auid&gt;=1000 -F auid!=unset -k privileged-priv_change
+ 
+-If the command does not return any output, this is a finding.</check-content></check></Rule></Group><Group id="V-204551"><title>SRG-OS-000037-GPOS-00015</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204551r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-030720</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the chsh command.</title><description>&lt;VulnDiscussion&gt;Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.
++If the command does not return any output, this is a finding.</check-content></check></Rule></Group><Group id="V-204551"><title>SRG-OS-000037-GPOS-00015</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204551r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-030720</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the chsh command.</title><description>&lt;VulnDiscussion&gt;Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.
+ 
+ At a minimum, the organization must audit the full-text recording of privileged access commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.
+ 
+ When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
+ 
+-Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86791</ident><ident system="http://cyber.mil/legacy">V-72167</ident><ident system="http://cyber.mil/cci">CCI-000172</ident><ident system="http://cyber.mil/cci">CCI-000130</ident><ident system="http://cyber.mil/cci">CCI-000135</ident><ident system="http://cyber.mil/cci">CCI-002884</ident><fixtext fixref="F-4675r462649_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "chsh" command occur.
++Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86791</ident><ident system="http://cyber.mil/legacy">V-72167</ident><ident system="http://cyber.mil/cci">CCI-000172</ident><ident system="http://cyber.mil/cci">CCI-000135</ident><ident system="http://cyber.mil/cci">CCI-000130</ident><ident system="http://cyber.mil/cci">CCI-002884</ident><fixtext fixref="F-4675r462649_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "chsh" command occur.
+ 
+ Add or update the following rule in "/etc/audit/rules.d/audit.rules": 
+ 
+@@ -3229,7 +3229,7 @@ Check that the following system call is being audited by performing the followin
+ 
+ -a always,exit -F path=/usr/bin/chsh -F auid&gt;=1000 -F auid!=unset -k privileged-priv_change
+ 
+-If the command does not return any output, this is a finding.</check-content></check></Rule></Group><Group id="V-204552"><title>SRG-OS-000042-GPOS-00020</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204552r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-030740</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the mount command and syscall.</title><description>&lt;VulnDiscussion&gt;Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.
++If the command does not return any output, this is a finding.</check-content></check></Rule></Group><Group id="V-204552"><title>SRG-OS-000042-GPOS-00020</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204552r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-030740</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the mount command and syscall.</title><description>&lt;VulnDiscussion&gt;Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.
+ 
+ At a minimum, the organization must audit the full-text recording of privileged mount commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.
+ 
+@@ -3255,13 +3255,13 @@ Check that the following system call is being audited by performing the followin
+ 
+ If both the "b32" and "b64" audit rules are not defined for the "mount" syscall, this is a finding.
+ 
+-If all uses of the "mount" command are not being audited, this is a finding.</check-content></check></Rule></Group><Group id="V-204553"><title>SRG-OS-000042-GPOS-00020</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204553r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-030750</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the umount command.</title><description>&lt;VulnDiscussion&gt;Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.
++If all uses of the "mount" command are not being audited, this is a finding.</check-content></check></Rule></Group><Group id="V-204553"><title>SRG-OS-000042-GPOS-00020</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204553r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-030750</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the umount command.</title><description>&lt;VulnDiscussion&gt;Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.
+ 
+ At a minimum, the organization must audit the full-text recording of privileged mount commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.
+ 
+ When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
+ 
+-Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-72173</ident><ident system="http://cyber.mil/legacy">SV-86797</ident><ident system="http://cyber.mil/cci">CCI-000135</ident><ident system="http://cyber.mil/cci">CCI-002884</ident><fixtext fixref="F-4677r462655_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "umount" command occur.
++Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86797</ident><ident system="http://cyber.mil/legacy">V-72173</ident><ident system="http://cyber.mil/cci">CCI-000135</ident><ident system="http://cyber.mil/cci">CCI-002884</ident><fixtext fixref="F-4677r462655_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "umount" command occur.
+ 
+ Add or update the following rule in "/etc/audit/rules.d/audit.rules": 
+ 
+@@ -3275,13 +3275,13 @@ Check that the following system call is being audited by performing the followin
+ 
+ -a always,exit -F path=/usr/bin/umount -F auid&gt;=1000 -F auid!=unset -k privileged-mount 
+ 
+-If the command does not return any output, this is a finding.</check-content></check></Rule></Group><Group id="V-204554"><title>SRG-OS-000042-GPOS-00020</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204554r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-030760</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the postdrop command.</title><description>&lt;VulnDiscussion&gt;Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.
++If the command does not return any output, this is a finding.</check-content></check></Rule></Group><Group id="V-204554"><title>SRG-OS-000042-GPOS-00020</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204554r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-030760</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the postdrop command.</title><description>&lt;VulnDiscussion&gt;Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.
+ 
+ At a minimum, the organization must audit the full-text recording of privileged postfix commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.
+ 
+ When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
+ 
+-Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-72175</ident><ident system="http://cyber.mil/legacy">SV-86799</ident><ident system="http://cyber.mil/cci">CCI-000135</ident><ident system="http://cyber.mil/cci">CCI-002884</ident><fixtext fixref="F-4678r462658_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "postdrop" command occur.
++Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86799</ident><ident system="http://cyber.mil/legacy">V-72175</ident><ident system="http://cyber.mil/cci">CCI-000135</ident><ident system="http://cyber.mil/cci">CCI-002884</ident><fixtext fixref="F-4678r462658_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "postdrop" command occur.
+ 
+ Add or update the following rule in "/etc/audit/rules.d/audit.rules": 
+ 
+@@ -3295,13 +3295,13 @@ Check that the following system call is being audited by performing the followin
+ 
+ -a always,exit -F path=/usr/sbin/postdrop -F auid&gt;=1000 -F auid!=unset -k privileged-postfix
+ 
+-If the command does not return any output, this is a finding.</check-content></check></Rule></Group><Group id="V-204555"><title>SRG-OS-000042-GPOS-00020</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204555r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-030770</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the postqueue command.</title><description>&lt;VulnDiscussion&gt;Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.
++If the command does not return any output, this is a finding.</check-content></check></Rule></Group><Group id="V-204555"><title>SRG-OS-000042-GPOS-00020</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204555r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-030770</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the postqueue command.</title><description>&lt;VulnDiscussion&gt;Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.
+ 
+ At a minimum, the organization must audit the full-text recording of privileged postfix commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.
+ 
+ When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
+ 
+-Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-72177</ident><ident system="http://cyber.mil/legacy">SV-86801</ident><ident system="http://cyber.mil/cci">CCI-000135</ident><ident system="http://cyber.mil/cci">CCI-002884</ident><fixtext fixref="F-4679r462661_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "postqueue" command occur. 
++Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86801</ident><ident system="http://cyber.mil/legacy">V-72177</ident><ident system="http://cyber.mil/cci">CCI-000135</ident><ident system="http://cyber.mil/cci">CCI-002884</ident><fixtext fixref="F-4679r462661_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "postqueue" command occur. 
+ 
+ Add or update the following rule in "/etc/audit/rules.d/audit.rules": 
+ 
+@@ -3315,13 +3315,13 @@ Check that the following system call is being audited by performing the followin
+ 
+ -a always,exit -F path=/usr/sbin/postqueue -F auid&gt;=1000 -F auid!=unset -k privileged-postfix
+ 
+-If the command does not return any output, this is a finding.</check-content></check></Rule></Group><Group id="V-204556"><title>SRG-OS-000042-GPOS-00020</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204556r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-030780</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the ssh-keysign command.</title><description>&lt;VulnDiscussion&gt;Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.
++If the command does not return any output, this is a finding.</check-content></check></Rule></Group><Group id="V-204556"><title>SRG-OS-000042-GPOS-00020</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204556r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-030780</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the ssh-keysign command.</title><description>&lt;VulnDiscussion&gt;Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.
+ 
+ At a minimum, the organization must audit the full-text recording of privileged ssh commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.
+ 
+ When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
+ 
+-Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-72179</ident><ident system="http://cyber.mil/legacy">SV-86803</ident><ident system="http://cyber.mil/cci">CCI-000135</ident><ident system="http://cyber.mil/cci">CCI-000172</ident><ident system="http://cyber.mil/cci">CCI-002884</ident><fixtext fixref="F-4680r462664_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "ssh-keysign" command occur. 
++Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86803</ident><ident system="http://cyber.mil/legacy">V-72179</ident><ident system="http://cyber.mil/cci">CCI-000135</ident><ident system="http://cyber.mil/cci">CCI-000172</ident><ident system="http://cyber.mil/cci">CCI-002884</ident><fixtext fixref="F-4680r462664_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "ssh-keysign" command occur. 
+ 
+ Add or update the following rule in "/etc/audit/rules.d/audit.rules": 
+ 
+@@ -3335,13 +3335,13 @@ Check that the following system call is being audited by performing the followin
+ 
+ -a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F auid&gt;=1000 -F auid!=unset -k privileged-ssh
+ 
+-If the command does not return any output, this is a finding.</check-content></check></Rule></Group><Group id="V-204557"><title>SRG-OS-000042-GPOS-00020</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204557r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-030800</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the crontab command.</title><description>&lt;VulnDiscussion&gt;Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.
++If the command does not return any output, this is a finding.</check-content></check></Rule></Group><Group id="V-204557"><title>SRG-OS-000042-GPOS-00020</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204557r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-030800</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the crontab command.</title><description>&lt;VulnDiscussion&gt;Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.
+ 
+ At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.
+ 
+ When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
+ 
+-Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-72183</ident><ident system="http://cyber.mil/legacy">SV-86807</ident><ident system="http://cyber.mil/cci">CCI-000172</ident><ident system="http://cyber.mil/cci">CCI-000135</ident><ident system="http://cyber.mil/cci">CCI-002884</ident><fixtext fixref="F-4681r462667_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "crontab" command occur. 
++Satisfies: SRG-OS-000042-GPOS-00020, SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86807</ident><ident system="http://cyber.mil/legacy">V-72183</ident><ident system="http://cyber.mil/cci">CCI-000172</ident><ident system="http://cyber.mil/cci">CCI-000135</ident><ident system="http://cyber.mil/cci">CCI-002884</ident><fixtext fixref="F-4681r462667_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "crontab" command occur. 
+ 
+ Add or update the following rule in "/etc/audit/rules.d/audit.rules": 
+ 
+@@ -3355,9 +3355,9 @@ Check that the following system call is being audited by performing the followin
+ 
+ -a always,exit -F path=/usr/bin/crontab -F auid&gt;=1000 -F auid!=unset -k privileged-cron
+ 
+-If the command does not return any output, this is a finding.</check-content></check></Rule></Group><Group id="V-204558"><title>SRG-OS-000471-GPOS-00215</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204558r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-030810</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the pam_timestamp_check command.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
++If the command does not return any output, this is a finding.</check-content></check></Rule></Group><Group id="V-204558"><title>SRG-OS-000471-GPOS-00215</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204558r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-030810</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the pam_timestamp_check command.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+ 
+-When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-72185</ident><ident system="http://cyber.mil/legacy">SV-86809</ident><ident system="http://cyber.mil/cci">CCI-000172</ident><fixtext fixref="F-4682r462670_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "pam_timestamp_check" command occur. 
++When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86809</ident><ident system="http://cyber.mil/legacy">V-72185</ident><ident system="http://cyber.mil/cci">CCI-000172</ident><fixtext fixref="F-4682r462670_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "pam_timestamp_check" command occur. 
+ 
+ Add or update the following rule in "/etc/audit/rules.d/audit.rules": 
+ 
+@@ -3371,11 +3371,11 @@ Check the auditing rules in "/etc/audit/audit.rules" with the following command:
+ 
+ -a always,exit -F path=/usr/sbin/pam_timestamp_check -F auid&gt;=1000 -F auid!=unset -k privileged-pam 
+ 
+-If the command does not return any output, this is a finding.</check-content></check></Rule></Group><Group id="V-204559"><title>SRG-OS-000471-GPOS-00216</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204559r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-030819</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the create_module syscall.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. 
++If the command does not return any output, this is a finding.</check-content></check></Rule></Group><Group id="V-204559"><title>SRG-OS-000471-GPOS-00216</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204559r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-030819</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the create_module syscall.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. 
+ 
+ Audit records can be generated from various components within the information system (e.g., module or policy filter).
+ 
+-Satisfies: SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-78999</ident><ident system="http://cyber.mil/legacy">SV-93705</ident><ident system="http://cyber.mil/cci">CCI-000172</ident><fixtext fixref="F-4683r88870_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "create_module" syscall occur.
++Satisfies: SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-93705</ident><ident system="http://cyber.mil/legacy">V-78999</ident><ident system="http://cyber.mil/cci">CCI-000172</ident><fixtext fixref="F-4683r88870_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "create_module" syscall occur.
+ 
+ Add or update the following rules in "/etc/audit/rules.d/audit.rules":
+ 
+@@ -3393,11 +3393,11 @@ Check the auditing rules in "/etc/audit/audit.rules" with the following command:
+ 
+ -a always,exit -F arch=b64 -S create_module -k module-change
+ 
+-If both the "b32" and "b64" audit rules are not defined for the "create_module" syscall, this is a finding.</check-content></check></Rule></Group><Group id="V-204560"><title>SRG-OS-000471-GPOS-00216</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204560r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-030820</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the init_module syscall.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. 
++If both the "b32" and "b64" audit rules are not defined for the "create_module" syscall, this is a finding.</check-content></check></Rule></Group><Group id="V-204560"><title>SRG-OS-000471-GPOS-00216</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204560r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-030820</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the init_module syscall.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. 
+ 
+ Audit records can be generated from various components within the information system (e.g., module or policy filter).
+ 
+-Satisfies: SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-72187</ident><ident system="http://cyber.mil/legacy">SV-86811</ident><ident system="http://cyber.mil/cci">CCI-000172</ident><fixtext fixref="F-4684r88873_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "init_module" syscall occur. 
++Satisfies: SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86811</ident><ident system="http://cyber.mil/legacy">V-72187</ident><ident system="http://cyber.mil/cci">CCI-000172</ident><fixtext fixref="F-4684r88873_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "init_module" syscall occur. 
+ 
+ Add or update the following rules in "/etc/audit/rules.d/audit.rules":
+ 
+@@ -3415,11 +3415,11 @@ Check the auditing rules in "/etc/audit/audit.rules" with the following command:
+ 
+ -a always,exit -F arch=b64 -S init_module -k module-change
+ 
+-If both the "b32" and "b64" audit rules are not defined for the "init_module" syscall, this is a finding.</check-content></check></Rule></Group><Group id="V-204561"><title>SRG-OS-000471-GPOS-00216</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204561r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-030821</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the finit_module syscall.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. 
++If both the "b32" and "b64" audit rules are not defined for the "init_module" syscall, this is a finding.</check-content></check></Rule></Group><Group id="V-204561"><title>SRG-OS-000471-GPOS-00216</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204561r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-030821</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the finit_module syscall.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. 
+ 
+ Audit records can be generated from various components within the information system (e.g., module or policy filter).
+ 
+-Satisfies: SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-79001</ident><ident system="http://cyber.mil/legacy">SV-93707</ident><ident system="http://cyber.mil/cci">CCI-000172</ident><fixtext fixref="F-4685r88876_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "finit_module" syscall occur. 
++Satisfies: SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-93707</ident><ident system="http://cyber.mil/legacy">V-79001</ident><ident system="http://cyber.mil/cci">CCI-000172</ident><fixtext fixref="F-4685r88876_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "finit_module" syscall occur. 
+ 
+ Add or update the following rules in "/etc/audit/rules.d/audit.rules": 
+ 
+@@ -3437,11 +3437,11 @@ Check the auditing rules in "/etc/audit/audit.rules" with the following command:
+ 
+ -a always,exit -F arch=b64 -S finit_module -k module-change
+ 
+-If both the "b32" and "b64" audit rules are not defined for the "finit_module" syscall, this is a finding.</check-content></check></Rule></Group><Group id="V-204562"><title>SRG-OS-000471-GPOS-00216</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204562r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-030830</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the delete_module syscall.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. 
++If both the "b32" and "b64" audit rules are not defined for the "finit_module" syscall, this is a finding.</check-content></check></Rule></Group><Group id="V-204562"><title>SRG-OS-000471-GPOS-00216</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204562r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-030830</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the delete_module syscall.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. 
+ 
+ Audit records can be generated from various components within the information system (e.g., module or policy filter).
+ 
+-Satisfies: SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-72189</ident><ident system="http://cyber.mil/legacy">SV-86813</ident><ident system="http://cyber.mil/cci">CCI-000172</ident><fixtext fixref="F-4686r88879_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "delete_module" syscall occur. 
++Satisfies: SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86813</ident><ident system="http://cyber.mil/legacy">V-72189</ident><ident system="http://cyber.mil/cci">CCI-000172</ident><fixtext fixref="F-4686r88879_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "delete_module" syscall occur. 
+ 
+ Add or update the following rules in "/etc/audit/rules.d/audit.rules": 
+ 
+@@ -3459,7 +3459,7 @@ Check the auditing rules in "/etc/audit/audit.rules" with the following command:
+ 
+ -a always,exit -F arch=b64 -S delete_module -k module-change
+ 
+-If both the "b32" and "b64" audit rules are not defined for the "delete_module" syscall, this is a finding.</check-content></check></Rule></Group><Group id="V-204563"><title>SRG-OS-000471-GPOS-00216</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204563r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-030840</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the kmod command.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. 
++If both the "b32" and "b64" audit rules are not defined for the "delete_module" syscall, this is a finding.</check-content></check></Rule></Group><Group id="V-204563"><title>SRG-OS-000471-GPOS-00216</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204563r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-030840</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the kmod command.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. 
+ 
+ Audit records can be generated from various components within the information system (e.g., module or policy filter).
+ 
+@@ -3479,11 +3479,11 @@ Check the auditing rules in "/etc/audit/audit.rules" with the following command:
+ 
+ -w /usr/bin/kmod -p x -F auid!=unset -k module-change
+ 
+-If the command does not return any output, this is a finding.</check-content></check></Rule></Group><Group id="V-204564"><title>SRG-OS-000004-GPOS-00004</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204564r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-030870</version><title>The Red Hat Enterprise Linux operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
++If the command does not return any output, this is a finding.</check-content></check></Rule></Group><Group id="V-204564"><title>SRG-OS-000004-GPOS-00004</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204564r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-030870</version><title>The Red Hat Enterprise Linux operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+ 
+ Audit records can be generated from various components within the information system (e.g., module or policy filter).
+ 
+-Satisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000476-GPOS-00221&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86821</ident><ident system="http://cyber.mil/legacy">V-72197</ident><ident system="http://cyber.mil/cci">CCI-000172</ident><ident system="http://cyber.mil/cci">CCI-000018</ident><ident system="http://cyber.mil/cci">CCI-002130</ident><ident system="http://cyber.mil/cci">CCI-001403</ident><fixtext fixref="F-4688r88885_fix">Configure the operating system to generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/passwd".
++Satisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000476-GPOS-00221&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86821</ident><ident system="http://cyber.mil/legacy">V-72197</ident><ident system="http://cyber.mil/cci">CCI-000018</ident><ident system="http://cyber.mil/cci">CCI-000172</ident><ident system="http://cyber.mil/cci">CCI-001403</ident><ident system="http://cyber.mil/cci">CCI-002130</ident><fixtext fixref="F-4688r88885_fix">Configure the operating system to generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/passwd".
+ 
+ Add or update the following rule "/etc/audit/rules.d/audit.rules":
+ 
+@@ -3497,9 +3497,9 @@ Check the auditing rules in "/etc/audit/audit.rules" with the following command:
+ 
+ -w /etc/passwd -p wa -k identity
+ 
+-If the command does not return a line, or the line is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-204565"><title>SRG-OS-000004-GPOS-00004</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204565r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-030871</version><title>The Red Hat Enterprise Linux operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/group.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
++If the command does not return a line, or the line is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-204565"><title>SRG-OS-000004-GPOS-00004</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204565r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-030871</version><title>The Red Hat Enterprise Linux operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/group.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+ 
+-Audit records can be generated from various components within the information system (e.g., module or policy filter).&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-87817</ident><ident system="http://cyber.mil/legacy">V-73165</ident><ident system="http://cyber.mil/cci">CCI-000018</ident><ident system="http://cyber.mil/cci">CCI-000172</ident><ident system="http://cyber.mil/cci">CCI-001403</ident><ident system="http://cyber.mil/cci">CCI-002130</ident><fixtext fixref="F-4689r88888_fix">Configure the operating system to generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/group".
++Audit records can be generated from various components within the information system (e.g., module or policy filter).&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-87817</ident><ident system="http://cyber.mil/legacy">V-73165</ident><ident system="http://cyber.mil/cci">CCI-001403</ident><ident system="http://cyber.mil/cci">CCI-000018</ident><ident system="http://cyber.mil/cci">CCI-000172</ident><ident system="http://cyber.mil/cci">CCI-002130</ident><fixtext fixref="F-4689r88888_fix">Configure the operating system to generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/group".
+ 
+ Add or update the following rule in "/etc/audit/rules.d/audit.rules":
+ 
+@@ -3513,9 +3513,9 @@ Check the auditing rules in "/etc/audit/audit.rules" with the following command:
+ 
+ -w /etc/group -p wa -k identity
+ 
+-If the command does not return a line, or the line is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-204566"><title>SRG-OS-000004-GPOS-00004</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204566r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-030872</version><title>The Red Hat Enterprise Linux operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/gshadow.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
++If the command does not return a line, or the line is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-204566"><title>SRG-OS-000004-GPOS-00004</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204566r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-030872</version><title>The Red Hat Enterprise Linux operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/gshadow.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+ 
+-Audit records can be generated from various components within the information system (e.g., module or policy filter).&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-87819</ident><ident system="http://cyber.mil/legacy">V-73167</ident><ident system="http://cyber.mil/cci">CCI-000172</ident><ident system="http://cyber.mil/cci">CCI-000018</ident><ident system="http://cyber.mil/cci">CCI-002130</ident><ident system="http://cyber.mil/cci">CCI-001403</ident><fixtext fixref="F-4690r88891_fix">Configure the operating system to generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/gshadow".
++Audit records can be generated from various components within the information system (e.g., module or policy filter).&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-87819</ident><ident system="http://cyber.mil/legacy">V-73167</ident><ident system="http://cyber.mil/cci">CCI-000018</ident><ident system="http://cyber.mil/cci">CCI-000172</ident><ident system="http://cyber.mil/cci">CCI-001403</ident><ident system="http://cyber.mil/cci">CCI-002130</ident><fixtext fixref="F-4690r88891_fix">Configure the operating system to generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/gshadow".
+ 
+ Add or update the following rule in "/etc/audit/rules.d/audit.rules":
+ 
+@@ -3529,9 +3529,9 @@ Check the auditing rules in "/etc/audit/audit.rules" with the following command:
+ 
+ -w /etc/gshadow -p wa -k identity
+ 
+-If the command does not return a line, or the line is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-204567"><title>SRG-OS-000004-GPOS-00004</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204567r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-030873</version><title>The Red Hat Enterprise Linux operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
++If the command does not return a line, or the line is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-204567"><title>SRG-OS-000004-GPOS-00004</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204567r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-030873</version><title>The Red Hat Enterprise Linux operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+ 
+-Audit records can be generated from various components within the information system (e.g., module or policy filter).&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-87823</ident><ident system="http://cyber.mil/legacy">V-73171</ident><ident system="http://cyber.mil/cci">CCI-000018</ident><ident system="http://cyber.mil/cci">CCI-000172</ident><ident system="http://cyber.mil/cci">CCI-001403</ident><ident system="http://cyber.mil/cci">CCI-002130</ident><fixtext fixref="F-4691r88894_fix">Configure the operating system to generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow.
++Audit records can be generated from various components within the information system (e.g., module or policy filter).&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-87823</ident><ident system="http://cyber.mil/legacy">V-73171</ident><ident system="http://cyber.mil/cci">CCI-001403</ident><ident system="http://cyber.mil/cci">CCI-000172</ident><ident system="http://cyber.mil/cci">CCI-000018</ident><ident system="http://cyber.mil/cci">CCI-002130</ident><fixtext fixref="F-4691r88894_fix">Configure the operating system to generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow.
+ 
+ Add or update the following file system rule in "/etc/audit/rules.d/audit.rules":
+ 
+@@ -3545,9 +3545,9 @@ Check the auditing rules in "/etc/audit/audit.rules" with the following command:
+ 
+ -w /etc/shadow -p wa -k identity
+ 
+-If the command does not return a line, or the line is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-204568"><title>SRG-OS-000004-GPOS-00004</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204568r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-030874</version><title>The Red Hat Enterprise Linux operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/opasswd.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
++If the command does not return a line, or the line is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-204568"><title>SRG-OS-000004-GPOS-00004</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204568r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-030874</version><title>The Red Hat Enterprise Linux operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/opasswd.</title><description>&lt;VulnDiscussion&gt;Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+ 
+-Audit records can be generated from various components within the information system (e.g., module or policy filter).&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-87825</ident><ident system="http://cyber.mil/legacy">V-73173</ident><ident system="http://cyber.mil/cci">CCI-000018</ident><ident system="http://cyber.mil/cci">CCI-000172</ident><ident system="http://cyber.mil/cci">CCI-002130</ident><ident system="http://cyber.mil/cci">CCI-001403</ident><fixtext fixref="F-4692r88897_fix">Configure the operating system to generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/opasswd.
++Audit records can be generated from various components within the information system (e.g., module or policy filter).&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-87825</ident><ident system="http://cyber.mil/legacy">V-73173</ident><ident system="http://cyber.mil/cci">CCI-000018</ident><ident system="http://cyber.mil/cci">CCI-000172</ident><ident system="http://cyber.mil/cci">CCI-001403</ident><ident system="http://cyber.mil/cci">CCI-002130</ident><fixtext fixref="F-4692r88897_fix">Configure the operating system to generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/opasswd.
+ 
+ Add or update the following file system rule in "/etc/audit/rules.d/audit.rules":
+ 
+@@ -3562,7 +3562,7 @@ Check the auditing rules in "/etc/audit/audit.rules" with the following command:
+ 
+ -w /etc/security/opasswd -p wa -k identity
+ 
+-If the command does not return a line, or the line is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-204569"><title>SRG-OS-000466-GPOS-00210</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204569r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-030880</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the rename syscall.</title><description>&lt;VulnDiscussion&gt;If the system is not configured to audit certain activities and write them to an audit log, it is more difficult to detect and track system compromises and damages incurred during a system compromise.
++If the command does not return a line, or the line is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-204569"><title>SRG-OS-000466-GPOS-00210</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204569r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-030880</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the rename syscall.</title><description>&lt;VulnDiscussion&gt;If the system is not configured to audit certain activities and write them to an audit log, it is more difficult to detect and track system compromises and damages incurred during a system compromise.
+ 
+ When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
+ 
+@@ -3584,7 +3584,7 @@ Check the file system rules in "/etc/audit/audit.rules" with the following comma
+ 
+ -a always,exit -F arch=b64 -S rename -F auid&gt;=1000 -F auid!=unset -k delete
+ 
+-If both the "b32" and "b64" audit rules are not defined for the "rename" syscall, this is a finding.</check-content></check></Rule></Group><Group id="V-204570"><title>SRG-OS-000466-GPOS-00210</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204570r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-030890</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the renameat syscall.</title><description>&lt;VulnDiscussion&gt;If the system is not configured to audit certain activities and write them to an audit log, it is more difficult to detect and track system compromises and damages incurred during a system compromise.
++If both the "b32" and "b64" audit rules are not defined for the "rename" syscall, this is a finding.</check-content></check></Rule></Group><Group id="V-204570"><title>SRG-OS-000466-GPOS-00210</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204570r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-030890</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the renameat syscall.</title><description>&lt;VulnDiscussion&gt;If the system is not configured to audit certain activities and write them to an audit log, it is more difficult to detect and track system compromises and damages incurred during a system compromise.
+ 
+ When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
+ 
+@@ -3606,11 +3606,11 @@ Check the file system rules in "/etc/audit/audit.rules" with the following comma
+ 
+ -a always,exit -F arch=b64 -S renameat -F auid&gt;=1000 -F auid!=unset -k delete
+ 
+-If both the "b32" and "b64" audit rules are not defined for the "renameat" syscall, this is a finding.</check-content></check></Rule></Group><Group id="V-204571"><title>SRG-OS-000466-GPOS-00210</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204571r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-030900</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the rmdir syscall.</title><description>&lt;VulnDiscussion&gt;If the system is not configured to audit certain activities and write them to an audit log, it is more difficult to detect and track system compromises and damages incurred during a system compromise.
++If both the "b32" and "b64" audit rules are not defined for the "renameat" syscall, this is a finding.</check-content></check></Rule></Group><Group id="V-204571"><title>SRG-OS-000466-GPOS-00210</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204571r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-030900</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the rmdir syscall.</title><description>&lt;VulnDiscussion&gt;If the system is not configured to audit certain activities and write them to an audit log, it is more difficult to detect and track system compromises and damages incurred during a system compromise.
+ 
+ When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
+ 
+-Satisfies: SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00211, SRG-OS-000468-GPOS-00212, SRG-OS-000392-GPOS-00172&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-72203</ident><ident system="http://cyber.mil/legacy">SV-86827</ident><ident system="http://cyber.mil/cci">CCI-000172</ident><ident system="http://cyber.mil/cci">CCI-002884</ident><fixtext fixref="F-4695r462682_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "rmdir" syscall occur.
++Satisfies: SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00211, SRG-OS-000468-GPOS-00212, SRG-OS-000392-GPOS-00172&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86827</ident><ident system="http://cyber.mil/legacy">V-72203</ident><ident system="http://cyber.mil/cci">CCI-000172</ident><ident system="http://cyber.mil/cci">CCI-002884</ident><fixtext fixref="F-4695r462682_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "rmdir" syscall occur.
+ 
+ Add the following rules in "/etc/audit/rules.d/audit.rules":
+ 
+@@ -3628,11 +3628,11 @@ Check the file system rules in "/etc/audit/audit.rules" with the following comma
+ 
+ -a always,exit -F arch=b64 -S rmdir -F auid&gt;=1000 -F auid!=unset -k delete
+ 
+-If both the "b32" and "b64" audit rules are not defined for the "rmdir" syscall, this is a finding.</check-content></check></Rule></Group><Group id="V-204572"><title>SRG-OS-000466-GPOS-00210</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204572r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-030910</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the unlink syscall.</title><description>&lt;VulnDiscussion&gt;If the system is not configured to audit certain activities and write them to an audit log, it is more difficult to detect and track system compromises and damages incurred during a system compromise.
++If both the "b32" and "b64" audit rules are not defined for the "rmdir" syscall, this is a finding.</check-content></check></Rule></Group><Group id="V-204572"><title>SRG-OS-000466-GPOS-00210</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204572r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-030910</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the unlink syscall.</title><description>&lt;VulnDiscussion&gt;If the system is not configured to audit certain activities and write them to an audit log, it is more difficult to detect and track system compromises and damages incurred during a system compromise.
+ 
+ When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
+ 
+-Satisfies: SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00211, SRG-OS-000468-GPOS-00212, SRG-OS-000392-GPOS-00172&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-72205</ident><ident system="http://cyber.mil/legacy">SV-86829</ident><ident system="http://cyber.mil/cci">CCI-000172</ident><ident system="http://cyber.mil/cci">CCI-002884</ident><fixtext fixref="F-4696r462685_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "unlink" syscall occur.
++Satisfies: SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00211, SRG-OS-000468-GPOS-00212, SRG-OS-000392-GPOS-00172&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86829</ident><ident system="http://cyber.mil/legacy">V-72205</ident><ident system="http://cyber.mil/cci">CCI-000172</ident><ident system="http://cyber.mil/cci">CCI-002884</ident><fixtext fixref="F-4696r462685_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "unlink" syscall occur.
+ 
+ Add the following rules in "/etc/audit/rules.d/audit.rules":
+ 
+@@ -3650,11 +3650,11 @@ Check the file system rules in "/etc/audit/audit.rules" with the following comma
+ 
+ -a always,exit -F arch=b64 -S unlink -F auid&gt;=1000 -F auid!=unset -k delete
+ 
+-If both the "b32" and "b64" audit rules are not defined for the "unlink" syscall, this is a finding.</check-content></check></Rule></Group><Group id="V-204573"><title>SRG-OS-000466-GPOS-00210</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204573r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-030920</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the unlinkat syscall.</title><description>&lt;VulnDiscussion&gt;If the system is not configured to audit certain activities and write them to an audit log, it is more difficult to detect and track system compromises and damages incurred during a system compromise.
++If both the "b32" and "b64" audit rules are not defined for the "unlink" syscall, this is a finding.</check-content></check></Rule></Group><Group id="V-204573"><title>SRG-OS-000466-GPOS-00210</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204573r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-030920</version><title>The Red Hat Enterprise Linux operating system must audit all uses of the unlinkat syscall.</title><description>&lt;VulnDiscussion&gt;If the system is not configured to audit certain activities and write them to an audit log, it is more difficult to detect and track system compromises and damages incurred during a system compromise.
+ 
+ When a user logs on, the auid is set to the uid of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and "unset" in the same way.
+ 
+-Satisfies: SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00211, SRG-OS-000468-GPOS-00212, SRG-OS-000392-GPOS-00172&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-72207</ident><ident system="http://cyber.mil/legacy">SV-86831</ident><ident system="http://cyber.mil/cci">CCI-000172</ident><ident system="http://cyber.mil/cci">CCI-002884</ident><fixtext fixref="F-4697r462688_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "unlinkat" syscall occur.
++Satisfies: SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00211, SRG-OS-000468-GPOS-00212, SRG-OS-000392-GPOS-00172&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86831</ident><ident system="http://cyber.mil/legacy">V-72207</ident><ident system="http://cyber.mil/cci">CCI-000172</ident><ident system="http://cyber.mil/cci">CCI-002884</ident><fixtext fixref="F-4697r462688_fix">Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "unlinkat" syscall occur.
+ 
+ Add the following rules in "/etc/audit/rules.d/audit.rules":
+ 
+@@ -3672,7 +3672,7 @@ Check the file system rules in "/etc/audit/audit.rules" with the following comma
+ 
+ -a always,exit -F arch=b64 -S unlinkat -F auid&gt;=1000 -F auid!=unset -k delete
+ 
+-If both the "b32" and "b64" audit rules are not defined for the "unlinkat" syscall, this is a finding.</check-content></check></Rule></Group><Group id="V-204574"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204574r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-031000</version><title>The Red Hat Enterprise Linux operating system must send rsyslog output to a log aggregation server.</title><description>&lt;VulnDiscussion&gt;Sending rsyslog output to another system ensures that the logs cannot be removed or modified in the event that the system is compromised or has a hardware failure.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86833</ident><ident system="http://cyber.mil/legacy">V-72209</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4698r88915_fix">Modify the "/etc/rsyslog.conf" or an "/etc/rsyslog.d/*.conf" file to contain a configuration line to send all "rsyslog" output to a log aggregation system:
++If both the "b32" and "b64" audit rules are not defined for the "unlinkat" syscall, this is a finding.</check-content></check></Rule></Group><Group id="V-204574"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204574r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-031000</version><title>The Red Hat Enterprise Linux operating system must send rsyslog output to a log aggregation server.</title><description>&lt;VulnDiscussion&gt;Sending rsyslog output to another system ensures that the logs cannot be removed or modified in the event that the system is compromised or has a hardware failure.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86833</ident><ident system="http://cyber.mil/legacy">V-72209</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4698r88915_fix">Modify the "/etc/rsyslog.conf" or an "/etc/rsyslog.d/*.conf" file to contain a configuration line to send all "rsyslog" output to a log aggregation system:
+ *.* @@&lt;log aggregation system name&gt;</fixtext><fix id="F-4698r88915_fix" /><check system="C-4698r88914_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify "rsyslog" is configured to send all messages to a log aggregation server.
+ 
+ Check the configuration of "rsyslog" with the following command:
+@@ -3684,9 +3684,9 @@ Note: If another logging package is used, substitute the utility configuration f
+ 
+ If there are no lines in the "/etc/rsyslog.conf" or "/etc/rsyslog.d/*.conf" files that contain the "@" or "@@" symbol(s), and the lines with the correct symbol(s) to send output to another system do not cover all "rsyslog" output, ask the System Administrator to indicate how the audit logs are off-loaded to a different system or media. 
+ 
+-If the lines are commented out or there is no evidence that the audit logs are being sent to another system, this is a finding.</check-content></check></Rule></Group><Group id="V-204575"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204575r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-031010</version><title>The Red Hat Enterprise Linux operating system must be configured so that the rsyslog daemon does not accept log messages from other servers unless the server is being used for log aggregation.</title><description>&lt;VulnDiscussion&gt;Unintentionally running a rsyslog server accepting remote messages puts the system at increased risk. Malicious rsyslog messages sent to the server could exploit vulnerabilities in the server software itself, could introduce misleading information in to the system's logs, or could fill the system's storage leading to a Denial of Service.
++If the lines are commented out or there is no evidence that the audit logs are being sent to another system, this is a finding.</check-content></check></Rule></Group><Group id="V-204575"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204575r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-031010</version><title>The Red Hat Enterprise Linux operating system must be configured so that the rsyslog daemon does not accept log messages from other servers unless the server is being used for log aggregation.</title><description>&lt;VulnDiscussion&gt;Unintentionally running a rsyslog server accepting remote messages puts the system at increased risk. Malicious rsyslog messages sent to the server could exploit vulnerabilities in the server software itself, could introduce misleading information in to the system's logs, or could fill the system's storage leading to a Denial of Service.
+ 
+-If the system is intended to be a log aggregation server its use must be documented with the ISSO.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86835</ident><ident system="http://cyber.mil/legacy">V-72211</ident><ident system="http://cyber.mil/cci">CCI-000318</ident><ident system="http://cyber.mil/cci">CCI-001812</ident><ident system="http://cyber.mil/cci">CCI-001813</ident><ident system="http://cyber.mil/cci">CCI-001814</ident><ident system="http://cyber.mil/cci">CCI-000368</ident><fixtext fixref="F-4699r88918_fix">Modify the "/etc/rsyslog.conf" file to remove the "ModLoad imtcp", "ModLoad imudp", and "ModLoad imrelp" configuration lines, or document the system as being used for log aggregation.</fixtext><fix id="F-4699r88918_fix" /><check system="C-4699r88917_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify that the system is not accepting "rsyslog" messages from other systems unless it is documented as a log aggregation server.
++If the system is intended to be a log aggregation server its use must be documented with the ISSO.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86835</ident><ident system="http://cyber.mil/legacy">V-72211</ident><ident system="http://cyber.mil/cci">CCI-000318</ident><ident system="http://cyber.mil/cci">CCI-001812</ident><ident system="http://cyber.mil/cci">CCI-001814</ident><ident system="http://cyber.mil/cci">CCI-001813</ident><ident system="http://cyber.mil/cci">CCI-000368</ident><fixtext fixref="F-4699r88918_fix">Modify the "/etc/rsyslog.conf" file to remove the "ModLoad imtcp", "ModLoad imudp", and "ModLoad imrelp" configuration lines, or document the system as being used for log aggregation.</fixtext><fix id="F-4699r88918_fix" /><check system="C-4699r88917_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify that the system is not accepting "rsyslog" messages from other systems unless it is documented as a log aggregation server.
+ 
+ Check the configuration of "rsyslog" with the following command:
+ 
+@@ -3699,7 +3699,7 @@ $ModLoad imrelp
+ 
+ If any of the above modules are being loaded in the "/etc/rsyslog.conf" file, ask to see the documentation for the system being used for log aggregation.
+ 
+-If the documentation does not exist, or does not specify the server as a log aggregation system, this is a finding.</check-content></check></Rule></Group><Group id="V-204576"><title>SRG-OS-000027-GPOS-00008</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204576r505924_rule" weight="10.0" severity="low"><version>RHEL-07-040000</version><title>The Red Hat Enterprise Linux operating system must limit the number of concurrent sessions to 10 for all accounts and/or account types.</title><description>&lt;VulnDiscussion&gt;Operating system management includes the ability to control the number of users and user sessions that utilize an operating system. Limiting the number of allowed users and sessions per user is helpful in reducing the risks related to DoS attacks.
++If the documentation does not exist, or does not specify the server as a log aggregation system, this is a finding.</check-content></check></Rule></Group><Group id="V-204576"><title>SRG-OS-000027-GPOS-00008</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204576r603261_rule" weight="10.0" severity="low"><version>RHEL-07-040000</version><title>The Red Hat Enterprise Linux operating system must limit the number of concurrent sessions to 10 for all accounts and/or account types.</title><description>&lt;VulnDiscussion&gt;Operating system management includes the ability to control the number of users and user sessions that utilize an operating system. Limiting the number of allowed users and sessions per user is helpful in reducing the risks related to DoS attacks.
+ 
+ This requirement addresses concurrent sessions for information system accounts and does not address concurrent sessions by single users via multiple system accounts. The maximum number of concurrent sessions should be defined based on mission needs and the operational environment for each system.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-72217</ident><ident system="http://cyber.mil/legacy">SV-86841</ident><ident system="http://cyber.mil/cci">CCI-000054</ident><fixtext fixref="F-4700r88921_fix">Configure the operating system to limit the number of concurrent sessions to "10" for all accounts and/or account types.
+ 
+@@ -3713,13 +3713,13 @@ Add the following line to the top of the /etc/security/limits.conf or in a ".con
+ 
+ This can be set as a global domain (with the * wildcard) but may be set differently for multiple domains.
+ 
+-If the "maxlogins" item is missing, commented out, or the value is not set to "10" or less for all domains that have the "maxlogins" item assigned, this is a finding.</check-content></check></Rule></Group><Group id="V-204577"><title>SRG-OS-000096-GPOS-00050</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204577r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-040100</version><title>The Red Hat Enterprise Linux operating system must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management Component Local Service Assessment (PPSM CLSA) and vulnerability assessments.</title><description>&lt;VulnDiscussion&gt;In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable or restrict unused or unnecessary physical and logical ports/protocols on information systems.
++If the "maxlogins" item is missing, commented out, or the value is not set to "10" or less for all domains that have the "maxlogins" item assigned, this is a finding.</check-content></check></Rule></Group><Group id="V-204577"><title>SRG-OS-000096-GPOS-00050</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204577r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-040100</version><title>The Red Hat Enterprise Linux operating system must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management Component Local Service Assessment (PPSM CLSA) and vulnerability assessments.</title><description>&lt;VulnDiscussion&gt;In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable or restrict unused or unnecessary physical and logical ports/protocols on information systems.
+ 
+ Operating systems are capable of providing a wide variety of functions and services. Some of the functions and services provided by default may not be necessary to support essential organizational operations. Additionally, it is sometimes convenient to provide multiple services from a single component (e.g., VPN and IPS); however, doing so increases risk over limiting the services provided by any one component.
+ 
+ To support the requirements and principles of least functionality, the operating system must support the organizational requirements, providing only essential capabilities and limiting the use of ports, protocols, and/or services to only those required, authorized, and approved to conduct official business or to address authorized quality of life issues.
+ 
+-Satisfies: SRG-OS-000096-GPOS-00050, SRG-OS-000297-GPOS-00115&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-72219</ident><ident system="http://cyber.mil/legacy">SV-86843</ident><ident system="http://cyber.mil/cci">CCI-000382</ident><ident system="http://cyber.mil/cci">CCI-002314</ident><fixtext fixref="F-4701r88924_fix">Update the host's firewall settings and/or running services to comply with the PPSM CLSA for the site or program and the PPSM CAL.</fixtext><fix id="F-4701r88924_fix" /><check system="C-4701r88923_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Inspect the firewall configuration and running services to verify that it is configured to prohibit or restrict the use of functions, ports, protocols, and/or services that are unnecessary or prohibited.
++Satisfies: SRG-OS-000096-GPOS-00050, SRG-OS-000297-GPOS-00115&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86843</ident><ident system="http://cyber.mil/legacy">V-72219</ident><ident system="http://cyber.mil/cci">CCI-000382</ident><ident system="http://cyber.mil/cci">CCI-002314</ident><fixtext fixref="F-4701r88924_fix">Update the host's firewall settings and/or running services to comply with the PPSM CLSA for the site or program and the PPSM CAL.</fixtext><fix id="F-4701r88924_fix" /><check system="C-4701r88923_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Inspect the firewall configuration and running services to verify that it is configured to prohibit or restrict the use of functions, ports, protocols, and/or services that are unnecessary or prohibited.
+ 
+ Check which services are currently active with the following command:
+ 
+@@ -3736,34 +3736,34 @@ public (default, active)
+ 
+ Ask the System Administrator for the site or program PPSM CLSA. Verify the services allowed by the firewall match the PPSM CLSA. 
+ 
+-If there are additional ports, protocols, or services that are not in the PPSM CLSA, or there are ports, protocols, or services that are prohibited by the PPSM Category Assurance List (CAL), this is a finding.</check-content></check></Rule></Group><Group id="V-204578"><title>SRG-OS-000033-GPOS-00014</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204578r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-040110</version><title>The Red Hat Enterprise Linux operating system must use a FIPS 140-2 approved cryptographic algorithm for SSH communications.</title><description>&lt;VulnDiscussion&gt;Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised.
++If there are additional ports, protocols, or services that are not in the PPSM CLSA, or there are ports, protocols, or services that are prohibited by the PPSM Category Assurance List (CAL), this is a finding.</check-content></check></Rule></Group><Group id="V-204578"><title>SRG-OS-000033-GPOS-00014</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204578r603843_rule" weight="10.0" severity="medium"><version>RHEL-07-040110</version><title>The Red Hat Enterprise Linux 7 operating system must implement DoD-approved encryption to protect the confidentiality of SSH connections.</title><description>&lt;VulnDiscussion&gt;Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised.
+ 
+ Operating systems utilizing encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules.
+ 
+ FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets DoD requirements. This allows for Security Levels 1, 2, 3, or 4 for use on a general purpose computing system.
+ 
+-Satisfies: SRG-OS-000033-GPOS-00014, SRG-OS-000120-GPOS-00061, SRG-OS-000125-GPOS-00065, SRG-OS-000250-GPOS-00093, SRG-OS-000393-GPOS-00173&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86845</ident><ident system="http://cyber.mil/legacy">V-72221</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><ident system="http://cyber.mil/cci">CCI-000803</ident><ident system="http://cyber.mil/cci">CCI-000068</ident><fixtext fixref="F-4702r88927_fix">Configure SSH to use FIPS 140-2 approved cryptographic algorithms.
++By specifying a cipher list with the order of ciphers being in a “strongest to weakest” orientation, the system will automatically attempt to use the strongest cipher for securing SSH connections.
+ 
+-Add the following line (or modify the line to have the required value) to the "/etc/ssh/sshd_config" file (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor).
++Satisfies: SRG-OS-000033-GPOS-00014, SRG-OS-000120-GPOS-00061, SRG-OS-000125-GPOS-00065, SRG-OS-000250-GPOS-00093, SRG-OS-000393-GPOS-00173&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-72221</ident><ident system="http://cyber.mil/legacy">SV-86845</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><ident system="http://cyber.mil/cci">CCI-000803</ident><ident system="http://cyber.mil/cci">CCI-000068</ident><fixtext fixref="F-4702r603842_fix">Configure SSH to use FIPS 140-2 approved cryptographic algorithms.
+ 
+-Ciphers aes128-ctr,aes192-ctr,aes256-ctr
++Add the following line (or modify the line to have the required value) to the "/etc/ssh/sshd_config" file (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor).
+ 
+-The SSH service must be restarted for changes to take effect.</fixtext><fix id="F-4702r88927_fix" /><check system="C-4702r88926_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the operating system uses mechanisms meeting the requirements of applicable federal laws, Executive orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module.
++Ciphers aes256-ctr,aes192-ctr,aes128-ctr
+ 
+-Note: If RHEL-07-021350 is a finding, this is automatically a finding as the system cannot implement FIPS 140-2-approved cryptographic algorithms and hashes.
++The SSH service must be restarted for changes to take effect.</fixtext><fix id="F-4702r603842_fix" /><check system="C-4702r603841_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the operating system uses mechanisms meeting the requirements of applicable federal laws, Executive orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module.
+ 
+ The location of the "sshd_config" file may vary if a different daemon is in use.
+ 
+ Inspect the "Ciphers" configuration with the following command:
+ 
+ # grep -i ciphers /etc/ssh/sshd_config
+-Ciphers aes128-ctr,aes192-ctr,aes256-ctr
++Ciphers aes256-ctr,aes192-ctr,aes128-ctr
+ 
+-If any ciphers other than "aes128-ctr", "aes192-ctr", or "aes256-ctr" are listed, the "Ciphers" keyword is missing, or the returned line is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-204579"><title>SRG-OS-000163-GPOS-00072</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204579r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-040160</version><title>The Red Hat Enterprise Linux operating system must be configured so that all network connections associated with a communication session are terminated at the end of the session or after 15 minutes of inactivity from the user at a command prompt, except to fulfill documented and validated mission requirements.</title><description>&lt;VulnDiscussion&gt;Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle session will also free up resources committed by the managed network element. 
++If any ciphers other than "aes256-ctr", "aes192-ctr", or "aes128-ctr" are listed, the order differs from the example above, the "Ciphers" keyword is missing, or the returned line is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-204579"><title>SRG-OS-000163-GPOS-00072</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204579r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-040160</version><title>The Red Hat Enterprise Linux operating system must be configured so that all network connections associated with a communication session are terminated at the end of the session or after 15 minutes of inactivity from the user at a command prompt, except to fulfill documented and validated mission requirements.</title><description>&lt;VulnDiscussion&gt;Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle session will also free up resources committed by the managed network element. 
+ 
+ Terminating network connections associated with communications sessions includes, for example, de-allocating associated TCP/IP address/port pairs at the operating system level and de-allocating networking assignments at the application level if multiple application sessions are using a single operating system-level network connection. This does not mean that the operating system terminates all sessions or network access; it only ends the inactive session and releases the resources associated with that session.
+ 
+-Satisfies: SRG-OS-000029-GPOS-00010, SRG-OS-000163-GPOS-00072&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-72223</ident><ident system="http://cyber.mil/legacy">SV-86847</ident><ident system="http://cyber.mil/cci">CCI-001133</ident><ident system="http://cyber.mil/cci">CCI-002361</ident><fixtext fixref="F-4703r462735_fix">Configure the operating system to terminate all network connections associated with a communications session at the end of the session or after a period of inactivity.
++Satisfies: SRG-OS-000029-GPOS-00010, SRG-OS-000163-GPOS-00072&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86847</ident><ident system="http://cyber.mil/legacy">V-72223</ident><ident system="http://cyber.mil/cci">CCI-001133</ident><ident system="http://cyber.mil/cci">CCI-002361</ident><fixtext fixref="F-4703r462735_fix">Configure the operating system to terminate all network connections associated with a communications session at the end of the session or after a period of inactivity.
+ 
+ Create a script to enforce the inactivity timeout (for example /etc/profile.d/tmout.sh) such as:
+ 
+@@ -3783,7 +3783,7 @@ etc/profile.d/tmout.sh:TMOUT=900
+ 
+ /etc/profile.d/tmout.sh:export TMOUT
+ 
+-If "TMOUT" is not set to "900" or less in a script located in the /etc/profile.d/ directory to enforce session termination after inactivity, this is a finding.</check-content></check></Rule></Group><Group id="V-204580"><title>SRG-OS-000023-GPOS-00006</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204580r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-040170</version><title>The Red Hat Enterprise Linux operating system must display the Standard Mandatory DoD Notice and Consent Banner immediately prior to, or as part of, remote access logon prompts.</title><description>&lt;VulnDiscussion&gt;Display of a standardized and approved use notification before granting access to the publicly accessible operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.
++If "TMOUT" is not set to "900" or less in a script located in the /etc/profile.d/ directory to enforce session termination after inactivity, this is a finding.</check-content></check></Rule></Group><Group id="V-204580"><title>SRG-OS-000023-GPOS-00006</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204580r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-040170</version><title>The Red Hat Enterprise Linux operating system must display the Standard Mandatory DoD Notice and Consent Banner immediately prior to, or as part of, remote access logon prompts.</title><description>&lt;VulnDiscussion&gt;Display of a standardized and approved use notification before granting access to the publicly accessible operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.
+ 
+ System use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist.
+ 
+@@ -3803,7 +3803,7 @@ By using this IS (which includes any device attached to this IS), you consent to
+ 
+ -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."
+ 
+-Satisfies: SRG-OS-000023-GPOS-00006, SRG-OS-000024-GPOS-00007 , SRG-OS-000228-GPOS-00088&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86849</ident><ident system="http://cyber.mil/legacy">V-72225</ident><ident system="http://cyber.mil/cci">CCI-000048</ident><ident system="http://cyber.mil/cci">CCI-000050</ident><ident system="http://cyber.mil/cci">CCI-001384</ident><ident system="http://cyber.mil/cci">CCI-001385</ident><ident system="http://cyber.mil/cci">CCI-001386</ident><ident system="http://cyber.mil/cci">CCI-001387</ident><ident system="http://cyber.mil/cci">CCI-001388</ident><fixtext fixref="F-4704r297486_fix">Configure the operating system to display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system via the ssh.
++Satisfies: SRG-OS-000023-GPOS-00006, SRG-OS-000024-GPOS-00007 , SRG-OS-000228-GPOS-00088&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86849</ident><ident system="http://cyber.mil/legacy">V-72225</ident><ident system="http://cyber.mil/cci">CCI-001384</ident><ident system="http://cyber.mil/cci">CCI-001385</ident><ident system="http://cyber.mil/cci">CCI-001386</ident><ident system="http://cyber.mil/cci">CCI-001387</ident><ident system="http://cyber.mil/cci">CCI-001388</ident><ident system="http://cyber.mil/cci">CCI-000048</ident><ident system="http://cyber.mil/cci">CCI-000050</ident><fixtext fixref="F-4704r297486_fix">Configure the operating system to display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system via the ssh.
+ 
+ Edit the "/etc/ssh/sshd_config" file to uncomment the banner keyword and configure it to point to a file that will contain the logon banner (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor). An example configuration line is:
+ 
+@@ -3855,9 +3855,9 @@ By using this IS (which includes any device attached to this IS), you consent to
+ 
+ If the system does not display a graphical logon banner or the banner does not match the Standard Mandatory DoD Notice and Consent Banner, this is a finding.
+ 
+-If the text in the file does not match the Standard Mandatory DoD Notice and Consent Banner, this is a finding.</check-content></check></Rule></Group><Group id="V-204581"><title>SRG-OS-000250-GPOS-00093</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204581r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-040180</version><title>The Red Hat Enterprise Linux operating system must implement cryptography to protect the integrity of Lightweight Directory Access Protocol (LDAP) authentication communications.</title><description>&lt;VulnDiscussion&gt;Without cryptographic integrity protections, information can be altered by unauthorized users without detection.
++If the text in the file does not match the Standard Mandatory DoD Notice and Consent Banner, this is a finding.</check-content></check></Rule></Group><Group id="V-204581"><title>SRG-OS-000250-GPOS-00093</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204581r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-040180</version><title>The Red Hat Enterprise Linux operating system must implement cryptography to protect the integrity of Lightweight Directory Access Protocol (LDAP) authentication communications.</title><description>&lt;VulnDiscussion&gt;Without cryptographic integrity protections, information can be altered by unauthorized users without detection.
+ 
+-Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the key used to generate the hash.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-72227</ident><ident system="http://cyber.mil/legacy">SV-86851</ident><ident system="http://cyber.mil/cci">CCI-001453</ident><fixtext fixref="F-4705r88936_fix">Configure the operating system to implement cryptography to protect the integrity of LDAP authentication sessions.
++Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the key used to generate the hash.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86851</ident><ident system="http://cyber.mil/legacy">V-72227</ident><ident system="http://cyber.mil/cci">CCI-001453</ident><fixtext fixref="F-4705r88936_fix">Configure the operating system to implement cryptography to protect the integrity of LDAP authentication sessions.
+ 
+ Add or modify the following line in "/etc/sssd/sssd.conf":
+ 
+@@ -3887,9 +3887,9 @@ Ensure that LDAP is configured to use TLS by using the following command:
+ # grep -i "start_tls" /etc/sssd/sssd.conf
+ ldap_id_use_start_tls = true
+ 
+-If the "ldap_id_use_start_tls" option is not "true", this is a finding.</check-content></check></Rule></Group><Group id="V-204582"><title>SRG-OS-000250-GPOS-00093</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204582r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-040190</version><title>The Red Hat Enterprise Linux operating system must implement cryptography to protect the integrity of Lightweight Directory Access Protocol (LDAP) communications.</title><description>&lt;VulnDiscussion&gt;Without cryptographic integrity protections, information can be altered by unauthorized users without detection.
++If the "ldap_id_use_start_tls" option is not "true", this is a finding.</check-content></check></Rule></Group><Group id="V-204582"><title>SRG-OS-000250-GPOS-00093</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204582r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-040190</version><title>The Red Hat Enterprise Linux operating system must implement cryptography to protect the integrity of Lightweight Directory Access Protocol (LDAP) communications.</title><description>&lt;VulnDiscussion&gt;Without cryptographic integrity protections, information can be altered by unauthorized users without detection.
+ 
+-Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the key used to generate the hash.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-72229</ident><ident system="http://cyber.mil/legacy">SV-86853</ident><ident system="http://cyber.mil/cci">CCI-001453</ident><fixtext fixref="F-4706r88939_fix">Configure the operating system to implement cryptography to protect the integrity of LDAP remote access sessions.
++Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the key used to generate the hash.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86853</ident><ident system="http://cyber.mil/legacy">V-72229</ident><ident system="http://cyber.mil/cci">CCI-001453</ident><fixtext fixref="F-4706r88939_fix">Configure the operating system to implement cryptography to protect the integrity of LDAP remote access sessions.
+ 
+ Add or modify the following line in "/etc/sssd/sssd.conf":
+ 
+@@ -3921,7 +3921,7 @@ ldap_tls_reqcert = demand
+ 
+ If the "ldap_tls_reqcert" setting is missing, commented out, or does not exist, this is a finding.
+ 
+-If the "ldap_tls_reqcert" setting is not set to "demand" or "hard", this is a finding.</check-content></check></Rule></Group><Group id="V-204583"><title>SRG-OS-000250-GPOS-00093</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204583r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-040200</version><title>The Red Hat Enterprise Linux operating system must implement cryptography to protect the integrity of Lightweight Directory Access Protocol (LDAP) communications.</title><description>&lt;VulnDiscussion&gt;Without cryptographic integrity protections, information can be altered by unauthorized users without detection.
++If the "ldap_tls_reqcert" setting is not set to "demand" or "hard", this is a finding.</check-content></check></Rule></Group><Group id="V-204583"><title>SRG-OS-000250-GPOS-00093</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204583r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-040200</version><title>The Red Hat Enterprise Linux operating system must implement cryptography to protect the integrity of Lightweight Directory Access Protocol (LDAP) communications.</title><description>&lt;VulnDiscussion&gt;Without cryptographic integrity protections, information can be altered by unauthorized users without detection.
+ 
+ Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the key used to generate the hash.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86855</ident><ident system="http://cyber.mil/legacy">V-72231</ident><ident system="http://cyber.mil/cci">CCI-001453</ident><fixtext fixref="F-4707r88942_fix">Configure the operating system to implement cryptography to protect the integrity of LDAP remote access sessions.
+ 
+@@ -3956,7 +3956,7 @@ ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt
+ 
+ Verify the "ldap_tls_cacert" option points to a file that contains the trusted CA certificate.
+ 
+-If this file does not exist, or the option is commented out or missing, this is a finding.</check-content></check></Rule></Group><Group id="V-204584"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204584r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-040201</version><title>The Red Hat Enterprise Linux operating system must implement virtual address space randomization.</title><description>&lt;VulnDiscussion&gt;Address space layout randomization (ASLR) makes it more difficult for an attacker to predict the location of attack code he or she has introduced into a process's address space during an attempt at exploitation. Additionally, ASLR also makes it more difficult for an attacker to know the location of existing code in order to repurpose it using return-oriented programming (ROP) techniques.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-92521</ident><ident system="http://cyber.mil/legacy">V-77825</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4708r88945_fix">Configure the operating system implement virtual address space randomization.
++If this file does not exist, or the option is commented out or missing, this is a finding.</check-content></check></Rule></Group><Group id="V-204584"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204584r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-040201</version><title>The Red Hat Enterprise Linux operating system must implement virtual address space randomization.</title><description>&lt;VulnDiscussion&gt;Address space layout randomization (ASLR) makes it more difficult for an attacker to predict the location of attack code he or she has introduced into a process's address space during an attempt at exploitation. Additionally, ASLR also makes it more difficult for an attacker to know the location of existing code in order to repurpose it using return-oriented programming (ROP) techniques.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-92521</ident><ident system="http://cyber.mil/legacy">V-77825</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4708r88945_fix">Configure the operating system implement virtual address space randomization.
+ 
+ Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a config file in the /etc/sysctl.d/ directory (or modify the line to have the required value):
+ 
+@@ -3978,13 +3978,13 @@ Check that the operating system implements virtual address space randomization w
+ 
+ kernel.randomize_va_space = 2
+ 
+-If "kernel.randomize_va_space" does not have a value of "2", this is a finding.</check-content></check></Rule></Group><Group id="V-204585"><title>SRG-OS-000423-GPOS-00187</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204585r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-040300</version><title>The Red Hat Enterprise Linux operating system must be configured so that all networked systems have SSH installed.</title><description>&lt;VulnDiscussion&gt;Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read or altered. 
++If "kernel.randomize_va_space" does not have a value of "2", this is a finding.</check-content></check></Rule></Group><Group id="V-204585"><title>SRG-OS-000423-GPOS-00187</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204585r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-040300</version><title>The Red Hat Enterprise Linux operating system must be configured so that all networked systems have SSH installed.</title><description>&lt;VulnDiscussion&gt;Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read or altered. 
+ 
+ This requirement applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, and facsimile machines). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. 
+ 
+ Protecting the confidentiality and integrity of organizational information can be accomplished by physical means (e.g., employing physical distribution systems) or by logical means (e.g., employing cryptographic techniques). If physical means of protection are employed, logical means (cryptography) do not have to be employed, and vice versa.
+ 
+-Satisfies: SRG-OS-000423-GPOS-00187, SRG-OS-000424-GPOS-00188, SRG-OS-000425-GPOS-00189, SRG-OS-000426-GPOS-00190&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86857</ident><ident system="http://cyber.mil/legacy">V-72233</ident><ident system="http://cyber.mil/cci">CCI-002418</ident><ident system="http://cyber.mil/cci">CCI-002420</ident><ident system="http://cyber.mil/cci">CCI-002421</ident><ident system="http://cyber.mil/cci">CCI-002422</ident><fixtext fixref="F-4709r88948_fix">Install SSH packages onto the host with the following commands:
++Satisfies: SRG-OS-000423-GPOS-00187, SRG-OS-000424-GPOS-00188, SRG-OS-000425-GPOS-00189, SRG-OS-000426-GPOS-00190&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86857</ident><ident system="http://cyber.mil/legacy">V-72233</ident><ident system="http://cyber.mil/cci">CCI-002422</ident><ident system="http://cyber.mil/cci">CCI-002418</ident><ident system="http://cyber.mil/cci">CCI-002420</ident><ident system="http://cyber.mil/cci">CCI-002421</ident><fixtext fixref="F-4709r88948_fix">Install SSH packages onto the host with the following commands:
+ 
+ # yum install openssh-server.x86_64</fixtext><fix id="F-4709r88948_fix" /><check system="C-4709r88947_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Check to see if sshd is installed with the following command:
+ 
+@@ -3993,7 +3993,7 @@ libssh2.x86_64 1.4.3-8.el7 @anaconda/7.1
+ openssh.x86_64 6.6.1p1-11.el7 @anaconda/7.1
+ openssh-server.x86_64 6.6.1p1-11.el7 @anaconda/7.1
+ 
+-If the "SSH server" package is not installed, this is a finding.</check-content></check></Rule></Group><Group id="V-204586"><title>SRG-OS-000423-GPOS-00187</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204586r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-040310</version><title>The Red Hat Enterprise Linux operating system must be configured so that all networked systems use SSH for confidentiality and integrity of transmitted and received information as well as information during preparation for transmission.</title><description>&lt;VulnDiscussion&gt;Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read or altered. 
++If the "SSH server" package is not installed, this is a finding.</check-content></check></Rule></Group><Group id="V-204586"><title>SRG-OS-000423-GPOS-00187</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204586r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-040310</version><title>The Red Hat Enterprise Linux operating system must be configured so that all networked systems use SSH for confidentiality and integrity of transmitted and received information as well as information during preparation for transmission.</title><description>&lt;VulnDiscussion&gt;Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read or altered. 
+ 
+ This requirement applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, and facsimile machines). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. 
+ 
+@@ -4011,7 +4011,7 @@ Main PID: 1348 (sshd)
+ CGroup: /system.slice/sshd.service
+ 1053 /usr/sbin/sshd -D
+ 
+-If "sshd" does not show a status of "active" and "running", this is a finding.</check-content></check></Rule></Group><Group id="V-204587"><title>SRG-OS-000163-GPOS-00072</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204587r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-040320</version><title>The Red Hat Enterprise Linux operating system must be configured so that all network connections associated with SSH traffic are terminated at the end of the session or after 10 minutes of inactivity, except to fulfill documented and validated mission requirements.</title><description>&lt;VulnDiscussion&gt;Terminating an idle SSH session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle SSH session will also free up resources committed by the managed network element.
++If "sshd" does not show a status of "active" and "running", this is a finding.</check-content></check></Rule></Group><Group id="V-204587"><title>SRG-OS-000163-GPOS-00072</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204587r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-040320</version><title>The Red Hat Enterprise Linux operating system must be configured so that all network connections associated with SSH traffic are terminated at the end of the session or after 10 minutes of inactivity, except to fulfill documented and validated mission requirements.</title><description>&lt;VulnDiscussion&gt;Terminating an idle SSH session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle SSH session will also free up resources committed by the managed network element.
+ 
+ Terminating network connections associated with communications sessions includes, for example, de-allocating associated TCP/IP address/port pairs at the operating system level and de-allocating networking assignments at the application level if multiple application sessions are using a single operating system-level network connection. This does not mean that the operating system terminates all sessions or network access; it only ends the inactive session and releases the resources associated with that session.
+ 
+@@ -4031,7 +4031,7 @@ ClientAliveInterval 600
+ 
+ If "ClientAliveInterval" is not configured, commented out, or has a value of "0", this is a finding.
+ 
+-If "ClientAliveInterval" has a value that is greater than "600" and is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.</check-content></check></Rule></Group><Group id="V-204588"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204588r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-040330</version><title>The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not allow authentication using RSA rhosts authentication.</title><description>&lt;VulnDiscussion&gt;Configuring this setting for the SSH daemon provides additional assurance that remote logon via SSH will require a password, even in the event of misconfiguration elsewhere.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-72239</ident><ident system="http://cyber.mil/legacy">SV-86863</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4712r88957_fix">Configure the SSH daemon to not allow authentication using RSA rhosts authentication.
++If "ClientAliveInterval" has a value that is greater than "600" and is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.</check-content></check></Rule></Group><Group id="V-204588"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204588r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-040330</version><title>The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not allow authentication using RSA rhosts authentication.</title><description>&lt;VulnDiscussion&gt;Configuring this setting for the SSH daemon provides additional assurance that remote logon via SSH will require a password, even in the event of misconfiguration elsewhere.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86863</ident><ident system="http://cyber.mil/legacy">V-72239</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4712r88957_fix">Configure the SSH daemon to not allow authentication using RSA rhosts authentication.
+ 
+ Add the following line in "/etc/ssh/sshd_config", or uncomment the line and set the value to "no":
+ 
+@@ -4050,7 +4050,7 @@ To determine how the SSH daemon's "RhostsRSAAuthentication" option is set, run t
+ # grep RhostsRSAAuthentication /etc/ssh/sshd_config
+ RhostsRSAAuthentication no
+ 
+-If the value is returned as "yes", the returned line is commented out, or no output is returned, this is a finding.</check-content></check></Rule></Group><Group id="V-204589"><title>SRG-OS-000163-GPOS-00072</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204589r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-040340</version><title>The Red Hat Enterprise Linux operating system must be configured so that all network connections associated with SSH traffic terminate after a period of inactivity.</title><description>&lt;VulnDiscussion&gt;Terminating an idle SSH session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle SSH session will also free up resources committed by the managed network element.
++If the value is returned as "yes", the returned line is commented out, or no output is returned, this is a finding.</check-content></check></Rule></Group><Group id="V-204589"><title>SRG-OS-000163-GPOS-00072</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204589r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-040340</version><title>The Red Hat Enterprise Linux operating system must be configured so that all network connections associated with SSH traffic terminate after a period of inactivity.</title><description>&lt;VulnDiscussion&gt;Terminating an idle SSH session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle SSH session will also free up resources committed by the managed network element.
+ 
+ Terminating network connections associated with communications sessions includes, for example, de-allocating associated TCP/IP address/port pairs at the operating system level and de-allocating networking assignments at the application level if multiple application sessions are using a single operating system-level network connection. This does not mean that the operating system terminates all sessions or network access; it only ends the inactive session and releases the resources associated with that session.
+ 
+@@ -4067,7 +4067,7 @@ Check for the value of the "ClientAliveCountMax" keyword with the following comm
+ # grep -i clientalivecount /etc/ssh/sshd_config
+ ClientAliveCountMax 0
+ 
+-If "ClientAliveCountMax" is not set to "0", this is a finding.</check-content></check></Rule></Group><Group id="V-204590"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204590r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-040350</version><title>The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not allow authentication using rhosts authentication.</title><description>&lt;VulnDiscussion&gt;Configuring this setting for the SSH daemon provides additional assurance that remote logon via SSH will require a password, even in the event of misconfiguration elsewhere.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-72243</ident><ident system="http://cyber.mil/legacy">SV-86867</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4714r88963_fix">Configure the SSH daemon to not allow authentication using known hosts authentication.
++If "ClientAliveCountMax" is not set to "0", this is a finding.</check-content></check></Rule></Group><Group id="V-204590"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204590r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-040350</version><title>The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not allow authentication using rhosts authentication.</title><description>&lt;VulnDiscussion&gt;Configuring this setting for the SSH daemon provides additional assurance that remote logon via SSH will require a password, even in the event of misconfiguration elsewhere.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86867</ident><ident system="http://cyber.mil/legacy">V-72243</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4714r88963_fix">Configure the SSH daemon to not allow authentication using known hosts authentication.
+ 
+ Add the following line in "/etc/ssh/sshd_config", or uncomment the line and set the value to "yes":
+ 
+@@ -4079,7 +4079,7 @@ To determine how the SSH daemon's "IgnoreRhosts" option is set, run the followin
+ 
+ IgnoreRhosts yes
+ 
+-If the value is returned as "no", the returned line is commented out, or no output is returned, this is a finding.</check-content></check></Rule></Group><Group id="V-204591"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204591r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-040360</version><title>The Red Hat Enterprise Linux operating system must display the date and time of the last successful account logon upon an SSH logon.</title><description>&lt;VulnDiscussion&gt;Providing users with feedback on when account accesses via SSH last occurred facilitates user recognition and reporting of unauthorized account use.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-72245</ident><ident system="http://cyber.mil/legacy">SV-86869</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4715r88966_fix">Configure SSH to provide users with feedback on when account accesses last occurred by setting the required configuration options in "/etc/pam.d/sshd" or in the "sshd_config" file used by the system ("/etc/ssh/sshd_config" will be used in the example) (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor).
++If the value is returned as "no", the returned line is commented out, or no output is returned, this is a finding.</check-content></check></Rule></Group><Group id="V-204591"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204591r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-040360</version><title>The Red Hat Enterprise Linux operating system must display the date and time of the last successful account logon upon an SSH logon.</title><description>&lt;VulnDiscussion&gt;Providing users with feedback on when account accesses via SSH last occurred facilitates user recognition and reporting of unauthorized account use.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86869</ident><ident system="http://cyber.mil/legacy">V-72245</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4715r88966_fix">Configure SSH to provide users with feedback on when account accesses last occurred by setting the required configuration options in "/etc/pam.d/sshd" or in the "sshd_config" file used by the system ("/etc/ssh/sshd_config" will be used in the example) (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor).
+ 
+ Modify the "PrintLastLog" line in "/etc/ssh/sshd_config" to match the following:
+ 
+@@ -4092,7 +4092,7 @@ Check that "PrintLastLog" keyword in the sshd daemon configuration file is used
+ # grep -i printlastlog /etc/ssh/sshd_config
+ PrintLastLog yes
+ 
+-If the "PrintLastLog" keyword is set to "no", is missing, or is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-204592"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204592r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-040370</version><title>The Red Hat Enterprise Linux operating system must not permit direct logons to the root account using remote access via SSH.</title><description>&lt;VulnDiscussion&gt;Even though the communications channel may be encrypted, an additional layer of security is gained by extending the policy of not logging on directly as root. In addition, logging on with a user-specific account provides individual accountability of actions performed on the system.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-72247</ident><ident system="http://cyber.mil/legacy">SV-86871</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4716r88969_fix">Configure SSH to stop users from logging on remotely as the root user.
++If the "PrintLastLog" keyword is set to "no", is missing, or is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-204592"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204592r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-040370</version><title>The Red Hat Enterprise Linux operating system must not permit direct logons to the root account using remote access via SSH.</title><description>&lt;VulnDiscussion&gt;Even though the communications channel may be encrypted, an additional layer of security is gained by extending the policy of not logging on directly as root. In addition, logging on with a user-specific account provides individual accountability of actions performed on the system.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86871</ident><ident system="http://cyber.mil/legacy">V-72247</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4716r88969_fix">Configure SSH to stop users from logging on remotely as the root user.
+ 
+ Edit the appropriate  "/etc/ssh/sshd_config" file to uncomment or add the line for the "PermitRootLogin" keyword and set its value to "no" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor):
+ 
+@@ -4105,7 +4105,7 @@ Check that SSH prevents users from logging on directly as root with the followin
+ # grep -i permitrootlogin /etc/ssh/sshd_config
+ PermitRootLogin no
+ 
+-If the "PermitRootLogin" keyword is set to "yes", is missing, or is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-204593"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204593r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-040380</version><title>The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not allow authentication using known hosts authentication.</title><description>&lt;VulnDiscussion&gt;Configuring this setting for the SSH daemon provides additional assurance that remote logon via SSH will require a password, even in the event of misconfiguration elsewhere.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-72249</ident><ident system="http://cyber.mil/legacy">SV-86873</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4717r88972_fix">Configure the SSH daemon to not allow authentication using known hosts authentication.
++If the "PermitRootLogin" keyword is set to "yes", is missing, or is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-204593"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204593r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-040380</version><title>The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not allow authentication using known hosts authentication.</title><description>&lt;VulnDiscussion&gt;Configuring this setting for the SSH daemon provides additional assurance that remote logon via SSH will require a password, even in the event of misconfiguration elsewhere.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86873</ident><ident system="http://cyber.mil/legacy">V-72249</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4717r88972_fix">Configure the SSH daemon to not allow authentication using known hosts authentication.
+ 
+ Add the following line in "/etc/ssh/sshd_config", or uncomment the line and set the value to "yes":
+ 
+@@ -4119,9 +4119,9 @@ To determine how the SSH daemon's "IgnoreUserKnownHosts" option is set, run the
+ 
+ IgnoreUserKnownHosts yes
+ 
+-If the value is returned as "no", the returned line is commented out, or no output is returned, this is a finding.</check-content></check></Rule></Group><Group id="V-204594"><title>SRG-OS-000074-GPOS-00042</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204594r505924_rule" weight="10.0" severity="high"><version>RHEL-07-040390</version><title>The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon is configured to only use the SSHv2 protocol.</title><description>&lt;VulnDiscussion&gt;SSHv1 is an insecure implementation of the SSH protocol and has many well-known vulnerability exploits. Exploits of the SSH daemon could provide immediate root access to the system.
++If the value is returned as "no", the returned line is commented out, or no output is returned, this is a finding.</check-content></check></Rule></Group><Group id="V-204594"><title>SRG-OS-000074-GPOS-00042</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204594r603261_rule" weight="10.0" severity="high"><version>RHEL-07-040390</version><title>The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon is configured to only use the SSHv2 protocol.</title><description>&lt;VulnDiscussion&gt;SSHv1 is an insecure implementation of the SSH protocol and has many well-known vulnerability exploits. Exploits of the SSH daemon could provide immediate root access to the system.
+ 
+-Satisfies: SRG-OS-000074-GPOS-00042, SRG-OS-000480-GPOS-00227&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-72251</ident><ident system="http://cyber.mil/legacy">SV-86875</ident><ident system="http://cyber.mil/cci">CCI-000197</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4718r88975_fix">Remove all Protocol lines that reference version "1" in "/etc/ssh/sshd_config" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor). The "Protocol" line must be as follows:
++Satisfies: SRG-OS-000074-GPOS-00042, SRG-OS-000480-GPOS-00227&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86875</ident><ident system="http://cyber.mil/legacy">V-72251</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><ident system="http://cyber.mil/cci">CCI-000197</ident><fixtext fixref="F-4718r88975_fix">Remove all Protocol lines that reference version "1" in "/etc/ssh/sshd_config" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor). The "Protocol" line must be as follows:
+ 
+ Protocol 2
+ 
+@@ -4139,20 +4139,22 @@ Check that the SSH daemon is configured to only use the SSHv2 protocol with the
+ Protocol 2
+ #Protocol 1,2
+ 
+-If any protocol line other than "Protocol 2" is uncommented, this is a finding.</check-content></check></Rule></Group><Group id="V-204595"><title>SRG-OS-000250-GPOS-00093</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204595r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-040400</version><title>The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon is configured to only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms.</title><description>&lt;VulnDiscussion&gt;DoD information systems are required to use FIPS 140-2 approved cryptographic hash functions. The only SSHv2 hash algorithm meeting this requirement is SHA.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86877</ident><ident system="http://cyber.mil/legacy">V-72253</ident><ident system="http://cyber.mil/cci">CCI-001453</ident><fixtext fixref="F-4719r88978_fix">Edit the "/etc/ssh/sshd_config" file to uncomment or add the line for the "MACs" keyword and set its value to "hmac-sha2-256" and/or "hmac-sha2-512" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor):
++If any protocol line other than "Protocol 2" is uncommented, this is a finding.</check-content></check></Rule></Group><Group id="V-204595"><title>SRG-OS-000250-GPOS-00093</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204595r603846_rule" weight="10.0" severity="medium"><version>RHEL-07-040400</version><title>The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon is configured to only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms.</title><description>&lt;VulnDiscussion&gt;DoD information systems are required to use FIPS 140-2 approved cryptographic hash functions. The only SSHv2 hash algorithm meeting this requirement is SHA.
++
++By specifying a hash algorithm list with the order of hashes being in a “strongest to weakest” orientation, the system will automatically attempt to use the strongest hash for securing SSH connections.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86877</ident><ident system="http://cyber.mil/legacy">V-72253</ident><ident system="http://cyber.mil/cci">CCI-001453</ident><fixtext fixref="F-4719r603845_fix">Edit the "/etc/ssh/sshd_config" file to uncomment or add the line for the "MACs" keyword and set its value to "hmac-sha2-512" and/or "hmac-sha2-256" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor):
+ 
+-MACs hmac-sha2-256,hmac-sha2-512
++MACs hmac-sha2-512,hmac-sha2-256
+ 
+-The SSH service must be restarted for changes to take effect.</fixtext><fix id="F-4719r88978_fix" /><check system="C-4719r88977_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the SSH daemon is configured to only use MACs employing FIPS 140-2-approved ciphers.
++The SSH service must be restarted for changes to take effect.</fixtext><fix id="F-4719r603845_fix" /><check system="C-4719r603844_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the SSH daemon is configured to only use MACs employing FIPS 140-2-approved hashes.
+ 
+ Note: If RHEL-07-021350 is a finding, this is automatically a finding as the system cannot implement FIPS 140-2-approved cryptographic algorithms and hashes.
+ 
+-Check that the SSH daemon is configured to only use MACs employing FIPS 140-2-approved ciphers with the following command:
++Check that the SSH daemon is configured to only use MACs employing FIPS 140-2-approved hashes with the following command:
+ 
+ # grep -i macs /etc/ssh/sshd_config
+-MACs hmac-sha2-256,hmac-sha2-512
++MACs hmac-sha2-512,hmac-sha2-256
+ 
+-If any ciphers other than "hmac-sha2-256" or "hmac-sha2-512" are listed or the returned line is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-204596"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204596r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-040410</version><title>The Red Hat Enterprise Linux operating system must be configured so that the SSH public host key files have mode 0644 or less permissive.</title><description>&lt;VulnDiscussion&gt;If a public host key file is modified by an unauthorized user, the SSH service may be compromised.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-72255</ident><ident system="http://cyber.mil/legacy">SV-86879</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4720r88981_fix">Note: SSH public key files may be found in other directories on the system depending on the installation. 
++If any hashes other than "hmac-sha2-512" or "hmac-sha2-256" are listed, the order differs from the example above, they are missing, or the returned line is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-204596"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204596r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-040410</version><title>The Red Hat Enterprise Linux operating system must be configured so that the SSH public host key files have mode 0644 or less permissive.</title><description>&lt;VulnDiscussion&gt;If a public host key file is modified by an unauthorized user, the SSH service may be compromised.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86879</ident><ident system="http://cyber.mil/legacy">V-72255</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4720r88981_fix">Note: SSH public key files may be found in other directories on the system depending on the installation. 
+ 
+ Change the mode of public host key files under "/etc/ssh" to "0644" with the following command:
+ 
+@@ -4168,7 +4170,7 @@ The following command will find all SSH public key files on the system:
+ -rw-r--r-- 1 root root 347 Nov 28 06:43 ssh_host_key.pub
+ -rw-r--r-- 1 root root 238 Nov 28 06:43 ssh_host_rsa_key.pub
+ 
+-If any file has a mode more permissive than "0644", this is a finding.</check-content></check></Rule></Group><Group id="V-204597"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204597r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-040420</version><title>The Red Hat Enterprise Linux operating system must be configured so that the SSH private host key files have mode 0640 or less permissive.</title><description>&lt;VulnDiscussion&gt;If an unauthorized user obtains the private SSH host key file, the host could be impersonated.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-72257</ident><ident system="http://cyber.mil/legacy">SV-86881</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4721r88984_fix">Configure the mode of SSH private host key files under "/etc/ssh" to "0640" with the following command:
++If any file has a mode more permissive than "0644", this is a finding.</check-content></check></Rule></Group><Group id="V-204597"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204597r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-040420</version><title>The Red Hat Enterprise Linux operating system must be configured so that the SSH private host key files have mode 0640 or less permissive.</title><description>&lt;VulnDiscussion&gt;If an unauthorized user obtains the private SSH host key file, the host could be impersonated.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86881</ident><ident system="http://cyber.mil/legacy">V-72257</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4721r88984_fix">Configure the mode of SSH private host key files under "/etc/ssh" to "0640" with the following command:
+ 
+ # chmod 0640 /path/to/file/ssh_host*key
+ </fixtext><fix id="F-4721r88984_fix" /><check system="C-4721r88983_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the SSH private host key files have mode "0640" or less permissive.
+@@ -4181,7 +4183,7 @@ The following command will find all SSH private key files on the system and list
+ -rw-r----- 1 root ssh_keys 582 Nov 28 06:43 ssh_host_key
+ -rw-r----- 1 root ssh_keys 887 Nov 28 06:43 ssh_host_rsa_key
+ 
+-If any file has a mode more permissive than "0640", this is a finding.</check-content></check></Rule></Group><Group id="V-204598"><title>SRG-OS-000364-GPOS-00151</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204598r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-040430</version><title>The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not permit Generic Security Service Application Program Interface (GSSAPI) authentication unless needed.</title><description>&lt;VulnDiscussion&gt;GSSAPI authentication is used to provide additional authentication mechanisms to applications. Allowing GSSAPI authentication through SSH exposes the system's GSSAPI to remote hosts, increasing the attack surface of the system. GSSAPI authentication must be disabled unless needed.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-72259</ident><ident system="http://cyber.mil/legacy">SV-86883</ident><ident system="http://cyber.mil/cci">CCI-000318</ident><ident system="http://cyber.mil/cci">CCI-000368</ident><ident system="http://cyber.mil/cci">CCI-001812</ident><ident system="http://cyber.mil/cci">CCI-001814</ident><ident system="http://cyber.mil/cci">CCI-001813</ident><fixtext fixref="F-4722r88987_fix">Uncomment the "GSSAPIAuthentication" keyword in "/etc/ssh/sshd_config" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor) and set the value to "no": 
++If any file has a mode more permissive than "0640", this is a finding.</check-content></check></Rule></Group><Group id="V-204598"><title>SRG-OS-000364-GPOS-00151</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204598r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-040430</version><title>The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not permit Generic Security Service Application Program Interface (GSSAPI) authentication unless needed.</title><description>&lt;VulnDiscussion&gt;GSSAPI authentication is used to provide additional authentication mechanisms to applications. Allowing GSSAPI authentication through SSH exposes the system's GSSAPI to remote hosts, increasing the attack surface of the system. GSSAPI authentication must be disabled unless needed.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86883</ident><ident system="http://cyber.mil/legacy">V-72259</ident><ident system="http://cyber.mil/cci">CCI-000318</ident><ident system="http://cyber.mil/cci">CCI-001812</ident><ident system="http://cyber.mil/cci">CCI-001813</ident><ident system="http://cyber.mil/cci">CCI-000368</ident><ident system="http://cyber.mil/cci">CCI-001814</ident><fixtext fixref="F-4722r88987_fix">Uncomment the "GSSAPIAuthentication" keyword in "/etc/ssh/sshd_config" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor) and set the value to "no": 
+ 
+ GSSAPIAuthentication no
+ 
+@@ -4194,7 +4196,7 @@ Check that the SSH daemon does not permit GSSAPI authentication with the followi
+ # grep -i gssapiauth /etc/ssh/sshd_config
+ GSSAPIAuthentication no
+ 
+-If the "GSSAPIAuthentication" keyword is missing, is set to "yes" and is not documented with the Information System Security Officer (ISSO), or the returned line is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-204599"><title>SRG-OS-000364-GPOS-00151</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204599r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-040440</version><title>The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not permit Kerberos authentication unless needed.</title><description>&lt;VulnDiscussion&gt;Kerberos authentication for SSH is often implemented using Generic Security Service Application Program Interface (GSSAPI). If Kerberos is enabled through SSH, the SSH daemon provides a means of access to the system's Kerberos implementation. Vulnerabilities in the system's Kerberos implementation may then be subject to exploitation. To reduce the attack surface of the system, the Kerberos authentication mechanism within SSH must be disabled for systems not using this capability.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-72261</ident><ident system="http://cyber.mil/legacy">SV-86885</ident><ident system="http://cyber.mil/cci">CCI-000368</ident><ident system="http://cyber.mil/cci">CCI-000318</ident><ident system="http://cyber.mil/cci">CCI-001814</ident><ident system="http://cyber.mil/cci">CCI-001813</ident><ident system="http://cyber.mil/cci">CCI-001812</ident><fixtext fixref="F-4723r88990_fix">Uncomment the "KerberosAuthentication" keyword in "/etc/ssh/sshd_config" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor) and set the value to "no":
++If the "GSSAPIAuthentication" keyword is missing, is set to "yes" and is not documented with the Information System Security Officer (ISSO), or the returned line is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-204599"><title>SRG-OS-000364-GPOS-00151</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204599r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-040440</version><title>The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not permit Kerberos authentication unless needed.</title><description>&lt;VulnDiscussion&gt;Kerberos authentication for SSH is often implemented using Generic Security Service Application Program Interface (GSSAPI). If Kerberos is enabled through SSH, the SSH daemon provides a means of access to the system's Kerberos implementation. Vulnerabilities in the system's Kerberos implementation may then be subject to exploitation. To reduce the attack surface of the system, the Kerberos authentication mechanism within SSH must be disabled for systems not using this capability.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86885</ident><ident system="http://cyber.mil/legacy">V-72261</ident><ident system="http://cyber.mil/cci">CCI-000368</ident><ident system="http://cyber.mil/cci">CCI-001813</ident><ident system="http://cyber.mil/cci">CCI-001812</ident><ident system="http://cyber.mil/cci">CCI-001814</ident><ident system="http://cyber.mil/cci">CCI-000318</ident><fixtext fixref="F-4723r88990_fix">Uncomment the "KerberosAuthentication" keyword in "/etc/ssh/sshd_config" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor) and set the value to "no":
+ 
+ KerberosAuthentication no
+ 
+@@ -4207,7 +4209,7 @@ Check that the SSH daemon does not permit Kerberos to authenticate passwords wit
+ # grep -i kerberosauth /etc/ssh/sshd_config
+ KerberosAuthentication no
+ 
+-If the "KerberosAuthentication" keyword is missing, or is set to "yes" and is not documented with the Information System Security Officer (ISSO), or the returned line is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-204600"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204600r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-040450</version><title>The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon performs strict mode checking of home directory configuration files.</title><description>&lt;VulnDiscussion&gt;If other users have access to modify user-specific SSH configuration files, they may be able to log on to the system as another user.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86887</ident><ident system="http://cyber.mil/legacy">V-72263</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4724r88993_fix">Uncomment the "StrictModes" keyword in "/etc/ssh/sshd_config" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor) and set the value to "yes":
++If the "KerberosAuthentication" keyword is missing, or is set to "yes" and is not documented with the Information System Security Officer (ISSO), or the returned line is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-204600"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204600r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-040450</version><title>The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon performs strict mode checking of home directory configuration files.</title><description>&lt;VulnDiscussion&gt;If other users have access to modify user-specific SSH configuration files, they may be able to log on to the system as another user.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86887</ident><ident system="http://cyber.mil/legacy">V-72263</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4724r88993_fix">Uncomment the "StrictModes" keyword in "/etc/ssh/sshd_config" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor) and set the value to "yes":
+ 
+ StrictModes yes
+ 
+@@ -4221,7 +4223,7 @@ Inspect the "sshd_config" file with the following command:
+ 
+ StrictModes yes
+ 
+-If "StrictModes" is set to "no", is missing, or the returned line is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-204601"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204601r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-040460</version><title>The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon uses privilege separation.</title><description>&lt;VulnDiscussion&gt;SSH daemon privilege separation causes the SSH process to drop root privileges when not needed, which would decrease the impact of software vulnerabilities in the unprivileged section.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86889</ident><ident system="http://cyber.mil/legacy">V-72265</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4725r88996_fix">Uncomment the "UsePrivilegeSeparation" keyword in "/etc/ssh/sshd_config" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor) and set the value to "sandbox" or "yes":
++If "StrictModes" is set to "no", is missing, or the returned line is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-204601"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204601r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-040460</version><title>The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon uses privilege separation.</title><description>&lt;VulnDiscussion&gt;SSH daemon privilege separation causes the SSH process to drop root privileges when not needed, which would decrease the impact of software vulnerabilities in the unprivileged section.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86889</ident><ident system="http://cyber.mil/legacy">V-72265</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4725r88996_fix">Uncomment the "UsePrivilegeSeparation" keyword in "/etc/ssh/sshd_config" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor) and set the value to "sandbox" or "yes":
+ 
+ UsePrivilegeSeparation sandbox
+ 
+@@ -4233,7 +4235,7 @@ Check that the SSH daemon performs privilege separation with the following comma
+ 
+ UsePrivilegeSeparation sandbox
+ 
+-If the "UsePrivilegeSeparation" keyword is set to "no", is missing, or the returned line is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-204602"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204602r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-040470</version><title>The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not allow compression or only allows compression after successful authentication.</title><description>&lt;VulnDiscussion&gt;If compression is allowed in an SSH connection prior to authentication, vulnerabilities in the compression software could result in compromise of the system from an unauthenticated connection, potentially with root privileges.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86891</ident><ident system="http://cyber.mil/legacy">V-72267</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4726r88999_fix">Uncomment the "Compression" keyword in "/etc/ssh/sshd_config" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor) on the system and set the value to "delayed" or "no":
++If the "UsePrivilegeSeparation" keyword is set to "no", is missing, or the returned line is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-204602"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204602r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-040470</version><title>The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not allow compression or only allows compression after successful authentication.</title><description>&lt;VulnDiscussion&gt;If compression is allowed in an SSH connection prior to authentication, vulnerabilities in the compression software could result in compromise of the system from an unauthenticated connection, potentially with root privileges.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86891</ident><ident system="http://cyber.mil/legacy">V-72267</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4726r88999_fix">Uncomment the "Compression" keyword in "/etc/ssh/sshd_config" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor) on the system and set the value to "delayed" or "no":
+ 
+ Compression no
+ 
+@@ -4244,13 +4246,13 @@ Check that the SSH daemon performs compression after a user successfully authent
+ # grep -i compression /etc/ssh/sshd_config
+ Compression delayed
+ 
+-If the "Compression" keyword is set to "yes", is missing, or the returned line is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-204603"><title>SRG-OS-000355-GPOS-00143</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204603r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-040500</version><title>The Red Hat Enterprise Linux operating system must, for networked systems, synchronize clocks with a server that is synchronized to one of the redundant United States Naval Observatory (USNO) time servers, a time server designated for the appropriate DoD network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS).</title><description>&lt;VulnDiscussion&gt;Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. Sources outside the configured acceptable allowance (drift) may be inaccurate.
++If the "Compression" keyword is set to "yes", is missing, or the returned line is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-204603"><title>SRG-OS-000355-GPOS-00143</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204603r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-040500</version><title>The Red Hat Enterprise Linux operating system must, for networked systems, synchronize clocks with a server that is synchronized to one of the redundant United States Naval Observatory (USNO) time servers, a time server designated for the appropriate DoD network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS).</title><description>&lt;VulnDiscussion&gt;Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. Sources outside the configured acceptable allowance (drift) may be inaccurate.
+ 
+ Synchronizing internal information system clocks provides uniformity of time stamps for information systems with multiple system clocks and systems connected over a network.
+ 
+ Organizations should consider endpoints that may not have regular access to the authoritative time server (e.g., mobile, teleworking, and tactical endpoints).
+ 
+-Satisfies: SRG-OS-000355-GPOS-00143, SRG-OS-000356-GPOS-00144&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-72269</ident><ident system="http://cyber.mil/legacy">SV-86893</ident><ident system="http://cyber.mil/cci">CCI-002046</ident><ident system="http://cyber.mil/cci">CCI-001891</ident><fixtext fixref="F-4727r89002_fix">Edit the "/etc/ntp.conf" or "/etc/chrony.conf" file and add or update an entry to define "maxpoll" to "10" as follows:
++Satisfies: SRG-OS-000355-GPOS-00143, SRG-OS-000356-GPOS-00144&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86893</ident><ident system="http://cyber.mil/legacy">V-72269</ident><ident system="http://cyber.mil/cci">CCI-001891</ident><ident system="http://cyber.mil/cci">CCI-002046</ident><fixtext fixref="F-4727r89002_fix">Edit the "/etc/ntp.conf" or "/etc/chrony.conf" file and add or update an entry to define "maxpoll" to "10" as follows:
+ 
+ server 0.rhel.pool.ntp.org iburst maxpoll 10
+ 
+@@ -4301,7 +4303,7 @@ If the "chronyd" process is found, then check the "chrony.conf" file for the "ma
+ 
+ server 0.rhel.pool.ntp.org iburst maxpoll 10
+ 
+-If the option is not set or the line is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-204604"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204604r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-040520</version><title>The Red Hat Enterprise Linux operating system must enable an application firewall, if available.</title><description>&lt;VulnDiscussion&gt;Firewalls protect computers from network attacks by blocking or limiting access to open network ports. Application firewalls limit which applications are allowed to communicate over the network.
++If the option is not set or the line is commented out, this is a finding.</check-content></check></Rule></Group><Group id="V-204604"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204604r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-040520</version><title>The Red Hat Enterprise Linux operating system must enable an application firewall, if available.</title><description>&lt;VulnDiscussion&gt;Firewalls protect computers from network attacks by blocking or limiting access to open network ports. Application firewalls limit which applications are allowed to communicate over the network.
+ 
+ Satisfies: SRG-OS-000480-GPOS-00227, SRG-OS-000480-GPOS-00231, SRG-OS-000480-GPOS-00232&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86897</ident><ident system="http://cyber.mil/legacy">V-72273</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4728r89005_fix">Ensure the operating system's application firewall is enabled.
+ 
+@@ -4337,7 +4339,7 @@ Check the state of the firewall:
+ # firewall-cmd --state 
+ running
+ 
+-If "firewalld" does not show a state of "running", this is a finding.</check-content></check></Rule></Group><Group id="V-204605"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204605r505924_rule" weight="10.0" severity="low"><version>RHEL-07-040530</version><title>The Red Hat Enterprise Linux operating system must display the date and time of the last successful account logon upon logon.</title><description>&lt;VulnDiscussion&gt;Providing users with feedback on when account accesses last occurred facilitates user recognition and reporting of unauthorized account use.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86899</ident><ident system="http://cyber.mil/legacy">V-72275</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4729r89008_fix">Configure the operating system to provide users with feedback on when account accesses last occurred by setting the required configuration options in "/etc/pam.d/postlogin". 
++If "firewalld" does not show a state of "running", this is a finding.</check-content></check></Rule></Group><Group id="V-204605"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204605r603261_rule" weight="10.0" severity="low"><version>RHEL-07-040530</version><title>The Red Hat Enterprise Linux operating system must display the date and time of the last successful account logon upon logon.</title><description>&lt;VulnDiscussion&gt;Providing users with feedback on when account accesses last occurred facilitates user recognition and reporting of unauthorized account use.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86899</ident><ident system="http://cyber.mil/legacy">V-72275</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4729r89008_fix">Configure the operating system to provide users with feedback on when account accesses last occurred by setting the required configuration options in "/etc/pam.d/postlogin". 
+ 
+ Add the following line to the top of "/etc/pam.d/postlogin":
+ 
+@@ -4348,7 +4350,7 @@ Check that "pam_lastlog" is used and not silent with the following command:
+ # grep pam_lastlog /etc/pam.d/postlogin
+ session required pam_lastlog.so showfailed
+ 
+-If "pam_lastlog" is missing from "/etc/pam.d/postlogin" file, or the silent option is present, this is a finding.</check-content></check></Rule></Group><Group id="V-204606"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204606r505924_rule" weight="10.0" severity="high"><version>RHEL-07-040540</version><title>The Red Hat Enterprise Linux operating system must not contain .shosts files.</title><description>&lt;VulnDiscussion&gt;The .shosts files are used to configure host-based authentication for individual users or the system via SSH. Host-based authentication is not sufficient for preventing unauthorized access to the system, as it does not require interactive identification and authentication of a connection request, or for the use of two-factor authentication.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86901</ident><ident system="http://cyber.mil/legacy">V-72277</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4730r89011_fix">Remove any found ".shosts" files from the system.
++If "pam_lastlog" is missing from "/etc/pam.d/postlogin" file, or the silent option is present, this is a finding.</check-content></check></Rule></Group><Group id="V-204606"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204606r603261_rule" weight="10.0" severity="high"><version>RHEL-07-040540</version><title>The Red Hat Enterprise Linux operating system must not contain .shosts files.</title><description>&lt;VulnDiscussion&gt;The .shosts files are used to configure host-based authentication for individual users or the system via SSH. Host-based authentication is not sufficient for preventing unauthorized access to the system, as it does not require interactive identification and authentication of a connection request, or for the use of two-factor authentication.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86901</ident><ident system="http://cyber.mil/legacy">V-72277</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4730r89011_fix">Remove any found ".shosts" files from the system.
+ 
+ # rm /[path]/[to]/[file]/.shosts</fixtext><fix id="F-4730r89011_fix" /><check system="C-4730r89010_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify there are no ".shosts" files on the system.
+ 
+@@ -4356,7 +4358,7 @@ Check the system for the existence of these files with the following command:
+ 
+ # find / -name '*.shosts'
+ 
+-If any ".shosts" files are found on the system, this is a finding.</check-content></check></Rule></Group><Group id="V-204607"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204607r505924_rule" weight="10.0" severity="high"><version>RHEL-07-040550</version><title>The Red Hat Enterprise Linux operating system must not contain shosts.equiv files.</title><description>&lt;VulnDiscussion&gt;The shosts.equiv files are used to configure host-based authentication for the system via SSH. Host-based authentication is not sufficient for preventing unauthorized access to the system, as it does not require interactive identification and authentication of a connection request, or for the use of two-factor authentication.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86903</ident><ident system="http://cyber.mil/legacy">V-72279</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4731r89014_fix">Remove any found "shosts.equiv" files from the system.
++If any ".shosts" files are found on the system, this is a finding.</check-content></check></Rule></Group><Group id="V-204607"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204607r603261_rule" weight="10.0" severity="high"><version>RHEL-07-040550</version><title>The Red Hat Enterprise Linux operating system must not contain shosts.equiv files.</title><description>&lt;VulnDiscussion&gt;The shosts.equiv files are used to configure host-based authentication for the system via SSH. Host-based authentication is not sufficient for preventing unauthorized access to the system, as it does not require interactive identification and authentication of a connection request, or for the use of two-factor authentication.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86903</ident><ident system="http://cyber.mil/legacy">V-72279</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4731r89014_fix">Remove any found "shosts.equiv" files from the system.
+ 
+ # rm /[path]/[to]/[file]/shosts.equiv</fixtext><fix id="F-4731r89014_fix" /><check system="C-4731r89013_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify there are no "shosts.equiv" files on the system.
+ 
+@@ -4364,7 +4366,7 @@ Check the system for the existence of these files with the following command:
+ 
+ # find / -name shosts.equiv
+ 
+-If any "shosts.equiv" files are found on the system, this is a finding.</check-content></check></Rule></Group><Group id="V-204608"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204608r505924_rule" weight="10.0" severity="low"><version>RHEL-07-040600</version><title>For Red Hat Enterprise Linux operating systems using DNS resolution, at least two name servers must be configured.</title><description>&lt;VulnDiscussion&gt;To provide availability for name resolution services, multiple redundant name servers are mandated. A failure in name resolution could lead to the failure of security functions requiring name resolution, which may include time synchronization, centralized authentication, and remote system logging.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86905</ident><ident system="http://cyber.mil/legacy">V-72281</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4732r89017_fix">Configure the operating system to use two or more name servers for DNS resolution.
++If any "shosts.equiv" files are found on the system, this is a finding.</check-content></check></Rule></Group><Group id="V-204608"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204608r603261_rule" weight="10.0" severity="low"><version>RHEL-07-040600</version><title>For Red Hat Enterprise Linux operating systems using DNS resolution, at least two name servers must be configured.</title><description>&lt;VulnDiscussion&gt;To provide availability for name resolution services, multiple redundant name servers are mandated. A failure in name resolution could lead to the failure of security functions requiring name resolution, which may include time synchronization, centralized authentication, and remote system logging.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86905</ident><ident system="http://cyber.mil/legacy">V-72281</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4732r89017_fix">Configure the operating system to use two or more name servers for DNS resolution.
+ 
+ Edit the "/etc/resolv.conf" file to uncomment or add the two or more "nameserver" option lines with the IP address of local authoritative name servers. If local host resolution is being performed, the "/etc/resolv.conf" file must be empty. An empty "/etc/resolv.conf" file can be created as follows:
+ 
+@@ -4404,7 +4406,7 @@ Verify that the "/etc/resolv.conf" file is immutable with the following command:
+ 
+ ----i----------- /etc/resolv.conf
+ 
+-If the file is mutable and has not been documented with the Information System Security Officer (ISSO), this is a finding.</check-content></check></Rule></Group><Group id="V-204609"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204609r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-040610</version><title>The Red Hat Enterprise Linux operating system must not forward Internet Protocol version 4 (IPv4) source-routed packets.</title><description>&lt;VulnDiscussion&gt;Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when IPv4 forwarding is enabled and the system is functioning as a router.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-72283</ident><ident system="http://cyber.mil/legacy">SV-86907</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4733r89020_fix">Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value):
++If the file is mutable and has not been documented with the Information System Security Officer (ISSO), this is a finding.</check-content></check></Rule></Group><Group id="V-204609"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204609r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-040610</version><title>The Red Hat Enterprise Linux operating system must not forward Internet Protocol version 4 (IPv4) source-routed packets.</title><description>&lt;VulnDiscussion&gt;Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when IPv4 forwarding is enabled and the system is functioning as a router.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86907</ident><ident system="http://cyber.mil/legacy">V-72283</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4733r89020_fix">Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value):
+ 
+ net.ipv4.conf.all.accept_source_route = 0   
+ 
+@@ -4423,7 +4425,7 @@ Check that the operating system implements the accept source route variable with
+ # /sbin/sysctl -a | grep net.ipv4.conf.all.accept_source_route
+ net.ipv4.conf.all.accept_source_route = 0
+ 
+-If the returned line does not have a value of "0", this is a finding.</check-content></check></Rule></Group><Group id="V-204610"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204610r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-040611</version><title>The Red Hat Enterprise Linux operating system must use a reverse-path filter for IPv4 network traffic when possible on all interfaces.</title><description>&lt;VulnDiscussion&gt;Enabling reverse path filtering drops packets with source addresses that should not have been able to be received on the interface they were received on. It should not be used on systems which are routers for complicated networks, but is helpful for end hosts and routers serving small networks.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-92251</ident><ident system="http://cyber.mil/legacy">SV-102353</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4734r89023_fix">Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value):
++If the returned line does not have a value of "0", this is a finding.</check-content></check></Rule></Group><Group id="V-204610"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204610r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-040611</version><title>The Red Hat Enterprise Linux operating system must use a reverse-path filter for IPv4 network traffic when possible on all interfaces.</title><description>&lt;VulnDiscussion&gt;Enabling reverse path filtering drops packets with source addresses that should not have been able to be received on the interface they were received on. It should not be used on systems which are routers for complicated networks, but is helpful for end hosts and routers serving small networks.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-102353</ident><ident system="http://cyber.mil/legacy">V-92251</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4734r89023_fix">Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value):
+ 
+ net.ipv4.conf.all.rp_filter = 1 
+ 
+@@ -4441,7 +4443,7 @@ Check that the operating system implements the accept source route variable with
+ # /sbin/sysctl -a | grep net.ipv4.conf.all.rp_filter
+ net.ipv4.conf.all.rp_filter = 1
+ 
+-If the returned line does not have a value of "1", this is a finding.</check-content></check></Rule></Group><Group id="V-204611"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204611r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-040612</version><title>The Red Hat Enterprise Linux operating system must use a reverse-path filter for IPv4 network traffic when possible by default.</title><description>&lt;VulnDiscussion&gt;Enabling reverse path filtering drops packets with source addresses that should not have been able to be received on the interface they were received on. It should not be used on systems which are routers for complicated networks, but is helpful for end hosts and routers serving small networks.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-92253</ident><ident system="http://cyber.mil/legacy">SV-102355</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4735r89026_fix">Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value):
++If the returned line does not have a value of "1", this is a finding.</check-content></check></Rule></Group><Group id="V-204611"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204611r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-040612</version><title>The Red Hat Enterprise Linux operating system must use a reverse-path filter for IPv4 network traffic when possible by default.</title><description>&lt;VulnDiscussion&gt;Enabling reverse path filtering drops packets with source addresses that should not have been able to be received on the interface they were received on. It should not be used on systems which are routers for complicated networks, but is helpful for end hosts and routers serving small networks.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-102355</ident><ident system="http://cyber.mil/legacy">V-92253</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4735r89026_fix">Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value):
+ 
+ net.ipv4.conf.default.rp_filter = 1 
+ 
+@@ -4459,7 +4461,7 @@ Check that the operating system implements the accept source route variable with
+ # /sbin/sysctl -a | grep net.ipv4.conf.default.rp_filter
+ net.ipv4.conf.default.rp_filter = 1
+ 
+-If the returned line does not have a value of "1", this is a finding.</check-content></check></Rule></Group><Group id="V-204612"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204612r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-040620</version><title>The Red Hat Enterprise Linux operating system must not forward Internet Protocol version 4 (IPv4) source-routed packets by default.</title><description>&lt;VulnDiscussion&gt;Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when IPv4 forwarding is enabled and the system is functioning as a router.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-72285</ident><ident system="http://cyber.mil/legacy">SV-86909</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4736r89029_fix">Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value):
++If the returned line does not have a value of "1", this is a finding.</check-content></check></Rule></Group><Group id="V-204612"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204612r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-040620</version><title>The Red Hat Enterprise Linux operating system must not forward Internet Protocol version 4 (IPv4) source-routed packets by default.</title><description>&lt;VulnDiscussion&gt;Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when IPv4 forwarding is enabled and the system is functioning as a router.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86909</ident><ident system="http://cyber.mil/legacy">V-72285</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4736r89029_fix">Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value):
+ 
+ net.ipv4.conf.default.accept_source_route = 0   
+ 
+@@ -4477,7 +4479,7 @@ Check that the operating system implements the accept source route variable with
+ # /sbin/sysctl -a | grep net.ipv4.conf.default.accept_source_route
+ net.ipv4.conf.default.accept_source_route = 0
+ 
+-If the returned line does not have a value of "0", this is a finding.</check-content></check></Rule></Group><Group id="V-204613"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204613r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-040630</version><title>The Red Hat Enterprise Linux operating system must not respond to Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) echoes sent to a broadcast address.</title><description>&lt;VulnDiscussion&gt;Responding to broadcast (ICMP) echoes facilitates network mapping and provides a vector for amplification attacks.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-72287</ident><ident system="http://cyber.mil/legacy">SV-86911</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4737r89032_fix">Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value):
++If the returned line does not have a value of "0", this is a finding.</check-content></check></Rule></Group><Group id="V-204613"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204613r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-040630</version><title>The Red Hat Enterprise Linux operating system must not respond to Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) echoes sent to a broadcast address.</title><description>&lt;VulnDiscussion&gt;Responding to broadcast (ICMP) echoes facilitates network mapping and provides a vector for amplification attacks.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86911</ident><ident system="http://cyber.mil/legacy">V-72287</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4737r89032_fix">Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value):
+ 
+ net.ipv4.icmp_echo_ignore_broadcasts = 1
+ 
+@@ -4494,7 +4496,7 @@ Check that the operating system implements the "icmp_echo_ignore_broadcasts" var
+ # /sbin/sysctl -a | grep net.ipv4.icmp_echo_ignore_broadcasts
+ net.ipv4.icmp_echo_ignore_broadcasts = 1
+ 
+-If the returned line does not have a value of "1", this is a finding.</check-content></check></Rule></Group><Group id="V-204614"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204614r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-040640</version><title>The Red Hat Enterprise Linux operating system must prevent Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages from being accepted.</title><description>&lt;VulnDiscussion&gt;ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86913</ident><ident system="http://cyber.mil/legacy">V-72289</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4738r89035_fix">Set the system to not accept IPv4 ICMP redirect messages by adding the following line to "/etc/sysctl.conf" or a configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value):
++If the returned line does not have a value of "1", this is a finding.</check-content></check></Rule></Group><Group id="V-204614"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204614r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-040640</version><title>The Red Hat Enterprise Linux operating system must prevent Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages from being accepted.</title><description>&lt;VulnDiscussion&gt;ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86913</ident><ident system="http://cyber.mil/legacy">V-72289</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4738r89035_fix">Set the system to not accept IPv4 ICMP redirect messages by adding the following line to "/etc/sysctl.conf" or a configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value):
+ 
+ net.ipv4.conf.default.accept_redirects = 0   
+ 
+@@ -4511,7 +4513,7 @@ Check that the operating system implements the value of the "accept_redirects" v
+ # /sbin/sysctl -a | grep 'net.ipv4.conf.default.accept_redirects'
+ net.ipv4.conf.default.accept_redirects = 0
+ 
+-If the returned line does not have a value of "0", this is a finding.</check-content></check></Rule></Group><Group id="V-204615"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204615r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-040641</version><title>The Red Hat Enterprise Linux operating system must ignore Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages.</title><description>&lt;VulnDiscussion&gt;ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-87827</ident><ident system="http://cyber.mil/legacy">V-73175</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4739r89038_fix">Set the system to ignore IPv4 ICMP redirect messages by adding the following line to "/etc/sysctl.conf" or a configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value):
++If the returned line does not have a value of "0", this is a finding.</check-content></check></Rule></Group><Group id="V-204615"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204615r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-040641</version><title>The Red Hat Enterprise Linux operating system must ignore Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages.</title><description>&lt;VulnDiscussion&gt;ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-87827</ident><ident system="http://cyber.mil/legacy">V-73175</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4739r89038_fix">Set the system to ignore IPv4 ICMP redirect messages by adding the following line to "/etc/sysctl.conf" or a configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value):
+ 
+ net.ipv4.conf.all.accept_redirects = 0   
+ 
+@@ -4529,7 +4531,7 @@ Check that the operating system implements the "accept_redirects" variables with
+ 
+ net.ipv4.conf.all.accept_redirects = 0
+ 
+-If the returned line does not have a value of "0", this is a finding.</check-content></check></Rule></Group><Group id="V-204616"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204616r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-040650</version><title>The Red Hat Enterprise Linux operating system must not allow interfaces to perform Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirects by default.</title><description>&lt;VulnDiscussion&gt;ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table, possibly revealing portions of the network topology.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-72291</ident><ident system="http://cyber.mil/legacy">SV-86915</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4740r89041_fix">Configure the system to not allow interfaces to perform IPv4 ICMP redirects by default. 
++If the returned line does not have a value of "0", this is a finding.</check-content></check></Rule></Group><Group id="V-204616"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204616r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-040650</version><title>The Red Hat Enterprise Linux operating system must not allow interfaces to perform Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirects by default.</title><description>&lt;VulnDiscussion&gt;ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table, possibly revealing portions of the network topology.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86915</ident><ident system="http://cyber.mil/legacy">V-72291</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4740r89041_fix">Configure the system to not allow interfaces to perform IPv4 ICMP redirects by default. 
+ 
+ Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value):
+ 
+@@ -4549,7 +4551,7 @@ Check that the operating system implements the "default send_redirects" variable
+ 
+ net.ipv4.conf.default.send_redirects = 0 
+ 
+-If the returned line does not have a value of "0", this is a finding.</check-content></check></Rule></Group><Group id="V-204617"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204617r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-040660</version><title>The Red Hat Enterprise Linux operating system must not send Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirects.</title><description>&lt;VulnDiscussion&gt;ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table, possibly revealing portions of the network topology.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-72293</ident><ident system="http://cyber.mil/legacy">SV-86917</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4741r89044_fix">Configure the system to not allow interfaces to perform IPv4 ICMP redirects. 
++If the returned line does not have a value of "0", this is a finding.</check-content></check></Rule></Group><Group id="V-204617"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204617r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-040660</version><title>The Red Hat Enterprise Linux operating system must not send Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirects.</title><description>&lt;VulnDiscussion&gt;ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table, possibly revealing portions of the network topology.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86917</ident><ident system="http://cyber.mil/legacy">V-72293</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4741r89044_fix">Configure the system to not allow interfaces to perform IPv4 ICMP redirects. 
+ 
+ Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value):
+ 
+@@ -4569,9 +4571,9 @@ Check that the operating system implements the "all send_redirects" variables wi
+ 
+ net.ipv4.conf.all.send_redirects = 0
+ 
+-If the returned line does not have a value of "0", this is a finding.</check-content></check></Rule></Group><Group id="V-204618"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204618r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-040670</version><title>Network interfaces configured on the Red Hat Enterprise Linux operating system must not be in promiscuous mode.</title><description>&lt;VulnDiscussion&gt;Network interfaces in promiscuous mode allow for the capture of all network traffic visible to the system. If unauthorized individuals can access these applications, it may allow then to collect information such as logon IDs, passwords, and key exchanges between systems.
++If the returned line does not have a value of "0", this is a finding.</check-content></check></Rule></Group><Group id="V-204618"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204618r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-040670</version><title>Network interfaces configured on the Red Hat Enterprise Linux operating system must not be in promiscuous mode.</title><description>&lt;VulnDiscussion&gt;Network interfaces in promiscuous mode allow for the capture of all network traffic visible to the system. If unauthorized individuals can access these applications, it may allow then to collect information such as logon IDs, passwords, and key exchanges between systems.
+ 
+-If the system is being used to perform a network troubleshooting function, the use of these tools must be documented with the Information System Security Officer (ISSO) and restricted to only authorized personnel.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-72295</ident><ident system="http://cyber.mil/legacy">SV-86919</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4742r89047_fix">Configure network interfaces to turn off promiscuous mode unless approved by the ISSO and documented.
++If the system is being used to perform a network troubleshooting function, the use of these tools must be documented with the Information System Security Officer (ISSO) and restricted to only authorized personnel.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86919</ident><ident system="http://cyber.mil/legacy">V-72295</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4742r89047_fix">Configure network interfaces to turn off promiscuous mode unless approved by the ISSO and documented.
+ 
+ Set the promiscuous mode of an interface to off with the following command:
+ 
+@@ -4581,7 +4583,7 @@ Check for the status with the following command:
+ 
+ # ip link | grep -i promisc
+ 
+-If network interfaces are found on the system in promiscuous mode and their use has not been approved by the ISSO and documented, this is a finding.</check-content></check></Rule></Group><Group id="V-204619"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204619r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-040680</version><title>The Red Hat Enterprise Linux operating system must be configured to prevent unrestricted mail relaying.</title><description>&lt;VulnDiscussion&gt;If unrestricted mail relaying is permitted, unauthorized senders could use this host as a mail relay for the purpose of sending spam or other unauthorized activity.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86921</ident><ident system="http://cyber.mil/legacy">V-72297</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4743r89050_fix">If "postfix" is installed, modify the "/etc/postfix/main.cf" file to restrict client connections to the local network with the following command:
++If network interfaces are found on the system in promiscuous mode and their use has not been approved by the ISSO and documented, this is a finding.</check-content></check></Rule></Group><Group id="V-204619"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204619r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-040680</version><title>The Red Hat Enterprise Linux operating system must be configured to prevent unrestricted mail relaying.</title><description>&lt;VulnDiscussion&gt;If unrestricted mail relaying is permitted, unauthorized senders could use this host as a mail relay for the purpose of sending spam or other unauthorized activity.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86921</ident><ident system="http://cyber.mil/legacy">V-72297</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4743r89050_fix">If "postfix" is installed, modify the "/etc/postfix/main.cf" file to restrict client connections to the local network with the following command:
+ 
+ # postconf -e 'smtpd_client_restrictions = permit_mynetworks,reject'</fixtext><fix id="F-4743r89050_fix" /><check system="C-4743r89049_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the system is configured to prevent unrestricted mail relaying.
+ 
+@@ -4597,7 +4599,7 @@ If postfix is installed, determine if it is configured to reject connections fro
+ # postconf -n smtpd_client_restrictions
+ smtpd_client_restrictions = permit_mynetworks, reject
+ 
+-If the "smtpd_client_restrictions" parameter contains any entries other than "permit_mynetworks" and "reject", this is a finding.</check-content></check></Rule></Group><Group id="V-204620"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204620r505924_rule" weight="10.0" severity="high"><version>RHEL-07-040690</version><title>The Red Hat Enterprise Linux operating system must not have a File Transfer Protocol (FTP) server package installed unless needed.</title><description>&lt;VulnDiscussion&gt;The FTP service provides an unencrypted remote access that does not provide for the confidentiality and integrity of user passwords or the remote session. If a privileged user were to log on using this service, the privileged user password could be compromised. SSH or other encrypted file transfer methods must be used in place of this service.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86923</ident><ident system="http://cyber.mil/legacy">V-72299</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4744r89053_fix">Document the "vsftpd" package with the ISSO as an operational requirement or remove it from the system with the following command:
++If the "smtpd_client_restrictions" parameter contains any entries other than "permit_mynetworks" and "reject", this is a finding.</check-content></check></Rule></Group><Group id="V-204620"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204620r603261_rule" weight="10.0" severity="high"><version>RHEL-07-040690</version><title>The Red Hat Enterprise Linux operating system must not have a File Transfer Protocol (FTP) server package installed unless needed.</title><description>&lt;VulnDiscussion&gt;The FTP service provides an unencrypted remote access that does not provide for the confidentiality and integrity of user passwords or the remote session. If a privileged user were to log on using this service, the privileged user password could be compromised. SSH or other encrypted file transfer methods must be used in place of this service.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86923</ident><ident system="http://cyber.mil/legacy">V-72299</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4744r89053_fix">Document the "vsftpd" package with the ISSO as an operational requirement or remove it from the system with the following command:
+ 
+ # yum remove vsftpd</fixtext><fix id="F-4744r89053_fix" /><check system="C-4744r89052_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify an FTP server has not been installed on the system.
+ 
+@@ -4607,7 +4609,7 @@ Check to see if an FTP server has been installed with the following commands:
+ 
+  vsftpd-3.0.2.el7.x86_64.rpm
+ 
+-If "vsftpd" is installed and is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.</check-content></check></Rule></Group><Group id="V-204621"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204621r505924_rule" weight="10.0" severity="high"><version>RHEL-07-040700</version><title>The Red Hat Enterprise Linux operating system must not have the Trivial File Transfer Protocol (TFTP) server package installed if not required for operational support.</title><description>&lt;VulnDiscussion&gt;If TFTP is required for operational support (such as the transmission of router configurations) its use must be documented with the Information System Security Officer (ISSO), restricted to only authorized personnel, and have access control rules established.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86925</ident><ident system="http://cyber.mil/legacy">V-72301</ident><ident system="http://cyber.mil/cci">CCI-000318</ident><ident system="http://cyber.mil/cci">CCI-001812</ident><ident system="http://cyber.mil/cci">CCI-001813</ident><ident system="http://cyber.mil/cci">CCI-001814</ident><ident system="http://cyber.mil/cci">CCI-000368</ident><fixtext fixref="F-4745r89056_fix">Remove the TFTP package from the system with the following command:
++If "vsftpd" is installed and is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.</check-content></check></Rule></Group><Group id="V-204621"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204621r603261_rule" weight="10.0" severity="high"><version>RHEL-07-040700</version><title>The Red Hat Enterprise Linux operating system must not have the Trivial File Transfer Protocol (TFTP) server package installed if not required for operational support.</title><description>&lt;VulnDiscussion&gt;If TFTP is required for operational support (such as the transmission of router configurations) its use must be documented with the Information System Security Officer (ISSO), restricted to only authorized personnel, and have access control rules established.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86925</ident><ident system="http://cyber.mil/legacy">V-72301</ident><ident system="http://cyber.mil/cci">CCI-000368</ident><ident system="http://cyber.mil/cci">CCI-001813</ident><ident system="http://cyber.mil/cci">CCI-001814</ident><ident system="http://cyber.mil/cci">CCI-001812</ident><ident system="http://cyber.mil/cci">CCI-000318</ident><fixtext fixref="F-4745r89056_fix">Remove the TFTP package from the system with the following command:
+ 
+ # yum remove tftp-server</fixtext><fix id="F-4745r89056_fix" /><check system="C-4745r89055_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify a TFTP server has not been installed on the system.
+ 
+@@ -4616,23 +4618,21 @@ Check to see if a TFTP server has been installed with the following command:
+ # yum list installed tftp-server
+ tftp-server-0.49-9.el7.x86_64.rpm
+ 
+-If TFTP is installed and the requirement for TFTP is not documented with the ISSO, this is a finding.</check-content></check></Rule></Group><Group id="V-204622"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204622r505924_rule" weight="10.0" severity="high"><version>RHEL-07-040710</version><title>The Red Hat Enterprise Linux operating system must be configured so that remote X connections for interactive users are encrypted.</title><description>&lt;VulnDiscussion&gt;Open X displays allow an attacker to capture keystrokes and execute commands remotely.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86927</ident><ident system="http://cyber.mil/legacy">V-72303</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4746r89059_fix">Configure SSH to encrypt connections for interactive users.
++If TFTP is installed and the requirement for TFTP is not documented with the ISSO, this is a finding.</check-content></check></Rule></Group><Group id="V-204622"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204622r603849_rule" weight="10.0" severity="medium"><version>RHEL-07-040710</version><title>The Red Hat Enterprise Linux operating system must be configured so that remote X connections are disabled except to fulfill documented and validated mission requirements.</title><description>&lt;VulnDiscussion&gt;The security risk of using X11 forwarding is that the client's X11 display server may be exposed to attack when the SSH client requests forwarding. A system administrator may have a stance in which they want to protect clients that may expose themselves to attack by unwittingly requesting X11 forwarding, which can warrant a ''no'' setting.
++X11 forwarding should be enabled with caution. Users with the ability to bypass file permissions on the remote host (for the user's X11 authorization database) can access the local X11 display through the forwarded connection. An attacker may then be able to perform activities such as keystroke monitoring if the ForwardX11Trusted option is also enabled.
++If X11 services are not required for the system's intended function, they should be disabled or restricted as appropriate to the system’s needs.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86927</ident><ident system="http://cyber.mil/legacy">V-72303</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4746r603848_fix">Edit the "/etc/ssh/sshd_config" file to uncomment or add the line for the "X11Forwarding" keyword and set its value to "no" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor):
+ 
+-Edit the "/etc/ssh/sshd_config" file to uncomment or add the line for the "X11Forwarding" keyword and set its value to "yes" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor):
+-
+-X11Forwarding yes
++X11Forwarding no
+ 
+ The SSH service must be restarted for changes to take effect:
+ 
+-# systemctl restart sshd</fixtext><fix id="F-4746r89059_fix" /><check system="C-4746r89058_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify remote X connections for interactive users are encrypted.
+-
+-Check that remote X connections are encrypted with the following command:
++# systemctl restart sshd</fixtext><fix id="F-4746r603848_fix" /><check system="C-4746r603847_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Determine if X11Forwarding is disabled with the following command:
+ 
+ # grep -i x11forwarding /etc/ssh/sshd_config | grep -v "^#"
+ 
+-X11Forwarding yes
++X11Forwarding no
+ 
+-If the "X11Forwarding" keyword is set to "no" or is missing, this is a finding.</check-content></check></Rule></Group><Group id="V-204623"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204623r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-040720</version><title>The Red Hat Enterprise Linux operating system must be configured so that if the Trivial File Transfer Protocol (TFTP) server is required, the TFTP daemon is configured to operate in secure mode.</title><description>&lt;VulnDiscussion&gt;Restricting TFTP to a specific directory prevents remote users from copying, transferring, or overwriting system files.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86929</ident><ident system="http://cyber.mil/legacy">V-72305</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4747r89062_fix">Configure the TFTP daemon to operate in secure mode by adding the following line to "/etc/xinetd.d/tftp" (or modify the line to have the required value):
++If the "X11Forwarding" keyword is set to "yes" and is not documented with the Information System Security Officer (ISSO) as an operational requirement or is missing, this is a finding.</check-content></check></Rule></Group><Group id="V-204623"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204623r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-040720</version><title>The Red Hat Enterprise Linux operating system must be configured so that if the Trivial File Transfer Protocol (TFTP) server is required, the TFTP daemon is configured to operate in secure mode.</title><description>&lt;VulnDiscussion&gt;Restricting TFTP to a specific directory prevents remote users from copying, transferring, or overwriting system files.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86929</ident><ident system="http://cyber.mil/legacy">V-72305</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4747r89062_fix">Configure the TFTP daemon to operate in secure mode by adding the following line to "/etc/xinetd.d/tftp" (or modify the line to have the required value):
+ 
+ server_args = -s /var/lib/tftpboot</fixtext><fix id="F-4747r89062_fix" /><check system="C-4747r89061_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the TFTP daemon is configured to operate in secure mode.
+ 
+@@ -4648,11 +4648,11 @@ If a TFTP server is installed, check for the server arguments with the following
+ # grep server_args /etc/xinetd.d/tftp
+ server_args = -s /var/lib/tftpboot
+ 
+-If the "server_args" line does not have a "-s" option and a subdirectory is not assigned, this is a finding.</check-content></check></Rule></Group><Group id="V-204624"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204624r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-040730</version><title>The Red Hat Enterprise Linux operating system must not have a graphical display manager installed unless approved.</title><description>&lt;VulnDiscussion&gt;Internet services that are not required for system or application processes must not be active to decrease the attack surface of the system. Graphical display managers have a long history of security vulnerabilities and must not be used unless approved and documented.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86931</ident><ident system="http://cyber.mil/legacy">V-72307</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4748r499412_fix">Document the requirement for a graphical user interface with the ISSO or remove the related packages with the following commands:
++If the "server_args" line does not have a "-s" option and a subdirectory is not assigned, this is a finding.</check-content></check></Rule></Group><Group id="V-204624"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204624r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-040730</version><title>The Red Hat Enterprise Linux operating system must not have a graphical display manager installed unless approved.</title><description>&lt;VulnDiscussion&gt;Internet services that are not required for system or application processes must not be active to decrease the attack surface of the system. Graphical display managers have a long history of security vulnerabilities and must not be used unless approved and documented.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86931</ident><ident system="http://cyber.mil/legacy">V-72307</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-36316r602658_fix">Document the requirement for a graphical user interface with the ISSO or remove the related packages with the following commands:
+ 
+ # rpm -e xorg-x11-server-common
+ 
+-# systemctl set-default multi-user.target</fixtext><fix id="F-4748r499412_fix" /><check system="C-4748r499411_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the system is configured to boot to the command line:
++# systemctl set-default multi-user.target</fixtext><fix id="F-36316r602658_fix" /><check system="C-36353r602657_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the system is configured to boot to the command line:
+ 
+ # systemctl get-default
+ multi-user.target
+@@ -4666,7 +4666,7 @@ Verify a graphical user interface is not installed:
+ Ask the System Administrator if use of a graphical user interface is an operational requirement.
+ 
+ If the use of a graphical user interface on the system is not documented with the ISSO, this is a finding.
+-</check-content></check></Rule></Group><Group id="V-204625"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204625r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-040740</version><title>The Red Hat Enterprise Linux operating system must not be performing packet forwarding unless the system is a router.</title><description>&lt;VulnDiscussion&gt;Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86933</ident><ident system="http://cyber.mil/legacy">V-72309</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4749r89068_fix">Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value):
++</check-content></check></Rule></Group><Group id="V-204625"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204625r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-040740</version><title>The Red Hat Enterprise Linux operating system must not be performing packet forwarding unless the system is a router.</title><description>&lt;VulnDiscussion&gt;Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this software is used when not required, system network information may be unnecessarily transmitted across the network.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86933</ident><ident system="http://cyber.mil/legacy">V-72309</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4749r89068_fix">Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.conf" or a configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value):
+ 
+ net.ipv4.ip_forward = 0
+ 
+@@ -4685,7 +4685,7 @@ Check that the operating system does not implement IP forwarding using the follo
+ # /sbin/sysctl -a | grep net.ipv4.ip_forward
+ net.ipv4.ip_forward = 0
+ 
+-If IP forwarding value is "1" and the system is hosting any application, database, or web servers, this is a finding.</check-content></check></Rule></Group><Group id="V-204626"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204626r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-040750</version><title>The Red Hat Enterprise Linux operating system must be configured so that the Network File System (NFS) is configured to use RPCSEC_GSS.</title><description>&lt;VulnDiscussion&gt;When an NFS server is configured to use RPCSEC_SYS, a selected userid and groupid are used to handle requests from the remote user. The userid and groupid could mistakenly or maliciously be set incorrectly. The RPCSEC_GSS method of authentication uses certificates on the server and client systems to more securely authenticate the remote mount request.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86935</ident><ident system="http://cyber.mil/legacy">V-72311</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4750r89071_fix">Update the "/etc/fstab" file so the option "sec" is defined for each NFS mounted file system and the "sec" option does not have the "sys" setting. 
++If IP forwarding value is "1" and the system is hosting any application, database, or web servers, this is a finding.</check-content></check></Rule></Group><Group id="V-204626"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204626r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-040750</version><title>The Red Hat Enterprise Linux operating system must be configured so that the Network File System (NFS) is configured to use RPCSEC_GSS.</title><description>&lt;VulnDiscussion&gt;When an NFS server is configured to use RPCSEC_SYS, a selected userid and groupid are used to handle requests from the remote user. The userid and groupid could mistakenly or maliciously be set incorrectly. The RPCSEC_GSS method of authentication uses certificates on the server and client systems to more securely authenticate the remote mount request.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86935</ident><ident system="http://cyber.mil/legacy">V-72311</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4750r89071_fix">Update the "/etc/fstab" file so the option "sec" is defined for each NFS mounted file system and the "sec" option does not have the "sys" setting. 
+ 
+ Ensure the "sec" option is defined as "krb5:krb5i:krb5p".</fixtext><fix id="F-4750r89071_fix" /><check system="C-4750r89070_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify "AUTH_GSS" is being used to authenticate NFS mounts.
+ 
+@@ -4694,7 +4694,7 @@ To check if the system is importing an NFS file system, look for any entries in
+ # cat /etc/fstab | grep nfs
+ 192.168.21.5:/mnt/export /data1 nfs4 rw,sync ,soft,sec=krb5:krb5i:krb5p
+ 
+-If the system is mounting file systems via NFS and has the sec option without the "krb5:krb5i:krb5p" settings, the "sec" option has the "sys" setting, or the "sec" option is missing, this is a finding.</check-content></check></Rule></Group><Group id="V-204627"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204627r505924_rule" weight="10.0" severity="high"><version>RHEL-07-040800</version><title>SNMP community strings on the Red Hat Enterprise Linux operating system must be changed from the default.</title><description>&lt;VulnDiscussion&gt;Whether active or not, default Simple Network Management Protocol (SNMP) community strings must be changed to maintain security. If the service is running with the default authenticators, anyone can gather data about the system and the network and use the information to potentially compromise the integrity of the system or network(s). It is highly recommended that SNMP version 3 user authentication and message encryption be used in place of the version 2 community strings.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86937</ident><ident system="http://cyber.mil/legacy">V-72313</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4751r89074_fix">If the "/etc/snmp/snmpd.conf" file exists, modify any lines that contain a community string value of "public" or "private" to another string value.</fixtext><fix id="F-4751r89074_fix" /><check system="C-4751r89073_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify that a system using SNMP is not using default community strings.
++If the system is mounting file systems via NFS and has the sec option without the "krb5:krb5i:krb5p" settings, the "sec" option has the "sys" setting, or the "sec" option is missing, this is a finding.</check-content></check></Rule></Group><Group id="V-204627"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204627r603261_rule" weight="10.0" severity="high"><version>RHEL-07-040800</version><title>SNMP community strings on the Red Hat Enterprise Linux operating system must be changed from the default.</title><description>&lt;VulnDiscussion&gt;Whether active or not, default Simple Network Management Protocol (SNMP) community strings must be changed to maintain security. If the service is running with the default authenticators, anyone can gather data about the system and the network and use the information to potentially compromise the integrity of the system or network(s). It is highly recommended that SNMP version 3 user authentication and message encryption be used in place of the version 2 community strings.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86937</ident><ident system="http://cyber.mil/legacy">V-72313</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4751r89074_fix">If the "/etc/snmp/snmpd.conf" file exists, modify any lines that contain a community string value of "public" or "private" to another string value.</fixtext><fix id="F-4751r89074_fix" /><check system="C-4751r89073_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify that a system using SNMP is not using default community strings.
+ 
+ Check to see if the "/etc/snmp/snmpd.conf" file exists with the following command:
+ 
+@@ -4708,7 +4708,7 @@ If the file does exist, check for the default community strings with the followi
+ # grep public /etc/snmp/snmpd.conf
+ # grep private /etc/snmp/snmpd.conf
+ 
+-If either of these commands returns any output, this is a finding.</check-content></check></Rule></Group><Group id="V-204628"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204628r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-040810</version><title>The Red Hat Enterprise Linux operating system access control program must be configured to grant or deny system access to specific hosts and services.</title><description>&lt;VulnDiscussion&gt;If the systems access control program is not configured with appropriate rules for allowing and denying access to system network resources, services may be accessible to unauthorized hosts.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86939</ident><ident system="http://cyber.mil/legacy">V-72315</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4752r89077_fix">If "firewalld" is installed and active on the system, configure rules for allowing specific services and hosts. 
++If either of these commands returns any output, this is a finding.</check-content></check></Rule></Group><Group id="V-204628"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204628r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-040810</version><title>The Red Hat Enterprise Linux operating system access control program must be configured to grant or deny system access to specific hosts and services.</title><description>&lt;VulnDiscussion&gt;If the systems access control program is not configured with appropriate rules for allowing and denying access to system network resources, services may be accessible to unauthorized hosts.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86939</ident><ident system="http://cyber.mil/legacy">V-72315</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4752r89077_fix">If "firewalld" is installed and active on the system, configure rules for allowing specific services and hosts. 
+ 
+ If "firewalld" is not "active", enable "tcpwrappers" by configuring "/etc/hosts.allow" and "/etc/hosts.deny" to allow or deny access to specific hosts.</fixtext><fix id="F-4752r89077_fix" /><check system="C-4752r89076_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>If the "firewalld" package is not installed, ask the System Administrator (SA) if another firewall application (such as iptables) is installed. If an application firewall is not installed, this is a finding. 
+ 
+@@ -4749,7 +4749,7 @@ rw-r----- 1 root root 9 Aug 2 23:13 /etc/hosts.allow
+ 
+ If "firewalld" and "tcpwrappers" are not installed, configured, and active, ask the SA if another access control program (such as iptables) is installed and active. Ask the SA to show that the running configuration grants or denies access to specific hosts or services.
+ 
+-If "firewalld" is active and is not configured to grant access to specific hosts or "tcpwrappers" is not configured to grant or deny access to specific hosts, this is a finding.</check-content></check></Rule></Group><Group id="V-204629"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204629r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-040820</version><title>The Red Hat Enterprise Linux operating system must not have unauthorized IP tunnels configured.</title><description>&lt;VulnDiscussion&gt;IP tunneling mechanisms can be used to bypass network filtering. If tunneling is required, it must be documented with the Information System Security Officer (ISSO).&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-72317</ident><ident system="http://cyber.mil/legacy">SV-86941</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4753r89080_fix">Remove all unapproved tunnels from the system, or document them with the ISSO.</fixtext><fix id="F-4753r89080_fix" /><check system="C-4753r89079_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the system does not have unauthorized IP tunnels configured.
++If "firewalld" is active and is not configured to grant access to specific hosts or "tcpwrappers" is not configured to grant or deny access to specific hosts, this is a finding.</check-content></check></Rule></Group><Group id="V-204629"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204629r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-040820</version><title>The Red Hat Enterprise Linux operating system must not have unauthorized IP tunnels configured.</title><description>&lt;VulnDiscussion&gt;IP tunneling mechanisms can be used to bypass network filtering. If tunneling is required, it must be documented with the Information System Security Officer (ISSO).&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86941</ident><ident system="http://cyber.mil/legacy">V-72317</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4753r89080_fix">Remove all unapproved tunnels from the system, or document them with the ISSO.</fixtext><fix id="F-4753r89080_fix" /><check system="C-4753r89079_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the system does not have unauthorized IP tunnels configured.
+ 
+ Check to see if "libreswan" is installed with the following command:
+ 
+@@ -4769,7 +4769,7 @@ If the "IPsec" service is active, check to see if any tunnels are configured in
+ 
+ If there are indications that a "conn" parameter is configured for a tunnel, ask the System Administrator if the tunnel is documented with the ISSO. 
+ 
+-If "libreswan" is installed, "IPsec" is active, and an undocumented tunnel is active, this is a finding.</check-content></check></Rule></Group><Group id="V-204630"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204630r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-040830</version><title>The Red Hat Enterprise Linux operating system must not forward IPv6 source-routed packets.</title><description>&lt;VulnDiscussion&gt;Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when IPv6 forwarding is enabled and the system is functioning as a router.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-72319</ident><ident system="http://cyber.mil/legacy">SV-86943</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4754r89083_fix">Set the system to the required kernel parameter, if IPv6 is enabled, by adding the following line to "/etc/sysctl.conf" or a configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value):
++If "libreswan" is installed, "IPsec" is active, and an undocumented tunnel is active, this is a finding.</check-content></check></Rule></Group><Group id="V-204630"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204630r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-040830</version><title>The Red Hat Enterprise Linux operating system must not forward IPv6 source-routed packets.</title><description>&lt;VulnDiscussion&gt;Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when IPv6 forwarding is enabled and the system is functioning as a router.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86943</ident><ident system="http://cyber.mil/legacy">V-72319</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-4754r89083_fix">Set the system to the required kernel parameter, if IPv6 is enabled, by adding the following line to "/etc/sysctl.conf" or a configuration file in the /etc/sysctl.d/ directory (or modify the line to have the required value):
+ 
+ net.ipv6.conf.all.accept_source_route = 0
+ 
+@@ -4790,7 +4790,7 @@ Check that the operating system implements the accept source route variable with
+ # /sbin/sysctl -a | grep net.ipv6.conf.all.accept_source_route
+ net.ipv6.conf.all.accept_source_route = 0
+ 
+-If the returned lines do not have a value of "0", this is a finding.</check-content></check></Rule></Group><Group id="V-204631"><title>SRG-OS-000375-GPOS-00160</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204631r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-041001</version><title>The Red Hat Enterprise Linux operating system must have the required packages for multifactor authentication installed.</title><description>&lt;VulnDiscussion&gt;Using an authentication device, such as a CAC or token that is separate from the information system, ensures that even if the information system is compromised, that compromise will not affect credentials stored on the authentication device.
++If the returned lines do not have a value of "0", this is a finding.</check-content></check></Rule></Group><Group id="V-204631"><title>SRG-OS-000375-GPOS-00160</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204631r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-041001</version><title>The Red Hat Enterprise Linux operating system must have the required packages for multifactor authentication installed.</title><description>&lt;VulnDiscussion&gt;Using an authentication device, such as a CAC or token that is separate from the information system, ensures that even if the information system is compromised, that compromise will not affect credentials stored on the authentication device.
+ 
+ Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification card and the DoD Common Access Card.
+ 
+@@ -4800,7 +4800,7 @@ Remote access is access to DoD nonpublic information systems by an authorized us
+ 
+ This requirement only applies to components where this is specific to the function of the device or has the concept of an organizational user (e.g., VPN, proxy capability). This does not apply to authentication for the purpose of configuring the device itself (management).
+ 
+-Satisfies: SRG-OS-000375-GPOS-00160, SRG-OS-000375-GPOS-00161, SRG-OS-000375-GPOS-00162&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-87041</ident><ident system="http://cyber.mil/legacy">V-72417</ident><ident system="http://cyber.mil/cci">CCI-001948</ident><ident system="http://cyber.mil/cci">CCI-001953</ident><ident system="http://cyber.mil/cci">CCI-001954</ident><fixtext fixref="F-4755r462473_fix">Configure the operating system to implement multifactor authentication by installing the required packages.
++Satisfies: SRG-OS-000375-GPOS-00160, SRG-OS-000375-GPOS-00161, SRG-OS-000375-GPOS-00162&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-87041</ident><ident system="http://cyber.mil/legacy">V-72417</ident><ident system="http://cyber.mil/cci">CCI-001953</ident><ident system="http://cyber.mil/cci">CCI-001954</ident><ident system="http://cyber.mil/cci">CCI-001948</ident><fixtext fixref="F-4755r462473_fix">Configure the operating system to implement multifactor authentication by installing the required packages.
+ 
+ Install the pam_pkcs11 package with the following command:
+ 
+@@ -4811,7 +4811,7 @@ Check for the presence of the packages required to support multifactor authentic
+ # yum list installed pam_pkcs11
+ pam_pkcs11-0.6.2-14.el7.noarch.rpm
+ 
+-If the "pam_pkcs11" package is not installed, this is a finding.</check-content></check></Rule></Group><Group id="V-204632"><title>SRG-OS-000375-GPOS-00160</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204632r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-041002</version><title>The Red Hat Enterprise Linux operating system must implement multifactor authentication for access to privileged accounts via pluggable authentication modules (PAM).</title><description>&lt;VulnDiscussion&gt;Using an authentication device, such as a CAC or token that is separate from the information system, ensures that even if the information system is compromised, that compromise will not affect credentials stored on the authentication device.
++If the "pam_pkcs11" package is not installed, this is a finding.</check-content></check></Rule></Group><Group id="V-204632"><title>SRG-OS-000375-GPOS-00160</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204632r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-041002</version><title>The Red Hat Enterprise Linux operating system must implement multifactor authentication for access to privileged accounts via pluggable authentication modules (PAM).</title><description>&lt;VulnDiscussion&gt;Using an authentication device, such as a CAC or token that is separate from the information system, ensures that even if the information system is compromised, that compromise will not affect credentials stored on the authentication device.
+ 
+ Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification card and the DoD Common Access Card.
+ 
+@@ -4821,7 +4821,7 @@ Remote access is access to DoD nonpublic information systems by an authorized us
+ 
+ This requirement only applies to components where this is specific to the function of the device or has the concept of an organizational user (e.g., VPN, proxy capability). This does not apply to authentication for the purpose of configuring the device itself (management).
+ 
+-Satisfies: SRG-OS-000375-GPOS-00160, SRG-OS-000375-GPOS-00161, SRG-OS-000375-GPOS-00162&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-72427</ident><ident system="http://cyber.mil/legacy">SV-87051</ident><ident system="http://cyber.mil/cci">CCI-001953</ident><ident system="http://cyber.mil/cci">CCI-001948</ident><ident system="http://cyber.mil/cci">CCI-001954</ident><fixtext fixref="F-4756r89089_fix">Configure the operating system to implement multifactor authentication for remote access to privileged accounts via pluggable authentication modules (PAM).
++Satisfies: SRG-OS-000375-GPOS-00160, SRG-OS-000375-GPOS-00161, SRG-OS-000375-GPOS-00162&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-87051</ident><ident system="http://cyber.mil/legacy">V-72427</ident><ident system="http://cyber.mil/cci">CCI-001948</ident><ident system="http://cyber.mil/cci">CCI-001954</ident><ident system="http://cyber.mil/cci">CCI-001953</ident><fixtext fixref="F-4756r89089_fix">Configure the operating system to implement multifactor authentication for remote access to privileged accounts via pluggable authentication modules (PAM).
+ 
+ Modify all of the services lines in "/etc/sssd/sssd.conf" or in configuration files found under "/etc/sssd/conf.d" to include pam.</fixtext><fix id="F-4756r89089_fix" /><check system="C-4756r89088_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the operating system implements multifactor authentication for remote access to privileged accounts via pluggable authentication modules (PAM).
+ 
+@@ -4831,7 +4831,7 @@ Check the "/etc/sssd/sssd.conf" file for the authentication services that are be
+ 
+ services = nss, pam
+ 
+-If the "pam" service is not present on all "services" lines, this is a finding.</check-content></check></Rule></Group><Group id="V-204633"><title>SRG-OS-000375-GPOS-00160</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204633r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-041003</version><title>The Red Hat Enterprise Linux operating system must implement certificate status checking for PKI authentication.</title><description>&lt;VulnDiscussion&gt;Using an authentication device, such as a CAC or token that is separate from the information system, ensures that even if the information system is compromised, that compromise will not affect credentials stored on the authentication device.
++If the "pam" service is not present on all "services" lines, this is a finding.</check-content></check></Rule></Group><Group id="V-204633"><title>SRG-OS-000375-GPOS-00160</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204633r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-041003</version><title>The Red Hat Enterprise Linux operating system must implement certificate status checking for PKI authentication.</title><description>&lt;VulnDiscussion&gt;Using an authentication device, such as a CAC or token that is separate from the information system, ensures that even if the information system is compromised, that compromise will not affect credentials stored on the authentication device.
+ 
+ Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification card and the DoD Common Access Card.
+ 
+@@ -4841,7 +4841,7 @@ Remote access is access to DoD nonpublic information systems by an authorized us
+ 
+ This requirement only applies to components where this is specific to the function of the device or has the concept of an organizational user (e.g., VPN, proxy capability). This does not apply to authentication for the purpose of configuring the device itself (management).
+ 
+-Satisfies: SRG-OS-000375-GPOS-00160, SRG-OS-000375-GPOS-00161, SRG-OS-000375-GPOS-00162&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-72433</ident><ident system="http://cyber.mil/legacy">SV-87057</ident><ident system="http://cyber.mil/cci">CCI-001954</ident><ident system="http://cyber.mil/cci">CCI-001948</ident><ident system="http://cyber.mil/cci">CCI-001953</ident><fixtext fixref="F-4757r89092_fix">Configure the operating system to do certificate status checking for PKI authentication.
++Satisfies: SRG-OS-000375-GPOS-00160, SRG-OS-000375-GPOS-00161, SRG-OS-000375-GPOS-00162&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-87057</ident><ident system="http://cyber.mil/legacy">V-72433</ident><ident system="http://cyber.mil/cci">CCI-001954</ident><ident system="http://cyber.mil/cci">CCI-001953</ident><ident system="http://cyber.mil/cci">CCI-001948</ident><fixtext fixref="F-4757r89092_fix">Configure the operating system to do certificate status checking for PKI authentication.
+ 
+ Modify all of the "cert_policy" lines in "/etc/pam_pkcs11/pam_pkcs11.conf" to include "ocsp_on".</fixtext><fix id="F-4757r89092_fix" /><check system="C-4757r89091_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the operating system implements certificate status checking for PKI authentication.
+ 
+@@ -4855,7 +4855,7 @@ cert_policy = ca, ocsp_on, signature;
+ 
+ There should be at least three lines returned. 
+ 
+-If "ocsp_on" is not present in all uncommented "cert_policy" lines in "/etc/pam_pkcs11/pam_pkcs11.conf", this is a finding.</check-content></check></Rule></Group><Group id="V-204634"><title>SRG-OS-000424-GPOS-00188</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204634r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-041010</version><title>The Red Hat Enterprise Linux operating system must be configured so that all wireless network adapters are disabled.</title><description>&lt;VulnDiscussion&gt;The use of wireless networking can introduce many different attack vectors into the organization's network. Common attack vectors such as malicious association and ad hoc networks will allow an attacker to spoof a wireless access point (AP), allowing validated systems to connect to the malicious AP and enabling the attacker to monitor and record network traffic. These malicious APs can also serve to create a man-in-the-middle attack or be used to create a denial of service to valid network resources.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-73177</ident><ident system="http://cyber.mil/legacy">SV-87829</ident><ident system="http://cyber.mil/cci">CCI-001443</ident><ident system="http://cyber.mil/cci">CCI-001444</ident><ident system="http://cyber.mil/cci">CCI-002418</ident><fixtext fixref="F-4758r89095_fix">Configure the system to disable all wireless network interfaces with the following command:
++If "ocsp_on" is not present in all uncommented "cert_policy" lines in "/etc/pam_pkcs11/pam_pkcs11.conf", this is a finding.</check-content></check></Rule></Group><Group id="V-204634"><title>SRG-OS-000424-GPOS-00188</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-204634r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-041010</version><title>The Red Hat Enterprise Linux operating system must be configured so that all wireless network adapters are disabled.</title><description>&lt;VulnDiscussion&gt;The use of wireless networking can introduce many different attack vectors into the organization's network. Common attack vectors such as malicious association and ad hoc networks will allow an attacker to spoof a wireless access point (AP), allowing validated systems to connect to the malicious AP and enabling the attacker to monitor and record network traffic. These malicious APs can also serve to create a man-in-the-middle attack or be used to create a denial of service to valid network resources.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-87829</ident><ident system="http://cyber.mil/legacy">V-73177</ident><ident system="http://cyber.mil/cci">CCI-001443</ident><ident system="http://cyber.mil/cci">CCI-001444</ident><ident system="http://cyber.mil/cci">CCI-002418</ident><fixtext fixref="F-4758r89095_fix">Configure the system to disable all wireless network interfaces with the following command:
+ 
+ #nmcli radio wifi off</fixtext><fix id="F-4758r89095_fix" /><check system="C-4758r89094_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify that there are no wireless interfaces configured on the system.
+ 
+@@ -4869,9 +4869,9 @@ eth0 ethernet connected
+ wlp3s0 wifi disconnected
+ lo loopback unmanaged
+ 
+-If a wireless interface is configured and its use on the system is not documented with the Information System Security Officer (ISSO), this is a finding.</check-content></check></Rule></Group><Group id="V-214799"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-214799r505924_rule" weight="10.0" severity="high"><version>RHEL-07-010020</version><title>The Red Hat Enterprise Linux operating system must be configured so that the cryptographic hash of system files and commands matches vendor values.</title><description>&lt;VulnDiscussion&gt;Without cryptographic integrity protections, system command and files can be altered by unauthorized users without detection.
++If a wireless interface is configured and its use on the system is not documented with the Information System Security Officer (ISSO), this is a finding.</check-content></check></Rule></Group><Group id="V-214799"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-214799r603261_rule" weight="10.0" severity="high"><version>RHEL-07-010020</version><title>The Red Hat Enterprise Linux operating system must be configured so that the cryptographic hash of system files and commands matches vendor values.</title><description>&lt;VulnDiscussion&gt;Without cryptographic integrity protections, system command and files can be altered by unauthorized users without detection.
+ 
+-Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the key used to generate the hash.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-86479</ident><ident system="http://cyber.mil/legacy">V-71855</ident><ident system="http://cyber.mil/cci">CCI-001749</ident><fixtext fixref="F-15997r192363_fix">Run the following command to determine which package owns the file:
++Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the key used to generate the hash.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-71855</ident><ident system="http://cyber.mil/legacy">SV-86479</ident><ident system="http://cyber.mil/cci">CCI-001749</ident><fixtext fixref="F-15997r192363_fix">Run the following command to determine which package owns the file:
+ 
+ # rpm -qf &lt;filename&gt;
+ 
+@@ -4889,7 +4889,7 @@ Note: System configuration files (indicated by a "c" in the second column) are e
+ 
+ # rpm -Va --noconfig | grep '^..5'
+ 
+-If there is any output from the command for system files or binaries, this is a finding.</check-content></check></Rule></Group><Group id="V-214800"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-214800r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-020019</version><title>The Red Hat Enterprise Linux operating system must have a host-based intrusion detection tool installed.</title><description>&lt;VulnDiscussion&gt;Adding host-based intrusion detection tools can provide the capability to automatically take actions in response to malicious behavior, which can provide additional agility in reacting to network threats. These tools also often include a reporting capability to provide network awareness of the system, which may not otherwise exist in an organization's systems management regime.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-92255</ident><ident system="http://cyber.mil/legacy">SV-102357</ident><ident system="http://cyber.mil/cci">CCI-001263</ident><fixtext fixref="F-15998r462532_fix">Install and enable the latest McAfee HIPS package or McAfee ENSL.</fixtext><fix id="F-15998r462532_fix" /><check system="C-16000r462531_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Per OPORD 16-0080, the preferred intrusion detection system is McAfee Host Intrusion Prevention System (HIPS) in conjunction with SELinux. McAfee Endpoint Security for Linux (ENSL) is an approved alternative to McAfee Virus Scan Enterprise (VSE) and HIPS. For RHEL 7 systems, SELinux is an approved alternative to McAfee HIPS.
++If there is any output from the command for system files or binaries, this is a finding.</check-content></check></Rule></Group><Group id="V-214800"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-214800r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-020019</version><title>The Red Hat Enterprise Linux operating system must have a host-based intrusion detection tool installed.</title><description>&lt;VulnDiscussion&gt;Adding host-based intrusion detection tools can provide the capability to automatically take actions in response to malicious behavior, which can provide additional agility in reacting to network threats. These tools also often include a reporting capability to provide network awareness of the system, which may not otherwise exist in an organization's systems management regime.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-102357</ident><ident system="http://cyber.mil/legacy">V-92255</ident><ident system="http://cyber.mil/cci">CCI-001263</ident><fixtext fixref="F-36317r602660_fix">Install and enable the latest McAfee HIPS package or McAfee ENSL.</fixtext><fix id="F-36317r602660_fix" /><check system="C-16000r462531_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Per OPORD 16-0080, the preferred intrusion detection system is McAfee Host Intrusion Prevention System (HIPS) in conjunction with SELinux. McAfee Endpoint Security for Linux (ENSL) is an approved alternative to McAfee Virus Scan Enterprise (VSE) and HIPS. For RHEL 7 systems, SELinux is an approved alternative to McAfee HIPS.
+ 
+ Procedure:
+ Examine the system to determine if the Host Intrusion Prevention System (HIPS) is installed:
+@@ -4912,13 +4912,13 @@ Determine if the application is active on the system:
+ 
+ If the MFEhiplsm package is not installed and an alternate host-based intrusion detection application has not been documented for use, this is a finding.
+ 
+-If no host-based intrusion detection system is installed and running on the system, this is a finding.</check-content></check></Rule></Group><Group id="V-214801"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-214801r505924_rule" weight="10.0" severity="high"><version>RHEL-07-032000</version><title>The Red Hat Enterprise Linux operating system must use a virus scan program.</title><description>&lt;VulnDiscussion&gt;Virus scanning software can be used to protect a system from penetration from computer viruses and to limit their spread through intermediate systems.  
++If no host-based intrusion detection system is installed and running on the system, this is a finding.</check-content></check></Rule></Group><Group id="V-214801"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-214801r603261_rule" weight="10.0" severity="high"><version>RHEL-07-032000</version><title>The Red Hat Enterprise Linux operating system must use a virus scan program.</title><description>&lt;VulnDiscussion&gt;Virus scanning software can be used to protect a system from penetration from computer viruses and to limit their spread through intermediate systems.  
+ 
+ The virus scanning software should be configured to perform scans dynamically on accessed files. If this capability is not available, the system must be configured to scan, at a minimum, all altered files on the system on a daily basis.
+ 
+ If the system processes inbound SMTP mail, the virus scanner must be configured to scan all received mail.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-72213</ident><ident system="http://cyber.mil/legacy">SV-86837</ident><ident system="http://cyber.mil/cci">CCI-001668</ident><fixtext fixref="F-15999r192369_fix">Install an antivirus solution on the system.</fixtext><fix id="F-15999r192369_fix" /><check system="C-16001r192368_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify an anti-virus solution is installed on the system. The anti-virus solution may be bundled with an approved host-based security solution.
+ 
+-If there is no anti-virus solution installed on the system, this is a finding.</check-content></check></Rule></Group><Group id="V-214937"><title>SRG-OS-000029-GPOS-00010</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-214937r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-010062</version><title>The Red Hat Enterprise Linux operating system must prevent a user from overriding the screensaver lock-enabled setting for the graphical user interface.</title><description>&lt;VulnDiscussion&gt;A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence.
++If there is no anti-virus solution installed on the system, this is a finding.</check-content></check></Rule></Group><Group id="V-214937"><title>SRG-OS-000029-GPOS-00010</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-214937r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-010062</version><title>The Red Hat Enterprise Linux operating system must prevent a user from overriding the screensaver lock-enabled setting for the graphical user interface.</title><description>&lt;VulnDiscussion&gt;A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence.
+ 
+ The session lock is implemented at the point where session activity can be determined.
+ 
+@@ -4951,9 +4951,9 @@ Note: The example below is using the database "local" for the system, so the pat
+ /org/gnome/desktop/screensaver/lock-enabled
+ 
+ If the command does not return a result, this is a finding.
+-</check-content></check></Rule></Group><Group id="V-219059"><title>SRG-OS-000114-GPOS-00059</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-219059r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-020111</version><title>The Red Hat Enterprise Linux operating system must disable the graphical user interface automounter unless required.</title><description>&lt;VulnDiscussion&gt;Automatically mounting file systems permits easy introduction of unknown devices, thereby facilitating malicious activity.
++</check-content></check></Rule></Group><Group id="V-219059"><title>SRG-OS-000114-GPOS-00059</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-219059r603261_rule" weight="10.0" severity="medium"><version>RHEL-07-020111</version><title>The Red Hat Enterprise Linux operating system must disable the graphical user interface automounter unless required.</title><description>&lt;VulnDiscussion&gt;Automatically mounting file systems permits easy introduction of unknown devices, thereby facilitating malicious activity.
+ 
+-Satisfies: SRG-OS-000114-GPOS-00059, SRG-OS-000378-GPOS-00163, SRG-OS-000480-GPOS-00227&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">V-100023</ident><ident system="http://cyber.mil/legacy">SV-109127</ident><ident system="http://cyber.mil/cci">CCI-000778</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><ident system="http://cyber.mil/cci">CCI-001958</ident><fixtext fixref="F-17871r499415_fix">Configure the graphical user interface to disable the ability to automount devices.
++Satisfies: SRG-OS-000114-GPOS-00059, SRG-OS-000378-GPOS-00163, SRG-OS-000480-GPOS-00227&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-109127</ident><ident system="http://cyber.mil/legacy">V-100023</ident><ident system="http://cyber.mil/cci">CCI-001958</ident><ident system="http://cyber.mil/cci">CCI-000778</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-36318r602663_fix">Configure the graphical user interface to disable the ability to automount devices.
+ 
+ Note: The example below is using the database "local" for the system, so the path is "/etc/dconf/db/local.d". This path must be modified if a database other than "local" is being used.
+ 
+@@ -4976,7 +4976,7 @@ Create or edit the /etc/dconf/db/local.d/locks/00-No-Automount file and add the
+ 
+ Run the following command to update the database:
+ 
+-# dconf update</fixtext><fix id="F-17871r499415_fix" /><check system="C-17785r499414_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Note: If the operating system does not have a graphical user interface installed, this requirement is Not Applicable.
++# dconf update</fixtext><fix id="F-36318r602663_fix" /><check system="C-36354r602662_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Note: If the operating system does not have a graphical user interface installed, this requirement is Not Applicable.
+ 
+ Verify the operating system disables the ability to automount devices in a graphical user interface.
+ 
+@@ -5003,19 +5003,19 @@ If the output does not match the example above, this is a finding.
+ 
+ /org/gnome/desktop/media-handling/autorun-never
+ 
+-If the output does not match the example, this is a finding.</check-content></check></Rule></Group><Group id="V-228563"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-228563r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-021031</version><title>The Red Hat Enterprise Linux operating system must be configured so that all world-writable directories are owned by root, sys, bin, or an application user.</title><description>&lt;VulnDiscussion&gt;If a world-writable directory has the sticky bit set and is not owned by root, sys, bin, or an application User Identifier (UID), unauthorized users may be able to modify files created by others.
++If the output does not match the example, this is a finding.</check-content></check></Rule></Group><Group id="V-228563"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-228563r606406_rule" weight="10.0" severity="medium"><version>RHEL-07-021031</version><title>The Red Hat Enterprise Linux operating system must be configured so that all world-writable directories are owned by root, sys, bin, or an application user.</title><description>&lt;VulnDiscussion&gt;If a world-writable directory has the sticky bit set and is not owned by root, sys, bin, or an application User Identifier (UID), unauthorized users may be able to modify files created by others.
+ 
+-The only authorized public directories are those temporary directories supplied with the system or those designed to be temporary file repositories. The setting is normally reserved for directories used by the system and by users for temporary file storage, (e.g., /tmp), and for directories requiring global read/write access.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-19547r377220_fix">All directories in local partitions which are world-writable should be owned by root or another system account. If any world-writable directories are not owned by a system account, this should be investigated. Following this, the files should be deleted or assigned to an appropriate group.</fixtext><fix id="F-19547r377220_fix" /><check system="C-30796r499670_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>The following command will discover and print world-writable directories that are not owned by a system account, assuming only system accounts have a UID lower than 1000. Run it once for each local partition [PART]: 
++The only authorized public directories are those temporary directories supplied with the system or those designed to be temporary file repositories. The setting is normally reserved for directories used by the system and by users for temporary file storage, (e.g., /tmp), and for directories requiring global read/write access.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-19547r377220_fix">All directories in local partitions which are world-writable should be owned by root or another system account. If any world-writable directories are not owned by a system account, this should be investigated. Following this, the files should be deleted or assigned to an appropriate group.</fixtext><fix id="F-19547r377220_fix" /><check system="C-36355r606405_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>The following command will discover and print world-writable directories that are not owned by a system account, assuming only system accounts have a UID lower than 1000. Run it once for each local partition [PART]:
+ 
+ # find [PART] -xdev -type d -perm -0002 -uid +999 -print
+ 
+-If there is output, this is a finding.</check-content></check></Rule></Group><Group id="V-228564"><title>SRG-OS-000057-GPOS-00027</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-228564r505924_rule" weight="10.0" severity="medium"><version>RHEL-07-910055</version><title>The Red Hat Enterprise Linux operating system must protect audit information from unauthorized read, modification, or deletion.</title><description>&lt;VulnDiscussion&gt;If audit information were to become compromised, then forensic analysis and discovery of the true source of potentially malicious system activity is impossible to achieve.
++If there is output, this is a finding.</check-content></check></Rule></Group><Group id="V-228564"><title>SRG-OS-000057-GPOS-00027</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-228564r606407_rule" weight="10.0" severity="medium"><version>RHEL-07-910055</version><title>The Red Hat Enterprise Linux operating system must protect audit information from unauthorized read, modification, or deletion.</title><description>&lt;VulnDiscussion&gt;If audit information were to become compromised, then forensic analysis and discovery of the true source of potentially malicious system activity is impossible to achieve.
+ 
+ To ensure the veracity of audit information, the operating system must protect audit information from unauthorized modification.
+ 
+ Audit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit information system activity.
+ 
+-Satisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029, SRG-OS-000206-GPOS-00084&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000162</ident><ident system="http://cyber.mil/cci">CCI-000163</ident><ident system="http://cyber.mil/cci">CCI-000164</ident><ident system="http://cyber.mil/cci">CCI-001314</ident><fixtext fixref="F-23603r419770_fix">Change the mode of the audit log files with the following command: 
++Satisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029, SRG-OS-000206-GPOS-00084&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-001314</ident><ident system="http://cyber.mil/cci">CCI-000162</ident><ident system="http://cyber.mil/cci">CCI-000163</ident><ident system="http://cyber.mil/cci">CCI-000164</ident><fixtext fixref="F-23603r419770_fix">Change the mode of the audit log files with the following command: 
+ 
+ # chmod 0600 [audit_file]
+ 
+@@ -5034,4 +5034,15 @@ drwxr-xr-x. 17 root root 4096 Aug 9 13:09 ..
+ Audit logs must be mode 0600 or less permissive. 
+ If any are more permissive, this is a finding.
+ 
+-The owner and group owner of all audit log files must both be "root". If any other owner or group owner is listed, this is a finding.</check-content></check></Rule></Group></Benchmark>
+\ No newline at end of file
++The owner and group owner of all audit log files must both be "root". If any other owner or group owner is listed, this is a finding.</check-content></check></Rule></Group><Group id="V-233307"><title>SRG-OS-000480-GPOS-00227</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-233307r603301_rule" weight="10.0" severity="medium"><version>RHEL-07-040711</version><title>The Red Hat Enterprise Linux operating system SSH daemon must prevent remote hosts from connecting to the proxy display.</title><description>&lt;VulnDiscussion&gt;When X11 forwarding is enabled, there may be additional exposure to the server and client displays if the sshd proxy display is configured to listen on the wildcard address. By default, sshd binds the forwarding server to the loopback address and sets the hostname part of the DIPSLAY environment variable to localhost. This prevents remote hosts from connecting to the proxy display.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Red Hat Enterprise Linux 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat Enterprise Linux 7</dc:subject><dc:identifier>2899</dc:identifier></reference><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-36466r603300_fix">Configure the SSH daemon to prevent remote hosts from connecting to the proxy display.
++
++Edit the "/etc/ssh/sshd_config" file to uncomment or add the line for the "X11UseLocalhost" keyword and set its value to "yes" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor):
++
++X11UseLocalhost yes</fixtext><fix id="F-36466r603300_fix" /><check system="C-36502r603299_chk"><check-content-ref href="Red_Hat_Enterprise_Linux_7_STIG.xml" name="M" /><check-content>Verify the SSH daemon prevents remote hosts from connecting to the proxy display.
++
++Check the SSH X11UseLocalhost setting with the following command:
++
++# sudo grep -i x11uselocalhost /etc/ssh/sshd_config
++X11UseLocalhost yes
++
++If the "X11UseLocalhost" keyword is set to "no", is missing, or is commented out, this is a finding.</check-content></check></Rule></Group></Benchmark>
+\ No newline at end of file
diff --git a/SOURCES/scap-security-guide-0.1.55-drop_fix_sysctl_kernel_modules_disabled-PR_6586.patch b/SOURCES/scap-security-guide-0.1.55-drop_fix_sysctl_kernel_modules_disabled-PR_6586.patch
new file mode 100644
index 0000000..622cfd7
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.55-drop_fix_sysctl_kernel_modules_disabled-PR_6586.patch
@@ -0,0 +1,57 @@
+From 01b1ade0e5713bf3f11f78cc0ca7e43f74eb8a46 Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Tue, 2 Feb 2021 01:02:48 +0100
+Subject: [PATCH 1/2] Drop remediation for sysctl_kernel_modules_disabled
+
+Remediating this during kickstart install time renders the machine
+unbootable.
+---
+ .../restrictions/sysctl_kernel_modules_disabled/rule.yml       | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_modules_disabled/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_modules_disabled/rule.yml
+index 1811c43815..34e8290f74 100644
+--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_modules_disabled/rule.yml
++++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_modules_disabled/rule.yml
+@@ -32,3 +32,6 @@ template:
+         sysctlvar: kernel.modules_disabled
+         sysctlval: '1'
+         datatype: int
++    backends:
++        # Automated remediation of this rule disrupts installs via kickstart
++        bash: 'off'
+
+From 77eeafd1af1445a185651c77b143bce0004badda Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Tue, 2 Feb 2021 09:23:17 +0100
+Subject: [PATCH 2/2] Add warning why rule has no remediation
+
+Rule sysctl_kernel_modules_disabled disrupts the install and boot
+process if remediated during installation.
+---
+ .../restrictions/sysctl_kernel_modules_disabled/rule.yml   | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_modules_disabled/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_modules_disabled/rule.yml
+index 34e8290f74..438cd2759e 100644
+--- a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_modules_disabled/rule.yml
++++ b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_modules_disabled/rule.yml
+@@ -26,6 +26,11 @@ references:
+ 
+ platform: machine
+ 
++warnings:
++  - general:
++      This rule doesn't come with Bash remediation.
++      Remediating this rule during the installation process disrupts the install and boot process.
++
+ template:
+     name: sysctl
+     vars:
+@@ -33,5 +38,5 @@ template:
+         sysctlval: '1'
+         datatype: int
+     backends:
+-        # Automated remediation of this rule disrupts installs via kickstart
++        # Automated remediation of this rule during installations disrupts the first boot
+         bash: 'off'
diff --git a/SOURCES/scap-security-guide-0.1.55-fix_cce_rhel7_mac-PR_6564.patch b/SOURCES/scap-security-guide-0.1.55-fix_cce_rhel7_mac-PR_6564.patch
new file mode 100644
index 0000000..2c4debe
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.55-fix_cce_rhel7_mac-PR_6564.patch
@@ -0,0 +1,36 @@
+From 67f33ad17c234106bb3243af9f63ae478daa11ec Mon Sep 17 00:00:00 2001
+From: Gabriel Becker <ggasparb@redhat.com>
+Date: Mon, 25 Jan 2021 18:28:26 +0100
+Subject: [PATCH] Reassign a new unique CCE identifier to approved macs STIG
+ rule.
+
+---
+ .../ssh/ssh_server/sshd_use_approved_macs_ordered_stig/rule.yml | 2 +-
+ shared/references/cce-redhat-avail.txt                          | 1 -
+ 2 files changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/rule.yml
+index dc9f7dca7c..88d2d77e14 100644
+--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/rule.yml
++++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/rule.yml
+@@ -19,7 +19,7 @@ rationale: |-
+ severity: medium
+ 
+ identifiers:
+-    cce@rhel7: CCE-83398-8
++    cce@rhel7: CCE-83636-1
+ 
+ references:
+     disa: CCI-000068,CCI-000803,CCI-000877,CCI-001453,CCI-003123
+diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
+index 66196f1fa7..ed14c14be7 100644
+--- a/shared/references/cce-redhat-avail.txt
++++ b/shared/references/cce-redhat-avail.txt
+@@ -139,7 +139,6 @@ CCE-83629-6
+ CCE-83633-8
+ CCE-83634-6
+ CCE-83635-3
+-CCE-83636-1
+ CCE-83637-9
+ CCE-83638-7
+ CCE-83639-5
diff --git a/SOURCES/scap-security-guide-0.1.55-fix_stigid_reference-PR_6628.patch b/SOURCES/scap-security-guide-0.1.55-fix_stigid_reference-PR_6628.patch
new file mode 100644
index 0000000..b16a3b9
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.55-fix_stigid_reference-PR_6628.patch
@@ -0,0 +1,19 @@
+commit 3ce8d3a6cb988b29c2193212750e1159d572ad7a
+Author: Gabriel Becker <ggasparb@redhat.com>
+Date:   Mon Feb 22 16:27:16 2021 +0100
+
+    Fix STIG id reference for sshd_x11_use_localhost.
+
+diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_x11_use_localhost/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_x11_use_localhost/rule.yml
+index 7267d24..368d200 100644
+--- a/linux_os/guide/services/ssh/ssh_server/sshd_x11_use_localhost/rule.yml
++++ b/linux_os/guide/services/ssh/ssh_server/sshd_x11_use_localhost/rule.yml
+@@ -25,7 +25,7 @@ identifiers:
+ 
+ references:
+     srg: SRG-OS-000480-GPOS-00227
+-    stig@rhel7: RHEL-07-040711
++    stigid@rhel7: RHEL-07-040711
+     disa: CCI-000366
+     nist: CM-6(b)
+ 
diff --git a/SOURCES/scap-security-guide-0.1.55-sshd_approved_ciphers_ordered-PR_6541.diff b/SOURCES/scap-security-guide-0.1.55-sshd_approved_ciphers_ordered-PR_6541.diff
new file mode 100644
index 0000000..8ff4cc0
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.55-sshd_approved_ciphers_ordered-PR_6541.diff
@@ -0,0 +1,259 @@
+diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/rule.yml
+index abcebf60c..50c7d689a 100644
+--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/rule.yml
++++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers/rule.yml
+@@ -61,7 +61,6 @@ references:
+     nist-csf: PR.AC-1,PR.AC-3,PR.AC-4,PR.AC-6,PR.AC-7,PR.IP-1,PR.PT-1,PR.PT-3,PR.PT-4
+     srg: SRG-OS-000033-GPOS-00014,SRG-OS-000120-GPOS-00061,SRG-OS-000125-GPOS-00065,SRG-OS-000250-GPOS-00093,SRG-OS-000393-GPOS-00173,SRG-OS-000394-GPOS-00174
+     vmmsrg: SRG-OS-000033-VMM-000140,SRG-OS-000120-VMM-000600,SRG-OS-000478-VMM-001980,SRG-OS-000396-VMM-001590
+-    stigid@rhel7: RHEL-07-040110
+     isa-62443-2013: 'SR 1.1,SR 1.10,SR 1.11,SR 1.12,SR 1.13,SR 1.2,SR 1.3,SR 1.4,SR 1.5,SR 1.6,SR 1.7,SR 1.8,SR 1.9,SR 2.1,SR 2.10,SR 2.11,SR 2.12,SR 2.2,SR 2.3,SR 2.4,SR 2.5,SR 2.6,SR 2.7,SR 2.8,SR 2.9,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 7.1,SR 7.6'
+     isa-62443-2009: 4.3.3.2.2,4.3.3.3.9,4.3.3.5.1,4.3.3.5.2,4.3.3.5.3,4.3.3.5.4,4.3.3.5.5,4.3.3.5.6,4.3.3.5.7,4.3.3.5.8,4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9,4.3.3.7.1,4.3.3.7.2,4.3.3.7.3,4.3.3.7.4,4.3.4.3.2,4.3.4.3.3,4.3.4.4.7,4.4.2.1,4.4.2.2,4.4.2.4
+     cobit5: APO11.04,APO13.01,BAI03.05,BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS01.04,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,DSS05.10,DSS06.03,DSS06.06,DSS06.10,MEA02.01
+diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/ansible/shared.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/ansible/shared.yml
+new file mode 100644
+index 000000000..4796a2eab
+--- /dev/null
++++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/ansible/shared.yml
+@@ -0,0 +1,13 @@
++# platform = Red Hat Enterprise Linux 7,Oracle Linux 7
++# reboot = false
++# strategy = restrict
++# complexity = low
++# disruption = low
++
++- name: "Configure sshd to use approved ciphers"
++  lineinfile:
++    path: /etc/ssh/sshd_config
++    line: 'Ciphers aes256-ctr,aes192-ctr,aes128-ctr'
++    state: present
++    regexp: '^[\s]*[Cc]iphers[\s]+(aes256-ctr(?=[\w,-@]+|$),?)?(aes192-ctr(?=[\w,-@]+|$),?)?(aes128-ctr(?=[\w,-@]+|$),?)?[\s]*(?:#.*)?$'
++    create: True
+diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/bash/shared.sh
+new file mode 100644
+index 000000000..8f751ed51
+--- /dev/null
++++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/bash/shared.sh
+@@ -0,0 +1,7 @@
++# platform = multi_platform_wrlinux,Red Hat Enterprise Linux 7,Oracle Linux 7
++
++if grep -q -P '^\s*[Cc]iphers\s+' /etc/ssh/sshd_config; then
++  sed -i 's/^\s*[Cc]iphers.*/Ciphers aes256-ctr,aes192-ctr,aes128-ctr/' /etc/ssh/sshd_config
++else
++  echo "Ciphers aes256-ctr,aes192-ctr,aes128-ctr" >> /etc/ssh/sshd_config
++fi
+diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/oval/shared.xml
+new file mode 100644
+index 000000000..53ff0a2a9
+--- /dev/null
++++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/oval/shared.xml
+@@ -0,0 +1,38 @@
++<def-group>
++  <definition class="compliance" id="sshd_use_approved_ciphers_ordered_stig" version="1">
++    {{{ oval_metadata("Limit the ciphers to those which are FIPS-approved.") }}}
++    <criteria operator="AND">
++      <extend_definition comment="Installed OS is FIPS certified" definition_ref="installed_OS_is_FIPS_certified" />
++      <criteria comment="SSH is configured correctly or is not installed"
++      operator="OR">
++        <criteria comment="sshd is not installed" operator="AND">
++          <extend_definition comment="sshd is not required or requirement is unset"
++          definition_ref="sshd_not_required_or_unset" />
++          <extend_definition comment="rpm package openssh-server removed"
++          definition_ref="package_openssh-server_removed" />
++        </criteria>
++        <criteria comment="sshd is installed and configured" operator="AND">
++          <extend_definition comment="sshd is required or requirement is unset"
++          definition_ref="sshd_required_or_unset" />
++          <extend_definition comment="rpm package openssh-server installed"
++          definition_ref="package_openssh-server_installed" />
++          <criterion comment="Check the Cipers list in /etc/ssh/sshd_config"
++          test_ref="test_sshd_use_approved_ciphers_ordered_stig" />
++        </criteria>
++      </criteria>
++    </criteria>
++  </definition>
++
++  <ind:textfilecontent54_test check="all" check_existence="all_exist"
++  comment="tests the value of Ciphers setting in the /etc/ssh/sshd_config file"
++  id="test_sshd_use_approved_ciphers_ordered_stig" version="1">
++    <ind:object object_ref="obj_sshd_use_approved_ciphers_ordered_stig" />
++  </ind:textfilecontent54_test>
++
++  <ind:textfilecontent54_object id="obj_sshd_use_approved_ciphers_ordered_stig" version="1">
++    <ind:filepath>/etc/ssh/sshd_config</ind:filepath>
++    <ind:pattern operation="pattern match">^[\s]*(?i)Ciphers(?-i)[\s]+(?=[\w]+)(aes256-ctr(?=[\w,]+|$),?)?(aes192-ctr(?=[\w,]+|$),?)?(aes128-ctr)?[\s]*(?:#.*)?$</ind:pattern>
++    <ind:instance datatype="int">1</ind:instance>
++  </ind:textfilecontent54_object>
++
++</def-group>
+diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/rule.yml
+new file mode 100644
+index 000000000..075106417
+--- /dev/null
++++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/rule.yml
+@@ -0,0 +1,64 @@
++documentation_complete: true
++
++prodtype: rhel7
++
++title: 'Use Only FIPS 140-2 Validated Ciphers'
++
++description: |-
++    Limit the ciphers to those algorithms which are FIPS-approved.
++    The following line in <tt>/etc/ssh/sshd_config</tt>
++    demonstrates use of FIPS-approved ciphers:
++    <pre>Ciphers aes256-ctr,aes192-ctr,aes128-ctr</pre>
++    This rule ensures that there are configured ciphers mentioned
++    above (or their subset), keeping the given order of algorithms.
++
++rationale: |-
++    Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore
++    cannot be relied upon to provide confidentiality or integrity, and system data may be compromised.
++    <br />
++    Operating systems utilizing encryption are required to use FIPS-compliant mechanisms for authenticating to
++    cryptographic modules.
++    <br />
++    FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules
++    utilize authentication that meets industry and government requirements. For government systems, this allows
++    Security Levels 1, 2, 3, or 4 for use on {{{ full_name }}}.
++
++severity: medium
++
++identifiers:
++    cce@rhel7: CCE-83398-8
++
++references:
++    disa: CCI-000068,CCI-000366,CCI-000803,CCI-000877,CCI-002890,CCI-003123
++    srg: SRG-OS-000033-GPOS-00014,SRG-OS-000120-GPOS-00061,SRG-OS-000125-GPOS-00065,SRG-OS-000250-GPOS-00093,SRG-OS-000393-GPOS-00173,SRG-OS-000394-GPOS-00174
++    stigid@rhel7: RHEL-07-040110
++
++ocil_clause: 'FIPS ciphers are not configured or the enabled ciphers are not FIPS-approved'
++
++ocil: |-
++    Only FIPS ciphers should be used. To verify that only FIPS-approved
++    ciphers are in use, run the following command:
++    <pre>$ sudo grep Ciphers /etc/ssh/sshd_config</pre>
++    The output should contain only following ciphers (or a subset) in the exact order:
++    <pre>aes256-ctr,aes192-ctr,aes128-ctr</pre>
++
++warnings:
++    - general: |-
++        The system needs to be rebooted for these changes to take effect.
++    - regulatory: |-
++        System Crypto Modules must be provided by a vendor that undergoes
++        FIPS-140 certifications.
++        FIPS-140 is applicable to all Federal agencies that use
++        cryptographic-based security systems to protect sensitive information
++        in computer and telecommunication systems (including voice systems) as
++        defined in Section 5131 of the Information Technology Management Reform
++        Act of 1996, Public Law 104-106. This standard shall be used in
++        designing and implementing cryptographic modules that Federal
++        departments and agencies operate or are operated for them under
++        contract. See <b>{{{ weblink(link="https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf") }}}</b>
++        To meet this, the system has to have cryptographic software provided by
++        a vendor that has undergone this certification. This means providing
++        documentation, test results, design information, and independent third
++        party review by an accredited lab. While open source software is
++        capable of meeting this, it does not meet FIPS-140 unless the vendor
++        submits to this process.
+diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/tests/comment.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/tests/comment.fail.sh
+new file mode 100644
+index 000000000..daff7d7c5
+--- /dev/null
++++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/tests/comment.fail.sh
+@@ -0,0 +1,7 @@
++#!/bin/bash
++
++if grep -q "^Ciphers" /etc/ssh/sshd_config; then
++	sed -i "s/^Ciphers.*/# ciphers aes256-ctr,aes192-ctr,aes128-ctr/" /etc/ssh/sshd_config
++else
++	echo "# ciphers aes256-ctr,aes192-ctr,aes128-ctr" >> /etc/ssh/sshd_config
++fi
+diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/tests/correct_reduced_list.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/tests/correct_reduced_list.pass.sh
+new file mode 100644
+index 000000000..b9d22262a
+--- /dev/null
++++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/tests/correct_reduced_list.pass.sh
+@@ -0,0 +1,7 @@
++#!/bin/bash
++
++if grep -q "^Ciphers" /etc/ssh/sshd_config; then
++	sed -i "s/^Ciphers.*/Ciphers aes192-ctr,aes128-ctr/" /etc/ssh/sshd_config
++else
++	echo "Ciphers aes192-ctr,aes128-ctr" >> /etc/ssh/sshd_config
++fi
+diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/tests/correct_scrambled.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/tests/correct_scrambled.fail.sh
+new file mode 100644
+index 000000000..b99d3832c
+--- /dev/null
++++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/tests/correct_scrambled.fail.sh
+@@ -0,0 +1,7 @@
++#!/bin/bash
++
++if grep -q "^Ciphers" /etc/ssh/sshd_config; then
++	sed -i "s/^Ciphers.*/Ciphers aes128-ctr,aes192-ctr,aes256-ctr/" /etc/ssh/sshd_config
++else
++	echo "Ciphers aes128-ctr,aes192-ctr,aes256-ctr" >> /etc/ssh/sshd_config
++fi
+diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/tests/correct_value.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/tests/correct_value.pass.sh
+new file mode 100644
+index 000000000..6dfd54631
+--- /dev/null
++++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/tests/correct_value.pass.sh
+@@ -0,0 +1,7 @@
++#!/bin/bash
++
++if grep -q "^Ciphers" /etc/ssh/sshd_config; then
++	sed -i "s/^Ciphers.*/ciphers aes256-ctr,aes192-ctr,aes128-ctr/" /etc/ssh/sshd_config
++else
++	echo 'ciphers aes256-ctr,aes192-ctr,aes128-ctr' >> /etc/ssh/sshd_config
++fi
+diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/tests/line_not_there.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/tests/line_not_there.fail.sh
+new file mode 100644
+index 000000000..7b38914a1
+--- /dev/null
++++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/tests/line_not_there.fail.sh
+@@ -0,0 +1,3 @@
++#!/bin/bash
++
++sed -i "/^Ciphers.*/d" /etc/ssh/sshd_config
+diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/tests/no_parameters.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/tests/no_parameters.fail.sh
+new file mode 100644
+index 000000000..6fdb47093
+--- /dev/null
++++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/tests/no_parameters.fail.sh
+@@ -0,0 +1,7 @@
++#!/bin/bash
++
++if grep -q "^Ciphers" /etc/ssh/sshd_config; then
++	sed -i "s/^Ciphers.*/Ciphers /" /etc/ssh/sshd_config
++else
++	echo 'Ciphers ' >> /etc/ssh/sshd_config
++fi
+diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/tests/wrong_value.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/tests/wrong_value.fail.sh
+new file mode 100644
+index 000000000..24fdf0f30
+--- /dev/null
++++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_ciphers_ordered_stig/tests/wrong_value.fail.sh
+@@ -0,0 +1,7 @@
++#!/bin/bash
++
++if grep -q "^Ciphers" /etc/ssh/sshd_config; then
++	sed -i "s/^Ciphers.*/ Ciphers aes128-ctr,aes192-ctr,weak-cipher,aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc,rijndael-cbc@lysator\.liu\.se/" /etc/ssh/sshd_config
++else
++	echo " Ciphers aes128-ctr,aes192-ctr,weak-cipher,aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc,rijndael-cbc@lysator\.liu\.se" >> /etc/ssh/sshd_config
++fi
+diff --git a/rhel7/profiles/stig.profile b/rhel7/profiles/stig.profile
+index 88b50d5ef..ecd256c68 100644
+--- a/rhel7/profiles/stig.profile
++++ b/rhel7/profiles/stig.profile
+@@ -239,8 +239,7 @@ selections:
+     - install_antivirus
+     - accounts_max_concurrent_login_sessions
+     - configure_firewalld_ports
+-    - sshd_approved_ciphers=stig
+-    - sshd_use_approved_ciphers
++    - sshd_use_approved_ciphers_ordered_stig
+     - accounts_tmout
+     - sshd_enable_warning_banner
+     - sssd_ldap_start_tls
diff --git a/SOURCES/scap-security-guide-0.1.55-sshd_use_approved_macs_stig-PR_6546.patch b/SOURCES/scap-security-guide-0.1.55-sshd_use_approved_macs_stig-PR_6546.patch
new file mode 100644
index 0000000..92677e1
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.55-sshd_use_approved_macs_stig-PR_6546.patch
@@ -0,0 +1,386 @@
+From 5f8f98024f8955a0327b67f873923757a51d082c Mon Sep 17 00:00:00 2001
+From: Vojtech Polasek <vpolasek@redhat.com>
+Date: Tue, 19 Jan 2021 12:32:07 +0100
+Subject: [PATCH 1/7] add rule and remediations
+
+---
+ .../ansible/shared.yml                        | 13 +++++
+ .../bash/shared.sh                            |  7 +++
+ .../oval/shared.xml                           | 38 +++++++++++++
+ .../rule.yml                                  | 57 +++++++++++++++++++
+ 5 files changed, 115 insertions(+), 1 deletion(-)
+ create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/ansible/shared.yml
+ create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/bash/shared.sh
+ create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/oval/shared.xml
+ create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/rule.yml
+
+diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/ansible/shared.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/ansible/shared.yml
+new file mode 100644
+index 0000000000..cefba7db05
+--- /dev/null
++++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/ansible/shared.yml
+@@ -0,0 +1,13 @@
++# platform = Red Hat Enterprise Linux 7,Oracle Linux 7
++# reboot = false
++# strategy = restrict
++# complexity = low
++# disruption = low
++
++- name: "Configure sshd to use approved MACs"
++  lineinfile:
++    path: /etc/ssh/sshd_config
++    line: 'MACs hmac-sha2-512,hmac-sha2-256'
++    state: present
++    regexp: '^[\s]*MACs[\s]+(hmac-sha2-512(?=[\w,-@]+|$),?)?(hmac-sha2-256(?=[\w,-@]+|$),?)?[\s]*(?:#.*)?$'
++    create: True
+diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/bash/shared.sh
+new file mode 100644
+index 0000000000..c76190fb96
+--- /dev/null
++++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/bash/shared.sh
+@@ -0,0 +1,7 @@
++# platform = multi_platform_wrlinux,Red Hat Enterprise Linux 7,Oracle Linux 7
++
++if grep -q -P '^[[:space:]]*MACs[[:space:]]+' /etc/ssh/sshd_config; then
++  sed -i 's/^\s*MACs.*/MACs hmac-sha2-512,hmac-sha2-256/' /etc/ssh/sshd_config
++else
++  echo "MACs hmac-sha2-512,hmac-sha2-256" >> /etc/ssh/sshd_config
++fi
+diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/oval/shared.xml
+new file mode 100644
+index 0000000000..d7fbd9f0ed
+--- /dev/null
++++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/oval/shared.xml
+@@ -0,0 +1,38 @@
++<def-group>
++  <definition class="compliance" id="sshd_use_approved_macs_ordered_stig" version="1">
++    {{{ oval_metadata("Limit the Message Authentication Codes (MACs) to those which are FIPS-approved.") }}}
++    <criteria operator="AND">
++      <extend_definition comment="Installed OS is FIPS certified" definition_ref="installed_OS_is_FIPS_certified" />
++      <criteria comment="SSH is configured correctly or is not installed"
++      operator="OR">
++        <criteria comment="sshd is not installed" operator="AND">
++          <extend_definition comment="sshd is not required or requirement is unset"
++          definition_ref="sshd_not_required_or_unset" />
++          <extend_definition comment="rpm package openssh-server removed"
++          definition_ref="package_openssh-server_removed" />
++        </criteria>
++        <criteria comment="sshd is installed and configured" operator="AND">
++          <extend_definition comment="sshd is required or requirement is unset"
++          definition_ref="sshd_required_or_unset" />
++          <extend_definition comment="rpm package openssh-server installed"
++          definition_ref="package_openssh-server_installed" />
++          <criterion comment="Check MACs in /etc/ssh/sshd_config"
++          test_ref="test_sshd_use_approved_macs_ordered_stig" />
++        </criteria>
++      </criteria>
++    </criteria>
++  </definition>
++
++  <ind:textfilecontent54_test check="all" check_existence="all_exist"
++  comment="tests the value of MACs setting in the /etc/ssh/sshd_config file"
++  id="test_sshd_use_approved_macs_ordered_stig" version="1">
++    <ind:object object_ref="obj_sshd_use_approved_macs_ordered_stig" />
++  </ind:textfilecontent54_test>
++
++  <ind:textfilecontent54_object id="obj_sshd_use_approved_macs_ordered_stig" version="1">
++    <ind:filepath>/etc/ssh/sshd_config</ind:filepath>
++    <ind:pattern operation="pattern match">^[\s]*(?i)MACs(?-i)[\s]+(?=[\w,-@]+)(hmac-sha2-512(?=[\w,-@]+|$),?)?(hmac-sha2-256(?=[\w,-@]+|$),?)?[\s]*(?:#.*)?$</ind:pattern>
++    <ind:instance datatype="int">1</ind:instance>
++  </ind:textfilecontent54_object>
++
++</def-group>
+diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/rule.yml
+new file mode 100644
+index 0000000000..dc9f7dca7c
+--- /dev/null
++++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/rule.yml
+@@ -0,0 +1,57 @@
++documentation_complete: true
++
++prodtype: rhel7
++
++title: 'Use Only FIPS 140-2 Validated MACs'
++
++description: |-
++    Limit the MACs to those hash algorithms which are FIPS-approved.
++    The following line in <tt>/etc/ssh/sshd_config</tt>
++    demonstrates use of FIPS-approved MACs:
++    <pre>MACs hmac-sha2-512,hmac-sha2-256</pre>
++    This rule ensures that there are configured MACs mentioned
++    above (or their subset), keeping the given order of algorithms.
++
++rationale: |-
++    DoD Information Systems are required to use FIPS-approved cryptographic hash
++    functions. The only SSHv2 hash algorithms meeting this requirement is SHA2.
++
++severity: medium
++
++identifiers:
++    cce@rhel7: CCE-83398-8
++
++references:
++    disa: CCI-000068,CCI-000803,CCI-000877,CCI-001453,CCI-003123
++    srg: SRG-OS-000125-GPOS-00065,SRG-OS-000250-GPOS-00093,SRG-OS-000394-GPOS-00174
++    stigid@rhel7: RHEL-07-040400
++
++ocil_clause: 'MACs option is commented out or not using FIPS-approved hash algorithms'
++
++ocil: |-
++    Only FIPS-approved MACs should be used. To verify that only FIPS-approved
++    MACs are in use, run the following command:
++    <pre>$ sudo grep -i macs /etc/ssh/sshd_config</pre>
++    The output should contain only following MACs (or a subset) in the exact order:
++    <pre>hmac-sha2-512,hmac-sha2-256</pre>
++
++warnings:
++    - general: |-
++        The system needs to be rebooted for these changes to take effect.
++    - regulatory: |-
++        System Crypto Modules must be provided by a vendor that undergoes
++        FIPS-140 certifications.
++        FIPS-140 is applicable to all Federal agencies that use
++        cryptographic-based security systems to protect sensitive information
++        in computer and telecommunication systems (including voice systems) as
++        defined in Section 5131 of the Information Technology Management Reform
++        Act of 1996, Public Law 104-106. This standard shall be used in
++        designing and implementing cryptographic modules that Federal
++        departments and agencies operate or are operated for them under
++        contract. See <b>{{{ weblink(link="https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf") }}}</b>
++        To meet this, the system has to have cryptographic software provided by
++        a vendor that has undergone this certification. This means providing
++        documentation, test results, design information, and independent third
++        party review by an accredited lab. While open source software is
++        capable of meeting this, it does not meet FIPS-140 unless the vendor
++        submits to this process.
+
+From 18ea3b8671e15c06a5c1c864d9d1d67f4262189e Mon Sep 17 00:00:00 2001
+From: Vojtech Polasek <vpolasek@redhat.com>
+Date: Tue, 19 Jan 2021 12:32:25 +0100
+Subject: [PATCH 2/7] add tests
+
+---
+ .../tests/comment.fail.sh                                  | 7 +++++++
+ .../tests/correct_reduced_list.pass.sh                     | 7 +++++++
+ .../tests/correct_scrambled.fail.sh                        | 7 +++++++
+ .../tests/correct_value.pass.sh                            | 7 +++++++
+ .../tests/line_not_there.fail.sh                           | 3 +++
+ .../tests/no_parameters.fail.sh                            | 7 +++++++
+ .../tests/wrong_value.fail.sh                              | 7 +++++++
+ 7 files changed, 45 insertions(+)
+ create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/comment.fail.sh
+ create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/correct_reduced_list.pass.sh
+ create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/correct_scrambled.fail.sh
+ create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/correct_value.pass.sh
+ create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/line_not_there.fail.sh
+ create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/no_parameters.fail.sh
+ create mode 100644 linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/wrong_value.fail.sh
+
+diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/comment.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/comment.fail.sh
+new file mode 100644
+index 0000000000..26bf18234c
+--- /dev/null
++++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/comment.fail.sh
+@@ -0,0 +1,7 @@
++#!/bin/bash
++
++if grep -q "^MACs" /etc/ssh/sshd_config; then
++	sed -i "s/^MACs.*/# MACs hmac-sha2-512,hmac-sha2-256/" /etc/ssh/sshd_config
++else
++	echo "# ciphers MACs hmac-sha2-512,hmac-sha2-256" >> /etc/ssh/sshd_config
++fi
+diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/correct_reduced_list.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/correct_reduced_list.pass.sh
+new file mode 100644
+index 0000000000..0d922cdee9
+--- /dev/null
++++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/correct_reduced_list.pass.sh
+@@ -0,0 +1,7 @@
++#!/bin/bash
++
++if grep -q "^MACs" /etc/ssh/sshd_config; then
++	sed -i "s/^MACs.*/MACs hmac-sha2-512/" /etc/ssh/sshd_config
++else
++	echo "MACs hmac-sha2-512" >> /etc/ssh/sshd_config
++fi
+diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/correct_scrambled.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/correct_scrambled.fail.sh
+new file mode 100644
+index 0000000000..ce3f459352
+--- /dev/null
++++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/correct_scrambled.fail.sh
+@@ -0,0 +1,7 @@
++#!/bin/bash
++
++if grep -q "^MACs" /etc/ssh/sshd_config; then
++	sed -i "s/^MACs.*/MACs hmac-sha2-256,hmac-sha2-512/" /etc/ssh/sshd_config
++else
++	echo "MACs hmac-sha2-256,hmac-sha2-512" >> /etc/ssh/sshd_config
++fi
+diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/correct_value.pass.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/correct_value.pass.sh
+new file mode 100644
+index 0000000000..19da7102a7
+--- /dev/null
++++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/correct_value.pass.sh
+@@ -0,0 +1,7 @@
++#!/bin/bash
++
++if grep -q "^MACs" /etc/ssh/sshd_config; then
++	sed -i "s/^MACs.*/MACs hmac-sha2-512,hmac-sha2-256/" /etc/ssh/sshd_config
++else
++	echo 'MACs hmac-sha2-512,hmac-sha2-256' >> /etc/ssh/sshd_config
++fi
+diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/line_not_there.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/line_not_there.fail.sh
+new file mode 100644
+index 0000000000..fd1f19347a
+--- /dev/null
++++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/line_not_there.fail.sh
+@@ -0,0 +1,3 @@
++#!/bin/bash
++
++sed -i "/^MACs.*/d" /etc/ssh/sshd_config
+diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/no_parameters.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/no_parameters.fail.sh
+new file mode 100644
+index 0000000000..44c07c6de0
+--- /dev/null
++++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/no_parameters.fail.sh
+@@ -0,0 +1,7 @@
++#!/bin/bash
++
++if grep -q "^MACs" /etc/ssh/sshd_config; then
++	sed -i "s/^MACs.*/MACs /" /etc/ssh/sshd_config
++else
++	echo 'MACs ' >> /etc/ssh/sshd_config
++fi
+diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/wrong_value.fail.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/wrong_value.fail.sh
+new file mode 100644
+index 0000000000..cf56cd228f
+--- /dev/null
++++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/tests/wrong_value.fail.sh
+@@ -0,0 +1,7 @@
++#!/bin/bash
++
++if grep -q "^MACs" /etc/ssh/sshd_config; then
++	sed -i "s/^MACs.*/MACs hmac-sha2-512,hmac-sha2-256,blahblah/" /etc/ssh/sshd_config
++else
++	echo "MACs hmac-sha2-512,hmac-sha2-256,blahblah" >> /etc/ssh/sshd_config
++fi
+
+From a334b4b434adf92c94b8bd6bb888751782e70ad3 Mon Sep 17 00:00:00 2001
+From: Vojtech Polasek <vpolasek@redhat.com>
+Date: Tue, 19 Jan 2021 12:32:58 +0100
+Subject: [PATCH 3/7] modify rhel7 stig profile
+
+---
+ rhel7/profiles/stig.profile | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/rhel7/profiles/stig.profile b/rhel7/profiles/stig.profile
+index 6c06a8ede6..17c781d3eb 100644
+--- a/rhel7/profiles/stig.profile
++++ b/rhel7/profiles/stig.profile
+@@ -28,7 +28,6 @@ selections:
+     - inactivity_timeout_value=15_minutes
+     - var_screensaver_lock_delay=5_seconds
+     - sshd_idle_timeout_value=10_minutes
+-    - sshd_approved_macs=stig
+     - var_accounts_fail_delay=4
+     - var_selinux_state=enforcing
+     - var_selinux_policy_name=targeted
+@@ -259,7 +258,7 @@ selections:
+     - sshd_print_last_log
+     - sshd_disable_root_login
+     - sshd_allow_only_protocol2
+-    - sshd_use_approved_macs
++    - sshd_use_approved_macs_ordered_stig
+     - file_permissions_sshd_pub_key
+     - file_permissions_sshd_private_key
+     - sshd_disable_gssapi_auth
+
+From df71fc735efa8754a73fab5d355d422c6e0ffa53 Mon Sep 17 00:00:00 2001
+From: Vojtech Polasek <vpolasek@redhat.com>
+Date: Tue, 19 Jan 2021 12:33:10 +0100
+Subject: [PATCH 4/7] remove rhel7 stigid from sshd_use_approved_macs
+
+---
+ .../services/ssh/ssh_server/sshd_use_approved_macs/rule.yml      | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/rule.yml
+index 394c733f51..d47eb443f5 100644
+--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/rule.yml
++++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs/rule.yml
+@@ -54,7 +54,6 @@ references:
+     nist-csf: PR.AC-1,PR.AC-3,PR.DS-5,PR.PT-4
+     srg: SRG-OS-000125-GPOS-00065,SRG-OS-000250-GPOS-00093,SRG-OS-000394-GPOS-00174
+     vmmsrg: SRG-OS-000033-VMM-000140,SRG-OS-000120-VMM-000600,SRG-OS-000478-VMM-001980,SRG-OS-000480-VMM-002000,SRG-OS-000396-VMM-001590
+-    stigid@rhel7: RHEL-07-040400
+     stigid@sle12: SLES-12-030180
+     isa-62443-2013: 'SR 1.1,SR 1.13,SR 1.2,SR 1.3,SR 1.4,SR 1.5,SR 1.7,SR 1.8,SR 1.9,SR 2.6,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 7.1,SR 7.6'
+     isa-62443-2009: 4.3.3.5.1,4.3.3.6.6
+
+From 9c24aaaba67f0123a82335672fd25aacd913caa4 Mon Sep 17 00:00:00 2001
+From: Vojtech Polasek <vpolasek@redhat.com>
+Date: Thu, 21 Jan 2021 11:43:16 +0100
+Subject: [PATCH 5/7] simplify regex
+
+---
+ .../sshd_use_approved_macs_ordered_stig/oval/shared.xml         | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/oval/shared.xml
+index d7fbd9f0ed..5973488661 100644
+--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/oval/shared.xml
++++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/oval/shared.xml
+@@ -31,7 +31,7 @@
+ 
+   <ind:textfilecontent54_object id="obj_sshd_use_approved_macs_ordered_stig" version="1">
+     <ind:filepath>/etc/ssh/sshd_config</ind:filepath>
+-    <ind:pattern operation="pattern match">^[\s]*(?i)MACs(?-i)[\s]+(?=[\w,-@]+)(hmac-sha2-512(?=[\w,-@]+|$),?)?(hmac-sha2-256(?=[\w,-@]+|$),?)?[\s]*(?:#.*)?$</ind:pattern>
++    <ind:pattern operation="pattern match">^[\s]*(?i)MACs(?-i)[\s]+(?=[\w,-@]+)(hmac-sha2-512(?=[\w,]+|$),?)?(hmac-sha2-256)?[\s]*(?:#.*)?$</ind:pattern>
+     <ind:instance datatype="int">1</ind:instance>
+   </ind:textfilecontent54_object>
+ 
+
+From e3973f4c2988308a2d1a18e67a730a059f791336 Mon Sep 17 00:00:00 2001
+From: Vojtech Polasek <vpolasek@redhat.com>
+Date: Thu, 21 Jan 2021 11:55:19 +0100
+Subject: [PATCH 6/7] make bash remediation more readable
+
+---
+ .../sshd_use_approved_macs_ordered_stig/bash/shared.sh          | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/bash/shared.sh b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/bash/shared.sh
+index c76190fb96..f8f6f39bee 100644
+--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/bash/shared.sh
++++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/bash/shared.sh
+@@ -1,6 +1,6 @@
+ # platform = multi_platform_wrlinux,Red Hat Enterprise Linux 7,Oracle Linux 7
+ 
+-if grep -q -P '^[[:space:]]*MACs[[:space:]]+' /etc/ssh/sshd_config; then
++if grep -q -P '^\s*MACs\s+' /etc/ssh/sshd_config; then
+   sed -i 's/^\s*MACs.*/MACs hmac-sha2-512,hmac-sha2-256/' /etc/ssh/sshd_config
+ else
+   echo "MACs hmac-sha2-512,hmac-sha2-256" >> /etc/ssh/sshd_config
+
+From e5c379ac8cbd7bd42b116d3a5473a78406a662fd Mon Sep 17 00:00:00 2001
+From: Vojtech Polasek <vpolasek@redhat.com>
+Date: Thu, 21 Jan 2021 13:05:18 +0100
+Subject: [PATCH 7/7] one more small fix to oval regex
+
+---
+ .../sshd_use_approved_macs_ordered_stig/oval/shared.xml         | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/oval/shared.xml b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/oval/shared.xml
+index 5973488661..b5443b07c4 100644
+--- a/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/oval/shared.xml
++++ b/linux_os/guide/services/ssh/ssh_server/sshd_use_approved_macs_ordered_stig/oval/shared.xml
+@@ -31,7 +31,7 @@
+ 
+   <ind:textfilecontent54_object id="obj_sshd_use_approved_macs_ordered_stig" version="1">
+     <ind:filepath>/etc/ssh/sshd_config</ind:filepath>
+-    <ind:pattern operation="pattern match">^[\s]*(?i)MACs(?-i)[\s]+(?=[\w,-@]+)(hmac-sha2-512(?=[\w,]+|$),?)?(hmac-sha2-256)?[\s]*(?:#.*)?$</ind:pattern>
++    <ind:pattern operation="pattern match">^[\s]*(?i)MACs(?-i)[\s]+(?=[\w]+)(hmac-sha2-512(?=[\w,]+|$),?)?(hmac-sha2-256)?[\s]*(?:#.*)?$</ind:pattern>
+     <ind:instance datatype="int">1</ind:instance>
+   </ind:textfilecontent54_object>
+ 
diff --git a/SOURCES/scap-security-guide-0.1.55-supress_lint_errors-PR_6542.patch b/SOURCES/scap-security-guide-0.1.55-supress_lint_errors-PR_6542.patch
new file mode 100644
index 0000000..63b4d45
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.55-supress_lint_errors-PR_6542.patch
@@ -0,0 +1,30 @@
+From e5399b7bf17d5bdb995851b3d2a27f3ab2e6066a Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
+Date: Mon, 18 Jan 2021 15:21:51 +0100
+Subject: [PATCH] Supress Ansible lint error 503
+
+It says that Tasks that run when changed should likely be handlers.
+However, we don't use handlers, and developer guide says that handlers
+aren't supported. I assume handlers would cause problems for SCAP
+scanners. Unless we start to support handlers this error isn't fixable
+for us therefore we can suppress it globally.
+
+Addressing problems in scap-security-guide-lint-check Jenkins job:
+30/48 Test #260: ansible-playbook-ansible-lint-check-rhel8 .........***Failed  630.77 sec
+all/sudo_add_umask.yml:30: [E503] Tasks that run when changed should likely be handlers
+anssi_bp28_enhanced/sudo_add_umask.yml:30: [E503] Tasks that run when changed should likely be handlers
+anssi_bp28_high/sudo_add_umask.yml:30: [E503] Tasks that run when changed should likely be handlers
+anssi_bp28_intermediary/sudo_add_umask.yml:30: [E503] Tasks that run when changed should likely be handlers
+---
+ tests/ansible-lint_config.yml | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/tests/ansible-lint_config.yml b/tests/ansible-lint_config.yml
+index d5107476a9..e4b4443f8c 100644
+--- a/tests/ansible-lint_config.yml
++++ b/tests/ansible-lint_config.yml
+@@ -3,3 +3,4 @@ skip_list:
+   - '301' # Commands should not change things if nothing needs doing
+   - '303' # Using command rather than module
+   - '403' # Package installs should not use latest
++  - '503' # Tasks that run when changed should likely be handlers
diff --git a/SOURCES/scap-security-guide-0.1.55-update_RHEL_07_040710-PR_6537.patch b/SOURCES/scap-security-guide-0.1.55-update_RHEL_07_040710-PR_6537.patch
new file mode 100644
index 0000000..6e545d7
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.55-update_RHEL_07_040710-PR_6537.patch
@@ -0,0 +1,73 @@
+From 35eb6ba272c4ca0b7bae1c10af182e59e3e52c6a Mon Sep 17 00:00:00 2001
+From: Gabriel Becker <ggasparb@redhat.com>
+Date: Fri, 15 Jan 2021 16:28:07 +0100
+Subject: [PATCH] RHEL-07-040710 now configures X11Forwarding to disable.
+
+---
+ .../sshd_disable_x11_forwarding/rule.yml      | 19 ++++++++++---------
+ .../sshd_enable_x11_forwarding/rule.yml       |  1 -
+ rhel7/profiles/stig.profile                   |  2 +-
+ 3 files changed, 11 insertions(+), 11 deletions(-)
+
+diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml
+index 1779129f87..7da2e067a6 100644
+--- a/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml
++++ b/linux_os/guide/services/ssh/ssh_server/sshd_disable_x11_forwarding/rule.yml
+@@ -19,22 +19,23 @@ rationale: |-
+     other users on the X11 server. Note that even if X11 forwarding is disabled,
+     users can always install their own forwarders.
+ 
+-severity: low
++severity: medium
+ 
+-ocil_clause: "that the X11Forwarding option exists and is enabled"
+-
+-ocil: |-
+-    {{{ ocil_sshd_option(default="no", option="X11Forwarding", value="no") }}}
++{{{ complete_ocil_entry_sshd_option(default="yes", option="X11Forwarding", value="no") }}}
+ 
+ identifiers:
+     cce@rhel7: CCE-83359-0
+     cce@rhel8: CCE-83360-8
+ 
+ references:
+-  cis@rhel7: 5.2.4
+-  cis@rhel8: 5.2.6
+-  cis@sle12: 5.2.4
+-  cis@sle15: 5.2.6
++    cis@rhel7: 5.2.4
++    cis@rhel8: 5.2.6
++    cis@sle12: 5.2.4
++    cis@sle15: 5.2.6
++    stigid@rhel7: RHEL-07-040710
++    srg: SRG-OS-000480-GPOS-00227
++    disa: CCI-000366
++    nist: CM-6(b)
+ 
+ template:
+     name: sshd_lineinfile
+diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_enable_x11_forwarding/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_enable_x11_forwarding/rule.yml
+index 803e581a0f..87c3cb7f5a 100644
+--- a/linux_os/guide/services/ssh/ssh_server/sshd_enable_x11_forwarding/rule.yml
++++ b/linux_os/guide/services/ssh/ssh_server/sshd_enable_x11_forwarding/rule.yml
+@@ -29,7 +29,6 @@ references:
+     nist: CM-6(a),AC-17(a),AC-17(2)
+     nist-csf: DE.AE-1,PR.DS-7,PR.IP-1
+     srg: SRG-OS-000480-GPOS-00227
+-    stigid@rhel7: RHEL-07-040710
+     stigid@sle12: SLES-12-030260
+     isa-62443-2013: 'SR 7.6'
+     isa-62443-2009: 4.3.4.3.2,4.3.4.3.3,4.4.3.3
+diff --git a/rhel7/profiles/stig.profile b/rhel7/profiles/stig.profile
+index 817e0982e5..6c06a8ede6 100644
+--- a/rhel7/profiles/stig.profile
++++ b/rhel7/profiles/stig.profile
+@@ -285,7 +285,7 @@ selections:
+     - postfix_prevent_unrestricted_relay
+     - package_vsftpd_removed
+     - package_tftp-server_removed
+-    - sshd_enable_x11_forwarding
++    - sshd_disable_x11_forwarding
+     - sshd_x11_use_localhost
+     - tftpd_uses_secure_mode
+     - package_xorg-x11-server-common_removed
diff --git a/SOURCES/scap-security-guide-0.1.55-update_anssi_profile_title-PR_6592.patch b/SOURCES/scap-security-guide-0.1.55-update_anssi_profile_title-PR_6592.patch
new file mode 100644
index 0000000..9903603
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.55-update_anssi_profile_title-PR_6592.patch
@@ -0,0 +1,688 @@
+From e3dd773f905114c1d16ac3283611218a685f1722 Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Wed, 3 Feb 2021 09:17:15 +0100
+Subject: [PATCH 1/5] Remove extends key from ANSSI intermediary profile
+
+This is not necessary as the ANSSI controls file handles this.
+---
+ rhel8/profiles/anssi_bp28_intermediary.profile | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/rhel8/profiles/anssi_bp28_intermediary.profile b/rhel8/profiles/anssi_bp28_intermediary.profile
+index 64a9b542a0..4d0029af1d 100644
+--- a/rhel8/profiles/anssi_bp28_intermediary.profile
++++ b/rhel8/profiles/anssi_bp28_intermediary.profile
+@@ -7,7 +7,6 @@ description:
+     Agence nationale de la sécurité des systèmes d''information. Based on
+     https://www.ssi.gouv.fr/.
+ 
+-extends: anssi_bp28_minimal
+ 
+ selections:
+   - anssi:all:intermediary
+
+From 48845dbde69e69a043fc90622f21dc73d6a72018 Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Wed, 3 Feb 2021 09:21:47 +0100
+Subject: [PATCH 2/5] Update title and descriptions of ANSSI profiles
+
+---
+ controls/anssi.yml                             |  2 +-
+ rhel7/profiles/anssi_nt28_enhanced.profile     | 12 +++++++++---
+ rhel7/profiles/anssi_nt28_high.profile         | 12 +++++++++---
+ rhel7/profiles/anssi_nt28_intermediary.profile | 14 ++++++++++----
+ rhel7/profiles/anssi_nt28_minimal.profile      | 14 ++++++++++----
+ rhel8/profiles/anssi_bp28_enhanced.profile     | 12 ++++++++----
+ rhel8/profiles/anssi_bp28_high.profile         | 14 +++++++++-----
+ rhel8/profiles/anssi_bp28_intermediary.profile | 11 +++++++----
+ rhel8/profiles/anssi_bp28_minimal.profile      | 12 ++++++++----
+ 9 files changed, 71 insertions(+), 32 deletions(-)
+
+diff --git a/controls/anssi.yml b/controls/anssi.yml
+index 2173d23f9d..54c05245b7 100644
+--- a/controls/anssi.yml
++++ b/controls/anssi.yml
+@@ -1,5 +1,5 @@
+ policy: 'ANSSI-BP-028'
+-title: 'ANSSI-BP-028'
++title: 'Configuration Recommendations of a GNU/Linux System'
+ id: anssi
+ version: '1.2'
+ source: https://www.ssi.gouv.fr/uploads/2019/03/linux_configuration-en-v1.2.pdf
+diff --git a/rhel7/profiles/anssi_nt28_enhanced.profile b/rhel7/profiles/anssi_nt28_enhanced.profile
+index 5893d12dbd..49fa8593fe 100644
+--- a/rhel7/profiles/anssi_nt28_enhanced.profile
++++ b/rhel7/profiles/anssi_nt28_enhanced.profile
+@@ -1,9 +1,15 @@
+ documentation_complete: true
+ 
+-title: 'DRAFT - ANSSI DAT-BP28 (enhanced)'
++title: 'ANSSI BP-028 (enhanced)'
+ 
+-description: 'Draft profile for ANSSI compliance at the enhanced level. ANSSI stands for Agence nationale de la sécurité des
+-    systèmes d''information. Based on https://www.ssi.gouv.fr/.'
++description: |-
++    This profile contains configurations that align to ANSSI BP-28 at the enhanced hardening level.
++
++    ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information.
++    ANSSI BP-028 is a configuration recommendation for GNU/Linux systems.
++
++    A copy of the ANSSI BP-028 can be found at the ANSSI website:
++    https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
+ 
+ selections:
+     - anssi:all:enhanced
+diff --git a/rhel7/profiles/anssi_nt28_high.profile b/rhel7/profiles/anssi_nt28_high.profile
+index 52ae1dd6d2..2853f20607 100644
+--- a/rhel7/profiles/anssi_nt28_high.profile
++++ b/rhel7/profiles/anssi_nt28_high.profile
+@@ -1,9 +1,15 @@
+ documentation_complete: true
+ 
+-title: 'DRAFT - ANSSI DAT-BP28 (high)'
++title: 'DRAFT - ANSSI BP-028 (high)'
+ 
+-description: 'Draft profile for ANSSI compliance at the high level. ANSSI stands for Agence nationale de la sécurité des systèmes
+-    d''information. Based on https://www.ssi.gouv.fr/.'
++description: |-
++    This profile contains configurations that align to ANSSI BP-28 at the high hardening level.
++
++    ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information.
++    ANSSI BP-028 is a configuration recommendation for GNU/Linux systems.
++
++    A copy of the ANSSI BP-028 can be found at the ANSSI website:
++    https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
+ 
+ selections:
+     - anssi:all:high
+diff --git a/rhel7/profiles/anssi_nt28_intermediary.profile b/rhel7/profiles/anssi_nt28_intermediary.profile
+index e18225247b..55f985a7a9 100644
+--- a/rhel7/profiles/anssi_nt28_intermediary.profile
++++ b/rhel7/profiles/anssi_nt28_intermediary.profile
+@@ -1,10 +1,16 @@
+ # Don't forget to enable build of tables in rhel7CMakeLists.txt when setting to true
+ documentation_complete: true
+ 
+-title: 'DRAFT - ANSSI DAT-BP28 (intermediary)'
++title: 'ANSSI BP-028 (intermediary)'
+ 
+-description: 'Draft profile for ANSSI compliance at the intermediary level. ANSSI stands for Agence nationale de la sécurité
+-    des systèmes d''information. Based on https://www.ssi.gouv.fr/.'
++description: |-
++    This profile contains configurations that align to ANSSI BP-28 at the intermediary hardening level.
++
++    ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information.
++    ANSSI BP-028 is a configuration recommendation for GNU/Linux systems.
++
++    A copy of the ANSSI BP-028 can be found at the ANSSI website:
++    https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
+ 
+ selections:
+-  - anssi:all:intermediary
++    - anssi:all:intermediary
+diff --git a/rhel7/profiles/anssi_nt28_minimal.profile b/rhel7/profiles/anssi_nt28_minimal.profile
+index 214f37d14b..7786a26b45 100644
+--- a/rhel7/profiles/anssi_nt28_minimal.profile
++++ b/rhel7/profiles/anssi_nt28_minimal.profile
+@@ -1,9 +1,15 @@
+ documentation_complete: true
+ 
+-title: 'DRAFT - ANSSI DAT-BP28 (minimal)'
++title: 'ANSSI BP-028 (minimal)'
+ 
+-description: 'Draft profile for ANSSI compliance at the minimal level. ANSSI stands for Agence nationale de la sécurité des
+-    systèmes d''information. Based on https://www.ssi.gouv.fr/.'
++description: |-
++    This profile contains configurations that align to ANSSI BP-28 at the minimal hardening level.
++
++    ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information.
++    ANSSI BP-028 is a configuration recommendation for GNU/Linux systems.
++
++    A copy of the ANSSI BP-028 can be found at the ANSSI website:
++    https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
+ 
+ selections:
+-  - anssi:all:minimal
++    - anssi:all:minimal
+diff --git a/rhel8/profiles/anssi_bp28_enhanced.profile b/rhel8/profiles/anssi_bp28_enhanced.profile
+index 4c39852b65..49fa8593fe 100644
+--- a/rhel8/profiles/anssi_bp28_enhanced.profile
++++ b/rhel8/profiles/anssi_bp28_enhanced.profile
+@@ -2,10 +2,14 @@ documentation_complete: true
+ 
+ title: 'ANSSI BP-028 (enhanced)'
+ 
+-description: 
+-    ANSSI BP-028 compliance at the enhanced level. ANSSI stands for
+-    Agence nationale de la sécurité des systèmes d'information. Based on
+-    https://www.ssi.gouv.fr/.
++description: |-
++    This profile contains configurations that align to ANSSI BP-28 at the enhanced hardening level.
++
++    ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information.
++    ANSSI BP-028 is a configuration recommendation for GNU/Linux systems.
++
++    A copy of the ANSSI BP-028 can be found at the ANSSI website:
++    https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
+ 
+ selections:
+     - anssi:all:enhanced
+diff --git a/rhel8/profiles/anssi_bp28_high.profile b/rhel8/profiles/anssi_bp28_high.profile
+index 6b0489e0f1..2853f20607 100644
+--- a/rhel8/profiles/anssi_bp28_high.profile
++++ b/rhel8/profiles/anssi_bp28_high.profile
+@@ -1,11 +1,15 @@
+ documentation_complete: false
+ 
+-title: 'ANSSI BP-028 (high)'
++title: 'DRAFT - ANSSI BP-028 (high)'
+ 
+-description: 
+-    ANSSI BP-028 compliance at the high level. ANSSI stands for
+-    Agence nationale de la sécurité des systèmes d'information. Based on
+-    https://www.ssi.gouv.fr/.
++description: |-
++    This profile contains configurations that align to ANSSI BP-28 at the high hardening level.
++
++    ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information.
++    ANSSI BP-028 is a configuration recommendation for GNU/Linux systems.
++
++    A copy of the ANSSI BP-028 can be found at the ANSSI website:
++    https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
+ 
+ selections:
+     - anssi:all:high
+diff --git a/rhel8/profiles/anssi_bp28_intermediary.profile b/rhel8/profiles/anssi_bp28_intermediary.profile
+index 4d0029af1d..50ab1ba0b8 100644
+--- a/rhel8/profiles/anssi_bp28_intermediary.profile
++++ b/rhel8/profiles/anssi_bp28_intermediary.profile
+@@ -2,11 +2,14 @@ documentation_complete: true
+ 
+ title: 'ANSSI BP-028 (intermediary)'
+ 
+-description: 
+-    ANSSI BP-028 compliance at the intermediary level. ANSSI stands for
+-    Agence nationale de la sécurité des systèmes d''information. Based on
+-    https://www.ssi.gouv.fr/.
++description: |-
++    This profile contains configurations that align to ANSSI BP-28 at the intermediary hardening level.
+ 
++    ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information.
++    ANSSI BP-028 is a configuration recommendation for GNU/Linux systems.
++
++    A copy of the ANSSI BP-028 can be found at the ANSSI website:
++    https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
+ 
+ selections:
+   - anssi:all:intermediary
+diff --git a/rhel8/profiles/anssi_bp28_minimal.profile b/rhel8/profiles/anssi_bp28_minimal.profile
+index d8f076c3e7..d477d34787 100644
+--- a/rhel8/profiles/anssi_bp28_minimal.profile
++++ b/rhel8/profiles/anssi_bp28_minimal.profile
+@@ -2,10 +2,14 @@ documentation_complete: true
+ 
+ title: 'ANSSI BP-028 (minimal)'
+ 
+-description: 
+-    ANSSI BP-028 compliance at the minimal level. ANSSI stands for
+-    Agence nationale de la sécurité des systèmes d'information. Based on
+-    https://www.ssi.gouv.fr/.
++description: |-
++    This profile contains configurations that align to ANSSI BP-28 at the minimal hardening level.
++
++    ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information.
++    ANSSI BP-028 is a configuration recommendation for GNU/Linux systems.
++
++    A copy of the ANSSI BP-028 can be found at the ANSSI website:
++    https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
+ 
+ selections:
+   - anssi:all:minimal
+
+From 5ea9fe70c78df6c4278aec71b9ab000a9884cea7 Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Wed, 3 Feb 2021 12:23:14 +0100
+Subject: [PATCH 3/5] Add missing hyphen in ANSSI profiles descriptions
+
+---
+ rhel7/profiles/anssi_nt28_enhanced.profile     | 8 ++++----
+ rhel7/profiles/anssi_nt28_high.profile         | 8 ++++----
+ rhel7/profiles/anssi_nt28_intermediary.profile | 8 ++++----
+ rhel7/profiles/anssi_nt28_minimal.profile      | 8 ++++----
+ rhel8/profiles/anssi_bp28_enhanced.profile     | 8 ++++----
+ rhel8/profiles/anssi_bp28_high.profile         | 8 ++++----
+ rhel8/profiles/anssi_bp28_intermediary.profile | 8 ++++----
+ rhel8/profiles/anssi_bp28_minimal.profile      | 8 ++++----
+ 8 files changed, 32 insertions(+), 32 deletions(-)
+
+diff --git a/rhel7/profiles/anssi_nt28_enhanced.profile b/rhel7/profiles/anssi_nt28_enhanced.profile
+index 49fa8593fe..411f0c03aa 100644
+--- a/rhel7/profiles/anssi_nt28_enhanced.profile
++++ b/rhel7/profiles/anssi_nt28_enhanced.profile
+@@ -1,14 +1,14 @@
+ documentation_complete: true
+ 
+-title: 'ANSSI BP-028 (enhanced)'
++title: 'ANSSI-BP-028 (enhanced)'
+ 
+ description: |-
+-    This profile contains configurations that align to ANSSI BP-28 at the enhanced hardening level.
++    This profile contains configurations that align to ANSSI-BP-28 at the enhanced hardening level.
+ 
+     ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information.
+-    ANSSI BP-028 is a configuration recommendation for GNU/Linux systems.
++    ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.
+ 
+-    A copy of the ANSSI BP-028 can be found at the ANSSI website:
++    A copy of the ANSSI-BP-028 can be found at the ANSSI website:
+     https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
+ 
+ selections:
+diff --git a/rhel7/profiles/anssi_nt28_high.profile b/rhel7/profiles/anssi_nt28_high.profile
+index 2853f20607..d9147b2dd0 100644
+--- a/rhel7/profiles/anssi_nt28_high.profile
++++ b/rhel7/profiles/anssi_nt28_high.profile
+@@ -1,14 +1,14 @@
+ documentation_complete: true
+ 
+-title: 'DRAFT - ANSSI BP-028 (high)'
++title: 'DRAFT - ANSSI-BP-028 (high)'
+ 
+ description: |-
+-    This profile contains configurations that align to ANSSI BP-28 at the high hardening level.
++    This profile contains configurations that align to ANSSI-BP-28 at the high hardening level.
+ 
+     ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information.
+-    ANSSI BP-028 is a configuration recommendation for GNU/Linux systems.
++    ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.
+ 
+-    A copy of the ANSSI BP-028 can be found at the ANSSI website:
++    A copy of the ANSSI-BP-028 can be found at the ANSSI website:
+     https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
+ 
+ selections:
+diff --git a/rhel7/profiles/anssi_nt28_intermediary.profile b/rhel7/profiles/anssi_nt28_intermediary.profile
+index 55f985a7a9..6e39a978e5 100644
+--- a/rhel7/profiles/anssi_nt28_intermediary.profile
++++ b/rhel7/profiles/anssi_nt28_intermediary.profile
+@@ -1,15 +1,15 @@
+ # Don't forget to enable build of tables in rhel7CMakeLists.txt when setting to true
+ documentation_complete: true
+ 
+-title: 'ANSSI BP-028 (intermediary)'
++title: 'ANSSI-BP-028 (intermediary)'
+ 
+ description: |-
+-    This profile contains configurations that align to ANSSI BP-28 at the intermediary hardening level.
++    This profile contains configurations that align to ANSSI-BP-28 at the intermediary hardening level.
+ 
+     ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information.
+-    ANSSI BP-028 is a configuration recommendation for GNU/Linux systems.
++    ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.
+ 
+-    A copy of the ANSSI BP-028 can be found at the ANSSI website:
++    A copy of the ANSSI-BP-028 can be found at the ANSSI website:
+     https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
+ 
+ selections:
+diff --git a/rhel7/profiles/anssi_nt28_minimal.profile b/rhel7/profiles/anssi_nt28_minimal.profile
+index 7786a26b45..f0a77bccd7 100644
+--- a/rhel7/profiles/anssi_nt28_minimal.profile
++++ b/rhel7/profiles/anssi_nt28_minimal.profile
+@@ -1,14 +1,14 @@
+ documentation_complete: true
+ 
+-title: 'ANSSI BP-028 (minimal)'
++title: 'ANSSI-BP-028 (minimal)'
+ 
+ description: |-
+-    This profile contains configurations that align to ANSSI BP-28 at the minimal hardening level.
++    This profile contains configurations that align to ANSSI-BP-28 at the minimal hardening level.
+ 
+     ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information.
+-    ANSSI BP-028 is a configuration recommendation for GNU/Linux systems.
++    ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.
+ 
+-    A copy of the ANSSI BP-028 can be found at the ANSSI website:
++    A copy of the ANSSI-BP-028 can be found at the ANSSI website:
+     https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
+ 
+ selections:
+diff --git a/rhel8/profiles/anssi_bp28_enhanced.profile b/rhel8/profiles/anssi_bp28_enhanced.profile
+index 49fa8593fe..411f0c03aa 100644
+--- a/rhel8/profiles/anssi_bp28_enhanced.profile
++++ b/rhel8/profiles/anssi_bp28_enhanced.profile
+@@ -1,14 +1,14 @@
+ documentation_complete: true
+ 
+-title: 'ANSSI BP-028 (enhanced)'
++title: 'ANSSI-BP-028 (enhanced)'
+ 
+ description: |-
+-    This profile contains configurations that align to ANSSI BP-28 at the enhanced hardening level.
++    This profile contains configurations that align to ANSSI-BP-28 at the enhanced hardening level.
+ 
+     ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information.
+-    ANSSI BP-028 is a configuration recommendation for GNU/Linux systems.
++    ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.
+ 
+-    A copy of the ANSSI BP-028 can be found at the ANSSI website:
++    A copy of the ANSSI-BP-028 can be found at the ANSSI website:
+     https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
+ 
+ selections:
+diff --git a/rhel8/profiles/anssi_bp28_high.profile b/rhel8/profiles/anssi_bp28_high.profile
+index 2853f20607..d9147b2dd0 100644
+--- a/rhel8/profiles/anssi_bp28_high.profile
++++ b/rhel8/profiles/anssi_bp28_high.profile
+@@ -1,14 +1,14 @@
+ documentation_complete: false
+ 
+-title: 'DRAFT - ANSSI BP-028 (high)'
++title: 'DRAFT - ANSSI-BP-028 (high)'
+ 
+ description: |-
+-    This profile contains configurations that align to ANSSI BP-28 at the high hardening level.
++    This profile contains configurations that align to ANSSI-BP-28 at the high hardening level.
+ 
+     ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information.
+-    ANSSI BP-028 is a configuration recommendation for GNU/Linux systems.
++    ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.
+ 
+-    A copy of the ANSSI BP-028 can be found at the ANSSI website:
++    A copy of the ANSSI-BP-028 can be found at the ANSSI website:
+     https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
+ 
+ selections:
+diff --git a/rhel8/profiles/anssi_bp28_intermediary.profile b/rhel8/profiles/anssi_bp28_intermediary.profile
+index 50ab1ba0b8..6dcd2b8ef2 100644
+--- a/rhel8/profiles/anssi_bp28_intermediary.profile
++++ b/rhel8/profiles/anssi_bp28_intermediary.profile
+@@ -1,14 +1,14 @@
+ documentation_complete: true
+ 
+-title: 'ANSSI BP-028 (intermediary)'
++title: 'ANSSI-BP-028 (intermediary)'
+ 
+ description: |-
+-    This profile contains configurations that align to ANSSI BP-28 at the intermediary hardening level.
++    This profile contains configurations that align to ANSSI-BP-28 at the intermediary hardening level.
+ 
+     ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information.
+-    ANSSI BP-028 is a configuration recommendation for GNU/Linux systems.
++    ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.
+ 
+-    A copy of the ANSSI BP-028 can be found at the ANSSI website:
++    A copy of the ANSSI-BP-028 can be found at the ANSSI website:
+     https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
+ 
+ selections:
+diff --git a/rhel8/profiles/anssi_bp28_minimal.profile b/rhel8/profiles/anssi_bp28_minimal.profile
+index d477d34787..54e8cbd5a6 100644
+--- a/rhel8/profiles/anssi_bp28_minimal.profile
++++ b/rhel8/profiles/anssi_bp28_minimal.profile
+@@ -1,14 +1,14 @@
+ documentation_complete: true
+ 
+-title: 'ANSSI BP-028 (minimal)'
++title: 'ANSSI-BP-028 (minimal)'
+ 
+ description: |-
+-    This profile contains configurations that align to ANSSI BP-28 at the minimal hardening level.
++    This profile contains configurations that align to ANSSI-BP-28 at the minimal hardening level.
+ 
+     ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information.
+-    ANSSI BP-028 is a configuration recommendation for GNU/Linux systems.
++    ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.
+ 
+-    A copy of the ANSSI BP-028 can be found at the ANSSI website:
++    A copy of the ANSSI-BP-028 can be found at the ANSSI website:
+     https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/
+ 
+ selections:
+
+From c111061d6f1b9c134cc4cff1b712c44f271bcf42 Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Fri, 5 Feb 2021 11:11:57 +0100
+Subject: [PATCH 4/5] Fix ANSSI document number for consistency
+
+---
+ rhel7/profiles/anssi_nt28_enhanced.profile     | 2 +-
+ rhel7/profiles/anssi_nt28_high.profile         | 2 +-
+ rhel7/profiles/anssi_nt28_intermediary.profile | 2 +-
+ rhel7/profiles/anssi_nt28_minimal.profile      | 2 +-
+ rhel8/profiles/anssi_bp28_enhanced.profile     | 2 +-
+ rhel8/profiles/anssi_bp28_high.profile         | 2 +-
+ rhel8/profiles/anssi_bp28_intermediary.profile | 2 +-
+ rhel8/profiles/anssi_bp28_minimal.profile      | 2 +-
+ 8 files changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/rhel7/profiles/anssi_nt28_enhanced.profile b/rhel7/profiles/anssi_nt28_enhanced.profile
+index 411f0c03aa..846ace9002 100644
+--- a/rhel7/profiles/anssi_nt28_enhanced.profile
++++ b/rhel7/profiles/anssi_nt28_enhanced.profile
+@@ -3,7 +3,7 @@ documentation_complete: true
+ title: 'ANSSI-BP-028 (enhanced)'
+ 
+ description: |-
+-    This profile contains configurations that align to ANSSI-BP-28 at the enhanced hardening level.
++    This profile contains configurations that align to ANSSI-BP-028 at the enhanced hardening level.
+ 
+     ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information.
+     ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.
+diff --git a/rhel7/profiles/anssi_nt28_high.profile b/rhel7/profiles/anssi_nt28_high.profile
+index d9147b2dd0..e4db830291 100644
+--- a/rhel7/profiles/anssi_nt28_high.profile
++++ b/rhel7/profiles/anssi_nt28_high.profile
+@@ -3,7 +3,7 @@ documentation_complete: true
+ title: 'DRAFT - ANSSI-BP-028 (high)'
+ 
+ description: |-
+-    This profile contains configurations that align to ANSSI-BP-28 at the high hardening level.
++    This profile contains configurations that align to ANSSI-BP-028 at the high hardening level.
+ 
+     ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information.
+     ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.
+diff --git a/rhel7/profiles/anssi_nt28_intermediary.profile b/rhel7/profiles/anssi_nt28_intermediary.profile
+index 6e39a978e5..4454976862 100644
+--- a/rhel7/profiles/anssi_nt28_intermediary.profile
++++ b/rhel7/profiles/anssi_nt28_intermediary.profile
+@@ -4,7 +4,7 @@ documentation_complete: true
+ title: 'ANSSI-BP-028 (intermediary)'
+ 
+ description: |-
+-    This profile contains configurations that align to ANSSI-BP-28 at the intermediary hardening level.
++    This profile contains configurations that align to ANSSI-BP-028 at the intermediary hardening level.
+ 
+     ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information.
+     ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.
+diff --git a/rhel7/profiles/anssi_nt28_minimal.profile b/rhel7/profiles/anssi_nt28_minimal.profile
+index f0a77bccd7..cc2cbd8359 100644
+--- a/rhel7/profiles/anssi_nt28_minimal.profile
++++ b/rhel7/profiles/anssi_nt28_minimal.profile
+@@ -3,7 +3,7 @@ documentation_complete: true
+ title: 'ANSSI-BP-028 (minimal)'
+ 
+ description: |-
+-    This profile contains configurations that align to ANSSI-BP-28 at the minimal hardening level.
++    This profile contains configurations that align to ANSSI-BP-028 at the minimal hardening level.
+ 
+     ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information.
+     ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.
+diff --git a/rhel8/profiles/anssi_bp28_enhanced.profile b/rhel8/profiles/anssi_bp28_enhanced.profile
+index 411f0c03aa..846ace9002 100644
+--- a/rhel8/profiles/anssi_bp28_enhanced.profile
++++ b/rhel8/profiles/anssi_bp28_enhanced.profile
+@@ -3,7 +3,7 @@ documentation_complete: true
+ title: 'ANSSI-BP-028 (enhanced)'
+ 
+ description: |-
+-    This profile contains configurations that align to ANSSI-BP-28 at the enhanced hardening level.
++    This profile contains configurations that align to ANSSI-BP-028 at the enhanced hardening level.
+ 
+     ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information.
+     ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.
+diff --git a/rhel8/profiles/anssi_bp28_high.profile b/rhel8/profiles/anssi_bp28_high.profile
+index d9147b2dd0..e4db830291 100644
+--- a/rhel8/profiles/anssi_bp28_high.profile
++++ b/rhel8/profiles/anssi_bp28_high.profile
+@@ -3,7 +3,7 @@ documentation_complete: false
+ title: 'DRAFT - ANSSI-BP-028 (high)'
+ 
+ description: |-
+-    This profile contains configurations that align to ANSSI-BP-28 at the high hardening level.
++    This profile contains configurations that align to ANSSI-BP-028 at the high hardening level.
+ 
+     ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information.
+     ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.
+diff --git a/rhel8/profiles/anssi_bp28_intermediary.profile b/rhel8/profiles/anssi_bp28_intermediary.profile
+index 6dcd2b8ef2..a9e0442257 100644
+--- a/rhel8/profiles/anssi_bp28_intermediary.profile
++++ b/rhel8/profiles/anssi_bp28_intermediary.profile
+@@ -3,7 +3,7 @@ documentation_complete: true
+ title: 'ANSSI-BP-028 (intermediary)'
+ 
+ description: |-
+-    This profile contains configurations that align to ANSSI-BP-28 at the intermediary hardening level.
++    This profile contains configurations that align to ANSSI-BP-028 at the intermediary hardening level.
+ 
+     ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information.
+     ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.
+diff --git a/rhel8/profiles/anssi_bp28_minimal.profile b/rhel8/profiles/anssi_bp28_minimal.profile
+index 54e8cbd5a6..090b571bb6 100644
+--- a/rhel8/profiles/anssi_bp28_minimal.profile
++++ b/rhel8/profiles/anssi_bp28_minimal.profile
+@@ -3,7 +3,7 @@ documentation_complete: true
+ title: 'ANSSI-BP-028 (minimal)'
+ 
+ description: |-
+-    This profile contains configurations that align to ANSSI-BP-28 at the minimal hardening level.
++    This profile contains configurations that align to ANSSI-BP-028 at the minimal hardening level.
+ 
+     ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information.
+     ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.
+
+From c4b11df5dabe389129f3cbc8a5bd9444fce09850 Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Fri, 5 Feb 2021 16:05:07 +0100
+Subject: [PATCH 5/5] Fix single quote in ANSSI name
+
+Previously the description was enclosed in single quotes, requiring a
+single quote to be escaped.
+Now the description is not enclosed in single quotes and there is no
+need to escape it.
+---
+ rhel7/profiles/anssi_nt28_enhanced.profile     | 2 +-
+ rhel7/profiles/anssi_nt28_high.profile         | 2 +-
+ rhel7/profiles/anssi_nt28_intermediary.profile | 2 +-
+ rhel7/profiles/anssi_nt28_minimal.profile      | 2 +-
+ rhel8/profiles/anssi_bp28_enhanced.profile     | 2 +-
+ rhel8/profiles/anssi_bp28_high.profile         | 2 +-
+ rhel8/profiles/anssi_bp28_intermediary.profile | 2 +-
+ rhel8/profiles/anssi_bp28_minimal.profile      | 2 +-
+ 8 files changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/rhel7/profiles/anssi_nt28_enhanced.profile b/rhel7/profiles/anssi_nt28_enhanced.profile
+index 846ace9002..bbc11353f3 100644
+--- a/rhel7/profiles/anssi_nt28_enhanced.profile
++++ b/rhel7/profiles/anssi_nt28_enhanced.profile
+@@ -5,7 +5,7 @@ title: 'ANSSI-BP-028 (enhanced)'
+ description: |-
+     This profile contains configurations that align to ANSSI-BP-028 at the enhanced hardening level.
+ 
+-    ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information.
++    ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information.
+     ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.
+ 
+     A copy of the ANSSI-BP-028 can be found at the ANSSI website:
+diff --git a/rhel7/profiles/anssi_nt28_high.profile b/rhel7/profiles/anssi_nt28_high.profile
+index e4db830291..22efad9c09 100644
+--- a/rhel7/profiles/anssi_nt28_high.profile
++++ b/rhel7/profiles/anssi_nt28_high.profile
+@@ -5,7 +5,7 @@ title: 'DRAFT - ANSSI-BP-028 (high)'
+ description: |-
+     This profile contains configurations that align to ANSSI-BP-028 at the high hardening level.
+ 
+-    ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information.
++    ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information.
+     ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.
+ 
+     A copy of the ANSSI-BP-028 can be found at the ANSSI website:
+diff --git a/rhel7/profiles/anssi_nt28_intermediary.profile b/rhel7/profiles/anssi_nt28_intermediary.profile
+index 4454976862..0c43ab8d73 100644
+--- a/rhel7/profiles/anssi_nt28_intermediary.profile
++++ b/rhel7/profiles/anssi_nt28_intermediary.profile
+@@ -6,7 +6,7 @@ title: 'ANSSI-BP-028 (intermediary)'
+ description: |-
+     This profile contains configurations that align to ANSSI-BP-028 at the intermediary hardening level.
+ 
+-    ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information.
++    ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information.
+     ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.
+ 
+     A copy of the ANSSI-BP-028 can be found at the ANSSI website:
+diff --git a/rhel7/profiles/anssi_nt28_minimal.profile b/rhel7/profiles/anssi_nt28_minimal.profile
+index cc2cbd8359..480333747c 100644
+--- a/rhel7/profiles/anssi_nt28_minimal.profile
++++ b/rhel7/profiles/anssi_nt28_minimal.profile
+@@ -5,7 +5,7 @@ title: 'ANSSI-BP-028 (minimal)'
+ description: |-
+     This profile contains configurations that align to ANSSI-BP-028 at the minimal hardening level.
+ 
+-    ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information.
++    ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information.
+     ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.
+ 
+     A copy of the ANSSI-BP-028 can be found at the ANSSI website:
+diff --git a/rhel8/profiles/anssi_bp28_enhanced.profile b/rhel8/profiles/anssi_bp28_enhanced.profile
+index 846ace9002..bbc11353f3 100644
+--- a/rhel8/profiles/anssi_bp28_enhanced.profile
++++ b/rhel8/profiles/anssi_bp28_enhanced.profile
+@@ -5,7 +5,7 @@ title: 'ANSSI-BP-028 (enhanced)'
+ description: |-
+     This profile contains configurations that align to ANSSI-BP-028 at the enhanced hardening level.
+ 
+-    ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information.
++    ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information.
+     ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.
+ 
+     A copy of the ANSSI-BP-028 can be found at the ANSSI website:
+diff --git a/rhel8/profiles/anssi_bp28_high.profile b/rhel8/profiles/anssi_bp28_high.profile
+index e4db830291..22efad9c09 100644
+--- a/rhel8/profiles/anssi_bp28_high.profile
++++ b/rhel8/profiles/anssi_bp28_high.profile
+@@ -5,7 +5,7 @@ title: 'DRAFT - ANSSI-BP-028 (high)'
+ description: |-
+     This profile contains configurations that align to ANSSI-BP-028 at the high hardening level.
+ 
+-    ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information.
++    ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information.
+     ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.
+ 
+     A copy of the ANSSI-BP-028 can be found at the ANSSI website:
+diff --git a/rhel8/profiles/anssi_bp28_intermediary.profile b/rhel8/profiles/anssi_bp28_intermediary.profile
+index a9e0442257..a592031673 100644
+--- a/rhel8/profiles/anssi_bp28_intermediary.profile
++++ b/rhel8/profiles/anssi_bp28_intermediary.profile
+@@ -5,7 +5,7 @@ title: 'ANSSI-BP-028 (intermediary)'
+ description: |-
+     This profile contains configurations that align to ANSSI-BP-028 at the intermediary hardening level.
+ 
+-    ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information.
++    ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information.
+     ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.
+ 
+     A copy of the ANSSI-BP-028 can be found at the ANSSI website:
+diff --git a/rhel8/profiles/anssi_bp28_minimal.profile b/rhel8/profiles/anssi_bp28_minimal.profile
+index 090b571bb6..cef8394114 100644
+--- a/rhel8/profiles/anssi_bp28_minimal.profile
++++ b/rhel8/profiles/anssi_bp28_minimal.profile
+@@ -5,7 +5,7 @@ title: 'ANSSI-BP-028 (minimal)'
+ description: |-
+     This profile contains configurations that align to ANSSI-BP-028 at the minimal hardening level.
+ 
+-    ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d''information.
++    ANSSI is the French National Information Security Agency, and stands for Agence nationale de la sécurité des systèmes d'information.
+     ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.
+ 
+     A copy of the ANSSI-BP-028 can be found at the ANSSI website:
diff --git a/SOURCES/scap-security-guide-0.1.55-update_metadata_for_minimal_intermediary-PR_6549.patch b/SOURCES/scap-security-guide-0.1.55-update_metadata_for_minimal_intermediary-PR_6549.patch
new file mode 100644
index 0000000..d3eb75f
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.55-update_metadata_for_minimal_intermediary-PR_6549.patch
@@ -0,0 +1,89 @@
+From ce6a307518c55b333897f5c130f5372dee9eeae8 Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Mon, 18 Jan 2021 11:18:43 +0100
+Subject: [PATCH] Update metadata for a few miminal and intermediary
+ requirements
+
+---
+ controls/anssi.yml | 20 +++++++++++++++++---
+ 1 file changed, 17 insertions(+), 3 deletions(-)
+
+diff --git a/controls/anssi.yml b/controls/anssi.yml
+index dec9d68c99..9288ac1663 100644
+--- a/controls/anssi.yml
++++ b/controls/anssi.yml
+@@ -506,7 +506,10 @@ controls:
+   - id: R27
+     title: Disabling service accounts
+     level: intermediary
+-    # rules: TBD
++    notes: >-
++      It is difficult to generally identify the system's service accounts.
++      Assisting rules could list users which are not disabled for manual review.
++    automated: no
+ 
+   - id: R28
+     level: enhanced
+@@ -530,7 +533,10 @@ controls:
+   - id: R30
+     level: minimal
+     title: Applications using PAM
+-    # rules: TBD
++    notes: >-
++      Manual review is necessary to decide if the list of applications using PAM is minimal.
++      Asssising rules could be created to list all applications using PAM for manual review.
++    automated: no
+ 
+   - id: R31
+     title: Securing PAM Authentication Network Services
+@@ -580,6 +586,7 @@ controls:
+   - id: R36
+     title: Rights to access sensitive content files
+     level: intermediary
++    automated: yes
+     rules:
+     - file_owner_etc_shadow
+     - file_permissions_etc_shadow
+@@ -637,7 +644,10 @@ controls:
+   - id: R42
+     level: minimal
+     title: In memory services and daemons
+-    # rules: TBD
++    notes: >-
++      Manual review is necessary to decide if the list of resident daemons is minimal.
++      Asssising rules could be created to list sevices listening on the network for manual review.
++    automated: no
+ 
+   - id: R43
+     title: Hardening and configuring the syslog
+@@ -709,6 +719,7 @@ controls:
+   - id: R48
+     level: intermediary
+     title: Configuring the local messaging service
++    automated: yes
+     rules:
+     - postfix_network_listening_disabled
+ 
+@@ -825,6 +836,7 @@ controls:
+     level: intermediary
+     title: Privileges of target sudo users
+     description: The targeted users of a rule should be, as much as possible, non privileged users.
++    automated: yes
+     rules:
+     - sudoers_no_root_target
+ 
+@@ -840,12 +852,14 @@ controls:
+     level: intermediary
+     title: Good use of negation in a sudoers file
+     description: The sudoers configuration rules should not involve negation.
++    automated: yes
+     rules:
+     - sudoers_no_command_negation
+ 
+   - id: R63
+     level: intermediary
+     title: Explicit arguments in sudo specifications
++    automated: yes
+     rules:
+     - sudoers_explicit_command_args
+ 
diff --git a/SOURCES/scap-security-guide-0.1.55-update_nodev_nonroot_mount_option-PR_6606.patch b/SOURCES/scap-security-guide-0.1.55-update_nodev_nonroot_mount_option-PR_6606.patch
new file mode 100644
index 0000000..7ca1ead
--- /dev/null
+++ b/SOURCES/scap-security-guide-0.1.55-update_nodev_nonroot_mount_option-PR_6606.patch
@@ -0,0 +1,352 @@
+From cbede36c7a4e35cb882c35892cff72f9f190cbf9 Mon Sep 17 00:00:00 2001
+From: Milan Lysonek <mlysonek@redhat.com>
+Date: Mon, 8 Feb 2021 15:57:43 +0100
+Subject: [PATCH 1/5] Add nodev,nosuid,noexec options to /boot in ANSSI
+ kickstart
+
+---
+ rhel7/kickstart/ssg-rhel7-anssi_nt28_enhanced-ks.cfg     | 2 +-
+ rhel7/kickstart/ssg-rhel7-anssi_nt28_high-ks.cfg         | 2 +-
+ rhel7/kickstart/ssg-rhel7-anssi_nt28_intermediary-ks.cfg | 2 +-
+ rhel8/kickstart/ssg-rhel8-anssi_bp28_enhanced-ks.cfg     | 2 +-
+ rhel8/kickstart/ssg-rhel8-anssi_bp28_high-ks.cfg         | 2 +-
+ rhel8/kickstart/ssg-rhel8-anssi_bp28_intermediary-ks.cfg | 2 +-
+ 6 files changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/rhel7/kickstart/ssg-rhel7-anssi_nt28_enhanced-ks.cfg b/rhel7/kickstart/ssg-rhel7-anssi_nt28_enhanced-ks.cfg
+index 1d35bedb91..c381512476 100644
+--- a/rhel7/kickstart/ssg-rhel7-anssi_nt28_enhanced-ks.cfg
++++ b/rhel7/kickstart/ssg-rhel7-anssi_nt28_enhanced-ks.cfg
+@@ -99,7 +99,7 @@ zerombr
+ clearpart --linux --initlabel
+ 
+ # Create primary system partitions (required for installs)
+-part /boot --fstype=xfs --size=512
++part /boot --fstype=xfs --size=512 --fsoptions="nodev,nosuid,noexec"
+ part pv.01 --grow --size=1
+ 
+ # Create a Logical Volume Management (LVM) group (optional)
+diff --git a/rhel7/kickstart/ssg-rhel7-anssi_nt28_high-ks.cfg b/rhel7/kickstart/ssg-rhel7-anssi_nt28_high-ks.cfg
+index 73225c2fab..a672b38b83 100644
+--- a/rhel7/kickstart/ssg-rhel7-anssi_nt28_high-ks.cfg
++++ b/rhel7/kickstart/ssg-rhel7-anssi_nt28_high-ks.cfg
+@@ -103,7 +103,7 @@ zerombr
+ clearpart --linux --initlabel
+ 
+ # Create primary system partitions (required for installs)
+-part /boot --fstype=xfs --size=512
++part /boot --fstype=xfs --size=512 --fsoptions="nodev,nosuid,noexec"
+ part pv.01 --grow --size=1
+ 
+ # Create a Logical Volume Management (LVM) group (optional)
+diff --git a/rhel7/kickstart/ssg-rhel7-anssi_nt28_intermediary-ks.cfg b/rhel7/kickstart/ssg-rhel7-anssi_nt28_intermediary-ks.cfg
+index 20c4c59a78..88a7cee8ab 100644
+--- a/rhel7/kickstart/ssg-rhel7-anssi_nt28_intermediary-ks.cfg
++++ b/rhel7/kickstart/ssg-rhel7-anssi_nt28_intermediary-ks.cfg
+@@ -99,7 +99,7 @@ zerombr
+ clearpart --linux --initlabel
+ 
+ # Create primary system partitions (required for installs)
+-part /boot --fstype=xfs --size=512
++part /boot --fstype=xfs --size=512 --fsoptions="nodev,nosuid,noexec"
+ part pv.01 --grow --size=1
+ 
+ # Create a Logical Volume Management (LVM) group (optional)
+diff --git a/rhel8/kickstart/ssg-rhel8-anssi_bp28_enhanced-ks.cfg b/rhel8/kickstart/ssg-rhel8-anssi_bp28_enhanced-ks.cfg
+index 728946ecb7..6f66a3774b 100644
+--- a/rhel8/kickstart/ssg-rhel8-anssi_bp28_enhanced-ks.cfg
++++ b/rhel8/kickstart/ssg-rhel8-anssi_bp28_enhanced-ks.cfg
+@@ -90,7 +90,7 @@ zerombr
+ clearpart --linux --initlabel
+ 
+ # Create primary system partitions (required for installs)
+-part /boot --fstype=xfs --size=512
++part /boot --fstype=xfs --size=512 --fsoptions="nodev,nosuid,noexec"
+ part pv.01 --grow --size=1
+ 
+ # Create a Logical Volume Management (LVM) group (optional)
+diff --git a/rhel8/kickstart/ssg-rhel8-anssi_bp28_high-ks.cfg b/rhel8/kickstart/ssg-rhel8-anssi_bp28_high-ks.cfg
+index cd0eff2625..b5c09253a5 100644
+--- a/rhel8/kickstart/ssg-rhel8-anssi_bp28_high-ks.cfg
++++ b/rhel8/kickstart/ssg-rhel8-anssi_bp28_high-ks.cfg
+@@ -94,7 +94,7 @@ zerombr
+ clearpart --linux --initlabel
+ 
+ # Create primary system partitions (required for installs)
+-part /boot --fstype=xfs --size=512
++part /boot --fstype=xfs --size=512 --fsoptions="nodev,nosuid,noexec"
+ part pv.01 --grow --size=1
+ 
+ # Create a Logical Volume Management (LVM) group (optional)
+diff --git a/rhel8/kickstart/ssg-rhel8-anssi_bp28_intermediary-ks.cfg b/rhel8/kickstart/ssg-rhel8-anssi_bp28_intermediary-ks.cfg
+index 3a241b06f4..fb785e0c11 100644
+--- a/rhel8/kickstart/ssg-rhel8-anssi_bp28_intermediary-ks.cfg
++++ b/rhel8/kickstart/ssg-rhel8-anssi_bp28_intermediary-ks.cfg
+@@ -90,7 +90,7 @@ zerombr
+ clearpart --linux --initlabel
+ 
+ # Create primary system partitions (required for installs)
+-part /boot --fstype=xfs --size=512
++part /boot --fstype=xfs --size=512 --fsoptions="nodev,nosuid,noexec"
+ part pv.01 --grow --size=1
+ 
+ # Create a Logical Volume Management (LVM) group (optional)
+
+From 15be64cc2d6c21b0351bb8d3d1b55b1924be99ca Mon Sep 17 00:00:00 2001
+From: Milan Lysonek <mlysonek@redhat.com>
+Date: Tue, 9 Feb 2021 12:45:34 +0100
+Subject: [PATCH 2/5] Add mount_option_nodev_nonroot_local_partitions bash
+ remediation
+
+---
+ .../bash/shared.sh                             | 18 ++++++++++++++++++
+ 1 file changed, 18 insertions(+)
+ create mode 100644 linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/bash/shared.sh
+
+diff --git a/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/bash/shared.sh b/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/bash/shared.sh
+new file mode 100644
+index 0000000000..7e2b3bd76b
+--- /dev/null
++++ b/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/bash/shared.sh
+@@ -0,0 +1,18 @@
++# platform = multi_platform_all
++. /usr/share/scap-security-guide/remediation_functions
++
++include_mount_options_functions
++
++MOUNT_OPTION="nodev"
++# Create array of local non-root partitions
++readarray -t partitions_records < <(findmnt --mtab --raw --evaluate | grep "^/\w" | grep "\s/dev/\w")
++
++for partition_record in "${partitions_records[@]}"; do
++    # Get all important information for fstab
++    mount_point="$(echo ${partition_record} | cut -d " " -f1)"
++    device="$(echo ${partition_record} | cut -d " " -f2)"
++    device_type="$(echo ${partition_record} | cut -d " " -f3)"
++    # device and device_type will be used only in case when the device doesn't have fstab record
++    ensure_mount_option_in_fstab "$mount_point" "$MOUNT_OPTION" "$device" "$device_type"
++    ensure_partition_is_mounted "$mount_point"
++done
+
+From 36958b72896a69cb580f00a986673c8ae99cb011 Mon Sep 17 00:00:00 2001
+From: Milan Lysonek <mlysonek@redhat.com>
+Date: Tue, 9 Feb 2021 12:45:54 +0100
+Subject: [PATCH 3/5] Add mount_option_nodev_nonroot_local_partitions test
+ scenarios
+
+---
+ .../tests/correct.pass.sh                     | 23 +++++++++++++++++
+ .../local_mounted_during_runtime.fail.sh      | 19 ++++++++++++++
+ .../tests/missing_multiple_nodev.fail.sh      | 23 +++++++++++++++++
+ .../tests/missing_one_nodev.fail.sh           | 23 +++++++++++++++++
+ .../tests/remote_without_nodev.pass.sh        | 25 +++++++++++++++++++
+ 5 files changed, 113 insertions(+)
+ create mode 100644 linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/tests/correct.pass.sh
+ create mode 100644 linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/tests/local_mounted_during_runtime.fail.sh
+ create mode 100644 linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/tests/missing_multiple_nodev.fail.sh
+ create mode 100644 linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/tests/missing_one_nodev.fail.sh
+ create mode 100644 linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/tests/remote_without_nodev.pass.sh
+
+diff --git a/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/tests/correct.pass.sh b/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/tests/correct.pass.sh
+new file mode 100644
+index 0000000000..8bfac4b80f
+--- /dev/null
++++ b/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/tests/correct.pass.sh
+@@ -0,0 +1,23 @@
++#!/bin/bash
++
++. $SHARED/partition.sh
++
++# Add nodev option to all records in fstab to ensure that test will
++# run on environment where everything is set correctly for rule check.
++cp /etc/fstab /etc/fstab.backup
++sed -e 's/\bnodev\b/,/g' -e 's/,,//g' -e 's/\s,\s/defaults/g' /etc/fstab.backup
++awk '{$4 = $4",nodev"; print}' /etc/fstab.backup > /etc/fstab
++# Remount all partitions. (--all option can't be used because it doesn't
++# mount e.g. /boot partition
++declare -a partitions=( $(awk '{print $2}' /etc/fstab | grep "^/\w") )
++for partition in ${partitions[@]}; do
++    mount -o remount "$partition"
++done
++
++PARTITION="/dev/new_partition1"; create_partition
++make_fstab_given_partition_line "/tmp/partition1" ext2 nodev
++mount_partition "/tmp/partition1"
++
++PARTITION="/dev/new_partition2"; create_partition
++make_fstab_given_partition_line "/tmp/partition2" ext2 nodev
++mount_partition "/tmp/partition2"
+diff --git a/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/tests/local_mounted_during_runtime.fail.sh b/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/tests/local_mounted_during_runtime.fail.sh
+new file mode 100644
+index 0000000000..84cadd6f73
+--- /dev/null
++++ b/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/tests/local_mounted_during_runtime.fail.sh
+@@ -0,0 +1,19 @@
++#!/bin/bash
++
++. $SHARED/partition.sh
++
++# Add nodev option to all records in fstab to ensure that test will
++# run on environment where everything is set correctly for rule check.
++cp /etc/fstab /etc/fstab.backup
++sed -e 's/\bnodev\b/,/g' -e 's/,,//g' -e 's/\s,\s/defaults/g' /etc/fstab.backup
++awk '{$4 = $4",nodev"; print}' /etc/fstab.backup > /etc/fstab
++# Remount all partitions. (--all option can't be used because it doesn't
++# mount e.g. /boot partition
++declare -a partitions=( $(awk '{print $2}' /etc/fstab | grep "^/\w") )
++for partition in ${partitions[@]}; do
++    mount -o remount "$partition"
++done
++
++PARTITION="/dev/new_partition1"; create_partition
++mkdir /tmp/test_dir
++mount $PARTITION /tmp/test_dir
+diff --git a/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/tests/missing_multiple_nodev.fail.sh b/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/tests/missing_multiple_nodev.fail.sh
+new file mode 100644
+index 0000000000..7a09093f46
+--- /dev/null
++++ b/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/tests/missing_multiple_nodev.fail.sh
+@@ -0,0 +1,23 @@
++#!/bin/bash
++
++. $SHARED/partition.sh
++
++# Add nodev option to all records in fstab to ensure that test will
++# run on environment where everything is set correctly for rule check.
++cp /etc/fstab /etc/fstab.backup
++sed -e 's/\bnodev\b/,/g' -e 's/,,//g' -e 's/\s,\s/defaults/g' /etc/fstab.backup
++awk '{$4 = $4",nodev"; print}' /etc/fstab.backup > /etc/fstab
++# Remount all partitions. (--all option can't be used because it doesn't
++# mount e.g. /boot partition
++declare -a partitions=( $(awk '{print $2}' /etc/fstab | grep "^/\w") )
++for partition in ${partitions[@]}; do
++    mount -o remount "$partition"
++done
++
++PARTITION="/dev/new_partition1"; create_partition
++make_fstab_given_partition_line "/tmp/partition1" ext2
++mount_partition "/tmp/partition1"
++
++PARTITION="/dev/new_partition2"; create_partition
++make_fstab_given_partition_line "/tmp/partition2" ext2
++mount_partition "/tmp/partition2"
+diff --git a/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/tests/missing_one_nodev.fail.sh b/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/tests/missing_one_nodev.fail.sh
+new file mode 100644
+index 0000000000..c20a98bdcc
+--- /dev/null
++++ b/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/tests/missing_one_nodev.fail.sh
+@@ -0,0 +1,23 @@
++#!/bin/bash
++
++. $SHARED/partition.sh
++
++# Add nodev option to all records in fstab to ensure that test will
++# run on environment where everything is set correctly for rule check.
++cp /etc/fstab /etc/fstab.backup
++sed -e 's/\bnodev\b/,/g' -e 's/,,//g' -e 's/\s,\s/defaults/g' /etc/fstab.backup
++awk '{$4 = $4",nodev"; print}' /etc/fstab.backup > /etc/fstab
++# Remount all partitions. (--all option can't be used because it doesn't
++# mount e.g. /boot partition
++declare -a partitions=( $(awk '{print $2}' /etc/fstab | grep "^/\w") )
++for partition in ${partitions[@]}; do
++    mount -o remount "$partition"
++done
++
++PARTITION="/dev/new_partition1"; create_partition
++make_fstab_given_partition_line "/tmp/partition1" ext2 nodev
++mount_partition "/tmp/partition1"
++
++PARTITION="/dev/new_partition2"; create_partition
++make_fstab_given_partition_line "/tmp/partition2" ext2
++mount_partition "/tmp/partition2"
+diff --git a/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/tests/remote_without_nodev.pass.sh b/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/tests/remote_without_nodev.pass.sh
+new file mode 100644
+index 0000000000..a95410526f
+--- /dev/null
++++ b/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/tests/remote_without_nodev.pass.sh
+@@ -0,0 +1,25 @@
++#!/bin/bash
++# packages = nfs-utils
++
++. $SHARED/partition.sh
++
++# Add nodev option to all records in fstab to ensure that test will
++# run on environment where everything is set correctly for rule check.
++cp /etc/fstab /etc/fstab.backup
++sed -e 's/\bnodev\b/,/g' -e 's/,,//g' -e 's/\s,\s/defaults/g' /etc/fstab.backup
++awk '{$4 = $4",nodev"; print}' /etc/fstab.backup > /etc/fstab
++# Remount all partitions. (--all option can't be used because it doesn't
++# mount e.g. /boot partition
++declare -a partitions=( $(awk '{print $2}' /etc/fstab | grep "^/\w") )
++for partition in ${partitions[@]}; do
++    mount -o remount "$partition"
++done
++
++mkdir /tmp/testdir
++mkdir /tmp/testmount
++chown 2 /tmp/testdir
++chmod 777 /tmp/testdir
++
++echo '/tmp/testdir localhost(rw)' > /etc/exports
++systemctl restart nfs-server
++mount.nfs localhost:/tmp/testdir /tmp/testmount
+
+From b7bec83d7a3ad186413777f70fe2b5d20e01e56b Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Wed, 10 Feb 2021 18:32:26 +0100
+Subject: [PATCH 4/5] Add Ansible for
+ mount_option_nodev_nonroot_local_partitions
+
+The remediation metadata were inspired by the template mount_options
+---
+ .../ansible/shared.yml                         | 18 ++++++++++++++++++
+ 1 file changed, 18 insertions(+)
+ create mode 100644 linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/ansible/shared.yml
+
+diff --git a/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/ansible/shared.yml b/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/ansible/shared.yml
+new file mode 100644
+index 0000000000..8530604308
+--- /dev/null
++++ b/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/ansible/shared.yml
+@@ -0,0 +1,18 @@
++# platform = multi_platform_all
++# reboot = false
++# strategy = configure
++# complexity = low
++# disruption = high
++
++- name: Ensure non-root local partitions are mounted with nodev option
++  mount:
++    path: "{{ item.mount }}"
++    src: "{{ item.device}}"
++    opts: "{{ item.options }},nodev"
++    state: "mounted"
++    fstype: "{{ item.fstype }}"
++  when:
++    - "item.mount is match('/\\w')"
++    - "item.options is not search('nodev')"
++  with_items:
++    - "{{ ansible_facts.mounts }}"
+
+From dab22894ca0798dde27c77704a7fd34d62d77f8f Mon Sep 17 00:00:00 2001
+From: Watson Sato <wsato@redhat.com>
+Date: Wed, 10 Feb 2021 20:29:32 +0100
+Subject: [PATCH 5/5] Add space before and after variable
+
+---
+ .../ansible/shared.yml                                          | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/ansible/shared.yml b/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/ansible/shared.yml
+index 8530604308..2aa9a53e4d 100644
+--- a/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/ansible/shared.yml
++++ b/linux_os/guide/system/permissions/partitions/mount_option_nodev_nonroot_local_partitions/ansible/shared.yml
+@@ -7,7 +7,7 @@
+ - name: Ensure non-root local partitions are mounted with nodev option
+   mount:
+     path: "{{ item.mount }}"
+-    src: "{{ item.device}}"
++    src: "{{ item.device }}"
+     opts: "{{ item.options }},nodev"
+     state: "mounted"
+     fstype: "{{ item.fstype }}"
diff --git a/SPECS/scap-security-guide.spec b/SPECS/scap-security-guide.spec
index 5683054..d3d8d1a 100644
--- a/SPECS/scap-security-guide.spec
+++ b/SPECS/scap-security-guide.spec
@@ -2,72 +2,49 @@
 # RHEL 7.X uses versioned docs dir, hence the definition below
 %global _pkgdocdir %{_docdir}/%{name}-%{version}
 
+# Base name of static rhel6 content tarball
+%global _static_rhel6_content %{name}-0.1.52-2.el7_9-rhel6
+
 Name:		scap-security-guide
-Version:	0.1.52
-Release:	2%{?dist}
+Version:	0.1.54
+Release:	3%{?dist}
 Summary:	Security guidance and baselines in SCAP formats
 
 Group:		System Environment/Base
 License:	BSD-3-Clause
 URL:		https://github.com/ComplianceAsCode/content
 Source0:	%{name}-%{version}.tar.bz2
+# Include tarball with last shipped rhel6 content
+Source1:	%{_static_rhel6_content}.tar.bz2
 Patch0:	disable-not-in-good-shape-profiles.patch
-Patch1:	scap-security-guide-0.1.53-update_rule_max_pass_life-PR_6027.patch
-Patch2:	scap-security-guide-0.1.53-update_rule_disable_ctrlaltdel_reboot-PR_6043.patch
-Patch3:	scap-security-guide-0.1.53-remove_srg_accounts_pam_retry-PR_6045.patch
-Patch4:	scap-security-guide-0.1.53-update_severity_fail_delay-PR_6040.patch
-Patch5:	scap-security-guide-0.1.53-update_stig_RHEL_07_040180-PR_6032.diff
-Patch6:	scap-security-guide-0.1.53-fix_srg_mapping_2-PR_6068.patch
-Patch7:	scap-security-guide-0.1.53-update_tftpd_uses_secure_mode-PR_6051.patch
-Patch8:	scap-security-guide-0.1.53-update_stig_RHEL_07_010320_2-PR_6067.patch
-Patch9:	scap-security-guide-0.1.53-update_stig_RHEL_07_040000-PR_6063.patch
-Patch10:	scap-security-guide-0.1.53-update_stig_RHEL_07_010340-PR_6049.patch
-Patch11:	scap-security-guide-0.1.53-value_macros-PR_6048.patch
-Patch12:	scap-security-guide-0.1.53-update_stig_RHEL_07_020310-PR_6060.patch
-Patch13:	scap-security-guide-0.1.53-update_srgs_smartcart_cert_checking-PR_6073.patch
-Patch14:	scap-security-guide-0.1.53-remove_screen_from_stig-PR_6072.patch
-Patch15:	scap-security-guide-0.1.53-tftpd_fix_variable_type-PR_6077.patch
-Patch16:	scap-security-guide-0.1.53-update_stig_RHEL_07_010310-PR_6084.patch
-Patch17:	scap-security-guide-0.1.53-remove_stig_rule-PR_6086.patch
-Patch18:	scap-security-guide-0.1.53-clean_boilerplate-PR_6042.patch
-Patch19:	scap-security-guide-0.1.53-update_stig_RHEL_07_040160-PR_6085.patch
-Patch20:	scap-security-guide-0.1.53-add_ocil_rsyslog_nolisten-PR_6074.patch
-Patch21:	scap-security-guide-0.1.53-update_stig_references-PR_6104.patch
-Patch22:	scap-security-guide-0.1.53-update_snmpd_no_default_password-PR_6050.patch
-Patch23:	scap-security-guide-0.1.53-update_stig_RHEL_07_041001-PR_6083.diff
-Patch24:	scap-security-guide-0.1.53-add_stig_RHEL_07_040190-PR_6044.patch
-Patch25:	scap-security-guide-0.1.53-update_audisp_network_failure_action-PR_6071.patch
-Patch26:	scap-security-guide-0.1.53-ansible_platforms-PR_6025.patch
-Patch27:	scap-security-guide-0.1.53-introduce_package_platform_name_overrides-PR_6047.patch
-Patch28:	scap-security-guide-0.1.53-remove_eap6-PR_6119.patch
-Patch29:	scap-security-guide-0.1.53-fix_ansible_remediation-PR_6116.patch
-Patch30:	scap-security-guide-0.1.53-fix_severity_stig-PR_6110.patch
-Patch31:	scap-security-guide-0.1.53-update_rule_install_hips-PR_6039.diff
-Patch32:	scap-security-guide-0.1.53-fix_aide_rules-PR_6152.patch
-Patch33:	scap-security-guide-0.1.53-fix_scap_val-PR_6166.patch
-Patch34:	scap-security-guide-0.1.53-remove_ub1404-PR_6154.patch
-Patch35:	scap-security-guide-0.1.53-correct_templates-PR_6162.patch
-Patch36:	scap-security-guide-0.1.53-fix_efi_grub_rule-PR_6276.patch
-Patch37:	scap-security-guide-0.1.53-fix_audit_rules_privileged_commands_duplicate_rules-PR_6279.patch
-Patch38:	scap-security-guide-0.1.53-bash_platforms-PR_6061.patch
-Patch39:	scap-security-guide-0.1.53-fix_emtpy_wrapping-PR_6173.patch
-Patch40:	scap-security-guide-0.1.53-fix_platform_bash_shellcheck_warning-PR_6184.patch
-Patch41:	scap-security-guide-0.1.53-fix_zipl_package_mapping-PR_6130.patch
-Patch42:	scap-security-guide-0.1.53-handle_non_package_cpes-PR_6292.patch
 # make other profiles than STIG stable in regards to the rule set.
 # The z-stream for STIG update is not supposed to touch any other RHEL7 profiles than the STIG itself.
-Patch43:	remove_package_rear_installed_from_e8_profile.patch
-Patch44:	scap-security-guide-0.1.54-split-dconf-automount-rule-PR_5961.patch
-Patch45:	scap-security-guide-0.1.54-fix-bash_dconf_settings-macro-PR_6364.patch
-Patch46:	scap-security-guide-0.1.53-fix-extended-definition-PR_6186.patch
-Patch47:	scap-security-guide-0.1.54-update_stig_reference-PR_6422.patch
-Patch48:	scap-security-guide-0.1.54-select_xwindows_runlevel_target_stig-PR_6420.patch
-Patch49:	scap-security-guide-0.1.54-update_stig_severity-PR_6417.patch
-Patch50:	scap-security-guide-0.1.54-update_RHEL_07_910055-PR_6430.patch
-Patch51:	scap-security-guide-0.1.54-update_grub2_enable_fips_mode-PR_6418.patch
-Patch52:	scap-security-guide-0.1.54-add_dir_perms_world_writable_system_owned_group-PR_6421.patch
-Patch53:	scap-security-guide-0.1.54-update_stig_v3r1-PR_6438.patch
-Patch999:       centos-debranding.patch
+Patch1:	remove_package_rear_installed_from_e8_profile.patch
+# Keep profiles stable through the z-stream, only ANSSI and STIG are to be changed
+Patch2: profile-stability-rebase-0.1.54.patch
+Patch3:	scap-security-guide-0.1.55-add_sshd_x11_proxy_localhost-PR_6534.patch
+Patch4:	scap-security-guide-0.1.55-update_RHEL_07_040710-PR_6537.patch
+Patch5:	scap-security-guide-0.1.55-sshd_approved_ciphers_ordered-PR_6541.diff
+Patch6:	scap-security-guide-0.1.55-sshd_use_approved_macs_stig-PR_6546.patch
+Patch7:	scap-security-guide-0.1.55-fix_cce_rhel7_mac-PR_6564.patch
+Patch8:	scap-security-guide-0.1.55-bump_rhel7_stig_version_to-PR_6576.patch
+Patch9:	scap-security-guide-0.1.55-add_sudoers_explicit_command_args-PR_6525.diff
+Patch10:	scap-security-guide-0.1.55-add_rule_sysctl_kernel_modules_disabled-PR_6533.patch
+Patch11:	scap-security-guide-0.1.55-supress_lint_errors-PR_6542.patch
+Patch12:	scap-security-guide-0.1.55-add_notes_and_rule_for_R35-PR_6548.patch
+Patch13:	scap-security-guide-0.1.55-update_metadata_for_minimal_intermediary-PR_6549.patch
+Patch14:	scap-security-guide-0.1.55-add_rules_for_R18-PR_6539.patch
+Patch15:	scap-security-guide-0.1.55-add_rules_for_R37-PR_6540.patch
+Patch16:	scap-security-guide-0.1.55-drop_fix_sysctl_kernel_modules_disabled-PR_6586.patch
+Patch17:	scap-security-guide-0.1.55-add_selector_for_R29-PR_6553.patch
+Patch18:	scap-security-guide-0.1.55-update_anssi_profile_title-PR_6592.patch
+Patch19:	scap-security-guide-0.1.55-adjust_ks_partion_sizes-PR_6600.patch
+Patch20:	scap-security-guide-0.1.55-better_align_anssi_ks-PR_6589.patch
+Patch21:	scap-security-guide-0.1.55-update_nodev_nonroot_mount_option-PR_6606.patch
+# Until ANSSI High profile is shipped we drop the ks too
+Patch22:		remove-ANSSI-high-ks.patch
+Patch23:		scap-security-guide-0.1.55-fix_stigid_reference-PR_6628.patch
+
 BuildArch:	noarch
 
 BuildRequires:	libxslt, expat, python, openscap-scanner >= 1.2.16, python-jinja2, cmake >= 2.8, PyYAML
@@ -94,7 +71,7 @@ The %{name}-doc package contains HTML formatted documents containing security gu
 been generated from XCCDF benchmarks present in %{name} package.
 
 %prep
-%setup -q -n %{name}-%{version}
+%setup -q -n %{name}-%{version} -b 1
 %patch0 -p1
 %patch1 -p1
 %patch2 -p1
@@ -119,37 +96,7 @@ been generated from XCCDF benchmarks present in %{name} package.
 %patch21 -p1
 %patch22 -p1
 %patch23 -p1
-%patch24 -p1
-%patch25 -p1
-%patch26 -p1
-%patch27 -p1
-%patch28 -p1
-%patch29 -p1
-%patch30 -p1
-%patch31 -p1
-%patch32 -p1
-%patch33 -p1
-%patch34 -p1
-%patch35 -p1
-%patch36 -p1
-%patch37 -p1
-%patch38 -p1
-%patch39 -p1
-%patch40 -p1
-%patch41 -p1
-%patch42 -p1
-%patch43 -p1
-%patch44 -p1
-%patch45 -p1
-%patch46 -p1
-%patch47 -p1
-%patch48 -p1
-%patch49 -p1
-%patch50 -p1
-%patch51 -p1
-%patch52 -p1
-%patch53 -p1
-%patch999 -p1
+
 # Workaround to remove Python byte cache files from the upstream sources
 # See https://github.com/ComplianceAsCode/content/issues/4042
 find . -name '*.pyc' -exec rm -f {} ';'
@@ -161,7 +108,6 @@ mkdir -p build && cd build
 -DSSG_PRODUCT_DEFAULT:BOOL=OFF \
 -DSSG_PRODUCT_FIREFOX:BOOL=ON \
 -DSSG_PRODUCT_JRE:BOOL=ON \
--DSSG_PRODUCT_RHEL6:BOOL=ON \
 -DSSG_PRODUCT_RHEL7:BOOL=ON \
 -DSSG_PRODUCT_RHEL8:BOOL=ON \
 -DSSG_CENTOS_DERIVATIVES_ENABLED:BOOL=OFF \
@@ -172,6 +118,11 @@ make %{?_smp_mflags}
 %install
 cd build
 %make_install
+# Manually install pre-built rhel6 content
+cp -r %{_builddir}/%{_static_rhel6_content}/usr %{buildroot}
+cp -r %{_builddir}/%{_static_rhel6_content}/tables %{buildroot}%{_docdir}/%{name}-%{version}
+# The guide files need to be put in the build system directory for the files section below
+cp -r %{_builddir}/%{_static_rhel6_content}/guides %{_builddir}/%{name}-%{version}/build
 
 %files
 %defattr(-,root,root,-)
@@ -188,9 +139,23 @@ cd build
 
 %files doc
 %defattr(-,root,root,-)
+# Installing guide files from cmake install doens't work because of versioned docs
+# So we take them from the build directory
 %doc build/guides/ssg-*-guide-*.html
 
 %changelog
+* Wed Feb 24 2021 Watson Sato <wsato@redhat.com> - 0.1.54-3
+- Realign PCI-DSS rules selection to v0.1.54 (RHBZ#1497415)
+
+* Wed Feb 17 2021 Watson Sato <wsato@redhat.com> - 0.1.54-2
+- Remove Kickstart for not shipped profile (RHBZ#1497415)
+- Fix STIG id reference format for sshd_x11_use_localhost (RHBZ#1921643)
+
+* Wed Feb 03 2021 Watson Sato <wsato@redhat.com> - 0.1.54-1
+- Rebase to incorporate ANSSI Profile (RHBZ#1497415)
+- Update RHEL7 STIG profile to V3R2 (RHBZ#1921643)
+- Add Minimal, Intermediary and Enhanced ANSSI Profiles (RHBZ#1497415)
+
 * Fri Nov 27 2020 Gabriel Becker <ggasparb@redhat.com> - 0.1.52-2
 - Update RHEL7 DISA STIG to V3R1 (RHBZ#1665233)