StigData/Processed/Ubuntu-18.04-2.6.org.default.xml
|
<!-- The organizational settings file is used to define the local organizations preferred setting within an allowed range of the STIG. Each setting in this file is linked by STIG ID and the valid range is in an associated comment. --> <OrganizationalSettings fullversion="2.6"> <!-- Ensure the following statement is true when leveraging the correct nxFileLine ContainsLine format: If the space_left_action parameter is set to "email" set the action_mail_acct parameter to an e-mail address for the System Administrator (SA) and Information System Security Officer (ISSO). If the space_left_action parameter is set to "exec", make sure the command being execute notifies the System Administrator (SA) and Information System Security Officer (ISSO).--> <OrganizationalSetting id="V-219152.a" ContainsLine="space_left_action = email" DoesNotContainPattern="^#\s*space_left_action.*" /> <!-- Ensure the following statement is true when leveraging the correct nxFileLine ContainsLine format: Set the space_left parameter to be, at least, 25% of the repository maximum audit record storage capacity. --> <OrganizationalSetting id="V-219152.b" ContainsLine="" DoesNotContainPattern="" /> <!-- Ensure the following statement is true when leveraging the correct nxFileLine ContainsLine format: If the remote_server parameter is not set or is set with a local address, or is set with invalid address, this is a finding i.e.: remote_server = <your remote audit log server ip>--> <OrganizationalSetting id="V-219153.c" ContainsLine="" DoesNotContainPattern="" /> <!-- Ensure the following statement is true when leveraging the correct nxFileLine ContainsLine format: "If the "ucredit" parameter is greater than "-1", or is commented out, this is a finding." --> <OrganizationalSetting id="V-219172" ContainsLine="ucredit=-1" DoesNotContainPattern="^#\s*ucredit.*$|^ucredit\s*=\s*(?!-1\b)\w*$" /> <!-- Ensure the following statement is true when leveraging the correct nxFileLine ContainsLine format: "If the "lcredit" parameter is greater than "-1", or is commented out, this is a finding." --> <OrganizationalSetting id="V-219173" ContainsLine="lcredit=-1" DoesNotContainPattern="^#\s*lcredit.*$|^lcredit\s*=\s*(?!-1\b)\w*$" /> <!-- Ensure the following statement is true when leveraging the correct nxFileLine ContainsLine format: "If the "dcredit" parameter is greater than "-1", or is commented out, this is a finding." --> <OrganizationalSetting id="V-219174" ContainsLine="dcredit=-1" DoesNotContainPattern="^#\s*dcredit.*$|^dcredit\s*=\s*(?!-1\b)\w*$" /> <!-- Ensure the following statement is true when leveraging the correct nxFileLine ContainsLine format: "If the "difok" parameter is less than "8", or is commented out, this is a finding." --> <OrganizationalSetting id="V-219175" ContainsLine="difok=8" DoesNotContainPattern="^\s*difok\s*=\s*(-|)[0-7]$|#\s*difok\s*=.*|difok\s+=\s+.*" /> <!-- Ensure the following statement is true when leveraging the correct nxFileLine ContainsLine format: "If "ENCRYPT_METHOD" does not equal SHA512 or greater, this is a finding." --> <OrganizationalSetting id="V-219176" ContainsLine="ENCRYPT_METHOD SHA512" DoesNotContainPattern="#\s*ENCRYPT_METHOD\s*SHA512" /> <!-- Ensure the following statement is true when leveraging the correct nxFileLine ContainsLine format: "If the "PASS_MIN_DAYS" parameter value is less than 1, or commented out, this is a finding." --> <OrganizationalSetting id="V-219178" ContainsLine="PASS_MIN_DAYS 1" DoesNotContainPattern="^\s*PASS_MIN_DAYS\s*[0]*$|#\s*PASS_MIN_DAYS.*" /> <!-- Ensure the following statement is true when leveraging the correct nxFileLine ContainsLine format: "If the "PASS_MAX_DAYS" parameter value is less than 60, or commented out, this is a finding." --> <OrganizationalSetting id="V-219179" ContainsLine="PASS_MAX_DAYS 60" DoesNotContainPattern="^\s*PASS_MAX_DAYS\s*([6][1-9]|[7-9][0-9]|\d{3,})$|#\s*PASS_MAX_DAYS.*" /> <!-- Ensure the following statement is true when leveraging the correct nxFileLine ContainsLine format: "If "minlen" parameter value is not 15 or higher, or is commented out, this is a finding." --> <OrganizationalSetting id="V-219181" ContainsLine="minlen=15" DoesNotContainPattern="^\s*minlen\s*=\s*([0-9]|[1][1-4])$|#\s*minlen.*" /> <!-- Ensure the following statement is true when leveraging the correct nxFileLine ContainsLine format: "If the "ocredit" parameter is greater than "-1", or is commented out, this is a finding." --> <OrganizationalSetting id="V-219210" ContainsLine="ocredit=-1" DoesNotContainPattern="^#\s*ocredit.*$|^ocredit\s*=\s*(?!-1)\w*$" /> <!-- Ensure the following statement is true when leveraging the correct nxFileLine ContainsLine format: "If the value of the "action_mail_acct" keyword is not set to "root" and/or other accounts for security personnel, the "action_mail_acct" keyword is missing, or the returned line is commented out, this is a finding." --> <OrganizationalSetting id="V-219226" ContainsLine="action_mail_acct = root" DoesNotContainPattern="#\s*action_mail_acct\s*=\s*root" /> <!-- Ensure the following statement is true when leveraging the correct nxFileLine ContainsLine format: If the value of the "disk_full_action" option is not "SYSLOG", "SINGLE", or "HALT", or the line is commented out, this is a finding. --> <OrganizationalSetting id="V-219227" ContainsLine="disk_full_action = HALT" DoesNotContainPattern="#\s*disk_full_action.*|^\s*disk_full_action\s*=\s*(?!HALT\b)\w+" /> <!-- Ensure the following statement is true when leveraging the correct nxFileLine ContainsLine format: "If the file "/etc/profile.d/autologout.sh" does not exist with the contents shown above, the value of "TMOUT" is greater than 900, or the timeout values are commented out, this is a finding.--> <OrganizationalSetting id="V-219303.b" ContainsLine="TMOUT=900" DoesNotContainPattern="^\s*TMOUT\s*=\s*[0-8]?[0-9]?[0-9]?$|^#\s*TMOUT.*" /> <!-- Ensure the following statement is true when leveraging the correct nxFileLine ContainsLine format: "If "ClientAliveInterval" does not exist, is not set to a value of "600" or less in "/etc/ssh/sshd_config", or is commented out, this is a finding." --> <OrganizationalSetting id="V-219311" ContainsLine="ClientAliveInterval 600" DoesNotContainPattern="^\s*ClientAliveInterval\s*[0-5]?[0-9]?[0-9]?\s*$|^#\s*ClientAliveInterval.*|^\s*ClientAliveInterval\s*$" /> </OrganizationalSettings> |