Security Configuration Assessment Report

for crosslife-cybersec

  • Target IP Address: 127.0.0.1

CIS Ubuntu Linux 20.04 LTS Benchmark v1.1.0

  • Level 1 - Server
  • Wednesday, April 13 2022 17:15:30
  • Assessment Duration: 25 seconds

Report generated by the Center for Internet Security's Configuration Assessment Tool (CIS-CAT Pro Assessor) v4.14.0.

For further information, please visit The Center for Internet Security or our Product Support page.

Copyright ©2022, The Center for Internet Security

Content generated on 04/13/2022 17:15 PM. Content last obtained on 01/26/2022 14:26 PM.

Summary

                                                    Tests                           Scoring
Description                                         Pass  Fail  Error  Unkn.  Man.  Score    Max  Percent
1 Initial Setup                                       42     0      0      0     7   42.0   42.0     100%
1.1 Filesystem Configuration                          21     0      0      0     3   21.0   21.0     100%
1.1.1 Disable unused filesystems                       6     0      0      0     0    6.0    6.0     100%
1.2 Configure Software Updates                         0     0      0      0     2    0.0    0.0       0%
1.3 Filesystem Integrity Checking                      2     0      0      0     0    2.0    2.0     100%
1.4 Secure Boot Settings                               4     0      0      0     0    4.0    4.0     100%
1.5 Additional Process Hardening                       3     0      0      0     1    3.0    3.0     100%
1.6 Mandatory Access Control                           3     0      0      0     0    3.0    3.0     100%
1.6.1 Configure AppArmor                               3     0      0      0     0    3.0    3.0     100%
1.7 Command Line Warning Banners                       6     0      0      0     0    6.0    6.0     100%
1.8 GNOME Display Manager                              3     0      0      0     0    3.0    3.0     100%
2 Services                                            26     0      0      0     1   26.0   26.0     100%
2.1 Special Purpose Services                          20     0      0      0     0   20.0   20.0     100%
2.1.1 Time Synchronization                             4     0      0      0     0    4.0    4.0     100%
2.2 Service Clients                                    6     0      0      0     0    6.0    6.0     100%
3 Network Configuration                               34     0      0      0     6   34.0   34.0     100%
3.1 Disable unused network protocols and devices       1     0      0      0     0    1.0    1.0     100%
3.2 Network Parameters (Host Only)                     2     0      0      0     0    2.0    2.0     100%
3.3 Network Parameters (Host and Router)               9     0      0      0     0    9.0    9.0     100%
3.4 Uncommon Network Protocols                         0     0      0      0     0    0.0    0.0       0%
3.5 Firewall Configuration                            22     0      0      0     6   22.0   22.0     100%
3.5.1 Configure UncomplicatedFirewall                  5     0      0      0     2    5.0    5.0     100%
3.5.2 Configure nftables                               8     0      0      0     2    8.0    8.0     100%
3.5.3 Configure iptables                               9     0      0      0     2    9.0    9.0     100%
3.5.3.1 Configure iptables software                    3     0      0      0     0    3.0    3.0     100%
3.5.3.2 Configure IPv4 iptables                        3     0      0      0     1    3.0    3.0     100%
3.5.3.3 Configure IPv6 ip6tables                       3     0      0      0     1    3.0    3.0     100%
4 Logging and Auditing                                 8     1      0      0     3    8.0    9.0      89%
4.1 Configure System Accounting (auditd)               0     0      0      0     0    0.0    0.0       0%
4.1.1 Ensure auditing is enabled                       0     0      0      0     0    0.0    0.0       0%
4.1.2 Configure Data Retention                         0     0      0      0     0    0.0    0.0       0%
4.2 Configure Logging                                  7     1      0      0     2    7.0    8.0      88%
4.2.1 Configure rsyslog                                3     1      0      0     2    3.0    4.0      75%
4.2.2 Configure journald                               3     0      0      0     0    3.0    3.0     100%
5 Access, Authentication and Authorization            46     0      0      0     1   46.0   46.0     100%
5.1 Configure time-based job schedulers                9     0      0      0     0    9.0    9.0     100%
5.2 Configure sudo                                     3     0      0      0     0    3.0    3.0     100%
5.3 Configure SSH Server                              20     0      0      0     0   20.0   20.0     100%
5.4 Configure PAM                                      4     0      0      0     0    4.0    4.0     100%
5.5 User Accounts and Environment                      9     0      0      0     0    9.0    9.0     100%
5.5.1 Set Shadow Password Suite Parameters             5     0      0      0     0    5.0    5.0     100%
6 System Maintenance                                  27     1      0      0     2   27.0   28.0      96%
6.1 System File Permissions                           11     0      0      0     2   11.0   11.0     100%
6.2 User and Group Settings                           16     1      0      0     0   16.0   17.0      94%
Total                                                183     2      0      0    20  183.0  185.0      99%

Note: Actual scores are subject to rounding errors. The sum of these values may not result in the exact overall score.

Profiles

This benchmark contains 4 profiles. The Level 1 - Server profile was used for this assessment.

Title: Level 1 - Server

Description:

Items in this profile intend to:

  • be practical and prudent;
  • provide a clear security benefit; and
  • not inhibit the utility of the technology beyond acceptable means.

This profile is intended for servers.

Profile XML:
<xccdf:Profile xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2"
               xmlns="http://checklists.nist.gov/xccdf/1.2"
               xmlns:ae="http://benchmarks.cisecurity.org/ae/0.5"
               xmlns:cc6="http://cisecurity.org/20-cc/v6.1"
               xmlns:cc7="http://cisecurity.org/20-cc/v7.0"
               xmlns:ciscf="https://benchmarks.cisecurity.org/ciscf/1.0"
               xmlns:notes="http://benchmarks.cisecurity.org/notes"
               xmlns:xhtml="http://www.w3.org/1999/xhtml"
               xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
               xmlns:sce="http://open-scap.org/page/SCE_xccdf_stream"
               xmlns:cat="urn:oasis:names:tc:entity:xmlns:xml:catalog"
               xmlns:ds="http://scap.nist.gov/schema/scap/source/1.2"
               xmlns:xlink="http://www.w3.org/1999/xlink"
               xmlns:scap-con="http://scap.nist.gov/schema/scap/constructs/1.2"
               xmlns:arf="http://scap.nist.gov/schema/asset-reporting-format/1.1"
               xmlns:dsc="http://scap.nist.gov/schema/scap/source/1.2"
               xmlns:ai="http://scap.nist.gov/schema/asset-identification/1.1"
               id="xccdf_org.cisecurity.benchmarks_profile_Level_1_-_Server">
   <xccdf:title xml:lang="en">Level 1 - Server</xccdf:title>
   <xccdf:description xml:lang="en">
      <xhtml:p>Items in this profile intend to:</xhtml:p>
      <xhtml:ul>
         <xhtml:li>be practical and prudent;</xhtml:li>
         <xhtml:li>provide a clear security benefit; and</xhtml:li>
         <xhtml:li>not inhibit the utility of the technology beyond acceptable means.</xhtml:li>
      </xhtml:ul>
      <xhtml:p>This profile is intended for servers.</xhtml:p>
   </xccdf:description>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.1.1_Ensure_mounting_of_cramfs_filesystems_is_disabled"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.1.2_Ensure_mounting_of_freevxfs_filesystems_is_disabled"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.1.3_Ensure_mounting_of_jffs2_filesystems_is_disabled"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.1.4_Ensure_mounting_of_hfs_filesystems_is_disabled"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.1.5_Ensure_mounting_of_hfsplus_filesystems_is_disabled"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.1.7_Ensure_mounting_of_udf_filesystems_is_disabled"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.2_Ensure_tmp_is_configured"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.3_Ensure_nodev_option_set_on_tmp_partition"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.4_Ensure_nosuid_option_set_on_tmp_partition"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.5_Ensure_noexec_option_set_on_tmp_partition"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.6_Ensure_devshm_is_configured"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.7_Ensure_nodev_option_set_on_devshm_partition"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.8_Ensure_nosuid_option_set_on_devshm_partition"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.9_Ensure_noexec_option_set_on_devshm_partition"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.12_Ensure_vartmp_partition_includes_the_nodev_option"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.13_Ensure_vartmp_partition_includes_the_nosuid_option"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.14_Ensure_vartmp_partition_includes_the_noexec_option"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.18_Ensure_home_partition_includes_the_nodev_option"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.19_Ensure_nodev_option_set_on_removable_media_partitions"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.20_Ensure_nosuid_option_set_on_removable_media_partitions"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.21_Ensure_noexec_option_set_on_removable_media_partitions"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.22_Ensure_sticky_bit_is_set_on_all_world-writable_directories"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.23_Disable_Automounting"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.24_Disable_USB_Storage"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.2.1_Ensure_package_manager_repositories_are_configured"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.2.2_Ensure_GPG_keys_are_configured"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.3.1_Ensure_AIDE_is_installed"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.3.2_Ensure_filesystem_integrity_is_regularly_checked"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.4.1_Ensure_permissions_on_bootloader_config_are_not_overridden"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.4.2_Ensure_bootloader_password_is_set"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.4.3_Ensure_permissions_on_bootloader_config_are_configured"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.4.4_Ensure_authentication_required_for_single_user_mode"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.5.1_Ensure_XDNX_support_is_enabled"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.5.2_Ensure_address_space_layout_randomization_ASLR_is_enabled"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.5.3_Ensure_prelink_is_not_installed"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.5.4_Ensure_core_dumps_are_restricted"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.6.1.1_Ensure_AppArmor_is_installed"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.6.1.2_Ensure_AppArmor_is_enabled_in_the_bootloader_configuration"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.6.1.3_Ensure_all_AppArmor_Profiles_are_in_enforce_or_complain_mode"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.7.1_Ensure_message_of_the_day_is_configured_properly"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.7.2_Ensure_local_login_warning_banner_is_configured_properly"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.7.3_Ensure_remote_login_warning_banner_is_configured_properly"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.7.4_Ensure_permissions_on_etcmotd_are_configured"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.7.5_Ensure_permissions_on_etcissue_are_configured"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.7.6_Ensure_permissions_on_etcissue.net_are_configured"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.8.2_Ensure_GDM_login_banner_is_configured"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.8.3_Ensure_disable-user-list_is_enabled"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.8.4_Ensure_XDCMP_is_not_enabled"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.9_Ensure_updates_patches_and_additional_security_software_are_installed"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.1.1.1_Ensure_time_synchronization_is_in_use"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.1.1.2_Ensure_systemd-timesyncd_is_configured"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.1.1.3_Ensure_chrony_is_configured"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.1.1.4_Ensure_ntp_is_configured"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.1.2_Ensure_X_Window_System_is_not_installed"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.1.3_Ensure_Avahi_Server_is_not_installed"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.1.4_Ensure_CUPS_is_not_installed"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.1.5_Ensure_DHCP_Server_is_not_installed"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.1.6_Ensure_LDAP_server_is_not_installed"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.1.7_Ensure_NFS_is_not_installed"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.1.8_Ensure_DNS_Server_is_not_installed"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.1.9_Ensure_FTP_Server_is_not_installed"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.1.10_Ensure_HTTP_server_is_not_installed"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.1.11_Ensure_IMAP_and_POP3_server_are_not_installed"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.1.12_Ensure_Samba_is_not_installed"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.1.13_Ensure_HTTP_Proxy_Server_is_not_installed"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.1.14_Ensure_SNMP_Server_is_not_installed"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.1.15_Ensure_mail_transfer_agent_is_configured_for_local-only_mode"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.1.16_Ensure_rsync_service_is_not_installed"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.1.17_Ensure_NIS_Server_is_not_installed"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.1_Ensure_NIS_Client_is_not_installed"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.2_Ensure_rsh_client_is_not_installed"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.3_Ensure_talk_client_is_not_installed"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.4_Ensure_telnet_client_is_not_installed"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.5_Ensure_LDAP_client_is_not_installed"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.6_Ensure__RPC_is_not_installed"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.3_Ensure_nonessential_services_are_removed_or_masked"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.1.2_Ensure_wireless_interfaces_are_disabled"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.2.1_Ensure_packet_redirect_sending_is_disabled"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.2.2_Ensure_IP_forwarding_is_disabled"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.3.1_Ensure_source_routed_packets_are_not_accepted"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.3.2_Ensure_ICMP_redirects_are_not_accepted"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.3.3_Ensure_secure_ICMP_redirects_are_not_accepted"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.3.4_Ensure_suspicious_packets_are_logged"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.3.5_Ensure_broadcast_ICMP_requests_are_ignored"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.3.6_Ensure_bogus_ICMP_responses_are_ignored"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.3.7_Ensure_Reverse_Path_Filtering_is_enabled"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.3.8_Ensure_TCP_SYN_Cookies_is_enabled"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.3.9_Ensure_IPv6_router_advertisements_are_not_accepted"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.1.1_Ensure_ufw_is_installed"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.1.2_Ensure_iptables-persistent_is_not_installed_with_ufw"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.1.3_Ensure_ufw_service_is_enabled"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.1.4_Ensure_ufw_loopback_traffic_is_configured"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.1.5_Ensure_ufw_outbound_connections_are_configured"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.1.6_Ensure_ufw_firewall_rules_exist_for_all_open_ports"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.1.7_Ensure_ufw_default_deny_firewall_policy"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.2.1_Ensure_nftables_is_installed"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.2.2_Ensure_ufw_is_uninstalled_or_disabled_with_nftables"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.2.3_Ensure_iptables_are_flushed_with_nftables"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.2.4_Ensure_a_nftables_table_exists"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.2.5_Ensure_nftables_base_chains_exist"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.2.6_Ensure_nftables_loopback_traffic_is_configured"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.2.7_Ensure_nftables_outbound_and_established_connections_are_configured"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.2.8_Ensure_nftables_default_deny_firewall_policy"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.2.9_Ensure_nftables_service_is_enabled"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.2.10_Ensure_nftables_rules_are_permanent"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.3.1.1_Ensure_iptables_packages_are_installed"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.3.1.2_Ensure_nftables_is_not_installed_with_iptables"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.3.1.3_Ensure_ufw_is_uninstalled_or_disabled_with_iptables"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.3.2.1_Ensure_iptables_loopback_traffic_is_configured"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.3.2.2_Ensure_iptables_outbound_and_established_connections_are_configured"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.3.2.3_Ensure_iptables_default_deny_firewall_policy"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.3.2.4_Ensure_iptables_firewall_rules_exist_for_all_open_ports"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.3.3.1_Ensure_ip6tables_loopback_traffic_is_configured"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.3.3.2_Ensure_ip6tables_outbound_and_established_connections_are_configured"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.3.3.3_Ensure_ip6tables_default_deny_firewall_policy"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.3.3.4_Ensure_ip6tables_firewall_rules_exist_for_all_open_ports"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.2.1.1_Ensure_rsyslog_is_installed"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.2.1.2_Ensure_rsyslog_Service_is_enabled"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.2.1.3_Ensure_logging_is_configured"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.2.1.4_Ensure_rsyslog_default_file_permissions_configured"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.2.1.5_Ensure_rsyslog_is_configured_to_send_logs_to_a_remote_log_host"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.2.1.6_Ensure_remote_rsyslog_messages_are_only_accepted_on_designated_log_hosts."
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.2.2.1_Ensure_journald_is_configured_to_send_logs_to_rsyslog"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.2.2.2_Ensure_journald_is_configured_to_compress_large_log_files"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.2.2.3_Ensure_journald_is_configured_to_write_logfiles_to_persistent_disk"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.2.3_Ensure_permissions_on_all_logfiles_are_configured"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.3_Ensure_logrotate_is_configured"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.4_Ensure_logrotate_assigns_appropriate_permissions"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.1.1_Ensure_cron_daemon_is_enabled_and_running"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.1.2_Ensure_permissions_on_etccrontab_are_configured"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.1.3_Ensure_permissions_on_etccron.hourly_are_configured"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.1.4_Ensure_permissions_on_etccron.daily_are_configured"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.1.5_Ensure_permissions_on_etccron.weekly_are_configured"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.1.6_Ensure_permissions_on_etccron.monthly_are_configured"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.1.7_Ensure_permissions_on_etccron.d_are_configured"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.1.8_Ensure_cron_is_restricted_to_authorized_users"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.1.9_Ensure_at_is_restricted_to_authorized_users"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.2.1_Ensure_sudo_is_installed"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.2.2_Ensure_sudo_commands_use_pty"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.2.3_Ensure_sudo_log_file_exists"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.3.1_Ensure_permissions_on_etcsshsshd_config_are_configured"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.3.2_Ensure_permissions_on_SSH_private_host_key_files_are_configured"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.3.3_Ensure_permissions_on_SSH_public_host_key_files_are_configured"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.3.4_Ensure_SSH_access_is_limited"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.3.5_Ensure_SSH_LogLevel_is_appropriate"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.3.7_Ensure_SSH_MaxAuthTries_is_set_to_4_or_less"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.3.8_Ensure_SSH_IgnoreRhosts_is_enabled"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.3.9_Ensure_SSH_HostbasedAuthentication_is_disabled"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.3.10_Ensure_SSH_root_login_is_disabled"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.3.11_Ensure_SSH_PermitEmptyPasswords_is_disabled"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.3.12_Ensure_SSH_PermitUserEnvironment_is_disabled"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.3.13_Ensure_only_strong_Ciphers_are_used"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.3.14_Ensure_only_strong_MAC_algorithms_are_used"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.3.15_Ensure_only_strong_Key_Exchange_algorithms_are_used"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.3.16_Ensure_SSH_Idle_Timeout_Interval_is_configured"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.3.17_Ensure_SSH_LoginGraceTime_is_set_to_one_minute_or_less"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.3.18_Ensure_SSH_warning_banner_is_configured"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.3.19_Ensure_SSH_PAM_is_enabled"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.3.21_Ensure_SSH_MaxStartups_is_configured"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.3.22_Ensure_SSH_MaxSessions_is_limited"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.4.1_Ensure_password_creation_requirements_are_configured"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.4.2_Ensure_lockout_for_failed_password_attempts_is_configured"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.4.3_Ensure_password_reuse_is_limited"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.4.4_Ensure_password_hashing_algorithm_is_SHA-512"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.5.1.1_Ensure_minimum_days_between_password_changes_is__configured"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.5.1.2_Ensure_password_expiration_is_365_days_or_less"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.5.1.3_Ensure_password_expiration_warning_days_is_7_or_more"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.5.1.4_Ensure_inactive_password_lock_is_30_days_or_less"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.5.1.5_Ensure_all_users_last_password_change_date_is_in_the_past"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.5.2_Ensure_system_accounts_are_secured"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.5.3_Ensure_default_group_for_the_root_account_is_GID_0"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.5.4_Ensure_default_user_umask_is_027_or_more_restrictive"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.5.5_Ensure_default_user_shell_timeout_is_900_seconds_or_less"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.6_Ensure_root_login_is_restricted_to_system_console"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.7_Ensure_access_to_the_su_command_is_restricted"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.1.2_Ensure_permissions_on_etcpasswd_are_configured"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.1.3_Ensure_permissions_on_etcpasswd-_are_configured"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.1.4_Ensure_permissions_on_etcgroup_are_configured"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.1.5_Ensure_permissions_on_etcgroup-_are_configured"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.1.6_Ensure_permissions_on_etcshadow_are_configured"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.1.7_Ensure_permissions_on_etcshadow-_are_configured"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.1.8_Ensure_permissions_on_etcgshadow_are_configured"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.1.9_Ensure_permissions_on_etcgshadow-_are_configured"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.1.10_Ensure_no_world_writable_files_exist"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.1.11_Ensure_no_unowned_files_or_directories_exist"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.1.12_Ensure_no_ungrouped_files_or_directories_exist"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.1.13_Audit_SUID_executables"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.1.14_Audit_SGID_executables"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.2.1_Ensure_accounts_in_etcpasswd_use_shadowed_passwords"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.2.2_Ensure_password_fields_are_not_empty"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.2.3_Ensure_all_groups_in_etcpasswd_exist_in_etcgroup"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.2.4_Ensure_all_users_home_directories_exist"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.2.5_Ensure_users_own_their_home_directories"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.2.6_Ensure_users_home_directories_permissions_are_750_or_more_restrictive"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.2.7_Ensure_users_dot_files_are_not_group_or_world_writable"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.2.8_Ensure_no_users_have_.netrc_files"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.2.9_Ensure_no_users_have_.forward_files"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.2.10_Ensure_no_users_have_.rhosts_files"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.2.11_Ensure_root_is_the_only_UID_0_account"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.2.12_Ensure_root_PATH_Integrity"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.2.13_Ensure_no_duplicate_UIDs_exist"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.2.14_Ensure_no_duplicate_GIDs_exist"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.2.15_Ensure_no_duplicate_user_names_exist"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.2.16_Ensure_no_duplicate_group_names_exist"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.2.17_Ensure_shadow_group_is_empty"
                 selected="true"/>
</xccdf:Profile>
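
The 6.2 rules selected just above (shadowed passwords, no empty password fields, every primary GID present in /etc/group, root as the only UID 0 account, no duplicate UIDs/GIDs/names, an empty shadow group) are simple consistency checks over the three account databases. The following Python is an added example, not CIS-CAT code: CIS-CAT evaluates these rules through OVAL definitions that are not reproduced on this page, and this is an independent re-implementation of what the rule titles describe. The passwd, shadow and group contents are constructed so that each rule trips exactly once.

```python
from collections import Counter

# Constructed sample databases (not from a real host); one deliberate defect per rule.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
toor:x:0:0:second UID 0 account:/root:/bin/bash
legacy:$6$salt$hash:1002:4242:hash kept in passwd:/home/legacy:/bin/sh
bob:x:1003:1003:duplicate user name:/home/bob2:/bin/bash
"""

SAMPLE_SHADOW = """\
root:$6$salt$hash:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
alice:$6$salt$hash:19000:0:99999:7:::
bob::19000:0:99999:7:::
toor:$6$salt$hash:19000:0:99999:7:::
legacy:$6$salt$hash:19000:0:99999:7:::
"""

SAMPLE_GROUP = """\
root:x:0:
daemon:x:1:
shadow:x:42:alice
alice:x:1000:
bob:x:1001:
toor:x:1002:
bob:x:1003:
ops:x:1001:
"""


def parse_db(text):
    """Split a colon-separated account database into lists of fields."""
    return [line.split(":") for line in text.splitlines() if line.strip()]


def audit_accounts(passwd, shadow, group):
    """Return (rule, detail) findings for rules 6.2.1-6.2.3, 6.2.11 and 6.2.13-6.2.17."""
    findings = []
    pw, sh, gr = parse_db(passwd), parse_db(shadow), parse_db(group)

    # 6.2.1: every /etc/passwd entry must defer to /etc/shadow ("x" in field 2).
    for e in pw:
        if e[1] != "x":
            findings.append(("6.2.1", f"{e[0]}: password hash stored in /etc/passwd"))

    # 6.2.2: an empty /etc/shadow password field allows login with no password.
    for e in sh:
        if e[1] == "":
            findings.append(("6.2.2", f"{e[0]}: empty password field in /etc/shadow"))

    # 6.2.3: every primary GID referenced from /etc/passwd must exist in /etc/group.
    known_gids = {e[2] for e in gr}
    for e in pw:
        if e[3] not in known_gids:
            findings.append(("6.2.3", f"{e[0]}: primary GID {e[3]} missing from /etc/group"))

    # 6.2.11: root must be the only account with UID 0.
    for e in pw:
        if e[2] == "0" and e[0] != "root":
            findings.append(("6.2.11", f"{e[0]}: UID 0 account other than root"))

    # 6.2.13-6.2.16: no duplicate UIDs, GIDs, user names or group names.
    for rule, entries, field, label in (
        ("6.2.13", pw, 2, "UID"),
        ("6.2.14", gr, 2, "GID"),
        ("6.2.15", pw, 0, "user name"),
        ("6.2.16", gr, 0, "group name"),
    ):
        for value, count in Counter(e[field] for e in entries).items():
            if count > 1:
                findings.append((rule, f"duplicate {label} {value} ({count} entries)"))

    # 6.2.17: members of the shadow group can read /etc/shadow, so it must be empty.
    for e in gr:
        if e[0] == "shadow" and e[3].strip():
            findings.append(("6.2.17", f"shadow group has members: {e[3]}"))

    return findings


if __name__ == "__main__":
    # On a real host, pass the contents of /etc/passwd, /etc/shadow and /etc/group
    # instead (reading /etc/shadow requires root or shadow-group membership).
    for rule, detail in audit_accounts(SAMPLE_PASSWD, SAMPLE_SHADOW, SAMPLE_GROUP):
        print(f"FAIL {rule}: {detail}")
```

The duplicate checks are deliberately driven by one table rather than four copies of the same loop; the two UID 0 entries show up under both 6.2.11 and 6.2.13, which is also how the benchmark reports them, since the rules are evaluated independently.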
Level 2 - Server

This profile extends the "Level 1 - Server" profile. Items in this profile exhibit one or more of the following characteristics:

  • are intended for environments or use cases where security is paramount.
  • act as a defense-in-depth measure.
  • may reduce the utility or performance of the technology.

This profile is intended for servers.
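
Because the Level 2 profile XML below lists every selected rule explicitly rather than referencing the Level 1 profile, the practical way to see what Level 2 adds is to extract the `idref` values of both profiles and take the set difference. The following Python is an added example, not CIS-CAT code; the benchmark excerpt it parses is constructed from a few rule ids on this page, and which rules actually differ between the real Level 1 and Level 2 profiles must be read from the full profile XML.

```python
import xml.etree.ElementTree as ET

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"
PROFILE_TAG = f"{{{XCCDF_NS}}}Profile"
SELECT_TAG = f"{{{XCCDF_NS}}}select"

# Constructed excerpt: two profiles shortened to a handful of rule ids from this page.
# The selected="false" entry is there to show that the attribute must be honored.
SAMPLE_BENCHMARK = f"""\
<xccdf:Benchmark xmlns:xccdf="{XCCDF_NS}" id="xccdf_org.cisecurity.benchmarks_benchmark_example">
  <xccdf:Profile id="xccdf_org.cisecurity.benchmarks_profile_Level_1_-_Server">
    <xccdf:title xml:lang="en">Level 1 - Server</xccdf:title>
    <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.1.1_Ensure_mounting_of_cramfs_filesystems_is_disabled" selected="true"/>
    <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.1.6_Ensure_mounting_of_squashfs_filesystems_is_disabled" selected="false"/>
    <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.3.10_Ensure_SSH_root_login_is_disabled" selected="true"/>
    <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.2.11_Ensure_root_is_the_only_UID_0_account" selected="true"/>
  </xccdf:Profile>
  <xccdf:Profile id="xccdf_org.cisecurity.benchmarks_profile_Level_2_-_Server">
    <xccdf:title xml:lang="en">Level 2 - Server</xccdf:title>
    <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.1.1_Ensure_mounting_of_cramfs_filesystems_is_disabled" selected="true"/>
    <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.1.6_Ensure_mounting_of_squashfs_filesystems_is_disabled" selected="true"/>
    <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.10_Ensure_separate_partition_exists_for_var" selected="true"/>
    <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.3.10_Ensure_SSH_root_login_is_disabled" selected="true"/>
    <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.2.11_Ensure_root_is_the_only_UID_0_account" selected="true"/>
  </xccdf:Profile>
</xccdf:Benchmark>
"""


def rule_number(idref):
    """'..._rule_6.2.11_Ensure_root_is_the_only_UID_0_account' -> '6.2.11'."""
    return idref.split("_rule_", 1)[1].split("_", 1)[0]


def rule_sort_key(idref):
    """Sort numerically per component so that 6.2.2 precedes 6.2.11."""
    return tuple(int(part) for part in rule_number(idref).split("."))


def selected_rules(xml_text, profile_id):
    """Set of rule idrefs a profile selects. Accepts a whole <Benchmark> or a
    bare <Profile> element copied out of a report like this one."""
    root = ET.fromstring(xml_text)
    for profile in root.iter(PROFILE_TAG):  # iter() includes root itself
        if profile.get("id") == profile_id:
            return {
                sel.get("idref")
                for sel in profile.iter(SELECT_TAG)
                # xs:boolean: only "true"/"1" select the rule
                if sel.get("selected", "").strip().lower() in ("true", "1")
            }
    raise KeyError(f"no profile with id {profile_id!r}")


def profile_delta(xml_text, base_id, extended_id):
    """Rules the extended profile selects beyond the base, and any it drops."""
    base = selected_rules(xml_text, base_id)
    extended = selected_rules(xml_text, extended_id)
    return {
        "added": sorted(extended - base, key=rule_sort_key),
        "dropped": sorted(base - extended, key=rule_sort_key),
    }


if __name__ == "__main__":
    delta = profile_delta(
        SAMPLE_BENCHMARK,
        "xccdf_org.cisecurity.benchmarks_profile_Level_1_-_Server",
        "xccdf_org.cisecurity.benchmarks_profile_Level_2_-_Server",
    )
    for idref in delta["added"]:
        print("Level 2 only:", rule_number(idref))
```

To run it against the real benchmark, pass the contents of the XCCDF file (or the data-stream collection) as `xml_text`; matching on the namespaced tag rather than the `xccdf:` prefix keeps the lookup working whatever prefix the file uses.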

Show Profile XML
<xccdf:Profile xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2"
               xmlns="http://checklists.nist.gov/xccdf/1.2"
               xmlns:ae="http://benchmarks.cisecurity.org/ae/0.5"
               xmlns:cc6="http://cisecurity.org/20-cc/v6.1"
               xmlns:cc7="http://cisecurity.org/20-cc/v7.0"
               xmlns:ciscf="https://benchmarks.cisecurity.org/ciscf/1.0"
               xmlns:notes="http://benchmarks.cisecurity.org/notes"
               xmlns:xhtml="http://www.w3.org/1999/xhtml"
               xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
               xmlns:sce="http://open-scap.org/page/SCE_xccdf_stream"
               xmlns:cat="urn:oasis:names:tc:entity:xmlns:xml:catalog"
               xmlns:ds="http://scap.nist.gov/schema/scap/source/1.2"
               xmlns:xlink="http://www.w3.org/1999/xlink"
               xmlns:scap-con="http://scap.nist.gov/schema/scap/constructs/1.2"
               xmlns:arf="http://scap.nist.gov/schema/asset-reporting-format/1.1"
               xmlns:dsc="http://scap.nist.gov/schema/scap/source/1.2"
               xmlns:ai="http://scap.nist.gov/schema/asset-identification/1.1"
               id="xccdf_org.cisecurity.benchmarks_profile_Level_2_-_Server">
   <xccdf:title xml:lang="en">Level 2 - Server</xccdf:title>
   <xccdf:description xml:lang="en">
      <xhtml:p>This profile extends the "Level 1 - Server" profile. Items in this profile exhibit one or more of the following characteristics:</xhtml:p>
      <xhtml:ul>
         <xhtml:li>are intended for environments or use cases where security is paramount.</xhtml:li>
         <xhtml:li>act as a defense-in-depth measure.</xhtml:li>
         <xhtml:li>may reduce the utility or performance of the technology.</xhtml:li>
      </xhtml:ul>
      <xhtml:p>This profile is intended for servers.</xhtml:p>
   </xccdf:description>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.1.1_Ensure_mounting_of_cramfs_filesystems_is_disabled"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.1.2_Ensure_mounting_of_freevxfs_filesystems_is_disabled"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.1.3_Ensure_mounting_of_jffs2_filesystems_is_disabled"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.1.4_Ensure_mounting_of_hfs_filesystems_is_disabled"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.1.5_Ensure_mounting_of_hfsplus_filesystems_is_disabled"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.1.6_Ensure_mounting_of_squashfs_filesystems_is_disabled"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.1.7_Ensure_mounting_of_udf_filesystems_is_disabled"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.2_Ensure_tmp_is_configured"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.3_Ensure_nodev_option_set_on_tmp_partition"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.4_Ensure_nosuid_option_set_on_tmp_partition"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.5_Ensure_noexec_option_set_on_tmp_partition"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.6_Ensure_devshm_is_configured"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.7_Ensure_nodev_option_set_on_devshm_partition"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.8_Ensure_nosuid_option_set_on_devshm_partition"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.9_Ensure_noexec_option_set_on_devshm_partition"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.10_Ensure_separate_partition_exists_for_var"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.11_Ensure_separate_partition_exists_for_vartmp"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.12_Ensure_vartmp_partition_includes_the_nodev_option"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.13_Ensure_vartmp_partition_includes_the_nosuid_option"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.14_Ensure_vartmp_partition_includes_the_noexec_option"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.15_Ensure_separate_partition_exists_for_varlog"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.16_Ensure_separate_partition_exists_for_varlogaudit"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.17_Ensure_separate_partition_exists_for_home"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.18_Ensure_home_partition_includes_the_nodev_option"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.19_Ensure_nodev_option_set_on_removable_media_partitions"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.20_Ensure_nosuid_option_set_on_removable_media_partitions"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.21_Ensure_noexec_option_set_on_removable_media_partitions"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.22_Ensure_sticky_bit_is_set_on_all_world-writable_directories"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.23_Disable_Automounting"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.24_Disable_USB_Storage"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.2.1_Ensure_package_manager_repositories_are_configured"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.2.2_Ensure_GPG_keys_are_configured"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.3.1_Ensure_AIDE_is_installed"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.3.2_Ensure_filesystem_integrity_is_regularly_checked"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.4.1_Ensure_permissions_on_bootloader_config_are_not_overridden"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.4.2_Ensure_bootloader_password_is_set"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.4.3_Ensure_permissions_on_bootloader_config_are_configured"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.4.4_Ensure_authentication_required_for_single_user_mode"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.5.1_Ensure_XDNX_support_is_enabled"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.5.2_Ensure_address_space_layout_randomization_ASLR_is_enabled"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.5.3_Ensure_prelink_is_not_installed"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.5.4_Ensure_core_dumps_are_restricted"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.6.1.1_Ensure_AppArmor_is_installed"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.6.1.2_Ensure_AppArmor_is_enabled_in_the_bootloader_configuration"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.6.1.3_Ensure_all_AppArmor_Profiles_are_in_enforce_or_complain_mode"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.6.1.4_Ensure_all_AppArmor_Profiles_are_enforcing"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.7.1_Ensure_message_of_the_day_is_configured_properly"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.7.2_Ensure_local_login_warning_banner_is_configured_properly"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.7.3_Ensure_remote_login_warning_banner_is_configured_properly"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.7.4_Ensure_permissions_on_etcmotd_are_configured"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.7.5_Ensure_permissions_on_etcissue_are_configured"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.7.6_Ensure_permissions_on_etcissue.net_are_configured"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.8.1_Ensure_GNOME_Display_Manager_is_removed"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.8.2_Ensure_GDM_login_banner_is_configured"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.8.3_Ensure_disable-user-list_is_enabled"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.8.4_Ensure_XDCMP_is_not_enabled"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.9_Ensure_updates_patches_and_additional_security_software_are_installed"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.1.1.1_Ensure_time_synchronization_is_in_use"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.1.1.2_Ensure_systemd-timesyncd_is_configured"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.1.1.3_Ensure_chrony_is_configured"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.1.1.4_Ensure_ntp_is_configured"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.1.2_Ensure_X_Window_System_is_not_installed"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.1.3_Ensure_Avahi_Server_is_not_installed"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.1.4_Ensure_CUPS_is_not_installed"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.1.5_Ensure_DHCP_Server_is_not_installed"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.1.6_Ensure_LDAP_server_is_not_installed"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.1.7_Ensure_NFS_is_not_installed"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.1.8_Ensure_DNS_Server_is_not_installed"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.1.9_Ensure_FTP_Server_is_not_installed"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.1.10_Ensure_HTTP_server_is_not_installed"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.1.11_Ensure_IMAP_and_POP3_server_are_not_installed"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.1.12_Ensure_Samba_is_not_installed"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.1.13_Ensure_HTTP_Proxy_Server_is_not_installed"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.1.14_Ensure_SNMP_Server_is_not_installed"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.1.15_Ensure_mail_transfer_agent_is_configured_for_local-only_mode"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.1.16_Ensure_rsync_service_is_not_installed"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.1.17_Ensure_NIS_Server_is_not_installed"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.1_Ensure_NIS_Client_is_not_installed"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.2_Ensure_rsh_client_is_not_installed"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.3_Ensure_talk_client_is_not_installed"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.4_Ensure_telnet_client_is_not_installed"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.5_Ensure_LDAP_client_is_not_installed"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.6_Ensure__RPC_is_not_installed"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.3_Ensure_nonessential_services_are_removed_or_masked"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.1.1_Disable_IPv6"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.1.2_Ensure_wireless_interfaces_are_disabled"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.2.1_Ensure_packet_redirect_sending_is_disabled"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.2.2_Ensure_IP_forwarding_is_disabled"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.3.1_Ensure_source_routed_packets_are_not_accepted"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.3.2_Ensure_ICMP_redirects_are_not_accepted"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.3.3_Ensure_secure_ICMP_redirects_are_not_accepted"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.3.4_Ensure_suspicious_packets_are_logged"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.3.5_Ensure_broadcast_ICMP_requests_are_ignored"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.3.6_Ensure_bogus_ICMP_responses_are_ignored"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.3.7_Ensure_Reverse_Path_Filtering_is_enabled"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.3.8_Ensure_TCP_SYN_Cookies_is_enabled"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.3.9_Ensure_IPv6_router_advertisements_are_not_accepted"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.4.1_Ensure_DCCP_is_disabled"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.4.2_Ensure_SCTP_is_disabled"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.4.3_Ensure_RDS_is_disabled"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.4.4_Ensure_TIPC_is_disabled"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.1.1_Ensure_ufw_is_installed"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.1.2_Ensure_iptables-persistent_is_not_installed_with_ufw"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.1.3_Ensure_ufw_service_is_enabled"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.1.4_Ensure_ufw_loopback_traffic_is_configured"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.1.5_Ensure_ufw_outbound_connections_are_configured"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.1.6_Ensure_ufw_firewall_rules_exist_for_all_open_ports"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.1.7_Ensure_ufw_default_deny_firewall_policy"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.2.1_Ensure_nftables_is_installed"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.2.2_Ensure_ufw_is_uninstalled_or_disabled_with_nftables"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.2.3_Ensure_iptables_are_flushed_with_nftables"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.2.4_Ensure_a_nftables_table_exists"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.2.5_Ensure_nftables_base_chains_exist"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.2.6_Ensure_nftables_loopback_traffic_is_configured"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.2.7_Ensure_nftables_outbound_and_established_connections_are_configured"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.2.8_Ensure_nftables_default_deny_firewall_policy"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.2.9_Ensure_nftables_service_is_enabled"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.2.10_Ensure_nftables_rules_are_permanent"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.3.1.1_Ensure_iptables_packages_are_installed"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.3.1.2_Ensure_nftables_is_not_installed_with_iptables"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.3.1.3_Ensure_ufw_is_uninstalled_or_disabled_with_iptables"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.3.2.1_Ensure_iptables_loopback_traffic_is_configured"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.3.2.2_Ensure_iptables_outbound_and_established_connections_are_configured"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.3.2.3_Ensure_iptables_default_deny_firewall_policy"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.3.2.4_Ensure_iptables_firewall_rules_exist_for_all_open_ports"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.3.3.1_Ensure_ip6tables_loopback_traffic_is_configured"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.3.3.2_Ensure_ip6tables_outbound_and_established_connections_are_configured"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.3.3.3_Ensure_ip6tables_default_deny_firewall_policy"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.3.3.4_Ensure_ip6tables_firewall_rules_exist_for_all_open_ports"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.1.1.1_Ensure_auditd_is_installed"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.1.1.2_Ensure_auditd_service_is_enabled"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.1.1.3_Ensure_auditing_for_processes_that_start_prior_to_auditd_is_enabled"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.1.1.4_Ensure_audit_backlog_limit_is_sufficient"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.1.2.1_Ensure_audit_log_storage_size_is_configured"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.1.2.2_Ensure_audit_logs_are_not_automatically_deleted"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.1.2.3_Ensure_system_is_disabled_when_audit_logs_are_full"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.1.3_Ensure_events_that_modify_date_and_time_information_are_collected"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.1.4_Ensure_events_that_modify_usergroup_information_are_collected"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.1.5_Ensure_events_that_modify_the_systems_network_environment_are_collected"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.1.6_Ensure_events_that_modify_the_systems_Mandatory_Access_Controls_are_collected"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.1.7_Ensure_login_and_logout_events_are_collected"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.1.8_Ensure_session_initiation_information_is_collected"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.1.9_Ensure_discretionary_access_control_permission_modification_events_are_collected"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.1.10_Ensure_unsuccessful_unauthorized_file_access_attempts_are_collected"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.1.11_Ensure_use_of_privileged_commands_is_collected"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.1.12_Ensure_successful_file_system_mounts_are_collected"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.1.13_Ensure_file_deletion_events_by_users_are_collected"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.1.14_Ensure_changes_to_system_administration_scope_sudoers_is_collected"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.1.15_Ensure_system_administrator_command_executions_sudo_are_collected"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.1.16_Ensure_kernel_module_loading_and_unloading_is_collected"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.1.17_Ensure_the_audit_configuration_is_immutable"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.2.1.1_Ensure_rsyslog_is_installed"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.2.1.2_Ensure_rsyslog_Service_is_enabled"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.2.1.3_Ensure_logging_is_configured"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.2.1.4_Ensure_rsyslog_default_file_permissions_configured"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.2.1.5_Ensure_rsyslog_is_configured_to_send_logs_to_a_remote_log_host"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.2.1.6_Ensure_remote_rsyslog_messages_are_only_accepted_on_designated_log_hosts."
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.2.2.1_Ensure_journald_is_configured_to_send_logs_to_rsyslog"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.2.2.2_Ensure_journald_is_configured_to_compress_large_log_files"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.2.2.3_Ensure_journald_is_configured_to_write_logfiles_to_persistent_disk"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.2.3_Ensure_permissions_on_all_logfiles_are_configured"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.3_Ensure_logrotate_is_configured"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.4_Ensure_logrotate_assigns_appropriate_permissions"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.1.1_Ensure_cron_daemon_is_enabled_and_running"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.1.2_Ensure_permissions_on_etccrontab_are_configured"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.1.3_Ensure_permissions_on_etccron.hourly_are_configured"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.1.4_Ensure_permissions_on_etccron.daily_are_configured"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.1.5_Ensure_permissions_on_etccron.weekly_are_configured"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.1.6_Ensure_permissions_on_etccron.monthly_are_configured"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.1.7_Ensure_permissions_on_etccron.d_are_configured"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.1.8_Ensure_cron_is_restricted_to_authorized_users"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.1.9_Ensure_at_is_restricted_to_authorized_users"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.2.1_Ensure_sudo_is_installed"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.2.2_Ensure_sudo_commands_use_pty"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.2.3_Ensure_sudo_log_file_exists"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.3.1_Ensure_permissions_on_etcsshsshd_config_are_configured"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.3.2_Ensure_permissions_on_SSH_private_host_key_files_are_configured"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.3.3_Ensure_permissions_on_SSH_public_host_key_files_are_configured"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.3.4_Ensure_SSH_access_is_limited"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.3.5_Ensure_SSH_LogLevel_is_appropriate"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.3.6_Ensure_SSH_X11_forwarding_is_disabled"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.3.7_Ensure_SSH_MaxAuthTries_is_set_to_4_or_less"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.3.8_Ensure_SSH_IgnoreRhosts_is_enabled"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.3.9_Ensure_SSH_HostbasedAuthentication_is_disabled"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.3.10_Ensure_SSH_root_login_is_disabled"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.3.11_Ensure_SSH_PermitEmptyPasswords_is_disabled"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.3.12_Ensure_SSH_PermitUserEnvironment_is_disabled"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.3.13_Ensure_only_strong_Ciphers_are_used"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.3.14_Ensure_only_strong_MAC_algorithms_are_used"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.3.15_Ensure_only_strong_Key_Exchange_algorithms_are_used"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.3.16_Ensure_SSH_Idle_Timeout_Interval_is_configured"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.3.17_Ensure_SSH_LoginGraceTime_is_set_to_one_minute_or_less"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.3.18_Ensure_SSH_warning_banner_is_configured"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.3.19_Ensure_SSH_PAM_is_enabled"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.3.20_Ensure_SSH_AllowTcpForwarding_is_disabled"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.3.21_Ensure_SSH_MaxStartups_is_configured"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.3.22_Ensure_SSH_MaxSessions_is_limited"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.4.1_Ensure_password_creation_requirements_are_configured"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.4.2_Ensure_lockout_for_failed_password_attempts_is_configured"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.4.3_Ensure_password_reuse_is_limited"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.4.4_Ensure_password_hashing_algorithm_is_SHA-512"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.5.1.1_Ensure_minimum_days_between_password_changes_is__configured"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.5.1.2_Ensure_password_expiration_is_365_days_or_less"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.5.1.3_Ensure_password_expiration_warning_days_is_7_or_more"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.5.1.4_Ensure_inactive_password_lock_is_30_days_or_less"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.5.1.5_Ensure_all_users_last_password_change_date_is_in_the_past"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.5.2_Ensure_system_accounts_are_secured"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.5.3_Ensure_default_group_for_the_root_account_is_GID_0"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.5.4_Ensure_default_user_umask_is_027_or_more_restrictive"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.5.5_Ensure_default_user_shell_timeout_is_900_seconds_or_less"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.6_Ensure_root_login_is_restricted_to_system_console"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.7_Ensure_access_to_the_su_command_is_restricted"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.1.1_Audit_system_file_permissions"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.1.2_Ensure_permissions_on_etcpasswd_are_configured"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.1.3_Ensure_permissions_on_etcpasswd-_are_configured"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.1.4_Ensure_permissions_on_etcgroup_are_configured"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.1.5_Ensure_permissions_on_etcgroup-_are_configured"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.1.6_Ensure_permissions_on_etcshadow_are_configured"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.1.7_Ensure_permissions_on_etcshadow-_are_configured"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.1.8_Ensure_permissions_on_etcgshadow_are_configured"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.1.9_Ensure_permissions_on_etcgshadow-_are_configured"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.1.10_Ensure_no_world_writable_files_exist"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.1.11_Ensure_no_unowned_files_or_directories_exist"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.1.12_Ensure_no_ungrouped_files_or_directories_exist"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.1.13_Audit_SUID_executables"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.1.14_Audit_SGID_executables"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.2.1_Ensure_accounts_in_etcpasswd_use_shadowed_passwords"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.2.2_Ensure_password_fields_are_not_empty"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.2.3_Ensure_all_groups_in_etcpasswd_exist_in_etcgroup"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.2.4_Ensure_all_users_home_directories_exist"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.2.5_Ensure_users_own_their_home_directories"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.2.6_Ensure_users_home_directories_permissions_are_750_or_more_restrictive"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.2.7_Ensure_users_dot_files_are_not_group_or_world_writable"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.2.8_Ensure_no_users_have_.netrc_files"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.2.9_Ensure_no_users_have_.forward_files"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.2.10_Ensure_no_users_have_.rhosts_files"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.2.11_Ensure_root_is_the_only_UID_0_account"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.2.12_Ensure_root_PATH_Integrity"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.2.13_Ensure_no_duplicate_UIDs_exist"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.2.14_Ensure_no_duplicate_GIDs_exist"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.2.15_Ensure_no_duplicate_user_names_exist"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.2.16_Ensure_no_duplicate_group_names_exist"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.2.17_Ensure_shadow_group_is_empty"
                 selected="true"/>
</xccdf:Profile>
Level 1 - Workstation

Items in this profile intend to:

  • be practical and prudent;
  • provide a clear security benefit; and
  • not inhibit the utility of the technology beyond acceptable means.

This profile is intended for workstations.

<xccdf:Profile xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2"
               xmlns="http://checklists.nist.gov/xccdf/1.2"
               xmlns:ae="http://benchmarks.cisecurity.org/ae/0.5"
               xmlns:cc6="http://cisecurity.org/20-cc/v6.1"
               xmlns:cc7="http://cisecurity.org/20-cc/v7.0"
               xmlns:ciscf="https://benchmarks.cisecurity.org/ciscf/1.0"
               xmlns:notes="http://benchmarks.cisecurity.org/notes"
               xmlns:xhtml="http://www.w3.org/1999/xhtml"
               xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
               xmlns:sce="http://open-scap.org/page/SCE_xccdf_stream"
               xmlns:cat="urn:oasis:names:tc:entity:xmlns:xml:catalog"
               xmlns:ds="http://scap.nist.gov/schema/scap/source/1.2"
               xmlns:xlink="http://www.w3.org/1999/xlink"
               xmlns:scap-con="http://scap.nist.gov/schema/scap/constructs/1.2"
               xmlns:arf="http://scap.nist.gov/schema/asset-reporting-format/1.1"
               xmlns:dsc="http://scap.nist.gov/schema/scap/source/1.2"
               xmlns:ai="http://scap.nist.gov/schema/asset-identification/1.1"
               id="xccdf_org.cisecurity.benchmarks_profile_Level_1_-_Workstation">
   <xccdf:title xml:lang="en">Level 1 - Workstation</xccdf:title>
   <xccdf:description xml:lang="en">
      <xhtml:p>Items in this profile intend to:</xhtml:p>
      <xhtml:ul>
         <xhtml:li>be practical and prudent;</xhtml:li>
         <xhtml:li>provide a clear security benefit; and</xhtml:li>
         <xhtml:li>not inhibit the utility of the technology beyond acceptable means.</xhtml:li>
      </xhtml:ul>
      <xhtml:p>This profile is intended for workstations.</xhtml:p>
   </xccdf:description>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.1.1_Ensure_mounting_of_cramfs_filesystems_is_disabled"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.1.2_Ensure_mounting_of_freevxfs_filesystems_is_disabled"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.1.3_Ensure_mounting_of_jffs2_filesystems_is_disabled"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.1.4_Ensure_mounting_of_hfs_filesystems_is_disabled"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.1.5_Ensure_mounting_of_hfsplus_filesystems_is_disabled"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.1.7_Ensure_mounting_of_udf_filesystems_is_disabled"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.2_Ensure_tmp_is_configured"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.3_Ensure_nodev_option_set_on_tmp_partition"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.4_Ensure_nosuid_option_set_on_tmp_partition"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.5_Ensure_noexec_option_set_on_tmp_partition"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.6_Ensure_devshm_is_configured"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.7_Ensure_nodev_option_set_on_devshm_partition"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.8_Ensure_nosuid_option_set_on_devshm_partition"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.9_Ensure_noexec_option_set_on_devshm_partition"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.12_Ensure_vartmp_partition_includes_the_nodev_option"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.13_Ensure_vartmp_partition_includes_the_nosuid_option"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.14_Ensure_vartmp_partition_includes_the_noexec_option"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.18_Ensure_home_partition_includes_the_nodev_option"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.19_Ensure_nodev_option_set_on_removable_media_partitions"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.20_Ensure_nosuid_option_set_on_removable_media_partitions"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.21_Ensure_noexec_option_set_on_removable_media_partitions"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.22_Ensure_sticky_bit_is_set_on_all_world-writable_directories"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.2.1_Ensure_package_manager_repositories_are_configured"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.2.2_Ensure_GPG_keys_are_configured"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.3.1_Ensure_AIDE_is_installed"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.3.2_Ensure_filesystem_integrity_is_regularly_checked"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.4.1_Ensure_permissions_on_bootloader_config_are_not_overridden"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.4.2_Ensure_bootloader_password_is_set"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.4.3_Ensure_permissions_on_bootloader_config_are_configured"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.4.4_Ensure_authentication_required_for_single_user_mode"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.5.1_Ensure_XDNX_support_is_enabled"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.5.2_Ensure_address_space_layout_randomization_ASLR_is_enabled"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.5.3_Ensure_prelink_is_not_installed"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.5.4_Ensure_core_dumps_are_restricted"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.6.1.1_Ensure_AppArmor_is_installed"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.6.1.2_Ensure_AppArmor_is_enabled_in_the_bootloader_configuration"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.6.1.3_Ensure_all_AppArmor_Profiles_are_in_enforce_or_complain_mode"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.7.1_Ensure_message_of_the_day_is_configured_properly"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.7.2_Ensure_local_login_warning_banner_is_configured_properly"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.7.3_Ensure_remote_login_warning_banner_is_configured_properly"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.7.4_Ensure_permissions_on_etcmotd_are_configured"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.7.5_Ensure_permissions_on_etcissue_are_configured"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.7.6_Ensure_permissions_on_etcissue.net_are_configured"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.8.2_Ensure_GDM_login_banner_is_configured"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.8.3_Ensure_disable-user-list_is_enabled"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.8.4_Ensure_XDCMP_is_not_enabled"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.9_Ensure_updates_patches_and_additional_security_software_are_installed"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.1.1.1_Ensure_time_synchronization_is_in_use"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.1.1.2_Ensure_systemd-timesyncd_is_configured"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.1.1.3_Ensure_chrony_is_configured"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.1.1.4_Ensure_ntp_is_configured"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.1.3_Ensure_Avahi_Server_is_not_installed"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.1.5_Ensure_DHCP_Server_is_not_installed"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.1.6_Ensure_LDAP_server_is_not_installed"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.1.7_Ensure_NFS_is_not_installed"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.1.8_Ensure_DNS_Server_is_not_installed"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.1.9_Ensure_FTP_Server_is_not_installed"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.1.10_Ensure_HTTP_server_is_not_installed"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.1.11_Ensure_IMAP_and_POP3_server_are_not_installed"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.1.12_Ensure_Samba_is_not_installed"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.1.13_Ensure_HTTP_Proxy_Server_is_not_installed"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.1.14_Ensure_SNMP_Server_is_not_installed"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.1.15_Ensure_mail_transfer_agent_is_configured_for_local-only_mode"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.1.16_Ensure_rsync_service_is_not_installed"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.1.17_Ensure_NIS_Server_is_not_installed"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.1_Ensure_NIS_Client_is_not_installed"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.2_Ensure_rsh_client_is_not_installed"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.3_Ensure_talk_client_is_not_installed"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.4_Ensure_telnet_client_is_not_installed"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.5_Ensure_LDAP_client_is_not_installed"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.6_Ensure__RPC_is_not_installed"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.3_Ensure_nonessential_services_are_removed_or_masked"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.2.1_Ensure_packet_redirect_sending_is_disabled"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.2.2_Ensure_IP_forwarding_is_disabled"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.3.1_Ensure_source_routed_packets_are_not_accepted"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.3.2_Ensure_ICMP_redirects_are_not_accepted"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.3.3_Ensure_secure_ICMP_redirects_are_not_accepted"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.3.4_Ensure_suspicious_packets_are_logged"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.3.5_Ensure_broadcast_ICMP_requests_are_ignored"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.3.6_Ensure_bogus_ICMP_responses_are_ignored"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.3.7_Ensure_Reverse_Path_Filtering_is_enabled"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.3.8_Ensure_TCP_SYN_Cookies_is_enabled"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.3.9_Ensure_IPv6_router_advertisements_are_not_accepted"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.1.1_Ensure_ufw_is_installed"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.1.2_Ensure_iptables-persistent_is_not_installed_with_ufw"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.1.3_Ensure_ufw_service_is_enabled"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.1.4_Ensure_ufw_loopback_traffic_is_configured"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.1.5_Ensure_ufw_outbound_connections_are_configured"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.1.6_Ensure_ufw_firewall_rules_exist_for_all_open_ports"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.1.7_Ensure_ufw_default_deny_firewall_policy"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.2.1_Ensure_nftables_is_installed"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.2.2_Ensure_ufw_is_uninstalled_or_disabled_with_nftables"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.2.3_Ensure_iptables_are_flushed_with_nftables"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.2.4_Ensure_a_nftables_table_exists"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.2.5_Ensure_nftables_base_chains_exist"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.2.6_Ensure_nftables_loopback_traffic_is_configured"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.2.7_Ensure_nftables_outbound_and_established_connections_are_configured"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.2.8_Ensure_nftables_default_deny_firewall_policy"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.2.9_Ensure_nftables_service_is_enabled"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.2.10_Ensure_nftables_rules_are_permanent"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.3.1.1_Ensure_iptables_packages_are_installed"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.3.1.2_Ensure_nftables_is_not_installed_with_iptables"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.3.1.3_Ensure_ufw_is_uninstalled_or_disabled_with_iptables"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.3.2.1_Ensure_iptables_loopback_traffic_is_configured"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.3.2.2_Ensure_iptables_outbound_and_established_connections_are_configured"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.3.2.3_Ensure_iptables_default_deny_firewall_policy"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.3.2.4_Ensure_iptables_firewall_rules_exist_for_all_open_ports"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.3.3.1_Ensure_ip6tables_loopback_traffic_is_configured"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.3.3.2_Ensure_ip6tables_outbound_and_established_connections_are_configured"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.3.3.3_Ensure_ip6tables_default_deny_firewall_policy"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.3.3.4_Ensure_ip6tables_firewall_rules_exist_for_all_open_ports"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.2.1.1_Ensure_rsyslog_is_installed"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.2.1.2_Ensure_rsyslog_Service_is_enabled"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.2.1.3_Ensure_logging_is_configured"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.2.1.4_Ensure_rsyslog_default_file_permissions_configured"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.2.1.5_Ensure_rsyslog_is_configured_to_send_logs_to_a_remote_log_host"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.2.1.6_Ensure_remote_rsyslog_messages_are_only_accepted_on_designated_log_hosts."
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.2.2.1_Ensure_journald_is_configured_to_send_logs_to_rsyslog"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.2.2.2_Ensure_journald_is_configured_to_compress_large_log_files"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.2.2.3_Ensure_journald_is_configured_to_write_logfiles_to_persistent_disk"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.2.3_Ensure_permissions_on_all_logfiles_are_configured"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.3_Ensure_logrotate_is_configured"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.4_Ensure_logrotate_assigns_appropriate_permissions"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.1.1_Ensure_cron_daemon_is_enabled_and_running"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.1.2_Ensure_permissions_on_etccrontab_are_configured"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.1.3_Ensure_permissions_on_etccron.hourly_are_configured"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.1.4_Ensure_permissions_on_etccron.daily_are_configured"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.1.5_Ensure_permissions_on_etccron.weekly_are_configured"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.1.6_Ensure_permissions_on_etccron.monthly_are_configured"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.1.7_Ensure_permissions_on_etccron.d_are_configured"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.1.8_Ensure_cron_is_restricted_to_authorized_users"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.1.9_Ensure_at_is_restricted_to_authorized_users"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.2.1_Ensure_sudo_is_installed"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.2.2_Ensure_sudo_commands_use_pty"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.2.3_Ensure_sudo_log_file_exists"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.3.1_Ensure_permissions_on_etcsshsshd_config_are_configured"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.3.2_Ensure_permissions_on_SSH_private_host_key_files_are_configured"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.3.3_Ensure_permissions_on_SSH_public_host_key_files_are_configured"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.3.4_Ensure_SSH_access_is_limited"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.3.5_Ensure_SSH_LogLevel_is_appropriate"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.3.6_Ensure_SSH_X11_forwarding_is_disabled"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.3.7_Ensure_SSH_MaxAuthTries_is_set_to_4_or_less"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.3.8_Ensure_SSH_IgnoreRhosts_is_enabled"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.3.9_Ensure_SSH_HostbasedAuthentication_is_disabled"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.3.10_Ensure_SSH_root_login_is_disabled"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.3.11_Ensure_SSH_PermitEmptyPasswords_is_disabled"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.3.12_Ensure_SSH_PermitUserEnvironment_is_disabled"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.3.13_Ensure_only_strong_Ciphers_are_used"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.3.14_Ensure_only_strong_MAC_algorithms_are_used"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.3.15_Ensure_only_strong_Key_Exchange_algorithms_are_used"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.3.16_Ensure_SSH_Idle_Timeout_Interval_is_configured"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.3.17_Ensure_SSH_LoginGraceTime_is_set_to_one_minute_or_less"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.3.18_Ensure_SSH_warning_banner_is_configured"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.3.19_Ensure_SSH_PAM_is_enabled"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.3.21_Ensure_SSH_MaxStartups_is_configured"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.3.22_Ensure_SSH_MaxSessions_is_limited"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.4.1_Ensure_password_creation_requirements_are_configured"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.4.2_Ensure_lockout_for_failed_password_attempts_is_configured"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.4.3_Ensure_password_reuse_is_limited"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.4.4_Ensure_password_hashing_algorithm_is_SHA-512"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.5.1.1_Ensure_minimum_days_between_password_changes_is__configured"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.5.1.2_Ensure_password_expiration_is_365_days_or_less"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.5.1.3_Ensure_password_expiration_warning_days_is_7_or_more"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.5.1.4_Ensure_inactive_password_lock_is_30_days_or_less"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.5.1.5_Ensure_all_users_last_password_change_date_is_in_the_past"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.5.2_Ensure_system_accounts_are_secured"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.5.3_Ensure_default_group_for_the_root_account_is_GID_0"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.5.4_Ensure_default_user_umask_is_027_or_more_restrictive"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.5.5_Ensure_default_user_shell_timeout_is_900_seconds_or_less"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.6_Ensure_root_login_is_restricted_to_system_console"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.7_Ensure_access_to_the_su_command_is_restricted"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.1.2_Ensure_permissions_on_etcpasswd_are_configured"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.1.3_Ensure_permissions_on_etcpasswd-_are_configured"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.1.4_Ensure_permissions_on_etcgroup_are_configured"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.1.5_Ensure_permissions_on_etcgroup-_are_configured"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.1.6_Ensure_permissions_on_etcshadow_are_configured"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.1.7_Ensure_permissions_on_etcshadow-_are_configured"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.1.8_Ensure_permissions_on_etcgshadow_are_configured"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.1.9_Ensure_permissions_on_etcgshadow-_are_configured"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.1.10_Ensure_no_world_writable_files_exist"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.1.11_Ensure_no_unowned_files_or_directories_exist"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.1.12_Ensure_no_ungrouped_files_or_directories_exist"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.1.13_Audit_SUID_executables"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.1.14_Audit_SGID_executables"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.2.1_Ensure_accounts_in_etcpasswd_use_shadowed_passwords"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.2.2_Ensure_password_fields_are_not_empty"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.2.3_Ensure_all_groups_in_etcpasswd_exist_in_etcgroup"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.2.4_Ensure_all_users_home_directories_exist"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.2.5_Ensure_users_own_their_home_directories"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.2.6_Ensure_users_home_directories_permissions_are_750_or_more_restrictive"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.2.7_Ensure_users_dot_files_are_not_group_or_world_writable"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.2.8_Ensure_no_users_have_.netrc_files"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.2.9_Ensure_no_users_have_.forward_files"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.2.10_Ensure_no_users_have_.rhosts_files"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.2.11_Ensure_root_is_the_only_UID_0_account"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.2.12_Ensure_root_PATH_Integrity"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.2.13_Ensure_no_duplicate_UIDs_exist"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.2.14_Ensure_no_duplicate_GIDs_exist"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.2.15_Ensure_no_duplicate_user_names_exist"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.2.16_Ensure_no_duplicate_group_names_exist"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.2.17_Ensure_shadow_group_is_empty"
                 selected="true"/>
</xccdf:Profile>
Level 2 - Workstation

This profile extends the "Level 1 - Workstation" profile. Items in this profile exhibit one or more of the following characteristics:

  • are intended for environments or use cases where security is paramount.
  • act as a defense in depth measure.
  • may negatively inhibit the utility or performance of the technology.

This profile is intended for workstations.
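The profile XML dumped in this report carries no XCCDF `extends` attribute: the Level 2 profile simply re-lists every rule from 1.1.1.1 onward, so the only way to see what Level 2 actually adds is a set difference of the `<xccdf:select>` elements. The following Python script is an added example, not code from the CIS-CAT report or from CIS; it parses XCCDF 1.2 profile elements of the kind shown on this page, honours `selected="false"` deselections, lists the rules one profile selects beyond another, and counts selected rules per benchmark section. The two embedded profiles are constructed and abbreviated: their rule ids are copied from this page's listings, but the particular split between them (and the one deselect) is illustrative and is not the benchmark's real Level 1/Level 2 assignment.

```python
"""Parse XCCDF 1.2 profile XML (as dumped in CIS-CAT reports) and diff two profiles.

Added example, not CIS-CAT or CIS code.  The two profiles below are constructed and
abbreviated: the rule ids are copied from this page's listings, but which rules land
in "Level 1" versus "Level 2" here is illustrative, not the benchmark's real split.
"""
import re
import xml.etree.ElementTree as ET
from collections import Counter

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"
RULE_PREFIX = "xccdf_org.cisecurity.benchmarks_rule_"

# Constructed sample: a short "base" profile.
LEVEL1_XML = """<xccdf:Profile xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2"
    id="xccdf_org.cisecurity.benchmarks_profile_Level_1_-_Workstation">
  <xccdf:title xml:lang="en">Level 1 - Workstation</xccdf:title>
  <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.1.1_Ensure_mounting_of_cramfs_filesystems_is_disabled" selected="true"/>
  <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.2.1_Ensure_sudo_is_installed" selected="true"/>
  <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.3.10_Ensure_SSH_root_login_is_disabled" selected="true"/>
  <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.2.11_Ensure_root_is_the_only_UID_0_account" selected="true"/>
</xccdf:Profile>"""

# Constructed sample: an "extended" profile that re-lists the base rules, adds three,
# and carries one deselect purely to exercise selected="false" handling.
LEVEL2_XML = """<xccdf:Profile xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2"
    id="xccdf_org.cisecurity.benchmarks_profile_Level_2_-_Workstation">
  <xccdf:title xml:lang="en">Level 2 - Workstation</xccdf:title>
  <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.1.1_Ensure_mounting_of_cramfs_filesystems_is_disabled" selected="true"/>
  <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.10_Ensure_separate_partition_exists_for_var" selected="true"/>
  <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.6.1.4_Ensure_all_AppArmor_Profiles_are_enforcing" selected="true"/>
  <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.1.1.1_Ensure_auditd_is_installed" selected="true"/>
  <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.2.1_Ensure_sudo_is_installed" selected="true"/>
  <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.3.10_Ensure_SSH_root_login_is_disabled" selected="true"/>
  <!-- constructed deselect, only so the parser's selected="false" path is exercised -->
  <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.2.11_Ensure_root_is_the_only_UID_0_account" selected="false"/>
</xccdf:Profile>"""


def xccdf_bool(value: str) -> bool:
    """XCCDF 'selected' is an xs:boolean: 'true'/'1' select a rule, 'false'/'0' deselect it."""
    return value.strip().lower() in ("true", "1")


def parse_profile(xml_text: str):
    """Return (profile id, title, set of selected rule idrefs) for one <xccdf:Profile>.

    Selects are applied in document order, so a later <select> for the same idref
    overrides an earlier one.  The element must carry the xccdf namespace declaration,
    as the profile dumps in CIS-CAT reports do.
    """
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{XCCDF_NS}}}Profile":
        raise ValueError(f"not an XCCDF 1.2 Profile element: {root.tag}")
    title_el = root.find(f"{{{XCCDF_NS}}}title")
    title = title_el.text.strip() if title_el is not None and title_el.text else ""
    state = {}
    for sel in root.findall(f"{{{XCCDF_NS}}}select"):
        idref = sel.get("idref")
        if not idref:
            continue  # malformed select that references no rule
        # 'selected' is required by the schema; default to true only for leniency.
        state[idref] = xccdf_bool(sel.get("selected", "true"))
    return root.get("id", ""), title, {r for r, on in state.items() if on}


def rule_section(idref: str) -> str:
    """'..._rule_5.3.10_Ensure_SSH_root_login_is_disabled' -> '5.3.10'."""
    if not idref.startswith(RULE_PREFIX):
        raise ValueError(f"unexpected rule id: {idref}")
    return idref[len(RULE_PREFIX):].split("_", 1)[0]


def rule_title(idref: str) -> str:
    """'..._rule_5.3.10_Ensure_SSH_root_login_is_disabled' -> 'Ensure SSH root login is disabled'."""
    rest = idref[len(RULE_PREFIX):].split("_", 1)
    return re.sub(r"_+", " ", rest[1]) if len(rest) == 2 else ""


def section_key(section: str):
    """Numeric sort key so that 1.1.10 sorts after 1.1.9 rather than after 1.1.1."""
    return tuple(int(p) for p in section.split("."))


def profile_delta(base_rules: set, extended_rules: set):
    """Rules the extended profile adds over, and drops from, the base profile (section order)."""
    by_section = lambda r: section_key(rule_section(r))
    added = sorted(extended_rules - base_rules, key=by_section)
    dropped = sorted(base_rules - extended_rules, key=by_section)
    return added, dropped


def rules_per_top_section(rule_ids: set) -> Counter:
    """Count selected rules per top-level benchmark section ('1' Initial Setup, '5' Access, ...)."""
    return Counter(rule_section(r).split(".")[0] for r in rule_ids)


if __name__ == "__main__":
    _, l1_title, l1_rules = parse_profile(LEVEL1_XML)
    _, l2_title, l2_rules = parse_profile(LEVEL2_XML)
    added, dropped = profile_delta(l1_rules, l2_rules)
    print(f"{l2_title!r} adds {len(added)} rule(s) over {l1_title!r} and drops {len(dropped)}:")
    for r in added:
        print(f"  + {rule_section(r):<8} {rule_title(r)}")
    for r in dropped:
        print(f"  - {rule_section(r):<8} {rule_title(r)}")
    print("selected rules per top-level section:", dict(sorted(rules_per_top_section(l2_rules).items())))
```

To run this against the real profiles, feed `parse_profile` each `<xccdf:Profile>` element as it appears in the report (the `xmlns:xccdf` declaration on the element is what lets the parser resolve the tags). Because the dumped profiles inline the whole select list rather than using XCCDF profile inheritance, the `profile_delta` set difference is also a cheap way to audit a site tailoring against the CIS profile it claims to be based on.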

Profile XML
<xccdf:Profile xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2"
               xmlns="http://checklists.nist.gov/xccdf/1.2"
               xmlns:ae="http://benchmarks.cisecurity.org/ae/0.5"
               xmlns:cc6="http://cisecurity.org/20-cc/v6.1"
               xmlns:cc7="http://cisecurity.org/20-cc/v7.0"
               xmlns:ciscf="https://benchmarks.cisecurity.org/ciscf/1.0"
               xmlns:notes="http://benchmarks.cisecurity.org/notes"
               xmlns:xhtml="http://www.w3.org/1999/xhtml"
               xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
               xmlns:sce="http://open-scap.org/page/SCE_xccdf_stream"
               xmlns:cat="urn:oasis:names:tc:entity:xmlns:xml:catalog"
               xmlns:ds="http://scap.nist.gov/schema/scap/source/1.2"
               xmlns:xlink="http://www.w3.org/1999/xlink"
               xmlns:scap-con="http://scap.nist.gov/schema/scap/constructs/1.2"
               xmlns:arf="http://scap.nist.gov/schema/asset-reporting-format/1.1"
               xmlns:dsc="http://scap.nist.gov/schema/scap/source/1.2"
               xmlns:ai="http://scap.nist.gov/schema/asset-identification/1.1"
               id="xccdf_org.cisecurity.benchmarks_profile_Level_2_-_Workstation">
   <xccdf:title xml:lang="en">Level 2 - Workstation</xccdf:title>
   <xccdf:description xml:lang="en">
      <xhtml:p>This profile extends the "Level 1 - Workstation" profile. Items in this profile exhibit one or more of the following characteristics:</xhtml:p>
      <xhtml:ul>
         <xhtml:li>are intended for environments or use cases where security is paramount.</xhtml:li>
         <xhtml:li>act as a defense in depth measure.</xhtml:li>
         <xhtml:li>may negatively inhibit the utility or performance of the technology.</xhtml:li>
      </xhtml:ul>
      <xhtml:p>This profile is intended for workstations.</xhtml:p>
   </xccdf:description>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.1.1_Ensure_mounting_of_cramfs_filesystems_is_disabled"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.1.2_Ensure_mounting_of_freevxfs_filesystems_is_disabled"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.1.3_Ensure_mounting_of_jffs2_filesystems_is_disabled"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.1.4_Ensure_mounting_of_hfs_filesystems_is_disabled"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.1.5_Ensure_mounting_of_hfsplus_filesystems_is_disabled"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.1.6_Ensure_mounting_of_squashfs_filesystems_is_disabled"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.1.7_Ensure_mounting_of_udf_filesystems_is_disabled"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.2_Ensure_tmp_is_configured"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.3_Ensure_nodev_option_set_on_tmp_partition"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.4_Ensure_nosuid_option_set_on_tmp_partition"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.5_Ensure_noexec_option_set_on_tmp_partition"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.6_Ensure_devshm_is_configured"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.7_Ensure_nodev_option_set_on_devshm_partition"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.8_Ensure_nosuid_option_set_on_devshm_partition"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.9_Ensure_noexec_option_set_on_devshm_partition"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.10_Ensure_separate_partition_exists_for_var"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.11_Ensure_separate_partition_exists_for_vartmp"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.12_Ensure_vartmp_partition_includes_the_nodev_option"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.13_Ensure_vartmp_partition_includes_the_nosuid_option"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.14_Ensure_vartmp_partition_includes_the_noexec_option"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.15_Ensure_separate_partition_exists_for_varlog"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.16_Ensure_separate_partition_exists_for_varlogaudit"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.17_Ensure_separate_partition_exists_for_home"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.18_Ensure_home_partition_includes_the_nodev_option"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.19_Ensure_nodev_option_set_on_removable_media_partitions"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.20_Ensure_nosuid_option_set_on_removable_media_partitions"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.21_Ensure_noexec_option_set_on_removable_media_partitions"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.22_Ensure_sticky_bit_is_set_on_all_world-writable_directories"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.23_Disable_Automounting"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.24_Disable_USB_Storage"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.2.1_Ensure_package_manager_repositories_are_configured"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.2.2_Ensure_GPG_keys_are_configured"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.3.1_Ensure_AIDE_is_installed"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.3.2_Ensure_filesystem_integrity_is_regularly_checked"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.4.1_Ensure_permissions_on_bootloader_config_are_not_overridden"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.4.2_Ensure_bootloader_password_is_set"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.4.3_Ensure_permissions_on_bootloader_config_are_configured"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.4.4_Ensure_authentication_required_for_single_user_mode"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.5.1_Ensure_XDNX_support_is_enabled"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.5.2_Ensure_address_space_layout_randomization_ASLR_is_enabled"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.5.3_Ensure_prelink_is_not_installed"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.5.4_Ensure_core_dumps_are_restricted"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.6.1.1_Ensure_AppArmor_is_installed"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.6.1.2_Ensure_AppArmor_is_enabled_in_the_bootloader_configuration"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.6.1.3_Ensure_all_AppArmor_Profiles_are_in_enforce_or_complain_mode"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.6.1.4_Ensure_all_AppArmor_Profiles_are_enforcing"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.7.1_Ensure_message_of_the_day_is_configured_properly"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.7.2_Ensure_local_login_warning_banner_is_configured_properly"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.7.3_Ensure_remote_login_warning_banner_is_configured_properly"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.7.4_Ensure_permissions_on_etcmotd_are_configured"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.7.5_Ensure_permissions_on_etcissue_are_configured"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.7.6_Ensure_permissions_on_etcissue.net_are_configured"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.8.2_Ensure_GDM_login_banner_is_configured"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.8.3_Ensure_disable-user-list_is_enabled"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.8.4_Ensure_XDCMP_is_not_enabled"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_1.9_Ensure_updates_patches_and_additional_security_software_are_installed"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.1.1.1_Ensure_time_synchronization_is_in_use"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.1.1.2_Ensure_systemd-timesyncd_is_configured"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.1.1.3_Ensure_chrony_is_configured"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.1.1.4_Ensure_ntp_is_configured"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.1.3_Ensure_Avahi_Server_is_not_installed"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.1.4_Ensure_CUPS_is_not_installed"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.1.5_Ensure_DHCP_Server_is_not_installed"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.1.6_Ensure_LDAP_server_is_not_installed"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.1.7_Ensure_NFS_is_not_installed"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.1.8_Ensure_DNS_Server_is_not_installed"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.1.9_Ensure_FTP_Server_is_not_installed"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.1.10_Ensure_HTTP_server_is_not_installed"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.1.11_Ensure_IMAP_and_POP3_server_are_not_installed"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.1.12_Ensure_Samba_is_not_installed"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.1.13_Ensure_HTTP_Proxy_Server_is_not_installed"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.1.14_Ensure_SNMP_Server_is_not_installed"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.1.15_Ensure_mail_transfer_agent_is_configured_for_local-only_mode"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.1.16_Ensure_rsync_service_is_not_installed"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.1.17_Ensure_NIS_Server_is_not_installed"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.1_Ensure_NIS_Client_is_not_installed"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.2_Ensure_rsh_client_is_not_installed"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.3_Ensure_talk_client_is_not_installed"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.4_Ensure_telnet_client_is_not_installed"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.5_Ensure_LDAP_client_is_not_installed"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.6_Ensure__RPC_is_not_installed"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_2.3_Ensure_nonessential_services_are_removed_or_masked"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.1.1_Disable_IPv6"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.1.2_Ensure_wireless_interfaces_are_disabled"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.2.1_Ensure_packet_redirect_sending_is_disabled"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.2.2_Ensure_IP_forwarding_is_disabled"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.3.1_Ensure_source_routed_packets_are_not_accepted"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.3.2_Ensure_ICMP_redirects_are_not_accepted"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.3.3_Ensure_secure_ICMP_redirects_are_not_accepted"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.3.4_Ensure_suspicious_packets_are_logged"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.3.5_Ensure_broadcast_ICMP_requests_are_ignored"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.3.6_Ensure_bogus_ICMP_responses_are_ignored"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.3.7_Ensure_Reverse_Path_Filtering_is_enabled"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.3.8_Ensure_TCP_SYN_Cookies_is_enabled"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.3.9_Ensure_IPv6_router_advertisements_are_not_accepted"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.4.1_Ensure_DCCP_is_disabled"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.4.2_Ensure_SCTP_is_disabled"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.4.3_Ensure_RDS_is_disabled"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.4.4_Ensure_TIPC_is_disabled"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.1.1_Ensure_ufw_is_installed"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.1.2_Ensure_iptables-persistent_is_not_installed_with_ufw"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.1.3_Ensure_ufw_service_is_enabled"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.1.4_Ensure_ufw_loopback_traffic_is_configured"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.1.5_Ensure_ufw_outbound_connections_are_configured"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.1.6_Ensure_ufw_firewall_rules_exist_for_all_open_ports"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.1.7_Ensure_ufw_default_deny_firewall_policy"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.2.1_Ensure_nftables_is_installed"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.2.2_Ensure_ufw_is_uninstalled_or_disabled_with_nftables"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.2.3_Ensure_iptables_are_flushed_with_nftables"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.2.4_Ensure_a_nftables_table_exists"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.2.5_Ensure_nftables_base_chains_exist"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.2.6_Ensure_nftables_loopback_traffic_is_configured"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.2.7_Ensure_nftables_outbound_and_established_connections_are_configured"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.2.8_Ensure_nftables_default_deny_firewall_policy"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.2.9_Ensure_nftables_service_is_enabled"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.2.10_Ensure_nftables_rules_are_permanent"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.3.1.1_Ensure_iptables_packages_are_installed"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.3.1.2_Ensure_nftables_is_not_installed_with_iptables"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.3.1.3_Ensure_ufw_is_uninstalled_or_disabled_with_iptables"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.3.2.1_Ensure_iptables_loopback_traffic_is_configured"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.3.2.2_Ensure_iptables_outbound_and_established_connections_are_configured"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.3.2.3_Ensure_iptables_default_deny_firewall_policy"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.3.2.4_Ensure_iptables_firewall_rules_exist_for_all_open_ports"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.3.3.1_Ensure_ip6tables_loopback_traffic_is_configured"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.3.3.2_Ensure_ip6tables_outbound_and_established_connections_are_configured"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.3.3.3_Ensure_ip6tables_default_deny_firewall_policy"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_3.5.3.3.4_Ensure_ip6tables_firewall_rules_exist_for_all_open_ports"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.1.1.1_Ensure_auditd_is_installed"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.1.1.2_Ensure_auditd_service_is_enabled"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.1.1.3_Ensure_auditing_for_processes_that_start_prior_to_auditd_is_enabled"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.1.1.4_Ensure_audit_backlog_limit_is_sufficient"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.1.2.1_Ensure_audit_log_storage_size_is_configured"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.1.2.2_Ensure_audit_logs_are_not_automatically_deleted"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.1.2.3_Ensure_system_is_disabled_when_audit_logs_are_full"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.1.3_Ensure_events_that_modify_date_and_time_information_are_collected"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.1.4_Ensure_events_that_modify_usergroup_information_are_collected"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.1.5_Ensure_events_that_modify_the_systems_network_environment_are_collected"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.1.6_Ensure_events_that_modify_the_systems_Mandatory_Access_Controls_are_collected"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.1.7_Ensure_login_and_logout_events_are_collected"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.1.8_Ensure_session_initiation_information_is_collected"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.1.9_Ensure_discretionary_access_control_permission_modification_events_are_collected"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.1.10_Ensure_unsuccessful_unauthorized_file_access_attempts_are_collected"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.1.11_Ensure_use_of_privileged_commands_is_collected"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.1.12_Ensure_successful_file_system_mounts_are_collected"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.1.13_Ensure_file_deletion_events_by_users_are_collected"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.1.14_Ensure_changes_to_system_administration_scope_sudoers_is_collected"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.1.15_Ensure_system_administrator_command_executions_sudo_are_collected"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.1.16_Ensure_kernel_module_loading_and_unloading_is_collected"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.1.17_Ensure_the_audit_configuration_is_immutable"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.2.1.1_Ensure_rsyslog_is_installed"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.2.1.2_Ensure_rsyslog_Service_is_enabled"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.2.1.3_Ensure_logging_is_configured"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.2.1.4_Ensure_rsyslog_default_file_permissions_configured"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.2.1.5_Ensure_rsyslog_is_configured_to_send_logs_to_a_remote_log_host"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.2.1.6_Ensure_remote_rsyslog_messages_are_only_accepted_on_designated_log_hosts."
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.2.2.1_Ensure_journald_is_configured_to_send_logs_to_rsyslog"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.2.2.2_Ensure_journald_is_configured_to_compress_large_log_files"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.2.2.3_Ensure_journald_is_configured_to_write_logfiles_to_persistent_disk"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.2.3_Ensure_permissions_on_all_logfiles_are_configured"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.3_Ensure_logrotate_is_configured"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_4.4_Ensure_logrotate_assigns_appropriate_permissions"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.1.1_Ensure_cron_daemon_is_enabled_and_running"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.1.2_Ensure_permissions_on_etccrontab_are_configured"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.1.3_Ensure_permissions_on_etccron.hourly_are_configured"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.1.4_Ensure_permissions_on_etccron.daily_are_configured"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.1.5_Ensure_permissions_on_etccron.weekly_are_configured"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.1.6_Ensure_permissions_on_etccron.monthly_are_configured"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.1.7_Ensure_permissions_on_etccron.d_are_configured"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.1.8_Ensure_cron_is_restricted_to_authorized_users"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.1.9_Ensure_at_is_restricted_to_authorized_users"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.2.1_Ensure_sudo_is_installed"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.2.2_Ensure_sudo_commands_use_pty"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.2.3_Ensure_sudo_log_file_exists"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.3.1_Ensure_permissions_on_etcsshsshd_config_are_configured"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.3.2_Ensure_permissions_on_SSH_private_host_key_files_are_configured"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.3.3_Ensure_permissions_on_SSH_public_host_key_files_are_configured"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.3.4_Ensure_SSH_access_is_limited"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.3.5_Ensure_SSH_LogLevel_is_appropriate"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.3.6_Ensure_SSH_X11_forwarding_is_disabled"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.3.7_Ensure_SSH_MaxAuthTries_is_set_to_4_or_less"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.3.8_Ensure_SSH_IgnoreRhosts_is_enabled"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.3.9_Ensure_SSH_HostbasedAuthentication_is_disabled"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.3.10_Ensure_SSH_root_login_is_disabled"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.3.11_Ensure_SSH_PermitEmptyPasswords_is_disabled"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.3.12_Ensure_SSH_PermitUserEnvironment_is_disabled"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.3.13_Ensure_only_strong_Ciphers_are_used"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.3.14_Ensure_only_strong_MAC_algorithms_are_used"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.3.15_Ensure_only_strong_Key_Exchange_algorithms_are_used"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.3.16_Ensure_SSH_Idle_Timeout_Interval_is_configured"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.3.17_Ensure_SSH_LoginGraceTime_is_set_to_one_minute_or_less"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.3.18_Ensure_SSH_warning_banner_is_configured"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.3.19_Ensure_SSH_PAM_is_enabled"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.3.20_Ensure_SSH_AllowTcpForwarding_is_disabled"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.3.21_Ensure_SSH_MaxStartups_is_configured"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.3.22_Ensure_SSH_MaxSessions_is_limited"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.4.1_Ensure_password_creation_requirements_are_configured"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.4.2_Ensure_lockout_for_failed_password_attempts_is_configured"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.4.3_Ensure_password_reuse_is_limited"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.4.4_Ensure_password_hashing_algorithm_is_SHA-512"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.5.1.1_Ensure_minimum_days_between_password_changes_is__configured"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.5.1.2_Ensure_password_expiration_is_365_days_or_less"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.5.1.3_Ensure_password_expiration_warning_days_is_7_or_more"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.5.1.4_Ensure_inactive_password_lock_is_30_days_or_less"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.5.1.5_Ensure_all_users_last_password_change_date_is_in_the_past"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.5.2_Ensure_system_accounts_are_secured"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.5.3_Ensure_default_group_for_the_root_account_is_GID_0"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.5.4_Ensure_default_user_umask_is_027_or_more_restrictive"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.5.5_Ensure_default_user_shell_timeout_is_900_seconds_or_less"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.6_Ensure_root_login_is_restricted_to_system_console"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_5.7_Ensure_access_to_the_su_command_is_restricted"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.1.1_Audit_system_file_permissions"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.1.2_Ensure_permissions_on_etcpasswd_are_configured"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.1.3_Ensure_permissions_on_etcpasswd-_are_configured"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.1.4_Ensure_permissions_on_etcgroup_are_configured"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.1.5_Ensure_permissions_on_etcgroup-_are_configured"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.1.6_Ensure_permissions_on_etcshadow_are_configured"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.1.7_Ensure_permissions_on_etcshadow-_are_configured"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.1.8_Ensure_permissions_on_etcgshadow_are_configured"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.1.9_Ensure_permissions_on_etcgshadow-_are_configured"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.1.10_Ensure_no_world_writable_files_exist"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.1.11_Ensure_no_unowned_files_or_directories_exist"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.1.12_Ensure_no_ungrouped_files_or_directories_exist"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.1.13_Audit_SUID_executables"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.1.14_Audit_SGID_executables"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.2.1_Ensure_accounts_in_etcpasswd_use_shadowed_passwords"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.2.2_Ensure_password_fields_are_not_empty"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.2.3_Ensure_all_groups_in_etcpasswd_exist_in_etcgroup"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.2.4_Ensure_all_users_home_directories_exist"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.2.5_Ensure_users_own_their_home_directories"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.2.6_Ensure_users_home_directories_permissions_are_750_or_more_restrictive"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.2.7_Ensure_users_dot_files_are_not_group_or_world_writable"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.2.8_Ensure_no_users_have_.netrc_files"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.2.9_Ensure_no_users_have_.forward_files"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.2.10_Ensure_no_users_have_.rhosts_files"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.2.11_Ensure_root_is_the_only_UID_0_account"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.2.12_Ensure_root_PATH_Integrity"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.2.13_Ensure_no_duplicate_UIDs_exist"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.2.14_Ensure_no_duplicate_GIDs_exist"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.2.15_Ensure_no_duplicate_user_names_exist"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.2.16_Ensure_no_duplicate_group_names_exist"
                 selected="true"/>
   <xccdf:select idref="xccdf_org.cisecurity.benchmarks_rule_6.2.17_Ensure_shadow_group_is_empty"
                 selected="true"/>
</xccdf:Profile>

Assessment Results

Weight Benchmark Item Result
1 Initial Setup
1.1 Filesystem Configuration
1.1.1 Disable unused filesystems
1.0 1.1.1.1 Ensure mounting of cramfs filesystems is disabled Pass
1.0 1.1.1.2 Ensure mounting of freevxfs filesystems is disabled Pass
1.0 1.1.1.3 Ensure mounting of jffs2 filesystems is disabled Pass
1.0 1.1.1.4 Ensure mounting of hfs filesystems is disabled Pass
1.0 1.1.1.5 Ensure mounting of hfsplus filesystems is disabled Pass
1.0 1.1.1.7 Ensure mounting of udf filesystems is disabled Pass
1.0 1.1.2 Ensure /tmp is configured Pass
1.0 1.1.3 Ensure nodev option set on /tmp partition Pass
1.0 1.1.4 Ensure nosuid option set on /tmp partition Pass
1.0 1.1.5 Ensure noexec option set on /tmp partition Pass
1.0 1.1.6 Ensure /dev/shm is configured Pass
1.0 1.1.7 Ensure nodev option set on /dev/shm partition Pass
1.0 1.1.8 Ensure nosuid option set on /dev/shm partition Pass
1.0 1.1.9 Ensure noexec option set on /dev/shm partition Pass
1.0 1.1.12 Ensure /var/tmp partition includes the nodev option Pass
1.0 1.1.13 Ensure /var/tmp partition includes the nosuid option Pass
1.0 1.1.14 Ensure /var/tmp partition includes the noexec option Pass
1.0 1.1.18 Ensure /home partition includes the nodev option Pass
1.1.19 Ensure nodev option set on removable media partitions Manual
1.1.20 Ensure nosuid option set on removable media partitions Manual
1.1.21 Ensure noexec option set on removable media partitions Manual
1.0 1.1.22 Ensure sticky bit is set on all world-writable directories Pass
1.0 1.1.23 Disable Automounting Pass
1.0 1.1.24 Disable USB Storage Pass
1.2 Configure Software Updates
1.2.1 Ensure package manager repositories are configured Manual
1.2.2 Ensure GPG keys are configured Manual
1.3 Filesystem Integrity Checking
1.0 1.3.1 Ensure AIDE is installed Pass
1.0 1.3.2 Ensure filesystem integrity is regularly checked Pass
1.4 Secure Boot Settings
1.0 1.4.1 Ensure permissions on bootloader config are not overridden Pass
1.0 1.4.2 Ensure bootloader password is set Pass
1.0 1.4.3 Ensure permissions on bootloader config are configured Pass
1.0 1.4.4 Ensure authentication required for single user mode Pass
1.5 Additional Process Hardening
1.5.1 Ensure XD/NX support is enabled Manual
1.0 1.5.2 Ensure address space layout randomization (ASLR) is enabled Pass
1.0 1.5.3 Ensure prelink is not installed Pass
1.0 1.5.4 Ensure core dumps are restricted Pass
1.6 Mandatory Access Control
1.6.1 Configure AppArmor
1.0 1.6.1.1 Ensure AppArmor is installed Pass
1.0 1.6.1.2 Ensure AppArmor is enabled in the bootloader configuration Pass
1.0 1.6.1.3 Ensure all AppArmor Profiles are in enforce or complain mode Pass
1.7 Command Line Warning Banners
1.0 1.7.1 Ensure message of the day is configured properly Pass
1.0 1.7.2 Ensure local login warning banner is configured properly Pass
1.0 1.7.3 Ensure remote login warning banner is configured properly Pass
1.0 1.7.4 Ensure permissions on /etc/motd are configured Pass
1.0 1.7.5 Ensure permissions on /etc/issue are configured Pass
1.0 1.7.6 Ensure permissions on /etc/issue.net are configured Pass
1.8 GNOME Display Manager
1.0 1.8.2 Ensure GDM login banner is configured Pass
1.0 1.8.3 Ensure disable-user-list is enabled Pass
1.0 1.8.4 Ensure XDCMP is not enabled Pass
1.9 Ensure updates, patches, and additional security software are installed Manual
2 Services
2.1 Special Purpose Services
2.1.1 Time Synchronization
1.0 2.1.1.1 Ensure time synchronization is in use Pass
1.0 2.1.1.2 Ensure systemd-timesyncd is configured Pass
1.0 2.1.1.3 Ensure chrony is configured Pass
1.0 2.1.1.4 Ensure ntp is configured Pass
1.0 2.1.2 Ensure X Window System is not installed Pass
1.0 2.1.3 Ensure Avahi Server is not installed Pass
1.0 2.1.4 Ensure CUPS is not installed Pass
1.0 2.1.5 Ensure DHCP Server is not installed Pass
1.0 2.1.6 Ensure LDAP server is not installed Pass
1.0 2.1.7 Ensure NFS is not installed Pass
1.0 2.1.8 Ensure DNS Server is not installed Pass
1.0 2.1.9 Ensure FTP Server is not installed Pass
1.0 2.1.10 Ensure HTTP server is not installed Pass
1.0 2.1.11 Ensure IMAP and POP3 server are not installed Pass
1.0 2.1.12 Ensure Samba is not installed Pass
1.0 2.1.13 Ensure HTTP Proxy Server is not installed Pass
1.0 2.1.14 Ensure SNMP Server is not installed Pass
1.0 2.1.15 Ensure mail transfer agent is configured for local-only mode Pass
1.0 2.1.16 Ensure rsync service is not installed Pass
1.0 2.1.17 Ensure NIS Server is not installed Pass
2.2 Service Clients
1.0 2.2.1 Ensure NIS Client is not installed Pass
1.0 2.2.2 Ensure rsh client is not installed Pass
1.0 2.2.3 Ensure talk client is not installed Pass
1.0 2.2.4 Ensure telnet client is not installed Pass
1.0 2.2.5 Ensure LDAP client is not installed Pass
1.0 2.2.6 Ensure RPC is not installed Pass
2.3 Ensure nonessential services are removed or masked Manual
3 Network Configuration
3.1 Disable unused network protocols and devices
1.0 3.1.2 Ensure wireless interfaces are disabled Pass
3.2 Network Parameters (Host Only)
1.0 3.2.1 Ensure packet redirect sending is disabled Pass
1.0 3.2.2 Ensure IP forwarding is disabled Pass
3.3 Network Parameters (Host and Router)
1.0 3.3.1 Ensure source routed packets are not accepted Pass
1.0 3.3.2 Ensure ICMP redirects are not accepted Pass
1.0 3.3.3 Ensure secure ICMP redirects are not accepted Pass
1.0 3.3.4 Ensure suspicious packets are logged Pass
1.0 3.3.5 Ensure broadcast ICMP requests are ignored Pass
1.0 3.3.6 Ensure bogus ICMP responses are ignored Pass
1.0 3.3.7 Ensure Reverse Path Filtering is enabled Pass
1.0 3.3.8 Ensure TCP SYN Cookies is enabled Pass
1.0 3.3.9 Ensure IPv6 router advertisements are not accepted Pass
3.4 Uncommon Network Protocols
3.5 Firewall Configuration
3.5.1 Configure UncomplicatedFirewall
1.0 3.5.1.1 Ensure ufw is installed Pass
1.0 3.5.1.2 Ensure iptables-persistent is not installed with ufw Pass
1.0 3.5.1.3 Ensure ufw service is enabled Pass
1.0 3.5.1.4 Ensure ufw loopback traffic is configured Pass
3.5.1.5 Ensure ufw outbound connections are configured Manual
3.5.1.6 Ensure ufw firewall rules exist for all open ports Manual
1.0 3.5.1.7 Ensure ufw default deny firewall policy Pass
3.5.2 Configure nftables
1.0 3.5.2.1 Ensure nftables is installed Pass
1.0 3.5.2.2 Ensure ufw is uninstalled or disabled with nftables Pass
3.5.2.3 Ensure iptables are flushed with nftables Manual
1.0 3.5.2.4 Ensure a nftables table exists Pass
1.0 3.5.2.5 Ensure nftables base chains exist Pass
1.0 3.5.2.6 Ensure nftables loopback traffic is configured Pass
3.5.2.7 Ensure nftables outbound and established connections are configured Manual
1.0 3.5.2.8 Ensure nftables default deny firewall policy Pass
1.0 3.5.2.9 Ensure nftables service is enabled Pass
1.0 3.5.2.10 Ensure nftables rules are permanent Pass
3.5.3 Configure iptables
3.5.3.1 Configure iptables software
1.0 3.5.3.1.1 Ensure iptables packages are installed Pass
1.0 3.5.3.1.2 Ensure nftables is not installed with iptables Pass
1.0 3.5.3.1.3 Ensure ufw is uninstalled or disabled with iptables Pass
3.5.3.2 Configure IPv4 iptables
1.0 3.5.3.2.1 Ensure iptables loopback traffic is configured Pass
3.5.3.2.2 Ensure iptables outbound and established connections are configured Manual
1.0 3.5.3.2.3 Ensure iptables default deny firewall policy Pass
1.0 3.5.3.2.4 Ensure iptables firewall rules exist for all open ports Pass
3.5.3.3 Configure IPv6 ip6tables
1.0 3.5.3.3.1 Ensure ip6tables loopback traffic is configured Pass
3.5.3.3.2 Ensure ip6tables outbound and established connections are configured Manual
1.0 3.5.3.3.3 Ensure ip6tables default deny firewall policy Pass
1.0 3.5.3.3.4 Ensure ip6tables firewall rules exist for all open ports Pass
4 Logging and Auditing
4.1 Configure System Accounting (auditd)
4.1.1 Ensure auditing is enabled
4.1.2 Configure Data Retention
4.2 Configure Logging
4.2.1 Configure rsyslog
1.0 4.2.1.1 Ensure rsyslog is installed Pass
1.0 4.2.1.2 Ensure rsyslog Service is enabled Pass
4.2.1.3 Ensure logging is configured Manual
1.0 4.2.1.4 Ensure rsyslog default file permissions configured Pass
1.0 4.2.1.5 Ensure rsyslog is configured to send logs to a remote log host Fail
4.2.1.6 Ensure remote rsyslog messages are only accepted on designated log hosts. Manual
4.2.2 Configure journald
1.0 4.2.2.1 Ensure journald is configured to send logs to rsyslog Pass
1.0 4.2.2.2 Ensure journald is configured to compress large log files Pass
1.0 4.2.2.3 Ensure journald is configured to write logfiles to persistent disk Pass
1.0 4.2.3 Ensure permissions on all logfiles are configured Pass
4.3 Ensure logrotate is configured Manual
1.0 4.4 Ensure logrotate assigns appropriate permissions Pass
5 Access, Authentication and Authorization
5.1 Configure time-based job schedulers
1.0 5.1.1 Ensure cron daemon is enabled and running Pass
1.0 5.1.2 Ensure permissions on /etc/crontab are configured Pass
1.0 5.1.3 Ensure permissions on /etc/cron.hourly are configured Pass
1.0 5.1.4 Ensure permissions on /etc/cron.daily are configured Pass
1.0 5.1.5 Ensure permissions on /etc/cron.weekly are configured Pass
1.0 5.1.6 Ensure permissions on /etc/cron.monthly are configured Pass
1.0 5.1.7 Ensure permissions on /etc/cron.d are configured Pass
1.0 5.1.8 Ensure cron is restricted to authorized users Pass
1.0 5.1.9 Ensure at is restricted to authorized users Pass
5.2 Configure sudo
1.0 5.2.1 Ensure sudo is installed Pass
1.0 5.2.2 Ensure sudo commands use pty Pass
1.0 5.2.3 Ensure sudo log file exists Pass
5.3 Configure SSH Server
1.0 5.3.1 Ensure permissions on /etc/ssh/sshd_config are configured Pass
1.0 5.3.2 Ensure permissions on SSH private host key files are configured Pass
1.0 5.3.3 Ensure permissions on SSH public host key files are configured Pass
1.0 5.3.4 Ensure SSH access is limited Pass
1.0 5.3.5 Ensure SSH LogLevel is appropriate Pass
1.0 5.3.7 Ensure SSH MaxAuthTries is set to 4 or less Pass
1.0 5.3.8 Ensure SSH IgnoreRhosts is enabled Pass
1.0 5.3.9 Ensure SSH HostbasedAuthentication is disabled Pass
1.0 5.3.10 Ensure SSH root login is disabled Pass
1.0 5.3.11 Ensure SSH PermitEmptyPasswords is disabled Pass
1.0 5.3.12 Ensure SSH PermitUserEnvironment is disabled Pass
1.0 5.3.13 Ensure only strong Ciphers are used Pass
1.0 5.3.14 Ensure only strong MAC algorithms are used Pass
1.0 5.3.15 Ensure only strong Key Exchange algorithms are used Pass
1.0 5.3.16 Ensure SSH Idle Timeout Interval is configured Pass
1.0 5.3.17 Ensure SSH LoginGraceTime is set to one minute or less Pass
1.0 5.3.18 Ensure SSH warning banner is configured Pass
1.0 5.3.19 Ensure SSH PAM is enabled Pass
1.0 5.3.21 Ensure SSH MaxStartups is configured Pass
1.0 5.3.22 Ensure SSH MaxSessions is limited Pass
5.4 Configure PAM
1.0 5.4.1 Ensure password creation requirements are configured Pass
1.0 5.4.2 Ensure lockout for failed password attempts is configured Pass
1.0 5.4.3 Ensure password reuse is limited Pass
1.0 5.4.4 Ensure password hashing algorithm is SHA-512 Pass
5.5 User Accounts and Environment
5.5.1 Set Shadow Password Suite Parameters
1.0 5.5.1.1 Ensure minimum days between password changes is configured Pass
1.0 5.5.1.2 Ensure password expiration is 365 days or less Pass
1.0 5.5.1.3 Ensure password expiration warning days is 7 or more Pass
1.0 5.5.1.4 Ensure inactive password lock is 30 days or less Pass
1.0 5.5.1.5 Ensure all users last password change date is in the past Pass
1.0 5.5.2 Ensure system accounts are secured Pass
1.0 5.5.3 Ensure default group for the root account is GID 0 Pass
1.0 5.5.4 Ensure default user umask is 027 or more restrictive Pass
1.0 5.5.5 Ensure default user shell timeout is 900 seconds or less Pass
5.6 Ensure root login is restricted to system console Manual
1.0 5.7 Ensure access to the su command is restricted Pass
6 System Maintenance
6.1 System File Permissions
1.0 6.1.2 Ensure permissions on /etc/passwd are configured Pass
1.0 6.1.3 Ensure permissions on /etc/passwd- are configured Pass
1.0 6.1.4 Ensure permissions on /etc/group are configured Pass
1.0 6.1.5 Ensure permissions on /etc/group- are configured Pass
1.0 6.1.6 Ensure permissions on /etc/shadow are configured Pass
1.0 6.1.7 Ensure permissions on /etc/shadow- are configured Pass
1.0 6.1.8 Ensure permissions on /etc/gshadow are configured Pass
1.0 6.1.9 Ensure permissions on /etc/gshadow- are configured Pass
1.0 6.1.10 Ensure no world writable files exist Pass
1.0 6.1.11 Ensure no unowned files or directories exist Pass
1.0 6.1.12 Ensure no ungrouped files or directories exist Pass
6.1.13 Audit SUID executables Manual
6.1.14 Audit SGID executables Manual
6.2 User and Group Settings
1.0 6.2.1 Ensure accounts in /etc/passwd use shadowed passwords Pass
1.0 6.2.2 Ensure password fields are not empty Pass
1.0 6.2.3 Ensure all groups in /etc/passwd exist in /etc/group Pass
1.0 6.2.4 Ensure all users' home directories exist Pass
1.0 6.2.5 Ensure users own their home directories Fail
1.0 6.2.6 Ensure users' home directories permissions are 750 or more restrictive Pass
1.0 6.2.7 Ensure users' dot files are not group or world writable Pass
1.0 6.2.8 Ensure no users have .netrc files Pass
1.0 6.2.9 Ensure no users have .forward files Pass
1.0 6.2.10 Ensure no users have .rhosts files Pass
1.0 6.2.11 Ensure root is the only UID 0 account Pass
1.0 6.2.12 Ensure root PATH Integrity Pass
1.0 6.2.13 Ensure no duplicate UIDs exist Pass
1.0 6.2.14 Ensure no duplicate GIDs exist Pass
1.0 6.2.15 Ensure no duplicate user names exist Pass
1.0 6.2.16 Ensure no duplicate group names exist Pass
1.0 6.2.17 Ensure shadow group is empty Pass

Assessment Details

1 Initial Setup

Items in this section are advised for all systems, but may be difficult or require extensive preparation after the initial setup of the system.

1.1 Filesystem Configuration

Directories that are used for system-wide functions can be further protected by placing them on separate partitions. This provides protection against resource exhaustion and enables the use of mount options that suit the directory's intended use. Users' data can be stored on separate partitions with stricter mount options. A user partition is a filesystem that has been established for use by the users and does not contain software for system operations.

The recommendations in this section are easier to perform during initial system installation. If the system is already installed, it is recommended that a full backup be performed before repartitioning the system.

Note: If you are repartitioning a system that has already been installed, make sure the data has been copied over to the new partition, unmount it and then remove the data from the directory that was in the old partition. Otherwise it will still consume space in the old partition that will be masked when the new filesystem is mounted. For example, if a system is in single-user mode with no filesystems mounted and the administrator adds a lot of data to the /tmp directory, this data will still consume space in / once the /tmp filesystem is mounted unless it is removed first.

1.1.1 Disable unused filesystems

A number of uncommon filesystem types are supported under Linux. Removing support for unneeded filesystem types reduces the local attack surface of the system. If a filesystem type is not needed it should be disabled. Native Linux file systems are designed to ensure that built-in security controls function as expected. Non-native filesystems can lead to unexpected consequences to both the security and functionality of the system and should be used with caution. Many filesystems are created for niche use cases and are not maintained and supported as the operating systems are updated and patched. Users of non-native filesystems should ensure that there is attention and ongoing support for them, especially in light of frequent operating system changes.

Standard network connectivity and Internet access to cloud storage may make the use of non-standard filesystem formats to directly attach heterogeneous devices much less attractive.

Note: This should not be considered a comprehensive list of filesystems. You may wish to consider additions to those listed here for your environment.

Pass

1.1.1.1 Ensure mounting of cramfs filesystems is disabled

Description:

The cramfs filesystem type is a compressed read-only Linux filesystem embedded in small footprint systems. A cramfs image can be used without having to first decompress the image.

Rationale:

Removing support for unneeded filesystem types reduces the local attack surface of the server. If this filesystem type is not needed, disable it.

Remediation:

Edit or create a file in the /etc/modprobe.d/ directory ending in .conf (for example: vim /etc/modprobe.d/cramfs.conf) and add the following line:

install cramfs /bin/true

Run the following command to unload the cramfs module:

# rmmod cramfs

Assessment Evidence:

Complex Check (operator: AND)

Criterion: Ensure kernel module cramfs is not loadable
Existence Check: At Least One Exists
Item Check: At least one
Result: Pass

Shellcommand Item
Name            Type    Status  Value
Command         String  Exists  modprobe -n -v cramfs
Line Selection  String  Exists  .+
Exit Status     Int     Exists  0
Stdout Line     String  Exists  insmod /lib/modules/5.4.0-26-generic/kernel/drivers/mtd/mtd.ko
Stdout Line     String  Exists  install /bin/true

Criterion: Ensure kernel module cramfs is not loaded
Existence Check: At Least One Exists
Item Check: None satisfy
Result: Pass

Shellcommand Item
Name            Type    Status  Value
Command         String  Exists  modprobe -n -v cramfs
Line Selection  String  Exists  .+
Exit Status     Int     Exists  0
Stdout Line     String  Exists  insmod /lib/modules/5.4.0-26-generic/kernel/drivers/mtd/mtd.ko
Stdout Line     String  Exists  install /bin/true


Rule Result XML:
<xccdf:rule-result xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2"
                   xmlns:notes="http://benchmarks.cisecurity.org/notes"
                   xmlns:ae="http://benchmarks.cisecurity.org/ae/0.5"
                   xmlns:ciscf="https://benchmarks.cisecurity.org/ciscf/1.0"
                   xmlns:cc7="http://cisecurity.org/20-cc/v7.0"
                   xmlns:cc6="http://cisecurity.org/20-cc/v6.1"
                   xmlns:ciscat-checklist="http://checklists.nist.gov/xccdf/1.2"
                   xmlns="http://checklists.nist.gov/xccdf/1.2"
                   xmlns:xhtml="http://www.w3.org/1999/xhtml"
                   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                   xmlns:scap-con="http://scap.nist.gov/schema/scap/constructs/1.2"
                   xmlns:arf="http://scap.nist.gov/schema/asset-reporting-format/1.1"
                   xmlns:dsc="http://scap.nist.gov/schema/scap/source/1.2"
                   xmlns:ai="http://scap.nist.gov/schema/asset-identification/1.1"
                   idref="xccdf_org.cisecurity.benchmarks_rule_1.1.1.1_Ensure_mounting_of_cramfs_filesystems_is_disabled"
                   role="full"
                   severity="unknown"
                   time="2022-04-13T17:15:55.958Z"
                   version="1"
                   weight="1.0">
   <xccdf:result>pass</xccdf:result>
   <xccdf:ident cc7:controlURI="http://cisecurity.org/20-cc/v7.0/control/5/subcontrol/1"
                system="http://cisecurity.org/20-cc/v7.0"/>
   <xccdf:complex-check operator="AND" negate="false">
      <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"
                   negate="false"
                   multi-check="false">
         <xccdf:check-content-ref href="#OVAL-Results-1"
                                  name="oval:org.cisecurity.benchmarks.canonical_ubuntu_linux_20:def:1455907"/>
         <evidence xmlns="http://cisecurity.org/evidence">
            <div class="definition"
                 id="oval:org.cisecurity.benchmarks.canonical_ubuntu_linux_20:def:1455907">
               <div class="criteria">
                  <div class="criterion"
                       id="oval:org.cisecurity.benchmarks.canonical_ubuntu_linux_20:tst:1455907"
                       check="at least one"
                       check_existence="at_least_one_exists">
                     <table class="evidence-sep" width="100%">
                        <tbody class="tbe">
                           <tr>
                              <td class="bold">Criterion:</td>
                              <td>Ensure kernel module cramfs is not loadable</td>
                           </tr>
                           <tr>
                              <td class="bold">Existence Check:</td>
                              <td>At Least One Exists</td>
                           </tr>
                           <tr>
                              <td class="bold">Item Check:</td>
                              <td>At least one</td>
                           </tr>
                           <tr>
                              <td class="bold">Result:</td>
                              <td class="pass">Pass</td>
                           </tr>
                        </tbody>
                     </table>
                     <table class="evidence" width="100%">
                        <caption>Shellcommand Item</caption>
                        <thead>
                           <tr>
                              <th scope="col">Name</th>
                              <th scope="col">Type</th>
                              <th scope="col">Status</th>
                              <th scope="col">Value</th>
                           </tr>
                        </thead>
                        <tbody class="tbe">
                           <tr>
                              <td>Command</td>
                              <td>String</td>
                              <td>Exists</td>
                              <td>modprobe -n -v cramfs</td>
                           </tr>
                           <tr>
                              <td>Line Selection</td>
                              <td>String</td>
                              <td>Exists</td>
                              <td>.+</td>
                           </tr>
                           <tr>
                              <td>Exit Status</td>
                              <td>Int</td>
                              <td>Exists</td>
                              <td>0</td>
                           </tr>
                           <tr class="evaluated">
                              <td>Stdout Line</td>
                              <td>String</td>
                              <td>Exists</td>
                              <td>insmod /lib/modules/5.4.0-26-generic/kernel/drivers/mtd/mtd.ko </td>
                           </tr>
                           <tr class="evaluated">
                              <td>Stdout Line</td>
                              <td>String</td>
                              <td>Exists</td>
                              <td>install /bin/true  </td>
                           </tr>
                        </tbody>
                     </table>
                  </div>
               </div>
            </div>
         </evidence>
      </xccdf:check>
      <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"
                   negate="false"
                   multi-check="false">
         <xccdf:check-content-ref href="#OVAL-Results-1"
                                  name="oval:org.cisecurity.benchmarks.canonical_ubuntu_linux_20:def:1455908"/>
         <evidence xmlns="http://cisecurity.org/evidence">
            <div class="definition"
                 id="oval:org.cisecurity.benchmarks.canonical_ubuntu_linux_20:def:1455908">
               <div class="criteria">
                  <div class="criterion"
                       id="oval:org.cisecurity.benchmarks.canonical_ubuntu_linux_20:tst:1455908"
                       check="none satisfy"
                       check_existence="at_least_one_exists">
                     <table class="evidence-sep" width="100%">
                        <tbody class="tbe">
                           <tr>
                              <td class="bold">Criterion:</td>
                              <td>Ensure kernel module cramfs is not loaded</td>
                           </tr>
                           <tr>
                              <td class="bold">Existence Check:</td>
                              <td>At Least One Exists</td>
                           </tr>
                           <tr>
                              <td class="bold">Item Check:</td>
                              <td>None satisfy</td>
                           </tr>
                           <tr>
                              <td class="bold">Result:</td>
                              <td class="pass">Pass</td>
                           </tr>
                        </tbody>
                     </table>
                     <table class="evidence" width="100%">
                        <caption>Shellcommand Item</caption>
                        <thead>
                           <tr>
                              <th scope="col">Name</th>
                              <th scope="col">Type</th>
                              <th scope="col">Status</th>
                              <th scope="col">Value</th>
                           </tr>
                        </thead>
                        <tbody class="tbe">
                           <tr>
                              <td>Command</td>
                              <td>String</td>
                              <td>Exists</td>
                              <td>modprobe -n -v cramfs</td>
                           </tr>
                           <tr>
                              <td>Line Selection</td>
                              <td>String</td>
                              <td>Exists</td>
                              <td>.+</td>
                           </tr>
                           <tr>
                              <td>Exit Status</td>
                              <td>Int</td>
                              <td>Exists</td>
                              <td>0</td>
                           </tr>
                           <tr class="evaluated">
                              <td>Stdout Line</td>
                              <td>String</td>
                              <td>Exists</td>
                              <td>insmod /lib/modules/5.4.0-26-generic/kernel/drivers/mtd/mtd.ko </td>
                           </tr>
                           <tr class="evaluated">
                              <td>Stdout Line</td>
                              <td>String</td>
                              <td>Exists</td>
                              <td>install /bin/true  </td>
                           </tr>
                        </tbody>
                     </table>
                  </div>
               </div>
            </div>
         </evidence>
      </xccdf:check>
   </xccdf:complex-check>
</xccdf:rule-result>

References:

    CIS Controls V7.0:

    • Control 5: Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers
      Control: Establish, implement, and actively manage (track, report on, correct) the security configuration of mobile devices, laptops, servers, and workstations using a rigorous configuration management and change control process in order to prevent attackers from exploiting vulnerable services and settings.
      Subcontrol: 5.1
      Label: Establish Secure Configurations
      Description: Maintain documented, standard security configuration standards for all authorized operating systems and software.

Pass

1.1.1.2 Ensure mounting of freevxfs filesystems is disabled

Description:

The freevxfs filesystem type is a free version of the Veritas type filesystem. This is the primary filesystem type for HP-UX operating systems.

Rationale:

Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it.

Remediation:

Edit or create a file in the /etc/modprobe.d/ directory ending in .conf (for example: vi /etc/modprobe.d/freevxfs.conf) and add the following line:

install freevxfs /bin/true

Run the following command to unload the freevxfs module:

# rmmod freevxfs

Assessment Evidence:

Complex Check (operator: AND)

Criterion: Ensure kernel module freevxfs is not loadable
Existence Check: At Least One Exists
Item Check: At least one
Result: Pass

Shellcommand Item
Name            Type    Status  Value
Command         String  Exists  modprobe -n -v freevxfs
Line Selection  String  Exists  .+
Exit Status     Int     Exists  0
Stdout Line     String  Exists  install /bin/true

Criterion: Ensure kernel module freevxfs is not loaded
Existence Check: At Least One Exists
Item Check: None satisfy
Result: Pass

Shellcommand Item
Name            Type    Status  Value
Command         String  Exists  modprobe -n -v freevxfs
Line Selection  String  Exists  .+
Exit Status     Int     Exists  0
Stdout Line     String  Exists  install /bin/true


Rule Result XML:
    <xccdf:rule-result xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2"
                       xmlns:notes="http://benchmarks.cisecurity.org/notes"
                       xmlns:ae="http://benchmarks.cisecurity.org/ae/0.5"
                       xmlns:ciscf="https://benchmarks.cisecurity.org/ciscf/1.0"
                       xmlns:cc7="http://cisecurity.org/20-cc/v7.0"
                       xmlns:cc6="http://cisecurity.org/20-cc/v6.1"
                       xmlns:ciscat-checklist="http://checklists.nist.gov/xccdf/1.2"
                       xmlns="http://checklists.nist.gov/xccdf/1.2"
                       xmlns:xhtml="http://www.w3.org/1999/xhtml"
                       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                       xmlns:scap-con="http://scap.nist.gov/schema/scap/constructs/1.2"
                       xmlns:arf="http://scap.nist.gov/schema/asset-reporting-format/1.1"
                       xmlns:dsc="http://scap.nist.gov/schema/scap/source/1.2"
                       xmlns:ai="http://scap.nist.gov/schema/asset-identification/1.1"
                       idref="xccdf_org.cisecurity.benchmarks_rule_1.1.1.2_Ensure_mounting_of_freevxfs_filesystems_is_disabled"
                       role="full"
                       severity="unknown"
                       time="2022-04-13T17:15:55.958Z"
                       version="1"
                       weight="1.0">
       <xccdf:result>pass</xccdf:result>
       <xccdf:ident cc7:controlURI="http://cisecurity.org/20-cc/v7.0/control/5/subcontrol/1"
                    system="http://cisecurity.org/20-cc/v7.0"/>
       <xccdf:complex-check operator="AND" negate="false">
          <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"
                       negate="false"
                       multi-check="false">
             <xccdf:check-content-ref href="#OVAL-Results-1"
                                      name="oval:org.cisecurity.benchmarks.canonical_ubuntu_linux_20:def:1455909"/>
             <evidence xmlns="http://cisecurity.org/evidence">
                <div class="definition"
                     id="oval:org.cisecurity.benchmarks.canonical_ubuntu_linux_20:def:1455909">
                   <div class="criteria">
                      <div class="criterion"
                           id="oval:org.cisecurity.benchmarks.canonical_ubuntu_linux_20:tst:1455909"
                           check="at least one"
                           check_existence="at_least_one_exists">
                         <table class="evidence-sep" width="100%">
                            <tbody class="tbe">
                               <tr>
                                  <td class="bold">Criterion:</td>
                                  <td>Ensure kernel module freevxfs is not loadable</td>
                               </tr>
                               <tr>
                                  <td class="bold">Existence Check:</td>
                                  <td>At Least One Exists</td>
                               </tr>
                               <tr>
                                  <td class="bold">Item Check:</td>
                                  <td>At least one</td>
                               </tr>
                               <tr>
                                  <td class="bold">Result:</td>
                                  <td class="pass">Pass</td>
                               </tr>
                            </tbody>
                         </table>
                         <table class="evidence" width="100%">
                            <caption>Shellcommand Item</caption>
                            <thead>
                               <tr>
                                  <th scope="col">Name</th>
                                  <th scope="col">Type</th>
                                  <th scope="col">Status</th>
                                  <th scope="col">Value</th>
                               </tr>
                            </thead>
                            <tbody class="tbe">
                               <tr>
                                  <td>Command</td>
                                  <td>String</td>
                                  <td>Exists</td>
                                  <td>modprobe -n -v freevxfs</td>
                               </tr>
                               <tr>
                                  <td>Line Selection</td>
                                  <td>String</td>
                                  <td>Exists</td>
                                  <td>.+</td>
                               </tr>
                               <tr>
                                  <td>Exit Status</td>
                                  <td>Int</td>
                                  <td>Exists</td>
                                  <td>0</td>
                               </tr>
                               <tr class="evaluated">
                                  <td>Stdout Line</td>
                                  <td>String</td>
                                  <td>Exists</td>
                                  <td>install /bin/true  </td>
                               </tr>
                            </tbody>
                         </table>
                      </div>
                   </div>
                </div>
             </evidence>
          </xccdf:check>
          <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"
                       negate="false"
                       multi-check="false">
             <xccdf:check-content-ref href="#OVAL-Results-1"
                                      name="oval:org.cisecurity.benchmarks.canonical_ubuntu_linux_20:def:1455910"/>
             <evidence xmlns="http://cisecurity.org/evidence">
                <div class="definition"
                     id="oval:org.cisecurity.benchmarks.canonical_ubuntu_linux_20:def:1455910">
                   <div class="criteria">
                      <div class="criterion"
                           id="oval:org.cisecurity.benchmarks.canonical_ubuntu_linux_20:tst:1455910"
                           check="none satisfy"
                           check_existence="at_least_one_exists">
                         <table class="evidence-sep" width="100%">
                            <tbody class="tbe">
                               <tr>
                                  <td class="bold">Criterion:</td>
                                  <td>Ensure kernel module freevxfs is not loaded</td>
                               </tr>
                               <tr>
                                  <td class="bold">Existence Check:</td>
                                  <td>At Least One Exists</td>
                               </tr>
                               <tr>
                                  <td class="bold">Item Check:</td>
                                  <td>None satisfy</td>
                               </tr>
                               <tr>
                                  <td class="bold">Result:</td>
                                  <td class="pass">Pass</td>
                               </tr>
                            </tbody>
                         </table>
                         <table class="evidence" width="100%">
                            <caption>Shellcommand Item</caption>
                            <thead>
                               <tr>
                                  <th scope="col">Name</th>
                                  <th scope="col">Type</th>
                                  <th scope="col">Status</th>
                                  <th scope="col">Value</th>
                               </tr>
                            </thead>
                            <tbody class="tbe">
                               <tr>
                                  <td>Command</td>
                                  <td>String</td>
                                  <td>Exists</td>
                                  <td>modprobe -n -v freevxfs</td>
                               </tr>
                               <tr>
                                  <td>Line Selection</td>
                                  <td>String</td>
                                  <td>Exists</td>
                                  <td>.+</td>
                               </tr>
                               <tr>
                                  <td>Exit Status</td>
                                  <td>Int</td>
                                  <td>Exists</td>
                                  <td>0</td>
                               </tr>
                               <tr class="evaluated">
                                  <td>Stdout Line</td>
                                  <td>String</td>
                                  <td>Exists</td>
                                  <td>install /bin/true  </td>
                               </tr>
                            </tbody>
                         </table>
                      </div>
                   </div>
                </div>
             </evidence>
          </xccdf:check>
       </xccdf:complex-check>
    </xccdf:rule-result>
    

References:

    CIS Controls V7.0:

    • Control 5: Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers
      Control: Establish, implement, and actively manage (track, report on, correct) the security configuration of mobile devices, laptops, servers, and workstations using a rigorous configuration management and change control process in order to prevent attackers from exploiting vulnerable services and settings.
      Subcontrol: 5.1
      Label: Establish Secure Configurations
      Description: Maintain documented, standard security configuration standards for all authorized operating systems and software.

Pass

1.1.1.3 Ensure mounting of jffs2 filesystems is disabled

Description:

The jffs2 (journaling flash filesystem 2) filesystem type is a log-structured filesystem used in flash memory devices.

Rationale:

Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it.

Remediation:

Edit or create a file in the /etc/modprobe.d/ directory ending in .conf (for example: vi /etc/modprobe.d/jffs2.conf) and add the following line:

install jffs2 /bin/true

Run the following command to unload the jffs2 module:

# rmmod jffs2

Assessment Evidence:

Complex Check (operator: AND)

Criterion: Ensure kernel module jffs2 is not loadable
Existence Check: At Least One Exists
Item Check: At least one
Result: Pass

Shellcommand Item
Name            Type    Status  Value
Command         String  Exists  modprobe -n -v jffs2
Line Selection  String  Exists  .+
Exit Status     Int     Exists  0
Stdout Line     String  Exists  insmod /lib/modules/5.4.0-26-generic/kernel/drivers/mtd/mtd.ko
Stdout Line     String  Exists  install /bin/true

Criterion: Ensure kernel module jffs2 is not loaded
Existence Check: At Least One Exists
Item Check: None satisfy
Result: Pass

Shellcommand Item
Name            Type    Status  Value
Command         String  Exists  modprobe -n -v jffs2
Line Selection  String  Exists  .+
Exit Status     Int     Exists  0
Stdout Line     String  Exists  insmod /lib/modules/5.4.0-26-generic/kernel/drivers/mtd/mtd.ko
Stdout Line     String  Exists  install /bin/true


Rule Result XML:
      <xccdf:rule-result xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2"
                         xmlns:notes="http://benchmarks.cisecurity.org/notes"
                         xmlns:ae="http://benchmarks.cisecurity.org/ae/0.5"
                         xmlns:ciscf="https://benchmarks.cisecurity.org/ciscf/1.0"
                         xmlns:cc7="http://cisecurity.org/20-cc/v7.0"
                         xmlns:cc6="http://cisecurity.org/20-cc/v6.1"
                         xmlns:ciscat-checklist="http://checklists.nist.gov/xccdf/1.2"
                         xmlns="http://checklists.nist.gov/xccdf/1.2"
                         xmlns:xhtml="http://www.w3.org/1999/xhtml"
                         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                         xmlns:scap-con="http://scap.nist.gov/schema/scap/constructs/1.2"
                         xmlns:arf="http://scap.nist.gov/schema/asset-reporting-format/1.1"
                         xmlns:dsc="http://scap.nist.gov/schema/scap/source/1.2"
                         xmlns:ai="http://scap.nist.gov/schema/asset-identification/1.1"
                         idref="xccdf_org.cisecurity.benchmarks_rule_1.1.1.3_Ensure_mounting_of_jffs2_filesystems_is_disabled"
                         role="full"
                         severity="unknown"
                         time="2022-04-13T17:15:55.958Z"
                         version="1"
                         weight="1.0">
         <xccdf:result>pass</xccdf:result>
         <xccdf:ident cc7:controlURI="http://cisecurity.org/20-cc/v7.0/control/5/subcontrol/1"
                      system="http://cisecurity.org/20-cc/v7.0"/>
         <xccdf:complex-check operator="AND" negate="false">
            <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"
                         negate="false"
                         multi-check="false">
               <xccdf:check-content-ref href="#OVAL-Results-1"
                                        name="oval:org.cisecurity.benchmarks.canonical_ubuntu_linux_20:def:1455911"/>
               <evidence xmlns="http://cisecurity.org/evidence">
                  <div class="definition"
                       id="oval:org.cisecurity.benchmarks.canonical_ubuntu_linux_20:def:1455911">
                     <div class="criteria">
                        <div class="criterion"
                             id="oval:org.cisecurity.benchmarks.canonical_ubuntu_linux_20:tst:1455911"
                             check="at least one"
                             check_existence="at_least_one_exists">
                           <table class="evidence-sep" width="100%">
                              <tbody class="tbe">
                                 <tr>
                                    <td class="bold">Criterion:</td>
                                    <td>Ensure kernel module jffs2 is not loadable</td>
                                 </tr>
                                 <tr>
                                    <td class="bold">Existence Check:</td>
                                    <td>At Least One Exists</td>
                                 </tr>
                                 <tr>
                                    <td class="bold">Item Check:</td>
                                    <td>At least one</td>
                                 </tr>
                                 <tr>
                                    <td class="bold">Result:</td>
                                    <td class="pass">Pass</td>
                                 </tr>
                              </tbody>
                           </table>
                           <table class="evidence" width="100%">
                              <caption>Shellcommand Item</caption>
                              <thead>
                                 <tr>
                                    <th scope="col">Name</th>
                                    <th scope="col">Type</th>
                                    <th scope="col">Status</th>
                                    <th scope="col">Value</th>
                                 </tr>
                              </thead>
                              <tbody class="tbe">
                                 <tr>
                                    <td>Command</td>
                                    <td>String</td>
                                    <td>Exists</td>
                                    <td>modprobe -n -v jffs2</td>
                                 </tr>
                                 <tr>
                                    <td>Line Selection</td>
                                    <td>String</td>
                                    <td>Exists</td>
                                    <td>.+</td>
                                 </tr>
                                 <tr>
                                    <td>Exit Status</td>
                                    <td>Int</td>
                                    <td>Exists</td>
                                    <td>0</td>
                                 </tr>
                                 <tr class="evaluated">
                                    <td>Stdout Line</td>
                                    <td>String</td>
                                    <td>Exists</td>
                                    <td>insmod /lib/modules/5.4.0-26-generic/kernel/drivers/mtd/mtd.ko </td>
                                 </tr>
                                 <tr class="evaluated">
                                    <td>Stdout Line</td>
                                    <td>String</td>
                                    <td>Exists</td>
                                    <td>install /bin/true </td>
                                 </tr>
                              </tbody>
                           </table>
                        </div>
                     </div>
                  </div>
               </evidence>
            </xccdf:check>
            <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"
                         negate="false"
                         multi-check="false">
               <xccdf:check-content-ref href="#OVAL-Results-1"
                                        name="oval:org.cisecurity.benchmarks.canonical_ubuntu_linux_20:def:1455912"/>
               <evidence xmlns="http://cisecurity.org/evidence">
                  <div class="definition"
                       id="oval:org.cisecurity.benchmarks.canonical_ubuntu_linux_20:def:1455912">
                     <div class="criteria">
                        <div class="criterion"
                             id="oval:org.cisecurity.benchmarks.canonical_ubuntu_linux_20:tst:1455912"
                             check="none satisfy"
                             check_existence="at_least_one_exists">
                           <table class="evidence-sep" width="100%">
                              <tbody class="tbe">
                                 <tr>
                                    <td class="bold">Criterion:</td>
                                    <td>Ensure kernel module jffs2 is not loaded</td>
                                 </tr>
                                 <tr>
                                    <td class="bold">Existence Check:</td>
                                    <td>At Least One Exists</td>
                                 </tr>
                                 <tr>
                                    <td class="bold">Item Check:</td>
                                    <td>None satisfy</td>
                                 </tr>
                                 <tr>
                                    <td class="bold">Result:</td>
                                    <td class="pass">Pass</td>
                                 </tr>
                              </tbody>
                           </table>
                           <table class="evidence" width="100%">
                              <caption>Shellcommand Item</caption>
                              <thead>
                                 <tr>
                                    <th scope="col">Name</th>
                                    <th scope="col">Type</th>
                                    <th scope="col">Status</th>
                                    <th scope="col">Value</th>
                                 </tr>
                              </thead>
                              <tbody class="tbe">
                                 <tr>
                                    <td>Command</td>
                                    <td>String</td>
                                    <td>Exists</td>
                                    <td>modprobe -n -v jffs2</td>
                                 </tr>
                                 <tr>
                                    <td>Line Selection</td>
                                    <td>String</td>
                                    <td>Exists</td>
                                    <td>.+</td>
                                 </tr>
                                 <tr>
                                    <td>Exit Status</td>
                                    <td>Int</td>
                                    <td>Exists</td>
                                    <td>0</td>
                                 </tr>
                                 <tr class="evaluated">
                                    <td>Stdout Line</td>
                                    <td>String</td>
                                    <td>Exists</td>
                                    <td>insmod /lib/modules/5.4.0-26-generic/kernel/drivers/mtd/mtd.ko </td>
                                 </tr>
                                 <tr class="evaluated">
                                    <td>Stdout Line</td>
                                    <td>String</td>
                                    <td>Exists</td>
                                    <td>install /bin/true </td>
                                 </tr>
                              </tbody>
                           </table>
                        </div>
                     </div>
                  </div>
               </evidence>
            </xccdf:check>
         </xccdf:complex-check>
      </xccdf:rule-result>
      

      References:

        CIS Controls V7.0:

        • Control 5: Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers:
          CIS Control Information
          Control: Establish, implement, and actively manage (track, report on, correct) the security configuration of mobile devices, laptops, servers, and workstations using a rigorous configuration management and change control process in order to prevent attackers from exploiting vulnerable services and settings.
          Subcontrol: 5.1
          Label: Establish Secure Configurations
          Description: Maintain documented, standard security configuration standards for all authorized operating systems and software.

        Pass

        1.1.1.4 Ensure mounting of hfs filesystems is disabled

        Description:

        The hfs filesystem type is a hierarchical filesystem that allows you to mount Mac OS filesystems.

        Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it.

        Edit or create a file in the /etc/modprobe.d/ directory ending in .conf

        Example: vi /etc/modprobe.d/hfs.conf

        and add the following line:

        install hfs /bin/true

        Run the following command to unload the hfs module:

        # rmmod hfs

        Assessment Evidence
        Complex Check
        AND
        Criterion: Ensure kernel module hfs is not loadable
        Existence Check: At Least One Exists
        Item Check: At least one
        Result: Pass
        Shellcommand Item
        Name            Type    Status  Value
        Command         String  Exists  modprobe -n -v hfs
        Line Selection  String  Exists  .+
        Exit Status     Int     Exists  0
        Stdout Line     String  Exists  install /bin/true
        Criterion: Ensure kernel module hfs is not loaded
        Existence Check: At Least One Exists
        Item Check: None satisfy
        Result: Pass
        Shellcommand Item
        Name            Type    Status  Value
        Command         String  Exists  modprobe -n -v hfs
        Line Selection  String  Exists  .+
        Exit Status     Int     Exists  0
        Stdout Line     String  Exists  install /bin/true


        Rule Result XML
        <xccdf:rule-result xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2"
                           xmlns:notes="http://benchmarks.cisecurity.org/notes"
                           xmlns:ae="http://benchmarks.cisecurity.org/ae/0.5"
                           xmlns:ciscf="https://benchmarks.cisecurity.org/ciscf/1.0"
                           xmlns:cc7="http://cisecurity.org/20-cc/v7.0"
                           xmlns:cc6="http://cisecurity.org/20-cc/v6.1"
                           xmlns:ciscat-checklist="http://checklists.nist.gov/xccdf/1.2"
                           xmlns="http://checklists.nist.gov/xccdf/1.2"
                           xmlns:xhtml="http://www.w3.org/1999/xhtml"
                           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                           xmlns:scap-con="http://scap.nist.gov/schema/scap/constructs/1.2"
                           xmlns:arf="http://scap.nist.gov/schema/asset-reporting-format/1.1"
                           xmlns:dsc="http://scap.nist.gov/schema/scap/source/1.2"
                           xmlns:ai="http://scap.nist.gov/schema/asset-identification/1.1"
                           idref="xccdf_org.cisecurity.benchmarks_rule_1.1.1.4_Ensure_mounting_of_hfs_filesystems_is_disabled"
                           role="full"
                           severity="unknown"
                           time="2022-04-13T17:15:55.959Z"
                           version="1"
                           weight="1.0">
           <xccdf:result>pass</xccdf:result>
           <xccdf:ident cc7:controlURI="http://cisecurity.org/20-cc/v7.0/control/5/subcontrol/1"
                        system="http://cisecurity.org/20-cc/v7.0"/>
           <xccdf:complex-check operator="AND" negate="false">
              <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"
                           negate="false"
                           multi-check="false">
                 <xccdf:check-content-ref href="#OVAL-Results-1"
                                          name="oval:org.cisecurity.benchmarks.canonical_ubuntu_linux_20:def:1455913"/>
                 <evidence xmlns="http://cisecurity.org/evidence">
                    <div class="definition"
                         id="oval:org.cisecurity.benchmarks.canonical_ubuntu_linux_20:def:1455913">
                       <div class="criteria">
                          <div class="criterion"
                               id="oval:org.cisecurity.benchmarks.canonical_ubuntu_linux_20:tst:1455913"
                               check="at least one"
                               check_existence="at_least_one_exists">
                             <table class="evidence-sep" width="100%">
                                <tbody class="tbe">
                                   <tr>
                                      <td class="bold">Criterion:</td>
                                      <td>Ensure kernel module hfs is not loadable</td>
                                   </tr>
                                   <tr>
                                      <td class="bold">Existence Check:</td>
                                      <td>At Least One Exists</td>
                                   </tr>
                                   <tr>
                                      <td class="bold">Item Check:</td>
                                      <td>At least one</td>
                                   </tr>
                                   <tr>
                                      <td class="bold">Result:</td>
                                      <td class="pass">Pass</td>
                                   </tr>
                                </tbody>
                             </table>
                             <table class="evidence" width="100%">
                                <caption>Shellcommand Item</caption>
                                <thead>
                                   <tr>
                                      <th scope="col">Name</th>
                                      <th scope="col">Type</th>
                                      <th scope="col">Status</th>
                                      <th scope="col">Value</th>
                                   </tr>
                                </thead>
                                <tbody class="tbe">
                                   <tr>
                                      <td>Command</td>
                                      <td>String</td>
                                      <td>Exists</td>
                                      <td>modprobe -n -v hfs</td>
                                   </tr>
                                   <tr>
                                      <td>Line Selection</td>
                                      <td>String</td>
                                      <td>Exists</td>
                                      <td>.+</td>
                                   </tr>
                                   <tr>
                                      <td>Exit Status</td>
                                      <td>Int</td>
                                      <td>Exists</td>
                                      <td>0</td>
                                   </tr>
                                   <tr class="evaluated">
                                      <td>Stdout Line</td>
                                      <td>String</td>
                                      <td>Exists</td>
                                      <td>install /bin/true  </td>
                                   </tr>
                                </tbody>
                             </table>
                          </div>
                       </div>
                    </div>
                 </evidence>
              </xccdf:check>
              <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"
                           negate="false"
                           multi-check="false">
                 <xccdf:check-content-ref href="#OVAL-Results-1"
                                          name="oval:org.cisecurity.benchmarks.canonical_ubuntu_linux_20:def:1455914"/>
                 <evidence xmlns="http://cisecurity.org/evidence">
                    <div class="definition"
                         id="oval:org.cisecurity.benchmarks.canonical_ubuntu_linux_20:def:1455914">
                       <div class="criteria">
                          <div class="criterion"
                               id="oval:org.cisecurity.benchmarks.canonical_ubuntu_linux_20:tst:1455914"
                               check="none satisfy"
                               check_existence="at_least_one_exists">
                             <table class="evidence-sep" width="100%">
                                <tbody class="tbe">
                                   <tr>
                                      <td class="bold">Criterion:</td>
                                      <td>Ensure kernel module hfs is not loaded</td>
                                   </tr>
                                   <tr>
                                      <td class="bold">Existence Check:</td>
                                      <td>At Least One Exists</td>
                                   </tr>
                                   <tr>
                                      <td class="bold">Item Check:</td>
                                      <td>None satisfy</td>
                                   </tr>
                                   <tr>
                                      <td class="bold">Result:</td>
                                      <td class="pass">Pass</td>
                                   </tr>
                                </tbody>
                             </table>
                             <table class="evidence" width="100%">
                                <caption>Shellcommand Item</caption>
                                <thead>
                                   <tr>
                                      <th scope="col">Name</th>
                                      <th scope="col">Type</th>
                                      <th scope="col">Status</th>
                                      <th scope="col">Value</th>
                                   </tr>
                                </thead>
                                <tbody class="tbe">
                                   <tr>
                                      <td>Command</td>
                                      <td>String</td>
                                      <td>Exists</td>
                                      <td>modprobe -n -v hfs</td>
                                   </tr>
                                   <tr>
                                      <td>Line Selection</td>
                                      <td>String</td>
                                      <td>Exists</td>
                                      <td>.+</td>
                                   </tr>
                                   <tr>
                                      <td>Exit Status</td>
                                      <td>Int</td>
                                      <td>Exists</td>
                                      <td>0</td>
                                   </tr>
                                   <tr class="evaluated">
                                      <td>Stdout Line</td>
                                      <td>String</td>
                                      <td>Exists</td>
                                      <td>install /bin/true  </td>
                                   </tr>
                                </tbody>
                             </table>
                          </div>
                       </div>
                    </div>
                 </evidence>
              </xccdf:check>
           </xccdf:complex-check>
        </xccdf:rule-result>
        

        References:

          CIS Controls V7.0:

          • Control 5: Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers:
            CIS Control Information
            Control: Establish, implement, and actively manage (track, report on, correct) the security configuration of mobile devices, laptops, servers, and workstations using a rigorous configuration management and change control process in order to prevent attackers from exploiting vulnerable services and settings.
            Subcontrol: 5.1
            Label: Establish Secure Configurations
            Description: Maintain documented, standard security configuration standards for all authorized operating systems and software.

          Pass

          1.1.1.5 Ensure mounting of hfsplus filesystems is disabled

          Description:

          The hfsplus filesystem type is a hierarchical filesystem designed to replace hfs that allows you to mount Mac OS filesystems.

          Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it.

          Edit or create a file in the /etc/modprobe.d/ directory ending in .conf

          Example: vi /etc/modprobe.d/hfsplus.conf

          and add the following line:

          install hfsplus /bin/true

          Run the following command to unload the hfsplus module:

          # rmmod hfsplus

          Assessment Evidence
          Complex Check
          AND
          Criterion: Ensure kernel module hfsplus is not loaded
          Existence Check: At Least One Exists
          Item Check: None satisfy
          Result: Pass
          Shellcommand Item
          Name            Type    Status  Value
          Command         String  Exists  modprobe -n -v hfsplus
          Line Selection  String  Exists  .+
          Exit Status     Int     Exists  0
          Stdout Line     String  Exists  install /bin/true
          Criterion: Ensure kernel module hfsplus is not loadable
          Existence Check: At Least One Exists
          Item Check: At least one
          Result: Pass
          Shellcommand Item
          Name            Type    Status  Value
          Command         String  Exists  modprobe -n -v hfsplus
          Line Selection  String  Exists  .+
          Exit Status     Int     Exists  0
          Stdout Line     String  Exists  install /bin/true


          Rule Result XML
          <xccdf:rule-result xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2"
                             xmlns:notes="http://benchmarks.cisecurity.org/notes"
                             xmlns:ae="http://benchmarks.cisecurity.org/ae/0.5"
                             xmlns:ciscf="https://benchmarks.cisecurity.org/ciscf/1.0"
                             xmlns:cc7="http://cisecurity.org/20-cc/v7.0"
                             xmlns:cc6="http://cisecurity.org/20-cc/v6.1"
                             xmlns:ciscat-checklist="http://checklists.nist.gov/xccdf/1.2"
                             xmlns="http://checklists.nist.gov/xccdf/1.2"
                             xmlns:xhtml="http://www.w3.org/1999/xhtml"
                             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                             xmlns:scap-con="http://scap.nist.gov/schema/scap/constructs/1.2"
                             xmlns:arf="http://scap.nist.gov/schema/asset-reporting-format/1.1"
                             xmlns:dsc="http://scap.nist.gov/schema/scap/source/1.2"
                             xmlns:ai="http://scap.nist.gov/schema/asset-identification/1.1"
                             idref="xccdf_org.cisecurity.benchmarks_rule_1.1.1.5_Ensure_mounting_of_hfsplus_filesystems_is_disabled"
                             role="full"
                             severity="unknown"
                             time="2022-04-13T17:15:55.959Z"
                             version="1"
                             weight="1.0">
             <xccdf:result>pass</xccdf:result>
             <xccdf:ident cc7:controlURI="http://cisecurity.org/20-cc/v7.0/control/5/subcontrol/1"
                          system="http://cisecurity.org/20-cc/v7.0"/>
             <xccdf:complex-check operator="AND" negate="false">
                <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"
                             negate="false"
                             multi-check="false">
                   <xccdf:check-content-ref href="#OVAL-Results-1"
                                            name="oval:org.cisecurity.benchmarks.canonical_ubuntu_linux_20:def:1455915"/>
                   <evidence xmlns="http://cisecurity.org/evidence">
                      <div class="definition"
                           id="oval:org.cisecurity.benchmarks.canonical_ubuntu_linux_20:def:1455915">
                         <div class="criteria">
                            <div class="criterion"
                                 id="oval:org.cisecurity.benchmarks.canonical_ubuntu_linux_20:tst:1455915"
                                 check="none satisfy"
                                 check_existence="at_least_one_exists">
                               <table class="evidence-sep" width="100%">
                                  <tbody class="tbe">
                                     <tr>
                                        <td class="bold">Criterion:</td>
                                        <td>Ensure kernel module hfsplus is not loaded</td>
                                     </tr>
                                     <tr>
                                        <td class="bold">Existence Check:</td>
                                        <td>At Least One Exists</td>
                                     </tr>
                                     <tr>
                                        <td class="bold">Item Check:</td>
                                        <td>None satisfy</td>
                                     </tr>
                                     <tr>
                                        <td class="bold">Result:</td>
                                        <td class="pass">Pass</td>
                                     </tr>
                                  </tbody>
                               </table>
                               <table class="evidence" width="100%">
                                  <caption>Shellcommand Item</caption>
                                  <thead>
                                     <tr>
                                        <th scope="col">Name</th>
                                        <th scope="col">Type</th>
                                        <th scope="col">Status</th>
                                        <th scope="col">Value</th>
                                     </tr>
                                  </thead>
                                  <tbody class="tbe">
                                     <tr>
                                        <td>Command</td>
                                        <td>String</td>
                                        <td>Exists</td>
                                        <td>modprobe -n -v hfsplus</td>
                                     </tr>
                                     <tr>
                                        <td>Line Selection</td>
                                        <td>String</td>
                                        <td>Exists</td>
                                        <td>.+</td>
                                     </tr>
                                     <tr>
                                        <td>Exit Status</td>
                                        <td>Int</td>
                                        <td>Exists</td>
                                        <td>0</td>
                                     </tr>
                                     <tr class="evaluated">
                                        <td>Stdout Line</td>
                                        <td>String</td>
                                        <td>Exists</td>
                                        <td>install /bin/true  </td>
                                     </tr>
                                  </tbody>
                               </table>
                            </div>
                         </div>
                      </div>
                   </evidence>
                </xccdf:check>
                <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"
                             negate="false"
                             multi-check="false">
                   <xccdf:check-content-ref href="#OVAL-Results-1"
                                            name="oval:org.cisecurity.benchmarks.canonical_ubuntu_linux_20:def:1455916"/>
                   <evidence xmlns="http://cisecurity.org/evidence">
                      <div class="definition"
                           id="oval:org.cisecurity.benchmarks.canonical_ubuntu_linux_20:def:1455916">
                         <div class="criteria">
                            <div class="criterion"
                                 id="oval:org.cisecurity.benchmarks.canonical_ubuntu_linux_20:tst:1455916"
                                 check="at least one"
                                 check_existence="at_least_one_exists">
                               <table class="evidence-sep" width="100%">
                                  <tbody class="tbe">
                                     <tr>
                                        <td class="bold">Criterion:</td>
                                        <td>Ensure kernel module hfsplus is not loadable</td>
                                     </tr>
                                     <tr>
                                        <td class="bold">Existence Check:</td>
                                        <td>At Least One Exists</td>
                                     </tr>
                                     <tr>
                                        <td class="bold">Item Check:</td>
                                        <td>At least one</td>
                                     </tr>
                                     <tr>
                                        <td class="bold">Result:</td>
                                        <td class="pass">Pass</td>
                                     </tr>
                                  </tbody>
                               </table>
                               <table class="evidence" width="100%">
                                  <caption>Shellcommand Item</caption>
                                  <thead>
                                     <tr>
                                        <th scope="col">Name</th>
                                        <th scope="col">Type</th>
                                        <th scope="col">Status</th>
                                        <th scope="col">Value</th>
                                     </tr>
                                  </thead>
                                  <tbody class="tbe">
                                     <tr>
                                        <td>Command</td>
                                        <td>String</td>
                                        <td>Exists</td>
                                        <td>modprobe -n -v hfsplus</td>
                                     </tr>
                                     <tr>
                                        <td>Line Selection</td>
                                        <td>String</td>
                                        <td>Exists</td>
                                        <td>.+</td>
                                     </tr>
                                     <tr>
                                        <td>Exit Status</td>
                                        <td>Int</td>
                                        <td>Exists</td>
                                        <td>0</td>
                                     </tr>
                                     <tr class="evaluated">
                                        <td>Stdout Line</td>
                                        <td>String</td>
                                        <td>Exists</td>
                                        <td>install /bin/true  </td>
                                     </tr>
                                  </tbody>
                               </table>
                            </div>
                         </div>
                      </div>
                   </evidence>
                </xccdf:check>
             </xccdf:complex-check>
          </xccdf:rule-result>
          

          References:

            CIS Controls V7.0:

            • Control 5: Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers:
              CIS Control Information
              Control: Establish, implement, and actively manage (track, report on, correct) the security configuration of mobile devices, laptops, servers, and workstations using a rigorous configuration management and change control process in order to prevent attackers from exploiting vulnerable services and settings.
              Subcontrol: 5.1
              Label: Establish Secure Configurations
              Description: Maintain documented, standard security configuration standards for all authorized operating systems and software.

            Pass

            1.1.1.7 Ensure mounting of udf filesystems is disabled

            Description:

            The udf filesystem type is the universal disk format used to implement ISO/IEC 13346 and ECMA-167 specifications. This is an open vendor filesystem type for data storage on a broad range of media. This filesystem type is necessary to support writing DVDs and newer optical disc formats.

            Removing support for unneeded filesystem types reduces the local attack surface of the system. If this filesystem type is not needed, disable it.

            Edit or create a file in the /etc/modprobe.d/ directory ending in .conf

            Example: vi /etc/modprobe.d/udf.conf

            and add the following line:

            install udf /bin/true

            Run the following command to unload the udf module:

            # rmmod udf

            Assessment Evidence
            Complex Check
            AND
            Criterion: Ensure kernel module udf is not loadable
            Existence Check: At Least One Exists
            Item Check: At least one
            Result: Pass
            Shellcommand Item
            Name            Type    Status  Value
            Command         String  Exists  modprobe -n -v udf
            Line Selection  String  Exists  .+
            Exit Status     Int     Exists  0
            Stdout Line     String  Exists  insmod /lib/modules/5.4.0-26-generic/kernel/lib/crc-itu-t.ko
            Stdout Line     String  Exists  install /bin/true
            Criterion: Ensure kernel module udf is not loaded
            Existence Check: At Least One Exists
            Item Check: None satisfy
            Result: Pass
            Shellcommand Item
            Name            Type    Status  Value
            Command         String  Exists  modprobe -n -v udf
            Line Selection  String  Exists  .+
            Exit Status     Int     Exists  0
            Stdout Line     String  Exists  insmod /lib/modules/5.4.0-26-generic/kernel/lib/crc-itu-t.ko
            Stdout Line     String  Exists  install /bin/true


            Rule Result XML
            <xccdf:rule-result xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2"
                               xmlns:notes="http://benchmarks.cisecurity.org/notes"
                               xmlns:ae="http://benchmarks.cisecurity.org/ae/0.5"
                               xmlns:ciscf="https://benchmarks.cisecurity.org/ciscf/1.0"
                               xmlns:cc7="http://cisecurity.org/20-cc/v7.0"
                               xmlns:cc6="http://cisecurity.org/20-cc/v6.1"
                               xmlns:ciscat-checklist="http://checklists.nist.gov/xccdf/1.2"
                               xmlns="http://checklists.nist.gov/xccdf/1.2"
                               xmlns:xhtml="http://www.w3.org/1999/xhtml"
                               xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                               xmlns:scap-con="http://scap.nist.gov/schema/scap/constructs/1.2"
                               xmlns:arf="http://scap.nist.gov/schema/asset-reporting-format/1.1"
                               xmlns:dsc="http://scap.nist.gov/schema/scap/source/1.2"
                               xmlns:ai="http://scap.nist.gov/schema/asset-identification/1.1"
                               idref="xccdf_org.cisecurity.benchmarks_rule_1.1.1.7_Ensure_mounting_of_udf_filesystems_is_disabled"
                               role="full"
                               severity="unknown"
                               time="2022-04-13T17:15:55.960Z"
                               version="1"
                               weight="1.0">
               <xccdf:result>pass</xccdf:result>
               <xccdf:ident cc7:controlURI="http://cisecurity.org/20-cc/v7.0/control/5/subcontrol/1"
                            system="http://cisecurity.org/20-cc/v7.0"/>
               <xccdf:complex-check operator="AND" negate="false">
                  <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"
                               negate="false"
                               multi-check="false">
                     <xccdf:check-content-ref href="#OVAL-Results-1"
                                              name="oval:org.cisecurity.benchmarks.canonical_ubuntu_linux_20:def:1455919"/>
                     <evidence xmlns="http://cisecurity.org/evidence">
                        <div class="definition"
                             id="oval:org.cisecurity.benchmarks.canonical_ubuntu_linux_20:def:1455919">
                           <div class="criteria">
                              <div class="criterion"
                                   id="oval:org.cisecurity.benchmarks.canonical_ubuntu_linux_20:tst:1455919"
                                   check="at least one"
                                   check_existence="at_least_one_exists">
                                 <table class="evidence-sep" width="100%">
                                    <tbody class="tbe">
                                       <tr>
                                          <td class="bold">Criterion:</td>
                                          <td>Ensure kernel module udf is not loadable</td>
                                       </tr>
                                       <tr>
                                          <td class="bold">Existence Check:</td>
                                          <td>At Least One Exists</td>
                                       </tr>
                                       <tr>
                                          <td class="bold">Item Check:</td>
                                          <td>At least one</td>
                                       </tr>
                                       <tr>
                                          <td class="bold">Result:</td>
                                          <td class="pass">Pass</td>
                                       </tr>
                                    </tbody>
                                 </table>
                                 <table class="evidence" width="100%">
                                    <caption>Shellcommand Item</caption>
                                    <thead>
                                       <tr>
                                          <th scope="col">Name</th>
                                          <th scope="col">Type</th>
                                          <th scope="col">Status</th>
                                          <th scope="col">Value</th>
                                       </tr>
                                    </thead>
                                    <tbody class="tbe">
                                       <tr>
                                          <td>Command</td>
                                          <td>String</td>
                                          <td>Exists</td>
                                          <td>modprobe -n -v udf</td>
                                       </tr>
                                       <tr>
                                          <td>Line Selection</td>
                                          <td>String</td>
                                          <td>Exists</td>
                                          <td>.+</td>
                                       </tr>
                                       <tr>
                                          <td>Exit Status</td>
                                          <td>Int</td>
                                          <td>Exists</td>
                                          <td>0</td>
                                       </tr>
                                       <tr class="evaluated">
                                          <td>Stdout Line</td>
                                          <td>String</td>
                                          <td>Exists</td>
                                          <td>insmod /lib/modules/5.4.0-26-generic/kernel/lib/crc-itu-t.ko </td>
                                       </tr>
                                       <tr class="evaluated">
                                          <td>Stdout Line</td>
                                          <td>String</td>
                                          <td>Exists</td>
                                          <td>install /bin/true  </td>
                                       </tr>
                                    </tbody>
                                 </table>
                              </div>
                           </div>
                        </div>
                     </evidence>
                  </xccdf:check>
                  <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"
                               negate="false"
                               multi-check="false">
                     <xccdf:check-content-ref href="#OVAL-Results-1"
                                              name="oval:org.cisecurity.benchmarks.canonical_ubuntu_linux_20:def:1455920"/>
                     <evidence xmlns="http://cisecurity.org/evidence">
                        <div class="definition"
                             id="oval:org.cisecurity.benchmarks.canonical_ubuntu_linux_20:def:1455920">
                           <div class="criteria">
                              <div class="criterion"
                                   id="oval:org.cisecurity.benchmarks.canonical_ubuntu_linux_20:tst:1455920"
                                   check="none satisfy"
                                   check_existence="at_least_one_exists">
                                 <table class="evidence-sep" width="100%">
                                    <tbody class="tbe">
                                       <tr>
                                          <td class="bold">Criterion:</td>
                                          <td>Ensure kernel module udf is not loaded</td>
                                       </tr>
                                       <tr>
                                          <td class="bold">Existence Check:</td>
                                          <td>At Least One Exists</td>
                                       </tr>
                                       <tr>
                                          <td class="bold">Item Check:</td>
                                          <td>None satisfy</td>
                                       </tr>
                                       <tr>
                                          <td class="bold">Result:</td>
                                          <td class="pass">Pass</td>
                                       </tr>
                                    </tbody>
                                 </table>
                                 <table class="evidence" width="100%">
                                    <caption>Shellcommand Item</caption>
                                    <thead>
                                       <tr>
                                          <th scope="col">Name</th>
                                          <th scope="col">Type</th>
                                          <th scope="col">Status</th>
                                          <th scope="col">Value</th>
                                       </tr>
                                    </thead>
                                    <tbody class="tbe">
                                       <tr>
                                          <td>Command</td>
                                          <td>String</td>
                                          <td>Exists</td>
                                          <td>modprobe -n -v udf</td>
                                       </tr>
                                       <tr>
                                          <td>Line Selection</td>
                                          <td>String</td>
                                          <td>Exists</td>
                                          <td>.+</td>
                                       </tr>
                                       <tr>
                                          <td>Exit Status</td>
                                          <td>Int</td>
                                          <td>Exists</td>
                                          <td>0</td>
                                       </tr>
                                       <tr class="evaluated">
                                          <td>Stdout Line</td>
                                          <td>String</td>
                                          <td>Exists</td>
                                          <td>insmod /lib/modules/5.4.0-26-generic/kernel/lib/crc-itu-t.ko </td>
                                       </tr>
                                       <tr class="evaluated">
                                          <td>Stdout Line</td>
                                          <td>String</td>
                                          <td>Exists</td>
                                          <td>install /bin/true  </td>
                                       </tr>
                                    </tbody>
                                 </table>
                              </div>
                           </div>
                        </div>
                     </evidence>
                  </xccdf:check>
               </xccdf:complex-check>
            </xccdf:rule-result>
            

            References:

              CIS Controls V7.0:

              • Control 5: Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers:
                CIS Control Information
                Control: Establish, implement, and actively manage (track, report on, correct) the security configuration of mobile devices, laptops, servers, and workstations using a rigorous configuration management and change control process in order to prevent attackers from exploiting vulnerable services and settings.
                Subcontrol: 5.1
                Label: Establish Secure Configurations
                Description: Maintain documented, standard security configuration standards for all authorized operating systems and software.

              Pass

              1.1.2 Ensure /tmp is configured

              Description:

              The /tmp directory is a world-writable directory used for temporary storage by all users and some applications.

              Making /tmp its own file system allows an administrator to set the noexec option on the mount, making /tmp useless for an attacker to install executable code. It would also prevent an attacker from establishing a hardlink to a system setuid program and waiting for it to be updated. Once the program was updated, the hardlink would be broken and the attacker would have their own copy of the old program. If that program happened to have a security vulnerability, the attacker could continue to exploit the known flaw.

              This can be accomplished by either mounting tmpfs to /tmp, or creating a separate partition for /tmp.

              Configure /etc/fstab as appropriate.

              Example:

              tmpfs /tmp tmpfs defaults,rw,nosuid,nodev,noexec,relatime 0 0

              OR Run the following commands to enable systemd /tmp mounting:

              Run the following command to create the tmp.mount file in the correct location:

              # cp -v /usr/share/systemd/tmp.mount /etc/systemd/system/

              Edit /etc/systemd/system/tmp.mount to configure the /tmp mount:

              [Mount]
              What=tmpfs
              Where=/tmp
              Type=tmpfs
              Options=mode=1777,strictatime,nosuid,nodev,noexec

              Run the following command to reload the systemd daemon with the updated tmp.mount unit file:

              # systemctl daemon-reload

              Run the following command to enable and start tmp.mount:

              # systemctl --now enable tmp.mount

              Impact:

              Since the /tmp directory is intended to be world-writable, there is a risk of resource exhaustion if it is not bound to a separate partition.

              Running out of /tmp space is a problem regardless of what kind of filesystem lies under it, but in a default installation a disk-based /tmp will essentially have the whole disk available, as it only creates a single / partition. On the other hand, a RAM-based /tmp as with tmpfs will almost certainly be much smaller, which can lead to applications filling up the filesystem much more easily.

              A /tmp utilizing tmpfs can be resized using the size={size} parameter on the Options line in the tmp.mount file.

              Assessment Evidence:
              Complex Check
              AND
              Criterion: Ensure partition at /tmp and all
              Existence Check: At Least One Exists
              Item Check: All
              Result: Pass
              Partition Item
              Name           Type    Status          Value
              Mount Point    String  Exists          /tmp
              Device         String  Exists          tmpfs
              Uuid           String  Does not exist  No Value
              Fs Type        String  Exists          tmpfs
              Mount Options  String  Exists          rw
              Mount Options  String  Exists          nosuid
              Mount Options  String  Exists          nodev
              Mount Options  String  Exists          noexec
              Mount Options  String  Exists          relatime
              Total Space    Int     Exists          1533605
              Space Used     Int     Exists          8
              Space Left     Int     Exists          1533597


              Rule Result XML:
              <xccdf:rule-result xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2"
                                 xmlns:notes="http://benchmarks.cisecurity.org/notes"
                                 xmlns:ae="http://benchmarks.cisecurity.org/ae/0.5"
                                 xmlns:ciscf="https://benchmarks.cisecurity.org/ciscf/1.0"
                                 xmlns:cc7="http://cisecurity.org/20-cc/v7.0"
                                 xmlns:cc6="http://cisecurity.org/20-cc/v6.1"
                                 xmlns:ciscat-checklist="http://checklists.nist.gov/xccdf/1.2"
                                 xmlns="http://checklists.nist.gov/xccdf/1.2"
                                 xmlns:xhtml="http://www.w3.org/1999/xhtml"
                                 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                                 xmlns:scap-con="http://scap.nist.gov/schema/scap/constructs/1.2"
                                 xmlns:arf="http://scap.nist.gov/schema/asset-reporting-format/1.1"
                                 xmlns:dsc="http://scap.nist.gov/schema/scap/source/1.2"
                                 xmlns:ai="http://scap.nist.gov/schema/asset-identification/1.1"
                                 idref="xccdf_org.cisecurity.benchmarks_rule_1.1.2_Ensure_tmp_is_configured"
                                 role="full"
                                 severity="unknown"
                                 time="2022-04-13T17:15:55.961Z"
                                 version="1"
                                 weight="1.0">
                 <xccdf:result>pass</xccdf:result>
                 <xccdf:ident cc7:controlURI="http://cisecurity.org/20-cc/v7.0/control/5/subcontrol/1"
                              system="http://cisecurity.org/20-cc/v7.0"/>
                 <xccdf:ident system="URL">AJ Lewis, "LVM HOWTO", http://tldp.org/HOWTO/LVM-HOWTO/</xccdf:ident>
                 <xccdf:ident system="URL">https://www.freedesktop.org/wiki/Software/systemd/APIFileSystems/</xccdf:ident>
                 <xccdf:complex-check operator="AND" negate="false">
                    <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"
                                 negate="false"
                                 multi-check="false">
                       <xccdf:check-content-ref href="#OVAL-Results-1"
                                                name="oval:org.cisecurity.benchmarks.canonical_ubuntu_linux_20:def:1519226"/>
                       <evidence xmlns="http://cisecurity.org/evidence">
                          <div class="definition"
                               id="oval:org.cisecurity.benchmarks.canonical_ubuntu_linux_20:def:1519226">
                             <div class="criteria">
                                <div class="criterion"
                                     id="oval:org.cisecurity.benchmarks.canonical_ubuntu_linux_20:tst:1519226"
                                     check="all"
                                     check_existence="at_least_one_exists">
                                   <table class="evidence-sep" width="100%">
                                      <tbody class="tbe">
                                         <tr>
                                            <td class="bold">Criterion:</td>
                                            <td>Ensure partition at /tmp  and all</td>
                                         </tr>
                                         <tr>
                                            <td class="bold">Existence Check:</td>
                                            <td>At Least One Exists</td>
                                         </tr>
                                         <tr>
                                            <td class="bold">Item Check:</td>
                                            <td>All</td>
                                         </tr>
                                         <tr>
                                            <td class="bold">Result:</td>
                                            <td class="pass">Pass</td>
                                         </tr>
                                      </tbody>
                                   </table>
                                   <table class="evidence" width="100%">
                                      <caption>Partition Item</caption>
                                      <thead>
                                         <tr>
                                            <th scope="col">Name</th>
                                            <th scope="col">Type</th>
                                            <th scope="col">Status</th>
                                            <th scope="col">Value</th>
                                         </tr>
                                      </thead>
                                      <tbody class="tbe">
                                         <tr>
                                            <td>Mount Point</td>
                                            <td>String</td>
                                            <td>Exists</td>
                                            <td>/tmp</td>
                                         </tr>
                                         <tr>
                                            <td>Device</td>
                                            <td>String</td>
                                            <td>Exists</td>
                                            <td>tmpfs</td>
                                         </tr>
                                         <tr>
                                            <td>Uuid</td>
                                            <td>String</td>
                                            <td>Does not exist</td>
                                            <td>No Value</td>
                                         </tr>
                                         <tr>
                                            <td>Fs Type</td>
                                            <td>String</td>
                                            <td>Exists</td>
                                            <td>tmpfs</td>
                                         </tr>
                                         <tr>
                                            <td>Mount Options</td>
                                            <td>String</td>
                                            <td>Exists</td>
                                            <td>rw</td>
                                         </tr>
                                         <tr>
                                            <td>Mount Options</td>
                                            <td>String</td>
                                            <td>Exists</td>
                                            <td>nosuid</td>
                                         </tr>
                                         <tr>
                                            <td>Mount Options</td>
                                            <td>String</td>
                                            <td>Exists</td>
                                            <td>nodev</td>
                                         </tr>
                                         <tr>
                                            <td>Mount Options</td>
                                            <td>String</td>
                                            <td>Exists</td>
                                            <td>noexec</td>
                                         </tr>
                                         <tr>
                                            <td>Mount Options</td>
                                            <td>String</td>
                                            <td>Exists</td>
                                            <td>relatime</td>
                                         </tr>
                                         <tr>
                                            <td>Total Space</td>
                                            <td>Int</td>
                                            <td>Exists</td>
                                            <td>1533605</td>
                                         </tr>
                                         <tr>
                                            <td>Space Used</td>
                                            <td>Int</td>
                                            <td>Exists</td>
                                            <td>8</td>
                                         </tr>
                                         <tr>
                                            <td>Space Left</td>
                                            <td>Int</td>
                                            <td>Exists</td>
                                            <td>1533597</td>
                                         </tr>
                                      </tbody>
                                   </table>
                                </div>
                             </div>
                          </div>
                       </evidence>
                    </xccdf:check>
                 </xccdf:complex-check>
              </xccdf:rule-result>
              

              References:

              • URL: AJ Lewis, "LVM HOWTO", http://tldp.org/HOWTO/LVM-HOWTO/
              • URL: https://www.freedesktop.org/wiki/Software/systemd/APIFileSystems/

              CIS Controls V7.0:

              • Control 5: Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers:
                CIS Control Information
                Control: Establish, implement, and actively manage (track, report on, correct) the security configuration of mobile devices, laptops, servers, and workstations using a rigorous configuration management and change control process in order to prevent attackers from exploiting vulnerable services and settings.
                Subcontrol: 5.1
                Label: Establish Secure Configurations
                Description: Maintain documented, standard security configuration standards for all authorized operating systems and software.

              Pass

              1.1.3 Ensure nodev option set on /tmp partition

              Description:

              The nodev mount option specifies that the filesystem cannot contain special devices.

              Since the /tmp filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices in /tmp.

              Edit the /etc/fstab file OR the /etc/systemd/system/local-fs.target.wants/tmp.mount file:

              If /etc/fstab is used to mount /tmp:

              Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /tmp partition. See the fstab(5) manual page for more information.

              Run the following command to remount /tmp:

              # mount -o remount,nodev /tmp

              OR, if systemd is used to mount /tmp:

              Edit /etc/systemd/system/local-fs.target.wants/tmp.mount to add nodev to the /tmp mount options:

              [Mount]
              Options=mode=1777,strictatime,noexec,nodev,nosuid

              Run the following command to restart the systemd daemon:

              # systemctl daemon-reload

              Run the following command to restart tmp.mount:

              # systemctl restart tmp.mount

              Assessment Evidence:
              Complex Check
              AND
              Criterion: Ensure partition at /tmp and all
              Existence Check: At Least One Exists
              Item Check: All
              Result: Pass
              Partition Item
              Name           Type    Status          Value
              Mount Point    String  Exists          /tmp
              Device         String  Exists          tmpfs
              Uuid           String  Does not exist  No Value
              Fs Type        String  Exists          tmpfs
              Mount Options  String  Exists          rw
              Mount Options  String  Exists          nosuid
              Mount Options  String  Exists          nodev
              Mount Options  String  Exists          noexec
              Mount Options  String  Exists          relatime
              Total Space    Int     Exists          1533605
              Space Used     Int     Exists          8
              Space Left     Int     Exists          1533597


              Rule Result XML:
              <xccdf:rule-result xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2"
                                 xmlns:notes="http://benchmarks.cisecurity.org/notes"
                                 xmlns:ae="http://benchmarks.cisecurity.org/ae/0.5"
                                 xmlns:ciscf="https://benchmarks.cisecurity.org/ciscf/1.0"
                                 xmlns:cc7="http://cisecurity.org/20-cc/v7.0"
                                 xmlns:cc6="http://cisecurity.org/20-cc/v6.1"
                                 xmlns:ciscat-checklist="http://checklists.nist.gov/xccdf/1.2"
                                 xmlns="http://checklists.nist.gov/xccdf/1.2"
                                 xmlns:xhtml="http://www.w3.org/1999/xhtml"
                                 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                                 xmlns:scap-con="http://scap.nist.gov/schema/scap/constructs/1.2"
                                 xmlns:arf="http://scap.nist.gov/schema/asset-reporting-format/1.1"
                                 xmlns:dsc="http://scap.nist.gov/schema/scap/source/1.2"
                                 xmlns:ai="http://scap.nist.gov/schema/asset-identification/1.1"
                                 idref="xccdf_org.cisecurity.benchmarks_rule_1.1.3_Ensure_nodev_option_set_on_tmp_partition"
                                 role="full"
                                 severity="unknown"
                                 time="2022-04-13T17:15:55.961Z"
                                 version="1"
                                 weight="1.0">
                 <xccdf:result>pass</xccdf:result>
                 <xccdf:ident cc7:controlURI="http://cisecurity.org/20-cc/v7.0/control/5/subcontrol/1"
                              system="http://cisecurity.org/20-cc/v7.0"/>
                 <xccdf:complex-check operator="AND" negate="false">
                    <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"
                                 negate="false"
                                 multi-check="false">
                       <xccdf:check-content-ref href="#OVAL-Results-1"
                                                name="oval:org.cisecurity.benchmarks.canonical_ubuntu_linux_20:def:1455922"/>
                       <evidence xmlns="http://cisecurity.org/evidence">
                          <div class="definition"
                               id="oval:org.cisecurity.benchmarks.canonical_ubuntu_linux_20:def:1455922">
                             <div class="criteria">
                                <div class="criterion"
                                     id="oval:org.cisecurity.benchmarks.canonical_ubuntu_linux_20:tst:1455922"
                                     check="all"
                                     check_existence="at_least_one_exists">
                                   <table class="evidence-sep" width="100%">
                                      <tbody class="tbe">
                                         <tr>
                                            <td class="bold">Criterion:</td>
                                            <td>Ensure partition at /tmp  and all</td>
                                         </tr>
                                         <tr>
                                            <td class="bold">Existence Check:</td>
                                            <td>At Least One Exists</td>
                                         </tr>
                                         <tr>
                                            <td class="bold">Item Check:</td>
                                            <td>All</td>
                                         </tr>
                                         <tr>
                                            <td class="bold">Result:</td>
                                            <td class="pass">Pass</td>
                                         </tr>
                                      </tbody>
                                   </table>
                                   <table class="evidence" width="100%">
                                      <caption>Partition Item</caption>
                                      <thead>
                                         <tr>
                                            <th scope="col">Name</th>
                                            <th scope="col">Type</th>
                                            <th scope="col">Status</th>
                                            <th scope="col">Value</th>
                                         </tr>
                                      </thead>
                                      <tbody class="tbe">
                                         <tr>
                                            <td>Mount Point</td>
                                            <td>String</td>
                                            <td>Exists</td>
                                            <td>/tmp</td>
                                         </tr>
                                         <tr>
                                            <td>Device</td>
                                            <td>String</td>
                                            <td>Exists</td>
                                            <td>tmpfs</td>
                                         </tr>
                                         <tr>
                                            <td>Uuid</td>
                                            <td>String</td>
                                            <td>Does not exist</td>
                                            <td>No Value</td>
                                         </tr>
                                         <tr>
                                            <td>Fs Type</td>
                                            <td>String</td>
                                            <td>Exists</td>
                                            <td>tmpfs</td>
                                         </tr>
                                         <tr class="evaluated">
                                            <td>Mount Options</td>
                                            <td>String</td>
                                            <td>Exists</td>
                                            <td>rw</td>
                                         </tr>
                                         <tr class="evaluated">
                                            <td>Mount Options</td>
                                            <td>String</td>
                                            <td>Exists</td>
                                            <td>nosuid</td>
                                         </tr>
                                         <tr class="evaluated">
                                            <td>Mount Options</td>
                                            <td>String</td>
                                            <td>Exists</td>
                                            <td>nodev</td>
                                         </tr>
                                         <tr class="evaluated">
                                            <td>Mount Options</td>
                                            <td>String</td>
                                            <td>Exists</td>
                                            <td>noexec</td>
                                         </tr>
                                         <tr class="evaluated">
                                            <td>Mount Options</td>
                                            <td>String</td>
                                            <td>Exists</td>
                                            <td>relatime</td>
                                         </tr>
                                         <tr>
                                            <td>Total Space</td>
                                            <td>Int</td>
                                            <td>Exists</td>
                                            <td>1533605</td>
                                         </tr>
                                         <tr>
                                            <td>Space Used</td>
                                            <td>Int</td>
                                            <td>Exists</td>
                                            <td>8</td>
                                         </tr>
                                         <tr>
                                            <td>Space Left</td>
                                            <td>Int</td>
                                            <td>Exists</td>
                                            <td>1533597</td>
                                         </tr>
                                      </tbody>
                                   </table>
                                </div>
                             </div>
                          </div>
                       </evidence>
                    </xccdf:check>
                 </xccdf:complex-check>
              </xccdf:rule-result>
              

              References:

                CIS Controls V7.0:

                • Control 5: Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers:
                  CIS Control Information
                  Control: Establish, implement, and actively manage (track, report on, correct) the security configuration of mobile devices, laptops, servers, and workstations using a rigorous configuration management and change control process in order to prevent attackers from exploiting vulnerable services and settings.
                  Subcontrol: 5.1
                  Label: Establish Secure Configurations
                  Description: Maintain documented, standard security configuration standards for all authorized operating systems and software.

                Pass

                1.1.4 Ensure nosuid option set on /tmp partition

                Description:

                The nosuid mount option specifies that the filesystem cannot contain setuid files.

                Since the /tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot create setuid files in /tmp.

                Edit the /etc/fstab file and add nosuid to the fourth field (mount options) for the /tmp partition. See the fstab(5) manual page for more information.

                Run the following command to remount /tmp:

                # mount -o remount,nosuid /tmp

                OR edit /etc/systemd/system/local-fs.target.wants/tmp.mount to add nosuid to the /tmp mount options:

                [Mount]

                Options=mode=1777,strictatime,noexec,nodev,nosuid

                Run the following command to remount /tmp:

                # mount -o remount,nosuid /tmp

                Show Assessment Evidence
                Complex Check
                AND
                Criterion: Ensure partition at /tmp may exists and all have at least one partition option equals 'nosuid' (string)
                Existence Check: Any Exist
                Item Check: All
                Result: Pass
                Partition Item
                Name Type Status Value
                Mount Point String Exists /tmp
                Device String Exists tmpfs
                Uuid String Does not exist No Value
                Fs Type String Exists tmpfs
                Mount Options String Exists rw
                Mount Options String Exists nosuid
                Mount Options String Exists nodev
                Mount Options String Exists noexec
                Mount Options String Exists relatime
                Total Space Int Exists 1533605
                Space Used Int Exists 8
                Space Left Int Exists 1533597


                Show Rule Result XML
                <xccdf:rule-result xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2"
                                   xmlns:notes="http://benchmarks.cisecurity.org/notes"
                                   xmlns:ae="http://benchmarks.cisecurity.org/ae/0.5"
                                   xmlns:ciscf="https://benchmarks.cisecurity.org/ciscf/1.0"
                                   xmlns:cc7="http://cisecurity.org/20-cc/v7.0"
                                   xmlns:cc6="http://cisecurity.org/20-cc/v6.1"
                                   xmlns:ciscat-checklist="http://checklists.nist.gov/xccdf/1.2"
                                   xmlns="http://checklists.nist.gov/xccdf/1.2"
                                   xmlns:xhtml="http://www.w3.org/1999/xhtml"
                                   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                                   xmlns:scap-con="http://scap.nist.gov/schema/scap/constructs/1.2"
                                   xmlns:arf="http://scap.nist.gov/schema/asset-reporting-format/1.1"
                                   xmlns:dsc="http://scap.nist.gov/schema/scap/source/1.2"
                                   xmlns:ai="http://scap.nist.gov/schema/asset-identification/1.1"
                                   idref="xccdf_org.cisecurity.benchmarks_rule_1.1.4_Ensure_nosuid_option_set_on_tmp_partition"
                                   role="full"
                                   severity="unknown"
                                   time="2022-04-13T17:15:55.961Z"
                                   version="1"
                                   weight="1.0">
                   <xccdf:result>pass</xccdf:result>
                   <xccdf:ident cc7:controlURI="http://cisecurity.org/20-cc/v7.0/control/5/subcontrol/1"
                                system="http://cisecurity.org/20-cc/v7.0"/>
                   <xccdf:complex-check operator="AND" negate="false">
                      <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"
                                   negate="false"
                                   multi-check="false">
                         <xccdf:check-content-ref href="#OVAL-Results-1"
                                                  name="oval:org.cisecurity.benchmarks.canonical_ubuntu_linux_20:def:1455923"/>
                         <evidence xmlns="http://cisecurity.org/evidence">
                            <div class="definition"
                                 id="oval:org.cisecurity.benchmarks.canonical_ubuntu_linux_20:def:1455923">
                               <div class="criteria">
                                  <div class="criterion"
                                       id="oval:org.cisecurity.benchmarks.canonical_ubuntu_linux_20:tst:1455923"
                                       check="all"
                                       check_existence="any_exist">
                                     <table class="evidence-sep" width="100%">
                                        <tbody class="tbe">
                                           <tr>
                                              <td class="bold">Criterion:</td>
                                              <td>Ensure partition at /tmp may exists and all have at least one partition option equals 'nosuid' (string)</td>
                                           </tr>
                                           <tr>
                                              <td class="bold">Existence Check:</td>
                                              <td>Any Exist</td>
                                           </tr>
                                           <tr>
                                              <td class="bold">Item Check:</td>
                                              <td>All</td>
                                           </tr>
                                           <tr>
                                              <td class="bold">Result:</td>
                                              <td class="pass">Pass</td>
                                           </tr>
                                        </tbody>
                                     </table>
                                     <table class="evidence" width="100%">
                                        <caption>Partition Item</caption>
                                        <thead>
                                           <tr>
                                              <th scope="col">Name</th>
                                              <th scope="col">Type</th>
                                              <th scope="col">Status</th>
                                              <th scope="col">Value</th>
                                           </tr>
                                        </thead>
                                        <tbody class="tbe">
                                           <tr>
                                              <td>Mount Point</td>
                                              <td>String</td>
                                              <td>Exists</td>
                                              <td>/tmp</td>
                                           </tr>
                                           <tr>
                                              <td>Device</td>
                                              <td>String</td>
                                              <td>Exists</td>
                                              <td>tmpfs</td>
                                           </tr>
                                           <tr>
                                              <td>Uuid</td>
                                              <td>String</td>
                                              <td>Does not exist</td>
                                              <td>No Value</td>
                                           </tr>
                                           <tr>
                                              <td>Fs Type</td>
                                              <td>String</td>
                                              <td>Exists</td>
                                              <td>tmpfs</td>
                                           </tr>
                                           <tr class="evaluated">
                                              <td>Mount Options</td>
                                              <td>String</td>
                                              <td>Exists</td>
                                              <td>rw</td>
                                           </tr>
                                           <tr class="evaluated">
                                              <td>Mount Options</td>
                                              <td>String</td>
                                              <td>Exists</td>
                                              <td>nosuid</td>
                                           </tr>
                                           <tr class="evaluated">
                                              <td>Mount Options</td>
                                              <td>String</td>
                                              <td>Exists</td>
                                              <td>nodev</td>
                                           </tr>
                                           <tr class="evaluated">
                                              <td>Mount Options</td>
                                              <td>String</td>
                                              <td>Exists</td>
                                              <td>noexec</td>
                                           </tr>
                                           <tr class="evaluated">
                                              <td>Mount Options</td>
                                              <td>String</td>
                                              <td>Exists</td>
                                              <td>relatime</td>
                                           </tr>
                                           <tr>
                                              <td>Total Space</td>
                                              <td>Int</td>
                                              <td>Exists</td>
                                              <td>1533605</td>
                                           </tr>
                                           <tr>
                                              <td>Space Used</td>
                                              <td>Int</td>
                                              <td>Exists</td>
                                              <td>8</td>
                                           </tr>
                                           <tr>
                                              <td>Space Left</td>
                                              <td>Int</td>
                                              <td>Exists</td>
                                              <td>1533597</td>
                                           </tr>
                                        </tbody>
                                     </table>
                                  </div>
                               </div>
                            </div>
                         </evidence>
                      </xccdf:check>
                   </xccdf:complex-check>
                </xccdf:rule-result>
                

                References:

                  CIS Controls V7.0:

                  • Control 5: Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers:
                    CIS Control Information
                    Control: Establish, implement, and actively manage (track, report on, correct) the security configuration of mobile devices, laptops, servers, and workstations using a rigorous configuration management and change control process in order to prevent attackers from exploiting vulnerable services and settings.
                    Subcontrol: 5.1
                    Label: Establish Secure Configurations
                    Description: Maintain documented, standard security configuration standards for all authorized operating systems and software.

                  Pass

                  1.1.5 Ensure noexec option set on /tmp partition

                  Description:

                  The noexec mount option specifies that the filesystem cannot contain executable binaries.

                  Since the /tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot run executable binaries from /tmp.

                  Edit the /etc/fstab file and add noexec to the fourth field (mount options) for the /tmp partition. See the fstab(5) manual page for more information.

                  Run the following command to remount /tmp:

                  # mount -o remount,noexec /tmp

                  OR edit /etc/systemd/system/local-fs.target.wants/tmp.mount to add noexec to the /tmp mount options:

                  [Mount]

                  Options=mode=1777,strictatime,noexec,nodev,nosuid

                  Run the following command to remount /tmp:

                  # mount -o remount,noexec /tmp

                  Show Assessment Evidence
                  Complex Check
                  AND
                  Criterion: Ensure partition at /tmp may exists{else}exists and all
                  Existence Check: Any Exist
                  Item Check: All
                  Result: Pass
                  Partition Item
                  Name Type Status Value
                  Mount Point String Exists /tmp
                  Device String Exists tmpfs
                  Uuid String Does not exist No Value
                  Fs Type String Exists tmpfs
                  Mount Options String Exists rw
                  Mount Options String Exists nosuid
                  Mount Options String Exists nodev
                  Mount Options String Exists noexec
                  Mount Options String Exists relatime
                  Total Space Int Exists 1533605
                  Space Used Int Exists 8
                  Space Left Int Exists 1533597


                  Show Rule Result XML
                  <xccdf:rule-result xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2"
                                     xmlns:notes="http://benchmarks.cisecurity.org/notes"
                                     xmlns:ae="http://benchmarks.cisecurity.org/ae/0.5"
                                     xmlns:ciscf="https://benchmarks.cisecurity.org/ciscf/1.0"
                                     xmlns:cc7="http://cisecurity.org/20-cc/v7.0"
                                     xmlns:cc6="http://cisecurity.org/20-cc/v6.1"
                                     xmlns:ciscat-checklist="http://checklists.nist.gov/xccdf/1.2"
                                     xmlns="http://checklists.nist.gov/xccdf/1.2"
                                     xmlns:xhtml="http://www.w3.org/1999/xhtml"
                                     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                                     xmlns:scap-con="http://scap.nist.gov/schema/scap/constructs/1.2"
                                     xmlns:arf="http://scap.nist.gov/schema/asset-reporting-format/1.1"
                                     xmlns:dsc="http://scap.nist.gov/schema/scap/source/1.2"
                                     xmlns:ai="http://scap.nist.gov/schema/asset-identification/1.1"
                                     idref="xccdf_org.cisecurity.benchmarks_rule_1.1.5_Ensure_noexec_option_set_on_tmp_partition"
                                     role="full"
                                     severity="unknown"
                                     time="2022-04-13T17:15:55.962Z"
                                     version="1"
                                     weight="1.0">
                     <xccdf:result>pass</xccdf:result>
                     <xccdf:ident cc7:controlURI="http://cisecurity.org/20-cc/v7.0/control/2/subcontrol/6"
                                  system="http://cisecurity.org/20-cc/v7.0"/>
                     <xccdf:complex-check operator="AND" negate="false">
                        <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"
                                     negate="false"
                                     multi-check="false">
                           <xccdf:check-content-ref href="#OVAL-Results-1"
                                                    name="oval:org.cisecurity.benchmarks.canonical_ubuntu_linux_20:def:1455924"/>
                           <evidence xmlns="http://cisecurity.org/evidence">
                              <div class="definition"
                                   id="oval:org.cisecurity.benchmarks.canonical_ubuntu_linux_20:def:1455924">
                                 <div class="criteria">
                                    <div class="criterion"
                                         id="oval:org.cisecurity.benchmarks.canonical_ubuntu_linux_20:tst:1455924"
                                         check="all"
                                         check_existence="any_exist">
                                       <table class="evidence-sep" width="100%">
                                          <tbody class="tbe">
                                             <tr>
                                                <td class="bold">Criterion:</td>
                                                <td>Ensure partition at /tmp may exists{else}exists and all</td>
                                             </tr>
                                             <tr>
                                                <td class="bold">Existence Check:</td>
                                                <td>Any Exist</td>
                                             </tr>
                                             <tr>
                                                <td class="bold">Item Check:</td>
                                                <td>All</td>
                                             </tr>
                                             <tr>
                                                <td class="bold">Result:</td>
                                                <td class="pass">Pass</td>
                                             </tr>
                                          </tbody>
                                       </table>
                                       <table class="evidence" width="100%">
                                          <caption>Partition Item</caption>
                                          <thead>
                                             <tr>
                                                <th scope="col">Name</th>
                                                <th scope="col">Type</th>
                                                <th scope="col">Status</th>
                                                <th scope="col">Value</th>
                                             </tr>
                                          </thead>
                                          <tbody class="tbe">
                                             <tr>
                                                <td>Mount Point</td>
                                                <td>String</td>
                                                <td>Exists</td>
                                                <td>/tmp</td>
                                             </tr>
                                             <tr>
                                                <td>Device</td>
                                                <td>String</td>
                                                <td>Exists</td>
                                                <td>tmpfs</td>
                                             </tr>
                                             <tr>
                                                <td>Uuid</td>
                                                <td>String</td>
                                                <td>Does not exist</td>
                                                <td>No Value</td>
                                             </tr>
                                             <tr>
                                                <td>Fs Type</td>
                                                <td>String</td>
                                                <td>Exists</td>
                                                <td>tmpfs</td>
                                             </tr>
                                             <tr class="evaluated">
                                                <td>Mount Options</td>
                                                <td>String</td>
                                                <td>Exists</td>
                                                <td>rw</td>
                                             </tr>
                                             <tr class="evaluated">
                                                <td>Mount Options</td>
                                                <td>String</td>
                                                <td>Exists</td>
                                                <td>nosuid</td>
                                             </tr>
                                             <tr class="evaluated">
                                                <td>Mount Options</td>
                                                <td>String</td>
                                                <td>Exists</td>
                                                <td>nodev</td>
                                             </tr>
                                             <tr class="evaluated">
                                                <td>Mount Options</td>
                                                <td>String</td>
                                                <td>Exists</td>
                                                <td>noexec</td>
                                             </tr>
                                             <tr class="evaluated">
                                                <td>Mount Options</td>
                                                <td>String</td>
                                                <td>Exists</td>
                                                <td>relatime</td>
                                             </tr>
                                             <tr>
                                                <td>Total Space</td>
                                                <td>Int</td>
                                                <td>Exists</td>
                                                <td>1533605</td>
                                             </tr>
                                             <tr>
                                                <td>Space Used</td>
                                                <td>Int</td>
                                                <td>Exists</td>
                                                <td>8</td>
                                             </tr>
                                             <tr>
                                                <td>Space Left</td>
                                                <td>Int</td>
                                                <td>Exists</td>
                                                <td>1533597</td>
                                             </tr>
                                          </tbody>
                                       </table>
                                    </div>
                                 </div>
                              </div>
                           </evidence>
                        </xccdf:check>
                     </xccdf:complex-check>
                  </xccdf:rule-result>
                  

                  References:

                    CIS Controls V7.0:

                    • Control 2: Inventory and Control of Software Assets:
                      CIS Control Information
                      Control: Actively manage (inventory, track, and correct) all software on the network so that only authorized software is installed and can execute, and that all unauthorized and unmanaged software is found and prevented from installation or execution.
                      Subcontrol: 2.6
                      Label: Address unapproved software
                      Description: Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.

                    Pass

                    1.1.6 Ensure /dev/shm is configured

                    Description:

                    /dev/shm is a traditional shared memory concept. One program creates a memory region, which other processes (if permitted) can access. Mounting tmpfs at /dev/shm is handled automatically by systemd.

                    Any user can upload and execute files inside /dev/shm, similar to the /tmp partition. Configuring /dev/shm allows an administrator to set the noexec option on the mount, making /dev/shm useless for an attacker to install executable code. It would also prevent an attacker from establishing a hardlink to a system setuid program and waiting for it to be updated. Once the program was updated, the hardlink would be broken and the attacker would have their own copy of the program. If the program happened to have a security vulnerability, the attacker could continue to exploit the known flaw.

                    Edit /etc/fstab and add or edit the following line:

                    tmpfs /dev/shm tmpfs defaults,noexec,nodev,nosuid,seclabel 0 0

                    Run the following command to remount /dev/shm:

                    # mount -o remount,noexec,nodev,nosuid /dev/shm

                    Show Assessment Evidence
                    Complex Check
                    AND
                    Criterion: Ensure partition at /dev/shm and all
                    Existence Check: At Least One Exists
                    Item Check: All
                    Result: Pass
                    Partition Item
                    Name Type Status Value
                    Mount Point String Exists /dev/shm
                    Device String Exists tmpfs
                    Uuid String Does not exist No Value
                    Fs Type String Exists tmpfs
                    Mount Options String Exists rw
                    Mount Options String Exists nosuid
                    Mount Options String Exists nodev
                    Mount Options String Exists noexec
                    Total Space Int Exists 1533605
                    Space Used Int Exists 0
                    Space Left Int Exists 1533605


                    Show Rule Result XML
                    <xccdf:rule-result xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2"
                                       xmlns:notes="http://benchmarks.cisecurity.org/notes"
                                       xmlns:ae="http://benchmarks.cisecurity.org/ae/0.5"
                                       xmlns:ciscf="https://benchmarks.cisecurity.org/ciscf/1.0"
                                       xmlns:cc7="http://cisecurity.org/20-cc/v7.0"
                                       xmlns:cc6="http://cisecurity.org/20-cc/v6.1"
                                       xmlns:ciscat-checklist="http://checklists.nist.gov/xccdf/1.2"
                                       xmlns="http://checklists.nist.gov/xccdf/1.2"
                                       xmlns:xhtml="http://www.w3.org/1999/xhtml"
                                       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                                       xmlns:scap-con="http://scap.nist.gov/schema/scap/constructs/1.2"
                                       xmlns:arf="http://scap.nist.gov/schema/asset-reporting-format/1.1"
                                       xmlns:dsc="http://scap.nist.gov/schema/scap/source/1.2"
                                       xmlns:ai="http://scap.nist.gov/schema/asset-identification/1.1"
                                       idref="xccdf_org.cisecurity.benchmarks_rule_1.1.6_Ensure_devshm_is_configured"
                                       role="full"
                                       severity="unknown"
                                       time="2022-04-13T17:15:55.962Z"
                                       version="1"
                                       weight="1.0">
                       <xccdf:result>pass</xccdf:result>
                       <xccdf:ident cc7:controlURI="http://cisecurity.org/20-cc/v7.0/control/5/subcontrol/1"
                                    system="http://cisecurity.org/20-cc/v7.0"/>
                       <xccdf:ident cc7:controlURI="http://cisecurity.org/20-cc/v7.0/control/13"
                                    system="http://cisecurity.org/20-cc/v7.0"/>
                       <xccdf:complex-check operator="AND" negate="false">
                          <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"
                                       negate="false"
                                       multi-check="false">
                             <xccdf:check-content-ref href="#OVAL-Results-1"
                                                      name="oval:org.cisecurity.benchmarks.canonical_ubuntu_linux_20:def:1519227"/>
                             <evidence xmlns="http://cisecurity.org/evidence">
                                <div class="definition"
                                     id="oval:org.cisecurity.benchmarks.canonical_ubuntu_linux_20:def:1519227">
                                   <div class="criteria">
                                      <div class="criterion"
                                           id="oval:org.cisecurity.benchmarks.canonical_ubuntu_linux_20:tst:1519227"
                                           check="all"
                                           check_existence="at_least_one_exists">
                                         <table class="evidence-sep" width="100%">
                                            <tbody class="tbe">
                                               <tr>
                                                  <td class="bold">Criterion:</td>
                                                  <td>Ensure partition at /dev/shm  and all</td>
                                               </tr>
                                               <tr>
                                                  <td class="bold">Existence Check:</td>
                                                  <td>At Least One Exists</td>
                                               </tr>
                                               <tr>
                                                  <td class="bold">Item Check:</td>
                                                  <td>All</td>
                                               </tr>
                                               <tr>
                                                  <td class="bold">Result:</td>
                                                  <td class="pass">Pass</td>
                                               </tr>
                                            </tbody>
                                         </table>
                                         <table class="evidence" width="100%">
                                            <caption>Partition Item</caption>
                                            <thead>
                                               <tr>
                                                  <th scope="col">Name</th>
                                                  <th scope="col">Type</th>
                                                  <th scope="col">Status</th>
                                                  <th scope="col">Value</th>
                                               </tr>
                                            </thead>
                                            <tbody class="tbe">
                                               <tr>
                                                  <td>Mount Point</td>
                                                  <td>String</td>
                                                  <td>Exists</td>
                                                  <td>/dev/shm</td>
                                               </tr>
                                               <tr>
                                                  <td>Device</td>
                                                  <td>String</td>
                                                  <td>Exists</td>
                                                  <td>tmpfs</td>
                                               </tr>
                                               <tr>
                                                  <td>Uuid</td>
                                                  <td>String</td>
                                                  <td>Does not exist</td>
                                                  <td>No Value</td>
                                               </tr>
                                               <tr>
                                                  <td>Fs Type</td>
                                                  <td>String</td>
                                                  <td>Exists</td>
                                                  <td>tmpfs</td>
                                               </tr>
                                               <tr>
                                                  <td>Mount Options</td>
                                                  <td>String</td>
                                                  <td>Exists</td>
                                                  <td>rw</td>
                                               </tr>
                                               <tr>
                                                  <td>Mount Options</td>
                                                  <td>String</td>
                                                  <td>Exists</td>
                                                  <td>nosuid</td>
                                               </tr>
                                               <tr>
                                                  <td>Mount Options</td>
                                                  <td>String</td>
                                                  <td>Exists</td>
                                                  <td>nodev</td>
                                               </tr>
                                               <tr>
                                                  <td>Mount Options</td>
                                                  <td>String</td>
                                                  <td>Exists</td>
                                                  <td>noexec</td>
                                               </tr>
                                               <tr>
                                                  <td>Total Space</td>
                                                  <td>Int</td>
                                                  <td>Exists</td>
                                                  <td>1533605</td>
                                               </tr>
                                               <tr>
                                                  <td>Space Used</td>
                                                  <td>Int</td>
                                                  <td>Exists</td>
                                                  <td>0</td>
                                               </tr>
                                               <tr>
                                                  <td>Space Left</td>
                                                  <td>Int</td>
                                                  <td>Exists</td>
                                                  <td>1533605</td>
                                               </tr>
                                            </tbody>
                                         </table>
                                      </div>
                                   </div>
                                </div>
                             </evidence>
                          </xccdf:check>
                       </xccdf:complex-check>
                    </xccdf:rule-result>
                    

                    References:

                      CIS Controls V7.0:

                      • Control 5: Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers:
                        CIS Control Information
                        Control: Establish, implement, and actively manage (track, report on, correct) the security configuration of mobile devices, laptops, servers, and workstations using a rigorous configuration management and change control process in order to prevent attackers from exploiting vulnerable services and settings.
                        Subcontrol: 5.1
                        Label: Establish Secure Configurations
                        Description: Maintain documented, standard security configuration standards for all authorized operating systems and software.
                      • Control 13: Data Protection:
                        CIS Control Information
                        Control: The processes and tools used to prevent data exfiltration, mitigate the effects of exfiltrated data, and ensure the privacy and integrity of sensitive information.

                      Pass

                      1.1.7 Ensure nodev option set on /dev/shm partition

                      Description:

                      The nodev mount option specifies that the filesystem cannot contain special devices.

                      Since the /dev/shm filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create special devices in /dev/shm partitions.

                      Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /dev/shm partition. See the fstab(5) manual page for more information.

                      Run the following command to remount /dev/shm:

                      # mount -o remount,nosuid,nodev,noexec /dev/shm

                      Assessment Evidence
                      Complex Check
                      AND
                      Criterion: Ensure partition at /dev/shm may exists{else}exists and all
                      Existence Check: Any Exist
                      Item Check: All
                      Result: Pass
                      Partition Item
                      Name           Type    Status          Value
                      Mount Point    String  Exists          /dev/shm
                      Device         String  Exists          tmpfs
                      Uuid           String  Does not exist  No Value
                      Fs Type        String  Exists          tmpfs
                      Mount Options  String  Exists          rw
                      Mount Options  String  Exists          nosuid
                      Mount Options  String  Exists          nodev
                      Mount Options  String  Exists          noexec
                      Total Space    Int     Exists          1533605
                      Space Used     Int     Exists          0
                      Space Left     Int     Exists          1533605


                      Rule Result XML
                      <xccdf:rule-result xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2"
                                         xmlns:notes="http://benchmarks.cisecurity.org/notes"
                                         xmlns:ae="http://benchmarks.cisecurity.org/ae/0.5"
                                         xmlns:ciscf="https://benchmarks.cisecurity.org/ciscf/1.0"
                                         xmlns:cc7="http://cisecurity.org/20-cc/v7.0"
                                         xmlns:cc6="http://cisecurity.org/20-cc/v6.1"
                                         xmlns:ciscat-checklist="http://checklists.nist.gov/xccdf/1.2"
                                         xmlns="http://checklists.nist.gov/xccdf/1.2"
                                         xmlns:xhtml="http://www.w3.org/1999/xhtml"
                                         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                                         xmlns:scap-con="http://scap.nist.gov/schema/scap/constructs/1.2"
                                         xmlns:arf="http://scap.nist.gov/schema/asset-reporting-format/1.1"
                                         xmlns:dsc="http://scap.nist.gov/schema/scap/source/1.2"
                                         xmlns:ai="http://scap.nist.gov/schema/asset-identification/1.1"
                                         idref="xccdf_org.cisecurity.benchmarks_rule_1.1.7_Ensure_nodev_option_set_on_devshm_partition"
                                         role="full"
                                         severity="unknown"
                                         time="2022-04-13T17:15:55.962Z"
                                         version="1"
                                         weight="1.0">
                         <xccdf:result>pass</xccdf:result>
                         <xccdf:ident cc7:controlURI="http://cisecurity.org/20-cc/v7.0/control/5/subcontrol/1"
                                      system="http://cisecurity.org/20-cc/v7.0"/>
                         <xccdf:complex-check operator="AND" negate="false">
                            <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"
                                         negate="false"
                                         multi-check="false">
                               <xccdf:check-content-ref href="#OVAL-Results-1"
                                                        name="oval:org.cisecurity.benchmarks.canonical_ubuntu_linux_20:def:1455926"/>
                               <evidence xmlns="http://cisecurity.org/evidence">
                                  <div class="definition"
                                       id="oval:org.cisecurity.benchmarks.canonical_ubuntu_linux_20:def:1455926">
                                     <div class="criteria">
                                        <div class="criterion"
                                             id="oval:org.cisecurity.benchmarks.canonical_ubuntu_linux_20:tst:1455926"
                                             check="all"
                                             check_existence="any_exist">
                                           <table class="evidence-sep" width="100%">
                                              <tbody class="tbe">
                                                 <tr>
                                                    <td class="bold">Criterion:</td>
                                                    <td>Ensure partition at /dev/shm may exists{else}exists and all</td>
                                                 </tr>
                                                 <tr>
                                                    <td class="bold">Existence Check:</td>
                                                    <td>Any Exist</td>
                                                 </tr>
                                                 <tr>
                                                    <td class="bold">Item Check:</td>
                                                    <td>All</td>
                                                 </tr>
                                                 <tr>
                                                    <td class="bold">Result:</td>
                                                    <td class="pass">Pass</td>
                                                 </tr>
                                              </tbody>
                                           </table>
                                           <table class="evidence" width="100%">
                                              <caption>Partition Item</caption>
                                              <thead>
                                                 <tr>
                                                    <th scope="col">Name</th>
                                                    <th scope="col">Type</th>
                                                    <th scope="col">Status</th>
                                                    <th scope="col">Value</th>
                                                 </tr>
                                              </thead>
                                              <tbody class="tbe">
                                                 <tr>
                                                    <td>Mount Point</td>
                                                    <td>String</td>
                                                    <td>Exists</td>
                                                    <td>/dev/shm</td>
                                                 </tr>
                                                 <tr>
                                                    <td>Device</td>
                                                    <td>String</td>
                                                    <td>Exists</td>
                                                    <td>tmpfs</td>
                                                 </tr>
                                                 <tr>
                                                    <td>Uuid</td>
                                                    <td>String</td>
                                                    <td>Does not exist</td>
                                                    <td>No Value</td>
                                                 </tr>
                                                 <tr>
                                                    <td>Fs Type</td>
                                                    <td>String</td>
                                                    <td>Exists</td>
                                                    <td>tmpfs</td>
                                                 </tr>
                                                 <tr class="evaluated">
                                                    <td>Mount Options</td>
                                                    <td>String</td>
                                                    <td>Exists</td>
                                                    <td>rw</td>
                                                 </tr>
                                                 <tr class="evaluated">
                                                    <td>Mount Options</td>
                                                    <td>String</td>
                                                    <td>Exists</td>
                                                    <td>nosuid</td>
                                                 </tr>
                                                 <tr class="evaluated">
                                                    <td>Mount Options</td>
                                                    <td>String</td>
                                                    <td>Exists</td>
                                                    <td>nodev</td>
                                                 </tr>
                                                 <tr class="evaluated">
                                                    <td>Mount Options</td>
                                                    <td>String</td>
                                                    <td>Exists</td>
                                                    <td>noexec</td>
                                                 </tr>
                                                 <tr>
                                                    <td>Total Space</td>
                                                    <td>Int</td>
                                                    <td>Exists</td>
                                                    <td>1533605</td>
                                                 </tr>
                                                 <tr>
                                                    <td>Space Used</td>
                                                    <td>Int</td>
                                                    <td>Exists</td>
                                                    <td>0</td>
                                                 </tr>
                                                 <tr>
                                                    <td>Space Left</td>
                                                    <td>Int</td>
                                                    <td>Exists</td>
                                                    <td>1533605</td>
                                                 </tr>
                                              </tbody>
                                           </table>
                                        </div>
                                     </div>
                                  </div>
                               </evidence>
                            </xccdf:check>
                         </xccdf:complex-check>
                      </xccdf:rule-result>
                      

                      References:

                        CIS Controls V7.0:

                        • Control 5: Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers:
                          CIS Control Information
                          Control: Establish, implement, and actively manage (track, report on, correct) the security configuration of mobile devices, laptops, servers, and workstations using a rigorous configuration management and change control process in order to prevent attackers from exploiting vulnerable services and settings.
                          Subcontrol: 5.1
                          Label: Establish Secure Configurations
                          Description: Maintain documented, standard security configuration standards for all authorized operating systems and software.

                        Pass

                        1.1.8 Ensure nosuid option set on /dev/shm partition

                        Description:

                        The nosuid mount option specifies that the filesystem cannot contain setuid files.

                        Setting this option on a file system prevents users from introducing privileged programs onto the system and allowing non-root users to execute them.

                        Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /dev/shm partition. See the fstab(5) manual page for more information.

                        Run the following command to remount /dev/shm:

                        # mount -o remount,nosuid,nodev,noexec /dev/shm

                        Assessment Evidence
                        Complex Check
                        AND
                        Criterion: Ensure partition at /dev/shm may exists{else}exists and all
                        Existence Check: Any Exist
                        Item Check: All
                        Result: Pass
                        Partition Item
                        Name           Type    Status          Value
                        Mount Point    String  Exists          /dev/shm
                        Device         String  Exists          tmpfs
                        Uuid           String  Does not exist  No Value
                        Fs Type        String  Exists          tmpfs
                        Mount Options  String  Exists          rw
                        Mount Options  String  Exists          nosuid
                        Mount Options  String  Exists          nodev
                        Mount Options  String  Exists          noexec
                        Total Space    Int     Exists          1533605
                        Space Used     Int     Exists          0
                        Space Left     Int     Exists          1533605


                        Rule Result XML
                        <xccdf:rule-result xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2"
                                           xmlns:notes="http://benchmarks.cisecurity.org/notes"
                                           xmlns:ae="http://benchmarks.cisecurity.org/ae/0.5"
                                           xmlns:ciscf="https://benchmarks.cisecurity.org/ciscf/1.0"
                                           xmlns:cc7="http://cisecurity.org/20-cc/v7.0"
                                           xmlns:cc6="http://cisecurity.org/20-cc/v6.1"
                                           xmlns:ciscat-checklist="http://checklists.nist.gov/xccdf/1.2"
                                           xmlns="http://checklists.nist.gov/xccdf/1.2"
                                           xmlns:xhtml="http://www.w3.org/1999/xhtml"
                                           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                                           xmlns:scap-con="http://scap.nist.gov/schema/scap/constructs/1.2"
                                           xmlns:arf="http://scap.nist.gov/schema/asset-reporting-format/1.1"
                                           xmlns:dsc="http://scap.nist.gov/schema/scap/source/1.2"
                                           xmlns:ai="http://scap.nist.gov/schema/asset-identification/1.1"
                                           idref="xccdf_org.cisecurity.benchmarks_rule_1.1.8_Ensure_nosuid_option_set_on_devshm_partition"
                                           role="full"
                                           severity="unknown"
                                           time="2022-04-13T17:15:55.963Z"
                                           version="1"
                                           weight="1.0">
                           <xccdf:result>pass</xccdf:result>
                           <xccdf:ident cc7:controlURI="http://cisecurity.org/20-cc/v7.0/control/5/subcontrol/1"
                                        system="http://cisecurity.org/20-cc/v7.0"/>
                           <xccdf:complex-check operator="AND" negate="false">
                              <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"
                                           negate="false"
                                           multi-check="false">
                                 <xccdf:check-content-ref href="#OVAL-Results-1"
                                                          name="oval:org.cisecurity.benchmarks.canonical_ubuntu_linux_20:def:1455927"/>
                                 <evidence xmlns="http://cisecurity.org/evidence">
                                    <div class="definition"
                                         id="oval:org.cisecurity.benchmarks.canonical_ubuntu_linux_20:def:1455927">
                                       <div class="criteria">
                                          <div class="criterion"
                                               id="oval:org.cisecurity.benchmarks.canonical_ubuntu_linux_20:tst:1455927"
                                               check="all"
                                               check_existence="any_exist">
                                             <table class="evidence-sep" width="100%">
                                                <tbody class="tbe">
                                                   <tr>
                                                      <td class="bold">Criterion:</td>
                                                      <td>Ensure partition at /dev/shm may exists{else}exists and all</td>
                                                   </tr>
                                                   <tr>
                                                      <td class="bold">Existence Check:</td>
                                                      <td>Any Exist</td>
                                                   </tr>
                                                   <tr>
                                                      <td class="bold">Item Check:</td>
                                                      <td>All</td>
                                                   </tr>
                                                   <tr>
                                                      <td class="bold">Result:</td>
                                                      <td class="pass">Pass</td>
                                                   </tr>
                                                </tbody>
                                             </table>
                                             <table class="evidence" width="100%">
                                                <caption>Partition Item</caption>
                                                <thead>
                                                   <tr>
                                                      <th scope="col">Name</th>
                                                      <th scope="col">Type</th>
                                                      <th scope="col">Status</th>
                                                      <th scope="col">Value</th>
                                                   </tr>
                                                </thead>
                                                <tbody class="tbe">
                                                   <tr>
                                                      <td>Mount Point</td>
                                                      <td>String</td>
                                                      <td>Exists</td>
                                                      <td>/dev/shm</td>
                                                   </tr>
                                                   <tr>
                                                      <td>Device</td>
                                                      <td>String</td>
                                                      <td>Exists</td>
                                                      <td>tmpfs</td>
                                                   </tr>
                                                   <tr>
                                                      <td>Uuid</td>
                                                      <td>String</td>
                                                      <td>Does not exist</td>
                                                      <td>No Value</td>
                                                   </tr>
                                                   <tr>
                                                      <td>Fs Type</td>
                                                      <td>String</td>
                                                      <td>Exists</td>
                                                      <td>tmpfs</td>
                                                   </tr>
                                                   <tr class="evaluated">
                                                      <td>Mount Options</td>
                                                      <td>String</td>
                                                      <td>Exists</td>
                                                      <td>rw</td>
                                                   </tr>
                                                   <tr class="evaluated">
                                                      <td>Mount Options</td>
                                                      <td>String</td>
                                                      <td>Exists</td>
                                                      <td>nosuid</td>
                                                   </tr>
                                                   <tr class="evaluated">
                                                      <td>Mount Options</td>
                                                      <td>String</td>
                                                      <td>Exists</td>
                                                      <td>nodev</td>
                                                   </tr>
                                                   <tr class="evaluated">
                                                      <td>Mount Options</td>
                                                      <td>String</td>
                                                      <td>Exists</td>
                                                      <td>noexec</td>
                                                   </tr>
                                                   <tr>
                                                      <td>Total Space</td>
                                                      <td>Int</td>
                                                      <td>Exists</td>
                                                      <td>1533605</td>
                                                   </tr>
                                                   <tr>
                                                      <td>Space Used</td>
                                                      <td>Int</td>
                                                      <td>Exists</td>
                                                      <td>0</td>
                                                   </tr>
                                                   <tr>
                                                      <td>Space Left</td>
                                                      <td>Int</td>
                                                      <td>Exists</td>
                                                      <td>1533605</td>
                                                   </tr>
                                                </tbody>
                                             </table>
                                          </div>
                                       </div>
                                    </div>
                                 </evidence>
                              </xccdf:check>
                           </xccdf:complex-check>
                        </xccdf:rule-result>
                        

                        References:

                          CIS Controls V7.0:

• Control 5: Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers:
                            CIS Control Information
                            Control: Establish, implement, and actively manage (track, report on, correct) the security configuration of mobile devices, laptops, servers, and workstations using a rigorous configuration management and change control process in order to prevent attackers from exploiting vulnerable services and settings.
                            Subcontrol: 5.1
                            Label: Establish Secure Configurations
                            Description: Maintain documented, standard security configuration standards for all authorized operating systems and software.

                          Pass

                          1.1.9 Ensure noexec option set on /dev/shm partition

                          Description:

                          The noexec mount option specifies that the filesystem cannot contain executable binaries.

                          Setting this option on a file system prevents users from executing programs from shared memory. This deters users from introducing potentially malicious software on the system.

                          Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /dev/shm partition. See the fstab(5) manual page for more information.

                          Run the following command to remount /dev/shm :

                          # mount -o remount,nosuid,nodev,noexec /dev/shm

Assessment Evidence
                          Complex Check
                          AND
                          Criterion: Ensure partition at /dev/shm may exists{else}exists and all
                          Existence Check: Any Exist
                          Item Check: All
                          Result: Pass
                          Partition Item
                          Name Type Status Value
                          Mount Point String Exists /dev/shm
                          Device String Exists tmpfs
                          Uuid String Does not exist No Value
                          Fs Type String Exists tmpfs
                          Mount Options String Exists rw
                          Mount Options String Exists nosuid
                          Mount Options String Exists nodev
                          Mount Options String Exists noexec
                          Total Space Int Exists 1533605
                          Space Used Int Exists 0
                          Space Left Int Exists 1533605


Rule Result XML
                          <xccdf:rule-result xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2"
                                             xmlns:notes="http://benchmarks.cisecurity.org/notes"
                                             xmlns:ae="http://benchmarks.cisecurity.org/ae/0.5"
                                             xmlns:ciscf="https://benchmarks.cisecurity.org/ciscf/1.0"
                                             xmlns:cc7="http://cisecurity.org/20-cc/v7.0"
                                             xmlns:cc6="http://cisecurity.org/20-cc/v6.1"
                                             xmlns:ciscat-checklist="http://checklists.nist.gov/xccdf/1.2"
                                             xmlns="http://checklists.nist.gov/xccdf/1.2"
                                             xmlns:xhtml="http://www.w3.org/1999/xhtml"
                                             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                                             xmlns:scap-con="http://scap.nist.gov/schema/scap/constructs/1.2"
                                             xmlns:arf="http://scap.nist.gov/schema/asset-reporting-format/1.1"
                                             xmlns:dsc="http://scap.nist.gov/schema/scap/source/1.2"
                                             xmlns:ai="http://scap.nist.gov/schema/asset-identification/1.1"
                                             idref="xccdf_org.cisecurity.benchmarks_rule_1.1.9_Ensure_noexec_option_set_on_devshm_partition"
                                             role="full"
                                             severity="unknown"
                                             time="2022-04-13T17:15:55.963Z"
                                             version="1"
                                             weight="1.0">
                             <xccdf:result>pass</xccdf:result>
                             <xccdf:ident cc7:controlURI="http://cisecurity.org/20-cc/v7.0/control/2/subcontrol/6"
                                          system="http://cisecurity.org/20-cc/v7.0"/>
                             <xccdf:complex-check operator="AND" negate="false">
                                <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"
                                             negate="false"
                                             multi-check="false">
                                   <xccdf:check-content-ref href="#OVAL-Results-1"
                                                            name="oval:org.cisecurity.benchmarks.canonical_ubuntu_linux_20:def:1455928"/>
                                   <evidence xmlns="http://cisecurity.org/evidence">
                                      <div class="definition"
                                           id="oval:org.cisecurity.benchmarks.canonical_ubuntu_linux_20:def:1455928">
                                         <div class="criteria">
                                            <div class="criterion"
                                                 id="oval:org.cisecurity.benchmarks.canonical_ubuntu_linux_20:tst:1455928"
                                                 check="all"
                                                 check_existence="any_exist">
                                               <table class="evidence-sep" width="100%">
                                                  <tbody class="tbe">
                                                     <tr>
                                                        <td class="bold">Criterion:</td>
                                                        <td>Ensure partition at /dev/shm may exists{else}exists and all</td>
                                                     </tr>
                                                     <tr>
                                                        <td class="bold">Existence Check:</td>
                                                        <td>Any Exist</td>
                                                     </tr>
                                                     <tr>
                                                        <td class="bold">Item Check:</td>
                                                        <td>All</td>
                                                     </tr>
                                                     <tr>
                                                        <td class="bold">Result:</td>
                                                        <td class="pass">Pass</td>
                                                     </tr>
                                                  </tbody>
                                               </table>
                                               <table class="evidence" width="100%">
                                                  <caption>Partition Item</caption>
                                                  <thead>
                                                     <tr>
                                                        <th scope="col">Name</th>
                                                        <th scope="col">Type</th>
                                                        <th scope="col">Status</th>
                                                        <th scope="col">Value</th>
                                                     </tr>
                                                  </thead>
                                                  <tbody class="tbe">
                                                     <tr>
                                                        <td>Mount Point</td>
                                                        <td>String</td>
                                                        <td>Exists</td>
                                                        <td>/dev/shm</td>
                                                     </tr>
                                                     <tr>
                                                        <td>Device</td>
                                                        <td>String</td>
                                                        <td>Exists</td>
                                                        <td>tmpfs</td>
                                                     </tr>
                                                     <tr>
                                                        <td>Uuid</td>
                                                        <td>String</td>
                                                        <td>Does not exist</td>
                                                        <td>No Value</td>
                                                     </tr>
                                                     <tr>
                                                        <td>Fs Type</td>
                                                        <td>String</td>
                                                        <td>Exists</td>
                                                        <td>tmpfs</td>
                                                     </tr>
                                                     <tr class="evaluated">
                                                        <td>Mount Options</td>
                                                        <td>String</td>
                                                        <td>Exists</td>
                                                        <td>rw</td>
                                                     </tr>
                                                     <tr class="evaluated">
                                                        <td>Mount Options</td>
                                                        <td>String</td>
                                                        <td>Exists</td>
                                                        <td>nosuid</td>
                                                     </tr>
                                                     <tr class="evaluated">
                                                        <td>Mount Options</td>
                                                        <td>String</td>
                                                        <td>Exists</td>
                                                        <td>nodev</td>
                                                     </tr>
                                                     <tr class="evaluated">
                                                        <td>Mount Options</td>
                                                        <td>String</td>
                                                        <td>Exists</td>
                                                        <td>noexec</td>
                                                     </tr>
                                                     <tr>
                                                        <td>Total Space</td>
                                                        <td>Int</td>
                                                        <td>Exists</td>
                                                        <td>1533605</td>
                                                     </tr>
                                                     <tr>
                                                        <td>Space Used</td>
                                                        <td>Int</td>
                                                        <td>Exists</td>
                                                        <td>0</td>
                                                     </tr>
                                                     <tr>
                                                        <td>Space Left</td>
                                                        <td>Int</td>
                                                        <td>Exists</td>
                                                        <td>1533605</td>
                                                     </tr>
                                                  </tbody>
                                               </table>
                                            </div>
                                         </div>
                                      </div>
                                   </evidence>
                                </xccdf:check>
                             </xccdf:complex-check>
                          </xccdf:rule-result>
                          

                          References:

                            CIS Controls V7.0:

• Control 2: Inventory and Control of Software Assets:
                              CIS Control Information
                              Control: Actively manage (inventory, track, and correct) all software on the network so that only authorized software is installed and can execute, and that all unauthorized and unmanaged software is found and prevented from installation or execution.
                              Subcontrol: 2.6
                              Label: Address unapproved software
                              Description: Ensure that unauthorized software is either removed or the inventory is updated in a timely manner

                            Pass

                            1.1.12 Ensure /var/tmp partition includes the nodev option

                            Description:

                            The nodev mount option specifies that the filesystem cannot contain special devices.

                            Since the /var/tmp filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices in /var/tmp .

                            Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /var/tmp partition. See the fstab(5) manual page for more information.

                            Run the following command to remount /var/tmp :

                            # mount -o remount,nosuid,nodev,noexec /var/tmp

Assessment Evidence
                            Complex Check
                            AND
                            Criterion: Ensure partition at /var/tmp may exists and all have at least one partition option equals 'nodev' (string)
                            Existence Check: Any Exist
                            Item Check: All
                            Result: Pass
                            No matching system items were found.


Rule Result XML
                            <xccdf:rule-result xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2"
                                               xmlns:notes="http://benchmarks.cisecurity.org/notes"
                                               xmlns:ae="http://benchmarks.cisecurity.org/ae/0.5"
                                               xmlns:ciscf="https://benchmarks.cisecurity.org/ciscf/1.0"
                                               xmlns:cc7="http://cisecurity.org/20-cc/v7.0"
                                               xmlns:cc6="http://cisecurity.org/20-cc/v6.1"
                                               xmlns:ciscat-checklist="http://checklists.nist.gov/xccdf/1.2"
                                               xmlns="http://checklists.nist.gov/xccdf/1.2"
                                               xmlns:xhtml="http://www.w3.org/1999/xhtml"
                                               xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                                               xmlns:scap-con="http://scap.nist.gov/schema/scap/constructs/1.2"
                                               xmlns:arf="http://scap.nist.gov/schema/asset-reporting-format/1.1"
                                               xmlns:dsc="http://scap.nist.gov/schema/scap/source/1.2"
                                               xmlns:ai="http://scap.nist.gov/schema/asset-identification/1.1"
                                               idref="xccdf_org.cisecurity.benchmarks_rule_1.1.12_Ensure_vartmp_partition_includes_the_nodev_option"
                                               role="full"
                                               severity="unknown"
                                               time="2022-04-13T17:15:55.964Z"
                                               version="1"
                                               weight="1.0">
                               <xccdf:result>pass</xccdf:result>
                               <xccdf:ident cc7:controlURI="http://cisecurity.org/20-cc/v7.0/control/5/subcontrol/1"
                                            system="http://cisecurity.org/20-cc/v7.0"/>
                               <xccdf:complex-check operator="AND" negate="false">
                                  <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"
                                               negate="false"
                                               multi-check="false">
                                     <xccdf:check-content-ref href="#OVAL-Results-1"
                                                              name="oval:org.cisecurity.benchmarks.canonical_ubuntu_linux_20:def:1519228"/>
                                     <evidence xmlns="http://cisecurity.org/evidence">
                                        <div class="definition"
                                             id="oval:org.cisecurity.benchmarks.canonical_ubuntu_linux_20:def:1519228">
                                           <div class="criteria">
                                              <div class="criterion"
                                                   id="oval:org.cisecurity.benchmarks.canonical_ubuntu_linux_20:tst:1519228"
                                                   check="all"
                                                   check_existence="any_exist">
                                                 <table class="evidence-sep" width="100%">
                                                    <tbody class="tbe">
                                                       <tr>
                                                          <td class="bold">Criterion:</td>
                                                          <td>Ensure partition at /var/tmp may exists and all have at least one partition option equals 'nodev' (string)</td>
                                                       </tr>
                                                       <tr>
                                                          <td class="bold">Existence Check:</td>
                                                          <td>Any Exist</td>
                                                       </tr>
                                                       <tr>
                                                          <td class="bold">Item Check:</td>
                                                          <td>All</td>
                                                       </tr>
                                                       <tr>
                                                          <td class="bold">Result:</td>
                                                          <td class="pass">Pass</td>
                                                       </tr>
                                                    </tbody>
                                                 </table>
                                                 <table class="evidence" width="100%">
                                                    <tr>
                                                       <td>No matching system items were found.</td>
                                                    </tr>
                                                 </table>
                                              </div>
                                           </div>
                                        </div>
                                     </evidence>
                                  </xccdf:check>
                               </xccdf:complex-check>
                            </xccdf:rule-result>
                            

                            References:

                              CIS Controls V7.0:

• Control 5: Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers:
                                CIS Control Information
                                Control: Establish, implement, and actively manage (track, report on, correct) the security configuration of mobile devices, laptops, servers, and workstations using a rigorous configuration management and change control process in order to prevent attackers from exploiting vulnerable services and settings.
                                Subcontrol: 5.1
                                Label: Establish Secure Configurations
                                Description: Maintain documented, standard security configuration standards for all authorized operating systems and software.

                              Pass

                              1.1.13 Ensure /var/tmp partition includes the nosuid option

                              Description:

                              The nosuid mount option specifies that the filesystem cannot contain setuid files.

                              Since the /var/tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot create setuid files in /var/tmp .

                              Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /var/tmp partition. See the fstab(5) manual page for more information.

                              Run the following command to remount /var/tmp :

                              # mount -o remount,nosuid,nodev,noexec /var/tmp

Assessment Evidence
                              Complex Check
                              AND
                              Criterion: Ensure partition at /var/tmp may exists and all have at least one partition option equals 'nosuid' (string)
                              Existence Check: Any Exist
                              Item Check: All
                              Result: Pass
                              No matching system items were found.


Rule Result XML
                              <xccdf:rule-result xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2"
                                                 xmlns:notes="http://benchmarks.cisecurity.org/notes"
                                                 xmlns:ae="http://benchmarks.cisecurity.org/ae/0.5"
                                                 xmlns:ciscf="https://benchmarks.cisecurity.org/ciscf/1.0"
                                                 xmlns:cc7="http://cisecurity.org/20-cc/v7.0"
                                                 xmlns:cc6="http://cisecurity.org/20-cc/v6.1"
                                                 xmlns:ciscat-checklist="http://checklists.nist.gov/xccdf/1.2"
                                                 xmlns="http://checklists.nist.gov/xccdf/1.2"
                                                 xmlns:xhtml="http://www.w3.org/1999/xhtml"
                                                 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                                                 xmlns:scap-con="http://scap.nist.gov/schema/scap/constructs/1.2"
                                                 xmlns:arf="http://scap.nist.gov/schema/asset-reporting-format/1.1"
                                                 xmlns:dsc="http://scap.nist.gov/schema/scap/source/1.2"
                                                 xmlns:ai="http://scap.nist.gov/schema/asset-identification/1.1"
                                                 idref="xccdf_org.cisecurity.benchmarks_rule_1.1.13_Ensure_vartmp_partition_includes_the_nosuid_option"
                                                 role="full"
                                                 severity="unknown"
                                                 time="2022-04-13T17:15:55.964Z"
                                                 version="1"
                                                 weight="1.0">
                                 <xccdf:result>pass</xccdf:result>
                                 <xccdf:ident cc7:controlURI="http://cisecurity.org/20-cc/v7.0/control/5/subcontrol/1"
                                              system="http://cisecurity.org/20-cc/v7.0"/>
                                 <xccdf:complex-check operator="AND" negate="false">
                                    <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"
                                                 negate="false"
                                                 multi-check="false">
                                       <xccdf:check-content-ref href="#OVAL-Results-1"
                                                                name="oval:org.cisecurity.benchmarks.canonical_ubuntu_linux_20:def:1456427"/>
                                       <evidence xmlns="http://cisecurity.org/evidence">
                                          <div class="definition"
                                               id="oval:org.cisecurity.benchmarks.canonical_ubuntu_linux_20:def:1456427">
                                             <div class="criteria">
                                                <div class="criterion"
                                                     id="oval:org.cisecurity.benchmarks.canonical_ubuntu_linux_20:tst:1456427"
                                                     check="all"
                                                     check_existence="any_exist">
                                                   <table class="evidence-sep" width="100%">
                                                      <tbody class="tbe">
                                                         <tr>
                                                            <td class="bold">Criterion:</td>
                                                            <td>Ensure partition at /var/tmp may exists and all have at least one partition option equals 'nosuid' (string)</td>
                                                         </tr>
                                                         <tr>
                                                            <td class="bold">Existence Check:</td>
                                                            <td>Any Exist</td>
                                                         </tr>
                                                         <tr>
                                                            <td class="bold">Item Check:</td>
                                                            <td>All</td>
                                                         </tr>
                                                         <tr>
                                                            <td class="bold">Result:</td>
                                                            <td class="pass">Pass</td>
                                                         </tr>
                                                      </tbody>
                                                   </table>
                                                   <table class="evidence" width="100%">
                                                      <tr>
                                                         <td>No matching system items were found.</td>
                                                      </tr>
                                                   </table>
                                                </div>
                                             </div>
                                          </div>
                                       </evidence>
                                    </xccdf:check>
                                 </xccdf:complex-check>
                              </xccdf:rule-result>
                              

                              References:

                                CIS Controls V7.0:

                                 • Control 5: Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers:
                                  CIS Control Information
                                  Control: Establish, implement, and actively manage (track, report on, correct) the security configuration of mobile devices, laptops, servers, and workstations using a rigorous configuration management and change control process in order to prevent attackers from exploiting vulnerable services and settings.
                                  Subcontrol: 5.1
                                  Label: Establish Secure Configurations
                                  Description: Maintain documented, standard security configuration standards for all authorized operating systems and software.

                                Pass

                                1.1.14 Ensure /var/tmp partition includes the noexec option

                                Description:

                                The noexec mount option specifies that the filesystem cannot contain executable binaries.

                                 Since the /var/tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot run executable binaries from /var/tmp.

                                Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /var/tmp partition. See the fstab(5) manual page for more information.

                                 Run the following command to remount /var/tmp:

                                # mount -o remount,nosuid,nodev,noexec /var/tmp

                                 Assessment Evidence
                                Complex Check
                                AND
                                Criterion: Ensure partition at /var/tmp may exists{else}exists and all
                                Existence Check: Any Exist
                                Item Check: All
                                Result: Pass
                                No matching system items were found.


                                 Rule Result XML
                                <xccdf:rule-result xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2"
                                                   xmlns:notes="http://benchmarks.cisecurity.org/notes"
                                                   xmlns:ae="http://benchmarks.cisecurity.org/ae/0.5"
                                                   xmlns:ciscf="https://benchmarks.cisecurity.org/ciscf/1.0"
                                                   xmlns:cc7="http://cisecurity.org/20-cc/v7.0"
                                                   xmlns:cc6="http://cisecurity.org/20-cc/v6.1"
                                                   xmlns:ciscat-checklist="http://checklists.nist.gov/xccdf/1.2"
                                                   xmlns="http://checklists.nist.gov/xccdf/1.2"
                                                   xmlns:xhtml="http://www.w3.org/1999/xhtml"
                                                   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                                                   xmlns:scap-con="http://scap.nist.gov/schema/scap/constructs/1.2"
                                                   xmlns:arf="http://scap.nist.gov/schema/asset-reporting-format/1.1"
                                                   xmlns:dsc="http://scap.nist.gov/schema/scap/source/1.2"
                                                   xmlns:ai="http://scap.nist.gov/schema/asset-identification/1.1"
                                                   idref="xccdf_org.cisecurity.benchmarks_rule_1.1.14_Ensure_vartmp_partition_includes_the_noexec_option"
                                                   role="full"
                                                   severity="unknown"
                                                   time="2022-04-13T17:15:55.964Z"
                                                   version="1"
                                                   weight="1.0">
                                   <xccdf:result>pass</xccdf:result>
                                   <xccdf:ident cc7:controlURI="http://cisecurity.org/20-cc/v7.0/control/2/subcontrol/6"
                                                system="http://cisecurity.org/20-cc/v7.0"/>
                                   <xccdf:complex-check operator="AND" negate="false">
                                      <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"
                                                   negate="false"
                                                   multi-check="false">
                                         <xccdf:check-content-ref href="#OVAL-Results-1"
                                                                  name="oval:org.cisecurity.benchmarks.canonical_ubuntu_linux_20:def:1456428"/>
                                         <evidence xmlns="http://cisecurity.org/evidence">
                                            <div class="definition"
                                                 id="oval:org.cisecurity.benchmarks.canonical_ubuntu_linux_20:def:1456428">
                                               <div class="criteria">
                                                  <div class="criterion"
                                                       id="oval:org.cisecurity.benchmarks.canonical_ubuntu_linux_20:tst:1456428"
                                                       check="all"
                                                       check_existence="any_exist">
                                                     <table class="evidence-sep" width="100%">
                                                        <tbody class="tbe">
                                                           <tr>
                                                              <td class="bold">Criterion:</td>
                                                              <td>Ensure partition at /var/tmp may exists{else}exists and all</td>
                                                           </tr>
                                                           <tr>
                                                              <td class="bold">Existence Check:</td>
                                                              <td>Any Exist</td>
                                                           </tr>
                                                           <tr>
                                                              <td class="bold">Item Check:</td>
                                                              <td>All</td>
                                                           </tr>
                                                           <tr>
                                                              <td class="bold">Result:</td>
                                                              <td class="pass">Pass</td>
                                                           </tr>
                                                        </tbody>
                                                     </table>
                                                     <table class="evidence" width="100%">
                                                        <tr>
                                                           <td>No matching system items were found.</td>
                                                        </tr>
                                                     </table>
                                                  </div>
                                               </div>
                                            </div>
                                         </evidence>
                                      </xccdf:check>
                                   </xccdf:complex-check>
                                </xccdf:rule-result>
                                

                                References:

                                  CIS Controls V7.0:

                                   • Control 2: Inventory and Control of Software Assets:
                                    CIS Control Information
                                    Control: Actively manage (inventory, track, and correct) all software on the network so that only authorized software is installed and can execute, and that all unauthorized and unmanaged software is found and prevented from installation or execution.
                                    Subcontrol: 2.6
                                    Label: Address unapproved software
                                   Description: Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.

                                  Pass

                                  1.1.18 Ensure /home partition includes the nodev option

                                  Description:

                                  The nodev mount option specifies that the filesystem cannot contain special devices.

                                  Since the user partitions are not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices.

                                  Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /home partition. See the fstab(5) manual page for more information.

                                  # mount -o remount,nodev /home

                                   Assessment Evidence
                                  Complex Check
                                  AND
                                  Criterion: Ensure partition at /home may exists{else}exists and all
                                  Existence Check: Any Exist
                                  Item Check: All
                                  Result: Pass
                                  No matching system items were found.


                                   Rule Result XML
                                  <xccdf:rule-result xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2"
                                                     xmlns:notes="http://benchmarks.cisecurity.org/notes"
                                                     xmlns:ae="http://benchmarks.cisecurity.org/ae/0.5"
                                                     xmlns:ciscf="https://benchmarks.cisecurity.org/ciscf/1.0"
                                                     xmlns:cc7="http://cisecurity.org/20-cc/v7.0"
                                                     xmlns:cc6="http://cisecurity.org/20-cc/v6.1"
                                                     xmlns:ciscat-checklist="http://checklists.nist.gov/xccdf/1.2"
                                                     xmlns="http://checklists.nist.gov/xccdf/1.2"
                                                     xmlns:xhtml="http://www.w3.org/1999/xhtml"
                                                     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                                                     xmlns:scap-con="http://scap.nist.gov/schema/scap/constructs/1.2"
                                                     xmlns:arf="http://scap.nist.gov/schema/asset-reporting-format/1.1"
                                                     xmlns:dsc="http://scap.nist.gov/schema/scap/source/1.2"
                                                     xmlns:ai="http://scap.nist.gov/schema/asset-identification/1.1"
                                                     idref="xccdf_org.cisecurity.benchmarks_rule_1.1.18_Ensure_home_partition_includes_the_nodev_option"
                                                     role="full"
                                                     severity="unknown"
                                                     time="2022-04-13T17:15:55.965Z"
                                                     version="1"
                                                     weight="1.0">
                                     <xccdf:result>pass</xccdf:result>
                                     <xccdf:ident cc7:controlURI="http://cisecurity.org/20-cc/v7.0/control/5/subcontrol/1"
                                                  system="http://cisecurity.org/20-cc/v7.0"/>
                                     <xccdf:complex-check operator="AND" negate="false">
                                        <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"
                                                     negate="false"
                                                     multi-check="false">
                                           <xccdf:check-content-ref href="#OVAL-Results-1"
                                                                    name="oval:org.cisecurity.benchmarks.canonical_ubuntu_linux_20:def:1456429"/>
                                           <evidence xmlns="http://cisecurity.org/evidence">
                                              <div class="definition"
                                                   id="oval:org.cisecurity.benchmarks.canonical_ubuntu_linux_20:def:1456429">
                                                 <div class="criteria">
                                                    <div class="criterion"
                                                         id="oval:org.cisecurity.benchmarks.canonical_ubuntu_linux_20:tst:1456429"
                                                         check="all"
                                                         check_existence="any_exist">
                                                       <table class="evidence-sep" width="100%">
                                                          <tbody class="tbe">
                                                             <tr>
                                                                <td class="bold">Criterion:</td>
                                                                <td>Ensure partition at /home may exists{else}exists and all</td>
                                                             </tr>
                                                             <tr>
                                                                <td class="bold">Existence Check:</td>
                                                                <td>Any Exist</td>
                                                             </tr>
                                                             <tr>
                                                                <td class="bold">Item Check:</td>
                                                                <td>All</td>
                                                             </tr>
                                                             <tr>
                                                                <td class="bold">Result:</td>
                                                                <td class="pass">Pass</td>
                                                             </tr>
                                                          </tbody>
                                                       </table>
                                                       <table class="evidence" width="100%">
                                                          <tr>
                                                             <td>No matching system items were found.</td>
                                                          </tr>
                                                       </table>
                                                    </div>
                                                 </div>
                                              </div>
                                           </evidence>
                                        </xccdf:check>
                                     </xccdf:complex-check>
                                  </xccdf:rule-result>
                                  

                                  References:

                                    CIS Controls V7.0:

                                     • Control 5: Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers:
                                      CIS Control Information
                                      Control: Establish, implement, and actively manage (track, report on, correct) the security configuration of mobile devices, laptops, servers, and workstations using a rigorous configuration management and change control process in order to prevent attackers from exploiting vulnerable services and settings.
                                      Subcontrol: 5.1
                                      Label: Establish Secure Configurations
                                      Description: Maintain documented, standard security configuration standards for all authorized operating systems and software.

                                    Manual

                                    1.1.19 Ensure nodev option set on removable media partitions

                                    Description:

                                    The nodev mount option specifies that the filesystem cannot contain special devices.

                                    Removable media containing character and block special devices could be used to circumvent security controls by allowing non-root users to access sensitive device files such as /dev/kmem or the raw disk partitions.

                                    Edit the /etc/fstab file and add nodev to the fourth field (mounting options) of all removable media partitions. Look for entries that have mount points that contain words such as floppy or cdrom. See the fstab(5) manual page for more information.



                                     Rule Result XML
                                    <xccdf:rule-result xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2"
                                                       xmlns:notes="http://benchmarks.cisecurity.org/notes"
                                                       xmlns:ae="http://benchmarks.cisecurity.org/ae/0.5"
                                                       xmlns:ciscf="https://benchmarks.cisecurity.org/ciscf/1.0"
                                                       xmlns:cc7="http://cisecurity.org/20-cc/v7.0"
                                                       xmlns:cc6="http://cisecurity.org/20-cc/v6.1"
                                                       xmlns:ciscat-checklist="http://checklists.nist.gov/xccdf/1.2"
                                                       xmlns="http://checklists.nist.gov/xccdf/1.2"
                                                       xmlns:xhtml="http://www.w3.org/1999/xhtml"
                                                       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                                                       xmlns:scap-con="http://scap.nist.gov/schema/scap/constructs/1.2"
                                                       xmlns:arf="http://scap.nist.gov/schema/asset-reporting-format/1.1"
                                                       xmlns:dsc="http://scap.nist.gov/schema/scap/source/1.2"
                                                       xmlns:ai="http://scap.nist.gov/schema/asset-identification/1.1"
                                                       idref="xccdf_org.cisecurity.benchmarks_rule_1.1.19_Ensure_nodev_option_set_on_removable_media_partitions"
                                                       role="unscored"
                                                       severity="unknown"
                                                       time="2022-04-13T17:15:55.965Z"
                                                       version="1"
                                                       weight="0.0">
                                       <xccdf:result>notchecked</xccdf:result>
                                       <xccdf:ident cc7:controlURI="http://cisecurity.org/20-cc/v7.0/control/5/subcontrol/1"
                                                    system="http://cisecurity.org/20-cc/v7.0"/>
                                    </xccdf:rule-result>
                                    

                                    References:

                                      CIS Controls V7.0:

                                       • Control 5: Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers:
                                        CIS Control Information
                                        Control: Establish, implement, and actively manage (track, report on, correct) the security configuration of mobile devices, laptops, servers, and workstations using a rigorous configuration management and change control process in order to prevent attackers from exploiting vulnerable services and settings.
                                        Subcontrol: 5.1
                                        Label: Establish Secure Configurations
                                        Description: Maintain documented, standard security configuration standards for all authorized operating systems and software.

                                      Manual

                                      1.1.20 Ensure nosuid option set on removable media partitions

                                      Description:

                                      The nosuid mount option specifies that the filesystem cannot contain setuid files.

                                      Setting this option on a file system prevents users from introducing privileged programs onto the system and allowing non-root users to execute them.

                                      Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) of all removable media partitions. Look for entries that have mount points that contain words such as floppy or cdrom. See the fstab(5) manual page for more information.



                                       Rule Result XML
                                      <xccdf:rule-result xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2"
                                                         xmlns:notes="http://benchmarks.cisecurity.org/notes"
                                                         xmlns:ae="http://benchmarks.cisecurity.org/ae/0.5"
                                                         xmlns:ciscf="https://benchmarks.cisecurity.org/ciscf/1.0"
                                                         xmlns:cc7="http://cisecurity.org/20-cc/v7.0"
                                                         xmlns:cc6="http://cisecurity.org/20-cc/v6.1"
                                                         xmlns:ciscat-checklist="http://checklists.nist.gov/xccdf/1.2"
                                                         xmlns="http://checklists.nist.gov/xccdf/1.2"
                                                         xmlns:xhtml="http://www.w3.org/1999/xhtml"
                                                         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                                                         xmlns:scap-con="http://scap.nist.gov/schema/scap/constructs/1.2"
                                                         xmlns:arf="http://scap.nist.gov/schema/asset-reporting-format/1.1"
                                                         xmlns:dsc="http://scap.nist.gov/schema/scap/source/1.2"
                                                         xmlns:ai="http://scap.nist.gov/schema/asset-identification/1.1"
                                                         idref="xccdf_org.cisecurity.benchmarks_rule_1.1.20_Ensure_nosuid_option_set_on_removable_media_partitions"
                                                         role="unscored"
                                                         severity="unknown"
                                                         time="2022-04-13T17:15:55.965Z"
                                                         version="1"
                                                         weight="0.0">
                                         <xccdf:result>notchecked</xccdf:result>
                                         <xccdf:ident cc7:controlURI="http://cisecurity.org/20-cc/v7.0/control/5/subcontrol/1"
                                                      system="http://cisecurity.org/20-cc/v7.0"/>
                                      </xccdf:rule-result>
                                      

                                      References:

                                        CIS Controls V7.0:

                                         • Control 5: Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers:
                                          CIS Control Information
                                          Control: Establish, implement, and actively manage (track, report on, correct) the security configuration of mobile devices, laptops, servers, and workstations using a rigorous configuration management and change control process in order to prevent attackers from exploiting vulnerable services and settings.
                                          Subcontrol: 5.1
                                          Label: Establish Secure Configurations
                                          Description: Maintain documented, standard security configuration standards for all authorized operating systems and software.

                                        Manual

                                        1.1.21 Ensure noexec option set on removable media partitions

                                        Description:

                                        The noexec mount option specifies that the filesystem cannot contain executable binaries.

                                        Setting this option on a file system prevents users from executing programs from the removable media. This deters users from being able to introduce potentially malicious software on the system.

                                        Edit the /etc/fstab file and add noexec to the fourth field (mounting options) of all removable media partitions. Look for entries that have mount points that contain words such as floppy or cdrom. See the fstab(5) manual page for more information.



                                         Rule Result XML
                                        <xccdf:rule-result xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2"
                                                           xmlns:notes="http://benchmarks.cisecurity.org/notes"
                                                           xmlns:ae="http://benchmarks.cisecurity.org/ae/0.5"
                                                           xmlns:ciscf="https://benchmarks.cisecurity.org/ciscf/1.0"
                                                           xmlns:cc7="http://cisecurity.org/20-cc/v7.0"
                                                           xmlns:cc6="http://cisecurity.org/20-cc/v6.1"
                                                           xmlns:ciscat-checklist="http://checklists.nist.gov/xccdf/1.2"
                                                           xmlns="http://checklists.nist.gov/xccdf/1.2"
                                                           xmlns:xhtml="http://www.w3.org/1999/xhtml"
                                                           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                                                           xmlns:scap-con="http://scap.nist.gov/schema/scap/constructs/1.2"
                                                           xmlns:arf="http://scap.nist.gov/schema/asset-reporting-format/1.1"
                                                           xmlns:dsc="http://scap.nist.gov/schema/scap/source/1.2"
                                                           xmlns:ai="http://scap.nist.gov/schema/asset-identification/1.1"
                                                           idref="xccdf_org.cisecurity.benchmarks_rule_1.1.21_Ensure_noexec_option_set_on_removable_media_partitions"
                                                           role="unscored"
                                                           severity="unknown"
                                                           time="2022-04-13T17:15:55.965Z"
                                                           version="1"
                                                           weight="0.0">
                                           <xccdf:result>notchecked</xccdf:result>
                                           <xccdf:ident cc7:controlURI="http://cisecurity.org/20-cc/v7.0/control/2/subcontrol/6"
                                                        system="http://cisecurity.org/20-cc/v7.0"/>
                                        </xccdf:rule-result>
                                        

                                        References:

                                          CIS Controls V7.0:

                                           • Control 2: Inventory and Control of Software Assets:
                                            CIS Control Information
                                            Control: Actively manage (inventory, track, and correct) all software on the network so that only authorized software is installed and can execute, and that all unauthorized and unmanaged software is found and prevented from installation or execution.
                                            Subcontrol: 2.6
                                            Label: Address unapproved software
                                             Description: Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.

                                          Pass

                                          1.1.22 Ensure sticky bit is set on all world-writable directories

                                          Description:

                                           Setting the sticky bit on world-writable directories prevents users from deleting or renaming files in that directory that are not owned by them.

                                           This feature prevents the ability to delete or rename files in world-writable directories (such as /tmp) that are owned by another user.

                                           Run the following command to set the sticky bit on all world-writable directories:

                                          # df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type d \( -perm -0002 -a ! -perm -1000 \) 2>/dev/null | xargs -I '{}' chmod a+t '{}'

                                           Assessment Evidence
                                          Complex Check
                                          AND
                                          Script: sce/world_writable_dirs_sticky.sh
                                          Result: Pass
                                          Exit Value: 101
                                          No output lines were collected.
                                          No error lines were collected.


                                          Rule Result XML:
                                          <xccdf:rule-result xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2"
                                                             xmlns:notes="http://benchmarks.cisecurity.org/notes"
                                                             xmlns:ae="http://benchmarks.cisecurity.org/ae/0.5"
                                                             xmlns:ciscf="https://benchmarks.cisecurity.org/ciscf/1.0"
                                                             xmlns:cc7="http://cisecurity.org/20-cc/v7.0"
                                                             xmlns:cc6="http://cisecurity.org/20-cc/v6.1"
                                                             xmlns:ciscat-checklist="http://checklists.nist.gov/xccdf/1.2"
                                                             xmlns="http://checklists.nist.gov/xccdf/1.2"
                                                             xmlns:xhtml="http://www.w3.org/1999/xhtml"
                                                             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                                                             xmlns:scap-con="http://scap.nist.gov/schema/scap/constructs/1.2"
                                                             xmlns:arf="http://scap.nist.gov/schema/asset-reporting-format/1.1"
                                                             xmlns:dsc="http://scap.nist.gov/schema/scap/source/1.2"
                                                             xmlns:ai="http://scap.nist.gov/schema/asset-identification/1.1"
                                                             idref="xccdf_org.cisecurity.benchmarks_rule_1.1.22_Ensure_sticky_bit_is_set_on_all_world-writable_directories"
                                                             role="full"
                                                             severity="unknown"
                                                             time="2022-04-13T17:15:55.966Z"
                                                             version="1"
                                                             weight="1.0">
                                             <xccdf:result>pass</xccdf:result>
                                             <xccdf:ident cc7:controlURI="http://cisecurity.org/20-cc/v7.0/control/5/subcontrol/1"
                                                          system="http://cisecurity.org/20-cc/v7.0"/>
                                             <xccdf:complex-check operator="AND" negate="false">
                                                <xccdf:check system="http://open-scap.org/page/SCE"
                                                             negate="false"
                                                             multi-check="false">
                                                   <xccdf:check-content-ref href="sce/world_writable_dirs_sticky.sh"/>
                                                   <xccdf:check-content>
                                                      <command_result href="sce/world_writable_dirs_sticky.sh"
                                                                      xccdf="pass"
                                                                      script="/home/crosslife/Assessor-CLI/sce/world_writable_dirs_sticky.sh"
                                                                      exit-value="101">
                                                         <out/>
                                                         <err/>
                                                         <env/>
                                                      </command_result>
                                                   </xccdf:check-content>
                                                   <evidence xmlns="http://cisecurity.org/evidence">
                                                      <div class="sce">
                                                         <table class="evidence-sep" width="100%">
                                                            <tbody class="tbe">
                                                               <tr>
                                                                  <td class="bold">Script:</td>
                                                                  <td>sce/world_writable_dirs_sticky.sh</td>
                                                               </tr>
                                                               <tr>
                                                                  <td class="bold">Result:</td>
                                                                  <td class="pass">Pass</td>
                                                               </tr>
                                                               <tr>
                                                                  <td class="bold">Exit Value:</td>
                                                                  <td>101</td>
                                                               </tr>
                                                            </tbody>
                                                         </table>
                                                         <table class="evidence" width="100%">
                                                            <tbody class="tbe">
                                                               <tr>
                                                                  <td>No output lines were collected.</td>
                                                               </tr>
                                                            </tbody>
                                                         </table>
                                                         <table class="evidence" width="100%">
                                                            <tbody class="tbe">
                                                               <tr>
                                                                  <td>No error lines were collected.</td>
                                                               </tr>
                                                            </tbody>
                                                         </table>
                                                      </div>
                                                   </evidence>
                                                </xccdf:check>
                                             </xccdf:complex-check>
                                          </xccdf:rule-result>
                                          

                                          References:

                                            CIS Controls V7.0:

                                            • Control 5: Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers:
                                              CIS Control Information
                                              Control: Establish, implement, and actively manage (track, report on, correct) the security configuration of mobile devices, laptops, servers, and workstations using a rigorous configuration management and change control process in order to prevent attackers from exploiting vulnerable services and settings.
                                              Subcontrol: 5.1
                                              Label: Establish Secure Configurations
                                              Description: Maintain documented, standard security configuration standards for all authorized operating systems and software.

                                            Pass

                                            1.1.23 Disable Automounting

                                            Description:

                                            autofs allows automatic mounting of devices, typically including CD/DVDs and USB drives.

                                            With automounting enabled, anyone with physical access could attach a USB drive or disc and have its contents available on the system even if they lacked the permissions to mount it themselves.

                                            Run one of the following commands:

                                            Run the following command to disable autofs:

                                            # systemctl --now disable autofs

                                            OR run the following command to remove autofs:

                                            # apt purge autofs

                                            Impact:

                                            The use of portable hard drives is very common for workstation users. If your organization allows the use of portable storage or media on workstations, and physical access controls to workstations are considered adequate, there is little added value in turning off automounting.

                                            Assessment Evidence:
                                            Complex Check
                                            OR
                                            Criterion: Ensure systemd 'autofs.service' unit 'UnitFileState' property not equal enabled
                                            Existence Check: At Least One Exists
                                            Item Check: All
                                            Result: Pass
                                            Systemdunitproperty Item
                                            Name      Type    Status  Value
                                            Unit      String  Exists  autofs.service
                                            Property  String  Exists  UnitFileState
                                            Value     String  Exists  No Value
                                            Criterion: Ensure package name equals 'autofs' is not installed
                                            Existence Check: None Exist
                                            Item Check: All
                                            Result: Pass
                                            No matching system items were found.


                                            Rule Result XML:
                                            <xccdf:rule-result xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2"
                                                               xmlns:notes="http://benchmarks.cisecurity.org/notes"
                                                               xmlns:ae="http://benchmarks.cisecurity.org/ae/0.5"
                                                               xmlns:ciscf="https://benchmarks.cisecurity.org/ciscf/1.0"
                                                               xmlns:cc7="http://cisecurity.org/20-cc/v7.0"
                                                               xmlns:cc6="http://cisecurity.org/20-cc/v6.1"
                                                               xmlns:ciscat-checklist="http://checklists.nist.gov/xccdf/1.2"
                                                               xmlns="http://checklists.nist.gov/xccdf/1.2"
                                                               xmlns:xhtml="http://www.w3.org/1999/xhtml"
                                                               xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                                                               xmlns:scap-con="http://scap.nist.gov/schema/scap/constructs/1.2"
                                                               xmlns:arf="http://scap.nist.gov/schema/asset-reporting-format/1.1"
                                                               xmlns:dsc="http://scap.nist.gov/schema/scap/source/1.2"
                                                               xmlns:ai="http://scap.nist.gov/schema/asset-identification/1.1"
                                                               idref="xccdf_org.cisecurity.benchmarks_rule_1.1.23_Disable_Automounting"
                                                               role="full"
                                                               severity="unknown"
                                                               time="2022-04-13T17:15:55.966Z"
                                                               version="1"
                                                               weight="1.0">
                                               <xccdf:result>pass</xccdf:result>
                                               <xccdf:ident cc7:controlURI="http://cisecurity.org/20-cc/v7.0/control/8/subcontrol/4"
                                                            system="http://cisecurity.org/20-cc/v7.0"/>
                                               <xccdf:ident cc7:controlURI="http://cisecurity.org/20-cc/v7.0/control/8/subcontrol/5"
                                                            system="http://cisecurity.org/20-cc/v7.0"/>
                                               <xccdf:complex-check operator="OR" negate="false">
                                                  <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"
                                                               negate="false"
                                                               multi-check="false">
                                                     <xccdf:check-export export-name="oval:org.cisecurity.benchmarks.canonical_ubuntu_linux_20:var:1519231"
                                                                         value-id="xccdf_org.cisecurity.benchmarks_value_1519231_var"/>
                                                     <xccdf:check-content-ref href="#OVAL-Results-1"
                                                                              name="oval:org.cisecurity.benchmarks.canonical_ubuntu_linux_20:def:1519231"/>
                                                     <evidence xmlns="http://cisecurity.org/evidence">
                                                        <div class="definition"
                                                             id="oval:org.cisecurity.benchmarks.canonical_ubuntu_linux_20:def:1519231">
                                                           <div class="criteria">
                                                              <div class="criterion"
                                                                   id="oval:org.cisecurity.benchmarks.canonical_ubuntu_linux_20:tst:1519231"
                                                                   check="all"
                                                                   check_existence="at_least_one_exists">
                                                                 <table class="evidence-sep" width="100%">
                                                                    <tbody class="tbe">
                                                                       <tr>
                                                                          <td class="bold">Criterion:</td>
                                                                          <td>Ensure systemd 'autofs.service' unit 'UnitFileState' property not equal enabled</td>
                                                                       </tr>
                                                                       <tr>
                                                                          <td class="bold">Existence Check:</td>
                                                                          <td>At Least One Exists</td>
                                                                       </tr>
                                                                       <tr>
                                                                          <td class="bold">Item Check:</td>
                                                                          <td>All</td>
                                                                       </tr>
                                                                       <tr>
                                                                          <td class="bold">Result:</td>
                                                                          <td class="pass">Pass</td>
                                                                       </tr>
                                                                    </tbody>
                                                                 </table>
                                                                 <table class="evidence" width="100%">
                                                                    <caption>Systemdunitproperty Item</caption>
                                                                    <thead>
                                                                       <tr>
                                                                          <th scope="col">Name</th>
                                                                          <th scope="col">Type</th>
                                                                          <th scope="col">Status</th>
                                                                          <th scope="col">Value</th>
                                                                       </tr>
                                                                    </thead>
                                                                    <tbody class="tbe">
                                                                       <tr>
                                                                          <td>Unit</td>
                                                                          <td>String</td>
                                                                          <td>Exists</td>
                                                                          <td>autofs.service</td>
                                                                       </tr>
                                                                       <tr>
                                                                          <td>Property</td>
                                                                          <td>String</td>
                                                                          <td>Exists</td>
                                                                          <td>UnitFileState</td>
                                                                       </tr>
                                                                       <tr class="evaluated">
                                                                          <td>Value</td>
                                                                          <td>String</td>
                                                                          <td>Exists</td>
                                                                          <td>No Value</td>
                                                                       </tr>
                                                                    </tbody>
                                                                 </table>
                                                              </div>
                                                           </div>
                                                        </div>
                                                     </evidence>
                                                  </xccdf:check>
                                                  <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"
                                                               negate="false"
                                                               multi-check="false">
                                                     <xccdf:check-content-ref href="#OVAL-Results-1"
                                                                              name="oval:org.cisecurity.benchmarks.canonical_ubuntu_linux_20:def:1519232"/>
                                                     <evidence xmlns="http://cisecurity.org/evidence">
                                                        <div class="definition"
                                                             id="oval:org.cisecurity.benchmarks.canonical_ubuntu_linux_20:def:1519232">
                                                           <div class="criteria">
                                                              <div class="criterion"
                                                                   id="oval:org.cisecurity.benchmarks.canonical_ubuntu_linux_20:tst:1519232"
                                                                   check="all"
                                                                   check_existence="none_exist">
                                                                 <table class="evidence-sep" width="100%">
                                                                    <tbody class="tbe">
                                                                       <tr>
                                                                          <td class="bold">Criterion:</td>
                                                                          <td>Ensure package name equals 'autofs' is not installed</td>
                                                                       </tr>
                                                                       <tr>
                                                                          <td class="bold">Existence Check:</td>
                                                                          <td>None Exist</td>
                                                                       </tr>
                                                                       <tr>
                                                                          <td class="bold">Item Check:</td>
                                                                          <td>All</td>
                                                                       </tr>
                                                                       <tr>
                                                                          <td class="bold">Result:</td>
                                                                          <td class="pass">Pass</td>
                                                                       </tr>
                                                                    </tbody>
                                                                 </table>
                                                                 <table class="evidence" width="100%">
                                                                    <tr>
                                                                       <td>No matching system items were found.</td>
                                                                    </tr>
                                                                 </table>
                                                              </div>
                                                           </div>
                                                        </div>
                                                     </evidence>
                                                  </xccdf:check>
                                               </xccdf:complex-check>
                                            </xccdf:rule-result>
                                            

                                            References:

                                              CIS Controls V7.0:

                                              • Control 8: Malware Defenses:
                                                CIS Control Information
                                                Control: Control the installation, spread, and execution of malicious code at multiple points in the enterprise, while optimizing the use of automation to enable rapid updating of defense, data gathering, and corrective action.
                                                Subcontrol: 8.4
                                                Label: Configure Anti-Malware Scanning of Removable Devices
                                                Description: Configure devices so that they automatically conduct an anti-malware scan of removable media when inserted or connected.
                                              • Control 8: Malware Defenses:
                                                CIS Control Information
                                                Control: Control the installation, spread, and execution of malicious code at multiple points in the enterprise, while optimizing the use of automation to enable rapid updating of defense, data gathering, and corrective action.
                                                Subcontrol: 8.5
                                                Label: Configure Devices Not To Auto-Run Content
                                                Description: Configure devices to not auto-run content from removable media.

                                              Pass

                                              1.1.24 Disable USB Storage

                                              Description:

                                              USB storage provides a means to transfer and store files, ensuring persistence and availability of the files independent of network connection status. Its popularity and utility have led to USB-based malware being a simple and common means of network infiltration and a first step toward establishing a persistent threat within a networked environment.

                                              Note: An alternative solution to disabling the usb-storage module may be found in USBGuard. Use of USBGuard and construction of USB device policies should be done in alignment with site policy.

                                              Restricting USB access on the system will decrease the physical attack surface for a device and diminish the possible vectors to introduce malware.

                                              Edit or create a file in the /etc/modprobe.d/ directory ending in .conf.

                                              Example: vi /etc/modprobe.d/usb_storage.conf and add the following line:

                                              install usb-storage /bin/true

                                              Run the following command to unload the usb-storage module:

                                              rmmod usb-storage

                                              Assessment Evidence:
                                              Complex Check
                                              AND
                                              Criterion: Ensure kernel module usb-storage is not loaded
                                              Existence Check: At Least One Exists
                                              Item Check: None satisfy
                                              Result: Pass
                                              Shellcommand Item
                                              Name            Type    Status  Value
                                              Command         String  Exists  modprobe -n -v usb-storage
                                              Line Selection  String  Exists  .+
                                              Exit Status     Int     Exists  0
                                              Stdout Line     String  Exists  install /bin/true
                                              Criterion: Ensure kernel module usb-storage is not loadable
                                              Existence Check: At Least One Exists
                                              Item Check: At least one
                                              Result: Pass
                                              Shellcommand Item
                                              Name            Type    Status  Value
                                              Command         String  Exists  modprobe -n -v usb-storage
                                              Line Selection  String  Exists  .+
                                              Exit Status     Int     Exists  0
                                              Stdout Line     String  Exists  install /bin/true


                                              Rule Result XML:
                                              <xccdf:rule-result xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2"
                                                                 xmlns:notes="http://benchmarks.cisecurity.org/notes"
                                                                 xmlns:ae="http://benchmarks.cisecurity.org/ae/0.5"
                                                                 xmlns:ciscf="https://benchmarks.cisecurity.org/ciscf/1.0"
                                                                 xmlns:cc7="http://cisecurity.org/20-cc/v7.0"
                                                                 xmlns:cc6="http://cisecurity.org/20-cc/v6.1"
                                                                 xmlns:ciscat-checklist="http://checklists.nist.gov/xccdf/1.2"
                                                                 xmlns="http://checklists.nist.gov/xccdf/1.2"
                                                                 xmlns:xhtml="http://www.w3.org/1999/xhtml"
                                                                 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                                                                 xmlns:scap-con="http://scap.nist.gov/schema/scap/constructs/1.2"
                                                                 xmlns:arf="http://scap.nist.gov/schema/asset-reporting-format/1.1"
                                                                 xmlns:dsc="http://scap.nist.gov/schema/scap/source/1.2"
                                                                 xmlns:ai="http://scap.nist.gov/schema/asset-identification/1.1"
                                                                 idref="xccdf_org.cisecurity.benchmarks_rule_1.1.24_Disable_USB_Storage"
                                                                 role="full"
                                                                 severity="unknown"
                                                                 time="2022-04-13T17:15:55.966Z"
                                                                 version="1"
                                                                 weight="1.0">
                                                 <xccdf:result>pass</xccdf:result>
                                                 <xccdf:ident cc7:controlURI="http://cisecurity.org/20-cc/v7.0/control/8/subcontrol/4"
                                                              system="http://cisecurity.org/20-cc/v7.0"/>
                                                 <xccdf:ident cc7:controlURI="http://cisecurity.org/20-cc/v7.0/control/8/subcontrol/5"
                                                              system="http://cisecurity.org/20-cc/v7.0"/>
                                                 <xccdf:complex-check operator="AND" negate="false">
                                                    <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"
                                                                 negate="false"
                                                                 multi-check="false">
                                                       <xccdf:check-content-ref href="#OVAL-Results-1"
                                                                                name="oval:org.cisecurity.benchmarks.canonical_ubuntu_linux_20:def:1455960"/>
                                                       <evidence xmlns="http://cisecurity.org/evidence">
                                                          <div class="definition"
                                                               id="oval:org.cisecurity.benchmarks.canonical_ubuntu_linux_20:def:1455960">
                                                             <div class="criteria">
                                                                <div class="criterion"
                                                                     id="oval:org.cisecurity.benchmarks.canonical_ubuntu_linux_20:tst:1455960"
                                                                     check="none satisfy"
                                                                     check_existence="at_least_one_exists">
                                                                   <table class="evidence-sep" width="100%">
                                                                      <tbody class="tbe">
                                                                         <tr>
                                                                            <td class="bold">Criterion:</td>
                                                                            <td>Ensure kernel module usb-storage is not loaded</td>
                                                                         </tr>
                                                                         <tr>
                                                                            <td class="bold">Existence Check:</td>
                                                                            <td>At Least One Exists</td>
                                                                         </tr>
                                                                         <tr>
                                                                            <td class="bold">Item Check:</td>
                                                                            <td>None satisfy</td>
                                                                         </tr>
                                                                         <tr>
                                                                            <td class="bold">Result:</td>
                                                                            <td class="pass">Pass</td>
                                                                         </tr>
                                                                      </tbody>
                                                                   </table>
                                                                   <table class="evidence" width="100%">
                                                                      <caption>Shellcommand Item</caption>
                                                                      <thead>
                                                                         <tr>
                                                                            <th scope="col">Name</th>
                                                                            <th scope="col">Type</th>
                                                                            <th scope="col">Status</th>
                                                                            <th scope="col">Value</th>
                                                                         </tr>
                                                                      </thead>
                                                                      <tbody class="tbe">
                                                                         <tr>
                                                                            <td>Command</td>
                                                                            <td>String</td>
                                                                            <td>Exists</td>
                                                                            <td>modprobe -n -v usb-storage</td>
                                                                         </tr>
                                                                         <tr>
                                                                            <td>Line Selection</td>
                                                                            <td>String</td>
                                                                            <td>Exists</td>
                                                                            <td>.+</td>
                                                                         </tr>
                                                                         <tr>
                                                                            <td>Exit Status</td>
                                                                            <td>Int</td>
                                                                            <td>Exists</td>
                                                                            <td>0</td>
                                                                         </tr>
                                                                         <tr class="evaluated">
                                                                            <td>Stdout Line</td>
                                                                            <td>String</td>
                                                                            <td>Exists</td>
                                                                            <td>install /bin/true </td>
                                                                         </tr>
                                                                      </tbody>
                                                                   </table>
                                                                </div>
                                                             </div>
                                                          </div>
                                                       </evidence>
                                                    </xccdf:check>
                                                    <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"
                                                                 negate="false"
                                                                 multi-check="false">
                                                       <xccdf:check-content-ref href="#OVAL-Results-1"
                                                                                name="oval:org.cisecurity.benchmarks.canonical_ubuntu_linux_20:def:1455961"/>
                                                       <evidence xmlns="http://cisecurity.org/evidence">
                                                          <div class="definition"
                                                               id="oval:org.cisecurity.benchmarks.canonical_ubuntu_linux_20:def:1455961">
                                                             <div class="criteria">
                                                                <div class="criterion"
                                                                     id="oval:org.cisecurity.benchmarks.canonical_ubuntu_linux_20:tst:1455961"
                                                                     check="at least one"
                                                                     check_existence="at_least_one_exists">
                                                                   <table class="evidence-sep" width="100%">
                                                                      <tbody class="tbe">
                                                                         <tr>
                                                                            <td class="bold">Criterion:</td>
                                                                            <td>Ensure kernel module usb-storage is not loadable</td>
                                                                         </tr>
                                                                         <tr>
                                                                            <td class="bold">Existence Check:</td>
                                                                            <td>At Least One Exists</td>
                                                                         </tr>
                                                                         <tr>
                                                                            <td class="bold">Item Check:</td>
                                                                            <td>At least one</td>
                                                                         </tr>
                                                                         <tr>
                                                                            <td class="bold">Result:</td>
                                                                            <td class="pass">Pass</td>
                                                                         </tr>
                                                                      </tbody>
                                                                   </table>
                                                                   <table class="evidence" width="100%">
                                                                      <caption>Shellcommand Item</caption>
                                                                      <thead>
                                                                         <tr>
                                                                            <th scope="col">Name</th>
                                                                            <th scope="col">Type</th>
                                                                            <th scope="col">Status</th>
                                                                            <th scope="col">Value</th>
                                                                         </tr>
                                                                      </thead>
                                                                      <tbody class="tbe">
                                                                         <tr>
                                                                            <td>Command</td>
                                                                            <td>String</td>
                                                                            <td>Exists</td>
                                                                            <td>modprobe -n -v usb-storage</td>
                                                                         </tr>
                                                                         <tr>
                                                                            <td>Line Selection</td>
                                                                            <td>String</td>
                                                                            <td>Exists</td>
                                                                            <td>.+</td>
                                                                         </tr>
                                                                         <tr>
                                                                            <td>Exit Status</td>
                                                                            <td>Int</td>
                                                                            <td>Exists</td>
                                                                            <td>0</td>
                                                                         </tr>
                                                                         <tr class="evaluated">
                                                                            <td>Stdout Line</td>
                                                                            <td>String</td>
                                                                            <td>Exists</td>
                                                                            <td>install /bin/true </td>
                                                                         </tr>
                                                                      </tbody>
                                                                   </table>
                                                                </div>
                                                             </div>
                                                          </div>
                                                       </evidence>
                                                    </xccdf:check>
                                                 </xccdf:complex-check>
                                              </xccdf:rule-result>
                                              

                                              References:

                                                CIS Controls V7.0:

                                                  • Control 8: Malware Defenses
                                                    Control: Control the installation, spread, and execution of malicious code at multiple points in the enterprise, while optimizing the use of automation to enable rapid updating of defense, data gathering, and corrective action.
                                                    Subcontrol: 8.4
                                                    Label: Configure Anti-Malware Scanning of Removable Devices
                                                    Description: Configure devices so that they automatically conduct an anti-malware scan of removable media when inserted or connected.
                                                  • Control 8: Malware Defenses
                                                    Control: Control the installation, spread, and execution of malicious code at multiple points in the enterprise, while optimizing the use of automation to enable rapid updating of defense, data gathering, and corrective action.
                                                    Subcontrol: 8.5
                                                    Label: Configure Devices Not To Auto-Run Content
                                                    Description: Configure devices to not auto-run content from removable media.

                                                1.2 Configure Software Updates

                                                 Debian family Linux distributions use apt to install and update software packages. Patch management procedures may vary widely between enterprises. Large enterprises may choose to install a local updates server that can be used in place of their distribution's servers, whereas a single deployment of a system may prefer to get updates directly. Updates can be performed automatically or manually, depending on the site's policy for patch management. Many large enterprises prefer to test patches on a non-production system before rolling out to production.

                                                For the purpose of this benchmark, the requirement is to ensure that a patch management system is configured and maintained. The specifics on patch update procedures are left to the organization.

                                                Manual

                                                1.2.1 Ensure package manager repositories are configured

                                                Description:

                                                Systems need to have package manager repositories configured to ensure they receive the latest patches and updates.

                                                 If a system's package repositories are misconfigured, important patches may not be identified, or a rogue repository could introduce compromised software.

                                                Configure your package manager repositories according to site policy.



                                                Show Rule Result XML
                                                <xccdf:rule-result xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2"
                                                                   xmlns:notes="http://benchmarks.cisecurity.org/notes"
                                                                   xmlns:ae="http://benchmarks.cisecurity.org/ae/0.5"
                                                                   xmlns:ciscf="https://benchmarks.cisecurity.org/ciscf/1.0"
                                                                   xmlns:cc7="http://cisecurity.org/20-cc/v7.0"
                                                                   xmlns:cc6="http://cisecurity.org/20-cc/v6.1"
                                                                   xmlns:ciscat-checklist="http://checklists.nist.gov/xccdf/1.2"
                                                                   xmlns="http://checklists.nist.gov/xccdf/1.2"
                                                                   xmlns:xhtml="http://www.w3.org/1999/xhtml"
                                                                   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                                                                   xmlns:scap-con="http://scap.nist.gov/schema/scap/constructs/1.2"
                                                                   xmlns:arf="http://scap.nist.gov/schema/asset-reporting-format/1.1"
                                                                   xmlns:dsc="http://scap.nist.gov/schema/scap/source/1.2"
                                                                   xmlns:ai="http://scap.nist.gov/schema/asset-identification/1.1"
                                                                   idref="xccdf_org.cisecurity.benchmarks_rule_1.2.1_Ensure_package_manager_repositories_are_configured"
                                                                   role="unscored"
                                                                   severity="unknown"
                                                                   time="2022-04-13T17:15:55.966Z"
                                                                   version="1"
                                                                   weight="0.0">
                                                   <xccdf:result>notchecked</xccdf:result>
                                                   <xccdf:ident cc7:controlURI="http://cisecurity.org/20-cc/v7.0/control/3/subcontrol/4"
                                                                system="http://cisecurity.org/20-cc/v7.0"/>
                                                   <xccdf:ident cc7:controlURI="http://cisecurity.org/20-cc/v7.0/control/3/subcontrol/5"
                                                                system="http://cisecurity.org/20-cc/v7.0"/>
                                                </xccdf:rule-result>
                                                

                                                References:

                                                  CIS Controls V7.0:

                                                   • Control 3: Continuous Vulnerability Management
                                                     Control: Continuously acquire, assess, and take action on new information in order to identify vulnerabilities, remediate, and minimize the window of opportunity for attackers.
                                                     Subcontrol: 3.4
                                                     Label: Deploy Automated Operating System Patch Management Tools
                                                     Description: Deploy automated software update tools in order to ensure that the operating systems are running the most recent security updates provided by the software vendor.
                                                   • Control 3: Continuous Vulnerability Management
                                                     Control: Continuously acquire, assess, and take action on new information in order to identify vulnerabilities, remediate, and minimize the window of opportunity for attackers.
                                                     Subcontrol: 3.5
                                                     Label: Deploy Automated Software Patch Management Tools
                                                     Description: Deploy automated software update tools in order to ensure that third-party software on all systems is running the most recent security updates provided by the software vendor.

                                                  Manual

                                                  1.2.2 Ensure GPG keys are configured

                                                  Description:

                                                   Most package managers implement GPG key signing to verify package integrity during installation.

                                                  It is important to ensure that updates are obtained from a valid source to protect against spoofing that could lead to the inadvertent installation of malware on the system.

                                                  Update your package manager GPG keys in accordance with site policy.



                                                  Show Rule Result XML
                                                  <xccdf:rule-result xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2"
                                                                     xmlns:notes="http://benchmarks.cisecurity.org/notes"
                                                                     xmlns:ae="http://benchmarks.cisecurity.org/ae/0.5"
                                                                     xmlns:ciscf="https://benchmarks.cisecurity.org/ciscf/1.0"
                                                                     xmlns:cc7="http://cisecurity.org/20-cc/v7.0"
                                                                     xmlns:cc6="http://cisecurity.org/20-cc/v6.1"
                                                                     xmlns:ciscat-checklist="http://checklists.nist.gov/xccdf/1.2"
                                                                     xmlns="http://checklists.nist.gov/xccdf/1.2"
                                                                     xmlns:xhtml="http://www.w3.org/1999/xhtml"
                                                                     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                                                                     xmlns:scap-con="http://scap.nist.gov/schema/scap/constructs/1.2"
                                                                     xmlns:arf="http://scap.nist.gov/schema/asset-reporting-format/1.1"
                                                                     xmlns:dsc="http://scap.nist.gov/schema/scap/source/1.2"
                                                                     xmlns:ai="http://scap.nist.gov/schema/asset-identification/1.1"
                                                                     idref="xccdf_org.cisecurity.benchmarks_rule_1.2.2_Ensure_GPG_keys_are_configured"
                                                                     role="unscored"
                                                                     severity="unknown"
                                                                     time="2022-04-13T17:15:55.966Z"
                                                                     version="1"
                                                                     weight="0.0">
                                                     <xccdf:result>notchecked</xccdf:result>
                                                     <xccdf:ident cc7:controlURI="http://cisecurity.org/20-cc/v7.0/control/3/subcontrol/4"
                                                                  system="http://cisecurity.org/20-cc/v7.0"/>
                                                     <xccdf:ident cc7:controlURI="http://cisecurity.org/20-cc/v7.0/control/3/subcontrol/5"
                                                                  system="http://cisecurity.org/20-cc/v7.0"/>
                                                  </xccdf:rule-result>
                                                  

                                                  References:

                                                    CIS Controls V7.0:

                                                     • Control 3: Continuous Vulnerability Management
                                                       Control: Continuously acquire, assess, and take action on new information in order to identify vulnerabilities, remediate, and minimize the window of opportunity for attackers.
                                                       Subcontrol: 3.4
                                                       Label: Deploy Automated Operating System Patch Management Tools
                                                       Description: Deploy automated software update tools in order to ensure that the operating systems are running the most recent security updates provided by the software vendor.
                                                     • Control 3: Continuous Vulnerability Management
                                                       Control: Continuously acquire, assess, and take action on new information in order to identify vulnerabilities, remediate, and minimize the window of opportunity for attackers.
                                                       Subcontrol: 3.5
                                                       Label: Deploy Automated Software Patch Management Tools
                                                       Description: Deploy automated software update tools in order to ensure that third-party software on all systems is running the most recent security updates provided by the software vendor.

                                                    1.3 Filesystem Integrity Checking

                                                    AIDE is a file integrity checking tool, similar in nature to Tripwire. While it cannot prevent intrusions, it can detect unauthorized changes to configuration files by alerting when the files are changed. When setting up AIDE, decide internally what the site policy will be concerning integrity checking. Review the AIDE quick start guide and AIDE documentation before proceeding.

                                                    Pass

                                                    1.3.1 Ensure AIDE is installed

                                                    Description:

                                                     AIDE takes a snapshot of filesystem state, including modification times, permissions, and file hashes, which can then be compared against the current state of the filesystem to detect modifications to the system.

                                                     By monitoring the filesystem state, compromised files can be detected, preventing or limiting the exposure caused by accidental or malicious misconfigurations or modified binaries.

                                                    Install AIDE using the appropriate package manager or manual installation:

                                                    # apt install aide aide-common

                                                    Configure AIDE as appropriate for your environment. Consult the AIDE documentation for options.

                                                    Run the following commands to initialize AIDE:

                                                    # aideinit

                                                    # mv /var/lib/aide/aide.db.new /var/lib/aide/aide.db

                                                     Show Assessment Evidence

                                                     Complex Check: AND

                                                     Criterion: Ensure package name equals 'aide' is installed
                                                     Existence Check: At Least One Exists
                                                     Item Check: All
                                                     Result: Pass

                                                     Dpkginfo Item
                                                       Name      Type        Status   Value
                                                       Name      String      Exists   aide
                                                       Arch      String      Exists   amd64
                                                       Epoch     String      Exists   (none)
                                                       Release   String      Exists   1ubuntu0.1
                                                       Version   String      Exists   0.16.1
                                                       Evr       Evr String  Exists   0:0.16.1-1ubuntu0.1

                                                     Criterion: Ensure package name equals 'aide-common' is installed
                                                     Existence Check: At Least One Exists
                                                     Item Check: All
                                                     Result: Pass

                                                     Dpkginfo Item
                                                       Name      Type        Status   Value
                                                       Name      String      Exists   aide-common
                                                       Arch      String      Exists   all
                                                       Epoch     String      Exists   (none)
                                                       Release   String      Exists   1ubuntu0.1
                                                       Version   String      Exists   0.16.1
                                                       Evr       Evr String  Exists   0:0.16.1-1ubuntu0.1


                                                    Show Rule Result XML
                                                    <xccdf:rule-result xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2"
                                                                       xmlns:notes="http://benchmarks.cisecurity.org/notes"
                                                                       xmlns:ae="http://benchmarks.cisecurity.org/ae/0.5"
                                                                       xmlns:ciscf="https://benchmarks.cisecurity.org/ciscf/1.0"
                                                                       xmlns:cc7="http://cisecurity.org/20-cc/v7.0"
                                                                       xmlns:cc6="http://cisecurity.org/20-cc/v6.1"