mondoo-linux-security.mql.yaml

# Copyright (c) Mondoo, Inc.
# SPDX-License-Identifier: BUSL-1.1

policies:
  - uid: mondoo-linux-security
    name: Linux Security
    version: 2.4.1
    license: BUSL-1.1
    tags:
      mondoo.com/category: security
      mondoo.com/platform: linux
    authors:
      - name: Mondoo, Inc
        email: hello@mondoo.com
    docs:
      desc: |-
        ## Overview

        The Linux Security by Mondoo provides guidance for establishing a secure baseline configuration for Linux systems running on x86 and x64 platforms.

        This policy includes queries to help harden Linux systems by:
          - Identifying problematic services that may be running
          - Identifying loose permissions on sensitive system configuration files
          - Ensuring logging and auditing services are properly configured and running
          - Hardening SSH configurations
          - Ensure users and groups are securely configured
          - Identifying misconfigured Kernel networking configurations

        This policy has been developed for Red Hat (RHEL), Debian, Ubuntu, and SUSE (SLES) derivative distributions running on x86 and x64 architectures.
        Some queries may be skipped depending on your particular distribution, installation type, or underlying infrastructure.
        The overall guidance within this policy broadly assumes that operations are being performed as the root user.
        Operations performed using sudo instead of the root user may produce unexpected results or fail to make the intended changes to the system.
        Non-root users may not be able to access certain areas of the system, especially after remediation has been performed. It is advisable to verify
        root users path integrity and the integrity of any programs being run prior to execution of commands and scripts included in this benchmark.

        ### Intended Audience

        This benchmark is intended for system and application administrators, security specialists, auditors, help desk, and platform deployment personnel
        who plan to develop, deploy, assess, or secure solutions that incorporate Linux on x86 or x64 platforms.

        ## Local scan

        Local scan refer to scans of files and operating systems where cnspec is installed.

        To scan the `localhost` against this policy:

        ```bash
        cnspec scan local
        ```

        ## Remote scan

        Remote scans use cnspec providers to retrieve on-demand scan results without having to install any agents.

        For a complete list of providers run:

        ```bash
        cnspec scan --help
        ```

        ### Prerequisites

        Remote scans of Linux hosts requires authentication such as SSH keys.

        ### Scan a remote Linux host (SSH authentication)

        ```bash
        cnspec scan ssh <user>@<IP_ADDRESS> -i /path/to/ssh_key
        ```

        ## Join the community!

        Our goal is to build policies that are simple to deploy, accurate, and actionable.

        If you have any suggestions for how to improve this policy, or if you need support, [join the community](https://github.com/orgs/mondoohq/discussions) in GitHub Discussions.
    groups:
      - title: Core
        filters: |
          asset.family.contains('linux')
        checks:
          - uid: mondoo-linux-security--window-system-is-not-installed
          - uid: mondoo-linux-security-address-space-layout-randomization-aslr-is-enabled
          - uid: mondoo-linux-security-aide-is-installed
          - uid: mondoo-linux-security-avahi-server-is-not-enabled
          - uid: mondoo-linux-security-bogus-icmp-responses-are-ignored
          - uid: mondoo-linux-security-broadcast-icmp-requests-are-ignored
          - uid: mondoo-linux-security-core-dumps-are-restricted
          - uid: mondoo-linux-security-cups-is-not-enabled
          - uid: mondoo-linux-security-dhcp-server-is-not-enabled
          - uid: mondoo-linux-security-dns-server-is-not-enabled
          - uid: mondoo-linux-security-filesystem-integrity-is-regularly-checked
          - uid: mondoo-linux-security-ftp-server-is-not-enabled
          - uid: mondoo-linux-security-http-proxy-server-is-not-enabled
          - uid: mondoo-linux-security-http-server-is-not-enabled
          - uid: mondoo-linux-security-icmp-redirects-are-not-accepted
          - uid: mondoo-linux-security-imap-and-pop3-server-is-not-enabled
          - uid: mondoo-linux-security-ip-forwarding-is-disabled
          - uid: mondoo-linux-security-ipv6-router-advertisements-are-not-accepted
          - uid: mondoo-linux-security-ldap-server-is-not-enabled
          - uid: mondoo-linux-security-mail-transfer-agent-is-configured-for-local-only-mode
          - uid: mondoo-linux-security-nfs-and-rpc-are-not-enabled
          - uid: mondoo-linux-security-nis-server-is-not-enabled
          - uid: mondoo-linux-security-packet-redirect-sending-is-disabled
          - uid: mondoo-linux-security-permissions-on-etcgroup--are-configured
          - uid: mondoo-linux-security-permissions-on-etcgroup-are-configured
          - uid: mondoo-linux-security-permissions-on-etcgshadow--are-configured
          - uid: mondoo-linux-security-permissions-on-etcgshadow-are-configured
          - uid: mondoo-linux-security-permissions-on-etcpasswd--are-configured
          - uid: mondoo-linux-security-permissions-on-etcpasswd-are-configured
          - uid: mondoo-linux-security-permissions-on-etcshadow--are-configured
          - uid: mondoo-linux-security-permissions-on-etcshadow-are-configured
          - uid: mondoo-linux-security-prelink-is-disabled
          - uid: mondoo-linux-security-reverse-path-filtering-is-enabled
          - uid: mondoo-linux-security-rsh-server-is-not-enabled
          - uid: mondoo-linux-security-rsync-service-is-not-enabled
          - uid: mondoo-linux-security-samba-is-not-enabled
          - uid: mondoo-linux-security-secure-icmp-redirects-are-not-accepted
          - uid: mondoo-linux-security-snmp-server-is-not-enabled
          - uid: mondoo-linux-security-source-routed-packets-are-not-accepted
          - uid: mondoo-linux-security-suspicious-packets-are-logged
          - uid: mondoo-linux-security-talk-server-is-not-enabled
          - uid: mondoo-linux-security-tcp-syn-cookies-is-enabled
          - uid: mondoo-linux-security-telnet-server-is-not-enabled
          - uid: mondoo-linux-security-tftp-server-is-not-enabled
      - title: Configure SSH Server
        filters: |
          asset.family.contains('linux')
          package('openssh-server').installed
        checks:
          - uid: mondoo-linux-security-only-strong-ciphers-are-used
          - uid: mondoo-linux-security-only-strong-kex-algorithms-are-used
          - uid: mondoo-linux-security-only-strong-mac-algorithms-are-used
          - uid: mondoo-linux-security-permissions-on-etcsshsshd-config-are-configured
          - uid: mondoo-linux-security-permissions-on-ssh-private-host-key-files-are-configured
          - uid: mondoo-linux-security-permissions-on-ssh-public-host-key-files-are-configured
          - uid: mondoo-linux-security-ssh-access-is-limited
          - uid: mondoo-linux-security-ssh-hostbasedauthentication-is-disabled
          - uid: mondoo-linux-security-ssh-idle-timeout-interval-is-configured
          - uid: mondoo-linux-security-ssh-ignorerhosts-is-enabled
          - uid: mondoo-linux-security-ssh-logingracetime-is-set-to-one-minute-or-less
          - uid: mondoo-linux-security-ssh-loglevel-is-appropriate
          - uid: mondoo-linux-security-ssh-maxauthtries-is-set-to-4-or-less
          - uid: mondoo-linux-security-ssh-permitemptypasswords-is-disabled
          - uid: mondoo-linux-security-ssh-permituserenvironment-is-disabled
          - uid: mondoo-linux-security-ssh-protocol-is-set-to-2
          - uid: mondoo-linux-security-ssh-root-login-is-disabled
          - uid: mondoo-linux-security-ssh-warning-banner-is-configured
          - uid: mondoo-linux-security-ssh-x11-forwarding-is-disabled
      - title: Logging
        filters: |
          asset.family.contains('linux')
          asset.kind != "container-image"
        checks:
          - uid: mondoo-linux-security-audit-log-storage-size-is-configured
          - uid: mondoo-linux-security-audit-logs-are-not-automatically-deleted
          - uid: mondoo-linux-security-auditd-is-installed
          - uid: mondoo-linux-security-auditd-service-is-enabled
          - uid: mondoo-linux-security-auditing-for-processes-that-start-prior-to-auditd-is-enabled
          - uid: mondoo-linux-security-changes-to-system-administration-scope-sudoers-is-collected
          - uid: mondoo-linux-security-discretionary-access-control-permission-modification-events-are-collected
          - uid: mondoo-linux-security-events-that-modify-date-and-time-information-are-collected
          - uid: mondoo-linux-security-events-that-modify-the-systems-mandatory-access-controls-are-collected
          - uid: mondoo-linux-security-events-that-modify-the-systems-network-environment-are-collected
          - uid: mondoo-linux-security-events-that-modify-usergroup-information-are-collected
          - uid: mondoo-linux-security-file-deletion-events-by-users-are-collected
          - uid: mondoo-linux-security-journald-is-configured-to-compress-large-log-files
          - uid: mondoo-linux-security-journald-is-configured-to-send-logs-to-rsyslog
          - uid: mondoo-linux-security-journald-is-configured-to-write-logfiles-to-persistent-disk
          - uid: mondoo-linux-security-kernel-module-loading-and-unloading-is-collected
          - uid: mondoo-linux-security-login-and-logout-events-are-collected
          - uid: mondoo-linux-security-permissions-on-all-logfiles-are-configured
          - uid: mondoo-linux-security-rsyslog-default-file-permissions-configured
          - uid: mondoo-linux-security-rsyslog-is-installed
          - uid: mondoo-linux-security-rsyslog-service-is-enabled
          - uid: mondoo-linux-security-session-initiation-information-is-collected
          - uid: mondoo-linux-security-successful-file-system-mounts-are-collected
          - uid: mondoo-linux-security-sudo-logging-is-enabled
          - uid: mondoo-linux-security-system-administrator-actions-sudolog-are-collected
          - uid: mondoo-linux-security-system-is-disabled-when-audit-logs-are-full
          - uid: mondoo-linux-security-the-audit-configuration-is-immutable
          - uid: mondoo-linux-security-unsuccessful-unauthorized-file-access-attempts-are-collected
      - title: Users and groups
        filters: |
          asset.family.contains('linux')
        checks:
          - uid: mondoo-linux-security-access-to-the-su-command-is-restricted
          - uid: mondoo-linux-security-default-group-for-the-root-account-is-gid-0
          - uid: mondoo-linux-security-each-user-member-of-a-group
          - uid: mondoo-linux-security-gid-in-passwd-exists-in-group
          - uid: mondoo-linux-security-no-duplicate-gids-exist
          - uid: mondoo-linux-security-no-duplicate-group-names-exist
          - uid: mondoo-linux-security-no-duplicate-uids-exist
          - uid: mondoo-linux-security-no-duplicate-user-names-exist
          - uid: mondoo-linux-security-root-group-is-empty
          - uid: mondoo-linux-security-shadow-group-is-empty
          - uid: mondoo-linux-security-system-accounts-are-non-login
          - uid: mondoo-linux-security-uid-min-is-set-to-1000
    scoring_system: highest impact
queries:
  - uid: mondoo-linux-security-aide-is-installed
    title: Ensure Advanced Intrusion Detection Environment (AIDE) is installed
    impact: 60
    filters: |
      asset.kind != "container-image"
    mql: |
      package("aide").installed
    docs:
      desc: Advanced Intrusion Detection Environment (AIDE) takes a snapshot of the filesystem state, including modification times, permissions, and file hashes. Administrators can then use this to compare against the current state of the filesystem to detect modifications to the system.
      remediation: |-
        Run this command to install `aide` :

        # RHEL/Fedora/Amazon Linux and derivatives
        ```
        yum install aide
        ```

        # Ubuntu
        ```
        apt-get install aide
        ```

        # Debian
        ```
        apt install aide
        ```

        # SLES and openSUSE
        ```
        zypper install aide
        ```

        Configure AIDE as appropriate for your environment. Consult the AIDE documentation for options.

        Initialize AIDE:

        ```
        aide --init

        mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
        ```
  - uid: mondoo-linux-security-filesystem-integrity-is-regularly-checked
    title: Ensure filesystem integrity is regularly checked
    impact: 50
    filters: |
      asset.kind != "container-image"
    mql: |
      file("/etc/default/aide").exists && ["/etc/default/aide"].where(file(_).exists).all(parse.ini(_).params["CRON_DAILY_RUN"] == "yes") ||
      command("crontab -u root -l | grep aide").stdout.lines.where(/^[^#]/).any(_.contains("aide --check")) ||
      command("crontab -u root -l | grep aide").stdout.lines.where(/^[^#]/).any(_.contains("aide.conf --check")) ||
      service('aidecheck').enabled
    docs:
      desc: Periodic checking of the filesystem integrity is needed to detect changes to the filesystem.
      remediation: |-
        _If cron will be used to schedule and run aide check_

        Run this command:

        ```
        crontab -u root -e
        ```

        Add the following line to the crontab:

        ```
        0 5 * * * /usr/sbin/aide --check
        ```

        _OR if aidecheck.service and aidecheck.timer will be used to schedule and run aide check:_

        Create or edit the file `/etc/systemd/system/aidecheck.service` and add the following lines:

        ```
        [Unit]
        Description=Aide Check

        [Service]
        Type=simple
        ExecStart=/usr/sbin/aide --check

        [Install]
        WantedBy=multi-user.target
        ```

        Create or edit the file `/etc/systemd/system/aidecheck.timer` and add the following lines:

        ```
        [Unit]
        Description=Aide check every day at 5AM

        [Timer]
        OnCalendar=*-*-* 05:00:00
        Unit=aidecheck.service

        [Install]
        WantedBy=multi-user.target
        ```

        Run these commands:

        ```
        chown root:root /etc/systemd/system/aidecheck.*
        chmod 0644 /etc/systemd/system/aidecheck.*

        systemctl daemon-reload

        systemctl enable aidecheck.service
        systemctl --now enable aidecheck.timer
        ```
  - uid: mondoo-linux-security-core-dumps-are-restricted
    title: Ensure core dumps are restricted
    filters: |
      asset.kind != "container-image"
      asset.runtime != "docker-container"
    impact: 75
    mql: |
      file("/etc/security/limits.conf").content.lines.where( _ == /^[^#]/ ).where( _.contains("core") ) {
        _ == /\*\s+hard\s+core\s+0/
      }
      kernel.parameters['fs.suid_dumpable'] == 0
      if(service("coredump").enabled || service("coredump").running) {
        parse.ini("/etc/systemd/coredump.conf").sections['Coredump']['ProcessSizeMax'] == 0
        parse.ini("/etc/systemd/coredump.conf").sections['Coredump']['Storage'] == 'none'
      }
    docs:
      desc: A core dump is the memory of an executable program. It is generally used to determine why a program aborted. It can also be used to glean confidential information from a core file. The system provides the ability to set a soft limit for core dumps, but this can be overridden by the user.
      remediation: |-
        Add the following line to `/etc/security/limits.conf` or a `/etc/security/limits.d/\*` file:

        ```
        * hard core 0
        ```

        Set the following parameter in `/etc/sysctl.conf` or a `/etc/sysctl.d/\*` file:

        ```
        fs.suid_dumpable = 0
        ```

        Run this command to set the active kernel parameter:

        ```
        sysctl -w fs.suid_dumpable=0
        ```

        If systemd-coredump is installed:

        edit `/etc/systemd/coredump.conf` and add/modify the following lines:

        ```
        Storage=none
        ProcessSizeMax=0
        ```

        Run the command:

        ```
        systemctl daemon-reload
        ```
  - uid: mondoo-linux-security-address-space-layout-randomization-aslr-is-enabled
    title: Ensure address space layout randomization (ASLR) is enabled
    impact: 90
    filters: |
      asset.kind != "container-image"
      asset.runtime != "docker-container"
    mql: |
      kernel.parameters["kernel.randomize_va_space"] == 2
    docs:
      desc: Address space layout randomization (ASLR) is an exploit mitigation technique which randomly arranges the address space of key data areas of a process.
      remediation: |-
        Set the following parameter in `/etc/sysctl.conf` or a `/etc/sysctl.d/\*` file:

        ```
        kernel.randomize_va_space = 2
        ```

        Run this command to set the active kernel parameter:

        ```
        sysctl -w kernel.randomize_va_space=2
        ```
  - uid: mondoo-linux-security-prelink-is-disabled
    title: Ensure prelink is disabled
    impact: 70
    mql: |
      package("prelink").installed == false
    docs:
      desc: The `prelink` command changes binaries in an attempt to decrease their startup time. Prelinking can interfere with the operation of AIDE, because it changes binaries. Prelinking can also increase the vulnerability of the system if a malicious user is able to compromise a common library such as libc.
      remediation: |-
        Run these commands to restore binaries to normal and uninstall `prelink`:

        ### RHEL/Fedora/Amazon Linux and derivatives
        ```
        prelink -ua

        yum remove prelink
        ```

        ### Ubuntu/Debian
        ```
        prelink -ua

        apt-get purge prelink
        ```
  - uid: mondoo-linux-security--window-system-is-not-installed
    title: Ensure X Window System is not installed
    impact: 100
    mql: |
      packages.none(name == /^xserver-xorg.*/ || name == /^xorg-x11/ || name == /^xserver/)
    docs:
      desc: The X Window System provides a Graphical User Interface (GUI) where users can have multiple windows to run programs and various add-ons. The X Windows system is typically used on workstations where users login, but not on servers where users typically do not login.
      remediation: |-
        Run this command to remove the X Windows System packages:

        ### RHEL/Fedora/Amazon Linux and derivatives
        ```
        yum remove xorg-x11*
        ```

        ### Debian/Ubuntu and derivatives
        ```
        apt-get purge xserver-xorg
        ```
  - uid: mondoo-linux-security-avahi-server-is-not-enabled
    title: Ensure Avahi server is stopped and not enabled
    impact: 100
    filters: |
      asset.kind != "container-image"
    mql: |
      service("avahi-daemon").enabled == false
      service("avahi-daemon").running == false
    docs:
      desc: Avahi is a free zeroconf implementation, including a system for multicast DNS/DNS-SD service discovery. Avahi allows programs to publish and discover services and hosts running on a local network with no specific configuration. For example, a user can plug a computer into a network and Avahi automatically finds printers to print to, files to look at and people to talk to, as well as network services running on the machine.
      remediation: |-
        Run this command to stop and disable `avahi-daemon` :

        ```
        systemctl stop avahi-daemon
        systemctl disable avahi-daemon
        ```

        Note: Since the `avahi-daemon` service is often interdependent with other services, it might not be enough to disable the service because other services will likely restart the service automatically.
        To make the service `avahi-daemon` invisible to other services run this command :

        `systemctl mask avahi-daemon`
  - uid: mondoo-linux-security-cups-is-not-enabled
    title: Ensure CUPS is stopped and not enabled
    impact: 100
    filters: |
      asset.kind != "container-image"
    mql: |
      service("cups").enabled == false
      service("cups").running == false
    docs:
      desc: The Common Unix Print System (CUPS) provides the ability to print to both local and network printers. A system running CUPS can also accept print jobs from remote systems and print them to local printers. It also provides a web based remote administration capability.
      remediation: |-
        Run this command to stop and disable `cups` :

        ```
        systemctl stop cups
        systemctl disable cups
        ```

        Note: Since the `cups` service is often interdependent with other services, it might not be enough to disable the service because other services such as `cups-browsed` will likely restart the service automatically.
        To make the service `cups` invisible to other services run this command :

        `systemctl mask cups`

        **Impact:**

        Disabling CUPS will prevent printing from the system, a common task for workstation systems.
  - uid: mondoo-linux-security-dhcp-server-is-not-enabled
    title: Ensure DHCP server is stopped and not enabled
    impact: 100
    filters: |
      asset.kind != "container-image"
    mql: |
      service("dhcpd").enabled == false
      service("dhcpd").running == false
    docs:
      desc: The Dynamic Host Configuration Protocol (DHCP) is a service that allows machines to be dynamically assigned IP addresses.
      remediation: |-
        Run this command to stop and disable `dhcpd` :

        ```
        systemctl stop dhcpd
        systemctl disable dhcpd
        ```
  - uid: mondoo-linux-security-ldap-server-is-not-enabled
    title: Ensure LDAP server is stopped and not enabled
    impact: 100
    filters: |
      asset.kind != "container-image"
    mql: |
      service("slapd").enabled == false
      service("slapd").running == false
    docs:
      desc: The Lightweight Directory Access Protocol (LDAP) was introduced as a replacement for NIS/YP. It is a service that provides a method for looking up information from a central database.
      remediation: |-
        Run this command to stop and disable `slapd` :

        ```
        systemctl stop slapd
        systemctl disable slapd
        ```
  - uid: mondoo-linux-security-nfs-and-rpc-are-not-enabled
    title: Ensure NFS and RPC are stopped and not enabled
    impact: 60
    filters: |
      asset.kind != "container-image"
    mql: |
      service("nfs").enabled == false
      service("nfs").running == false
      service("rpcbind").enabled == false
      service("rpcbind").running == false
    docs:
      desc: The Network File System (NFS) is one of the first and most widely distributed file systems in the UNIX environment. It provides the ability for systems to mount file systems of other servers through the network.
      remediation: |-
        Run these commands to stop and disable `nfs`, `nfs-server`, and `rpcbind`:

        ```
        systemctl stop nfs
        systemctl stop rpcbind

        systemctl disable nfs
        systemctl disable rpcbind
        ```
  - uid: mondoo-linux-security-dns-server-is-not-enabled
    title: Ensure DNS server is stopped and not enabled
    impact: 60
    filters: |
      asset.kind != "container-image"
    mql: |
      service("named").enabled == false
      service("named").running == false
    docs:
      desc: The Domain Name System (DNS) is a hierarchical naming system that maps names to IP addresses for computers, services and other resources connected to a network.
      remediation: |-
        Run this command to stop and disable `named` :

        ```
        systemctl stop named
        systemctl disable named
        ```
  - uid: mondoo-linux-security-ftp-server-is-not-enabled
    title: Ensure FTP server is stopped and not enabled
    impact: 60
    filters: |
      asset.kind != "container-image"
    mql: |
      service("vsftpd").enabled == false
      service("vsftpd").running == false
    docs:
      desc: The File Transfer Protocol (FTP) provides networked computers with the ability to transfer files.
      remediation: |-
        Run this command to stop and disable `vsftpd` :

        ```
        systemctl stop vsftpd
        systemctl disable vsftpd
        ```
  - uid: mondoo-linux-security-http-server-is-not-enabled
    title: Ensure HTTP servers are stopped and not enabled
    impact: 60
    filters: |
      asset.kind != "container-image"
    mql: |
      service("httpd").enabled == false
      service("httpd").running == false
      service("apache2").enabled == false
      service("apache2").running == false
      service("nginx").enabled == false
      service("nginx").running == false
    docs:
      desc: HTTP or web servers provide the ability to host web site content.
      remediation: |-
        Run these commands to stop and disable web servers:

        ```
        systemctl stop httpd
        systemctl disable httpd

        systemctl stop apache2
        systemctl disable apache2

        systemctl stop nginx
        systemctl disable nginx
        ```
  - uid: mondoo-linux-security-imap-and-pop3-server-is-not-enabled
    title: Ensure IMAP and POP3 server is stopped and not enabled
    impact: 100
    filters: |
      asset.kind != "container-image"
    mql: |
      service("dovecot").enabled == false
      service("dovecot").running == false
    docs:
      desc: '`dovecot` is an open source IMAP and POP3 server for Linux based systems.'
      remediation: |-
        Run this command to stop and disable `dovecot` :

        ```
        systemctl stop dovecot
        systemctl disable dovecot
        ```
  - uid: mondoo-linux-security-samba-is-not-enabled
    title: Ensure Samba is stopped and not enabled
    impact: 100
    filters: |
      asset.kind != "container-image"
    mql: |
      service("smb").enabled == false
      service("smbd").enabled == false
      service("smb").running == false
      service("smbd").running == false
    docs:
      desc: The Samba daemon allows system administrators to configure their Linux systems to share file systems and directories with Windows desktops. Samba will advertise the file systems and directories via the Small Message Block (SMB) protocol. Windows desktop users can mount these directories and file systems as letter drives on their systems.
      remediation: |-
        Run this command to stop and disable `smb` and `smbd` services :

        ```
        systemctl stop smb
        systemctl stop smbd
        systemctl disable smb
        systemctl disable smbd
        ```
  - uid: mondoo-linux-security-http-proxy-server-is-not-enabled
    title: Ensure HTTP Proxy server is stopped and not enabled
    impact: 60
    filters: |
      asset.kind != "container-image"
    mql: |
      service("squid").enabled == false
      service("squid").running == false
      service("tinyproxy").enabled == false
      service("tinyproxy").running == false
    docs:
      desc: Squid and Tinyproxy are HTTP proxy servers used to proxy and potentially anonymize HTTP traffic through other hosts.
      remediation: |-
        Run this command to stop and disable `squid` and `tinyproxy`:

        ```
        systemctl stop squid
        systemctl stop tinyproxy

        systemctl disable squid
        systemctl disable tinyproxy
        ```
  - uid: mondoo-linux-security-snmp-server-is-not-enabled
    title: Ensure SNMP server is stopped and not enabled
    impact: 100
    filters: |
      asset.kind != "container-image"
    mql: |
      service("snmpd").enabled == false
      service("snmpd").running == false
    docs:
      desc: The Simple Network Management Protocol (SNMP) server is used to listen for SNMP commands from an SNMP management system, execute the commands or collect the information and then send results back to the requesting system.
      remediation: |-
        Run this command to stop and disable `snmpd`:

        ```
        systemctl stop snmpd
        systemctl disable snmpd
        ```
  - uid: mondoo-linux-security-mail-transfer-agent-is-configured-for-local-only-mode
    title: Ensure mail transfer agent is configured for local-only mode
    impact: 85
    filters: |
      asset.kind != "container-image"
    mql: |
      if( package("postfix").installed && service('postfix').running ) {
        parse.ini("/etc/postfix/main.cf").params["inet_interfaces"] == "localhost" || parse.ini("/etc/postfix/main.cf").params["inet_interfaces"] == "loopback-only"
      }
      if( package("exim4").installed && service('exim4').running ) {
        parse.ini("/etc/exim4/update-exim4.conf.conf").params["dc_local_interfaces"] == "'127.0.0.1 ; ::1'"
      }
      ports.listening.where(address != "127.0.0.1" && address != "::1").none(port == 25)
    docs:
      desc: Mail Transfer Agents (MTA), such as Sendmail and Postfix, listen for incoming mail and transfer the messages to the appropriate user or mail server. If the system is not intended to be a mail server, it is recommended that the MTA be configured to only process local mail.
      remediation: |-
        Edit `/etc/postfix/main.cf` and add the following line to the RECEIVING MAIL section. If the line already exists, change it to look like the line below:

        ```
        inet_interfaces = loopback-only
        ```

        Restart postfix:

        ```
        systemctl restart postfix
        ```
  - uid: mondoo-linux-security-nis-server-is-not-enabled
    title: Ensure NIS server is stopped and not enabled
    impact: 75
    filters: |
      asset.kind != "container-image"
    mql: |
      service("ypserv").enabled == false
      service("ypserv").running == false
    docs:
      desc: The Network Information Service (NIS) (formally known as Yellow Pages) is a client-server directory service protocol for distributing system configuration files. The NIS server is a collection of programs that allow for the distribution of configuration files.
      remediation: |-
        Run this command to stop and disable `ypserv` :

        ```
        systemctl stop ypserv
        systemctl disable ypserv
        ```
  - uid: mondoo-linux-security-rsh-server-is-not-enabled
    title: Ensure rsh server is stopped and not enabled
    impact: 75
    filters: |
      asset.kind != "container-image"
    mql: |
      service("rsh.socket").enabled == false
      service("rlogin.socket").enabled == false
      service("rexec.socket").enabled == false
      service("rsh.socket").running == false
      service("rlogin.socket").running == false
      service("rexec.socket").running == false
    docs:
      desc: The Berkeley `rsh-server` ( `rsh`, `rlogin`, `rexec` ) package contains legacy services that exchange credentials in clear-text.
      remediation: |-
        Run these commands to stop and disable `rsh`, `rlogin`, and `rexec` :

        ```
        systemctl stop rsh.socket
        systemctl stop rlogin.socket
        systemctl stop rexec.socket

        systemctl disable rsh.socket
        systemctl disable rlogin.socket
        systemctl disable rexec.socket
        ```
  - uid: mondoo-linux-security-telnet-server-is-not-enabled
    title: Ensure telnet server is stopped and not enabled
    impact: 90
    filters: |
      asset.kind != "container-image"
    mql: |
      service("telnet.socket").enabled == false
      service("telnet.socket").running == false
    docs:
      desc: The `telnet-server` package contains the `telnet` daemon, which accepts connections from users from other systems via the `telnet` protocol.
      remediation: |-
        Run this command to stop and disable telnet:

        ```
        systemctl stop telnet.socket
        systemctl disable telnet.socket
        ```
  - uid: mondoo-linux-security-tftp-server-is-not-enabled
    title: Ensure tftp server is stopped and not enabled
    impact: 100
    filters: |
      asset.kind != "container-image"
    mql: |
      service("tftp.socket").enabled == false
      service("tftp.socket").running == false
    docs:
      desc: Trivial File Transfer Protocol (TFTP) is a simple file transfer protocol, typically used to automatically transfer configuration or boot machines from a boot server. The package `tftp-server` is used to define and support a TFTP server.
      remediation: |-
        Run this command to stop and disable tftp:

        ```
        systemctl stop tftp.socket
        systemctl disable tftp.socket
        ```
  - uid: mondoo-linux-security-rsync-service-is-not-enabled
    title: Ensure rsync service is stopped and not enabled
    impact: 100
    filters: |
      asset.kind != "container-image"
    mql: |
      service("rsyncd").enabled == false
      service("rsyncd").running == false
    docs:
      desc: The `rsyncd` service can be used to synchronize files between systems over network links.
      remediation: |-
        Run this command to stop and disable `rsync` :

        ```
        systemctl stop rsyncd
        systemctl disable rsyncd
        ```
  - uid: mondoo-linux-security-talk-server-is-not-enabled
    title: Ensure talk server is stopped and not enabled
    impact: 100
    filters: |
      asset.kind != "container-image"
    mql: |
      service("ntalk").enabled == false
      service("ntalk").running == false
    docs:
      desc: The talk software allows users to send and receive messages across systems through a terminal session. The talk client (allows initiate of talk sessions) is installed by default.
      remediation: |-
        Run this command to stop and disable talk:

        ```
        systemctl stop ntalk
        systemctl disable ntalk
        ```
  - uid: mondoo-linux-security-ip-forwarding-is-disabled
    title: Ensure IP forwarding is disabled
    impact: 75
    filters: |
      asset.kind != "container-image"
      asset.runtime != "docker-container"
    mql: |
      kernel.parameters['net.ipv4.ip_forward'] == 0
        || kernel.parameters['net.ipv4.ip_forward'] == null
      kernel.parameters['net.ipv6.conf.all.forwarding'] == 0
        || kernel.parameters['net.ipv6.conf.all.forwarding'] == null
    docs:
      desc: The `net.ipv4.ip_forward` and `net.ipv6.conf.all.forwarding` flags are used to tell the system whether it can forward packets or not.
      remediation: |-
        Set the following parameter in `/etc/sysctl.conf` or a `/etc/sysctl.d/\*` file:

        ```
        net.ipv4.ip_forward = 0

        net.ipv6.conf.all.forwarding = 0
        ```

        Run these commands to set the active kernel parameters:

        ```
        sysctl -w net.ipv4.ip_forward=0

        sysctl -w net.ipv6.conf.all.forwarding=0

        sysctl -w net.ipv4.route.flush=1

        sysctl -w net.ipv6.route.flush=1
        ```
  - uid: mondoo-linux-security-packet-redirect-sending-is-disabled
    title: Ensure packet redirect sending is disabled
    impact: 75
    filters: |
      asset.kind != "container-image"
      asset.runtime != "docker-container"
    mql: |
      kernel.parameters['net.ipv4.conf.all.send_redirects'] == 0
        || kernel.parameters['net.ipv4.conf.all.send_redirects'] == null
      kernel.parameters['net.ipv4.conf.default.send_redirects'] == 0
        || kernel.parameters['net.ipv4.conf.default.send_redirects'] == null
    docs:
      desc: ICMP Redirects are used to send routing information to other hosts. As a host itself does not act as a router (in a host-only configuration), there is no need to send redirects.
      remediation: |-
        Set the following parameters in `/etc/sysctl.conf` or a `/etc/sysctl.d/\*` file:

        ```
        net.ipv4.conf.all.send_redirects = 0

        net.ipv4.conf.default.send_redirects = 0
        ```

        Run these commands to set the active kernel parameters:

        ```
        sysctl -w net.ipv4.conf.all.send_redirects=0

        sysctl -w net.ipv4.conf.default.send_redirects=0

        sysctl -w net.ipv4.route.flush=1
        ```
  - uid: mondoo-linux-security-source-routed-packets-are-not-accepted
    title: Ensure source routed packets are not accepted
    impact: 75
    filters: |
      asset.kind != "container-image"
      asset.runtime != "docker-container"
    mql: |
      kernel.parameters['net.ipv4.conf.all.accept_source_route'] == 0
        || kernel.parameters['net.ipv4.conf.all.accept_source_route'] == null
      kernel.parameters['net.ipv4.conf.default.accept_source_route'] == 0
        || kernel.parameters['net.ipv4.conf.default.accept_source_route'] == null
      kernel.parameters['net.ipv6.conf.all.accept_source_route'] == 0
        || kernel.parameters['net.ipv6.conf.all.accept_source_route'] == null
      kernel.parameters['net.ipv6.conf.default.accept_source_route'] == 0
        || kernel.parameters['net.ipv6.conf.default.accept_source_route'] == null
    docs:
      desc: In networking, source routing allows a sender to partially or fully specify the route packets take through a network. In contrast, non-source routed packets travel a path determined by routers in the network. In some cases, systems may not be routable or reachable from some locations (e.g. private addresses vs. Internet routable), and so source routed packets would need to be used.
      remediation: |-
        Set the following parameters in `/etc/sysctl.conf` or a `/etc/sysctl.d/\*` file:

        ```
        net.ipv4.conf.all.accept_source_route = 0

        net.ipv4.conf.default.accept_source_route = 0

        net.ipv6.conf.all.accept_source_route = 0

        net.ipv6.conf.default.accept_source_route = 0
        ```

        Run these commands to set the active kernel parameters:

        ```
        sysctl -w net.ipv4.conf.all.accept_source_route=0

        sysctl -w net.ipv4.conf.default.accept_source_route=0

        sysctl -w net.ipv6.conf.all.accept_source_route=0

        sysctl -w net.ipv6.conf.default.accept_source_route=0

        sysctl -w net.ipv4.route.flush=1

        sysctl -w net.ipv6.route.flush=1
        ```
  - uid: mondoo-linux-security-icmp-redirects-are-not-accepted
    title: Ensure ICMP redirects are not accepted
    impact: 75
    filters: |
      asset.kind != "container-image"
      asset.runtime != "docker-container"
    mql: |
      kernel.parameters['net.ipv4.conf.all.accept_redirects'] == 0
        || kernel.parameters['net.ipv4.conf.all.accept_redirects'] == null
      kernel.parameters['net.ipv4.conf.default.accept_redirects'] == 0
        || kernel.parameters['net.ipv4.conf.default.accept_redirects'] == null
      kernel.parameters['net.ipv6.conf.all.accept_redirects'] == 0
        || kernel.parameters['net.ipv6.conf.all.accept_redirects'] == null
      kernel.parameters['net.ipv6.conf.default.accept_redirects'] == 0
        || kernel.parameters['net.ipv6.conf.default.accept_redirects'] == null
    docs:
      desc: ICMP redirect messages are packets that convey routing information and tell your host (acting as a router) to send packets via an alternate path. It is a way of allowing an outside routing device to update your system routing tables. By setting `net.ipv4.conf.all.accept_redirects` and `net.ipv6.conf.all.accept_redirects` to 0, the system will not accept any ICMP redirect messages, and therefore, won't allow outsiders to update the system's routing tables.
      remediation: |-
        Set the following parameters in `/etc/sysctl.conf` or a `/etc/sysctl.d/\*` file:

        ```
        net.ipv4.conf.all.accept_redirects = 0

        net.ipv4.conf.default.accept_redirects = 0

        net.ipv6.conf.all.accept_redirects = 0

        net.ipv6.conf.default.accept_redirects = 0
        ```

        Run these commands to set the active kernel parameters:

        ```
        sysctl -w net.ipv4.conf.all.accept_redirects=0

        sysctl -w net.ipv4.conf.default.accept_redirects=0

        sysctl -w net.ipv6.conf.all.accept_redirects=0

        sysctl -w net.ipv6.conf.default.accept_redirects=0

        sysctl -w net.ipv4.route.flush=1

        sysctl -w net.ipv6.route.flush=1
        ```
  - uid: mondoo-linux-security-secure-icmp-redirects-are-not-accepted
    title: Ensure secure ICMP redirects are not accepted
    impact: 75
    filters: |
      asset.kind != "container-image"
      asset.runtime != "docker-container"
    mql: |
      kernel.parameters['net.ipv4.conf.all.secure_redirects'] == 0
        || kernel.parameters['net.ipv4.conf.all.secure_redirects'] == null
      kernel.parameters['net.ipv4.conf.default.secure_redirects'] == 0
        || kernel.parameters['net.ipv4.conf.default.secure_redirects'] == null
    docs:
      desc: Secure ICMP redirects are the same as ICMP redirects, except they come from gateways listed on the default gateway list. It is assumed that these gateways are known to your system and are likely to be secure.
      remediation: |-
        Set the following parameters in `/etc/sysctl.conf` or a `/etc/sysctl.d/\*` file:

        ```
        net.ipv4.conf.all.secure_redirects = 0

        net.ipv4.conf.default.secure_redirects = 0
        ```

        Run these commands to set the active kernel parameters:

        ```
        sysctl -w net.ipv4.conf.all.secure_redirects=0

        sysctl -w net.ipv4.conf.default.secure_redirects=0

        sysctl -w net.ipv4.route.flush=1
        ```
  - uid: mondoo-linux-security-suspicious-packets-are-logged
    title: Ensure suspicious packets are logged
    impact: 60
    filters: |
      asset.kind != "container-image"
      asset.runtime != "docker-container"
    mql: |
      kernel.parameters['net.ipv4.conf.all.log_martians'] == 1
      kernel.parameters['net.ipv4.conf.default.log_martians'] == 1
    docs:
      desc: When enabled, this feature logs packets with un-routable source addresses to the kernel log.
      remediation: |-
        Set the following parameters in `/etc/sysctl.conf` or a `/etc/sysctl.d/\*` or in /etc/ufw/sysctl.conf file:

        ```
        net.ipv4.conf.all.log_martians = 1

        net.ipv4.conf.default.log_martians = 1
        ```
        Hint: If you're using Ubuntu's UFW, please check the for the above configuration in the file /etc/ufw/sysctl.conf in addition, because these settings will overwrite the kernel parameters on UFW startup.

        Run these commands to set the active kernel parameters:

        ```
        sysctl -w net.ipv4.conf.all.log_martians=1

        sysctl -w net.ipv4.conf.default.log_martians=1

        sysctl -w net.ipv4.route.flush=1
        ```
  - uid: mondoo-linux-security-broadcast-icmp-requests-are-ignored
    title: Ensure broadcast ICMP requests are ignored
    impact: 60
    filters: |
      asset.kind != "container-image"
      asset.runtime != "docker-container"
    mql: |
      kernel.parameters['net.ipv4.icmp_echo_ignore_broadcasts'] == 1
    docs:
      desc: Setting `net.ipv4.icmp_echo_ignore_broadcasts` to 1 will cause the system to ignore all ICMP echo and timestamp requests to broadcast and multicast addresses.
      remediation: |-
        Set the following parameters in `/etc/sysctl.conf` or a `/etc/sysctl.d/\*` file:

        ```
        net.ipv4.icmp_echo_ignore_broadcasts = 1
        ```

        Run these commands to set the active kernel parameters:

        ```
        sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1

        sysctl -w net.ipv4.route.flush=1
        ```
  - uid: mondoo-linux-security-bogus-icmp-responses-are-ignored
    title: Ensure bogus ICMP responses are ignored
    impact: 75
    filters: |
      asset.kind != "container-image"
      asset.runtime != "docker-container"
    mql: |
      kernel.parameters['net.ipv4.icmp_ignore_bogus_error_responses'] == 1
    docs:
      desc: Setting `icmp_ignore_bogus_error_responses` to 1 prevents the kernel from logging bogus responses (RFC-1122 non-compliant) from broadcast reframes, keeping file systems from filling up with useless log messages.
      remediation: |-
        Set the following parameter in `/etc/sysctl.conf` or a `/etc/sysctl.d/\*` file:

        ```
        net.ipv4.icmp_ignore_bogus_error_responses = 1
        ```

        Run these commands to set the active kernel parameters:

        ```
        sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1

        sysctl -w net.ipv4.route.flush=1
        ```
  - uid: mondoo-linux-security-reverse-path-filtering-is-enabled
    title: Ensure Reverse Path Filtering is enabled
    impact: 75
    filters: |
      asset.kind != "container-image"
      asset.runtime != "docker-container"
    mql: |
      kernel.parameters['net.ipv4.conf.all.rp_filter'] == 1
      kernel.parameters['net.ipv4.conf.default.rp_filter'] == 1
    docs:
      desc: Setting `net.ipv4.conf.all.rp_filter`and `net.ipv4.conf.default.rp_filter` to 1 forces the Linux kernel to utilize reverse path filtering on a received packet to determine if the packet was valid. Essentially, with reverse path filtering, if the return packet does not go out the same interface that the corresponding source packet came from, the packet is dropped (and logged if `log_martians` is set).
      remediation: |-
        Set the following parameters in `/etc/sysctl.conf` or a `/etc/sysctl.d/\*` file:

        ```
        net.ipv4.conf.all.rp_filter = 1

        net.ipv4.conf.default.rp_filter = 1
        ```

        Run these commands to set the active kernel parameters:

        ```
        sysctl -w net.ipv4.conf.all.rp_filter=1

        sysctl -w net.ipv4.conf.default.rp_filter=1

        sysctl -w net.ipv4.route.flush=1
        ```
  - uid: mondoo-linux-security-tcp-syn-cookies-is-enabled
    title: Ensure TCP SYN Cookies is enabled
    impact: 75
    filters: |
      asset.kind != "container-image"
      asset.runtime != "docker-container"
    mql: |
      kernel.parameters['net.ipv4.tcp_syncookies'] == 1
    docs:
      desc: When `tcp_syncookies` is set, the kernel will handle TCP SYN packets normally until the half-open connection queue is full, at which time, the SYN cookie functionality kicks in. SYN cookies work by not using the SYN queue at all. Instead, the kernel simply replies to the SYN with a SYN\|ACK, but will include a specially crafted TCP sequence number that encodes the source and destination IP address and port number and the time the packet was sent. A legitimate connection would send the ACK packet of the three way handshake with the specially crafted sequence number. This allows the system to verify that it has received a valid response to a SYN cookie and allow the connection, even though there is no corresponding SYN in the queue.
      remediation: |-
        Set the following parameters in `/etc/sysctl.conf` or a `/etc/sysctl.d/\*` file:

        ```
        net.ipv4.tcp_syncookies = 1
        ```

        Run these commands to set the active kernel parameters:

        ```
        sysctl -w net.ipv4.tcp_syncookies=1

        sysctl -w net.ipv4.route.flush=1
        ```
  - uid: mondoo-linux-security-ipv6-router-advertisements-are-not-accepted
    title: Ensure IPv6 router advertisements are not accepted
    impact: 75
    filters: |
      asset.kind != "container-image"
      asset.runtime != "docker-container"
    mql: |
      kernel.parameters['net.ipv6.conf.all.accept_ra'] == 0
        || kernel.parameters['net.ipv6.conf.all.accept_ra'] == null
      kernel.parameters['net.ipv6.conf.default.accept_ra'] == 0
        || kernel.parameters['net.ipv6.conf.default.accept_ra'] == null
    docs:
      desc: This setting disables the system's ability to accept IPv6 router advertisements.
      remediation: |-
        Set the following parameters in `/etc/sysctl.conf` or a `/etc/sysctl.d/\*` file:

        ```
        net.ipv6.conf.all.accept_ra = 0

        net.ipv6.conf.default.accept_ra = 0
        ```

        Run these commands to set the active kernel parameters:

        ```
        sysctl -w net.ipv6.conf.all.accept_ra=0

        sysctl -w net.ipv6.conf.default.accept_ra=0

        sysctl -w net.ipv6.route.flush=1
        ```
  - uid: mondoo-linux-security-auditd-is-installed
    title: Ensure auditd is installed
    impact: 50
    mql: |
      package("auditd").installed && package("audispd-plugins").installed
      || package("audit").installed || package("audit-libs").installed
    docs:
      desc: auditd is the user space component to the Linux Auditing System. It's responsible for writing audit records to the disk
      remediation: |-
        Run this command to install auditd with dnf

        ```
        dnf install audit audit-libs
        ```

        Run this command to install auditd with apt

        ```
        apt install auditd audispd-plugins
        ```
  - uid: mondoo-linux-security-auditd-service-is-enabled
    title: Ensure auditd service is enabled
    impact: 50
    mql: |
      service("auditd").enabled
    docs:
      desc: |-
        Turn on the `auditd`
        daemon to record system events.
      remediation: |-
        Run this command to enable `auditd`
        :

        ```
        systemctl --now enable auditd
        ```
  - uid: mondoo-linux-security-auditing-for-processes-that-start-prior-to-auditd-is-enabled
    title: Ensure auditing for processes that start prior to auditd is enabled
    impact: 50
    mql: |
      switch {
        case file("/boot/grub2/grubenv").exists:
          file("/boot/grub2/grubenv").content.lines.where( _ == /^[^#]/ )
            .any(_ == /audit(\s+)?\=(\s+)?1/);
        case file("/boot/grub2/grub.cfg").exists:
          file("/boot/grub2/grub.cfg").content.lines.where( _ == /^[^#]/ )
            .any(_ == /audit(\s+)?\=(\s+)?1/);
        case file("/boot/grub/grub.cfg").exists:
          file("/boot/grub/grub.cfg").content.lines.where( _ == /^[^#]/ )
            .any(_ == /audit(\s+)?\=(\s+)?1/);
        case file("/boot/grub/grub.conf").exists:
          file("/boot/grub/grub.conf").content.lines.where( _ == /^[^#]/ )
            .any(_ == /audit(\s+)?\=(\s+)?1/);
        case file("/etc/secboot/config.json").exists:
          parse.json('/etc/secboot/config.json')
            .params['kernel-params'] == /audit(\s+)?\=(\s+)?1/;
        default: false
      }
    docs:
      desc: |-
        Configure `grub2`
        so that processes that are capable of being audited can be audited even if they start up prior to `auditd`
        startup.
      remediation: |-
        Edit `/etc/default/grub` and add `audit=1`
        to `GRUB_CMDLINE_LINUX`:

        ```
        GRUB_CMDLINE_LINUX="audit=1"
        ```

        Run this command to update the `grub2`
        configuration:

        ### RHEL/Fedora/Amazon Linux and derivatives
        ```
        sudo grub2-mkconfig -o /boot/grub2/grub.cfg
        ```
        **Note:**
        The path looks different for UEFI systems.

        ### Debian/Ubuntu and derivatives
        ```
        sudo update-grub
        ```
  - uid: mondoo-linux-security-audit-log-storage-size-is-configured
    title: Ensure audit log storage size is configured
    impact: 40
    mql: |
      file("/etc/audit/auditd.conf").exists;
      ["/etc/audit/auditd.conf"].where(file(_).exists) {
        parse.ini(_).params["max_log_file"] > 0
      }
    docs:
      desc: Configure the maximum size of the audit log file. Once the log reaches the maximum size, it will be rotated and a new log file will be started.
      remediation: |-
        Set the following parameter in `/etc/audit/auditd.conf`
        in accordance with site policy:

        ```
        max_log_file = <MB>
        ```
  - uid: mondoo-linux-security-audit-logs-are-not-automatically-deleted
    title: Ensure audit logs are not automatically deleted
    impact: 40
    mql: |
      file("/etc/audit/auditd.conf").exists;
      ["/etc/audit/auditd.conf"].where(file(_).exists) {
        parse.ini(_).params["max_log_file_action"].downcase == "keep_logs"
      }
    docs:
      desc: |-
        The `max_log_file_action`
        setting determines how to handle the audit log file reaching the max file size. A value of `keep_logs`
        will rotate the logs but never delete old logs.
      remediation: |-
        Set the following parameter in `/etc/audit/auditd.conf:`

        ```
        max_log_file_action = keep_logs
        ```
  - uid: mondoo-linux-security-system-is-disabled-when-audit-logs-are-full
    title: Ensure system is disabled when audit logs are full
    impact: 40
    filters: |
      asset.kind != "container-image"
    mql: |
      file("/etc/audit/auditd.conf").exists;
      ["/etc/audit/auditd.conf"].where(file(_).exists) {
        parse.ini(_) {
          params["space_left_action"].downcase == /email|exec|single|halt/
          params["action_mail_acct"].downcase == "root"
          params["admin_space_left_action"].downcase == /halt|single/
        }
      }
    docs:
      desc: |-
        The `auditd`
        daemon can be configured to halt the system when the audit logs are full.
      remediation: |-
        Set the following parameters in `/etc/audit/auditd.conf:`

        ```
        space_left_action = email

        action_mail_acct = root

        admin_space_left_action = halt
        ```
  - uid: mondoo-linux-security-changes-to-system-administration-scope-sudoers-is-collected
    title: Ensure changes to system administration scope (sudoers) is collected
    impact: 50
    props:
      - uid: mondooLinuxSecurityAuditFiles
        title: Return the content from all /etc/audit/rules.d and /etc/audit/audit.rules
        mql: |
          mondooLinuxSecurityAuditFiles = files.find(from: "/etc/audit/rules.d",regex:'.*\.rules$' , type: "file").list.map(path) + ["/etc/audit/audit.rules"]
          return mondooLinuxSecurityAuditFiles.map(file(_).content.lines.where( _ == /^[^#]/ ))
    mql: |
      props.mondooLinuxSecurityAuditFiles.any(_.contains(/^(\s+)?\-w\s+\/etc\/sudoers\.d(\/?)\s+\-p\s+wa\s+\-k\s+scope(\s+)?$/))
      props.mondooLinuxSecurityAuditFiles.any(_.contains(/^(\s+)?\-w\s+\/etc\/sudoers(\/?)\s+\-p\s+wa\s+\-k\s+scope(\s+)?$/))
    docs:
      desc: |-
        Monitor scope changes for system administrators. If the system has been properly configured to force system administrators to log in as themselves first and then use the `sudo`
        command to execute privileged commands, it is possible to monitor changes in scope. The file `/etc/sudoers`
        will be written to when the file or its attributes have changed. The audit records will be tagged with the identifier "scope."
      remediation: |-
        Edit or create a file in the `/etc/audit/rules.d/`
        directory ending in `.rules`

        Example: `vi /etc/audit/rules.d/50-scope.rules`

        Add the following lines:

        ```
        -w /etc/sudoers -p wa -k scope

        -w /etc/sudoers.d -p wa -k scope
        ```

        To load the newly added rules into the running configuration:

        ```
        augenrules --load
        ```
        This command will generate a new `/etc/audit/audit.rules` file containing the newly added rules.

        Check if a reboot is required, in case the running configuration is set to be immutable:

        ```
        if [[ $(auditctl -s | grep "enabled") =~ "2" ]]; then printf "Reboot required to load rules\n"; fi
        ```
  - uid: mondoo-linux-security-login-and-logout-events-are-collected
    title: Ensure login and logout events are collected
    impact: 50
    props:
      - uid: mondooLinuxSecurityAuditFiles
        title: Return the content from all /etc/audit/rules.d and /etc/audit/audit.rules
        mql: |
          mondooLinuxSecurityAuditFiles = files.find(from: "/etc/audit/rules.d",regex:'.*\.rules$' , type: "file").list.map(path) + ["/etc/audit/audit.rules"]
          return mondooLinuxSecurityAuditFiles.map(file(_).content.lines.where( _ == /^[^#]/ ))
    mql: |
      props.mondooLinuxSecurityAuditFiles.any(_.contains(/^(\s+)?\-w\s+\/var\/run\/faillock\s+\-p\s+wa\s+\-k\s+logins(\s+)?$/))
      props.mondooLinuxSecurityAuditFiles.any(_.contains(/^(\s+)?\-w\s+\/var\/log\/lastlog\s+\-p\s+wa\s+\-k\s+logins(\s+)?$/))
    docs:
      desc: |-
        Monitor login and logout events. The parameters below track changes to files associated with login/logout events.

        - The file `/var/log/lastlog` maintain records of the last time a user successfully logged in.
        - The `/var/run/faillog/` directory maintains records of login failures via the `pam_faillog` module.
      remediation: |-
        Edit or create a file in the `/etc/audit/rules.d/` directory ending in `.rules`

        Example: `vi /etc/audit/rules.d/50-logins.rules`

        Add the following lines:

        ```
        -w /var/log/lastlog -p wa -k logins

        -w /var/log/tallylog -p wa -k logins
        ```

        ### Add the following additional line for Debian/Ubuntu based systems:

        ```
        -w /var/log/faillog -p wa -k logins
        ```

        ### Add the following additional line for Red Hat/Fedora/Amazon Linux based systems:

        ```
        -w /var/run/faillock -p wa -k logins
        ```

        To load the newly added rules into the running configuration:

        ```
        augenrules --load
        ```
        This command will generate a new `/etc/audit/audit.rules` file containing the newly added rules.


        Check if a reboot is required, in case the running configuration is set to be immutable:

        ```
        if [[ $(auditctl -s | grep "enabled") =~ "2" ]]; then printf "Reboot required to load rules\n"; fi
        ```
  - uid: mondoo-linux-security-session-initiation-information-is-collected
    title: Ensure session initiation information is collected
    impact: 50
    props:
      - uid: mondooLinuxSecurityAuditFiles
        title: Return the content from all /etc/audit/rules.d and /etc/audit/audit.rules
        mql: |
          mondooLinuxSecurityAuditFiles = files.find(from: "/etc/audit/rules.d",regex:'.*\.rules$' , type: "file").list.map(path) + ["/etc/audit/audit.rules"]
          return mondooLinuxSecurityAuditFiles.map(file(_).content.lines.where( _ == /^[^#]/ ))
    mql: |
      props.mondooLinuxSecurityAuditFiles.any(_.contains(/^(\s+)?\-w\s+\/var\/run\/utmp\s+\-p\s+wa\s+\-k\s+session(\s+)?$/))
      props.mondooLinuxSecurityAuditFiles.any(_.contains(/^(\s+)?\-w\s+\/var\/log\/wtmp\s+\-p\s+wa\s+\-k\s+(logins|session)(\s+)?$/))
      props.mondooLinuxSecurityAuditFiles.any(_.contains(/^(\s+)?\-w\s+\/var\/log\/btmp\s+\-p\s+wa\s+\-k\s+(logins|session)(\s+)?$/))
    docs:
      desc: |-
        Monitor session initiation events. The parameters in this section track changes to the files associated with session events.
        The file `/var/run/utmp` tracks all currently logged in users. All audit records will be tagged with the identifier "session."
        The `/var/log/wtmp` file tracks logins, logouts, shutdown, and reboot events. The file `/var/log/btmp` keeps track of failed
        login attempts and can be read by entering the command `/usr/bin/last -f /var/log/btmp`. All audit records will be tagged with
        the identifier "logins."
      remediation: |-
        Edit or create a file in the `/etc/audit/rules.d/`
        directory ending in `.rules`

        Example: `vi /etc/audit/rules.d/50-session.rules`

        Add the following lines:

        ```
        -w /var/run/utmp -p wa -k session

        -w /var/log/wtmp -p wa -k logins

        -w /var/log/btmp -p wa -k logins
        ```

        To load the newly added rules into the running configuration:

        ```
        augenrules --load
        ```
        This command will generate a new `/etc/audit/audit.rules` file containing the newly added rules.


        Check if a reboot is required, in case the running configuration is set to be immutable:

        ```
        if [[ $(auditctl -s | grep "enabled") =~ "2" ]]; then printf "Reboot required to load rules\n"; fi
        ```
  - uid: mondoo-linux-security-events-that-modify-date-and-time-information-are-collected
    title: Ensure events that modify date and time information are collected
    impact: 50
    props:
      - uid: mondooLinuxSecurityAuditFiles
        title: Return the content from all /etc/audit/rules.d and /etc/audit/audit.rules
        mql: |
          mondooLinuxSecurityAuditFiles = files.find(from: "/etc/audit/rules.d",regex:'.*\.rules$' , type: "file").list.map(path) + ["/etc/audit/audit.rules"]
          return mondooLinuxSecurityAuditFiles.map(file(_).content.lines.where( _ == /^[^#]/ ))
    mql: |
      props.mondooLinuxSecurityAuditFiles.any(_.contains(/^(\s+)?\-a\s+always\,exit\s+\-F\s+arch\=b64\s+\-S\s+adjtimex(\s+\-S\s+|,)settimeofday(\s+\-S\s+|,)?(clock_settime)?\s+\-k\s+time-change(\s+)?$/))
      props.mondooLinuxSecurityAuditFiles.any(_.contains(/^(\s+)?\-a\s+always\,exit\s+\-F\s+arch\=b32\s+\-S\s+adjtimex(\s+\-S\s+|,)settimeofday(\s+\-S\s+|,)?(clock_settime)?(stime)?\s+\-k\s+time-change(\s+)?$/))
      props.mondooLinuxSecurityAuditFiles.any(_.contains(/^(\s+)?\-a\s+always\,exit\s+\-F\s+arch\=b64\s+\-S\s+clock\_settime\s+\-k\s+time-change(\s+)?$/))
      props.mondooLinuxSecurityAuditFiles.any(_.contains(/^(\s+)?\-a\s+always\,exit\s+\-F\s+arch\=b32\s+\-S\s+clock\_settime\s+\-k\s+time-change(\s+)?$/))
      props.mondooLinuxSecurityAuditFiles.any(_.contains(/^(\s+)?\-w\s+\/etc\/localtime\s+\-p\s+wa\s+\-k\s+time-change(\s+)?$/))
    docs:
      desc: |-
        Capture events where the system date and/or time has been modified. The parameters in this section are set to determine if the `adjtimex`
        (tune kernel clock), `settimeofday`
        (Set time, using timeval and timezone structures) `stime`
        (using seconds since 1/1/1970) or `clock_settime`
        (allows for the setting of several internal clocks and timers) system calls have been executed and always write an audit record to the `/var/log/audit.log`
        file upon exit, tagging the records with the identifier "time-change"
      remediation: |-
        For 32-bit systems edit or create a file in the `/etc/audit/rules.d/`
        directory ending in `.rules`_

        Example: `vi /etc/audit/rules.d/50-time_change.rules`

        Add the following lines:

        ```
        -a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change

        -a always,exit -F arch=b32 -S clock_settime -k time-change

        -w /etc/localtime -p wa -k time-change
        ```

        For 64-bit systems edit or create a file in the `/etc/audit/rules.d/`
        directory ending in `.rules`

        Example: `vi /etc/audit/rules.d/50-time_change.rules`

        Add the following lines:

        ```
        -a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change

        -a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change

        -a always,exit -F arch=b64 -S clock_settime -k time-change

        -a always,exit -F arch=b32 -S clock_settime -k time-change

        -w /etc/localtime -p wa -k time-change
        ```

        To load the newly added rules into the running configuration:

        ```
        augenrules --load
        ```
        This command will generate a new `/etc/audit/audit.rules` file containing the newly added rules.


        Check if a reboot is required, in case the running configuration is set to be immutable:

        ```
        if [[ $(auditctl -s | grep "enabled") =~ "2" ]]; then printf "Reboot required to load rules\n"; fi
        ```
  - uid: mondoo-linux-security-events-that-modify-the-systems-mandatory-access-controls-are-collected
    title: Ensure events that modify the system's Mandatory Access Controls are collected
    impact: 50
    props:
      - uid: mondooLinuxSecurityAuditFiles
        title: Return the content from all /etc/audit/rules.d and /etc/audit/audit.rules
        mql: |
          mondooLinuxSecurityAuditFiles = files.find(from: "/etc/audit/rules.d",regex:'.*\.rules$' , type: "file").list.map(path) + ["/etc/audit/audit.rules"]
          return mondooLinuxSecurityAuditFiles.map(file(_).content.lines.where( _ == /^[^#]/ ))
    mql: |
      appArmorSys = props.mondooLinuxSecurityAuditFiles.any(_.contains(/^(\s+)?\-w\s+\/etc\/apparmor(\/?)\s+\-p\s+wa\s+\-k\s+MAC-policy(\s+)?$/))
        && props.mondooLinuxSecurityAuditFiles.any(_.contains(/^(\s+)?\-w\s+\/etc\/apparmor.d(\/?)\s+\-p\s+wa\s+\-k\s+MAC-policy(\s+)?$/))
      seLinuxSys = props.mondooLinuxSecurityAuditFiles.any(_.contains(/^(\s+)?\-w\s+\/etc\/selinux(\/?)\s+\-p\s+wa\s+\-k\s+MAC-policy(\s+)?$/))
       && props.mondooLinuxSecurityAuditFiles.any(_.contains(/^(\s+)?\-w\s+\/usr\/share\/selinux(\/?)\s+\-p\s+wa\s+\-k\s+MAC-policy(\s+)?$/))
      appArmorSys || seLinuxSys
    docs:
      desc: |-
        Monitor SELinux/AppArmor mandatory access controls. The parameters below monitor any write access (potential additional,
        deletion or modification of files in the directory) or attribute changes to the /etc/selinux or /etc/apparmor and /etc/apparmor.d directories.
      remediation: |-
        Edit or create a file in the `/etc/audit/rules.d/`
        directory ending in `.rules`

        Example: `vi /etc/audit/rules.d/50-MAC_policy.rules`

        Add the following lines, for SELinux:

        ```
        -w /etc/selinux/ -p wa -k MAC-policy

        -w /usr/share/selinux/ -p wa -k MAC-policy
        ```

        Add the following lines, for AppArmor:

        ```
        -w /etc/apparmor/ -p wa -k MAC-policy

        -w /etc/apparmor.d/ -p wa -k MAC-policy
        ```

        To load the newly added rules into the running configuration:

        ```
        augenrules --load
        ```
        This command will generate a new `/etc/audit/audit.rules` file containing the newly added rules.


        Check if a reboot is required, in case the running configuration is set to be immutable:

        ```
        if [[ $(auditctl -s | grep "enabled") =~ "2" ]]; then printf "Reboot required to load rules\n"; fi
        ```
  - uid: mondoo-linux-security-events-that-modify-the-systems-network-environment-are-collected
    title: Ensure events that modify the system's network environment are collected
    impact: 50
    props:
      - uid: mondooLinuxSecurityAuditFiles
        title: Return the content from all /etc/audit/rules.d and /etc/audit/audit.rules
        mql: |
          mondooLinuxSecurityAuditFiles = files.find(from: "/etc/audit/rules.d",regex:'.*\.rules$' , type: "file").list.map(path) + ["/etc/audit/audit.rules"]
          return mondooLinuxSecurityAuditFiles.map(file(_).content.lines.where( _ == /^[^#]/ ))
    mql: |
      props.mondooLinuxSecurityAuditFiles.any(_.contains(/^(\s+)?\-a\s+always\,exit\s+\-F\s+arch\=b64\s+\-S\s+sethostname\s+\-S\s+setdomainname\s+\-k\s+system-locale(\s+)?$/)) || props.mondooLinuxSecurityAuditFiles.any(_.contains(/^(\s+)?\-a\s+always\,exit\s+\-F\s+arch\=b32\s+\-S\s+sethostname\s+\-S\s+setdomainname\s+\-k\s+system-locale(\s+)?$/))
      props.mondooLinuxSecurityAuditFiles.any(_.contains(/^(\s+)?\-w\s+\/etc\/issue\s+\-p\s+wa\s+\-k\s+system-locale(\s+)?$/))
      props.mondooLinuxSecurityAuditFiles.any(_.contains(/^(\s+)?\-w\s+\/etc\/issue.net\s+\-p\s+wa\s+\-k\s+system-locale(\s+)?$/))
      props.mondooLinuxSecurityAuditFiles.any(_.contains(/^(\s+)?\-w\s+\/etc\/hosts\s+\-p\s+wa\s+\-k\s+system-locale(\s+)?$/))
      props.mondooLinuxSecurityAuditFiles.any(_.contains(/^(\s+)?\-w\s+\/etc\/sysconfig\/network\s+\-p\s+wa\s+\-k\s+system-locale(\s+)?$/))
    docs:
      desc: |-
        Record changes to network environment files or system calls. The below parameters monitor the sethostname (set the systems host name)
        or setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. The other parameters monitor the `/etc/issue`
        and `/etc/issue.net` files (messages displayed pre-login), `/etc/hosts` (file containing host names and associated IP addresses) and `/etc/sysconfig/network`
        (directory containing network interface scripts and configurations) files.
      remediation: |-
        For 32-bit systems edit or create a file in the `/etc/audit/rules.d/` directory ending in `.rules`

        Example: `vi /etc/audit/rules.d/50-system_local.rules`

        Add the following lines:

        ```
        -a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale

        -w /etc/issue -p wa -k system-locale

        -w /etc/issue.net -p wa -k system-locale

        -w /etc/hosts -p wa -k system-locale
        ```

        Add the following line on Red Hat based systems:

        ```
        -w /etc/sysconfig/network -p wa -k system-locale
        ```

        Add the following line for Debian/Ubuntu based systems:

        ```
        -w /etc/network -p wa -k system-locale
        ```

        For 64-bit systems edit or create a file in the `/etc/audit/rules.d/`
        directory ending in `.rules`

        Example: `vi /etc/audit/rules.d/50-system_local.rules`

        Add the following lines:

        ```
        -a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale
        -a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale

        -w /etc/issue -p wa -k system-locale

        -w /etc/issue.net -p wa -k system-locale

        -w /etc/hosts -p wa -k system-locale
        ```

        Add the following line for Red Hat based systems:

        ```
        -w /etc/sysconfig/network -p wa -k system-locale
        ```

        Add the following line for Debian/Ubuntu based systems:

        ```
        -w /etc/network -p wa -k system-locale
        ```

        To load the newly added rules into the running configuration:

        ```
        augenrules --load
        ```
        This command will generate a new `/etc/audit/audit.rules` file containing the newly added rules.


        Check if a reboot is required, in case the running configuration is set to be immutable:

        ```
        if [[ $(auditctl -s | grep "enabled") =~ "2" ]]; then printf "Reboot required to load rules\n"; fi
        ```
  - uid: mondoo-linux-security-discretionary-access-control-permission-modification-events-are-collected
    title: Ensure discretionary access control permission modification events are collected
    impact: 50
    props:
      - uid: mondooLinuxSecurityAuditFiles
        title: Return the content from all /etc/audit/rules.d and /etc/audit/audit.rules
        mql: |
          mondooLinuxSecurityAuditFiles = files.find(from: "/etc/audit/rules.d",regex:'.*\.rules$' , type: "file").list.map(path) + ["/etc/audit/audit.rules"]
          return mondooLinuxSecurityAuditFiles.map(file(_).content.lines.where( _ == /^[^#]/ ))
    mql: |
      props.mondooLinuxSecurityAuditFiles.any(_.contains(/^(\s+)?\-a\s+always\,exit\s+\-F\s+arch\=b64\s+\-S\s+chmod(\s+\-S\s+|,)fchmod(\s+\-S\s+|,)fchmodat\s+\-F\s+auid\>\=1000\s+\-F\s+auid\!\=(4294967295|unset|-1)\s+\-F\s+\-k\s+perm\_mod(\s+)?$/))
      props.mondooLinuxSecurityAuditFiles.any(_.contains(/^(\s+)?\-a\s+always\,exit\s+\-F\s+arch\=b64\s+\-S\s+chown(\s+\-S\s+|,)fchown(\s+\-S\s+|,)lchown(\s+\-S\s+|,)fchownat\s+\-F\s+auid\>\=1000\s+\-F\s+auid\!\=(4294967295|unset|-1)\s+\-F\s+\-k\s+perm\_mod(\s+)?$/))
      props.mondooLinuxSecurityAuditFiles.any(_.contains(/^(\s+)?\-a\s+always\,exit\s+\-F\s+arch\=b32\s+\-S\s+chmod(\s+\-S\s+|,)fchmod(\s+\-S\s+|,)fchmodat\s+\-F+\s+auid\>\=1000\s+\-F\s+auid\!=(4294967295|unset|-1)\s+\-F\s+\-k\s+perm_mod$/))
      props.mondooLinuxSecurityAuditFiles.any(_.contains(/^(\s+)?\-a\s+always\,exit\s+\-F\s+arch\=b32\s+\-S\s+lchown(\s+\-S\s+|,)fchown(\s+\-S\s+|,)chown(\s+\-S\s+|,)fchownat\s+\-F\s+auid\>\=1000\s+\-F\s+auid\!\=(4294967295|unset|-1)\s+\-F\s+\-k\s+perm\_mod(\s+)?$/))
      props.mondooLinuxSecurityAuditFiles.any(_.contains(/^(\s+)?\-a\s+always\,exit\s+\-F\s+arch\=b64\s+\-S\s+setxattr(\s+\-S\s+|,)lsetxattr(\s+\-S\s+|,)fsetxattr(\s+\-S\s+|,)removexattr(\s+\-S\s+|,)lremovexattr(\s+\-S\s+|,)fremovexattr\s+\-F\s+auid\>\=1000\s+\-F\s+auid\!\=(4294967295|unset|-1)\s+\-F\s+\-k\s+perm\_mod(\s+)?$/))
      props.mondooLinuxSecurityAuditFiles.any(_.contains(/^(\s+)?\-a\s+always\,exit\s+\-F\s+arch\=b32\s+\-S\s+setxattr(\s+\-S\s+|,)lsetxattr(\s+\-S\s+|,)fsetxattr(\s+\-S\s+|,)removexattr(\s+\-S\s+|,)lremovexattr(\s+\-S\s+|,)fremovexattr\s+\-F\s+auid\>\=1000\s+\-F\s+auid\!\=(4294967295|unset|-1)\s+\-F\s+\-k\s+perm\_mod(\s+)?$/))
    docs:
      desc: |-
        Monitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes.
        The `chmod`, `fchmod` and `fchmodat` system calls affect the permissions associated with a file. The `chown`, `fchown`, `fchownat` and `lchown`
        system calls affect owner and group attributes on a file. The `setxattr`, `lsetxattr`, `fsetxattr` (set extended file attributes) and `removexattr`,
        `lremovexattr`, `fremovexattr` (remove extended file attributes) control extended file attributes. In all cases, an audit record will only be written
        for non-system user ids (auid >= 1000) and will ignore Daemon events (auid = 4294967295). All audit records will be tagged with the identifier "perm_mod."

        **Note:**
        Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run this command:

        ```
        awk '/^\s*UID_MIN/{print $2}' /etc/login.defs
        ```

        If your systems' UID_MIN is not `1000`, replace `audit>=1000` with `audit>=<UID_MIN for your system>` in the Audit and Remediation procedures.
      remediation: |-
        For 32-bit systems edit or create a file in the `/etc/audit/rules.d/`
        directory ending in `.rules`

        Example: `vi /etc/audit/rules.d/50-perm_mod.rules`

        Add the following lines:

        ```
        -a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod

        -a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod

        -a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
        ```

        For 64-bit systems edit or create a file in the `/etc/audit/rules.d/` directory ending in `.rules`

        Example: `vi /etc/audit/rules.d/50-perm_mod.rules`

        Add the following lines:

        ```
        -a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod

        -a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod

        -a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod

        -a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod

        -a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod

        -a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
        ```

        To load the newly added rules into the running configuration:

        ```
        augenrules --load
        ```
        This command will generate a new `/etc/audit/audit.rules` file containing the newly added rules.


        Check if a reboot is required, in case the running configuration is set to be immutable:

        ```
        if [[ $(auditctl -s | grep "enabled") =~ "2" ]]; then printf "Reboot required to load rules\n"; fi
        ```
  - uid: mondoo-linux-security-unsuccessful-unauthorized-file-access-attempts-are-collected
    title: Ensure unsuccessful unauthorized file access attempts are collected
    impact: 50
    props:
      - uid: mondooLinuxSecurityAuditFiles
        title: Return the content from all /etc/audit/rules.d and /etc/audit/audit.rules
        mql: |
          mondooLinuxSecurityAuditFiles = files.find(from: "/etc/audit/rules.d",regex:'.*\.rules$' , type: "file").list.map(path) + ["/etc/audit/audit.rules"]
          return mondooLinuxSecurityAuditFiles.map(file(_).content.lines.where( _ == /^[^#]/ ))
    mql: |
      props.mondooLinuxSecurityAuditFiles.any(_.contains(/^(\s+)?\-a\s+always\,exit\s+\-F\s+arch\=b64\s+\-S\s+creat\s+\-S\s+open\s+\-S\s+openat\s+\-S\s+truncate\s+\-S\s+ftruncate\s+\-F\s+exit\=\-EACCES\s+\-F\s+auid\>\=1000\s+\-F\s+auid\!\=(4294967295|unset|-1)\s+\-k\s+access(\s+)?$/)) || props.mondooLinuxSecurityAuditFiles.any(_.contains(/^(\s+)?\-a\s+always\,exit\s+\-F\s+arch\=b32\s+\-S\s+creat\s+\-S\s+open\s+\-S\s+openat\s+\-S\s+truncate\s+\-S\s+ftruncate\s+\-F\s+exit\=\-EACCES\s+\-F\s+auid\>\=1000\s+\-F\s+auid\!\=(4294967295|unset|-1)\s+\-k\s+access(\s+)?$/))
      props.mondooLinuxSecurityAuditFiles.any(_.contains(/^(\s+)?\-a\s+always\,exit\s+\-F\s+arch\=b64\s+\-S\s+creat\s+\-S\s+open\s+\-S\s+openat\s+\-S\s+truncate\s+\-S\s+ftruncate\s+\-F\s+exit\=\-EPERM\s+\-F\s+auid\>\=1000\s+\-F\s+auid\!\=(4294967295|unset|-1)\s+\-k\s+access(\s+)?$/)) || props.mondooLinuxSecurityAuditFiles.any(_.contains(/^(\s+)?\-a\s+always\,exit\s+\-F\s+arch\=b32\s+\-S\s+creat\s+\-S\s+open\s+\-S\s+openat\s+\-S\s+truncate\s+\-S\s+ftruncate\s+\-F\s+exit\=\-EPERM\s+\-F\s+auid\>\=1000\s+\-F\s+auid\!\=(4294967295|unset|-1)\s+\-k\s+access(\s+)?$/))
    docs:
      desc: |-
        Monitor for unsuccessful attempts to access files. The parameters below are associated with system calls that control creation ( `creat` ), opening ( `open`, `openat` ) and
        truncation ( `truncate`, `ftruncate` ) of files. An audit log record will only be written if the user is a non-privileged user (auid > = 1000), is not a Daemon event
        (auid=4294967295) and if the system call returned EACCES (permission denied to the file) or EPERM (some other permanent error associated with the specific system call).
        All audit records will be tagged with the identifier "access."

        **Note:**
        Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run this command:

        ```
        awk '/^\s*UID_MIN/{print $2}' /etc/login.defs
        ```

        If your systems' UID_MIN is not `1000`, replace `audit>=1000` with `audit>=<UID_MIN for your system>` in the Audit and Remediation procedures.
      remediation: |-
        For 32-bit systems edit or create a file in the `/etc/audit/rules.d/`
        directory ending in `.rules`

        Example: `vi /etc/audit/rules.d/50-access.rules`

        Add the following lines:

        ```
        -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access

        -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access
        ```

        For 64-bit systems edit or create a file in the `/etc/audit/rules.d/`
        directory ending in `.rules`

        Example: `vi /etc/audit/rules.d/50-access.rules`

        Add the following lines:

        ```
        -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access

        -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access

        -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access

        -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access
        ```

        To load the newly added rules into the running configuration:

        ```
        augenrules --load
        ```
        This command will generate a new `/etc/audit/audit.rules` file containing the newly added rules.


        Check if a reboot is required, in case the running configuration is set to be immutable:

        ```
        if [[ $(auditctl -s | grep "enabled") =~ "2" ]]; then printf "Reboot required to load rules\n"; fi
        ```
  - uid: mondoo-linux-security-events-that-modify-usergroup-information-are-collected
    title: Ensure events that modify user/group information are collected
    impact: 50
    props:
      - uid: mondooLinuxSecurityAuditFiles
        title: Return the content from all /etc/audit/rules.d and /etc/audit/audit.rules
        mql: |
          mondooLinuxSecurityAuditFiles = files.find(from: "/etc/audit/rules.d",regex:'.*\.rules$' , type: "file").list.map(path) + ["/etc/audit/audit.rules"]
          return mondooLinuxSecurityAuditFiles.map(file(_).content.lines.where( _ == /^[^#]/ ))
    mql: |
      props.mondooLinuxSecurityAuditFiles.any(_.contains(/^(\s+)?\-w\s+\/etc\/group\s+\-p\s+wa\s+\-k\s+identity(\s+)?$/))
      props.mondooLinuxSecurityAuditFiles.any(_.contains(/^(\s+)?\-w\s+\/etc\/passwd\s+\-p\s+wa\s+\-k\s+identity(\s+)?$/))
      props.mondooLinuxSecurityAuditFiles.any(_.contains(/^(\s+)?\-w\s+\/etc\/gshadow\s+\-p\s+wa\s+\-k\s+identity(\s+)?$/))
      props.mondooLinuxSecurityAuditFiles.any(_.contains(/^(\s+)?\-w\s+\/etc\/shadow\s+\-p\s+wa\s+\-k\s+identity(\s+)?$/))
      props.mondooLinuxSecurityAuditFiles.any(_.contains(/^(\s+)?\-w\s+\/etc\/security\/opasswd\s+\-p\s+wa\s+\-k\s+identity(\s+)?$/))
    docs:
      desc: |-
        Record events affecting the `group`, `passwd` (user IDs), `shadow` and `gshadow` (passwords) or `/etc/security/opasswd`
        (old passwords, based on remember parameter in the PAM configuration) files. The parameters in this section will watch
        the files to see if they have been opened for write or have had attribute changes (e.g. permissions) and tag them with the identifier "identity" in the audit log file.
      remediation: |-
        Edit or create a file in the `/etc/audit/rules.d/` directory ending in `.rules`

        Example: `vi /etc/audit/rules.d/50-identity.rules`

        Add the following lines:

        ```
        -w /etc/group -p wa -k identity

        -w /etc/passwd -p wa -k identity

        -w /etc/gshadow -p wa -k identity

        -w /etc/shadow -p wa -k identity

        -w /etc/security/opasswd -p wa -k identity
        ```

        To load the newly added rules into the running configuration:

        ```
        augenrules --load
        ```
        This command will generate a new `/etc/audit/audit.rules` file containing the newly added rules.


        Check if a reboot is required, in case the running configuration is set to be immutable:

        ```
        if [[ $(auditctl -s | grep "enabled") =~ "2" ]]; then printf "Reboot required to load rules\n"; fi
        ```
  - uid: mondoo-linux-security-successful-file-system-mounts-are-collected
    title: Ensure successful file system mounts are collected
    impact: 50
    props:
      - uid: mondooLinuxSecurityAuditFiles
        title: Return the content from all /etc/audit/rules.d and /etc/audit/audit.rules
        mql: |
          mondooLinuxSecurityAuditFiles = files.find(from: "/etc/audit/rules.d",regex:'.*\.rules$' , type: "file").list.map(path) + ["/etc/audit/audit.rules"]
          return mondooLinuxSecurityAuditFiles.map(file(_).content.lines.where( _ == /^[^#]/ ))
    mql: |
      props.mondooLinuxSecurityAuditFiles.any(_.contains(/^(\s+)?\-a\s+always\,exit\s+\-F\s+arch\=b64\s+\-S\s+mount\s+\-F\s+auid\>\=1000\s+\-F\s+auid\!\=(4294967295|unset|-1)\s+\-k\s+mounts(\s+)?$/)) || props.mondooLinuxSecurityAuditFiles.any(_.contains(/^(\s+)?\-a\s+always\,exit\s+\-F\s+arch\=b32\s+\-S\s+mount\s+\-F\s+auid\>\=1000\s+\-F\s+auid\!\=(4294967295|unset|-1)\s+\-k\s+mounts(\s+)?$/))
    docs:
      desc: |-
        Monitor the use of the `mount`
        system call. The `mount`
        (and `umount`
        ) system call controls the mounting and unmounting of file systems. The parameters below configure the system to create an audit record when the mount system call is used by a non-privileged user
      remediation: |-
        For 32-bit systems edit or create a file in the `/etc/audit/rules.d/` directory ending in `.rules`

        Example: `vi /etc/audit/rules.d/50-mounts.rules`

        Add the following lines:

        ```
        -a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts
        ```

        For 64-bit systems edit or create a file in the `/etc/audit/rules.d/` directory ending in `.rules`

        Example: `vi /etc/audit/rules.d/50-mounts.rules`

        Add the following lines:

        ```
        -a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts

        -a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts
        ```

        To load the newly added rules into the running configuration:

        ```
        augenrules --load
        ```
        This command will generate a new `/etc/audit/audit.rules` file containing the newly added rules.


        Check if a reboot is required, in case the running configuration is set to be immutable:

        ```
        if [[ $(auditctl -s | grep "enabled") =~ "2" ]]; then printf "Reboot required to load rules\n"; fi
        ```
  - uid: mondoo-linux-security-file-deletion-events-by-users-are-collected
    title: Ensure file deletion events by users are collected
    impact: 50
    props:
      - uid: mondooLinuxSecurityAuditFiles
        title: Return the content from all /etc/audit/rules.d and /etc/audit/audit.rules
        mql: |
          mondooLinuxSecurityAuditFiles = files.find(from: "/etc/audit/rules.d",regex:'.*\.rules$' , type: "file").list.map(path) + ["/etc/audit/audit.rules"]
          return mondooLinuxSecurityAuditFiles.map(file(_).content.lines.where( _ == /^[^#]/ ))
    mql: |
      props.mondooLinuxSecurityAuditFiles.any(_.contains(/^(\s+)?\-a\s+always\,exit\s+\-F\s+arch\=b64\s+\-S\s+rename\,unlink\,unlinkat\,renameat\s+\-F\s+auid\>\=1000\s+\-F\s+auid\!\=unset\s+\-F\s+key\=delete(\s+)?$/)) || props.mondooLinuxSecurityAuditFiles.any(_.contains(/^(\s+)?\-a\s+always\,exit\s+\-F\s+arch\=b64\s+\-S\s+unlink\s+\-S\s+unlinkat\s+\-S\s+rename\s+\-S\s+renameat\s+\-F\s+auid\>\=1000\s+\-F\s+auid\!\=(4294967295|unset|-1)\s+\-k\s+delete(\s+)?$/))
      props.mondooLinuxSecurityAuditFiles.any(_.contains(/^(\s+)?\-a\s+always\,exit\s+\-F\s+arch\=b32\s+\-S\s+rename\,unlink\,unlinkat\,renameat\s+\-F\s+auid\>\=1000\s+\-F\s+auid\!\=unset\s+\-F\s+key\=delete(\s+)?$/)) || props.mondooLinuxSecurityAuditFiles.any(_.contains(/^(\s+)?\-a\s+always\,exit\s+\-F\s+arch\=b32\s+\-S\s+unlink\s+\-S\s+unlinkat\s+\-S\s+rename\s+\-S\s+renameat\s+\-F\s+auid\>\=1000\s+\-F\s+auid\!\=(4294967295|unset|-1)\s+\-k\s+delete(\s+)?$/))
    docs:
      desc: |-
        Monitor the use of system calls associated with the deletion or renaming of files and file attributes. This configuration statement sets up monitoring for the `unlink`
        (remove a file), `unlinkat` (remove a file attribute), `rename` (rename a file) and `renameat` (rename a file attribute) system calls and tags them with the identifier "delete".

        **Note:**
        Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run this command:

        ```
        awk '/^\s*UID_MIN/{print $2}' /etc/login.defs
        ```

        If your systems' UID_MIN is not `1000`, replace `audit>=1000` with `audit>=<UID_MIN for your system>` in the Audit and Remediation procedures.
      remediation: |-
        For 32-bit systems edit or create a file in the `/etc/audit/rules.d/` directory ending in `.rules`

        Example: `vi /etc/audit/rules.d/50-deletion.rules`

        Add the following lines:

        ```
        -a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete
        ```

        For 64-bit systems edit or create a file in the `/etc/audit/rules.d/` directory ending in `.rules`

        Example: `vi /etc/audit/rules.d/50-deletion.rules`

        Add the following lines:

        ```
        -a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete

        -a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete
        ```

        To load the newly added rules into the running configuration:

        ```
        augenrules --load
        ```
        This command will generate a new `/etc/audit/audit.rules` file containing the newly added rules.


        Check if a reboot is required, in case the running configuration is set to be immutable:

        ```
        if [[ $(auditctl -s | grep "enabled") =~ "2" ]]; then printf "Reboot required to load rules\n"; fi
        ```
  - uid: mondoo-linux-security-kernel-module-loading-and-unloading-is-collected
    title: Ensure kernel module loading and unloading is collected
    impact: 50
    props:
      - uid: mondooLinuxSecurityAuditFiles
        title: Return the content from all /etc/audit/rules.d and /etc/audit/audit.rules
        mql: |
          mondooLinuxSecurityAuditFiles = files.find(from: "/etc/audit/rules.d",regex:'.*\.rules$' , type: "file").list.map(path) + ["/etc/audit/audit.rules"]
          return mondooLinuxSecurityAuditFiles.map(file(_).content.lines.where( _ == /^[^#]/ ))
    mql: |
      props.mondooLinuxSecurityAuditFiles.any(_.contains(/^(\s+)?\-w\s+\/sbin\/insmod\s+\-p\s+x\s+\-k\s+modules(\s+)?$/))
      props.mondooLinuxSecurityAuditFiles.any(_.contains(/^(\s+)?\-w\s+\/sbin\/rmmod\s+\-p\s+x\s+\-k\s+modules(\s+)?$/))
      props.mondooLinuxSecurityAuditFiles.any(_.contains(/^(\s+)?\-w\s+\/sbin\/modprobe\s+\-p\s+x\s+\-k\s+modules(\s+)?$/))
      props.mondooLinuxSecurityAuditFiles.any(_.contains(/^(\s+)?\-a\s+always,exit\s+\-F\s+arch\=b64\s+\-S\s+init\_module\s+\-S\s+delete\_module\s+\-k\s+modules(\s+)?$/)) || props.mondooLinuxSecurityAuditFiles.any(_.contains(/^(\s+)?\-a\s+always,exit\s+\-F\s+arch\=b32\s+\-S\s+init\_module\s+\-S\s+delete\_module\s+\-k\s+modules(\s+)?$/))
    docs:
      desc: |-
        Monitor the loading and unloading of kernel modules. The programs `insmod`
        (install a kernel module), `rmmod`
        (remove a kernel module), and `modprobe`
        (a more sophisticated program to load and unload modules, as well as some other features) control loading and unloading of modules. The `init_module`
        (load a module) and `delete_module`
        (delete a module) system calls control loading and unloading of modules. Any execution of the loading and unloading module programs and system calls will trigger an audit record with an identifier of "modules".
      remediation: |-
        For 32-bit systems edit or create a file in the `/etc/audit/rules.d/` directory ending in `.rules`

        Example: `vi /etc/audit/rules.d/50-modules.rules`

        Add the following lines:

        ```
        -w /sbin/insmod -p x -k modules

        -w /sbin/rmmod -p x -k modules

        -w /sbin/modprobe -p x -k modules

        -a always,exit -F arch=b32 -S init_module -S delete_module -k modules
        ```

        For 64-bit systems edit or create a file in the `/etc/audit/rules.d/` directory ending in `.rules`

        Example: `vi /etc/audit/rules.d/50-modules.rules`

        Add the following lines:

        ```
        -w /sbin/insmod -p x -k modules

        -w /sbin/rmmod -p x -k modules

        -w /sbin/modprobe -p x -k modules

        -a always,exit -F arch=b64 -S init_module -S delete_module -k modules
        ```

        To load the newly added rules into the running configuration:

        ```
        augenrules --load
        ```
        This command will generate a new `/etc/audit/audit.rules` file containing the newly added rules.


        Check if a reboot is required, in case the running configuration is set to be immutable:

        ```
        if [[ $(auditctl -s | grep "enabled") =~ "2" ]]; then printf "Reboot required to load rules\n"; fi
        ```
  - uid: mondoo-linux-security-system-administrator-actions-sudolog-are-collected
    title: Ensure system administrator actions (sudolog) are collected
    impact: 50
    props:
      - uid: mondooLinuxSecurityAuditFiles
        title: Return the content from all /etc/audit/rules.d and /etc/audit/audit.rules
        mql: |
          mondooLinuxSecurityAuditFiles = files.find(from: "/etc/audit/rules.d",regex:'.*\.rules$' , type: "file").list.map(path) + ["/etc/audit/audit.rules"]
          return mondooLinuxSecurityAuditFiles.map(file(_).content.lines.where( _ == /^[^#]/ ))
    mql: |
      props.mondooLinuxSecurityAuditFiles.any(_.contains(/^(\s+)?\-w\s+\/var\/log\/sudo\.log\s+\-p\s+wa\s+\-k\s+actions(\s+)?$/))
    docs:
      desc: |-
        Monitor the `sudo` log file. If the system has been properly configured to disable the use of the `su`
        command and force all administrators to have to log in first and then use `sudo`
        to execute privileged commands, then all administrator commands will be logged to `/var/log/sudo.log`
        . Any time a command is executed, an audit event will be triggered as the `/var/log/sudo.log`
        file will be opened for write and the executed administration command will be written to the log.
      remediation: |
        Edit or create a file in the `/etc/audit/rules.d/` directory ending in `.rules` and add the following line:

        ```
        -w <Path to sudo log file> -p wa -k actions
        ```

        Example: `vi /etc/audit/rules.d/actions.rules`

        and add the following line:

        ```
        -w /var/log/sudo.log -p wa -k actions
        ```

        To load the newly added rules into the running configuration:

        ```
        augenrules --load
        ```
        This command will generate a new `/etc/audit/audit.rules` file containing the newly added rules.


        Check if a reboot is required, in case the running configuration is set to be immutable:

        ```
        if [[ $(auditctl -s | grep "enabled") =~ "2" ]]; then printf "Reboot required to load rules\n"; fi
        ```
  - uid: mondoo-linux-security-the-audit-configuration-is-immutable
    title: Ensure the audit configuration is immutable
    impact: 50
    props:
      - uid: mondooLinuxSecurityAuditFiles
        title: Return the content from all /etc/audit/rules.d and /etc/audit/audit.rules
        mql: |
          mondooLinuxSecurityAuditFiles = files.find(from: "/etc/audit/rules.d",regex:'.*\.rules$' , type: "file").list.map(path) + ["/etc/audit/audit.rules"]
          return mondooLinuxSecurityAuditFiles.map(file(_).content.lines.where( _ == /^[^#]/ ))
    mql: |
      props.mondooLinuxSecurityAuditFiles.any(_.contains(/(\s+)?\-e\s+2(\s+)?$/))
    docs:
      desc: |-
        Set system audit so that audit rules cannot be modified with `auditctl`
        . Setting the flag "-e 2" forces audit to be put in immutable mode. Audit changes can only be made on system reboot.
      remediation: |-
        Edit or create the file `/etc/audit/audit.rules` and add the following line at the end of the file:

        ```
        -e 2
        ```

        To load the newly added rules into the running configuration:

        ```
        augenrules --load
        ```
        This command will generate a new `/etc/audit/audit.rules` file containing the newly added rules.


        Check if a reboot is required, in case the running configuration is set to be immutable:

        ```
        if [[ $(auditctl -s | grep "enabled") =~ "2" ]]; then printf "Reboot required to load rules\n"; fi
        ```
  - uid: mondoo-linux-security-sudo-logging-is-enabled
    title: Ensure sudo logging is enabled
    impact: 80
    props:
      - uid: mondooLinuxSecuritySudoersFiles
        title: Return the files from /etc/sudoers.d
        mql: |
          sudoersFiles = files.find(from: "/etc/sudoers.d/", type: 'file').list.map(path) + ["/etc/sudoers"]
          return sudoersFiles.map(file(_).content.lines.where(_ == /^[^#]/)).flat
    mql: |
      props.mondooLinuxSecuritySudoersFiles
        .where(_ == /Defaults/)
        .any(_ == /logfile=\"\/var\/log\/sudo\.log\"/)
    docs:
      desc: By default, sudo logs all events in the /var/log/auth.log file. This log file contains all authentication events system-wide, making it difficult to audit sudo failures. To reduce the chances of sudo failures going unnoticed, administrations should configure sudo to log to a dedicated log file location.
      remediation: |-
        Using the `visudo` command, add the following line to the `/etc/sudoers` configuration file.

        ```
        Defaults log_host, log_year, logfile="/var/log/sudo.log"
        ```
  - uid: mondoo-linux-security-permissions-on-etcsshsshd-config-are-configured
    title: Ensure secure permissions on /etc/ssh/sshd_config are set
    impact: 100
    mql: |
      file("/etc/ssh/sshd_config") {
        user.name == "root"
        group.name == "root"
        permissions.user_executable == false
        permissions.group_readable == false
        permissions.group_writeable == false
        permissions.group_executable == false
        permissions.other_readable == false
        permissions.other_writeable == false
        permissions.other_executable == false
      }
    docs:
      desc: The `/etc/ssh/sshd_config` file contains configuration specifications for `sshd`. The command below sets the owner and group of the file to root.
      remediation: |-
        Run these commands to set ownership and permissions on `/etc/ssh/sshd_config`:

        ```
        chown root:root /etc/ssh/sshd_config

        chmod og-rwx /etc/ssh/sshd_config
        ```
  - uid: mondoo-linux-security-rsyslog-is-installed
    title: Ensure rsyslog is installed
    impact: 50
    mql: |
      package("rsyslog").installed
    docs:
      desc: |-
        The `rsyslog`
        software is a recommended replacement to the original `syslogd`
        daemon which provide improvements over `syslogd`
        , such as connection-oriented (i.e. TCP) transmission of logs, the option to log to database formats, and the encryption of log data en route to a central logging server.
      remediation: |-
        Run this command to install rsyslog:

        ```
        dnf install rsyslog
        ```
  - uid: mondoo-linux-security-rsyslog-service-is-enabled
    title: Ensure rsyslog Service is enabled
    impact: 50
    mql: |
      service("rsyslog").enabled
    docs:
      desc: Once the `rsyslog` package is installed it needs to be enabled.
      remediation: |-
        Run this command to enable `rsyslog`:

        ```
        systemctl --now enable rsyslog
        ```
  - uid: mondoo-linux-security-rsyslog-default-file-permissions-configured
    title: Ensure rsyslog default file permissions configured
    impact: 60
    mql: |
      rsyslog.conf.settings.contains("$FileCreateMode 0640")
    docs:
      desc: rsyslog will create log files that do not already exist on the system. This setting controls what permissions will be applied to these newly created files.
      remediation: |-
        Edit the `/etc/rsyslog.conf` and `/etc/rsyslog.d/*.conf`
        files and set `$FileCreateMode` to `0640` or more restrictive:

        ```
        $FileCreateMode 0640
        ```
  - uid: mondoo-linux-security-journald-is-configured-to-send-logs-to-rsyslog
    title: Ensure journald is configured to send logs to rsyslog
    impact: 50
    mql: |
      ["/etc/systemd/journald.conf"].where(file(_).exists) {
        file(_) {
          parse.ini("/etc/systemd/journald.conf").sections["Journal"]["ForwardToSyslog"].downcase == "yes"
        }
      }
    docs:
      desc: |-
        Data from journald may be stored in volatile memory or persisted locally on the server. Utilities exist to accept remote export of journald logs,
        however, use of the rsyslog service provides a consistent means of log collection and export.
      remediation: |-
        Edit the `/etc/systemd/journald.conf` file and add the following line:

        ```
        ForwardToSyslog=yes
        ```
  - uid: mondoo-linux-security-journald-is-configured-to-compress-large-log-files
    title: Ensure journald is configured to compress large log files
    impact: 50
    mql: |
      ["/etc/systemd/journald.conf"].where(file(_).exists) {
        file(_) {
          parse.ini("/etc/systemd/journald.conf").sections["Journal"]["Compress"] == "yes"
        }
      }
    docs:
      desc: The journald system includes the capability of compressing overly large files to avoid filling up the system with logs or making the logs unmanageably large.
      remediation: |-
        Edit the `/etc/systemd/journald.conf` file and add the following line:

        ```
        Compress=yes
        ```
  - uid: mondoo-linux-security-journald-is-configured-to-write-logfiles-to-persistent-disk
    title: Ensure journald is configured to write logfiles to persistent disk
    impact: 50
    mql: |
      ["/etc/systemd/journald.conf"].where(file(_).exists) {
        file(_) {
          parse.ini("/etc/systemd/journald.conf").sections["Journal"]["Storage"] == "persistent"
        }
      }
    docs:
      desc: Data from journald may be stored in volatile memory or persisted locally on the server. Logs in memory will be lost upon a system reboot. Persisting logs to a local disk on the server protects logs loss.
      remediation: |-
        Edit the `/etc/systemd/journald.conf` file and add the following line:

        ```
        Storage=persistent
        ```
  - uid: mondoo-linux-security-permissions-on-all-logfiles-are-configured
    title: Ensure secure permissions on all log files are set
    impact: 80
    mql: |
      files.find(from: "/var/log", type: "file").list {
        path
        permissions.group_writeable == false
        permissions.group_executable == false
        permissions.other_readable == false
        permissions.other_writeable == false
        permissions.other_executable == false
      }
    docs:
      desc: Log files stored in /var/log/ contain logged information from many services on the system. If the host is a log aggregation server, these logs may collect sensitive data from large numbers of systems in your environment.
      remediation: |-
        Run these commands to set permissions on all existing log files:

        ```
        find /var/log/ -type f -perm /g+wx,o+rwx -exec chmod g-wx,o-rwx "{}" +
        ```

        _Note: The configuration for your logging software or services may need to also be modified for any logs that had incorrect permissions, otherwise, the permissions may be reverted to the incorrect permissions_

        _rsyslog.conf_

        ```
        vi /etc/rsyslog.conf
        ..
        $FileCreateMode 0640
        $umask 0077
        ```

        Configuration for creation, deletion and cleaning of volatile and temporary files:

        ```
        vi /etc/tmpfiles.d/var.conf
        ..
        f /var/log/faillog 0640 root root -
        f /var/log/wtmp 0640 root utmp -
        f /var/log/btmp 0640 root utmp -
        f /var/log/lastlog 0640 root utmp -
        ```
  - uid: mondoo-linux-security-permissions-on-ssh-private-host-key-files-are-configured
    title: Ensure secure permissions on SSH private host key files are set
    impact: 100
    mql: |
      files.
        find(from: "/etc/ssh", type: "file").
        where(path == /ssh_host_.*key$/).list {
          permissions.user_executable == false
          permissions.group_readable == false
          permissions.group_writeable == false
          permissions.group_executable == false
          permissions.other_readable == false
          permissions.other_writeable == false
          permissions.other_executable == false
        }
    docs:
      desc: An SSH private key is one of two files used in SSH public key authentication. In this authentication method, The possession of the private key is proof of identity. Only a private key corresponding to a public key can authenticate successfully. The private keys need to be stored and handled carefully, and no copies of the private key should be distributed.
      remediation: |-
        Run these commands to set ownership and permissions on the private SSH host key files

        ```
        find /etc/ssh -xdev -type f -name 'ssh_host_*_key' -exec chown root:ssh_keys {} \;
        ```

        ```
        find /etc/ssh -xdev -type f -name 'ssh_host_*_key' -exec chmod 0600 {} \;
        ```
  - uid: mondoo-linux-security-permissions-on-ssh-public-host-key-files-are-configured
    title: Ensure secure permissions on SSH public host key files are set
    impact: 80
    mql: |
      files.
        find(from: "/etc/ssh", type: "file").
        where(path == /ssh_host_.*key.pub$/).list {
          permissions.user_executable == false
          permissions.group_writeable == false
          permissions.group_executable == false
          permissions.other_writeable == false
          permissions.other_executable == false
        }
    docs:
      desc: An SSH public key is one of two files used in SSH public key authentication. In this authentication method, a public key is a key that can be used for verifying digital signatures generated using a corresponding private key. Only a public key corresponding to a private key can authenticate successfully.
      remediation: |-
        Run these commands to set permissions and ownership on the SSH host public key files

        ```
        find /etc/ssh -xdev -type f -name 'ssh_host_*_key.pub' -exec chmod 0644 {} \;
        ```

        ```
        find /etc/ssh -xdev -type f -name 'ssh_host_*_key.pub' -exec chown root:root {} \;
        ```
  - uid: mondoo-linux-security-ssh-protocol-is-set-to-2
    title: Ensure SSH Protocol is set to 2
    impact: 80
    filters: package('openssh-server').version == /6./ || package('openssh-server').version == /7\.[0|1|2|3|4|5]/
    mql: |
      sshd.config.params["Protocol"] == 2
    docs:
      desc: 'SSH supports two different and incompatible protocols: SSH1 and SSH2. SSH1 was the original protocol and was subject to security issues. SSH2 is more advanced and secure.'
      remediation: |-
        Edit the `/etc/ssh/sshd_config` file to set the `Protocol`parameter as follows:

        ```
        Protocol 2
        ```
  - uid: mondoo-linux-security-ssh-loglevel-is-appropriate
    title: Ensure SSH LogLevel is appropriate
    impact: 60
    mql: |
      sshd.config.params["LogLevel"] == /INFO|VERBOSE/
    docs:
      desc: |-
        `INFO` level is the basic level that only records the login activity of SSH users. In many situations, such as incident response, it is important to determine when a particular user was active on a system. The logout record can eliminate those users who disconnected, which helps narrow the field.

        `VERBOSE` level specifies that login and logout activity as well as the key fingerprint for any SSH key used for login will be logged. This information is important for SSH key management, especially in legacy environments.
      remediation: |-
        Edit the `/etc/ssh/sshd_config` file to set the `LogLevel` parameter as follows:

        ```
        LogLevel VERBOSE
        ```

        or

        ```
        LogLevel INFO
        ```
  - uid: mondoo-linux-security-ssh-x11-forwarding-is-disabled
    title: Ensure SSH X11 forwarding is disabled
    impact: 50
    mql: |
      sshd.config.params["X11Forwarding"] == "no"
    docs:
      desc: The X11Forwarding parameter allows tunneling X11 traffic through the connection to enable remote graphic connections.
      remediation: |-
        Edit the `/etc/ssh/sshd_config` file to set the `X11Forwarding` parameter as follows:

        ```
        X11Forwarding no
        ```
  - uid: mondoo-linux-security-ssh-maxauthtries-is-set-to-4-or-less
    title: Ensure SSH MaxAuthTries is set to 4 or less
    impact: 75
    mql: |
      sshd.config.params["MaxAuthTries"] <= 4
    docs:
      desc: The `MaxAuthTries` parameter specifies the maximum number of authentication attempts permitted per connection. When the login failure count reaches half this maximum value, error messages will be written to the `syslog` file detailing the login failure.
      remediation: |-
        Edit the `/etc/ssh/sshd_config` file to set the `MaxAuthTries` parameter as follows:

        ```
        MaxAuthTries 4
        ```
  - uid: mondoo-linux-security-ssh-ignorerhosts-is-enabled
    title: Ensure SSH IgnoreRhosts is enabled
    impact: 60
    mql: |
      sshd.config.params["IgnoreRhosts"] == "yes"
    docs:
      desc: The `IgnoreRhosts` parameter specifies that `.rhosts` and `.shosts` files will not be used in `RhostsRSAAuthentication` or `HostbasedAuthentication` .
      remediation: |-
        Edit the `/etc/ssh/sshd_config` file to set the `IgnoreRhosts` parameter as follows:

        ```
        IgnoreRhosts yes
        ```
  - uid: mondoo-linux-security-ssh-hostbasedauthentication-is-disabled
    title: Ensure SSH HostbasedAuthentication is disabled
    impact: 70
    mql: |
      sshd.config.params["HostbasedAuthentication"] == "no"
    docs:
      desc: The `HostbasedAuthentication` parameter specifies if authentication is allowed through trusted hosts via the user of `.rhosts`, or `/etc/hosts.equiv`, along with successful public key client host authentication. This option only applies to SSH Protocol Version 2.
      remediation: |-
        Edit the `/etc/ssh/sshd_config` file to set the `HostbasedAuthentication` parameter as follows:

        ```
        HostbasedAuthentication no
        ```
  - uid: mondoo-linux-security-ssh-root-login-is-disabled
    title: Ensure SSH root login is disabled or set to prohibit-password
    impact: 100
    mql: |
      sshd.config.params["PermitRootLogin"] == "no" || sshd.config.params["PermitRootLogin"] == "prohibit-password" || sshd.config.params["PermitRootLogin"] == "without-password"
    docs:
      desc: The `PermitRootLogin` parameter specifies if the root user can log in using ssh(1). The default is no.
      remediation: |-
        Edit the `/etc/ssh/sshd_config` file to set the `PermitRootLogin` parameter as follows:

        ```
        PermitRootLogin no
        ```
  - uid: mondoo-linux-security-ssh-permitemptypasswords-is-disabled
    title: Ensure SSH PermitEmptyPasswords is disabled
    impact: 70
    mql: |
      sshd.config.params["PermitEmptyPasswords"] == "no"
    docs:
      desc: The `PermitEmptyPasswords` parameter specifies if the SSH server allows login to accounts with empty password strings.
      remediation: |-
        Edit the `/etc/ssh/sshd_config` file to set the `PermitEmptyPasswords` parameter as follows:

        ```
        PermitEmptyPasswords no
        ```
  - uid: mondoo-linux-security-ssh-permituserenvironment-is-disabled
    title: Ensure SSH PermitUserEnvironment is disabled
    impact: 70
    mql: |
      sshd.config.params["PermitUserEnvironment"] == "no"
    docs:
      desc: The `PermitUserEnvironment` option allows users to present environment options to the `ssh` daemon.
      remediation: |-
        Edit the `/etc/ssh/sshd_config` file to set the `PermitUserEnvironment` parameter as follows:

        ```
        PermitUserEnvironment no
        ```
  - uid: mondoo-linux-security-only-strong-ciphers-are-used
    title: Ensure only strong ciphers are used
    impact: 100
    props:
      - uid: mondooLinuxSecuritySshdCiphers
        title: Define the hardened ciphers for all SSH configurations
        mql: |
          if( package('openssh-server').version == /6./ ) {
            return ["aes256-ctr", "aes192-ctr", "aes128-ctr"]
          }
          return ["chacha20-poly1305@openssh.com","aes256-gcm@openssh.com","aes128-gcm@openssh.com","aes256-ctr","aes192-ctr","aes128-ctr"]
    mql: |
      sshd.config.ciphers != empty
      sshd.config.ciphers.containsOnly(props.mondooLinuxSecuritySshdCiphers)
    docs:
      desc: This variable limits the ciphers that SSH can use during communication.
      remediation: |-
        Edit the `/etc/ssh/sshd_config` file to add or modify the `Ciphers` parameter so that it contains a comma-separated list of the site approved ciphers

        Example:

        ```
        Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
        ```
  - uid: mondoo-linux-security-only-strong-mac-algorithms-are-used
    title: Ensure only strong MAC algorithms are used
    impact: 80
    props:
      - uid: mondooLinuxSecurityMacAlgos
        title: Define the accepted MAC algorithms
        mql: |
          return ["umac-128-etm@openssh.com","hmac-sha2-256-etm@openssh.com","hmac-sha2-512-etm@openssh.com",
                  "umac-128@openssh.com","hmac-sha2-256","hmac-sha2-512"]
    mql: |
      sshd.config.macs != empty
      sshd.config.macs.containsOnly(props.mondooLinuxSecurityMacAlgos)
    docs:
      desc: This variable limits the types of MAC algorithms that SSH can use during communication.
      remediation: |-
        Edit the `/etc/ssh/sshd_config` file to add or modify the `MACs` parameter so that it contains a comma-separated list of the site approved MACs

        Example:

        ```
        MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256
        ```
  - uid: mondoo-linux-security-only-strong-kex-algorithms-are-used
    title: Ensure that strong Key Exchange algorithms are used
    impact: 100
    props:
      - uid: mondooLinuxSecurityKexAlgos
        title: Define the hardened key exchange algorithms for all SSH configurations
        mql: |
          if( package('openssh-server').version == /6./) {
            return ["curve25519-sha256@libssh.org"]
          }
          if( package('openssh-server').version == /7./) {
            return ["curve25519-sha256@libssh.org","diffie-hellman-group18-sha512"]
          }
          if( package('openssh-server').version == /8\.[0|1|2|3|4|5]/ ) {
            return ["sntrup4591761x25519-sha512@tinyssh.org","curve25519-sha256@libssh.org","diffie-hellman-group18-sha512"]
          }
          return ["sntrup761x25519-sha512@openssh.com","curve25519-sha256@libssh.org","diffie-hellman-group18-sha512"]
    mql: |
      sshd.config.kexs != empty
      sshd.config.kexs.containsOnly(props.mondooLinuxSecurityKexAlgos)
    docs:
      desc: Key exchange is any method in cryptography by which cryptographic keys are exchanged between two parties, allowing use of a cryptographic algorithm. If the sender and receiver wish to exchange encrypted messages, each must be equipped to encrypt messages to be sent and decrypt messages received
      remediation: |-
        Edit the `/etc/ssh/sshd_config` file to add or modify the `KexAlgorithms` parameter so that it contains a comma-separated list of the site approved key exchange algorithms

        openssh-server version 6.x

        ```
        KexAlgorithms curve25519-sha256@libssh.org
        ```

        openssh-server version 7.x:

        ```
        KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group18-sha512
        ```

        openssh-server version 8.0 to 8.5:

        ```
        KexAlgorithms sntrup4591761x25519-sha512@tinyssh.org,curve25519-sha256@libssh.org,diffie-hellman-group18-sha512
        ```

        openssh-server version 8.6 to 9:

        ```
        KexAlgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256@libssh.org,diffie-hellman-group18-sha512
        ```

        NOTE:
        To quickly find out what openssh-server version you are using, run this command:

        ```bash
        cnquery run -c "package('openssh-server').version"
        ```
  - uid: mondoo-linux-security-ssh-idle-timeout-interval-is-configured
    title: Ensure SSH Idle Timeout Interval is configured
    impact: 60
    mql: |
      sshd.config.params["ClientAliveInterval"] >= 1
      sshd.config.params["ClientAliveInterval"] <= 300
      sshd.config.params["ClientAliveCountMax"] = 0
    docs:
      desc: The two options `ClientAliveInterval` and `ClientAliveCountMax` control the timeout of ssh sessions. When the `ClientAliveInterval` variable is set, ssh sessions that have no activity for the specified length of time are terminated. When the `ClientAliveCountMax` variable is set, `sshd` will send client alive messages at every `ClientAliveInterval` interval. When the number of consecutive client alive messages are sent with no response from the client, the `ssh` session is terminated. For example, if the `ClientAliveInterval` is set to 15 seconds and the `ClientAliveCountMax` is set to 3, the client `ssh` session will be terminated after 45 seconds of idle time.
      remediation: |-
        Edit the `/etc/ssh/sshd_config` file to set the `ClientAliveInterval` and `ClientAliveCountMax` parameters according to site policy:

        ```
        ClientAliveInterval 300
        ClientAliveCountMax 0
        ```
  - uid: mondoo-linux-security-ssh-logingracetime-is-set-to-one-minute-or-less
    title: Ensure SSH LoginGraceTime is set to one minute or less
    impact: 80
    mql: |
      sshd.config.params["LoginGraceTime"] >= 1
      sshd.config.params["LoginGraceTime"] <= 60
    docs:
      desc: The `LoginGraceTime` parameter specifies the time allowed for successful authentication to the SSH server. The longer the grace period is, the more open unauthenticated connections can exist. Like other session controls, the grace period should be limited to appropriate organizational limits to ensure the service is available for needed access.
      remediation: |-
        Edit the `/etc/ssh/sshd_config` file to set the `LoginGraceTime` parameter as follows:

        ```
        LoginGraceTime 60
        ```
  - uid: mondoo-linux-security-ssh-access-is-limited
    title: Ensure SSH access is limited
    impact: 60
    mql: |
      sshd.config.params["AllowUsers"] != empty || sshd.config.params["AllowGroups"] != empty || sshd.config.params["DenyUsers"] != empty || sshd.config.params["DenyGroups"] != empty

      if (sshd.config.params["AllowUsers"] != empty) { sshd.config.params["AllowUsers"] != "" }
      if (sshd.config.params["AllowGroups"] != empty) { sshd.config.params["AllowGroups"] != "" }
      if (sshd.config.params["DenyUsers"] != empty) { sshd.config.params["DenyUsers"] != "" }
      if (sshd.config.params["DenyGroups"] != empty) { sshd.config.params["DenyGroups"] != "" }
    docs:
      desc: |-
        There are several options available to limit which users and groups can access the system via SSH. It is recommended that at least one of the following options be leveraged: `AllowUsers`

        The `AllowUsers` variable gives the system administrator the option of allowing specific users to `ssh` into the system. The list consists of space-separated user names. Numeric user IDs are not recognized with this variable. If a system administrator wants to restrict user access further by only allowing the allowed users to log in from a particular host, the entry can be specified in the form of user@host. `AllowGroups`

        The `AllowGroups` variable gives the system administrator the option of allowing specific groups of users to `ssh` into the system. The list consists of space-separated group names. Numeric group IDs are not recognized with this variable. `DenyUsers`

        The `DenyUsers` variable gives the system administrator the option of denying specific users to `ssh` into the system. The list consists of space-separated user names. Numeric user IDs are not recognized with this variable. If a system administrator wants to restrict user access further by specifically denying user access from a particular host, the entry can be specified in the form of user@host. `DenyGroups`

        The `DenyGroups` variable gives the system administrator the option of denying specific groups of users to `ssh` into the system. The list consists of space-separated group names. Numeric group IDs are not recognized with this variable.
      remediation: |-
        Edit the `/etc/ssh/sshd_config` file and add one or more of these parameters:

        ```
        AllowUsers <userlist>
        AllowGroups <grouplist>

        DenyUsers <userlist>
        DenyGroups <grouplist>
        ```
  - uid: mondoo-linux-security-ssh-warning-banner-is-configured
    title: Ensure SSH warning banner is configured
    impact: 30
    mql: |
      sshd.config.params["Banner"] == "/etc/issue.net"
    docs:
      desc: The `Banner` parameter specifies a file whose contents must be sent to the remote user before authentication is permitted. By default, no banner is displayed.
      remediation: |-
        Edit the `/etc/ssh/sshd_config` file to set the `Banner` parameter as follows:

        ```
        Banner /etc/issue.net
        ```
  - uid: mondoo-linux-security-permissions-on-etcpasswd-are-configured
    title: Ensure secure permissions on /etc/passwd are set
    impact: 100
    mql: |
      file("/etc/passwd") {
        permissions.user_executable == false
        permissions.group_writeable == false
        permissions.group_executable == false
        permissions.other_writeable == false
        permissions.other_executable == false
      }
    docs:
      desc: The `/etc/passwd` file contains user account information used by many system utilities and therefore must be readable for these utilities to operate.
      remediation: |-
        Run this command to set permissions on `/etc/passwd`:

        ```
        chown root:root /etc/passwd

        chmod 644 /etc/passwd
        ```
  - uid: mondoo-linux-security-permissions-on-etcshadow-are-configured
    title: Ensure secure permissions on /etc/shadow are set
    impact: 100
    mql: |
      if (file("/etc/shadow").exists) {
        file("/etc/shadow") {
          permissions.user_executable == false
          permissions.group_writeable == false
          permissions.group_executable == false
          permissions.other_readable == false
          permissions.other_writeable == false
          permissions.other_executable == false
        }
      }
    docs:
      desc: The `/etc/shadow` file is used to store the information about user accounts that is critical to the security of those accounts, such as the hashed password and other security information.
      remediation: |-
        Run these commands to set permissions on `/etc/shadow` :

        ```
        chown root:root /etc/shadow

        chmod 640 /etc/shadow
        ```
  - uid: mondoo-linux-security-permissions-on-etcgroup-are-configured
    title: Ensure secure permissions on /etc/group are set
    impact: 100
    mql: |
      file("/etc/group") {
        permissions.user_executable == false
        permissions.group_writeable == false
        permissions.group_executable == false
        permissions.other_writeable == false
        permissions.other_executable == false
      }
    docs:
      desc: The `/etc/group` file contains a list of all the valid groups defined in the system. This file should have read/write access for root and read access for all other users to prevent non-administrative users from modifying groups.
      remediation: |-
        Run this command to set permissions on `/etc/group` :

        ```
        chown root:root /etc/group

        chmod 644 /etc/group
        ```
  - uid: mondoo-linux-security-permissions-on-etcgshadow-are-configured
    title: Ensure secure permissions on /etc/gshadow are set
    impact: 100
    mql: |
      if (file("/etc/gshadow").exists) {
        file("/etc/gshadow") {
          permissions.user_executable == false
          permissions.group_writeable == false
          permissions.group_executable == false
          permissions.other_readable == false
          permissions.other_writeable == false
          permissions.other_executable == false
        }
      }
    docs:
      desc: The `/etc/gshadow` file is used to store the information about groups that is critical to the security of those accounts, such as the hashed password and other security information.
      remediation: |-
        Run the following chown to set permissions on `/etc/gshadow` :

        ```
        chown root:root /etc/gshadow

        chmod 640 /etc/gshadow
        ```
  - uid: mondoo-linux-security-permissions-on-etcpasswd--are-configured
    title: Ensure secure permissions on /etc/passwd- are set
    impact: 100
    mql: |
      if (file("/etc/passwd-").exists) {
        file("/etc/passwd-") {
          permissions.user_executable == false
          permissions.group_readable == false
          permissions.group_writeable == false
          permissions.group_executable == false
          permissions.other_readable == false
          permissions.other_writeable == false
          permissions.other_executable == false
        }
      }
    docs:
      desc: The `/etc/passwd-` file contains backup user account information.
      remediation: |-
        Run this command to set permissions on `/etc/passwd-` :

        ```
        chown root:root /etc/passwd-

        chmod 600 /etc/passwd-
        ```

        Configuration for creation, deletion and cleaning of volatile and temporary `/etc/tmpfiles.d/etc.conf`:

        ```
        f /etc/passwd- 0600 root root -
        ```
  - uid: mondoo-linux-security-permissions-on-etcshadow--are-configured
    title: Ensure secure permissions on /etc/shadow- are set
    impact: 100
    mql: |
      if (file("/etc/shadow-").exists) {
        file("/etc/shadow-") {
          permissions.user_executable == false
          permissions.group_writeable == false
          permissions.group_executable == false
          permissions.other_readable == false
          permissions.other_writeable == false
          permissions.other_executable == false
        }
      }
    docs:
      desc: The `/etc/shadow-` file is used to store backup information about user accounts, such as the hashed password and other security information. Only the root user should have read and write permissions on this file so that sensitive user information is not available to non-administrative users on the system.
      remediation: |-
        Run these commands to set permissions on `/etc/shadow-`:

        ```
        chown root:root /etc/shadow-

        chmod 640 /etc/shadow-
        ```

        Configuration for creation, deletion and cleaning of volatile and temporary `/etc/tmpfiles.d/etc.conf`:

        ```
        f /etc/shadow- 0600 root root -
        ```
  - uid: mondoo-linux-security-permissions-on-etcgroup--are-configured
    title: Ensure secure permissions on /etc/group- are set
    impact: 100
    mql: |
      if (file("/etc/group-").exists) {
        file("/etc/group-") {
          permissions.user_executable == false
          permissions.group_readable == false
          permissions.group_writeable == false
          permissions.group_executable == false
          permissions.other_readable == false
          permissions.other_writeable == false
          permissions.other_executable == false
        }
      }
    docs:
      desc: The `/etc/group-` file contains a backup list of all the valid groups defined in the system. Only the root user should have read and write permissions on this file so that group names an user membership is not available to non-administrative users on the system.
      remediation: |-
        Run this command to set permissions on `/etc/group-` :

        ```
        chown root:root /etc/group-

        chmod 600 /etc/group-
        ```

        Configuration for creation, deletion and cleaning of volatile and temporary `/etc/tmpfiles.d/etc.conf`:

        ```
        f /etc/group- 0600 root root -
        ```
  - uid: mondoo-linux-security-permissions-on-etcgshadow--are-configured
    title: Ensure secure permissions on /etc/gshadow- are set
    impact: 100
    mql: |
      if (file("/etc/gshadow-").exists) {
        file("/etc/gshadow-") {
          permissions.user_executable == false
          permissions.group_writeable == false
          permissions.group_executable == false
          permissions.other_readable == false
          permissions.other_writeable == false
          permissions.other_executable == false
        }
      }
    docs:
      desc: The `/etc/gshadow-` file is used to store backup information about groups that is critical to the security of those accounts, such as the hashed password and other security information.
      remediation: |-
        Run these commands to set permissions on `/etc/gshadow-` :

        ```
        chown root:root /etc/gshadow-

        chmod 640 /etc/gshadow-
        ```

        Configuration for creation, deletion and cleaning of volatile and temporary `/etc/tmpfiles.d/etc.conf`:

        ```
        f /etc/gshadow- 0600 root root -
        ```
  - uid: mondoo-linux-security-no-duplicate-uids-exist
    title: Ensure no duplicate UIDs exist
    impact: 80
    mql: |
      users.list.duplicates(uid).none()
    docs:
      desc: |
        Each login name, each user ID (UID), and each group ID (GID) MUST ONLY be used once. Every user MUST be a member of at least one group. Every GID mentioned in the /etc/passwd file MUST be defined in the /etc/group file. Every group SHOULD only contain the users that are absolutely necessary. In networked systems, care MUST also be taken to ensure that user and group names (UIDs and GIDs) are assigned consistently in the system network if there is a possibility that the same UIDs or GIDs could be assigned to different user or group names on the systems during cross-system access.

        The `useradd` program does not let you create duplicate user IDs (UID), but for an administrator it is possible to manually edit the `/etc/passwd` and create a duplicate UID entry.
      remediation: |
        Based on the results of the query output, establish unique UIDs and review all files owned by the shared UIDs to determine which UID they are supposed to belong to.

        Run this command to set the new UID of a user:

        ```
        usermod -u <new uid> <user>
        ```
  - uid: mondoo-linux-security-no-duplicate-user-names-exist
    title: Ensure no duplicate user names exist
    impact: 80
    mql: |
      users.list.duplicates(name).none()
    docs:
      desc: |
        Each login name, each user ID (UID), and each group ID (GID) MUST ONLY be used once. Every user MUST be a member of at least one group. Every GID mentioned in the /etc/passwd file MUST be defined in the /etc/group file. Every group SHOULD only contain the users that are absolutely necessary. In networked systems, care MUST also be taken to ensure that user and group names (UIDs and GIDs) are assigned consistently in the system network if there is a possibility that the same UIDs or GIDs could be assigned to different user or group names on the systems during cross-system access.

        The `useradd` program does not let you create a duplicate user name, but for an administrator it is possible to manually edit the `/etc/passwd` file and create a duplicated username entry.
      remediation: |
        Based on the results of the query output, establish unique user names for the users. File ownerships will automatically reflect the change as long as the users have unique UIDs.

        Run this command to set the new user name:

        ```
        usermod -l <new login-name> <old username>
        ```
  - uid: mondoo-linux-security-no-duplicate-gids-exist
    title: Ensure no duplicate GIDs exist
    impact: 80
    mql: |
      groups.list.duplicates(gid).none()
    docs:
      desc: |
        Each login name, each user ID (UID), and each group ID (GID) MUST ONLY be used once. Every user MUST be a member of at least one group. Every GID mentioned in the /etc/passwd file MUST be defined in the /etc/group file. Every group SHOULD only contain the users that are absolutely necessary. In networked systems, care MUST also be taken to ensure that user and group names (UIDs and GIDs) are assigned consistently in the system network if there is a possibility that the same UIDs or GIDs could be assigned to different user or group names on the systems during cross-system access.

        The `groupadd` program does not let you create a duplicate group ID (GID), but for an administrator it is possible to manually edit the `/etc/group` file and create a duplicated GID entry.
      remediation: |
        Based on the results of the query output, establish unique GIDs and review all files owned by the shared GID to determine which group they are supposed to belong to.
  - uid: mondoo-linux-security-no-duplicate-group-names-exist
    title: Ensure no duplicate group names exist
    impact: 80
    mql: |
      groups.list.duplicates(name).none()
    docs:
      desc: |
        Each login name, each user ID (UID), and each group ID (GID) MUST ONLY be used once. Every user MUST be a member of at least one group. Every GID mentioned in the /etc/passwd file MUST be defined in the /etc/group file. Every group SHOULD only contain the users that are absolutely necessary. In networked systems, care MUST also be taken to ensure that user and group names (UIDs and GIDs) are assigned consistently in the system network if there is a possibility that the same UIDs or GIDs could be assigned to different user or group names on the systems during cross-system access.

        The `groupadd` program does not let you create a duplicate group name, but for an administrator it is possible to manually edit the `/etc/group` file and create a duplicated group name entry.
      remediation: |
        Based on the results of the query output, establish unique names for the user groups. File group ownerships will automatically reflect the change as long as the groups have unique GIDs.

        Run this command to set the new group name:

        ```
        groupmod -n <new group name> <old groupname>
        ```
  - uid: mondoo-linux-security-default-group-for-the-root-account-is-gid-0
    title: Ensure default group for the root account is GID 0
    impact: 80
    mql: |
      users.where(name == "root").list.all(gid == 0)
    docs:
      desc: |
        The usermod command can be used to specify which group the root user belongs to. This affects permissions of files that are created by the root user.
      remediation: |
        Run this command to set the `root` user default group to GID `0` :

        ```
        usermod -g 0 root
        ```
  - uid: mondoo-linux-security-each-user-member-of-a-group
    title: Ensure each user is a member of a group
    impact: 70
    mql: |
      users.list.all(gid != empty)
    docs:
      desc: |
        Each user MUST be a member of at least one group.
      remediation: |
        Based on the results of the query output, add the user to a primary group.

        Run this command to set the primary group of a user:

        ```
        usermod -G <primary group>
        ```
  - uid: mondoo-linux-security-gid-in-passwd-exists-in-group
    title: Ensure all GIDs in /etc/passwd exist in /etc/group
    impact: 80
    mql: |
      users.list.all(group != empty)
    docs:
      desc: |
        Every GID mentioned in the /etc/passwd file must be defined in the /etc/group file.
      remediation: |
        Based on the results of the query output, correct the GIDs in `/etc/passwd` and `/etc/group`.
  - uid: mondoo-linux-security-uid-min-is-set-to-1000
    title: Ensure UID_MIN is set to 1000
    impact: 60
    filters: |
      asset.kind != "container-image"
    mql: |
      logindefs.params{ _['UID_MIN'] == 1000 }
    docs:
      desc: |
        User ID or UID is used to identify a Linux user with an ID or number. The start number for newly created users can be set with this configuration.
      remediation: |
        Edit the `login.defs` file and set UID_MIN.

        ```
        sudo vim /etc/login.defs


        UID_MIN                  1000
        ```
  - uid: mondoo-linux-security-shadow-group-is-empty
    title: Ensure shadow group is empty
    impact: 80
    mql: |
      groups.where(name == "shadow").all(members.length == 0)
    docs:
      desc: The shadow group allows system programs or defined users the ability to read the `/etc/shadow` file. No users should be assigned to the shadow group.
      remediation: Remove all users from the shadow group in `/etc/group`, and change the primary group of any users with shadow as their primary group.
  - uid: mondoo-linux-security-root-group-is-empty
    title: Ensure root group is empty
    impact: 100
    mql: |
      groups.where(name == "root").all(members.length == 0)
    docs:
      desc: The root group allows system programs or defined users the ability to read and write configurations and files on the system. No users should be assigned to the root group.
      remediation: Remove all users from the shadow group in `/etc/group`, and change the primary group of any users with root as their primary group, except the root user.
  - uid: mondoo-linux-security-system-accounts-are-non-login
    title: Ensure system accounts are non-login
    impact: 70
    mql: |
      users.where( name != "root" && name != "sync" && name != "shutdown" && name != "halt" ).where( uid < 1000 ).list {
        shell == "/usr/bin/nologin" || shell == "/sbin/nologin" || shell == "/usr/sbin/nologin"
      }
    docs:
      desc: |
        There are a number of accounts on Linux systems that are used to manage applications and services. These accounts are not intended for interactive use and do not require a shell.
      remediation: |
        Set the shell for any accounts returned by the audit script to `/sbin/nologin`:

        ```
        usermod -s /sbin/nologin <em><user></em>
        ```

        The following script will automatically set all user shells required to `/sbin/nologin` and lock the `sync`, `shutdown`, and `halt` users:

        ```
        #!/bin/bash

        for user in `awk -F: '($3 < 1000) {print $1 }' /etc/passwd`; do
        if [ $user != "root" ]; then
          if [ "$(passwd -S $user| cut -d ' ' -f 2)" = "P" ]; then
            echo "Lock $user account"
            usermod -L $user
          fi
          if [ $user != "sync" ] && [ $user != "shutdown" ] && [ $user != "halt" ]; then
            echo "Set /sbin/nologin shell for user $user"
            usermod -s /sbin/nologin $user
          fi
        fi
        done
        ```

        nologin is a per-user method of disabling interactive logins (usually used for system accounts like http or ftp). nologin uses /etc/nologin.txt as an optional source for a non-default message, the login access is always refused independently of the file.
  - uid: mondoo-linux-security-access-to-the-su-command-is-restricted
    title: Ensure access to the su command is restricted
    impact: 80
    filters: | 
      asset.kind != "container-image"
    props:
      - uid: mondooLinuxSecuritySudoGroup
        title: Define the members of the sudo or wheel group
        mql: |
          return /root|ec2-user|centos|ubuntu|admin|mondoo/
    mql: |
      pam.conf.entries["/etc/pam.d/su"].where(pamType == "auth" && module == "pam_wheel.so").any(options.contains("use_uid"))
      groups.any(name == "wheel" || name == "sudo")
      groups.where(name == "wheel" || name == "sudo") {
        members {
          name
          name == props.mondooLinuxSecuritySudoGroup
        }
      }
    docs:
      desc: |
        The `su` command allows a user to run a command or shell as another user. Typically, the `su` command can be executed by any user, which is a security concern. Users should instead rely on the`sudo` command, which allows for more granular control over privileged access.
      audit: |
        Run this command and verify output includes matching line:

        ```
        # grep pam_wheel.so /etc/pam.d/su
        auth required pam_wheel.so use_uid
        ```

        Run this command and verify users in wheel group match site policy:

        ```
        # grep wheel /etc/group
        wheel:x:10:root,<user list>
        ```
      remediation: |
        Add the following line to the `/etc/pam.d/su` file:

        ```
        auth required pam_wheel.so use_uid
        ```

        If users need su access, add their username to the comma-separated list of users in the `wheel` group within the `/etc/group` file:

        ```
        wheel:x:10:root,<user list>
        ```
        NOTE: The users allowed in the wheel group are defined in the properties `props.mondooLinuxSecuritySudoGroup` field of this policy. By default the users "root", "ec2-user", "centos" and "ubuntu" are included. To include custom users you need to manually modify this policy. Otherwise the check will fail.

        If you want to lock down the use of the command `su` entirely instead, you need to create an empty group, for example `sugroup`:

        ```
        groupadd sugroup
        ```

        Then add the following line to the `/etc/pam.d/su` file:

        ```
        auth required pam_wheel.so use_uid group=sugroup
        ```