diff --git a/.gitignore b/.gitignore
index b512c09d4..1440f7b43 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1,55 @@
-node_modules
\ No newline at end of file
+# Byte-compiled / optimized / DLL files
+__pycache__/
+*.py[cod]
+
+# C extensions
+*.so
+
+# Distribution / packaging
+bin/
+build/
+develop-eggs/
+dist/
+eggs/
+lib/
+lib64/
+parts/
+sdist/
+var/
+*.egg-info/
+.installed.cfg
+*.egg
+
+# Installer logs
+pip-log.txt
+pip-delete-this-directory.txt
+
+# Unit test / coverage reports
+.tox/
+.coverage
+.cache
+nosetests.xml
+coverage.xml
+
+# Translations
+*.mo
+
+# Mr Developer
+.mr.developer.cfg
+.project
+.pydevproject
+
+# Rope
+.ropeproject
+
+# Django stuff:
+*.log
+*.pot
+
+# Sphinx documentation
+docs/_build/
+
+node_modules
+venv
+.DS_Store
+*.DS_Store**
diff --git a/SecurityGuidance.py b/SecurityGuidance.py
new file mode 100644
index 000000000..0e9c34c54
--- /dev/null
+++ b/SecurityGuidance.py
@@ -0,0 +1,470 @@ +from sqlalchemy import Column, Integer, String, Date, ForeignKey, Boolean, Float, Text +from sqlalchemy.orm import relationship +from sqlalchemy.ext.declarative import declarative_base +from sqlalchemy.orm import Session + +Base = declarative_base() + +class Artifact(Base): + """ + SQLAlchemy model class that represents the Artifact table. + + Attributes: + __tablename__ (str): The name of the table this class represents. + artifact_id (sqlalchemy.sql.schema.Column): The primary key column of the table. + type_id (sqlalchemy.sql.schema.Column): Foreign key column referencing the artifact_types table. + owner_id (sqlalchemy.sql.schema.Column): Foreign key column referencing the Organization table. + name (sqlalchemy.sql.schema.Column): Column for the name of the artifact. + location (sqlalchemy.sql.schema.Column): Column for the primary location of the artifact. + secondary_location (sqlalchemy.sql.schema.Column): Column for the secondary location of the artifact. + created_at (sqlalchemy.sql.schema.Column): Column for the creation date of the artifact. + raw_data (sqlalchemy.sql.schema.Column): Column for the raw data of the artifact. + """ + __tablename__ = "Artifact" + + artifact_id = Column(Integer, primary_key=True) + type_id = Column(Integer, ForeignKey("artifact_types.artifact_type_id")) + owner_id = Column(Integer, ForeignKey("Organization.organization_id")) + name = Column(String) + location = Column(String) + secondary_location = Column(String) + created_at = Column(Date) + raw_data = Column(Text) + +class Benchmarks(Base): + """ + SQLAlchemy model class that represents the Benchmarks table. + + Attributes: + __tablename__ (str): The name of the table this class represents. + benchmark_id (sqlalchemy.sql.schema.Column): The primary key column of the table. + version (sqlalchemy.sql.schema.Column): Column for the version of the benchmark. + release (sqlalchemy.sql.schema.Column): Column for the release of the benchmark. 
+ release_date (sqlalchemy.sql.schema.Column): Column for the release date of the benchmark. + type_id (sqlalchemy.sql.schema.Column): Foreign key column referencing the benchmark_type table. + product_id (sqlalchemy.sql.schema.Column): Foreign key column referencing the Products table. + author_id (sqlalchemy.sql.schema.Column): Foreign key column referencing the Organization table. + sponsor_id (sqlalchemy.sql.schema.Column): Foreign key column referencing the Organization table. + status_id (sqlalchemy.sql.schema.Column): Foreign key column referencing the Statuses table. + """ + __tablename__ = "Benchmarks" + + benchmark_id = Column(Integer, primary_key=True) + version = Column(Integer) + release = Column(Integer) + release_date = Column(Date) + type_id = Column(Integer, ForeignKey("benchmark_type.benchmark_type_id")) + product_id = Column(Integer, ForeignKey("Products.product_id")) + author_id = Column(Integer, ForeignKey("Organization.organization_id")) + sponsor_id = Column(Integer, ForeignKey("Organization.organization_id")) + status_id = Column(Integer, ForeignKey("Statuses.status_id")) + + +class Organization(Base): + """ + SQLAlchemy model class that represents the Organization table. + + Attributes: + __tablename__ (str): The name of the table this class represents. + organization_id (sqlalchemy.sql.schema.Column): The primary key column of the table. + long_name (sqlalchemy.sql.schema.Column): Column for the long name of the organization. + short_name (sqlalchemy.sql.schema.Column): Column for the short name of the organization. + uri (sqlalchemy.sql.schema.Column): Column for the URI of the organization. + """ + + __tablename__ = "Organization" + + organization_id = Column(Integer, primary_key=True) + long_name = Column(String) + short_name = Column(String) + uri = Column(String) + email = Column(String) + + +class Products(Base): + """ + SQLAlchemy model class that represents the Products table. 
+ + Attributes: + __tablename__ (str): The name of the table this class represents. + product_id (sqlalchemy.sql.schema.Column): The primary key column of the table. + long_name (sqlalchemy.sql.schema.Column): Column for the long name of the product. + short_name (sqlalchemy.sql.schema.Column): Column for the short name of the product. + version (sqlalchemy.sql.schema.Column): Column for the version of the product. + release (sqlalchemy.sql.schema.Column): Column for the release of the product. + owner_id (sqlalchemy.sql.schema.Column): Foreign key column referencing the Organization table. + """ + + __tablename__ = "Products" + + product_id = Column(Integer, primary_key=True) + long_name = Column(String) + short_name = Column(String) + version = Column(Float) + release = Column(Integer) + owner_id = Column(Integer, ForeignKey("Organization.organization_id")) + + +class ArtifactTypes(Base): + """ + SQLAlchemy model class that represents the artifact_types table. + + Attributes: + __tablename__ (str): The name of the table this class represents. + artifact_type_id (sqlalchemy.sql.schema.Column): The primary key column of the table. + type_name (sqlalchemy.sql.schema.Column): Column for the name of the artifact type. + description (sqlalchemy.sql.schema.Column): Column for the description of the artifact type. + """ + + __tablename__ = "artifact_types" + + artifact_type_id = Column(Integer, primary_key=True) + type_name = Column(String) + description = Column(Text) + + +class BenchmarkArtifacts(Base): + """ + SQLAlchemy model class that represents the benchmark_artifacts table. + + Attributes: + __tablename__ (str): The name of the table this class represents. + benchmark_id (sqlalchemy.sql.schema.Column): Foreign key column referencing the Benchmarks table, part of the composite primary key. + artifact_id (sqlalchemy.sql.schema.Column): Foreign key column referencing the Artifact table, part of the composite primary key. 
+ is_default (sqlalchemy.sql.schema.Column): Column indicating if the artifact is the default one for the benchmark. + """ + + __tablename__ = "benchmark_artifacts" + + benchmark_id = Column( + Integer, ForeignKey("Benchmarks.benchmark_id"), primary_key=True + ) + artifact_id = Column(Integer, ForeignKey("Artifact.artifact_id"), primary_key=True) + is_default = Column(Boolean) + + def add_benchmark_artifact: + + def update_benchmark_artifact: + + + +class BenchmarkType(Base): + """ + SQLAlchemy model class that represents the benchmark_type table. + + Attributes: + __tablename__ (str): The name of the table this class represents. + benchmark_type_id (sqlalchemy.sql.schema.Column): The primary key column of the table. + long_name (sqlalchemy.sql.schema.Column): Column for the long name of the benchmark type. + short_name (sqlalchemy.sql.schema.Column): Column for the short name of the benchmark type. + description (sqlalchemy.sql.schema.Column): Column for the description of the benchmark type. + """ + + __tablename__ = "benchmark_type" + + benchmark_type_id = Column(Integer, primary_key=True) + long_name = Column(String) + short_name = Column(String) + description = Column(Text) + + +class SecurityGuidance: + @staticmethod + def get_column_by_id(session, Table, Column, id): + """ + This function retrieves a specific column value for a record in a table, given the record's ID. + + Args: + session (sqlalchemy.orm.Session): The session object used to execute database queries. + Table (sqlalchemy.ext.declarative.api.DeclarativeMeta): The SQLAlchemy model class representing the table. + Column (sqlalchemy.sql.schema.Column): The column in the table that you want to retrieve. + id (int): The ID of the record you want to retrieve. + + Returns: + Any: The value of the specified column for the record with the given ID. If no such record exists, returns None. 
+ + Usage: + from sqlalchemy.orm import Session + # create a new session + session = Session() + # get the name of the status with ID 1 + name = SecurityGuidanceUtils.get_column_by_id(session, Statuses, Statuses.name, 1) + print(name) + """ + result = session.query(Column).filter(Table.status_id == id).first() + if result is not None: + return result[0] + else: + return None + + @staticmethod + def add_benchmark_artifact(session, benchmark_id, artifact_id, is_default): + """ + Adds a new benchmark artifact to the benchmark_artifacts table. + + Args: + session (sqlalchemy.orm.Session): The session object used to execute database queries. + benchmark_id (int): The ID of the benchmark. + artifact_id (int): The ID of the artifact. + is_default (bool): Whether the artifact is the default one for the benchmark. + + Returns: + None + """ + new_benchmark_artifact = BenchmarkArtifacts(benchmark_id=benchmark_id, artifact_id=artifact_id, is_default=is_default) + session.add(new_benchmark_artifact) + session.commit() + + @staticmethod + def update_benchmark_artifact(session, benchmark_id, artifact_id, is_default): + """ + Updates an existing benchmark artifact in the benchmark_artifacts table. + + Args: + session (sqlalchemy.orm.Session): The session object used to execute database queries. + benchmark_id (int): The ID of the benchmark. + artifact_id (int): The ID of the artifact. + is_default (bool): Whether the artifact is the default one for the benchmark. + + Returns: + None + """ + benchmark_artifact = session.query(BenchmarkArtifacts).filter_by(benchmark_id=benchmark_id, artifact_id=artifact_id).first() + if benchmark_artifact is not None: + benchmark_artifact.is_default = is_default + session.commit() + + @staticmethod + def create_artifact(session: Session, type_id: int, owner_id: int, name: str, location: str, secondary_location: str, created_at: date, raw_data: str): + """ + Creates a new Artifact and adds it to the database. 
+ + Args: + session (Session): The session to use for database operations. + type_id (int): The ID of the artifact type. + owner_id (int): The ID of the owner of the artifact. + name (str): The name of the artifact. + location (str): The primary location of the artifact. + secondary_location (str): The secondary location of the artifact. + created_at (date): The date the artifact was created. + raw_data (str): The raw data of the artifact. + + Returns: + None + """ + artifact = Artifact(type_id=type_id, owner_id=owner_id, name=name, location=location, secondary_location=secondary_location, created_at=created_at, raw_data=raw_data) + session.add(artifact) + session.commit() + + def get_artifact_by_id(session: Session, artifact_id: int): + """ + Retrieves an Artifact from the database by its ID. + + Args: + session (Session): The session to use for database operations. + artifact_id (int): The ID of the artifact to retrieve. + + Returns: + Artifact: The retrieved Artifact, or None if no Artifact with the given ID exists. + """ + return session.query(Artifact).filter(Artifact.artifact_id == artifact_id).first() + + def create_benchmark(session: Session, version: int, release: int, release_date: date, type_id: int, product_id: int, author_id: int, sponsor_id: int, status_id: int): + """ + Creates a new Benchmark and adds it to the database. + + Args: + session (Session): The session to use for database operations. + version (int): The version of the benchmark. + release (int): The release of the benchmark. + release_date (date): The release date of the benchmark. + type_id (int): The ID of the benchmark type. + product_id (int): The ID of the product associated with the benchmark. + author_id (int): The ID of the author of the benchmark. + sponsor_id (int): The ID of the sponsor of the benchmark. + status_id (int): The ID of the status of the benchmark. 
+ + Returns: + None + """ + benchmark = Benchmarks(version=version, release=release, release_date=release_date, type_id=type_id, product_id=product_id, author_id=author_id, sponsor_id=sponsor_id, status_id=status_id) + session.add(benchmark) + session.commit() + + def get_benchmark_by_id(session: Session, benchmark_id: int): + """ + Retrieves a Benchmark from the database by its ID. + + Args: + session (Session): The session to use for database operations. + benchmark_id (int): The ID of the benchmark to retrieve. + + Returns: + Benchmarks: The retrieved Benchmark, or None if no Benchmark with the given ID exists. + """ + return session.query(Benchmarks).filter(Benchmarks.benchmark_id == benchmark_id).first() + + def create_organization(session: Session, long_name: str, short_name: str, uri: str, email: str): + """ + Creates a new Organization and adds it to the database. + + Args: + session (Session): The session to use for database operations. + long_name (str): The long name of the organization. + short_name (str): The short name of the organization. + uri (str): The URI of the organization. + email (str): The email of the organization. + + Returns: + None + """ + organization = Organization(long_name=long_name, short_name=short_name, uri=uri, email=email) + session.add(organization) + session.commit() + + def get_organization_by_id(session: Session, organization_id: int): + """ + Retrieves an Organization from the database by its ID. + + Args: + session (Session): The session to use for database operations. + organization_id (int): The ID of the organization to retrieve. + + Returns: + Organization: The retrieved Organization, or None if no Organization with the given ID exists. + """ + return session.query(Organization).filter(Organization.organization_id == organization_id).first() + + def create_product(session: Session, long_name: str, short_name: str, version: float, release: int, owner_id: int): + """ + Creates a new Product and adds it to the database. 
+ + Args: + session (Session): The session to use for database operations. + long_name (str): The long name of the product. + short_name (str): The short name of the product. + version (float): The version of the product. + release (int): The release of the product. + owner_id (int): The ID of the owner of the product. + + Returns: + None + """ + product = Products(long_name=long_name, short_name=short_name, version=version, release=release, owner_id=owner_id) + session.add(product) + session.commit() + + def get_product_by_id(session: Session, product_id: int): + """ + Retrieves a Product from the database by its ID. + + Args: + session (Session): The session to use for database operations. + product_id (int): The ID of the product to retrieve. + + Returns: + Products: The retrieved Product, or None if no Product with the given ID exists. + """ + return session.query(Products).filter(Products.product_id == product_id).first() + + def create_artifact_type(session: Session, type_name: str, description: str): + """ + Creates a new ArtifactType and adds it to the database. + + Args: + session (Session): The session to use for database operations. + type_name (str): The name of the artifact type. + description (str): The description of the artifact type. + + Returns: + None + """ + artifact_type = ArtifactTypes(type_name=type_name, description=description) + session.add(artifact_type) + session.commit() + + def get_artifact_type_by_id(session: Session, artifact_type_id: int): + """ + Retrieves an ArtifactType from the database by its ID. + + Args: + session (Session): The session to use for database operations. + artifact_type_id (int): The ID of the artifact type to retrieve. + + Returns: + ArtifactTypes: The retrieved ArtifactType, or None if no ArtifactType with the given ID exists. 
+ """ + return session.query(ArtifactTypes).filter(ArtifactTypes.artifact_type_id == artifact_type_id).first() + + def create_benchmark_artifact(session: Session, benchmark_id: int, artifact_id: int, is_default: bool): + """ + Creates a new BenchmarkArtifact and adds it to the database. + + Args: + session (Session): The session to use for database operations. + benchmark_id (int): The ID of the benchmark. + artifact_id (int): The ID of the artifact. + is_default (bool): Whether the artifact is the default one for the benchmark. + + Returns: + None + """ + benchmark_artifact = BenchmarkArtifacts(benchmark_id=benchmark_id, artifact_id=artifact_id, is_default=is_default) + session.add(benchmark_artifact) + session.commit() + + def get_benchmark_artifact_by_ids(session: Session, benchmark_id: int, artifact_id: int): + """ + Retrieves a BenchmarkArtifact from the database by its benchmark and artifact IDs. + + Args: + session (Session): The session to use for database operations. + benchmark_id (int): The ID of the benchmark. + artifact_id (int): The ID of the artifact. + + Returns: + BenchmarkArtifacts: The retrieved BenchmarkArtifact, or None if no BenchmarkArtifact with the given IDs exists. + """ + return session.query(BenchmarkArtifacts).filter(BenchmarkArtifacts.benchmark_id == benchmark_id, BenchmarkArtifacts.artifact_id == artifact_id).first() + + def create_benchmark_type(session: Session, long_name: str, short_name: str, description: str): + """ + Creates a new BenchmarkType and adds it to the database. + + Args: + session (Session): The session to use for database operations. + long_name (str): The long name of the benchmark type. + short_name (str): The short name of the benchmark type. + description (str): The description of the benchmark type. 
+ + Returns: + None + """ + benchmark_type = BenchmarkType(long_name=long_name, short_name=short_name, description=description) + session.add(benchmark_type) + session.commit() + + def get_benchmark_type_by_id(session: Session, benchmark_type_id: int): + """ + Retrieves a BenchmarkType from the database by its ID. + + Args: + session (Session): The session to use for database operations. + benchmark_type_id (int): The ID of the benchmark type to retrieve. + + Returns: + BenchmarkType: The retrieved BenchmarkType, or None if no BenchmarkType with the given ID exists. + + Usage: + from sqlalchemy.orm import Session + from models import BenchmarkType + + session = Session() + benchmark_type_id = 1 + benchmark_type = get_benchmark_type_by_id(session, benchmark_type_id) + if benchmark_type is not None: + print(f"Retrieved benchmark type: {benchmark_type.long_name}") + else: + print("No benchmark type found with the given ID.") + """ + return session.query(BenchmarkType).filter(BenchmarkType.benchmark_type_id == benchmark_type_id).first() diff --git a/benchmarks/DISA/U_CAN_Ubuntu_20-04_LTS_STIG_V1R6_Manual-xccdf.xml b/benchmarks/DISA/U_CAN_Ubuntu_20-04_LTS_STIG_V1R6_Manual-xccdf.xml index cda96ea9c..84d0f8066 100644 --- a/benchmarks/DISA/U_CAN_Ubuntu_20-04_LTS_STIG_V1R6_Manual-xccdf.xml +++ b/benchmarks/DISA/U_CAN_Ubuntu_20-04_LTS_STIG_V1R6_Manual-xccdf.xml 
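Review bot: The two stubs `def add_benchmark_artifact:` and `def update_benchmark_artifact:` inside `BenchmarkArtifacts` have no parameter list and no body, so the whole module fails to import with a SyntaxError; drop them, since `SecurityGuidance.add_benchmark_artifact` and `update_benchmark_artifact` already implement that logic. The annotations `created_at: date` and `release_date: date` on `create_artifact` and `create_benchmark` reference a name the file never imports, which raises NameError at class-definition time once the syntax error is fixed — add `from datetime import date` next to the sqlalchemy imports. `get_column_by_id` is documented as a generic lookup but filters on `Table.status_id == id`, so it only works for a table that has that column (the `Statuses` model in its usage example is not defined in this file), and its `Column` and `id` parameters shadow the imported `Column` and the builtin; filter on the mapped primary key instead, e.g. `result = session.query(Column).filter(inspect(Table).primary_key[0] == id).first()` with `from sqlalchemy import inspect`. The methods from `get_artifact_by_id` onward lack the `@staticmethod` the earlier ones carry, so calling them on an instance would pass the instance as `session`. Every `create_*` method calls `session.commit()` with no error handling, and a failed commit leaves the session needing `session.rollback()` before it can be reused, so consider wrapping each `session.add`/`session.commit` pair in a try/except that rolls back and re-raises.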
@@ -1,14 +1,1593 @@ -acceptedCanonical Ubuntu 20.04 LTS Security Technical Implementation GuideThis Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.DISASTIG.DOD.MILRelease: 6 Benchmark Date: 27 Oct 20223.4.0.342221.10.01I - Mission Critical Classified<ProfileDescription></ProfileDescription>I - Mission Critical Sensitive<ProfileDescription></ProfileDescription>II - Mission Support Public<ProfileDescription></ProfileDescription>III - Administrative Classified<ProfileDescription></ProfileDescription>III - Administrative Sensitive<ProfileDescription></ProfileDescription> + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + I - Mission Critical Public + <ProfileDescription></ProfileDescription> + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + II - Mission Support Classified + <ProfileDescription></ProfileDescription> + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + II - Mission Support Sensitive + <ProfileDescription></ProfileDescription> + + + + + + + 
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + III - Administrative Public + <ProfileDescription></ProfileDescription> + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + SRG-OS-000002-GPOS-00002 + <GroupDescription></GroupDescription> + + UBTU-20-010000 + The Ubuntu operating system must provision temporary user accounts with an expiration time of 72 hours or less. + <VulnDiscussion>If temporary user accounts remain active when no longer needed or for an excessive period, these accounts may be used to gain unauthorized access. To mitigate this risk, automated termination of all temporary accounts must be set upon account creation. Temporary accounts are established as part of normal account activation procedures when there is a need for short-term accounts without the demand for immediacy in account activation. If temporary accounts are used, the operating system must be configured to automatically terminate these types of accounts after a DoD-defined time period of 72 hours. 
-To address access requirements, many operating systems may be integrated with enterprise-level authentication/access mechanisms that meet or exceed access control policy requirements.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 20.04 LTSDISADPMS TargetCanonical Ubuntu 20.04 LTS5318CCI-000016If a temporary account must be created, configure the system to terminate the account after a 72-hour time period with the following command to set an expiration date on it. +To address access requirements, many operating systems may be integrated with enterprise-level authentication/access mechanisms that meet or exceed access control policy requirements.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Canonical Ubuntu 20.04 LTS + DISA + DPMS Target + Canonical Ubuntu 20.04 LTS + 5318 + + CCI-000016 + If a temporary account must be created, configure the system to terminate the account after a 72-hour time period with the following command to set an expiration date on it. Substitute "system_account_name" with the account to be created. -$ sudo chage -E $(date -d "+3 days" +%F) system_account_nameVerify that the Ubuntu operating system expires temporary user accounts within 72 hours or less. 
+$ sudo chage -E $(date -d "+3 days" +%F) system_account_name + + + + Verify that the Ubuntu operating system expires temporary user accounts within 72 hours or less. For every existing temporary account, run the following command to obtain its account expiration information: @@ -19,7 +1598,17 @@ Account expires : Aug 07, 2019 Verify that each of these accounts has an expiration date set within 72 hours of account creation. -If any temporary account does not expire within 72 hours of that account's creation, this is a finding.SRG-OS-000023-GPOS-00006<GroupDescription></GroupDescription>UBTU-20-010002The Ubuntu operating system must enable the graphical user logon banner to display the Standard Mandatory DoD Notice and Consent Banner before granting local access to the system via a graphical user logon.<VulnDiscussion>Display of a standardized and approved use notification before granting access to the Ubuntu operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. +If any temporary account does not expire within 72 hours of that account's creation, this is a finding. + + + + + SRG-OS-000023-GPOS-00006 + <GroupDescription></GroupDescription> + + UBTU-20-010002 + The Ubuntu operating system must enable the graphical user logon banner to display the Standard Mandatory DoD Notice and Consent Banner before granting local access to the system via a graphical user logon. + <VulnDiscussion>Display of a standardized and approved use notification before granting access to the Ubuntu operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. System use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist. 
@@ -41,30 +1630,49 @@ By using this IS (which includes any device attached to this IS), you consent to Use the following verbiage for operating systems that have severe limitations on the number of characters that can be displayed in the banner: -"I've read & consent to terms in IS user agreem't."</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 20.04 LTSDISADPMS TargetCanonical Ubuntu 20.04 LTS5318CCI-000048Edit the "/etc/gdm3/greeter.dconf-defaults" file. +"I've read & consent to terms in IS user agreem't."</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Canonical Ubuntu 20.04 LTS + DISA + DPMS Target + Canonical Ubuntu 20.04 LTS + 5318 + + CCI-000048 + Edit the "/etc/gdm3/greeter.dconf-defaults" file. Look for the "banner-message-enable" parameter under the "[org/gnome/login-screen]" section and uncomment it (remove the leading "#" characters): Note: The lines are all near the bottom of the file but not adjacent to each other. 
-[org/gnome/login-screen] - -banner-message-enable=true +[org/gnome/login-screen] banner-message-enable=true Update the GDM with the new configuration: $ sudo dconf update -$ sudo systemctl restart gdm3Verify the Ubuntu operating system is configured to display the Standard Mandatory DoD Notice and Consent Banner before granting access to the operating system via a graphical user logon. +$ sudo systemctl restart gdm3 + + + + Verify the Ubuntu operating system is configured to display the Standard Mandatory DoD Notice and Consent Banner before granting access to the operating system via a graphical user logon. Note: If the system does not have a graphical user interface installed, this requirement is Not Applicable. Check that the operating banner message for the graphical user logon is enabled with the following command: -$ grep ^banner-message-enable /etc/gdm3/greeter.dconf-defaults - -banner-message-enable=true +$ grep ^banner-message-enable /etc/gdm3/greeter.dconf-defaults banner-message-enable=true -If the line is commented out or set to "false", this is a finding.SRG-OS-000023-GPOS-00006<GroupDescription></GroupDescription>UBTU-20-010003The Ubuntu operating system must display the Standard Mandatory DoD Notice and Consent Banner before granting local access to the system via a graphical user logon.<VulnDiscussion>Display of a standardized and approved use notification before granting access to the Ubuntu operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. +If the line is commented out or set to "false", this is a finding. + + + + + SRG-OS-000023-GPOS-00006 + <GroupDescription></GroupDescription> + + UBTU-20-010003 + The Ubuntu operating system must display the Standard Mandatory DoD Notice and Consent Banner before granting local access to the system via a graphical user logon. 
+ <VulnDiscussion>Display of a standardized and approved use notification before granting access to the Ubuntu operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. System use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist. 
@@ -86,38 +1694,71 @@ By using this IS (which includes any device attached to this IS), you consent to Use the following verbiage for operating systems that have severe limitations on the number of characters that can be displayed in the banner: -"I've read & consent to terms in IS user agreem't."</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 20.04 LTSDISADPMS TargetCanonical Ubuntu 20.04 LTS5318CCI-000048Edit the "/etc/gdm3/greeter.dconf-defaults" file. - -Set the "banner-message-text" line to contain the appropriate banner message text as shown below: +"I've read & consent to terms in IS user agreem't."</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Canonical Ubuntu 20.04 LTS + DISA + DPMS Target + Canonical Ubuntu 20.04 LTS + 5318 + + CCI-000048 + Edit the "/etc/gdm3/greeter.dconf-defaults" file. -banner-message-text='You are accessing a U.S. 
Government (USG) Information System (IS) that is provided for USG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\n\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may inspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.' +Set the "banner-message-text" line to contain the appropriate banner message text as shown below: banner-message-text='You are accessing a U.S. 
Government (USG) Information System (IS) that is provided for USG-authorized use only.\n\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\n\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n\n-At any time, the USG may inspect and seize data stored on this IS.\n\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.' Update the GDM with the new configuration: $ sudo dconf update -$ sudo systemctl restart gdm3Verify the Ubuntu operating system displays the Standard Mandatory DoD Notice and Consent Banner before granting access to the operating system via a graphical user logon. +$ sudo systemctl restart gdm3 + + + + Verify the Ubuntu operating system displays the Standard Mandatory DoD Notice and Consent Banner before granting access to the operating system via a graphical user logon. Note: If the system does not have a graphical user interface installed, this requirement is Not Applicable. 
Verify the operating system displays the exact approved Standard Mandatory DoD Notice and Consent Banner text with the command: -$ grep ^banner-message-text /etc/gdm3/greeter.dconf-defaults +$ grep ^banner-message-text /etc/gdm3/greeter.dconf-defaults banner-message-text="You are accessing a U.S. Government \(USG\) Information System \(IS\) that is provided for USG-authorized use only.\s+By using this IS \(which includes any device attached to this IS\), you consent to the following conditions:\s+-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct \(PM\), law enforcement \(LE\), and counterintelligence \(CI\) investigations.\s+-At any time, the USG may inspect and seize data stored on this IS.\s+-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\s+-This IS includes security measures \(e.g., authentication and access controls\) to protect USG interests--not for your personal benefit or privacy.\s+-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." -banner-message-text="You are accessing a U.S. 
Government \(USG\) Information System \(IS\) that is provided for USG-authorized use only.\s+By using this IS \(which includes any device attached to this IS\), you consent to the following conditions:\s+-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct \(PM\), law enforcement \(LE\), and counterintelligence \(CI\) investigations.\s+-At any time, the USG may inspect and seize data stored on this IS.\s+-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\s+-This IS includes security measures \(e.g., authentication and access controls\) to protect USG interests--not for your personal benefit or privacy.\s+-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." - -If the banner-message-text is missing, commented out, or does not match the Standard Mandatory DoD Notice and Consent Banner exactly, this is a finding.SRG-OS-000028-GPOS-00009<GroupDescription></GroupDescription>UBTU-20-010004The Ubuntu operating system must retain a user's session lock until that user reestablishes access using established identification and authentication procedures.<VulnDiscussion>A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence. 
+If the banner-message-text is missing, commented out, or does not match the Standard Mandatory DoD Notice and Consent Banner exactly, this is a finding. + + + + + SRG-OS-000028-GPOS-00009 + <GroupDescription></GroupDescription> + + UBTU-20-010004 + The Ubuntu operating system must retain a user's session lock until that user reestablishes access using established identification and authentication procedures. + <VulnDiscussion>A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence. The session lock is implemented at the point where session activity can be determined. Regardless of where the session lock is determined and implemented, once invoked, a session lock of the Ubuntu operating system must remain in place until the user reauthenticates. No other activity aside from reauthentication must unlock the system. -Satisfies: SRG-OS-000028-GPOS-00009, SRG-OS-000029-GPOS-00010</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 20.04 LTSDISADPMS TargetCanonical Ubuntu 20.04 LTS5318CCI-000056CCI-000057Configure the Ubuntu operating system to allow a user to lock the current graphical user interface session. 
+Satisfies: SRG-OS-000028-GPOS-00009, SRG-OS-000029-GPOS-00010</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Canonical Ubuntu 20.04 LTS + DISA + DPMS Target + Canonical Ubuntu 20.04 LTS + 5318 + + CCI-000056 + CCI-000057 + Configure the Ubuntu operating system to allow a user to lock the current graphical user interface session. Note: If the Ubuntu operating system does not have a graphical user interface installed, this requirement is Not Applicable. Set the "lock-enabled" setting to allow graphical user interface session locks with the following command: -$ sudo gsettings set org.gnome.desktop.screensaver lock-enabled trueVerify the Ubuntu operation system has a graphical user interface session lock enabled. +$ sudo gsettings set org.gnome.desktop.screensaver lock-enabled true + + + + Verify the Ubuntu operation system has a graphical user interface session lock enabled. Note: If the Ubuntu operating system does not have a graphical user interface installed, this requirement is Not Applicable. 
@@ -127,47 +1768,159 @@ $ sudo gsettings get org.gnome.desktop.screensaver lock-enabled true -If "lock-enabled" is not set to "true", this is a finding.SRG-OS-000030-GPOS-00011<GroupDescription></GroupDescription>UBTU-20-010005The Ubuntu operating system must allow users to directly initiate a session lock for all connection types.<VulnDiscussion>A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence. +If "lock-enabled" is not set to "true", this is a finding. + + + + + SRG-OS-000030-GPOS-00011 + <GroupDescription></GroupDescription> + + UBTU-20-010005 + The Ubuntu operating system must allow users to directly initiate a session lock for all connection types. + <VulnDiscussion>A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence. The session lock is implemented at the point where session activity can be determined. Rather than be forced to wait for a period of time to expire before the user session can be locked, the Ubuntu operating systems need to provide users with the ability to manually invoke a session lock so users may secure their session if they need to temporarily vacate the immediate physical vicinity. 
-Satisfies: SRG-OS-000030-GPOS-00011, SRG-OS-000031-GPOS-00012</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 20.04 LTSDISADPMS TargetCanonical Ubuntu 20.04 LTS5318CCI-000058CCI-000060Install the "vlock" package (if it is not already installed) by running the following command: - -$ sudo apt-get install vlockVerify the Ubuntu operating system has the "vlock" package installed by running the following command: +Satisfies: SRG-OS-000030-GPOS-00011, SRG-OS-000031-GPOS-00012</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Canonical Ubuntu 20.04 LTS + DISA + DPMS Target + Canonical Ubuntu 20.04 LTS + 5318 + + CCI-000058 + CCI-000060 + Install the "vlock" package (if it is not already installed) by running the following command: + +$ sudo apt-get install vlock + + + + Verify the Ubuntu operating system has the "vlock" package installed by running the following command: $ dpkg -l | grep vlock -If "vlock" is not installed, this is a finding.SRG-OS-000068-GPOS-00036<GroupDescription></GroupDescription>UBTU-20-010006The Ubuntu operating system must map the authenticated identity to the user or group account for PKI-based authentication.<VulnDiscussion>Without mapping the certificate used to authenticate to the user account, the ability to determine the identity of the individual user or group will not be 
available for forensic analysis.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 20.04 LTSDISADPMS TargetCanonical Ubuntu 20.04 LTS5318CCI-000187Set "use_mappers=pwent" in "/etc/pam_pkcs11/pam_pkcs11.conf" or, if there is already a comma-separated list of mappers, add it to the list, separated by comma, and before the null mapper. - -If the system is missing an "/etc/pam_pkcs11/" directory and an "/etc/pam_pkcs11/pam_pkcs11.conf", find an example to copy into place and modify accordingly at "/usr/share/doc/libpam-pkcs11/examples/pam_pkcs11.conf.example.gz".Verify that "use_mappers" is set to "pwent" in "/etc/pam_pkcs11/pam_pkcs11.conf" file: +If "vlock" is not installed, this is a finding. + + + + + SRG-OS-000068-GPOS-00036 + <GroupDescription></GroupDescription> + + UBTU-20-010006 + The Ubuntu operating system must map the authenticated identity to the user or group account for PKI-based authentication. 
+ <VulnDiscussion>Without mapping the certificate used to authenticate to the user account, the ability to determine the identity of the individual user or group will not be available for forensic analysis.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Canonical Ubuntu 20.04 LTS + DISA + DPMS Target + Canonical Ubuntu 20.04 LTS + 5318 + + CCI-000187 + Set "use_mappers=pwent" in "/etc/pam_pkcs11/pam_pkcs11.conf" or, if there is already a comma-separated list of mappers, add it to the list, separated by comma, and before the null mapper. + +If the system is missing an "/etc/pam_pkcs11/" directory and an "/etc/pam_pkcs11/pam_pkcs11.conf", find an example to copy into place and modify accordingly at "/usr/share/doc/libpam-pkcs11/examples/pam_pkcs11.conf.example.gz". + + + + Verify that "use_mappers" is set to "pwent" in "/etc/pam_pkcs11/pam_pkcs11.conf" file: $ grep use_mappers /etc/pam_pkcs11/pam_pkcs11.conf use_mappers = pwent -If "use_mappers" is not found or the list does not contain "pwent" this is a finding.SRG-OS-000075-GPOS-00043<GroupDescription></GroupDescription>UBTU-20-010007The Ubuntu operating system must enforce 24 hours/1 day as the minimum password lifetime. Passwords for new users must have a 24 hours/1 day minimum password lifetime restriction.<VulnDiscussion>Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. 
If users are allowed to immediately and continually change their password, then the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 20.04 LTSDISADPMS TargetCanonical Ubuntu 20.04 LTS5318CCI-000198Configure the Ubuntu operating system to enforce a 24 hours/1 day minimum password lifetime. +If "use_mappers" is not found or the list does not contain "pwent" this is a finding. + + + + + SRG-OS-000075-GPOS-00043 + <GroupDescription></GroupDescription> + + UBTU-20-010007 + The Ubuntu operating system must enforce 24 hours/1 day as the minimum password lifetime. Passwords for new users must have a 24 hours/1 day minimum password lifetime restriction. + <VulnDiscussion>Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. 
If users are allowed to immediately and continually change their password, then the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Canonical Ubuntu 20.04 LTS + DISA + DPMS Target + Canonical Ubuntu 20.04 LTS + 5318 + + CCI-000198 + Configure the Ubuntu operating system to enforce a 24 hours/1 day minimum password lifetime. Add or modify the following line in the "/etc/login.defs" file: -PASS_MIN_DAYS 1Verify the Ubuntu operating system enforces a 24 hours/1 day minimum password lifetime for new user accounts by running the following command: +PASS_MIN_DAYS 1 + + + + Verify the Ubuntu operating system enforces a 24 hours/1 day minimum password lifetime for new user accounts by running the following command: $ grep -i ^pass_min_days /etc/login.defs PASS_MIN_DAYS 1 -If the "PASS_MIN_DAYS" parameter value is less than "1" or is commented out, this is a finding.SRG-OS-000076-GPOS-00044<GroupDescription></GroupDescription>UBTU-20-010008The Ubuntu operating system must enforce a 60-day maximum password lifetime restriction. Passwords for new users must have a 60-day maximum password lifetime restriction.<VulnDiscussion>Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. 
If the operating system does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the operating system passwords could be compromised.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 20.04 LTSDISADPMS TargetCanonical Ubuntu 20.04 LTS5318CCI-000199Configure the Ubuntu operating system to enforce a 60-day maximum password lifetime. +If the "PASS_MIN_DAYS" parameter value is less than "1" or is commented out, this is a finding. + + + + + SRG-OS-000076-GPOS-00044 + <GroupDescription></GroupDescription> + + UBTU-20-010008 + The Ubuntu operating system must enforce a 60-day maximum password lifetime restriction. Passwords for new users must have a 60-day maximum password lifetime restriction. + <VulnDiscussion>Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If the operating system does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the operating system passwords could be compromised.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Canonical Ubuntu 20.04 LTS + DISA + DPMS Target + Canonical Ubuntu 20.04 LTS + 5318 + + CCI-000199 + Configure the Ubuntu operating system to enforce a 60-day maximum password lifetime. 
Add or modify the following line in the "/etc/login.defs" file: -PASS_MAX_DAYS 60Verify the Ubuntu operating system enforces a 60-day maximum password lifetime for new user accounts by running the following command: +PASS_MAX_DAYS 60 + + + + Verify the Ubuntu operating system enforces a 60-day maximum password lifetime for new user accounts by running the following command: $ grep -i ^pass_max_days /etc/login.defs PASS_MAX_DAYS 60 -If the "PASS_MAX_DAYS" parameter value is less than "60" or is commented out, this is a finding.SRG-OS-000080-GPOS-00048<GroupDescription></GroupDescription>UBTU-20-010009Ubuntu operating systems when booted must require authentication upon booting into single-user and maintenance modes.<VulnDiscussion>To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods that do not rely solely on the possession of a certificate for access. +If the "PASS_MAX_DAYS" parameter value is less than "60" or is commented out, this is a finding. + + + + + SRG-OS-000080-GPOS-00048 + <GroupDescription></GroupDescription> + + UBTU-20-010009 + Ubuntu operating systems when booted must require authentication upon booting into single-user and maintenance modes. + <VulnDiscussion>To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods that do not rely solely on the possession of a certificate for access. Successful authentication must not automatically give an entity access to an asset or security boundary. Authorization procedures and controls must be implemented to ensure each authenticated entity also has a validated and current authorization. 
Authorization is the process of determining whether an entity, once authenticated, is permitted to access a specific asset. Information systems use access control policies and enforcement mechanisms to implement this requirement. -Access control policies include identity-based policies, role-based policies, and attribute-based policies. Access enforcement mechanisms include access control lists, access control matrices, and cryptography. These policies and mechanisms must be employed by the application to control access between users (or processes acting on behalf of users) and objects (e.g., devices, files, records, processes, programs, and domains) in the information system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 20.04 LTSDISADPMS TargetCanonical Ubuntu 20.04 LTS5318CCI-000213Configure the system to require a password for authentication upon booting into single-user and maintenance modes. +Access control policies include identity-based policies, role-based policies, and attribute-based policies. Access enforcement mechanisms include access control lists, access control matrices, and cryptography. 
These policies and mechanisms must be employed by the application to control access between users (or processes acting on behalf of users) and objects (e.g., devices, files, records, processes, programs, and domains) in the information system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Canonical Ubuntu 20.04 LTS + DISA + DPMS Target + Canonical Ubuntu 20.04 LTS + 5318 + + CCI-000213 + Configure the system to require a password for authentication upon booting into single-user and maintenance modes. Generate an encrypted (grub) password for root with the following command: 
@@ -184,13 +1937,27 @@ where <hash> is the hash generated by grub-mkpasswd-pbkdf2 command. Generate an updated "grub.conf" file with the new password by using the following command: -$ sudo update-grubRun the following command to verify the encrypted password is set: +$ sudo update-grub + + + + Run the following command to verify the encrypted password is set: $ sudo grep -i password /boot/grub/grub.cfg password_pbkdf2 root grub.pbkdf2.sha512.10000.MFU48934NJA87HF8NSD34493GDHF84NG -If the root password entry does not begin with "password_pbkdf2", this is a finding.SRG-OS-000104-GPOS-00051<GroupDescription></GroupDescription>UBTU-20-010010The Ubuntu operating system must uniquely identify interactive users.<VulnDiscussion>To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and compromise of the system. +If the root password entry does not begin with "password_pbkdf2", this is a finding. + + + + + SRG-OS-000104-GPOS-00051 + <GroupDescription></GroupDescription> + + UBTU-20-010010 + The Ubuntu operating system must uniquely identify interactive users. + <VulnDiscussion>To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and compromise of the system. Organizational users include organizational employees or individuals the organization deems to have equivalent status of employees (e.g., contractors). Organizational users (and processes acting on behalf of users) must be uniquely identified and authenticated to all accesses, except for the following: 
@@ -198,65 +1965,167 @@ Organizational users include organizational employees or individuals the organiz 2) Accesses that occur through authorized use of group authenticators without individual authentication. Organizations may require unique identification of individuals in group accounts (e.g., shared privilege accounts) or for detailed accountability of individual activity. -Satisfies: SRG-OS-000104-GPOS-00051, SRG-OS-000121-GPOS-00062</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 20.04 LTSDISADPMS TargetCanonical Ubuntu 20.04 LTS5318CCI-000764CCI-000804Edit the file "/etc/passwd" and provide each interactive user account that has a duplicate UID with a unique UID.Verify the Ubuntu operating system contains no duplicate User IDs (UIDs) for interactive users with the following command: +Satisfies: SRG-OS-000104-GPOS-00051, SRG-OS-000121-GPOS-00062</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Canonical Ubuntu 20.04 LTS + DISA + DPMS Target + Canonical Ubuntu 20.04 LTS + 5318 + + CCI-000764 + CCI-000804 + Edit the file "/etc/passwd" and provide each interactive user account that has a duplicate UID with a unique UID. 
+ + + + Verify the Ubuntu operating system contains no duplicate User IDs (UIDs) for interactive users with the following command: $ awk -F ":" 'list[$3]++{print $1, $3}' /etc/passwd -If output is produced and the accounts listed are interactive user accounts, this is a finding.SRG-OS-000134-GPOS-00068<GroupDescription></GroupDescription>UBTU-20-010012The Ubuntu operating system must ensure only users who need access to security functions are part of sudo group.<VulnDiscussion>An isolation boundary provides access control and protects the integrity of the hardware, software, and firmware that perform security functions. +If output is produced and the accounts listed are interactive user accounts, this is a finding. + + + + + SRG-OS-000134-GPOS-00068 + <GroupDescription></GroupDescription> + + UBTU-20-010012 + The Ubuntu operating system must ensure only users who need access to security functions are part of sudo group. + <VulnDiscussion>An isolation boundary provides access control and protects the integrity of the hardware, software, and firmware that perform security functions. Security functions are the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Operating systems implement code separation (i.e., separation of security functions from nonsecurity functions) in a number of ways, including through the provision of security kernels via processor rings or processor modes. For non-kernel code, security function isolation is often achieved through file system protections that serve to protect the code on disk and address space protections that protect executing code. 
Developers and implementers can increase the assurance in security functions by employing well-defined security policy models; structured, disciplined, and rigorous hardware and software development techniques; and sound system/security engineering principles. Implementation may include isolation of memory space and libraries. -The Ubuntu operating system restricts access to security functions through the use of access control mechanisms and by implementing least privilege capabilities.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 20.04 LTSDISADPMS TargetCanonical Ubuntu 20.04 LTS5318CCI-001084Configure the sudo group with only members requiring access to security functions. +The Ubuntu operating system restricts access to security functions through the use of access control mechanisms and by implementing least privilege capabilities.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Canonical Ubuntu 20.04 LTS + DISA + DPMS Target + Canonical Ubuntu 20.04 LTS + 5318 + + CCI-001084 + Configure the sudo group with only members requiring access to security functions. To remove a user from the sudo group, run: -$ sudo gpasswd -d <username> sudoVerify the sudo group has only members who should have access to security functions. 
+$ sudo gpasswd -d <username> sudo + + + + Verify the sudo group has only members who should have access to security functions. $ grep sudo /etc/group sudo:x:27:foo -If the sudo group contains users not needing access to security functions, this is a finding.SRG-OS-000279-GPOS-00109<GroupDescription></GroupDescription>UBTU-20-010013The Ubuntu operating system must automatically terminate a user session after inactivity timeouts have expired.<VulnDiscussion>Automatic session termination addresses the termination of user-initiated logical sessions in contrast to the termination of network connections that are associated with communications sessions (i.e., network disconnect). A logical session (for local, network, and remote access) is initiated whenever a user (or process acting on behalf of a user) accesses an organizational information system. Such user sessions can be terminated (and thus terminate user access) without terminating network sessions. +If the sudo group contains users not needing access to security functions, this is a finding. + + + + + SRG-OS-000279-GPOS-00109 + <GroupDescription></GroupDescription> + + UBTU-20-010013 + The Ubuntu operating system must automatically terminate a user session after inactivity timeouts have expired. + <VulnDiscussion>Automatic session termination addresses the termination of user-initiated logical sessions in contrast to the termination of network connections that are associated with communications sessions (i.e., network disconnect). A logical session (for local, network, and remote access) is initiated whenever a user (or process acting on behalf of a user) accesses an organizational information system. Such user sessions can be terminated (and thus terminate user access) without terminating network sessions. 
Session termination terminates all processes associated with a user's logical session except those processes that are specifically created by the user (i.e., session owner) to continue after the session is terminated. Conditions or trigger events requiring automatic session termination can include, for example, organization-defined periods of user inactivity, targeted responses to certain types of incidents, and time-of-day restrictions on information system use. -This capability is typically reserved for specific operating system functionality where the system owner, data owner, or organization requires additional assurance.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 20.04 LTSDISADPMS TargetCanonical Ubuntu 20.04 LTS5318CCI-002361Configure the operating system to automatically terminate a user session after inactivity timeouts have expired or at shutdown. +This capability is typically reserved for specific operating system functionality where the system owner, data owner, or organization requires additional assurance.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Canonical Ubuntu 20.04 LTS + DISA + DPMS Target + Canonical Ubuntu 20.04 LTS + 5318 + + CCI-002361 + Configure the operating system to automatically terminate a user session after inactivity timeouts have expired or at shutdown. 
Create the file "/etc/profile.d/99-terminal_tmout.sh" file if it does not exist. -Modify or append the following line in the "/etc/profile.d/99-terminal_tmout.sh " file: - -TMOUT=600 +Modify or append the following line in the "/etc/profile.d/99-terminal_tmout.sh " file: TMOUT=600 This will set a timeout value of 10 minutes for all future sessions. To set the timeout for the current sessions, execute the following command over the terminal session: -$ export TMOUT=600Verify the operating system automatically terminates a user session after inactivity timeouts have expired. +$ export TMOUT=600 + + + + Verify the operating system automatically terminates a user session after inactivity timeouts have expired. Check that "TMOUT" environment variable is set in the "/etc/bash.bashrc" file or in any file inside the "/etc/profile.d/" directory by performing the following command: -$ grep -E "\bTMOUT=[0-9]+" /etc/bash.bashrc /etc/profile.d/* - -TMOUT=600 +$ grep -E "\bTMOUT=[0-9]+" /etc/bash.bashrc /etc/profile.d/* TMOUT=600 -If "TMOUT" is not set, or if the value is "0" or is commented out, this is a finding.SRG-OS-000373-GPOS-00156<GroupDescription></GroupDescription>UBTU-20-010014The Ubuntu operating system must require users to reauthenticate for privilege escalation or when changing roles.<VulnDiscussion>Without reauthentication, users may access resources or perform tasks for which they do not have authorization. +If "TMOUT" is not set, or if the value is "0" or is commented out, this is a finding. + + + + + SRG-OS-000373-GPOS-00156 + <GroupDescription></GroupDescription> + + UBTU-20-010014 + The Ubuntu operating system must require users to reauthenticate for privilege escalation or when changing roles. + <VulnDiscussion>Without reauthentication, users may access resources or perform tasks for which they do not have authorization. When operating systems provide the capability to escalate a functional capability, it is critical the user reauthenticate. 
-Satisfies: SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 20.04 LTSDISADPMS TargetCanonical Ubuntu 20.04 LTS5318CCI-002038Remove any occurrence of "NOPASSWD" or "!authenticate" found in "/etc/sudoers" file or files in the "/etc/sudoers.d" directory.Verify the "/etc/sudoers" file has no occurrences of "NOPASSWD" or "!authenticate" by running the following command: +Satisfies: SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Canonical Ubuntu 20.04 LTS + DISA + DPMS Target + Canonical Ubuntu 20.04 LTS + 5318 + + CCI-002038 + Remove any occurrence of "NOPASSWD" or "!authenticate" found in "/etc/sudoers" file or files in the "/etc/sudoers.d" directory. 
+ + + + Verify the "/etc/sudoers" file has no occurrences of "NOPASSWD" or "!authenticate" by running the following command: $ sudo egrep -i '(nopasswd|!authenticate)' /etc/sudoers /etc/sudoers.d/* -If any occurrences of "NOPASSWD" or "!authenticate" return from the command, this is a finding.SRG-OS-000480-GPOS-00228<GroupDescription></GroupDescription>UBTU-20-010016The Ubuntu operating system default filesystem permissions must be defined in such a way that all authenticated users can read and modify only their own files.<VulnDiscussion>Setting the most restrictive default permissions ensures that when new accounts are created they do not have unnecessary access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 20.04 LTSDISADPMS TargetCanonical Ubuntu 20.04 LTS5318CCI-000366Configure the system to define the default permissions for all authenticated users in such a way that the user can read and modify only their own files. +If any occurrences of "NOPASSWD" or "!authenticate" return from the command, this is a finding. + + + + + SRG-OS-000480-GPOS-00228 + <GroupDescription></GroupDescription> + + UBTU-20-010016 + The Ubuntu operating system default filesystem permissions must be defined in such a way that all authenticated users can read and modify only their own files. 
+ <VulnDiscussion>Setting the most restrictive default permissions ensures that when new accounts are created they do not have unnecessary access.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Canonical Ubuntu 20.04 LTS + DISA + DPMS Target + Canonical Ubuntu 20.04 LTS + 5318 + + CCI-000366 + Configure the system to define the default permissions for all authenticated users in such a way that the user can read and modify only their own files. Edit the "UMASK" parameter in the "/etc/login.defs" file to match the example below: -UMASK 077Verify the Ubuntu operating system defines default permissions for all authenticated users in such a way that the user can read and modify only their own files. +UMASK 077 + + + + Verify the Ubuntu operating system defines default permissions for all authenticated users in such a way that the user can read and modify only their own files. Verify the Ubuntu operating system defines default permissions for all authenticated users with the following command: 
@@ -266,7 +2135,17 @@ UMASK 077 If the "UMASK" variable is set to "000", this is a finding with the severity raised to a CAT I. -If the value of "UMASK" is not set to "077", is commented out, or is missing completely, this is a finding.SRG-OS-000105-GPOS-00052<GroupDescription></GroupDescription>UBTU-20-010033The Ubuntu operating system must implement smart card logins for multifactor authentication for local and network access to privileged and non-privileged accounts.<VulnDiscussion>Without the use of multifactor authentication, the ease of access to privileged functions is greatly increased. +If the value of "UMASK" is not set to "077", is commented out, or is missing completely, this is a finding. + + + + + SRG-OS-000105-GPOS-00052 + <GroupDescription></GroupDescription> + + UBTU-20-010033 + The Ubuntu operating system must implement smart card logins for multifactor authentication for local and network access to privileged and non-privileged accounts. + <VulnDiscussion>Without the use of multifactor authentication, the ease of access to privileged functions is greatly increased. Multifactor authentication requires using two or more factors to achieve authentication. 
@@ -281,13 +2160,29 @@ Network access is defined as access to an information system by a user (or a pro The DoD CAC with DoD-approved PKI is an example of multifactor authentication. -Satisfies: SRG-OS-000105-GPOS-00052, SRG-OS-000106-GPOS-00053, SRG-OS-000107-GPOS-00054, SRG-OS-000108-GPOS-00055</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 20.04 LTSDISADPMS TargetCanonical Ubuntu 20.04 LTS5318CCI-000765CCI-000766CCI-000767CCI-000768Configure the Ubuntu operating system to use multifactor authentication for network access to accounts. +Satisfies: SRG-OS-000105-GPOS-00052, SRG-OS-000106-GPOS-00053, SRG-OS-000107-GPOS-00054, SRG-OS-000108-GPOS-00055</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Canonical Ubuntu 20.04 LTS + DISA + DPMS Target + Canonical Ubuntu 20.04 LTS + 5318 + + CCI-000765 + CCI-000766 + CCI-000767 + CCI-000768 + Configure the Ubuntu operating system to use multifactor authentication for network access to accounts. 
Add or update "pam_pkcs11.so" in "/etc/pam.d/common-auth" to match the following line: -auth [success=2 default=ignore] pam_pkcs11.so +auth [success=2 default=ignore] pam_pkcs11.so -Set the sshd option "PubkeyAuthentication yes" in the "/etc/ssh/sshd_config" file.Verify the Ubuntu operating system has the packages required for multifactor authentication installed with the following commands: +Set the sshd option "PubkeyAuthentication yes" in the "/etc/ssh/sshd_config" file. + + + + Verify the Ubuntu operating system has the packages required for multifactor authentication installed with the following commands: $ dpkg -l | grep libpam-pkcs11 
@@ -302,11 +2197,34 @@ $ grep -r ^Pubkeyauthentication /etc/ssh/sshd_config* PubkeyAuthentication yes If this option is set to "no" or is missing, this is a finding. -If conflicting results are returned, this is a finding.SRG-OS-000125-GPOS-00065<GroupDescription></GroupDescription>UBTU-20-010035The Ubuntu operating system must use strong authenticators in establishing nonlocal maintenance and diagnostic sessions.<VulnDiscussion>Nonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the internet) or an internal network. Local maintenance and diagnostic activities are those activities carried out by individuals physically present at the information system or information system component and not communicating across a network connection. Typically, strong authentication requires authenticators that are resistant to replay attacks and employ multifactor authentication. Strong authenticators include, for example, PKI where certificates are stored on a token protected by a password, passphrase, or biometric.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 20.04 LTSDISADPMS TargetCanonical Ubuntu 20.04 LTS5318CCI-000877Configure the Ubuntu operating system to use strong authentication when establishing nonlocal maintenance and diagnostic sessions. +If conflicting results are returned, this is a finding. + + + + + SRG-OS-000125-GPOS-00065 + <GroupDescription></GroupDescription> + + UBTU-20-010035 + The Ubuntu operating system must use strong authenticators in establishing nonlocal maintenance and diagnostic sessions. 
+ <VulnDiscussion>Nonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the internet) or an internal network. Local maintenance and diagnostic activities are those activities carried out by individuals physically present at the information system or information system component and not communicating across a network connection. Typically, strong authentication requires authenticators that are resistant to replay attacks and employ multifactor authentication. Strong authenticators include, for example, PKI where certificates are stored on a token protected by a password, passphrase, or biometric.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Canonical Ubuntu 20.04 LTS + DISA + DPMS Target + Canonical Ubuntu 20.04 LTS + 5318 + + CCI-000877 + Configure the Ubuntu operating system to use strong authentication when establishing nonlocal maintenance and diagnostic sessions. Add or modify the following line to /etc/ssh/sshd_config: -UsePAM yesVerify the Ubuntu operating system is configured to use strong authenticators in the establishment of nonlocal maintenance and diagnostic maintenance. +UsePAM yes + + + + Verify the Ubuntu operating system is configured to use strong authenticators in the establishment of nonlocal maintenance and diagnostic maintenance. Verify that "UsePAM" is set to "yes" in "/etc/ssh/sshd_config: 
@@ -315,13 +2233,32 @@ $ grep -r ^UsePAM /etc/ssh/sshd_config* UsePAM yes If "UsePAM" is not set to "yes", this is a finding. -If conflicting results are returned, this is a finding.SRG-OS-000126-GPOS-00066<GroupDescription></GroupDescription>UBTU-20-010036The Ubuntu operating system must immediately terminate all network connections associated with SSH traffic after a period of inactivity.<VulnDiscussion>Automatic session termination addresses the termination of user-initiated logical sessions in contrast to the termination of network connections that are associated with communications sessions (i.e., network disconnect). A logical session (for local, network, and remote access) is initiated whenever a user (or process acting on behalf of a user) accesses an organizational information system. Such user sessions can be terminated (and thus terminate user access) without terminating network sessions. +If conflicting results are returned, this is a finding. + + + + + SRG-OS-000126-GPOS-00066 + <GroupDescription></GroupDescription> + + UBTU-20-010036 + The Ubuntu operating system must immediately terminate all network connections associated with SSH traffic after a period of inactivity. + <VulnDiscussion>Automatic session termination addresses the termination of user-initiated logical sessions in contrast to the termination of network connections that are associated with communications sessions (i.e., network disconnect). A logical session (for local, network, and remote access) is initiated whenever a user (or process acting on behalf of a user) accesses an organizational information system. Such user sessions can be terminated (and thus terminate user access) without terminating network sessions. Session termination terminates all processes associated with a user's logical session except those processes that are specifically created by the user (i.e., session owner) to continue after the session is terminated. 
Conditions or trigger events requiring automatic session termination can include, for example, organization-defined periods of user inactivity, targeted responses to certain types of incidents, and time-of-day restrictions on information system use. -This capability is typically reserved for specific Ubuntu operating system functionality where the system owner, data owner, or organization requires additional assurance.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 20.04 LTSDISADPMS TargetCanonical Ubuntu 20.04 LTS5318CCI-000879Configure the Ubuntu operating system to automatically terminate inactive SSH sessions after a period of inactivity. +This capability is typically reserved for specific Ubuntu operating system functionality where the system owner, data owner, or organization requires additional assurance.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Canonical Ubuntu 20.04 LTS + DISA + DPMS Target + Canonical Ubuntu 20.04 LTS + 5318 + + CCI-000879 + Configure the Ubuntu operating system to automatically terminate inactive SSH sessions after a period of inactivity. Modify or append the following line in the "/etc/ssh/sshd_config" file, replacing "[Count]" with a value of 1: 
@@ -329,7 +2266,11 @@ ClientAliveCountMax 1 Restart the SSH daemon for the changes to take effect: -$ sudo systemctl restart sshd.serviceVerify that all network connections associated with SSH traffic automatically terminate after a period of inactivity. +$ sudo systemctl restart sshd.service + + + + Verify that all network connections associated with SSH traffic automatically terminate after a period of inactivity. Verify the "ClientAliveCountMax" variable is set in the "/etc/ssh/sshd_config" file by performing the following command: 
@@ -338,9 +2279,28 @@ $ sudo grep -ir clientalivecountmax /etc/ssh/sshd_config* ClientAliveCountMax 1 If "ClientAliveCountMax" is not set, is not set to "1", or is commented out, this is a finding. -If conflicting results are returned, this is a finding.SRG-OS-000163-GPOS-00072<GroupDescription></GroupDescription>UBTU-20-010037The Ubuntu operating system must immediately terminate all network connections associated with SSH traffic at the end of the session or after 10 minutes of inactivity.<VulnDiscussion>Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle session will also free up resources committed by the managed network element. - -Terminating network connections associated with communications sessions includes, for example, de-allocating associated TCP/IP address/port pairs at the operating system level, and de-allocating networking assignments at the application level if multiple application sessions are using a single operating system-level network connection. 
This does not mean that the operating system terminates all sessions or network access; it only ends the inactive session and releases the resources associated with that session.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 20.04 LTSDISADPMS TargetCanonical Ubuntu 20.04 LTS5318CCI-001133Configure the Ubuntu operating system to automatically terminate all network connections associated with SSH traffic at the end of a session or after a 10-minute period of inactivity. +If conflicting results are returned, this is a finding. + + + + + SRG-OS-000163-GPOS-00072 + <GroupDescription></GroupDescription> + + UBTU-20-010037 + The Ubuntu operating system must immediately terminate all network connections associated with SSH traffic at the end of the session or after 10 minutes of inactivity. + <VulnDiscussion>Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended. In addition, quickly terminating an idle session will also free up resources committed by the managed network element. + +Terminating network connections associated with communications sessions includes, for example, de-allocating associated TCP/IP address/port pairs at the operating system level, and de-allocating networking assignments at the application level if multiple application sessions are using a single operating system-level network connection. 
This does not mean that the operating system terminates all sessions or network access; it only ends the inactive session and releases the resources associated with that session.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Canonical Ubuntu 20.04 LTS + DISA + DPMS Target + Canonical Ubuntu 20.04 LTS + 5318 + + CCI-001133 + Configure the Ubuntu operating system to automatically terminate all network connections associated with SSH traffic at the end of a session or after a 10-minute period of inactivity. Modify or append the following line in the "/etc/ssh/sshd_config" file replacing "[Interval]" with a value of "600" or less: @@ -348,7 +2308,11 @@ ClientAliveInterval 600 Restart the SSH daemon for the changes to take effect: -$ sudo systemctl restart sshd.serviceVerify that all network connections associated with SSH traffic are automatically terminated at the end of the session or after 10 minutes of inactivity. +$ sudo systemctl restart sshd.service + + + + Verify that all network connections associated with SSH traffic are automatically terminated at the end of the session or after 10 minutes of inactivity. Verify the "ClientAliveInterval" variable is set to a value of "600" or less by performing the following command: 
@@ -357,7 +2321,17 @@ $ sudo grep -ir clientalive /etc/ssh/sshd_config* ClientAliveInterval 600 If "ClientAliveInterval" does not exist, is not set to a value of "600" or less in "/etc/ssh/sshd_config", or is commented out, this is a finding. -If conflicting results are returned, this is a finding.SRG-OS-000228-GPOS-00088<GroupDescription></GroupDescription>UBTU-20-010038The Ubuntu operating system must display the Standard Mandatory DoD Notice and Consent Banner before granting any local or remote connection to the system.<VulnDiscussion>Display of a standardized and approved use notification before granting access to the publicly accessible operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. +If conflicting results are returned, this is a finding. + + + + + SRG-OS-000228-GPOS-00088 + <GroupDescription></GroupDescription> + + UBTU-20-010038 + The Ubuntu operating system must display the Standard Mandatory DoD Notice and Consent Banner before granting any local or remote connection to the system. + <VulnDiscussion>Display of a standardized and approved use notification before granting access to the publicly accessible operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. System use notifications are required only for access via logon interfaces with human users and are not required when such human interfaces do not exist. 
@@ -381,7 +2355,21 @@ Use the following verbiage for operating systems that have severe limitations on "I've read & consent to terms in IS user agreem't." -Satisfies: SRG-OS-000228-GPOS-00088, SRG-OS-000023-GPOS-00006</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 20.04 LTSDISADPMS TargetCanonical Ubuntu 20.04 LTS5318CCI-000048CCI-001384CCI-001385CCI-001386CCI-001387CCI-001388Set the parameter Banner in "/etc/ssh/sshd_config" to point to the "/etc/issue.net" file: +Satisfies: SRG-OS-000228-GPOS-00088, SRG-OS-000023-GPOS-00006</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Canonical Ubuntu 20.04 LTS + DISA + DPMS Target + Canonical Ubuntu 20.04 LTS + 5318 + + CCI-000048 + CCI-001384 + CCI-001385 + CCI-001386 + CCI-001387 + CCI-001388 + Set the parameter Banner in "/etc/ssh/sshd_config" to point to the "/etc/issue.net" file: $ sudo sed -i '/^Banner/d' /etc/ssh/sshd_config $ sudo sed -i '$aBanner /etc/issue.net' /etc/ssh/sshd_config 
@@ -404,7 +2392,11 @@ By using this IS (which includes any device attached to this IS), you consent to Restart the SSH daemon for the changes to take effect and then signal the SSH server to reload the configuration file: -$ sudo systemctl -s SIGHUP kill sshdVerify the Ubuntu operating system displays the Standard Mandatory DoD Notice and Consent Banner before granting access to the Ubuntu operating system via an SSH logon with the following command: +$ sudo systemctl -s SIGHUP kill sshd + + + + Verify the Ubuntu operating system displays the Standard Mandatory DoD Notice and Consent Banner before granting access to the Ubuntu operating system via an SSH logon with the following command: $ grep -ir banner /etc/ssh/sshd_config* 
@@ -432,13 +2424,34 @@ By using this IS (which includes any device attached to this IS), you consent to -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." -If the banner text does not match the Standard Mandatory DoD Notice and Consent Banner exactly, this is a finding.SRG-OS-000423-GPOS-00187<GroupDescription></GroupDescription>UBTU-20-010042The Ubuntu operating system must use SSH to protect the confidentiality and integrity of transmitted information.<VulnDiscussion>Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read or altered. +If the banner text does not match the Standard Mandatory DoD Notice and Consent Banner exactly, this is a finding. + + + + + SRG-OS-000423-GPOS-00187 + <GroupDescription></GroupDescription> + + UBTU-20-010042 + The Ubuntu operating system must use SSH to protect the confidentiality and integrity of transmitted information. + <VulnDiscussion>Without protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read or altered. This requirement applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, and facsimile machines). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. 
Protecting the confidentiality and integrity of organizational information can be accomplished by physical means (e.g., employing physical distribution systems) or by logical means (e.g., employing cryptographic techniques). If physical means of protection are employed, then logical means (cryptography) do not have to be employed, and vice versa. -Satisfies: SRG-OS-000423-GPOS-00187, SRG-OS-000425-GPOS-00189, SRG-OS-000426-GPOS-00190</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 20.04 LTSDISADPMS TargetCanonical Ubuntu 20.04 LTS5318CCI-002418CCI-002420CCI-002422Install the "ssh" meta-package on the system with the following command: +Satisfies: SRG-OS-000423-GPOS-00187, SRG-OS-000425-GPOS-00189, SRG-OS-000426-GPOS-00190</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Canonical Ubuntu 20.04 LTS + DISA + DPMS Target + Canonical Ubuntu 20.04 LTS + 5318 + + CCI-002418 + CCI-002420 + CCI-002422 + Install the "ssh" meta-package on the system with the following command: $ sudo apt install ssh 
@@ -448,7 +2461,11 @@ $ sudo systemctl enable sshd.service ensure the "ssh" service is running -$ sudo systemctl start sshd.serviceVerify the SSH package is installed with the following command: +$ sudo systemctl start sshd.service + + + + Verify the SSH package is installed with the following command: $ sudo dpkg -l | grep openssh ii openssh-client 1:7.6p1-4ubuntu0.1 amd64 secure shell (SSH) client, for secure access to remote machines 
@@ -463,7 +2480,17 @@ $ sudo systemctl status sshd.service | egrep -i "(active|loaded)" Loaded: loaded (/lib/systemd/system/ssh.service; enabled; vendor preset: enabled) Active: active (running) since Thu 2019-01-24 22:52:58 UTC; 1 weeks 3 days ago -If "sshd.service" is not active or loaded, this is a finding.SRG-OS-000424-GPOS-00188<GroupDescription></GroupDescription>UBTU-20-010043The Ubuntu operating system must configure the SSH daemon to use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hashes to prevent the unauthorized disclosure of information and/or detect changes to information during transmission.<VulnDiscussion>Without cryptographic integrity protections, information can be altered by unauthorized users without detection. +If "sshd.service" is not active or loaded, this is a finding. + + + + + SRG-OS-000424-GPOS-00188 + <GroupDescription></GroupDescription> + + UBTU-20-010043 + The Ubuntu operating system must configure the SSH daemon to use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hashes to prevent the unauthorized disclosure of information and/or detect changes to information during transmission. + <VulnDiscussion>Without cryptographic integrity protections, information can be altered by unauthorized users without detection. Remote access (e.g., RDP) is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. Nonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the internet) or an internal network. 
@@ -471,7 +2498,18 @@ Local maintenance and diagnostic activities are those activities carried out by Encrypting information for transmission protects information from unauthorized disclosure and modification. Cryptographic mechanisms implemented to protect information integrity include, for example, cryptographic hash functions which have common application in digital signatures, checksums, and message authentication codes. -Satisfies: SRG-OS-000424-GPOS-00188, SRG-OS-000250-GPOS-00093, SRG-OS-000393-GPOS-00173</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 20.04 LTSDISADPMS TargetCanonical Ubuntu 20.04 LTS5318CCI-001453CCI-002421CCI-002890Configure the Ubuntu operating system to allow the SSH daemon to only use MACs that employ FIPS 140-2 approved ciphers. +Satisfies: SRG-OS-000424-GPOS-00188, SRG-OS-000250-GPOS-00093, SRG-OS-000393-GPOS-00173</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Canonical Ubuntu 20.04 LTS + DISA + DPMS Target + Canonical Ubuntu 20.04 LTS + 5318 + + CCI-001453 + CCI-002421 + CCI-002890 + Configure the Ubuntu operating system to allow the SSH daemon to only use MACs that employ FIPS 140-2 approved ciphers. 
Add the following line (or modify the line to have the required value) to the "/etc/ssh/sshd_config" file (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor): 
@@ -479,14 +2517,28 @@ MACs hmac-sha2-512,hmac-sha2-256 Restart the SSH daemon for the changes to take effect: -$ sudo systemctl reload sshd.serviceVerify the SSH daemon is configured to only use MACs that employ FIPS 140-2 approved ciphers with the following command: +$ sudo systemctl reload sshd.service + + + + Verify the SSH daemon is configured to only use MACs that employ FIPS 140-2 approved ciphers with the following command: $ grep -ir macs /etc/ssh/sshd_config* MACs hmac-sha2-512,hmac-sha2-256 If any ciphers other than "hmac-sha2-512" or "hmac-sha2-256" are listed, the order differs from the example above, or the returned line is commented out, this is a finding. -If conflicting results are returned, this is a finding.SRG-OS-000424-GPOS-00188<GroupDescription></GroupDescription>UBTU-20-010044The Ubuntu operating system must configure the SSH daemon to use FIPS 140-2 approved ciphers to prevent the unauthorized disclosure of information and/or detect changes to information during transmission.<VulnDiscussion>Without cryptographic integrity protections, information can be altered by unauthorized users without detection. +If conflicting results are returned, this is a finding. + + + + + SRG-OS-000424-GPOS-00188 + <GroupDescription></GroupDescription> + + UBTU-20-010044 + The Ubuntu operating system must configure the SSH daemon to use FIPS 140-2 approved ciphers to prevent the unauthorized disclosure of information and/or detect changes to information during transmission. + <VulnDiscussion>Without cryptographic integrity protections, information can be altered by unauthorized users without detection. Remote access (e.g., RDP) is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. 
@@ -498,7 +2550,18 @@ Encrypting information for transmission protects information from unauthorized d By specifying a cipher list with the order of ciphers being in a "strongest to weakest" orientation, the system will automatically attempt to use the strongest cipher for securing SSH connections. -Satisfies: SRG-OS-000424-GPOS-00188, SRG-OS-000033-GPOS-00014, SRG-OS-000394-GPOS-00174</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 20.04 LTSDISADPMS TargetCanonical Ubuntu 20.04 LTS5318CCI-000068CCI-002421CCI-003123Configure the Ubuntu operating system to allow the SSH daemon to only implement FIPS-approved algorithms. +Satisfies: SRG-OS-000424-GPOS-00188, SRG-OS-000033-GPOS-00014, SRG-OS-000394-GPOS-00174</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Canonical Ubuntu 20.04 LTS + DISA + DPMS Target + Canonical Ubuntu 20.04 LTS + 5318 + + CCI-000068 + CCI-002421 + CCI-003123 + Configure the Ubuntu operating system to allow the SSH daemon to only implement FIPS-approved algorithms. Add the following line (or modify the line to have the required value) to the "/etc/ssh/sshd_config" file (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor): 
@@ -506,14 +2569,37 @@ Ciphers aes256-ctr,aes192-ctr,aes128-ctr Restart the SSH daemon for the changes to take effect: -$ sudo systemctl restart sshd.serviceVerify the SSH daemon is configured to only implement FIPS-approved algorithms by running the following command: +$ sudo systemctl restart sshd.service + + + + Verify the SSH daemon is configured to only implement FIPS-approved algorithms by running the following command: $ grep -r 'Ciphers' /etc/ssh/sshd_config* Ciphers aes256-ctr,aes192-ctr,aes128-ctr If any ciphers other than "aes256-ctr", "aes192-ctr", or "aes128-ctr" are listed, the order differs from the example above, the "Ciphers" keyword is missing, or the returned line is commented out, this is a finding. -If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00229<GroupDescription></GroupDescription>UBTU-20-010047The Ubuntu operating system must not allow unattended or automatic login via SSH.<VulnDiscussion>Failure to restrict system access to authenticated users negatively impacts Ubuntu operating system security.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 20.04 LTSDISADPMS TargetCanonical Ubuntu 20.04 LTS5318CCI-000366Configure the Ubuntu operating system to allow the SSH daemon to not allow unattended or automatic login to the system. +If conflicting results are returned, this is a finding. + + + + + SRG-OS-000480-GPOS-00229 + <GroupDescription></GroupDescription> + + UBTU-20-010047 + The Ubuntu operating system must not allow unattended or automatic login via SSH. 
+ <VulnDiscussion>Failure to restrict system access to authenticated users negatively impacts Ubuntu operating system security.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Canonical Ubuntu 20.04 LTS + DISA + DPMS Target + Canonical Ubuntu 20.04 LTS + 5318 + + CCI-000366 + Configure the Ubuntu operating system to allow the SSH daemon to not allow unattended or automatic login to the system. Add or edit the following lines in the "/etc/ssh/sshd_config" file: @@ -522,7 +2608,11 @@ PermitUserEnvironment no Restart the SSH daemon for the changes to take effect: -$ sudo systemctl restart sshd.serviceVerify that unattended or automatic login via SSH is disabled with the following command: +$ sudo systemctl restart sshd.service + + + + Verify that unattended or automatic login via SSH is disabled with the following command: $ egrep -r '(Permit(.*?)(Passwords|Environment))' /etc/ssh/sshd_config 
@@ -530,24 +2620,66 @@ PermitEmptyPasswords no PermitUserEnvironment no If "PermitEmptyPasswords" or "PermitUserEnvironment" keywords are not set to "no", are missing completely, or are commented out, this is a finding. -If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>UBTU-20-010048The Ubuntu operating system must be configured so that remote X connections are disabled, unless to fulfill documented and validated mission requirements.<VulnDiscussion>The security risk of using X11 forwarding is that the client's X11 display server may be exposed to attack when the SSH client requests forwarding. A System Administrator may have a stance in which they want to protect clients that may expose themselves to attack by unwittingly requesting X11 forwarding, which can warrant a ''no'' setting. +If conflicting results are returned, this is a finding. + + + + + SRG-OS-000480-GPOS-00227 + <GroupDescription></GroupDescription> + + UBTU-20-010048 + The Ubuntu operating system must be configured so that remote X connections are disabled, unless to fulfill documented and validated mission requirements. + <VulnDiscussion>The security risk of using X11 forwarding is that the client's X11 display server may be exposed to attack when the SSH client requests forwarding. A System Administrator may have a stance in which they want to protect clients that may expose themselves to attack by unwittingly requesting X11 forwarding, which can warrant a ''no'' setting. X11 forwarding should be enabled with caution. Users with the ability to bypass file permissions on the remote host (for the user's X11 authorization database) can access the local X11 display through the forwarded connection. An attacker may then be able to perform activities such as keystroke monitoring if the ForwardX11Trusted option is also enabled. 
-If X11 services are not required for the system's intended function, they should be disabled or restricted as appropriate to the system’s needs.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 20.04 LTSDISADPMS TargetCanonical Ubuntu 20.04 LTS5318CCI-000366Edit the "/etc/ssh/sshd_config" file to uncomment or add the line for the "X11Forwarding" keyword and set its value to "no" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor): +If X11 services are not required for the system's intended function, they should be disabled or restricted as appropriate to the system’s needs.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Canonical Ubuntu 20.04 LTS + DISA + DPMS Target + Canonical Ubuntu 20.04 LTS + 5318 + + CCI-000366 + Edit the "/etc/ssh/sshd_config" file to uncomment or add the line for the "X11Forwarding" keyword and set its value to "no" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor): X11Forwarding no Restart the SSH daemon for the changes to take effect: -$ sudo systemctl restart sshd.serviceVerify that X11Forwarding is disabled with the following command: +$ sudo systemctl restart sshd.service + + + + Verify that X11Forwarding 
is disabled with the following command: $ grep -ir x11forwarding /etc/ssh/sshd_config* | grep -v "^#" X11Forwarding no If the "X11Forwarding" keyword is set to "yes" and is not documented with the Information System Security Officer (ISSO) as an operational requirement or is missing, this is a finding. -If conflicting results are returned, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>UBTU-20-010049The Ubuntu operating system SSH daemon must prevent remote hosts from connecting to the proxy display.<VulnDiscussion>When X11 forwarding is enabled, there may be additional exposure to the server and client displays if the sshd proxy display is configured to listen on the wildcard address. By default, sshd binds the forwarding server to the loopback address and sets the hostname part of the DISPLAY environment variable to localhost. This prevents remote hosts from connecting to the proxy display.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 20.04 LTSDISADPMS TargetCanonical Ubuntu 20.04 LTS5318CCI-000366Configure the SSH daemon to prevent remote hosts from connecting to the proxy display. +If conflicting results are returned, this is a finding. + + + + + SRG-OS-000480-GPOS-00227 + <GroupDescription></GroupDescription> + + UBTU-20-010049 + The Ubuntu operating system SSH daemon must prevent remote hosts from connecting to the proxy display. + <VulnDiscussion>When X11 forwarding is enabled, there may be additional exposure to the server and client displays if the sshd proxy display is configured to listen on the wildcard address. 
By default, sshd binds the forwarding server to the loopback address and sets the hostname part of the DISPLAY environment variable to localhost. This prevents remote hosts from connecting to the proxy display.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Canonical Ubuntu 20.04 LTS + DISA + DPMS Target + Canonical Ubuntu 20.04 LTS + 5318 + + CCI-000366 + Configure the SSH daemon to prevent remote hosts from connecting to the proxy display. Edit the "/etc/ssh/sshd_config" file to uncomment or add the line for the "X11UseLocalhost" keyword and set its value to "yes" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor): @@ -555,7 +2687,11 @@ X11UseLocalhost yes Restart the SSH daemon for the changes to take effect: -$ sudo systemctl restart sshd.serviceVerify the SSH daemon prevents remote hosts from connecting to the proxy display. +$ sudo systemctl restart sshd.service + + + + Verify the SSH daemon prevents remote hosts from connecting to the proxy display. Check the SSH X11UseLocalhost setting with the following command: 
@@ -563,91 +2699,249 @@ $ sudo grep -ir x11uselocalhost /etc/ssh/sshd_config* X11UseLocalhost yes If the "X11UseLocalhost" keyword is set to "no", is missing, or is commented out, this is a finding. -If conflicting results are returned, this is a finding.SRG-OS-000069-GPOS-00037<GroupDescription></GroupDescription>UBTU-20-010050The Ubuntu operating system must enforce password complexity by requiring that at least one upper-case character be used.<VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. - -Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 20.04 LTSDISADPMS TargetCanonical Ubuntu 20.04 LTS5318CCI-000192Add or update the "/etc/security/pwquality.conf" file to contain the "ucredit" parameter: - -ucredit=-1Verify the Ubuntu operating system enforces password complexity by requiring that at least one upper-case character be used. +If conflicting results are returned, this is a finding. + + + + + SRG-OS-000069-GPOS-00037 + <GroupDescription></GroupDescription> + + UBTU-20-010050 + The Ubuntu operating system must enforce password complexity by requiring that at least one upper-case character be used. 
+ <VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. + +Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Canonical Ubuntu 20.04 LTS + DISA + DPMS Target + Canonical Ubuntu 20.04 LTS + 5318 + + CCI-000192 + Add or update the "/etc/security/pwquality.conf" file to contain the "ucredit" parameter: ucredit=-1 + + + + Verify the Ubuntu operating system enforces password complexity by requiring that at least one upper-case character be used. Determine if the field "ucredit" is set in the "/etc/security/pwquality.conf" file with the following command: -$ grep -i "ucredit" /etc/security/pwquality.conf -ucredit=-1 - -If the "ucredit" parameter is greater than "-1" or is commented out, this is a finding.SRG-OS-000070-GPOS-00038<GroupDescription></GroupDescription>UBTU-20-010051The Ubuntu operating system must enforce password complexity by requiring that at least one lower-case character be used.<VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. 
- -Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 20.04 LTSDISADPMS TargetCanonical Ubuntu 20.04 LTS5318CCI-000193Add or update the "/etc/security/pwquality.conf" file to contain the "lcredit" parameter: - -lcredit=-1Verify the Ubuntu operating system enforces password complexity by requiring that at least one lower-case character be used. +$ grep -i "ucredit" /etc/security/pwquality.conf ucredit=-1 + +If the "ucredit" parameter is greater than "-1" or is commented out, this is a finding. + + + + + SRG-OS-000070-GPOS-00038 + <GroupDescription></GroupDescription> + + UBTU-20-010051 + The Ubuntu operating system must enforce password complexity by requiring that at least one lower-case character be used. + <VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. + +Password complexity is one factor of several that determines how long it takes to crack a password. 
The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Canonical Ubuntu 20.04 LTS + DISA + DPMS Target + Canonical Ubuntu 20.04 LTS + 5318 + + CCI-000193 + Add or update the "/etc/security/pwquality.conf" file to contain the "lcredit" parameter: lcredit=-1 + + + + Verify the Ubuntu operating system enforces password complexity by requiring that at least one lower-case character be used. Determine if the field "lcredit" is set in the "/etc/security/pwquality.conf" file with the following command: -$ grep -i "lcredit" /etc/security/pwquality.conf -lcredit=-1 - -If the "lcredit" parameter is greater than "-1" or is commented out, this is a finding.SRG-OS-000071-GPOS-00039<GroupDescription></GroupDescription>UBTU-20-010052The Ubuntu operating system must enforce password complexity by requiring that at least one numeric character be used.<VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. - -Password complexity is one factor of several that determines how long it takes to crack a password. 
The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 20.04 LTSDISADPMS TargetCanonical Ubuntu 20.04 LTS5318CCI-000194Configure the Ubuntu operating system to enforce password complexity by requiring that at least one numeric character be used. - -Add or update the "/etc/security/pwquality.conf" file to contain the "dcredit" parameter: - -dcredit=-1Verify the Ubuntu operating system enforces password complexity by requiring that at least one numeric character be used. +$ grep -i "lcredit" /etc/security/pwquality.conf lcredit=-1 + +If the "lcredit" parameter is greater than "-1" or is commented out, this is a finding. + + + + + SRG-OS-000071-GPOS-00039 + <GroupDescription></GroupDescription> + + UBTU-20-010052 + The Ubuntu operating system must enforce password complexity by requiring that at least one numeric character be used. + <VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. + +Password complexity is one factor of several that determines how long it takes to crack a password. 
The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Canonical Ubuntu 20.04 LTS + DISA + DPMS Target + Canonical Ubuntu 20.04 LTS + 5318 + + CCI-000194 + Configure the Ubuntu operating system to enforce password complexity by requiring that at least one numeric character be used. + +Add or update the "/etc/security/pwquality.conf" file to contain the "dcredit" parameter: dcredit=-1 + + + + Verify the Ubuntu operating system enforces password complexity by requiring that at least one numeric character be used. Determine if the field "dcredit" is set in the "/etc/security/pwquality.conf" file with the following command: -$ grep -i "dcredit" /etc/security/pwquality.conf -dcredit=-1 +$ grep -i "dcredit" /etc/security/pwquality.conf dcredit=-1 -If the "dcredit" parameter is greater than "-1" or is commented out, this is a finding.SRG-OS-000072-GPOS-00040<GroupDescription></GroupDescription>UBTU-20-010053The Ubuntu operating system must require the change of at least 8 characters when passwords are changed.<VulnDiscussion> If the operating system allows the user to consecutively reuse extensive portions of passwords, this increases the chances of password compromise by increasing the window of opportunity for attempts at guessing and brute-force attacks. +If the "dcredit" parameter is greater than "-1" or is commented out, this is a finding. 
+ + + + + SRG-OS-000072-GPOS-00040 + <GroupDescription></GroupDescription> + + UBTU-20-010053 + The Ubuntu operating system must require the change of at least 8 characters when passwords are changed. + <VulnDiscussion> If the operating system allows the user to consecutively reuse extensive portions of passwords, this increases the chances of password compromise by increasing the window of opportunity for attempts at guessing and brute-force attacks. The number of changed characters refers to the number of changes required with respect to the total number of positions in the current password. In other words, characters may be the same within the two passwords; however, the positions of the like characters must be different. -If the password length is an odd number then number of changed characters must be rounded up. For example, a password length of 15 characters must require the change of at least 8 characters.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 20.04 LTSDISADPMS TargetCanonical Ubuntu 20.04 LTS5318CCI-000195Configure the Ubuntu operating system to require the change of at least eight characters when passwords are changed. - -Add or update the "/etc/security/pwquality.conf" file to include the "difok=8" parameter: - -difok=8Verify the Ubuntu operating system requires the change of at least eight characters when passwords are changed. +If the password length is an odd number then number of changed characters must be rounded up. 
For example, a password length of 15 characters must require the change of at least 8 characters.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Canonical Ubuntu 20.04 LTS + DISA + DPMS Target + Canonical Ubuntu 20.04 LTS + 5318 + + CCI-000195 + Configure the Ubuntu operating system to require the change of at least eight characters when passwords are changed. + +Add or update the "/etc/security/pwquality.conf" file to include the "difok=8" parameter: difok=8 + + + + Verify the Ubuntu operating system requires the change of at least eight characters when passwords are changed. Determine if the field "difok" is set in the "/etc/security/pwquality.conf" file with the following command: -$ grep -i "difok" /etc/security/pwquality.conf -difok=8 - -If the "difok" parameter is less than "8" or is commented out, this is a finding.SRG-OS-000078-GPOS-00046<GroupDescription></GroupDescription>UBTU-20-010054The Ubuntu operating system must enforce a minimum 15-character password length.<VulnDiscussion>The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. - -Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. 
Use of more characters in a password helps to exponentially increase the time and/or resources required to compromise the password.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 20.04 LTSDISADPMS TargetCanonical Ubuntu 20.04 LTS5318CCI-000205Configure the Ubuntu operating system to enforce a minimum 15-character password length. - -Add or modify the "minlen" parameter value to the "/etc/security/pwquality.conf" file: - -minlen=15Verify the pwquality configuration file enforces a minimum 15-character password length by running the following command: - -$ grep -i minlen /etc/security/pwquality.conf -minlen=15 - -If "minlen" parameter value is not "15" or higher or is commented out, this is a finding.SRG-OS-000266-GPOS-00101<GroupDescription></GroupDescription>UBTU-20-010055The Ubuntu operating system must enforce password complexity by requiring that at least one special character be used.<VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity or strength is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. +$ grep -i "difok" /etc/security/pwquality.conf difok=8 + +If the "difok" parameter is less than "8" or is commented out, this is a finding. + + + + + SRG-OS-000078-GPOS-00046 + <GroupDescription></GroupDescription> + + UBTU-20-010054 + The Ubuntu operating system must enforce a minimum 15-character password length. + <VulnDiscussion>The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. 
+ +Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. Use of more characters in a password helps to exponentially increase the time and/or resources required to compromise the password.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Canonical Ubuntu 20.04 LTS + DISA + DPMS Target + Canonical Ubuntu 20.04 LTS + 5318 + + CCI-000205 + Configure the Ubuntu operating system to enforce a minimum 15-character password length. + +Add or modify the "minlen" parameter value to the "/etc/security/pwquality.conf" file: minlen=15 + + + + Verify the pwquality configuration file enforces a minimum 15-character password length by running the following command: + +$ grep -i minlen /etc/security/pwquality.conf minlen=15 + +If "minlen" parameter value is not "15" or higher or is commented out, this is a finding. + + + + + SRG-OS-000266-GPOS-00101 + <GroupDescription></GroupDescription> + + UBTU-20-010055 + The Ubuntu operating system must enforce password complexity by requiring that at least one special character be used. + <VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity or strength is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor in determining how long it takes to crack a password. 
The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. -Special characters are those characters that are not alphanumeric. Examples include: ~ ! @ # $ % ^ *.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 20.04 LTSDISADPMS TargetCanonical Ubuntu 20.04 LTS5318CCI-001619Configure the Ubuntu operating system to enforce password complexity by requiring that at least one special character be used. - -Add or update the following line in the "/etc/security/pwquality.conf" file to include the "ocredit=-1" parameter: - -ocredit=-1Determine if the field "ocredit" is set in the "/etc/security/pwquality.conf" file with the following command: - -$ grep -i "ocredit" /etc/security/pwquality.conf -ocredit=-1 - -If the "ocredit" parameter is greater than "-1" or is commented out, this is a finding.SRG-OS-000480-GPOS-00225<GroupDescription></GroupDescription>UBTU-20-010056The Ubuntu operating system must prevent the use of dictionary words for passwords.<VulnDiscussion>If the Ubuntu operating system allows the user to select passwords based on dictionary words, then this increases the chances of password compromise by increasing the opportunity for successful guesses and brute-force attacks.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target 
Canonical Ubuntu 20.04 LTSDISADPMS TargetCanonical Ubuntu 20.04 LTS5318CCI-000366Configure the Ubuntu operating system to prevent the use of dictionary words for passwords. - -Add or update the following line in the "/etc/security/pwquality.conf" file to include the "dictcheck=1" parameter: - -dictcheck=1Verify the Ubuntu operating system uses the "cracklib" library to prevent the use of dictionary words with the following command: - -$ grep dictcheck /etc/security/pwquality.conf - -dictcheck=1 - -If the "dictcheck" parameter is not set to "1" or is commented out, this is a finding.SRG-OS-000480-GPOS-00225<GroupDescription></GroupDescription>UBTU-20-010057The Ubuntu operating system must be configured so that when passwords are changed or new passwords are established, pwquality must be used.<VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. "pwquality" enforces complex password construction configuration and has the ability to limit brute-force attacks on the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 20.04 LTSDISADPMS TargetCanonical Ubuntu 20.04 LTS5318CCI-000366Configure the operating system to use "pwquality" to enforce password complexity rules. +Special characters are those characters that are not alphanumeric. Examples include: ~ ! 
@ # $ % ^ *.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Canonical Ubuntu 20.04 LTS + DISA + DPMS Target + Canonical Ubuntu 20.04 LTS + 5318 + + CCI-001619 + Configure the Ubuntu operating system to enforce password complexity by requiring that at least one special character be used. + +Add or update the following line in the "/etc/security/pwquality.conf" file to include the "ocredit=-1" parameter: ocredit=-1 + + + + Determine if the field "ocredit" is set in the "/etc/security/pwquality.conf" file with the following command: + +$ grep -i "ocredit" /etc/security/pwquality.conf ocredit=-1 + +If the "ocredit" parameter is greater than "-1" or is commented out, this is a finding. + + + + + SRG-OS-000480-GPOS-00225 + <GroupDescription></GroupDescription> + + UBTU-20-010056 + The Ubuntu operating system must prevent the use of dictionary words for passwords. 
+ <VulnDiscussion>If the Ubuntu operating system allows the user to select passwords based on dictionary words, then this increases the chances of password compromise by increasing the opportunity for successful guesses and brute-force attacks.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Canonical Ubuntu 20.04 LTS + DISA + DPMS Target + Canonical Ubuntu 20.04 LTS + 5318 + + CCI-000366 + Configure the Ubuntu operating system to prevent the use of dictionary words for passwords. + +Add or update the following line in the "/etc/security/pwquality.conf" file to include the "dictcheck=1" parameter: dictcheck=1 + + + + Verify the Ubuntu operating system uses the "cracklib" library to prevent the use of dictionary words with the following command: + +$ grep dictcheck /etc/security/pwquality.conf dictcheck=1 + +If the "dictcheck" parameter is not set to "1" or is commented out, this is a finding. + + + + + SRG-OS-000480-GPOS-00225 + <GroupDescription></GroupDescription> + + UBTU-20-010057 + The Ubuntu operating system must be configured so that when passwords are changed or new passwords are established, pwquality must be used. + <VulnDiscussion>Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. 
"pwquality" enforces complex password construction configuration and has the ability to limit brute-force attacks on the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Canonical Ubuntu 20.04 LTS + DISA + DPMS Target + Canonical Ubuntu 20.04 LTS + 5318 + + CCI-000366 + Configure the operating system to use "pwquality" to enforce password complexity rules. Install the "pam_pwquality" package by using the following command: @@ -661,7 +2955,11 @@ Add the following line to "/etc/pam.d/common-password" (or modify the line to ha password requisite pam_pwquality.so retry=3 -Note: The value of "retry" should be between "1" and "3".Verify the Ubuntu operating system has the "libpam-pwquality" package installed by running the following command: +Note: The value of "retry" should be between "1" and "3". + + + + Verify the Ubuntu operating system has the "libpam-pwquality" package installed by running the following command: $ dpkg -l libpam-pwquality 
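Review bot: In the `@@ -563,91 +2699,249 @@` hunk the new side folds the expected-output line of each pwquality check onto the grep command line, so `$ grep -i "ucredit" /etc/security/pwquality.conf` followed by `ucredit=-1` on its own line becomes `$ grep -i "ucredit" /etc/security/pwquality.conf ucredit=-1`, which now reads as a grep over two file arguments and no longer states the expected value as a separate line; the same merge appears in the fix text (`... to contain the "ucredit" parameter: ucredit=-1`) and repeats for lcredit, dcredit, difok, minlen, ocredit and dictcheck further down the hunk. The removed side kept the command and the expected value on separate lines, so this looks like a whitespace-normalization side effect of the pretty-printing pass rather than an intended edit of the STIG text, though that is inferred from the visible lines only. Since the surrounding reformatting otherwise preserves blank lines inside `VulnDiscussion`, restoring the line break between the command and its expected output, and between the "parameter:" sentence and the `key=value` line, would keep the check and fix text unambiguous for both human reviewers and any tooling that parses the check content.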
@@ -687,13 +2985,32 @@ password requisite pam_pwquality.so retry=3 If no output is returned or the line is commented out, this is a finding. -If the value of "retry" is set to "0" or greater than "3", this is a finding.SRG-OS-000066-GPOS-00034<GroupDescription></GroupDescription>UBTU-20-010060The Ubuntu operating system, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.<VulnDiscussion>Without path validation, an informed trust decision by the relying party cannot be made when presented with any certificate not already explicitly trusted. +If the value of "retry" is set to "0" or greater than "3", this is a finding. + + + + + SRG-OS-000066-GPOS-00034 + <GroupDescription></GroupDescription> + + UBTU-20-010060 + The Ubuntu operating system, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor. + <VulnDiscussion>Without path validation, an informed trust decision by the relying party cannot be made when presented with any certificate not already explicitly trusted. A trust anchor is an authoritative entity represented via a public key and associated data. It is used in the context of public key infrastructures, X.509 digital certificates, and DNSSEC. When there is a chain of trust, usually the top entity to be trusted becomes the trust anchor; it can be, for example, a Certification Authority (CA). A certification path starts with the subject certificate and proceeds through a number of intermediate certificates up to a trusted root certificate, typically issued by a trusted CA. -This requirement verifies that a certification path to an accepted trust anchor is used for certificate validation and that the path includes status information. 
Path validation is necessary for a relying party to make an informed trust decision when presented with any certificate not already explicitly trusted. Status information for certification paths includes certificate revocation lists or online certificate status protocol responses. Validation of the certificate status information is out of scope for this requirement.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 20.04 LTSDISADPMS TargetCanonical Ubuntu 20.04 LTS5318CCI-000185Configure the Ubuntu operating system, for PKI-based authentication, to validate certificates by constructing a certification path to an accepted trust anchor. +This requirement verifies that a certification path to an accepted trust anchor is used for certificate validation and that the path includes status information. Path validation is necessary for a relying party to make an informed trust decision when presented with any certificate not already explicitly trusted. Status information for certification paths includes certificate revocation lists or online certificate status protocol responses. 
Validation of the certificate status information is out of scope for this requirement.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Canonical Ubuntu 20.04 LTS + DISA + DPMS Target + Canonical Ubuntu 20.04 LTS + 5318 + + CCI-000185 + Configure the Ubuntu operating system, for PKI-based authentication, to validate certificates by constructing a certification path to an accepted trust anchor. Determine which pkcs11 module is being used via the "use_pkcs11_module" in "/etc/pam_pkcs11/pam_pkcs11.conf" and ensure "ca" is enabled in "cert_policy". @@ -701,7 +3018,11 @@ Add or update the "cert_policy" to ensure "ca" is enabled: cert_policy = ca,signature,ocsp_on; -If the system is missing an "/etc/pam_pkcs11/" directory and an "/etc/pam_pkcs11/pam_pkcs11.conf", find an example to copy into place and modify accordingly at "/usr/share/doc/libpam-pkcs11/examples/pam_pkcs11.conf.example.gz".Verify the Ubuntu operating system, for PKI-based authentication, has valid certificates by constructing a certification path to an accepted trust anchor. +If the system is missing an "/etc/pam_pkcs11/" directory and an "/etc/pam_pkcs11/pam_pkcs11.conf", find an example to copy into place and modify accordingly at "/usr/share/doc/libpam-pkcs11/examples/pam_pkcs11.conf.example.gz". + + + + Verify the Ubuntu operating system, for PKI-based authentication, has valid certificates by constructing a certification path to an accepted trust anchor. Determine which pkcs11 module is being used via the "use_pkcs11_module" in "/etc/pam_pkcs11/pam_pkcs11.conf" and then ensure "ca" is enabled in "cert_policy" with the following command: 
@@ -709,7 +3030,17 @@ $ sudo grep use_pkcs11_module /etc/pam_pkcs11/pam_pkcs11.conf | awk '/pkcs11_mod cert_policy = ca,signature,ocsp_on; -If "cert_policy" is not set to "ca" or the line is commented out, this is a finding.SRG-OS-000375-GPOS-00160<GroupDescription></GroupDescription>UBTU-20-010063The Ubuntu operating system must implement multifactor authentication for remote access to privileged accounts in such a way that one of the factors is provided by a device separate from the system gaining access.<VulnDiscussion>Using an authentication device, such as a CAC or token that is separate from the information system, ensures that even if the information system is compromised, that compromise will not affect credentials stored on the authentication device. +If "cert_policy" is not set to "ca" or the line is commented out, this is a finding. + + + + + SRG-OS-000375-GPOS-00160 + <GroupDescription></GroupDescription> + + UBTU-20-010063 + The Ubuntu operating system must implement multifactor authentication for remote access to privileged accounts in such a way that one of the factors is provided by a device separate from the system gaining access. + <VulnDiscussion>Using an authentication device, such as a CAC or token that is separate from the information system, ensures that even if the information system is compromised, that compromise will not affect credentials stored on the authentication device. Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification card and the DoD Common Access Card. 
@@ -717,23 +3048,59 @@ A privileged account is defined as an information system account with authorizat Remote access is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. -This requirement only applies to components where this is specific to the function of the device or has the concept of an organizational user (e.g., VPN, proxy capability). This does not apply to authentication for the purpose of configuring the device itself (management).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 20.04 LTSDISADPMS TargetCanonical Ubuntu 20.04 LTS5318CCI-001948Configure the Ubuntu operating system to implement multifactor authentication by installing the required packages. +This requirement only applies to components where this is specific to the function of the device or has the concept of an organizational user (e.g., VPN, proxy capability). 
This does not apply to authentication for the purpose of configuring the device itself (management).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Canonical Ubuntu 20.04 LTS + DISA + DPMS Target + Canonical Ubuntu 20.04 LTS + 5318 + + CCI-001948 + Configure the Ubuntu operating system to implement multifactor authentication by installing the required packages. Install the "libpam-pkcs11" package on the system with the following command: -$ sudo apt install libpam-pkcs11Verify the Ubuntu operating system has the packages required for multifactor authentication installed with the following commands: +$ sudo apt install libpam-pkcs11 + + + + Verify the Ubuntu operating system has the packages required for multifactor authentication installed with the following commands: $ dpkg -l | grep libpam-pkcs11 ii libpam-pkcs11 0.6.8-4 amd64 Fully featured PAM module for using PKCS#11 smart cards -If the "libpam-pkcs11" package is not installed, this is a finding.SRG-OS-000376-GPOS-00161<GroupDescription></GroupDescription>UBTU-20-010064The Ubuntu operating system must accept Personal Identity Verification (PIV) credentials.<VulnDiscussion>The use of PIV credentials facilitates standardization and reduces the risk of unauthorized access. 
- -DoD has mandated the use of the CAC to support identity management and personal authentication for systems covered under Homeland Security Presidential Directive (HSPD) 12, as well as making the CAC a primary component of layered protection for national security systems.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 20.04 LTSDISADPMS TargetCanonical Ubuntu 20.04 LTS5318CCI-001953Configure the Ubuntu operating system to accept PIV credentials. +If the "libpam-pkcs11" package is not installed, this is a finding. + + + + + SRG-OS-000376-GPOS-00161 + <GroupDescription></GroupDescription> + + UBTU-20-010064 + The Ubuntu operating system must accept Personal Identity Verification (PIV) credentials. + <VulnDiscussion>The use of PIV credentials facilitates standardization and reduces the risk of unauthorized access. + +DoD has mandated the use of the CAC to support identity management and personal authentication for systems covered under Homeland Security Presidential Directive (HSPD) 12, as well as making the CAC a primary component of layered protection for national security systems.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Canonical Ubuntu 20.04 LTS + DISA + DPMS Target + Canonical Ubuntu 20.04 LTS + 5318 + + CCI-001953 + Configure the Ubuntu operating system to accept PIV credentials. 
Install the "opensc-pkcs11" package using the following command: -$ sudo apt-get install opensc-pkcs11Verify the Ubuntu operating system accepts PIV credentials. +$ sudo apt-get install opensc-pkcs11 + + + + Verify the Ubuntu operating system accepts PIV credentials. Verify the "opensc-pcks11" package is installed on the system with the following command: 
@@ -741,11 +3108,34 @@ $ dpkg -l | grep opensc-pkcs11 ii opensc-pkcs11:amd64 0.15.0-1Ubuntu1 amd64 Smart card utilities with support for PKCS#15 compatible cards -If the "opensc-pcks11" package is not installed, this is a finding.SRG-OS-000377-GPOS-00162<GroupDescription></GroupDescription>UBTU-20-010065The Ubuntu operating system must electronically verify Personal Identity Verification (PIV) credentials.<VulnDiscussion>The use of PIV credentials facilitates standardization and reduces the risk of unauthorized access. - -DoD has mandated the use of the CAC to support identity management and personal authentication for systems covered under Homeland Security Presidential Directive (HSPD) 12, as well as making the CAC a primary component of layered protection for national security systems.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 20.04 LTSDISADPMS TargetCanonical Ubuntu 20.04 LTS5318CCI-001954Configure the Ubuntu operating system to do certificate status checking for multifactor authentication. - -Modify all of the "cert_policy" lines in "/etc/pam_pkcs11/pam_pkcs11.conf" to include "ocsp_on".Verify the Ubuntu operating system electronically verifies PIV credentials. +If the "opensc-pcks11" package is not installed, this is a finding. + + + + + SRG-OS-000377-GPOS-00162 + <GroupDescription></GroupDescription> + + UBTU-20-010065 + The Ubuntu operating system must electronically verify Personal Identity Verification (PIV) credentials. + <VulnDiscussion>The use of PIV credentials facilitates standardization and reduces the risk of unauthorized access. 
+ +DoD has mandated the use of the CAC to support identity management and personal authentication for systems covered under Homeland Security Presidential Directive (HSPD) 12, as well as making the CAC a primary component of layered protection for national security systems.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Canonical Ubuntu 20.04 LTS + DISA + DPMS Target + Canonical Ubuntu 20.04 LTS + 5318 + + CCI-001954 + Configure the Ubuntu operating system to do certificate status checking for multifactor authentication. + +Modify all of the "cert_policy" lines in "/etc/pam_pkcs11/pam_pkcs11.conf" to include "ocsp_on". + + + + Verify the Ubuntu operating system electronically verifies PIV credentials. Verify that certificate status checking for multifactor authentication is implemented with the following command: 
@@ -753,13 +3143,36 @@ $ sudo grep use_pkcs11_module /etc/pam_pkcs11/pam_pkcs11.conf | awk '/pkcs11_mod cert_policy = ca,signature,ocsp_on; -If "cert_policy" is not set to "ocsp_on", or the line is commented out, this is a finding.SRG-OS-000384-GPOS-00167<GroupDescription></GroupDescription>UBTU-20-010066The Ubuntu operating system for PKI-based authentication, must implement a local cache of revocation data in case of the inability to access revocation information via the network.<VulnDiscussion>Without configuring a local cache of revocation data, there is the potential to allow access to users who are no longer authorized (users with revoked certificates).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 20.04 LTSDISADPMS TargetCanonical Ubuntu 20.04 LTS5318CCI-001991Configure the Ubuntu operating system, for PKI-based authentication, to use local revocation data when unable to access the network to obtain it remotely. +If "cert_policy" is not set to "ocsp_on", or the line is commented out, this is a finding. + + + + + SRG-OS-000384-GPOS-00167 + <GroupDescription></GroupDescription> + + UBTU-20-010066 + The Ubuntu operating system for PKI-based authentication, must implement a local cache of revocation data in case of the inability to access revocation information via the network. 
+ <VulnDiscussion>Without configuring a local cache of revocation data, there is the potential to allow access to users who are no longer authorized (users with revoked certificates).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Canonical Ubuntu 20.04 LTS + DISA + DPMS Target + Canonical Ubuntu 20.04 LTS + 5318 + + CCI-001991 + Configure the Ubuntu operating system, for PKI-based authentication, to use local revocation data when unable to access the network to obtain it remotely. Add or update the "cert_policy" option in "/etc/pam/_pkcs11/pam_pkcs11.conf" to include "crl_auto" or "crl_offline". cert_policy = ca,signature,ocsp_on, crl_auto; -If the system is missing an "/etc/pam_pkcs11/" directory and an "/etc/pam_pkcs11/pam_pkcs11.conf", find an example to copy into place and modify accordingly at "/usr/share/doc/libpam-pkcs11/examples/pam_pkcs11.conf.example.gz".Verify the Ubuntu operating system, for PKI-based authentication, uses local revocation data when unable to access it from the network. +If the system is missing an "/etc/pam_pkcs11/" directory and an "/etc/pam_pkcs11/pam_pkcs11.conf", find an example to copy into place and modify accordingly at "/usr/share/doc/libpam-pkcs11/examples/pam_pkcs11.conf.example.gz". + + + + Verify the Ubuntu operating system, for PKI-based authentication, uses local revocation data when unable to access it from the network. Verify that "crl_offline" or "crl_auto" is part of the "cert_policy" definition in "/etc/pam_pkcs11/pam_pkcs11.conf" using the following command: 
@@ -767,26 +3180,70 @@ Verify that "crl_offline" or "crl_auto" is part of the "cert_policy" definition cert_policy = ca,signature,ocsp_on,crl_auto; -If "cert_policy" is not set to include "crl_auto" or "crl_offline", this is a finding.SRG-OS-000077-GPOS-00045<GroupDescription></GroupDescription>UBTU-20-010070The Ubuntu operating system must prohibit password reuse for a minimum of five generations.<VulnDiscussion>Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. If the information system or application allows the user to consecutively reuse their password when that password has exceeded its defined lifetime, the end result is a password that is not changed as per policy requirements. - -Satisfies: SRG-OS-000077-GPOS-00045, SRG-OS-000073-GPOS-00041</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 20.04 LTSDISADPMS TargetCanonical Ubuntu 20.04 LTS5318CCI-000196CCI-000200Configure the Ubuntu operating system to prevent passwords from being reused for a minimum of five generations. +If "cert_policy" is not set to include "crl_auto" or "crl_offline", this is a finding. + + + + + SRG-OS-000077-GPOS-00045 + <GroupDescription></GroupDescription> + + UBTU-20-010070 + The Ubuntu operating system must prohibit password reuse for a minimum of five generations. + <VulnDiscussion>Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. 
If the information system or application allows the user to consecutively reuse their password when that password has exceeded its defined lifetime, the end result is a password that is not changed as per policy requirements. + +Satisfies: SRG-OS-000077-GPOS-00045, SRG-OS-000073-GPOS-00041</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Canonical Ubuntu 20.04 LTS + DISA + DPMS Target + Canonical Ubuntu 20.04 LTS + 5318 + + CCI-000196 + CCI-000200 + Configure the Ubuntu operating system to prevent passwords from being reused for a minimum of five generations. Add or modify the "remember" parameter value to the following line in "/etc/pam.d/common-password" file: -password [success=1 default=ignore] pam_unix.so obscure sha512 shadow remember=5 rounds=5000Verify the Ubuntu operating system prevents passwords from being reused for a minimum of five generations by running the following command: +password [success=1 default=ignore] pam_unix.so obscure sha512 shadow remember=5 rounds=5000 + + + + Verify the Ubuntu operating system prevents passwords from being reused for a minimum of five generations by running the following command: $ grep -i remember /etc/pam.d/common-password password [success=1 default=ignore] pam_unix.so obscure sha512 shadow remember=5 rounds=5000 -If the "remember" parameter value is not greater than or equal to "5", is commented out, or is not set at all, this is a finding.SRG-OS-000329-GPOS-00128<GroupDescription></GroupDescription>UBTU-20-010072The Ubuntu operating system must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts have been 
made.<VulnDiscussion>By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by locking the account. - -Satisfies: SRG-OS-000329-GPOS-00128, SRG-OS-000021-GPOS-00005</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 20.04 LTSDISADPMS TargetCanonical Ubuntu 20.04 LTS5318CCI-000044CCI-002238Configure the Ubuntu operating system to utilize the "pam_faillock" module. +If the "remember" parameter value is not greater than or equal to "5", is commented out, or is not set at all, this is a finding. + + + + + SRG-OS-000329-GPOS-00128 + <GroupDescription></GroupDescription> + + UBTU-20-010072 + The Ubuntu operating system must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts have been made. + <VulnDiscussion>By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by locking the account. 
+ +Satisfies: SRG-OS-000329-GPOS-00128, SRG-OS-000021-GPOS-00005</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Canonical Ubuntu 20.04 LTS + DISA + DPMS Target + Canonical Ubuntu 20.04 LTS + 5318 + + CCI-000044 + CCI-002238 + Configure the Ubuntu operating system to utilize the "pam_faillock" module. Edit the /etc/pam.d/common-auth file. Add the following lines below the "auth" definition for pam_unix.so: -auth [default=die] pam_faillock.so authfail +auth [default=die] pam_faillock.so authfail auth sufficient pam_faillock.so authsucc Configure the "pam_faillock" module to use the following options: @@ -796,10 +3253,14 @@ audit silent deny = 3 fail_interval = 900 -unlock_time = 0Verify that the Ubuntu operating system utilizes the "pam_faillock" module with the following command: +unlock_time = 0 + + + + Verify that the Ubuntu operating system utilizes the "pam_faillock" module with the following command: $ grep faillock /etc/pam.d/common-auth -auth [default=die] pam_faillock.so authfail +auth [default=die] pam_faillock.so authfail auth sufficient pam_faillock.so authsucc If the pam_faillock.so module is not present in the "/etc/pam.d/common-auth" file, this is a finding. 
@@ -817,11 +3278,30 @@ If the "silent" keyword is missing or commented out, this is a finding. If the "audit" keyword is missing or commented out, this is a finding. If the "deny" keyword is missing, commented out, or set to a value greater than 3, this is a finding. If the "fail_interval" keyword is missing, commented out, or set to a value greater than 900, this is a finding. -If the "unlock_time" keyword is missing, commented out, or not set to 0, this is a finding.SRG-OS-000446-GPOS-00200<GroupDescription></GroupDescription>UBTU-20-010074The Ubuntu operating system must be configured so that the script which runs each 30 days or less to check file integrity is the default one.<VulnDiscussion>Without verification of the security functions, security functions may not operate correctly and the failure may go unnoticed. Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters. +If the "unlock_time" keyword is missing, commented out, or not set to 0, this is a finding. + + + + + SRG-OS-000446-GPOS-00200 + <GroupDescription></GroupDescription> + + UBTU-20-010074 + The Ubuntu operating system must be configured so that the script which runs each 30 days or less to check file integrity is the default one. + <VulnDiscussion>Without verification of the security functions, security functions may not operate correctly and the failure may go unnoticed. Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. 
Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters. Notifications provided by information systems include, for example, electronic alerts to System Administrators, messages to local computer consoles, and/or hardware indications, such as lights. -This requirement applies to the Ubuntu operating system performing security function verification/testing and/or systems and environments that require this functionality.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 20.04 LTSDISADPMS TargetCanonical Ubuntu 20.04 LTS5318CCI-002699The cron file for AIDE is fairly complex as it creates the report. This file is installed with the "aide-common" package, and the default can be restored by copying it from the package: +This requirement applies to the Ubuntu operating system performing security function verification/testing and/or systems and environments that require this functionality.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Canonical Ubuntu 20.04 LTS + DISA + DPMS Target + Canonical Ubuntu 20.04 LTS + 5318 + + CCI-002699 + The cron file for AIDE is fairly complex as it creates the report. 
This file is installed with the "aide-common" package, and the default can be restored by copying it from the package: Download the original package to the /tmp dir: @@ -833,7 +3313,11 @@ $ dpkg-deb --fsys-tarfile /tmp/aide-common_*.deb | sudo tar -x ./usr/share/aide/ Copy it to the cron.daily directory: -$ sudo cp -f /usr/share/aide/config/cron.daily/aide /etc/cron.daily/aideVerify that the Advanced Intrusion Detection Environment (AIDE) default script used to check file integrity each 30 days or less is unchanged. +$ sudo cp -f /usr/share/aide/config/cron.daily/aide /etc/cron.daily/aide + + + + Verify that the Advanced Intrusion Detection Environment (AIDE) default script used to check file integrity each 30 days or less is unchanged. Download the original aide-common package in the /tmp directory: 
@@ -849,21 +3333,68 @@ Compare with the SHA1 of the file in the daily or monthly cron directory: $ sha1sum /etc/cron.{daily,monthly}/aide 2>/dev/null 32958374f18871e3f7dda27a58d721f471843e26 /etc/cron.daily/aide -If there is no AIDE script file in the cron directories, or the SHA1 value of at least one file in the daily or monthly cron directory does not match the SHA1 of the original, this is a finding.SRG-OS-000480-GPOS-00226<GroupDescription></GroupDescription>UBTU-20-010075The Ubuntu operating system must enforce a delay of at least 4 seconds between logon prompts following a failed logon attempt.<VulnDiscussion>Limiting the number of logon attempts over a certain time interval reduces the chances that an unauthorized user may gain access to an account.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 20.04 LTSDISADPMS TargetCanonical Ubuntu 20.04 LTS5318CCI-000366Configure the Ubuntu operating system to enforce a delay of at least 4 seconds between logon prompts following a failed logon attempt. +If there is no AIDE script file in the cron directories, or the SHA1 value of at least one file in the daily or monthly cron directory does not match the SHA1 of the original, this is a finding. + + + + + SRG-OS-000480-GPOS-00226 + <GroupDescription></GroupDescription> + + UBTU-20-010075 + The Ubuntu operating system must enforce a delay of at least 4 seconds between logon prompts following a failed logon attempt. 
+ <VulnDiscussion>Limiting the number of logon attempts over a certain time interval reduces the chances that an unauthorized user may gain access to an account.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Canonical Ubuntu 20.04 LTS + DISA + DPMS Target + Canonical Ubuntu 20.04 LTS + 5318 + + CCI-000366 + Configure the Ubuntu operating system to enforce a delay of at least 4 seconds between logon prompts following a failed logon attempt. Edit the file "/etc/pam.d/common-auth" and set the parameter "pam_faildelay" to a value of 4000000 or greater: -auth required pam_faildelay.so delay=4000000Verify the Ubuntu operating system enforces a delay of at least 4 seconds between logon prompts following a failed logon attempt with the following command: +auth required pam_faildelay.so delay=4000000 + + + + Verify the Ubuntu operating system enforces a delay of at least 4 seconds between logon prompts following a failed logon attempt with the following command: $ grep pam_faildelay /etc/pam.d/common-auth -auth required pam_faildelay.so delay=4000000 +auth required pam_faildelay.so delay=4000000 -If the line is not present or is commented out, this is a finding.SRG-OS-000004-GPOS-00004<GroupDescription></GroupDescription>UBTU-20-010100The Ubuntu operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd.<VulnDiscussion>Once an attacker establishes access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to create an account. 
Auditing account creation actions provides logging that can be used for forensic purposes. +If the line is not present or is commented out, this is a finding. + + + + + SRG-OS-000004-GPOS-00004 + <GroupDescription></GroupDescription> + + UBTU-20-010100 + The Ubuntu operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd. + <VulnDiscussion>Once an attacker establishes access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to create an account. Auditing account creation actions provides logging that can be used for forensic purposes. To address access requirements, many operating systems may be integrated with enterprise level authentication/access/auditing mechanisms that meet or exceed access control policy requirements. -Satisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000458-GPOS-00203, SRG-OS-000463-GPOS-00207, SRG-OS-000476-GPOS-00221</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 20.04 LTSDISADPMS TargetCanonical Ubuntu 20.04 LTS5318CCI-000018CCI-000172CCI-001403CCI-001404CCI-001405CCI-002130Configure the Ubuntu operating system to generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/passwd". 
+Satisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000458-GPOS-00203, SRG-OS-000463-GPOS-00207, SRG-OS-000476-GPOS-00221</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Canonical Ubuntu 20.04 LTS + DISA + DPMS Target + Canonical Ubuntu 20.04 LTS + 5318 + + CCI-000018 + CCI-000172 + CCI-001403 + CCI-001404 + CCI-001405 + CCI-002130 + Configure the Ubuntu operating system to generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/passwd". Add or update the following rule to "/etc/audit/rules.d/stig.rules": @@ -871,7 +3402,11 @@ Add or update the following rule to "/etc/audit/rules.d/stig.rules": To reload the rules file, issue the following command: -$ sudo augenrules --loadVerify the Ubuntu operating system generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/passwd". +$ sudo augenrules --load + + + + Verify the Ubuntu operating system generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/passwd". Check the currently configured audit rules with the following command: 
@@ -881,11 +3416,35 @@ $ sudo auditctl -l | grep passwd If the command does not return a line that matches the example or the line is commented out, this is a finding. -Note: The "-k" allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above.SRG-OS-000004-GPOS-00004<GroupDescription></GroupDescription>UBTU-20-010101The Ubuntu operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/group.<VulnDiscussion>Once an attacker establishes access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to create an account. Auditing account creation actions provides logging that can be used for forensic purposes. +Note: The "-k" allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above. + + + + + SRG-OS-000004-GPOS-00004 + <GroupDescription></GroupDescription> + + UBTU-20-010101 + The Ubuntu operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/group. + <VulnDiscussion>Once an attacker establishes access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to create an account. Auditing account creation actions provides logging that can be used for forensic purposes. To address access requirements, many operating systems may be integrated with enterprise level authentication/access/auditing mechanisms that meet or exceed access control policy requirements. 
-Satisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000458-GPOS-00203, SRG-OS-000476-GPOS-00221</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 20.04 LTSDISADPMS TargetCanonical Ubuntu 20.04 LTS5318CCI-000018CCI-000172CCI-001403CCI-001404CCI-001405CCI-002130Configure the Ubuntu operating system to generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/group". +Satisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000458-GPOS-00203, SRG-OS-000476-GPOS-00221</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Canonical Ubuntu 20.04 LTS + DISA + DPMS Target + Canonical Ubuntu 20.04 LTS + 5318 + + CCI-000018 + CCI-000172 + CCI-001403 + CCI-001404 + CCI-001405 + CCI-002130 + Configure the Ubuntu operating system to generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/group". Add or update the following rule to "/etc/audit/rules.d/stig.rules": 
@@ -893,7 +3452,11 @@ Add or update the following rule to "/etc/audit/rules.d/stig.rules": To reload the rules file, issue the following command: -$ sudo augenrules --loadVerify the Ubuntu operating system generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/group". +$ sudo augenrules --load + + + + Verify the Ubuntu operating system generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/group". Check the currently configured audit rules with the following command: 
@@ -903,11 +3466,35 @@ $ sudo auditctl -l | grep group If the command does not return a line that matches the example or the line is commented out, this is a finding. -Note: The "-k" allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above.SRG-OS-000004-GPOS-00004<GroupDescription></GroupDescription>UBTU-20-010102The Ubuntu operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow.<VulnDiscussion>Once an attacker establishes access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to create an account. Auditing account creation actions provides logging that can be used for forensic purposes. +Note: The "-k" allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above. + + + + + SRG-OS-000004-GPOS-00004 + <GroupDescription></GroupDescription> + + UBTU-20-010102 + The Ubuntu operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow. + <VulnDiscussion>Once an attacker establishes access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to create an account. Auditing account creation actions provides logging that can be used for forensic purposes. To address access requirements, many operating systems may be integrated with enterprise level authentication/access/auditing mechanisms that meet or exceed access control policy requirements. 
-Satisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000458-GPOS-00203, SRG-OS-000476-GPOS-00221</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 20.04 LTSDISADPMS TargetCanonical Ubuntu 20.04 LTS5318CCI-000018CCI-000172CCI-001403CCI-001404CCI-001405CCI-002130Configure the Ubuntu operating system to generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/shadow". +Satisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000458-GPOS-00203, SRG-OS-000476-GPOS-00221</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Canonical Ubuntu 20.04 LTS + DISA + DPMS Target + Canonical Ubuntu 20.04 LTS + 5318 + + CCI-000018 + CCI-000172 + CCI-001403 + CCI-001404 + CCI-001405 + CCI-002130 + Configure the Ubuntu operating system to generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/shadow". Add or update the following rule to "/etc/audit/rules.d/stig.rules": 
@@ -915,7 +3502,11 @@ Add or update the following rule to "/etc/audit/rules.d/stig.rules": To reload the rules file, issue the following command: -$ sudo augenrules --loadVerify the Ubuntu operating system generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/shadow". +$ sudo augenrules --load + + + + Verify the Ubuntu operating system generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/shadow". Check the currently configured audit rules with the following command: 
@@ -925,11 +3516,34 @@ $ sudo auditctl -l | grep shadow If the command does not return a line that matches the example or the line is commented out, this is a finding. -Note: The "-k" allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above.SRG-OS-000004-GPOS-00004<GroupDescription></GroupDescription>UBTU-20-010103The Ubuntu operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/gshadow.<VulnDiscussion>Once an attacker establishes access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to create an account. Auditing account creation actions provides logging that can be used for forensic purposes. +Note: The "-k" allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above. + + + + + SRG-OS-000004-GPOS-00004 + <GroupDescription></GroupDescription> + + UBTU-20-010103 + The Ubuntu operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/gshadow. + <VulnDiscussion>Once an attacker establishes access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to create an account. Auditing account creation actions provides logging that can be used for forensic purposes. To address access requirements, many operating systems may be integrated with enterprise level authentication/access/auditing mechanisms that meet or exceed access control policy requirements. 
-Satisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000458-GPOS-00203, SRG-OS-000476-GPOS-00221</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 20.04 LTSDISADPMS TargetCanonical Ubuntu 20.04 LTS5318CCI-000172CCI-001403CCI-001404CCI-001405CCI-002130Configure the Ubuntu operating system to generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/gshadow". +Satisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000458-GPOS-00203, SRG-OS-000476-GPOS-00221</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Canonical Ubuntu 20.04 LTS + DISA + DPMS Target + Canonical Ubuntu 20.04 LTS + 5318 + + CCI-000172 + CCI-001403 + CCI-001404 + CCI-001405 + CCI-002130 + Configure the Ubuntu operating system to generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/gshadow". Add or update the following rule to "/etc/audit/rules.d/stig.rules": 
@@ -937,7 +3551,11 @@ Add or update the following rule to "/etc/audit/rules.d/stig.rules": To reload the rules file, issue the following command: -$ sudo augenrules --loadVerify the Ubuntu operating system generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/gshadow". +$ sudo augenrules --load + + + + Verify the Ubuntu operating system generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/gshadow". Check the currently configured audit rules with the following command: 
@@ -947,11 +3565,35 @@ $ sudo auditctl -l | grep gshadow If the command does not return a line that matches the example or the line is commented out, this is a finding. -Note: The "-k" allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above.SRG-OS-000004-GPOS-00004<GroupDescription></GroupDescription>UBTU-20-010104The Ubuntu operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/opasswd.<VulnDiscussion>Once an attacker establishes access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to create an account. Auditing account creation actions provides logging that can be used for forensic purposes. +Note: The "-k" allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above. + + + + + SRG-OS-000004-GPOS-00004 + <GroupDescription></GroupDescription> + + UBTU-20-010104 + The Ubuntu operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/opasswd. + <VulnDiscussion>Once an attacker establishes access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to create an account. Auditing account creation actions provides logging that can be used for forensic purposes. To address access requirements, many operating systems may be integrated with enterprise level authentication/access/auditing mechanisms that meet or exceed access control policy requirements. 
-Satisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000458-GPOS-00203, SRG-OS-000476-GPOS-00221</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 20.04 LTSDISADPMS TargetCanonical Ubuntu 20.04 LTS5318CCI-000018CCI-000172CCI-001403CCI-001404CCI-001405CCI-002130Configure the Ubuntu operating system to generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/security/opasswd". +Satisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000458-GPOS-00203, SRG-OS-000476-GPOS-00221</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Canonical Ubuntu 20.04 LTS + DISA + DPMS Target + Canonical Ubuntu 20.04 LTS + 5318 + + CCI-000018 + CCI-000172 + CCI-001403 + CCI-001404 + CCI-001405 + CCI-002130 + Configure the Ubuntu operating system to generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/security/opasswd". Add or update the following rule to "/etc/audit/rules.d/stig.rules": 
@@ -959,7 +3601,11 @@ Add or update the following rule to "/etc/audit/rules.d/stig.rules": To reload the rules file, issue the following command: -$ sudo augenrules --loadVerify the Ubuntu operating system generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/security/opasswd". +$ sudo augenrules --load + + + + Verify the Ubuntu operating system generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/security/opasswd". Check the currently configured audit rules with the following command: 
@@ -969,11 +3615,30 @@ $ sudo auditctl -l | grep opasswd If the command does not return a line that matches the example or the line is commented out, this is a finding. -Note: The "-k" allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above.SRG-OS-000046-GPOS-00022<GroupDescription></GroupDescription>UBTU-20-010117The Ubuntu operating system must alert the ISSO and SA (at a minimum) in the event of an audit processing failure.<VulnDiscussion>It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notification, the security personnel may be unaware of an impending failure of the audit capability, and system operation may be adversely affected. +Note: The "-k" allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above. + + + + + SRG-OS-000046-GPOS-00022 + <GroupDescription></GroupDescription> + + UBTU-20-010117 + The Ubuntu operating system must alert the ISSO and SA (at a minimum) in the event of an audit processing failure. + <VulnDiscussion>It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notification, the security personnel may be unaware of an impending failure of the audit capability, and system operation may be adversely affected. Audit processing failures include software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. 
-This requirement applies to each audit data storage repository (i.e., distinct information system component where audit records are stored), the centralized audit storage capacity of organizations (i.e., all audit data storage repositories combined), or both.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 20.04 LTSDISADPMS TargetCanonical Ubuntu 20.04 LTS5318CCI-000139Configure "auditd" service to notify the SA and ISSO in the event of an audit processing failure. +This requirement applies to each audit data storage repository (i.e., distinct information system component where audit records are stored), the centralized audit storage capacity of organizations (i.e., all audit data storage repositories combined), or both.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Canonical Ubuntu 20.04 LTS + DISA + DPMS Target + Canonical Ubuntu 20.04 LTS + 5318 + + CCI-000139 + Configure "auditd" service to notify the SA and ISSO in the event of an audit processing failure. Edit the following line in "/etc/audit/auditd.conf" to ensure administrators are notified via email for those situations: 
@@ -983,19 +3648,42 @@ Note: Change "administrator_account" to an account for security personnel. Restart the "auditd" service so the changes take effect: -$ sudo systemctl restart auditd.serviceVerify that the SA and ISSO (at a minimum) are notified in the event of an audit processing failure with the following command: +$ sudo systemctl restart auditd.service + + + + Verify that the SA and ISSO (at a minimum) are notified in the event of an audit processing failure with the following command: $ sudo grep '^action_mail_acct = root' /etc/audit/auditd.conf action_mail_acct = <administrator_account> -If the value of the "action_mail_acct" keyword is not set to an accounts for security personnel, the "action_mail_acct" keyword is missing, or the returned line is commented out, this is a finding.SRG-OS-000047-GPOS-00023<GroupDescription></GroupDescription>UBTU-20-010118The Ubuntu operating system must shut down by default upon audit failure (unless availability is an overriding concern).<VulnDiscussion>It is critical that when the operating system is at risk of failing to process audit logs as required, it takes action to mitigate the failure. Audit processing failures include: software/hardware errors; failures in the audit capturing mechanisms; and audit storage capacity being reached or exceeded. Responses to audit failure depend upon the nature of the failure mode. +If the value of the "action_mail_acct" keyword is not set to an accounts for security personnel, the "action_mail_acct" keyword is missing, or the returned line is commented out, this is a finding. + + + + + SRG-OS-000047-GPOS-00023 + <GroupDescription></GroupDescription> + + UBTU-20-010118 + The Ubuntu operating system must shut down by default upon audit failure (unless availability is an overriding concern). + <VulnDiscussion>It is critical that when the operating system is at risk of failing to process audit logs as required, it takes action to mitigate the failure. 
Audit processing failures include: software/hardware errors; failures in the audit capturing mechanisms; and audit storage capacity being reached or exceeded. Responses to audit failure depend upon the nature of the failure mode. When availability is an overriding concern, other approved actions in response to an audit failure are as follows: 1) If the failure was caused by the lack of audit record storage capacity, the operating system must continue generating audit records if possible (automatically restarting the audit service if necessary), overwriting the oldest audit records in a first-in-first-out manner. -2) If audit records are sent to a centralized collection server and communication with this server is lost or the server fails, the operating system must queue audit records locally until communication is restored or until the audit records are retrieved manually. Upon restoration of the connection to the centralized collection server, action should be taken to synchronize the local audit data with the collection server.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 20.04 LTSDISADPMS TargetCanonical Ubuntu 20.04 LTS5318CCI-000140Configure the Ubuntu operating system to shut down by default upon audit failure (unless availability is an overriding concern). +2) If audit records are sent to a centralized collection server and communication with this server is lost or the server fails, the operating system must queue audit records locally until communication is restored or until the audit records are retrieved manually. 
Upon restoration of the connection to the centralized collection server, action should be taken to synchronize the local audit data with the collection server.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Canonical Ubuntu 20.04 LTS + DISA + DPMS Target + Canonical Ubuntu 20.04 LTS + 5318 + + CCI-000140 + Configure the Ubuntu operating system to shut down by default upon audit failure (unless availability is an overriding concern). Add or update the following line (depending on configuration, "disk_full_action" can be set to "SYSLOG", "HALT" or "SINGLE") in "/etc/audit/auditd.conf" file: 
@@ -1003,17 +3691,41 @@ disk_full_action = HALT Restart the "auditd" service so the changes take effect: -$ sudo systemctl restart auditd.serviceVerify the Ubuntu operating system takes the appropriate action when the audit storage volume is full with the following command: +$ sudo systemctl restart auditd.service + + + + Verify the Ubuntu operating system takes the appropriate action when the audit storage volume is full with the following command: $ sudo grep '^disk_full_action' /etc/audit/auditd.conf disk_full_action = HALT -If the value of the "disk_full_action" option is not "SYSLOG", "SINGLE", or "HALT", or the line is commented out, this is a finding.SRG-OS-000057-GPOS-00027<GroupDescription></GroupDescription>UBTU-20-010122The Ubuntu operating system must be configured so that audit log files are not read or write-accessible by unauthorized users.<VulnDiscussion>Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality. +If the value of the "disk_full_action" option is not "SYSLOG", "SINGLE", or "HALT", or the line is commented out, this is a finding. + + + + + SRG-OS-000057-GPOS-00027 + <GroupDescription></GroupDescription> + + UBTU-20-010122 + The Ubuntu operating system must be configured so that audit log files are not read or write-accessible by unauthorized users. + <VulnDiscussion>Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality. Audit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit operating system activity. 
-Satisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 20.04 LTSDISADPMS TargetCanonical Ubuntu 20.04 LTS5318CCI-000162CCI-000163Configure the audit log files to have a mode of "0600" or less permissive. +Satisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Canonical Ubuntu 20.04 LTS + DISA + DPMS Target + Canonical Ubuntu 20.04 LTS + 5318 + + CCI-000162 + CCI-000163 + Configure the audit log files to have a mode of "0600" or less permissive. Determine where the audit logs are stored with the following command: @@ -1022,7 +3734,11 @@ log_file = /var/log/audit/audit.log Using the path of the directory containing the audit logs, configure the audit log files to have a mode of "0600" or less permissive by using the following command: -$ sudo chmod 0600 /var/log/audit/*Verify that the audit log files have a mode of "0600" or less permissive. +$ sudo chmod 0600 /var/log/audit/* + + + + Verify that the audit log files have a mode of "0600" or less permissive. Determine where the audit logs are stored with the following command: 
@@ -1034,11 +3750,30 @@ Using the path of the directory containing the audit logs, determine if the audi $ sudo stat -c "%n %a" /var/log/audit/* /var/log/audit/audit.log 600 -If the audit log files have a mode more permissive than "0600", this is a finding.SRG-OS-000057-GPOS-00027<GroupDescription></GroupDescription>UBTU-20-010123The Ubuntu operating system must be configured to permit only authorized users ownership of the audit log files.<VulnDiscussion>Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality. +If the audit log files have a mode more permissive than "0600", this is a finding. + + + + + SRG-OS-000057-GPOS-00027 + <GroupDescription></GroupDescription> + + UBTU-20-010123 + The Ubuntu operating system must be configured to permit only authorized users ownership of the audit log files. + <VulnDiscussion>Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality. Audit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit operating system activity. -Satisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 20.04 LTSDISADPMS TargetCanonical Ubuntu 20.04 LTS5318CCI-000162Configure the audit log directory and its underlying files to be owned by "root" user. 
+Satisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Canonical Ubuntu 20.04 LTS + DISA + DPMS Target + Canonical Ubuntu 20.04 LTS + 5318 + + CCI-000162 + Configure the audit log directory and its underlying files to be owned by "root" user. Determine where the audit logs are stored with the following command: @@ -1047,7 +3782,11 @@ log_file = /var/log/audit/audit.log Using the path of the directory containing the audit logs, configure the audit log files to be owned by "root" user by using the following command: -$ sudo chown root /var/log/audit/*Verify the audit log files are owned by "root" account. +$ sudo chown root /var/log/audit/* + + + + Verify the audit log files are owned by "root" account. Determine where the audit logs are stored with the following command: 
@@ -1059,18 +3798,41 @@ Using the path of the directory containing the audit logs, determine if the audi $ sudo stat -c "%n %U" /var/log/audit/* /var/log/audit/audit.log root -If the audit log files are owned by an user other than "root", this is a finding.SRG-OS-000057-GPOS-00027<GroupDescription></GroupDescription>UBTU-20-010124The Ubuntu operating system must permit only authorized groups ownership of the audit log files.<VulnDiscussion>Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality. +If the audit log files are owned by an user other than "root", this is a finding. + + + + + SRG-OS-000057-GPOS-00027 + <GroupDescription></GroupDescription> + + UBTU-20-010124 + The Ubuntu operating system must permit only authorized groups ownership of the audit log files. + <VulnDiscussion>Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality. Audit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit operating system activity. -Satisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 20.04 LTSDISADPMS TargetCanonical Ubuntu 20.04 LTS5318CCI-000162Configure the audit log directory and its underlying files to be owned by "root" group. 
+Satisfies: SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Canonical Ubuntu 20.04 LTS + DISA + DPMS Target + Canonical Ubuntu 20.04 LTS + 5318 + + CCI-000162 + Configure the audit log directory and its underlying files to be owned by "root" group. Set the "log_group" parameter of the audit configuration file to the "root" value so when a new log file is created, its group owner is properly set: $ sudo sed -i '/^log_group/D' /etc/audit/auditd.conf $ sudo sed -i /^log_file/a'log_group = root' /etc/audit/auditd.conf Last, signal the audit daemon to reload the configuration file to update the group owners of existing files: -$ sudo systemctl kill auditd -s SIGHUPVerify the group owner is set to own newly created audit logs in the audit configuration file with the following command: +$ sudo systemctl kill auditd -s SIGHUP + + + + Verify the group owner is set to own newly created audit logs in the audit configuration file with the following command: $ sudo grep -iw log_group /etc/audit/auditd.conf log_group = root 
@@ -1084,11 +3846,30 @@ Using the path of the directory containing the audit logs, determine if the audi $ sudo stat -c "%n %G" /var/log/audit/* /var/log/audit/audit.log root -If the audit log files are owned by a group other than "root", this is a finding.SRG-OS-000059-GPOS-00029<GroupDescription></GroupDescription>UBTU-20-010128The Ubuntu operating system must be configured so that the audit log directory is not write-accessible by unauthorized users.<VulnDiscussion>If audit information were to become compromised, then forensic analysis and discovery of the true source of potentially malicious system activity is impossible to achieve. +If the audit log files are owned by a group other than "root", this is a finding. + + + + + SRG-OS-000059-GPOS-00029 + <GroupDescription></GroupDescription> + + UBTU-20-010128 + The Ubuntu operating system must be configured so that the audit log directory is not write-accessible by unauthorized users. + <VulnDiscussion>If audit information were to become compromised, then forensic analysis and discovery of the true source of potentially malicious system activity is impossible to achieve. To ensure the veracity of audit information, the operating system must protect audit information from unauthorized deletion. This requirement can be achieved through multiple methods, which will depend upon system architecture and design. 
-Audit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit information system activity.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 20.04 LTSDISADPMS TargetCanonical Ubuntu 20.04 LTS5318CCI-000164Configure the audit log directory to have a mode of "0750" or less permissive. +Audit information includes all information (e.g., audit records, audit settings, audit reports) needed to successfully audit information system activity.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Canonical Ubuntu 20.04 LTS + DISA + DPMS Target + Canonical Ubuntu 20.04 LTS + 5318 + + CCI-000164 + Configure the audit log directory to have a mode of "0750" or less permissive. Determine where the audit logs are stored with the following command: 
@@ -1098,7 +3879,11 @@ log_file = /var/log/audit/audit.log Using the path of the directory containing the audit logs, configure the audit log directory to have a mode of "0750" or less permissive by using the following command: -$ sudo chmod -R g-w,o-rwx /var/log/auditVerify that the audit log directory has a mode of "0750" or less permissive. +$ sudo chmod -R g-w,o-rwx /var/log/audit + + + + Verify that the audit log directory has a mode of "0750" or less permissive. Determine where the audit logs are stored with the following command: 
@@ -1111,11 +3896,34 @@ $ sudo stat -c "%n %a" /var/log/audit /var/log/audit/* /var/log/audit 750 /var/log/audit/audit.log 600 -If the audit log directory has a mode more permissive than "0750", this is a finding.SRG-OS-000063-GPOS-00032<GroupDescription></GroupDescription>UBTU-20-010133The Ubuntu operating system must be configured so that audit configuration files are not write-accessible by unauthorized users.<VulnDiscussion>Without the capability to restrict which roles and individuals can select which events are audited, unauthorized personnel may be able to prevent the auditing of critical events. - -Misconfigured audits may degrade the system's performance by overwhelming the audit log. Misconfigured audits may also make it more difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 20.04 LTSDISADPMS TargetCanonical Ubuntu 20.04 LTS5318CCI-000171Configure "/etc/audit/audit.rules", "/etc/audit/rules.d/*", and "/etc/audit/auditd.conf" files to have a mode of "0640" by using the following command: - -$ sudo chmod -R 0640 /etc/audit/audit*.{rules,conf} /etc/audit/rules.d/*Verify that "/etc/audit/audit.rules", "/etc/audit/rules.d/*", and "/etc/audit/auditd.conf" files have a mode of "0640" or less permissive by using the following command: +If the audit log directory has a mode more permissive than "0750", this is a finding. 
+ + + + + SRG-OS-000063-GPOS-00032 + <GroupDescription></GroupDescription> + + UBTU-20-010133 + The Ubuntu operating system must be configured so that audit configuration files are not write-accessible by unauthorized users. + <VulnDiscussion>Without the capability to restrict which roles and individuals can select which events are audited, unauthorized personnel may be able to prevent the auditing of critical events. + +Misconfigured audits may degrade the system's performance by overwhelming the audit log. Misconfigured audits may also make it more difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Canonical Ubuntu 20.04 LTS + DISA + DPMS Target + Canonical Ubuntu 20.04 LTS + 5318 + + CCI-000171 + Configure "/etc/audit/audit.rules", "/etc/audit/rules.d/*", and "/etc/audit/auditd.conf" files to have a mode of "0640" by using the following command: + +$ sudo chmod -R 0640 /etc/audit/audit*.{rules,conf} /etc/audit/rules.d/* + + + + Verify that "/etc/audit/audit.rules", "/etc/audit/rules.d/*", and "/etc/audit/auditd.conf" files have a mode of "0640" or less permissive by using the following command: $ sudo ls -al /etc/audit/ /etc/audit/rules.d/ 
@@ -1135,11 +3943,34 @@ drwxr-x--- 2 root root 4096 Dec 27 09:56 rules.d -rw-r----- 1 root root 10357 Dec 27 09:56 stig.rules -If "/etc/audit/audit.rule","/etc/audit/rules.d/*", or "/etc/audit/auditd.conf" file have a mode more permissive than "0640", this is a finding.SRG-OS-000063-GPOS-00032<GroupDescription></GroupDescription>UBTU-20-010134The Ubuntu operating system must permit only authorized accounts to own the audit configuration files.<VulnDiscussion>Without the capability to restrict which roles and individuals can select which events are audited, unauthorized personnel may be able to prevent the auditing of critical events. - -Misconfigured audits may degrade the system's performance by overwhelming the audit log. Misconfigured audits may also make it more difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 20.04 LTSDISADPMS TargetCanonical Ubuntu 20.04 LTS5318CCI-000171Configure "/etc/audit/audit.rules", "/etc/audit/rules.d/*" and "/etc/audit/auditd.conf" files to be owned by root user by using the following command: - -$ sudo chown root /etc/audit/audit*.{rules,conf} /etc/audit/rules.d/*Verify that "/etc/audit/audit.rules", "/etc/audit/rules.d/*" and "/etc/audit/auditd.conf" files are owned by root account by using the following command: +If "/etc/audit/audit.rule","/etc/audit/rules.d/*", or "/etc/audit/auditd.conf" file have a mode more permissive than "0640", this is a finding. 
+ + + + + SRG-OS-000063-GPOS-00032 + <GroupDescription></GroupDescription> + + UBTU-20-010134 + The Ubuntu operating system must permit only authorized accounts to own the audit configuration files. + <VulnDiscussion>Without the capability to restrict which roles and individuals can select which events are audited, unauthorized personnel may be able to prevent the auditing of critical events. + +Misconfigured audits may degrade the system's performance by overwhelming the audit log. Misconfigured audits may also make it more difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Canonical Ubuntu 20.04 LTS + DISA + DPMS Target + Canonical Ubuntu 20.04 LTS + 5318 + + CCI-000171 + Configure "/etc/audit/audit.rules", "/etc/audit/rules.d/*" and "/etc/audit/auditd.conf" files to be owned by root user by using the following command: + +$ sudo chown root /etc/audit/audit*.{rules,conf} /etc/audit/rules.d/* + + + + Verify that "/etc/audit/audit.rules", "/etc/audit/rules.d/*" and "/etc/audit/auditd.conf" files are owned by root account by using the following command: $ sudo ls -al /etc/audit/ /etc/audit/rules.d/ 
@@ -1167,11 +3998,34 @@ drwxr-x--- 3 root root 4096 Nov 25 11:02 .. -rw-r----- 1 root root 10357 Dec 27 09:56 stig.rules -If the "/etc/audit/audit.rules", "/etc/audit/rules.d/*", or "/etc/audit/auditd.conf" file is owned by a user other than "root", this is a finding.SRG-OS-000063-GPOS-00032<GroupDescription></GroupDescription>UBTU-20-010135The Ubuntu operating system must permit only authorized groups to own the audit configuration files.<VulnDiscussion>Without the capability to restrict which roles and individuals can select which events are audited, unauthorized personnel may be able to prevent the auditing of critical events. - -Misconfigured audits may degrade the system's performance by overwhelming the audit log. Misconfigured audits may also make it more difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 20.04 LTSDISADPMS TargetCanonical Ubuntu 20.04 LTS5318CCI-000171Configure "/etc/audit/audit.rules", "/etc/audit/rules.d/*", and "/etc/audit/auditd.conf" files to be owned by root group by using the following command: - -$ sudo chown :root /etc/audit/audit*.{rules,conf} /etc/audit/rules.d/*Verify that "/etc/audit/audit.rules", "/etc/audit/rules.d/*", and "/etc/audit/auditd.conf" files are owned by root group by using the following command: +If the "/etc/audit/audit.rules", "/etc/audit/rules.d/*", or "/etc/audit/auditd.conf" file is owned by a user other than "root", this is a finding. 
+ + + + + SRG-OS-000063-GPOS-00032 + <GroupDescription></GroupDescription> + + UBTU-20-010135 + The Ubuntu operating system must permit only authorized groups to own the audit configuration files. + <VulnDiscussion>Without the capability to restrict which roles and individuals can select which events are audited, unauthorized personnel may be able to prevent the auditing of critical events. + +Misconfigured audits may degrade the system's performance by overwhelming the audit log. Misconfigured audits may also make it more difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Canonical Ubuntu 20.04 LTS + DISA + DPMS Target + Canonical Ubuntu 20.04 LTS + 5318 + + CCI-000171 + Configure "/etc/audit/audit.rules", "/etc/audit/rules.d/*", and "/etc/audit/auditd.conf" files to be owned by root group by using the following command: + +$ sudo chown :root /etc/audit/audit*.{rules,conf} /etc/audit/rules.d/* + + + + Verify that "/etc/audit/audit.rules", "/etc/audit/rules.d/*", and "/etc/audit/auditd.conf" files are owned by root group by using the following command: $ sudo ls -al /etc/audit/ /etc/audit/rules.d/ 
@@ -1191,9 +4045,28 @@ drwxr-x--- 2 root root 4096 Dec 27 09:56 rules.d -rw-r----- 1 root root 10357 Dec 27 09:56 stig.rules -If the "/etc/audit/audit.rules", "/etc/audit/rules.d/*", or "/etc/audit/auditd.conf" file is owned by a group other than "root", this is a finding.SRG-OS-000064-GPOS-00033<GroupDescription></GroupDescription>UBTU-20-010136The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the su command.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 20.04 LTSDISADPMS TargetCanonical Ubuntu 20.04 LTS5318CCI-000172Configure the Ubuntu operating system to generate audit records when successful/unsuccessful attempts to use the "su" command occur. +If the "/etc/audit/audit.rules", "/etc/audit/rules.d/*", or "/etc/audit/auditd.conf" file is owned by a group other than "root", this is a finding. + + + + + SRG-OS-000064-GPOS-00033 + <GroupDescription></GroupDescription> + + UBTU-20-010136 + The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the su command. 
+ <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Canonical Ubuntu 20.04 LTS + DISA + DPMS Target + Canonical Ubuntu 20.04 LTS + 5318 + + CCI-000172 + Configure the Ubuntu operating system to generate audit records when successful/unsuccessful attempts to use the "su" command occur. Add or update the following rules in the "/etc/audit/rules.d/stig.rules" file: @@ -1201,7 +4074,11 @@ Add or update the following rules in the "/etc/audit/rules.d/stig.rules" file: To reload the rules file, issue the following command: -$ sudo augenrules --loadVerify the Ubuntu operating system generates audit records upon successful/unsuccessful attempts to use the "su" command. +$ sudo augenrules --load + + + + Verify the Ubuntu operating system generates audit records upon successful/unsuccessful attempts to use the "su" command. Check the configured audit rules with the following commands: 
@@ -1211,9 +4088,28 @@ $ sudo auditctl -l | grep '/bin/su' If the command does not return lines that match the example or the lines are commented out, this is a finding. -Note: The "-k" allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above.SRG-OS-000064-GPOS-00033<GroupDescription></GroupDescription>UBTU-20-010137The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the chfn command.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 20.04 LTSDISADPMS TargetCanonical Ubuntu 20.04 LTS5318CCI-000172Configure the audit system to generate an audit event for any successful/unsuccessful uses of the "chfn" command. +Note: The "-k" allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above. + + + + + SRG-OS-000064-GPOS-00033 + <GroupDescription></GroupDescription> + + UBTU-20-010137 + The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the chfn command. 
+ <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Canonical Ubuntu 20.04 LTS + DISA + DPMS Target + Canonical Ubuntu 20.04 LTS + 5318 + + CCI-000172 + Configure the audit system to generate an audit event for any successful/unsuccessful uses of the "chfn" command. Add or update the following rules in the "/etc/audit/rules.d/stig.rules" file: @@ -1221,7 +4117,11 @@ Add or update the following rules in the "/etc/audit/rules.d/stig.rules" file: To reload the rules file, issue the following command: -$ sudo augenrules --loadVerify the Ubuntu operating system generates audit records upon successful/unsuccessful attempts to use the "chfn" command. +$ sudo augenrules --load + + + + Verify the Ubuntu operating system generates audit records upon successful/unsuccessful attempts to use the "chfn" command. Check the configured audit rules with the following commands: 
@@ -1231,9 +4131,28 @@ $ sudo auditctl -l | grep '/usr/bin/chfn' If the command does not return lines that match the example or the lines are commented out, this is a finding. -Note: The "-k" allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above.SRG-OS-000064-GPOS-00033<GroupDescription></GroupDescription>UBTU-20-010138The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the mount command.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 20.04 LTSDISADPMS TargetCanonical Ubuntu 20.04 LTS5318CCI-000172Configure the audit system to generate an audit event for any successful/unsuccessful use of the "mount" command. +Note: The "-k" allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above. + + + + + SRG-OS-000064-GPOS-00033 + <GroupDescription></GroupDescription> + + UBTU-20-010138 + The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the mount command. 
+ <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Canonical Ubuntu 20.04 LTS + DISA + DPMS Target + Canonical Ubuntu 20.04 LTS + 5318 + + CCI-000172 + Configure the audit system to generate an audit event for any successful/unsuccessful use of the "mount" command. Add or update the following rules in the "/etc/audit/rules.d/stig.rules" file: @@ -1241,7 +4160,11 @@ Add or update the following rules in the "/etc/audit/rules.d/stig.rules" file: To reload the rules file, issue the following command: -$ sudo augenrules --loadVerify the Ubuntu operating system generates audit records upon successful/unsuccessful attempts to use the "mount" command. +$ sudo augenrules --load + + + + Verify the Ubuntu operating system generates audit records upon successful/unsuccessful attempts to use the "mount" command. Check the configured audit rules with the following commands: 
@@ -1251,9 +4174,28 @@ $ sudo auditctl -l | grep '/usr/bin/mount' If the command does not return lines that match the example or the lines are commented out, this is a finding. -Note: The "-k" allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above.SRG-OS-000064-GPOS-00033<GroupDescription></GroupDescription>UBTU-20-010139The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the umount command.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 20.04 LTSDISADPMS TargetCanonical Ubuntu 20.04 LTS5318CCI-000172Configure the audit system to generate an audit event for any successful/unsuccessful use of the "umount" command. +Note: The "-k" allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above. + + + + + SRG-OS-000064-GPOS-00033 + <GroupDescription></GroupDescription> + + UBTU-20-010139 + The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the umount command. 
+ <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Canonical Ubuntu 20.04 LTS + DISA + DPMS Target + Canonical Ubuntu 20.04 LTS + 5318 + + CCI-000172 + Configure the audit system to generate an audit event for any successful/unsuccessful use of the "umount" command. Add or update the following rules in the "/etc/audit/rules.d/stig.rules" file: @@ -1261,7 +4203,11 @@ Add or update the following rules in the "/etc/audit/rules.d/stig.rules" file: To reload the rules file, issue the following command: -$ sudo augenrules --loadVerify if the Ubuntu operating system generates audit records upon successful/unsuccessful attempts to use the "umount" command. +$ sudo augenrules --load + + + + Verify if the Ubuntu operating system generates audit records upon successful/unsuccessful attempts to use the "umount" command. Check the configured audit rules with the following commands: 
@@ -1271,9 +4217,28 @@ $ sudo auditctl -l | grep '/usr/bin/umount' If the command does not return lines that match the example or the lines are commented out, this is a finding. -Note: The "-k" allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above.SRG-OS-000064-GPOS-00033<GroupDescription></GroupDescription>UBTU-20-010140The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the ssh-agent command.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 20.04 LTSDISADPMS TargetCanonical Ubuntu 20.04 LTS5318CCI-000172Configure the audit system to generate an audit event for any successful/unsuccessful use of the "ssh-agent" command. +Note: The "-k" allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above. + + + + + SRG-OS-000064-GPOS-00033 + <GroupDescription></GroupDescription> + + UBTU-20-010140 + The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the ssh-agent command. 
+ <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Canonical Ubuntu 20.04 LTS + DISA + DPMS Target + Canonical Ubuntu 20.04 LTS + 5318 + + CCI-000172 + Configure the audit system to generate an audit event for any successful/unsuccessful use of the "ssh-agent" command. Add or update the following rules in the "/etc/audit/rules.d/stig.rules" file: @@ -1281,7 +4246,11 @@ Add or update the following rules in the "/etc/audit/rules.d/stig.rules" file: To reload the rules file, issue the following command: -$ sudo augenrules --loadVerify the Ubuntu operating system generates an audit record upon successful/unsuccessful attempts to use the "ssh-agent" command. +$ sudo augenrules --load + + + + Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful attempts to use the "ssh-agent" command. Check the configured audit rules with the following commands: 
@@ -1291,9 +4260,28 @@ $ sudo auditctl -l | grep '/usr/bin/ssh-agent' If the command does not return lines that match the example or the lines are commented out, this is a finding. -Note: The "-k" allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above.SRG-OS-000064-GPOS-00033<GroupDescription></GroupDescription>UBTU-20-010141The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the ssh-keysign command.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 20.04 LTSDISADPMS TargetCanonical Ubuntu 20.04 LTS5318CCI-000172Configure the audit system to generate an audit event for any successful/unsuccessful use of the "ssh-keysign" command. +Note: The "-k" allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above. + + + + + SRG-OS-000064-GPOS-00033 + <GroupDescription></GroupDescription> + + UBTU-20-010141 + The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the ssh-keysign command. 
+ <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Canonical Ubuntu 20.04 LTS + DISA + DPMS Target + Canonical Ubuntu 20.04 LTS + 5318 + + CCI-000172 + Configure the audit system to generate an audit event for any successful/unsuccessful use of the "ssh-keysign" command. Add or update the following rules in the "/etc/audit/rules.d/stig.rules" file: @@ -1301,7 +4289,11 @@ Add or update the following rules in the "/etc/audit/rules.d/stig.rules" file: To reload the rules file, issue the following command: -$ sudo augenrules --loadVerify the Ubuntu operating system generates an audit record upon successful/unsuccessful attempts to use the "ssh-keysign" command. +$ sudo augenrules --load + + + + Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful attempts to use the "ssh-keysign" command. Check the configured audit rules with the following commands: 
@@ -1311,13 +4303,32 @@ $ sudo auditctl -l | grep ssh-keysign If the command does not return lines that match the example or the lines are commented out, this is a finding. -Note: The "-k" allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above.SRG-OS-000064-GPOS-00033<GroupDescription></GroupDescription>UBTU-20-010142The Ubuntu operating system must generate audit records for any use of the setxattr, fsetxattr, lsetxattr, removexattr, fremovexattr, and lremovexattr system calls.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. +Note: The "-k" allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above. + + + + + SRG-OS-000064-GPOS-00033 + <GroupDescription></GroupDescription> + + UBTU-20-010142 + The Ubuntu operating system must generate audit records for any use of the setxattr, fsetxattr, lsetxattr, removexattr, fremovexattr, and lremovexattr system calls. + <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). The system call rules are loaded into a matching engine that intercepts each syscall that all programs on the system makes. Therefore, it is very important to only use syscall rules when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance is helped, though, by combining syscalls into one rule whenever possible. 
-Satisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000462-GPOS-00206</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 20.04 LTSDISADPMS TargetCanonical Ubuntu 20.04 LTS5318CCI-000172Configure the audit system to generate an audit event for any successful/unsuccessful use of the "setxattr", "fsetxattr", "lsetxattr", "removexattr", "fremovexattr", and "lremovexattr" system calls. +Satisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000462-GPOS-00206</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Canonical Ubuntu 20.04 LTS + DISA + DPMS Target + Canonical Ubuntu 20.04 LTS + 5318 + + CCI-000172 + Configure the audit system to generate an audit event for any successful/unsuccessful use of the "setxattr", "fsetxattr", "lsetxattr", "removexattr", "fremovexattr", and "lremovexattr" system calls. Add or update the following rules in the "/etc/audit/rules.d/stig.rules" file: 
@@ -1330,7 +4341,11 @@ Note: For 32-bit architectures, only the 32-bit specific entries are required. To reload the rules file, issue the following command: -$ sudo augenrules --loadVerify the Ubuntu operating system generates an audit record upon successful/unsuccessful attempts to use the "setxattr", "fsetxattr", "lsetxattr", "removexattr", "fremovexattr", and "lremovexattr" system calls. +$ sudo augenrules --load + + + + Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful attempts to use the "setxattr", "fsetxattr", "lsetxattr", "removexattr", "fremovexattr", and "lremovexattr" system calls. Check the currently configured audit rules with the following command: 
@@ -1345,13 +4360,32 @@ If the command does not return audit rules for the "setxattr", "fsetxattr", "lse Notes: For 32-bit architectures, only the 32-bit specific output lines from the commands are required. -The "-k" allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above.SRG-OS-000064-GPOS-00033<GroupDescription></GroupDescription>UBTU-20-010148The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the chown, fchown, fchownat, and lchown system calls.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. +The "-k" allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above. + + + + + SRG-OS-000064-GPOS-00033 + <GroupDescription></GroupDescription> + + UBTU-20-010148 + The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the chown, fchown, fchownat, and lchown system calls. + <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). The system call rules are loaded into a matching engine that intercepts each syscall that all programs on the system makes. Therefore, it is very important to only use syscall rules when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance is helped, though, by combining syscalls into one rule whenever possible. 
-Satisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000462-GPOS-00206</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 20.04 LTSDISADPMS TargetCanonical Ubuntu 20.04 LTS5318CCI-000172Configure the audit system to generate an audit event for any successful/unsuccessful use of the "chown", "fchown", "fchownat", and "lchown" system calls. +Satisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000462-GPOS-00206</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Canonical Ubuntu 20.04 LTS + DISA + DPMS Target + Canonical Ubuntu 20.04 LTS + 5318 + + CCI-000172 + Configure the audit system to generate an audit event for any successful/unsuccessful use of the "chown", "fchown", "fchownat", and "lchown" system calls. Add or update the following rules in the "/etc/audit/rules.d/stig.rules": 
@@ -1362,7 +4396,11 @@ Note: For 32-bit architectures, only the 32-bit specific entries are required. To reload the rules file, issue the following command: -$ sudo augenrules --loadVerify the Ubuntu operating system generates an audit record upon successful/unsuccessful attempts to use the "chown", "fchown", "fchownat", and "lchown" system calls. +$ sudo augenrules --load + + + + Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful attempts to use the "chown", "fchown", "fchownat", and "lchown" system calls. Check the configured audit rules with the following commands: 
@@ -1375,13 +4413,32 @@ If the command does not return audit rules for the "chown", "fchown", "fchownat" Notes: For 32-bit architectures, only the 32-bit specific output lines from the commands are required. -The "-k" allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above.SRG-OS-000064-GPOS-00033<GroupDescription></GroupDescription>UBTU-20-010152The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the chmod, fchmod, and fchmodat system calls.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. +The "-k" allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above. + + + + + SRG-OS-000064-GPOS-00033 + <GroupDescription></GroupDescription> + + UBTU-20-010152 + The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the chmod, fchmod, and fchmodat system calls. + <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). The system call rules are loaded into a matching engine that intercepts each syscall that all programs on the system makes. Therefore, it is very important to only use syscall rules when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance is helped, though, by combining syscalls into one rule whenever possible. 
-Satisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000462-GPOS-00206</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 20.04 LTSDISADPMS TargetCanonical Ubuntu 20.04 LTS5318CCI-000172Configure the audit system to generate an audit event for any successful/unsuccessful use of the "chmod", "fchmod", and "fchmodat" system calls. +Satisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000462-GPOS-00206</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Canonical Ubuntu 20.04 LTS + DISA + DPMS Target + Canonical Ubuntu 20.04 LTS + 5318 + + CCI-000172 + Configure the audit system to generate an audit event for any successful/unsuccessful use of the "chmod", "fchmod", and "fchmodat" system calls. Add or update the following rules in the "/etc/audit/rules.d/stig.rules": 
@@ -1392,7 +4449,11 @@ Notes: For 32-bit architectures, only the 32-bit specific entries are required. To reload the rules file, issue the following command: -$ sudo augenrules --loadVerify the Ubuntu operating system generates an audit record upon successful/unsuccessful attempts to use the "chmod", "fchmod", and "fchmodat" system calls. +$ sudo augenrules --load + + + + Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful attempts to use the "chmod", "fchmod", and "fchmodat" system calls. Check the configured audit rules with the following commands: 
@@ -1405,13 +4466,32 @@ If the command does not return audit rules for the "chmod", "fchmod" and "fchmod Notes: For 32-bit architectures, only the 32-bit specific output lines from the commands are required. -The "-k" allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above.SRG-OS-000064-GPOS-00033<GroupDescription></GroupDescription>UBTU-20-010155The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the creat, open, openat, open_by_handle_at, truncate, and ftruncate system calls.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. +The "-k" allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above. + + + + + SRG-OS-000064-GPOS-00033 + <GroupDescription></GroupDescription> + + UBTU-20-010155 + The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the creat, open, openat, open_by_handle_at, truncate, and ftruncate system calls. + <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). The system call rules are loaded into a matching engine that intercepts each syscall that all programs on the system makes. Therefore, it is very important to only use syscall rules when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. 
The performance is helped, though, by combining syscalls into one rule whenever possible. -Satisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000474-GPOS-00219</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 20.04 LTSDISADPMS TargetCanonical Ubuntu 20.04 LTS5318CCI-000172Configure the audit system to generate an audit event for any unsuccessful use of the"creat", "open", "openat", "open_by_handle_at", "truncate", and "ftruncate" system calls. +Satisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000474-GPOS-00219</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Canonical Ubuntu 20.04 LTS + DISA + DPMS Target + Canonical Ubuntu 20.04 LTS + 5318 + + CCI-000172 + Configure the audit system to generate an audit event for any unsuccessful use of the"creat", "open", "openat", "open_by_handle_at", "truncate", and "ftruncate" system calls. Add or update the following rules in the "/etc/audit/rules.d/stig.rules" file: 
@@ -1424,7 +4504,11 @@ Notes: For 32-bit architectures, only the 32-bit specific entries are required. To reload the rules file, issue the following command: -$ sudo augenrules --loadVerify the Ubuntu operating system generates an audit record upon unsuccessful attempts to use the "creat", "open", "openat", "open_by_handle_at", "truncate", and "ftruncate" system calls. +$ sudo augenrules --load + + + + Verify the Ubuntu operating system generates an audit record upon unsuccessful attempts to use the "creat", "open", "openat", "open_by_handle_at", "truncate", and "ftruncate" system calls. Check the configured audit rules with the following commands: 
@@ -1439,9 +4523,28 @@ If the command does not return audit rules for the "creat", "open", "openat", "o Notes: For 32-bit architectures, only the 32-bit specific output lines from the commands are required. -The "-k" allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above.SRG-OS-000064-GPOS-00033<GroupDescription></GroupDescription>UBTU-20-010161The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the sudo command.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 20.04 LTSDISADPMS TargetCanonical Ubuntu 20.04 LTS5318CCI-000172Configure the audit system to generate an audit event for any successful/unsuccessful use of the "sudo" command. +The "-k" allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above. + + + + + SRG-OS-000064-GPOS-00033 + <GroupDescription></GroupDescription> + + UBTU-20-010161 + The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the sudo command. 
+ <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Canonical Ubuntu 20.04 LTS + DISA + DPMS Target + Canonical Ubuntu 20.04 LTS + 5318 + + CCI-000172 + Configure the audit system to generate an audit event for any successful/unsuccessful use of the "sudo" command. Add or update the following rules in the "/etc/audit/rules.d/stig.rules" file: @@ -1449,7 +4552,11 @@ Add or update the following rules in the "/etc/audit/rules.d/stig.rules" file: To reload the rules file, issue the following command: -$ sudo augenrules --loadVerify that an audit event is generated for any successful/unsuccessful use of the "sudo" command. +$ sudo augenrules --load + + + + Verify that an audit event is generated for any successful/unsuccessful use of the "sudo" command. Check the configured audit rules with the following command: 
@@ -1459,9 +4566,28 @@ $ sudo auditctl -l | grep /usr/bin/sudo If the command does not return a line that matches the example or the line is commented out, this is a finding. -Note: The "-k" allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above.SRG-OS-000064-GPOS-00033<GroupDescription></GroupDescription>UBTU-20-010162The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the sudoedit command.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 20.04 LTSDISADPMS TargetCanonical Ubuntu 20.04 LTS5318CCI-000172Configure the audit system to generate an audit event for any successful/unsuccessful use of the "sudoedit" command. +Note: The "-k" allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above. + + + + + SRG-OS-000064-GPOS-00033 + <GroupDescription></GroupDescription> + + UBTU-20-010162 + The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the sudoedit command. 
+ <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Canonical Ubuntu 20.04 LTS + DISA + DPMS Target + Canonical Ubuntu 20.04 LTS + 5318 + + CCI-000172 + Configure the audit system to generate an audit event for any successful/unsuccessful use of the "sudoedit" command. Add or update the following rules in the "/etc/audit/rules.d/stig.rules": @@ -1469,7 +4595,11 @@ Add or update the following rules in the "/etc/audit/rules.d/stig.rules": To reload the rules file, issue the following command: -$ sudo augenrules --loadVerify the Ubuntu operating system generates an audit record upon successful/unsuccessful attempts to use the "sudoedit" command. +$ sudo augenrules --load + + + + Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful attempts to use the "sudoedit" command. Check the configured audit rules with the following commands: 
@@ -1479,9 +4609,28 @@ $ sudo auditctl -l | grep /usr/bin/sudoedit If the command does not return a line that matches the example or the line is commented out, this is a finding. -Note: The "-k" allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above.SRG-OS-000064-GPOS-00033<GroupDescription></GroupDescription>UBTU-20-010163The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the chsh command.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 20.04 LTSDISADPMS TargetCanonical Ubuntu 20.04 LTS5318CCI-000172Configure the audit system to generate an audit event for any successful/unsuccessful use of the "chsh" command. +Note: The "-k" allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above. + + + + + SRG-OS-000064-GPOS-00033 + <GroupDescription></GroupDescription> + + UBTU-20-010163 + The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the chsh command. 
+ <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Canonical Ubuntu 20.04 LTS + DISA + DPMS Target + Canonical Ubuntu 20.04 LTS + 5318 + + CCI-000172 + Configure the audit system to generate an audit event for any successful/unsuccessful use of the "chsh" command. Add or update the following rules in the "/etc/audit/rules.d/stig.rules" file: @@ -1489,7 +4638,11 @@ Add or update the following rules in the "/etc/audit/rules.d/stig.rules" file: To reload the rules file, issue the following command: -$ sudo augenrules --loadVerify the Ubuntu operating system generates an audit record upon successful/unsuccessful attempts to use the "chsh" command. +$ sudo augenrules --load + + + + Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful attempts to use the "chsh" command. Check the configured audit rules with the following commands: 
@@ -1499,9 +4652,28 @@ $ sudo auditctl -l | grep chsh If the command does not return a line that matches the example or the line is commented out, this is a finding. -Notes: The "-k" allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above.SRG-OS-000064-GPOS-00033<GroupDescription></GroupDescription>UBTU-20-010164The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the newgrp command.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 20.04 LTSDISADPMS TargetCanonical Ubuntu 20.04 LTS5318CCI-000172Configure the audit system to generate an audit event for any successful/unsuccessful use of the "newgrp" command. +Notes: The "-k" allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above. + + + + + SRG-OS-000064-GPOS-00033 + <GroupDescription></GroupDescription> + + UBTU-20-010164 + The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the newgrp command. 
+ <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Canonical Ubuntu 20.04 LTS + DISA + DPMS Target + Canonical Ubuntu 20.04 LTS + 5318 + + CCI-000172 + Configure the audit system to generate an audit event for any successful/unsuccessful use of the "newgrp" command. Add or update the following rules in the "/etc/audit/rules.d/stig.rules" file: @@ -1509,7 +4681,11 @@ Add or update the following rules in the "/etc/audit/rules.d/stig.rules" file: To reload the rules file, issue the following command: -$ sudo augenrules --loadVerify the Ubuntu operating system generates an audit record upon successful/unsuccessful attempts to use the "newgrp" command. +$ sudo augenrules --load + + + + Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful attempts to use the "newgrp" command. Check the configured audit rules with the following commands: 
@@ -1519,9 +4695,28 @@ $ sudo auditctl -l | grep newgrp If the command does not return a line that matches the example or the line is commented out, this is a finding. -Note: The "-k" allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above.SRG-OS-000064-GPOS-00033<GroupDescription></GroupDescription>UBTU-20-010165The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the chcon command.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 20.04 LTSDISADPMS TargetCanonical Ubuntu 20.04 LTS5318CCI-000172Configure the audit system to generate an audit event for any successful/unsuccessful use of the "chcon" command. +Note: The "-k" allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above. + + + + + SRG-OS-000064-GPOS-00033 + <GroupDescription></GroupDescription> + + UBTU-20-010165 + The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the chcon command. 
+ <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Canonical Ubuntu 20.04 LTS + DISA + DPMS Target + Canonical Ubuntu 20.04 LTS + 5318 + + CCI-000172 + Configure the audit system to generate an audit event for any successful/unsuccessful use of the "chcon" command. Add or update the following rules in the "/etc/audit/rules.d/stig.rules" file: @@ -1529,7 +4724,11 @@ Add or update the following rules in the "/etc/audit/rules.d/stig.rules" file: To reload the rules file, issue the following command: -$ sudo augenrules --loadVerify the Ubuntu operating system generates an audit record upon successful/unsuccessful attempts to use the "chcon" command. +$ sudo augenrules --load + + + + Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful attempts to use the "chcon" command. Check the currently configured audit rules with the following command: 
@@ -1539,9 +4738,28 @@ $ sudo auditctl -l | grep chcon If the command does not return a line that matches the example or the line is commented out, this is a finding. -Note: The "-k" allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above.SRG-OS-000064-GPOS-00033<GroupDescription></GroupDescription>UBTU-20-010166The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the apparmor_parser command.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 20.04 LTSDISADPMS TargetCanonical Ubuntu 20.04 LTS5318CCI-000172Configure the audit system to generate an audit event for any successful/unsuccessful use of the "apparmor_parser" command. +Note: The "-k" allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above. + + + + + SRG-OS-000064-GPOS-00033 + <GroupDescription></GroupDescription> + + UBTU-20-010166 + The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the apparmor_parser command. 
+ <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Canonical Ubuntu 20.04 LTS + DISA + DPMS Target + Canonical Ubuntu 20.04 LTS + 5318 + + CCI-000172 + Configure the audit system to generate an audit event for any successful/unsuccessful use of the "apparmor_parser" command. Add or update the following rules in the "/etc/audit/rules.d/stig.rules" file: @@ -1549,7 +4767,11 @@ Add or update the following rules in the "/etc/audit/rules.d/stig.rules" file: To reload the rules file, issue the following command: -$ sudo augenrules --loadVerify the Ubuntu operating system generates an audit record upon successful/unsuccessful attempts to use the "apparmor_parser" command. +$ sudo augenrules --load + + + + Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful attempts to use the "apparmor_parser" command. Check the currently configured audit rules with the following command: 
@@ -1559,9 +4781,28 @@ $ sudo auditctl -l | grep apparmor_parser If the command does not return a line that matches the example or the line is commented out, this is a finding. -Note: The "-k" allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above.SRG-OS-000064-GPOS-00033<GroupDescription></GroupDescription>UBTU-20-010167The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the setfacl command.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 20.04 LTSDISADPMS TargetCanonical Ubuntu 20.04 LTS5318CCI-000172Configure the audit system to generate an audit event for any successful/unsuccessful use of the "setfacl" command. +Note: The "-k" allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above. + + + + + SRG-OS-000064-GPOS-00033 + <GroupDescription></GroupDescription> + + UBTU-20-010167 + The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the setfacl command. 
+ <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Canonical Ubuntu 20.04 LTS + DISA + DPMS Target + Canonical Ubuntu 20.04 LTS + 5318 + + CCI-000172 + Configure the audit system to generate an audit event for any successful/unsuccessful use of the "setfacl" command. Add or update the following rules in the "/etc/audit/rules.d/stig.rules" file: @@ -1569,7 +4810,11 @@ Add or update the following rules in the "/etc/audit/rules.d/stig.rules" file: To reload the rules file, issue the following command: -$ sudo augenrules --loadVerify the Ubuntu operating system generates an audit record upon successful/unsuccessful attempts to use the "setfacl" command. +$ sudo augenrules --load + + + + Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful attempts to use the "setfacl" command. Check the currently configured audit rules with the following command: 
@@ -1579,9 +4824,28 @@ $ sudo auditctl -l | grep setfacl If the command does not return a line that matches the example or the line is commented out, this is a finding. -Note: The "-k" allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above.SRG-OS-000064-GPOS-00033<GroupDescription></GroupDescription>UBTU-20-010168The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the chacl command.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 20.04 LTSDISADPMS TargetCanonical Ubuntu 20.04 LTS5318CCI-000172Configure the audit system to generate an audit event for any successful/unsuccessful use of the "chacl" command. +Note: The "-k" allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above. + + + + + SRG-OS-000064-GPOS-00033 + <GroupDescription></GroupDescription> + + UBTU-20-010168 + The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the chacl command. 
+ <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Canonical Ubuntu 20.04 LTS + DISA + DPMS Target + Canonical Ubuntu 20.04 LTS + 5318 + + CCI-000172 + Configure the audit system to generate an audit event for any successful/unsuccessful use of the "chacl" command. Add or update the following rules in the "/etc/audit/rules.d/stig.rules" file: @@ -1589,7 +4853,11 @@ Add or update the following rules in the "/etc/audit/rules.d/stig.rules" file: To reload the rules file, issue the following command: -$ sudo augenrules --loadVerify the Ubuntu operating system generates an audit record upon successful/unsuccessful attempts to use the "chacl" command. +$ sudo augenrules --load + + + + Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful attempts to use the "chacl" command. Check the currently configured audit rules with the following command: 
@@ -1599,11 +4867,30 @@ $ sudo audtctl -l | grep chacl If the command does not return a line that matches the example or the line is commented out, this is a finding. -Note: The "-k" allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above.SRG-OS-000064-GPOS-00033<GroupDescription></GroupDescription>UBTU-20-010169The Ubuntu operating system must generate audit records for the use and modification of the tallylog file.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. +Note: The "-k" allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above. + + + + + SRG-OS-000064-GPOS-00033 + <GroupDescription></GroupDescription> + + UBTU-20-010169 + The Ubuntu operating system must generate audit records for the use and modification of the tallylog file. + <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). 
-Satisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000470-GPOS-00214, SRG-OS-000473-GPOS-00218</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 20.04 LTSDISADPMS TargetCanonical Ubuntu 20.04 LTS5318CCI-000172Configure the audit system to generate an audit event for any successful/unsuccessful modifications to the "tallylog" file. +Satisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000470-GPOS-00214, SRG-OS-000473-GPOS-00218</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Canonical Ubuntu 20.04 LTS + DISA + DPMS Target + Canonical Ubuntu 20.04 LTS + 5318 + + CCI-000172 + Configure the audit system to generate an audit event for any successful/unsuccessful modifications to the "tallylog" file. Add or update the following rules in the "/etc/audit/rules.d/stig.rules" file: @@ -1611,7 +4898,11 @@ Add or update the following rules in the "/etc/audit/rules.d/stig.rules" file: To reload the rules file, issue the following command: -$ sudo augenrules --loadVerify the Ubuntu operating system generates an audit record upon successful/unsuccessful modifications to the "tallylog" file. +$ sudo augenrules --load + + + + Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful modifications to the "tallylog" file. Check the currently configured audit rules with the following command: 
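Review bot: The check command on this hunk's header context line reads `$ sudo audtctl -l | grep chacl`, and `audtctl` is not the audit tool's name — an operator who pastes the check as written gets a command-not-found instead of a rule listing, so the chacl rule (UBTU-20-010168, whose check text ends just before this hunk) cannot be verified from the text as published. Every sibling check in the neighbouring hunks uses `auditctl`, so this looks like an upstream typo in the benchmark that the reformat carries over verbatim. The line is unchanged context rather than part of the additions, so the fix is `$ sudo auditctl -l | grep chacl` on the line immediately above the hunk, or a tracking note if this file is meant to mirror the upstream release byte-for-byte.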
@@ -1621,11 +4912,30 @@ $ sudo auditctl -l | grep tallylog If the command does not return a line that matches the example or the line is commented out, this is a finding. -Note: The "-k" allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above.SRG-OS-000064-GPOS-00033<GroupDescription></GroupDescription>UBTU-20-010170The Ubuntu operating system must generate audit records for the use and modification of faillog file.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. +Note: The "-k" allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above. + + + + + SRG-OS-000064-GPOS-00033 + <GroupDescription></GroupDescription> + + UBTU-20-010170 + The Ubuntu operating system must generate audit records for the use and modification of faillog file. + <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). 
-Satisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000470-GPOS-00214, SRG-OS-000473-GPOS-00218</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 20.04 LTSDISADPMS TargetCanonical Ubuntu 20.04 LTS5318CCI-000172Configure the audit system to generate an audit event for any successful/unsuccessful modifications to the "faillog" file. +Satisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000470-GPOS-00214, SRG-OS-000473-GPOS-00218</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Canonical Ubuntu 20.04 LTS + DISA + DPMS Target + Canonical Ubuntu 20.04 LTS + 5318 + + CCI-000172 + Configure the audit system to generate an audit event for any successful/unsuccessful modifications to the "faillog" file. Add or update the following rules in the "/etc/audit/rules.d/stig.rules" file: @@ -1633,7 +4943,11 @@ Add or update the following rules in the "/etc/audit/rules.d/stig.rules" file: To reload the rules file, issue the following command: -$ sudo augenrules --loadVerify the Ubuntu operating system generates an audit record upon successful/unsuccessful modifications to the "faillog" file. +$ sudo augenrules --load + + + + Verify the Ubuntu operating system generates an audit record upon successful/unsuccessful modifications to the "faillog" file. Check the currently configured audit rules with the following command: 
@@ -1643,11 +4957,30 @@ $ sudo auditctl -l | grep faillog If the command does not return a line that matches the example or the line is commented out, this is a finding. -Note: The "-k" allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above.SRG-OS-000064-GPOS-00033<GroupDescription></GroupDescription>UBTU-20-010171The Ubuntu operating system must generate audit records for the use and modification of the lastlog file.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. +Note: The "-k" allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above. + + + + + SRG-OS-000064-GPOS-00033 + <GroupDescription></GroupDescription> + + UBTU-20-010171 + The Ubuntu operating system must generate audit records for the use and modification of the lastlog file. + <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). 
-Satisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000470-GPOS-00214, SRG-OS-000473-GPOS-00218</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 20.04 LTSDISADPMS TargetCanonical Ubuntu 20.04 LTS5318CCI-000172Configure the audit system to generate an audit event for any successful/unsuccessful modifications to the "lastlog" file. +Satisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000470-GPOS-00214, SRG-OS-000473-GPOS-00218</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Canonical Ubuntu 20.04 LTS + DISA + DPMS Target + Canonical Ubuntu 20.04 LTS + 5318 + + CCI-000172 + Configure the audit system to generate an audit event for any successful/unsuccessful modifications to the "lastlog" file. Add or update the following rules in the "/etc/audit/rules.d/stig.rules" file: @@ -1655,7 +4988,11 @@ Add or update the following rules in the "/etc/audit/rules.d/stig.rules" file: To reload the rules file, issue the following command: -$ sudo augenrules --loadVerify the Ubuntu operating system generates an audit record when successful/unsuccessful modifications to the "lastlog" file occur. +$ sudo augenrules --load + + + + Verify the Ubuntu operating system generates an audit record when successful/unsuccessful modifications to the "lastlog" file occur. Check the currently configured audit rules with the following command: 
@@ -1665,9 +5002,28 @@ $ sudo auditctl -l | grep lastlog If the command does not return a line that matches the example or the line is commented out, this is a finding. -Note: The "-k" allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above.SRG-OS-000064-GPOS-00033<GroupDescription></GroupDescription>UBTU-20-010172The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the passwd command.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 20.04 LTSDISADPMS TargetCanonical Ubuntu 20.04 LTS5318CCI-000172Configure the audit system to generate an audit event for any successful/unsuccessful uses of the "passwd" command. +Note: The "-k" allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above. + + + + + SRG-OS-000064-GPOS-00033 + <GroupDescription></GroupDescription> + + UBTU-20-010172 + The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the passwd command. 
+ <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Canonical Ubuntu 20.04 LTS + DISA + DPMS Target + Canonical Ubuntu 20.04 LTS + 5318 + + CCI-000172 + Configure the audit system to generate an audit event for any successful/unsuccessful uses of the "passwd" command. Add or update the following rule in the "/etc/audit/rules.d/stig.rules" file: @@ -1675,7 +5031,11 @@ Add or update the following rule in the "/etc/audit/rules.d/stig.rules" file: To reload the rules file, issue the following command: -$ sudo augenrules --loadVerify that an audit event is generated for any successful/unsuccessful use of the "passwd" command. +$ sudo augenrules --load + + + + Verify that an audit event is generated for any successful/unsuccessful use of the "passwd" command. Check the currently configured audit rules with the following command: 
@@ -1685,9 +5045,28 @@ $ sudo auditctl -l | grep -w passwd If the command does not return a line that matches the example or the line is commented out, this is a finding. -Note: The "key" allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above.SRG-OS-000064-GPOS-00033<GroupDescription></GroupDescription>UBTU-20-010173The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the unix_update command.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 20.04 LTSDISADPMS TargetCanonical Ubuntu 20.04 LTS5318CCI-000172Configure the audit system to generate an audit event for any successful/unsuccessful uses of the "unix_update" command. +Note: The "key" allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above. + + + + + SRG-OS-000064-GPOS-00033 + <GroupDescription></GroupDescription> + + UBTU-20-010173 + The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the unix_update command. 
+ <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Canonical Ubuntu 20.04 LTS + DISA + DPMS Target + Canonical Ubuntu 20.04 LTS + 5318 + + CCI-000172 + Configure the audit system to generate an audit event for any successful/unsuccessful uses of the "unix_update" command. Add or update the following rules in the "/etc/audit/rules.d/stig.rules" file: @@ -1695,7 +5074,11 @@ Add or update the following rules in the "/etc/audit/rules.d/stig.rules" file: To reload the rules file, issue the following command: -$ sudo augenrules --loadVerify that an audit event is generated for any successful/unsuccessful use of the "unix_update" command. +$ sudo augenrules --load + + + + Verify that an audit event is generated for any successful/unsuccessful use of the "unix_update" command. Check the currently configured audit rules with the following command: 
@@ -1705,9 +5088,28 @@ $ sudo auditctl -l | grep -w unix_update If the command does not return a line that matches the example or the line is commented out, this is a finding. -Note: The "-k" allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above.SRG-OS-000064-GPOS-00033<GroupDescription></GroupDescription>UBTU-20-010174The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the gpasswd command.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 20.04 LTSDISADPMS TargetCanonical Ubuntu 20.04 LTS5318CCI-000172Configure the audit system to generate an audit event for any successful/unsuccessful uses of the "gpasswd" command. +Note: The "-k" allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above. + + + + + SRG-OS-000064-GPOS-00033 + <GroupDescription></GroupDescription> + + UBTU-20-010174 + The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the gpasswd command. 
+ <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Canonical Ubuntu 20.04 LTS + DISA + DPMS Target + Canonical Ubuntu 20.04 LTS + 5318 + + CCI-000172 + Configure the audit system to generate an audit event for any successful/unsuccessful uses of the "gpasswd" command. Add or update the following rules in the "/etc/audit/rules.d/stig.rules" file: @@ -1715,7 +5117,11 @@ Add or update the following rules in the "/etc/audit/rules.d/stig.rules" file: To reload the rules file, issue the following command: -$ sudo augenrules --loadVerify that an audit event is generated for any successful/unsuccessful use of the "gpasswd" command. +$ sudo augenrules --load + + + + Verify that an audit event is generated for any successful/unsuccessful use of the "gpasswd" command. Check the currently configured audit rules with the following command: 
@@ -1725,9 +5131,28 @@ $ sudo auditctl -l | grep -w gpasswd If the command does not return a line that matches the example or the line is commented out, this is a finding. -Note: The "-k" allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above.SRG-OS-000064-GPOS-00033<GroupDescription></GroupDescription>UBTU-20-010175The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the chage command.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 20.04 LTSDISADPMS TargetCanonical Ubuntu 20.04 LTS5318CCI-000172Configure the audit system to generate an audit event for any successful/unsuccessful uses of the "chage" command. +Note: The "-k" allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above. + + + + + SRG-OS-000064-GPOS-00033 + <GroupDescription></GroupDescription> + + UBTU-20-010175 + The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the chage command. 
+ <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Canonical Ubuntu 20.04 LTS + DISA + DPMS Target + Canonical Ubuntu 20.04 LTS + 5318 + + CCI-000172 + Configure the audit system to generate an audit event for any successful/unsuccessful uses of the "chage" command. Add or update the following rules in the "/etc/audit/rules.d/stig.rules" file: @@ -1735,7 +5160,11 @@ Add or update the following rules in the "/etc/audit/rules.d/stig.rules" file: To reload the rules file, issue the following command: -$ sudo augenrules --loadVerify that an audit event is generated for any successful/unsuccessful use of the "chage" command. +$ sudo augenrules --load + + + + Verify that an audit event is generated for any successful/unsuccessful use of the "chage" command. Check the currently configured audit rules with the following command: 
@@ -1745,9 +5174,28 @@ $ sudo auditctl -l | grep -w chage If the command does not return a line that matches the example or the line is commented out, this is a finding. -Note: The "-k" allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above.SRG-OS-000064-GPOS-00033<GroupDescription></GroupDescription>UBTU-20-010176The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the usermod command.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 20.04 LTSDISADPMS TargetCanonical Ubuntu 20.04 LTS5318CCI-000172Configure the audit system to generate an audit event for any successful/unsuccessful uses of the "usermod" command. +Note: The "-k" allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above. + + + + + SRG-OS-000064-GPOS-00033 + <GroupDescription></GroupDescription> + + UBTU-20-010176 + The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the usermod command. 
+ <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Canonical Ubuntu 20.04 LTS + DISA + DPMS Target + Canonical Ubuntu 20.04 LTS + 5318 + + CCI-000172 + Configure the audit system to generate an audit event for any successful/unsuccessful uses of the "usermod" command. Add or update the following rules in the "/etc/audit/rules.d/stig.rules" file: @@ -1755,7 +5203,11 @@ Add or update the following rules in the "/etc/audit/rules.d/stig.rules" file: To reload the rules file, issue the following command: -$ sudo augenrules --loadVerify that an audit event is generated for any successful/unsuccessful use of the "usermod" command. +$ sudo augenrules --load + + + + Verify that an audit event is generated for any successful/unsuccessful use of the "usermod" command. Check the currently configured audit rules with the following command: 
@@ -1765,9 +5217,28 @@ $ sudo auditctl -l | grep -w usermod If the command does not return a line that matches the example or the line is commented out, this is a finding. -Note: The "-k" allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above.SRG-OS-000064-GPOS-00033<GroupDescription></GroupDescription>UBTU-20-010177The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the crontab command.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 20.04 LTSDISADPMS TargetCanonical Ubuntu 20.04 LTS5318CCI-000172Configure the audit system to generate an audit event for any successful/unsuccessful uses of the "crontab" command. +Note: The "-k" allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above. + + + + + SRG-OS-000064-GPOS-00033 + <GroupDescription></GroupDescription> + + UBTU-20-010177 + The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the crontab command. 
+ <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Canonical Ubuntu 20.04 LTS + DISA + DPMS Target + Canonical Ubuntu 20.04 LTS + 5318 + + CCI-000172 + Configure the audit system to generate an audit event for any successful/unsuccessful uses of the "crontab" command. Add or update the following rules in the "/etc/audit/rules.d/stig.rules" file: @@ -1775,7 +5246,11 @@ Add or update the following rules in the "/etc/audit/rules.d/stig.rules" file: To reload the rules file, issue the following command: -$ sudo augenrules --loadVerify that an audit event is generated for any successful/unsuccessful use of the "crontab" command. +$ sudo augenrules --load + + + + Verify that an audit event is generated for any successful/unsuccessful use of the "crontab" command. Check the currently configured audit rules with the following command: 
@@ -1785,9 +5260,28 @@ $ sudo auditctl -l | grep -w crontab If the command does not return a line that matches the example or the line is commented out, this is a finding. -Note: The "-k" allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above.SRG-OS-000064-GPOS-00033<GroupDescription></GroupDescription>UBTU-20-010178The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the pam_timestamp_check command.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 20.04 LTSDISADPMS TargetCanonical Ubuntu 20.04 LTS5318CCI-000172Configure the audit system to generate an audit event for any successful/unsuccessful uses of the "pam_timestamp_check" command. +Note: The "-k" allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above. + + + + + SRG-OS-000064-GPOS-00033 + <GroupDescription></GroupDescription> + + UBTU-20-010178 + The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the pam_timestamp_check command. 
+ <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Canonical Ubuntu 20.04 LTS + DISA + DPMS Target + Canonical Ubuntu 20.04 LTS + 5318 + + CCI-000172 + Configure the audit system to generate an audit event for any successful/unsuccessful uses of the "pam_timestamp_check" command. Add or update the following rules in the "/etc/audit/rules.d/stig.rules" file: @@ -1795,7 +5289,11 @@ Add or update the following rules in the "/etc/audit/rules.d/stig.rules" file: To reload the rules file, issue the following command: -$ sudo augenrules --loadVerify that an audit event is generated for any successful/unsuccessful use of the "pam_timestamp_check" command. +$ sudo augenrules --load + + + + Verify that an audit event is generated for any successful/unsuccessful use of the "pam_timestamp_check" command. Check the currently configured audit rules with the following command: 
@@ -1805,13 +5303,32 @@ $ sudo auditctl -l | grep -w pam_timestamp_check If the command does not return a line that matches the example or the line is commented out, this is a finding. -Note: The "-k" allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above.SRG-OS-000064-GPOS-00033<GroupDescription></GroupDescription>UBTU-20-010179The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the init_module and finit_module syscalls.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. +Note: The "-k" allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above. + + + + + SRG-OS-000064-GPOS-00033 + <GroupDescription></GroupDescription> + + UBTU-20-010179 + The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the init_module and finit_module syscalls. + <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). The system call rules are loaded into a matching engine that intercepts each syscall that all programs on the system makes. Therefore, it is very important to only use syscall rules when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance is helped, though, by combining syscalls into one rule whenever possible. 
-Satisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000471-GPOS-00216</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 20.04 LTSDISADPMS TargetCanonical Ubuntu 20.04 LTS5318CCI-000172Configure the audit system to generate an audit event for any successful/unsuccessful use of the "init_module" and "finit_module" syscalls. +Satisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000471-GPOS-00216</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Canonical Ubuntu 20.04 LTS + DISA + DPMS Target + Canonical Ubuntu 20.04 LTS + 5318 + + CCI-000172 + Configure the audit system to generate an audit event for any successful/unsuccessful use of the "init_module" and "finit_module" syscalls. Add or update the following rules in the "/etc/audit/rules.d/stig.rules" file: 
@@ -1822,7 +5339,11 @@ Notes: For 32-bit architectures, only the 32-bit specific entries are required. To reload the rules file, issue the following command: -$ sudo augenrules --loadVerify the Ubuntu operating system generates an audit record for any successful/unsuccessful attempts to use the "init_module" and "finit_module" syscalls. +$ sudo augenrules --load + + + + Verify the Ubuntu operating system generates an audit record for any successful/unsuccessful attempts to use the "init_module" and "finit_module" syscalls. Check the currently configured audit rules with the following command: 
@@ -1835,11 +5356,30 @@ If the command does not return audit rules for the "init_module" and "finit_modu Notes: For 32-bit architectures, only the 32-bit specific output lines from the commands are required. -The "-k" allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above.SRG-OS-000064-GPOS-00033<GroupDescription></GroupDescription>UBTU-20-010181The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the delete_module syscall.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. +The "-k" allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above. + + + + + SRG-OS-000064-GPOS-00033 + <GroupDescription></GroupDescription> + + UBTU-20-010181 + The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the delete_module syscall. + <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). 
-Satisfies: SRG-OS-000477-GPOS-00222</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 20.04 LTSDISADPMS TargetCanonical Ubuntu 20.04 LTS5318CCI-000172Configure the audit system to generate an audit event for any successful/unsuccessful use of the "delete_module" syscall. +Satisfies: SRG-OS-000477-GPOS-00222</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Canonical Ubuntu 20.04 LTS + DISA + DPMS Target + Canonical Ubuntu 20.04 LTS + 5318 + + CCI-000172 + Configure the audit system to generate an audit event for any successful/unsuccessful use of the "delete_module" syscall. Add or update the following rules in the "/etc/audit/rules.d/stig.rules" file: @@ -1850,7 +5390,11 @@ Notes: For 32-bit architectures, only the 32-bit specific entries are required. To reload the rules file, issue the following command: -$ sudo augenrules --loadVerify the Ubuntu operating system generates an audit record for any successful/unsuccessful attempts to use the "delete_module" syscall. +$ sudo augenrules --load + + + + Verify the Ubuntu operating system generates an audit record for any successful/unsuccessful attempts to use the "delete_module" syscall. Check the currently configured audit rules with the following command: 
@@ -1863,7 +5407,17 @@ If the command does not return a line that matches the example or the line is co Notes: - For 32-bit architectures, only the 32-bit specific output lines from the commands are required. -- The "-k" allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above.SRG-OS-000122-GPOS-00063<GroupDescription></GroupDescription>UBTU-20-010182The Ubuntu operating system must produce audit records and reports containing information to establish when, where, what type, the source, and the outcome for all DoD-defined auditable events and actions in near real time.<VulnDiscussion>Without establishing the when, where, type, source, and outcome of events that occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. +- The "-k" allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above. + + + + + SRG-OS-000122-GPOS-00063 + <GroupDescription></GroupDescription> + + UBTU-20-010182 + The Ubuntu operating system must produce audit records and reports containing information to establish when, where, what type, the source, and the outcome for all DoD-defined auditable events and actions in near real time. + <VulnDiscussion>Without establishing the when, where, type, source, and outcome of events that occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. 
@@ -1875,7 +5429,34 @@ Successful incident response and auditing relies on timely, accurate system info Associating event types with detected events in the Ubuntu operating system audit logs provides a means of investigating an attack; recognizing resource utilization or capacity thresholds; or identifying an improperly configured operating system. -Satisfies: SRG-OS-000122-GPOS-00063, SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000042-GPOS-00020, SRG-OS-000042-GPOS-00021, SRG-OS-000051-GPOS-00024, SRG-OS-000054-GPOS-00025, SRG-OS-000062-GPOS-00031, SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000475-GPOS-00220</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 20.04 LTSDISADPMS TargetCanonical Ubuntu 20.04 LTS5318CCI-000130CCI-000131CCI-000132CCI-000133CCI-000134CCI-000135CCI-000154CCI-000158CCI-000169CCI-000172CCI-001875CCI-001876CCI-001877CCI-001878CCI-001879CCI-001880CCI-001881CCI-001882CCI-001914Configure the audit service to produce audit records containing the information needed to establish when (date and time) an event occurred. 
+Satisfies: SRG-OS-000122-GPOS-00063, SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000042-GPOS-00020, SRG-OS-000042-GPOS-00021, SRG-OS-000051-GPOS-00024, SRG-OS-000054-GPOS-00025, SRG-OS-000062-GPOS-00031, SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000475-GPOS-00220</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Canonical Ubuntu 20.04 LTS + DISA + DPMS Target + Canonical Ubuntu 20.04 LTS + 5318 + + CCI-000130 + CCI-000131 + CCI-000132 + CCI-000133 + CCI-000134 + CCI-000135 + CCI-000154 + CCI-000158 + CCI-000169 + CCI-000172 + CCI-001875 + CCI-001876 + CCI-001877 + CCI-001878 + CCI-001879 + CCI-001880 + CCI-001881 + CCI-001882 + CCI-001914 + Configure the audit service to produce audit records containing the information needed to establish when (date and time) an event occurred. Install the audit service (if the audit service is not already installed) with the following command: @@ -1887,7 +5468,11 @@ $ sudo systemctl enable auditd.service To reload the rules file, issue the following command: -$ sudo augenrules --loadVerify the audit service is configured to produce audit records with the following command: +$ sudo augenrules --load + + + + Verify the audit service is configured to produce audit records with the following command: $ dpkg -l | grep auditd 
@@ -1904,32 +5489,79 @@ Verify the audit service is properly running and active on the system with the f $ systemctl is-active auditd.service active -If the command above returns "inactive", this is a finding.SRG-OS-000254-GPOS-00095<GroupDescription></GroupDescription>UBTU-20-010198The Ubuntu operating system must initiate session audits at system start-up.<VulnDiscussion>If auditing is enabled late in the start-up process, the actions of some start-up processes may not be audited. Some audit systems also maintain state information only available if auditing is enabled before a given process is created.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 20.04 LTSDISADPMS TargetCanonical Ubuntu 20.04 LTS5318CCI-001464Configure the Ubuntu operating system to produce audit records at system startup. +If the command above returns "inactive", this is a finding. + + + + + SRG-OS-000254-GPOS-00095 + <GroupDescription></GroupDescription> + + UBTU-20-010198 + The Ubuntu operating system must initiate session audits at system start-up. + <VulnDiscussion>If auditing is enabled late in the start-up process, the actions of some start-up processes may not be audited. 
Some audit systems also maintain state information only available if auditing is enabled before a given process is created.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Canonical Ubuntu 20.04 LTS + DISA + DPMS Target + Canonical Ubuntu 20.04 LTS + 5318 + + CCI-001464 + Configure the Ubuntu operating system to produce audit records at system startup. Edit the "/etc/default/grub" file and add "audit=1" to the "GRUB_CMDLINE_LINUX" option. To update the grub config file, run: -$ sudo update-grubVerify that the Ubuntu operating system enables auditing at system startup. +$ sudo update-grub + + + + Verify that the Ubuntu operating system enables auditing at system startup. Verify that the auditing is enabled in grub with the following command: $ sudo grep "^\s*linux" /boot/grub/grub.cfg -linux /boot/vmlinuz-5.4.0-31-generic root=UUID=74d13bcd-6ebd-4493-b5d2-3ebc37d01702 ro audit=1 +linux /boot/vmlinuz-5.4.0-31-generic root=UUID=74d13bcd-6ebd-4493-b5d2-3ebc37d01702 ro audit=1 linux /boot/vmlinuz-5.4.0-31-generic root=UUID=74d13bcd-6ebd-4493-b5d2-3ebc37d01702 ro recovery nomodeset audit=1 -If any linux lines do not contain "audit=1", this is a finding.SRG-OS-000256-GPOS-00097<GroupDescription></GroupDescription>UBTU-20-010199The Ubuntu operating system must configure audit tools with a mode of 0755 or less permissive.<VulnDiscussion>Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit information. +If any linux lines do not contain "audit=1", this is a finding. 
+ + + + + SRG-OS-000256-GPOS-00097 + <GroupDescription></GroupDescription> + + UBTU-20-010199 + The Ubuntu operating system must configure audit tools with a mode of 0755 or less permissive. + <VulnDiscussion>Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit information. Operating systems providing tools to interface with audit information will leverage user permissions and roles identifying the user accessing the tools and the corresponding rights the user enjoys in order to make access decisions regarding the access to audit tools. Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators. -Satisfies: SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 20.04 LTSDISADPMS TargetCanonical Ubuntu 20.04 LTS5318CCI-001493CCI-001494Configure the audit tools on the Ubuntu operating system to be protected from unauthorized access by setting the correct permissive mode using the following command: +Satisfies: SRG-OS-000256-GPOS-00097, 
SRG-OS-000257-GPOS-00098</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Canonical Ubuntu 20.04 LTS + DISA + DPMS Target + Canonical Ubuntu 20.04 LTS + 5318 + + CCI-001493 + CCI-001494 + Configure the audit tools on the Ubuntu operating system to be protected from unauthorized access by setting the correct permissive mode using the following command: $ sudo chmod 0755 [audit_tool] -Replace "[audit_tool]" with the audit tool that does not have the correct permissions.Verify the Ubuntu operating system configures the audit tools to have a file permission of 0755 or less to prevent unauthorized access by running the following command: +Replace "[audit_tool]" with the audit tool that does not have the correct permissions. + + + + Verify the Ubuntu operating system configures the audit tools to have a file permission of 0755 or less to prevent unauthorized access by running the following command: $ stat -c "%n %a" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/audispd /sbin/augenrules 
@@ -1941,17 +5573,41 @@ $ stat -c "%n %a" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sb /sbin/audispd 755 /sbin/augenrules 755 -If any of the audit tools have a mode more permissive than 0755, this is a finding.SRG-OS-000256-GPOS-00097<GroupDescription></GroupDescription>UBTU-20-010200The Ubuntu operating system must configure audit tools to be owned by root.<VulnDiscussion>Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit information. +If any of the audit tools have a mode more permissive than 0755, this is a finding. + + + + + SRG-OS-000256-GPOS-00097 + <GroupDescription></GroupDescription> + + UBTU-20-010200 + The Ubuntu operating system must configure audit tools to be owned by root. + <VulnDiscussion>Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit information. Operating systems providing tools to interface with audit information will leverage user permissions and roles identifying the user accessing the tools and the corresponding rights the user enjoys in order to make access decisions regarding the access to audit tools. Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators. 
-Satisfies: SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 20.04 LTSDISADPMS TargetCanonical Ubuntu 20.04 LTS5318CCI-001493CCI-001494Configure the audit tools on the Ubuntu operating system to be protected from unauthorized access by setting the file owner as root using the following command: +Satisfies: SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Canonical Ubuntu 20.04 LTS + DISA + DPMS Target + Canonical Ubuntu 20.04 LTS + 5318 + + CCI-001493 + CCI-001494 + Configure the audit tools on the Ubuntu operating system to be protected from unauthorized access by setting the file owner as root using the following command: $ sudo chown root [audit_tool] -Replace "[audit_tool]" with each audit tool not owned by root.Verify the Ubuntu operating system configures the audit tools to be owned by root to prevent any unauthorized access. +Replace "[audit_tool]" with each audit tool not owned by root. + + + + Verify the Ubuntu operating system configures the audit tools to be owned by root to prevent any unauthorized access. Check the ownership by running the following command: 
@@ -1965,17 +5621,41 @@ $ stat -c "%n %U" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sb /sbin/audispd root /sbin/augenrules root -If any of the audit tools are not owned by root, this is a finding.SRG-OS-000256-GPOS-00097<GroupDescription></GroupDescription>UBTU-20-010201The Ubuntu operating system must configure the audit tools to be group-owned by root.<VulnDiscussion>Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit information. +If any of the audit tools are not owned by root, this is a finding. + + + + + SRG-OS-000256-GPOS-00097 + <GroupDescription></GroupDescription> + + UBTU-20-010201 + The Ubuntu operating system must configure the audit tools to be group-owned by root. + <VulnDiscussion>Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit information. Operating systems providing tools to interface with audit information will leverage user permissions and roles identifying the user accessing the tools and the corresponding rights the user enjoys in order to make access decisions regarding the access to audit tools. Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators. 
-Satisfies: SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 20.04 LTSDISADPMS TargetCanonical Ubuntu 20.04 LTS5318CCI-001493CCI-001494Configure the audit tools on the Ubuntu operating system to be protected from unauthorized access by setting the file group as root using the following command: +Satisfies: SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Canonical Ubuntu 20.04 LTS + DISA + DPMS Target + Canonical Ubuntu 20.04 LTS + 5318 + + CCI-001493 + CCI-001494 + Configure the audit tools on the Ubuntu operating system to be protected from unauthorized access by setting the file group as root using the following command: $ sudo chown :root [audit_tool] -Replace "[audit_tool]" with each audit tool not group-owned by root.Verify the Ubuntu operating system configures the audit tools to be group-owned by root to prevent any unauthorized access. +Replace "[audit_tool]" with each audit tool not group-owned by root. + + + + Verify the Ubuntu operating system configures the audit tools to be group-owned by root to prevent any unauthorized access. Check the group ownership by running the following command: 
@@ -1989,13 +5669,32 @@ $ stat -c "%n %G" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sb /sbin/audispd root /sbin/augenrules root -If any of the audit tools are not group-owned by root, this is a finding.SRG-OS-000278-GPOS-00108<GroupDescription></GroupDescription>UBTU-20-010205The Ubuntu operating system must use cryptographic mechanisms to protect the integrity of audit tools.<VulnDiscussion>Protecting the integrity of the tools used for auditing purposes is a critical step toward ensuring the integrity of audit information. Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity. +If any of the audit tools are not group-owned by root, this is a finding. + + + + + SRG-OS-000278-GPOS-00108 + <GroupDescription></GroupDescription> + + UBTU-20-010205 + The Ubuntu operating system must use cryptographic mechanisms to protect the integrity of audit tools. + <VulnDiscussion>Protecting the integrity of the tools used for auditing purposes is a critical step toward ensuring the integrity of audit information. Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity. Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators. It is not uncommon for attackers to replace the audit tools or inject code into the existing tools with the purpose of providing the capability to hide or erase system activity from the audit logs. -To address this risk, audit tools must be cryptographically signed in order to provide the capability to identify when the audit tools have been modified, manipulated, or replaced. 
An example is a checksum hash of the file or files.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 20.04 LTSDISADPMS TargetCanonical Ubuntu 20.04 LTS5318CCI-001496Add or update the following selection lines for "/etc/aide/aide.conf" to protect the integrity of the audit tools: +To address this risk, audit tools must be cryptographically signed in order to provide the capability to identify when the audit tools have been modified, manipulated, or replaced. An example is a checksum hash of the file or files.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Canonical Ubuntu 20.04 LTS + DISA + DPMS Target + Canonical Ubuntu 20.04 LTS + 5318 + + CCI-001496 + Add or update the following selection lines for "/etc/aide/aide.conf" to protect the integrity of the audit tools: # Audit Tools /sbin/auditctl p+i+n+u+g+s+b+acl+xattrs+sha512 
@@ -2004,7 +5703,11 @@ To address this risk, audit tools must be cryptographically signed in order to p /sbin/aureport p+i+n+u+g+s+b+acl+xattrs+sha512 /sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512 /sbin/audispd p+i+n+u+g+s+b+acl+xattrs+sha512 -/sbin/augenrules p+i+n+u+g+s+b+acl+xattrs+sha512Verify that Advanced Intrusion Detection Environment (AIDE) is properly configured to use cryptographic mechanisms to protect the integrity of audit tools. +/sbin/augenrules p+i+n+u+g+s+b+acl+xattrs+sha512 + + + + Verify that Advanced Intrusion Detection Environment (AIDE) is properly configured to use cryptographic mechanisms to protect the integrity of audit tools. Check the selection lines that AIDE is configured to add/check with the following command: 
@@ -2018,11 +5721,31 @@ $ egrep '(\/sbin\/(audit|au))' /etc/aide/aide.conf /sbin/audispd p+i+n+u+g+s+b+acl+xattrs+sha512 /sbin/augenrules p+i+n+u+g+s+b+acl+xattrs+sha512 -If any of the seven audit tools do not have appropriate selection lines, this is a finding.SRG-OS-000326-GPOS-00126<GroupDescription></GroupDescription>UBTU-20-010211The Ubuntu operating system must prevent all software from executing at higher privilege levels than users executing the software and the audit system must be configured to audit the execution of privileged functions.<VulnDiscussion>In certain situations, software applications/programs need to execute with elevated privileges to perform required functions. However, if the privileges required for execution are at a higher level than the privileges assigned to organizational users invoking such applications/programs, those users are indirectly provided with greater privileges than assigned by the organizations. +If any of the seven audit tools do not have appropriate selection lines, this is a finding. + + + + + SRG-OS-000326-GPOS-00126 + <GroupDescription></GroupDescription> + + UBTU-20-010211 + The Ubuntu operating system must prevent all software from executing at higher privilege levels than users executing the software and the audit system must be configured to audit the execution of privileged functions. + <VulnDiscussion>In certain situations, software applications/programs need to execute with elevated privileges to perform required functions. However, if the privileges required for execution are at a higher level than the privileges assigned to organizational users invoking such applications/programs, those users are indirectly provided with greater privileges than assigned by the organizations. Some programs and processes are required to operate at a higher privilege level and therefore should be excluded from the organization-defined software list after review. 
-Satisfies: SRG-OS-000326-GPOS-00126, SRG-OS-000327-GPOS-00127</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 20.04 LTSDISADPMS TargetCanonical Ubuntu 20.04 LTS5318CCI-002233CCI-002234Configure the Ubuntu operating system to audit the execution of all privileged functions. +Satisfies: SRG-OS-000326-GPOS-00126, SRG-OS-000327-GPOS-00127</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Canonical Ubuntu 20.04 LTS + DISA + DPMS Target + Canonical Ubuntu 20.04 LTS + 5318 + + CCI-002233 + CCI-002234 + Configure the Ubuntu operating system to audit the execution of all privileged functions. Add or update the following rules in the "/etc/audit/rules.d/stig.rules" file: @@ -2035,7 +5758,11 @@ Notes: For 32-bit architectures, only the 32-bit specific entries are required. To reload the rules file, issue the following command: -$ sudo augenrules --loadVerify the Ubuntu operating system audits the execution of privilege functions by auditing the "execve" system call. +$ sudo augenrules --load + + + + Verify the Ubuntu operating system audits the execution of privilege functions by auditing the "execve" system call. Check the currently configured audit rules with the following command: 
@@ -2050,9 +5777,28 @@ If the command does not return lines that match the example or the lines are com Notes: - For 32-bit architectures, only the 32-bit specific output lines from the commands are required. -- The "-k" allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above.SRG-OS-000341-GPOS-00132<GroupDescription></GroupDescription>UBTU-20-010215The Ubuntu operating system must allocate audit record storage capacity to store at least one weeks' worth of audit records, when audit records are not immediately sent to a central audit record storage facility.<VulnDiscussion>In order to ensure operating systems have a sufficient storage capacity in which to write the audit logs, operating systems need to be able to allocate audit record storage capacity. - -The task of allocating audit record storage capacity is usually performed during initial installation of the operating system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 20.04 LTSDISADPMS TargetCanonical Ubuntu 20.04 LTS5318CCI-001849Allocate enough storage capacity for at least one week's worth of audit records when audit records are not immediately sent to a central audit record storage facility. +- The "-k" allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above. 
+ + + + + SRG-OS-000341-GPOS-00132 + <GroupDescription></GroupDescription> + + UBTU-20-010215 + The Ubuntu operating system must allocate audit record storage capacity to store at least one weeks' worth of audit records, when audit records are not immediately sent to a central audit record storage facility. + <VulnDiscussion>In order to ensure operating systems have a sufficient storage capacity in which to write the audit logs, operating systems need to be able to allocate audit record storage capacity. + +The task of allocating audit record storage capacity is usually performed during initial installation of the operating system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Canonical Ubuntu 20.04 LTS + DISA + DPMS Target + Canonical Ubuntu 20.04 LTS + 5318 + + CCI-001849 + Allocate enough storage capacity for at least one week's worth of audit records when audit records are not immediately sent to a central audit record storage facility. If audit records are stored on a partition made specifically for audit records, use the "parted" program to resize the partition with sufficient space to contain one week's worth of audit records. 
@@ -2062,7 +5808,11 @@ Set the auditd server to point to the mount point where the audit records must b $ sudo sed -i -E 's@^(log_file\s*=\s*).*@\1 <log mountpoint>/audit.log@' /etc/audit/auditd.conf -where <log mountpoint> is the aforementioned mount point.Verify the Ubuntu operating system allocates audit record storage capacity to store at least one week's worth of audit records when audit records are not immediately sent to a central audit record storage facility. +where <log mountpoint> is the aforementioned mount point. + + + + Verify the Ubuntu operating system allocates audit record storage capacity to store at least one week's worth of audit records when audit records are not immediately sent to a central audit record storage facility. Determine which partition the audit records are being written to with the following command: 
@@ -2081,11 +5831,30 @@ $ sudo du –sh [audit_partition] Note: The partition size needed to capture a week's worth of audit records is based on the activity level of the system and the total storage capacity available. In normal circumstances, 10.0 GB of storage space for audit records will be sufficient. -If the audit record partition is not allocated for sufficient storage capacity, this is a finding.SRG-OS-000342-GPOS-00133<GroupDescription></GroupDescription>UBTU-20-010216The Ubuntu operating system audit event multiplexor must be configured to off-load audit logs onto a different system or storage media from the system being audited.<VulnDiscussion>Information stored in one location is vulnerable to accidental or incidental deletion or alteration. +If the audit record partition is not allocated for sufficient storage capacity, this is a finding. + + + + + SRG-OS-000342-GPOS-00133 + <GroupDescription></GroupDescription> + + UBTU-20-010216 + The Ubuntu operating system audit event multiplexor must be configured to off-load audit logs onto a different system or storage media from the system being audited. + <VulnDiscussion>Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity. -Satisfies: SRG-OS-000342-GPOS-00133, SRG-OS-000479-GPOS-00224</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 20.04 LTSDISADPMS TargetCanonical Ubuntu 20.04 LTS5318CCI-001851Configure the audit event multiplexor to offload audit records to a different system or storage media from the system being audited. 
+Satisfies: SRG-OS-000342-GPOS-00133, SRG-OS-000479-GPOS-00224</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Canonical Ubuntu 20.04 LTS + DISA + DPMS Target + Canonical Ubuntu 20.04 LTS + 5318 + + CCI-001851 + Configure the audit event multiplexor to offload audit records to a different system or storage media from the system being audited. Install the audisp-remote plugin: @@ -2103,7 +5872,11 @@ where <remote addr> must be substituted by the address of the remote serve Make the audit service reload its configuration files: -$ sudo systemctl restart auditd.serviceVerify the audit event multiplexor is configured to offload audit records to a different system or storage media from the system being audited. +$ sudo systemctl restart auditd.service + + + + Verify the audit event multiplexor is configured to offload audit records to a different system or storage media from the system being audited. Check that audisp-remote plugin is installed: 
@@ -2125,13 +5898,36 @@ $ sudo grep -i ^remote_server /etc/audisp/audisp-remote.conf remote_server = 192.168.122.126 -If the "remote_server" parameter is not set, is set with a local address, or is set with an invalid address, this is a finding.SRG-OS-000343-GPOS-00134<GroupDescription></GroupDescription>UBTU-20-010217The Ubuntu operating system must immediately notify the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 75% of the repository maximum audit record storage capacity.<VulnDiscussion>If security personnel are not notified immediately when storage volume reaches 75% utilization, they are unable to plan for audit record storage capacity expansion.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 20.04 LTSDISADPMS TargetCanonical Ubuntu 20.04 LTS5318CCI-001855Edit "/etc/audit/auditd.conf" and set the "space_left_action" parameter to "exec" or "email". +If the "remote_server" parameter is not set, is set with a local address, or is set with an invalid address, this is a finding. + + + + + SRG-OS-000343-GPOS-00134 + <GroupDescription></GroupDescription> + + UBTU-20-010217 + The Ubuntu operating system must immediately notify the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 75% of the repository maximum audit record storage capacity. 
+ <VulnDiscussion>If security personnel are not notified immediately when storage volume reaches 75% utilization, they are unable to plan for audit record storage capacity expansion.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Canonical Ubuntu 20.04 LTS + DISA + DPMS Target + Canonical Ubuntu 20.04 LTS + 5318 + + CCI-001855 + Edit "/etc/audit/auditd.conf" and set the "space_left_action" parameter to "exec" or "email". If the "space_left_action" parameter is set to "email", set the "action_mail_acct" parameter to an email address for the SA and ISSO. If the "space_left_action" parameter is set to "exec", ensure the command being executed notifies the SA and ISSO. -Edit "/etc/audit/auditd.conf" and set the "space_left" parameter to be at least 25% of the repository maximum audit record storage capacity.Verify the Ubuntu operating system notifies the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 75% of the repository maximum audit record storage capacity with the following command: +Edit "/etc/audit/auditd.conf" and set the "space_left" parameter to be at least 25% of the repository maximum audit record storage capacity. + + + + Verify the Ubuntu operating system notifies the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 75% of the repository maximum audit record storage capacity with the following command: $ sudo grep ^space_left_action /etc/audit/auditd.conf 
@@ -2158,16 +5954,49 @@ action_mail_acct root@localhost The "action_mail_acct" parameter, if missing, defaults to "root". If the "action_mail_acct parameter" is not set to the email address of the SA(s) and/or ISSO, this is a finding. Note: If the email address of the System Administrator - is on a remote system, a mail package must be available.SRG-OS-000359-GPOS-00146<GroupDescription></GroupDescription>UBTU-20-010230The Ubuntu operating system must record time stamps for audit records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT).<VulnDiscussion>If time stamps are not consistently applied and there is no common time reference, it is difficult to perform forensic analysis. - -Time stamps generated by the operating system include date and time. Time is commonly expressed in Coordinated Universal Time (UTC), a modern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 20.04 LTSDISADPMS TargetCanonical Ubuntu 20.04 LTS5318CCI-001890To configure the system time zone to use UTC or GMT, run the following command, replacing [ZONE] with UTC or GMT: - -$ sudo timedatectl set-timezone [ZONE]To verify the time zone is configured to use UTC or GMT, run the following command. + is on a remote system, a mail package must be available. + + + + + SRG-OS-000359-GPOS-00146 + <GroupDescription></GroupDescription> + + UBTU-20-010230 + The Ubuntu operating system must record time stamps for audit records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT). 
+ <VulnDiscussion>If time stamps are not consistently applied and there is no common time reference, it is difficult to perform forensic analysis. + +Time stamps generated by the operating system include date and time. Time is commonly expressed in Coordinated Universal Time (UTC), a modern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Canonical Ubuntu 20.04 LTS + DISA + DPMS Target + Canonical Ubuntu 20.04 LTS + 5318 + + CCI-001890 + To configure the system time zone to use UTC or GMT, run the following command, replacing [ZONE] with UTC or GMT: + +$ sudo timedatectl set-timezone [ZONE] + + + + To verify the time zone is configured to use UTC or GMT, run the following command. $ timedatectl status | grep -i "time zone" Timezone: UTC (UTC, +0000) -If "Timezone" is not set to UTC or GMT, this is a finding.SRG-OS-000392-GPOS-00172<GroupDescription></GroupDescription>UBTU-20-010244The Ubuntu operating system must generate audit records for privileged activities, nonlocal maintenance, diagnostic sessions and other system-level access.<VulnDiscussion>If events associated with nonlocal administrative access or diagnostic sessions are not logged, a major tool for assessing and investigating attacks would not be available. +If "Timezone" is not set to UTC or GMT, this is a finding. + + + + + SRG-OS-000392-GPOS-00172 + <GroupDescription></GroupDescription> + + UBTU-20-010244 + The Ubuntu operating system must generate audit records for privileged activities, nonlocal maintenance, diagnostic sessions and other system-level access. 
+ <VulnDiscussion>If events associated with nonlocal administrative access or diagnostic sessions are not logged, a major tool for assessing and investigating attacks would not be available. This requirement addresses auditing-related issues associated with maintenance tools used specifically for diagnostic and repair actions on organizational information systems. 
@@ -2175,7 +6004,17 @@ Nonlocal maintenance and diagnostic activities are those activities conducted by This requirement applies to hardware/software diagnostic test equipment or tools. This requirement does not cover hardware/software components that may support information system maintenance, yet are a part of the system, for example, the software implementing "ping," "ls," "ipconfig," or the hardware and software implementing the monitoring port of an Ethernet switch. -Satisfies: SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 20.04 LTSDISADPMS TargetCanonical Ubuntu 20.04 LTS5318CCI-000172CCI-002884Configure the Ubuntu operating system to audit activities performed during nonlocal maintenance and diagnostic sessions. +Satisfies: SRG-OS-000392-GPOS-00172, SRG-OS-000471-GPOS-00215</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Canonical Ubuntu 20.04 LTS + DISA + DPMS Target + Canonical Ubuntu 20.04 LTS + 5318 + + CCI-000172 + CCI-002884 + Configure the Ubuntu operating system to audit activities performed during nonlocal maintenance and diagnostic sessions. Add or update the following rules in the "/etc/audit/rules.d/stig.rules" file: 
@@ -2183,7 +6022,11 @@ Add or update the following rules in the "/etc/audit/rules.d/stig.rules" file: To reload the rules file, issue the following command: -$ sudo augenrules --loadVerify the Ubuntu operating system audits activities performed during nonlocal maintenance and diagnostic sessions. +$ sudo augenrules --load + + + + Verify the Ubuntu operating system audits activities performed during nonlocal maintenance and diagnostic sessions. Check the currently configured audit rules with the following command: 
@@ -2193,11 +6036,30 @@ $ sudo auditctl -l | grep sudo.log If the command does not return lines that match the example or the lines are commented out, this is a finding. -Note: The "-k" allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above.SRG-OS-000468-GPOS-00212<GroupDescription></GroupDescription>UBTU-20-010267The Ubuntu operating system must generate audit records for any successful/unsuccessful use of unlink, unlinkat, rename, renameat, and rmdir system calls.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. +Note: The "-k" allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above. + + + + + SRG-OS-000468-GPOS-00212 + <GroupDescription></GroupDescription> + + UBTU-20-010267 + The Ubuntu operating system must generate audit records for any successful/unsuccessful use of unlink, unlinkat, rename, renameat, and rmdir system calls. + <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). -The system call rules are loaded into a matching engine that intercepts each syscall that all programs on the system makes. Therefore, it is very important to only use syscall rules when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. 
The performance is helped, though, by combining syscalls into one rule whenever possible.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 20.04 LTSDISADPMS TargetCanonical Ubuntu 20.04 LTS5318CCI-000172Configure the audit system to generate audit events for any successful/unsuccessful use of "unlink", "unlinkat", "rename", "renameat", and "rmdir" system calls. +The system call rules are loaded into a matching engine that intercepts each syscall that all programs on the system makes. Therefore, it is very important to only use syscall rules when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance is helped, though, by combining syscalls into one rule whenever possible.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Canonical Ubuntu 20.04 LTS + DISA + DPMS Target + Canonical Ubuntu 20.04 LTS + 5318 + + CCI-000172 + Configure the audit system to generate audit events for any successful/unsuccessful use of "unlink", "unlinkat", "rename", "renameat", and "rmdir" system calls. Add or update the following rules in the "/etc/audit/rules.d/stig.rules" file: 
@@ -2208,7 +6070,11 @@ Notes: For 32-bit architectures, only the 32-bit specific entries are required. To reload the rules file, issue the following command: -$ sudo augenrules --loadVerify the Ubuntu operating system generates audit records for any successful/unsuccessful use of "unlink", "unlinkat", "rename", "renameat", and "rmdir" system calls. +$ sudo augenrules --load + + + + Verify the Ubuntu operating system generates audit records for any successful/unsuccessful use of "unlink", "unlinkat", "rename", "renameat", and "rmdir" system calls. Check the currently configured audit rules with the following command: 
@@ -2221,9 +6087,28 @@ If the command does not return audit rules for the "unlink", "unlinkat", "rename Notes: For 32-bit architectures, only the 32-bit specific output lines from the commands are required. -The "key" allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above.SRG-OS-000472-GPOS-00217<GroupDescription></GroupDescription>UBTU-20-010277The Ubuntu operating system must generate audit records for the /var/log/wtmp file.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 20.04 LTSDISADPMS TargetCanonical Ubuntu 20.04 LTS5318CCI-000172Configure the audit system to generate audit events showing start and stop times for user access via the "/var/log/wtmp" file. +The "key" allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above. + + + + + SRG-OS-000472-GPOS-00217 + <GroupDescription></GroupDescription> + + UBTU-20-010277 + The Ubuntu operating system must generate audit records for the /var/log/wtmp file. 
+ <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Canonical Ubuntu 20.04 LTS + DISA + DPMS Target + Canonical Ubuntu 20.04 LTS + 5318 + + CCI-000172 + Configure the audit system to generate audit events showing start and stop times for user access via the "/var/log/wtmp" file. Add or update the following rules in the "/etc/audit/rules.d/stig.rules" file: @@ -2231,7 +6116,11 @@ Add or update the following rules in the "/etc/audit/rules.d/stig.rules" file: To reload the rules file, issue the following command: -$ sudo augenrules --loadVerify the Ubuntu operating system generates audit records showing start and stop times for user access to the system via the "/var/log/wtmp" file. +$ sudo augenrules --load + + + + Verify the Ubuntu operating system generates audit records showing start and stop times for user access to the system via the "/var/log/wtmp" file. Check the currently configured audit rules with the following command: 
@@ -2241,9 +6130,28 @@ $ sudo auditctl -l | grep '/var/log/wtmp' If the command does not return a line matching the example or the line is commented out, this is a finding. -Note: The "-k" allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above.SRG-OS-000472-GPOS-00217<GroupDescription></GroupDescription>UBTU-20-010278The Ubuntu operating system must generate audit records for the /var/run/wtmp file.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 20.04 LTSDISADPMS TargetCanonical Ubuntu 20.04 LTS5318CCI-000172Configure the audit system to generate audit events showing start and stop times for user access via the "/var/run/wtmp" file. +Note: The "-k" allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above. + + + + + SRG-OS-000472-GPOS-00217 + <GroupDescription></GroupDescription> + + UBTU-20-010278 + The Ubuntu operating system must generate audit records for the /var/run/wtmp file. 
+ <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Canonical Ubuntu 20.04 LTS + DISA + DPMS Target + Canonical Ubuntu 20.04 LTS + 5318 + + CCI-000172 + Configure the audit system to generate audit events showing start and stop times for user access via the "/var/run/wtmp" file. Add or update the following rules in the "/etc/audit/rules.d/stig.rules" file: @@ -2251,7 +6159,11 @@ Add or update the following rules in the "/etc/audit/rules.d/stig.rules" file: To reload the rules file, issue the following command: -$ sudo augenrules --loadVerify the Ubuntu operating system generates audit records showing start and stop times for user access to the system via the "/var/run/wtmp" file. +$ sudo augenrules --load + + + + Verify the Ubuntu operating system generates audit records showing start and stop times for user access to the system via the "/var/run/wtmp" file. Check the currently configured audit rules with the following command: 
@@ -2261,9 +6173,28 @@ $ sudo auditctl -l | grep '/var/run/wtmp' If the command does not return a line matching the example or the line is commented out, this is a finding. -Note: The "-k" allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above.SRG-OS-000472-GPOS-00217<GroupDescription></GroupDescription>UBTU-20-010279The Ubuntu operating system must generate audit records for the /var/log/btmp file.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 20.04 LTSDISADPMS TargetCanonical Ubuntu 20.04 LTS5318CCI-000172Configure the audit system to generate audit events showing start and stop times for user access via the "/var/log/btmp file". +Note: The "-k" allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above. + + + + + SRG-OS-000472-GPOS-00217 + <GroupDescription></GroupDescription> + + UBTU-20-010279 + The Ubuntu operating system must generate audit records for the /var/log/btmp file. 
+ <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Canonical Ubuntu 20.04 LTS + DISA + DPMS Target + Canonical Ubuntu 20.04 LTS + 5318 + + CCI-000172 + Configure the audit system to generate audit events showing start and stop times for user access via the "/var/log/btmp file". Add or update the following rules in the "/etc/audit/rules.d/stig.rules" file: @@ -2271,7 +6202,11 @@ Add or update the following rules in the "/etc/audit/rules.d/stig.rules" file: To reload the rules file, issue the following command: -$ sudo augenrules --loadVerify the Ubuntu operating system generates audit records showing start and stop times for user access to the system via the "/var/log/btmp" file. +$ sudo augenrules --load + + + + Verify the Ubuntu operating system generates audit records showing start and stop times for user access to the system via the "/var/log/btmp" file. Check the currently configured audit rules with the following command: 
@@ -2281,9 +6216,28 @@ $ sudo auditctl -l | grep '/var/log/btmp' If the command does not return a line matching the example or the line is commented out, this is a finding. -Note: The "-k" allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above.SRG-OS-000477-GPOS-00222<GroupDescription></GroupDescription>UBTU-20-010296The Ubuntu operating system must generate audit records when successful/unsuccessful attempts to use modprobe command.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 20.04 LTSDISADPMS TargetCanonical Ubuntu 20.04 LTS5318CCI-000172Configure the Ubuntu operating system to audit the execution of the module management program "modprobe". +Note: The "-k" allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above. + + + + + SRG-OS-000477-GPOS-00222 + <GroupDescription></GroupDescription> + + UBTU-20-010296 + The Ubuntu operating system must generate audit records when successful/unsuccessful attempts to use modprobe command. 
+ <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Canonical Ubuntu 20.04 LTS + DISA + DPMS Target + Canonical Ubuntu 20.04 LTS + 5318 + + CCI-000172 + Configure the Ubuntu operating system to audit the execution of the module management program "modprobe". Add or update the following rule in the "/etc/audit/rules.d/stig.rules" file: @@ -2291,7 +6245,11 @@ Add or update the following rule in the "/etc/audit/rules.d/stig.rules" file: To reload the rules file, issue the following command: -$ sudo augenrules --loadVerify if the Ubuntu operating system is configured to audit the execution of the module management program "modprobe" by running the following command: +$ sudo augenrules --load + + + + Verify if the Ubuntu operating system is configured to audit the execution of the module management program "modprobe" by running the following command: $ sudo auditctl -l | grep "/sbin/modprobe" 
@@ -2299,9 +6257,28 @@ $ sudo auditctl -l | grep "/sbin/modprobe" If the command does not return a line, or the line is commented out, this is a finding. -Note: The "-k" allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above.SRG-OS-000477-GPOS-00222<GroupDescription></GroupDescription>UBTU-20-010297The Ubuntu operating system must generate audit records when successful/unsuccessful attempts to use the kmod command.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 20.04 LTSDISADPMS TargetCanonical Ubuntu 20.04 LTS5318CCI-000172Configure the Ubuntu operating system to audit the execution of the module management program "kmod". +Note: The "-k" allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above. + + + + + SRG-OS-000477-GPOS-00222 + <GroupDescription></GroupDescription> + + UBTU-20-010297 + The Ubuntu operating system must generate audit records when successful/unsuccessful attempts to use the kmod command. 
+ <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Canonical Ubuntu 20.04 LTS + DISA + DPMS Target + Canonical Ubuntu 20.04 LTS + 5318 + + CCI-000172 + Configure the Ubuntu operating system to audit the execution of the module management program "kmod". Add or update the following rule in the "/etc/audit/rules.d/stig.rules" file: @@ -2309,7 +6286,11 @@ Add or update the following rule in the "/etc/audit/rules.d/stig.rules" file: To reload the rules file, issue the following command: -$ sudo augenrules --loadVerify the Ubuntu operating system is configured to audit the execution of the module management program "kmod". +$ sudo augenrules --load + + + + Verify the Ubuntu operating system is configured to audit the execution of the module management program "kmod". Check the currently configured audit rules with the following command: 
@@ -2319,9 +6300,28 @@ $ sudo auditctl -l | grep kmod If the command does not return a line, or the line is commented out, this is a finding. -Note: The "-k" allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above.SRG-OS-000477-GPOS-00222<GroupDescription></GroupDescription>UBTU-20-010298The Ubuntu operating system must generate audit records when successful/unsuccessful attempts to use the fdisk command.<VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. - -Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 20.04 LTSDISADPMS TargetCanonical Ubuntu 20.04 LTS5318CCI-000172Configure the Ubuntu operating system to audit the execution of the partition management program "fdisk". +Note: The "-k" allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above. + + + + + SRG-OS-000477-GPOS-00222 + <GroupDescription></GroupDescription> + + UBTU-20-010298 + The Ubuntu operating system must generate audit records when successful/unsuccessful attempts to use the fdisk command. 
+ <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. + +Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Canonical Ubuntu 20.04 LTS + DISA + DPMS Target + Canonical Ubuntu 20.04 LTS + 5318 + + CCI-000172 + Configure the Ubuntu operating system to audit the execution of the partition management program "fdisk". Add or update the following rule in the "/etc/audit/rules.d/stig.rules" file: @@ -2329,7 +6329,11 @@ Add or update the following rule in the "/etc/audit/rules.d/stig.rules" file: To reload the rules file, issue the following command: -$ sudo augenrules --loadVerify the Ubuntu operating system is configured to audit the execution of the partition management program "fdisk". +$ sudo augenrules --load + + + + Verify the Ubuntu operating system is configured to audit the execution of the partition management program "fdisk". Check the currently configured audit rules with the following command: 
@@ -2339,11 +6343,34 @@ $ sudo auditctl -l | grep fdisk If the command does not return a line, or the line is commented out, this is a finding. -Note: The "-k" allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above.SRG-OS-000479-GPOS-00224<GroupDescription></GroupDescription>UBTU-20-010300The Ubuntu operating system must have a crontab script running weekly to offload audit events of standalone systems.<VulnDiscussion>Information stored in one location is vulnerable to accidental or incidental deletion or alteration. - -Offloading is a common process in information systems with limited audit storage capacity.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 20.04 LTSDISADPMS TargetCanonical Ubuntu 20.04 LTS5318CCI-001851Create a script that offloads audit logs to external media and runs weekly. - -The script must be located in the "/etc/cron.weekly" directory.Note: If this is an interconnected system, this is Not Applicable. +Note: The "-k" allows for specifying an arbitrary identifier, and the string after it does not need to match the example output above. + + + + + SRG-OS-000479-GPOS-00224 + <GroupDescription></GroupDescription> + + UBTU-20-010300 + The Ubuntu operating system must have a crontab script running weekly to offload audit events of standalone systems. + <VulnDiscussion>Information stored in one location is vulnerable to accidental or incidental deletion or alteration. 
+ +Offloading is a common process in information systems with limited audit storage capacity.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Canonical Ubuntu 20.04 LTS + DISA + DPMS Target + Canonical Ubuntu 20.04 LTS + 5318 + + CCI-001851 + Create a script that offloads audit logs to external media and runs weekly. + +The script must be located in the "/etc/cron.weekly" directory. + + + + Note: If this is an interconnected system, this is Not Applicable. Verify there is a script that offloads audit data and that script runs weekly. 
@@ -2355,13 +6382,36 @@ audit-offload Check if the script inside the file does offloading of audit logs to external media. -If the script file does not exist or does not offload audit logs, this is a finding.SRG-OS-000027-GPOS-00008<GroupDescription></GroupDescription>UBTU-20-010400The Ubuntu operating system must limit the number of concurrent sessions to ten for all accounts and/or account types.<VulnDiscussion>The Ubuntu operating system management includes the ability to control the number of users and user sessions that utilize an operating system. Limiting the number of allowed users and sessions per user is helpful in reducing the risks related to DoS attacks. - -This requirement addresses concurrent sessions for information system accounts and does not address concurrent sessions by single users via multiple system accounts. The maximum number of concurrent sessions should be defined based upon mission needs and the operational environment for each system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 20.04 LTSDISADPMS TargetCanonical Ubuntu 20.04 LTS5318CCI-000054Configure the Ubuntu operating system to limit the number of concurrent sessions to 10 for all accounts and/or account types. +If the script file does not exist or does not offload audit logs, this is a finding. + + + + + SRG-OS-000027-GPOS-00008 + <GroupDescription></GroupDescription> + + UBTU-20-010400 + The Ubuntu operating system must limit the number of concurrent sessions to ten for all accounts and/or account types. 
+ <VulnDiscussion>The Ubuntu operating system management includes the ability to control the number of users and user sessions that utilize an operating system. Limiting the number of allowed users and sessions per user is helpful in reducing the risks related to DoS attacks. + +This requirement addresses concurrent sessions for information system accounts and does not address concurrent sessions by single users via multiple system accounts. The maximum number of concurrent sessions should be defined based upon mission needs and the operational environment for each system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Canonical Ubuntu 20.04 LTS + DISA + DPMS Target + Canonical Ubuntu 20.04 LTS + 5318 + + CCI-000054 + Configure the Ubuntu operating system to limit the number of concurrent sessions to 10 for all accounts and/or account types. Add the following line to the top of the "/etc/security/limits.conf" file: -* hard maxlogins 10Verify the Ubuntu operating system limits the number of concurrent sessions to 10 for all accounts and/or account types by running the following command: +* hard maxlogins 10 + + + + Verify the Ubuntu operating system limits the number of concurrent sessions to 10 for all accounts and/or account types by running the following command: $ grep maxlogins /etc/security/limits.conf | grep -v '^* hard maxlogins' 
@@ -2369,18 +6419,41 @@ The result must contain the following line: * hard maxlogins 10 -If the "maxlogins" item is missing or the value is not set to 10 or less or is commented out, this is a finding.SRG-OS-000032-GPOS-00013<GroupDescription></GroupDescription>UBTU-20-010403The Ubuntu operating system must monitor remote access methods.<VulnDiscussion>Remote access services, such as those providing remote access to network devices and information systems, which lack automated monitoring capabilities, increase risk and make remote user access management difficult at best. +If the "maxlogins" item is missing or the value is not set to 10 or less or is commented out, this is a finding. + + + + + SRG-OS-000032-GPOS-00013 + <GroupDescription></GroupDescription> + + UBTU-20-010403 + The Ubuntu operating system must monitor remote access methods. + <VulnDiscussion>Remote access services, such as those providing remote access to network devices and information systems, which lack automated monitoring capabilities, increase risk and make remote user access management difficult at best. Remote access is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. 
-Automated monitoring of remote access sessions allows organizations to detect cyber attacks and also ensure ongoing compliance with remote access policies by auditing connection activities of remote access capabilities, such as Remote Desktop Protocol (RDP), on a variety of information system components (e.g., servers, workstations, notebook computers, smartphones, and tablets).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 20.04 LTSDISADPMS TargetCanonical Ubuntu 20.04 LTS5318CCI-000067Configure the Ubuntu operating system to monitor all remote access methods by adding the following lines to the "/etc/rsyslog.d/50-default.conf" file: +Automated monitoring of remote access sessions allows organizations to detect cyber attacks and also ensure ongoing compliance with remote access policies by auditing connection activities of remote access capabilities, such as Remote Desktop Protocol (RDP), on a variety of information system components (e.g., servers, workstations, notebook computers, smartphones, and tablets).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Canonical Ubuntu 20.04 LTS + DISA + DPMS Target + Canonical Ubuntu 20.04 LTS + 5318 + + CCI-000067 + Configure the Ubuntu operating system to monitor all remote access methods by adding the following lines to the 
"/etc/rsyslog.d/50-default.conf" file: auth.*,authpriv.* /var/log/secure daemon.* /var/log/messages For the changes to take effect, restart the "rsyslog" service with the following command: -$ sudo systemctl restart rsyslog.serviceVerify that the Ubuntu operating system monitors all remote access methods. +$ sudo systemctl restart rsyslog.service + + + + Verify that the Ubuntu operating system monitors all remote access methods. Check that remote access methods are being logged by running the following command: 
@@ -2388,11 +6461,34 @@ $ grep -E -r '^(auth,authpriv\.\*|daemon\.\*)' /etc/rsyslog.* /etc/rsyslog.d/50-default.conf:auth,authpriv.* /var/log/auth.log /etc/rsyslog.d/50-default.conf:daemon.* /var/log/messages -If "auth.*", "authpriv.*", or "daemon.*" are not configured to be logged in at least one of the config files, this is a finding.SRG-OS-000120-GPOS-00061<GroupDescription></GroupDescription>UBTU-20-010404The Ubuntu operating system must encrypt all stored passwords with a FIPS 140-2 approved cryptographic hashing algorithm.<VulnDiscussion>Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 20.04 LTSDISADPMS TargetCanonical Ubuntu 20.04 LTS5318CCI-000803Configure the Ubuntu operating system to encrypt all stored passwords. +If "auth.*", "authpriv.*", or "daemon.*" are not configured to be logged in at least one of the config files, this is a finding. + + + + + SRG-OS-000120-GPOS-00061 + <GroupDescription></GroupDescription> + + UBTU-20-010404 + The Ubuntu operating system must encrypt all stored passwords with a FIPS 140-2 approved cryptographic hashing algorithm. + <VulnDiscussion>Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. 
If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Canonical Ubuntu 20.04 LTS + DISA + DPMS Target + Canonical Ubuntu 20.04 LTS + 5318 + + CCI-000803 + Configure the Ubuntu operating system to encrypt all stored passwords. Edit/modify the following line in the "/etc/login.defs" file and set "ENCRYPT_METHOD" to SHA512: -ENCRYPT_METHOD SHA512Verify that the shadow password suite configuration is set to encrypt passwords with a FIPS 140-2 approved cryptographic hashing algorithm. +ENCRYPT_METHOD SHA512 + + + + Verify that the shadow password suite configuration is set to encrypt passwords with a FIPS 140-2 approved cryptographic hashing algorithm. Check the hashing algorithm that is being used to hash passwords with the following command: 
@@ -2400,27 +6496,92 @@ $ cat /etc/login.defs | grep -i encrypt_method ENCRYPT_METHOD SHA512 -If "ENCRYPT_METHOD" does not equal SHA512 or greater, this is a finding.SRG-OS-000074-GPOS-00042<GroupDescription></GroupDescription>UBTU-20-010405The Ubuntu operating system must not have the telnet package installed.<VulnDiscussion>Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 20.04 LTSDISADPMS TargetCanonical Ubuntu 20.04 LTS5318CCI-000197Remove the telnet package from the Ubuntu operating system by running the following command: - -$ sudo apt-get remove telnetdVerify that the telnet package is not installed on the Ubuntu operating system by running the following command: +If "ENCRYPT_METHOD" does not equal SHA512 or greater, this is a finding. + + + + + SRG-OS-000074-GPOS-00042 + <GroupDescription></GroupDescription> + + UBTU-20-010405 + The Ubuntu operating system must not have the telnet package installed. + <VulnDiscussion>Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. 
If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Canonical Ubuntu 20.04 LTS + DISA + DPMS Target + Canonical Ubuntu 20.04 LTS + 5318 + + CCI-000197 + Remove the telnet package from the Ubuntu operating system by running the following command: + +$ sudo apt-get remove telnetd + + + + Verify that the telnet package is not installed on the Ubuntu operating system by running the following command: $ dpkg -l | grep telnetd -If the package is installed, this is a finding.SRG-OS-000095-GPOS-00049<GroupDescription></GroupDescription>UBTU-20-010406The Ubuntu operating system must not have the rsh-server package installed.<VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. +If the package is installed, this is a finding. + + + + + SRG-OS-000095-GPOS-00049 + <GroupDescription></GroupDescription> + + UBTU-20-010406 + The Ubuntu operating system must not have the rsh-server package installed. + <VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. 
Operating systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). -Examples of non-essential capabilities include, but are not limited to, games, software packages, tools, and demonstration software, not related to requirements or providing a wide array of functionality not required for every mission, but which cannot be disabled.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 20.04 LTSDISADPMS TargetCanonical Ubuntu 20.04 LTS5318CCI-000381Configure the Ubuntu operating system to disable non-essential capabilities by removing the rsh-server package from the system with the following command: - -$ sudo apt-get remove rsh-serverVerify the rsh-server package is installed with the following command: +Examples of non-essential capabilities include, but are not limited to, games, software packages, tools, and demonstration software, not related to requirements or providing a wide array of functionality not required for every mission, but which cannot be disabled.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Canonical Ubuntu 20.04 LTS + DISA + DPMS Target + Canonical Ubuntu 20.04 LTS + 5318 + + CCI-000381 + Configure the Ubuntu 
operating system to disable non-essential capabilities by removing the rsh-server package from the system with the following command: + +$ sudo apt-get remove rsh-server + + + + Verify the rsh-server package is installed with the following command: $ dpkg -l | grep rsh-server -If the rsh-server package is installed, this is a finding.SRG-OS-000096-GPOS-00050<GroupDescription></GroupDescription>UBTU-20-010407The Ubuntu operating system must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.<VulnDiscussion>In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable or restrict unused or unnecessary physical and logical ports/protocols on information systems. +If the rsh-server package is installed, this is a finding. + + + + + SRG-OS-000096-GPOS-00050 + <GroupDescription></GroupDescription> + + UBTU-20-010407 + The Ubuntu operating system must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments. + <VulnDiscussion>In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable or restrict unused or unnecessary physical and logical ports/protocols on information systems. Operating systems are capable of providing a wide variety of functions and services. Some of the functions and services provided by default may not be necessary to support essential organizational operations. Additionally, it is sometimes convenient to provide multiple services from a single component (e.g., VPN and IPS); however, doing so increases risk over limiting the services provided by any one component. 
-To support the requirements and principles of least functionality, the operating system must support the organizational requirements, providing only essential capabilities and limiting the use of ports, protocols, and/or services to only those required, authorized, and approved to conduct official business or to address authorized quality of life issues.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 20.04 LTSDISADPMS TargetCanonical Ubuntu 20.04 LTS5318CCI-000382Add all ports, protocols, or services allowed by the PPSM CLSA by using the following command: +To support the requirements and principles of least functionality, the operating system must support the organizational requirements, providing only essential capabilities and limiting the use of ports, protocols, and/or services to only those required, authorized, and approved to conduct official business or to address authorized quality of life issues.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Canonical Ubuntu 20.04 LTS + DISA + DPMS Target + Canonical Ubuntu 20.04 LTS + 5318 + + CCI-000382 + Add all ports, protocols, or services allowed by the PPSM CLSA by using the following command: $ sudo ufw allow <direction> <port/protocol/service> 
@@ -2428,7 +6589,11 @@ where the direction is "in" or "out" and the port is the one corresponding to th To deny access to ports, protocols, or services, use: -$ sudo ufw deny <direction> <port/protocol/service>Verify the Ubuntu operating system is configured to prohibit or restrict the use of functions, ports, protocols, and/or services as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments. +$ sudo ufw deny <direction> <port/protocol/service> + + + + Verify the Ubuntu operating system is configured to prohibit or restrict the use of functions, ports, protocols, and/or services as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments. Check the firewall configuration for any unnecessary or prohibited functions, ports, protocols, and/or services by running the following command: 
@@ -2450,7 +6615,17 @@ Ask the System Administrator If there are any additional ports, protocols, or services that are not included in the PPSM CLSA, this is a finding. -If there are any ports, protocols, or services that are prohibited by the PPSM CAL, this is a finding.SRG-OS-000109-GPOS-00056<GroupDescription></GroupDescription>UBTU-20-010408The Ubuntu operating system must prevent direct login into the root account.<VulnDiscussion>To assure individual accountability and prevent unauthorized access, organizational users must be individually identified and authenticated. +If there are any ports, protocols, or services that are prohibited by the PPSM CAL, this is a finding. + + + + + SRG-OS-000109-GPOS-00056 + <GroupDescription></GroupDescription> + + UBTU-20-010408 + The Ubuntu operating system must prevent direct login into the root account. + <VulnDiscussion>To assure individual accountability and prevent unauthorized access, organizational users must be individually identified and authenticated. A group authenticator is a generic account used by multiple individuals. Use of a group authenticator alone does not uniquely identify individual users. Examples of the group authenticator is the UNIX OS "root" user account, the Windows "Administrator" account, the "sa" account, or a "helpdesk" account. 
@@ -2458,34 +6633,91 @@ For example, the UNIX and Windows operating systems offer a 'switch user' capabi Users (and any processes acting on behalf of users) need to be uniquely identified and authenticated for all accesses other than those accesses explicitly identified and documented by the organization, which outlines specific user actions that can be performed on the operating system without identification or authentication. -Requiring individuals to be authenticated with an individual authenticator prior to using a group authenticator allows for traceability of actions, as well as adding an additional level of protection of the actions that can be taken with group account knowledge.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 20.04 LTSDISADPMS TargetCanonical Ubuntu 20.04 LTS5318CCI-000770Configure the Ubuntu operating system to prevent direct logins to the root account by performing the following operations: - -$ sudo passwd -l rootVerify the Ubuntu operating system prevents direct logins to the root account with the following command: +Requiring individuals to be authenticated with an individual authenticator prior to using a group authenticator allows for traceability of actions, as well as adding an additional level of protection of the actions that can be taken with group account 
knowledge.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Canonical Ubuntu 20.04 LTS + DISA + DPMS Target + Canonical Ubuntu 20.04 LTS + 5318 + + CCI-000770 + Configure the Ubuntu operating system to prevent direct logins to the root account by performing the following operations: + +$ sudo passwd -l root + + + + Verify the Ubuntu operating system prevents direct logins to the root account with the following command: $ sudo passwd -S root root L 04/23/2020 0 99999 7 -1 -If the output does not contain "L" in the second field to indicate the account is locked, this is a finding.SRG-OS-000118-GPOS-00060<GroupDescription></GroupDescription>UBTU-20-010409The Ubuntu operating system must disable account identifiers (individuals, groups, roles, and devices) after 35 days of inactivity.<VulnDiscussion>Inactive identifiers pose a risk to systems and applications because attackers may exploit an inactive identifier and potentially obtain undetected access to the system. Owners of inactive accounts will not notice if unauthorized access to their user account has been obtained. 
- -Operating systems need to track periods of inactivity and disable application identifiers after 35 days of inactivity.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 20.04 LTSDISADPMS TargetCanonical Ubuntu 20.04 LTS5318CCI-000795Configure the Ubuntu operating system to disable account identifiers after 35 days of inactivity after the password expiration. +If the output does not contain "L" in the second field to indicate the account is locked, this is a finding. + + + + + SRG-OS-000118-GPOS-00060 + <GroupDescription></GroupDescription> + + UBTU-20-010409 + The Ubuntu operating system must disable account identifiers (individuals, groups, roles, and devices) after 35 days of inactivity. + <VulnDiscussion>Inactive identifiers pose a risk to systems and applications because attackers may exploit an inactive identifier and potentially obtain undetected access to the system. Owners of inactive accounts will not notice if unauthorized access to their user account has been obtained. 
+ +Operating systems need to track periods of inactivity and disable application identifiers after 35 days of inactivity.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Canonical Ubuntu 20.04 LTS + DISA + DPMS Target + Canonical Ubuntu 20.04 LTS + 5318 + + CCI-000795 + Configure the Ubuntu operating system to disable account identifiers after 35 days of inactivity after the password expiration. Run the following command to change the configuration for adduser: $ sudo useradd -D -f 35 -Note: DoD recommendation is 35 days, but a lower value is acceptable. The value "0" will disable the account immediately after the password expires.Verify the account identifiers (individuals, groups, roles, and devices) are disabled after 35 days of inactivity with the following command: +Note: DoD recommendation is 35 days, but a lower value is acceptable. The value "0" will disable the account immediately after the password expires. 
+ + + + Verify the account identifiers (individuals, groups, roles, and devices) are disabled after 35 days of inactivity with the following command: Check the account inactivity value by performing the following command: -$ sudo grep INACTIVE /etc/default/useradd - -INACTIVE=35 - -If "INACTIVE" is not set to a value 0<[VALUE]<=35, or is commented out, this is a finding.SRG-OS-000123-GPOS-00064<GroupDescription></GroupDescription>UBTU-20-010410The Ubuntu operating system must automatically remove or disable emergency accounts after 72 hours.<VulnDiscussion>Emergency accounts are different from infrequently used accounts (i.e., local logon accounts used by the organization's System Administrator -s when network or normal logon/access is not available). Infrequently used accounts are not subject to automatic termination dates. Emergency accounts are accounts created in response to crisis situations, usually for use by maintenance personnel. The automatic expiration or disabling time period may be extended as needed until the crisis is resolved; however, it must not be extended indefinitely. A permanent account should be established for privileged users who need long-term maintenance accounts.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 20.04 LTSDISADPMS TargetCanonical Ubuntu 20.04 LTS5318CCI-001682If an emergency account must be created, configure the system to terminate the account after a 72-hour time period with the following command to set an expiration date on it. Substitute "account_name" with the account to be created. 
- -$ sudo chage -E $(date -d "+3 days" +%F) account_nameVerify the Ubuntu operating system expires emergency accounts within 72 hours or less. +$ sudo grep INACTIVE /etc/default/useradd INACTIVE=35 + +If "INACTIVE" is not set to a value 0<[VALUE]<=35, or is commented out, this is a finding. + + + + + SRG-OS-000123-GPOS-00064 + <GroupDescription></GroupDescription> + + UBTU-20-010410 + The Ubuntu operating system must automatically remove or disable emergency accounts after 72 hours. + <VulnDiscussion>Emergency accounts are different from infrequently used accounts (i.e., local logon accounts used by the organization's System Administrator +s when network or normal logon/access is not available). Infrequently used accounts are not subject to automatic termination dates. Emergency accounts are accounts created in response to crisis situations, usually for use by maintenance personnel. The automatic expiration or disabling time period may be extended as needed until the crisis is resolved; however, it must not be extended indefinitely. A permanent account should be established for privileged users who need long-term maintenance accounts.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Canonical Ubuntu 20.04 LTS + DISA + DPMS Target + Canonical Ubuntu 20.04 LTS + 5318 + + CCI-001682 + If an emergency account must be created, configure the system to terminate the account after a 72-hour time period with the following command to set an expiration date on it. Substitute "account_name" with the account to be created. 
+ +$ sudo chage -E $(date -d "+3 days" +%F) account_name + + + + Verify the Ubuntu operating system expires emergency accounts within 72 hours or less. For every emergency account, run the following command to obtain its account expiration information: 
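Review bot: In the UBTU-20-010409 check text the new side runs the command and its expected output together as `$ sudo grep INACTIVE /etc/default/useradd INACTIVE=35`, whereas the removed lines kept them on separate lines with a blank line between; if this is not a rendering artifact of the diff, an assessor copying the line as written passes `INACTIVE=35` to grep as a second file name and gets an error instead of the expected match. The command line should be restored to `$ sudo grep INACTIVE /etc/default/useradd` with `INACTIVE=35` on its own line, matching how every other check in this file separates command from expected output. The same hunk also carries over the pre-existing mid-word break in the UBTU-20-010410 discussion (`System Administrator` / `s when network ...`), which could be joined while this text is being reflowed. The enclosing Group element continues past the hunk.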
@@ -2496,29 +6728,75 @@ Account expires : Aug 07, 2019 Verify each of these accounts has an expiration date set within 72 hours of account creation. -If any of these accounts do not expire within 72 hours of that account's creation, this is a finding.SRG-OS-000138-GPOS-00069<GroupDescription></GroupDescription>UBTU-20-010411The Ubuntu operating system must set a sticky bit on all public directories to prevent unauthorized and unintended information transferred via shared system resources.<VulnDiscussion>Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the actions of prior users/roles (or the actions of processes acting on behalf of prior users/roles) from being available to any current users/roles (or current processes) that obtain access to shared system resources (e.g., registers, main memory, hard disks) after those resources have been released back to information systems. The control of information in shared resources is also commonly referred to as object reuse and residual information protection. +If any of these accounts do not expire within 72 hours of that account's creation, this is a finding. + + + + + SRG-OS-000138-GPOS-00069 + <GroupDescription></GroupDescription> + + UBTU-20-010411 + The Ubuntu operating system must set a sticky bit on all public directories to prevent unauthorized and unintended information transferred via shared system resources. + <VulnDiscussion>Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the actions of prior users/roles (or the actions of processes acting on behalf of prior users/roles) from being available to any current users/roles (or current processes) that obtain access to shared system resources (e.g., registers, main memory, hard disks) after those resources have been released back to information systems. 
The control of information in shared resources is also commonly referred to as object reuse and residual information protection. This requirement generally applies to the design of an information technology product, but it can also apply to the configuration of particular information system components that are, or use, such products. This can be verified by acceptance/validation processes in DoD or other government agencies. -There may be shared resources with configurable protections (e.g., files in storage) that may be assessed on specific information system components.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 20.04 LTSDISADPMS TargetCanonical Ubuntu 20.04 LTS5318CCI-001090Configure all public directories to have the sticky bit set to prevent unauthorized and unintended information transferred via shared system resources. +There may be shared resources with configurable protections (e.g., files in storage) that may be assessed on specific information system components.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Canonical Ubuntu 20.04 LTS + DISA + DPMS Target + Canonical Ubuntu 20.04 LTS + 5318 + + CCI-001090 + Configure all public directories to have the sticky bit set to prevent unauthorized and unintended information transferred via shared system resources. 
Set the sticky bit on all public directories using the following command, replacing "[Public Directory]" with any directory path missing the sticky bit: -$ sudo chmod +t [Public Directory]Verify that all public (world-writeable) directories have the public sticky bit set. +$ sudo chmod +t [Public Directory] + + + + Verify that all public (world-writeable) directories have the public sticky bit set. Find world-writable directories that lack the sticky bit by running the following command: $ sudo find / -type d -perm -002 ! -perm -1000 -If any world-writable directories are found missing the sticky bit, this is a finding.SRG-OS-000142-GPOS-00071<GroupDescription></GroupDescription>UBTU-20-010412The Ubuntu operating system must be configured to use TCP syncookies.<VulnDiscussion>DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. - -Managing excess capacity ensures that sufficient capacity is available to counter flooding attacks. Employing increased capacity and service redundancy may reduce the susceptibility to some DoS attacks. Managing excess capacity may include, for example, establishing selected usage priorities, quotas, or partitioning.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 20.04 LTSDISADPMS TargetCanonical Ubuntu 20.04 LTS5318CCI-001095Configure the Ubuntu operating system to use TCP syncookies by running the following command: +If any world-writable directories are found missing the sticky bit, this is a finding. 
+ + + + + SRG-OS-000142-GPOS-00071 + <GroupDescription></GroupDescription> + + UBTU-20-010412 + The Ubuntu operating system must be configured to use TCP syncookies. + <VulnDiscussion>DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. + +Managing excess capacity ensures that sufficient capacity is available to counter flooding attacks. Employing increased capacity and service redundancy may reduce the susceptibility to some DoS attacks. Managing excess capacity may include, for example, establishing selected usage priorities, quotas, or partitioning.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Canonical Ubuntu 20.04 LTS + DISA + DPMS Target + Canonical Ubuntu 20.04 LTS + 5318 + + CCI-001095 + Configure the Ubuntu operating system to use TCP syncookies by running the following command: $ sudo sysctl -w net.ipv4.tcp_syncookies=1 If "1" is not the system's default value, add or update the following line in "/etc/sysctl.conf": -net.ipv4.tcp_syncookies = 1Verify the Ubuntu operating system is configured to use TCP syncookies. +net.ipv4.tcp_syncookies = 1 + + + + Verify the Ubuntu operating system is configured to use TCP syncookies. Check the value of TCP syncookies with the following command: 
@@ -2531,11 +6809,34 @@ Check the saved value of TCP syncookies with the following command: $ sudo grep -i net.ipv4.tcp_syncookies /etc/sysctl.conf /etc/sysctl.d/* | grep -v '#' -If no output is returned, this is a finding.SRG-OS-000184-GPOS-00078<GroupDescription></GroupDescription>UBTU-20-010413The Ubuntu operating system must disable kernel core dumps so that it can fail to a secure state if system initialization fails, shutdown fails or aborts fail.<VulnDiscussion>Kernel core dumps may contain the full contents of system memory at the time of the crash. Kernel core dumps may consume a considerable amount of disk space and may result in denial of service by exhausting the available space on the target file system partition.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 20.04 LTSDISADPMS TargetCanonical Ubuntu 20.04 LTS5318CCI-001190If kernel core dumps are not required, disable the "kdump" service with the following command: +If no output is returned, this is a finding. + + + + + SRG-OS-000184-GPOS-00078 + <GroupDescription></GroupDescription> + + UBTU-20-010413 + The Ubuntu operating system must disable kernel core dumps so that it can fail to a secure state if system initialization fails, shutdown fails or aborts fail. + <VulnDiscussion>Kernel core dumps may contain the full contents of system memory at the time of the crash. 
Kernel core dumps may consume a considerable amount of disk space and may result in denial of service by exhausting the available space on the target file system partition.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Canonical Ubuntu 20.04 LTS + DISA + DPMS Target + Canonical Ubuntu 20.04 LTS + 5318 + + CCI-001190 + If kernel core dumps are not required, disable the "kdump" service with the following command: $ sudo systemctl disable kdump.service -If kernel core dumps are required, document the need with the ISSO.Verify that kernel core dumps are disabled unless needed. +If kernel core dumps are required, document the need with the ISSO. + + + + Verify that kernel core dumps are disabled unless needed. Check if "kdump" service is active with the following command: 
@@ -2544,11 +6845,34 @@ inactive If the "kdump" service is active, ask the SA if the use of the service is required and documented with the ISSO. -If the service is active and is not documented, this is a finding.SRG-OS-000185-GPOS-00079<GroupDescription></GroupDescription>UBTU-20-010414Ubuntu operating systems handling data requiring "data at rest" protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest.<VulnDiscussion>Information at rest refers to the state of information when it is located on a secondary storage device (e.g., disk drive and tape drive, when used for backups) within an operating system. - -This requirement addresses protection of user-generated data, as well as operating system-specific configuration data. Organizations may choose to employ different mechanisms to achieve confidentiality and integrity protections, as appropriate, in accordance with the security category and/or classification of the information.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 20.04 LTSDISADPMS TargetCanonical Ubuntu 20.04 LTS5318CCI-001199To encrypt an entire partition, dedicate a partition for encryption in the partition layout. - -Note: Encrypting a partition in an already-installed system is more difficult because it will need to be resized and existing partitions changed.If there is a documented and approved reason for not having data-at-rest encryption, this requirement is Not Applicable. +If the service is active and is not documented, this is a finding. 
+ + + + + SRG-OS-000185-GPOS-00079 + <GroupDescription></GroupDescription> + + UBTU-20-010414 + Ubuntu operating systems handling data requiring "data at rest" protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest. + <VulnDiscussion>Information at rest refers to the state of information when it is located on a secondary storage device (e.g., disk drive and tape drive, when used for backups) within an operating system. + +This requirement addresses protection of user-generated data, as well as operating system-specific configuration data. Organizations may choose to employ different mechanisms to achieve confidentiality and integrity protections, as appropriate, in accordance with the security category and/or classification of the information.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Canonical Ubuntu 20.04 LTS + DISA + DPMS Target + Canonical Ubuntu 20.04 LTS + 5318 + + CCI-001199 + To encrypt an entire partition, dedicate a partition for encryption in the partition layout. + +Note: Encrypting a partition in an already-installed system is more difficult because it will need to be resized and existing partitions changed. + + + + If there is a documented and approved reason for not having data-at-rest encryption, this requirement is Not Applicable. Verify the Ubuntu operating system prevents unauthorized disclosure or modification of all information requiring at-rest protection by using disk encryption. 
@@ -2575,13 +6899,36 @@ Verify the system partitions are all encrypted with the following command: Every persistent disk partition present must have an entry in the file. -If any partitions other than the boot partition or pseudo file systems (such as /proc or /sys) are not listed, this is a finding.SRG-OS-000191-GPOS-00080<GroupDescription></GroupDescription>UBTU-20-010415The Ubuntu operating system must deploy Endpoint Security for Linux Threat Prevention (ENSLTP).<VulnDiscussion>Without the use of automated mechanisms to scan for security flaws on a continuous and/or periodic basis, the operating system or other system components may remain vulnerable to the exploits presented by undetected software flaws. - -To support this requirement, the operating system may have an integrated solution incorporating continuous scanning using HBSS and periodic scanning using other tools, as specified in the requirement.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 20.04 LTSDISADPMS TargetCanonical Ubuntu 20.04 LTS5318CCI-001233The Ubuntu operating system is not compliant with this requirement; however, the severity level can be mitigated to a CAT III if the ENSLTP module is installed and running. +If any partitions other than the boot partition or pseudo file systems (such as /proc or /sys) are not listed, this is a finding. + + + + + SRG-OS-000191-GPOS-00080 + <GroupDescription></GroupDescription> + + UBTU-20-010415 + The Ubuntu operating system must deploy Endpoint Security for Linux Threat Prevention (ENSLTP). 
+ <VulnDiscussion>Without the use of automated mechanisms to scan for security flaws on a continuous and/or periodic basis, the operating system or other system components may remain vulnerable to the exploits presented by undetected software flaws. + +To support this requirement, the operating system may have an integrated solution incorporating continuous scanning using HBSS and periodic scanning using other tools, as specified in the requirement.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Canonical Ubuntu 20.04 LTS + DISA + DPMS Target + Canonical Ubuntu 20.04 LTS + 5318 + + CCI-001233 + The Ubuntu operating system is not compliant with this requirement; however, the severity level can be mitigated to a CAT III if the ENSLTP module is installed and running. Configure the Ubuntu operating system to use ENSLTP. -Install the "mcafeetp" package via the ePO server.The Ubuntu operating system is not compliant with this requirement; hence, it is a finding. However, the severity level can be mitigated to a CAT III if the ENSLTP module is installed and running. +Install the "mcafeetp" package via the ePO server. + + + + The Ubuntu operating system is not compliant with this requirement; hence, it is a finding. However, the severity level can be mitigated to a CAT III if the ENSLTP module is installed and running. Check that the "mcafeetp" package has been installed: 
@@ -2593,77 +6940,261 @@ Check that the daemon is running: # /opt/McAfee/ens/tp/init/mfetpd-control.sh status -If the daemon is not running, this finding will remain as a CAT II.SRG-OS-000205-GPOS-00083<GroupDescription></GroupDescription>UBTU-20-010416The Ubuntu operating system must generate error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries.<VulnDiscussion> Any operating system providing too much information in error messages risks compromising the data and security of the structure, and content of error messages needs to be carefully considered by the organization. - -Organizations carefully consider the structure/content of error messages. The extent to which information systems are able to identify and handle error conditions is guided by organizational policy and operational requirements. Information that could be exploited by adversaries includes, for example, erroneous logon attempts with passwords entered by mistake as the username, mission/business information that can be derived from (if not stated explicitly by) information recorded, and personal information, such as account numbers, social security numbers, and credit card numbers.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 20.04 LTSDISADPMS TargetCanonical Ubuntu 20.04 LTS5318CCI-001312Configure the Ubuntu operating system to set permissions of all log files under the "/var/log" directory to 640 or more restricted by using the following command: - -$ sudo find /var/log -perm /137 -type f -exec chmod 640 '{}' \;Verify the Ubuntu operating system has all system log 
files under the "/var/log" directory with a permission set to 640 or less permissive by using the following command: +If the daemon is not running, this finding will remain as a CAT II. + + + + + SRG-OS-000205-GPOS-00083 + <GroupDescription></GroupDescription> + + UBTU-20-010416 + The Ubuntu operating system must generate error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries. + <VulnDiscussion> Any operating system providing too much information in error messages risks compromising the data and security of the structure, and content of error messages needs to be carefully considered by the organization. + +Organizations carefully consider the structure/content of error messages. The extent to which information systems are able to identify and handle error conditions is guided by organizational policy and operational requirements. Information that could be exploited by adversaries includes, for example, erroneous logon attempts with passwords entered by mistake as the username, mission/business information that can be derived from (if not stated explicitly by) information recorded, and personal information, such as account numbers, social security numbers, and credit card numbers.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Canonical Ubuntu 20.04 LTS + DISA + DPMS Target + Canonical Ubuntu 20.04 LTS + 5318 + + CCI-001312 + Configure the Ubuntu operating system to set permissions of all log files under the "/var/log" directory to 640 or more restricted by using the following command: + +$ sudo find /var/log -perm /137 -type f -exec chmod 640 '{}' \; 
+ + + + Verify the Ubuntu operating system has all system log files under the "/var/log" directory with a permission set to 640 or less permissive by using the following command: $ sudo find /var/log -perm /137 -type f -exec stat -c "%n %a" {} \; -If the command displays any output, this is a finding.SRG-OS-000206-GPOS-00084<GroupDescription></GroupDescription>UBTU-20-010417The Ubuntu operating system must configure the /var/log directory to be group-owned by syslog.<VulnDiscussion>Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the operating system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. - -The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 20.04 LTSDISADPMS TargetCanonical Ubuntu 20.04 LTS5318CCI-001314Configure the Ubuntu operating system to have syslog group-own the "/var/log" directory by running the following command: - -$ sudo chgrp syslog /var/logVerify that the Ubuntu operating system configures the "/var/log" directory to be group-owned by syslog with the following command: +If the command displays any output, this is a finding. 
+ + + + + SRG-OS-000206-GPOS-00084 + <GroupDescription></GroupDescription> + + UBTU-20-010417 + The Ubuntu operating system must configure the /var/log directory to be group-owned by syslog. + <VulnDiscussion>Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the operating system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. + +The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Canonical Ubuntu 20.04 LTS + DISA + DPMS Target + Canonical Ubuntu 20.04 LTS + 5318 + + CCI-001314 + Configure the Ubuntu operating system to have syslog group-own the "/var/log" directory by running the following command: + +$ sudo chgrp syslog /var/log + + + + Verify that the Ubuntu operating system configures the "/var/log" directory to be group-owned by syslog with the following command: $ sudo stat -c "%n %G" /var/log /var/log syslog -If the "/var/log" directory is not group-owned by syslog, this is a finding.SRG-OS-000206-GPOS-00084<GroupDescription></GroupDescription>UBTU-20-010418The Ubuntu operating system must configure the /var/log directory to be owned by root.<VulnDiscussion>Only authorized personnel should be aware 
of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the operating system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. - -The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 20.04 LTSDISADPMS TargetCanonical Ubuntu 20.04 LTS5318CCI-001314Configure the Ubuntu operating system to have root own the "/var/log" directory by running the following command: - -$ sudo chown root /var/logVerify the Ubuntu operating system configures the "/var/log" directory to be owned by root with the following command: +If the "/var/log" directory is not group-owned by syslog, this is a finding. + + + + + SRG-OS-000206-GPOS-00084 + <GroupDescription></GroupDescription> + + UBTU-20-010418 + The Ubuntu operating system must configure the /var/log directory to be owned by root. + <VulnDiscussion>Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the operating system or platform. 
Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. + +The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Canonical Ubuntu 20.04 LTS + DISA + DPMS Target + Canonical Ubuntu 20.04 LTS + 5318 + + CCI-001314 + Configure the Ubuntu operating system to have root own the "/var/log" directory by running the following command: + +$ sudo chown root /var/log + + + + Verify the Ubuntu operating system configures the "/var/log" directory to be owned by root with the following command: $ sudo stat -c "%n %U" /var/log /var/log root -If the "/var/log" directory is not owned by root, this is a finding.SRG-OS-000206-GPOS-00084<GroupDescription></GroupDescription>UBTU-20-010419The Ubuntu operating system must configure the /var/log directory to have mode 0750 or less permissive.<VulnDiscussion>Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the operating system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. 
- -The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 20.04 LTSDISADPMS TargetCanonical Ubuntu 20.04 LTS5318CCI-001314Configure the Ubuntu operating system to have permissions of 0750 for the "/var/log" directory by running the following command: - -$ sudo chmod 0750 /var/logVerify that the Ubuntu operating system configures the "/var/log" directory with a mode of 750 or less permissive with the following command: +If the "/var/log" directory is not owned by root, this is a finding. + + + + + SRG-OS-000206-GPOS-00084 + <GroupDescription></GroupDescription> + + UBTU-20-010419 + The Ubuntu operating system must configure the /var/log directory to have mode 0750 or less permissive. + <VulnDiscussion>Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the operating system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. + +The structure and content of error messages must be carefully considered by the organization and development team. 
The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Canonical Ubuntu 20.04 LTS + DISA + DPMS Target + Canonical Ubuntu 20.04 LTS + 5318 + + CCI-001314 + Configure the Ubuntu operating system to have permissions of 0750 for the "/var/log" directory by running the following command: + +$ sudo chmod 0750 /var/log + + + + Verify that the Ubuntu operating system configures the "/var/log" directory with a mode of 750 or less permissive with the following command: $ stat -c "%n %a" /var/log /var/log 750 -If a value of "750" or less permissive is not returned, this is a finding.SRG-OS-000206-GPOS-00084<GroupDescription></GroupDescription>UBTU-20-010420The Ubuntu operating system must configure the /var/log/syslog file to be group-owned by adm.<VulnDiscussion>Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the operating system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. - -The structure and content of error messages must be carefully considered by the organization and development team. 
The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 20.04 LTSDISADPMS TargetCanonical Ubuntu 20.04 LTS5318CCI-001314Configure the Ubuntu operating system to have adm group-own the "/var/log/syslog" file by running the following command: - -$ sudo chgrp adm /var/log/syslogVerify that the Ubuntu operating system configures the "/var/log/syslog" file to be group-owned by adm with the following command: +If a value of "750" or less permissive is not returned, this is a finding. + + + + + SRG-OS-000206-GPOS-00084 + <GroupDescription></GroupDescription> + + UBTU-20-010420 + The Ubuntu operating system must configure the /var/log/syslog file to be group-owned by adm. + <VulnDiscussion>Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the operating system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. + +The structure and content of error messages must be carefully considered by the organization and development team. 
The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Canonical Ubuntu 20.04 LTS + DISA + DPMS Target + Canonical Ubuntu 20.04 LTS + 5318 + + CCI-001314 + Configure the Ubuntu operating system to have adm group-own the "/var/log/syslog" file by running the following command: + +$ sudo chgrp adm /var/log/syslog + + + + Verify that the Ubuntu operating system configures the "/var/log/syslog" file to be group-owned by adm with the following command: $ sudo stat -c "%n %G" /var/log/syslog /var/log/syslog adm -If the "/var/log/syslog" file is not group-owned by adm, this is a finding.SRG-OS-000206-GPOS-00084<GroupDescription></GroupDescription>UBTU-20-010421The Ubuntu operating system must configure /var/log/syslog file to be owned by syslog.<VulnDiscussion>Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the operating system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. - -The structure and content of error messages must be carefully considered by the organization and development team. 
The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 20.04 LTSDISADPMS TargetCanonical Ubuntu 20.04 LTS5318CCI-001314Configure the Ubuntu operating system to have syslog own the "/var/log/syslog" file by running the following command: - -$ sudo chown syslog /var/log/syslogVerify that the Ubuntu operating system configures the "/var/log/syslog" file to be owned by syslog with the following command: +If the "/var/log/syslog" file is not group-owned by adm, this is a finding. + + + + + SRG-OS-000206-GPOS-00084 + <GroupDescription></GroupDescription> + + UBTU-20-010421 + The Ubuntu operating system must configure /var/log/syslog file to be owned by syslog. + <VulnDiscussion>Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the operating system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. + +The structure and content of error messages must be carefully considered by the organization and development team. 
The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Canonical Ubuntu 20.04 LTS + DISA + DPMS Target + Canonical Ubuntu 20.04 LTS + 5318 + + CCI-001314 + Configure the Ubuntu operating system to have syslog own the "/var/log/syslog" file by running the following command: + +$ sudo chown syslog /var/log/syslog + + + + Verify that the Ubuntu operating system configures the "/var/log/syslog" file to be owned by syslog with the following command: $ sudo stat -c "%n %U" /var/log/syslog /var/log/syslog syslog -If the "/var/log/syslog" file is not owned by syslog, this is a finding.SRG-OS-000206-GPOS-00084<GroupDescription></GroupDescription>UBTU-20-010422The Ubuntu operating system must configure /var/log/syslog file with mode 0640 or less permissive.<VulnDiscussion>Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the operating system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. - -The structure and content of error messages must be carefully considered by the organization and development team. 
The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 20.04 LTSDISADPMS TargetCanonical Ubuntu 20.04 LTS5318CCI-001314Configure the Ubuntu operating system to have permissions of 0640 for the "/var/log/syslog" file by running the following command: - -$ sudo chmod 0640 /var/log/syslogVerify that the Ubuntu operating system configures the "/var/log/syslog" file with mode 0640 or less permissive by running the following command: +If the "/var/log/syslog" file is not owned by syslog, this is a finding. + + + + + SRG-OS-000206-GPOS-00084 + <GroupDescription></GroupDescription> + + UBTU-20-010422 + The Ubuntu operating system must configure /var/log/syslog file with mode 0640 or less permissive. + <VulnDiscussion>Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the operating system or platform. Additionally, Personally Identifiable Information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. + +The structure and content of error messages must be carefully considered by the organization and development team. 
The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Canonical Ubuntu 20.04 LTS + DISA + DPMS Target + Canonical Ubuntu 20.04 LTS + 5318 + + CCI-001314 + Configure the Ubuntu operating system to have permissions of 0640 for the "/var/log/syslog" file by running the following command: + +$ sudo chmod 0640 /var/log/syslog + + + + Verify that the Ubuntu operating system configures the "/var/log/syslog" file with mode 0640 or less permissive by running the following command: $ sudo stat -c "%n %a" /var/log/syslog /var/log/syslog 640 -If a value of "640" or less permissive is not returned, this is a finding.SRG-OS-000258-GPOS-00099<GroupDescription></GroupDescription>UBTU-20-010423The Ubuntu operating system must have directories that contain system commands set to a mode of 0755 or less permissive.<VulnDiscussion>Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit information. +If a value of "640" or less permissive is not returned, this is a finding. + + + + + SRG-OS-000258-GPOS-00099 + <GroupDescription></GroupDescription> + + UBTU-20-010423 + The Ubuntu operating system must have directories that contain system commands set to a mode of 0755 or less permissive. + <VulnDiscussion>Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. 
Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit information. Operating systems providing tools to interface with audit information will leverage user permissions and roles identifying the user accessing the tools and the corresponding rights the user has in order to make access decisions regarding the deletion of audit tools. -Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 20.04 LTSDISADPMS TargetCanonical Ubuntu 20.04 LTS5318CCI-001495Configure the system commands directories to be protected from unauthorized access. Run the following command: - -$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm /022 -type d -exec chmod -R 755 '{}' \;Verify the system commands directories have mode 0755 or less permissive: +Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. 
Audit tools include custom queries and report generators.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Canonical Ubuntu 20.04 LTS + DISA + DPMS Target + Canonical Ubuntu 20.04 LTS + 5318 + + CCI-001495 + Configure the system commands directories to be protected from unauthorized access. Run the following command: + +$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm /022 -type d -exec chmod -R 755 '{}' \; + + + + Verify the system commands directories have mode 0755 or less permissive: /bin /sbin 
@@ -2676,13 +7207,36 @@ Check that the system command directories have mode 0755 or less permissive with $ find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm /022 -type d -exec stat -c "%n %a" '{}' \; -If any directories are found to be group-writable or world-writable, this is a finding.SRG-OS-000258-GPOS-00099<GroupDescription></GroupDescription>UBTU-20-010424The Ubuntu operating system must have directories that contain system commands owned by root.<VulnDiscussion>Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit information. +If any directories are found to be group-writable or world-writable, this is a finding. + + + + + SRG-OS-000258-GPOS-00099 + <GroupDescription></GroupDescription> + + UBTU-20-010424 + The Ubuntu operating system must have directories that contain system commands owned by root. + <VulnDiscussion>Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit information. Operating systems providing tools to interface with audit information will leverage user permissions and roles identifying the user accessing the tools and the corresponding rights the user has in order to make access decisions regarding the deletion of audit tools. -Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. 
Audit tools include custom queries and report generators.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 20.04 LTSDISADPMS TargetCanonical Ubuntu 20.04 LTS5318CCI-001495Configure the system commands directories to be protected from unauthorized access. Run the following command: - -$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -user root -type d -exec chown root '{}' \;Verify the system commands directories are owned by root: +Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Canonical Ubuntu 20.04 LTS + DISA + DPMS Target + Canonical Ubuntu 20.04 LTS + 5318 + + CCI-001495 + Configure the system commands directories to be protected from unauthorized access. Run the following command: + +$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -user root -type d -exec chown root '{}' \; + + + + Verify the system commands directories are owned by root: /bin /sbin 
@@ -2695,13 +7249,36 @@ Use the following command for the check: $ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -user root -type d -exec stat -c "%n %U" '{}' \; -If any system commands directories are returned, this is a finding.SRG-OS-000258-GPOS-00099<GroupDescription></GroupDescription>UBTU-20-010425The Ubuntu operating system must have directories that contain system commands group-owned by root.<VulnDiscussion>Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit information. +If any system commands directories are returned, this is a finding. + + + + + SRG-OS-000258-GPOS-00099 + <GroupDescription></GroupDescription> + + UBTU-20-010425 + The Ubuntu operating system must have directories that contain system commands group-owned by root. + <VulnDiscussion>Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit information. Operating systems providing tools to interface with audit information will leverage user permissions and roles identifying the user accessing the tools and the corresponding rights the user has in order to make access decisions regarding the deletion of audit tools. -Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. 
Audit tools include custom queries and report generators.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 20.04 LTSDISADPMS TargetCanonical Ubuntu 20.04 LTS5318CCI-001495Configure the system commands directories to be protected from unauthorized access. Run the following command: - -$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -group root -type d -exec chgrp root '{}' \;Verify the system commands directories are group-owned by root: +Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Canonical Ubuntu 20.04 LTS + DISA + DPMS Target + Canonical Ubuntu 20.04 LTS + 5318 + + CCI-001495 + Configure the system commands directories to be protected from unauthorized access. Run the following command: + +$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -group root -type d -exec chgrp root '{}' \; + + + + Verify the system commands directories are group-owned by root: /bin /sbin 
@@ -2714,58 +7291,215 @@ Run the check with the following command: $ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -group root -type d -exec stat -c "%n %G" '{}' \; -If any system commands directories are returned that are not Set Group ID up on execution (SGID) files and owned by a privileged account, this is a finding.SRG-OS-000259-GPOS-00100<GroupDescription></GroupDescription>UBTU-20-010426The Ubuntu operating system library files must have mode 0755 or less permissive.<VulnDiscussion> If the operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. - -This requirement applies to operating systems with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. Only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 20.04 LTSDISADPMS TargetCanonical Ubuntu 20.04 LTS5318CCI-001499Configure the library files to be protected from unauthorized access. 
Run the following command: - -$ sudo find /lib /lib64 /usr/lib -perm /022 -type f -exec chmod 755 '{}' \;Verify the system-wide shared library files contained in the directories "/lib", "/lib64", and "/usr/lib" have mode 0755 or less permissive with the following command: +If any system commands directories are returned that are not Set Group ID up on execution (SGID) files and owned by a privileged account, this is a finding. + + + + + SRG-OS-000259-GPOS-00100 + <GroupDescription></GroupDescription> + + UBTU-20-010426 + The Ubuntu operating system library files must have mode 0755 or less permissive. + <VulnDiscussion> If the operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. + +This requirement applies to operating systems with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. Only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Canonical Ubuntu 20.04 LTS + DISA + DPMS Target + Canonical Ubuntu 20.04 LTS + 5318 + + CCI-001499 + Configure the library files to be protected from unauthorized access. 
Run the following command: + +$ sudo find /lib /lib64 /usr/lib -perm /022 -type f -exec chmod 755 '{}' \; + + + + Verify the system-wide shared library files contained in the directories "/lib", "/lib64", and "/usr/lib" have mode 0755 or less permissive with the following command: $ sudo find /lib /lib64 /usr/lib -perm /022 -type f -exec stat -c "%n %a" '{}' \; /usr/lib64/pkcs11-spy.so -If any files are found to be group-writable or world-writable, this is a finding.SRG-OS-000259-GPOS-00100<GroupDescription></GroupDescription>UBTU-20-010427The Ubuntu operating system library directories must have mode 0755 or less permissive.<VulnDiscussion> If the operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. - -This requirement applies to operating systems with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. Only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 20.04 LTSDISADPMS TargetCanonical Ubuntu 20.04 LTS5318CCI-001499Configure the shared library directories to be protected from unauthorized access. 
Run the following command: - -$ sudo find /lib /lib64 /usr/lib -perm /022 -type d -exec chmod 755 '{}' \;Verify the system-wide shared library directories "/lib", "/lib64", and "/usr/lib have mode 0755 or less permissive with the following command: +If any files are found to be group-writable or world-writable, this is a finding. + + + + + SRG-OS-000259-GPOS-00100 + <GroupDescription></GroupDescription> + + UBTU-20-010427 + The Ubuntu operating system library directories must have mode 0755 or less permissive. + <VulnDiscussion> If the operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. + +This requirement applies to operating systems with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. Only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Canonical Ubuntu 20.04 LTS + DISA + DPMS Target + Canonical Ubuntu 20.04 LTS + 5318 + + CCI-001499 + Configure the shared library directories to be protected from unauthorized access. 
Run the following command: + +$ sudo find /lib /lib64 /usr/lib -perm /022 -type d -exec chmod 755 '{}' \; + + + + Verify the system-wide shared library directories "/lib", "/lib64", and "/usr/lib have mode 0755 or less permissive with the following command: $ sudo find /lib /lib64 /usr/lib -perm /022 -type d -exec stat -c "%n %a" '{}' \; -If any of the aforementioned directories are found to be group-writable or world-writable, this is a finding.SRG-OS-000259-GPOS-00100<GroupDescription></GroupDescription>UBTU-20-010428The Ubuntu operating system library files must be owned by root.<VulnDiscussion> If the operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. - -This requirement applies to operating systems with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. Only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 20.04 LTSDISADPMS TargetCanonical Ubuntu 20.04 LTS5318CCI-001499Configure the system library files to be protected from unauthorized access. Run the following command: - -$ sudo find /lib /usr/lib /lib64 ! 
-user root -type f -exec chown root '{}' \;Verify the system-wide shared library files contained in the directories "/lib", "/lib64", and "/usr/lib" are owned by root with the following command: +If any of the aforementioned directories are found to be group-writable or world-writable, this is a finding. + + + + + SRG-OS-000259-GPOS-00100 + <GroupDescription></GroupDescription> + + UBTU-20-010428 + The Ubuntu operating system library files must be owned by root. + <VulnDiscussion> If the operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. + +This requirement applies to operating systems with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. Only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Canonical Ubuntu 20.04 LTS + DISA + DPMS Target + Canonical Ubuntu 20.04 LTS + 5318 + + CCI-001499 + Configure the system library files to be protected from unauthorized access. Run the following command: + +$ sudo find /lib /usr/lib /lib64 ! 
-user root -type f -exec chown root '{}' \; + + + + Verify the system-wide shared library files contained in the directories "/lib", "/lib64", and "/usr/lib" are owned by root with the following command: $ sudo find /lib /usr/lib /lib64 ! -user root -type f -exec stat -c "%n %U" '{}' \; -If any system-wide library file is returned, this is a finding.SRG-OS-000259-GPOS-00100<GroupDescription></GroupDescription>UBTU-20-010429The Ubuntu operating system library directories must be owned by root.<VulnDiscussion> If the operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. - -This requirement applies to operating systems with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. Only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 20.04 LTSDISADPMS TargetCanonical Ubuntu 20.04 LTS5318CCI-001499Configure the library files and their respective parent directories to be protected from unauthorized access. Run the following command: - -$ sudo find /lib /usr/lib /lib64 ! 
-user root -type d -exec chown root '{}' \;Verify the system-wide shared library directories "/lib", "/lib64", and "/usr/lib" are owned by root with the following command: +If any system-wide library file is returned, this is a finding. + + + + + SRG-OS-000259-GPOS-00100 + <GroupDescription></GroupDescription> + + UBTU-20-010429 + The Ubuntu operating system library directories must be owned by root. + <VulnDiscussion> If the operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. + +This requirement applies to operating systems with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. Only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Canonical Ubuntu 20.04 LTS + DISA + DPMS Target + Canonical Ubuntu 20.04 LTS + 5318 + + CCI-001499 + Configure the library files and their respective parent directories to be protected from unauthorized access. Run the following command: + +$ sudo find /lib /usr/lib /lib64 ! -user root -type d -exec chown root '{}' \; + + + + Verify the system-wide shared library directories "/lib", "/lib64", and "/usr/lib" are owned by root with the following command: $ sudo find /lib /usr/lib /lib64 ! 
-user root -type d -exec stat -c "%n %U" '{}' \; -If any system-wide library directory is returned, this is a finding.SRG-OS-000259-GPOS-00100<GroupDescription></GroupDescription>UBTU-20-010430The Ubuntu operating system library files must be group-owned by root or a system account.<VulnDiscussion> If the operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. - -This requirement applies to operating systems with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. Only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 20.04 LTSDISADPMS TargetCanonical Ubuntu 20.04 LTS5318CCI-001499Configure the system library files to be protected from unauthorized access. Run the following command, replacing "[FILE]" with any system command file not group-owned by "root" or a required system account: - -$ sudo chgrp root [FILE]Verify the system-wide library files contained in the directories "/lib", "/lib64", and "/usr/lib" are group-owned by root, or a required system account, with the following command: +If any system-wide library directory is returned, this is a finding. 
+ + + + + SRG-OS-000259-GPOS-00100 + <GroupDescription></GroupDescription> + + UBTU-20-010430 + The Ubuntu operating system library files must be group-owned by root or a system account. + <VulnDiscussion> If the operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. + +This requirement applies to operating systems with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. Only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Canonical Ubuntu 20.04 LTS + DISA + DPMS Target + Canonical Ubuntu 20.04 LTS + 5318 + + CCI-001499 + Configure the system library files to be protected from unauthorized access. Run the following command, replacing "[FILE]" with any system command file not group-owned by "root" or a required system account: + +$ sudo chgrp root [FILE] + + + + Verify the system-wide library files contained in the directories "/lib", "/lib64", and "/usr/lib" are group-owned by root, or a required system account, with the following command: $ sudo find /lib /usr/lib /lib64 ! 
-group root -type f -exec stat -c "%n %G" '{}' \; -If any system-wide shared library file is returned and is not group-owned by a required system account, this is a finding.SRG-OS-000259-GPOS-00100<GroupDescription></GroupDescription>UBTU-20-010431The Ubuntu operating system library directories must be group-owned by root.<VulnDiscussion> If the operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. - -This requirement applies to operating systems with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. Only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 20.04 LTSDISADPMS TargetCanonical Ubuntu 20.04 LTS5318CCI-001499Configure the system library directories to be protected from unauthorized access. Run the following command: - -$ sudo find /lib /usr/lib /lib64 ! -group root -type d -exec chgrp root '{}' \;Verify the system-wide library directories "/lib", "/lib64", and "/usr/lib" are group-owned by root with the following command: +If any system-wide shared library file is returned and is not group-owned by a required system account, this is a finding. 
+ + + + + SRG-OS-000259-GPOS-00100 + <GroupDescription></GroupDescription> + + UBTU-20-010431 + The Ubuntu operating system library directories must be group-owned by root. + <VulnDiscussion> If the operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. + +This requirement applies to operating systems with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. Only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Canonical Ubuntu 20.04 LTS + DISA + DPMS Target + Canonical Ubuntu 20.04 LTS + 5318 + + CCI-001499 + Configure the system library directories to be protected from unauthorized access. Run the following command: + +$ sudo find /lib /usr/lib /lib64 ! -group root -type d -exec chgrp root '{}' \; + + + + Verify the system-wide library directories "/lib", "/lib64", and "/usr/lib" are group-owned by root with the following command: $ sudo find /lib /usr/lib /lib64 ! 
-group root -type d -exec stat -c "%n %G" '{}' \; -If any system-wide shared library directory is returned, this is a finding.SRG-OS-000269-GPOS-00103<GroupDescription></GroupDescription>UBTU-20-010432The Ubuntu operating system must be configured to preserve log records from failure events.<VulnDiscussion>Failure to a known state can address safety or security in accordance with the mission/business needs of the organization. Failure to a known secure state helps prevent a loss of confidentiality, integrity, or availability in the event of a failure of the information system or a component of the system. - -Preserving operating system state information helps to facilitate operating system restart and return to the operational mode of the organization with least disruption to mission/business processes.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 20.04 LTSDISADPMS TargetCanonical Ubuntu 20.04 LTS5318CCI-001665Configure the log service to collect failure events. +If any system-wide shared library directory is returned, this is a finding. + + + + + SRG-OS-000269-GPOS-00103 + <GroupDescription></GroupDescription> + + UBTU-20-010432 + The Ubuntu operating system must be configured to preserve log records from failure events. + <VulnDiscussion>Failure to a known state can address safety or security in accordance with the mission/business needs of the organization. Failure to a known secure state helps prevent a loss of confidentiality, integrity, or availability in the event of a failure of the information system or a component of the system. 
+ +Preserving operating system state information helps to facilitate operating system restart and return to the operational mode of the organization with least disruption to mission/business processes.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Canonical Ubuntu 20.04 LTS + DISA + DPMS Target + Canonical Ubuntu 20.04 LTS + 5318 + + CCI-001665 + Configure the log service to collect failure events. Install the log service (if the log service is not already installed) with the following command: @@ -2773,7 +7507,11 @@ $ sudo apt-get install rsyslog Enable the log service with the following command: -$ sudo systemctl enable --now rsyslogVerify the log service is configured to collect system failure events. +$ sudo systemctl enable --now rsyslog + + + + Verify the log service is configured to collect system failure events. Check that the log service is installed properly with the following command: 
@@ -2797,13 +7535,36 @@ $ systemctl is-active rsyslog active -If the command above returns "inactive", this is a finding.SRG-OS-000297-GPOS-00115<GroupDescription></GroupDescription>UBTU-20-010433The Ubuntu operating system must have an application firewall installed in order to control remote access methods.<VulnDiscussion>Remote access services, such as those providing remote access to network devices and information systems, which lack automated control capabilities, increase risk and make remote user access management difficult at best. +If the command above returns "inactive", this is a finding. + + + + + SRG-OS-000297-GPOS-00115 + <GroupDescription></GroupDescription> + + UBTU-20-010433 + The Ubuntu operating system must have an application firewall installed in order to control remote access methods. + <VulnDiscussion>Remote access services, such as those providing remote access to network devices and information systems, which lack automated control capabilities, increase risk and make remote user access management difficult at best. Remote access is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. -Ubuntu operating system functionality (e.g., RDP) must be capable of taking enforcement action if the audit reveals unauthorized activity. 
Automated control of remote access sessions allows organizations to ensure ongoing compliance with remote access policies by enforcing connection rules of remote access applications on a variety of information system components (e.g., servers, workstations, notebook computers, smartphones, and tablets).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 20.04 LTSDISADPMS TargetCanonical Ubuntu 20.04 LTS5318CCI-002314Install the Uncomplicated Firewall by using the following command: - -$ sudo apt-get install ufwVerify that the Uncomplicated Firewall is installed with the following command: +Ubuntu operating system functionality (e.g., RDP) must be capable of taking enforcement action if the audit reveals unauthorized activity. 
Automated control of remote access sessions allows organizations to ensure ongoing compliance with remote access policies by enforcing connection rules of remote access applications on a variety of information system components (e.g., servers, workstations, notebook computers, smartphones, and tablets).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Canonical Ubuntu 20.04 LTS + DISA + DPMS Target + Canonical Ubuntu 20.04 LTS + 5318 + + CCI-002314 + Install the Uncomplicated Firewall by using the following command: + +$ sudo apt-get install ufw + + + + Verify that the Uncomplicated Firewall is installed with the following command: $ dpkg -l | grep ufw 
@@ -2811,13 +7572,36 @@ ii ufw 0.36-6 If the "ufw" package is not installed, ask the System Administrator if another application firewall is installed. -If no application firewall is installed, this is a finding.SRG-OS-000297-GPOS-00115<GroupDescription></GroupDescription>UBTU-20-010434The Ubuntu operating system must enable and run the uncomplicated firewall(ufw).<VulnDiscussion>Remote access services, such as those providing remote access to network devices and information systems, which lack automated control capabilities, increase risk and make remote user access management difficult at best. +If no application firewall is installed, this is a finding. + + + + + SRG-OS-000297-GPOS-00115 + <GroupDescription></GroupDescription> + + UBTU-20-010434 + The Ubuntu operating system must enable and run the uncomplicated firewall(ufw). + <VulnDiscussion>Remote access services, such as those providing remote access to network devices and information systems, which lack automated control capabilities, increase risk and make remote user access management difficult at best. Remote access is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. -Ubuntu operating system functionality (e.g., RDP) must be capable of taking enforcement action if the audit reveals unauthorized activity. 
Automated control of remote access sessions allows organizations to ensure ongoing compliance with remote access policies by enforcing connection rules of remote access applications on a variety of information system components (e.g., servers, workstations, notebook computers, smartphones, and tablets).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 20.04 LTSDISADPMS TargetCanonical Ubuntu 20.04 LTS5318CCI-002314Enable the Uncomplicated Firewall by using the following command: - -$ sudo systemctl enable --now ufw.serviceVerify the Uncomplicated Firewall is enabled on the system by running the following command: +Ubuntu operating system functionality (e.g., RDP) must be capable of taking enforcement action if the audit reveals unauthorized activity. 
Automated control of remote access sessions allows organizations to ensure ongoing compliance with remote access policies by enforcing connection rules of remote access applications on a variety of information system components (e.g., servers, workstations, notebook computers, smartphones, and tablets).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Canonical Ubuntu 20.04 LTS + DISA + DPMS Target + Canonical Ubuntu 20.04 LTS + 5318 + + CCI-002314 + Enable the Uncomplicated Firewall by using the following command: + +$ sudo systemctl enable --now ufw.service + + + + Verify the Uncomplicated Firewall is enabled on the system by running the following command: $ systemctl is-enabled ufw 
@@ -2831,11 +7615,30 @@ If the above command returns "inactive" or any kind of error, this is a finding. If the Uncomplicated Firewall is not installed, ask the System Administrator if another application firewall is installed. -If no application firewall is installed, this is a finding.SRG-OS-000355-GPOS-00143<GroupDescription></GroupDescription>UBTU-20-010435The Ubuntu operating system must, for networked systems, compare internal information system clocks at least every 24 hours with a server which is synchronized to one of the redundant United States Naval Observatory (USNO) time servers, or a time server designated for the appropriate DoD network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS).<VulnDiscussion>Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. Sources outside the configured acceptable allowance (drift) may be inaccurate. +If no application firewall is installed, this is a finding. + + + + + SRG-OS-000355-GPOS-00143 + <GroupDescription></GroupDescription> + + UBTU-20-010435 + The Ubuntu operating system must, for networked systems, compare internal information system clocks at least every 24 hours with a server which is synchronized to one of the redundant United States Naval Observatory (USNO) time servers, or a time server designated for the appropriate DoD network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS). + <VulnDiscussion>Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. Sources outside the configured acceptable allowance (drift) may be inaccurate. 
Synchronizing internal information system clocks provides uniformity of time stamps for information systems with multiple system clocks and systems connected over a network. -Organizations should consider endpoints that may not have regular access to the authoritative time server (e.g., mobile, teleworking, and tactical endpoints).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 20.04 LTSDISADPMS TargetCanonical Ubuntu 20.04 LTS5318CCI-001891If the system is not networked, this requirement is Not Applicable. +Organizations should consider endpoints that may not have regular access to the authoritative time server (e.g., mobile, teleworking, and tactical endpoints).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Canonical Ubuntu 20.04 LTS + DISA + DPMS Target + Canonical Ubuntu 20.04 LTS + 5318 + + CCI-001891 + If the system is not networked, this requirement is Not Applicable. To configure the system clock to compare the system clock at least every 24 hours to the authoritative time source, edit the "/etc/chrony/chrony.conf" file. Add or correct the following lines, by replacing "[source]" in the following line with an authoritative DoD time source: 
@@ -2843,7 +7646,11 @@ server [source] iburst maxpoll = 16 If the "chrony" service was running and the value of "maxpoll" or "server" was updated, the service must be restarted using the following command: -$ sudo systemctl restart chrony.serviceIf the system is not networked, this requirement is Not Applicable. +$ sudo systemctl restart chrony.service + + + + If the system is not networked, this requirement is Not Applicable. The system clock must be configured to compare the system clock at least every 24 hours to the authoritative time source. 
@@ -2861,11 +7668,30 @@ server tick.usno.navy.mil iburst maxpoll 16 server tock.usno.navy.mil iburst maxpoll 16 server ntp2.usno.navy.mil iburst maxpoll 16 -If the parameter "server" is not set, is not set to an authoritative DoD time source, or is commented out, this is a finding.SRG-OS-000356-GPOS-00144<GroupDescription></GroupDescription>UBTU-20-010436The Ubuntu operating system must synchronize internal information system clocks to the authoritative time source when the time difference is greater than one second.<VulnDiscussion>Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. +If the parameter "server" is not set, is not set to an authoritative DoD time source, or is commented out, this is a finding. + + + + + SRG-OS-000356-GPOS-00144 + <GroupDescription></GroupDescription> + + UBTU-20-010436 + The Ubuntu operating system must synchronize internal information system clocks to the authoritative time source when the time difference is greater than one second. + <VulnDiscussion>Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. Synchronizing internal information system clocks provides uniformity of time stamps for information systems with multiple system clocks and systems connected over a network. Organizations should consider setting time periods for different types of systems (e.g., financial, legal, or mission-critical systems). -Organizations should also consider endpoints that may not have regular access to the authoritative time server (e.g., mobile, teleworking, and tactical endpoints). 
This requirement is related to the comparison done every 24 hours in SRG-OS-000355 because a comparison must be done in order to determine the time difference.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 20.04 LTSDISADPMS TargetCanonical Ubuntu 20.04 LTS5318CCI-002046Configure chrony to synchronize the internal system clocks to the authoritative source when the time difference is greater than one second by doing the following: +Organizations should also consider endpoints that may not have regular access to the authoritative time server (e.g., mobile, teleworking, and tactical endpoints). This requirement is related to the comparison done every 24 hours in SRG-OS-000355 because a comparison must be done in order to determine the time difference.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Canonical Ubuntu 20.04 LTS + DISA + DPMS Target + Canonical Ubuntu 20.04 LTS + 5318 + + CCI-002046 + Configure chrony to synchronize the internal system clocks to the authoritative source when the time difference is greater than one second by doing the following: Edit the "/etc/chrony/chrony.conf" file and add: 
@@ -2873,7 +7699,11 @@ makestep 1 -1 Restart the chrony service: -$ sudo systemctl restart chrony.serviceVerify the operating system synchronizes internal system clocks to the authoritative time source when the time difference is greater than one second. +$ sudo systemctl restart chrony.service + + + + Verify the operating system synchronizes internal system clocks to the authoritative time source when the time difference is greater than one second. Check the value of "makestep" by running the following command: 
@@ -2881,43 +7711,109 @@ $ sudo grep makestep /etc/chrony/chrony.conf makestep 1 -1 -If the makestep option is commented out or is not set to "1 -1", this is a finding.SRG-OS-000363-GPOS-00150<GroupDescription></GroupDescription>UBTU-20-010437The Ubuntu operating system must notify designated personnel if baseline configurations are changed in an unauthorized manner. The file integrity tool must notify the System Administrator when changes to the baseline configuration or anomalies in the oper<VulnDiscussion>Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may be relevant to security. - -Detecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the operating system. The operating system's IMO/ISSO and SAs must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 20.04 LTSDISADPMS TargetCanonical Ubuntu 20.04 LTS5318CCI-001744Configure the Ubuntu operating system to notify designated personnel if baseline configurations are changed in an unauthorized manner. 
- -Modify the "SILENTREPORTS" parameter in the "/etc/default/aide" file with a value of "no" if it does not already exist.Verify that Advanced Intrusion Detection Environment (AIDE) notifies the System Administrator +If the makestep option is commented out or is not set to "1 -1", this is a finding. + + + + + SRG-OS-000363-GPOS-00150 + <GroupDescription></GroupDescription> + + UBTU-20-010437 + The Ubuntu operating system must notify designated personnel if baseline configurations are changed in an unauthorized manner. The file integrity tool must notify the System Administrator when changes to the baseline configuration or anomalies in the oper + <VulnDiscussion>Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may be relevant to security. + +Detecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the operating system. The operating system's IMO/ISSO and SAs must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Canonical Ubuntu 20.04 LTS + DISA + DPMS Target + Canonical Ubuntu 20.04 LTS + 5318 + + CCI-001744 + Configure the Ubuntu operating system to notify designated personnel if baseline configurations are changed in an unauthorized manner. 
+ +Modify the "SILENTREPORTS" parameter in the "/etc/default/aide" file with a value of "no" if it does not already exist. + + + + Verify that Advanced Intrusion Detection Environment (AIDE) notifies the System Administrator when anomalies in the operation of any security functions are discovered with the following command: -$ grep SILENTREPORTS /etc/default/aide - -SILENTREPORTS=no +$ grep SILENTREPORTS /etc/default/aide SILENTREPORTS=no If SILENTREPORTS is commented out, this is a finding. If SILENTREPORTS is set to "yes", this is a finding. -If SILENTREPORTS is not set to "no", this is a finding.SRG-OS-000366-GPOS-00153<GroupDescription></GroupDescription>UBTU-20-010438The Ubuntu operating system's Advance Package Tool (APT) must be configured to prevent the installation of patches, service packs, device drivers, or Ubuntu operating system components without verification they have been digitally signed using a certificate that is recognized and approved by the organization.<VulnDiscussion>Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor. +If SILENTREPORTS is not set to "no", this is a finding. + + + + + SRG-OS-000366-GPOS-00153 + <GroupDescription></GroupDescription> + + UBTU-20-010438 + The Ubuntu operating system's Advance Package Tool (APT) must be configured to prevent the installation of patches, service packs, device drivers, or Ubuntu operating system components without verification they have been digitally signed using a certificate that is recognized and approved by the organization. + <VulnDiscussion>Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor. 
Accordingly, patches, service packs, device drivers, or operating system components must be signed with a certificate recognized and approved by the organization. -Verifying the authenticity of the software prior to installation validates the integrity of the patch or upgrade received from a vendor. This ensures the software has not been tampered with and that it has been provided by a trusted vendor. Self-signed certificates are disallowed by this requirement. The operating system should not have to verify the software again. This requirement does not mandate DoD certificates for this purpose; however, the certificate used to verify the software must be from an approved CA.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 20.04 LTSDISADPMS TargetCanonical Ubuntu 20.04 LTS5318CCI-001749Configure APT to prevent the installation of patches, service packs, device drivers, or Ubuntu operating system components without verification they have been digitally signed using a certificate that is recognized and approved by the organization. +Verifying the authenticity of the software prior to installation validates the integrity of the patch or upgrade received from a vendor. This ensures the software has not been tampered with and that it has been provided by a trusted vendor. Self-signed certificates are disallowed by this requirement. The operating system should not have to verify the software again. 
This requirement does not mandate DoD certificates for this purpose; however, the certificate used to verify the software must be from an approved CA.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Canonical Ubuntu 20.04 LTS + DISA + DPMS Target + Canonical Ubuntu 20.04 LTS + 5318 + + CCI-001749 + Configure APT to prevent the installation of patches, service packs, device drivers, or Ubuntu operating system components without verification they have been digitally signed using a certificate that is recognized and approved by the organization. Remove/update any APT configuration files that contain the variable "AllowUnauthenticated" to "false", or remove "AllowUnauthenticated" entirely from each file. Below is an example of setting the "AllowUnauthenticated" variable to "false": -APT::Get::AllowUnauthenticated "false";Verify that APT is configured to prevent the installation of patches, service packs, device drivers, or Ubuntu operating system components without verification they have been digitally signed using a certificate that is recognized and approved by the organization. +APT::Get::AllowUnauthenticated "false"; + + + + Verify that APT is configured to prevent the installation of patches, service packs, device drivers, or Ubuntu operating system components without verification they have been digitally signed using a certificate that is recognized and approved by the organization. 
Check that the "AllowUnauthenticated" variable is not set at all or is set to "false" with the following command: $ grep AllowUnauthenticated /etc/apt/apt.conf.d/* /etc/apt/apt.conf.d/01-vendor-Ubuntu:APT::Get::AllowUnauthenticated "false"; -If any of the files returned from the command with "AllowUnauthenticated" are set to "true", this is a finding.SRG-OS-000368-GPOS-00154<GroupDescription></GroupDescription>UBTU-20-010439The Ubuntu operating system must be configured to use AppArmor.<VulnDiscussion>Control of program execution is a mechanism used to prevent execution of unauthorized programs. Some operating systems may provide a capability that runs counter to the mission or provides users with functionality that exceeds mission requirements. This includes functions and services installed at the operating system-level. +If any of the files returned from the command with "AllowUnauthenticated" are set to "true", this is a finding. + + + + + SRG-OS-000368-GPOS-00154 + <GroupDescription></GroupDescription> + + UBTU-20-010439 + The Ubuntu operating system must be configured to use AppArmor. + <VulnDiscussion>Control of program execution is a mechanism used to prevent execution of unauthorized programs. Some operating systems may provide a capability that runs counter to the mission or provides users with functionality that exceeds mission requirements. This includes functions and services installed at the operating system-level. Some of the programs, installed by default, may be harmful or may not be necessary to support essential organizational operations (e.g., key missions, functions). Removal of executable programs is not always possible; therefore, establishing a method of preventing program execution is critical to maintaining a secure system baseline. 
Methods for complying with this requirement include restricting execution of programs in certain environments, while preventing execution in other environments; or limiting execution of certain program functionality based on organization-defined criteria (e.g., privileges, subnets, sandboxed environments, or roles). -Satisfies: SRG-OS-000368-GPOS-00154, SRG-OS-000312-GPOS-00122, SRG-OS-000312-GPOS-00123, SRG-OS-000312-GPOS-00124, SRG-OS-000324-GPOS-00125, SRG-OS-000370-GPOS-00155</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 20.04 LTSDISADPMS TargetCanonical Ubuntu 20.04 LTS5318CCI-001764CCI-001774CCI-002165CCI-002235Install "AppArmor" (if it is not installed) with the following command: +Satisfies: SRG-OS-000368-GPOS-00154, SRG-OS-000312-GPOS-00122, SRG-OS-000312-GPOS-00123, SRG-OS-000312-GPOS-00124, SRG-OS-000324-GPOS-00125, SRG-OS-000370-GPOS-00155</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Canonical Ubuntu 20.04 LTS + DISA + DPMS Target + Canonical Ubuntu 20.04 LTS + 5318 + + CCI-001764 + CCI-001774 + CCI-002165 + CCI-002235 + Install "AppArmor" (if it is not installed) with the following command: $ sudo apt-get install apparmor 
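Review bot: The check text for UBTU-20-010437 in this hunk appears to have lost its line structure: on the old side the grep command, a blank line and the expected output `SILENTREPORTS=no` were three separate lines, while the new side (as rendered here) reads `$ grep SILENTREPORTS /etc/default/aide SILENTREPORTS=no` on a single line. If the pretty-printer that produced this commit normalizes whitespace inside text nodes, it is changing the content of check-content and fixtext elements, not just the indentation between elements, and an assessor reading the new file can no longer tell the command from its expected output. Please confirm the serializer preserves whitespace in mixed-content text (the other hunks in this range show `+$ sudo systemctl restart chrony.service` keeping its surrounding lines, so this one looks like an exception rather than the rule) and spot-check the remaining pretty-printed rules for the same fold.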
@@ -2927,7 +7823,11 @@ Start "apparmor" with the following command: $ sudo systemctl start apparmor.service -Note: AppArmor must have properly configured profiles for applications and home directories. All configurations will be based on the actual system setup and organization and normally are on a per role basis. See the AppArmor documentation for more information on configuring profiles.Verify the operating system prevents program execution in accordance with local policies. +Note: AppArmor must have properly configured profiles for applications and home directories. All configurations will be based on the actual system setup and organization and normally are on a per role basis. See the AppArmor documentation for more information on configuring profiles. + + + + Verify the operating system prevents program execution in accordance with local policies. Check that AppArmor is installed and active by running the following command, 
@@ -2945,9 +7845,28 @@ $ systemctl is-enabled apparmor.service enabled -If "enabled" is not returned, this is a finding.SRG-OS-000380-GPOS-00165<GroupDescription></GroupDescription>UBTU-20-010440The Ubuntu operating system must allow the use of a temporary password for system logons with an immediate change to a permanent password.<VulnDiscussion>Without providing this capability, an account may be created without a password. Non-repudiation cannot be guaranteed once an account is created if a user is not forced to change the temporary password upon initial logon. - -Temporary passwords are typically used to allow access when new accounts are created or passwords are changed. It is common practice for administrators to create temporary passwords for user accounts which allow the users to log on, yet force them to change the password once they have successfully authenticated.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 20.04 LTSDISADPMS TargetCanonical Ubuntu 20.04 LTS5318CCI-002041Create a policy that ensures when a user is created, it is created using a method that forces a user to change their password upon their next login. +If "enabled" is not returned, this is a finding. + + + + + SRG-OS-000380-GPOS-00165 + <GroupDescription></GroupDescription> + + UBTU-20-010440 + The Ubuntu operating system must allow the use of a temporary password for system logons with an immediate change to a permanent password. + <VulnDiscussion>Without providing this capability, an account may be created without a password. 
Non-repudiation cannot be guaranteed once an account is created if a user is not forced to change the temporary password upon initial logon. + +Temporary passwords are typically used to allow access when new accounts are created or passwords are changed. It is common practice for administrators to create temporary passwords for user accounts which allow the users to log on, yet force them to change the password once they have successfully authenticated.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Canonical Ubuntu 20.04 LTS + DISA + DPMS Target + Canonical Ubuntu 20.04 LTS + 5318 + + CCI-002041 + Create a policy that ensures when a user is created, it is created using a method that forces a user to change their password upon their next login. Below are two examples of how to create a user account that requires the user to change their password upon their next login. 
@@ -2955,13 +7874,40 @@ $ sudo chage -d 0 [UserName] or -$ sudo passwd -e [UserName]Verify a policy exists that ensures when a user account is created, it is created using a method that forces a user to change their password upon their next login. - -If a policy does not exist, this is a finding.SRG-OS-000383-GPOS-00166<GroupDescription></GroupDescription>UBTU-20-010441The Ubuntu operating system must be configured such that Pluggable Authentication Module (PAM) prohibits the use of cached authentications after one day.<VulnDiscussion>If cached authentication information is out-of-date, the validity of the authentication information may be questionable.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 20.04 LTSDISADPMS TargetCanonical Ubuntu 20.04 LTS5318CCI-002007Configure PAM to prohibit the use of cached authentications after one day. Add or change the following line in "/etc/sssd/sssd.conf" just below the line "[pam]": +$ sudo passwd -e [UserName] + + + + Verify a policy exists that ensures when a user account is created, it is created using a method that forces a user to change their password upon their next login. + +If a policy does not exist, this is a finding. + + + + + SRG-OS-000383-GPOS-00166 + <GroupDescription></GroupDescription> + + UBTU-20-010441 + The Ubuntu operating system must be configured such that Pluggable Authentication Module (PAM) prohibits the use of cached authentications after one day. 
+ <VulnDiscussion>If cached authentication information is out-of-date, the validity of the authentication information may be questionable.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Canonical Ubuntu 20.04 LTS + DISA + DPMS Target + Canonical Ubuntu 20.04 LTS + 5318 + + CCI-002007 + Configure PAM to prohibit the use of cached authentications after one day. Add or change the following line in "/etc/sssd/sssd.conf" just below the line "[pam]": offline_credentials_expiration = 1 -Note: It is valid for this configuration to be in a file with a name that ends with ".conf" and does not begin with a "." in the "/etc/sssd/conf.d/" directory instead of the "/etc/sssd/sssd.conf" file.If smart card authentication is not being used on the system, this s Not Applicable. +Note: It is valid for this configuration to be in a file with a name that ends with ".conf" and does not begin with a "." in the "/etc/sssd/conf.d/" directory instead of the "/etc/sssd/sssd.conf" file. + + + + If smart card authentication is not being used on the system, this s Not Applicable. Verify that PAM prohibits the use of cached authentications after one day with the following command: 
@@ -2969,20 +7915,62 @@ $ sudo grep offline_credentials_expiration /etc/sssd/sssd.conf /etc/sssd/conf.d/ offline_credentials_expiration = 1 -If "offline_credentials_expiration" is not set to a value of "1" in "/etc/sssd/sssd.conf" or in a file with a name ending in .conf in the "/etc/sssd/conf.d/" directory, this is a finding.SRG-OS-000396-GPOS-00176<GroupDescription></GroupDescription>UBTU-20-010442The Ubuntu operating system must implement NIST FIPS-validated cryptography to protect classified information and for the following: to provision digital signatures, to generate cryptographic hashes, and to protect unclassified information requiring confidentiality and cryptographic protection in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.<VulnDiscussion>Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The operating system must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated. - -Satisfies: SRG-OS-000396-GPOS-00176, SRG-OS-000478-GPOS-00223</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 20.04 LTSDISADPMS TargetCanonical Ubuntu 20.04 LTS5318CCI-002450Configure the system to run in FIPS mode. Add "fips=1" to the kernel parameter during the Ubuntu operating systems install. +If "offline_credentials_expiration" is not set to a value of "1" in "/etc/sssd/sssd.conf" or in a file with a name ending in .conf in the "/etc/sssd/conf.d/" directory, this is a finding. 
+ + + + + SRG-OS-000396-GPOS-00176 + <GroupDescription></GroupDescription> + + UBTU-20-010442 + The Ubuntu operating system must implement NIST FIPS-validated cryptography to protect classified information and for the following: to provision digital signatures, to generate cryptographic hashes, and to protect unclassified information requiring confidentiality and cryptographic protection in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. + <VulnDiscussion>Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The operating system must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated. + +Satisfies: SRG-OS-000396-GPOS-00176, SRG-OS-000478-GPOS-00223</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Canonical Ubuntu 20.04 LTS + DISA + DPMS Target + Canonical Ubuntu 20.04 LTS + 5318 + + CCI-002450 + Configure the system to run in FIPS mode. Add "fips=1" to the kernel parameter during the Ubuntu operating systems install. Enabling a FIPS mode on a pre-existing system involves a number of modifications to the Ubuntu operating system. Refer to the Ubuntu Server 18.04 FIPS 140-2 security policy document for instructions. 
-A subscription to the "Ubuntu Advantage" plan is required in order to obtain the FIPS Kernel cryptographic modules and enable FIPS.Verify the system is configured to run in FIPS mode with the following command: +A subscription to the "Ubuntu Advantage" plan is required in order to obtain the FIPS Kernel cryptographic modules and enable FIPS. + + + + Verify the system is configured to run in FIPS mode with the following command: $ grep -i 1 /proc/sys/crypto/fips_enabled 1 -If a value of "1" is not returned, this is a finding.SRG-OS-000403-GPOS-00182<GroupDescription></GroupDescription>UBTU-20-010443The Ubuntu operating system must only allow the use of DoD PKI-established certificate authorities for verification of the establishment of protected sessions.<VulnDiscussion>Untrusted Certificate Authorities (CA) can issue certificates, but they may be issued by organizations or individuals that seek to compromise DoD systems or by organizations with insufficient security controls. If the CA used for verifying the certificate is not a DoD-approved CA, trust of this CA has not been established. - -The DoD will only accept PKI-certificates obtained from a DoD-approved internal or external certificate authority. Reliance on CAs for the establishment of secure sessions includes, for example, the use of SSL/TLS certificates.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 20.04 LTSDISADPMS TargetCanonical Ubuntu 20.04 LTS5318CCI-002470Configure the Ubuntu operating system to only allow the use of DoD PKI-established certificate authorities for verification of the establishment of protected sessions. 
+If a value of "1" is not returned, this is a finding. + + + + + SRG-OS-000403-GPOS-00182 + <GroupDescription></GroupDescription> + + UBTU-20-010443 + The Ubuntu operating system must only allow the use of DoD PKI-established certificate authorities for verification of the establishment of protected sessions. + <VulnDiscussion>Untrusted Certificate Authorities (CA) can issue certificates, but they may be issued by organizations or individuals that seek to compromise DoD systems or by organizations with insufficient security controls. If the CA used for verifying the certificate is not a DoD-approved CA, trust of this CA has not been established. + +The DoD will only accept PKI-certificates obtained from a DoD-approved internal or external certificate authority. Reliance on CAs for the establishment of secure sessions includes, for example, the use of SSL/TLS certificates.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Canonical Ubuntu 20.04 LTS + DISA + DPMS Target + Canonical Ubuntu 20.04 LTS + 5318 + + CCI-002470 + Configure the Ubuntu operating system to only allow the use of DoD PKI-established certificate authorities for verification of the establishment of protected sessions. Edit the "/etc/ca-certificates.conf" file, adding the character "!" to the beginning of all uncommented lines that do not start with the "!" character with the following command: 
@@ -2992,17 +7980,44 @@ Add at least one DoD certificate authority to the "/usr/local/share/ca-certifica Update the "/etc/ssl/certs" directory with the following command: -$ sudo update-ca-certificatesVerify the directory containing the root certificates for the Ubuntu operating system (/etc/ssl/certs) only contains certificate files for DoD PKI-established certificate authorities. +$ sudo update-ca-certificates + + + + Verify the directory containing the root certificates for the Ubuntu operating system (/etc/ssl/certs) only contains certificate files for DoD PKI-established certificate authorities. Determine if "/etc/ssl/certs" only contains certificate files whose sha256 fingerprint match the fingerprint of DoD PKI-established certificate authorities with the following command: $ for f in $(realpath /etc/ssl/certs/*); do openssl x509 -sha256 -in $f -noout -fingerprint | cut -d= -f2 | tr -d ':' | egrep -vw '(9676F287356C89A12683D65234098CB77C4F1C18F23C0E541DE0E196725B7EBE|B107B33F453E5510F68E513110C6F6944BACC263DF0137F821C1B3C2F8F863D2|559A5189452B13F8233F0022363C06F26E3C517C1D4B77445035959DF3244F74|1F4EDE9DC2A241F6521BF518424ACD49EBE84420E69DAF5BAC57AF1F8EE294A9)'; done -If any entry is found, this is a finding.SRG-OS-000404-GPOS-00183<GroupDescription></GroupDescription>UBTU-20-010444Ubuntu operating system must implement cryptographic mechanisms to prevent unauthorized modification of all information at rest.<VulnDiscussion>Operating systems handling data requiring "data at rest" protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest. - -Selection of a cryptographic mechanism is based on the need to protect the integrity of organizational information. The strength of the mechanism is commensurate with the security category and/or classification of the information. 
Organizations have the flexibility to either encrypt all information on storage devices (i.e., full disk encryption) or encrypt specific data structures (e.g., files, records, or fields).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 20.04 LTSDISADPMS TargetCanonical Ubuntu 20.04 LTS5318CCI-002475To encrypt an entire partition, dedicate a partition for encryption in the partition layout. - -Note: Encrypting a partition in an already-installed system is more difficult because it will need to be resized and existing partitions changed.If there is a documented and approved reason for not having data-at-rest encryption, this requirement is Not Applicable. +If any entry is found, this is a finding. + + + + + SRG-OS-000404-GPOS-00183 + <GroupDescription></GroupDescription> + + UBTU-20-010444 + Ubuntu operating system must implement cryptographic mechanisms to prevent unauthorized modification of all information at rest. + <VulnDiscussion>Operating systems handling data requiring "data at rest" protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest. + +Selection of a cryptographic mechanism is based on the need to protect the integrity of organizational information. The strength of the mechanism is commensurate with the security category and/or classification of the information. 
Organizations have the flexibility to either encrypt all information on storage devices (i.e., full disk encryption) or encrypt specific data structures (e.g., files, records, or fields).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Canonical Ubuntu 20.04 LTS + DISA + DPMS Target + Canonical Ubuntu 20.04 LTS + 5318 + + CCI-002475 + To encrypt an entire partition, dedicate a partition for encryption in the partition layout. + +Note: Encrypting a partition in an already-installed system is more difficult because it will need to be resized and existing partitions changed. + + + + If there is a documented and approved reason for not having data-at-rest encryption, this requirement is Not Applicable. Verify the Ubuntu operating system prevents unauthorized disclosure or modification of all information requiring at-rest protection by using disk encryption. 
@@ -3029,11 +8044,34 @@ $ more /etc/crypttab Every persistent disk partition present must have an entry in the file. -If any partitions other than the boot partition or pseudo file systems (such as /proc or /sys) are not listed, this is a finding.SRG-OS-000405-GPOS-00184<GroupDescription></GroupDescription>UBTU-20-010445Ubuntu operating system must implement cryptographic mechanisms to prevent unauthorized disclosure of all information at rest.<VulnDiscussion>Operating systems handling data requiring "data at rest" protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest. - -Selection of a cryptographic mechanism is based on the need to protect the integrity of organizational information. The strength of the mechanism is commensurate with the security category and/or classification of the information. Organizations have the flexibility to either encrypt all information on storage devices (i.e., full disk encryption) or encrypt specific data structures (e.g., files, records, or fields).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 20.04 LTSDISADPMS TargetCanonical Ubuntu 20.04 LTS5318CCI-002476To encrypt an entire partition, dedicate a partition for encryption in the partition layout. - -Note: Encrypting a partition in an already-installed system is more difficult because it will need to be resized and existing partitions changed.If there is a documented and approved reason for not having data-at-rest encryption, this requirement is Not Applicable. 
+If any partitions other than the boot partition or pseudo file systems (such as /proc or /sys) are not listed, this is a finding. + + + + + SRG-OS-000405-GPOS-00184 + <GroupDescription></GroupDescription> + + UBTU-20-010445 + Ubuntu operating system must implement cryptographic mechanisms to prevent unauthorized disclosure of all information at rest. + <VulnDiscussion>Operating systems handling data requiring "data at rest" protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest. + +Selection of a cryptographic mechanism is based on the need to protect the integrity of organizational information. The strength of the mechanism is commensurate with the security category and/or classification of the information. Organizations have the flexibility to either encrypt all information on storage devices (i.e., full disk encryption) or encrypt specific data structures (e.g., files, records, or fields).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Canonical Ubuntu 20.04 LTS + DISA + DPMS Target + Canonical Ubuntu 20.04 LTS + 5318 + + CCI-002476 + To encrypt an entire partition, dedicate a partition for encryption in the partition layout. + +Note: Encrypting a partition in an already-installed system is more difficult because it will need to be resized and existing partitions changed. + + + + If there is a documented and approved reason for not having data-at-rest encryption, this requirement is Not Applicable. Verify the Ubuntu operating system prevents unauthorized disclosure or modification of all information requiring at-rest protection by using disk encryption. 
@@ -3060,9 +8098,28 @@ $ more /etc/crypttab Every persistent disk partition present must have an entry in the file. -If any partitions other than the boot partition or pseudo file systems (such as /proc or /sys) are not listed, this is a finding.SRG-OS-000420-GPOS-00186<GroupDescription></GroupDescription>UBTU-20-010446The Ubuntu operating system must configure the uncomplicated firewall to rate-limit impacted network interfaces.<VulnDiscussion>Denial of service (DoS) is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. - -This requirement addresses the configuration of the operating system to mitigate the impact of DoS attacks that have occurred or are ongoing on system availability. For each system, known and potential DoS attacks must be identified and solutions for each type implemented. A variety of technologies exist to limit or, in some cases, eliminate the effects of DoS attacks (e.g., limiting processes or establishing memory partitions). Employing increased capacity and bandwidth, combined with service redundancy, may reduce the susceptibility to some DoS attacks.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 20.04 LTSDISADPMS TargetCanonical Ubuntu 20.04 LTS5318CCI-002385Configure the application firewall to protect against or limit the effects of DoS attacks by ensuring the Ubuntu operating system is implementing rate-limiting measures on impacted network interfaces. 
+If any partitions other than the boot partition or pseudo file systems (such as /proc or /sys) are not listed, this is a finding. + + + + + SRG-OS-000420-GPOS-00186 + <GroupDescription></GroupDescription> + + UBTU-20-010446 + The Ubuntu operating system must configure the uncomplicated firewall to rate-limit impacted network interfaces. + <VulnDiscussion>Denial of service (DoS) is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. + +This requirement addresses the configuration of the operating system to mitigate the impact of DoS attacks that have occurred or are ongoing on system availability. For each system, known and potential DoS attacks must be identified and solutions for each type implemented. A variety of technologies exist to limit or, in some cases, eliminate the effects of DoS attacks (e.g., limiting processes or establishing memory partitions). Employing increased capacity and bandwidth, combined with service redundancy, may reduce the susceptibility to some DoS attacks.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Canonical Ubuntu 20.04 LTS + DISA + DPMS Target + Canonical Ubuntu 20.04 LTS + 5318 + + CCI-002385 + Configure the application firewall to protect against or limit the effects of DoS attacks by ensuring the Ubuntu operating system is implementing rate-limiting measures on impacted network interfaces. Check all the services listening to the ports with the following command: 
@@ -3077,7 +8134,11 @@ $ sudo ufw limit [service] Rate-limiting can also be done on an interface. An example of adding a rate-limit on the eth0 interface follows: -$ sudo ufw limit in on eth0Verify an application firewall is configured to rate limit any connection to the system. +$ sudo ufw limit in on eth0 + + + + Verify an application firewall is configured to rate limit any connection to the system. Check all the services listening to the ports with the following command: 
@@ -3097,11 +8158,34 @@ To Action From 22/tcp LIMIT Anywhere 22/tcp (v6) LIMIT Anywhere (v6) -If any port with a state of "LISTEN" is not marked with the "LIMIT" action, this is a finding.SRG-OS-000433-GPOS-00192<GroupDescription></GroupDescription>UBTU-20-010447The Ubuntu operating system must implement non-executable data to protect its memory from unauthorized code execution.<VulnDiscussion>Some adversaries launch attacks with the intent of executing code in non-executable regions of memory or in memory locations that are prohibited. Security safeguards employed to protect memory include, for example, data execution prevention and address space layout randomization. Data execution prevention safeguards can either be hardware-enforced or software-enforced with hardware providing the greater strength of mechanism. - -Examples of attacks are buffer overflow attacks.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 20.04 LTSDISADPMS TargetCanonical Ubuntu 20.04 LTS5318CCI-002824Configure the Ubuntu operating system to enable NX. - -If "nx" is not showing up in "/proc/cpuinfo", and the system's BIOS setup configuration permits toggling the No Execution bit, set it to "enable".Verify the NX (no-execution) bit flag is set on the system with the following commands: +If any port with a state of "LISTEN" is not marked with the "LIMIT" action, this is a finding. + + + + + SRG-OS-000433-GPOS-00192 + <GroupDescription></GroupDescription> + + UBTU-20-010447 + The Ubuntu operating system must implement non-executable data to protect its memory from unauthorized code execution. 
+ <VulnDiscussion>Some adversaries launch attacks with the intent of executing code in non-executable regions of memory or in memory locations that are prohibited. Security safeguards employed to protect memory include, for example, data execution prevention and address space layout randomization. Data execution prevention safeguards can either be hardware-enforced or software-enforced with hardware providing the greater strength of mechanism. + +Examples of attacks are buffer overflow attacks.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Canonical Ubuntu 20.04 LTS + DISA + DPMS Target + Canonical Ubuntu 20.04 LTS + 5318 + + CCI-002824 + Configure the Ubuntu operating system to enable NX. + +If "nx" is not showing up in "/proc/cpuinfo", and the system's BIOS setup configuration permits toggling the No Execution bit, set it to "enable". + + + + Verify the NX (no-execution) bit flag is set on the system with the following commands: $ dmesg | grep -i "execute disable" [ 0.000000] NX (Execute Disable) protection: active 
@@ -3111,13 +8195,36 @@ If "dmesg" does not show "NX (Execute Disable) protection: active", check the cp $ grep flags /proc/cpuinfo | grep -w nx | sort -u flags : fpu vme de pse tsc ms nx rdtscp lm constant_tsc -If "flags" does not contain the "nx" flag, this is a finding.SRG-OS-000433-GPOS-00193<GroupDescription></GroupDescription>UBTU-20-010448The Ubuntu operating system must implement address space layout randomization to protect its memory from unauthorized code execution.<VulnDiscussion>Some adversaries launch attacks with the intent of executing code in non-executable regions of memory or in memory locations that are prohibited. Security safeguards employed to protect memory include, for example, data execution prevention and address space layout randomization. Data execution prevention safeguards can either be hardware-enforced or software-enforced with hardware providing the greater strength of mechanism. - -Examples of attacks are buffer overflow attacks.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 20.04 LTSDISADPMS TargetCanonical Ubuntu 20.04 LTS5318CCI-002824Remove the "kernel.randomize_va_space" entry found in the "/etc/sysctl.conf" file or any file located in the "/etc/sysctl.d/" directory. +If "flags" does not contain the "nx" flag, this is a finding. + + + + + SRG-OS-000433-GPOS-00193 + <GroupDescription></GroupDescription> + + UBTU-20-010448 + The Ubuntu operating system must implement address space layout randomization to protect its memory from unauthorized code execution. 
+ <VulnDiscussion>Some adversaries launch attacks with the intent of executing code in non-executable regions of memory or in memory locations that are prohibited. Security safeguards employed to protect memory include, for example, data execution prevention and address space layout randomization. Data execution prevention safeguards can either be hardware-enforced or software-enforced with hardware providing the greater strength of mechanism. + +Examples of attacks are buffer overflow attacks.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Canonical Ubuntu 20.04 LTS + DISA + DPMS Target + Canonical Ubuntu 20.04 LTS + 5318 + + CCI-002824 + Remove the "kernel.randomize_va_space" entry found in the "/etc/sysctl.conf" file or any file located in the "/etc/sysctl.d/" directory. After the line has been removed, the kernel settings from all system configuration files must be reloaded before any of the changes will take effect. Run the following command to reload all of the kernel system configuration files: -$ sudo sysctl --systemVerify the Ubuntu operating system implements address space layout randomization (ASLR) with the following command: +$ sudo sysctl --system + + + + Verify the Ubuntu operating system implements address space layout randomization (ASLR) with the following command: $ sudo sysctl kernel.randomize_va_space 
@@ -3135,22 +8242,68 @@ Verify that a saved value of the "kernel.randomize_va_space" variable is not def $ sudo egrep -R "^kernel.randomize_va_space=[^2]" /etc/sysctl.conf /etc/sysctl.d -If this returns a result, this is a finding.SRG-OS-000437-GPOS-00194<GroupDescription></GroupDescription>UBTU-20-010449The Ubuntu operating system must be configured so that Advance Package Tool (APT) removes all software components after updated versions have been installed.<VulnDiscussion>Previous versions of software components that are not removed from the information system after updates have been installed may be exploited by adversaries. Some information technology products may remove older versions of software automatically from the information system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 20.04 LTSDISADPMS TargetCanonical Ubuntu 20.04 LTS5318CCI-002617Configure APT to remove all software components after updated versions have been installed. +If this returns a result, this is a finding. + + + + + SRG-OS-000437-GPOS-00194 + <GroupDescription></GroupDescription> + + UBTU-20-010449 + The Ubuntu operating system must be configured so that Advance Package Tool (APT) removes all software components after updated versions have been installed. + <VulnDiscussion>Previous versions of software components that are not removed from the information system after updates have been installed may be exploited by adversaries. 
Some information technology products may remove older versions of software automatically from the information system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Canonical Ubuntu 20.04 LTS + DISA + DPMS Target + Canonical Ubuntu 20.04 LTS + 5318 + + CCI-002617 + Configure APT to remove all software components after updated versions have been installed. Add or updated the following options to the "/etc/apt/apt.conf.d/50unattended-upgrades" file: Unattended-Upgrade::Remove-Unused-Dependencies "true"; -Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";Verify is configured to remove all software components after updated versions have been installed with the following command: +Unattended-Upgrade::Remove-Unused-Kernel-Packages "true"; + + + + Verify is configured to remove all software components after updated versions have been installed with the following command: $ grep -i remove-unused /etc/apt/apt.conf.d/50unattended-upgrades Unattended-Upgrade::Remove-Unused-Dependencies "true"; Unattended-Upgrade::Remove-Unused-Kernel-Packages "true"; -If the "::Remove-Unused-Dependencies" and "::Remove-Unused-Kernel-Packages" parameters are not set to "true" or are missing or commented out, this is a finding.SRG-OS-000445-GPOS-00199<GroupDescription></GroupDescription>UBTU-20-010450The Ubuntu operating system must use a file integrity tool to verify correct operation of all security functions.<VulnDiscussion>Without verification of the security functions, security functions may not operate correctly and the failure may go unnoticed. 
Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters. - -This requirement applies to the Ubuntu operating system performing security function verification/testing and/or systems and environments that require this functionality.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 20.04 LTSDISADPMS TargetCanonical Ubuntu 20.04 LTS5318CCI-002696Install the AIDE package by running the following command: - -$ sudo apt-get install aideVerify that Advanced Intrusion Detection Environment (AIDE) is installed and verifies the correct operation of all security functions. +If the "::Remove-Unused-Dependencies" and "::Remove-Unused-Kernel-Packages" parameters are not set to "true" or are missing or commented out, this is a finding. + + + + + SRG-OS-000445-GPOS-00199 + <GroupDescription></GroupDescription> + + UBTU-20-010450 + The Ubuntu operating system must use a file integrity tool to verify correct operation of all security functions. + <VulnDiscussion>Without verification of the security functions, security functions may not operate correctly and the failure may go unnoticed. 
Security function is defined as the hardware, software, and/or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based. Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters. + +This requirement applies to the Ubuntu operating system performing security function verification/testing and/or systems and environments that require this functionality.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Canonical Ubuntu 20.04 LTS + DISA + DPMS Target + Canonical Ubuntu 20.04 LTS + 5318 + + CCI-002696 + Install the AIDE package by running the following command: + +$ sudo apt-get install aide + + + + Verify that Advanced Intrusion Detection Environment (AIDE) is installed and verifies the correct operation of all security functions. Check that the AIDE package is installed with the following command: 
@@ -3159,22 +8312,66 @@ ii aide 0.16.1-1build2 amd64 Advanced Intrusion Detection Environment - s If AIDE is not installed, ask the System Administrator how file integrity checks are performed on the system. -If no application is installed to perform integrity checks, this is a finding.SRG-OS-000447-GPOS-00201<GroupDescription></GroupDescription>UBTU-20-010451The Ubuntu operating system must notify designated personnel if baseline configurations are changed in an unauthorized manner. The file integrity tool must notify the System Administrator when changes to the baseline configuration or anomalies in the operation of any security functions are discovered.<VulnDiscussion>Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the Ubuntu operating system. Changes to Ubuntu operating system configurations can have unintended side effects, some of which may be relevant to security. - -Detecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the Ubuntu operating system. The Ubuntu operating system's IMO/ISSO and SAs must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 20.04 LTSDISADPMS TargetCanonical Ubuntu 20.04 LTS5318CCI-002702Configure the Ubuntu operating system to notify designated personnel if baseline configurations are changed in an unauthorized manner. 
- -Modify the "SILENTREPORTS" parameter in the "/etc/default/aide" file with a value of "no" if it does not already exist.Verify that Advanced Intrusion Detection Environment (AIDE) notifies the System Administrator +If no application is installed to perform integrity checks, this is a finding. + + + + + SRG-OS-000447-GPOS-00201 + <GroupDescription></GroupDescription> + + UBTU-20-010451 + The Ubuntu operating system must notify designated personnel if baseline configurations are changed in an unauthorized manner. The file integrity tool must notify the System Administrator when changes to the baseline configuration or anomalies in the operation of any security functions are discovered. + <VulnDiscussion>Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the Ubuntu operating system. Changes to Ubuntu operating system configurations can have unintended side effects, some of which may be relevant to security. + +Detecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the Ubuntu operating system. The Ubuntu operating system's IMO/ISSO and SAs must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Canonical Ubuntu 20.04 LTS + DISA + DPMS Target + Canonical Ubuntu 20.04 LTS + 5318 + + CCI-002702 + Configure the Ubuntu operating system to notify designated personnel if baseline configurations are changed in an unauthorized manner. 
+ +Modify the "SILENTREPORTS" parameter in the "/etc/default/aide" file with a value of "no" if it does not already exist. + + + + Verify that Advanced Intrusion Detection Environment (AIDE) notifies the System Administrator when anomalies in the operation of any security functions are discovered with the following command: -$ sudo grep SILENTREPORTS /etc/default/aide - -SILENTREPORTS=no - -If SILENTREPORTS is uncommented and set to "yes", this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>UBTU-20-010453The Ubuntu operating system must display the date and time of the last successful account logon upon logon.<VulnDiscussion>Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, services, and remote connections.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 20.04 LTSDISADPMS TargetCanonical Ubuntu 20.04 LTS5318CCI-000052Configure the Ubuntu operating system to provide users with feedback on when account accesses last occurred by setting the required configuration options in "/etc/pam.d/login". +$ sudo grep SILENTREPORTS /etc/default/aide SILENTREPORTS=no + +If SILENTREPORTS is uncommented and set to "yes", this is a finding. 
+ + + + + SRG-OS-000480-GPOS-00227 + <GroupDescription></GroupDescription> + + UBTU-20-010453 + The Ubuntu operating system must display the date and time of the last successful account logon upon logon. + <VulnDiscussion>Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, services, and remote connections.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Canonical Ubuntu 20.04 LTS + DISA + DPMS Target + Canonical Ubuntu 20.04 LTS + 5318 + + CCI-000052 + Configure the Ubuntu operating system to provide users with feedback on when account accesses last occurred by setting the required configuration options in "/etc/pam.d/login". Add the following line to the top of "/etc/pam.d/login": -session required pam_lastlog.so showfailedVerify users are provided with feedback on when account accesses last occurred. +session required pam_lastlog.so showfailed + + + + Verify users are provided with feedback on when account accesses last occurred. Check that "pam_lastlog" is used and not silent with the following command: 
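Review bot: The re-indented check-content for UBTU-20-010451 joins the command and its expected output into one line, `$ sudo grep SILENTREPORTS /etc/default/aide SILENTREPORTS=no`, whereas the removed side had them as separate lines; read literally, grep would take `SILENTREPORTS=no` as a second file name, and the expected-output line is no longer recognisable as such. The same collapse appears in the UBTU-20-010459 hunk, where `[org/gnome/settings-daemon/plugins/media-keys] logout=''` is folded onto the prose line before it and `# grep logout /etc/dconf/db/local.d/* logout=''` merges the check command with its expected result. Whatever pretty-printer produced this commit appears to normalise newlines inside text nodes, which is unsafe for fixtext and check-content; only element-level whitespace should change, so these should be restored to `$ sudo grep SILENTREPORTS /etc/default/aide` followed by `SILENTREPORTS=no` on its own line. A whitespace-insensitive diff of the old and new files would show whether other text nodes were altered the same way.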
@@ -3182,13 +8379,36 @@ $ grep pam_lastlog /etc/pam.d/login session required pam_lastlog.so showfailed -If "pam_lastlog" is missing from "/etc/pam.d/login" file, is not "required", or the "silent" option is present, this is a finding.SRG-OS-000480-GPOS-00232<GroupDescription></GroupDescription>UBTU-20-010454The Ubuntu operating system must have an application firewall enabled.<VulnDiscussion>Firewalls protect computers from network attacks by blocking or limiting access to open network ports. Application firewalls limit which applications are allowed to communicate over the network.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 20.04 LTSDISADPMS TargetCanonical Ubuntu 20.04 LTS5318CCI-000366Enable the Uncomplicated Firewall by using the following command: +If "pam_lastlog" is missing from "/etc/pam.d/login" file, is not "required", or the "silent" option is present, this is a finding. + + + + + SRG-OS-000480-GPOS-00232 + <GroupDescription></GroupDescription> + + UBTU-20-010454 + The Ubuntu operating system must have an application firewall enabled. + <VulnDiscussion>Firewalls protect computers from network attacks by blocking or limiting access to open network ports. 
Application firewalls limit which applications are allowed to communicate over the network.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Canonical Ubuntu 20.04 LTS + DISA + DPMS Target + Canonical Ubuntu 20.04 LTS + 5318 + + CCI-000366 + Enable the Uncomplicated Firewall by using the following command: $ sudo systemctl enable ufw.service If the Uncomplicated Firewall is not currently running on the system, start it with the following command: -$ sudo systemctl start ufw.serviceVerify the Uncomplicated Firewall is enabled on the system by running the following command: +$ sudo systemctl start ufw.service + + + + Verify the Uncomplicated Firewall is enabled on the system by running the following command: $ systemctl status ufw.service | grep -i "active:" 
@@ -3196,11 +8416,34 @@ Active: active (exited) since Mon 2016-10-17 12:30:29 CDT; 1s ago If the above command returns the status as "inactive", this is a finding. -If the Uncomplicated Firewall is not installed, ask the System Administrator if another application firewall is installed. If no application firewall is installed, this is a finding.SRG-OS-000259-GPOS-00100<GroupDescription></GroupDescription>UBTU-20-010456The Ubuntu operating system must have system commands set to a mode of 0755 or less permissive.<VulnDiscussion>If the Ubuntu operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. - -This requirement applies to Ubuntu operating systems with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. Only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 20.04 LTSDISADPMS TargetCanonical Ubuntu 20.04 LTS5318CCI-001499Configure the system commands to be protected from unauthorized access. 
Run the following command: - -$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm /022 -type f -exec chmod 755 '{}' \;Verify the system commands contained in the following directories have mode 0755 or less permissive: +If the Uncomplicated Firewall is not installed, ask the System Administrator if another application firewall is installed. If no application firewall is installed, this is a finding. + + + + + SRG-OS-000259-GPOS-00100 + <GroupDescription></GroupDescription> + + UBTU-20-010456 + The Ubuntu operating system must have system commands set to a mode of 0755 or less permissive. + <VulnDiscussion>If the Ubuntu operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. + +This requirement applies to Ubuntu operating systems with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. Only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Canonical Ubuntu 20.04 LTS + DISA + DPMS Target + Canonical Ubuntu 20.04 LTS + 5318 + + CCI-001499 + Configure the system commands to be protected from unauthorized access. 
Run the following command: + +$ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm /022 -type f -exec chmod 755 '{}' \; + + + + Verify the system commands contained in the following directories have mode 0755 or less permissive: /bin /sbin 
@@ -3213,11 +8456,34 @@ Check that the system command files have mode 0755 or less permissive with the f $ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm /022 -type f -exec stat -c "%n %a" '{}' \; -If any files are found to be group-writable or world-writable, this is a finding.SRG-OS-000259-GPOS-00100<GroupDescription></GroupDescription>UBTU-20-010457The Ubuntu operating system must have system commands owned by root or a system account.<VulnDiscussion>If the Ubuntu operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. - -This requirement applies to Ubuntu operating systems with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. Only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 20.04 LTSDISADPMS TargetCanonical Ubuntu 20.04 LTS5318CCI-001499Configure the system commands and their respective parent directories to be protected from unauthorized access. 
Run the following command, replacing "[FILE]" with any system command file not owned by "root" or a required system account: - -$ sudo chown root [FILE]Verify the system commands contained in the following directories are owned by root, or a required system account: +If any files are found to be group-writable or world-writable, this is a finding. + + + + + SRG-OS-000259-GPOS-00100 + <GroupDescription></GroupDescription> + + UBTU-20-010457 + The Ubuntu operating system must have system commands owned by root or a system account. + <VulnDiscussion>If the Ubuntu operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. + +This requirement applies to Ubuntu operating systems with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. Only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Canonical Ubuntu 20.04 LTS + DISA + DPMS Target + Canonical Ubuntu 20.04 LTS + 5318 + + CCI-001499 + Configure the system commands and their respective parent directories to be protected from unauthorized access. 
Run the following command, replacing "[FILE]" with any system command file not owned by "root" or a required system account: + +$ sudo chown root [FILE] + + + + Verify the system commands contained in the following directories are owned by root, or a required system account: /bin /sbin 
@@ -3230,11 +8496,34 @@ Use the following command for the check: $ sudo find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -user root -type f -exec stat -c "%n %U" '{}' \; -If any system commands are returned and are not owned by a required system account, this is a finding.SRG-OS-000259-GPOS-00100<GroupDescription></GroupDescription>UBTU-20-010458The Ubuntu operating system must have system commands group-owned by root or a system account.<VulnDiscussion>If the Ubuntu operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. - -This requirement applies to Ubuntu operating systems with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. Only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 20.04 LTSDISADPMS TargetCanonical Ubuntu 20.04 LTS5318CCI-001499Configure the system commands to be protected from unauthorized access. 
Run the following command, replacing "[FILE]" with any system command file not group-owned by "root" or a required system account: - -$ sudo chgrp root [FILE]Verify the system commands contained in the following directories are group-owned by root or a required system account: +If any system commands are returned and are not owned by a required system account, this is a finding. + + + + + SRG-OS-000259-GPOS-00100 + <GroupDescription></GroupDescription> + + UBTU-20-010458 + The Ubuntu operating system must have system commands group-owned by root or a system account. + <VulnDiscussion>If the Ubuntu operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. + +This requirement applies to Ubuntu operating systems with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. Only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Canonical Ubuntu 20.04 LTS + DISA + DPMS Target + Canonical Ubuntu 20.04 LTS + 5318 + + CCI-001499 + Configure the system commands to be protected from unauthorized access. 
Run the following command, replacing "[FILE]" with any system command file not group-owned by "root" or a required system account: + +$ sudo chgrp root [FILE] + + + + Verify the system commands contained in the following directories are group-owned by root or a required system account: /bin /sbin 
@@ -3247,24 +8536,61 @@ Run the check with the following command: $ sudo find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -group root -type f ! -perm /2000 -exec stat -c "%n %G" '{}' \; -If any system commands are returned that are not Set Group ID upon execution (SGID) files and group-owned by a required system account, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>UBTU-20-010459The Ubuntu operating system must disable the x86 Ctrl-Alt-Delete key sequence if a graphical user interface is installed.<VulnDiscussion>A locally logged-on user who presses Ctrl-Alt-Delete, when at the console, can reboot the system. If accidentally pressed, as could happen in the case of a mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot. In the graphical environment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is reduced because the user will be prompted before any action is taken.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 20.04 LTSDISADPMS TargetCanonical Ubuntu 20.04 LTS5318CCI-000366Configure the system to disable the Ctrl-Alt-Delete sequence when using a graphical user interface by creating or editing the /etc/dconf/db/local.d/00-disable-CAD file. - -Add the setting to disable the Ctrl-Alt-Delete sequence for the graphical user interface: - -[org/gnome/settings-daemon/plugins/media-keys] -logout='' +If any system commands are returned that are not Set Group ID upon execution (SGID) files and group-owned by a required system account, this is a finding. 
+ + + + + SRG-OS-000480-GPOS-00227 + <GroupDescription></GroupDescription> + + UBTU-20-010459 + The Ubuntu operating system must disable the x86 Ctrl-Alt-Delete key sequence if a graphical user interface is installed. + <VulnDiscussion>A locally logged-on user who presses Ctrl-Alt-Delete, when at the console, can reboot the system. If accidentally pressed, as could happen in the case of a mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot. In the graphical environment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is reduced because the user will be prompted before any action is taken.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Canonical Ubuntu 20.04 LTS + DISA + DPMS Target + Canonical Ubuntu 20.04 LTS + 5318 + + CCI-000366 + Configure the system to disable the Ctrl-Alt-Delete sequence when using a graphical user interface by creating or editing the /etc/dconf/db/local.d/00-disable-CAD file. + +Add the setting to disable the Ctrl-Alt-Delete sequence for the graphical user interface: [org/gnome/settings-daemon/plugins/media-keys] logout='' Update the dconf settings: -# dconf updateVerify the Ubuntu operating system is not configured to reboot the system when Ctrl-Alt-Delete is pressed when using a graphical user interface. +# dconf update + + + + Verify the Ubuntu operating system is not configured to reboot the system when Ctrl-Alt-Delete is pressed when using a graphical user interface. 
Check that the "logout" target is not bound to an action with the following command: -# grep logout /etc/dconf/db/local.d/* - -logout='' - -If the "logout" key is bound to an action, is commented out, or is missing, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>UBTU-20-010460The Ubuntu operating system must disable the x86 Ctrl-Alt-Delete key sequence.<VulnDiscussion>A locally logged-on user who presses Ctrl-Alt-Delete, when at the console, can reboot the system. If accidentally pressed, as could happen in the case of a mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 20.04 LTSDISADPMS TargetCanonical Ubuntu 20.04 LTS5318CCI-000366Configure the system to disable the Ctrl-Alt-Delete sequence for the command line with the following commands: +# grep logout /etc/dconf/db/local.d/* logout='' + +If the "logout" key is bound to an action, is commented out, or is missing, this is a finding. + + + + + SRG-OS-000480-GPOS-00227 + <GroupDescription></GroupDescription> + + UBTU-20-010460 + The Ubuntu operating system must disable the x86 Ctrl-Alt-Delete key sequence. + <VulnDiscussion>A locally logged-on user who presses Ctrl-Alt-Delete, when at the console, can reboot the system. 
If accidentally pressed, as could happen in the case of a mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Canonical Ubuntu 20.04 LTS + DISA + DPMS Target + Canonical Ubuntu 20.04 LTS + 5318 + + CCI-000366 + Configure the system to disable the Ctrl-Alt-Delete sequence for the command line with the following commands: $ sudo systemctl disable ctrl-alt-del.target @@ -3272,7 +8598,11 @@ $ sudo systemctl mask ctrl-alt-del.target Reload the daemon to take effect: -$ sudo systemctl daemon-reloadVerify the Ubuntu operating system is not configured to reboot the system when Ctrl-Alt-Delete is pressed. +$ sudo systemctl daemon-reload + + + + Verify the Ubuntu operating system is not configured to reboot the system when Ctrl-Alt-Delete is pressed. Check that the "ctrl-alt-del.target" (otherwise also known as reboot.target) is not active with the following command: 
@@ -3281,26 +8611,91 @@ ctrl-alt-del.target Loaded: masked (Reason: Unit ctrl-alt-del.target is masked.) Active: inactive (dead) -If the "ctrl-alt-del.target" is not masked, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>UBTU-20-010462The Ubuntu operating system must not have accounts configured with blank or null passwords.<VulnDiscussion>If an account has an empty password, anyone could log on and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 20.04 LTSDISADPMS TargetCanonical Ubuntu 20.04 LTS5318CCI-000366Configure all accounts on the system to have a password or lock the account with the following commands: +If the "ctrl-alt-del.target" is not masked, this is a finding. + + + + + SRG-OS-000480-GPOS-00227 + <GroupDescription></GroupDescription> + + UBTU-20-010462 + The Ubuntu operating system must not have accounts configured with blank or null passwords. + <VulnDiscussion>If an account has an empty password, anyone could log on and run commands with the privileges of that account. 
Accounts with empty passwords should never be used in operational environments.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Canonical Ubuntu 20.04 LTS + DISA + DPMS Target + Canonical Ubuntu 20.04 LTS + 5318 + + CCI-000366 + Configure all accounts on the system to have a password or lock the account with the following commands: Perform a password reset: $ sudo passwd [username] Lock an account: -$ sudo passwd -l [username]Check the "/etc/shadow" file for blank passwords with the following command: +$ sudo passwd -l [username] + + + + Check the "/etc/shadow" file for blank passwords with the following command: $ sudo awk -F: '!$2 {print $1}' /etc/shadow -If the command returns any results, this is a finding.SRG-OS-000480-GPOS-00227<GroupDescription></GroupDescription>UBTU-20-010463The Ubuntu operating system must not allow accounts configured with blank or null passwords.<VulnDiscussion>If an account has an empty password, anyone could log on and run commands with the privileges of that account. 
Accounts with empty passwords should never be used in operational environments.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 20.04 LTSDISADPMS TargetCanonical Ubuntu 20.04 LTS5318CCI-000366If an account is configured for password authentication but does not have an assigned password, it may be possible to log on to the account without authenticating. - -Remove any instances of the "nullok" option in "/etc/pam.d/common-password" to prevent logons with empty passwords.To verify that null passwords cannot be used, run the following command: +If the command returns any results, this is a finding. + + + + + SRG-OS-000480-GPOS-00227 + <GroupDescription></GroupDescription> + + UBTU-20-010463 + The Ubuntu operating system must not allow accounts configured with blank or null passwords. + <VulnDiscussion>If an account has an empty password, anyone could log on and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Canonical Ubuntu 20.04 LTS + DISA + DPMS Target + Canonical Ubuntu 20.04 LTS + 5318 + + CCI-000366 + If an account is configured for password authentication but does not have an assigned password, it may be possible to log on to the account without authenticating. 
+ +Remove any instances of the "nullok" option in "/etc/pam.d/common-password" to prevent logons with empty passwords. + + + + To verify that null passwords cannot be used, run the following command: $ grep nullok /etc/pam.d/common-password If this produces any output, it may be possible to log on with accounts with empty passwords. -If null passwords can be used, this is a finding.SRG-OS-000378-GPOS-00163<GroupDescription></GroupDescription>UBTU-20-010461The Ubuntu operating system must disable automatic mounting of Universal Serial Bus (USB) mass storage driver.<VulnDiscussion>Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. - -Peripherals include, but are not limited to, such devices as flash drives, external storage, and printers.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 20.04 LTSDISADPMS TargetCanonical Ubuntu 20.04 LTS5318CCI-001958Configure the Ubuntu operating system to disable using the USB storage kernel module. +If null passwords can be used, this is a finding. + + + + + SRG-OS-000378-GPOS-00163 + <GroupDescription></GroupDescription> + + UBTU-20-010461 + The Ubuntu operating system must disable automatic mounting of Universal Serial Bus (USB) mass storage driver. + <VulnDiscussion>Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. 
+ +Peripherals include, but are not limited to, such devices as flash drives, external storage, and printers.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Canonical Ubuntu 20.04 LTS + DISA + DPMS Target + Canonical Ubuntu 20.04 LTS + 5318 + + CCI-001958 + Configure the Ubuntu operating system to disable using the USB storage kernel module. Create a file under "/etc/modprobe.d" to contain the following:
@@ -3308,7 +8703,11 @@ Create a file under "/etc/modprobe.d" to contain the following: Configure the operating system to disable the ability to use USB mass storage devices.
-# sudo su -c "echo blacklist usb-storage >> /etc/modprobe.d/DISASTIG.conf"Verify that Ubuntu operating system disables ability to load the USB storage kernel module.
+# sudo su -c "echo blacklist usb-storage >> /etc/modprobe.d/DISASTIG.conf" + + + + Verify that Ubuntu operating system disables ability to load the USB storage kernel module. # grep usb-storage /etc/modprobe.d/* | grep "/bin/true"
@@ -3322,11 +8721,30 @@ Verify the operating system disables the ability to use USB mass storage device. blacklist usb-storage
-If the command does not return any output, or the line is commented out, this is a finding.SRG-OS-000481-GPOS-00481<GroupDescription></GroupDescription>UBTU-20-010455The Ubuntu operating system must disable all wireless network adapters.<VulnDiscussion>Without protection of communications with wireless peripherals, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read, altered, or used to compromise the operating system.
+If the command does not return any output, or the line is commented out, this is a finding. + + + + + SRG-OS-000481-GPOS-00481 + <GroupDescription></GroupDescription> + + UBTU-20-010455 + The Ubuntu operating system must disable all wireless network adapters. + <VulnDiscussion>Without protection of communications with wireless peripherals, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read, altered, or used to compromise the operating system. This requirement applies to wireless peripheral technologies (e.g., wireless mice, keyboards, displays, etc.) used with an operating system. Wireless peripherals (e.g., Wi-Fi/Bluetooth/IR Keyboards, Mice, and Pointing Devices and Near Field Communications [NFC]) present a unique challenge by creating an open, unsecured port on a computer. Wireless peripherals must meet DoD requirements for wireless data transmission and be approved for use by the AO. Even though some wireless peripherals, such as mice and pointing devices, do not ordinarily carry information that need to be protected, modification of communications with these wireless peripherals may be used to compromise the operating system. Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification.
-Protecting the confidentiality and integrity of communications with wireless peripherals can be accomplished by physical means (e.g., employing physical barriers to wireless radio frequencies) or by logical means (e.g., employing cryptographic techniques). If physical means of protection are employed, then logical means (cryptography) do not have to be employed, and vice versa. If the wireless peripheral is only passing telemetry data, encryption of the data may not be required.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Canonical Ubuntu 20.04 LTSDISADPMS TargetCanonical Ubuntu 20.04 LTS5318CCI-002418List all the wireless interfaces with the following command: +Protecting the confidentiality and integrity of communications with wireless peripherals can be accomplished by physical means (e.g., employing physical barriers to wireless radio frequencies) or by logical means (e.g., employing cryptographic techniques). If physical means of protection are employed, then logical means (cryptography) do not have to be employed, and vice versa. 
If the wireless peripheral is only passing telemetry data, encryption of the data may not be required.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + + DPMS Target Canonical Ubuntu 20.04 LTS + DISA + DPMS Target + Canonical Ubuntu 20.04 LTS + 5318 + + CCI-002418 + List all the wireless interfaces with the following command: $ ls -L -d /sys/class/net/*/wireless | xargs dirname | xargs basename
@@ -3346,10 +8764,18 @@ install <module name> /bin/true For each module from the system, execute the following command to remove it:
-$ sudo modprobe -r <module name>Note: This requirement is Not Applicable for systems that do not have physical wireless network radios.
+$ sudo modprobe -r <module name> + + + + Note: This requirement is Not Applicable for systems that do not have physical wireless network radios. Verify that there are no wireless interfaces configured on the system with the following command: $ ls -L -d /sys/class/net/*/wireless | xargs dirname | xargs basename
-If a wireless interface is configured and has not been documented and approved by the ISSO, this is a finding.
\ No newline at end of file
+If a wireless interface is configured and has not been documented and approved by the ISSO, this is a finding. + + + +
\ No newline at end of file
diff --git a/index2.html b/index2.html
new file mode 100644
index 000000000..ad8c39a3e
--- /dev/null
+++ b/index2.html
@@ -0,0 +1,10046 @@ + + + + + + + +
+
+
+

MITRE SAF STIG Data

+

A collection of STIG data from DOD Cyber Exchange

+
+ +
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 
+ + + + + + + + + + + + + + + + + + + + +
STIG IDAction + Download +
+ 4e1e5be3-2e0e-466b-bf5e-77b97ed29301 + + A10 Networks ADC ALG - Ver 2, Rel 1 + + Download + + 523.3 KB + + Download Action +
+ 0207e16e-046a-4f38-a3b1-a87c1c5b8e8a + + A10 Networks Application Delivery Controller (ADC) NDM STIG Ver 1 + + Download + + 269.56 KB + + Download Action +
+ 85816b07-989c-4652-b4aa-5cfae7c56723 + + A10 Networks Application Delivery Controller (ADC) Overview, Ver 1 + + Download + + 86.24 KB + + Download Action +
+ e6c0ff53-4618-4b9b-875b-4368626ec33f + + AAA SRG - Ver 1, Rel 2 + + Download + + 665.83 KB + + Download Action +
+ d74d7563-e821-4771-b37b-eca4ec5377bc + + Active Directory Domain STIG - Ver 3, Rel 2 + + Download + + 668.75 KB + + Download Action +
+ e2e884eb-ec6d-4363-9d39-9d8a8bdb6c1e + + Active Directory Forest STIG - Ver 2, Rel 8 + + Download + + 433.92 KB + + Download Action +
+ 920ba3e9-82f9-4db0-9f43-00259a02b732 + + Adobe Acrobat Professional DC Continuous Track STIG - Ver 2, Rel 1 + + Download + + 1.33 MB + + Download Action +
+ d94a4b36-b8c8-4a70-9cd7-91aabbe2b35c + + Adobe Acrobat Reader DC Continuous Track STIG - Ver 2, Rel 1 + + Download + + 818.02 KB + + Download Action +
+ d020164d-4bb1-43a6-9f33-14d3dfee668d + + Adobe Acrobat Reader DC Continuous Track STIG Benchmark - Ver 2, Rel 2 + + Download + + 10.86 KB + + Download Action +
+ 3b69de7f-225c-4ce6-9a41-5c754e0cad57 + + Akamai KSD Service IL2 ALG STIG Version 1 + + Download + + 314.77 KB + + Download Action +
+ 84b9d098-af1e-450f-8121-110824945c45 + + Akamai KSD Service IL2 NDM STIG Version 1 + + Download + + 309.02 KB + + Download Action +
+ 299f3008-2092-4db1-b5bb-0c55313cb536 + + Akamai KSD Service IL2 STIG Overview + + Download + + 136.95 KB + + Download Action +
+ 27df0561-f1a8-4f2e-8df0-a53ec8085179 + + Apache 2.2 STIG UNIX - Ver 1, Rel 11 + + Download + + 839.22 KB + + Download Action +
+ 23333287-72cf-428b-aaa0-e4bbb3dbc0a9 + + Apache 2.2 STIG Windows - Ver 1, Rel 13 + + Download + + 827.34 KB + + Download Action +
+ f6ed69b9-98be-4330-a694-8539d924037b + + Apache Tomcat Application Server 9 STIG - Ver 2, Rel 4 + + Download + + 1.61 MB + + Download Action +
+ f79fdead-ac9e-412e-80a3-81cc021d65ef + + Sunset - Apple iOS 12 STIG - Ver 2, Rel 1 + + Download + + 1.34 MB + + Download Action +
+ 3987fd28-1763-44b8-8991-a409a09d2c60 + + Sunset - Apple iOS/iPadOS 14 STIG - Ver 1, Rel 3 + + Download + + 1.61 MB + + Download Action +
+ c3da423c-64a1-4fb7-bb67-bd64b52ccdfd + + Apple iOS/iPadOS 15 STIG - Ver 1, Rel 3 + + Download + + 1.05 MB + + Download Action +
+ 234dd4bf-49ca-446b-b5dd-657a7ee6cc27 + + Apple OS X 10.15 STIG - Ver 1, Rel 9 + + Download + + 1.54 MB + + Download Action +
+ 518c2a1b-923a-41c3-b656-ed4fa497981d + + Apple macOS 11 (Big Sur) STIG - Ver 1, Rel 6 + + Download + + 1.03 MB + + Download Action +
+ 0e97a122-3cff-4608-a1cd-53311dce600a + + Apple macOS 12 (Monterey) STIG - Ver 1, Rel 4 + + Download + + 949.59 KB + + Download Action +
+ e99d5ed1-f483-4755-a7fa-added014f9d5 + + Application Layer Gateway (ALG) SRG - Ver 1, Rel 2 + + Download + + 579.7 KB + + Download Action +
+ 0da6441c-a8ea-4c34-a1c2-9064166cc63f + + Application Security and Development STIG - Ver 5, Rel 2 + + Download + + 870.45 KB + + Download Action +
+ 7c44937e-4e54-4c56-968e-d4ab1717e6c7 + + Application Server SRG - Ver 3, Rel 3 + + Download + + 807.73 KB + + Download Action +
+ 4c011694-b966-468f-a99b-465b43acb91c + + BIND 9.x STIG - Ver 2, Rel 2 + + Download + + 702.63 KB + + Download Action +
+ 53d2e9f0-3440-48df-8613-de340c993c3c + + BlackBerry Enterprise Mobility Server (BEMS) 2.x STIG - Ver 1, Rel 3 + + Download + + 1.29 MB + + Download Action +
+ 163b5f29-92be-448a-ac6a-8cfccbf5504f + + Blackberry UEM STIG - Ver 2, Rel 1 + + Download + + 1.54 MB + + Download Action +
+ ff0a6820-bfce-48a8-a9a8-9072a0816bdd + + CA API Gateway ALG STIG - Ver 1, Rel 2 + + Download + + 540.17 KB + + Download Action +
+ 46f2c37f-ae70-41b1-96ea-3157aa459d9a + + CA API Gateway NDM STIG Ver 1 + + Download + + 279.81 KB + + Download Action +
+ a4c38dd1-1668-4212-b1b0-7f61237d250b + + CA API Gateway STIG Ver 1 Overview + + Download + + 89.21 KB + + Download Action +
+ c22a797e-0992-475a-9dc4-eb2b64b0a54b + + CA IDMS STIG - Ver 1, Rel 2 + + Download + + 1.54 MB + + Download Action +
+ 0ca21645-9ede-48a2-b45d-23d6bbd4ef37 + + Canonical Ubuntu 18.04 LTS STIG - Ver 2, Rel 9 + + Download + + 851.8 KB + + Download Action +
+ 10227570-52a5-4bda-bd58-07aa648740eb + + Canonical Ubuntu 18.04 LTS STIG Benchmark - Ver 2, Rel 7 + + Download + + 56.85 KB + + Download Action +
+ 44cf5338-0825-4997-a7ee-51117dd6dade + + Canonical Ubuntu 18.04 LTS STIG for Ansible - Ver 2 Rel 9 + + Download + + 319.25 KB + + Download Action +
+ 6482ad37-7938-4786-beb0-8a7eae7a90c8 + + Canonical Ubuntu 20.04 LTS STIG - Ver 1, Rel 6 + + Download + + 1.44 MB + + Download Action +
+ a0686056-29ba-4fcb-9d52-688d07a87bd1 + + Canonical Ubuntu 20.04 LTS STIG Benchmark - Ver 1, Rel 4 + + Download + + 59.4 KB + + Download Action +
+ 39c204e5-054c-4384-baad-63622829aa3b + + Canonical Ubuntu 20.04 LTS STIG for Ansible - Ver 1, Rel 6 + + Download + + 318.15 KB + + Download Action +
+ c6877daf-5a53-47a2-aeb4-1844aaf795e3 + + Central Log Server SRG - Ver 2, Rel 2 + + Download + + 772.14 KB + + Download Action +
+ 9467f309-9c4a-4ad8-a393-dd0596be4f65 + + Cisco IOS XE Router NDM RTR STIG for Ansible - Ver 2, Rel 3 + + Download + + 402.99 KB + + Download Action +
+ f1e97c1f-51b9-4f2f-8d7f-780827402da3 + + Cisco IOS-XE Router NDM STIG Benchmark - Ver 1, Rel 5 + + Download + + 15.62 KB + + Download Action +
+ fd58cdb4-80a0-4bf9-a3d1-fe65fb9d1f36 + + Cisco IOS XE Router STIG for Ansible - Ver 2, Rel 1 + + Download + + 713.94 KB + + Download Action +
+ 9d6fe94c-a4d9-42b2-8a20-b1e001634643 + + Cisco IOS-XE Router RTR STIG Benchmark - Ver 1, Rel 2 + + Download + + 6.95 KB + + Download Action +
+ a8a659d8-cacc-4db2-80df-6eae3db1d178 + + Container Platform SRG - Ver 1, Rel 3 + + Download + + 785.1 KB + + Download Action +
+ 12451344-ed69-44d9-8e09-eb703d4ded45 + + Crunchy Data PostgreSQL STIG - Ver 2, Rel 1 + + Download + + 2.75 MB + + Download Action +
+ 7b253766-0f71-41eb-964d-258f9c0b9757 + + Database SRG - Ver 3, Rel 3 + + Download + + 645.23 KB + + Download Action +
+ 47f81e17-1761-4cbf-9c7d-fa54a34eea72 + + DBN-6300 IDPS STIG Ver 1 + + Download + + 309.65 KB + + Download Action +
+ 8fb56fa7-a9e7-4b65-aa02-599c03976c13 + + DBN-6300 NDM STIG Ver 1 + + Download + + 320.44 KB + + Download Action +
+ 94a71952-abab-46f9-85d3-30154808600c + + DBN-6300 Overview - Ver 1, Rel 2 + + Download + + 409.24 KB + + Download Action +
+ 297942f8-c2ca-496c-9b29-3f3f860c2820 + + DNS SRG - Ver 2, Rel 4 + + Download + + 601.26 KB + + Download Action +
+ fd19a7d5-c2b9-46b4-86d5-72d6be467b9d + + Docker Enterprise 2.x Linux/Unix - Ver 2, Rel 1 + + Download + + 1.02 MB + + Download Action +
+ e600d9f9-7a36-4970-a613-ddfc118752ef + + Docker Enterprise 2.x Linux/Unix STIG for Ansible - Ver 1, Rel 1 + + Download + + 489.84 KB + + Download Action +
+ 094e2264-9f8b-4a5f-9f29-ab47138436fb + + EDB Postgres Advanced Server STIG - Ver 2, Rel 2 + + Download + + 1.17 MB + + Download Action +
+ b3338ba7-ccb9-4370-926a-f6f41fd56794 + + EDB Postgres Advanced Server v11 for Windows STIG - Ver 2, Rel 2 + + Download + + 882.31 KB + + Download Action +
+ 8012d167-08e8-4dcc-99ad-3c438ca503b5 + + Esri ArcGIS Server 10.3 STIG - Ver 1, Rel 3 + + Download + + 399.4 KB + + Download Action +
+ d283510b-b23f-401f-a492-b325a03cd867 + + Firewall SRG - Ver 2, Rel 3 + + Download + + 515.57 KB + + Download Action +
+ 2b1527fd-de76-483b-9d2f-9062e146059f + + ForeScout CounterACT ALG STIG - Ver 1, Rel 2 + + Download + + 438.53 KB + + Download Action +
+ 5ad497eb-ff0a-401f-b434-16696e601ac0 + + ForeScout CounterACT NDM STIG Ver 1 + + Download + + 355.31 KB + + Download Action +
+ 06775e40-3939-40cd-8a0b-577aa2d3c7dc + + ForeScout CounterACT Ver 1 Overview + + Download + + 134.09 KB + + Download Action +
+ c1f43cf0-4262-4e17-85e5-277823e12b8b + + General Purpose Operating System SRG - Ver 2, Rel 4 + + Download + + 602.49 KB + + Download Action +
+ 19be99e6-39a4-49a8-b88d-623bb5b1c57c + + Google Android 10.x STIG - Ver 1, Rel 2 + + Download + + 1.64 MB + + Download Action +
+ ac1500fc-2999-442b-a078-3ce9b1859d53 + + Sunset - Google Android 9 STIG - Ver 2, Rel 1 + + Download + + 3.52 MB + + Download Action +
+ c8538ad7-d952-4bff-86bd-5f0d5bdef859 + + Google Chrome STIG - Ver 2, Rel 7 + + Download + + 835.21 KB + + Download Action +
+ 26cee806-d9e8-45ae-901a-2b572d4538dc + + Google Chrome STIG Benchmark - Ver 2, Rel 7 + + Download + + 24.23 KB + + Download Action +
+ 8302426b-b2a0-4b50-b39a-d5536542b56b + + HPE 3PAR StoreServ 3.2.x STIG - Ver 2, Rel 1 + + Download + + 745.74 KB + + Download Action +
+ a12a1e08-1440-430d-9f50-06f87bfdb66c + + HPE Nimble Storage Array STIG - Ver 1, Rel 1 + + Download + + 1.49 MB + + Download Action +
+ 21e37782-cf47-4fe4-8505-bad97fe22aff + + HYCU for Nutanix STIG - Ver 1 Rel 1 + + Download + + 1.33 MB + + Download Action +
+ c60df65d-436b-447c-8967-f55ddd207c9d + + IBM AIX 7.x STIG - Ver 2, Rel 6 + + Download + + 2.98 MB + + Download Action +
+ 2678d09a-7d7d-446a-b101-5f161557040d + + IBM Aspera Platform 4.2 STIG - Ver 1, Rel 1 + + Download + + 857.94 KB + + Download Action +
+ c8662465-67ea-4f84-b4a2-c77243a74340 + + IBM DataPower NDM STIG - Ver 1, Rel 2 + + Download + + 452.3 KB + + Download Action +
+ f6f4d8f4-f713-47d8-940b-6a7daacac0dd + + IBM DataPower STIG ALG STIG Ver 1 + + Download + + 288.27 KB + + Download Action +
+ fd7bb956-bc0a-43f9-8cab-6d9a5125cb92 + + IBM DataPower STIG Overview, Ver 1 + + Download + + 84.73 KB + + Download Action +
+ 40ac956d-b768-4f38-ac91-4bb13fe77dde + + IBM DB2 V10.5 STIG - Ver 1, Rel 4 + + Download + + 825.06 KB + + Download Action +
+ 7f421832-f46f-491c-b27c-43651428d6a2 + + IBM Hardware Management Console (HMC) STIG - Ver 1, Rel 5 + + Download + + 706.74 KB + + Download Action +
+ a65f53a1-e067-4aa5-9e21-fdd98cdb0192 + + IBM MaaS360 with Watson v10-x MDM STIG - Ver1, Rel 2 + + Download + + 969.3 KB + + Download Action +
+ 4af6be54-e464-4540-868e-52d3abcc773d + + IBM MQ Appliance v9-0 AS STIG V1 + + Download + + 342.73 KB + + Download Action +
+ 8c680498-77e9-49d3-b33b-ea272b7cd4c6 + + IBM MQ Appliance v9-0 NDM STIG V1 + + Download + + 322.58 KB + + Download Action +
+ 96464574-3611-4175-8271-ca05d901dd10 + + IBM MQ Appliance v9-0 STIG Overview + + Download + + 216.17 KB + + Download Action +
+ 0efc0113-9bf8-49a3-9b85-9b55274a0eda + + IBM WebSphere Liberty Server STIG - Ver 1, Rel 2 + + Download + + 1.62 MB + + Download Action +
+ 894e33b2-4968-45c5-8bf5-1ae54c0909ff + + IBM WebSphere Traditional V9.x STIG Version 1 + + Download + + 464.6 KB + + Download Action +
+ 4ca227e7-eb24-48ec-95e8-d4c0ab1620fa + + IBM zVM Using CA VMSecure STIG - Ver 2, Rel 2 + + Download + + 730.63 KB + + Download Action +
+ 02f8a822-38ec-4577-8efb-7550bced2da1 + + Infoblox 7.x DNS STIG - Ver 2, Rel 1 + + Download + + 981.51 KB + + Download Action +
+ d3577e86-3d41-4d3f-9114-16b668976633 + + Infoblox 8.x DNS STIG - Ver 1, Rel 1 + + Download + + 1.66 MB + + Download Action +
+ c03f7c72-bb80-426c-9e9f-62bde5e003b7 + + Intrusion Detection and Prevention System SRG - Ver 2, Rel 6 + + Download + + 850.55 KB + + Download Action +
+ 9b2261ee-384b-4fbb-9c89-f5fd5076cb02 + + ISEC7 EMM Suite v6.x STIG - Ver 1, Rel 1 + + Download + + 1.67 MB + + Download Action +
+ 8c1ffb56-ee32-4631-8d2f-e15b5336c5c0 + + ISEC7 Sphere STIG - Ver 2, Rel 1 + + Download + + 2.16 MB + + Download Action +
+ e9acc0f6-a1e7-4d0b-9c0d-7c63028b8647 + + Ivanti MobileIron Core MDM Server STIG - Ver 1, Rel 1 + + Download + + 1.82 MB + + Download Action +
+ aac33ef0-b4ea-4148-9067-5fe0c7fa7667 + + Jamf Pro v10.x EMM STIG - Ver 1, Rel 1 + + Download + + 1.69 MB + + Download Action +
+ e945ae32-60c3-4acd-8de0-2538f3a30c7a + + Juniper SRX SG STIG for Ansible - Ver 1, Rel 1 + + Download + + 368.27 KB + + Download Action +
+ 3394416b-2142-425b-b99b-6b9983a6ea3d + + Kubernetes STIG - Ver 1, Rel 7 + + Download + + 2.47 MB + + Download Action +
+ 57328aed-c982-460d-b28c-9aaa9dca726b + + Layer 2 Switch SRG - Ver 2, Rel 1 + + Download + + 679.55 KB + + Download Action +
+ 9dbc42de-893d-4e6c-9969-c32392eb7791 + + Mainframe Product SRG - Ver 2, Rel 1 + + Download + + 814.87 KB + + Download Action +
+ fcd19dfd-9ae9-475b-965b-9712d5662a92 + + MarkLogic Server v9 STIG - Ver 2, Rel 1 + + Download + + 977.38 KB + + Download Action +
+ 12e9b282-dabf-4de8-8678-68b954ab7226 + + McAfee Application Control 8.x STIG - Ver 2, Rel 1 + + Download + + 910.13 KB + + Download Action +
+ dee61fbe-4041-43d0-86cc-c30cadd8ded5 + + McAfee Application Control 7.x STIG - Ver 1, Rel 3 + + Download + + 380.54 KB + + Download Action +
+ a7a088d6-d0d5-4cc8-a360-487c6fccb1ab + + McAfee Virus Scan Enterprise for Linux 1.9x/2.0x Managed Client STIG - Ver 1, Rel 3 + + Download + + 449.32 KB + + Download Action +
+ df96c1a8-4fcc-49da-a6b5-38c3f06c6d9b + + Microsoft .Net Framework 4 STIG Benchmark - Ver 2, Rel 1 + + Download + + 8.44 KB + + Download Action +
+ 77fbad7e-899a-4cf1-a86f-4959c5dac3ec + + Microsoft .Net Framework 4.0 STIG - Ver 2, Rel 2 + + Download + + 765.15 KB + + Download Action +
+ 292bd8db-b00f-4b4b-b2ba-0b6afbd89880 + + Microsoft Access 2010 STIG - Ver 1, Rel 10 + + Download + + 451.37 KB + + Download Action +
+ b75d850a-a867-40f5-a0f2-91c485266cb5 + + Microsoft Access 2013 STIG - Ver 1, Rel 6 + + Download + + 436.33 KB + + Download Action +
+ 00a093e9-6903-4251-9505-3f79e0b35aba + + Microsoft Access 2016 STIG - Ver 1, Rel 1 + + Download + + 356.81 KB + + Download Action +
+ 4cbf78f1-9737-46ce-99e8-052c2b3720e8
+
+ Microsoft Defender Antivirus STIG - Ver 2, Rel 4
+
+ Download
+
+ 733.35 KB
+
+ Download Action
+
+ 8f339765-729d-40de-8833-ac00c374f260
+
+ Microsoft Defender Antivirus STIG Benchmark - Ver 2, Rel 3
+
+ Download
+
+ 23.2 KB
+
+ Download Action
+
+ e36d7f35-74a6-4cc7-83a9-cc87aa20368d
+
+ Microsoft Edge STIG - Ver 1, Rel 6
+
+ Download
+
+ 1.53 MB
+
+ Download Action
+
+ 2460db5c-039e-4e61-a981-d3dd6343844c
+
+ Microsoft Edge STIG Benchmark - Ver 1, Rel 2
+
+ Download
+
+ 1.53 MB
+
+ Download Action
+
+ 4f5cd45c-3c88-4937-a011-43faf9336aaa
+
+ Microsoft Excel 2010 STIG - Ver 1, Rel 11
+
+ Download
+
+ 443.24 KB
+
+ Download Action
+
+ 01847f17-d702-45f8-8348-0507776b8dce
+
+ Microsoft Excel 2013 STIG - Ver 1, Rel 7
+
+ Download
+
+ 440.15 KB
+
+ Download Action
+
+ b5b7d542-3cdd-4a54-8ade-90758cfde5db
+
+ Microsoft Excel 2016 STIG - Ver 1, Rel 2
+
+ Download
+
+ 406.81 KB
+
+ Download Action
+
+ 75dfe011-acca-47db-a7c0-e389603971a6
+
+ Microsoft Exchange 2010 Client Access STIG - Ver 1, Rel 9
+
+ Download
+
+ 682.87 KB
+
+ Download Action
+
+ 0622e9ff-5eb7-42af-aff1-5465325dc1aa
+
+ Microsoft Exchange 2010 Edge Transport Server STIG - Ver 1, Rel 15
+
+ Download
+
+ 642.96 KB
+
+ Download Action
+
+ 6a87dd60-d0ed-462e-a4f0-e01f89cd9f67
+
+ Microsoft Exchange 2010 Hub STIG - Ver 1, Rel 12
+
+ Download
+
+ 689.63 KB
+
+ Download Action
+
+ 6b6e81d7-99dd-4b2d-ba58-e19120b04c72
+
+ Microsoft Exchange 2010 Mailbox STIG - Ver 1, Rel 10
+
+ Download
+
+ 445.45 KB
+
+ Download Action
+
+ ab2844c5-aac3-40a1-97f2-ef3a816f2fb9
+
+ Microsoft Exchange 2010 Overview - Ver 1, Rel 6
+
+ Download
+
+ 985.59 KB
+
+ Download Action
+
+ 1254c3b3-ef14-4d44-bb26-6214f8f58288
+
+ Microsoft Groove 2013 STIG - Ver 1, Rel 3
+
+ Download
+
+ 439.24 KB
+
+ Download Action
+
+ b8cde87b-c02c-4b47-926d-660e9a3b197e
+
+ Microsoft InfoPath 2010 STIG - Ver 1, Rel 11
+
+ Download
+
+ 460.93 KB
+
+ Download Action
+
+ d73ce1c5-8f61-4ea2-ad30-700da92a2c16
+
+ Microsoft InfoPath 2013 STIG - Ver 1, Rel 5
+
+ Download
+
+ 431.7 KB
+
+ Download Action
+
+ a1f30e24-867f-4378-98d9-012375b3d49a
+
+ Microsoft Internet Explorer 11 STIG - Ver 2, Rel 3
+
+ Download
+
+ 706.39 KB
+
+ Download Action
+
+ 691c2c7d-a266-457d-b07f-a45b45408228
+
+ Microsoft Lync 2013 STIG - Ver 1, Rel 4
+
+ Download
+
+ 439.13 KB
+
+ Download Action
+
+ db8380d2-4a40-4e8f-a304-411b3145f8b9
+
+ Microsoft Office 2010 Overview - Ver 1, Rel 12
+
+ Download
+
+ 159.11 KB
+
+ Download Action
+
+ b6864455-b1a8-4997-a757-ccf477592624
+
+ Microsoft Office 2013 Overview - Ver 1, Rel 5
+
+ Download
+
+ 531.32 KB
+
+ Download Action
+
+ a6d1f0a2-1f52-40ff-b41e-7ec8282bb497
+
+ Microsoft Office 365 ProPlus STIG - Ver 2, Rel 7
+
+ Download
+
+ 824.28 KB
+
+ Download Action
+
+ a87f81b9-10cc-4256-ac60-c90b9c5ed324
+
+ Microsoft Office System 2010 STIG - Ver 1, Rel 12
+
+ Download
+
+ 445.38 KB
+
+ Download Action
+
+ 690c9402-2846-4b58-9dfc-40e14d736f03
+
+ Microsoft Office System 2013 STIG - Ver 2, Rel 1
+
+ Download
+
+ 885.34 KB
+
+ Download Action
+
+ dd119d0c-772b-49b9-9bab-d99b5d5e59a3
+
+ Microsoft Office System 2016 STIG - Ver 2, Rel 2
+
+ Download
+
+ 715.87 KB
+
+ Download Action
+
+ ad1245bd-5338-4cdb-9e15-e68f8bac5664
+
+ Microsoft OneDrive for Business 2016 STIG - Ver 1, Rel 3
+
+ Download
+
+ 594.98 KB
+
+ Download Action
+
+ 71a0e3ba-286a-401a-9f01-a8ab2b632a6e
+
+ Microsoft OneDrive STIG - Ver 2, Rel 2
+
+ Download
+
+ 667.58 KB
+
+ Download Action
+
+ 8275af7a-eef4-4242-a2eb-1b2e40da4264
+
+ Microsoft OneNote 2010 STIG - Ver 1, Rel 9
+
+ Download
+
+ 435.61 KB
+
+ Download Action
+
+ f807ac56-981e-491b-816c-03ac056ce669
+
+ Microsoft OneNote 2013 STIG - Ver 1, Rel 3
+
+ Download
+
+ 426.92 KB
+
+ Download Action
+
+ f304b867-70e3-45ee-b759-218e4c19448e
+
+ Microsoft OneNote 2016 STIG - Ver 1, Rel 2
+
+ Download
+
+ 339.07 KB
+
+ Download Action
+
+ 8940c077-4612-4207-ab49-1269da8f3f81
+
+ Microsoft Outlook 2010 STIG - Ver 1, Rel 13
+
+ Download
+
+ 458.93 KB
+
+ Download Action
+
+ 1ccbbe6a-558b-408d-b56c-adecd6dca184
+
+ Microsoft Outlook 2013 STIG - Ver 1, Rel 13
+
+ Download
+
+ 423.68 KB
+
+ Download Action
+
+ 356f8b76-e222-4c94-a584-36548153f579
+
+ Microsoft Outlook 2016 STIG - Ver 2, Rel 3
+
+ Download
+
+ 660.23 KB
+
+ Download Action
+
+ 8a6d9a9b-da90-4720-93bb-cdd80943741f
+
+ Microsoft PowerPoint 2010 STIG - Ver 1, Rel 10
+
+ Download
+
+ 414.21 KB
+
+ Download Action
+
+ 42a8104e-acc7-4316-b493-007698ef5f11
+
+ Microsoft PowerPoint 2013 STIG - Ver 1, Rel 6
+
+ Download
+
+ 440.97 KB
+
+ Download Action
+
+ a3e496d1-e0b3-46b2-811e-d44831705ef8
+
+ Microsoft PowerPoint 2016 STIG - Ver 1, Rel 1
+
+ Download
+
+ 363.05 KB
+
+ Download Action
+
+ 5fd452ce-fe7f-416a-abbf-60b0d2a331f5
+
+ Microsoft Project 2010 STIG - Ver 1, Rel 9
+
+ Download
+
+ 435.29 KB
+
+ Download Action
+
+ 0ebcfef6-9b75-410f-9a2e-9fc759d19a81
+
+ Microsoft Project 2013 STIG - Ver 1, Rel 4
+
+ Download
+
+ 428.58 KB
+
+ Download Action
+
+ dc17bf23-a310-4ac4-a555-6285f14a0f31
+
+ Microsoft Project 2016 STIG - Ver 1, Rel 1
+
+ Download
+
+ 356.08 KB
+
+ Download Action
+
+ 5c06cbdf-739d-4c1b-beea-011299e7cd1e
+
+ Microsoft Publisher 2010 STIG - Ver 1, Rel 11
+
+ Download
+
+ 409.49 KB
+
+ Download Action
+
+ 02390da9-a893-4ef7-ad3c-312c1f1a8198
+
+ Microsoft Publisher 2013 STIG - Ver 1, Rel 5
+
+ Download
+
+ 429.2 KB
+
+ Download Action
+
+ c6bf29e5-e708-4897-933e-cfe83f0c1a7f
+
+ Microsoft Publisher 2016 STIG - Ver 1, Rel 3
+
+ Download
+
+ 379.19 KB
+
+ Download Action
+
+ 407676ab-e403-4b58-bdcb-027a70cf94fc
+
+ Microsoft SCOM STIG - Ver 1, Rel 1
+
+ Download
+
+ 1.5 MB
+
+ Download Action
+
+ 5d9bd57b-995f-47ed-b05b-050ed7c44eac
+
+ Microsoft SharePoint 2013 STIG - Ver 2, Rel 3
+
+ Download
+
+ 692.2 KB
+
+ Download Action
+
+ 906af73d-7e44-4c65-b815-d207ce00c987
+
+ Microsoft Sharepoint Designer 2013 STIG - Ver 1, Rel 3
+
+ Download
+
+ 442.79 KB
+
+ Download Action
+
+ 322a6857-ea64-4c78-893c-3a84cc1d991f
+
+ Microsoft Skype for Business 2016 STIG - Ver 1, Rel 1
+
+ Download
+
+ 352.2 KB
+
+ Download Action
+
+ 031d5eaf-86f0-4ba7-a4b0-99a607606b93
+
+ Microsoft Visio 2013 STIG - Ver 1, Rel 4
+
+ Download
+
+ 427.91 KB
+
+ Download Action
+
+ 99fa788e-a83b-4cf2-bb4f-1da627ef9396
+
+ Microsoft Visio 2016 STIG - Ver 1, Rel 1
+
+ Download
+
+ 355.78 KB
+
+ Download Action
+
+ ae35da45-3476-426f-820f-74093cd277f3
+
+ Microsoft Windows 10 STIG - Ver 2, Rel 5
+
+ Download
+
+ 966.35 KB
+
+ Download Action
+
+ 004c1096-80f8-49d0-913e-8f98744b685b
+
+ Microsoft Windows 10 STIG Benchmark - Ver 2, Rel 6
+
+ Download
+
+ 99.71 KB
+
+ Download Action
+
+ 1ae6abfc-a7d8-4e7f-a738-2f9d0c9001a5
+
+ Microsoft Windows 2012 and 2012 R2 DC STIG- Ver 3, Rel 5
+
+ Download
+
+ 905.58 KB
+
+ Download Action
+
+ de5ffd8d-7341-485c-8c85-63e72ccb5b9b
+
+ Microsoft Windows 2012 and 2012 R2 MS STIG - Ver 3, Rel 5
+
+ Download
+
+ 852.32 KB
+
+ Download Action
+
+ 894646d0-6965-4e18-8d18-a42862285979
+
+ Microsoft Windows 2012 Server Domain Name System STIG - Ver 2, Rel 5
+
+ Download
+
+ 770.26 KB
+
+ Download Action
+
+ 3be7fef2-abd7-4b8b-8eef-9e8cc8f00d0a
+
+ Microsoft Windows Firewall STIG and Advanced Security STIG - Ver 2, Rel 1
+
+ Download
+
+ 716.43 KB
+
+ Download Action
+
+ c8ffa39b-89f2-454d-99a0-b17de1aed87e
+
+ Microsoft Windows Firewall STIG Benchmark - Ver 2, Rel 1
+
+ Download
+
+ 13.53 KB
+
+ Download Action
+
+ dfb16402-d384-49a3-bf57-9bafaf59ee09
+
+ Microsoft Windows Operating Systems Overview - Ver 1, Rel 5
+
+ Download
+
+ 349.97 KB
+
+ Download Action
+
+ 3a3f8056-ca9c-45a6-b166-a79de2f3ac56
+
+ Microsoft Windows Privileged Access Workstation (PAW) STIG - Ver 2, Rel 2
+
+ Download
+
+ 731.43 KB
+
+ Download Action
+
+ 3713eab8-40ed-493b-8776-2a54e74bae15
+
+ Microsoft Windows Server 2012 and 2012 R2 DC STIG Benchmark - Ver 3, Rel 4
+
+ Download
+
+ 123.35 KB
+
+ Download Action
+
+ d920b983-be46-4daf-aa06-66d1260b5626
+
+ Microsoft Windows Server 2012 and 2012 R2 MS STIG Benchmark - Ver 3, Rel 4
+
+ Download
+
+ 118.5 KB
+
+ Download Action
+
+ c73d1745-8a33-4266-ba64-a0025af87429
+
+ Microsoft Windows Server 2016 STIG - Ver 2, Rel 5
+
+ Download
+
+ 827.92 KB
+
+ Download Action
+
+ 48500464-6c80-42d3-9f73-7da28fbe24d7
+
+ Microsoft Windows Server 2019 STIG Benchmark - Ver 2, Rel 3
+
+ Download
+
+ 99.36 KB
+
+ Download Action
+
+ 8424ae69-5688-473e-bca9-4e98e541b3bb
+
+ Microsoft Windows Server 2016 STIG for Chef - Ver 1, Rel 3
+
+ Download
+
+ 688.81 KB
+
+ Download Action
+
+ b5b36896-d8a8-4630-9eb6-153867a4a34b
+
+ Microsoft Windows Server 2016 STIG for PowerShell DSC - Ver 1, Rel 3
+
+ Download
+
+ 617.57 KB
+
+ Download Action
+
+ 21543d04-830e-47ad-9277-d61ea17da260
+
+ Microsoft Windows Server 2019 STIG - Ver 2, Rel 5
+
+ Download
+
+ 793.5 KB
+
+ Download Action
+
+ 751d828a-fc8c-45c0-9bc3-f3175e3442e1
+
+ Microsoft Windows Server 2019 STIG for Chef - Ver 1, Rel 2
+
+ Download
+
+ 717.29 KB
+
+ Download Action
+
+ bf7899c3-9b8b-4e59-ab5e-c2af4a52a576
+
+ Microsoft Word 2010 STIG - Ver 1, Rel 11
+
+ Download
+
+ 662.17 KB
+
+ Download Action
+
+ bb1ccac1-da6b-49fc-9d12-5d6f056b9a6e
+
+ Microsoft Word 2013 STIG - Ver 1, Rel 6
+
+ Download
+
+ 462.31 KB
+
+ Download Action
+
+ 2628de40-984d-4d85-b016-ef3cec65c520
+
+ Microsoft Word 2016 STIG - Ver 1, Rel 1
+
+ Download
+
+ 361.84 KB
+
+ Download Action
+
+ 88b7cf24-556f-4238-911c-32a38ba0224d
+
+ MobileIron Core v10.x MDM STIG Ver 1 Rel 1
+
+ Download
+
+ 1 MB
+
+ Download Action
+
+ c31f572f-17c5-4d56-a35c-a74e53dccbb1
+
+ MongoDB Enterprise Advanced 3.x STIG - Ver 2, Rel 1
+
+ Download
+
+ 609.61 KB
+
+ Download Action
+
+ dd3a1fe8-f2be-4326-b5e5-20a62ad043c0
+
+ MongoDB Enterprise Advanced 4.x STIG - Ver 1, Rel 2
+
+ Download
+
+ 1.56 MB
+
+ Download Action
+
+ 0e0e9b73-e2a1-495e-9b16-e9b7d37fed1d
+
+ Motorola Solutions Android 11 - Ver 1, Rel 2
+
+ Download
+
+ 1.68 MB
+
+ Download Action
+
+ df63a2a7-2ba7-4d2f-9eed-d785b42ec35c
+
+ Mozilla Firefox for Linux STIG Benchmark - Ver 6, Rel 3
+
+ Download
+
+ 17.52 KB
+
+ Download Action
+
+ 2f68eeb8-d228-45c3-83ae-ee0b894060d3
+
+ Mozilla Firefox for Windows STIG Benchmark - Ver 6, Rel 3
+
+ Download
+
+ 14.8 KB
+
+ Download Action
+
+ c39c9fbd-4ae7-4e11-a2a0-705760c1a212
+
+ Mozilla Firefox STIG - Ver 6, Rel 4
+
+ Download
+
+ 886.06 KB
+
+ Download Action
+
+ 94019a9f-4868-4aba-86f1-c40a18dd4cca
+
+ Microsoft Internet Explorer 11 STIG Benchmark - Ver 2, Rel 3
+
+ Download
+
+ 64.58 KB
+
+ Download Action
+
+ a2264826-1f90-483b-9495-b129ae2b36c7
+
+ Multifunction Device and Network Printers STIG - Ver 2, Rel 14
+
+ Download
+
+ 596.06 KB
+
+ Download Action
+
+ 3cb5dd33-27f7-42f7-b54b-f9836d13c8b0
+
+ NetApp ONTAP DSC 9.X STIG - Ver 1, Rel 2
+
+ Download
+
+ 1.43 MB
+
+ Download Action
+
+ 852d1641-dbb3-4224-98ec-473d1093dbc9
+
+ Network Device Management SRG - Ver 4, Rel 1
+
+ Download
+
+ 1017.22 KB
+
+ Download Action
+
+ 2ab92045-2d9a-42f3-924f-56af73a7ce7f
+
+ Network Infrastructure Policy STIG - Ver 10, Rel 3
+
+ Download
+
+ 625.96 KB
+
+ Download Action
+
+ 76da4756-c86c-45c0-b825-b24f17e48a71
+
+ Oracle Database 11.2g STIG - Ver 2, Rel 3
+
+ Download
+
+ 1.38 MB
+
+ Download Action
+
+ a81ef52f-6667-4a3c-9356-a1f6dba60433
+
+ Oracle Database 12c STIG - Ver 2, Rel 5
+
+ Download
+
+ 1.18 MB
+
+ Download Action
+
+ 7ebb6e4a-3775-4af0-aa85-9cc0b3a9b9fe
+
+ Oracle HTTP Server 12.1.3 STIG - Ver 2, Rel 1
+
+ Download
+
+ 764.64 KB
+
+ Download Action
+
+ aa6ea48a-c036-4acf-93da-1fbc31142985
+
+ Oracle Linux 6 STIG - Ver 2, Rel 6
+
+ Download
+
+ 882.99 KB
+
+ Download Action
+
+ c8b90298-bb3f-4b84-99ed-202724edc430
+
+ Oracle Linux 7 STIG - Ver 2, Rel 9
+
+ Download
+
+ 743.02 KB
+
+ Download Action
+
+ e7bda7c2-b807-443c-bb85-465a7066c88e
+
+ Oracle Linux 7 STIG Benchmark - Ver 2, Rel 9
+
+ Download
+
+ 88.69 KB
+
+ Download Action
+
+ 01a29b52-ba96-40f9-8d73-9d363466d421
+
+ Oracle Linux 8 STIG - Ver 1, Rel 4
+
+ Download
+
+ 1.67 MB
+
+ Download Action
+
+ 6d3454fa-91f9-4d5b-b92b-12f1d813f2cf
+
+ Oracle Linux 8 STIG Benchmark - Ver 1, Rel 3
+
+ Download
+
+ 124.4 KB
+
+ Download Action
+
+ 1096e864-7d3e-4a2a-a5c0-237e89fc0597
+
+ Oracle MySQL 8.0 STIG - Ver 1, Rel 3
+
+ Download
+
+ 1.58 MB
+
+ Download Action
+
+ 29180784-67fe-4a76-95b8-a41b585520d8
+
+ Oracle WebLogic Server 12c - Ver 2, Rel 1
+
+ Download
+
+ 1.16 MB
+
+ Download Action
+
+ 536d7bd0-5c7a-4e2b-8c03-6e6413154368
+
+ Palo Alto Networks STIG for Ansible - Ver 1, Rel 4
+
+ Download
+
+ 338.55 KB
+
+ Download Action
+
+ ced2645a-25b7-4e07-9bab-16cfc32a0c06
+
+ PostgreSQL 9.x STIG - Ver 2, Rel 3
+
+ Download
+
+ 751.18 KB
+
+ Download Action
+
+ a5892b22-2327-497e-b75c-e9365bd32396
+
+ Rancher Government Solutions Multi-Cluster Manager STIG - Ver 1, Rel 2
+
+ Download
+
+ 832.58 KB
+
+ Download Action
+
+ b0fe6bbb-8d7b-49e2-8775-057c9eb07a77
+
+ Red Hat Enterprise Linux 7 STIG - Ver 3, Rel 9
+
+ Download
+
+ 883 KB
+
+ Download Action
+
+ 07ed5a15-4487-4f8d-b96e-1a0fa8a43295
+
+ Red Hat Enterprise Linux 7 STIG for Ansible - Ver 3 Rel 9
+
+ Download
+
+ 358.44 KB
+
+ Download Action
+
+ cf737780-7413-41a0-ad4c-353e57031021
+
+ Red Hat Enterprise Linux 7 STIG for Chef - Ver 3, Rel 8
+
+ Download
+
+ 362.5 KB
+
+ Download Action
+
+ 97ebd686-ba07-482a-a980-6ba16a89e1dd
+
+ Red Hat Enterprise Linux 8 STIG - Ver 1, Rel 8
+
+ Download
+
+ 1.19 MB
+
+ Download Action
+
+ 9f3e7da1-db87-4a54-8554-b1cf89b9c726
+
+ Red Hat Enterprise Linux 8 STIG for Ansible - Ver 1 Rel 8
+
+ Download
+
+ 403.74 KB
+
+ Download Action
+
+ 9ebbe295-652c-4311-9c53-055ab6fd81c3
+
+ Red Hat JBoss Enterprise Application Platform (EAP) 6.3 STIG - Ver 2, Rel 3
+
+ Download
+
+ 1008.98 KB
+
+ Download Action
+
+ 1ab618a5-6b7a-4e72-8dbb-c517b9b54b99
+
+ Redis Enterprise 6.x STIG - Ver 1, Rel 2
+
+ Download
+
+ 1.61 MB
+
+ Download Action
+
+ 353ca44e-716c-4707-a51a-94d53e3e37b0
+
+ Red Hat Enterprise Linux 7 STIG Benchmark - Ver 3, Rel 9
+
+ Download
+
+ 94.16 KB
+
+ Download Action
+
+ e066e0e0-54d8-4b86-a2bc-1db4863c6802
+
+ Red Hat Enterprise Linux 8 STIG Benchmark - Ver 1, Rel 7
+
+ Download
+
+ 120.6 KB
+
+ Download Action
+
+ 1f436578-dae6-47a4-8369-0b1e4682d64b
+
+ Router SRG - Ver 4, Rel 2
+
+ Download
+
+ 842.54 KB
+
+ Download Action
+
+ ed5cee51-aab1-4f32-8a58-37dee8068093
+
+ Samsung Android 12 with Knox 3.x - Ver 1 Rel 1
+
+ Download
+
+ 1.57 MB
+
+ Download Action
+
+ 73deb3ac-26d7-4275-83aa-3372920db43a
+
+ Samsung Android OS 10 with Knox 3.x STIG - Ver 1, Rel 1
+
+ Download
+
+ 1.97 MB
+
+ Download Action
+
+ 2d9d4276-5aa5-43d7-8b18-aa46ae09458d
+
+ Samsung SDS EMM STIG - Ver 1, Rel 3
+
+ Download
+
+ 1.67 MB
+
+ Download Action
+
+ 512b0dde-6739-4bdb-874f-7332dcaa4da9
+
+ SDN Controller SRG - Ver 1, Rel 2
+
+ Download
+
+ 780.17 KB
+
+ Download Action
+
+ 5856fcd5-e8c0-40f9-98fe-92e8c1014a38
+
+ SEL-2740S STIG Ver 1 Rel 1
+
+ Download
+
+ 1.5 MB
+
+ Download Action
+
+ b85eee35-9d6d-4a9f-9390-4eb8fd365fc2
+
+ SUSE Linux Enterprise Server 12 STIG Benchmark - Ver 2, Rel 7
+
+ Download
+
+ 55.73 KB
+
+ Download Action
+
+ 926c2106-3c5c-4b52-bdd9-64d2d44e0265
+
+ SUSE Linux Enterprise Server 15 STIG Benchmark - Ver 1, Rel 2
+
+ Download
+
+ 55.9 KB
+
+ Download Action
+
+ 2b073b02-2b56-4816-b308-116d49d4aa31
+
+ SLES V11 for System z STIG - Ver 1, Rel 12
+
+ Download
+
+ 568.64 KB
+
+ Download Action
+
+ 37861e70-8b29-427d-b1fc-59424c599494
+
+ Software-Defined Networking (SDN) Using Network Virtualization (NV) STIG Ver 1
+
+ Download
+
+ 496.15 KB
+
+ Download Action
+
+ 6055321b-f5e6-4198-b0b3-56fe44784fbf
+
+ Solaris 10 SPARC STIG - Ver 2, Rel 3
+
+ Download
+
+ 800.41 KB
+
+ Download Action
+
+ 20ec2511-cb53-4c22-ba6e-c359aec03aee
+
+ Solaris 10 SPARC STIG Benchmark - Ver 2, Rel 3
+
+ Download
+
+ 75.88 KB
+
+ Download Action
+
+ b10b45ec-d6ae-4adc-bc1b-eaddbf9f4266
+
+ Solaris 10 x86 STIG - Ver 2, Rel 3
+
+ Download
+
+ 817.09 KB
+
+ Download Action
+
+ e7f0c1d8-af1d-4cfb-b36e-60faf1597273
+
+ Solaris 10 x86 STIG Benchmark - Ver 2, Rel 3
+
+ Download
+
+ 77.55 KB
+
+ Download Action
+
+ afc293ac-5298-4be8-afad-e39060958e27
+
+ Solaris 11 SPARC STIG - Ver 2, Rel 6
+
+ Download
+
+ 894.25 KB
+
+ Download Action
+
+ 908c99ed-6dd8-41c2-b2ba-624413b631fe
+
+ Solaris 11 SPARC STIG Benchmark - Ver 2, Rel 3
+
+ Download
+
+ 38.94 KB
+
+ Download Action
+
+ a438b369-bba4-4427-af57-ffe596f1c7b6
+
+ Solaris 11 x86 STIG - Ver 2, Rel 6
+
+ Download
+
+ 895.22 KB
+
+ Download Action
+
+ 8be7072b-a660-495d-ac05-c8ed087f4bab
+
+ Solaris 11 X86 STIG Benchmark - Ver 2, Rel 3
+
+ Download
+
+ 39.94 KB
+
+ Download Action
+
+ 7e532771-9168-434e-9035-94b576318a0b
+
+ Splunk Enterprise 7.x for Windows STIG - Ver 2, Rel 3
+
+ Download
+
+ 3.25 MB
+
+ Download Action
+
+ dd03be71-cd6e-4a17-bdea-08995141b717
+
+ Splunk Enterprise 8.0 for Linux STIG - Ver 1, Rel 2
+
+ Download
+
+ 3.45 MB
+
+ Download Action
+
+ 1c52ddf5-356f-48fd-8982-3c1ebe63ebca
+
+ Storage Area Network STIG - Ver 2, Rel 4
+
+ Download
+
+ 1.1 MB
+
+ Download Action
+
+ 8b1e15c0-5495-458e-8e93-169658330f34
+
+ Sunset - Adobe Acrobat Pro DC Classic Track STIG - Ver 2, Rel 1
+
+ Download
+
+ 664.84 KB
+
+ Download Action
+
+ ed47cb56-780a-4083-93e7-32182916358a
+
+ Sunset - Adobe Acrobat Pro XI STIG Ver 1, Rel 2
+
+ Download
+
+ 382.41 KB
+
+ Download Action
+
+ 0cb32189-501f-41da-b2de-a30c5ebdbcc4
+
+ Sunset - Adobe Acrobat Reader DC Classic Track STIG - Ver 2, Rel 1
+
+ Download
+
+ 714.32 KB
+
+ Download Action
+
+ 09d6d5e5-a450-4275-b4cb-b941a8aa24b6
+
+ Sunset - Adobe Acrobat Reader DC Classic Track STIG Benchmark - Ver 2, Rel 1
+
+ Download
+
+ 10.95 KB
+
+ Download Action
+
+ ed66544b-0c16-4c6d-85bf-7f6ccbf55fe7
+
+ Sunset - Adobe ColdFusion 11 STIG - Ver 2, Rel 1
+
+ Download
+
+ 889.89 KB
+
+ Download Action
+
+ c95b85bc-074f-4f35-b184-bd8554c3fa9f
+
+ Sunset - AirWatch MDM STIG - Ver 1, Rel 3
+
+ Download
+
+ 677.55 KB
+
+ Download Action
+
+ 025622b2-6061-45e3-b6de-480e9feffe48
+
+ Sunset - AIX 6.1 STIG - Ver 1, Rel 14
+
+ Download
+
+ 451.33 KB
+
+ Download Action
+
+ 417c73e4-aafe-41e7-8d33-b439dfd000e9
+
+ Sunset - AIX 6.1 STIG-Benchmark - Ver 1, Rel 9
+
+ Download
+
+ 70.83 KB
+
+ Download Action
+
+ 4d42bbe6-99d0-4165-8d2f-1b6f6c4d4cbb
+
+ Sunset - Apple iOS 11 STIG - Ver 1, Rel 4
+
+ Download
+
+ 875.23 KB
+
+ Download Action
+
+ 799553ce-1b85-4084-917b-e62b75af19bd
+
+ Sunset - Apple iOS/iPad OS 13 STIG - Ver 2, Rel 1
+
+ Download
+
+ 2.6 MB
+
+ Download Action
+
+ c143159c-2257-4bf3-8d0d-665e1f930761
+
+ Sunset - Apple macOS 10.13 STIG - Ver 2, Rel 5
+
+ Download
+
+ 783.5 KB
+
+ Download Action
+
+ 7434631a-73b8-41b3-a54b-5d12b5321dea
+
+ Sunset - Apple macOS 10.14 STIG - Ver 2, Rel 6
+
+ Download
+
+ 1.79 MB
+
+ Download Action
+
+ 60aa409b-dbfe-4109-b929-c328de549ef3
+
+ Sunset - Apple OS X 10.12 STIG - Ver 1, Rel 6
+
+ Download
+
+ 734.39 KB
+
+ Download Action
+
+ baad3d98-def6-4e58-8d2f-64d1c9ae4b9c
+
+ Sunset - BlackBerry OS 10.3x STIG - Ver 1, Rel 4
+
+ Download
+
+ 1.92 MB
+
+ Download Action
+
+ 3a869939-abef-469c-8813-c5bfae2247fb
+
+ Sunset - BlackBerry UEM 12.10 STIG - Ver 1, Rel 1
+
+ Download
+
+ 1.12 MB
+
+ Download Action
+
+ 5eb4cd8d-cfba-42a3-9e76-30e1914cd104
+
+ Sunset - BlackBerry UEM 12.11 STIG - Ver 1, Rel 1
+
+ Download
+
+ 1.18 MB
+
+ Download Action
+
+ 06f4bd1d-408c-4c26-82bb-011a122a962c
+
+ Sunset - BlackBerry UEM 12.8 STIG - Ver 1, Rel 2
+
+ Download
+
+ 1.38 MB
+
+ Download Action
+
+ 1b8af826-0bcf-4b88-ad1f-015ccab9d371
+
+ Sunset - Canonical Ubuntu 16.04 LTS STIG - Ver 2, Rel 3
+
+ Download
+
+ 677.91 KB
+
+ Download Action
+
+ fe33663b-1df9-4880-bdc1-01f02d1dfd8a
+
+ Sunset - Canonical Ubuntu 16.04 LTS STIG Benchmark - Ver 2, Rel 3
+
+ Download
+
+ 55.78 KB
+
+ Download Action
+
+ 962b5eef-55db-4b7d-b370-c55bce7da903
+
+ Sunset - CISCO CSS DNS STIG - Ver 4, Rel 1.18
+
+ Download
+
+ 442.95 KB
+
+ Download Action
+
+ 81858e29-f743-4e06-bd17-d5cf3afba810
+
+ Sunset - Cisco IOS XE Release 3 NDM STIG - Ver 1, Rel 5
+
+ Download
+
+ 626.59 KB
+
+ Download Action
+
+ 63fb1ba6-2c70-4453-adfd-cb6545fd6bce
+
+ Sunset - Cisco IOS XE Release 3 Router Overview - Ver 1, Rel 4
+
+ Download
+
+ 236.14 KB
+
+ Download Action
+
+ 4c6b44f1-3aef-4584-bd03-c06c48bbfbf7
+
+ Sunset - Cisco IOS XE Release 3 RTR STIG - Ver 1, Rel 3
+
+ Download
+
+ 416.86 KB
+
+ Download Action
+
+ 4755e183-410d-4f60-97c0-79ef3c8d03a4
+
+ Sunset - CSfC Campus WLAN Policy STIG - Ver 1, Rel 3
+
+ Download
+
+ 313.78 KB
+
+ Download Action
+
+ 96d959cc-c045-44cb-8489-e6984c9f46db
+
+ Sunset - Desktop Applications General STIG - Ver 4, Rel 5
+
+ Download
+
+ 533.68 KB
+
+ Download Action
+
+ 9aff773f-f014-4bbf-9458-6b1b7a3d9fa2
+
+ Sunset - DNS Policy STIG - Ver 4, Rel 1.22
+
+ Download
+
+ 721.21 KB
+
+ Download Action
+
+ 14fb6eaa-986a-4c4e-80e8-3b684bda0014
+
+ Sunset - Email Services Policy STIG - Ver 2, Rel 6
+
+ Download
+
+ 535.35 KB
+
+ Download Action
+
+ 407f4a4a-2a71-4f3a-bbdd-789bd19f8a05
+
+ Sunset - Enclave Test and Development STIG - Ver 1, Rel 6
+
+ Download
+
+ 703.24 KB
+
+ Download Action
+
+ a145d07e-58e1-49f3-87a4-e58fd7f08eb5
+
+ Sunset - Google Search Appliance STIG
+
+ Download
+
+ 258.63 KB
+
+ Download Action
+
+ 7f23a503-ea29-45c7-821d-d61719f6e3ca
+
+ Sunset - Harris SecNet 11/54 STIG - Ver 6, Rel 10
+
+ Download
+
+ 310.42 KB
+
+ Download Action
+
+ 87274342-6a64-4fd9-bc7e-1dd806703417
+
+ Sunset - HP-UX 11.23 Manual STIG - Ver 1, Rel 8
+
+ Download
+
+ 469.17 KB
+
+ Download Action
+
+ 6fbac36c-4261-4f94-80e4-fa338cbf6c5d
+
+ Sunset - HP-UX 11.23 STIG-Benchmark - Ver 1, Rel 9
+
+ Download
+
+ 101.2 KB
+
+ Download Action
+
+ 0d682f96-3f65-4317-8dab-4578292f165e
+
+ Sunset - HP-UX 11.31 STIG - Ver 1, Rel 19
+
+ Download
+
+ 785.63 KB
+
+ Download Action
+
+ fe988760-0ac5-46b3-bbf6-dc7af960a5ed
+
+ Sunset - IBM MaaS360 V2.3.x MDM STIG - Ver 1, Rel 2
+
+ Download
+
+ 700.4 KB
+
+ Download Action
+
+ def06fd4-1021-4847-9616-37a1c62d5746
+
+ Sunset - L3 KOV-26 Talon (Wireless Role) STIG - Ver 6, Rel 8
+
+ Download
+
+ 233.34 KB
+
+ Download Action
+
+ d0a0e8aa-e930-47f2-b4b8-fbe0750eefe3
+
+ Sunset - McAfee VirusScan 8.8 Local Client STIG - Ver 6, Rel 1
+
+ Download
+
+ 873.79 KB
+
+ Download Action
+
+ 23b0abe8-56ad-4118-b22a-6a7aa2f9b466
+
+ Sunset - McAfee VirusScan 8.8 Local Client STIG Benchmark - Version 1, Release 4
+
+ Download
+
+ 37.07 KB
+
+ Download Action
+
+ f6c48aff-7e1f-4210-9c3e-db3e6c445d60
+
+ Sunset - McAfee VirusScan 8.8 Managed Client STIG - Ver 6, Rel 1
+
+ Download
+
+ 842.16 KB
+
+ Download Action
+
+ 85c69298-5f80-40dc-a7ea-4b5e2c7ecf00
+
+ Sunset - Microsoft InfoPath 2007 STIG - Ver 4, Rel 13
+
+ Download
+
+ 430.67 KB
+
+ Download Action
+
+ d25c2f2e-c4cf-4626-a66b-347ce53969ae
+
+ Sunset - Microsoft Internet Explorer 10 STIG - Ver 1, Rel 16
+
+ Download
+
+ 934.99 KB
+
+ Download Action
+
+ b89d7b6d-69dd-40f0-96a2-f981d7ac16bf
+
+ Sunset - Microsoft Internet Explorer 10 STIG Benchmark - Ver 1, Rel 10
+
+ Download
+
+ 66.9 KB
+
+ Download Action
+
+ b16c114e-ece1-4d94-9a65-2231d61e77d9
+
+ Sunset - Microsoft Internet Explorer 9 STIG - Ver 1, Rel 15
+
+ Download
+
+ 345.95 KB
+
+ Download Action
+
+ b09264fe-ccb5-41a7-af23-e48d43f41c99
+
+ Sunset - Microsoft SQL Server 2012 STIG - Ver 1, Rel 20
+
+ Download
+
+ 1019.87 KB
+
+ Download Action
+
+ 28026698-4eb9-4904-962a-ba77487888ea
+
+ Sunset - Microsoft Windows 10 Mobile STIG - Ver 1, Rel 4
+
+ Download
+
+ 1.9 MB
+
+ Download Action
+
+ f73b47da-6db0-4588-878e-6a9e96ee552f
+
+ Sunset - Microsoft Windows 2008 DC STIG - Ver 6, Rel 47
+
+ Download
+
+ 886.99 KB
+
+ Download Action
+
+ 463114c4-7c50-4301-9f72-c03c0fa41ce9
+
+ Sunset - Microsoft Windows 2008 MS STIG - Ver 6, Rel 46
+
+ Download
+
+ 881.7 KB
+
+ Download Action
+
+ a3a8ff64-1b48-4f82-852b-23c0ac38de03
+
+ Sunset - Microsoft Windows 2008 R2 DC STIG - Ver 1, Rel 34
+
+ Download
+
+ 904.34 KB
+
+ Download Action
+
+ 2a3461f7-d935-4f92-9154-06ec2526aade
+
+ Sunset - Microsoft Windows 2008 R2 DC STIG Benchmark - Ver 1, Rel 33
+
+ Download
+
+ 112.44 KB
+
+ Download Action
+
+ 5ff53042-1e70-4ab8-bbe0-b07bb99f02d8
+
+ Sunset - Microsoft Windows 2008 R2 MS STIG - Ver 1, Rel 33
+
+ Download
+
+ 877.75 KB
+
+ Download Action
+
+ 3c3da85f-7c67-40d7-a8e6-8660c914a1a2
+
+ Sunset - Microsoft Windows 2008 R2 MS STIG Benchmark - Ver 1, Rel 34
+
+ Download
+
+ 107.88 KB
+
+ Download Action
+
+ 902ed223-1492-43b0-8f3e-db4bfe706a1e
+
+ Sunset - Microsoft Windows 2008 Server DNS STIG - Ver 1, Rel 8
+
+ Download
+
+ 621.78 KB
+
+ Download Action
+
+ e055c73a-d662-4536-9d42-76a2df4ad1bd
+
+ Sunset - Microsoft Windows 7 STIG - Ver 1, Rel 32
+
+ Download
+
+ 895.09 KB
+
+ Download Action
+
+ e9c437b9-4d0b-4ca9-afa5-0a0f08100697
+
+ Sunset - Microsoft Windows 8/8.1 STIG - Ver 1, Rel 23
+
+ Download
+
+ 913.02 KB
+
+ Download Action
+
+ 17c61428-f23e-4d63-8236-88093b96c84a
+
+ Sunset - Microsoft Windows DNS STIG - Ver 4, Rel 1.19
+
+ Download
+
+ 454.72 KB
+
+ Download Action
+
+ 01ad411b-4b03-4c14-920d-38200b6d60a0
+
+ Sunset - Microsoft Windows Vista STIG - Ver 6, Rel 42
+
+ Download
+
+ 615.5 KB
+
+ Download Action
+
+ ef282613-8e2d-4b47-a477-6b7bb34b6423
+
+ Sunset - Microsoft Windows Vista STIG Benchmark - Ver 6, Rel 44
+
+ Download
+
+ 105.83 KB
+
+ Download Action
+
+ c9c3567f-a2dc-470d-9a93-99b4425f92db
+
+ Sunset - Microsoft Windows XP STIG - Version 6, Release 1.32
+
+ Download
+
+ 535.29 KB
+
+ Download Action
+
+ 4f66aa3d-2d89-4135-b264-623deb72f40e
+
+ Sunset - Oracle JRE 8 UNIX STIG - Ver 1, Rel 3
+
+ Download
+
+ 442.57 KB
+
+ Download Action
+
+ f67ef64d-da16-44ff-b762-56e6b61794e1
+
+ Sunset - Oracle JRE 8 Windows STIG - Ver 2, Rel 1
+
+ Download
+
+ 905.36 KB
+
+ Download Action
+
+ b4d0eb0f-a34e-411a-a435-498d30a5e47d
+
+ Sunset - Oracle Linux 5 STIG - Ver 2, Rel 1
+
+ Download
+
+ 814.81 KB
+
+ Download Action
+
+ 75e7cb7b-f181-48a4-a8d3-d0210f593388
+
+ Sunset - Red Hat 5 Manual STIG - Ver 1, Rel 18
+
+ Download
+
+ 598.58 KB
+
+ Download Action
+
+ 778b53f5-a8f4-48de-85d9-913dd8bd0d6d
+
+ Sunset - Red Hat 5 STIG Benchmark - Ver 1, Rel 19
+
+ Download
+
+ 165.72 KB
+
+ Download Action
+
+ d22e1cb5-4118-4f1c-a75f-d6571b43ece9
+
+ Sunset - Red Hat Enterprise Linux 6 STIG - Ver 2, Rel 2
+
+ Download
+
+ 971.12 KB
+
+ Download Action
+
+ 488f3200-21e0-42f5-89ef-5aa263d48343
+
+ Sunset - Red Hat Enterprise Linux 6 STIG Benchmark - Ver 2, Rel 2
+
+ Download
+
+ 93.91 KB
+
+ Download Action
+
+ dc4635e3-1f46-4764-b1fe-8c830162c474
+
+ Sunset - Removable Storage STIG - Ver 1, Rel 7
+
+ Download
+
+ 463.5 KB
+
+ Download Action
+
+ 7e02f2f5-fd75-4f8f-a9fb-653ed3ad0e71
+
+ Sunset - Samsung Android OS 7 with Knox 2.x STIG - Ver 1, Rel 7
+
+ Download
+
+ 1.57 MB
+
+ Download Action
+
+ 31afa755-2547-4d61-bf25-9ec90c52fc34
+
+ Sunset - Symantec Endpoint Protection 12.1 Local Client STIG - Ver 1, Rel 3
+
+ Download
+
+ 311.85 KB
+
+ Download Action
+
+ 1962711b-498a-4ded-b38b-235b98e3fd09
+
+ Sunset - Symantec Endpoint Protection 12.1 Managed Client STIG - Ver 1, Rel 4
+
+ Download
+
+ 312.81 KB
+
+ Download Action
+
+ d33b645b-aadc-4fb0-b854-9225b590c31e
+
+ Sunset - Symantec Endpoint Protection 12.1 Overview - Ver 1, Rel 1
+
+ Download
+
+ 224.25 KB
+
+ Download Action
+
+ 0609f8e7-ba51-4e34-9d81-3967fd3c1e60
+
+ Sunset - VMware AirWatch v9.x MDM STIG - Ver 1, Rel 2
+
+ Download
+
+ 888.85 KB
+
+ Download Action
+
+ 4b4ddf65-e853-4efa-9b11-0f642dba6d6a
+
+ Sunset - VMWare ESX 3 Policy STIG - Ver 1, Rel 2
+
+ Download
+
+ 302.4 KB
+
+ Download Action
+
+ 887250a0-2646-4dc3-9ca7-71da97c207a0
+
+ Sunset - VMware ESX 3 Server STIG - Ver 1, Rel 2
+
+ Download
+
+ 441.18 KB
+
+ Download Action
+
+ a9a280c6-671e-41ae-854e-72d1650a495e
+
+ Sunset - VMware ESX 3 Virtual Center STIG - Ver 1, Rel 2
+
+ Download
+
+ 326.67 KB
+
+ Download Action
+
+ 58f93157-cd2d-4cc9-b3cb-e4422669d6ad
+
+ Sunset - VMware ESX 3 Virtual Machine STIG - Ver 1, Rel 2
+
+ Download
+
+ 310.92 KB
+
+ Download Action
+
+ d2a14ab6-e250-4726-9b00-ea1e9699a0cb
+
+ Sunset - VMware ESXi 5 Server STIG - Version 2, Release 1
+
+ Download
+
+ 883.35 KB
+
+ Download Action
+
+ e94bdc1b-f0a1-454b-ac75-0258317636e3
+
+ Sunset - VMware ESXi 5 vCenter Server STIG - Version 2, Release 1
+
+ Download
+
+ 889.34 KB
+
+ Download Action
+
+ e9e48224-e3ce-4e83-bfb6-5a77861ce264
+
+ Sunset - VMware ESXi 5 Virtual Machine STIG - Version 2, Release 1
+
+ Download
+
+ 812.4 KB
+
+ Download Action
+
+ 034ef28c-162b-40ae-9ece-0c7056483b22
+
+ Sunset - VMware vSphere 6.0 ESXi STIG - Ver 1, Rel 5
+
+ Download
+
+ 699.63 KB
+
+ Download Action
+
+ 01c31b41-ffcc-4a61-a4e5-41a69620562e
+
+ Sunset - VMware vSphere 6.0 vCenter Server for Windows STIG - Ver 1, Rel 4
+
+ Download
+
+ 459.52 KB
+
+ Download Action
+
+ df8bfd19-68dd-41d6-b5d4-478ecf67f4cd
+
+ Sunset - VMware vSphere 6.0 Virtual Machine STIG - Ver 1, Rel 1
+
+ Download
+
+ 260.33 KB
+
+ Download Action
+
+ cba2a34d-15a7-449f-a817-4a53607d9dfa
+
+ Sunset - Apache 2.0 UNIX STIG - Ver 1, Rel 5
+
+ Download
+
+ 494.16 KB
+
+ Download Action
+
+ 4e47dfed-cc86-401e-b513-9690332061f1
+
+ Sunset Tanium 6.5 STIG - Ver 1, Rel 3
+
+ Download
+
+ 652.25 KB
+
+ Download Action
+
+ acf85d6e-2a92-42c3-b483-7e165aefc22c
+
+ Sunset-CMD Policy STIG - Ver 2, Rel 5
+
+ Download
+
+ 278.93 KB
+
+ Download Action
+
+ dce6bab9-f2c8-4a37-935c-a0e6e46b7910
+
+ Sunset-McAfee VirusScan 8.8 Managed Client STIG Benchmark - Ver 1, Rel 3
+
+ Download
+
+ 25.45 KB
+
+ Download Action
+
+ 4b4c21fc-b72b-485c-aed5-2f485b7dc88f
+
+ Sunset-MDM Server Policy STIG - Ver 2, Rel 5
+
+ Download
+
+ 639.29 KB
+
+ Download Action
+
+ 3cfd80b7-b4fa-4d95-9e98-4181d85a8eaa
+
+ Sunset-Mobile Device Policy STIG - Ver 2, Rel 6
+
+ Download
+
+ 590.68 KB
+
+ Download Action
+
+ 6d7da529-21b6-442f-bd49-47062d44f400
+
+ SUSE Linux Enterprise Server 12 STIG - Ver 2, Rel 8
+
+ Download
+
+ 741.32 KB
+
+ Download Action
+
+ 172da517-f526-4e6f-8ff2-14eded302a55
+
+ SUSE Linux Enterprise Server 15 STIG - Ver 1, Rel 8
+
+ Download
+
+ 924.42 KB
+
+ Download Action
+
+ 1d8048bc-100d-4e5c-8036-12a9ec10573f
+
+ SUSE Linux Enterprise Server (SLES) 15 STIG for Ansible - Ver 1 Rel 8
+
+ Download
+
+ 346.16 KB
+
+ Download Action
+
+ c51ae7fe-22a1-4210-bdc7-3166ebb7904e
+
+ Tanium 7.0 STIG Ver 1, Rel 2
+
+ Download
+
+ 694.53 KB
+
+ Download Action
+
+ caaf4944-4b04-48e9-a8d6-4e1e1f5087ba
+
+ Tanium 7.3 STIG - Ver 2, Rel 2
+
+ Download
+
+ 1.81 MB
+
+ Download Action
+
+ dbe63c18-c7a3-4514-8365-fe4328e1312a
+
+ Traditional Security Checklist - Ver 2, Rel 2
+
+ Download
+
+ 521.64 KB
+
+ Download Action
+
+ 07b992c1-bac5-41bc-9341-566a078e8c1c
+
+ Trend Micro Deep Security 9.x STIG Ver 1, Rel 1
+
+ Download
+
+ 286.13 KB
+
+ Download Action
+
+ 6d0448ba-00c1-455c-8915-d1045fb9dbb4
+
+ Sunset - Video Services Policy STIG - Ver 1, Rel 12
+
+ Download
+
+ 1.44 MB
+
+ Download Action
+
+ b12e9e1f-b76d-4657-9619-28217f482ee0
+
+ Virtual Private Network SRG - Version 2, Release 4
+
+ Download
+
+ 747.39 KB
+
+ Download Action
+
+ 1e309614-ca49-459d-8286-d99d171b5c2d
+
+ VMware Horizon 7.13 STIG - Ver 1, Rel 1
+
+ Download
+
+ 850.6 KB
+
+ Download Action
+
+ a54944ea-c446-4e67-b9eb-ab47bcbc3f47
+
+ VMware NSX Distributed Logical Router STIG, Ver 1
+
+ Download
+
+ 250.55 KB
+
+ Download Action
+
+ 0a1f367b-96d2-4d8f-a10b-5af67dfb1bf6
+
+ VMware NSX Manager STIG, Ver 1
+
+ Download
+
+ 261.53 KB
+
+ Download Action
+
+ 4a6276fb-7ed6-4fb5-86c8-05139f307338
+
+ VMware NSX STIG Overview, Ver 1
+
+ Download
+
+ 90.18 KB
+
+ Download Action
+
+ 42cbdb3d-f82d-4d5e-9246-0881db536be5
+
+ VMware NSX-T Data Center STIG
+
+ Download
+
+ 5.29 MB
+
+ Download Action
+
+ ffcd0545-df4a-48a5-8e94-b25b82afa197
+
+ VMWare vRealize Operations Manager Cassandra STIG - Ver 1, Rel 1
+
+ Download
+
+ 357.2 KB
+
+ Download Action
+
+ ac280cec-34ac-4901-a67d-9374b5f7d80b
+
+ VMware vSphere 6.5 STIG for Ansible - Ver 1, Rel 2
+
+ Download
+
+ 490.76 KB
+
+ Download Action
+
+ 2b43ee91-a488-4f82-9260-3dbfa6fd867b
+
+ VMware Workspace ONE UEM STIG- Ver 2, Rel 1
+
+ Download
+
+ 1.01 MB
+
+ Download Action
+
+ b111a292-bd0d-4cfc-b535-5fd6ccbccd57
+
+ Sunset - Voice Video Endpoint SRG - Ver 2, Rel 2
+
+ Download
+
+ 644.96 KB
+
+ Download Action
+
+ 2898f6b6-ff1b-4ca1-935b-c97decbd6e89
+
+ Sunset - Voice/Video over Internet Protocol (VVoIP) STIG - Ver 3, Rel 15
+
+ Download
+
+ 7.12 MB
+
+ Download Action
+
+ 2ac9f8db-2746-46fb-82c3-1f6c2f1ce454
+
+ Sunset - Voice Video Services Policy Security STIG - Ver 3, Rel 18
+
+ Download
+
+ 7.13 MB
+
+ Download Action
+
+ 247bf02e-aacc-48b7-957a-aae9ffa173fb
+
+ Sunset - Voice Video Session Management SRG - Ver 2, Rel 2
+
+ Download
+
+ 823.34 KB
+
+ Download Action
+
+ 5d582f2a-92bd-4ce1-8afe-ad12c2827a2f
+
+ Web Server SRG - Ver 3, Rel 1
+
+ Download
+
+ 768.04 KB
+
+ Download Action
+
+ 827be6bc-064d-4c5e-b32f-84f668da1ab0
+
+ zOS RACF Products - Ver 6, Rel 55
+
+ Download
+
+ 8.14 MB
+
+ Download Action
+
+ 8f83ef04-084b-4f44-b0d7-ce2afb20d305
+
+ Zebra Android 11 COBO STIG - Ver 1, Rel 2
+
+ Download
+
+ 587.48 KB
+
+ Download Action
+
+ 29a075d4-87d5-4309-bc9e-f8473b1c47eb
+
+ Sunset - Apache 2.0 Windows STIG - Ver 1, Rel 5
+
+ Download
+
+ 494.44 KB
+
+ Download Action
+
+ 53bb6d2d-7cd0-4ad9-8918-71f6adc49550
+
+ Sunset - Solaris 9 SPARC STIG Benchmark - Ver 1, Rel 12
+
+ Download
+
+ 56.53 KB
+
+ Download Action
+
+ 344ab208-3f77-4e81-902b-553319daba47
+
+ Apple iOS/iPadOS 16 STIG - Ver 1, Rel 1
+
+ Download
+
+ 2.13 MB
+
+ Download Action
+
+ 66c232cd-46f2-49a4-9e21-8d4e97e8b926
+
+ AvePoint DocAve 6 STIG - Ver 1, Rel 2
+
+ Download
+
+ 841.07 KB
+
+ Download Action
+
+ 1f3fd01d-4f76-4720-bea5-eda492a4b04b
+
+ BlackBerry Enterprise Mobility Server (BEMS) 3.x STIG - Ver 1, Rel 1
+
+ Download
+
+ 1.79 MB
+
+ Download Action
+
+ 1815c8ef-fdf1-455e-b240-9ba594700454
+
+ Cloud Computing Mission Owner Draft SRG - Ver 1, Rel 0.1
+
+ Download
+
+ 550.89 KB
+
+ Download Action
+
+ dd0fa2b0-9296-4ef5-99bb-79f84735e39f
+
+ Google Android 13 STIG - Ver 1, Rel 1
+
+ Download
+
+ 3.89 MB
+
+ Download Action
+
+ 17652044-9449-434e-9f40-258ddc8268ca
+
+ MariaDB Enterprise 10.x STIG - Ver 1, Rel 2
+
+ Download
+
+ 1.55 MB
+
+ Download Action
+
+ bdebd64f-7df1-43df-9521-d28246a0c928
+
+ McAfee Virus Scan 8.8 Overview - Ver 5, Rel 7
+
+ Download
+
+ 450.86 KB
+
+ Download Action
+
+ 3fb21c64-3e8e-42ad-819e-45f06e0e861d
+
+ Microsoft Azure SQL Database STIG - Ver 1, Rel 1
+
+ Download
+
+ 869.22 KB
+
+ Download Action
+
+ 6ded8db8-9a2d-47e4-a902-0601b9e3e1fc
+
+ Microsoft Windows 11 STIG - Ver 1 Rel 2
+
+ Download
+
+ 948.64 KB
+
+ Download Action
+
+ 72a2cd10-80dc-4f53-8d4f-586e63755535
+
+ Microsoft Windows 11 STIG Benchmark - Ver 1, Rel 1
+
+ Download
+
+ 94.76 KB
+
+ Download Action
+
+ fbca8263-c28a-4d76-bfb4-0119a550903c
+
+ Microsoft Windows Server 2022 - Ver 1, Rel 1
+
+ Download
+
+ 1.57 MB
+
+ Download Action
+
+ 6a288f4c-999e-4dc8-8803-db2189f0fd43
+
+ Microsoft Windows Server 2022 SCAP Draft STIG Benchmark - Ver 1, Rel 0.1
+
+ Download
+
+ 71.26 KB
+
+ Download Action
+
+ a852b9a8-f3cc-44d2-878b-c69dcbda6eaf
+
+ Oracle Linux 8 STIG for Ansible - Ver 1, Rel 4
+
+ Download
+
+ 398.84 KB
+
+ Download Action
+
+ 7df98089-a01c-4bd2-a281-246d0b44f11c
+
+ Palo Alto Networks Prisma Cloud Compute STIG - Ver 1, Rel 2
+
+ Download
+
+ 1.5 MB
+
+ Download Action
+
+ 09c4d5aa-820b-4827-9f4b-bcc998a78b8a
+
+ Rancher Government Solutions RKE2 STIG - Ver 1, Rel 1
+
+ Download
+
+ 909.72 KB
+
+ Download Action
+
+ a55e8328-31e7-4c7b-8641-8763c6b6bece
+
+ Red Hat Enterprise Linux 8 STIG for Chef - Ver 1, Rel 7
+
+ Download
+
+ 453.2 KB
+
+ Download Action
+
+ 535dd983-0961-4fd0-b7d8-edb11075f540
+
+ Samsung Android 13 with Knox 3.x STIG - Ver 1, Rel 1
+
+ Download
+
+ 1.15 MB
+
+ Download Action
+
+ 3ff26216-81a7-44d6-8485-a10ec9722e08
+
+ SPEC Innovations Innoslate 4.x STIG - Ver 1, Rel 1
+
+ Download
+
+ 848.83 KB
+
+ Download Action
+
+ d97af952-97f6-4e06-b62e-7b96c3384676
+
+ Splunk Enterprise 8.x For Linux STIG - Ver 1, Rel 3
+
+ Download
+
+ 3.44 MB
+
+ Download Action
+
+ c5521bd2-84d7-4baa-b2dd-3eac93c2f8db
+
+ Sunset - HP-UX 11.31 STIG Benchmark - Ver 1, Rel 17
+
+ Download
+
+ 109.21 KB
+
+ Download Action
+
+ 7a0dda60-1dd4-4ebe-baf0-3a5de700fde8
+
+ Sunset - Microsoft Windows 2008 DC STIG Benchmark - Ver 6, Rel 45
+
+ Download
+
+ 99.29 KB
+
+ Download Action
+
+ 69bc9388-16f1-4cb0-841b-eb4a4a488e1b + + Sunset - Microsoft Windows 2008 MS STIG Benchmark - Ver 6, Rel 45 + + Download + + 96.55 KB + + Download Action +
+ 36161e28-70bc-40be-82ac-aea159ec399e + + Sunset - Microsoft Windows 7 STIG Benchmark - Ver 1, Rel 36 + + Download + + 130.68 KB + + Download Action +
+ 56e5caf7-bcc2-4458-bf43-46db098dabaa + + Sunset - Microsoft Windows 8/8.1 STIG Benchmark - Ver 1, Rel 22 + + Download + + 143.43 KB + + Download Action +
+ c99f4a6c-f0cd-4617-9063-6cae80ed34d9 + + Tanium 7.x on TanOS STIG - Ver 1, Rel 1 + + Download + + 1.72 MB + + Download Action +
+ bfeabb0e-42e7-4042-bb1a-4eff351785f0 + + Tanium 7.x STIG - Ver 1, Rel 2 + + Download + + 1.65 MB + + Download Action +
+ 1ef7d99c-7d20-447c-9e82-9352c1af369b + + Traditional Security Checklist - Ver 2, Rel 3 + + Download + + 754.97 KB + + Download Action +
+ 48bc9106-f18d-4610-baa4-681adfa6ccb6 + + z/OS SRR Scripts - Ver 6, Rel 55 + + Download + + 1.85 MB + + Download Action +
+ 214552bb-c351-4631-9820-800c2c2c2218 + + zOS ACF2 Products - Ver 6, Rel 55 + + Download + + 8.87 MB + + Download Action +
+ bd058009-9c71-4e14-b8f9-38318b35eefb + + zOS TSS Products - Ver 6, Rel 55 + + Download + + 8.06 MB + + Download Action +
+ 54b44609-b6ee-4d03-9aa4-aeb0f79bf3a5 + + Apache Server 2.4 UNIX STIG + + Download + + 1.64 MB + + Download Action +
+ 3a4ae492-3613-4d03-89ca-b341098db701 + + Apache Server 2.4 Windows STIG + + Download + + 1.63 MB + + Download Action +
+ 871463e1-6dbf-43fe-b084-920ce140fa63 + + Arista MLS DCS-7000 Series STIG + + Download + + 943.56 KB + + Download Action +
+ d15383f7-01a5-4508-8f3d-3fa6c3364d36 + + CCI List + + Download + + 415.78 KB + + Download Action +
+ f641358c-ffb5-4ee7-9020-7b88bba2dc9a + + CCI Specification + + Download + + 112.14 KB + + Download Action +
+ dbb5db7a-5d0b-4765-ad44-f922951be150 + + Cisco ASA STIG + + Download + + 924.99 KB + + Download Action +
+ 9c15a771-80b4-4f33-bab3-3837e82c7e8c + + Cisco IOS Router STIG + + Download + + 1.66 MB + + Download Action +
+ c4f4cf31-41cd-419b-b3c5-8a1fb89a31d1 + + Cisco IOS Switch STIG + + Download + + 1.72 MB + + Download Action +
+ c838d855-eeb2-4d06-add7-84b02aa668cd + + Cisco IOS-XE Router STIG + + Download + + 1.67 MB + + Download Action +
+ 27fb5440-d241-43b7-b79e-9b10fe1a812a + + Cisco IOS-XE Switch STIG + + Download + + 1.73 MB + + Download Action +
+ 8c75c08c-9f2f-4f5c-961c-96993fa20ee5 + + Cisco IOS-XR Router STIG + + Download + + 1.61 MB + + Download Action +
+ 10b23e1e-7075-476c-a84b-0d8c023b2043 + + Cisco ISE STIG + + Download + + 2.29 MB + + Download Action +
+ 5ed7ebee-003f-49c6-8df9-40b400ceb855 + + Cisco NX-OS Switch STIG + + Download + + 1.68 MB + + Download Action +
+ dd640ab1-9b0a-435a-803c-cb226c5b258b + + Citrix Virtual Apps and Desktops (VAD) 7.x STIG + + Download + + 1.23 MB + + Download Action +
+ 59f1efcd-fa58-4e86-8728-b4f467939f9d + + Citrix XenDesktop 7.x STIG + + Download + + 1014.39 KB + + Download Action +
+ ae1aea1f-a88a-4720-a87b-95aaba651612 + + Compilation - SRG-STIG Library + + Download + + 260.23 MB + + Download Action +
+ 824374a9-503c-4994-bdee-586318b7a9ce + + F5 BIG-IP 11.x STIG + + Download + + 1.3 MB + + Download Action +
+ 63130a1a-0888-4257-a71a-c67e89dfb696 + + Forescout STIG + + Download + + 93.37 KB + + Download Action +
+ 13947dd2-2075-4b49-adaa-325585b2ca32 + + Fortinet FortiGate Firewall STIG + + Download + + 1005.36 KB + + Download Action +
+ c4598f98-0efe-4d4f-9217-df75f6b8e6ef + + Google Android 11 STIG + + Download + + 3.15 MB + + Download Action +
+ ecdc9230-adab-4339-89fb-d732daf6497a + + Google Android 12 STIG - Ver 1, Rel 1 + + Download + + 1.61 MB + + Download Action +
+ fbafb2ec-1359-4551-a7bc-bb03cd080845 + + Group Policy Objects (GPOs) - October 2022 + + Download + + 6.72 MB + + Download Action +
+ 891730ec-35f5-46f5-a8c4-a16a2cab5362 + + Honeywell Android 9.x STIG + + Download + + 948 KB + + Download Action +
+ d194f807-e99d-4922-acae-a21864218d40 + + HP FlexFabric Switch STIG + + Download + + 906.13 KB + + Download Action +
+ 84509f17-d404-4f0f-98d7-dbb8200d6178 + + HPE 3PAR StoreServ OS STIG - Ver 1, Rel 1 + + Download + + 882.73 KB + + Download Action +
+ e73d6150-fa73-4e98-9a81-64759831a6c3 + + IBM z/OS STIG + + Download + + 2.07 MB + + Download Action +
+ 579eb02e-8bcc-4959-88f0-9ac2177d824d + + Ivanti MobileIron Sentry 9.x STIG - Ver 1 Rel 1 + + Download + + 1.52 MB + + Download Action +
+ ee5fec36-6871-4297-b533-7b2ab477f8fe + + Juniper EX Series Switches STIG + + Download + + 990.08 KB + + Download Action +
+ 72657804-a3b8-41eb-aea2-1d53ee61b507 + + Juniper Router STIG + + Download + + 1 MB + + Download Action +
+ 1f7d8b58-9f43-4d31-8324-3a00bd47a9b3 + + Juniper SRX Services Gateway STIG + + Download + + 1.05 MB + + Download Action +
+ 29a32fce-2455-40fa-b4fb-0ec04acb167e + + Microsoft Android 11 STIG + + Download + + 1.71 MB + + Download Action +
+ 5c326280-0b6a-44d7-b111-22ba9f0b1905 + + Microsoft Exchange 2013 STIG + + Download + + 1.79 MB + + Download Action +
+ 314d7178-c20c-454c-86db-5c2321282d65 + + Microsoft Exchange 2016 STIG + + Download + + 685.44 KB + + Download Action +
+ f6e38a84-2313-4b54-a190-0d3d7eac930c + + Microsoft IIS 10.0 STIG + + Download + + 1.11 MB + + Download Action +
+ dac8a428-4e15-4b05-adbf-2cd8909d2924 + + Microsoft IIS 8.5 STIG + + Download + + 799.95 KB + + Download Action +
+ c9a9d328-089d-468e-9ce4-9dca211785d8 + + Motorola Android 9.x STIG + + Download + + 2.95 MB + + Download Action +
+ a1f6480f-cf97-4817-9144-4fc7b5694cce + + MS SQL Server 2014 STIG + + Download + + 1 MB + + Download Action +
+ e9297957-df3b-429e-878a-f50565f7d4ea + + MS SQL Server 2016 STIG + + Download + + 915.01 KB + + Download Action +
+ c7bd3803-2b82-4273-bcad-1d5ec9888971 + + Network WLAN STIG + + Download + + 894.74 KB + + Download Action +
+ 965f2e4b-7150-4fc9-b612-cd987d8b4670 + + Palo Alto Networks STIG + + Download + + 906.54 KB + + Download Action +
+ 73e4f9b8-1175-426d-b97d-81d3056b2c58 + + Riverbed SteelHead CX v8 STIG + + Download + + 699.84 KB + + Download Action +
+ 68242a42-d18f-4a2d-b6ad-e77bda61ae92 + + Samsung Android 11 Knox 3.x + + Download + + 3.39 MB + + Download Action +
+ 4d531447-580f-4e5c-ac0f-41c75a18ebc9 + + Samsung Android 12 with Knox 3.x STIG + + Download + + 1.45 MB + + Download Action +
+ 95d27d65-3fe1-4b8f-8250-4afd85df7338 + + SCC 5.6 Mac OS X x86 64 + + Download + + 41.1 MB + + Download Action +
+ f6742777-44ec-4318-9ea7-0ba1f393a27b + + SCC 5.6 Raspbian 11 ARMv7 + + Download + + 78.41 MB + + Download Action +
+ fe95cadf-c35e-4696-9045-19845eb81ed0 + + SCC 5.6 Raspbian 8 ARMv7 + + Download + + 74.93 MB + + Download Action +
+ aa7c8587-54e8-4f9f-ba6f-a405c9b47e4c + + SCC 5.6 RHEL 6 i686 + + Download + + 82.26 MB + + Download Action +
+ 8454181f-bf78-4739-a4a9-c6d34c6774e9 + + SCC 5.6 RHEL 6 x86 64 + + Download + + 83.34 MB + + Download Action +
+ 649d2262-7120-42cd-8f37-d3b266ee2a79 + + SCC 5.6 RHEL 7/Oracle Linux 7/SLES12 x86 64 + + Download + + 81.84 MB + + Download Action +
+ aca5160a-be14-418e-92f4-65f5afdaf7cf + + SCC 5.6 RHEL 8/Oracle Linux 8 Aarch64 + + Download + + 81.77 MB + + Download Action +
+ 24cdb0d1-43dd-4a4f-b0d5-6e1b89dd8961 + + SCC 5.6 RHEL 8/Oracle Linux 8 x86 64 + + Download + + 76.96 MB + + Download Action +
+ fd4effc8-2fb1-44dc-93ce-cf15b3b794fa + + SCC 5.6 RHEL 9/Oracle Linux 9 x86 64 + + Download + + 90.54 MB + + Download Action +
+ a793f58b-d9a2-4b67-b3f6-7fedd15aad7c + + SCC 5.6 RPM GPG key + + Download + + 1.48 KB + + Download Action +
+ 6fc9f154-cf82-4e61-bac1-34a9d659f268 + + SCC 5.6 Solaris 10 i386 + + Download + + 85.44 MB + + Download Action +
+ 51968e30-c82b-4727-a36b-5335ba7c2145 + + SCC 5.6 Solaris 10 SPARC + + Download + + 71.09 MB + + Download Action +
+ 3b54e85e-ecd6-4035-b05e-0bde1e195bb6 + + SCC 5.6 Solaris 11 i386 + + Download + + 71.81 MB + + Download Action +
+ b5bb6de7-a5f8-44cf-8bb2-139cb05d1240 + + SCC 5.6 Solaris 11 SPARC + + Download + + 69.87 MB + + Download Action +
+ bee81b44-8a61-43df-ac44-71c71072684c + + SCC 5.6 Ubuntu 16 AMD64 + + Download + + 87.58 MB + + Download Action +
+ 05dc6020-63e6-48eb-94f2-e128c27680c7 + + SCC 5.6 Ubuntu 16 i686 + + Download + + 77.26 MB + + Download Action +
+ b52b24b3-e3f5-4724-8124-25453e34c66e + + SCC 5.6 Ubuntu 18/Ubuntu 20 AMD64 + + Download + + 90.43 MB + + Download Action +
+ 218a92cc-4e09-4f69-8ec2-91cf42ac6cb4 + + SCC 5.6 Ubuntu 20/Raspios-bulleye Aarch64 + + Download + + 76.97 MB + + Download Action +
+ 5057f760-6c4b-488a-a284-c71d0f243a17 + + SCC 5.6 UNIX Remote Scanning Plugin + + Download + + 369.48 MB + + Download Action +
+ 78381739-a36c-4ac2-b12f-927b9b9a563b + + SCC 5.6 Windows + + Download + + 152.38 MB + + Download Action +
+ 73b9669b-76d6-4e17-8cc6-274c6ace8a30 + + STIG Applicability Guide (BETA) - Linux v2.3.0 + + Download + + 88.11 MB + + Download Action +
+ 916c6b66-0faf-4448-bc61-0b71c118284c + + STIG Applicability Guide (BETA) - Windows MSI v2.3.0 + + Download + + 91.83 MB + + Download Action +
+ 3778695e-8900-4d41-9e19-df10ba7a84ae + + STIG Applicability Guide (BETA) - Windows v2.3.0 + + Download + + 92.24 MB + + Download Action +
+ f4f8707a-4879-43bc-b839-6776031cfb92 + + STIG Applicability Guide - Linux v1.9 + + Download + + 38.61 MB + + Download Action +
+ 9e24419f-f432-4a2e-9a97-68d280d2e302 + + STIG Applicability Guide - Windows v1.9 + + Download + + 36.88 MB + + Download Action +
+ b7d8d49f-66ca-423d-a688-d7c4ac57896d + + Sunset - Citrix XenApp STIG - Ver 1, Rel 1.4 + + Download + + 1.54 MB + + Download Action +
+ 4f640da9-a7fe-4966-a363-3e60caff592a + + Sunset - Enclave STIG - Ver 4, Rel 5 + + Download + + 637.07 KB + + Download Action +
+ e25da17f-8b80-4316-9e83-3a12b2be9adc + + Sunset - Microsoft IIS 7.0 STIG + + Download + + 1.17 MB + + Download Action +
+ 6ce7b292-e406-442f-b36f-39b8a7686b21 + + Sunset - Microsoft Windows 2008 Audit Benchmark + + Download + + 97.13 KB + + Download Action +
+ b730ee36-a81f-4d89-bc8f-4dce4561d4ad + + Sunset - Microsoft Windows 2008 R2 Audit Benchmark + + Download + + 108.77 KB + + Download Action +
+ 8cdd3b53-e490-4cfc-b5dc-7d737802f147 + + Sunset - Microsoft Windows 7 Audit Benchmark + + Download + + 111.06 KB + + Download Action +
+ c21786b3-5eac-4d03-87f6-2abb20ed9da6 + + Sunset - Microsoft Windows XP STIG Benchmark - Ver 6, Rel 1.34 + + Download + + 83.23 KB + + Download Action +
+ 83a70aa8-606a-4694-b306-cc90199496fe + + Sunset - Motorola Android 9 STIG + + Download + + 3.15 MB + + Download Action +
+ 812fc67b-776e-49ca-a855-ed54ce103dea + + Sunset - Oracle 10g Database STIG - Ver 8, Rel 1.11 + + Download + + 1.07 MB + + Download Action +
+ 62d06ecb-7d59-45f3-9b21-62594f4a0617 + + Sunset - Oracle 9 Database STIG - Ver 8, Rel 1.8 + + Download + + 1.24 MB + + Download Action +
+ 4d51e205-b159-4579-886b-028e494d3367 + + Sunset - Oracle Database 11g STIG - Version 9, Release 1 + + Download + + 1.14 MB + + Download Action +
+ 965d92a4-98a7-48e3-a39c-1361c08273e8 + + Sunset - Samsung Android OS 8 with Knox 3.x STIG + + Download + + 2.12 MB + + Download Action +
+ e97b551b-b1d2-4003-931f-8e13ad962b78 + + Sunset - Samsung Android OS9 Knox 3.x STIG + + Download + + 2.86 MB + + Download Action +
+ 2c56bf9c-be9d-4b7f-ac36-4f395f2f6400 + + Sunset - Wireless STIG - Ver 6, Rel 9 + + Download + + 1.09 MB + + Download Action +
+ 9a54e1a3-f822-4916-a397-3bb737f56abb + + Sunset - Zebra Android 10 STIG + + Download + + 1.76 MB + + Download Action +
+ 16c9eab2-69c5-434b-acc6-b2b92b2fc861 + + Sunset-McAfee VSEL 1.9/2.0 STIG + + Download + + 801.48 KB + + Download Action +
+ 4e27a452-e1f0-4923-abac-66c4189b1e8d + + Symantec ProxySG STIG + + Download + + 1.56 MB + + Download Action +
+ a23ebc2f-c2cf-46dc-b6b0-b55361d832ec + + Trend Micro TippingPoint STIG + + Download + + 1.69 MB + + Download Action +
+ 7ac5cf61-a55c-42ae-bc76-90011817a160 + + Unified Endpoint Manager (UEM) SRG + + Download + + 989.07 KB + + Download Action +
+ 8f245c97-ff49-40d5-a2d8-d128a6c7ed87 + + VMware vRealize Automation 7.x STIG + + Download + + 1.34 MB + + Download Action +
+ e086ed9f-80bb-43dd-8fec-11a7f54c36a6 + + VMware vRealize Ops 6.x STIG + + Download + + 970.78 KB + + Download Action +
+ e42a92a4-805d-4261-beb4-8aa468a9ffe3 + + VMware vSphere 6.5 STIG + + Download + + 1.09 MB + + Download Action +
+ 262ffc2e-56ce-414f-be1b-fe81ecf166b8 + + VMware vSphere 6.7 STIG + + Download + + 2.56 MB + + Download Action +
+
+ + + 
\ No newline at end of file
diff --git a/notes-on-data-processing.md b/notes-on-data-processing.md
new file mode 100644
index 000000000..9b12c69e5
--- /dev/null
+++ b/notes-on-data-processing.md
@@ -0,0 +1,82 @@ +# Things to review + +- https://github.com/agronholm/sqlacodegen +- https://github.com/graphql-python/graphene-sqlalchemy/tree/master/examples/flask_sqlalchemy + +// """ +// SQLAlchemy model class that represents the Benchmarks table. + +// Attributes: +// **tablename** (str): The name of the table this class represents. +// benchmark_id (sqlalchemy.sql.schema.Column): The primary key column of the table. +// version (sqlalchemy.sql.schema.Column): Column for the version of the benchmark. +// release (sqlalchemy.sql.schema.Column): Column for the release of the benchmark. +// release_date (sqlalchemy.sql.schema.Column): Column for the release date of the benchmark. +// type_id (sqlalchemy.sql.schema.Column): Foreign key column referencing the benchmark_type table. +// product_id (sqlalchemy.sql.schema.Column): Foreign key column referencing the Products table. +// author_id (sqlalchemy.sql.schema.Column): Foreign key column referencing the Organization table. +// sponsor_id (sqlalchemy.sql.schema.Column): Foreign key column referencing the Organization table. +// status_id (sqlalchemy.sql.schema.Column): Foreign key column referencing the Statuses table. +// """ + +General thought is to have a static dict in the parser module with some of these known vendors/organization +products. + +```json +Benchmark { + file_name: 'U.....', < have this + product_name:, < generated + short_name: < have -> SHORT STIGID RHEL_8_STIG + long_name: < have -> RedHat Enterprise Linux -> { vendor } + { product } + vendor:, < generated + version:, < have + release:, < have + release_date:, < have "" vs Benchmark_date ? find out how these differ + publisher:, < adding but have + type: -> easy identificd from multiple places, title filename etc. + status: add to module: accepted +} +``` + +```json +Organization { + short_name < have this usually in the header || or 'Fixme systle value' + long_name < added later after processs-- > default to 'fixme style value' + ... 
+} + +Author { + +} +``` + +Artifact Generation: + +( each of these is a entry in the artifacts table ) + +- have association with a owner and a benchmark + +1. XCCDF File < we got it ( automated ) +2. InSpec Profile JSON ( will make automated in py somehow ) + + + * lazy approach - make sure saf-cli is installed and have it create JSON + from the XCCDF-File + * med approach -> cross compline SAF JS/TS code to PY + +3. URI Location of the existing or to be made profile Stub ( github location ) + + + ## USER UDPATED LATER + +4. originial zip file form processing + +# would like to have for history and easy access + +5. InSpec Profile STUBS location ( uri ) + + + - 1) generate single file stubs + - 2) gendrate mulitefile stub -> tar or zip -> store the tar or zip in BLOB + +https://dassum.medium.com/building-rest-apis-using-fastapi-sqlalchemy-uvicorn-8a163ccf3aa1 diff --git a/requirements.txt b/requirements.txt index d779dbe0d..558e10eda 100644 --- a/requirements.txt +++ b/requirements.txt @@ -1,2 +1,8 @@ bs4 -requests \ No newline at end of file +requests +wheel +ipdb +stig_parser==1.1.1 +libsql_client +sqlalchemy +pytest diff --git a/scripts/database/mitre-saf-security-benchmarks.dbml b/scripts/database/mitre-saf-security-benchmarks.dbml new file mode 100644 index 000000000..f3151e313 --- /dev/null +++ b/scripts/database/mitre-saf-security-benchmarks.dbml 
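Review bot: Only `stig_parser==1.1.1` is pinned in the new requirements.txt; `wheel`, `ipdb`, `libsql_client`, `sqlalchemy` and `pytest` (like the pre-existing `bs4` and `requests`) float to whatever the index serves at install time, so a build is not reproducible and a newly published or substituted release is picked up without anyone noticing. Pin every entry to an exact version (`sqlalchemy==<version>` and so on) or generate a lock file with hashes (pip-tools `pip-compile --generate-hashes`) so `pip install --require-hashes` can verify what it fetches. `ipdb` and `pytest` are development-only tools and belong in a separate dev requirements file rather than the runtime environment. The `bs4` entry is a stub distribution whose only job is to install `beautifulsoup4`; depending on `beautifulsoup4` directly, pinned, removes one indirection from the supply chain.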
@@ -0,0 +1,176 @@
+Project MITRE_SAF_Security_Guidance {
+ database_type: 'SQLite'
+ Note: '''
+ # Security Guidance Database
+ **markdown content here**
+ '''
+}
+Table Organization {
+ organization_id int [pk, increment, not null, note: "organization identifier"]
+ short_name varchar [not null]
+ uri varchar
+ email varchar
+ long_name varchar [not null]
+}
+
+Table artifact_types {
+ type_name varchar [not null]
+ artifact_type_id int [pk, increment, not null]
+ description text
+}
+
+Table benchmark_type {
+ short_name varchar [not null]
+ description text [not null]
+ benchmark_type_id int [pk, increment, not null]
+ long_name varchar [not null]
+}
+
+Table Artifact {
+ artifact_id int [pk, increment, not null]
+ name varchar [not null]
+ location varchar [not null]
+ created_at date [not null]
+ secondary_location varchar
+ raw_data blob
+ type_id int [not null, ref: > artifact_types.artifact_type_id]
+ organization_id int [not null, ref: > Organization.organization_id]
+}
+
+Table Products {
+ product_id int [pk, not null]
+ long_name varchar [not null]
+ short_name varchar [not null]
+ version real [not null]
+ release int [not null]
+ author_id int [not null, ref: > Organization.organization_id]
+ owner_id int [not null, ref: > Organization.organization_id]
+
+ Note: '''
+ # Products Table
+ Collection of Product that are stored in the database.
+
+ A Benchmarks `status`, `type`, `product`, `author` and `sponsor` all come from entries in the supporting database tables.
+
+ ### Table Constraints
+ #### [Must be added on the SQL Code side until DBML supports them]
+ 1. A Benchmark should only belong to one Author, Product, Version, Release
+ 2. A Benchmark may have an Author, Product, Version, Release with different Status
+ 3. A Benchmark usually should not hae a (Product, Version, Release, Status ...) with different Authors or Sponsors
+
+ ### Column Constraints
+ #### [Must be added on the SQL Code side until DBML supports them]
+ - (`benchmark_id`,`product_id`,'version','release') [BPVR] is UNIQUE
+ '''
+}
+
+Table Statuses {
+ status_id int [
+ pk,
+ increment,
+ not null,
+ note: 'Primary Key for the status.']
+ name varchar [
+ not null,
+ note: 'Text based name of the status.']
+
+ Note: '''
+ # Statuses Table
+ Collection of statuses that show the current working state of the Benchmark or Artifact.
+
+ Valid entries are:
+ - 'Draft', WIP', 'In Review'
+ - 'Published', 'Final'
+ - 'Sunset'
+ '''
+}
+
+Table Benchmarks {
+ benchmark_id int [
+ pk,
+ increment,
+ not null,
+ note: 'The `id` of the Benchmark']
+ version smallint [
+ not null,
+ note: 'The major `version` of the published Benchmark']
+ release smallint [
+ not null,
+ note: 'The release of the published Benchmark']
+ release_date date [
+ not null,
+ note: 'The `release_date` the Benchmark was published']
+ status_id int [
+ not null,
+ ref: > Statuses.status_id,
+ note: 'The publication status of the Benchmark']
+ type_id int [
+ not null,
+ ref: > benchmark_type.benchmark_type_id,
+ note: 'The type of the Benchmark']
+ product_id int [
+ not null,
+ ref: > Products.product_id,
+ note: 'The Product this Benchmark is related to']
+ author_id int [
+ not null,
+ ref: > Organization.organization_id,
+ note: 'The authoring Team or Organization that created this Benchmark']
+ sponsor_id int [
+ not null,
+ ref: > Organization.organization_id,
+ note: 'The Organization that supported or sponsored the development of the Benchmark']
+
+ Note: '''
+ # Benchmarks Table
+ Collection of Benchmarks that are stored in the database. A benchmark has a `benchmark_id` `version`, `release`, `release_date`.
+
+ A Benchmarks `status`, `type`, `product`, `author` and `sponsor` all come from entries in the supporting database tables.
+
+ ### Table Constraints
+ #### [Must be added on the SQL Code side until DBML supports them]
+ 1. A Benchmark should only belong to one Author, Product, Version, Release
+ 2. A Benchmark may have an Author, Product, Version, Release with different Status
+ 3. A Benchmark usually should not hae a (Product, Version, Release, Status ...) with different Authors or Sponsors
+
+ ### Column Constraints
+ #### [Must be added on the SQL Code side until DBML supports them]
+ - (`benchmark_id`,`product_id`,'version','release') [BPVR] is UNIQUE
+
+ ### Column Checks
+ #### [Must be added on the SQL Code side until DBML supports them]
+ - `status_id`,`type_id`,`product_id`,`author_id`,`sponsor_id` all need
+ '''
+}
+
+Table benchmark_artifacts {
+
+ default int2 [
+ note: 'Marks the artifact as the `default` (0,NULL or 1) for the Benchmark']
+ benchmark_id int [
+ pk,
+ not null, ref: > Benchmarks.benchmark_id,
+ note: 'The `benchmark_id` the artifact relates to']
+ artifact_id int [
+ pk, not null,
+ ref: > Artifact.artifact_id,
+ note: 'The `artifact_id` we are linking to the referenced Benchmark']
+
+ Note: '''
+ # benchmark_artifacts table
+ #### [Linking Table between Benchmark and Artifact]
+
+ Collection of artifacts associated with a Benchmark by (`benchmark_id`,`artifact_id`).
+
+ ### Table Properties
+ - `default`: An `INT(2)` to mark an artifact as the `default` or `primary` Artifact related to this Benchmark.
+
+ ### Table Constraints:
+ #### [Must be added on the SQL Code side until DBML supports them]
+ - (`benchmark_id`,`artifact_id`,'default') is UNIQUE as only one artifact can be the 'default' artifact for a given Benchmark.
+
+ ### Column Constraints:
+ #### [Must be added on the SQL Code side until DBML supports them]
+ - (`benchmark_id`,`artifact_id`) is UNIQUE since an Artifact can only belong to one Benchmark.
+ '''
+}
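Review bot: The constraint the benchmark_artifacts note promises, `(benchmark_id, artifact_id, 'default') is UNIQUE`, cannot enforce one default artifact per Benchmark: `(benchmark_id, artifact_id)` is already the composite primary key, so a second row for the same benchmark with a different artifact and `default = 1` is still accepted. The intent is a partial unique index on `benchmark_id` restricted to `default = 1` (in SQLite, e.g. `CREATE UNIQUE INDEX one_default_per_benchmark ON benchmark_artifacts(benchmark_id) WHERE "default" = 1`) together with a `CHECK ("default" IN (0, 1))` for the `(0, NULL or 1)` domain the column note describes, and `default` is a reserved word that must be quoted wherever the SQL is generated. The Products note is a verbatim copy of the Benchmarks note — it describes Benchmark constraints and a `(benchmark_id, product_id, version, release)` key although Products has no `benchmark_id` — so it should state the Products table's own rules. `Products.version` is `real` while `Benchmarks.version` is `smallint`; a floating-point column cannot distinguish version `1.1` from `1.10`, so an integer or text column is needed. The Benchmarks "Column Checks" bullet ends mid-sentence at `all need` and should say what the five foreign keys require.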
diff --git a/scripts/database/mitre-saf-security-benchmarks.dmm b/scripts/database/mitre-saf-security-benchmarks.dmm
new file mode 100644
index 000000000..5848cc011
--- /dev/null
+++ b/scripts/database/mitre-saf-security-benchmarks.dmm
@@ -0,0 +1,1669 @@ +{ + "tables": { + "c8ba4433-bd1b-468b-b33e-d5c50f1f2b40": { + "id": "c8ba4433-bd1b-468b-b33e-d5c50f1f2b40", + "visible": true, + "name": "Benchmarks", + "desc": "A collection of Security Benchmarks that are publied by Autors", + "estimatedSize": "", + "cols": [ + { + "id": "1d76151a-b0c8-4b0a-8400-f244d48a92d6", + "name": "benchmark_id", + "datatype": "INTEGER", + "param": "", + "pk": true, + "nn": true, + "comment": "[autogenerated] Autogenerated primary key of the vendor published security guidance document", + "defaultvalue": "", + "data": "1,2,3", + "after": "", + "collation": "", + "sqlite": { + "autoincrement": true + }, + "estimatedSize": "", + "fk": false + }, + { + "id": "f428635d-6ccc-4a7f-8649-0c02987ec283", + "name": "version", + "datatype": "SMALLINT", + "param": "", + "pk": false, + "nn": true, + "comment": "The benchmark version number ", + "defaultvalue": "", + "data": "1,2,3", + "after": "", + "sqlite": { + "autoincrement": false + }, + "estimatedSize": "" + }, + { + "id": "b00c4bcd-d3ba-4d03-bdcd-cd72c2e48b07", + "name": "release", + "datatype": "SMALLINT", + "param": "", + "pk": false, + "nn": true, + "comment": "The benchmark release number", + "defaultvalue": "", + "data": "", + "after": "", + "sqlite": { + "autoincrement": false + }, + "estimatedSize": "" + }, + { + "id": "8f7d58d8-8560-4bb5-946a-6784a261d0d3", + "name": "release_date", + "datatype": "DATE", + "param": "", + "pk": false, + "nn": true, + "comment": "The date that the benchmark was published by the Autor", + "defaultvalue": "", + "data": "01/02/2023", + "after": "", + "sqlite": { + "autoincrement": false + }, + "estimatedSize": "" + }, + { + "id": "2da7d7d5-7ef4-4c07-a424-8b116ecd29ba", + "name": "type_id", + "datatype": "INTEGER", + "param": "", + "pk": false, + "nn": true, + "comment": "[autoincrement] id of the benchmark type", + "defaultvalue": "", + "data": "1,2,3", + "after": "", + "sqlite": { + "autoincrement": false + }, + "estimatedSize": "", + "fk": 
true + }, + { + "id": "ff9f083a-372b-499b-8dc8-fdcf0fdc822e", + "name": "author_id", + "datatype": "INTEGER", + "param": "", + "pk": false, + "nn": true, + "comment": "Integer id of the organization that authored the benchmark", + "defaultvalue": "0", + "data": "1,2,3", + "after": "", + "collation": "", + "sqlite": { + "autoincrement": false + }, + "estimatedSize": "", + "fk": true + }, + { + "id": "df997652-f34f-45cc-9138-755f4c5ba318", + "name": "sponsor_id", + "datatype": "INTEGER", + "param": "", + "pk": false, + "nn": false, + "comment": "Integer id of the organization that supported the development of the benchmark", + "defaultvalue": "0", + "data": "1,2,3", + "after": "", + "collation": "", + "sqlite": { + "autoincrement": false + }, + "estimatedSize": "", + "fk": true + }, + { + "id": "3c0c4bfd-eb57-40e8-b62e-d180f64125c3", + "name": "status_id", + "datatype": "INTEGER", + "param": "", + "pk": false, + "nn": true, + "comment": "[autogenerated] id of the status type", + "defaultvalue": "", + "data": "1,2,3", + "after": "", + "collation": "", + "sqlite": { + "autoincrement": false + }, + "estimatedSize": "", + "fk": true + }, + { + "id": "e63e3fd6-0c07-4793-8e50-2b9041d02b3a", + "name": "Products_product_id", + "datatype": "INT", + "param": "", + "pk": false, + "nn": true, + "comment": "[autoincrement] The int id of the product", + "defaultvalue": "", + "data": "1,2,3", + "after": "", + "sqlite": { + "autoincrement": true + }, + "estimatedSize": "", + "fk": true + } + ], + "relations": [ + "6465776d-da1f-414e-a12c-32ac13b66909", + "8440ea26-76c0-4269-9597-a6995d857b68", + "e12f9a4e-1035-45c0-bd66-a0b32b825758", + "3627acdc-20c5-462a-9096-da39cd6b9ed8", + "a2782a52-3d03-4937-8ccf-9e0a994db294", + "22f19dfb-22c4-4bd4-9522-2e26dc83c101" + ], + "lines": [], + "keys": [ + { + "id": "fa60d456-7fef-4426-9a1d-b938566b8d9b", + "name": "Primary key", + "isPk": true, + "cols": [ + { + "id": "57007081-1108-49b6-bc9f-182034e7f0cf", + "colid": 
"1d76151a-b0c8-4b0a-8400-f244d48a92d6" + } + ] + } + ], + "indexes": [ + { + "id": "9e02440e-8b59-43c9-ab67-a0610b707796", + "name": "unique_product_version_release_owner", + "unique": true, + "sqlite": { + "expression": "", + "desc": "" + }, + "cols": [ + { + "id": "656e8c24-f389-47e4-8c5c-ce006d40d5d1", + "colid": "f428635d-6ccc-4a7f-8649-0c02987ec283", + "sqlite": { + "desc": false, + "collate": "", + "expression": "" + } + }, + { + "id": "4ebcc84d-fdcb-453e-8d69-005dd0704c7b", + "colid": "b00c4bcd-d3ba-4d03-bdcd-cd72c2e48b07", + "sqlite": { + "desc": false, + "collate": "", + "expression": "" + } + }, + { + "id": "e875a7c1-abb1-4853-96c1-efcb53d00ec5", + "colid": "ff9f083a-372b-499b-8dc8-fdcf0fdc822e", + "sqlite": { + "desc": false, + "collate": "", + "expression": "" + } + } + ] + } + ], + "embeddable": false, + "generate": true, + "generateCustomCode": true, + "customCode": "", + "beforeScript": "", + "afterScript": "", + "sqlite": { + "withoutrowid": false, + "strict": false + } + }, + "ae252854-db26-47df-9077-04e929b84447": { + "id": "ae252854-db26-47df-9077-04e929b84447", + "visible": true, + "name": "benchmark_type", + "desc": "Describes the kind of benchmark to include:\n - Security Technical Implementation Gudie (stig)\n - Security Requirements Guide (srg)\n - Center for Internet Security Benchmark (cis)\n - Vendor Guidance (vendor)", + "estimatedSize": "", + "cols": [ + { + "id": "2df4ebdd-61f4-4cbc-b21e-7abd97d92e3d", + "name": "benchmark_type_id", + "datatype": "INTEGER", + "param": "", + "pk": true, + "nn": true, + "comment": "[autoincrement] id of the benchmark type", + "defaultvalue": "", + "data": "1,2,3", + "after": "", + "sqlite": { + "autoincrement": true + }, + "estimatedSize": "" + }, + { + "id": "e799c237-5417-437d-a4aa-c2da58ff5de2", + "name": "long_name", + "datatype": "VARCHAR", + "param": "", + "pk": false, + "nn": true, + "comment": "The full name of the Benchmark type", + "defaultvalue": "", + "data": "'Security Technical 
Implementation Guide', 'Center for Internet Security Benchmark', 'Redhat Best Practices Guide', 'Amazon Best Practices Guide'", + "after": "", + "sqlite": { + "autoincrement": false + }, + "estimatedSize": "" + }, + { + "id": "6684e545-9261-4248-8a02-b11526e64fd8", + "name": "short_name", + "datatype": "VARCHAR", + "param": "", + "pk": false, + "nn": true, + "comment": "The short name name of the benchmark type", + "defaultvalue": "", + "data": "\"stig\", \"cis\", \"srg\", \"AWS-BP\", 'RH-BP'", + "after": "", + "sqlite": { + "autoincrement": false + }, + "estimatedSize": "" + }, + { + "id": "e2f74eb2-b3b5-4c54-87ab-e131faee5c35", + "name": "description", + "datatype": "TEXT", + "param": "", + "pk": false, + "nn": true, + "comment": "The full text description of the guidane type", + "defaultvalue": "", + "data": "'A Security Technical Implementation Guide ....' , 'A Center for Internet Security Benchmark.....'", + "after": "", + "sqlite": { + "autoincrement": false + }, + "estimatedSize": "" + } + ], + "relations": [ + "6465776d-da1f-414e-a12c-32ac13b66909" + ], + "lines": [], + "keys": [ + { + "id": "28a111ff-8ee7-4a1b-8ad5-6ceee0ba3098", + "name": "Primary key", + "isPk": true, + "cols": [ + { + "id": "d5d5d063-6b18-40f6-b91a-1dfe9de63169", + "colid": "2df4ebdd-61f4-4cbc-b21e-7abd97d92e3d" + } + ] + } + ], + "indexes": [ + { + "id": "d82b592a-fecc-4798-ba01-e42d057b718e", + "name": "unique_bt_long_name", + "unique": true, + "sqlite": { + "expression": "", + "desc": "" + }, + "cols": [ + { + "id": "2bca5342-ed5c-43e9-9f4a-8ed1d78b3470", + "colid": "e799c237-5417-437d-a4aa-c2da58ff5de2", + "sqlite": { + "desc": false, + "collate": "", + "expression": "" + } + } + ] + }, + { + "id": "840721a4-1a2c-42da-8e27-c6d88e083a00", + "name": "unique_bt_short_name", + "unique": true, + "sqlite": { + "expression": "", + "desc": "" + }, + "cols": [ + { + "id": "f4df0e64-f531-492e-9773-75d4fc9b92ca", + "colid": "6684e545-9261-4248-8a02-b11526e64fd8", + "sqlite": { + "desc": false, 
+ "collate": "", + "expression": "" + } + } + ] + } + ], + "embeddable": false, + "generate": true, + "generateCustomCode": true, + "customCode": "", + "beforeScript": "", + "afterScript": "", + "sqlite": { + "withoutrowid": false, + "strict": false + } + }, + "510cb49c-1f0e-4203-bd5d-80c96e661f5e": { + "id": "510cb49c-1f0e-4203-bd5d-80c96e661f5e", + "visible": true, + "name": "Organization", + "desc": "List of organizations or gorups that author or manage security guidance", + "estimatedSize": "", + "cols": [ + { + "id": "4f150da9-eb0c-4e4a-bbee-6f3ea1781ec9", + "name": "organization_id", + "datatype": "INTEGER", + "param": "", + "pk": true, + "nn": true, + "comment": "Integer id of the author of the benchmark", + "defaultvalue": "", + "data": "1,2,3", + "after": "", + "collation": "", + "sqlite": { + "autoincrement": true + }, + "estimatedSize": "" + }, + { + "id": "25edc163-dc64-4451-b8b5-010934342c35", + "name": "long_name", + "datatype": "VARCHAR", + "param": "", + "pk": false, + "nn": true, + "comment": "The full text name of the author, vendor or agency.", + "defaultvalue": "", + "data": "'MITRE Security Automation Framework', 'Defense Information Systems Agency', 'Defense Counterintelligence Services Agency', 'National Geospatial-Intelligence Agency'", + "after": "", + "sqlite": { + "autoincrement": false + }, + "estimatedSize": "" + }, + { + "id": "cee2c943-546c-4f5c-a4c3-9483a4e03410", + "name": "short_name", + "datatype": "VARCHAR", + "param": "", + "pk": false, + "nn": true, + "comment": "The short text name of the author, vendor or agency", + "defaultvalue": "", + "data": "''MITRE SAF', 'VMWare', 'RedHat', 'DISA','Oracle','Microsoft', 'DSCA', 'DCSA','NGA'", + "after": "", + "sqlite": { + "autoincrement": false + }, + "estimatedSize": "" + }, + { + "id": "3c4f5e5d-568e-4714-8c21-9390758cfbbd", + "name": "uri", + "datatype": "VARCHAR", + "param": "", + "pk": false, + "nn": false, + "comment": "The primary uri of the author, vendor or agency", + 
"defaultvalue": "", + "data": "'https://www.mitre.org','https://www.disa.mil','https://www.vmware.com'", + "after": "", + "sqlite": { + "autoincrement": false + }, + "estimatedSize": "" + }, + { + "id": "016880f0-a877-42fa-af4d-f3bc012d36a2", + "name": "email", + "datatype": "VARCHAR", + "param": "", + "pk": false, + "nn": false, + "comment": "[optional] The email of the autor", + "defaultvalue": "", + "data": "'me@you.com'", + "after": "", + "sqlite": { + "autoincrement": false + }, + "estimatedSize": "" + } + ], + "relations": [ + "fd560202-d9f1-4e3a-8133-4d207466a3c0", + "e12f9a4e-1035-45c0-bd66-a0b32b825758", + "3627acdc-20c5-462a-9096-da39cd6b9ed8", + "46831da2-6151-4803-a00f-c8b7a0fb5cf4" + ], + "lines": [], + "keys": [ + { + "id": "b056d86c-a62c-465f-ac96-9374f6e41b3f", + "name": "Primary key", + "isPk": true, + "cols": [ + { + "id": "c53bc39a-2a2d-4167-860f-1cbbad8238a7", + "colid": "4f150da9-eb0c-4e4a-bbee-6f3ea1781ec9" + } + ] + } + ], + "indexes": [ + { + "id": "35afc829-703b-42de-b22a-d9436fb46d23", + "name": "unique_org_short_and_long_name", + "unique": true, + "sqlite": { + "expression": "", + "desc": "" + }, + "cols": [ + { + "id": "1dcd45b7-dd08-4d1b-9928-706379479dd0", + "colid": "25edc163-dc64-4451-b8b5-010934342c35", + "sqlite": { + "desc": false, + "collate": "", + "expression": "" + } + }, + { + "id": "fea50942-9291-4517-a05c-6f8453bb3658", + "colid": "cee2c943-546c-4f5c-a4c3-9483a4e03410", + "sqlite": { + "desc": false, + "collate": "", + "expression": "" + } + } + ] + } + ], + "embeddable": false, + "generate": true, + "generateCustomCode": true, + "customCode": "", + "beforeScript": "", + "afterScript": "", + "sqlite": { + "withoutrowid": false, + "strict": false + } + }, + "6e2bb99e-5664-4222-b085-611dca238bf8": { + "id": "6e2bb99e-5664-4222-b085-611dca238bf8", + "visible": true, + "name": "Artifact", + "desc": "Collection of file artifacts related to the Benchmark, their data and where they are stored.", + "estimatedSize": "", + "cols": [ 
+ { + "id": "2d7700a1-2d99-49fe-b90c-4fd176eb8951", + "name": "artifact_id", + "datatype": "INTEGER", + "param": "", + "pk": true, + "nn": true, + "comment": "[autogenerated] The id of the artifact.", + "defaultvalue": "", + "data": "", + "after": "", + "collation": "", + "sqlite": { + "autoincrement": true + }, + "estimatedSize": "" + }, + { + "id": "23ae68f2-9c16-41af-bc28-13cd4eab9a71", + "name": "type_id", + "datatype": "INTEGER", + "param": "", + "pk": false, + "nn": true, + "comment": "", + "defaultvalue": "", + "data": "", + "after": "", + "sqlite": { + "autoincrement": false + }, + "estimatedSize": "", + "fk": true + }, + { + "id": "4c828330-0377-4eee-a133-32a062c1f18b", + "name": "owner_id", + "datatype": "INTEGER", + "param": "", + "pk": false, + "nn": true, + "comment": "Integer id of the creator or owner of the artifact", + "defaultvalue": "", + "data": "1,2,3", + "after": "", + "collation": "", + "sqlite": { + "autoincrement": false + }, + "estimatedSize": "", + "fk": true + }, + { + "id": "4491f4ac-a271-44c9-96b8-91373e4deab9", + "name": "name", + "datatype": "VARCHAR", + "param": "", + "pk": false, + "nn": true, + "comment": "Filename that the artifact is stored as on the target location", + "defaultvalue": "", + "data": "'U_A10_Networks_ADC_ALG_V2R1_STIG.zip', 'rhel-9-profile.json', 'U_Red_Hat_Enterprise_Linux_7_STIG_V3R7_Manual-xccdf.xml'", + "after": "", + "sqlite": { + "autoincrement": false + }, + "estimatedSize": "" + }, + { + "id": "e81132e3-e87c-4733-a5c4-1b7572f801d8", + "name": "location", + "datatype": "VARCHAR", + "param": "", + "pk": false, + "nn": true, + "comment": "The URI path of the artifact", + "defaultvalue": "", + "data": "https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip", + "after": "", + "sqlite": { + "autoincrement": false + }, + "estimatedSize": "" + }, + { + "id": "568f380a-7d3b-4363-80a1-8459c0de6473", + "name": "secondary_location", + "datatype": "VARCHAR", + "param": "", + "pk": false, + "nn": false, + "comment": 
"[optional] A file path, uri or other location you can find the reference besides the default location.", + "defaultvalue": "", + "data": "'my_other/place/file.zip'", + "after": "", + "sqlite": { + "autoincrement": false + }, + "estimatedSize": "" + }, + { + "id": "ecaa1880-06fc-4554-b8f4-2e3fdc71c029", + "name": "created_at", + "datatype": "DATE", + "param": "", + "pk": false, + "nn": true, + "comment": "", + "defaultvalue": "", + "data": "", + "after": "", + "sqlite": { + "autoincrement": false + }, + "estimatedSize": "" + }, + { + "id": "59dbe73d-c74b-4b4a-b3a0-e5e566a9cd23", + "name": "raw_data", + "datatype": "BLOB", + "param": "", + "pk": false, + "nn": false, + "comment": "[optional] The raw data of the Artifact", + "defaultvalue": "", + "data": "XCCDF_File, Profile JSON, ", + "after": "", + "sqlite": { + "autoincrement": false + }, + "estimatedSize": "" + } + ], + "relations": [ + "ab7e56b9-8aa7-429c-97ac-d4e117244aec", + "4624830c-2ee0-4972-b189-2657e9b7998b", + "46831da2-6151-4803-a00f-c8b7a0fb5cf4" + ], + "lines": [], + "keys": [ + { + "id": "3f97f355-6d9f-4714-8099-5b17c5f57130", + "name": "Primary key", + "isPk": true, + "cols": [ + { + "id": "ad95d426-57d4-4e67-b616-24582987192c", + "colid": "2d7700a1-2d99-49fe-b90c-4fd176eb8951" + } + ] + } + ], + "indexes": [], + "embeddable": false, + "generate": true, + "generateCustomCode": true, + "customCode": "", + "beforeScript": "", + "afterScript": "", + "sqlite": { + "withoutrowid": false, + "strict": false + } + }, + "e4cfe7e8-661f-462c-b51e-401688f089aa": { + "id": "e4cfe7e8-661f-462c-b51e-401688f089aa", + "visible": true, + "name": "benchmark_artifacts", + "desc": "", + "estimatedSize": "", + "cols": [ + { + "id": "51e1ca41-0019-4f28-828a-baea406e7692", + "name": "benchmark_id", + "datatype": "INTEGER", + "param": "", + "pk": true, + "nn": true, + "comment": "[autogenerated] Autogenerated primary key of the vendor published security guidance document", + "defaultvalue": "", + "data": "1,2,3", + "after": 
"", + "collation": "", + "sqlite": { + "autoincrement": false + }, + "estimatedSize": "", + "fk": true + }, + { + "id": "75e75cd3-b681-43db-8506-a9d3dea7c1de", + "name": "artifact_id", + "datatype": "INTEGER", + "param": "", + "pk": true, + "nn": true, + "comment": "[autogenerated] The id of the artifact.", + "defaultvalue": "", + "data": "", + "after": "", + "collation": "", + "sqlite": { + "autoincrement": false + }, + "estimatedSize": "", + "fk": true + }, + { + "id": "16db22ec-71fe-45af-a622-ff81a5c8500a", + "name": "is_default", + "datatype": "INT2", + "param": "", + "pk": false, + "nn": false, + "comment": "[optional] Boolean like indicator of if this artifact is the 'primary artifact' for the Benchmark it belongs to.", + "defaultvalue": "0", + "data": "0.1,NULL", + "after": "", + "sqlite": { + "autoincrement": false + }, + "estimatedSize": "" + } + ], + "relations": [ + "a2782a52-3d03-4937-8ccf-9e0a994db294", + "4624830c-2ee0-4972-b189-2657e9b7998b" + ], + "lines": [], + "keys": [ + { + "id": "39423998-e8c5-4fb5-92ac-845c28a6d1de", + "name": "Primary key", + "isPk": true, + "cols": [ + { + "id": "7cafc003-1052-4edb-8ee0-2f973c5ca745", + "colid": "51e1ca41-0019-4f28-828a-baea406e7692" + }, + { + "id": "9c3e011a-7328-4902-aa6d-eccc063ea7a8", + "colid": "75e75cd3-b681-43db-8506-a9d3dea7c1de" + } + ] + } + ], + "indexes": [ + { + "id": "5064de45-9c89-47c3-bb15-651ed06dc65a", + "name": "unique_benchmark_artificat_default", + "unique": true, + "sqlite": { + "desc": "Allows only one artifact to be the default artifact related to a benchmark.", + "expression": "" + }, + "cols": [ + { + "id": "3c7c92e4-6d00-45a6-81e1-1950c4cb2c33", + "colid": "51e1ca41-0019-4f28-828a-baea406e7692", + "sqlite": { + "desc": false, + "collate": "", + "expression": "" + } + }, + { + "id": "7b92bb84-b8f3-4a5d-8e26-bc45d2177da3", + "colid": "75e75cd3-b681-43db-8506-a9d3dea7c1de", + "sqlite": { + "desc": false, + "collate": "", + "expression": "" + } + }, + { + "id": 
"47dbec11-89b2-4298-a665-0195c52ee348", + "colid": "16db22ec-71fe-45af-a622-ff81a5c8500a", + "sqlite": { + "desc": false, + "collate": "", + "expression": "" + } + } + ] + } + ], + "embeddable": false, + "generate": true, + "generateCustomCode": true, + "customCode": "", + "beforeScript": "", + "afterScript": "", + "sqlite": { + "withoutrowid": false, + "strict": false + } + }, + "6aecb762-1a99-493f-987c-133569ac56d9": { + "id": "6aecb762-1a99-493f-987c-133569ac56d9", + "visible": true, + "name": "artifact_types", + "desc": "A Collection of kinds of Artifacts that vendors produce, such as documents, security validation content, XCCDF Files, SCAP Files, inspec profiles, ansible playbooks, chef recipies", + "estimatedSize": "", + "cols": [ + { + "id": "a4c26fa6-5af9-4d31-96ab-5b068fe82fd9", + "name": "artifact_type_id", + "datatype": "INTEGER", + "param": "", + "pk": true, + "nn": true, + "comment": "[autoincrement] The int id of the artifact kind", + "defaultvalue": "", + "data": "1,2,3", + "after": "", + "sqlite": { + "autoincrement": true + }, + "estimatedSize": "" + }, + { + "id": "77f4d932-64bb-4cb8-a6d4-6511cac8493a", + "name": "type_name", + "datatype": "VARCHAR", + "param": "", + "pk": false, + "nn": true, + "comment": "The simple name of the artifact", + "defaultvalue": "", + "data": "XCCDF Benchmark, SRG Benchmark, InSpec Profile, HDF Profile JOSN, Zip Archieve,", + "after": "", + "sqlite": { + "autoincrement": false + }, + "estimatedSize": "" + }, + { + "id": "f86361cd-57a5-4cee-98c0-ac57ccea6a1a", + "name": "description", + "datatype": "TEXT", + "param": "", + "pk": false, + "nn": false, + "comment": "", + "defaultvalue": "", + "data": "", + "after": "", + "sqlite": { + "autoincrement": false + }, + "estimatedSize": "" + } + ], + "relations": [ + "ab7e56b9-8aa7-429c-97ac-d4e117244aec" + ], + "lines": [], + "keys": [ + { + "id": "db251232-ef40-4eb6-92ff-67f608e7f6f6", + "name": "Primary key", + "isPk": true, + "cols": [ + { + "id": 
"f7d1404a-15dd-4014-a49d-0fb118f6883f", + "colid": "a4c26fa6-5af9-4d31-96ab-5b068fe82fd9" + } + ] + } + ], + "indexes": [], + "embeddable": false, + "generate": true, + "generateCustomCode": true, + "customCode": "", + "beforeScript": "", + "afterScript": "", + "sqlite": { + "withoutrowid": false, + "strict": false + } + }, + "52cf2433-451e-4ba0-8b3d-8624bd967ffb": { + "id": "52cf2433-451e-4ba0-8b3d-8624bd967ffb", + "visible": true, + "name": "Products", + "desc": "A collection of products and services that are tracked via the Benchmarks. A product is owned by an Author and is organized at the version level by autor.id. Sometimes vendors organize benchmarks only at the version level but sometimes they can do it at the version + release level.\n\nFor example, Author: 'RedHat', name: 'Enterprise Linux', version: '7', [optional] release: '4'", + "estimatedSize": "", + "cols": [ + { + "id": "83427e84-109d-43a2-9c15-a1d3c444ebaa", + "name": "product_id", + "datatype": "INTEGER", + "param": "", + "pk": true, + "nn": true, + "comment": "[autoincrement] The int id of the product", + "defaultvalue": "", + "data": "1,2,3", + "after": "", + "sqlite": { + "autoincrement": true + }, + "estimatedSize": "" + }, + { + "id": "7a5090f4-bee9-46a5-9cbf-b9b97cb5dbb7", + "name": "long_name", + "datatype": "VARCHAR", + "param": "", + "pk": false, + "nn": true, + "comment": "The long name of the product, many products have longer formal name, such as: VMware Identity Manager 3.3.x DoD STIG Compliance and Automation or VMware Cloud Foundation 5.x. 
- if there is no difference it is expected 'short_name' and 'full_name' wil be the same.", + "defaultvalue": "", + "data": "'Identity Manager', 'Cloud Foundation', 'vSphere'", + "after": "", + "sqlite": { + "autoincrement": false + }, + "estimatedSize": "" + }, + { + "id": "058e47d0-7551-4777-95d1-738dc4381129", + "name": "short_name", + "datatype": "VARCHAR", + "param": "", + "pk": false, + "nn": true, + "comment": "The common name of the product or service - sometimes called the 'short name' - for example:\nRHEL for Red Hat Enterprise Linux \nVIDM for VMware Identity Manager\nvSphere for VMware vSphere\n", + "defaultvalue": "", + "data": "'RHEL', 'VCF', 'VIDM', 'vSphere'", + "after": "", + "sqlite": { + "autoincrement": false + }, + "estimatedSize": "" + }, + { + "id": "48f5eb1d-79c8-4914-bfff-53c5d057be39", + "name": "version", + "datatype": "REAL", + "param": "", + "pk": false, + "nn": true, + "comment": "The version of the project", + "defaultvalue": "", + "data": "1, 7, 10.7", + "after": "", + "sqlite": { + "autoincrement": false + }, + "estimatedSize": "" + }, + { + "id": "db0e76c4-1a99-4c6f-a92d-ae2e44a085c0", + "name": "release", + "datatype": "INT", + "param": "", + "pk": false, + "nn": true, + "comment": "", + "defaultvalue": "", + "data": "", + "after": "", + "sqlite": { + "autoincrement": false + }, + "estimatedSize": "" + }, + { + "id": "af7e3f56-16b2-463c-afa0-3393593014d8", + "name": "owner_id", + "datatype": "INTEGER", + "param": "", + "pk": false, + "nn": true, + "comment": "Integer id of the organization that ownes or manages the product", + "defaultvalue": "", + "data": "1,2,3", + "after": "", + "collation": "", + "sqlite": { + "autoincrement": false + }, + "estimatedSize": "", + "fk": true + } + ], + "relations": [ + "fd560202-d9f1-4e3a-8133-4d207466a3c0", + "8440ea26-76c0-4269-9597-a6995d857b68" + ], + "lines": [], + "keys": [ + { + "id": "91648061-8fe5-45d6-a841-129186f7cdc0", + "name": "Primary key", + "isPk": true, + "cols": [ + { + "id": 
"03f9e1e7-8fcb-47b6-80d2-5f48d98d7a92", + "colid": "83427e84-109d-43a2-9c15-a1d3c444ebaa" + } + ] + } + ], + "indexes": [], + "embeddable": false, + "generate": true, + "generateCustomCode": true, + "customCode": "", + "beforeScript": "", + "afterScript": "", + "sqlite": { + "withoutrowid": false, + "strict": false + } + }, + "3042578a-ef8c-490f-86e5-4cebe82acc7d": { + "id": "3042578a-ef8c-490f-86e5-4cebe82acc7d", + "visible": true, + "name": "Statuses", + "desc": "Collection of statuses that can applly to a Benckmark or Artifact", + "estimatedSize": "", + "cols": [ + { + "id": "4bc8e5d6-ec2c-44a7-940c-d75199f981af", + "name": "status_id", + "datatype": "INTEGER", + "param": "", + "pk": true, + "nn": true, + "comment": "[autogenerated] id of the status type", + "defaultvalue": "", + "data": "1,2,3", + "after": "", + "collation": "", + "sqlite": { + "autoincrement": true + }, + "estimatedSize": "", + "fk": false + }, + { + "id": "2bbc6494-a884-4eca-8769-d8aedfc02637", + "name": "name", + "datatype": "VARCHAR", + "param": "", + "pk": false, + "nn": true, + "comment": "Text based name for the status", + "defaultvalue": "", + "data": "'final', 'draft', 'in-review', 'sunset'", + "after": "", + "sqlite": { + "autoincrement": false + }, + "estimatedSize": "" + } + ], + "relations": [ + "22f19dfb-22c4-4bd4-9522-2e26dc83c101" + ], + "lines": [], + "keys": [ + { + "id": "83c53cd8-165d-4d51-b67e-8c74146d2572", + "name": "Primary key", + "isPk": true, + "cols": [ + { + "id": "77066e97-129c-446c-aa0c-c6d71ad508dc", + "colid": "4bc8e5d6-ec2c-44a7-940c-d75199f981af" + } + ] + } + ], + "indexes": [ + { + "id": "e8d18d0a-bb20-41b5-a5d9-23412c13ea64", + "name": "unique_status_id_name", + "unique": true, + "sqlite": { + "desc": "Ensures that the tuple (status_id, name) is unique in the table, so we can only have one status name called 'abc'", + "expression": "" + }, + "cols": [ + { + "id": "f2b7cf54-ddf3-49ca-8636-1b7c92a690f3", + "colid": "4bc8e5d6-ec2c-44a7-940c-d75199f981af", + 
"sqlite": { + "desc": false, + "collate": "", + "expression": "" + } + }, + { + "id": "10dbae4d-1479-4a8a-b3fa-db595935b2af", + "colid": "2bbc6494-a884-4eca-8769-d8aedfc02637", + "sqlite": { + "desc": false, + "collate": "", + "expression": "" + } + } + ] + } + ], + "embeddable": false, + "generate": true, + "generateCustomCode": true, + "customCode": "", + "beforeScript": "", + "afterScript": "", + "sqlite": { + "withoutrowid": false, + "strict": false + } + } + }, + "relations": { + "ab7e56b9-8aa7-429c-97ac-d4e117244aec": { + "id": "ab7e56b9-8aa7-429c-97ac-d4e117244aec", + "visible": true, + "name": "artifact_has_a_type", + "desc": "", + "type": "identifying", + "parent_key": "db251232-ef40-4eb6-92ff-67f608e7f6f6", + "parent": "6aecb762-1a99-493f-987c-133569ac56d9", + "child": "6e2bb99e-5664-4222-b085-611dca238bf8", + "c_mp": "true", + "c_mch": "true", + "c_p": "one", + "c_ch": "many", + "c_cp": "", + "c_cch": "", + "cols": [ + { + "id": "72c50d9c-e2e7-434f-aebd-74f8ea024323", + "parentcol": "a4c26fa6-5af9-4d31-96ab-5b068fe82fd9", + "childcol": "23ae68f2-9c16-41af-bc28-13cd4eab9a71" + } + ], + "generate": true, + "generateCustomCode": true, + "customCode": "", + "relationColor": "transparent", + "ri_pd": "Restrict", + "ri_pu": "Cascade" + }, + "fd560202-d9f1-4e3a-8133-4d207466a3c0": { + "id": "fd560202-d9f1-4e3a-8133-4d207466a3c0", + "visible": true, + "name": "product_has_a_owner", + "desc": "", + "type": "identifying", + "parent_key": "b056d86c-a62c-465f-ac96-9374f6e41b3f", + "parent": "510cb49c-1f0e-4203-bd5d-80c96e661f5e", + "child": "52cf2433-451e-4ba0-8b3d-8624bd967ffb", + "c_mp": "true", + "c_mch": "false", + "c_p": "one", + "c_ch": "many", + "c_cp": "", + "c_cch": "", + "cols": [ + { + "id": "318857a7-a606-4717-965d-87afc13b2539", + "parentcol": "4f150da9-eb0c-4e4a-bbee-6f3ea1781ec9", + "childcol": "af7e3f56-16b2-463c-afa0-3393593014d8" + } + ], + "generate": true, + "generateCustomCode": true, + "customCode": "", + "relationColor": "transparent", + 
"ri_pd": "Restrict", + "ri_pu": "Cascade" + }, + "6465776d-da1f-414e-a12c-32ac13b66909": { + "id": "6465776d-da1f-414e-a12c-32ac13b66909", + "visible": true, + "name": "benchmark_has_a_type", + "desc": "", + "type": "identifying", + "parent_key": "28a111ff-8ee7-4a1b-8ad5-6ceee0ba3098", + "parent": "ae252854-db26-47df-9077-04e929b84447", + "child": "c8ba4433-bd1b-468b-b33e-d5c50f1f2b40", + "c_mp": "true", + "c_mch": "true", + "c_p": "one", + "c_ch": "many", + "c_cp": "", + "c_cch": "", + "cols": [ + { + "id": "d1e80650-fddc-4d27-8377-6c6335c1f8d0", + "parentcol": "2df4ebdd-61f4-4cbc-b21e-7abd97d92e3d", + "childcol": "2da7d7d5-7ef4-4c07-a424-8b116ecd29ba" + } + ], + "generate": true, + "generateCustomCode": true, + "customCode": "", + "relationColor": "transparent", + "ri_pd": "Restrict", + "ri_pu": "Cascade" + }, + "8440ea26-76c0-4269-9597-a6995d857b68": { + "id": "8440ea26-76c0-4269-9597-a6995d857b68", + "visible": true, + "name": "benchmark_has_a_product", + "desc": "", + "type": "identifying", + "parent_key": "91648061-8fe5-45d6-a841-129186f7cdc0", + "parent": "52cf2433-451e-4ba0-8b3d-8624bd967ffb", + "child": "c8ba4433-bd1b-468b-b33e-d5c50f1f2b40", + "c_mp": "true", + "c_mch": "true", + "c_p": "one", + "c_ch": "one", + "c_cp": "", + "c_cch": "", + "cols": [ + { + "id": "57d1aa03-3765-40c8-a275-4b9317290baa", + "parentcol": "83427e84-109d-43a2-9c15-a1d3c444ebaa", + "childcol": "e63e3fd6-0c07-4793-8e50-2b9041d02b3a" + } + ], + "generate": true, + "generateCustomCode": true, + "customCode": "", + "relationColor": "transparent", + "ri_pd": "Restrict", + "ri_pu": "Cascade" + }, + "e12f9a4e-1035-45c0-bd66-a0b32b825758": { + "id": "e12f9a4e-1035-45c0-bd66-a0b32b825758", + "visible": true, + "name": "benchmark_has_an_author", + "desc": "", + "type": "identifying", + "parent_key": "b056d86c-a62c-465f-ac96-9374f6e41b3f", + "parent": "510cb49c-1f0e-4203-bd5d-80c96e661f5e", + "child": "c8ba4433-bd1b-468b-b33e-d5c50f1f2b40", + "c_mp": "true", + "c_mch": "true", + "c_p": 
"one", + "c_ch": "many", + "c_cp": "", + "c_cch": "", + "cols": [ + { + "id": "b91acfd7-91d9-4c82-b152-a0731685fc7f", + "parentcol": "4f150da9-eb0c-4e4a-bbee-6f3ea1781ec9", + "childcol": "ff9f083a-372b-499b-8dc8-fdcf0fdc822e" + } + ], + "generate": true, + "generateCustomCode": true, + "customCode": "", + "relationColor": "transparent", + "ri_pd": "Restrict", + "ri_pu": "Cascade" + }, + "3627acdc-20c5-462a-9096-da39cd6b9ed8": { + "id": "3627acdc-20c5-462a-9096-da39cd6b9ed8", + "visible": true, + "name": "benmark_has_a_sponsor", + "desc": "", + "type": "identifying", + "parent_key": "b056d86c-a62c-465f-ac96-9374f6e41b3f", + "parent": "510cb49c-1f0e-4203-bd5d-80c96e661f5e", + "child": "c8ba4433-bd1b-468b-b33e-d5c50f1f2b40", + "c_mp": "false", + "c_mch": "false", + "c_p": "one", + "c_ch": "many", + "c_cp": "", + "c_cch": "", + "cols": [ + { + "id": "f6151098-8bd2-4eb5-b9e7-f25d659a5eb3", + "parentcol": "4f150da9-eb0c-4e4a-bbee-6f3ea1781ec9", + "childcol": "df997652-f34f-45cc-9138-755f4c5ba318" + } + ], + "generate": true, + "generateCustomCode": true, + "customCode": "", + "relationColor": "transparent", + "ri_pd": "Restrict", + "ri_pu": "Cascade" + }, + "a2782a52-3d03-4937-8ccf-9e0a994db294": { + "id": "a2782a52-3d03-4937-8ccf-9e0a994db294", + "visible": true, + "name": "benchmark_has_an_artifact", + "desc": "", + "type": "identifying", + "parent_key": "fa60d456-7fef-4426-9a1d-b938566b8d9b", + "parent": "c8ba4433-bd1b-468b-b33e-d5c50f1f2b40", + "child": "e4cfe7e8-661f-462c-b51e-401688f089aa", + "c_mp": "true", + "c_mch": "true", + "c_p": "one", + "c_ch": "many", + "c_cp": "", + "c_cch": "", + "cols": [ + { + "id": "6fced89c-1eaf-4bb5-913a-638ea22caa51", + "parentcol": "1d76151a-b0c8-4b0a-8400-f244d48a92d6", + "childcol": "51e1ca41-0019-4f28-828a-baea406e7692" + } + ], + "generate": true, + "generateCustomCode": true, + "customCode": "", + "relationColor": "transparent", + "ri_pd": "Cascade", + "ri_pu": "Cascade" + }, + "4624830c-2ee0-4972-b189-2657e9b7998b": { + 
"id": "4624830c-2ee0-4972-b189-2657e9b7998b", + "visible": true, + "name": "artifact_belongs_to_benchmark", + "desc": "", + "type": "identifying", + "parent_key": "3f97f355-6d9f-4714-8099-5b17c5f57130", + "parent": "6e2bb99e-5664-4222-b085-611dca238bf8", + "child": "e4cfe7e8-661f-462c-b51e-401688f089aa", + "c_mp": "true", + "c_mch": "true", + "c_p": "one", + "c_ch": "many", + "c_cp": "", + "c_cch": "", + "cols": [ + { + "id": "dcf7410d-e61c-40ef-9ccc-f3961b3c3790", + "parentcol": "2d7700a1-2d99-49fe-b90c-4fd176eb8951", + "childcol": "75e75cd3-b681-43db-8506-a9d3dea7c1de" + } + ], + "generate": true, + "generateCustomCode": true, + "customCode": "", + "relationColor": "transparent", + "ri_pd": "Cascade", + "ri_pu": "Cascade" + }, + "46831da2-6151-4803-a00f-c8b7a0fb5cf4": { + "id": "46831da2-6151-4803-a00f-c8b7a0fb5cf4", + "visible": true, + "name": "artifact_has_a_owner", + "desc": "", + "type": "identifying", + "parent_key": "b056d86c-a62c-465f-ac96-9374f6e41b3f", + "parent": "510cb49c-1f0e-4203-bd5d-80c96e661f5e", + "child": "6e2bb99e-5664-4222-b085-611dca238bf8", + "c_mp": "true", + "c_mch": "true", + "c_p": "one", + "c_ch": "many", + "c_cp": "", + "c_cch": "", + "cols": [ + { + "id": "c981600c-4d98-44cb-80d4-913c5972493f", + "parentcol": "4f150da9-eb0c-4e4a-bbee-6f3ea1781ec9", + "childcol": "4c828330-0377-4eee-a133-32a062c1f18b" + } + ], + "generate": true, + "generateCustomCode": true, + "customCode": "", + "relationColor": "transparent", + "ri_pu": "Cascade", + "ri_pd": "Restrict" + }, + "22f19dfb-22c4-4bd4-9522-2e26dc83c101": { + "id": "22f19dfb-22c4-4bd4-9522-2e26dc83c101", + "visible": true, + "name": "benchmark_has_a_status", + "desc": "", + "type": "identifying", + "parent_key": "83c53cd8-165d-4d51-b67e-8c74146d2572", + "parent": "3042578a-ef8c-490f-86e5-4cebe82acc7d", + "child": "c8ba4433-bd1b-468b-b33e-d5c50f1f2b40", + "c_mp": "true", + "c_mch": "true", + "c_p": "one", + "c_ch": "many", + "c_cp": "", + "c_cch": "", + "cols": [ + { + "id": 
"3bf50adc-d91b-4889-8ead-7725c9a3dd5a", + "parentcol": "4bc8e5d6-ec2c-44a7-940c-d75199f981af", + "childcol": "3c0c4bfd-eb57-40e8-b62e-d180f64125c3" + } + ], + "generate": true, + "generateCustomCode": true, + "customCode": "", + "relationColor": "transparent", + "ri_pu": "Cascade", + "ri_pd": "Restrict" + } + }, + "notes": {}, + "lines": {}, + "model": { + "name": "MITRE SAF Security Benchmarks", + "id": "5c30763e-cd89-4cee-8ae6-ff0aee49e72e", + "activeDiagram": "1bdbbea3-d7c8-4cfb-a10a-8e33bd65a392", + "desc": "The Security Benchmarks databse is a collection of Government, Industry and Vendor Security Guidance Benchmarks and their artiefacts.", + "path": "", + "type": "SQLITE", + "version": 1, + "parentTableInFkCols": true, + "caseConvention": "under", + "replaceSpace": "_", + "color": "transparent", + "sideSelections": true, + "isDirty": true, + "storedin": { + "major": 7, + "minor": 5, + "extra": 0 + }, + "laststoredin": { + "major": 7, + "minor": 5, + "extra": 1 + }, + "writeFileParam": true, + "authorName": "The Security Automation Frameowrk Team", + "companyDetails": "The MITRE Coroporation", + "companyUrl": "https://saf.mitre.org", + "def_coltopk": true, + "sqlSettings": { + "wrapLines": false, + "wrapOffset": "120", + "indent": true, + "indentationString": "spaces", + "indentationSize": "2", + "limitItemsOnLine": true, + "maxListItemsOnLine": "2", + "statementDelimiter": ";", + "routineDelimiter": ";", + "keywordCase": "upper", + "identiferCase": "lower" + }, + "lastSaved": 1702779462159 + }, + "otherObjects": {}, + "diagrams": { + "1bdbbea3-d7c8-4cfb-a10a-8e33bd65a392": { + "name": "MITRE SAF Security Guidance", + "description": "", + "id": "1bdbbea3-d7c8-4cfb-a10a-8e33bd65a392", + "keysgraphics": true, + "linegraphics": "basic", + "zoom": 1.1, + "background": "transparent", + "lineColor": "transparent", + "isOpen": true, + "main": true, + "diagramItems": { + "c8ba4433-bd1b-468b-b33e-d5c50f1f2b40": { + "referencedItemId": 
"c8ba4433-bd1b-468b-b33e-d5c50f1f2b40", + "x": 495, + "y": 30, + "gHeight": 240, + "gWidth": 350, + "color": "#ffffff", + "background": "#03a9f4", + "resized": true, + "autoExpand": true, + "backgroundOpacity": "10", + "collapsed": false + }, + "ae252854-db26-47df-9077-04e929b84447": { + "referencedItemId": "ae252854-db26-47df-9077-04e929b84447", + "x": 978, + "y": 74, + "gHeight": 146, + "gWidth": 255, + "color": "#ffffff", + "background": "#03a9f4", + "resized": false, + "autoExpand": true, + "backgroundOpacity": "10", + "collapsed": false + }, + "510cb49c-1f0e-4203-bd5d-80c96e661f5e": { + "referencedItemId": "510cb49c-1f0e-4203-bd5d-80c96e661f5e", + "x": 543, + "y": 578, + "gHeight": 146, + "gWidth": 253, + "color": "#ffffff", + "background": "#03a9f4", + "resized": false, + "autoExpand": true, + "backgroundOpacity": "10", + "collapsed": false + }, + "6e2bb99e-5664-4222-b085-611dca238bf8": { + "referencedItemId": "6e2bb99e-5664-4222-b085-611dca238bf8", + "x": 138, + "y": 370, + "gHeight": 171, + "gWidth": 258, + "color": "#ffffff", + "background": "#03a9f4", + "resized": false, + "autoExpand": true, + "backgroundOpacity": "10", + "collapsed": false + }, + "e4cfe7e8-661f-462c-b51e-401688f089aa": { + "referencedItemId": "e4cfe7e8-661f-462c-b51e-401688f089aa", + "x": 136, + "y": 88, + "gHeight": 110, + "gWidth": 262, + "color": "#ffffff", + "background": "#03a9f4", + "resized": false, + "autoExpand": true, + "backgroundOpacity": "10", + "collapsed": false + }, + "6aecb762-1a99-493f-987c-133569ac56d9": { + "referencedItemId": "6aecb762-1a99-493f-987c-133569ac56d9", + "x": 150, + "y": 604, + "gHeight": 81, + "gWidth": 231, + "color": "#ffffff", + "background": "#03a9f4", + "resized": false, + "autoExpand": true, + "backgroundOpacity": "10", + "collapsed": false + }, + "52cf2433-451e-4ba0-8b3d-8624bd967ffb": { + "referencedItemId": "52cf2433-451e-4ba0-8b3d-8624bd967ffb", + "x": 708, + "y": 369, + "gHeight": 135, + "gWidth": 217, + "color": "#ffffff", + "background": 
"#03a9f4", + "resized": false, + "autoExpand": true, + "backgroundOpacity": "10", + "collapsed": false + }, + "3042578a-ef8c-490f-86e5-4cebe82acc7d": { + "referencedItemId": "3042578a-ef8c-490f-86e5-4cebe82acc7d", + "x": 430, + "y": 370, + "gHeight": 92, + "gWidth": 196, + "color": "#ffffff", + "background": "#03a9f4", + "resized": false, + "autoExpand": true, + "backgroundOpacity": "10", + "collapsed": false + } + }, + "scroll": { + "x": 0, + "y": 0 + }, + "type": "erd", + "showHorizontal": true, + "showDescriptions": true, + "showIndicators": true, + "showProgress": true, + "lineWidth": "2", + "boxSize": "0", + "showIndicatorCaptions": true, + "showEstimatedSize": false, + "showSchemaContainer": true, + "showEmbeddedInParents": true, + "showCardinalityCaptions": false, + "showColumns": true, + "showColumnDataTypes": true, + "showSampleData": false, + "showTableIndexes": true, + "showTableDescriptions": false, + "showRelations": true, + "backgroundImage": "na", + "descriptionsColor": "transparent", + "embeddedSpacing": "2", + "showMainIcon": true, + "showLabels": true, + "boxSpacing": "2", + "boxAlign": "center" + } + }, + "diagramsOrder": [], + "order": [ + "6e2bb99e-5664-4222-b085-611dca238bf8", + "c8ba4433-bd1b-468b-b33e-d5c50f1f2b40", + "510cb49c-1f0e-4203-bd5d-80c96e661f5e", + "52cf2433-451e-4ba0-8b3d-8624bd967ffb", + "3042578a-ef8c-490f-86e5-4cebe82acc7d", + "6aecb762-1a99-493f-987c-133569ac56d9", + "e4cfe7e8-661f-462c-b51e-401688f089aa", + "ae252854-db26-47df-9077-04e929b84447", + "4624830c-2ee0-4972-b189-2657e9b7998b", + "a2782a52-3d03-4937-8ccf-9e0a994db294", + "6465776d-da1f-414e-a12c-32ac13b66909", + "46831da2-6151-4803-a00f-c8b7a0fb5cf4", + "e12f9a4e-1035-45c0-bd66-a0b32b825758", + "3627acdc-20c5-462a-9096-da39cd6b9ed8", + "fd560202-d9f1-4e3a-8133-4d207466a3c0", + "8440ea26-76c0-4269-9597-a6995d857b68", + "22f19dfb-22c4-4bd4-9522-2e26dc83c101", + "ab7e56b9-8aa7-429c-97ac-d4e117244aec" + ], + "collapsedTreeItems": [], + "reverseStats": {} +} \ No 
newline at end of file diff --git a/scripts/database/mitre-saf-security-benchmarks.hcl b/scripts/database/mitre-saf-security-benchmarks.hcl new file mode 100644 index 000000000..004fd4060 --- /dev/null +++ b/scripts/database/mitre-saf-security-benchmarks.hcl 
@@ -0,0 +1,300 @@
+table "Artifact" {
+ schema = schema.main
+ column "artifact_id" {
+ null = false
+ type = integer
+ auto_increment = true
+ }
+ column "type_id" {
+ null = false
+ type = integer
+ }
+ column "owner_id" {
+ null = false
+ type = integer
+ }
+ column "name" {
+ null = false
+ type = varchar
+ }
+ column "location" {
+ null = false
+ type = varchar
+ }
+ column "secondary_location" {
+ null = true
+ type = varchar
+ }
+ column "created_at" {
+ null = false
+ type = date
+ }
+ column "raw_data" {
+ null = true
+ type = blob
+ }
+ primary_key {
+ columns = [column.artifact_id]
+ }
+ foreign_key "artifact_has_a_type" {
+ columns = [column.type_id]
+ ref_columns = [table.artifact_types.column.artifact_type_id]
+ on_update = CASCADE
+ on_delete = RESTRICT
+ }
+ foreign_key "artifact_has_a_owner" {
+ columns = [column.owner_id]
+ ref_columns = [table.Organization.column.organization_id]
+ on_update = CASCADE
+ on_delete = RESTRICT
+ }
+}
+table "Benchmarks" {
+ schema = schema.main
+ column "benchmark_id" {
+ null = false
+ type = integer
+ auto_increment = true
+ }
+ column "version" {
+ null = false
+ type = smallint
+ }
+ column "release" {
+ null = false
+ type = smallint
+ }
+ column "release_date" {
+ null = false
+ type = date
+ }
+ column "type_id" {
+ null = false
+ type = integer
+ }
+ column "product_id" {
+ null = false
+ type = int
+ }
+ column "author_id" {
+ null = false
+ type = integer
+ default = 0
+ }
+ column "sponsor_id" {
+ null = true
+ type = integer
+ default = 0
+ }
+ column "status_id" {
+ null = false
+ type = integer
+ }
+ primary_key {
+ columns = [column.benchmark_id]
+ }
+ foreign_key "benchmark_has_a_type" {
+ columns = [column.type_id]
+ ref_columns = [table.benchmark_type.column.benchmark_type_id]
+ on_update = CASCADE
+ on_delete = RESTRICT
+ }
+ foreign_key "benchmark_has_a_product" {
+ columns = [column.product_id]
+ ref_columns = [table.Products.column.product_id]
+ on_update = CASCADE
+ on_delete = RESTRICT
+ }
+ foreign_key "benchmark_has_an_author" {
+ columns = [column.author_id]
+ ref_columns = [table.Organization.column.organization_id]
+ on_update = CASCADE
+ on_delete = RESTRICT
+ }
+ foreign_key "benmark_has_a_sponsor" {
+ columns = [column.sponsor_id]
+ ref_columns = [table.Organization.column.organization_id]
+ on_update = CASCADE
+ on_delete = RESTRICT
+ }
+ foreign_key "benchmark_has_a_status" {
+ columns = [column.status_id]
+ ref_columns = [table.Statuses.column.status_id]
+ on_update = CASCADE
+ on_delete = RESTRICT
+ }
+ index "unique_product_version_release_owner" {
+ unique = true
+ columns = [column.version, column.release, column.product_id, column.author_id]
+ }
+}
+table "Organization" {
+ schema = schema.main
+ column "organization_id" {
+ null = false
+ type = integer
+ auto_increment = true
+ }
+ column "long_name" {
+ null = false
+ type = varchar
+ }
+ column "short_name" {
+ null = false
+ type = varchar
+ }
+ column "uri" {
+ null = true
+ type = varchar
+ }
+ column "email" {
+ null = true
+ type = varchar
+ }
+ primary_key {
+ columns = [column.organization_id]
+ }
+ index "unique_org_short_and_long_name" {
+ unique = true
+ columns = [column.long_name, column.short_name]
+ }
+}
+table "Products" {
+ schema = schema.main
+ column "product_id" {
+ null = false
+ type = int
+ }
+ column "long_name" {
+ null = false
+ type = varchar
+ }
+ column "short_name" {
+ null = false
+ type = varchar
+ }
+ column "version" {
+ null = false
+ type = real
+ }
+ column "release" {
+ null = false
+ type = int
+ }
+ column "owner_id" {
+ null = false
+ type = integer
+ }
+ foreign_key "product_has_a_owner" {
+ columns = [column.owner_id]
+ ref_columns = [table.Organization.column.organization_id]
+ on_update = CASCADE
+ on_delete = RESTRICT
+ }
+}
+table "Statuses" {
+ schema = schema.main
+ column "status_id" {
+ null = false
+ type = integer
+ auto_increment = true
+ }
+ column "name" {
+ null = false
+ type = varchar
+ }
+ primary_key {
+ columns = [column.status_id]
+ }
+ index "unique_status_id_name" {
+ unique = true
+ columns = [column.status_id, column.name]
+ }
+}
+table "artifact_types" {
+ schema = schema.main
+ column "artifact_type_id" {
+ null = false
+ type = integer
+ auto_increment = true
+ }
+ column "type_name" {
+ null = false
+ type = varchar
+ }
+ column "description" {
+ null = true
+ type = text
+ }
+ primary_key {
+ columns = [column.artifact_type_id]
+ }
+}
+table "benchmark_artifacts" {
+ schema = schema.main
+ column "benchmark_id" {
+ null = false
+ type = integer
+ }
+ column "artifact_id" {
+ null = false
+ type = integer
+ }
+ column "is_default" {
+ null = true
+ type = int2
+ default = 0
+ }
+ primary_key {
+ columns = [column.benchmark_id, column.artifact_id]
+ }
+ foreign_key "benchmark_has_an_artifact" {
+ columns = [column.benchmark_id]
+ ref_columns = [table.Benchmarks.column.benchmark_id]
+ on_update = CASCADE
+ on_delete = CASCADE
+ }
+ foreign_key "artifact_belongs_to_benchmark" {
+ columns = [column.artifact_id]
+ ref_columns = [table.Artifact.column.artifact_id]
+ on_update = CASCADE
+ on_delete = CASCADE
+ }
+ index "unique_benchmark_artificat_default" {
+ unique = true
+ columns = [column.benchmark_id, column.artifact_id, column.is_default]
+ }
+}
+table "benchmark_type" {
+ schema = schema.main
+ column "benchmark_type_id" {
+ null = false
+ type = integer
+ auto_increment = true
+ }
+ column "long_name" {
+ null = false
+ type = varchar
+ }
+ column "short_name" {
+ null = false
+ type = varchar
+ }
+ column "description" {
+ null = false
+ type = text
+ }
+ primary_key {
+ columns = [column.benchmark_type_id]
+ }
+ index "unique_bt_long_name" {
+ unique = true
+ columns = [column.long_name]
+ }
+ index "unique_bt_short_name" {
+ unique = true
+ columns = [column.short_name]
+ }
+}
+schema "main" {
+}
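Review bot: `table "Products"` has no `primary_key` block and its `product_id` column lacks `auto_increment = true`, while the SQL script and the Prisma model in this same commit both declare it as an autoincrement primary key, and `benchmark_has_a_product` references that non-key column; add `primary_key { columns = [column.product_id] }` and the `auto_increment` attribute so the three schema sources agree. `index "unique_status_id_name"` and `index "unique_benchmark_artificat_default"` are implied by their tables' primary keys (`status_id` alone, and `(benchmark_id, artifact_id)`) and so enforce nothing extra; if the intent is a single default artifact per benchmark, that needs a partial unique index on `benchmark_id` restricted to `is_default = 1`, and the same redundant indexes recur in the schema.prisma and .sql hunks. `author_id` (`null = false`) and `sponsor_id` (`null = true`) both carry `default = 0`, a value no `Organization` row can have, so an insert relying on the default fails once foreign keys are enforced or leaves a dangling reference while they are not; `sponsor_id` should default to NULL and `author_id` should have no default, and these defaults also appear in the Prisma and SQL hunks.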
diff --git a/scripts/database/mitre-saf-security-benchmarks.pdf b/scripts/database/mitre-saf-security-benchmarks.pdf new file mode 100644 index 000000000..5422c951f Binary files /dev/null and b/scripts/database/mitre-saf-security-benchmarks.pdf differ diff --git a/scripts/database/schema.prisma b/scripts/database/schema.prisma new file mode 100644 index 000000000..aa8049d58 --- /dev/null +++ b/scripts/database/schema.prisma 
@@ -0,0 +1,294 @@
+/// The datasource block defines the database connection.
+/// In this case, we're using SQLite as the provider and the database file is `test.db`.
+datasource db {
+ provider = "sqlite"
+ /// The url field points to the location of the database file.
+ /// If the file doesn't exist, Prisma will create it when you run `prisma migrate dev` or `prisma db push`.
+ url = "file:./test.db"
+}
+/// The Artifact model represents a single artifact.
+/// Each artifact has a unique identifier, a type_id, an owner_id, a name, a location,
+/// a secondary location (optional), a creation timestamp, and raw data (optional).
+/// The model has relations to the ArtifactTypes and Organization models.
+model Artifact {
+ /// The unique identifier for an artifact.
+ artifact_id Int @id @default(autoincrement())
+
+ /// The unique identifier for the type of the artifact.
+ /// see ArtifactTypes to understand the expected types
+ type_id Int
+
+ /// The unique identifier for the owner of the artifact.
+ owner_id Int
+
+ /// The name of the artifact.
+ name String
+
+ /// The primary location of the artifact.
+ /// example: 'http://...','','s3://location'
+ location String
+
+ /// The secondary location of the artifact, if any.
+ /// example: backup location, or alt download site
+ secondary_location String @default("")
+
+ /// The timestamp when the artifact was created.
+ /// Usually a 'published date' style concept, not 'disk/upload create time'
+ created_at DateTime
+
+ /// The raw data of the artifact, if any.
+ raw_data Bytes @default("")
+
+ /// The relation to the ArtifactTypes model.
+ artifact_types ArtifactTypes @relation(fields: [type_id], references: [artifact_type_id])
+
+ /// The relation to the Organization model.
+ Organization Organization @relation(fields: [owner_id], references: [organization_id])
+ BenchmarkArtifacts BenchmarkArtifacts[]
+}
+
+/// The Benchmarks model represents the different benchmarks.
+/// Each benchmark has a unique identifier, a version number, a release number,
+/// a release date, type_id, product_id, author_id, sponsor_id (optional) and status_id.
+model Benchmarks {
+ /// The unique identifier for a benchmark.
+ benchmark_id Int @id @default(autoincrement())
+
+ /// The version number of the benchmark.
+ version Int
+
+ /// The release number of the benchmark.
+ release Int
+
+ /// The release date of the benchmark.
+ release_date DateTime
+
+ /// The unique identifier for the type of the benchmark.
+ type_id Int
+
+ /// The unique identifier for the product associated with the benchmark.
+ product_id Int
+
+ /// The unique identifier for the author of the benchmark.
+ author_id Int @default(0)
+
+ /// The unique identifier for the sponsor of the benchmark.
+ sponsor_id Int @default(0)
+
+ /// The unique identifier for the status of the benchmark.
+ status_id Int
+
+ /// The relation to the BenchmarkType model.
+ benchmark_type BenchmarkType @relation(fields: [type_id], references: [benchmark_type_id])
+
+ /// The relation to the Products model.
+ Products Products @relation(fields: [product_id], references: [product_id])
+
+ /// The relation to the Organization model for the author.
+ Author Organization @relation("AuthorRelation", fields: [author_id], references: [organization_id])
+
+ /// The relation to the Organization model for the sponsor.
+ Sponsor Organization @relation("SponsorRelation", fields: [sponsor_id], references: [organization_id])
+
+ /// The relation to the Statuses model.
+ Status Statuses @relation(fields: [status_id], references: [status_id])
+
+ /// The relation to the BenchmarkArtifacts model.
+ /// This field represents a list of all BenchmarkArtifacts associated with this model.
+ BenchmarkArtifacts BenchmarkArtifacts[]
+
+ /// A unique constraint ensuring that the combination of version, release, product_id, and author_id is unique.
+ @@unique([version, release, product_id, author_id], name: "unique_product_version_release_owner")
+}
+
+/// The Organization model represents different organizations.
+/// Each organization has a unique identifier, a long name, a short name, a URI, and an email.
+/// An organization can be an author or a sponsor of multiple benchmarks.
+/// A unique constraint ensures that the combination of long_name and short_name is unique.
+model Organization {
+ /// The unique identifier for an organization.
+ organization_id Int @id @default(autoincrement())
+
+ /// The long name of the organization.
+ /// example:
+ /// - 'The MITRE Corporation',
+ /// - 'Broadcom/VMWare Corporation',
+ /// - 'Defense Information Systems Agency'
+ /// - 'International Business Machines, Corporation'
+ long_name String
+
+ /// The short name of the organization.
+ /// example: 'MITRE','VMWare','DISA', IBM
+ short_name String
+
+ /// The URI of the organization.
+ uri String @default("None")
+
+ /// The email of the organization.
+ email String @default("None")
+
+ /// The benchmarks for which the organization is the author.
+ Authors Benchmarks[] @relation("AuthorRelation")
+
+ /// The benchmarks for which the organization is the sponsor.
+ Sponsors Benchmarks[] @relation("SponsorRelation")
+
+ /// The artifacts owned by the organization.
+ Artifact Artifact[]
+
+ /// The products owned by the organization.
+ Products Products[]
+
+ /// A unique constraint ensuring that the combination of long_name and short_name is unique.
+ @@unique([long_name, short_name], name: "unique_org_short_and_long_name")
+}
+
+///
+/// The Products model represents the different products.
+/// Each product has a unique identifier, a long name, a short name,
+/// a version number, and a release number.
+///
+/// A product is owned by an Organization and is organized at the version level.
+/// Sometimes vendors organize benchmarks only at the version level but sometimes
+// they can do it at the version + release level.
+///
+/// - Owner: 'RedHat',
+/// - name: 'Enterprise Linux',
+/// - version: '7',
+/// - [optional] release: '4'
+///
+/// Some Products are tracked at the Major version only and then version should be 'x' or ''
+/// Postres SQL 12.x, for example
+///
+model Products {
+ /// The unique identifier for a product.
+ product_id Int @id @default(autoincrement())
+
+ /// The long name of the product.
+ /// examples: 'Identity Manager', 'Cloud Foundation', 'vSphere'
+ long_name String
+
+ /// The short name of the product.
+ /// examples: 'RHEL', 'VCF', 'VIDM', 'vSphere'
+ /// These will also be used in 'hash / search keys' to help identify products
+ short_name String
+
+ /// The version number of the product.
+ version Float
+
+ /// The release number of the product.
+ release Int
+
+ /// The unique identifier for the organization that owns the product.
+ owner_id Int
+
+ /// The relation to the Organization model.
+ /// This field represents the Organization that owns this Product.
+ Organization Organization @relation(fields: [owner_id], references: [organization_id])
+
+ /// The relation to the Benchmarks model.
+ /// This field represents a list of all Benchmarks associated with this Product.
+ Benchmarks Benchmarks[]
+}
+
+/// The Statuses model represents the different statuses that can be assigned.
+/// Each status has a unique identifier and a name.
+/// A unique constraint ensures that the combination of status_id and name is unique.
+model Statuses {
+ /// The unique identifier for a status.
+ status_id Int @id @default(autoincrement())
+
+ /// The name of the status.
+ /// example: 'final', 'draft', 'in-review', 'sunset'
+ name String
+
+ /// The relation to the Benchmarks model.
+ /// This field represents a list of all Benchmarks associated with this Status.
+ Benchmarks Benchmarks[]
+
+ /// A unique constraint ensuring that the combination of status_id and name is unique.
+ @@unique([status_id, name], name: "unique_status_id_name")
+}
+
+/// The ArtifactTypes model represents the different types of artifacts.
+/// Each artifact type has a unique identifier, a name, and a description.
+model ArtifactTypes {
+ /// The unique identifier for an artifact type.
+ artifact_type_id Int @id @default(autoincrement())
+
+ /// The name of the artifact type.
+ /// example: XCCDF-File, JSON-File, Zip-Archieve, tar.gz-File, XML-File, SCAP-File
+ type_name String
+
+ /// A description of the artifact type.
+ description String @default("")
+
+ /// The relation to the Artifact model.
+ /// This field represents a list of all Artifacts associated with this ArtifactType.
+ Artifact Artifact[]
+}
+
+/// The BenchmarkArtifacts model represents the relationship between benchmarks and artifacts.
+/// Each BenchmarkArtifacts record has a unique identifier for a benchmark and an artifact.
+/// A flag indicates if the artifact is the default for the benchmark.
+/// The model has relations to the Benchmarks and Artifact models.
+/// The composite primary key for the BenchmarkArtifacts model is a combination of benchmark_id and artifact_id.
+/// A unique constraint ensures that a benchmark can only have one default artifact.
+model BenchmarkArtifacts {
+ /// The unique identifier for a benchmark.
+ benchmark_id Int @default(0)
+
+ /// The unique identifier for an artifact.
+ artifact_id Int @default(0)
+
+ /// A flag indicating if the artifact is the default for the benchmark.
+ /// If we move to a real database this should be a BOOL
+ is_default Int @default(0)
+
+ /// The relation to the Benchmarks model.
+ Benchmarks Benchmarks @relation(fields: [benchmark_id], references: [benchmark_id])
+
+ /// The relation to the Artifact model.
+ Artifact Artifact @relation(fields: [artifact_id], references: [artifact_id])
+
+ /// The composite primary key for the BenchmarkArtifacts model.
+ @@id([benchmark_id, artifact_id])
+ /// A unique constraint ensuring that a benchmark can only have one default artifact.
+ @@unique([benchmark_id, artifact_id, is_default], name: "unique_benchmark_artifact_default")
+}
+
+/// The BenchmarkType model represents the different types of benchmarks.
+/// Each benchmark type has a unique identifier, a long name, a short name, and a description.
+/// The 'long_name' is likely a registered trademark, so it should be unique.
+/// The 'short_name' is intended to be used as a lookup key, so it should also be unique.
+/// Each BenchmarkType should have a unique combination of 'short_name' and 'long_name'.
+model BenchmarkType {
+ /// The unique identifier for a benchmark type.
+ benchmark_type_id Int @id @default(autoincrement())
+
+ /// The long name of the benchmark type.
+ /// example:
+ /// - 'Security Technical Implementation Guide'
+ /// - 'Center for Internet Security Benchmark'
+ /// - 'Vendor Security/Administration Guide'
+ /// - 'Best Practice Guide'
+ long_name String
+
+ /// The short name of the benchmark type.
+ /// example: 'STIG','CIS','Vendor', 'BP'
+ short_name String
+
+ /// A description of the benchmark type.
+ description String
+
+ /// The relation to the Benchmarks model.
+ /// This field represents a list of all Benchmarks associated with this BenchmarkType.
+ Benchmarks Benchmarks[]
+
+ /// The 'long_name' is likely a registered trademark, so it should be unique.
+ @@unique([long_name], name: "unique_bt_long_name")
+ /// The 'short_name' is intended to be used as a lookup key, so it should also be unique.
+ @@unique([short_name], name: "unique_bt_short_name")
+ /// Each Benchmark should have a unique combination of 'short_name' and 'long_name'.
+ @@unique([long_name, short_name], name: "unique_long_short_name")
+}
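Review bot: `version Float` in `model Products` contradicts the model comment a few lines above it, which says version should be `'x'` or `''` for products tracked at the major version only; neither value fits a Float, so either reword the comment to match the type or store the version as `String`. Nullability also drifts from the HCL and SQL definitions in this commit: `secondary_location`, `raw_data`, `uri`, `email` and `sponsor_id` are nullable there but become required fields with `@default("")`, `@default("None")` or `@default(0)` here, so a Prisma client and a raw SQLite client will disagree on what an absent value looks like. The `datasource` hard-codes `url = "file:./test.db"`, and the same commit adds a `scripts/database/test.db` binary, so the committed fixture and the live datasource are the same file; `url = env("DATABASE_URL")` keeps the runtime database path out of the schema and the database itself out of version control.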
diff --git a/scripts/database/schema/mitre-saf-security-benchmarks.sql b/scripts/database/schema/mitre-saf-security-benchmarks.sql new file mode 100644 index 000000000..0b1cbf6a6 --- /dev/null +++ b/scripts/database/schema/mitre-saf-security-benchmarks.sql 
@@ -0,0 +1,112 @@
+-- Create "Artifact" table
+CREATE TABLE
+ `Artifact` (
+ `artifact_id` integer NOT NULL PRIMARY KEY AUTOINCREMENT,
+ `type_id` integer NOT NULL,
+ `owner_id` integer NOT NULL,
+ `name` varchar NOT NULL,
+ `location` varchar NOT NULL,
+ `secondary_location` varchar NULL,
+ `created_at` date NOT NULL,
+ `raw_data` BLOB NULL,
+ CONSTRAINT `artifact_has_a_type` FOREIGN KEY (`type_id`) REFERENCES `artifact_types` (`artifact_type_id`) ON UPDATE CASCADE ON DELETE RESTRICT,
+ CONSTRAINT `artifact_has_a_owner` FOREIGN KEY (`owner_id`) REFERENCES `Organization` (`organization_id`) ON UPDATE CASCADE ON DELETE RESTRICT
+ );
+
+-- Create "Benchmarks" table
+CREATE TABLE
+ `Benchmarks` (
+ `benchmark_id` integer NOT NULL PRIMARY KEY AUTOINCREMENT,
+ `version` smallint NOT NULL,
+ `release` smallint NOT NULL,
+ `release_date` date NOT NULL,
+ `type_id` integer NOT NULL,
+ `product_id` int NOT NULL,
+ `author_id` integer NOT NULL DEFAULT 0,
+ `sponsor_id` integer NULL DEFAULT 0,
+ `status_id` integer NOT NULL,
+ CONSTRAINT `benchmark_has_a_type` FOREIGN KEY (`type_id`) REFERENCES `benchmark_type` (`benchmark_type_id`) ON UPDATE CASCADE ON DELETE RESTRICT,
+ CONSTRAINT `benchmark_has_a_product` FOREIGN KEY (`product_id`) REFERENCES `Products` (`product_id`) ON UPDATE CASCADE ON DELETE RESTRICT,
+ CONSTRAINT `benchmark_has_an_author` FOREIGN KEY (`author_id`) REFERENCES `Organization` (`organization_id`) ON UPDATE CASCADE ON DELETE RESTRICT,
+ CONSTRAINT `benmark_has_a_sponsor` FOREIGN KEY (`sponsor_id`) REFERENCES `Organization` (`organization_id`) ON UPDATE CASCADE ON DELETE RESTRICT,
+ CONSTRAINT `benchmark_has_a_status` FOREIGN KEY (`status_id`) REFERENCES `Statuses` (`status_id`) ON UPDATE CASCADE ON DELETE RESTRICT
+ );
+
+-- Create index "unique_product_version_release_owner" to table: "Benchmarks"
+CREATE UNIQUE INDEX `unique_product_version_release_owner` ON `Benchmarks` (`version`, `release`, `product_id`, `author_id`);
+
+-- Create "Organization" table
+CREATE TABLE
+ `Organization` (
+ `organization_id` integer NOT NULL PRIMARY KEY AUTOINCREMENT,
+ `long_name` varchar NOT NULL,
+ `short_name` varchar NOT NULL,
+ `uri` varchar NULL,
+ `email` varchar NULL
+ );
+
+-- Create index "unique_org_short_and_long_name" to table: "Organization"
+CREATE UNIQUE INDEX `unique_org_short_and_long_name` ON `Organization` (`long_name`, `short_name`);
+
+-- Create "Products" table
+CREATE TABLE
+ `Products` (
+ `product_id` integer NOT NULL PRIMARY KEY AUTOINCREMENT,
+ `long_name` varchar NOT NULL,
+ `short_name` varchar NOT NULL,
+ `version` real NOT NULL,
+ `release` int NOT NULL,
+ `owner_id` integer NOT NULL,
+ CONSTRAINT `product_has_a_owner` FOREIGN KEY (`owner_id`) REFERENCES `Organization` (`organization_id`) ON UPDATE CASCADE ON DELETE RESTRICT
+ );
+
+-- Create "Statuses" table
+CREATE TABLE
+ `Statuses` (
+ `status_id` integer NOT NULL PRIMARY KEY AUTOINCREMENT,
+ `name` varchar NOT NULL
+ );
+
+-- Create index "unique_status_id_name" to table: "Statuses"
+CREATE UNIQUE INDEX `unique_status_id_name` ON `Statuses` (`status_id`, `name`);
+
+-- Create "artifact_types" table
+CREATE TABLE
+ `artifact_types` (
+ `artifact_type_id` integer NOT NULL PRIMARY KEY AUTOINCREMENT,
+ `type_name` varchar NOT NULL,
+ `description` text NULL
+ );
+
+-- Create "benchmark_artifacts" table
+CREATE TABLE
+ `benchmark_artifacts` (
+ `benchmark_id` integer NOT NULL,
+ `artifact_id` integer NOT NULL,
+ -- this should become a BOOL if we move off sqlite
+ `is_default` int2 NULL DEFAULT 0,
+ PRIMARY KEY (`benchmark_id`, `artifact_id`),
+ CONSTRAINT `benchmark_has_an_artifact` FOREIGN KEY (`benchmark_id`) REFERENCES `Benchmarks` (`benchmark_id`) ON UPDATE CASCADE ON DELETE CASCADE,
+ CONSTRAINT `artifact_belongs_to_benchmark` FOREIGN KEY (`artifact_id`) REFERENCES `Artifact` (`artifact_id`) ON UPDATE CASCADE ON DELETE CASCADE
+ );
+
+-- Create index "unique_benchmark_artificat_default" to table: "benchmark_artifacts"
+CREATE UNIQUE INDEX 
`unique_benchmark_artificat_default` ON `benchmark_artifacts` (`benchmark_id`, `artifact_id`, `is_default`); + +-- Create "benchmark_type" table +CREATE TABLE + `benchmark_type` ( + `benchmark_type_id` integer NOT NULL PRIMARY KEY AUTOINCREMENT, + `long_name` varchar NOT NULL, + `short_name` varchar NOT NULL, + `description` text NOT NULL + ); + +-- Create index "unique_bt_long_name" to table: "benchmark_type" +CREATE UNIQUE INDEX `unique_bt_long_name` ON `benchmark_type` (`long_name`); + +-- Create index "unique_bt_short_name" to table: "benchmark_type" +CREATE UNIQUE INDEX `unique_bt_short_name` ON `benchmark_type` (`short_name`); + +-- Create index "unique_long_short_name" on table: "benchmark_type" +CREATE UNIQUE INDEX unique_long_short_name ON `benchmark_type` (`long_name`, `short_name`); \ No newline at end of file diff --git a/scripts/database/test.db b/scripts/database/test.db new file mode 100644 index 000000000..418327662 Binary files /dev/null and b/scripts/database/test.db differ diff --git a/scripts/database/web/allOf-dark.svg b/scripts/database/web/allOf-dark.svg new file mode 100644 index 000000000..1912cb22d --- /dev/null +++ b/scripts/database/web/allOf-dark.svg @@ -0,0 +1,46 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/scripts/database/web/allOf-light.svg b/scripts/database/web/allOf-light.svg new file mode 100644 index 000000000..0b219d0ce --- /dev/null +++ b/scripts/database/web/allOf-light.svg @@ -0,0 +1,43 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/scripts/database/web/anyOf-dark.svg b/scripts/database/web/anyOf-dark.svg new file mode 100644 index 000000000..d2c7f93eb --- /dev/null +++ b/scripts/database/web/anyOf-dark.svg @@ -0,0 +1,43 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 
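Review bot: SQLite does not enforce any of the `FOREIGN KEY ... ON UPDATE CASCADE ON DELETE RESTRICT` clauses in this script unless `PRAGMA foreign_keys = ON;` is issued on every connection, and the script neither sets it nor documents the requirement, so the RESTRICT/CASCADE semantics the schema relies on silently depend on each caller; add a header comment `-- Foreign keys are only enforced when each connection runs PRAGMA foreign_keys = ON` and make the loader that applies this script set it. Identifier quoting is inconsistent in the last statement, `CREATE UNIQUE INDEX unique_long_short_name ON ...`, which is the only unbackticked name in the file, and the file ends without a trailing newline.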
diff --git a/scripts/database/web/anyOf-light.svg b/scripts/database/web/anyOf-light.svg new file mode 100644 index 000000000..e9996ad3e --- /dev/null +++ b/scripts/database/web/anyOf-light.svg @@ -0,0 +1,40 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/scripts/database/web/assets/ak.svg b/scripts/database/web/assets/ak.svg new file mode 100644 index 000000000..578f8dba8 --- /dev/null +++ b/scripts/database/web/assets/ak.svg @@ -0,0 +1,73 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/scripts/database/web/assets/fk.svg b/scripts/database/web/assets/fk.svg new file mode 100644 index 000000000..85f8ef275 --- /dev/null +++ b/scripts/database/web/assets/fk.svg @@ -0,0 +1,85 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/scripts/database/web/assets/ik.svg b/scripts/database/web/assets/ik.svg new file mode 100644 index 000000000..a9d01acdf --- /dev/null +++ b/scripts/database/web/assets/ik.svg @@ -0,0 +1,12 @@ + + + + + + + + + + diff --git a/scripts/database/web/assets/im-line-icons.eot b/scripts/database/web/assets/im-line-icons.eot new file mode 100644 index 000000000..b92244bdd Binary files /dev/null and b/scripts/database/web/assets/im-line-icons.eot differ diff --git a/scripts/database/web/assets/im-line-icons.svg b/scripts/database/web/assets/im-line-icons.svg new file mode 100644 index 000000000..34e3c6172 --- /dev/null +++ b/scripts/database/web/assets/im-line-icons.svg 
@@ -0,0 +1,158 @@ + + + +Generated by IcoMoon + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + \ No newline at end of file diff --git a/scripts/database/web/assets/im-line-icons.ttf b/scripts/database/web/assets/im-line-icons.ttf new file mode 100644 index 000000000..c683fc93e Binary files /dev/null and b/scripts/database/web/assets/im-line-icons.ttf differ diff --git a/scripts/database/web/assets/im-line-icons.woff b/scripts/database/web/assets/im-line-icons.woff new file mode 100644 index 000000000..fa6a0ec2a Binary files /dev/null and b/scripts/database/web/assets/im-line-icons.woff differ diff --git a/scripts/database/web/assets/index.svg b/scripts/database/web/assets/index.svg new file mode 100644 index 000000000..10cd47077 --- /dev/null +++ b/scripts/database/web/assets/index.svg @@ -0,0 +1,14 @@ + + + + + + + + + + + + diff --git a/scripts/database/web/assets/inter.svg b/scripts/database/web/assets/inter.svg new file mode 100644 index 000000000..2178f71ce --- /dev/null +++ b/scripts/database/web/assets/inter.svg @@ -0,0 +1,12 @@ + + + + + + + + + + diff --git a/scripts/database/web/assets/linked.svg b/scripts/database/web/assets/linked.svg new file mode 100644 index 000000000..272b4da60 --- /dev/null +++ b/scripts/database/web/assets/linked.svg @@ -0,0 +1,29 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/scripts/database/web/assets/open-sans-v17-latin-ext_latin-600.eot b/scripts/database/web/assets/open-sans-v17-latin-ext_latin-600.eot new file mode 100644 index 000000000..078e134c6 Binary files /dev/null and b/scripts/database/web/assets/open-sans-v17-latin-ext_latin-600.eot differ 
diff --git a/scripts/database/web/assets/open-sans-v17-latin-ext_latin-600.svg b/scripts/database/web/assets/open-sans-v17-latin-ext_latin-600.svg new file mode 100644 index 000000000..410561e78 --- /dev/null +++ b/scripts/database/web/assets/open-sans-v17-latin-ext_latin-600.svg @@ -0,0 +1,336 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/scripts/database/web/assets/open-sans-v17-latin-ext_latin-600.ttf b/scripts/database/web/assets/open-sans-v17-latin-ext_latin-600.ttf new file mode 100644 index 000000000..c416212a0 Binary files /dev/null and b/scripts/database/web/assets/open-sans-v17-latin-ext_latin-600.ttf differ diff --git a/scripts/database/web/assets/open-sans-v17-latin-ext_latin-600.woff b/scripts/database/web/assets/open-sans-v17-latin-ext_latin-600.woff new file mode 100644 index 000000000..adaf3a1e5 Binary files /dev/null and b/scripts/database/web/assets/open-sans-v17-latin-ext_latin-600.woff differ diff --git a/scripts/database/web/assets/open-sans-v17-latin-ext_latin-600.woff2 b/scripts/database/web/assets/open-sans-v17-latin-ext_latin-600.woff2 new file mode 100644 index 000000000..24449199f Binary files /dev/null and b/scripts/database/web/assets/open-sans-v17-latin-ext_latin-600.woff2 differ diff --git a/scripts/database/web/assets/open-sans-v17-latin-ext_latin-700.eot b/scripts/database/web/assets/open-sans-v17-latin-ext_latin-700.eot new file mode 100644 index 000000000..cd63ec4f2 Binary files /dev/null and b/scripts/database/web/assets/open-sans-v17-latin-ext_latin-700.eot differ 
diff --git a/scripts/database/web/assets/open-sans-v17-latin-ext_latin-700.svg b/scripts/database/web/assets/open-sans-v17-latin-ext_latin-700.svg new file mode 100644 index 000000000..8e6b61ade --- /dev/null +++ b/scripts/database/web/assets/open-sans-v17-latin-ext_latin-700.svg @@ -0,0 +1,334 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/scripts/database/web/assets/open-sans-v17-latin-ext_latin-700.ttf b/scripts/database/web/assets/open-sans-v17-latin-ext_latin-700.ttf new file mode 100644 index 000000000..885fb68ed Binary files /dev/null and b/scripts/database/web/assets/open-sans-v17-latin-ext_latin-700.ttf differ diff --git a/scripts/database/web/assets/open-sans-v17-latin-ext_latin-700.woff b/scripts/database/web/assets/open-sans-v17-latin-ext_latin-700.woff new file mode 100644 index 000000000..46bbd7588 Binary files /dev/null and b/scripts/database/web/assets/open-sans-v17-latin-ext_latin-700.woff differ diff --git a/scripts/database/web/assets/open-sans-v17-latin-ext_latin-700.woff2 b/scripts/database/web/assets/open-sans-v17-latin-ext_latin-700.woff2 new file mode 100644 index 000000000..c824c3153 Binary files /dev/null and b/scripts/database/web/assets/open-sans-v17-latin-ext_latin-700.woff2 differ diff --git a/scripts/database/web/assets/open-sans-v17-latin-ext_latin-regular.eot b/scripts/database/web/assets/open-sans-v17-latin-ext_latin-regular.eot new file mode 100644 index 000000000..b411f2e51 Binary files /dev/null and b/scripts/database/web/assets/open-sans-v17-latin-ext_latin-regular.eot differ 
diff --git a/scripts/database/web/assets/open-sans-v17-latin-ext_latin-regular.svg b/scripts/database/web/assets/open-sans-v17-latin-ext_latin-regular.svg new file mode 100644 index 000000000..78eb653a7 --- /dev/null +++ b/scripts/database/web/assets/open-sans-v17-latin-ext_latin-regular.svg @@ -0,0 +1,336 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/scripts/database/web/assets/open-sans-v17-latin-ext_latin-regular.ttf b/scripts/database/web/assets/open-sans-v17-latin-ext_latin-regular.ttf new file mode 100644 index 000000000..0a0d4838b Binary files /dev/null and b/scripts/database/web/assets/open-sans-v17-latin-ext_latin-regular.ttf differ diff --git a/scripts/database/web/assets/open-sans-v17-latin-ext_latin-regular.woff b/scripts/database/web/assets/open-sans-v17-latin-ext_latin-regular.woff new file mode 100644 index 000000000..efb8f0d31 Binary files /dev/null and b/scripts/database/web/assets/open-sans-v17-latin-ext_latin-regular.woff differ diff --git a/scripts/database/web/assets/open-sans-v17-latin-ext_latin-regular.woff2 b/scripts/database/web/assets/open-sans-v17-latin-ext_latin-regular.woff2 new file mode 100644 index 000000000..9b582203f Binary files /dev/null and b/scripts/database/web/assets/open-sans-v17-latin-ext_latin-regular.woff2 differ diff --git a/scripts/database/web/assets/pfk.svg b/scripts/database/web/assets/pfk.svg new file mode 100644 index 000000000..b1ad81b3c --- /dev/null +++ b/scripts/database/web/assets/pfk.svg 
@@ -0,0 +1,85 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/scripts/database/web/assets/pk.svg b/scripts/database/web/assets/pk.svg new file mode 100644 index 000000000..427f25ef2 --- /dev/null +++ b/scripts/database/web/assets/pk.svg @@ -0,0 +1,76 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/scripts/database/web/assets/union.svg b/scripts/database/web/assets/union.svg new file mode 100644 index 000000000..dbf0f679a --- /dev/null +++ b/scripts/database/web/assets/union.svg @@ -0,0 +1,19 @@ + + + + + + + + + + + + + + + + + diff --git a/scripts/database/web/assets/watermark-meteor.svg b/scripts/database/web/assets/watermark-meteor.svg new file mode 100644 index 000000000..d54133766 --- /dev/null +++ b/scripts/database/web/assets/watermark-meteor.svg @@ -0,0 +1,48 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/scripts/database/web/assets/watermark-moon.svg b/scripts/database/web/assets/watermark-moon.svg new file mode 100644 index 000000000..5895b0422 --- /dev/null +++ b/scripts/database/web/assets/watermark-moon.svg @@ -0,0 +1,44 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/scripts/database/web/assets/watermark-perseid.svg b/scripts/database/web/assets/watermark-perseid.svg new file mode 100644 index 000000000..45767fdf4 --- /dev/null +++ b/scripts/database/web/assets/watermark-perseid.svg @@ -0,0 +1,49 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/scripts/database/web/backgroundImageBricks.svg b/scripts/database/web/backgroundImageBricks.svg new file mode 100644 index 000000000..a48f8ae4c --- /dev/null 
+++ b/scripts/database/web/backgroundImageBricks.svg @@ -0,0 +1,23 @@ + + + + + + + + + + + + + + + + + + + + + + + diff --git a/scripts/database/web/backgroundImageGrid.svg b/scripts/database/web/backgroundImageGrid.svg new file mode 100644 index 000000000..a745d2bd0 --- /dev/null +++ b/scripts/database/web/backgroundImageGrid.svg @@ -0,0 +1,14 @@ + + + + + + + + + + + + + + diff --git a/scripts/database/web/backgroundImageLines.svg b/scripts/database/web/backgroundImageLines.svg new file mode 100644 index 000000000..089664d53 --- /dev/null +++ b/scripts/database/web/backgroundImageLines.svg @@ -0,0 +1,404 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/scripts/database/web/backgroundImageSquares.svg b/scripts/database/web/backgroundImageSquares.svg new file mode 100644 index 000000000..f60a26a7d --- /dev/null +++ b/scripts/database/web/backgroundImageSquares.svg @@ -0,0 +1,77 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/scripts/database/web/backgroundImageTriangles.svg b/scripts/database/web/backgroundImageTriangles.svg new file mode 100644 index 000000000..9279ebca4 
--- /dev/null +++ b/scripts/database/web/backgroundImageTriangles.svg @@ -0,0 +1,134 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/scripts/database/web/compare.css b/scripts/database/web/compare.css new file mode 100644 index 000000000..4d7450178 --- /dev/null +++ b/scripts/database/web/compare.css 
@@ -0,0 +1,186 @@ +.im-code-split { + display: grid; + grid-template-columns: 50% 50%; + grid-gap: 10px; + margin: 10px; +} + +.im-code-fullwidth { + display: block; + margin: 10px; +} + +.im-align-center { + text-align: center; +} + +.im-code-split > div { + display: inline-block; + display: flex; + flex-direction: column; +} + +.im-code-split pre { + flex-grow: 1; + overflow: auto; + color: #ddd; + font-size: 14px; + line-height: 150%; + white-space: pre-wrap; +} + +.im-content-spacer-lg { + height: 25px; + display: block; +} + +.im-content-spacer-md { + height: 15px; + display: block; +} + +.im-content-spacer-sm { + height: 10px; + display: block; +} + +.mm-d-c-c-i { + font-size: 12px; + text-transform: uppercase; + color: #888; + padding: 3px 10px; + background: rgba(0,0,0,0.25); + display: inline-block; + margin: 1px 1px 0 1px; +} + +.mm-d-g-3 .mm-d-c-c-i { + padding: 4px 7px; + font-size: 10px; +} + +.mm-d-g-3 .mm-d-v-s { + background: rgba(0,0,0,0.25); +} + +.mm-title-section { + margin-top: 30px; + font-size: 20px; + color: #ddd; + margin-left: 10px; +} + +.mm-left { + border-bottom: 2px solid darkorange; + color: darkorange !important; +} + +.mm-left-text { + color: darkorange !important; +} + +.mm-right { + border-bottom: 2px solid lightgreen; + color: lightgreen !important; +} + +.mm-right-text { + color: lightgreen !important; +} + +.mm-modified-text { + color: rgb(3, 169, 244) !important; +} + +.mm-side-icon { + margin-right: 4px; +} + +.mm-subtitle { + margin-top: 20px; +} + +.mm-subtitle-col { + text-transform: uppercase; + margin-top: 21px; + font-size: 11px; + padding-left: 10px; +} + +.mm-compare-message { + margin: 10px 0 20px 10px; + padding: 10px; + color: #ccc; + background: rgba(255,255,255,0.05); + font-size: 14px; + font-style: italic; + border: 1px solid rgba(0,0,0,0.2); + box-shadow: 0 3px 6px -6px #000; +} + +.mm-compare-text { + padding: 0 10px; + color: #ccc; + font-size: 14px; + white-space: pre-wrap; +} + +.mm-author { + color: #fff; 
+ margin: 10px 0; +} + +.mm-nav-a { + text-transform: capitalize; +} + +.mm-section-group { + display: none; +} + +@media screen and (max-width: 992px) { + .mm-section { + display: block !important; + } + + #mm-main-navs { + display: none !important; + } + + .mm-main-report-area { + grid-template-rows: 1fr; + } + + .mm-fullpage-wrapper { + max-width: unset; + min-width: unset; + width: unset; + margin: unset; + } + + html, + body { + overflow: unset; + } + + .mm-section-group, + .mm-statistics-group { + border-bottom: 2px solid white; + font-size: 18px; + text-transform: uppercase; + letter-spacing: 1px; + padding: 5px; + text-align: center; + font-weight: 700; + margin: 10px 10px 5px 10px; + color: white; + } + + .mm-section-active { + height: auto; + } + + .mm-section-group { + display: block; + } +} \ No newline at end of file diff --git a/scripts/database/web/datensen-moon-modeler-report.css b/scripts/database/web/datensen-moon-modeler-report.css new file mode 100644 index 000000000..83313d6e1 --- /dev/null +++ b/scripts/database/web/datensen-moon-modeler-report.css 
@@ -0,0 +1,471 @@ +.mm-main-report-area { + display: grid; + grid-template-rows: 42px 1fr; +} + +#mm-main-navs { + background: #333; + z-index: 6; +} + +#mm-nav-expander { + display: none; + background: #222; +} + +#mm-nav-expander i { + color: white; + cursor: pointer; +} + +.mm-main-hamburger { + padding: 10px; + display: inline-block; + margin-right: auto; +} + +.mm-nav-tabs { + display: flex; + flex-direction: row; + box-shadow: 0px 0px 5px -2px #000; + border-bottom: 1px solid rgba(0,0,0,0.2); + background: linear-gradient(180deg, #222, #222); +} + +.mm-nav-a { + display: inline-block; + padding: 10px 20px; + text-decoration: none; + color: white; + cursor: pointer; +} + +.mm-nav-active { + background: rgb(3, 169, 244); + color: white; +} + +.mm-tab-content { + display: none; +} + +.mm-tab-content-active { + display: block; +} + +.mm-ml-auto { + margin-left: auto; +} + +.mm-mr-auto { + margin-right: auto; +} + +.mm-display-none, .tob { + display: none; +} + +.tob { + color: white; + padding-top: 20px; + padding-left: 20px; +} + +.mm-display-block { + display: block; +} + +.mm-side-hidden { + width: 1px; +} + +#placeholder { + max-width: 60vw; + max-height: 90%; + position: absolute; + top: 100px; + left: 0; + right: 0; + margin: auto; + background: #333; + box-shadow: 0 0 20px -10px #000; + border-radius: 4px; + overflow: hidden; +} + +#mm-content { + overflow: auto; +} + +#mm-side-wrapper { + display: grid; + grid-template-rows: auto 1fr; + height: 100%; + width: 100%; + overflow: hidden; +} + +#mm-report-content { + overflow: hidden; + height: 100%; + width: 100%; + display: grid; + grid-template-columns: minmax(250px, max-content) 1fr; +} + +#mm-report-content.mm-report-content-cols-1 { + grid-template-columns: 1fr; + grid-template-rows: 1fr; +} + + +#mm-content { + height: 100%; + width: 100%; + background: #333; +} + +#mm-side { + background: #404040; + overflow: hidden; +} + +#mm-side-content > div { + display: none; +} + +.mm-section { + display: none; 
+} + +.mm-section-active { + display: block; + height: 100%; +} + +#mm-side-content { + overflow: auto; +} + +#mm-side-content .mm-sidenav-active { + display: block; +} + + +.mm-sidenav-item-active > div { + background: #222; + color: #fff; + cursor: pointer; +} + +.mm-detail:not(.mm-display-none) { + /*display: grid;*/ +} + +.mm-detail { + padding: 20px 30px 20px 30px; + border-bottom: 1px solid rgba(255, 255, 255, 0.1); +} + +.mm-subsection { + + + padding: 10px; +} + +.mm-props{ + background: rgba(0,0,0,0.1); + padding: 15px; +} + +.mm-subtitle { + color:darkorange; + margin: 2px 8px; + font-size: 12px; + text-transform: uppercase; + +} + +.mm-d-g-3 { + display: grid; + grid-template-columns: minmax(200px, auto) 1fr 1fr; +} + +.mm-d-g-c-m-3 { + grid-column: span 3; +} + +.mm-d-g-4 { + display: grid; + grid-template-columns: repeat(4, auto); +} + +.mm-d-g-c-m-4 { + grid-column: span 4; +} + +.mm-d-g-5 { + display: grid; + grid-template-columns: repeat(5, auto); +} + +.mm-d-g-c-m-5 { + grid-column: span 5; +} + +.mm-d-g-6 { + display: grid; + grid-template-columns: repeat(6, auto); +} + +.mm-d-g-c-m-6 { + grid-column: span 6; +} + + +.mm-d-hor { + display: grid; + grid-template-columns: auto 1fr; +} + +.mm-d-ver { + display: grid; + grid-template-rows: auto auto; + align-self: flex-start; +} + +.mm-d-c { + color: #999; + display: inline-block; + font-size: 12px; + font-weight: 300; + padding: 5px 8px 1px 8px; + text-transform: uppercase; +} + +.mm-d-v { + color: #fff; + display: inline-block; + font-size: 14px; + font-weight: 300; + padding: 1px 8px; + align-self: end; + background: rgba(0,0,0,0.15); + height: auto; + margin: 1px 1px 0 1px; + min-height: 20px; +} + +.mm-d-c-i { + color: #999; + display: block; + font-size: 10px; + font-weight: 300; + padding: 1px 8px 1px 8px; + position: relative; + top: 3px; + text-transform: uppercase; + align-self: end; +} + +.mm-d-v-i { + color: #fff; + display: inline-block; + font-size: 24px; + font-weight: 300; + padding: 
1px 8px 1px 8px; + align-self: end; +} + +.mm-d-v-i:after { + content: ""; + width: auto; + height: 2px; + background: rgb(3, 169, 244); + margin-top: 2px; + display: block; + +} + +.mm-d-c-l { + color: #999; + display: block; + font-size: 10px; + font-weight: 300; + padding: 4px 8px 6px 8px; + position: relative; + top: 3px; + text-transform: uppercase; + align-self: end; +} + +.mm-d-v-l { + color: #fff; + display: inline-block; + font-size: 14px; + font-weight: 300; + padding: 1px 8px 15px 8px; + align-self: end; + white-space: pre-wrap; +} + +.mm-d-v-s { + + position: relative; + padding-left: 20px; + width: -webkit-fill-available; + width: -moz-available; +} + +.mm-d-v-s:before { + content: " "; + width: 4px; + height: 4px; + background: darkorange; + position: absolute; + left: 8px; + top: 10px; + display: inline-block; +} + +.mm-g-s-2 { + grid-column: span 2; +} + + +.mm-spacer-xs { + height: 0; + background: #333; + display: none; +} + +.mm-d-i { + padding: 10px; +} + +.mm-modal-fix { + display: grid; + grid-template-rows: 52px 1fr 56px; + border-radius: 5px; + user-select: none; + max-height: 85vh; + max-width: 60vw; +} + +.mm-no { + color: rgba(255,255,255,0.6); + font-style: italic; +} + +.mm-yes { + color: rgba(255,255,255,1); +} + +.mm-props .mm-d-v { + background: transparent; +} + + +.im-btn-default { + padding: 8px 16px; + border: 1px solid transparent; + + font-size: 12px; + border-radius: 20px; + text-transform: uppercase; + color: white; + background-color: #2196f3; + transition: background-color 0.3s; + cursor: pointer; + } + + +a, a.active, a.visited { + color:rgb(3, 169, 244); + text-decoration: none; +} + +.mm-fullpage-wrapper { + max-width: 85vw; + min-width: 50vh; + width: 80vw; + margin: 50px auto; + color: #eee; +} + +.mm-header-1 { + font-size: 26px; + font-family: "Open Sans", "Exo"; +} + +.mm-header-1::after { + content: " "; + display: block; + height: 1px; + margin-top: 21px; + background: linear-gradient(90deg, rgba(255, 255, 255, 
0), rgba(255, 255, 255, 0), #4caf50, palevioletred, red, orange, #2196f3, rgba(255, 255, 255, 0), rgba(255, 255, 255, 0)); + width: 100%; +} + +.mm-align-center { + text-align: center; +} + +pre { + background: rgba(0,0,0,0.1); + padding: 10px 20px; + margin: 1px 0; + white-space: pre-wrap; +} + +.mm-description { + color: yellowgreen; +} + +#mm-search { + background: rgba(0,0,0,0.1); + box-shadow: 0 0 10px -3px #000; + z-index: 2; +} + +@media screen and (max-width: 992px) { + #mm-nav-expander { + display: block; + } + + .mm-nav-tabs { + display: flex; + flex-direction: column; + } + + .mm-nav-a { + display: none; + padding: 5px 10px; + } + + .mm-ml-auto { + margin-left: 0; + } + + #mm-report-content { + grid-template-columns: 1fr; + grid-template-rows: 1fr 1px; + } + + #mm-side { + height: auto; + } + + #placeholder { + max-width: 90vw; + top: 50px; + } + + .mm-modal-fix { + max-width: 90vw; + } + + .mm-detail { + padding: 10px; + } +} \ No newline at end of file diff --git a/scripts/database/web/else-dark.svg b/scripts/database/web/else-dark.svg new file mode 100644 index 000000000..907ee3587 --- /dev/null +++ b/scripts/database/web/else-dark.svg @@ -0,0 +1,30 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/scripts/database/web/else-light.svg b/scripts/database/web/else-light.svg new file mode 100644 index 000000000..907ee3587 --- /dev/null +++ b/scripts/database/web/else-light.svg @@ -0,0 +1,30 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/scripts/database/web/guidancedb.dbml b/scripts/database/web/guidancedb.dbml new file mode 100644 index 000000000..f9a2a4303 --- /dev/null +++ b/scripts/database/web/guidancedb.dbml @@ -0,0 +1,16 @@ +// Use DBML to define your database structure +// Docs: https://dbml.dbdiagram.io/docs + +Table Benchmarks { + id integer [pk, increment] + title varchar[256] + vendor text + release int + version int + release_date date +} + +Table Test { + id int [pk, increment] +} + 
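Review bot: The `Benchmarks` table in this DBML diverges from the schema the rest of the commit defines — the SQLAlchemy model and the rendered report list `benchmark_id`, `version`, `release`, `release_date`, `type_id`, `author_id`, `sponsor_id` and `status_id`, while this file declares `id`, `title`, `vendor`, `release`, `version`, `release_date`, and `Table Test` looks like a leftover placeholder. A second, inconsistent schema description under `scripts/database/web` is likely to be mistaken for the authoritative one when someone regenerates diagrams or DDL from it. Either generate this file from the migration SQL or mark it explicitly at the top, e.g. `// NOTE: exploratory sketch, not the authoritative schema — see the migration SQL`. I also believe DBML writes column lengths with parentheses, so `title varchar[256]` may not parse as a 256-character varchar; `title varchar(256)` is the form I would expect.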
diff --git a/scripts/database/web/if-dark.svg b/scripts/database/web/if-dark.svg new file mode 100644 index 000000000..09fa21779 --- /dev/null +++ b/scripts/database/web/if-dark.svg @@ -0,0 +1,27 @@ + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/scripts/database/web/if-light.svg b/scripts/database/web/if-light.svg new file mode 100644 index 000000000..09fa21779 --- /dev/null +++ b/scripts/database/web/if-light.svg @@ -0,0 +1,27 @@ + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/scripts/database/web/im.css b/scripts/database/web/im.css new file mode 100644 index 000000000..5451901c1 --- /dev/null +++ b/scripts/database/web/im.css 
@@ -0,0 +1,536 @@ +@charset "UTF-8"; +@font-face { + font-family: "im-line-icons"; + src: url("./assets/im-line-icons.eot"); + src: url("./assets/im-line-icons.eot?#iefix") format("embedded-opentype"), url("./assets/im-line-icons.ttf") format("truetype"), url("./assets/im-line-icons.woff") format("woff"), url("./assets/im-line-icons.svg") format("svg"); + font-weight: normal; + font-style: normal; +} +[class^=im-icon-], +[class*=" im-icon-"] { + /* use !important to prevent issues with browser extensions that change fonts */ + font-family: "im-line-icons" !important; + speak: none; + font-style: normal; + font-weight: normal; + font-variant: normal; + text-transform: none; + line-height: 1; + /* Better Font Rendering =========== */ + -webkit-font-smoothing: antialiased; + -moz-osx-font-smoothing: grayscale; +} + +.im-icon-toolbar { + font-size: 16px; + align-self: center; + justify-content: center; + text-align: center; +} + +.im-icon-12 { + font-size: 12px; + align-self: center; + justify-content: center; + text-align: center; + color: #666; +} + +.im-icon-16 { + font-size: 16px; + align-self: center; + justify-content: center; + text-align: center; + color: #ccc; +} + +.im-icon-20 { + font-size: 20px; + align-self: center; + text-align: center; + justify-content: center; + color: #ccc; +} + +.im-icon-sm, +.im-icon-sm-disabled { + padding-top: 0; + text-align: center; + display: flex; + border-radius: 2px; + justify-content: center; + transition: 0.3s background-color; +} + +.im-icon-sm:hover { + background-color: rgba(0, 0, 0, 0.2); + transition: 0.3s background-color; +} + +.im-icon-key { + height: 16px; + width: 16px; + margin-right: 2px; + margin-left: 2px; + vertical-align: text-bottom; + padding-bottom: 1px; +} + + +.im-icon-AddRelationCursor:before { + content: "\e91a"; +} +.im-icon-AddTableCursor:before { + content: "\e93b"; +} +.im-icon-ArrowCursor:before { + content: "\e93c"; +} +.im-icon-Add:before { + content: "\e98c"; +} +.im-icon-AlignBottom:before { 
+ content: "\e960"; +} +.im-icon-AlignHorizontalCenter:before { + content: "\e961"; +} +.im-icon-AlignLeft:before { + content: "\e962"; +} +.im-icon-AlignRight:before { + content: "\e963"; +} +.im-icon-AlignTop:before { + content: "\e964"; +} +.im-icon-AlignVerticalCenter:before { + content: "\e965"; +} +.im-icon-Arrow:before { + content: "\e941"; +} +.im-icon-Bottom:before { + content: "\e930"; +} +.im-icon-Comment:before { + content: "\e972"; +} +.im-icon-Composite:before { + content: "\e98d"; +} +.im-icon-Configuration:before { + content: "\e92e"; +} +.im-icon-Copy:before { + content: "\e942"; +} +.im-icon-DisplayMode:before { + content: "\e970"; +} +.im-icon-Edit:before { + content: "\e91b"; +} +.im-icon-Edu:before { + content: "\e974"; +} +.im-icon-Hamburger:before { + content: "\e966"; +} +.im-icon-HamburgerBold:before { + content: "\e967"; +} +.im-icon-Hidden:before { + content: "\e91c"; +} +.im-icon-Layout:before { + content: "\e943"; +} +.im-icon-Left:before { + content: "\e91d"; +} +.im-icon-Line:before { + content: "\e975"; +} +.im-icon-LineMode:before { + content: "\e94c"; +} +.im-icon-New:before { + content: "\e91e"; +} +.im-icon-Note:before { + content: "\e948"; +} +.im-icon-Open:before { + content: "\e91f"; +} +.im-icon-Paste:before { + content: "\e944"; +} +.im-icon-Projects:before { + content: "\e94d"; +} +.im-icon-Query:before { + content: "\e931"; +} +.im-icon-Redo:before { + content: "\e945"; +} +.im-icon-Relation:before { + content: "\e920"; +} +.im-icon-RelationDashed:before { + content: "\e94e"; +} +.im-icon-Right:before { + content: "\e921"; +} +.im-icon-Save:before { + content: "\e922"; +} +.im-icon-Script:before { + content: "\e946"; +} +.im-icon-ShowChildren:before { + content: "\e923"; +} +.im-icon-ShowData:before { + content: "\e924"; +} +.im-icon-ShowDescription:before { + content: "\e925"; +} +.im-icon-ShowMetadata:before { + content: "\e926"; +} +.im-icon-ShowParents:before { + content: "\e927"; +} +.im-icon-Table:before { + content: 
"\e928"; +} +.im-icon-TextNote:before { + content: "\e986"; +} +.im-icon-Top:before { + content: "\e936"; +} +.im-icon-TopDiagram:before { + content: "\e937"; +} +.im-icon-Trash:before { + content: "\e929"; +} +.im-icon-Type:before { + content: "\e949"; +} +.im-icon-Undo:before { + content: "\e947"; +} +.im-icon-User:before { + content: "\e92f"; +} +.im-icon-Visibility:before { + content: "\e92a"; +} +.im-icon-export:before { + content: "\e971"; +} +.im-icon-Add16:before { + content: "\e97b"; +} +.im-icon-AddToDiagram:before { + content: "\e989"; +} +.im-icon-AlignBottom16:before { + content: "\e968"; +} +.im-icon-AlignHorizontalCenter16:before { + content: "\e969"; +} +.im-icon-AlignLeft16:before { + content: "\e96a"; +} +.im-icon-AlignRight16:before { + content: "\e96b"; +} +.im-icon-AlignTop16:before { + content: "\e96c"; +} +.im-icon-AlignVerticalCenter16:before { + content: "\e96d"; +} +.im-icon-ArrowDown16:before { + content: "\e900"; +} +.im-icon-ArrowLeft16:before { + content: "\e93d"; +} +.im-icon-ArrowRight16:before { + content: "\e93e"; +} +.im-icon-ArrowUp16:before { + content: "\e901"; +} +.im-icon-Bottom16:before { + content: "\e932"; +} +.im-icon-CheckBox:before { + content: "\e92c"; +} +.im-icon-CheckBoxChecked:before { + content: "\e92d"; +} +.im-icon-Cloud16:before { + content: "\e94f"; +} +.im-icon-Collapse16:before { + content: "\e902"; +} +.im-icon-CollapseCircle16:before { + content: "\e903"; +} +.im-icon-Comment16:before { + content: "\e973"; +} +.im-icon-Compare:before { + content: "\e977"; +} +.im-icon-Configuration16:before { + content: "\e93f"; +} +.im-icon-Convert:before { + content: "\e978"; +} +.im-icon-Cross16:before { + content: "\e904"; +} +.im-icon-CrossCircle16:before { + content: "\e905"; +} +.im-icon-Daten:before { + content: "\e950"; +} +.im-icon-Diff:before { + content: "\e979"; +} +.im-icon-DotsHorizontal16:before { + content: "\e906"; +} +.im-icon-DotsVerticall16:before { + content: "\e907"; +} 
+.im-icon-DotsVerticallDouble16:before { + content: "\e95e"; +} +.im-icon-Download16:before { + content: "\e951"; +} +.im-icon-Edit16:before { + content: "\e908"; +} +.im-icon-Equal:before { + content: "\e97a"; +} +.im-icon-Error16:before { + content: "\e952"; +} +.im-icon-ErrorCircleFill16:before { + content: "\e953"; +} +.im-icon-ErrorFill16:before { + content: "\e954"; +} +.im-icon-Expand16:before { + content: "\e909"; +} +.im-icon-ExpandCircle16:before { + content: "\e90a"; +} +.im-icon-FullCircle:before { + content: "\e93a"; +} +.im-icon-Hidden16:before { + content: "\e90b"; +} +.im-icon-Info16:before { + content: "\e955"; +} +.im-icon-InfoFill16:before { + content: "\e956"; +} +.im-icon-Insecure:before { + content: "\e98b"; +} +.im-icon-Interface:before { + content: "\e987"; +} +.im-icon-Left16:before { + content: "\e90c"; +} +.im-icon-Line16:before { + content: "\e976"; +} +.im-icon-Linked:before { + content: "\e988"; +} +.im-icon-LockResize:before { + content: "\e98a"; +} +.im-icon-Mail16:before { + content: "\e957"; +} +.im-icon-Merge:before { + content: "\e97c"; +} +.im-icon-Meteor:before { + content: "\e958"; +} +.im-icon-MinusCircle16:before { + content: "\e933"; +} +.im-icon-Moon:before { + content: "\e959"; +} +.im-icon-Move16:before { + content: "\e95f"; +} +.im-icon-New16:before { + content: "\e90d"; +} +.im-icon-No:before { + content: "\e97d"; +} +.im-icon-NotInDiagram:before { + content: "\e98e"; +} +.im-icon-Note16:before { + content: "\e94a"; +} +.im-icon-Open16:before { + content: "\e90e"; +} +.im-icon-Perseid:before { + content: "\e98f"; +} +.im-icon-PlusCircle16:before { + content: "\e934"; +} +.im-icon-Problem16:before { + content: "\e95a"; +} +.im-icon-ProblemFill16:before { + content: "\e95b"; +} +.im-icon-Query16:before { + content: "\e935"; +} +.im-icon-Relation16:before { + content: "\e90f"; +} +.im-icon-RemoveFromDiagram:before { + content: "\e990"; +} +.im-icon-Reset:before { + content: "\e991"; +} +.im-icon-ResetName:before { + 
content: "\e992"; +} +.im-icon-ResizeBottomRight16:before { + content: "\e940"; +} +.im-icon-Right16:before { + content: "\e910"; +} +.im-icon-SameHeight16:before { + content: "\e96e"; +} +.im-icon-SameWidth16:before { + content: "\e96f"; +} +.im-icon-Save16:before { + content: "\e911"; +} +.im-icon-Search16:before { + content: "\e92b"; +} +.im-icon-Secure:before { + content: "\e993"; +} +.im-icon-ShowChildren16:before { + content: "\e912"; +} +.im-icon-ShowData16:before { + content: "\e913"; +} +.im-icon-ShowDescription16:before { + content: "\e914"; +} +.im-icon-ShowMetadata16:before { + content: "\e915"; +} +.im-icon-ShowParents16:before { + content: "\e916"; +} +.im-icon-Table16:before { + content: "\e917"; +} +.im-icon-Top16:before { + content: "\e938"; +} +.im-icon-TopDiagram16:before { + content: "\e939"; +} +.im-icon-Trash16:before { + content: "\e918"; +} +.im-icon-Type16:before { + content: "\e94b"; +} +.im-icon-Union:before { + content: "\e994"; +} +.im-icon-Update:before { + content: "\e97e"; +} +.im-icon-UpdateCloud:before { + content: "\e97f"; +} +.im-icon-UpdateDatabase:before { + content: "\e980"; +} +.im-icon-UpdateFromCloud:before { + content: "\e981"; +} +.im-icon-UpdateFromDatabase:before { + content: "\e982"; +} +.im-icon-UpdateFromSource:before { + content: "\e983"; +} +.im-icon-UpdateSource:before { + content: "\e984"; +} +.im-icon-Visibility16:before { + content: "\e919"; +} +.im-icon-Warning16:before { + content: "\e95c"; +} +.im-icon-WarningFill16:before { + content: "\e95d"; +} +.im-icon-Yes:before { + content: "\e985"; +} +.im-icon-ZoomFit:before { + content: "\e995"; +} + + +/* overwrites */ + +.im-icon-DotsHorizontal16, .im-icon-DotsVertical16 { + display: none; +} diff --git a/scripts/database/web/index.html b/scripts/database/web/index.html new file mode 100644 index 000000000..1f0c2830d --- /dev/null +++ b/scripts/database/web/index.html 
@@ -0,0 +1,3259 @@ + + + + + + + + + + + + + + + + Report for MITRE SAF Security Benchmarks made in Luna Modeler + + + + + +
+
+
+
+ + +
+
+
+
+ +
+
+
+
+
+ + +
+
+
+
+
+
Benchmarks
+
+
+
+
+
+
Key
+
benchmark_id    
+
INTEGER
+
NN
+
+
+
+
+
version    
+
SMALLINT
+
NN
+
+
+
+
+
release    
+
SMALLINT
+
NN
+
+
+
+
+
release_date    
+
DATE
+
NN
+
+
+
+
Key
+
type_id    
+
INTEGER
+
NN
+
+
+
+
Key
+
author_id    
+
INTEGER
+
NN
+
+
+
+
Key
+
sponsor_id    
+
INTEGER
+
+
+
+
+
Key
+
status_id    
+
INTEGER
+
NN
+
+
+
+
Key
+
Products_product_id    
+
INT
+
NN
+
+
+
+
+
+
Key
+
unique_product_version_release_owner
+
+
+
+
+
A collection of Security Benchmarks that are publied by + Autors
+
+
+
+
+
+
+
+
+
+
benchmark_type
+
+
+
+
+
+
Key
+
benchmark_type_id    
+
INTEGER
+
NN
+
+
+
+
+
long_name    
+
VARCHAR
+
NN
+
+
+
+
+
short_name    
+
VARCHAR
+
NN
+
+
+
+
+
description    
+
TEXT
+
NN
+
+
+
+
+
+
Key
+
unique_bt_long_name
+
+
+
Key
+
unique_bt_short_name
+
+
+
+
+
Describes the kind of benchmark to include: + - Security Technical Implementation Gudie (stig) + - Security Requirements Guide (srg) + - Center for Internet Security Benchmark (cis) + - Vendor Guidance (vendor)
+
+
+
+
+
+
+
+
+
+
Organization
+
+
+
+
+
+
Key
+
organization_id    
+
INTEGER
+
NN
+
+
+
+
+
long_name    
+
VARCHAR
+
NN
+
+
+
+
+
short_name    
+
VARCHAR
+
NN
+
+
+
+
+
uri    
+
VARCHAR
+
+
+
+
+
+
email    
+
VARCHAR
+
+
+
+
+
+
+
Key
+
unique_org_short_and_long_name
+
+
+
+
+
List of organizations or gorups that author or manage + security guidance
+
+
+
+
+
+
+
+
+
+
Artifact
+
+
+
+
+
+
Key
+
artifact_id    
+
INTEGER
+
NN
+
+
+
+
Key
+
type_id    
+
INTEGER
+
NN
+
+
+
+
Key
+
owner_id    
+
INTEGER
+
NN
+
+
+
+
+
name    
+
VARCHAR
+
NN
+
+
+
+
+
location    
+
VARCHAR
+
NN
+
+
+
+
+
secondary_location    
+
VARCHAR
+
+
+
+
+
+
created_at    
+
DATE
+
NN
+
+
+
+
+
raw_data    
+
BLOB
+
+
+
+
+
+
+
Collection of file artifacts related to the Benchmark, + their data and where they are stored.
+
+
+
+
+
+
+
+
+
+
benchmark_artifacts
+
+
+
+
+
+
Key
+
benchmark_id    
+
INTEGER
+
NN
+
+
+
+
Key
+
artifact_id    
+
INTEGER
+
NN
+
+
+
+
+
is_default    
+
INT2
+
+
+
+
+
+
+
Key
+
unique_benchmark_artificat_default
+
+
+
+
+
+
+
+
+
+
+
+
artifact_types
+
+
+
+
+
+
Key
+
artifact_type_id    
+
INTEGER
+
NN
+
+
+
+
+
type_name    
+
VARCHAR
+
NN
+
+
+
+
+
description    
+
TEXT
+
+
+
+
+
+
+
A Collection of kinds of Artifacts that vendors produce, + such as documents, security validation content, XCCDF Files, SCAP Files, inspec profiles, + ansible playbooks, chef recipies
+
+
+
+
+
+
+
+
+
+
Products
+
+
+
+
+
+
Key
+
product_id    
+
INTEGER
+
NN
+
+
+
+
+
long_name    
+
VARCHAR
+
NN
+
+
+
+
+
short_name    
+
VARCHAR
+
NN
+
+
+
+
+
version    
+
REAL
+
NN
+
+
+
+
+
release    
+
INT
+
NN
+
+
+
+
Key
+
owner_id    
+
INTEGER
+
NN
+
+
+
+
+
+
A collection of products and services that are tracked + via the Benchmarks. A product is owned by an Author and is organized at the version level by + autor.id. Sometimes vendors organize benchmarks only at the version level but sometimes they + can do it at the version + release level. + + For example, Author: 'RedHat', name: 'Enterprise Linux', version: '7', [optional] release: '4' +
+
+
+
+
+
+
+
+
+
+
Statuses
+
+
+
+
+
+
Key
+
status_id    
+
INTEGER
+
NN
+
+
+
+
+
name    
+
VARCHAR
+
NN
+
+
+
+
+
+
Key
+
unique_status_id_name
+
+
+
+
+
Collection of statuses that can applly to a Benckmark or + Artifact
+
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +  +  + + + + + + + + + + +  +  + + + + + + + + + +  +  + + + + + + + + + +  +  + + + + + + + + + +  +  + + + + + + + + + +  +  + + + + + + + + + +  +  + + + + + + + + + +  +  + + + + + + + + + +  +  + + + + + + + + + +  +  + + + + + + + +
+
+
+
+
+
+
Documentation for project MITRE SAF Security Benchmarks
+
+
MITRE SAF Security Benchmarks
+ +
+
Project
+
+
Name
+
MITRE SAF Security Benchmarks
+
+
+
+
Description
+
+
The Security Benchmarks databse is a collection of Government, Industry and Vendor + Security Guidance Benchmarks and their artiefacts.
+
+
+
+
Diagram
+
+
Name
+
MITRE SAF Security Guidance
+
+
+
+
Author
+
+
+
The Security Automation Frameowrk Team
The MITRE + Coroporation
https://saf.mitre.org
+
+
+
+
Report
+
+
Generated
+
12/17/2023 | 2:34:45 PM
+
+
+
+
+
+
tables
+
+
+
Name
+
Benchmarks
+
+
+
+
Description
+
+
A collection of Security Benchmarks that are publied by Autors
+
+
+
Columns
+
+
Name
+
Data type
+
Key
+
Not Null
+
+
+
+
benchmark_id
+
INTEGER
+
Yes
+
Yes
+
+
+
Autoincrement
+
Yes
+
+
Description
+
+
[autogenerated] Autogenerated primary key of the vendor published security + guidance document
+
+
+
+
+
+
version
+
SMALLINT
+
+
Yes
+
+
+
+
Description
+
+
The benchmark version number
+
+
+
+
+
+
release
+
SMALLINT
+
+
Yes
+
+
+
+
Description
+
+
The benchmark release number
+
+
+
+
+
+
release_date
+
DATE
+
+
Yes
+
+
+
+
Description
+
+
The date that the benchmark was published by the Autor
+
+
+
+
+
+
type_id
+
INTEGER
+
+
Yes
+
+
+
+
Description
+
+
[autoincrement] id of the benchmark type
+
+
+
+
+
+
author_id
+
INTEGER
+
+
Yes
+
+
+
Default value
+
0
+
+
Description
+
+
Integer id of the organization that authored the benchmark
+
+
+
+
+
+
sponsor_id
+
INTEGER
+
+
+
+
+
Default value
+
0
+
+
Description
+
+
Integer id of the organization that supported the development of the benchmark +
+
+
+
+
+
+
status_id
+
INTEGER
+
+
Yes
+
+
+
+
Description
+
+
[autogenerated] id of the status type
+
+
+
+
+
+
Products_product_id
+
INT
+
+
Yes
+
+
+
Autoincrement
+
Yes
+
+
Description
+
+
[autoincrement] The int id of the product
+
+
+
+
+
+
Indexes
+
unique_product_version_release_owner
+
+
Column name
+
version
+
+
+
+
+
Column name
+
release
+
+
+
+
+
Column name
+
author_id
+
+
+
+
+
Unique
+
Yes
+
+
+
+
Keys
+
Primary key
+
+
Column in Primary key
+
benchmark_id
+
+
+ +
+
+
+
Name
+
benchmark_type
+
+
+
+
Description
+
+
Describes the kind of benchmark to include: + - Security Technical Implementation Gudie (stig) + - Security Requirements Guide (srg) + - Center for Internet Security Benchmark (cis) + - Vendor Guidance (vendor)
+
+
+
Columns
+
+
Name
+
Data type
+
Key
+
Not Null
+
+
+
+
benchmark_type_id
+
INTEGER
+
Yes
+
Yes
+
+
+
Autoincrement
+
Yes
+
+
Description
+
+
[autoincrement] id of the benchmark type
+
+
+
+
+
+
long_name
+
VARCHAR
+
+
Yes
+
+
+
+
Description
+
+
The full name of the Benchmark type
+
+
+
+
+
+
short_name
+
VARCHAR
+
+
Yes
+
+
+
+
Description
+
+
The short name name of the benchmark type
+
+
+
+
+
+
description
+
TEXT
+
+
Yes
+
+
+
+
Description
+
+
The full text description of the guidane type
+
+
+
+
+
+
Indexes
+
unique_bt_long_name
+
+
Column name
+
long_name
+
+
+
+
+
Unique
+
Yes
+
+
unique_bt_short_name
+
+
Column name
+
short_name
+
+
+
+
+
Unique
+
Yes
+
+
+
+
Keys
+
Primary key
+
+
Column in Primary key
+
benchmark_type_id
+
+
+
+
Relations
+
+
Name
+
Source
+
Target
+
+
+
+ + + +
+
+
+
+
+
Name
+
Organization
+
+
+
+
Description
+
+
List of organizations or gorups that author or manage security guidance
+
+
+
Columns
+
+
Name
+
Data type
+
Key
+
Not Null
+
+
+
+
organization_id
+
INTEGER
+
Yes
+
Yes
+
+
+
Autoincrement
+
Yes
+
+
Description
+
+
Integer id of the author of the benchmark
+
+
+
+
+
+
long_name
+
VARCHAR
+
+
Yes
+
+
+
+
Description
+
+
The full text name of the author, vendor or agency.
+
+
+
+
+
+
short_name
+
VARCHAR
+
+
Yes
+
+
+
+
Description
+
+
The short text name of the author, vendor or agency
+
+
+
+
+
+
uri
+
VARCHAR
+
+
+
+
+
+
Description
+
+
The primary uri of the author, vendor or agency
+
+
+
+
+
+
email
+
VARCHAR
+
+
+
+
+
+
Description
+
+
[optional] The email of the autor
+
+
+
+
+
+
Indexes
+
unique_org_short_and_long_name
+
+
Column name
+
long_name
+
+
+
+
+
Column name
+
short_name
+
+
+
+
+
Unique
+
Yes
+
+
+
+
Keys
+
Primary key
+
+
Column in Primary key
+
organization_id
+
+
+
+
Relations
+ +
+
+
+
+
Name
+
Artifact
+
+
+
+
Description
+
+
Collection of file artifacts related to the Benchmark, their data and where they are + stored.
+
+
+
Columns
+
+
Name
+
Data type
+
Key
+
Not Null
+
+
+
+
artifact_id
+
INTEGER
+
Yes
+
Yes
+
+
+
Autoincrement
+
Yes
+
+
Description
+
+
[autogenerated] The id of the artifact.
+
+
+
+
+
+
type_id
+
INTEGER
+
+
Yes
+
+
+
+
owner_id
+
INTEGER
+
+
Yes
+
+
+
+
Description
+
+
Integer id of the creator or owner of the artifact
+
+
+
+
+
+
name
+
VARCHAR
+
+
Yes
+
+
+
+
Description
+
+
Filename that the artifact is stored as on the target location
+
+
+
+
+
+
location
+
VARCHAR
+
+
Yes
+
+
+
+
Description
+
+
The URI path of the artifact
+
+
+
+
+
+
secondary_location
+
VARCHAR
+
+
+
+
+
+
Description
+
+
[optional] A file path, uri or other location you can find the reference besides + the default location.
+
+
+
+
+
+
created_at
+
DATE
+
+
Yes
+
+
+
+
raw_data
+
BLOB
+
+
+
+
+
+
Description
+
+
[optional] The raw data of the Artifact
+
+
+
+
+
+
Keys
+
Primary key
+
+
Column in Primary key
+
artifact_id
+
+
+
+
Relations
+ +
+
+
+
+
Name
+
benchmark_artifacts
+
+
+
Columns
+
+
Name
+
Data type
+
Key
+
Not Null
+
+
+
+
benchmark_id
+
INTEGER
+
Yes
+
Yes
+
+
+
+
Description
+
+
[autogenerated] Autogenerated primary key of the vendor published security + guidance document
+
+
+
+
+
+
artifact_id
+
INTEGER
+
Yes
+
Yes
+
+
+
+
Description
+
+
[autogenerated] The id of the artifact.
+
+
+
+
+
+
is_default
+
INT2
+
+
+
+
+
Default value
+
0
+
+
Description
+
+
[optional] Boolean like indicator of if this artifact is the 'primary artifact' + for the Benchmark it belongs to.
+
+
+
+
+
+
Indexes
+
unique_benchmark_artificat_default
+
+
Column name
+
benchmark_id
+
+
+
+
+
Column name
+
artifact_id
+
+
+
+
+
Column name
+
is_default
+
+
+
+
+
Unique
+
Yes
+
+
Description
+
+
Allows only one artifact to be the default artifact related to a benchmark.
+
+
+
+
Keys
+
Primary key
+
+
Column in Primary key
+
benchmark_id
+
Column in Primary key
+
artifact_id
+
+
+
+
Relations
+ +
+
+
+
+
Name
+
artifact_types
+
+
+
+
Description
+
+
A Collection of kinds of Artifacts that vendors produce, such as documents, security + validation content, XCCDF Files, SCAP Files, inspec profiles, ansible playbooks, chef recipies
+
+
+
Columns
+
+
Name
+
Data type
+
Key
+
Not Null
+
+
+
+
artifact_type_id
+
INTEGER
+
Yes
+
Yes
+
+
+
Autoincrement
+
Yes
+
+
Description
+
+
[autoincrement] The int id of the artifact kind
+
+
+
+
+
+
type_name
+
VARCHAR
+
+
Yes
+
+
+
+
Description
+
+
The simple name of the artifact
+
+
+
+
+
+
description
+
TEXT
+
+
+
+
+
+
Keys
+
Primary key
+
+
Column in Primary key
+
artifact_type_id
+
+
+
+
Relations
+
+
Name
+
Source
+
Target
+
+
+
+ + + +
+
+
+
+
+
Name
+
Products
+
+
+
+
Description
+
+
A collection of products and services that are tracked via the Benchmarks. A product + is owned by an Author and is organized at the version level by autor.id. Sometimes vendors organize + benchmarks only at the version level but sometimes they can do it at the version + release level. + + For example, Author: 'RedHat', name: 'Enterprise Linux', version: '7', [optional] release: '4'
+
+
+
Columns
+
+
Name
+
Data type
+
Key
+
Not Null
+
+
+
+
product_id
+
INTEGER
+
Yes
+
Yes
+
+
+
Autoincrement
+
Yes
+
+
Description
+
+
[autoincrement] The int id of the product
+
+
+
+
+
+
long_name
+
VARCHAR
+
+
Yes
+
+
+
+
Description
+
+
The long name of the product, many products have longer formal name, such as: + VMware Identity Manager 3.3.x DoD STIG Compliance and Automation or VMware Cloud Foundation 5.x. - + if there is no difference it is expected 'short_name' and 'full_name' wil be the same.
+
+
+
+
+
+
short_name
+
VARCHAR
+
+
Yes
+
+
+
+
Description
+
+
The common name of the product or service - sometimes called the 'short name' - + for example: + RHEL for Red Hat Enterprise Linux + VIDM for VMware Identity Manager + vSphere for VMware vSphere +
+
+
+
+
+
+
version
+
REAL
+
+
Yes
+
+
+
+
Description
+
+
The version of the project
+
+
+
+
+
+
release
+
INT
+
+
Yes
+
+
+
+
owner_id
+
INTEGER
+
+
Yes
+
+
+
+
Description
+
+
Integer id of the organization that ownes or manages the product
+
+
+
+
+
+
Keys
+
Primary key
+
+
Column in Primary key
+
product_id
+
+
+
+
Relations
+
+
Name
+
Source
+
Target
+
+
+
+ + + +
+
+
+ + + +
+
+
+
+
+
Name
+
Statuses
+
+
+
+
Description
+
+
Collection of statuses that can applly to a Benckmark or Artifact
+
+
+
Columns
+
+
Name
+
Data type
+
Key
+
Not Null
+
+
+
+
status_id
+
INTEGER
+
Yes
+
Yes
+
+
+
Autoincrement
+
Yes
+
+
Description
+
+
[autogenerated] id of the status type
+
+
+
+
+
+
name
+
VARCHAR
+
+
Yes
+
+
+
+
Description
+
+
Text based name for the status
+
+
+
+
+
+
Indexes
+
unique_status_id_name
+
+
Column name
+
status_id
+
+
+
+
+
Column name
+
name
+
+
+
+
+
Unique
+
Yes
+
+
Description
+
+
Ensures that the tuple (status_id, name) is unique in the table, so we can only have + one status name called 'abc'
+
+
+
+
Keys
+
Primary key
+
+
Column in Primary key
+
status_id
+
+
+
+
Relations
+
+
Name
+
Source
+
Target
+
+
+
+ + + +
+
+
+
+
+ +
+
relationships
+
+
+
Name
+
artifact_has_a_type
+
+
+
+
Name
+
Source
+
Target
+
+
+
+ + + +
Cardinality type:
+
One to
+
many
+
Ordinality:
+
Mandatory
+
Mandatory
+
+
+
+
Key and columns
+
+
Key name
+
Column in artifact_types
+
Column in Artifact
+
Primary key
+
artifact_type_id
+
type_id
+
+
+
+
Properties
+
+
Rerefential integrity - parent delete
+
Restrict
+
Referential integrity - parent update
+
Cascade
+
+
+
+
+
+
Name
+
product_has_a_owner
+
+
+
+
Name
+
Source
+
Target
+
+
+
+ + + +
Cardinality type:
+
One to
+
many
+
Ordinality:
+
Mandatory
+
Optional
+
+
+
+
Key and columns
+
+
Key name
+
Column in Organization
+
Column in Products
+
Primary key
+
organization_id
+
owner_id
+
+
+
+
Properties
+
+
Rerefential integrity - parent delete
+
Restrict
+
Referential integrity - parent update
+
Cascade
+
+
+
+
+
+
Name
+
benchmark_has_a_type
+
+
+
+
Name
+
Source
+
Target
+
+
+
+ + + +
Cardinality type:
+
One to
+
many
+
Ordinality:
+
Mandatory
+
Mandatory
+
+
+
+
Key and columns
+
+
Key name
+
Column in benchmark_type
+
Column in Benchmarks
+
Primary key
+
benchmark_type_id
+
type_id
+
+
+
+
Properties
+
+
Rerefential integrity - parent delete
+
Restrict
+
Referential integrity - parent update
+
Cascade
+
+
+
+
+
+
Name
+
benchmark_has_a_product
+
+
+
+
Name
+
Source
+
Target
+
+
+
+ + + +
Cardinality type:
+
One to
+
one
+
Ordinality:
+
Mandatory
+
Mandatory
+
+
+
+
Key and columns
+
+
Key name
+
Column in Products
+
Column in Benchmarks
+
Primary key
+
product_id
+
Products_product_id
+
+
+
+
Properties
+
+
Rerefential integrity - parent delete
+
Restrict
+
Referential integrity - parent update
+
Cascade
+
+
+
+
+
+
Name
+
benchmark_has_an_author
+
+
+
+
Name
+
Source
+
Target
+
+
+
+ + + +
Cardinality type:
+
One to
+
many
+
Ordinality:
+
Mandatory
+
Mandatory
+
+
+
+
Key and columns
+
+
Key name
+
Column in Organization
+
Column in Benchmarks
+
Primary key
+
organization_id
+
author_id
+
+
+
+
Properties
+
+
Rerefential integrity - parent delete
+
Restrict
+
Referential integrity - parent update
+
Cascade
+
+
+
+
+
+
Name
+
benmark_has_a_sponsor
+
+
+
+
Name
+
Source
+
Target
+
+
+
+ + + +
Cardinality type:
+
One to
+
many
+
Ordinality:
+
Optional
+
Optional
+
+
+
+
Key and columns
+
+
Key name
+
Column in Organization
+
Column in Benchmarks
+
Primary key
+
organization_id
+
sponsor_id
+
+
+
+
Properties
+
+
Rerefential integrity - parent delete
+
Restrict
+
Referential integrity - parent update
+
Cascade
+
+
+
+
+
+
Name
+
benchmark_has_an_artifact
+
+
+
+
Name
+
Source
+
Target
+
+
+
+ + + +
Cardinality type:
+
One to
+
many
+
Ordinality:
+
Mandatory
+
Mandatory
+
+
+
+
Key and columns
+
+
Key name
+
Column in Benchmarks
+
Column in benchmark_artifacts
+
Primary key
+
benchmark_id
+
benchmark_id
+
+
+
+
Properties
+
+
Rerefential integrity - parent delete
+
Cascade
+
Referential integrity - parent update
+
Cascade
+
+
+
+
+
+
Name
+
artifact_belongs_to_benchmark
+
+
+
+
Name
+
Source
+
Target
+
+
+
+ + + +
Cardinality type:
+
One to
+
many
+
Ordinality:
+
Mandatory
+
Mandatory
+
+
+
+
Key and columns
+
+
Key name
+
Column in Artifact
+
Column in benchmark_artifacts
+
Primary key
+
artifact_id
+
artifact_id
+
+
+
+
Properties
+
+
Rerefential integrity - parent delete
+
Cascade
+
Referential integrity - parent update
+
Cascade
+
+
+
+
+
+
Name
+
artifact_has_a_owner
+
+
+
+
Name
+
Source
+
Target
+
+
+
+ + + +
Cardinality type:
+
One to
+
many
+
Ordinality:
+
Mandatory
+
Mandatory
+
+
+
+
Key and columns
+
+
Key name
+
Column in Organization
+
Column in Artifact
+
Primary key
+
organization_id
+
owner_id
+
+
+
+
Properties
+
+
Rerefential integrity - parent delete
+
Restrict
+
Referential integrity - parent update
+
Cascade
+
+
+
+
+
+
Name
+
benchmark_has_a_status
+
+
+
+
Name
+
Source
+
Target
+
+
+
+ + + +
Cardinality type:
+
One to
+
many
+
Ordinality:
+
Mandatory
+
Mandatory
+
+
+
+
Key and columns
+
+
Key name
+
Column in Statuses
+
Column in Benchmarks
+
Primary key
+
status_id
+
status_id
+
+
+
+
Properties
+
+
Rerefential integrity - parent delete
+
Restrict
+
Referential integrity - parent update
+
Cascade
+
+
+
+
+
+
+
+
+
+ +
+
+ + + +
+
+ + + + \ No newline at end of file diff --git a/scripts/database/web/lists.css b/scripts/database/web/lists.css new file mode 100644 index 000000000..f1a54441b --- /dev/null +++ b/scripts/database/web/lists.css @@ -0,0 +1,94 @@ +.im-list { + list-style-type: none; + padding: 0; + margin: 0; + padding-bottom: 0; +} + +.im-list-item:hover { + background: #2196f3; + /*color: #fff;*/ + background: rgba(0, 0, 0, 0.02); +} + +.im-list-item > div { + /*background: rgba(255, 255, 255, 0.2);*/ + padding: 3px 10px 3px 10px; + font-size: 13px; + text-decoration: none; + display: block; + color: #eee; + border-bottom: 1px solid transparent; + /*transition: color 0.3s;*/ + margin-right: auto; + flex: 1; + overflow: hidden; + /*transition: background-color 0.4s;*/ + cursor: pointer; + border-radius: 2px; +} + + + +.im-list-item-nochk a { + padding: 3px 10px 3px 26px; +} + +.im-list-item:hover { + background: #2196f3; + color: #fff; +} + +.im-list-item i { + color: #ccc; +} + +.im-list-item:hover, +.im-list-item:hover a, +.im-list-item:hover div, +.im-list-item:hover i { + background: #111; + color: #fff; + /*color: #fff;*/ +} + +li.sel-item, +.sel-item-list-multi { + color: black; + background: #333; + color: #fff; +} + +li.sel-item a, +li.sel-item-list-multi a, +li.sel-item div i, +li.sel-item-list-multi div i { + color: #fff; +} + +.im-rel { + display: flex; + flex-direction: row; + flex-grow: 1; + margin: 0 2px; + border-radius: 2px; +} + +.im-list-btn-chk { + width: 12px; + display: block; + cursor: pointer; + align-self: center; +} + +.im-list-btn { + width: 22px; + display: block; + padding: 0 5px 0 0px; + cursor: pointer; + align-self: center; +} + +.im-list-btn i { + color: #ccc; +} \ No newline at end of file diff --git a/scripts/database/web/modals.css b/scripts/database/web/modals.css new file mode 100644 index 000000000..6f65ede3d --- /dev/null +++ b/scripts/database/web/modals.css 
@@ -0,0 +1,208 @@ +.modal-wrapper { + position: absolute; + top: 0; + left: 0; + display: block; + height: 100vh; + width: 100vw; + z-index: 999; + overflow: auto; + animation: toDark 1s forwards; +} + +.modal { + position: absolute; + top: 50px; + margin: auto; + left: 20vw; + right: 20vw; + width: 60vw; + background: #444; + z-index: 999; + box-shadow: 0 0 15px 0 #000; + /*animation: fromRight 0.5s;*/ + resize: both; + overflow: hidden; + display: grid; + grid-template-rows: 52px 1fr 56px; + min-width: 950px; + border-radius: 5px; + user-select: none; + max-height: 80vh; + min-height: 500px; +} + +.modal-confirm { + top: 20vh; + left: 25vw; + right: 25vw; + width: 50vw; + min-height: 250px; + min-width: 620px; + max-height: 800px; + border-radius: 5px; +} + +.modal-header { + height: 28px; + padding: 14px 20px 10px 20px; + font-size: 20px; + border-bottom: 0; + background: #222; + user-select: none; + z-index: 3; + color: #eee; + text-align: center; +} + +.modal-header::after { + content: " "; + display: block; + height: 1px; + margin-top: 11px; + position: relative; + left: 0; + background: linear-gradient(90deg, rgba(255, 255, 255, 0), rgba(255, 255, 255, 0), #4caf50, palevioletred, red, orange, #2196f3, rgba(255, 255, 255, 0), rgba(255, 255, 255, 0)); + width: 100%; +} + +.modal-content { + /*padding: 5px 20px 20px 20px;*/ + min-height: 100px; + color: #eee; + overflow: auto; + max-height: 500px; +} + +.modal-content-notabs { + font-size: 12px; +} + +.modal-content-confirm { + min-height: 0px; + background: #444; + color: #eee; + padding: 30px; + padding-bottom: 40px; + font-size: 13px; + overflow: auto; +} + +.modal-footer { + border-top: 0; + padding: 12px 14px 8px 14px; + text-align: right; + font-size: 14px; + color: #eee; + background: #222; +} + +.modal .im-tabs-tablist { + padding-left: 2px; +} + +.modal-content .newColForm { + margin: 2px; + border-radius: 2px; + border: 0px solid #fff; + background: #393939; +} + +.modal-content .im-cat-header { + 
border: 1px solid rgba(255, 255, 255, 0.1); +} + +.modal-content .im-tabs-area { + padding-top: 20px; + padding: 20px; +} + +.modal-toolbar { + position: fixed; + position: absolute; + right: 85px; + padding: 0; + background: transparent; + z-index: 100; + text-align: right; + max-width: 450px; + bottom: 13px; + display: flex; +} + +.modal-toolbar button { + display: flex; + flex-direction: row; + margin-left: auto; + margin-right: 12px; +} + +.modal-toolbar i { + color: #fff; + margin-right: 5px; +} + +.im-feedback-title { + font-size: 18px; +} + +.im-feedback-subtitle { + font-size: 14px; +} + +.im-feedback-grid { + display: grid; + grid-template-columns: 180px 1fr; + grid-row-gap: 3px; + grid-column-gap: 3px; + justify-content: stretch; + justify-items: stretch; + padding-bottom: 3px; +} + +.im-feedback-content textarea { + min-height: 180px !important; +} + +.im-items-selection, +.im-items-selection-header { + display: grid; + grid-template-columns: 20px 3fr 1fr 1fr; + column-gap: 5px; + row-gap: 0; + margin-bottom: 0; + margin-left: 30px; + margin-right: 40px; + padding: 3px 10px; + font-size: 13px; + border-radius: 2px; +} + +.im-items-selection:hover { + background: #222; + color: #fff; + cursor: pointer; +} + +.im-items-selection div { + padding-top: 1px; +} + +.im-diagram-items-modal { + position: sticky; + top: 0px; + background: #444; + box-shadow: 0 0 8px -4px #000; + padding-top: 4px; + padding-bottom: 4px; + z-index: 2; + margin-bottom: 8px; +} + +.im-diagram-items-modal .im-search-bar { + margin: 0px 50px 8px 50px; + position: absolute; + top: -50px; + right: 50px; + z-index: 999100; +} \ No newline at end of file diff --git a/scripts/database/web/not-dark.svg b/scripts/database/web/not-dark.svg new file mode 100644 index 000000000..1e53de679 --- /dev/null +++ b/scripts/database/web/not-dark.svg @@ -0,0 +1,37 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 
diff --git a/scripts/database/web/not-light.svg b/scripts/database/web/not-light.svg new file mode 100644 index 000000000..0fe1f12ba --- /dev/null +++ b/scripts/database/web/not-light.svg @@ -0,0 +1,31 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/scripts/database/web/oneOf-dark.svg b/scripts/database/web/oneOf-dark.svg new file mode 100644 index 000000000..13ad7ee07 --- /dev/null +++ b/scripts/database/web/oneOf-dark.svg @@ -0,0 +1,38 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/scripts/database/web/oneOf-light.svg b/scripts/database/web/oneOf-light.svg new file mode 100644 index 000000000..d96c4ff27 --- /dev/null +++ b/scripts/database/web/oneOf-light.svg @@ -0,0 +1,35 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/scripts/database/web/scrollbars.css b/scripts/database/web/scrollbars.css new file mode 100644 index 000000000..9d8c1c4c4 --- /dev/null +++ b/scripts/database/web/scrollbars.css @@ -0,0 +1,29 @@ +div::-webkit-scrollbar, +textarea::-webkit-scrollbar { + width: 10px; + height: 10px; + margin-left: 5px; +} + +div::-webkit-scrollbar-thumb, +textarea::-webkit-scrollbar-thumb { + background: #2d2d2d; + border-radius: 0px; +} + +div::-webkit-scrollbar-track, +textarea::-webkit-scrollbar-track { + background: #585858; + border-radius: 0px; +} + +div::-webkit-scrollbar-corner, +textarea::-webkit-scrollbar-corner { + background: #585858; +} + +div, +textarea { + scrollbar-color: #202020 #585858; + /*scrollbar-width: thin;*/ +} \ No newline at end of file diff --git a/scripts/database/web/searchbar.css b/scripts/database/web/searchbar.css new file mode 100644 index 000000000..55c99fcc5 --- /dev/null +++ b/scripts/database/web/searchbar.css 
@@ -0,0 +1,66 @@ +input { +border-radius: 2px; +padding: 0 2px; +font-family: "Open Sans"; +background: #646464; +color: #fff; +min-width: 40px; +width: auto; +} + +.im-search-bar { + height: 20px; + display: grid; + grid-template-columns: 10px 1fr 24px 10px; + grid-template-rows: 1fr; + align-content: center; + align-items: center; + padding-top: 2px; + padding-bottom: 2px; + border-radius: 100px; + border: 0px solid #646464; + margin: 7px 7px; + background: #646464; +} + +.im-search-fixed-width { + max-width: 500px; + position: absolute; + margin-left: auto; + margin-right: auto; + left: 0; + right: 0; + text-align: center; + top: 10px; + z-index: 100; +} + +.im-search-bar input, +.im-search-bar input:focus, +.im-search-bar input:hover { + display: inline-block; + border: 0px; +} + +.im-search-bar input { + width: auto; + min-width: 40px; +} + +.im-search-bar input::placeholder { + color: #000; + font-style: italic; +} + +.im-search-bar .im-search-button { + align-self: center; + justify-self: right; + width: 24px; + text-align: right; + cursor: pointer; + padding-top: 4px; +} + +.im-search-fixed-width > .im-search-button { + padding-top: 0; +} diff --git a/scripts/database/web/style.css b/scripts/database/web/style.css new file mode 100644 index 000000000..72af80379 --- /dev/null +++ b/scripts/database/web/style.css 
@@ -0,0 +1,1827 @@ +@font-face { + font-family: "Open Sans"; + font-style: normal; + font-weight: 400; + src: url("./assets/open-sans-v17-latin-ext_latin-regular.eot"); /* IE9 Compat Modes */ + src: local("Open Sans Regular"), local("OpenSans-Regular"), + url("./assets/open-sans-v17-latin-ext_latin-regular.eot?#iefix") + format("embedded-opentype"), + /* IE6-IE8 */ url("./assets/open-sans-v17-latin-ext_latin-regular.woff2") + format("woff2"), + /* Super Modern Browsers */ + url("./assets/open-sans-v17-latin-ext_latin-regular.woff") + format("woff"), + /* Modern Browsers */ + url("./assets/open-sans-v17-latin-ext_latin-regular.ttf") + format("truetype"), + /* Safari, Android, iOS */ + url("./assets/open-sans-v17-latin-ext_latin-regular.svg#OpenSans") + format("svg"); /* Legacy iOS */ +} + +/* open-sans-600 - latin-ext_latin */ +@font-face { + font-family: "Open Sans"; + font-style: normal; + font-weight: 600; + src: url("./assets/open-sans-v17-latin-ext_latin-600.eot"); /* IE9 Compat Modes */ + src: local("Open Sans SemiBold"), local("OpenSans-SemiBold"), + url("./assets/open-sans-v17-latin-ext_latin-600.eot?#iefix") + format("embedded-opentype"), + /* IE6-IE8 */ url("./assets/open-sans-v17-latin-ext_latin-600.woff2") + format("woff2"), + /* Super Modern Browsers */ + url("./assets/open-sans-v17-latin-ext_latin-600.woff") format("woff"), + /* Modern Browsers */ + url("./assets/open-sans-v17-latin-ext_latin-600.ttf") + format("truetype"), + /* Safari, Android, iOS */ + url("./assets/open-sans-v17-latin-ext_latin-600.svg#OpenSans") + format("svg"); /* Legacy iOS */ +} + +/* open-sans-700 - latin-ext_latin */ +@font-face { + font-family: "Open Sans"; + font-style: normal; + font-weight: 700; + src: url("./assets/open-sans-v17-latin-ext_latin-700.eot"); /* IE9 Compat Modes */ + src: local("Open Sans Bold"), local("OpenSans-Bold"), + url("./assets/open-sans-v17-latin-ext_latin-700.eot?#iefix") + format("embedded-opentype"), + /* IE6-IE8 */ 
url("./assets/open-sans-v17-latin-ext_latin-700.woff2") + format("woff2"), + /* Super Modern Browsers */ + url("./assets/open-sans-v17-latin-ext_latin-700.woff") format("woff"), + /* Modern Browsers */ + url("./assets/open-sans-v17-latin-ext_latin-700.ttf") + format("truetype"), + /* Safari, Android, iOS */ + url("./assets/open-sans-v17-latin-ext_latin-700.svg#OpenSans") + format("svg"); /* Legacy iOS */ +} + +html, body { + margin: 0; + overflow: hidden; +} + +html, +body, +#root, +.app-layout, +.aside-left, +.aside-right, +.diagram { + height: 100%; + width: 100%; +} + +.diagram { + overflow: auto; + background: #333; +} + +.main-area { + height: 100%; + width: 100%; +} + +html, +body, +div, +p, +span, +a, +td, +ul, +li { + font-family: "Open Sans", "Exo"; +} + + +h1, +h2, +h3, +h4, +h5, +h6 { + padding: 4px 0; + margin: 0; + font-family: "Open Sans", "Exo"; + font-weight: 400; +} + +h1 strong, +h1 b, +h2 strong, +h2 b, +h3 strong, +h3 b, +h4 strong, +h4 b, +h5 strong, +h5 b, +h6 strong, +h6 b { + font-weight: 700; +} + +p { + padding: 1px 0; + font-size: 12px; +} + +.diagram { + position: relative; +} + +.t { + position: relative; + border-radius: 3px; + box-shadow: 4px 4px 8px -8px black; + border: 1px solid rgba(0, 0, 0, 0.3); + z-index: 10 !important; + margin: 1px; + display: flex; + flex-direction: column; + min-height: 44px; + min-width: 150px; + min-width: fit-content; +} + +path { + z-index: 10 !important; +} + +.t-max-content { + min-width: max-content; +} + +.t-fixed-min { + min-width: 150px; +} + + +.drgbl:after { + content: ""; + display: inline-block; + opacity: 0; + height: 20px; + width: 1px; + position: absolute; + bottom: -20px; + left: 0; +} + +.im-n { + position: relative; + border-radius: 3px; + border: 1px solid transparent; + z-index: 5; + margin: 1px; + display: flex; + flex-direction: column; + min-height: 24px; + min-width: 50px; +} + +.im-n-sa { + position: absolute; + border-radius: 3px; + border: 1px solid transparent; + z-index: 1; + 
margin: 1px; + display: flex; + flex-direction: column; + min-width: 150px; + min-height: 50px; + top: 0; + left: 0; +} + +.im-n-sa > div { + padding:10px; + padding-top: 30px; +} + +.im-n-sa-type { + min-width: 150px; + min-height: 50px; +} + +.im-n-sa-type > div { + padding:10px; + padding-top: 30px; +} + +.im-n-sa-header { + position: absolute; + border-radius: 3px; + border: 1px solid transparent; + z-index: 10; + display: flex; + flex-direction: column; + top: 0; + left: 0; + width: 100%; + background: rgba(0, 0, 0, 0.15); + pointer-events: all !important; + cursor: move; + min-width: 150px; + min-height: 24px !important; + max-height: 24px; + +} + +.im-n-sa-header-text { + padding: 4px 10px; + font-size: 12px; +} + +.im-n-other { + position: relative; + border-radius: 3px; + border: 1px solid transparent; + z-index: 8; + margin: 1px; + display: flex; + flex-direction: column; + min-width: 150px; + min-height: 44px; +} + +.sel-item-sa { + z-index: 2; +} + +.im-n img { + max-width: 100%; +} + +.im-tp { + position: absolute; + background: #fff; + border-radius: 3px; + box-shadow: 4px 4px 8px -8px black; + border: 1px dashed #666; + overflow: auto; + z-index: 1; + margin: 1px; + display: flex; + flex-direction: column; + background: #f9f9f9; +} + +.t a, +.im-n a, +.im-tp a { + text-decoration: none; + color: black; +} + +#mainHtmlCanvas { + transform-origin: 0 0; +} + +.watermark { + opacity: 0.25; + width: 200px; + height: 200px; +} + +.dGraphicsHeader { + display: flex; + border-bottom: 1px solid rgba(0, 0, 0, 0.15); + font-size: 14px; + cursor: pointer; + background: #666; + flex-grow: 0; + flex-shrink: 0; + color: #fff; + height: 22px; + min-width: fit-content; + white-space: nowrap; +} + +.dTableName { + padding: 3px 0 1px 3px; + user-select: none; + font-weight: 700; + text-shadow: 0 0 1px #000; +} + +.dTableNameLight { + padding: 3px 0 1px 3px; + user-select: none; + font-weight: 700; +} + +.dGraphicsLeftTop { + margin-right: auto; + padding: 2px 4px; +} + 
+.dGraphicsRightTop { + margin-left: auto; + padding: 2px 4px; +} + +.im-tp .dGraphicsHeader { + display: flex; + border-bottom: 1px solid rgba(0, 0, 0, 0.15); + font-size: 15px; + cursor: pointer; + background: #666; + flex-grow: 0; + flex-shrink: 0; + color: #fff; +} + +.im-tp .dTableName { + padding: 1px 0 1px 0; + cursor: move; + user-select: none; + text-align: left; +} + +.t a.gr { + background: #404040; + display: flex; + flex-direction: column; + height: 100%; + user-select: none; + flex-grow: 1; + overflow: hidden; + cursor: pointer; +} + +.dCols, +.im-n-text { + padding: 2px 4px; + font-size: 13px; + overflow: auto; + min-height: auto; + min-width: auto; + color: #fff; + background: #404040; + user-select: none; + flex-grow: 1; + cursor: pointer; +} + +.dCols-report { + margin-top: 20px; + grid-column: span 4; + padding: 15px; + border: 1px solid rgba(0, 0, 0, 0.1); +} + +.im-n-text { + overflow: hidden; +} + +.im-n-text-nowrap div, +.im-n-text-nowrap p, +.im-n-text-nowrap h1, +.im-n-text-nowrap h2, +.im-n-text-nowrap h3, +.im-n-text-nowrap h4, +.im-n-text-nowrap h5, +.im-n-text-nowrap h6, +.im-n-text-nowrap ul, +.im-n-text-nowrap ol { + white-space: nowrap; +} + +.im-table-columns-displayed { + opacity: 1; +} + +.im-table-columns-hidden { + opacity: 0; + max-height: 1px; + overflow: hidden; +} + +.im-table-descriptions-hidden, +.im-table-indexes-hidden +{ + display: none; +} + +.im-table-descriptions-displayed { + display: block; + margin-top: 5px; + margin-bottom: 3px; +} + +.im-table-indexes-displayed { + margin-top: 5px; + padding-top: 5px; + border-top: 1px solid rgba(0, 0, 0, 0.3); + color: #ccc; +} + +.im-table-descriptions-displayed { + padding: 5px; + position: absolute; + top: 100%; + margin-bottom: 40px; +} + +.im-table-descriptions-displayed div, +.im-table-descriptions-hidden div { + white-space: pre-wrap; + word-wrap: break-word; + word-break: break-word; + + font-size: 12px; +} + +.dCols-desc pre { + white-space: pre-wrap; + padding: 5px; + 
font-size: 13px; + font-family: "Courier New", Courier, monospace; + overflow: auto; + margin: 0; + color: beige; +} + +.dCols-desc-nowrap pre { + white-space: revert; +} + + +.im-n-text p { + margin: 0; +} + +.im-n-text a { + color: #2196f3; + cursor: pointer !important; +} + +pre.im-n-text { + padding: 0; + margin: 0; + font-family: "Open sans"; +} + +.im-tp-text { + padding: 5px 4px 2px 4px; + font-size: 13px; + overflow: auto; + min-height: auto; + min-width: auto; + color: #555; + user-select: none; + flex-grow: 1; +} + +.dRow { + display: grid; + grid-template-columns: 25px fit-content(150px) 1fr minmax(auto, 24px); + border-radius: 2px; + min-height: 18px; +} + +.dRow-thin { + grid-template-columns: 5px fit-content(150px) 1fr auto 200px 200px; +} + +#diagram .dRow-thin { + grid-template-columns: 5px fit-content(150px) 1fr minmax(auto, 24px); +} + +.dCol { + margin-right: 0; + font-size: 12px; + min-height: 17px; +} + +.dItem { + font-size: 12px; + min-height: 17px; + padding: 0 2px 0; +} + +.dCol:nth-of-type(2), +.dCol:nth-of-type(3) { + white-space: nowrap; + margin-right: 0; + font-weight: 400; + margin-right: 0px; +} + +.dCol:nth-of-type(3) { + font-style: italic; + color: #ddd; + padding-left: 4px; + padding-right: 10px; + text-align: right; + margin-left: 10px; +} + +.dCol:last-of-type { + margin-right: auto; + padding-left: 5px; +} + + +.t:hover:not(.sel-item-diagram), +.im-n:hover:not(.sel-item-diagram) { + transition: box-shadow 0.4s; +} + +.sel-item-diagram, +.sel-item-diagram-multi, +.sel-item-diagram:hover { + z-index: 100; + outline: none; + outline-offset: 0px; + border: 1px solid transparent; +} + +.res { + display: none; +} + +.sel-item-diagram-multi .res { + display: none; +} + +.sel-item-diagram .res { + display: block; +} + +marker path { + stroke-width: 1; +} + +path { + fill: none; + stroke-width: 1; + cursor: pointer; +} + +circle.relationCardinality { + fill: #585858; + stroke: #ddd; + stroke-width: 1; +} + +#svgMain { + position: 
absolute; + background: linear-gradient(45deg, #f2f2f2, #ddd, #f2f2f2, #eee); + background: #585858; + border: 0; + z-index: 2; +} + +.sel-relation-diagram { + stroke: #000; +} + +.sel-relation-diagram-arrow { + fill: #000; +} + +.relation-diagram-bg { + stroke: rgba(0, 0, 0, 0.01); + stroke-width: 5px; + z-index: 0; +} + +.sel-relation-diagram-bg { + stroke: #3faaff; +} + +text, +tspan { + user-select: none; + cursor: pointer; +} + +.rbelongs { + /*stroke-dasharray: 3;*/ +} + +.rboth { + /*stroke-dasharray: 10, 5, 2, 2, 2, 5;*/ +} + + +.rCardinality { + font-size: 10px; + fill: #eee; + color: #eee; +} + +.rCardinalityBg { + font-size: 10px; + stroke-width: 4px; + fill: #333; + stroke:#333; +} +.im-t-c { + display: table-cell; +} + +.im-t-c:not(:nth-of-type(1)):not(:nth-of-type(3)) { + padding-right: 4px; +} + +.im-mini { + font-size: 11px; + padding-bottom: 1px; +} + + +.im-mini-PK, .im-mini-PI { + background: #ff0000; + font-size: 10px; + padding: 0 2px; + border-radius: 2px; + margin-right: 5px; + color: #fff; + text-align: center; + position: relative; + top: 2px; +} + +.im-mini-PFK, .im-mini-PL { + background: #2196f3; + font-size: 10px; + padding: 0 2px; + border-radius: 2px; + margin-right: 5px; + color: #fff; + text-align: center; + position: relative; + top: 2px; +} + +.im-mini-FK { + background: #4caf50; + font-size: 10px; + padding: 0 2px; + border-radius: 2px; + margin-right: 5px; + color: #fff; + text-align: center; + position: relative; + top: 2px; +} +.im-mini-IX { + background: #8F5D00; + font-size: 10px; + padding: 0 2px; + border-radius: 2px; + margin-right: 5px; + color: #fff; + text-align: center; + position: relative; + top: 2px; +} + +.im-mini-AK, .im-mini-AI { + background: #B20DA2; + font-size: 10px; + padding: 0 2px; + border-radius: 2px; + margin-right: 5px; + color: #fff; + text-align: center; + position: relative; + top: 2px; +} + +.im-embedded { + margin-left: 0; + padding-left: 0; + grid-column: span 4; + border-radius: 2px; +} + 
+.im-embedded-thin { + background: rgba(0, 0, 0, 0.15); + margin-left: 14px; + padding-left: 0px; +} + +.im-col-list { + color: limegreen; + padding-right: 1px; + padding-left: 1px; + font-style: normal; +} + +.im-col-object-left { + color: goldenrod; + padding-right: 1px; + font-style: normal; + display: inline-block; +} + +.im-col-object-right { + color: goldenrod; + padding-left: 1px; + font-style: normal; + display: inline-block; +} + +.im-select-decorator { + position: absolute; + height: 100px; + width: 100px; + left: 50px; + top: 50px; + border: 2px dotted #ccc; + z-index: 9999; +} + +.im-other-object { + display: flex; + align-items: center; + justify-content: center; + flex-direction: column; + padding: 1px 4px; +} + +.im-other-object-type { + display: flex; + align-items: center; + justify-content: center; + font-size: 8px; + opacity: 0.6; + text-transform: uppercase; +} + +.im-backgroundImageGrid { + background-image: url(backgroundImageGrid.svg); +} + +.im-backgroundImageSquares { + background-image: url(backgroundImageSquares.svg); +} + +.im-backgroundImageTriangles { + background-image: url(backgroundImageTriangles.svg); +} + +.im-backgroundImageBricks { + background-image: url(backgroundImageBricks.svg); +} + +.im-z-index-8 { + z-index: 8; +} + +.sel-item-diagram-multi.im-z-index-4,.im-z-index-4 { + z-index: 4 !important; + pointer-events: none; +} + +.sel-item-diagram-multi.im-z-index-4 div,.im-z-index-4 div { + visibility: hidden; +} + +.im-dropdown ul li.im-dropdown-icon-empty { + display: grid; + grid-template-columns: 21px 1fr; +} + + + +.forcedLineColor { + stroke: white !important; +} + +polygon.forcedPolygonFill, circle.forcedPolygonFill, tspan.forcedPolygonFill { + fill: white !important; + stroke-width: 0; +} + +.forcedTransparentFill { + fill: rgb(51, 51, 51) !important; + +} + +.im-icon-ResizeBottomRight16 { + display: none; +} + +.tree__wrapper { + position: absolute; + top: 0; + left: 0; + right: 0; + bottom: 0; + height: max-content; + 
width: max-content; + z-index: 10; +} + +.tree__wrapper * { + box-sizing: border-box; +} + +.tree__spacer { + height: 40px; + width: 100%; + display: block; +} + +.tree__mini__toolbar { + position: sticky; + top: 0; + width: 100%; + left: 0; + right: 0; + margin: auto; + height: 24px; + background: #282828; + z-index: 9999; + display: flex; + box-shadow: 0px 0px 5px -2px #000; + border-bottom: 1px solid rgba(255, 255, 255, 0.1); + border-left: 1px solid rgba(255, 255, 255, 0.1); + border-right: 1px solid rgba(255, 255, 255, 0.1); + border-bottom-left-radius: 5px; + border-bottom-right-radius: 5px; +} + +.tree__item__root { + display: flex; + color: #eee; + position: relative; + margin-bottom: 0; + padding: 0; +} + +.tree__item__root__wrapper { + display: flex; + margin: 15px 20px; +} + +.tree__item__hidden__caption__text { + padding-left: 10px; + font-size: 12px; + width: max-content; + display: inline-block; + color: #999; + padding-top: 4px; +} + +.tree__item__hidden__caption__text::after { + font-family: "im-line-icons" !important; + content: ""; + background: transparent; + width: 20px; + height: 100%; + color: #999; + position: absolute; + top: 4px; + left: auto; + opacity: 0.6; + font-size: 10px; + padding-left: 5px; + padding-top: 4px; +} + +.tree__item__root__name { + font-size: 12px; + display: inline-block; + width: fit-content; + align-self: center; + padding: 0; + border: 1px solid transparent; + background: #404040; + padding: 1px 8px 1px 5px; + width: max-content; + min-width: 50px; +} + +.tree__item { + display: flex; + margin: 0px 0px 0px 0px; + width: fit-content; + font-size: 10px; + position: relative; + padding-left: 20px; + padding-top: 3px; + padding-bottom: 3px; +} + +.tree__item:not(.t__tree__item__single__line):first-of-type::before { + content: " "; + position: absolute; + left: 2px; + top: 50%; + height: 50%; + width: 0; + border-left: thin solid #eee; +} + +.tree__item:not(.t__tree__item__single__line):last-of-type::before { + content: 
" "; + position: absolute; + left: 2px; + top: 0%; + height: 50%; + width: 0; + border-left: thin solid #eee; +} + +.tree__item.t__tree__item__single__line { + padding-left: 0 !important; +} + +.tree__item__single__line::before { + content: " "; + width: 0px; + height: 0; + background: transparent; + position: absolute; + top: 50%; + left: -21px; + border-bottom: thin solid #eee; +} + +.tree__item__first__line::before { + content: " "; + width: 21px; + height: 0; + position: absolute; + top: 50%; + left: -21px; + border-top: thin solid #eee; +} + +.tree__item__last__line::before { + content: " "; + width: 21px; + height: 0; + position: absolute; + top: 50%; + left: -21px; + border-top: thin solid #eee; +} + +.tree__item__middle__line::before { + content: " "; + width: 20px; + height: 0; + position: absolute; + top: 50%; + left: -21px; + border-top: thin solid #eee; +} + +.t__tree__item__middle__line::before { + content: " "; + position: absolute; + left: 2px; + top: 0%; + height: 100%; + width: 0; + border-left: thin solid #eee; +} + +.tree__spec { + white-space: pre-wrap; + font-style: normal; + color: #ccc; + background: #333; + padding: 3px 4px 0px 4px; + font-size: 10px; + border-radius: 4px; + margin-top: 1px; +} + +.tree__prop__key { + color: goldenrod; + max-width: 180px; + text-overflow: ellipsis; + display: inline-block; + overflow: hidden; + white-space: nowrap; + width: auto; + padding-right: 10px; +} + +.tree__prop__value { + color: #ccc; + max-width: 180px; + text-overflow: ellipsis; + display: inline-block; + overflow: hidden; +} + +.tree__prop__comment { + color: limegreen; + max-width: 180px; + display: inline-block; + overflow: hidden; + padding-left: 2px; + font-size: 11px; + border-radius: 4px; + padding-right: 5px; +} + +.tree__item__named { + display: inline-block; + width: fit-content; + align-self: center; + padding: 0; + border: thin solid transparent; + position: relative; + margin-right: 28px; +} + +.tree__expander__icon__left > 
i.im-icon-MinusCircle16::after { + content: " "; + width: 15px; + height: 0; + position: absolute; + top: 50%; + left: 100%; + background: transparent; + border-bottom: thin solid #eee; +} + +.tree__item__bg { + background: #404040; + border: thin dashed rgba(255, 255, 255, 0.2); + box-shadow: 4px 4px 8px -8px black; + padding: 3px; + width: max-content; + position: relative; +} + +.tree__item__spec__bg span { + padding: 3px; + display: inline-block; +} + +.tree__item__required { + border: thin solid rgba(255, 255, 255, 0.2); +} + +.tree_padding_sm { + padding: 3px; +} + +.tree__item__sub { + display: inline-block; + margin: 0; + left: 0px; + position: relative; + align-self: center; +} + +.group { + /*background: url(bg-vertical.svg);*/ + background-repeat: repeat-y; + background-position-x: 20px; + background-position-y: center; + background-size: 1px 100%; +} + +.tree__expander__icon { + align-self: center; + position: relative; + left: -6px; + top: 1; + background: #404040; + border-radius: 100%; + box-shadow: 4px 4px 8px -6px black; + cursor: pointer; + padding: 1px; + width: 15px; + height: 15px; + z-index: 999; +} + +.tree__expander__icon__left { + align-self: center; + display: block; + cursor: pointer; + padding: 1px; + width: 15px; + height: 15px; + z-index: 999; + position: absolute; + right: -15px; + top: 0; + bottom: 0; + margin: auto; +} + +.tree__expander__icon__left i.im-icon-FullCircle { + position: absolute; + top: 0px; + left: -5px; + width: 15px; + height: 15px; + color: #404040; + } + + .tree__expander__icon__left i.im-icon-MinusCircle16, .tree__expander__icon__left i.im-icon-PlusCircle16 { + position: relative; + left: -6px; + background: transparent; + border-radius: 100%; + color: #fff; +} + +.tree__flex__rows { + display: flex; + font-size: 11px; +} + +.tree__flex { + display: flex; +} + +.tree__select { + padding: 0; + width: 100%; + max-width: 100% !important; +} + +.tree__select option { + padding: 1px; + width: 80px; +} + +.tree__input 
{ + width: 100%; + min-width: 60px; + border: thin solid transparent; + border-bottom-color: transparent; + border-bottom-style: solid; + border-bottom-width: 1px; + border-radius: 2px; + padding: 0 2px; + font-family: "Open Sans"; + font-size: 12px; +} + +.tree__item input, .tree__item__rootbox input { + background: #404040; + border-bottom: 1px solid transparent; + margin-bottom: 0; +} + +.tree__item__box { + display: grid; + grid-template-columns: 1fr; + grid-gap: 4px; +} + +.tree__item__rootbox { + display: grid; + grid-template-columns: 15px 1fr; + grid-gap: 0; +} + +.tree__item__type { + text-align: center; +} + +.tree__item__req { + display: inline-block; + align-self: right; + background: rgba(0, 0, 0, 0.2); + margin: 0 4px; + padding: 1px 4px 1px 4px; + border-radius: 4px; + color: #eee; +} + +.tree__item__last { + display: grid; + grid-template-columns: 1fr auto; +} + +.tree__item__last > div > div { + margin: 1px 4px 4px 4px; +} + + .tree__item__last > div > span:first-of-type { + margin: 1px 0px 1px 4px; + padding-top: 3px; +} + + +.tree__required { + color: #eee; + padding-right: 2px; + display: inline-block; + font-style: normal; + font-size: 9px; +} + +.tree__item__inputwrapper { + padding-right: 5px; + display: grid; + grid-template-columns: 1fr; + font-size: 11px; + color: #eee; +} + +.tree__condition__wrapper .tree__item__inputwrapper { + padding-right: 0; +} +.tree__condition__wrapper .tree__item__last { + padding-left: 0; +} + +.tree__key__inputwrapper .tree__input { + color: #ccc; +} + +.tree__key__inputwrapper { + padding-right: 3px; + padding-left: 2px; + display: grid; + grid-template-columns: auto 1fr; + font-size: 10px; + color: #eee; +} + +.tree__item__icon { + font-size: 11px; + position: relative; + top: 1px; +} + +.tree__icon__array { + font-size: 11px; + color: limegreen; + padding-right: 4px; + padding-left: 1px; + font-style: normal; +} + +.tree__icon__array__mini { + font-size: 8px; + color: limegreen; + padding-right: 2px; + 
padding-left: 1px; + position: relative; + bottom: 1px; + font-style: italic; +} + +.tree__icon__multi { + font-size: 11px; + color: white; + padding-right: 4px; + padding-left: 1px; + font-style: normal; +} + +.tree__icon__array i.im-icon-DotsVerticallDouble16 { + font-size: 10px; + color: limegreen; + padding: 0; + position: relative; + top: 1px; +} + +.tree__icon__pattern { + font-size: 10px; + color: #999; + padding-right: 4px; + font-style: normal; + display: inline-block; + align-self: center; +} + +.tree__icon__object { + font-size: 10px; + color: goldenrod; + padding-right: 4px; + font-style: normal; + display: inline-block; + align-self: center; +} + +.tree__icon__object__mini { + font-size: 8px; + color: goldenrod; + padding-right: 2px; + position: relative; + bottom: 1px; + font-style: italic; +} + +.tree__icon__object i.im-icon-ArrowLeft16 { + font-size: 9px; + color: goldenrod; + padding: 0; + position: relative; + top: 1px; +} + +.tree__icon__ref i.im-icon-Type { + font-size: 9px; + color: #2196f3; + padding: 0; + position: relative; + top: 1px; +} + +.tree__icon__ref i.im-icon-Table { + font-size: 9px; + color: goldenrod; + padding: 0; + position: relative; + top: 1px; +} + +.tree__icon__object i.im-icon-Table { + font-size: 9px; + color: #eee; + padding: 0; + position: relative; + top: 1px; +} + +.tree__icon__object i.im-icon-DotsVerticallDouble16 { + font-size: 10px; + color: goldenrod; + padding: 0; + position: relative; + top: 1px; +} + +.tree__icon__condition { + background: darkmagenta; + color: rgba(255, 255, 255, 0.7); + padding-right: 1px; + font-style: normal; + display: inline-block; + font-size: 9px; + padding: 2px 4px; + min-width: 25px; + text-align: center; + border-radius: 5px; + bottom: 0; + position: relative; + top: -3px; + width: auto; + margin: 0 5px; + text-transform: uppercase; +} + +.tree__icon__def { + color: goldenrod; + padding-right: 1px; + font-style: normal; + display: inline-block; +} + +.tree__icon__referenced { + 
color: #2196f3; + padding-right: 4px; + font-style: normal; + display: inline-block; + font-size: 13px; +} + +.tree__ref__key { + color: #2196f3; + font-size: 11px; + max-width: 180px; + text-overflow: ellipsis; + display: inline-block; + overflow: hidden; +} + +.tree__datatype__name { + color: #999; + padding-left: 2px; + padding-right: 10px; + text-align: left; + margin-left: 0px; + font-size: 11px; +} + +.tree__item__index { + color: #eee; + opacity: 0.8; +} + +.tree__item__hidden { + padding-right: 10px; + opacity: 0; + font-size: 12px; + line-height: 0; + padding-left: 3px; +} + +.tree__item__hidden__caption { + opacity: 0; + position: sticky; + top: -2px; + bottom: unset; + height: 24px; + align-self: center; + z-index: -1; + width: 2px; +} + +.tree__item__root svg { + position: absolute; + width: 45px; + height: 100%; + left: -5px; + top: 5px; +} + +.tree__item__root line, +.tree__item__root path { + stroke-width: 1; + stroke: #fff; +} + +#diagram-tree { + margin: 30px; + position: relative; +} + +#diagram-tree svg { + margin: 2px; +} + +#diagram-tree .im-mw-sm, #diagram-tree input.im-mw-sm, #diagram-tree select.im-mw-sm { + min-width: fit-content !important; + width: fit-content !important; +} + +#diagram #svgMain { + top: 0px; + left: 0px; + background: transparent; + position: absolute; + height: 100%; +} + +#diagram #mainHtmlCanvas { + height: 100%; + transform-origin: 0 0; +} + +#diagram { + height: 100%; + width: 100%; + position: relative; +} + +.im-position-top-2 { + position: relative; + top: -2px; +} + +.tree__key { + width: max-content; + align-self: center; + position: relative; + left: -1px; + background-position: -3px center; + background-repeat: no-repeat; + background-size: 28px 24px; + stroke: #ddd !important; + font-size: 10px; + color: #ccc; + box-shadow: 4px 4px 8px -8px black; +} + +.tree__key__text { + color: #ccc; + font-size: 10px; + background: #404040; + border-radius: 8px; + min-width: 28px; + padding: 2px 5px 2px 5px; +} + 
+.tree__key__text__mini { + font-size: 12px; + border-radius: 4px; + min-width: 28px; + min-height: 12px; + padding: 1px 6px 1px 0; + text-align: center; + color: #ccc; +} + +.tree__mini__selected { + background: #0267b7; + border-radius: 4px; + position: relative; + left: -3px; + padding-left: 3px; + padding-right: 1px !important; + color: white; + max-height: 16px; +} + +.im-arrow .tree__mini__clickable, .im-Arrow .tree__mini__clickable { + cursor: pointer; +} + +.im-arrow .tree__mini__clickable:hover, .im-Arrow .tree__mini__clickable:hover { + background: #222; + border-radius: 4px; + position: relative; + left: -3px; + padding-left: 3px; + padding-right: 1px !important; + color: white !important; + max-height: 16px; +} + +.tree__mini__selected .tree__key__text__mini { + color: white; +} + +.tree__choice, .tree__condition { + width: max-content; + align-self: center; + position: relative; + left: -1px; + background-position: -3px center; + background-repeat: no-repeat; + background-size: 28px 24px; + padding-left: 13px; + font-size: 10px; + color: rgba(255, 255, 255, 0.8); +} + +.tree__choice__mini { + background-size: 20px 16px; + background-position: -1px center; + padding-left: 12px; + background-repeat: no-repeat; + font-style: italic; +} + +.tree__choice__oneOf { + background-image: url(oneOf-dark.svg); +} + +.tree__choice__allOf { + background-image: url(allOf-dark.svg); +} + +.tree__choice__anyOf { + background-image: url(anyOf-dark.svg); +} + +.tree__choice__not { + background-image: url(not-dark.svg); +} + +.tree__choice__wrapper { + background: darkgreen; + border-radius: 11px; + padding: 0 3px; +} + +.tree__choice__text { + font-size: 10px; + background: darkgreen; + border-radius: 11px; + min-width: 28px; + padding: 5px 9px 3px 7px; + text-align: center; +} + +.tree__choice__text__mini { + font-size: 10px; + background: darkgreen; + border-radius: 4px; + min-width: 28px; + min-height: 12px; + padding: 1px 6px 0px 4px; + text-align: center; + color: 
rgba(255, 255, 255, 0.8); + font-style: italic; +} + +.tree__condition { + background-position: 0 center; + padding-left: 16px; +} + +.tree__condition__if { + background-image: url(if-dark.svg); + color: white; +} + +.tree__condition__then { + background-image: url(then-dark.svg); + color: white; +} + +.tree__condition__else { + background-image: url(else-dark.svg); + color: white; +} + +.tree__condition__wrapper { + border-radius: 11px; + padding: 0 3px; + overflow: hidden; + background: #404040; + box-shadow: 4px 4px 8px -8px black; +} + +.tree__condition__text { + font-size: 10px; + background: darkmagenta; + border-radius: 11px; + min-width: 24px; + padding: 5px 9px 3px 7px; + text-align: center; + color: white; +} + +.tree__condition__text__mini { + font-size: 10px; + background: darkmagenta; + border-radius: 4px; + min-width: 28px; + min-height: 12px; + padding: 1px 6px 0px 4px; + text-align: center; + color: rgba(255, 255, 255, 0.8); + font-style: italic; +} + +input::placeholder { + color: #ccc; + font-style: italic; + opacity: 0.5; +} + +.tree__bg__referenced, .tree__bg__subschema { + background: rgba(0, 0, 0, 0.1); + border: thin dashed rgba(255, 255, 255, 0.2); + padding: 15px 2px 15px 20px; + position: relative; +} + +.tree__bg__referenced:before { + content: "Definition"; + position: absolute; + top: 3px; + left: 5px; + color: #eee; + opacity: 0.3; + font-size: 8px; + text-transform: uppercase; +} + +.tree__subschema { + position: relative; +} + +.tree__subschema::before { + content: "Subschema"; + position: absolute; + top: 5px; + left: 5px; + color: #eee; + opacity: 0.3; + font-size: 8px; + text-transform: uppercase; +} + +.tree__bg__subschema::before { + content: " "; + width: 20px; + height: 0; + position: absolute; + top: calc(50% - 0.5px); + left: 0px; + border-top: thin solid #eee; + margin-bottom: 1px; +} + +.tree__schema:before { + content: "Schema"; + position: absolute; + top: -15px; + left: 1px; + color: #eee; + opacity: 0.5; + font-size: 
8px; + text-transform: uppercase; +} + +.tree__definition:before { + content: "Subschema"; + position: absolute; + top: -15px; + left: 1px; + color: #eee; + opacity: 0.5; + font-size: 8px; + text-transform: uppercase; +} + +.tree__ref:before { + content: "External ref"; + position: absolute; + top: -15px; + left: 1px; + color: #eee; + opacity: 0.5; + font-size: 8px; + text-transform: uppercase; +} + +.tree__condition__wrapper .tree__prop__comment { + background: #333; + border-bottom-left-radius: 8px; + border-bottom-right-radius: 8px; + padding: 3px 7px 2px 4px; + text-align: left; +} + +.tree__item__hidden__caption[sticky-active] { + opacity: 1; + z-index: 9999; +} + +@media print { + .mm-freeware #mainHtmlCanvas div.tree__item:nth-child(3n) .tree__item__bg::after, .mm-trial #mainHtmlCanvas div.tree__item:nth-child(3n) .tree__item__bg::after { + content: " Trial "; + display: inline-block; + position: absolute; + top: 1px; + left: 1px; + right: 1px; + bottom: 1px; + background: rgba(0, 0, 0, 0.8); + color: white; + padding: 0; + text-align: center; + padding-top: 5px; + } +} + + +.dCols-report .tree__flex__rows { + overflow-wrap: break-word; +} + +.sel-item-diagram-multi { + box-shadow: none; + outline: 0; +} + +.sel-item-diagram, .sel-item-diagram:hover { + outline: 0; + box-shadow: 4px 4px 8px -8px black; + border: 1px solid rgba(0, 0, 0, 0.3); +} + +/**/ +.im-display-none { + display: none; +} + +.im-display-flex { + display: flex; + flex-grow: 1; + justify-content: center; +} + +.im-display-inline-block { + display: inline-block; +} + +.tree__input, .tree__input:focus, .tree__input:focus-visible { + outline: none; +} + +.tree__empty_decorator { + display: inline-block; + min-width: 6px; +} + +.im-text-opacity-50 { + opacity: 0.4; +} + +.mm-section-group { + display: none; +} \ No newline at end of file diff --git a/scripts/database/web/then-dark.svg b/scripts/database/web/then-dark.svg new file mode 100644 index 000000000..4c8678e41 --- /dev/null 
+++ b/scripts/database/web/then-dark.svg @@ -0,0 +1,24 @@ + + + + + + + + + + + + + + + + + + + + + + diff --git a/scripts/database/web/then-light.svg b/scripts/database/web/then-light.svg new file mode 100644 index 000000000..328aff41d --- /dev/null +++ b/scripts/database/web/then-light.svg @@ -0,0 +1,24 @@ + + + + + + + + + + + + + + + + + + + + + + diff --git a/scripts/database_creation.py b/scripts/database_creation.py new file mode 100644 index 000000000..abc128484 --- /dev/null +++ b/scripts/database_creation.py 
@@ -0,0 +1,106 @@ +# import asyncio +import os + +# import libsql_client + +# atlas schema apply --to file://database/schema --dev-url "sqlite://dev?mode=memory" --url sqlite://database/test.db + +print("Install `atlas-cli`, then run: ") +print( + 'atlas schema apply --to file://database/schema --dev-url "sqlite://dev?mode=memory" --url sqlite://database/test.db"' +) + +print('Atlas can help us manage changes to the DB more easily') + +# url = os.getenv("URL", "file:security_guidance.db") +# async with libsql_client.create_client(url) as client: +# #import ipdb; ipdb.set_trace() +# await client.batch( +# [ +# """ +# CREATE TABLE "Organization"( +# organization_id INTEGER PRIMARY KEY AUTOINCREMENT NOT NULL, +# short_name VARCHAR NOT NULL, +# uri VARCHAR, +# email VARCHAR, +# long_name VARCHAR NOT NULL +# ); +# """, + +# """ +# CREATE TABLE artifact_types +# (type_name VARCHAR NOT NULL, artifact_type_id INTEGER PRIMARY KEY AUTOINCREMENT NOT NULL, description TEXT); +# """, + +# """ +# CREATE TABLE benchmark_type( +# short_name VARCHAR NOT NULL, +# description TEXT NOT NULL, +# benchmark_type_id INTEGER PRIMARY KEY AUTOINCREMENT NOT NULL, +# long_name VARCHAR NOT NULL +# ); +# """, + +# """ +# CREATE TABLE "Artifact"( +# artifact_id INTEGER PRIMARY KEY AUTOINCREMENT NOT NULL, +# name VARCHAR NOT NULL, +# location VARCHAR NOT NULL, +# created_at DATE NOT NULL, +# secondary_location VARCHAR, +# raw_data BLOB, +# type_id INTEGER NOT NULL, +# organization_id INTEGER NOT NULL, +# CONSTRAINT "type_Artifact" FOREIGN KEY (type_id) REFERENCES artifact_types (artifact_type_id), +# CONSTRAINT "organization_id_Artifact" FOREIGN KEY (organization_id) REFERENCES "Organization" (organization_id) +# ); +# """, + +# """ +# CREATE TABLE "Products"( +# short_name VARCHAR NOT NULL, +# version REAL NOT NULL, +# author_id INT NOT NULL, +# "release" INT NOT NULL, +# long_name VARCHAR NOT NULL, +# product_id INT NOT NULL, +# organization_id INTEGER NOT NULL, +# CONSTRAINT 
"organization_id_Products" FOREIGN KEY (organization_id) REFERENCES "Organization" (organization_id) +# ); +# """, + +# """ +# CREATE TABLE "Statuses"(status_id INTEGER PRIMARY KEY AUTOINCREMENT NOT NULL, name VARCHAR NOT NULL); +# """, + +# """ +# CREATE TABLE "Benchmarks"( +# benchmark_id INTEGER PRIMARY KEY AUTOINCREMENT NOT NULL, +# version SMALLINT NOT NULL, +# "release" SMALLINT NOT NULL, +# release_date DATE NOT NULL, +# type_id INTEGER NOT NULL, +# product_id INT NOT NULL, +# author_id INTEGER NOT NULL, +# sponsor_id INTEGER NOT NULL, +# status_id INTEGER NOT NULL, +# CONSTRAINT "benchmark_type_id_Benchmarks" FOREIGN KEY (type_id) REFERENCES benchmark_type (benchmark_type_id), +# CONSTRAINT "product_id_Benchmarks" FOREIGN KEY (product_id) REFERENCES "Products" (product_id), +# CONSTRAINT "organization_id_Benchmarks" FOREIGN KEY (author_id) REFERENCES "Organization" (organization_id), +# CONSTRAINT "organization_id_Benchmarks" FOREIGN KEY (sponsor_id) REFERENCES "Organization" (organization_id), +# CONSTRAINT "status_id_Benchmarks" FOREIGN KEY (status_id) REFERENCES "Statuses" (status_id) +# ); +# """, + +# """ +# CREATE TABLE benchmark_artifacts( +# "default" INT2, +# benchmark_id INTEGER NOT NULL, +# artifact_id INTEGER NOT NULL, +# PRIMARY KEY(benchmark_id, artifact_id), +# CONSTRAINT benchmark_id_benchmark_artifacts FOREIGN KEY (benchmark_id) REFERENCES "Benchmarks" (benchmark_id), +# CONSTRAINT artifact_id_benchmark_artifacts FOREIGN KEY (artifact_id) REFERENCES "Artifact" (artifact_id) +# ); +# """, +# ] +# ) diff --git a/scripts/update.py b/scripts/update.py new file mode 100644 index 000000000..4572f799d --- /dev/null +++ b/scripts/update.py 
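Review bot: The second `print` in `scripts/database_creation.py` emits an `atlas schema apply` command with a stray trailing `"` after `sqlite://database/test.db`, so anyone pasting it into a shell gets an unterminated string; the literal should end `--url sqlite://database/test.db'`. The remainder of the file is the former `libsql_client` schema kept as a roughly 90-line comment, plus a now-unused `import os`; if Atlas is the intended path, that DDL belongs under `database/schema` (where the printed command reads it) and should be deleted here, because commented-out DDL will not be kept in step with the models. If it is moved, note that the commented `Benchmarks` table declares two foreign keys with the same constraint name `organization_id_Benchmarks` (for `author_id` and `sponsor_id`), which SQLite may accept but a schema tool or another engine is likely to reject, so give them distinct names.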
@@ -0,0 +1,122 @@ +import requests +from bs4 import BeautifulSoup +from difflib import SequenceMatcher +import re +import os +import shutil +import tempfile +import xml.etree.ElementTree as ET +from io import BytesIO +import zipfile +from stig_parser import convert_stig + +URL = "https://public.cyber.mil/stigs/downloads/" +HEADERS = { + 'Access-Control-Allow-Origin': '*', + 'Access-Control-Allow-Methods': 'GET', + 'Access-Control-Allow-Headers': 'Content-Type', + 'Access-Control-Max-Age': '3600', + 'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0' +} +DOWNLOAD_DIR = "downloads" +EXTRACT_DIR = "extracted" +DB_FILE = "stigs.db" +SQLITE_DB_FILE = 'security_guidance.db' +EXCLUDE_KEYWORDS = ['scc', 'library', '.msi.zip', 'srg_stig_applicability_guide', 'stigapplicabilityguide', 'stigviewer', 'u_cci_list', 'overview', 'scap', 'ansible', 'u_draft_cci', 'srg', 'gpo', 'chef', 'dsc', 'u_apache_2-2', 'u_mot_solutions', 'u_multifunction_device', 'u_storage_area', 'u_ms_exchange', 'u_exchange', 'u_airwatch'] + +EXTRACTED_ROWS = [] + +# Function to download and extract STIGs and SRGs +def download_and_extract_stigs(): + response = requests.get(URL, HEADERS, verify=False) + soup = BeautifulSoup(response.content, 'html.parser') + + # Find all rows in the table and download links + rows = soup.find_all('tr') + for row in rows: + title_col = row.find('td', class_='title_column') + size_col = row.find('td', class_='size_column') + updated_col = row.find('td', class_='updated_column') + + if title_col and size_col and updated_col: + title = title_col.get_text(strip=True) + size = size_col.get_text(strip=True) + datePublished = updated_col.get_text(strip=True) + anchor = title_col.find('a') + + if anchor and 'href' in anchor.attrs: + url = anchor['href'] + else: + url = 'None' + + # Check if the url contains the excluded keywords, and the file is only a zip file + if url.lower().endswith('.zip') and not any(keyword in url.lower() for keyword 
in EXCLUDE_KEYWORDS): + existing_artifact = session.query(Artifact).filter(Artifact.location == url).first() + zip_filename = os.path.join(DOWNLOAD_DIR, url.split('/')[-1]) + + # Check if the file already exists + if not existing_artifact: + print(f"Downloading {title} - {url}") + zip_response = requests.get(url) + + # "Description": "xxxxxxx", + # Save the zip file + with open(zip_filename, 'wb') as f: + f.write(zip_response.content) + json_results = convert_stig(zip_filename) + + urlTitle = title + urlsize = size + urldatePublished = datePublished + urlUrl = url + id = json_results['Id'] + title = json_results['Title'] + status = json_results['Status'] + description = json_results['Description'] + version = json_results['Version'] + release = json_results['Release'] + benchmarkDate = json_results['BenchmarkDate'] + releaseInfo = json_results['ReleaseInfo'] + publisher = json_results['Publisher'] + source = json_results['Source'] + notice = json_results['Notice'] + + insert_benchmark_data(id, title, status, description, version, release, benchmarkDate, publisher, source, notice, urlUrl) + + # Extract only the XML files from the zip file + with zipfile.ZipFile(zip_filename) as zip_ref: + for file in zip_ref.namelist(): + if file.endswith('.xml'): + # Create a temporary directory + with tempfile.TemporaryDirectory() as temp_dir: + zip_ref.extract(file, temp_dir) + # Move the file to the desired directory + shutil.move(os.path.join(temp_dir, file), os.path.join(EXTRACT_DIR, os.path.basename(file))) + else: + print(f"Skipping excluded file: {title} - {url}") + +def insert_benchmark_data(id, title, status, description, version, release, datePublished, publisher, source, notice, url): + new_benchmark = Benchmark(version=version, release=release, release_date=datePublished) + new_product = Products(long_name=title, short_name=id, version=version, release=release) + new_organizaiton = Organization(short_name=publisher) + new_statuses = Statuses(name=status) + new_artifact 
= Artifact(name=title, location=url) + new_artifact_type = ArtifactTypes(type_name=title, description=description) + session.add(new_benchmark) + session.add(new_product) + session.add(new_organizaiton) + session.add(new_statuses) + session.add(new_artifact) + session.add(new_artifact_type) + session.commit() + +def main(): + if not os.path.exists(DOWNLOAD_DIR): + os.makedirs(DOWNLOAD_DIR) + if not os.path.exists(EXTRACT_DIR): + os.makedirs(EXTRACT_DIR) + + download_and_extract_stigs() + +if __name__ == "__main__": + main() diff --git a/security_guidance.db b/security_guidance.db new file mode 100644 index 000000000..101d6bcb5 Binary files /dev/null and b/security_guidance.db differ diff --git a/sqlalcamey/Makefile b/sqlalcamey/Makefile new file mode 100644 index 000000000..d4bb2cbb9 --- /dev/null +++ b/sqlalcamey/Makefile @@ -0,0 +1,20 @@ +# Minimal makefile for Sphinx documentation +# + +# You can set these variables from the command line, and also +# from the environment for the first two. +SPHINXOPTS ?= +SPHINXBUILD ?= sphinx-build +SOURCEDIR = . +BUILDDIR = _build + +# Put it first so that "make" without argument is like "make help". +help: + @$(SPHINXBUILD) -M help "$(SOURCEDIR)" "$(BUILDDIR)" $(SPHINXOPTS) $(O) + +.PHONY: help Makefile + +# Catch-all target: route all unknown targets to Sphinx using the new +# "make mode" option. $(O) is meant as a shortcut for $(SPHINXOPTS). +%: Makefile + @$(SPHINXBUILD) -M $@ "$(SOURCEDIR)" "$(BUILDDIR)" $(SPHINXOPTS) $(O) diff --git a/sqlalcamey/TODO b/sqlalcamey/TODO new file mode 100644 index 000000000..dfce6e224 --- /dev/null +++ b/sqlalcamey/TODO @@ -0,0 +1 @@ +# https://github.com/vikpe/python-package-starter diff --git a/sqlalcamey/_build/doctrees/environment.pickle b/sqlalcamey/_build/doctrees/environment.pickle new file mode 100644 index 000000000..9048f06f8 Binary files /dev/null and b/sqlalcamey/_build/doctrees/environment.pickle differ 
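Review bot: `response = requests.get(URL, HEADERS, verify=False)` in `download_and_extract_stigs` turns off TLS certificate verification for the page that supplies every download link, so the set of STIG zips this tool ingests can be altered by anyone on the network path, and the positional `HEADERS` binds to `params=` rather than `headers=`, so the User-Agent is never sent (the `Access-Control-*` entries are response headers and do not belong in a request at all). Change it to `response = requests.get(URL, headers={'User-Agent': HEADERS['User-Agent']}, timeout=30)` and, for the per-file fetch, `zip_response = requests.get(url, headers={'User-Agent': HEADERS['User-Agent']}, timeout=120)` followed by `zip_response.raise_for_status()` before the body is written and passed to `convert_stig`, since an error page is currently saved as a `.zip`. The scraped `url` is only checked for a `.zip` suffix; it is worth also requiring an absolute `https://` link on the expected host before fetching, as the same string becomes the on-disk file name via `url.split('/')[-1]`. Separately, `session`, `Artifact`, `Benchmark`, `Products`, `Organization`, `Statuses` and `ArtifactTypes` are used in this file but never imported or defined, so the script raises `NameError` on the first matching row.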
diff --git a/sqlalcamey/_build/doctrees/index.doctree b/sqlalcamey/_build/doctrees/index.doctree new file mode 100644 index 000000000..f6feecbc0 Binary files /dev/null and b/sqlalcamey/_build/doctrees/index.doctree differ diff --git a/sqlalcamey/_build/html/.buildinfo b/sqlalcamey/_build/html/.buildinfo new file mode 100644 index 000000000..e7bd17b7e --- /dev/null +++ b/sqlalcamey/_build/html/.buildinfo @@ -0,0 +1,4 @@ +# Sphinx build info version 1 +# This file hashes the configuration used when building these files. When it is not found, a full rebuild will be done. +config: ba27abf035787a10a65f9674097a6490 +tags: 645f666f9bcd5a90fca523b33c5a78b7 diff --git a/sqlalcamey/_build/html/_sources/index.rst.txt b/sqlalcamey/_build/html/_sources/index.rst.txt new file mode 100644 index 000000000..8e57a483a --- /dev/null +++ b/sqlalcamey/_build/html/_sources/index.rst.txt @@ -0,0 +1,20 @@ +.. MITRE SAF Security Guidance Database documentation master file, created by + sphinx-quickstart on Mon Dec 18 01:56:18 2023. + You can adapt this file completely to your liking, but it should at least + contain the root `toctree` directive. + +Welcome to MITRE SAF Security Guidance Database's documentation! +================================================================ + +.. toctree:: + :maxdepth: 2 + :caption: Contents: + + + +Indices and tables +================== + +* :ref:`genindex` +* :ref:`modindex` +* :ref:`search` diff --git a/sqlalcamey/_build/html/_static/alabaster.css b/sqlalcamey/_build/html/_static/alabaster.css new file mode 100644 index 000000000..517d0b29c --- /dev/null +++ b/sqlalcamey/_build/html/_static/alabaster.css 
@@ -0,0 +1,703 @@ +@import url("basic.css"); + +/* -- page layout ----------------------------------------------------------- */ + +body { + font-family: Georgia, serif; + font-size: 17px; + background-color: #fff; + color: #000; + margin: 0; + padding: 0; +} + + +div.document { + width: 940px; + margin: 30px auto 0 auto; +} + +div.documentwrapper { + float: left; + width: 100%; +} + +div.bodywrapper { + margin: 0 0 0 220px; +} + +div.sphinxsidebar { + width: 220px; + font-size: 14px; + line-height: 1.5; +} + +hr { + border: 1px solid #B1B4B6; +} + +div.body { + background-color: #fff; + color: #3E4349; + padding: 0 30px 0 30px; +} + +div.body > .section { + text-align: left; +} + +div.footer { + width: 940px; + margin: 20px auto 30px auto; + font-size: 14px; + color: #888; + text-align: right; +} + +div.footer a { + color: #888; +} + +p.caption { + font-family: inherit; + font-size: inherit; +} + + +div.relations { + display: none; +} + + +div.sphinxsidebar a { + color: #444; + text-decoration: none; + border-bottom: 1px dotted #999; +} + +div.sphinxsidebar a:hover { + border-bottom: 1px solid #999; +} + +div.sphinxsidebarwrapper { + padding: 18px 10px; +} + +div.sphinxsidebarwrapper p.logo { + padding: 0; + margin: -10px 0 0 0px; + text-align: center; +} + +div.sphinxsidebarwrapper h1.logo { + margin-top: -10px; + text-align: center; + margin-bottom: 5px; + text-align: left; +} + +div.sphinxsidebarwrapper h1.logo-name { + margin-top: 0px; +} + +div.sphinxsidebarwrapper p.blurb { + margin-top: 0; + font-style: normal; +} + +div.sphinxsidebar h3, +div.sphinxsidebar h4 { + font-family: Georgia, serif; + color: #444; + font-size: 24px; + font-weight: normal; + margin: 0 0 5px 0; + padding: 0; +} + +div.sphinxsidebar h4 { + font-size: 20px; +} + +div.sphinxsidebar h3 a { + color: #444; +} + +div.sphinxsidebar p.logo a, +div.sphinxsidebar h3 a, +div.sphinxsidebar p.logo a:hover, +div.sphinxsidebar h3 a:hover { + border: none; +} + +div.sphinxsidebar p { + color: #555; 
+ margin: 10px 0; +} + +div.sphinxsidebar ul { + margin: 10px 0; + padding: 0; + color: #000; +} + +div.sphinxsidebar ul li.toctree-l1 > a { + font-size: 120%; +} + +div.sphinxsidebar ul li.toctree-l2 > a { + font-size: 110%; +} + +div.sphinxsidebar input { + border: 1px solid #CCC; + font-family: Georgia, serif; + font-size: 1em; +} + +div.sphinxsidebar hr { + border: none; + height: 1px; + color: #AAA; + background: #AAA; + + text-align: left; + margin-left: 0; + width: 50%; +} + +div.sphinxsidebar .badge { + border-bottom: none; +} + +div.sphinxsidebar .badge:hover { + border-bottom: none; +} + +/* To address an issue with donation coming after search */ +div.sphinxsidebar h3.donation { + margin-top: 10px; +} + +/* -- body styles ----------------------------------------------------------- */ + +a { + color: #004B6B; + text-decoration: underline; +} + +a:hover { + color: #6D4100; + text-decoration: underline; +} + +div.body h1, +div.body h2, +div.body h3, +div.body h4, +div.body h5, +div.body h6 { + font-family: Georgia, serif; + font-weight: normal; + margin: 30px 0px 10px 0px; + padding: 0; +} + +div.body h1 { margin-top: 0; padding-top: 0; font-size: 240%; } +div.body h2 { font-size: 180%; } +div.body h3 { font-size: 150%; } +div.body h4 { font-size: 130%; } +div.body h5 { font-size: 100%; } +div.body h6 { font-size: 100%; } + +a.headerlink { + color: #DDD; + padding: 0 4px; + text-decoration: none; +} + +a.headerlink:hover { + color: #444; + background: #EAEAEA; +} + +div.body p, div.body dd, div.body li { + line-height: 1.4em; +} + +div.admonition { + margin: 20px 0px; + padding: 10px 30px; + background-color: #EEE; + border: 1px solid #CCC; +} + +div.admonition tt.xref, div.admonition code.xref, div.admonition a tt { + background-color: #FBFBFB; + border-bottom: 1px solid #fafafa; +} + +div.admonition p.admonition-title { + font-family: Georgia, serif; + font-weight: normal; + font-size: 24px; + margin: 0 0 10px 0; + padding: 0; + line-height: 1; +} + 
+div.admonition p.last { + margin-bottom: 0; +} + +div.highlight { + background-color: #fff; +} + +dt:target, .highlight { + background: #FAF3E8; +} + +div.warning { + background-color: #FCC; + border: 1px solid #FAA; +} + +div.danger { + background-color: #FCC; + border: 1px solid #FAA; + -moz-box-shadow: 2px 2px 4px #D52C2C; + -webkit-box-shadow: 2px 2px 4px #D52C2C; + box-shadow: 2px 2px 4px #D52C2C; +} + +div.error { + background-color: #FCC; + border: 1px solid #FAA; + -moz-box-shadow: 2px 2px 4px #D52C2C; + -webkit-box-shadow: 2px 2px 4px #D52C2C; + box-shadow: 2px 2px 4px #D52C2C; +} + +div.caution { + background-color: #FCC; + border: 1px solid #FAA; +} + +div.attention { + background-color: #FCC; + border: 1px solid #FAA; +} + +div.important { + background-color: #EEE; + border: 1px solid #CCC; +} + +div.note { + background-color: #EEE; + border: 1px solid #CCC; +} + +div.tip { + background-color: #EEE; + border: 1px solid #CCC; +} + +div.hint { + background-color: #EEE; + border: 1px solid #CCC; +} + +div.seealso { + background-color: #EEE; + border: 1px solid #CCC; +} + +div.topic { + background-color: #EEE; +} + +p.admonition-title { + display: inline; +} + +p.admonition-title:after { + content: ":"; +} + +pre, tt, code { + font-family: 'Consolas', 'Menlo', 'DejaVu Sans Mono', 'Bitstream Vera Sans Mono', monospace; + font-size: 0.9em; +} + +.hll { + background-color: #FFC; + margin: 0 -12px; + padding: 0 12px; + display: block; +} + +img.screenshot { +} + +tt.descname, tt.descclassname, code.descname, code.descclassname { + font-size: 0.95em; +} + +tt.descname, code.descname { + padding-right: 0.08em; +} + +img.screenshot { + -moz-box-shadow: 2px 2px 4px #EEE; + -webkit-box-shadow: 2px 2px 4px #EEE; + box-shadow: 2px 2px 4px #EEE; +} + +table.docutils { + border: 1px solid #888; + -moz-box-shadow: 2px 2px 4px #EEE; + -webkit-box-shadow: 2px 2px 4px #EEE; + box-shadow: 2px 2px 4px #EEE; +} + +table.docutils td, table.docutils th { + border: 1px solid 
#888; + padding: 0.25em 0.7em; +} + +table.field-list, table.footnote { + border: none; + -moz-box-shadow: none; + -webkit-box-shadow: none; + box-shadow: none; +} + +table.footnote { + margin: 15px 0; + width: 100%; + border: 1px solid #EEE; + background: #FDFDFD; + font-size: 0.9em; +} + +table.footnote + table.footnote { + margin-top: -15px; + border-top: none; +} + +table.field-list th { + padding: 0 0.8em 0 0; +} + +table.field-list td { + padding: 0; +} + +table.field-list p { + margin-bottom: 0.8em; +} + +/* Cloned from + * https://github.com/sphinx-doc/sphinx/commit/ef60dbfce09286b20b7385333d63a60321784e68 + */ +.field-name { + -moz-hyphens: manual; + -ms-hyphens: manual; + -webkit-hyphens: manual; + hyphens: manual; +} + +table.footnote td.label { + width: .1px; + padding: 0.3em 0 0.3em 0.5em; +} + +table.footnote td { + padding: 0.3em 0.5em; +} + +dl { + margin-left: 0; + margin-right: 0; + margin-top: 0; + padding: 0; +} + +dl dd { + margin-left: 30px; +} + +blockquote { + margin: 0 0 0 30px; + padding: 0; +} + +ul, ol { + /* Matches the 30px from the narrow-screen "li > ul" selector below */ + margin: 10px 0 10px 30px; + padding: 0; +} + +pre { + background: #EEE; + padding: 7px 30px; + margin: 15px 0px; + line-height: 1.3em; +} + +div.viewcode-block:target { + background: #ffd; +} + +dl pre, blockquote pre, li pre { + margin-left: 0; + padding-left: 30px; +} + +tt, code { + background-color: #ecf0f3; + color: #222; + /* padding: 1px 2px; */ +} + +tt.xref, code.xref, a tt { + background-color: #FBFBFB; + border-bottom: 1px solid #fff; +} + +a.reference { + text-decoration: none; + border-bottom: 1px dotted #004B6B; +} + +/* Don't put an underline on images */ +a.image-reference, a.image-reference:hover { + border-bottom: none; +} + +a.reference:hover { + border-bottom: 1px solid #6D4100; +} + +a.footnote-reference { + text-decoration: none; + font-size: 0.7em; + vertical-align: top; + border-bottom: 1px dotted #004B6B; +} + +a.footnote-reference:hover { 
+ border-bottom: 1px solid #6D4100; +} + +a:hover tt, a:hover code { + background: #EEE; +} + + +@media screen and (max-width: 870px) { + + div.sphinxsidebar { + display: none; + } + + div.document { + width: 100%; + + } + + div.documentwrapper { + margin-left: 0; + margin-top: 0; + margin-right: 0; + margin-bottom: 0; + } + + div.bodywrapper { + margin-top: 0; + margin-right: 0; + margin-bottom: 0; + margin-left: 0; + } + + ul { + margin-left: 0; + } + + li > ul { + /* Matches the 30px from the "ul, ol" selector above */ + margin-left: 30px; + } + + .document { + width: auto; + } + + .footer { + width: auto; + } + + .bodywrapper { + margin: 0; + } + + .footer { + width: auto; + } + + .github { + display: none; + } + + + +} + + + +@media screen and (max-width: 875px) { + + body { + margin: 0; + padding: 20px 30px; + } + + div.documentwrapper { + float: none; + background: #fff; + } + + div.sphinxsidebar { + display: block; + float: none; + width: 102.5%; + margin: 50px -30px -20px -30px; + padding: 10px 20px; + background: #333; + color: #FFF; + } + + div.sphinxsidebar h3, div.sphinxsidebar h4, div.sphinxsidebar p, + div.sphinxsidebar h3 a { + color: #fff; + } + + div.sphinxsidebar a { + color: #AAA; + } + + div.sphinxsidebar p.logo { + display: none; + } + + div.document { + width: 100%; + margin: 0; + } + + div.footer { + display: none; + } + + div.bodywrapper { + margin: 0; + } + + div.body { + min-height: 0; + padding: 0; + } + + .rtd_doc_footer { + display: none; + } + + .document { + width: auto; + } + + .footer { + width: auto; + } + + .footer { + width: auto; + } + + .github { + display: none; + } +} + + +/* misc. */ + +.revsys-inline { + display: none!important; +} + +/* Make nested-list/multi-paragraph items look better in Releases changelog + * pages. Without this, docutils' magical list fuckery causes inconsistent + * formatting between different release sub-lists. 
+ */ +div#changelog > div.section > ul > li > p:only-child { + margin-bottom: 0; +} + +/* Hide fugly table cell borders in ..bibliography:: directive output */ +table.docutils.citation, table.docutils.citation td, table.docutils.citation th { + border: none; + /* Below needed in some edge cases; if not applied, bottom shadows appear */ + -moz-box-shadow: none; + -webkit-box-shadow: none; + box-shadow: none; +} + + +/* relbar */ + +.related { + line-height: 30px; + width: 100%; + font-size: 0.9rem; +} + +.related.top { + border-bottom: 1px solid #EEE; + margin-bottom: 20px; +} + +.related.bottom { + border-top: 1px solid #EEE; +} + +.related ul { + padding: 0; + margin: 0; + list-style: none; +} + +.related li { + display: inline; +} + +nav#rellinks { + float: right; +} + +nav#rellinks li+li:before { + content: "|"; +} + +nav#breadcrumbs li+li:before { + content: "\00BB"; +} + +/* Hide certain items when printing */ +@media print { + div.related { + display: none; + } +} \ No newline at end of file diff --git a/sqlalcamey/_build/html/_static/basic.css b/sqlalcamey/_build/html/_static/basic.css new file mode 100644 index 000000000..30fee9d0f --- /dev/null +++ b/sqlalcamey/_build/html/_static/basic.css 
@@ -0,0 +1,925 @@ +/* + * basic.css + * ~~~~~~~~~ + * + * Sphinx stylesheet -- basic theme. + * + * :copyright: Copyright 2007-2023 by the Sphinx team, see AUTHORS. + * :license: BSD, see LICENSE for details. + * + */ + +/* -- main layout ----------------------------------------------------------- */ + +div.clearer { + clear: both; +} + +div.section::after { + display: block; + content: ''; + clear: left; +} + +/* -- relbar ---------------------------------------------------------------- */ + +div.related { + width: 100%; + font-size: 90%; +} + +div.related h3 { + display: none; +} + +div.related ul { + margin: 0; + padding: 0 0 0 10px; + list-style: none; +} + +div.related li { + display: inline; +} + +div.related li.right { + float: right; + margin-right: 5px; +} + +/* -- sidebar --------------------------------------------------------------- */ + +div.sphinxsidebarwrapper { + padding: 10px 5px 0 10px; +} + +div.sphinxsidebar { + float: left; + width: 230px; + margin-left: -100%; + font-size: 90%; + word-wrap: break-word; + overflow-wrap : break-word; +} + +div.sphinxsidebar ul { + list-style: none; +} + +div.sphinxsidebar ul ul, +div.sphinxsidebar ul.want-points { + margin-left: 20px; + list-style: square; +} + +div.sphinxsidebar ul ul { + margin-top: 0; + margin-bottom: 0; +} + +div.sphinxsidebar form { + margin-top: 10px; +} + +div.sphinxsidebar input { + border: 1px solid #98dbcc; + font-family: sans-serif; + font-size: 1em; +} + +div.sphinxsidebar #searchbox form.search { + overflow: hidden; +} + +div.sphinxsidebar #searchbox input[type="text"] { + float: left; + width: 80%; + padding: 0.25em; + box-sizing: border-box; +} + +div.sphinxsidebar #searchbox input[type="submit"] { + float: left; + width: 20%; + border-left: none; + padding: 0.25em; + box-sizing: border-box; +} + + +img { + border: 0; + max-width: 100%; +} + +/* -- search page ----------------------------------------------------------- */ + +ul.search { + margin: 10px 0 0 20px; + padding: 0; +} + 
+ul.search li { + padding: 5px 0 5px 20px; + background-image: url(file.png); + background-repeat: no-repeat; + background-position: 0 7px; +} + +ul.search li a { + font-weight: bold; +} + +ul.search li p.context { + color: #888; + margin: 2px 0 0 30px; + text-align: left; +} + +ul.keywordmatches li.goodmatch a { + font-weight: bold; +} + +/* -- index page ------------------------------------------------------------ */ + +table.contentstable { + width: 90%; + margin-left: auto; + margin-right: auto; +} + +table.contentstable p.biglink { + line-height: 150%; +} + +a.biglink { + font-size: 1.3em; +} + +span.linkdescr { + font-style: italic; + padding-top: 5px; + font-size: 90%; +} + +/* -- general index --------------------------------------------------------- */ + +table.indextable { + width: 100%; +} + +table.indextable td { + text-align: left; + vertical-align: top; +} + +table.indextable ul { + margin-top: 0; + margin-bottom: 0; + list-style-type: none; +} + +table.indextable > tbody > tr > td > ul { + padding-left: 0em; +} + +table.indextable tr.pcap { + height: 10px; +} + +table.indextable tr.cap { + margin-top: 10px; + background-color: #f2f2f2; +} + +img.toggler { + margin-right: 3px; + margin-top: 3px; + cursor: pointer; +} + +div.modindex-jumpbox { + border-top: 1px solid #ddd; + border-bottom: 1px solid #ddd; + margin: 1em 0 1em 0; + padding: 0.4em; +} + +div.genindex-jumpbox { + border-top: 1px solid #ddd; + border-bottom: 1px solid #ddd; + margin: 1em 0 1em 0; + padding: 0.4em; +} + +/* -- domain module index --------------------------------------------------- */ + +table.modindextable td { + padding: 2px; + border-collapse: collapse; +} + +/* -- general body styles --------------------------------------------------- */ + +div.body { + min-width: 360px; + max-width: 800px; +} + +div.body p, div.body dd, div.body li, div.body blockquote { + -moz-hyphens: auto; + -ms-hyphens: auto; + -webkit-hyphens: auto; + hyphens: auto; +} + +a.headerlink { + 
visibility: hidden; +} + +a:visited { + color: #551A8B; +} + +h1:hover > a.headerlink, +h2:hover > a.headerlink, +h3:hover > a.headerlink, +h4:hover > a.headerlink, +h5:hover > a.headerlink, +h6:hover > a.headerlink, +dt:hover > a.headerlink, +caption:hover > a.headerlink, +p.caption:hover > a.headerlink, +div.code-block-caption:hover > a.headerlink { + visibility: visible; +} + +div.body p.caption { + text-align: inherit; +} + +div.body td { + text-align: left; +} + +.first { + margin-top: 0 !important; +} + +p.rubric { + margin-top: 30px; + font-weight: bold; +} + +img.align-left, figure.align-left, .figure.align-left, object.align-left { + clear: left; + float: left; + margin-right: 1em; +} + +img.align-right, figure.align-right, .figure.align-right, object.align-right { + clear: right; + float: right; + margin-left: 1em; +} + +img.align-center, figure.align-center, .figure.align-center, object.align-center { + display: block; + margin-left: auto; + margin-right: auto; +} + +img.align-default, figure.align-default, .figure.align-default { + display: block; + margin-left: auto; + margin-right: auto; +} + +.align-left { + text-align: left; +} + +.align-center { + text-align: center; +} + +.align-default { + text-align: center; +} + +.align-right { + text-align: right; +} + +/* -- sidebars -------------------------------------------------------------- */ + +div.sidebar, +aside.sidebar { + margin: 0 0 0.5em 1em; + border: 1px solid #ddb; + padding: 7px; + background-color: #ffe; + width: 40%; + float: right; + clear: right; + overflow-x: auto; +} + +p.sidebar-title { + font-weight: bold; +} + +nav.contents, +aside.topic, +div.admonition, div.topic, blockquote { + clear: left; +} + +/* -- topics ---------------------------------------------------------------- */ + +nav.contents, +aside.topic, +div.topic { + border: 1px solid #ccc; + padding: 7px; + margin: 10px 0 10px 0; +} + +p.topic-title { + font-size: 1.1em; + font-weight: bold; + margin-top: 10px; +} + +/* -- 
admonitions ----------------------------------------------------------- */ + +div.admonition { + margin-top: 10px; + margin-bottom: 10px; + padding: 7px; +} + +div.admonition dt { + font-weight: bold; +} + +p.admonition-title { + margin: 0px 10px 5px 0px; + font-weight: bold; +} + +div.body p.centered { + text-align: center; + margin-top: 25px; +} + +/* -- content of sidebars/topics/admonitions -------------------------------- */ + +div.sidebar > :last-child, +aside.sidebar > :last-child, +nav.contents > :last-child, +aside.topic > :last-child, +div.topic > :last-child, +div.admonition > :last-child { + margin-bottom: 0; +} + +div.sidebar::after, +aside.sidebar::after, +nav.contents::after, +aside.topic::after, +div.topic::after, +div.admonition::after, +blockquote::after { + display: block; + content: ''; + clear: both; +} + +/* -- tables ---------------------------------------------------------------- */ + +table.docutils { + margin-top: 10px; + margin-bottom: 10px; + border: 0; + border-collapse: collapse; +} + +table.align-center { + margin-left: auto; + margin-right: auto; +} + +table.align-default { + margin-left: auto; + margin-right: auto; +} + +table caption span.caption-number { + font-style: italic; +} + +table caption span.caption-text { +} + +table.docutils td, table.docutils th { + padding: 1px 8px 1px 5px; + border-top: 0; + border-left: 0; + border-right: 0; + border-bottom: 1px solid #aaa; +} + +th { + text-align: left; + padding-right: 5px; +} + +table.citation { + border-left: solid 1px gray; + margin-left: 1px; +} + +table.citation td { + border-bottom: none; +} + +th > :first-child, +td > :first-child { + margin-top: 0px; +} + +th > :last-child, +td > :last-child { + margin-bottom: 0px; +} + +/* -- figures --------------------------------------------------------------- */ + +div.figure, figure { + margin: 0.5em; + padding: 0.5em; +} + +div.figure p.caption, figcaption { + padding: 0.3em; +} + +div.figure p.caption span.caption-number, 
+figcaption span.caption-number { + font-style: italic; +} + +div.figure p.caption span.caption-text, +figcaption span.caption-text { +} + +/* -- field list styles ----------------------------------------------------- */ + +table.field-list td, table.field-list th { + border: 0 !important; +} + +.field-list ul { + margin: 0; + padding-left: 1em; +} + +.field-list p { + margin: 0; +} + +.field-name { + -moz-hyphens: manual; + -ms-hyphens: manual; + -webkit-hyphens: manual; + hyphens: manual; +} + +/* -- hlist styles ---------------------------------------------------------- */ + +table.hlist { + margin: 1em 0; +} + +table.hlist td { + vertical-align: top; +} + +/* -- object description styles --------------------------------------------- */ + +.sig { + font-family: 'Consolas', 'Menlo', 'DejaVu Sans Mono', 'Bitstream Vera Sans Mono', monospace; +} + +.sig-name, code.descname { + background-color: transparent; + font-weight: bold; +} + +.sig-name { + font-size: 1.1em; +} + +code.descname { + font-size: 1.2em; +} + +.sig-prename, code.descclassname { + background-color: transparent; +} + +.optional { + font-size: 1.3em; +} + +.sig-paren { + font-size: larger; +} + +.sig-param.n { + font-style: italic; +} + +/* C++ specific styling */ + +.sig-inline.c-texpr, +.sig-inline.cpp-texpr { + font-family: unset; +} + +.sig.c .k, .sig.c .kt, +.sig.cpp .k, .sig.cpp .kt { + color: #0033B3; +} + +.sig.c .m, +.sig.cpp .m { + color: #1750EB; +} + +.sig.c .s, .sig.c .sc, +.sig.cpp .s, .sig.cpp .sc { + color: #067D17; +} + + +/* -- other body styles ----------------------------------------------------- */ + +ol.arabic { + list-style: decimal; +} + +ol.loweralpha { + list-style: lower-alpha; +} + +ol.upperalpha { + list-style: upper-alpha; +} + +ol.lowerroman { + list-style: lower-roman; +} + +ol.upperroman { + list-style: upper-roman; +} + +:not(li) > ol > li:first-child > :first-child, +:not(li) > ul > li:first-child > :first-child { + margin-top: 0px; +} + +:not(li) > ol > 
li:last-child > :last-child, +:not(li) > ul > li:last-child > :last-child { + margin-bottom: 0px; +} + +ol.simple ol p, +ol.simple ul p, +ul.simple ol p, +ul.simple ul p { + margin-top: 0; +} + +ol.simple > li:not(:first-child) > p, +ul.simple > li:not(:first-child) > p { + margin-top: 0; +} + +ol.simple p, +ul.simple p { + margin-bottom: 0; +} + +aside.footnote > span, +div.citation > span { + float: left; +} +aside.footnote > span:last-of-type, +div.citation > span:last-of-type { + padding-right: 0.5em; +} +aside.footnote > p { + margin-left: 2em; +} +div.citation > p { + margin-left: 4em; +} +aside.footnote > p:last-of-type, +div.citation > p:last-of-type { + margin-bottom: 0em; +} +aside.footnote > p:last-of-type:after, +div.citation > p:last-of-type:after { + content: ""; + clear: both; +} + +dl.field-list { + display: grid; + grid-template-columns: fit-content(30%) auto; +} + +dl.field-list > dt { + font-weight: bold; + word-break: break-word; + padding-left: 0.5em; + padding-right: 5px; +} + +dl.field-list > dd { + padding-left: 0.5em; + margin-top: 0em; + margin-left: 0em; + margin-bottom: 0em; +} + +dl { + margin-bottom: 15px; +} + +dd > :first-child { + margin-top: 0px; +} + +dd ul, dd table { + margin-bottom: 10px; +} + +dd { + margin-top: 3px; + margin-bottom: 10px; + margin-left: 30px; +} + +.sig dd { + margin-top: 0px; + margin-bottom: 0px; +} + +.sig dl { + margin-top: 0px; + margin-bottom: 0px; +} + +dl > dd:last-child, +dl > dd:last-child > :last-child { + margin-bottom: 0; +} + +dt:target, span.highlighted { + background-color: #fbe54e; +} + +rect.highlighted { + fill: #fbe54e; +} + +dl.glossary dt { + font-weight: bold; + font-size: 1.1em; +} + +.versionmodified { + font-style: italic; +} + +.system-message { + background-color: #fda; + padding: 5px; + border: 3px solid red; +} + +.footnote:target { + background-color: #ffa; +} + +.line-block { + display: block; + margin-top: 1em; + margin-bottom: 1em; +} + +.line-block .line-block { + 
margin-top: 0; + margin-bottom: 0; + margin-left: 1.5em; +} + +.guilabel, .menuselection { + font-family: sans-serif; +} + +.accelerator { + text-decoration: underline; +} + +.classifier { + font-style: oblique; +} + +.classifier:before { + font-style: normal; + margin: 0 0.5em; + content: ":"; + display: inline-block; +} + +abbr, acronym { + border-bottom: dotted 1px; + cursor: help; +} + +.translated { + background-color: rgba(207, 255, 207, 0.2) +} + +.untranslated { + background-color: rgba(255, 207, 207, 0.2) +} + +/* -- code displays --------------------------------------------------------- */ + +pre { + overflow: auto; + overflow-y: hidden; /* fixes display issues on Chrome browsers */ +} + +pre, div[class*="highlight-"] { + clear: both; +} + +span.pre { + -moz-hyphens: none; + -ms-hyphens: none; + -webkit-hyphens: none; + hyphens: none; + white-space: nowrap; +} + +div[class*="highlight-"] { + margin: 1em 0; +} + +td.linenos pre { + border: 0; + background-color: transparent; + color: #aaa; +} + +table.highlighttable { + display: block; +} + +table.highlighttable tbody { + display: block; +} + +table.highlighttable tr { + display: flex; +} + +table.highlighttable td { + margin: 0; + padding: 0; +} + +table.highlighttable td.linenos { + padding-right: 0.5em; +} + +table.highlighttable td.code { + flex: 1; + overflow: hidden; +} + +.highlight .hll { + display: block; +} + +div.highlight pre, +table.highlighttable pre { + margin: 0; +} + +div.code-block-caption + div { + margin-top: 0; +} + +div.code-block-caption { + margin-top: 1em; + padding: 2px 5px; + font-size: small; +} + +div.code-block-caption code { + background-color: transparent; +} + +table.highlighttable td.linenos, +span.linenos, +div.highlight span.gp { /* gp: Generic.Prompt */ + user-select: none; + -webkit-user-select: text; /* Safari fallback only */ + -webkit-user-select: none; /* Chrome/Safari */ + -moz-user-select: none; /* Firefox */ + -ms-user-select: none; /* IE10+ */ +} + 
+div.code-block-caption span.caption-number { + padding: 0.1em 0.3em; + font-style: italic; +} + +div.code-block-caption span.caption-text { +} + +div.literal-block-wrapper { + margin: 1em 0; +} + +code.xref, a code { + background-color: transparent; + font-weight: bold; +} + +h1 code, h2 code, h3 code, h4 code, h5 code, h6 code { + background-color: transparent; +} + +.viewcode-link { + float: right; +} + +.viewcode-back { + float: right; + font-family: sans-serif; +} + +div.viewcode-block:target { + margin: -1px -10px; + padding: 0 10px; +} + +/* -- math display ---------------------------------------------------------- */ + +img.math { + vertical-align: middle; +} + +div.body div.math p { + text-align: center; +} + +span.eqno { + float: right; +} + +span.eqno a.headerlink { + position: absolute; + z-index: 1; +} + +div.math:hover a.headerlink { + visibility: visible; +} + +/* -- printout stylesheet --------------------------------------------------- */ + +@media print { + div.document, + div.documentwrapper, + div.bodywrapper { + margin: 0 !important; + width: 100%; + } + + div.sphinxsidebar, + div.related, + div.footer, + #top-link { + display: none; + } +} \ No newline at end of file diff --git a/sqlalcamey/_build/html/_static/custom.css b/sqlalcamey/_build/html/_static/custom.css new file mode 100644 index 000000000..2a924f1d6 --- /dev/null +++ b/sqlalcamey/_build/html/_static/custom.css @@ -0,0 +1 @@ +/* This file intentionally left blank. */ diff --git a/sqlalcamey/_build/html/_static/doctools.js b/sqlalcamey/_build/html/_static/doctools.js new file mode 100644 index 000000000..d06a71d75 --- /dev/null +++ b/sqlalcamey/_build/html/_static/doctools.js 
@@ -0,0 +1,156 @@ +/* + * doctools.js + * ~~~~~~~~~~~ + * + * Base JavaScript utilities for all Sphinx HTML documentation. + * + * :copyright: Copyright 2007-2023 by the Sphinx team, see AUTHORS. + * :license: BSD, see LICENSE for details. + * + */ +"use strict"; + +const BLACKLISTED_KEY_CONTROL_ELEMENTS = new Set([ + "TEXTAREA", + "INPUT", + "SELECT", + "BUTTON", +]); + +const _ready = (callback) => { + if (document.readyState !== "loading") { + callback(); + } else { + document.addEventListener("DOMContentLoaded", callback); + } +}; + +/** + * Small JavaScript module for the documentation. + */ +const Documentation = { + init: () => { + Documentation.initDomainIndexTable(); + Documentation.initOnKeyListeners(); + }, + + /** + * i18n support + */ + TRANSLATIONS: {}, + PLURAL_EXPR: (n) => (n === 1 ? 0 : 1), + LOCALE: "unknown", + + // gettext and ngettext don't access this so that the functions + // can safely bound to a different name (_ = Documentation.gettext) + gettext: (string) => { + const translated = Documentation.TRANSLATIONS[string]; + switch (typeof translated) { + case "undefined": + return string; // no translation + case "string": + return translated; // translation exists + default: + return translated[0]; // (singular, plural) translation tuple exists + } + }, + + ngettext: (singular, plural, n) => { + const translated = Documentation.TRANSLATIONS[singular]; + if (typeof translated !== "undefined") + return translated[Documentation.PLURAL_EXPR(n)]; + return n === 1 ? 
singular : plural; + }, + + addTranslations: (catalog) => { + Object.assign(Documentation.TRANSLATIONS, catalog.messages); + Documentation.PLURAL_EXPR = new Function( + "n", + `return (${catalog.plural_expr})` + ); + Documentation.LOCALE = catalog.locale; + }, + + /** + * helper function to focus on search bar + */ + focusSearchBar: () => { + document.querySelectorAll("input[name=q]")[0]?.focus(); + }, + + /** + * Initialise the domain index toggle buttons + */ + initDomainIndexTable: () => { + const toggler = (el) => { + const idNumber = el.id.substr(7); + const toggledRows = document.querySelectorAll(`tr.cg-${idNumber}`); + if (el.src.substr(-9) === "minus.png") { + el.src = `${el.src.substr(0, el.src.length - 9)}plus.png`; + toggledRows.forEach((el) => (el.style.display = "none")); + } else { + el.src = `${el.src.substr(0, el.src.length - 8)}minus.png`; + toggledRows.forEach((el) => (el.style.display = "")); + } + }; + + const togglerElements = document.querySelectorAll("img.toggler"); + togglerElements.forEach((el) => + el.addEventListener("click", (event) => toggler(event.currentTarget)) + ); + togglerElements.forEach((el) => (el.style.display = "")); + if (DOCUMENTATION_OPTIONS.COLLAPSE_INDEX) togglerElements.forEach(toggler); + }, + + initOnKeyListeners: () => { + // only install a listener if it is really needed + if ( + !DOCUMENTATION_OPTIONS.NAVIGATION_WITH_KEYS && + !DOCUMENTATION_OPTIONS.ENABLE_SEARCH_SHORTCUTS + ) + return; + + document.addEventListener("keydown", (event) => { + // bail for input elements + if (BLACKLISTED_KEY_CONTROL_ELEMENTS.has(document.activeElement.tagName)) return; + // bail with special keys + if (event.altKey || event.ctrlKey || event.metaKey) return; + + if (!event.shiftKey) { + switch (event.key) { + case "ArrowLeft": + if (!DOCUMENTATION_OPTIONS.NAVIGATION_WITH_KEYS) break; + + const prevLink = document.querySelector('link[rel="prev"]'); + if (prevLink && prevLink.href) { + window.location.href = prevLink.href; + 
event.preventDefault(); + } + break; + case "ArrowRight": + if (!DOCUMENTATION_OPTIONS.NAVIGATION_WITH_KEYS) break; + + const nextLink = document.querySelector('link[rel="next"]'); + if (nextLink && nextLink.href) { + window.location.href = nextLink.href; + event.preventDefault(); + } + break; + } + } + + // some keyboard layouts may need Shift to get / + switch (event.key) { + case "/": + if (!DOCUMENTATION_OPTIONS.ENABLE_SEARCH_SHORTCUTS) break; + Documentation.focusSearchBar(); + event.preventDefault(); + } + }); + }, +}; + +// quick alias for translations +const _ = Documentation.gettext; + +_ready(Documentation.init); diff --git a/sqlalcamey/_build/html/_static/documentation_options.js b/sqlalcamey/_build/html/_static/documentation_options.js new file mode 100644 index 000000000..7e4c114f2 --- /dev/null +++ b/sqlalcamey/_build/html/_static/documentation_options.js @@ -0,0 +1,13 @@ +const DOCUMENTATION_OPTIONS = { + VERSION: '', + LANGUAGE: 'en', + COLLAPSE_INDEX: false, + BUILDER: 'html', + FILE_SUFFIX: '.html', + LINK_SUFFIX: '.html', + HAS_SOURCE: true, + SOURCELINK_SUFFIX: '.txt', + NAVIGATION_WITH_KEYS: false, + SHOW_SEARCH_SUMMARY: true, + ENABLE_SEARCH_SHORTCUTS: true, +}; \ No newline at end of file diff --git a/sqlalcamey/_build/html/_static/file.png b/sqlalcamey/_build/html/_static/file.png new file mode 100644 index 000000000..a858a410e Binary files /dev/null and b/sqlalcamey/_build/html/_static/file.png differ diff --git a/sqlalcamey/_build/html/_static/language_data.js b/sqlalcamey/_build/html/_static/language_data.js new file mode 100644 index 000000000..250f5665f --- /dev/null +++ b/sqlalcamey/_build/html/_static/language_data.js 
@@ -0,0 +1,199 @@ +/* + * language_data.js + * ~~~~~~~~~~~~~~~~ + * + * This script contains the language-specific data used by searchtools.js, + * namely the list of stopwords, stemmer, scorer and splitter. + * + * :copyright: Copyright 2007-2023 by the Sphinx team, see AUTHORS. + * :license: BSD, see LICENSE for details. + * + */ + +var stopwords = ["a", "and", "are", "as", "at", "be", "but", "by", "for", "if", "in", "into", "is", "it", "near", "no", "not", "of", "on", "or", "such", "that", "the", "their", "then", "there", "these", "they", "this", "to", "was", "will", "with"]; + + +/* Non-minified version is copied as a separate JS file, is available */ + +/** + * Porter Stemmer + */ +var Stemmer = function() { + + var step2list = { + ational: 'ate', + tional: 'tion', + enci: 'ence', + anci: 'ance', + izer: 'ize', + bli: 'ble', + alli: 'al', + entli: 'ent', + eli: 'e', + ousli: 'ous', + ization: 'ize', + ation: 'ate', + ator: 'ate', + alism: 'al', + iveness: 'ive', + fulness: 'ful', + ousness: 'ous', + aliti: 'al', + iviti: 'ive', + biliti: 'ble', + logi: 'log' + }; + + var step3list = { + icate: 'ic', + ative: '', + alize: 'al', + iciti: 'ic', + ical: 'ic', + ful: '', + ness: '' + }; + + var c = "[^aeiou]"; // consonant + var v = "[aeiouy]"; // vowel + var C = c + "[^aeiouy]*"; // consonant sequence + var V = v + "[aeiou]*"; // vowel sequence + + var mgr0 = "^(" + C + ")?" + V + C; // [C]VC... is m>0 + var meq1 = "^(" + C + ")?" + V + C + "(" + V + ")?$"; // [C]VC[V] is m=1 + var mgr1 = "^(" + C + ")?" + V + C + V + C; // [C]VCVC... is m>1 + var s_v = "^(" + C + ")?" 
+ v; // vowel in stem + + this.stemWord = function (w) { + var stem; + var suffix; + var firstch; + var origword = w; + + if (w.length < 3) + return w; + + var re; + var re2; + var re3; + var re4; + + firstch = w.substr(0,1); + if (firstch == "y") + w = firstch.toUpperCase() + w.substr(1); + + // Step 1a + re = /^(.+?)(ss|i)es$/; + re2 = /^(.+?)([^s])s$/; + + if (re.test(w)) + w = w.replace(re,"$1$2"); + else if (re2.test(w)) + w = w.replace(re2,"$1$2"); + + // Step 1b + re = /^(.+?)eed$/; + re2 = /^(.+?)(ed|ing)$/; + if (re.test(w)) { + var fp = re.exec(w); + re = new RegExp(mgr0); + if (re.test(fp[1])) { + re = /.$/; + w = w.replace(re,""); + } + } + else if (re2.test(w)) { + var fp = re2.exec(w); + stem = fp[1]; + re2 = new RegExp(s_v); + if (re2.test(stem)) { + w = stem; + re2 = /(at|bl|iz)$/; + re3 = new RegExp("([^aeiouylsz])\\1$"); + re4 = new RegExp("^" + C + v + "[^aeiouwxy]$"); + if (re2.test(w)) + w = w + "e"; + else if (re3.test(w)) { + re = /.$/; + w = w.replace(re,""); + } + else if (re4.test(w)) + w = w + "e"; + } + } + + // Step 1c + re = /^(.+?)y$/; + if (re.test(w)) { + var fp = re.exec(w); + stem = fp[1]; + re = new RegExp(s_v); + if (re.test(stem)) + w = stem + "i"; + } + + // Step 2 + re = /^(.+?)(ational|tional|enci|anci|izer|bli|alli|entli|eli|ousli|ization|ation|ator|alism|iveness|fulness|ousness|aliti|iviti|biliti|logi)$/; + if (re.test(w)) { + var fp = re.exec(w); + stem = fp[1]; + suffix = fp[2]; + re = new RegExp(mgr0); + if (re.test(stem)) + w = stem + step2list[suffix]; + } + + // Step 3 + re = /^(.+?)(icate|ative|alize|iciti|ical|ful|ness)$/; + if (re.test(w)) { + var fp = re.exec(w); + stem = fp[1]; + suffix = fp[2]; + re = new RegExp(mgr0); + if (re.test(stem)) + w = stem + step3list[suffix]; + } + + // Step 4 + re = /^(.+?)(al|ance|ence|er|ic|able|ible|ant|ement|ment|ent|ou|ism|ate|iti|ous|ive|ize)$/; + re2 = /^(.+?)(s|t)(ion)$/; + if (re.test(w)) { + var fp = re.exec(w); + stem = fp[1]; + re = new RegExp(mgr1); + if 
(re.test(stem)) + w = stem; + } + else if (re2.test(w)) { + var fp = re2.exec(w); + stem = fp[1] + fp[2]; + re2 = new RegExp(mgr1); + if (re2.test(stem)) + w = stem; + } + + // Step 5 + re = /^(.+?)e$/; + if (re.test(w)) { + var fp = re.exec(w); + stem = fp[1]; + re = new RegExp(mgr1); + re2 = new RegExp(meq1); + re3 = new RegExp("^" + C + v + "[^aeiouwxy]$"); + if (re.test(stem) || (re2.test(stem) && !(re3.test(stem)))) + w = stem; + } + re = /ll$/; + re2 = new RegExp(mgr1); + if (re.test(w) && re2.test(w)) { + re = /.$/; + w = w.replace(re,""); + } + + // and turn initial Y back to y + if (firstch == "y") + w = firstch.toLowerCase() + w.substr(1); + return w; + } +} + diff --git a/sqlalcamey/_build/html/_static/minus.png b/sqlalcamey/_build/html/_static/minus.png new file mode 100644 index 000000000..d96755fda Binary files /dev/null and b/sqlalcamey/_build/html/_static/minus.png differ diff --git a/sqlalcamey/_build/html/_static/plus.png b/sqlalcamey/_build/html/_static/plus.png new file mode 100644 index 000000000..7107cec93 Binary files /dev/null and b/sqlalcamey/_build/html/_static/plus.png differ diff --git a/sqlalcamey/_build/html/_static/pygments.css b/sqlalcamey/_build/html/_static/pygments.css new file mode 100644 index 000000000..57c7df37b --- /dev/null +++ b/sqlalcamey/_build/html/_static/pygments.css 
@@ -0,0 +1,84 @@ +pre { line-height: 125%; } +td.linenos .normal { color: inherit; background-color: transparent; padding-left: 5px; padding-right: 5px; } +span.linenos { color: inherit; background-color: transparent; padding-left: 5px; padding-right: 5px; } +td.linenos .special { color: #000000; background-color: #ffffc0; padding-left: 5px; padding-right: 5px; } +span.linenos.special { color: #000000; background-color: #ffffc0; padding-left: 5px; padding-right: 5px; } +.highlight .hll { background-color: #ffffcc } +.highlight { background: #f8f8f8; } +.highlight .c { color: #8f5902; font-style: italic } /* Comment */ +.highlight .err { color: #a40000; border: 1px solid #ef2929 } /* Error */ +.highlight .g { color: #000000 } /* Generic */ +.highlight .k { color: #004461; font-weight: bold } /* Keyword */ +.highlight .l { color: #000000 } /* Literal */ +.highlight .n { color: #000000 } /* Name */ +.highlight .o { color: #582800 } /* Operator */ +.highlight .x { color: #000000 } /* Other */ +.highlight .p { color: #000000; font-weight: bold } /* Punctuation */ +.highlight .ch { color: #8f5902; font-style: italic } /* Comment.Hashbang */ +.highlight .cm { color: #8f5902; font-style: italic } /* Comment.Multiline */ +.highlight .cp { color: #8f5902 } /* Comment.Preproc */ +.highlight .cpf { color: #8f5902; font-style: italic } /* Comment.PreprocFile */ +.highlight .c1 { color: #8f5902; font-style: italic } /* Comment.Single */ +.highlight .cs { color: #8f5902; font-style: italic } /* Comment.Special */ +.highlight .gd { color: #a40000 } /* Generic.Deleted */ +.highlight .ge { color: #000000; font-style: italic } /* Generic.Emph */ +.highlight .ges { color: #000000 } /* Generic.EmphStrong */ +.highlight .gr { color: #ef2929 } /* Generic.Error */ +.highlight .gh { color: #000080; font-weight: bold } /* Generic.Heading */ +.highlight .gi { color: #00A000 } /* Generic.Inserted */ +.highlight .go { color: #888888 } /* Generic.Output */ +.highlight .gp { color: #745334 } /* 
Generic.Prompt */ +.highlight .gs { color: #000000; font-weight: bold } /* Generic.Strong */ +.highlight .gu { color: #800080; font-weight: bold } /* Generic.Subheading */ +.highlight .gt { color: #a40000; font-weight: bold } /* Generic.Traceback */ +.highlight .kc { color: #004461; font-weight: bold } /* Keyword.Constant */ +.highlight .kd { color: #004461; font-weight: bold } /* Keyword.Declaration */ +.highlight .kn { color: #004461; font-weight: bold } /* Keyword.Namespace */ +.highlight .kp { color: #004461; font-weight: bold } /* Keyword.Pseudo */ +.highlight .kr { color: #004461; font-weight: bold } /* Keyword.Reserved */ +.highlight .kt { color: #004461; font-weight: bold } /* Keyword.Type */ +.highlight .ld { color: #000000 } /* Literal.Date */ +.highlight .m { color: #990000 } /* Literal.Number */ +.highlight .s { color: #4e9a06 } /* Literal.String */ +.highlight .na { color: #c4a000 } /* Name.Attribute */ +.highlight .nb { color: #004461 } /* Name.Builtin */ +.highlight .nc { color: #000000 } /* Name.Class */ +.highlight .no { color: #000000 } /* Name.Constant */ +.highlight .nd { color: #888888 } /* Name.Decorator */ +.highlight .ni { color: #ce5c00 } /* Name.Entity */ +.highlight .ne { color: #cc0000; font-weight: bold } /* Name.Exception */ +.highlight .nf { color: #000000 } /* Name.Function */ +.highlight .nl { color: #f57900 } /* Name.Label */ +.highlight .nn { color: #000000 } /* Name.Namespace */ +.highlight .nx { color: #000000 } /* Name.Other */ +.highlight .py { color: #000000 } /* Name.Property */ +.highlight .nt { color: #004461; font-weight: bold } /* Name.Tag */ +.highlight .nv { color: #000000 } /* Name.Variable */ +.highlight .ow { color: #004461; font-weight: bold } /* Operator.Word */ +.highlight .pm { color: #000000; font-weight: bold } /* Punctuation.Marker */ +.highlight .w { color: #f8f8f8; text-decoration: underline } /* Text.Whitespace */ +.highlight .mb { color: #990000 } /* Literal.Number.Bin */ +.highlight .mf { color: #990000 
} /* Literal.Number.Float */ +.highlight .mh { color: #990000 } /* Literal.Number.Hex */ +.highlight .mi { color: #990000 } /* Literal.Number.Integer */ +.highlight .mo { color: #990000 } /* Literal.Number.Oct */ +.highlight .sa { color: #4e9a06 } /* Literal.String.Affix */ +.highlight .sb { color: #4e9a06 } /* Literal.String.Backtick */ +.highlight .sc { color: #4e9a06 } /* Literal.String.Char */ +.highlight .dl { color: #4e9a06 } /* Literal.String.Delimiter */ +.highlight .sd { color: #8f5902; font-style: italic } /* Literal.String.Doc */ +.highlight .s2 { color: #4e9a06 } /* Literal.String.Double */ +.highlight .se { color: #4e9a06 } /* Literal.String.Escape */ +.highlight .sh { color: #4e9a06 } /* Literal.String.Heredoc */ +.highlight .si { color: #4e9a06 } /* Literal.String.Interpol */ +.highlight .sx { color: #4e9a06 } /* Literal.String.Other */ +.highlight .sr { color: #4e9a06 } /* Literal.String.Regex */ +.highlight .s1 { color: #4e9a06 } /* Literal.String.Single */ +.highlight .ss { color: #4e9a06 } /* Literal.String.Symbol */ +.highlight .bp { color: #3465a4 } /* Name.Builtin.Pseudo */ +.highlight .fm { color: #000000 } /* Name.Function.Magic */ +.highlight .vc { color: #000000 } /* Name.Variable.Class */ +.highlight .vg { color: #000000 } /* Name.Variable.Global */ +.highlight .vi { color: #000000 } /* Name.Variable.Instance */ +.highlight .vm { color: #000000 } /* Name.Variable.Magic */ +.highlight .il { color: #990000 } /* Literal.Number.Integer.Long */ \ No newline at end of file diff --git a/sqlalcamey/_build/html/_static/searchtools.js b/sqlalcamey/_build/html/_static/searchtools.js new file mode 100644 index 000000000..7918c3fab --- /dev/null +++ b/sqlalcamey/_build/html/_static/searchtools.js 
@@ -0,0 +1,574 @@ +/* + * searchtools.js + * ~~~~~~~~~~~~~~~~ + * + * Sphinx JavaScript utilities for the full-text search. + * + * :copyright: Copyright 2007-2023 by the Sphinx team, see AUTHORS. + * :license: BSD, see LICENSE for details. + * + */ +"use strict"; + +/** + * Simple result scoring code. + */ +if (typeof Scorer === "undefined") { + var Scorer = { + // Implement the following function to further tweak the score for each result + // The function takes a result array [docname, title, anchor, descr, score, filename] + // and returns the new score. + /* + score: result => { + const [docname, title, anchor, descr, score, filename] = result + return score + }, + */ + + // query matches the full name of an object + objNameMatch: 11, + // or matches in the last dotted part of the object name + objPartialMatch: 6, + // Additive scores depending on the priority of the object + objPrio: { + 0: 15, // used to be importantResults + 1: 5, // used to be objectResults + 2: -5, // used to be unimportantResults + }, + // Used when the priority is not in the mapping. 
+ objPrioDefault: 0, + + // query found in title + title: 15, + partialTitle: 7, + // query found in terms + term: 5, + partialTerm: 2, + }; +} + +const _removeChildren = (element) => { + while (element && element.lastChild) element.removeChild(element.lastChild); +}; + +/** + * See https://developer.mozilla.org/en-US/docs/Web/JavaScript/Guide/Regular_Expressions#escaping + */ +const _escapeRegExp = (string) => + string.replace(/[.*+\-?^${}()|[\]\\]/g, "\\$&"); // $& means the whole matched string + +const _displayItem = (item, searchTerms, highlightTerms) => { + const docBuilder = DOCUMENTATION_OPTIONS.BUILDER; + const docFileSuffix = DOCUMENTATION_OPTIONS.FILE_SUFFIX; + const docLinkSuffix = DOCUMENTATION_OPTIONS.LINK_SUFFIX; + const showSearchSummary = DOCUMENTATION_OPTIONS.SHOW_SEARCH_SUMMARY; + const contentRoot = document.documentElement.dataset.content_root; + + const [docName, title, anchor, descr, score, _filename] = item; + + let listItem = document.createElement("li"); + let requestUrl; + let linkUrl; + if (docBuilder === "dirhtml") { + // dirhtml builder + let dirname = docName + "/"; + if (dirname.match(/\/index\/$/)) + dirname = dirname.substring(0, dirname.length - 6); + else if (dirname === "index/") dirname = ""; + requestUrl = contentRoot + dirname; + linkUrl = requestUrl; + } else { + // normal html builders + requestUrl = contentRoot + docName + docFileSuffix; + linkUrl = docName + docLinkSuffix; + } + let linkEl = listItem.appendChild(document.createElement("a")); + linkEl.href = linkUrl + anchor; + linkEl.dataset.score = score; + linkEl.innerHTML = title; + if (descr) { + listItem.appendChild(document.createElement("span")).innerHTML = + " (" + descr + ")"; + // highlight search terms in the description + if (SPHINX_HIGHLIGHT_ENABLED) // set in sphinx_highlight.js + highlightTerms.forEach((term) => _highlightText(listItem, term, "highlighted")); + } + else if (showSearchSummary) + fetch(requestUrl) + .then((responseData) => 
responseData.text()) + .then((data) => { + if (data) + listItem.appendChild( + Search.makeSearchSummary(data, searchTerms) + ); + // highlight search terms in the summary + if (SPHINX_HIGHLIGHT_ENABLED) // set in sphinx_highlight.js + highlightTerms.forEach((term) => _highlightText(listItem, term, "highlighted")); + }); + Search.output.appendChild(listItem); +}; +const _finishSearch = (resultCount) => { + Search.stopPulse(); + Search.title.innerText = _("Search Results"); + if (!resultCount) + Search.status.innerText = Documentation.gettext( + "Your search did not match any documents. Please make sure that all words are spelled correctly and that you've selected enough categories." + ); + else + Search.status.innerText = _( + `Search finished, found ${resultCount} page(s) matching the search query.` + ); +}; +const _displayNextItem = ( + results, + resultCount, + searchTerms, + highlightTerms, +) => { + // results left, load the summary and display it + // this is intended to be dynamic (don't sub resultsCount) + if (results.length) { + _displayItem(results.pop(), searchTerms, highlightTerms); + setTimeout( + () => _displayNextItem(results, resultCount, searchTerms, highlightTerms), + 5 + ); + } + // search finished, update title and status message + else _finishSearch(resultCount); +}; + +/** + * Default splitQuery function. Can be overridden in ``sphinx.search`` with a + * custom function per language. + * + * The regular expression works by splitting the string on consecutive characters + * that are not Unicode letters, numbers, underscores, or emoji characters. + * This is the same as ``\W+`` in Python, preserving the surrogate pair area. 
+ */ +if (typeof splitQuery === "undefined") { + var splitQuery = (query) => query + .split(/[^\p{Letter}\p{Number}_\p{Emoji_Presentation}]+/gu) + .filter(term => term) // remove remaining empty strings +} + +/** + * Search Module + */ +const Search = { + _index: null, + _queued_query: null, + _pulse_status: -1, + + htmlToText: (htmlString) => { + const htmlElement = new DOMParser().parseFromString(htmlString, 'text/html'); + htmlElement.querySelectorAll(".headerlink").forEach((el) => { el.remove() }); + const docContent = htmlElement.querySelector('[role="main"]'); + if (docContent !== undefined) return docContent.textContent; + console.warn( + "Content block not found. Sphinx search tries to obtain it via '[role=main]'. Could you check your theme or template." + ); + return ""; + }, + + init: () => { + const query = new URLSearchParams(window.location.search).get("q"); + document + .querySelectorAll('input[name="q"]') + .forEach((el) => (el.value = query)); + if (query) Search.performSearch(query); + }, + + loadIndex: (url) => + (document.body.appendChild(document.createElement("script")).src = url), + + setIndex: (index) => { + Search._index = index; + if (Search._queued_query !== null) { + const query = Search._queued_query; + Search._queued_query = null; + Search.query(query); + } + }, + + hasIndex: () => Search._index !== null, + + deferQuery: (query) => (Search._queued_query = query), + + stopPulse: () => (Search._pulse_status = -1), + + startPulse: () => { + if (Search._pulse_status >= 0) return; + + const pulse = () => { + Search._pulse_status = (Search._pulse_status + 1) % 4; + Search.dots.innerText = ".".repeat(Search._pulse_status); + if (Search._pulse_status >= 0) window.setTimeout(pulse, 500); + }; + pulse(); + }, + + /** + * perform a search for something (or wait until index is loaded) + */ + performSearch: (query) => { + // create the required interface elements + const searchText = document.createElement("h2"); + searchText.textContent = 
_("Searching"); + const searchSummary = document.createElement("p"); + searchSummary.classList.add("search-summary"); + searchSummary.innerText = ""; + const searchList = document.createElement("ul"); + searchList.classList.add("search"); + + const out = document.getElementById("search-results"); + Search.title = out.appendChild(searchText); + Search.dots = Search.title.appendChild(document.createElement("span")); + Search.status = out.appendChild(searchSummary); + Search.output = out.appendChild(searchList); + + const searchProgress = document.getElementById("search-progress"); + // Some themes don't use the search progress node + if (searchProgress) { + searchProgress.innerText = _("Preparing search..."); + } + Search.startPulse(); + + // index already loaded, the browser was quick! + if (Search.hasIndex()) Search.query(query); + else Search.deferQuery(query); + }, + + /** + * execute search (requires search index to be loaded) + */ + query: (query) => { + const filenames = Search._index.filenames; + const docNames = Search._index.docnames; + const titles = Search._index.titles; + const allTitles = Search._index.alltitles; + const indexEntries = Search._index.indexentries; + + // stem the search terms and add them to the correct list + const stemmer = new Stemmer(); + const searchTerms = new Set(); + const excludedTerms = new Set(); + const highlightTerms = new Set(); + const objectTerms = new Set(splitQuery(query.toLowerCase().trim())); + splitQuery(query.trim()).forEach((queryTerm) => { + const queryTermLower = queryTerm.toLowerCase(); + + // maybe skip this "word" + // stopwords array is from language_data.js + if ( + stopwords.indexOf(queryTermLower) !== -1 || + queryTerm.match(/^\d+$/) + ) + return; + + // stem the word + let word = stemmer.stemWord(queryTermLower); + // select the correct list + if (word[0] === "-") excludedTerms.add(word.substr(1)); + else { + searchTerms.add(word); + highlightTerms.add(queryTermLower); + } + }); + + if 
(SPHINX_HIGHLIGHT_ENABLED) { // set in sphinx_highlight.js + localStorage.setItem("sphinx_highlight_terms", [...highlightTerms].join(" ")) + } + + // console.debug("SEARCH: searching for:"); + // console.info("required: ", [...searchTerms]); + // console.info("excluded: ", [...excludedTerms]); + + // array of [docname, title, anchor, descr, score, filename] + let results = []; + _removeChildren(document.getElementById("search-progress")); + + const queryLower = query.toLowerCase(); + for (const [title, foundTitles] of Object.entries(allTitles)) { + if (title.toLowerCase().includes(queryLower) && (queryLower.length >= title.length/2)) { + for (const [file, id] of foundTitles) { + let score = Math.round(100 * queryLower.length / title.length) + results.push([ + docNames[file], + titles[file] !== title ? `${titles[file]} > ${title}` : title, + id !== null ? "#" + id : "", + null, + score, + filenames[file], + ]); + } + } + } + + // search for explicit entries in index directives + for (const [entry, foundEntries] of Object.entries(indexEntries)) { + if (entry.includes(queryLower) && (queryLower.length >= entry.length/2)) { + for (const [file, id] of foundEntries) { + let score = Math.round(100 * queryLower.length / entry.length) + results.push([ + docNames[file], + titles[file], + id ? 
"#" + id : "", + null, + score, + filenames[file], + ]); + } + } + } + + // lookup as object + objectTerms.forEach((term) => + results.push(...Search.performObjectSearch(term, objectTerms)) + ); + + // lookup as search terms in fulltext + results.push(...Search.performTermsSearch(searchTerms, excludedTerms)); + + // let the scorer override scores with a custom scoring function + if (Scorer.score) results.forEach((item) => (item[4] = Scorer.score(item))); + + // now sort the results by score (in opposite order of appearance, since the + // display function below uses pop() to retrieve items) and then + // alphabetically + results.sort((a, b) => { + const leftScore = a[4]; + const rightScore = b[4]; + if (leftScore === rightScore) { + // same score: sort alphabetically + const leftTitle = a[1].toLowerCase(); + const rightTitle = b[1].toLowerCase(); + if (leftTitle === rightTitle) return 0; + return leftTitle > rightTitle ? -1 : 1; // inverted is intentional + } + return leftScore > rightScore ? 
1 : -1; + }); + + // remove duplicate search results + // note the reversing of results, so that in the case of duplicates, the highest-scoring entry is kept + let seen = new Set(); + results = results.reverse().reduce((acc, result) => { + let resultStr = result.slice(0, 4).concat([result[5]]).map(v => String(v)).join(','); + if (!seen.has(resultStr)) { + acc.push(result); + seen.add(resultStr); + } + return acc; + }, []); + + results = results.reverse(); + + // for debugging + //Search.lastresults = results.slice(); // a copy + // console.info("search results:", Search.lastresults); + + // print the results + _displayNextItem(results, results.length, searchTerms, highlightTerms); + }, + + /** + * search for object names + */ + performObjectSearch: (object, objectTerms) => { + const filenames = Search._index.filenames; + const docNames = Search._index.docnames; + const objects = Search._index.objects; + const objNames = Search._index.objnames; + const titles = Search._index.titles; + + const results = []; + + const objectSearchCallback = (prefix, match) => { + const name = match[4] + const fullname = (prefix ? prefix + "." : "") + name; + const fullnameLower = fullname.toLowerCase(); + if (fullnameLower.indexOf(object) < 0) return; + + let score = 0; + const parts = fullnameLower.split("."); + + // check for different match types: exact matches of full name or + // "last name" (i.e. 
last dotted part) + if (fullnameLower === object || parts.slice(-1)[0] === object) + score += Scorer.objNameMatch; + else if (parts.slice(-1)[0].indexOf(object) > -1) + score += Scorer.objPartialMatch; // matches in last name + + const objName = objNames[match[1]][2]; + const title = titles[match[0]]; + + // If more than one term searched for, we require other words to be + // found in the name/title/description + const otherTerms = new Set(objectTerms); + otherTerms.delete(object); + if (otherTerms.size > 0) { + const haystack = `${prefix} ${name} ${objName} ${title}`.toLowerCase(); + if ( + [...otherTerms].some((otherTerm) => haystack.indexOf(otherTerm) < 0) + ) + return; + } + + let anchor = match[3]; + if (anchor === "") anchor = fullname; + else if (anchor === "-") anchor = objNames[match[1]][1] + "-" + fullname; + + const descr = objName + _(", in ") + title; + + // add custom score for some objects according to scorer + if (Scorer.objPrio.hasOwnProperty(match[2])) + score += Scorer.objPrio[match[2]]; + else score += Scorer.objPrioDefault; + + results.push([ + docNames[match[0]], + fullname, + "#" + anchor, + descr, + score, + filenames[match[0]], + ]); + }; + Object.keys(objects).forEach((prefix) => + objects[prefix].forEach((array) => + objectSearchCallback(prefix, array) + ) + ); + return results; + }, + + /** + * search for full-text terms in the index + */ + performTermsSearch: (searchTerms, excludedTerms) => { + // prepare search + const terms = Search._index.terms; + const titleTerms = Search._index.titleterms; + const filenames = Search._index.filenames; + const docNames = Search._index.docnames; + const titles = Search._index.titles; + + const scoreMap = new Map(); + const fileMap = new Map(); + + // perform the search on the required terms + searchTerms.forEach((word) => { + const files = []; + const arr = [ + { files: terms[word], score: Scorer.term }, + { files: titleTerms[word], score: Scorer.title }, + ]; + // add support for partial matches + 
if (word.length > 2) { + const escapedWord = _escapeRegExp(word); + Object.keys(terms).forEach((term) => { + if (term.match(escapedWord) && !terms[word]) + arr.push({ files: terms[term], score: Scorer.partialTerm }); + }); + Object.keys(titleTerms).forEach((term) => { + if (term.match(escapedWord) && !titleTerms[word]) + arr.push({ files: titleTerms[word], score: Scorer.partialTitle }); + }); + } + + // no match but word was a required one + if (arr.every((record) => record.files === undefined)) return; + + // found search word in contents + arr.forEach((record) => { + if (record.files === undefined) return; + + let recordFiles = record.files; + if (recordFiles.length === undefined) recordFiles = [recordFiles]; + files.push(...recordFiles); + + // set score for the word in each file + recordFiles.forEach((file) => { + if (!scoreMap.has(file)) scoreMap.set(file, {}); + scoreMap.get(file)[word] = record.score; + }); + }); + + // create the mapping + files.forEach((file) => { + if (fileMap.has(file) && fileMap.get(file).indexOf(word) === -1) + fileMap.get(file).push(word); + else fileMap.set(file, [word]); + }); + }); + + // now check if the files don't contain excluded terms + const results = []; + for (const [file, wordList] of fileMap) { + // check if all requirements are matched + + // as search terms with length < 3 are discarded + const filteredTermCount = [...searchTerms].filter( + (term) => term.length > 2 + ).length; + if ( + wordList.length !== searchTerms.size && + wordList.length !== filteredTermCount + ) + continue; + + // ensure that none of the excluded terms is in the search result + if ( + [...excludedTerms].some( + (term) => + terms[term] === file || + titleTerms[term] === file || + (terms[term] || []).includes(file) || + (titleTerms[term] || []).includes(file) + ) + ) + break; + + // select one (max) score for the file. 
+ const score = Math.max(...wordList.map((w) => scoreMap.get(file)[w])); + // add result to the result list + results.push([ + docNames[file], + titles[file], + "", + null, + score, + filenames[file], + ]); + } + return results; + }, + + /** + * helper function to return a node containing the + * search summary for a given text. keywords is a list + * of stemmed words. + */ + makeSearchSummary: (htmlText, keywords) => { + const text = Search.htmlToText(htmlText); + if (text === "") return null; + + const textLower = text.toLowerCase(); + const actualStartPosition = [...keywords] + .map((k) => textLower.indexOf(k.toLowerCase())) + .filter((i) => i > -1) + .slice(-1)[0]; + const startWithContext = Math.max(actualStartPosition - 120, 0); + + const top = startWithContext === 0 ? "" : "..."; + const tail = startWithContext + 240 < text.length ? "..." : ""; + + let summary = document.createElement("p"); + summary.classList.add("context"); + summary.textContent = top + text.substr(startWithContext, 240).trim() + tail; + + return summary; + }, +}; + +_ready(Search.init); diff --git a/sqlalcamey/_build/html/_static/sphinx_highlight.js b/sqlalcamey/_build/html/_static/sphinx_highlight.js new file mode 100644 index 000000000..8a96c69a1 --- /dev/null +++ b/sqlalcamey/_build/html/_static/sphinx_highlight.js 
@@ -0,0 +1,154 @@ +/* Highlighting utilities for Sphinx HTML documentation. */ +"use strict"; + +const SPHINX_HIGHLIGHT_ENABLED = true + +/** + * highlight a given string on a node by wrapping it in + * span elements with the given class name. + */ +const _highlight = (node, addItems, text, className) => { + if (node.nodeType === Node.TEXT_NODE) { + const val = node.nodeValue; + const parent = node.parentNode; + const pos = val.toLowerCase().indexOf(text); + if ( + pos >= 0 && + !parent.classList.contains(className) && + !parent.classList.contains("nohighlight") + ) { + let span; + + const closestNode = parent.closest("body, svg, foreignObject"); + const isInSVG = closestNode && closestNode.matches("svg"); + if (isInSVG) { + span = document.createElementNS("http://www.w3.org/2000/svg", "tspan"); + } else { + span = document.createElement("span"); + span.classList.add(className); + } + + span.appendChild(document.createTextNode(val.substr(pos, text.length))); + const rest = document.createTextNode(val.substr(pos + text.length)); + parent.insertBefore( + span, + parent.insertBefore( + rest, + node.nextSibling + ) + ); + node.nodeValue = val.substr(0, pos); + /* There may be more occurrences of search term in this node. So call this + * function recursively on the remaining fragment. 
+ */ + _highlight(rest, addItems, text, className); + + if (isInSVG) { + const rect = document.createElementNS( + "http://www.w3.org/2000/svg", + "rect" + ); + const bbox = parent.getBBox(); + rect.x.baseVal.value = bbox.x; + rect.y.baseVal.value = bbox.y; + rect.width.baseVal.value = bbox.width; + rect.height.baseVal.value = bbox.height; + rect.setAttribute("class", className); + addItems.push({ parent: parent, target: rect }); + } + } + } else if (node.matches && !node.matches("button, select, textarea")) { + node.childNodes.forEach((el) => _highlight(el, addItems, text, className)); + } +}; +const _highlightText = (thisNode, text, className) => { + let addItems = []; + _highlight(thisNode, addItems, text, className); + addItems.forEach((obj) => + obj.parent.insertAdjacentElement("beforebegin", obj.target) + ); +}; + +/** + * Small JavaScript module for the documentation. + */ +const SphinxHighlight = { + + /** + * highlight the search words provided in localstorage in the text + */ + highlightSearchWords: () => { + if (!SPHINX_HIGHLIGHT_ENABLED) return; // bail if no highlight + + // get and clear terms from localstorage + const url = new URL(window.location); + const highlight = + localStorage.getItem("sphinx_highlight_terms") + || url.searchParams.get("highlight") + || ""; + localStorage.removeItem("sphinx_highlight_terms") + url.searchParams.delete("highlight"); + window.history.replaceState({}, "", url); + + // get individual terms from highlight string + const terms = highlight.toLowerCase().split(/\s+/).filter(x => x); + if (terms.length === 0) return; // nothing to do + + // There should never be more than one element matching "div.body" + const divBody = document.querySelectorAll("div.body"); + const body = divBody.length ? 
divBody[0] : document.querySelector("body"); + window.setTimeout(() => { + terms.forEach((term) => _highlightText(body, term, "highlighted")); + }, 10); + + const searchBox = document.getElementById("searchbox"); + if (searchBox === null) return; + searchBox.appendChild( + document + .createRange() + .createContextualFragment( + '" + ) + ); + }, + + /** + * helper function to hide the search marks again + */ + hideSearchWords: () => { + document + .querySelectorAll("#searchbox .highlight-link") + .forEach((el) => el.remove()); + document + .querySelectorAll("span.highlighted") + .forEach((el) => el.classList.remove("highlighted")); + localStorage.removeItem("sphinx_highlight_terms") + }, + + initEscapeListener: () => { + // only install a listener if it is really needed + if (!DOCUMENTATION_OPTIONS.ENABLE_SEARCH_SHORTCUTS) return; + + document.addEventListener("keydown", (event) => { + // bail for input elements + if (BLACKLISTED_KEY_CONTROL_ELEMENTS.has(document.activeElement.tagName)) return; + // bail with special keys + if (event.shiftKey || event.altKey || event.ctrlKey || event.metaKey) return; + if (DOCUMENTATION_OPTIONS.ENABLE_SEARCH_SHORTCUTS && (event.key === "Escape")) { + SphinxHighlight.hideSearchWords(); + event.preventDefault(); + } + }); + }, +}; + +_ready(() => { + /* Do not call highlightSearchWords() when we are on the search page. + * It will highlight words from the *previous* search query. + */ + if (typeof Search === "undefined") SphinxHighlight.highlightSearchWords(); + SphinxHighlight.initEscapeListener(); +}); diff --git a/sqlalcamey/_build/html/genindex.html b/sqlalcamey/_build/html/genindex.html new file mode 100644 index 000000000..da08c1eb1 --- /dev/null +++ b/sqlalcamey/_build/html/genindex.html @@ -0,0 +1,98 @@ + + + + + + + Index — MITRE SAF Security Guidance Database documentation + + + + + + + + + + + + + + + + +
+
+
+ + +
+ + +

Index

+ +
+ +
+ + +
+ +
+
+ +
+
+ + + + + + + \ No newline at end of file diff --git a/sqlalcamey/_build/html/index.html b/sqlalcamey/_build/html/index.html new file mode 100644 index 000000000..e74457d52 --- /dev/null +++ b/sqlalcamey/_build/html/index.html @@ -0,0 +1,109 @@ + + + + + + + + Welcome to MITRE SAF Security Guidance Database’s documentation! — MITRE SAF Security Guidance Database documentation + + + + + + + + + + + + + + + + +
+
+
+ + +
+ +
+

Welcome to MITRE SAF Security Guidance Database’s documentation!¶

+
+
+
+
+

Indices and tables¶

+ +
+ + +
+ +
+
+ +
+
+ + + + + + + \ No newline at end of file diff --git a/sqlalcamey/_build/html/objects.inv b/sqlalcamey/_build/html/objects.inv new file mode 100644 index 000000000..d61444880 --- /dev/null +++ b/sqlalcamey/_build/html/objects.inv @@ -0,0 +1,7 @@ +# Sphinx inventory version 2 +# Project: MITRE SAF Security Guidance Database +# Version: +# The remainder of this file is compressed using zlib. +xÚ…ŽM +Â0…÷=Åx€ +nÝ þÐEA¬àzš m ÉH3»ó^Ï“hIÅwÃ{ï{óòÆkºA½¶X“…|ͨ.[qŠá̾1ÍjM²Š0”Åù´ƒj³‡ŠTìŒôpˆF£W[¬1Ðóþðn‰Ž¼ ö‹Ì±þ1äÚç#}*YGK㤉û;öÒ²ŸÓ°SíLZbªä±¡ì Zi2 \ No newline at end of file diff --git a/sqlalcamey/_build/html/search.html b/sqlalcamey/_build/html/search.html new file mode 100644 index 000000000..d03aa0eed --- /dev/null +++ b/sqlalcamey/_build/html/search.html @@ -0,0 +1,117 @@ + + + + + + + Search — MITRE SAF Security Guidance Database documentation + + + + + + + + + + + + + + + + + + + + + + +
+
+
+ + +
+ +

Search

+ + + + +

+ Searching for multiple words only shows matches that contain + all words. +

+ + +
+ + + +
+ + + +
+ +
+ + +
+ +
+
+ +
+
+ + + + + + + \ No newline at end of file diff --git a/sqlalcamey/_build/html/searchindex.js b/sqlalcamey/_build/html/searchindex.js new file mode 100644 index 000000000..45de81fd7 --- /dev/null +++ b/sqlalcamey/_build/html/searchindex.js @@ -0,0 +1 @@ +Search.setIndex({"docnames": ["index"], "filenames": ["index.rst"], "titles": ["Welcome to MITRE SAF Security Guidance Database\u2019s documentation!"], "terms": {"index": 0, "modul": 0, "search": 0, "page": 0}, "objects": {}, "objtypes": {}, "objnames": {}, "titleterms": {"welcom": 0, "mitr": 0, "saf": 0, "secur": 0, "guidanc": 0, "databas": 0, "": 0, "document": 0, "indic": 0, "tabl": 0}, "envversion": {"sphinx.domains.c": 3, "sphinx.domains.changeset": 1, "sphinx.domains.citation": 1, "sphinx.domains.cpp": 9, "sphinx.domains.index": 1, "sphinx.domains.javascript": 3, "sphinx.domains.math": 2, "sphinx.domains.python": 4, "sphinx.domains.rst": 2, "sphinx.domains.std": 2, "sphinx": 60}, "alltitles": {"Welcome to MITRE SAF Security Guidance Database\u2019s documentation!": [[0, "welcome-to-mitre-saf-security-guidance-database-s-documentation"]], "Indices and tables": [[0, "indices-and-tables"]]}, "indexentries": {}}) \ No newline at end of file diff --git a/sqlalcamey/conf.py b/sqlalcamey/conf.py new file mode 100644 index 000000000..7a413451c --- /dev/null +++ b/sqlalcamey/conf.py 
@@ -0,0 +1,26 @@
+# Configuration file for the Sphinx documentation builder.
+#
+# For the full list of built-in configuration values, see the documentation:
+# https://www.sphinx-doc.org/en/master/usage/configuration.html
+
+# -- Project information -----------------------------------------------------
+# https://www.sphinx-doc.org/en/master/usage/configuration.html#project-information
+
+project = "MITRE SAF Security Guidance Database"
+copyright = "2023, Aaron Lippold "
+author = "Aaron Lippold "
+
+# -- General configuration ---------------------------------------------------
+# https://www.sphinx-doc.org/en/master/usage/configuration.html#general-configuration
+
+extensions = []
+
+templates_path = ["_templates"]
+exclude_patterns = ["_build", "Thumbs.db", ".DS_Store"]
+
+
+# -- Options for HTML output -------------------------------------------------
+# https://www.sphinx-doc.org/en/master/usage/configuration.html#options-for-html-output
+
+html_theme = "alabaster"
+html_static_path = ["_static"]
diff --git a/sqlalcamey/database.py b/sqlalcamey/database.py
new file mode 100644
index 000000000..d402a2931
--- /dev/null
+++ b/sqlalcamey/database.py
@@ -0,0 +1,10 @@
+# database.py
+from sqlalchemy import create_engine
+from sqlalchemy.orm import sessionmaker
+
+engine = create_engine("sqlite:///benchmarks.db")
+Session = sessionmaker(bind=engine)
+
+
+def get_session():
+ return Session()
diff --git a/sqlalcamey/index.rst b/sqlalcamey/index.rst
new file mode 100644
index 000000000..8e57a483a
--- /dev/null
+++ b/sqlalcamey/index.rst
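Review bot: This config lists `_build` in `exclude_patterns`, i.e. treats it as build output, yet the same commit adds the rendered tree under `sqlalcamey/_build/html/` (`sphinx_highlight.js`, `genindex.html`, `objects.inv`, `searchindex.js`, ...), which will go stale on every docs change and brings vendored JavaScript into the repository that nobody reviews. I would drop those files from the commit and ignore the directory instead, e.g. add `_build/` to `.gitignore`. The trailing space inside `copyright = "2023, Aaron Lippold "` and `author = "Aaron Lippold "` looks like an e-mail address that was stripped out; confirm the intended value.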
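Review bot: `engine = create_engine("sqlite:///benchmarks.db")` hard-codes a relative path, so the database is opened, or silently created, wherever the process happens to be started (a pre-existing `benchmarks.db` in a shared working directory would be used as-is), and a deployment cannot point at another file or a server-backed URL without editing code. Read the URL from the environment with the current value as the fallback: `import os`, `DATABASE_URL = os.environ.get("SAF_DATABASE_URL", "sqlite:///benchmarks.db")`, `engine = create_engine(DATABASE_URL)`. `get_session()` also hands back a raw `Session` that every caller must remember to close; a `contextlib.contextmanager` wrapper that yields the session and closes it in `finally` would make that harder to get wrong, and a module docstring noting that the engine is created at import time would help readers of `interfaces.py`.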
@@ -0,0 +1,20 @@
+.. MITRE SAF Security Guidance Database documentation master file, created by
+ sphinx-quickstart on Mon Dec 18 01:56:18 2023.
+ You can adapt this file completely to your liking, but it should at least
+ contain the root `toctree` directive.
+
+Welcome to MITRE SAF Security Guidance Database's documentation!
+================================================================
+
+.. toctree::
+ :maxdepth: 2
+ :caption: Contents:
+
+
+
+Indices and tables
+==================
+
+* :ref:`genindex`
+* :ref:`modindex`
+* :ref:`search`
diff --git a/sqlalcamey/interfaces.py b/sqlalcamey/interfaces.py
new file mode 100644
index 000000000..9dcd17694
--- /dev/null
+++ b/sqlalcamey/interfaces.py
@@ -0,0 +1,663 @@ +from sqlalchemy.orm import Session +from .models import ( + BenchmarkArtifacts, + Artifact, + Benchmarks, + Organization, + Products, + ArtifactTypes, + BenchmarkType, +) + + +class SecurityGuidance: + @staticmethod + def add_benchmark_artifact(session, benchmark_id, artifact_id, is_default): + """ + Adds a new benchmark artifact to the benchmark_artifacts table. + + Args: + session (sqlalchemy.orm.Session): The session object used to execute database queries. + benchmark_id (int): The ID of the benchmark. + artifact_id (int): The ID of the artifact. + is_default (bool): Whether the artifact is the default one for the benchmark. + + Returns: + None + """ + new_benchmark_artifact = BenchmarkArtifacts( + benchmark_id=benchmark_id, artifact_id=artifact_id, is_default=is_default + ) + session.add(new_benchmark_artifact) + session.commit() + + @staticmethod + def update_benchmark_artifact(session, benchmark_id, artifact_id, is_default): + """ + Updates an existing benchmark artifact in the benchmark_artifacts table. + + Args: + session (sqlalchemy.orm.Session): The session object used to execute database queries. + benchmark_id (int): The ID of the benchmark. + artifact_id (int): The ID of the artifact. + is_default (bool): Whether the artifact is the default one for the benchmark. + + Returns: + None + """ + benchmark_artifact = ( + session.query(BenchmarkArtifacts) + .filter_by(benchmark_id=benchmark_id, artifact_id=artifact_id) + .first() + ) + if benchmark_artifact is not None: + benchmark_artifact.is_default = is_default + session.commit() + + @staticmethod + def create_artifact( + session: Session, + type_id: int, + owner_id: int, + name: str, + location: str, + secondary_location: str, + created_at: date, + raw_data: str, + ): + """ + Creates a new Artifact and adds it to the database. + + Args: + session (Session): The session to use for database operations. + type_id (int): The ID of the artifact type. 
+ owner_id (int): The ID of the owner of the artifact. + name (str): The name of the artifact. + location (str): The primary location of the artifact. + secondary_location (str): The secondary location of the artifact. + created_at (date): The date the artifact was created. + raw_data (str): The raw data of the artifact. + + Returns: + None + """ + artifact = Artifact( + type_id=type_id, + owner_id=owner_id, + name=name, + location=location, + secondary_location=secondary_location, + created_at=created_at, + raw_data=raw_data, + ) + session.add(artifact) + session.commit() + + def get_artifact_by_id(session: Session, artifact_id: int): + """ + Retrieves an Artifact from the database by its ID. + + Args: + session (Session): The session to use for database operations. + artifact_id (int): The ID of the artifact to retrieve. + + Returns: + Artifact: The retrieved Artifact, or None if no Artifact with the given ID exists. + """ + return ( + session.query(Artifact).filter(Artifact.artifact_id == artifact_id).first() + ) + + def create_benchmark( + session: Session, + version: int, + release: int, + release_date: date, + type_id: int, + product_id: int, + author_id: int, + sponsor_id: int, + status_id: int, + ): + """ + Creates a new Benchmark and adds it to the database. + + Args: + session (Session): The session to use for database operations. + version (int): The version of the benchmark. + release (int): The release of the benchmark. + release_date (date): The release date of the benchmark. + type_id (int): The ID of the benchmark type. + product_id (int): The ID of the product associated with the benchmark. + author_id (int): The ID of the author of the benchmark. + sponsor_id (int): The ID of the sponsor of the benchmark. + status_id (int): The ID of the status of the benchmark. 
+ + Returns: + None + """ + benchmark = Benchmarks( + version=version, + release=release, + release_date=release_date, + type_id=type_id, + product_id=product_id, + author_id=author_id, + sponsor_id=sponsor_id, + status_id=status_id, + ) + session.add(benchmark) + session.commit() + + def get_benchmark_by_id(session: Session, benchmark_id: int): + """ + Retrieves a Benchmark from the database by its ID. + + Args: + session (Session): The session to use for database operations. + benchmark_id (int): The ID of the benchmark to retrieve. + + Returns: + Benchmarks: The retrieved Benchmark, or None if no Benchmark with the given ID exists. + """ + return ( + session.query(Benchmarks) + .filter(Benchmarks.benchmark_id == benchmark_id) + .first() + ) + + def create_organization( + session: Session, long_name: str, short_name: str, uri: str, email: str + ): + """ + Creates a new Organization and adds it to the database. + + Args: + session (Session): The session to use for database operations. + long_name (str): The long name of the organization. + short_name (str): The short name of the organization. + uri (str): The URI of the organization. + email (str): The email of the organization. + + Returns: + None + """ + organization = Organization( + long_name=long_name, short_name=short_name, uri=uri, email=email + ) + session.add(organization) + session.commit() + + def get_organization_by_id(session: Session, organization_id: int): + """ + Retrieves an Organization from the database by its ID. + + Args: + session (Session): The session to use for database operations. + organization_id (int): The ID of the organization to retrieve. + + Returns: + Organization: The retrieved Organization, or None if no Organization with the given ID exists. 
+ """ + return ( + session.query(Organization) + .filter(Organization.organization_id == organization_id) + .first() + ) + + def create_product( + session: Session, + long_name: str, + short_name: str, + version: float, + release: int, + owner_id: int, + ): + """ + Creates a new Product and adds it to the database. + + Args: + session (Session): The session to use for database operations. + long_name (str): The long name of the product. + short_name (str): The short name of the product. + version (float): The version of the product. + release (int): The release of the product. + owner_id (int): The ID of the owner of the product. + + Returns: + None + """ + product = Products( + long_name=long_name, + short_name=short_name, + version=version, + release=release, + owner_id=owner_id, + ) + session.add(product) + session.commit() + + def get_product_by_id(session: Session, product_id: int): + """ + Retrieves a Product from the database by its ID. + + Args: + session (Session): The session to use for database operations. + product_id (int): The ID of the product to retrieve. + + Returns: + Products: The retrieved Product, or None if no Product with the given ID exists. + """ + return session.query(Products).filter(Products.product_id == product_id).first() + + def create_artifact_type(session: Session, type_name: str, description: str): + """ + Creates a new ArtifactType and adds it to the database. + + Args: + session (Session): The session to use for database operations. + type_name (str): The name of the artifact type. + description (str): The description of the artifact type. + + Returns: + None + """ + artifact_type = ArtifactTypes(type_name=type_name, description=description) + session.add(artifact_type) + session.commit() + + def get_artifact_type_by_id(session: Session, artifact_type_id: int): + """ + Retrieves an ArtifactType from the database by its ID. + + Args: + session (Session): The session to use for database operations. 
+ artifact_type_id (int): The ID of the artifact type to retrieve. + + Returns: + ArtifactTypes: The retrieved ArtifactType, or None if no ArtifactType with the given ID exists. + """ + return ( + session.query(ArtifactTypes) + .filter(ArtifactTypes.artifact_type_id == artifact_type_id) + .first() + ) + + def create_benchmark_artifact( + session: Session, benchmark_id: int, artifact_id: int, is_default: bool + ): + """ + Creates a new BenchmarkArtifact and adds it to the database. + + Args: + session (Session): The session to use for database operations. + benchmark_id (int): The ID of the benchmark. + artifact_id (int): The ID of the artifact. + is_default (bool): Whether the artifact is the default one for the benchmark. + + Returns: + None + """ + benchmark_artifact = BenchmarkArtifacts( + benchmark_id=benchmark_id, artifact_id=artifact_id, is_default=is_default + ) + session.add(benchmark_artifact) + session.commit() + + def get_benchmark_artifact_by_ids( + session: Session, benchmark_id: int, artifact_id: int + ): + """ + Retrieves a BenchmarkArtifact from the database by its benchmark and artifact IDs. + + Args: + session (Session): The session to use for database operations. + benchmark_id (int): The ID of the benchmark. + artifact_id (int): The ID of the artifact. + + Returns: + BenchmarkArtifacts: The retrieved BenchmarkArtifact, or None if no BenchmarkArtifact \\ + with the given IDs exists. + """ + return ( + session.query(BenchmarkArtifacts) + .filter( + BenchmarkArtifacts.benchmark_id == benchmark_id, + BenchmarkArtifacts.artifact_id == artifact_id, + ) + .first() + ) + + def create_benchmark_type( + session: Session, long_name: str, short_name: str, description: str + ): + """ + Creates a new BenchmarkType and adds it to the database. + + Args: + session (Session): The session to use for database operations. + long_name (str): The long name of the benchmark type. + short_name (str): The short name of the benchmark type. 
+ description (str): The description of the benchmark type. + + Returns: + None + """ + benchmark_type = BenchmarkType( + long_name=long_name, short_name=short_name, description=description + ) + session.add(benchmark_type) + session.commit() + + def get_benchmark_type_by_id(session: Session, benchmark_type_id: int): + """ + Retrieves a BenchmarkType from the database by its ID. + + Args: + session (Session): The session to use for database operations. + benchmark_type_id (int): The ID of the benchmark type to retrieve. + + Returns: + BenchmarkType: The retrieved BenchmarkType, or None if no BenchmarkType \\ + with the given ID exists. + + Usage: + from sqlalchemy.orm import Session + from models import BenchmarkType + + session = Session() + benchmark_type_id = 1 + benchmark_type = get_benchmark_type_by_id(session, benchmark_type_id) + if benchmark_type is not None: + print(f"Retrieved benchmark type: {benchmark_type.long_name}") + else: + print("No benchmark type found with the given ID.") + """ + return ( + session.query(BenchmarkType) + .filter(BenchmarkType.benchmark_type_id == benchmark_type_id) + .first() + ) + + +""" +To interact with these models: + +1. One-to-Many Relationships: +- Organization to Artifact: An organization can own multiple artifacts. +- Organization to Products: An organization can own multiple products. +- Organization to Benchmarks (as author or sponsor): An organization can author or \\ + sponsor multiple benchmarks. + +For these relationships, you might need functions to: + +- Get all artifacts owned by an organization. +- Get all products owned by an organization. +- Get all benchmarks authored or sponsored by an organization. + +2. Many-to-Many Relationships: +- Benchmarks to Artifact through BenchmarkArtifacts: A benchmark can have multiple artifacts, \\ + and an artifact can be associated with multiple benchmarks. + +For this relationship, you might need functions to: + +- Get all artifacts associated with a benchmark. 
+- Get all benchmarks associated with an artifact. +- Associate an artifact with a benchmark. +- Disassociate an artifact from a benchmark. +""" + + +def get_artifacts_by_organization(session: Session, organization_id: int): + """ + Retrieves all artifacts owned by a specific organization. + + Args: + session (sqlalchemy.orm.Session): The session object used to execute database queries. + organization_id (int): The ID of the organization whose artifacts you want to retrieve. + + Returns: + List[Artifact]: A list of Artifact objects owned by the organization. + If the organization does not own any artifacts, returns an empty list. + + Example: + from sqlalchemy.orm import Session + # create a new session + session = Session() + # get all artifacts owned by the organization with ID 1 + artifacts = get_artifacts_by_organization(session, 1) + for artifact in artifacts: + print(artifact.name) + """ + return session.query(Artifact).filter(Artifact.owner_id == organization_id).all() + + +def get_products_by_organization(session: Session, organization_id: int): + """ + Retrieves all products owned by a specific organization. + + Args: + session (sqlalchemy.orm.Session): The session object used to execute database queries. + organization_id (int): The ID of the organization whose products you want to retrieve. + + Returns: + List[Products]: A list of Products objects owned by the organization. + If the organization does not own any products, returns an empty list. + + Example: + from sqlalchemy.orm import Session + # create a new session + session = Session() + # get all products owned by the organization with ID 1 + products = get_products_by_organization(session, 1) + for product in products: + print(product.name) + """ + return session.query(Products).filter(Products.owner_id == organization_id).all() + + +def get_benchmarks_by_author(session: Session, author_id: int): + """ + Retrieves all benchmarks authored by a specific organization. 
+ + Args: + session (sqlalchemy.orm.Session): The session object used to execute database queries. + author_id (int): The ID of the organization whose authored benchmarks you want to retrieve. + + Returns: + List[Benchmarks]: A list of Benchmarks objects authored by the organization. + If the organization has not authored any benchmarks, returns an empty list. + + Example: + from sqlalchemy.orm import Session + # create a new session + session = Session() + # get all benchmarks authored by the organization with ID 1 + benchmarks = get_benchmarks_by_author(session, 1) + for benchmark in benchmarks: + print(benchmark.name) + """ + return session.query(Benchmarks).filter(Benchmarks.author_id == author_id).all() + + +def get_benchmarks_by_sponsor(session: Session, sponsor_id: int): + """ + Retrieves all benchmarks sponsored by a specific organization. + + Args: + session (sqlalchemy.orm.Session): The session object used to execute database queries. + sponsor_id (int): The ID of the organization whose sponsored benchmarks you want to retrieve. + + Returns: + List[Benchmarks]: A list of Benchmarks objects sponsored by the organization. + If the organization has not sponsored any benchmarks, returns an empty list. + + Example: + from sqlalchemy.orm import Session + # create a new session + session = Session() + # get all benchmarks sponsored by the organization with ID 1 + benchmarks = get_benchmarks_by_sponsor(session, 1) + for benchmark in benchmarks: + print(benchmark.name) + """ + return session.query(Benchmarks).filter(Benchmarks.sponsor_id == sponsor_id).all() + + +def get_artifacts_by_benchmark(session: Session, benchmark_id: int): + """ + Retrieves all artifacts associated with a specific benchmark. + + Args: + session (sqlalchemy.orm.Session): The session object used to execute database queries. + benchmark_id (int): The ID of the benchmark whose associated artifacts you want to retrieve. 
+ + Returns: + List[Artifact]: A list of Artifact objects associated with the benchmark. If the benchmark \\ + does not have any associated artifacts, returns an empty list. + + Example: + from sqlalchemy.orm import Session + # create a new session + session = Session() + # get all artifacts associated with the benchmark with ID 1 + artifacts = get_artifacts_by_benchmark(session, 1) + for artifact in artifacts: + print(artifact.name) + """ + return ( + session.query(Artifact) + .join(BenchmarkArtifacts) + .filter(BenchmarkArtifacts.benchmark_id == benchmark_id) + .all() + ) + + +def get_benchmarks_by_artifact(session: Session, artifact_id: int): + """ + Retrieves all benchmarks associated with a specific artifact. + + Args: + session (sqlalchemy.orm.Session): The session object used to execute database queries. + artifact_id (int): The ID of the artifact whose associated benchmarks you want to retrieve. + + Returns: + List[Benchmarks]: A list of Benchmarks objects associated with the artifact. If the artifact \\ + is not associated with any benchmarks, returns an empty list. + + Example: + from sqlalchemy.orm import Session + # create a new session + session = Session() + # get all benchmarks associated with the artifact with ID 1 + benchmarks = get_benchmarks_by_artifact(session, 1) + for benchmark in benchmarks: + print(benchmark.name) + """ + return ( + session.query(Benchmarks) + .join(BenchmarkArtifacts) + .filter(BenchmarkArtifacts.artifact_id == artifact_id) + .all() + ) + + +def associate_artifact_with_benchmark( + session: Session, benchmark_id: int, artifact_id: int, is_default: bool +): + """ + Associates an artifact with a benchmark. + + Args: + session (sqlalchemy.orm.Session): The session object used to execute database queries. + benchmark_id (int): The ID of the benchmark with which you want to associate the artifact. + artifact_id (int): The ID of the artifact you want to associate with the benchmark. 
+ is_default (bool): A boolean indicating whether the artifact is a default artifact for the benchmark. + + Example: + from sqlalchemy.orm import Session + # create a new session + session = Session() + # associate the artifact with ID 1 with the benchmark with ID 1, and set it as a default artifact + associate_artifact_with_benchmark(session, 1, 1, True) + """ + association = BenchmarkArtifacts( + benchmark_id=benchmark_id, artifact_id=artifact_id, is_default=is_default + ) + session.add(association) + session.commit() + + +def disassociate_artifact_from_benchmark( + session: Session, benchmark_id: int, artifact_id: int +): + """ + Disassociates an artifact from a benchmark. + + Args: + session (sqlalchemy.orm.Session): The session object used to execute database queries. + benchmark_id (int): The ID of the benchmark from which you want to disassociate the artifact. + artifact_id (int): The ID of the artifact you want to disassociate from the benchmark. + + Example: + from sqlalchemy.orm import Session + # create a new session + session = Session() + # disassociate the artifact with ID 1 from the benchmark with ID 1 + disassociate_artifact_from_benchmark(session, 1, 1) + """ + association = ( + session.query(BenchmarkArtifacts) + .filter( + BenchmarkArtifacts.benchmark_id == benchmark_id, + BenchmarkArtifacts.artifact_id == artifact_id, + ) + .first() + ) + if association: + session.delete(association) + session.commit() + + +def get_all_artifacts_associated_with_benchmark(session: Session, benchmark_id: int): + """ + Retrieves all artifacts associated with a specific benchmark. + + This function queries the BenchmarkArtifacts table for all rows with the given benchmark_id. + Then, for each of these BenchmarkArtifacts, it queries the Artifact table for the Artifact + with the artifact_id from the BenchmarkArtifacts. The result is a list of all Artifact objects + associated with the given benchmark. 
+
+ Args:
+ session (Session): The session to use for making the database queries.
+ benchmark_id (int): The ID of the benchmark to retrieve artifacts for.
+
+ Returns:
+ list[Artifact]: A list of Artifact objects associated with the given benchmark.
+
+ Example:
+ >>> from sqlalchemy import create_engine
+ >>> from sqlalchemy.orm import sessionmaker
+ >>> engine = create_engine('sqlite:///example.db')
+ >>> Session = sessionmaker(bind=engine)
+ >>> session = Session()
+ >>> benchmark_id = 1
+ >>> artifacts = get_all_artifacts_associated_with_benchmark(session, benchmark_id)
+ >>> print(artifacts)
+ [, ]
+ """
+ # Query for all BenchmarkArtifacts with the given benchmark_id
+ benchmark_artifacts = (
+ session.query(BenchmarkArtifacts)
+ .filter(BenchmarkArtifacts.benchmark_id == benchmark_id)
+ .all()
+ )
+
+ # Now, for each BenchmarkArtifacts, get the associated Artifact
+ artifacts = [
+ session.query(Artifact).get(ba.artifact_id) for ba in benchmark_artifacts
+ ]
+
+ return artifacts
+
+
diff --git a/sqlalcamey/main.py b/sqlalcamey/main.py
new file mode 100644
index 000000000..7f788672b
--- /dev/null
+++ b/sqlalcamey/main.py
@@ -0,0 +1,8 @@
+# main.py
+from .database import get_session
+from .repository import BenchmarksRepository
+
+session = get_session()
+repo = BenchmarksRepository(session)
+
+# Perform operations...
diff --git a/sqlalcamey/make.bat b/sqlalcamey/make.bat
new file mode 100644
index 000000000..32bb24529
--- /dev/null
+++ b/sqlalcamey/make.bat
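Review bot: In `sqlalcamey/main.py`, `session = get_session()` and `repo = BenchmarksRepository(session)` run at import time, so any module that imports `main` opens a database session as a side effect, and nothing in the file closes or rolls it back. Wrap the script body in `if __name__ == "__main__":` and release the session deterministically, e.g. `with get_session() as session:` if `get_session()` returns a `Session` (which supports the context-manager protocol), otherwise a `try: ... finally: session.close()`. The `# Perform operations...` placeholder suggests this is a stub; if so, it would be better left out of the commit until it does something.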
@@ -0,0 +1,35 @@
+@ECHO OFF
+
+pushd %~dp0
+
+REM Command file for Sphinx documentation
+
+if "%SPHINXBUILD%" == "" (
+ set SPHINXBUILD=sphinx-build
+)
+set SOURCEDIR=.
+set BUILDDIR=_build
+
+%SPHINXBUILD% >NUL 2>NUL
+if errorlevel 9009 (
+ echo.
+ echo.The 'sphinx-build' command was not found. Make sure you have Sphinx
+ echo.installed, then set the SPHINXBUILD environment variable to point
+ echo.to the full path of the 'sphinx-build' executable. Alternatively you
+ echo.may add the Sphinx directory to PATH.
+ echo.
+ echo.If you don't have Sphinx installed, grab it from
+ echo.https://www.sphinx-doc.org/
+ exit /b 1
+)
+
+if "%1" == "" goto help
+
+%SPHINXBUILD% -M %1 %SOURCEDIR% %BUILDDIR% %SPHINXOPTS% %O%
+goto end
+
+:help
+%SPHINXBUILD% -M help %SOURCEDIR% %BUILDDIR% %SPHINXOPTS% %O%
+
+:end
+popd
diff --git a/sqlalcamey/models.py b/sqlalcamey/models.py
new file mode 100644
index 000000000..2406cc0f4
--- /dev/null
+++ b/sqlalcamey/models.py
@@ -0,0 +1,318 @@ +from sqlalchemy import Column,Integer,String,Date,ForeignKey +from sqlalchemy import Boolean, Float, LargeBinary, UniqueConstraint + +from sqlalchemy.orm import relationship +from sqlalchemy.ext.declarative import declarative_base + +Base = declarative_base() + + +# TODO: Add indexes to the correct tables in both this interface and the SQL +class Artifact(Base): + """ + The Artifact class represents the Artifact table in the database. + + Attributes: + artifact_id (int): The primary key for this table. + type_id (int): A foreign key that refers to the artifact_type_id in the artifact_types table. + owner_id (int): A foreign key that refers to the organization_id in the Organization table. + name (str): The name of the artifact. This field is required. + location (str): The location of the artifact. This field is required. + secondary_location (str): The secondary location of the artifact. This field is optional. + created_at (date): The date when the artifact was created. This field is required. + raw_data (LargeBinary): The raw data of the artifact. This field is optional. + + Relationships: + artifact_type: A relationship to the ArtifactType model object associated with this artifact. + organization: A relationship to the Organization model object associated with this artifact. + """ + + def __repr__(self): + """ + Returns a string representation of this Artifact. + + Returns: + str: A string representation of this Artifact. 
+ """ + return f"" + + __tablename__ = "Artifact" + + artifact_id = Column(Integer, primary_key=True, autoincrement=True) + type_id = Column(Integer, ForeignKey("artifact_types.artifact_type_id"), nullable=False) + owner_id = Column(Integer, ForeignKey("Organization.organization_id"), nullable=False) + name = Column(String, nullable=False) + location = Column(String, nullable=False) + secondary_location = Column(String) + created_at = Column(Date, nullable=False) + raw_data = Column(LargeBinary) + + # Define relationships + artifact_type = relationship("ArtifactType", back_populates="artifacts") + organization = relationship("Organization", back_populates="artifacts") + + +class Benchmarks(Base): + """ + The Benchmarks class represents the Benchmarks table in the database. + + Attributes: + benchmark_id (int): The primary key for this table. + version (int): The version of the benchmark. This field is required. + release (int): The release number of the benchmark. This field is required. + release_date (date): The date when the benchmark was released. This field is required. + type_id (int): A foreign key that refers to the benchmark_type_id in the benchmark_type table. This field is required. + product_id (int): A foreign key that refers to the product_id in the Products table. This field is required. + author_id (int): A foreign key that refers to the organization_id in the Organization table. This field is required and defaults to 0. + sponsor_id (int): A foreign key that refers to the organization_id in the Organization table. This field defaults to 0. + status_id (int): A foreign key that refers to the status_id in the Statuses table. This field is required. + + Relationships: + benchmark_type: A relationship to the BenchmarkType model object associated with this benchmark. + product: A relationship to the Product model object associated with this benchmark. + author: A relationship to the Organization model object that authored this benchmark. 
+ sponsor: A relationship to the Organization model object that sponsored this benchmark. + status: A relationship to the Status model object associated with this benchmark. + """ + + __tablename__ = "Benchmarks" + + benchmark_id = Column(Integer, primary_key=True, autoincrement=True) + version = Column(Integer, nullable=False) + release = Column(Integer, nullable=False) + release_date = Column(Date, nullable=False) + type_id = Column(Integer, ForeignKey("benchmark_type.benchmark_type_id"), nullable=False) + product_id = Column(Integer, ForeignKey("Products.product_id"), nullable=False) + author_id = Column(Integer, ForeignKey("Organization.organization_id"), nullable=False, default=0) + sponsor_id = Column(Integer, ForeignKey("Organization.organization_id"), default=0) + status_id = Column(Integer, ForeignKey("Statuses.status_id"), nullable=False) + + # Define relationships + benchmark_type = relationship("BenchmarkType", back_populates="benchmarks") + product = relationship("Product", back_populates="benchmarks") + author = relationship("Organization", back_populates="authored_benchmarks") + sponsor = relationship("Organization", back_populates="sponsored_benchmarks") + status = relationship("Status", back_populates="benchmarks") + + __table_args__ = ( + UniqueConstraint( + "version", + "release", + "product_id", + "author_id", + name="unique_product_version_release_owner", + ), + ) + + def __repr__(self): + """ + Returns a string representation of this Benchmarks. + + Returns: + str: A string representation of this Benchmarks. + """ + return f"" + + +class Organization(Base): + """ + The Organization class represents the Organization table in the database. + + Attributes: + organization_id (int): The primary key for this table. + long_name (str): The full name of the organization. This field is required. + short_name (str): The abbreviated name of the organization. This field is required. + uri (str): The URI of the organization. This field is optional. 
+ email (str): The email of the organization. This field is optional. + + Constraints: + UniqueConstraint: Ensures that the combination of long_name and short_name is unique across all organizations. + + """ + + __tablename__ = "Organization" + + organization_id = Column(Integer, primary_key=True, autoincrement=True) + long_name = Column(String, nullable=False) + short_name = Column(String, nullable=False) + uri = Column(String) + email = Column(String) + + __table_args__ = (UniqueConstraint("long_name", "short_name", name="unique_org_short_and_long_name"),) + + def __repr__(self): + """ + Returns a string representation of this Organization. + + Returns: + str: A string representation of this Organization. + """ + return f"" + + +class Products(Base): + """ + The Products class represents the Products table in the database. + + Attributes: + product_id (int): The primary key for this table. + long_name (str): The full name of the product. This field is required. + short_name (str): The abbreviated name of the product. This field is required. + version (float): The version number of the product. This field is required. + release (int): The release number of the product. This field is required. + owner_id (int): A foreign key that refers to the organization_id in the Organization table. This field is required. + + Relationships: + owner: A relationship to the Organization model object that owns this product. + """ + + __tablename__ = "Products" + + product_id = Column(Integer, primary_key=True, autoincrement=True) + long_name = Column(String, nullable=False) + short_name = Column(String, nullable=False) + version = Column(Float, nullable=False) + release = Column(Integer, nullable=False) + owner_id = Column(Integer, ForeignKey("Organization.organization_id"), nullable=False) + + # Define relationships + owner = relationship("Organization", back_populates="products") + + def __repr__(self): + """ + Returns a string representation of this Products. 
+ + Returns: + str: A string representation of this Products. + """ + return f"" + + +class Statuses(Base): + """ + The Statuses class represents the Statuses table in the database. + + Attributes: + status_id (int): The primary key for this table. + name (str): The name of the status. This field is required. + + Constraints: + UniqueConstraint: Ensures that the combination of status_id and name is unique across all statuses. + """ + + __tablename__ = "Statuses" + + status_id = Column(Integer, primary_key=True, autoincrement=True) + name = Column(String, nullable=False) + + __table_args__ = (UniqueConstraint("status_id", "name", name="unique_status_id_name"),) + + def __repr__(self): + """ + Returns a string representation of this Statuses. + + Returns: + str: A string representation of this Statuses. + """ + return f"" + + +class ArtifactTypes(Base): + """ + The ArtifactTypes class represents the ArtifactTypes table in the database. + + Attributes: + artifact_type_id (int): The primary key for this table. + type_name (str): The name of the artifact type. This field is required. + description (str): The description of the artifact type. This field is optional. + + """ + + __tablename__ = "artifact_types" + + artifact_type_id = Column(Integer, primary_key=True, autoincrement=True) + type_name = Column(String, nullable=False) + description = Column(String) + + def __repr__(self): + """ + Returns a string representation of this ArtifactTypes. + + Returns: + str: A string representation of this ArtifactTypes. + """ + return f"" + + +class BenchmarkArtifacts(Base): + """ + The BenchmarkArtifacts class represents the BenchmarkArtifacts table in the database. + + Attributes: + benchmark_id (int): A foreign key that refers to the benchmark_id in the Benchmarks table. This field is part of the primary key for this table. + artifact_id (int): A foreign key that refers to the artifact_id in the Artifact table. This field is part of the primary key for this table. 
+ is_default (bool): A flag indicating whether this artifact is the default for the associated benchmark. This field defaults to False. + + Constraints: + UniqueConstraint: Ensures that the combination of benchmark_id, artifact_id, and is_default is unique across all benchmark artifacts. + """ + + __tablename__ = "benchmark_artifacts" + + benchmark_id = Column(Integer, ForeignKey("Benchmarks.benchmark_id"), primary_key=True) + artifact_id = Column(Integer, ForeignKey("Artifact.artifact_id"), primary_key=True) + is_default = Column(Boolean, default=False) + + __table_args__ = ( + UniqueConstraint( + "benchmark_id", + "artifact_id", + "is_default", + name="unique_benchmark_artificat_default", + ), + ) + + def __repr__(self): + """ + Returns a string representation of this BenchmarkArtifacts. + + Returns: + str: A string representation of this BenchmarkArtifacts. + """ + return f"" + + +class BenchmarkType(Base): + """ + The BenchmarkType class represents the BenchmarkType table in the database. + + Attributes: + benchmark_type_id (int): The primary key for this table. + long_name (str): The full name of the benchmark type. This field is required. + short_name (str): The abbreviated name of the benchmark type. This field is required. + description (str): The description of the benchmark type. This field is required. + + Constraints: + UniqueConstraint: Ensures that the long_name and short_name are unique across all benchmark types. + """ + + __tablename__ = "benchmark_type" + + benchmark_type_id = Column(Integer, primary_key=True, autoincrement=True) + long_name = Column(String, nullable=False) + short_name = Column(String, nullable=False) + description = Column(String, nullable=False) + + __table_args__ = ( + UniqueConstraint("long_name", name="unique_bt_long_name"), + UniqueConstraint("short_name", name="unique_bt_short_name"), + ) + + def __repr__(self): + """ + Returns a string representation of this BenchmarkType. 
+ + Returns: + str: A string representation of this BenchmarkType. + """ + return f"" diff --git a/sqlalcamey/models.py.old b/sqlalcamey/models.py.old new file mode 100644 index 000000000..1e4b6f4f8 --- /dev/null +++ b/sqlalcamey/models.py.old 
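Review bot: The relationship targets in `Artifact` and `Benchmarks` name classes that do not exist in this file — `relationship("ArtifactType", ...)`, `relationship("Product", ...)` and `relationship("Status", ...)` — while the mapped classes are `ArtifactTypes`, `Products` and `Statuses`, so SQLAlchemy's mapper configuration will raise the first time a session is used; the `back_populates` names (`artifacts`, `products`, `authored_benchmarks`, `sponsored_benchmarks`, `benchmarks`) likewise have no counterpart relationship on `Organization`, `ArtifactTypes`, `Products`, `Statuses` or `BenchmarkType` anywhere in this hunk. `Benchmarks.author` and `Benchmarks.sponsor` both join to `Organization` through different columns, so each needs an explicit `foreign_keys=` or the mapper reports the join as ambiguous. The `__repr__` bodies appear here as `return f""`, which looks more like angle brackets lost in extraction than the committed code; worth confirming they actually format the key fields. The wiring below fixes the three classes shown; the reciprocal `benchmarks`/`artifacts` collections on `ArtifactTypes`, `Products`, `Statuses` and `BenchmarkType` need the same treatment.
```python
class Artifact(Base):
    # … unchanged: docstring, __tablename__, columns, __repr__ …
    artifact_type = relationship("ArtifactTypes", back_populates="artifacts")
    organization = relationship("Organization", foreign_keys=[owner_id], back_populates="artifacts")


class Benchmarks(Base):
    # … unchanged: docstring, __tablename__, columns, __table_args__, __repr__ …
    benchmark_type = relationship("BenchmarkType", back_populates="benchmarks")
    product = relationship("Products", back_populates="benchmarks")
    author = relationship("Organization", foreign_keys=[author_id], back_populates="authored_benchmarks")
    sponsor = relationship("Organization", foreign_keys=[sponsor_id], back_populates="sponsored_benchmarks")
    status = relationship("Statuses", back_populates="benchmarks")


class Organization(Base):
    # … unchanged: docstring, __tablename__, columns, __table_args__, __repr__ …
    artifacts = relationship("Artifact", back_populates="organization")
    products = relationship("Products", back_populates="owner")
    authored_benchmarks = relationship("Benchmarks", foreign_keys="Benchmarks.author_id", back_populates="author")
    sponsored_benchmarks = relationship("Benchmarks", foreign_keys="Benchmarks.sponsor_id", back_populates="sponsor")
```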
@@ -0,0 +1,203 @@ +from sqlalchemy import ( + Column, + Integer, + String, + Date, + ForeignKey, + Boolean, + Float, + Text, + LargeBinary, +) + +# from sqlalchemy.orm import relationship +from sqlalchemy.ext.declarative import declarative_base +from sqlalchemy.orm import relationship + +Base = declarative_base() + + +class Artifact(Base): + """ + SQLAlchemy model class that represents the Artifact table. + + Attributes: + __tablename__ (str): The name of the table this class represents. + artifact_id (sqlalchemy.sql.schema.Column): The primary key column of the table. + type_id (sqlalchemy.sql.schema.Column): Foreign key column referencing the artifact_types table. + owner_id (sqlalchemy.sql.schema.Column): Foreign key column referencing the Organization table. + name (sqlalchemy.sql.schema.Column): Column for the name of the artifact. + location (sqlalchemy.sql.schema.Column): Column for the primary location of the artifact. + secondary_location (sqlalchemy.sql.schema.Column): Column for the secondary location of the artifact. + created_at (sqlalchemy.sql.schema.Column): Column for the creation date of the artifact. + raw_data (sqlalchemy.sql.schema.Column): Column for the raw data of the artifact. 
+ """ + + __tablename__ = "Artifact" + + artifact_id = Column(Integer, primary_key=True, autoincrement=True) + type_id = Column( + Integer, ForeignKey("artifact_types.artifact_type_id"), nullable=False + ) + owner_id = Column( + Integer, ForeignKey("Organization.organization_id"), nullable=False + ) + name = Column(String, nullable=False) + location = Column(String, nullable=False) + secondary_location = Column(String) + created_at = Column(Date, nullable=False) + raw_data = Column(LargeBinary) + + # Define relationships + artifact_type = relationship("ArtifactType", back_populates="artifacts") + organization = relationship("Organization", back_populates="artifacts") + + +class ArtifactTypes(Base): + """ + SQLAlchemy model class that represents the artifact_types table. + + Attributes: + __tablename__ (str): The name of the table this class represents. + artifact_type_id (sqlalchemy.sql.schema.Column): The primary key column of the table. + type_name (sqlalchemy.sql.schema.Column): Column for the name of the artifact type. + description (sqlalchemy.sql.schema.Column): Column for the description of the artifact type. + """ + + __tablename__ = "artifact_types" + + artifact_type_id = Column(Integer, primary_key=True) + type_name = Column(String) + description = Column(Text) + + +class Benchmarks(Base): + """ + SQLAlchemy model class that represents the Benchmarks table. + + Attributes: + __tablename__ (str): The name of the table this class represents. + benchmark_id (sqlalchemy.sql.schema.Column): The primary key column of the table. + version (sqlalchemy.sql.schema.Column): Column for the version of the benchmark. + release (sqlalchemy.sql.schema.Column): Column for the release of the benchmark. + release_date (sqlalchemy.sql.schema.Column): Column for the release date of the benchmark. + type_id (sqlalchemy.sql.schema.Column): Foreign key column referencing the benchmark_type table. 
+ product_id (sqlalchemy.sql.schema.Column): Foreign key column referencing the Products table. + author_id (sqlalchemy.sql.schema.Column): Foreign key column referencing the Organization table. + sponsor_id (sqlalchemy.sql.schema.Column): Foreign key column referencing the Organization table. + status_id (sqlalchemy.sql.schema.Column): Foreign key column referencing the Statuses table. + """ + + __tablename__ = "Benchmarks" + + benchmark_id = Column(Integer, primary_key=True) + version = Column(Integer) + release = Column(Integer) + release_date = Column(Date) + type_id = Column(Integer, ForeignKey("benchmark_type.benchmark_type_id")) + product_id = Column(Integer, ForeignKey("Products.product_id")) + author_id = Column(Integer, ForeignKey("Organization.organization_id")) + sponsor_id = Column(Integer, ForeignKey("Organization.organization_id")) + status_id = Column(Integer, ForeignKey("Statuses.status_id")) + + +class BenchmarkArtifacts(Base): + """ + SQLAlchemy model class that represents the benchmark_artifacts table. + + Attributes: + __tablename__ (str): The name of the table this class represents. + benchmark_id (sqlalchemy.sql.schema.Column): Foreign key column referencing the Benchmarks table, part of the composite primary key. + artifact_id (sqlalchemy.sql.schema.Column): Foreign key column referencing the Artifact table, part of the composite primary key. + is_default (sqlalchemy.sql.schema.Column): Column indicating if the artifact is the default one for the benchmark. + """ + + __tablename__ = "benchmark_artifacts" + + benchmark_id = Column( + Integer, ForeignKey("Benchmarks.benchmark_id"), primary_key=True + ) + artifact_id = Column(Integer, ForeignKey("Artifact.artifact_id"), primary_key=True) + is_default = Column(Boolean) + + +class BenchmarkType(Base): + """ + SQLAlchemy model class that represents the benchmark_type table. + + Attributes: + __tablename__ (str): The name of the table this class represents. 
+ benchmark_type_id (sqlalchemy.sql.schema.Column): The primary key column of the table. + long_name (sqlalchemy.sql.schema.Column): Column for the long name of the benchmark type. + short_name (sqlalchemy.sql.schema.Column): Column for the short name of the benchmark type. + description (sqlalchemy.sql.schema.Column): Column for the description of the benchmark type. + """ + + __tablename__ = "benchmark_type" + + benchmark_type_id = Column(Integer, primary_key=True) + long_name = Column(String) + short_name = Column(String) + description = Column(Text) + + +class Organization(Base): + """ + SQLAlchemy model class that represents the Organization table. + + Attributes: + __tablename__ (str): The name of the table this class represents. + organization_id (sqlalchemy.sql.schema.Column): The primary key column of the table. + long_name (sqlalchemy.sql.schema.Column): Column for the long name of the organization. + short_name (sqlalchemy.sql.schema.Column): Column for the short name of the organization. + uri (sqlalchemy.sql.schema.Column): Column for the URI of the organization. + """ + + __tablename__ = "Organization" + + organization_id = Column(Integer, primary_key=True) + long_name = Column(String) + short_name = Column(String) + uri = Column(String) + email = Column(String) + + +class Products(Base): + """ + SQLAlchemy model class that represents the Products table. + + Attributes: + __tablename__ (str): The name of the table this class represents. + product_id (sqlalchemy.sql.schema.Column): The primary key column of the table. + long_name (sqlalchemy.sql.schema.Column): Column for the long name of the product. + short_name (sqlalchemy.sql.schema.Column): Column for the short name of the product. + version (sqlalchemy.sql.schema.Column): Column for the version of the product. + release (sqlalchemy.sql.schema.Column): Column for the release of the product. + owner_id (sqlalchemy.sql.schema.Column): Foreign key column referencing the Organization table. 
+ """ + + __tablename__ = "Products" + + product_id = Column(Integer, primary_key=True) + long_name = Column(String) + short_name = Column(String) + version = Column(Float) + release = Column(Integer) + owner_id = Column(Integer, ForeignKey("Organization.organization_id")) + + +class Statuses(Base): + """ + Represents the 'Statuses' table in the database. + + The 'Statuses' table contains information about the different statuses that a benchmark can have. + + Attributes: + status_id (Integer): The unique identifier for the status. This is the primary key in the table. + name (String): The name of the status. + """ + + __tablename__ = "Statuses" + + status_id = Column(Integer, primary_key=True) + name = Column(String) diff --git a/sqlalcamey/move-to-classes.py b/sqlalcamey/move-to-classes.py new file mode 100644 index 000000000..9748a3e6d --- /dev/null +++ b/sqlalcamey/move-to-classes.py 
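Review bot: `sqlalcamey/models.py.old` is a backup copy of the models committed next to the live `models.py`; it is never imported, will drift from the real schema, and already repeats the same `relationship("ArtifactType", back_populates="artifacts")` target that matches no mapped class (the class defined here is `ArtifactTypes`). Version control already preserves the previous revision, so the file should be dropped from the commit, or `*.old` added to the `.gitignore` this same change introduces. If it must stay for reference, a header comment such as `# Superseded by models.py; kept for reference only, not imported anywhere.` would at least stop a reader treating it as the schema.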
@@ -0,0 +1,365 @@ +@staticmethod + def add_benchmark_artifact(session, benchmark_id, artifact_id, is_default): + """ + Adds a new benchmark artifact to the benchmark_artifacts table. + + Args: + session (sqlalchemy.orm.Session): The session object used to execute database queries. + benchmark_id (int): The ID of the benchmark. + artifact_id (int): The ID of the artifact. + is_default (bool): Whether the artifact is the default one for the benchmark. + + Returns: + None + """ + new_benchmark_artifact = BenchmarkArtifacts( + benchmark_id=benchmark_id, artifact_id=artifact_id, is_default=is_default + ) + session.add(new_benchmark_artifact) + session.commit() + + @staticmethod + def update_benchmark_artifact(session, benchmark_id, artifact_id, is_default): + """ + Updates an existing benchmark artifact in the benchmark_artifacts table. + + Args: + session (sqlalchemy.orm.Session): The session object used to execute database queries. + benchmark_id (int): The ID of the benchmark. + artifact_id (int): The ID of the artifact. + is_default (bool): Whether the artifact is the default one for the benchmark. + + Returns: + None + """ + benchmark_artifact = ( + session.query(BenchmarkArtifacts) + .filter_by(benchmark_id=benchmark_id, artifact_id=artifact_id) + .first() + ) + if benchmark_artifact is not None: + benchmark_artifact.is_default = is_default + session.commit() + + @staticmethod + def create_artifact( + session: Session, + type_id: int, + owner_id: int, + name: str, + location: str, + secondary_location: str, + created_at: date, + raw_data: str, + ): + """ + Creates a new Artifact and adds it to the database. + + Args: + session (Session): The session to use for database operations. + type_id (int): The ID of the artifact type. + owner_id (int): The ID of the owner of the artifact. + name (str): The name of the artifact. + location (str): The primary location of the artifact. + secondary_location (str): The secondary location of the artifact. 
+ created_at (date): The date the artifact was created. + raw_data (str): The raw data of the artifact. + + Returns: + None + """ + artifact = Artifact( + type_id=type_id, + owner_id=owner_id, + name=name, + location=location, + secondary_location=secondary_location, + created_at=created_at, + raw_data=raw_data, + ) + session.add(artifact) + session.commit() + + def get_artifact_by_id(session: Session, artifact_id: int): + """ + Retrieves an Artifact from the database by its ID. + + Args: + session (Session): The session to use for database operations. + artifact_id (int): The ID of the artifact to retrieve. + + Returns: + Artifact: The retrieved Artifact, or None if no Artifact with the given ID exists. + """ + return ( + session.query(Artifact).filter(Artifact.artifact_id == artifact_id).first() + ) + + def create_benchmark( + session: Session, + version: int, + release: int, + release_date: date, + type_id: int, + product_id: int, + author_id: int, + sponsor_id: int, + status_id: int, + ): + """ + Creates a new Benchmark and adds it to the database. + + Args: + session (Session): The session to use for database operations. + version (int): The version of the benchmark. + release (int): The release of the benchmark. + release_date (date): The release date of the benchmark. + type_id (int): The ID of the benchmark type. + product_id (int): The ID of the product associated with the benchmark. + author_id (int): The ID of the author of the benchmark. + sponsor_id (int): The ID of the sponsor of the benchmark. + status_id (int): The ID of the status of the benchmark. + + Returns: + None + """ + benchmark = Benchmarks( + version=version, + release=release, + release_date=release_date, + type_id=type_id, + product_id=product_id, + author_id=author_id, + sponsor_id=sponsor_id, + status_id=status_id, + ) + session.add(benchmark) + session.commit() + + def get_benchmark_by_id(session: Session, benchmark_id: int): + """ + Retrieves a Benchmark from the database by its ID. 
+ + Args: + session (Session): The session to use for database operations. + benchmark_id (int): The ID of the benchmark to retrieve. + + Returns: + Benchmarks: The retrieved Benchmark, or None if no Benchmark with the given ID exists. + """ + return ( + session.query(Benchmarks) + .filter(Benchmarks.benchmark_id == benchmark_id) + .first() + ) + + def create_organization( + session: Session, long_name: str, short_name: str, uri: str, email: str + ): + """ + Creates a new Organization and adds it to the database. + + Args: + session (Session): The session to use for database operations. + long_name (str): The long name of the organization. + short_name (str): The short name of the organization. + uri (str): The URI of the organization. + email (str): The email of the organization. + + Returns: + None + """ + organization = Organization( + long_name=long_name, short_name=short_name, uri=uri, email=email + ) + session.add(organization) + session.commit() + + def get_organization_by_id(session: Session, organization_id: int): + """ + Retrieves an Organization from the database by its ID. + + Args: + session (Session): The session to use for database operations. + organization_id (int): The ID of the organization to retrieve. + + Returns: + Organization: The retrieved Organization, or None if no Organization with the given ID exists. + """ + return ( + session.query(Organization) + .filter(Organization.organization_id == organization_id) + .first() + ) + + def create_product( + session: Session, + long_name: str, + short_name: str, + version: float, + release: int, + owner_id: int, + ): + """ + Creates a new Product and adds it to the database. + + Args: + session (Session): The session to use for database operations. + long_name (str): The long name of the product. + short_name (str): The short name of the product. + version (float): The version of the product. + release (int): The release of the product. + owner_id (int): The ID of the owner of the product. 
+ + Returns: + None + """ + product = Products( + long_name=long_name, + short_name=short_name, + version=version, + release=release, + owner_id=owner_id, + ) + session.add(product) + session.commit() + + def get_product_by_id(session: Session, product_id: int): + """ + Retrieves a Product from the database by its ID. + + Args: + session (Session): The session to use for database operations. + product_id (int): The ID of the product to retrieve. + + Returns: + Products: The retrieved Product, or None if no Product with the given ID exists. + """ + return session.query(Products).filter(Products.product_id == product_id).first() + + def create_artifact_type(session: Session, type_name: str, description: str): + """ + Creates a new ArtifactType and adds it to the database. + + Args: + session (Session): The session to use for database operations. + type_name (str): The name of the artifact type. + description (str): The description of the artifact type. + + Returns: + None + """ + artifact_type = ArtifactTypes(type_name=type_name, description=description) + session.add(artifact_type) + session.commit() + + def get_artifact_type_by_id(session: Session, artifact_type_id: int): + """ + Retrieves an ArtifactType from the database by its ID. + + Args: + session (Session): The session to use for database operations. + artifact_type_id (int): The ID of the artifact type to retrieve. + + Returns: + ArtifactTypes: The retrieved ArtifactType, or None if no ArtifactType with the given ID exists. + """ + return ( + session.query(ArtifactTypes) + .filter(ArtifactTypes.artifact_type_id == artifact_type_id) + .first() + ) + + def create_benchmark_artifact( + session: Session, benchmark_id: int, artifact_id: int, is_default: bool + ): + """ + Creates a new BenchmarkArtifact and adds it to the database. + + Args: + session (Session): The session to use for database operations. + benchmark_id (int): The ID of the benchmark. + artifact_id (int): The ID of the artifact. 
+ is_default (bool): Whether the artifact is the default one for the benchmark. + + Returns: + None + """ + benchmark_artifact = BenchmarkArtifacts( + benchmark_id=benchmark_id, artifact_id=artifact_id, is_default=is_default + ) + session.add(benchmark_artifact) + session.commit() + + def get_benchmark_artifact_by_ids( + session: Session, benchmark_id: int, artifact_id: int + ): + """ + Retrieves a BenchmarkArtifact from the database by its benchmark and artifact IDs. + + Args: + session (Session): The session to use for database operations. + benchmark_id (int): The ID of the benchmark. + artifact_id (int): The ID of the artifact. + + Returns: + BenchmarkArtifacts: The retrieved BenchmarkArtifact, or None if no BenchmarkArtifact with the given IDs exists. + """ + return ( + session.query(BenchmarkArtifacts) + .filter( + BenchmarkArtifacts.benchmark_id == benchmark_id, + BenchmarkArtifacts.artifact_id == artifact_id, + ) + .first() + ) + + def create_benchmark_type( + session: Session, long_name: str, short_name: str, description: str + ): + """ + Creates a new BenchmarkType and adds it to the database. + + Args: + session (Session): The session to use for database operations. + long_name (str): The long name of the benchmark type. + short_name (str): The short name of the benchmark type. + description (str): The description of the benchmark type. + + Returns: + None + """ + benchmark_type = BenchmarkType( + long_name=long_name, short_name=short_name, description=description + ) + session.add(benchmark_type) + session.commit() + + def get_benchmark_type_by_id(session: Session, benchmark_type_id: int): + """ + Retrieves a BenchmarkType from the database by its ID. + + Args: + session (Session): The session to use for database operations. + benchmark_type_id (int): The ID of the benchmark type to retrieve. + + Returns: + BenchmarkType: The retrieved BenchmarkType, or None if no BenchmarkType with the given ID exists. 
+
+ Usage:
+ from sqlalchemy.orm import Session
+ from models import BenchmarkType
+
+ session = Session()
+ benchmark_type_id = 1
+ benchmark_type = get_benchmark_type_by_id(session, benchmark_type_id)
+ if benchmark_type is not None:
+ print(f"Retrieved benchmark type: {benchmark_type.long_name}")
+ else:
+ print("No benchmark type found with the given ID.")
+ """
+ return (
+ session.query(BenchmarkType)
+ .filter(BenchmarkType.benchmark_type_id == benchmark_type_id)
+ .first()
+ )
\ No newline at end of file
diff --git a/sqlalcamey/repository.py b/sqlalcamey/repository.py
new file mode 100644
index 000000000..3d77f7206
--- /dev/null
+++ b/sqlalcamey/repository.py
@@ -0,0 +1,1753 @@
+# repository.py
+from datetime import date
+from sqlalchemy.orm import Session
+from sqlalchemy.exc import IntegrityError
+from .models import (
+ Artifact,
+ ArtifactTypes,
+ Benchmarks,
+ BenchmarkArtifacts,
+ BenchmarkType,
+ Statuses,
+ BenchmarkType,
+ Organization,
+ Products,
+)
+
+
+class ArtifactRepository:
+ """
+ A repository for managing Artifact entities in a database.
+
+ This class provides methods for creating, retrieving, updating, and deleting Artifact entities, as well as retrieving associated ArtifactType and Organization entities.
+
+ Attributes:
+ session (Session): The SQLAlchemy session that will be used for database operations.
+
+ Methods:
+ __init__(self, session: Session): Initialize a new instance of the ArtifactRepository class.
+ get_all(self): Retrieve all Artifact entities from the database.
+ get_by_id(self, artifact_id: int): Retrieve an Artifact entity by its ID.
+ create(self, **kwargs): Create a new Artifact entity and save it to the database.
+ update(self, artifact_id: int, **kwargs): Update an Artifact entity with the given ID.
+ delete(self, artifact_id: int): Delete an Artifact entity by its ID.
+ get_artifact_type(self, artifact_id: int): Retrieve the ArtifactType associated with an Artifact entity.
+ get_organization(self, artifact_id: int): Retrieve the Organization associated with an Artifact entity.
+ get_raw_data(self, artifact_id: int): Retrieve the raw_data of an Artifact entity by its ID.
+ get_created_date(self, artifact_id: int): Retrieve the created_at date of an Artifact entity by its ID.
+ update_raw_data(self, artifact_id: int, new_raw_data: bytes): Update the raw_data of an Artifact entity by its ID.
+ get_artifacts_by_type(self, type_id: int): Retrieve all Artifact entities with a specific ArtifactType.
+ get_artifacts_by_organization(self, organization_id: int): Retrieve all Artifact entities belonging to a specific Organization.
+ + Example: + from sqlalchemy.orm import Session + from sqlalchemy import create_engine + + engine = create_engine('sqlite:///example.db') + Session = sessionmaker(bind=engine) + session = Session() + + repo = ArtifactRepository(session) + + # Create a new artifact + artifact = repo.create(name='Artifact 1', location='Location 1', created_at=date.today(), type_id=1, owner_id=1) + print(artifact.artifact_id) # Outputs the ID of the newly created artifact + + # Retrieve all artifacts + artifacts = repo.get_all() + for artifact in artifacts: + print(artifact.name) # Outputs the name of each artifact + + # Retrieve an artifact by ID + artifact = repo.get_by_id(1) + if artifact: + print(artifact.name) # Outputs the name of the artifact + + # Update an artifact + repo.update(1, name='Updated Artifact') + updated_artifact = repo.get_by_id(1) + print(updated_artifact.name) # Outputs 'Updated Artifact' + + # Delete an artifact + repo.delete(1) + deleted_artifact = repo.get_by_id(1) + print(deleted_artifact) # Outputs 'None' + + # Retrieve the artifact type of an artifact + artifact_type = repo.get_artifact_type(1) + if artifact_type: + print(artifact_type.type_name) # Outputs the type name of the artifact type + + # Retrieve the organization of an artifact + organization = repo.get_organization(1) + if organization: + print(organization.name) # Outputs the name of the organization + + # Retrieve the raw data of an artifact + raw_data = repo.get_raw_data(1) + if raw_data: + print(raw_data) # Outputs the raw data of the artifact + + # Retrieve the created date of an artifact + created_date = repo.get_created_date(1) + if created_date: + print(created_date) # Outputs the created date of the artifact + + # Update the raw data of an artifact + success = repo.update_raw_data(1, b'New raw data') + print(success) # Outputs 'True' if the update was successful, 'False' otherwise + + # Retrieve all artifacts of a specific type + artifacts_by_type = repo.get_artifacts_by_type(1) + for 
artifact in artifacts_by_type: + print(artifact.name) # Outputs the name of each artifact + + # Retrieve all artifacts of a specific organization + artifacts_by_organization = repo.get_artifacts_by_organization(1) + for artifact in artifacts_by_organization: + print(artifact.name) # Outputs the name of each artifact + """ + + def __init__(self, session: Session): + self.session = session + + def get_all(self): + """ + Retrieve all Artifact entities from the database. + + Returns: + list[Artifact]: A list of all Artifact entities. + + Example: + repo = ArtifactRepository(session) + artifacts = repo.get_all() + for artifact in artifacts: + print(artifact.name) # Outputs the name of each artifact + """ + return self.session.query(Artifact).all() + + def get_by_id(self, artifact_id: int): + """ + Retrieve an Artifact entity by its ID. + + Args: + artifact_id (int): The ID of the Artifact entity to retrieve. + + Returns: + Artifact: The Artifact entity with the given ID, or None if not found. + + Example: + repo = ArtifactRepository(session) + artifact = repo.get_by_id(1) + if artifact: + print(artifact.name) # Outputs the name of the artifact + """ + return self.session.query(Artifact).get(artifact_id) + + def create(self, **kwargs): + """ + Create a new Artifact entity and save it to the database. + + Args: + **kwargs: The properties of the Artifact entity to create. + - type_id (int): The ID of the artifact type. + - owner_id (int): The ID of the owner of the artifact. + - name (str): The name of the artifact. + - location (str): The primary location of the artifact. + - secondary_location (str): The secondary location of the artifact. + - created_at (date): The date the artifact was created. + - raw_data (LargeBinary): The raw data of the artifact. This field is optional. + + Returns: + Artifact: The newly created Artifact entity. 
+ + Example: + repo = ArtifactRepository(session) + artifact = repo.create(name='New Artifact', location='Location', created_at=date.today(), type_id=1, owner_id=1) + print(artifact.artifact_id) # Outputs the ID of the newly created artifact + """ + + # Check for invalid arguments + valid_args = { + "type_id", + "owner_id", + "name", + "location", + "secondary_location", + "created_at", + "raw_data", + } + if not set(kwargs.keys()).issubset(valid_args): + print("Invalid arguments provided.") + return None + + artifact = Artifact(**kwargs) + try: + self.session.add(artifact) + self.session.commit() + return artifact + except Exception as e: + print(f"Failed to create Artifact: {e}") + self.session.rollback() + return None + + def update(self, artifact_id: int, **kwargs): + """ + Update an Artifact entity with the given ID. + + Args: + artifact_id (int): The ID of the Artifact entity to update. + **kwargs: The properties to update. + + Example: + repo = ArtifactRepository(session) + repo.update(1, name='Updated Artifact') # Updates the name of the artifact with ID 1 + """ + # Check for invalid arguments + valid_args = { + "type_id", + "owner_id", + "name", + "location", + "secondary_location", + "created_at", + "raw_data", + } + if not set(kwargs.keys()).issubset(valid_args): + print("Invalid arguments provided.") + return None + + artifact = self.session.query(Artifact).get(artifact_id) + if artifact: + for key, value in kwargs.items(): + setattr(artifact, key, value) + try: + self.session.commit() + except Exception as e: + print(f"Failed to update Artifact: {e}") + self.session.rollback() + return None + else: + print(f"No Artifact found with ID {artifact_id}") + return None + + def delete(self, artifact_id: int): + """ + Delete an Artifact entity by its ID. + + Args: + artifact_id (int): The ID of the Artifact entity to delete. 
+ + Example: + repo = ArtifactRepository(session) + repo.delete(1) # Deletes the artifact with ID 1 + """ + artifact = self.session.query(Artifact).get(artifact_id) + if artifact: + self.session.delete(artifact) + self.session.commit() + + def get_artifact_type(self, artifact_id: int): + """ + Retrieve the ArtifactType associated with an Artifact entity. + + Args: + artifact_id (int): The ID of the Artifact entity. + + Returns: + ArtifactType: The ArtifactType associated with the Artifact entity, or None if not found. + + Example: + repo = ArtifactRepository(session) + artifact_type = repo.get_artifact_type(1) + if artifact_type: + print(artifact_type.type_name) # Outputs the type name of the artifact type + """ + artifact = self.session.query(Artifact).get(artifact_id) + return artifact.artifact_type if artifact else None + + def get_organization(self, artifact_id: int): + """ + Retrieve the Organization associated with an Artifact entity. + + Args: + artifact_id (int): The ID of the Artifact entity. + + Returns: + Organization: The Organization associated with the Artifact entity, or None if not found. + + Example: + repo = ArtifactRepository(session) + organization = repo.get_organization(1) + if organization: + print(organization.name) # Outputs the name of the organization + """ + artifact = self.session.query(Artifact).get(artifact_id) + return artifact.organization if artifact else None + + def get_raw_data(self, artifact_id: int): + """ + Retrieve the raw_data of an Artifact entity by its ID. + + Args: + artifact_id (int): The ID of the Artifact entity. + + Returns: + bytes: The raw_data of the Artifact entity. + """ + artifact = self.session.query(Artifact).get(artifact_id) + if artifact: + return artifact.raw_data + else: + return None + + def get_created_date(self, artifact_id: int): + """ + Retrieve the created_at date of an Artifact entity by its ID. + + Args: + artifact_id (int): The ID of the Artifact entity. 
+ + Returns: + date: The created_at date of the Artifact entity. + """ + artifact = self.session.query(Artifact).get(artifact_id) + if artifact: + return artifact.created_at + else: + return None + + def update_raw_data(self, artifact_id: int, new_raw_data: bytes): + """ + Update the raw_data of an Artifact entity by its ID. + + Args: + artifact_id (int): The ID of the Artifact entity. + new_raw_data (bytes): The new raw_data to update the Artifact entity with. + + Returns: + bool: True if the update was successful, False otherwise. + """ + artifact = self.session.query(Artifact).get(artifact_id) + if artifact: + artifact.raw_data = new_raw_data + self.session.commit() + return True + else: + return False + + def get_artifacts_by_type(self, type_id: int): + """ + Retrieve all Artifact entities with a specific ArtifactType. + + Args: + type_id (int): The ID of the ArtifactType. + + Returns: + List[Artifact]: A list of Artifact entities with the specified ArtifactType. + """ + artifacts = self.session.query(Artifact).filter(Artifact.type_id == type_id).all() + return artifacts + + def get_artifacts_by_organization(self, organization_id: int): + """ + Retrieve all Artifact entities belonging to a specific Organization. + + Args: + organization_id (int): The ID of the Organization. + + Returns: + List[Artifact]: A list of Artifact entities belonging to the specified Organization. + """ + artifacts = self.session.query(Artifact).filter(Artifact.owner_id == organization_id).all() + return artifacts + + +class BenchmarksRepository: + """ + A repository for managing Benchmarks entities in a database. + + Attributes: + session (Session): The SQLAlchemy session that will be used for database operations. + + Methods: + __init__(self, session: Session): Initialize a new instance of the BenchmarksRepository class. + get_all(self): Retrieve all Benchmarks entities from the database. + get_by_id(self, benchmark_id: int): Retrieve a Benchmarks entity by its ID. 
+ create(self, **kwargs): Create a new Benchmarks entity and save it to the database. + update(self, benchmark_id: int, **kwargs): Update a Benchmarks entity with the given ID. + delete(self, benchmark_id: int): Delete a Benchmarks entity by its ID. + add_product(self, benchmark_id, product_id): Associates a product with a benchmark. + get_associated_entities(self, benchmark_id: int): Retrieve the associated entities of a Benchmarks entity. + get_benchmarks_by_type(self, type_id): Retrieve all Benchmarks entities associated with a specific BenchmarkType. + get_benchmarks_by_product(self, product_id): Retrieve all Benchmarks entities associated with a specific Product. + get_benchmarks_by_author(self, author_id): Retrieve all Benchmarks entities associated with a specific author Organization. + get_benchmarks_by_sponsor(self, sponsor_id): Retrieve all Benchmarks entities associated with a specific sponsor Organization. + get_benchmarks_by_status(self, status_id): Retrieve all Benchmarks entities associated with a specific Status. 
+ + Example: + from sqlalchemy.orm import Session + from sqlalchemy import create_engine + + engine = create_engine('sqlite:///example.db') + Session = sessionmaker(bind=engine) + session = Session() + + repo = BenchmarksRepository(session) + + # Create a new benchmark + benchmark = repo.create(version='1.0', name='Benchmark 1', description='This is a benchmark.') + print(benchmark.id) # Outputs the ID of the newly created benchmark + + # Retrieve all benchmarks + benchmarks = repo.get_all() + for benchmark in benchmarks: + print(benchmark.version) # Outputs the version of each benchmark + + # Retrieve a benchmark by ID + benchmark = repo.get_by_id(1) + if benchmark: + print(benchmark.version) # Outputs the version of the benchmark + + # Update a benchmark + repo.update(1, version='1.1', name='Updated Benchmark') + updated_benchmark = repo.get_by_id(1) + print(updated_benchmark.version) # Outputs '1.1' + print(updated_benchmark.name) # Outputs 'Updated Benchmark' + + # Delete a benchmark + repo.delete(1) + deleted_benchmark = repo.get_by_id(1) + print(deleted_benchmark) # Outputs 'None' + + # Retrieve the associated entities of a benchmark + entities = repo.get_associated_entities(1) + print(entities) # Outputs the associated entities + + # Retrieve all benchmarks associated with a specific BenchmarkType + benchmarks = repo.get_benchmarks_by_type(1) + for benchmark in benchmarks: + print(benchmark.version) # Outputs the version of each benchmark + + # Retrieve all benchmarks associated with a specific Product + benchmarks = repo.get_benchmarks_by_product(1) + for benchmark in benchmarks: + print(benchmark.version) # Outputs the version of each benchmark + + # Retrieve all benchmarks associated with a specific author Organization + benchmarks = repo.get_benchmarks_by_author(1) + for benchmark in benchmarks: + print(benchmark.version) # Outputs the version of each benchmark + + # Retrieve all benchmarks associated with a specific sponsor Organization + benchmarks = 
repo.get_benchmarks_by_sponsor(1) + for benchmark in benchmarks: + print(benchmark.version) # Outputs the version of each benchmark + + # Retrieve all benchmarks associated with a specific Status + benchmarks = repo.get_benchmarks_by_status(1) + for benchmark in benchmarks: + print(benchmark.version) # Outputs the version of each benchmark + """ + + def __init__(self, session: Session): + """ + Initialize a new instance of the BenchmarksRepository class. + + Args: + session (Session): The SQLAlchemy session that will be used for database operations. + + Example: + from sqlalchemy.orm import Session + from sqlalchemy import create_engine + + engine = create_engine('sqlite:///example.db') + Session = sessionmaker(bind=engine) + session = Session() + + repo = BenchmarksRepository(session) + """ + self.session = session + + def get_all(self): + """ + Retrieve all Benchmarks entities from the database. + + Returns: + list[Benchmarks]: A list of all Benchmarks entities. + + Example: + repo = BenchmarksRepository(session) + benchmarks = repo.get_all() + for benchmark in benchmarks: + print(benchmark.version) # Outputs the version of each benchmark + """ + return self.session.query(Benchmarks).all() + + def get_by_id(self, benchmark_id: int): + """ + Retrieve a Benchmarks entity by its ID. + + Args: + benchmark_id (int): The ID of the Benchmarks entity to retrieve. + + Returns: + Benchmarks: The Benchmarks entity with the given ID, or None if not found. + + Example: + repo = BenchmarksRepository(session) + benchmark = repo.get_by_id(1) + if benchmark: + print(benchmark.version) # Outputs the version of the benchmark + """ + return self.session.query(Benchmarks).get(benchmark_id) + + def create( + self, + version, + release, + release_date, + type_id, + product_id, + author_id, + status_id, + sponsor_id=None, + ): + """ + Creates a new benchmark. + + Args: + version (str): The version of the benchmark. + release (str): The release of the benchmark. 
+ release_date (date): The release date of the benchmark. + type_id (int): The ID of the benchmark type. + product_id (int): The ID of the product. + author_id (int): The ID of the authoring organization. + status_id (int): The ID of the status. + sponsor_id (int, optional): The ID of the sponsoring organization. + + Returns: + Benchmark: The newly created Benchmark object. + + Raises: + ValueError: If a benchmark with the same version, release, product_id, and author_id already exists. + + Example: + repo = BenchmarksRepository(session) + + # Create a new benchmark + benchmark = repo.create('1.0', 'A', date.today(), 1, 2, 3, 4, 5) + + print(benchmark.version) # Outputs: '1.0' + """ + new_benchmark = Benchmarks( + version=version, + release=release, + release_date=release_date, + type_id=type_id, + product_id=product_id, + author_id=author_id, + status_id=status_id, + sponsor_id=sponsor_id, + ) + self.session.add(new_benchmark) + try: + self.session.commit() + return new_benchmark + except IntegrityError: + self.session.rollback() + raise ValueError("A benchmark with this version, release, product_id, and author_id already exists.") + + def update(self, benchmark_id, **kwargs): + """ + Updates a benchmark. + + Args: + benchmark_id (int): The ID of the benchmark to update. + **kwargs: Arbitrary keyword arguments. Each argument represents a field to update on the benchmark. + + Returns: + Benchmark: The updated Benchmark object, or None if no benchmark with the provided ID was found. + + Raises: + ValueError: If updating the benchmark would result in a duplicate version, release, product_id, and author_id. 
+ + Example: + repo = BenchmarksRepository(session) + + # Update the version of a benchmark with ID 1 + benchmark = repo.update(1, version='1.1') + + print(benchmark.version) # Outputs: '1.1' + """ + benchmark = self.get_by_id(benchmark_id) + if benchmark: + for key, value in kwargs.items(): + setattr(benchmark, key, value) + try: + self.session.commit() + return benchmark + except IntegrityError: + self.session.rollback() + raise ValueError("A benchmark with this version, release, product_id, and author_id already exists.") + + def delete(self, benchmark_id: int): + """ + Delete a Benchmarks entity by its ID. + + Args: + benchmark_id (int): The ID of the Benchmarks entity to delete. + + Example: + repo = BenchmarksRepository(session) + repo.delete(1) + deleted_benchmark = repo.get_by_id(1) + print(deleted_benchmark) # Outputs 'None' + """ + benchmark = self.session.query(Benchmarks).get(benchmark_id) + if benchmark: + self.session.delete(benchmark) + self.session.commit() + + def add_product(self, benchmark_id, product_id): + """ + Associates a product with a benchmark. + + This method sets the product_id foreign key in the Benchmarks table to the provided product_id, + effectively associating the product with the benchmark. + + Args: + benchmark_id (int): The ID of the benchmark. + product_id (int): The ID of the product to associate with the benchmark. + + Returns: + Benchmark: The updated benchmark object, or None if no benchmark with the provided ID was found. + + Raises: + IntegrityError: If the provided product_id does not exist in the Products table. 
+ + Example: + repo = BenchmarksRepository(session) + + # Assume we have a benchmark with ID 1 and a product with ID 2 + benchmark = repo.add_product(1, 2) + + print(benchmark.product_id) # Outputs: 2 + """ + benchmark = self.get_by_id(benchmark_id) + if benchmark: + try: + benchmark.product = product_id + self.session.commit() + except IntegrityError: + self.session.rollback() + raise ValueError("The provided product_id does not exist in the Products table.") + return benchmark + + def get_associated_entities(self, benchmark_id: int): + """ + Retrieve the associated entities of a Benchmark entity. + + Args: + benchmark_id (int): The ID of the Benchmark entity. + + Returns: + dict: A dictionary containing the associated entities. + + Example: + repo = BenchmarksRepository(session) + entities = repo.get_associated_entities(1) + print(entities) # Outputs the associated entities + """ + benchmark = self.session.query(Benchmarks).get(benchmark_id) + if benchmark: + return { + "benchmark_type": benchmark.benchmark_type, + "product": benchmark.product, + "author": benchmark.author, + "sponsor": benchmark.sponsor, + "status": benchmark.status, + } + return None + + def get_benchmarks_by_type(self, type_id): + """ + Retrieves all benchmarks of a specific type. + + Args: + type_id (int): The ID of the benchmark type. + + Returns: + List[Benchmark]: A list of Benchmark objects with the specified type_id. + + Example: + repo = BenchmarksRepository(session) + + # Assume we have benchmarks of type 1 + benchmarks = repo.get_benchmarks_by_type(1) + + for benchmark in benchmarks: + print(benchmark.type_id) # Outputs: 1 + """ + return self.session.query(Benchmarks).filter(Benchmarks.type_id == type_id).all() + + def get_benchmarks_by_product(self, product_id): + """ + Retrieves all benchmarks for a specific product. + + Args: + product_id (int): The ID of the product. + + Returns: + List[Benchmark]: A list of Benchmark objects for the specified product_id. 
+ + Example: + repo = BenchmarksRepository(session) + + # Assume we have benchmarks for product 2 + benchmarks = repo.get_benchmarks_by_product(2) + + for benchmark in benchmarks: + print(benchmark.product_id) # Outputs: 2 + """ + return self.session.query(Benchmarks).filter(Benchmarks.product_id == product_id).all() + + def get_benchmarks_by_author(self, author_id): + """ + Retrieves all benchmarks authored by a specific organization. + + Args: + author_id (int): The ID of the authoring organization. + + Returns: + List[Benchmark]: A list of Benchmark objects authored by the specified organization. + + Example: + repo = BenchmarksRepository(session) + + # Assume we have benchmarks authored by organization 3 + benchmarks = repo.get_benchmarks_by_author(3) + + for benchmark in benchmarks: + print(benchmark.author_id) # Outputs: 3 + """ + return self.session.query(Benchmarks).filter(Benchmarks.author_id == author_id).all() + + def get_benchmarks_by_sponsor(self, sponsor_id): + """ + Retrieves all benchmarks sponsored by a specific organization. + + Args: + sponsor_id (int): The ID of the sponsoring organization. + + Returns: + List[Benchmark]: A list of Benchmark objects sponsored by the specified organization. + + Example: + repo = BenchmarksRepository(session) + + # Assume we have benchmarks sponsored by organization 4 + benchmarks = repo.get_benchmarks_by_sponsor(4) + + for benchmark in benchmarks: + print(benchmark.sponsor_id) # Outputs: 4 + """ + return self.session.query(Benchmarks).filter(Benchmarks.sponsor_id == sponsor_id).all() + + def get_benchmarks_by_status(self, status_id): + """ + Retrieves all benchmarks with a specific status. + + Args: + status_id (int): The ID of the status. + + Returns: + List[Benchmark]: A list of Benchmark objects with the specified status_id. 
+
+ Example:
+ repo = BenchmarksRepository(session)
+
+ # Assume we have benchmarks with status 5
+ benchmarks = repo.get_benchmarks_by_status(5)
+
+ for benchmark in benchmarks:
+ print(benchmark.status_id) # Outputs: 5
+ """
+ return self.session.query(Benchmarks).filter(Benchmarks.status_id == status_id).all()
+
+
+class StatusesRepository:
+ """
+ A repository for managing Statuses entities in a database.
+
+ Attributes:
+ session (Session): The SQLAlchemy session that will be used for database operations.
+
+ Methods:
+ __init__(self, session: Session): Initialize a new instance of the StatusesRepository class.
+ get_all(self): Retrieve all Statuses entities from the database.
+ get_by_id(self, status_id: int): Retrieve a Statuses entity by its ID.
+ create(self, name: str): Create a new Statuses entity and save it to the database.
+ update(self, status_id: int, name: str): Update a Statuses entity with the given ID.
+ delete(self, status_id: int): Delete a Statuses entity by its ID.
+
+ Example:
+ from sqlalchemy.orm import Session
+ from sqlalchemy import create_engine
+
+ engine = create_engine('sqlite:///example.db')
+ Session = sessionmaker(bind=engine)
+ session = Session()
+
+ repo = StatusesRepository(session)
+
+ # Create a new status
+ status = repo.create(name='New Status')
+ print(status.status_id) # Outputs the ID of the newly created status
+
+ # Retrieve all statuses
+ statuses = repo.get_all()
+ for status in statuses:
+ print(status.name) # Outputs the name of each status
+
+ # Retrieve a status by ID
+ status = repo.get_by_id(1)
+ if status:
+ print(status.name) # Outputs the name of the status
+
+ # Update a status
+ repo.update(1, name='Updated Status')
+ updated_status = repo.get_by_id(1)
+ print(updated_status.name) # Outputs 'Updated Status'
+
+ # Delete a status
+ repo.delete(1)
+ deleted_status = repo.get_by_id(1)
+ print(deleted_status) # Outputs 'None'
+ """
+
+ def __init__(self, session: Session):
+ self.session = session
+
+ def get_all(self):
+ return self.session.query(Statuses).all()
+
+ def get_by_id(self, status_id):
+ return self.session.query(Statuses).get(status_id)
+
+ def create(self, name):
+ new_status = Statuses(name=name)
+ self.session.add(new_status)
+ self.session.commit()
+ return new_status
+
+ def update(self, status_id, name):
+ status = self.get_by_id(status_id)
+ if status:
+ status.name = name
+ self.session.commit()
+ return status
+
+ def delete(self, status_id):
+ status = self.get_by_id(status_id)
+ if status:
+ self.session.delete(status)
+ self.session.commit()
+
+
+class OrganizationRepository:
+ """
+ A repository for managing Organization entities in a database.
+
+ Attributes:
+ session (Session): The SQLAlchemy session that will be used for database operations.
+
+ Methods:
+ __init__(self, session: Session): Initialize a new instance of the OrganizationRepository class.
+ get_all(self): Retrieve all Organization entities from the database.
+ get_by_id(self, organization_id: int): Retrieve an Organization entity by its ID. + create(self, long_name: str, short_name: str, uri: str, email: str): Create a new Organization entity and save it to the database. + update(self, organization_id: int, **kwargs): Update an Organization entity with the given ID. + delete(self, organization_id: int): Delete an Organization entity by its ID. + + Example: + from sqlalchemy.orm import Session + from sqlalchemy import create_engine + + engine = create_engine('sqlite:///example.db') + Session = sessionmaker(bind=engine) + session = Session() + + repo = OrganizationRepository(session) + + # Create a new organization + organization = repo.create(long_name='New Organization', short_name='NO', uri='http://example.com', email='info@example.com') + print(organization.organization_id) # Outputs the ID of the newly created organization + + # Retrieve all organizations + organizations = repo.get_all() + for organization in organizations: + print(organization.long_name) # Outputs the long_name of each organization + + # Retrieve an organization by ID + organization = repo.get_by_id(1) + if organization: + print(organization.long_name) # Outputs the long_name of the organization + + # Update an organization + repo.update(1, long_name='Updated Organization', short_name='UO') + updated_organization = repo.get_by_id(1) + print(updated_organization.long_name) # Outputs 'Updated Organization' + + # Delete an organization + repo.delete(1) + deleted_organization = repo.get_by_id(1) + print(deleted_organization) # Outputs 'None' + """ + + def __init__(self, session: Session): + self.session = session + + def get_all(self): + return self.session.query(Organization).all() + + def get_by_id(self, organization_id): + return self.session.query(Organization).get(organization_id) + + def create(self, long_name, short_name, uri, email): + new_organization = Organization(long_name=long_name, short_name=short_name, uri=uri, email=email) + 
self.session.add(new_organization) + try: + self.session.commit() + return new_organization + except IntegrityError: + self.session.rollback() + raise ValueError("An organization with this long_name and short_name already exists.") + + def update(self, organization_id, **kwargs): + organization = self.get_by_id(organization_id) + if organization: + for key, value in kwargs.items(): + setattr(organization, key, value) + try: + self.session.commit() + return organization + except IntegrityError: + self.session.rollback() + raise ValueError("An organization with this long_name and short_name already exists.") + + def delete(self, organization_id): + organization = self.get_by_id(organization_id) + if organization: + self.session.delete(organization) + self.session.commit() + + +class ProductRepository: + """ + A repository providing an interface for accessing and manipulating Product entities in the database. + + Methods: + + __init__(self, session: Session): Initialize a new instance of the ProductRepository class. + + create(session: Session, long_name: str, short_name: str, version: float, release: int, owner_id: int) -> Products: + Create a new entity and add it to the database. + + get_by_id(session: Session, id: int) -> Products: + Get an entity by its ID. + + get_all(session: Session) -> list[Products]: + Get all entities. + + update(session: Session, id: int, short_name: str, version: float, release: int, owner_id: int, long_name: str = None) -> None: + Update an entity. + + delete(session: Session, id: int) -> None: + Delete an entity. + + Examples: + >>> repo = Repository() + >>> new_entity = repo.create(session, 'Long Name', 'Short Name', 1.0, 1, 1) + >>> print(new_entity.long_name) + 'Long Name' + >>> entity = repo.get_by_id(session, 1) + >>> print(entity.long_name) + 'Long Name' + >>> entities = repo.get_all(session) + >>> for entity in entities: + ... 
print(entity.long_name) + 'Entity 1' + 'Entity 2' + 'Entity 3' + >>> repo.update(session, 1, 'New Short Name', 1.1, 2, 2, 'New Long Name') + >>> updated_entity = repo.get_by_id(session, 1) + >>> print(updated_entity.short_name) + 'New Short Name' + >>> repo.delete(session, 1) + >>> deleted_entity = repo.get_by_id(session, 1) + >>> print(deleted_entity) + None + """ + + def __init__(self, session: Session): + """ + Initialize a new instance of the ProductRepository class. + + Args: + session (Session): The SQLAlchemy session for database operations. + """ + self.session = session + + def create( + self, + session: Session, + long_name: str, + short_name: str, + version: float, + release: int, + owner_id: int, + ) -> Products: + """ + Create a new entity and add it to the database. + + Args: + long_name (str): The long name of the entity. + short_name (str): The short name of the entity. + version (float): The version of the entity. + release (int): The release of the entity. + owner_id (int): The ID of the organization that owns the entity. + + Returns: + Products: The created entity. + + Examples: + >>> repo = Repository(session) + >>> new_entity = repo.create('Long Name', 'Short Name', 1.0, 1, 1) + >>> print(new_entity.long_name) + 'Long Name' + """ + entity = Products( + long_name=long_name, + short_name=short_name, + version=version, + release=release, + owner_id=owner_id, + ) + session.add(entity) + session.commit() + return entity + + def get_by_id(session: Session, id: int) -> Products: + """ + Get an entity by its ID. + + Args: + id (int): The ID of the entity to get. + + Returns: + Products: The entity with the given ID, or None if no such entity exists. + + Examples: + >>> repo = Repository(session) + >>> entity = repo.get_by_id(1) + >>> print(entity.long_name) + 'Long Name' + """ + return session.query(Products).filter(Products.product_id == id).first() + + def get_all(session: Session) -> list[Products]: + """ + Get all entities. 
+ + Returns: + list[Products]: A list of all entities. + + Examples: + >>> repo = Repository(session) + >>> entities = repo.get_all() + >>> for entity in entities: + ... print(entity.long_name) + 'Entity 1' + 'Entity 2' + 'Entity 3' + """ + return session.query(Products).all() + + def update( + session: Session, + id: int, + short_name: str, + version: float, + release: int, + owner_id: int, + long_name: str = None, + ) -> None: + """ + Update an entity. + + Args: + id (int): The ID of the entity to update. + short_name (str): The new short name of the entity. + version (float): The new version of the entity. + release (int): The new release of the entity. + owner_id (int): The new owner ID of the entity. + long_name (str, optional): The new long name of the entity. Defaults to None. + + Examples: + >>> repo = Repository(session) + >>> repo.update(1, 'New Short Name', 1.1, 2, 2, 'New Long Name') + >>> updated_entity = repo.get_by_id(1) + >>> print(updated_entity.short_name) + 'New Short Name' + """ + + entity = get_by_id(session, id) + if entity is not None: + attributes = { + "long_name": long_name, + "short_name": short_name, + "version": version, + "release": release, + "owner_id": owner_id, + } + for attr, value in attributes.items(): + if value is not None: + setattr(entity, attr, value) + session.commit() + + def delete(session: Session, id: int) -> None: + """ + Delete an entity. + + Args: + id (int): The ID of the entity to delete. + + Examples: + >>> repo = Repository(session) + >>> repo.delete(1) + >>> deleted_entity = repo.get_by_id(1) + >>> print(deleted_entity) + None + """ + entity = get_by_id(session, id) + if entity is not None: + session.delete(entity) + session.commit() + + +class ArtifactTypesRepository: + """ + A repository providing an interface for accessing and manipulating ArtifactTypes entities in the database. + + Attributes: + session (Session): The SQLAlchemy session for database operations. 
+ + Methods: + __init__(self, session: Session): Initialize a new instance of the ArtifactTypesRepository class. + get_by_id(artifact_type_id: int): Retrieve an ArtifactTypes entity by its ID. + add(type_name: str, description: str): Add a new ArtifactTypes entity to the database. + update(artifact_type_id: int, type_name: str, description: str): Update an existing ArtifactTypes entity in the database. + remove(artifact_type_id: int): Remove an existing ArtifactTypes entity from the database. + get_all(): Retrieve all ArtifactTypes entities from the database. + """ + + def __init__(self, session): + """ + Initialize the ArtifactTypesRepository with a SQLAlchemy session. + + Args: + session (Session): The SQLAlchemy session for database operations. + + Example: + >>> from sqlalchemy import create_engine, sessionmaker + >>> from sqlalchemy.orm import Session + >>> engine = create_engine('sqlite:///:memory:') + >>> Session = sessionmaker(bind=engine) + >>> session = Session() + >>> repo = ArtifactTypesRepository(session) + """ + self.session = session + + def get_by_id(self, artifact_type_id): + """ + Retrieve an ArtifactTypes entity by its ID. + + Args: + artifact_type_id (int): The ID of the ArtifactTypes entity. + + Returns: + ArtifactTypes: The ArtifactTypes entity with the given ID. + + Example: + >>> artifact_type = repo.get_by_id(1) + >>> print(artifact_type.type_name) + 'Type1' + """ + return self.session.query(ArtifactTypes).get(artifact_type_id) + + def add(self, type_name, description): + """ + Add a new ArtifactTypes entity to the database. + + Args: + type_name (str): The name of the new ArtifactTypes entity. + description (str): The description of the new ArtifactTypes entity. + + Returns: + ArtifactTypes: The newly created ArtifactTypes entity. 
+ + Example: + >>> new_type = repo.add('Type2', 'Description for Type2') + >>> print(new_type.type_name) + 'Type2' + """ + new_type = ArtifactTypes(type_name=type_name, description=description) + self.session.add(new_type) + self.session.commit() + return new_type + + def update(self, artifact_type_id, type_name, description): + """ + Update an existing ArtifactTypes entity in the database. + + Args: + artifact_type_id (int): The ID of the ArtifactTypes entity to update. + type_name (str): The new name of the ArtifactTypes entity. + description (str): The new description of the ArtifactTypes entity. + + Returns: + ArtifactTypes: The updated ArtifactTypes entity, or None if no entity with the given ID was found. + + Example: + >>> updated_type = repo.update(1, 'UpdatedType', 'Updated description') + >>> print(updated_type.type_name) + 'UpdatedType' + """ + artifact_type = self.get_by_id(artifact_type_id) + if artifact_type is not None: + artifact_type.type_name = type_name + artifact_type.description = description + self.session.commit() + return artifact_type + + def remove(self, artifact_type_id): + """ + Remove an existing ArtifactTypes entity from the database. + + Args: + artifact_type_id (int): The ID of the ArtifactTypes entity to remove. + + Returns: + bool: True if the entity was removed, False otherwise. + + Example: + >>> result = repo.remove(1) + >>> print(result) + True + """ + artifact_type = self.get_by_id(artifact_type_id) + if artifact_type is not None: + self.session.delete(artifact_type) + self.session.commit() + return True + return False + + def get_all(self): + """ + Retrieve all ArtifactTypes entities from the database. + + Returns: + list[ArtifactTypes]: A list of all ArtifactTypes entities. + + Example: + >>> all_types = repo.get_all() + >>> for artifact_type in all_types: + ... 
print(artifact_type.type_name) + 'Type1' + 'Type2' + """ + return self.session.query(ArtifactTypes).all() + + +class BenchmarkArtifactsRepository: + """ + A repository providing an interface for accessing and manipulating BenchmarkArtifacts entities in the database. + + Attributes: + session (Session): The SQLAlchemy session for database operations. + + Methods: + __init__(self, session: Session): Initialize a new instance of the BenchmarkArtifactsRepository class. + get_by_ids(benchmark_id: int, artifact_id: int): Retrieve a BenchmarkArtifacts entity by its benchmark_id and artifact_id. + add(benchmark_id: int, artifact_id: int, is_default: bool = False): Add a new BenchmarkArtifacts entity to the database. + update(benchmark_id: int, artifact_id: int, is_default: bool): Update an existing BenchmarkArtifacts entity in the database. + remove(benchmark_id: int, artifact_id: int): Remove an existing BenchmarkArtifacts entity from the database. + get_all_artifacts(self): Retrieves all BenchmarkArtifacts entities. + get_all_for_benchmark: Retrieves all BenchmarkArtifacts entities for a specific benchmark. + get_default(benchmark_id: int): Retrieve the default BenchmarkArtifacts entity for a given benchmark_id from the database. + update_default(benchmark_id: int, new_default_artifact_id: int): Update the default BenchmarkArtifacts entity for a given benchmark_id in the database. + toggle_default(benchmark_id: int, artifact_id: int): Toggle the is_default status of a BenchmarkArtifacts entity in the database. + get_default_artifact_of_benchmark(self, benchmark_id: int): Retrieve the default BenchmarkArtifact entity of a specific benchmark. 
+ + Examples: + # First, create a new SQLAlchemy session + from sqlalchemy import create_engine + from sqlalchemy.orm import sessionmaker + + engine = create_engine('sqlite:///benchmarks.db') + Session = sessionmaker(bind=engine) + session = Session() + + # Then, create a new instance of BenchmarkArtifactsRepository using the session + repo = BenchmarkArtifactsRepository(session) + + # Add a new benchmark artifact + new_artifact = repo.add(1, 1) + print(new_artifact.is_default) # Outputs: False + + # Get a benchmark artifact by its IDs + artifact = repo.get_by_ids(1, 1) + print(artifact.is_default) # Outputs: False + + # Toggle the is_default status of a benchmark artifact + toggled_artifact = repo.toggle_default(1, 1) + print(toggled_artifact.is_default) # Outputs: True + + # Update a benchmark artifact + updated_artifact = repo.update(1, 1, False) + print(updated_artifact.is_default) # Outputs: False + + # Remove a benchmark artifact + result = repo.remove(1, 1) + print(result) # Outputs: True + + # Get all artifacts for a specific benchmark + artifacts = repo.get_all_for_benchmark(1) + for artifact in artifacts: + print(artifact.artifact_id) # Outputs: 1, 2, 3, etc. + + # Get the default benchmark artifact + default_artifact = repo.get_default(1) + print(default_artifact.artifact_id) # Outputs: 1 + + # Update the default benchmark artifact + result = repo.update_default(1, 2) + print(result) # Outputs: True + + # Retrieve the default artifact of a specific benchmark + default_artifact = repo.get_default_artifact_of_benchmark(1) + if default_artifact: + print(default_artifact.name) # Outputs the name of the default artifact + """ + + def __init__(self, session): + """ + Initialize the BenchmarkArtifactsRepository with a SQLAlchemy session. + + Args: + session (Session): The SQLAlchemy session for database operations. 
+ + Example: + >>> from sqlalchemy import create_engine + >>> from sqlalchemy.orm import sessionmaker + >>> engine = create_engine('sqlite:///benchmarks.db') + >>> Session = sessionmaker(bind=engine) + >>> session = Session() + >>> repo = BenchmarkArtifactsRepository(session) + """ + self.session = session + + def update(self, benchmark_id, artifact_id, is_default): + """ + Update an existing entity in the database. + + Args: + benchmark_id (int): The benchmark_id of the entity to update. + artifact_id (int): The artifact_id of the entity to update. + is_default (bool): The new is_default status of the entity. + + Returns: + BenchmarkArtifacts: The updated entity, or None if no entity with the given benchmark_id and artifact_id was found. + + Example: + >>> updated = repo.update(1, 1, False) + >>> print(updated.is_default) + False + """ + + artifact = self.get_by_ids(benchmark_id, artifact_id) + if artifact is not None: + artifact.is_default = is_default + self.session.commit() + return artifact + + def get_by_ids(self, benchmark_id, artifact_id): + """ + Retrieve a BenchmarkArtifacts entity by its benchmark_id and artifact_id. + + Args: + benchmark_id (int): The benchmark_id of the BenchmarkArtifacts entity. + artifact_id (int): The artifact_id of the BenchmarkArtifacts entity. + + Returns: + BenchmarkArtifacts: The BenchmarkArtifacts entity with the given benchmark_id and artifact_id. + + Example: + >>> artifact = repo.get_by_ids(1, 1) + >>> print(artifact.is_default) + True + """ + return self.session.query(BenchmarkArtifacts).get((benchmark_id, artifact_id)) + + def add(self, benchmark_id, artifact_id, is_default=False): + """ + Add a new BenchmarkArtifacts entity to the database. + + This method creates a new BenchmarkArtifacts record with the provided benchmark_id, artifact_id, and is_default status. + It then adds this record to the database. + + Args: + benchmark_id (int): The ID of the benchmark to associate with the artifact. 
+ artifact_id (int): The ID of the artifact to associate with the benchmark. + is_default (bool, optional): Whether the artifact is the default for the benchmark. Defaults to False. + + Returns: + BenchmarkArtifacts: The newly created BenchmarkArtifacts entity. + + Raises: + IntegrityError: If a BenchmarkArtifacts record with the same benchmark_id, artifact_id, and is_default status already exists. + + Example: + repo = BenchmarkArtifactsRepository(session) + + # Add a new BenchmarkArtifacts record + new_artifact = repo.add(1, 1, True) + + print(new_artifact.is_default) # Outputs: True + print(new_artifact.benchmark_id) # Outputs: 1 + print(new_artifact.artifact_id) # Outputs: 1 + """ + try: + artifact = BenchmarkArtifacts( + benchmark_id=benchmark_id, + artifact_id=artifact_id, + is_default=is_default, + ) + self.session.add(artifact) + self.session.commit() + except IntegrityError: + self.session.rollback() + raise ValueError("This operation would violate a database constraint.") + + def remove(self, benchmark_id, artifact_id): + """ + Remove an existing entity from the database. + + Args: + benchmark_id (int): The benchmark_id of the entity to remove. + artifact_id (int): The artifact_id of the entity to remove. + + Returns: + bool: True if the entity was removed, False otherwise. + + Example: + >>> result = repo.remove(1, 1) + >>> print(result) + True + """ + artifact = self.get_by_ids(benchmark_id, artifact_id) + if artifact is not None: + self.session.delete(artifact) + self.session.commit() + return True + return False + + def get_all_artifacts(self): + """ + Retrieve all entries from the database. + + Returns: + list[BenchmarkArtifacts]: A list of all entities. + + Example: + >>> entities = repo.get_all_artifacts() + >>> for entity in entities: + ... 
print(entity.benchmark_id, entity.artifact_id) + 1 1 + 2 2 + 3 3 + """ + return self.session.query(BenchmarkArtifacts).all() + + def toggle_default(self, benchmark_id, artifact_id): + """ + Toggle the is_default status of an entity in the database. + + Args: + benchmark_id (int): The benchmark_id of the entity to update. + artifact_id (int): The artifact_id of the entity to update. + + Returns: + BenchmarkArtifacts: The updated entity, or None if no entity with the given benchmark_id and artifact_id was found. + + Example: + >>> entity = repo.get_by_ids(1, 1) + >>> print(entity.is_default) + True + >>> toggled = repo.toggle_default(1, 1) + >>> print(toggled.is_default) + False + """ + artifact = self.get_by_ids(benchmark_id, artifact_id) + if artifact is not None: + artifact.is_default = not artifact.is_default + self.session.commit() + return artifact + + def get_all_for_benchmark(self, benchmark_id): + """ + Retrieve all Artifact entities for a given benchmark_id from the database. + + Args: + benchmark_id (int): The benchmark_id of the entities. + + Returns: + list[BenchmarkArtifacts]: A list of all entities for the given benchmark_id. + + Example: + >>> entities = repo.get_all_for_benchmark(1) + >>> for entity in entities: + ... print(entity.artifact_id) + 1 + 2 + 3 + """ + return self.session.query(BenchmarkArtifacts).filter_by(benchmark_id=benchmark_id).all() + + def get_default(self, benchmark_id): + """ + Retrieve the default entity for a given benchmark_id from the database. + + Args: + benchmark_id (int): The benchmark_id of the entity. + + Returns: + BenchmarkArtifacts: The default entity for the given benchmark_id, or None if no default entity was found. 
+ + Example: + >>> default = repo.get_default(1) + >>> print(default.artifact_id) + 1 + """ + return self.session.query(BenchmarkArtifacts).filter_by(benchmark_id=benchmark_id, is_default=True).first() + + def update_default(self, benchmark_id, new_default_id): + """ + Update the default entity for a given benchmark_id in the database. + + Args: + benchmark_id (int): The benchmark_id of the entity to update. + new_default_id (int): The artifact_id of the new default entity. + + Returns: + bool: True if the default entity was updated, False otherwise. + + Example: + >>> result = repo.update_default(1, 2) + >>> print(result) + True + """ + current_default = self.get_default(benchmark_id) + if current_default is not None: + self.toggle_default(benchmark_id, current_default.artifact_id) + + new_default = self.get_by_ids(benchmark_id, new_default_id) + if new_default is not None: + self.toggle_default(benchmark_id, new_default_id) + return True + + return False + + def get_default_artifact_of_benchmark(self, benchmark_id: int): + """ + Retrieve the default BenchmarkArtifact entity of a specific benchmark. + + Args: + benchmark_id (int): The ID of the benchmark. + + Returns: + BenchmarkArtifact: The default BenchmarkArtifact entity of the specified benchmark, or None if no default artifact is found. + """ + default_artifact = ( + self.session.query(Artifact) + .filter(Artifact.is_default == True, Artifact.benchmark_id == benchmark_id) + .first() + ) + return default_artifact + + +class BenchmarkTypeRepository: + """ + A repository providing an interface for accessing and manipulating BenchmarkType entities in the database. + + Attributes: + session (Session): The SQLAlchemy session for database operations. + + Methods: + __init__(self, session: Session): Initialize a new instance of the BenchmarkTypeRepository class. + get_by_id(benchmark_type_id: int): Retrieve a BenchmarkType entity by its benchmark_type_id. 
+ add(long_name: str, short_name: str, description: str): Add a new BenchmarkType entity to the database. + update(benchmark_type_id: int, long_name: str, short_name: str, description: str): Update an existing BenchmarkType entity in the database. + remove(benchmark_type_id: int): Remove an existing BenchmarkType entity from the database. + get_all(): Retrieve all BenchmarkType entities from the database. + + Examples: + # First, create a new SQLAlchemy session + from sqlalchemy import create_engine + from sqlalchemy.orm import sessionmaker + + engine = create_engine('sqlite:///benchmarks.db') + Session = sessionmaker(bind=engine) + session = Session() + + # Then, create a new instance of BenchmarkTypeRepository using the session + repo = BenchmarkTypeRepository(session) + + # Add a new benchmark type + new_type = repo.add('Long Name', 'Short', 'This is a description.') + print(new_type.long_name) # Outputs: 'Long Name' + + # Get a benchmark type by its ID + type = repo.get_by_id(1) + print(type.short_name) # Outputs: 'Short' + + # Update a benchmark type + updated_type = repo.update(1, 'New Long Name', 'New Short', 'This is a new description.') + print(updated_type.long_name) # Outputs: 'New Long Name' + + # Remove a benchmark type + result = repo.remove(1) + print(result) # Outputs: True + + # Get all benchmark types + types = repo.get_all() + for type in types: + print(type.benchmark_type_id) # Outputs: 1, 2, 3, etc. + """ + + def __init__(self, session): + """ + Initialize the BenchmarkTypeRepository with a database session. + + Args: + session (Session): The SQLAlchemy session for database operations. + + Example: + repo = BenchmarkTypeRepository(session) + """ + self.session = session + + def get_by_id(self, benchmark_type_id): + """ + Retrieve a BenchmarkType entity by its benchmark_type_id. + + Args: + benchmark_type_id (int): The ID of the BenchmarkType entity to retrieve. 
+ + Returns: + BenchmarkType: The BenchmarkType entity with the given benchmark_type_id, or None if no such entity exists. + + Example: + type = repo.get_by_id(1) + print(type.short_name) # Outputs: 'Short' + """ + return self.session.query(BenchmarkType).get(benchmark_type_id) + + def add(self, long_name, short_name, description): + """ + Add a new BenchmarkType entity to the database. + + Args: + long_name (str): The long name for the new BenchmarkType entity. + short_name (str): The short name for the new BenchmarkType entity. + description (str): The description for the new BenchmarkType entity. + + Returns: + BenchmarkType: The newly created BenchmarkType entity. + + Example: + new_type = repo.add('Long Name', 'Short', 'This is a description.') + print(new_type.long_name) # Outputs: 'Long Name' + """ + try: + benchmark_type = BenchmarkType(long_name=long_name, short_name=short_name, description=description) + self.session.add(benchmark_type) + self.session.commit() + except IntegrityError: + self.session.rollback() + raise ValueError("A BenchmarkType with this long_name or short_name already exists.") + + def update(self, benchmark_type_id, long_name, short_name, description): + """ + Update an existing BenchmarkType entity in the database. + + Args: + benchmark_type_id (int): The ID of the BenchmarkType entity to update. + long_name (str): The new long name for the BenchmarkType entity. + short_name (str): The new short name for the BenchmarkType entity. + description (str): The new description for the BenchmarkType entity. + + Returns: + BenchmarkType: The updated BenchmarkType entity, or None if no entity with the given benchmark_type_id was found. 
+ + Example: + updated_type = repo.update(1, 'New Long Name', 'New Short', 'This is a new description.') + print(updated_type.long_name) # Outputs: 'New Long Name' + """ + type = self.get_by_id(benchmark_type_id) + if type is not None: + try: + type.long_name = long_name + type.short_name = short_name + type.description = description + self.session.commit() + except IntegrityError: + self.session.rollback() + raise ValueError("A BenchmarkType with this long_name or short_name already exists.") + return type + + def remove(self, benchmark_type_id): + """ + Remove an existing BenchmarkType entity from the database. + + Args: + benchmark_type_id (int): The ID of the BenchmarkType entity to remove. + + Returns: + bool: True if the BenchmarkType entity was removed successfully, False otherwise. + + Example: + result = repo.remove(1) + print(result) # Outputs: True + """ + type = self.get_by_id(benchmark_type_id) + if type is not None: + self.session.delete(type) + self.session.commit() + return True + return False + + def get_all(self): + """ + Retrieve all BenchmarkType entities from the database. + + Returns: + list[BenchmarkType]: A list of all BenchmarkType entities. + + Example: + types = repo.get_all() + for type in types: + print(type.benchmark_type_id) # Outputs: 1, 2, 3, etc. + """ + return self.session.query(BenchmarkType).all() diff --git a/sqlalcamey/review_zip_or_file.py b/sqlalcamey/review_zip_or_file.py new file mode 100644 index 000000000..bd8cd4748 --- /dev/null +++ b/sqlalcamey/review_zip_or_file.py 
@@ -0,0 +1,58 @@
+# https://softwareengineering.stackexchange.com/questions/49550/which-hashing-algorithm-is-best-for-uniqueness-and-speed
+# https://stackoverflow.com/questions/49515975/how-to-keep-track-of-the-files-i-read-into-a-database-in-python
+# https://dunlapww.medium.com/setup-pythons-equivalent-or-ruby-s-pry-ipdb-33e98f4f847b
+# https://wundergraph.com/blog/wunderbase_serverless_graphql_database_on_top_of_sqlite_firecracker_and_prisma
+
+import os
+from stig_parser import convert_stig
+from stig_parser import convert_xccdf
+
+## PARSE STIG ZIP FILE
+file1 = "../test/U_CAN_Ubuntu_20-04_LTS_V1R5_STIG.zip"
+file2 = "../benchmarks/DISA/U_CAN_Ubuntu_20-04_LTS_STIG_V1R4_Manual-xccdf.xml"
+# import ipdb; ipdb.set_trace()
+
+
+def process_stig(stig, type="zip"):
+ """
+ Process the STIG and return the JSON results.
+
+ Args:
+ stig (type): The STIG to be processed.
+
+ Returns:
+ dict: The JSON results of the processed STIG.
+ """
+ json_results = ""
+ if type == "zip":
+ json_results = convert_stig(stig)
+ else:
+ try:
+ # import ipdb
+ # ipdb.set_trace()
+ fp = open(stig, "r")
+ json_results = convert_xccdf(fp.read())
+ except:
+ print("could not open: " + file2)
+ print("plese check the path")
+ print(os.getcwd())
+
+ print("Processing STIG: " + stig)
+ print(json_results["Title"] + " Version: " + json_results["Version"] + " Release: " + json_results["Release"])
+ print("\n")
+
+ return json_results
+
+
+process_stig(file1, "zip")
+
+process_stig(file2, "xccdf")
+
+path = "/tmp"
+
+obj = os.scandir(path)
+
+print("Files and Directories in '% s':" % path)
+for entry in obj:
+ if entry.is_dir() or entry.is_file():
+ print(entry.name)
diff --git a/sqlalcamey/sqla.py b/sqlalcamey/sqla.py
new file mode 100644
index 000000000..6ad87ed78
--- /dev/null
+++ b/sqlalcamey/sqla.py
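Review bot: The bare `except:` in the xccdf branch swallows every error, prints, and falls through, so after a failed open `json_results` is still the empty string and `json_results["Title"]` on the following line raises TypeError instead of a clear failure; the message also names the module-level `file2` rather than the `stig` argument that was actually opened, and `open()` without `with` leaks the handle. I would narrow the handler to `OSError`, report `stig`, and re-raise rather than continue. `type` shadows the builtin, and `convert_xccdf` parses XML from an arbitrary path whose parser configuration lives in `stig_parser` and is not visible here, so if inputs come from outside the repository, confirm that it does not resolve external entities. The `process_stig` calls and the `/tmp` listing also run at import time; guarding them under `if __name__ == "__main__":` keeps importing the module side-effect free.
```python
    else:
        try:
            with open(stig, "r") as fp:
                json_results = convert_xccdf(fp.read())
        except OSError:
            print("could not open: " + stig)
            print("please check the path, cwd is " + os.getcwd())
            raise
    # … unchanged: summary printing and return …
```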
@@ -0,0 +1,43 @@
+# https://www.youtube.com/watch?v=1Va493SMTcY&t=2637s
+from sqlalchemy.ext.automap import automap_base
+from sqlalchemy.orm import Session
+from sqlalchemy import create_engine
+from sqlalchemy import inspect
+
+Base = automap_base()
+
+# engine, suppose it has two tables 'user' and 'address' set up
+engine = create_engine("sqlite:///database/test.db")
+
+# reflect the tables
+Base.prepare(autoload_with=engine)
+
+# mapped classes are now created with names by default
+# matching that of the table name.
+
+Benchmarks = Base.classes.Benchmarks
+Artifact = Base.classes.Artifact
+Organization = Base.classes.Organization
+Statuses = Base.classes.Statuses
+Products = Base.classes.Products
+
+artifact_types = Base.classes.artifact_types
+benchmark_artifacts = Base.classes.benchmark_artifacts
+benchmark_type = Base.classes.benchmark_type
+
+session = Session(engine)
+inspector = inspect(engine)
+
+
+import ipdb
+
+ipdb.set_trace()
+
+# rudimentary relationships are produced
+session.add(Address(email_address="foo@bar.com", user=User(name="foo")))
+session.commit()
+
+# collection-based relationships are by default named
+# "_collection"
+u1 = session.query(User).first()
+print(u1.address_collection)
diff --git a/sqlalcamey/tests/__init__.py b/sqlalcamey/tests/__init__.py
new file mode 100644
index 000000000..e69de29bb
diff --git a/sqlalcamey/tests/test_associate_artifact_with_benchmark.py b/sqlalcamey/tests/test_associate_artifact_with_benchmark.py
new file mode 100644
index 000000000..9d0857d0c
--- /dev/null
+++ b/sqlalcamey/tests/test_associate_artifact_with_benchmark.py
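Review bot: `import ipdb` followed by `ipdb.set_trace()` at module level means any import of sqla.py stops in an interactive debugger, and the lines after it reference `Address` and `User`, which are not among the reflected classes bound above, so execution raises NameError once the breakpoint is continued; these lines look like leftovers from the automap example linked on the first line and should be removed along with the third-party `ipdb` import. `create_engine`, `Base.prepare(autoload_with=engine)` and `Session(engine)` also run at import time against `sqlite:///database/test.db`, so merely importing the module opens and reflects a database; moving that setup into a function or under `if __name__ == "__main__":` keeps the module importable without side effects.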
@@ -0,0 +1,25 @@
+import unittest
+from unittest.mock import Mock, patch
+from sqlalchemy.orm import Session
+from ..interfaces import associate_artifact_with_benchmark
+from ..models import BenchmarkArtifacts
+
+
+class TestAssociateArtifactWithBenchmark(unittest.TestCase):
+ @patch("sqlalchemy.orm.Session")
+ def test_associate_artifact_with_benchmark(self, mock_session):
+ # Arrange
+ mock_association = Mock(spec=BenchmarkArtifacts)
+ mock_session.add.return_value = None
+ mock_session.commit.return_value = None
+
+ # Act
+ associate_artifact_with_benchmark(mock_session, 1, 1, True)
+
+ # Assert
+ mock_session.add.assert_called_once()
+ mock_session.commit.assert_called_once()
+
+
+if __name__ == "__main__":
+ unittest.main()
diff --git a/sqlalcamey/tests/test_disassociate_artifact_from_benchmark.py b/sqlalcamey/tests/test_disassociate_artifact_from_benchmark.py
new file mode 100644
index 000000000..6c9415e7f
--- /dev/null
+++ b/sqlalcamey/tests/test_disassociate_artifact_from_benchmark.py
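Review bot: `mock_session.add.assert_called_once()` passes no matter what object was added, so the test never checks that the association carries the ids and flag it was given; `mock_association` and the `Session` import are also unused. I would capture the argument and assert on it: `added = mock_session.add.call_args.args[0]`, `self.assertIsInstance(added, BenchmarkArtifacts)`, `self.assertEqual((added.benchmark_id, added.artifact_id, added.is_default), (1, 1, True))`. The `@patch("sqlalchemy.orm.Session")` decorator appears to patch a name the function under test does not look up, since the session is passed in explicitly, so `mock_session = Mock(spec=Session)` inside the test would be clearer; the same applies to the decorator in test_disassociate_artifact_from_benchmark.py.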
@@ -0,0 +1,33 @@
+import unittest
+from unittest.mock import Mock, patch
+from sqlalchemy.orm import Session
+from ..interfaces import disassociate_artifact_from_benchmark
+from ..models import BenchmarkArtifacts
+
+
+class TestDisassociateArtifactFromBenchmark(unittest.TestCase):
+ @patch("sqlalchemy.orm.Session")
+ def test_disassociate_artifact_from_benchmark(self, mock_session):
+ # Arrange
+ mock_association = Mock(spec=BenchmarkArtifacts)
+ mock_session.query.return_value.filter.return_value.first.return_value = (
+ mock_association
+ )
+ mock_session.delete.return_value = None
+ mock_session.commit.return_value = None
+
+ # Act
+ disassociate_artifact_from_benchmark(mock_session, 1, 1)
+
+ # Assert
+ mock_session.query.assert_called_once_with(BenchmarkArtifacts)
+ mock_session.query.return_value.filter.assert_called_once_with(
+ BenchmarkArtifacts.benchmark_id == 1,
+ BenchmarkArtifacts.artifact_id == 1,
+ )
+ mock_session.delete.assert_called_once_with(mock_association)
+ mock_session.commit.assert_called_once()
+
+
+if __name__ == "__main__":
+ unittest.main()
diff --git a/sqlalcamey/utils.py b/sqlalcamey/utils.py
new file mode 100644
index 000000000..4c68049e3
--- /dev/null
+++ b/sqlalcamey/utils.py
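Review bot: `filter.assert_called_once_with(BenchmarkArtifacts.benchmark_id == 1, ...)` relies on `==` between SQLAlchemy clause objects, and `ClauseElement.__eq__` builds a new expression rather than returning a plain bool, so this equality check is fragile and may not compare what the test intends; comparing the captured arguments with `.compare()` is the supported way, e.g. `clauses = mock_session.query.return_value.filter.call_args.args` and `self.assertTrue(clauses[0].compare(BenchmarkArtifacts.benchmark_id == 1))`. The test also covers only the found path; a second case where `first()` returns None should assert that `delete` and `commit` are not called. The `Session` import is unused.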
@@ -0,0 +1,168 @@
+# utils.py
+from typing import Type, Optional, Any, Dict, List, Union
+from sqlalchemy.orm import Session
+from sqlalchemy.sql.schema import Column
+from sqlalchemy.ext.declarative import DeclarativeMeta
+
+
+# The `table:`` parameter is used, but it might not be immediately obvious where.
+
+# In SQLAlchemy, when you perform a query, you specify the model class
+# (which represents a table in your database) as an argument to session.query().
+# In this function, table is used in this way.
+
+# The line session.query(column).filter(filter_column == id).first() is where table
+# is used indirectly. Here, column and filter_column are expected to be attributes
+# of an instance of table. When you pass Statuses.name and Statuses.status_id as
+# column and filter_column respectively, you're actually passing attributes of
+# the Statuses model, which represents a table in your database.
+
+# So, while table isn't explicitly mentioned in the function body, it's used to
+# derive the column and filter_column parameters. The function wouldn't work correctly
+# if column and filter_column weren't attributes of table.
+
+
+def get_column_value_by_id(
+    session: Session,
+    table: Type[DeclarativeMeta],
+    column: Column,
+    filter_column: Column,
+    id: int,
+) -> Optional[Any]:
+    """
+    Retrieves a specific column value for a record in a table, given the record's ID.
+
+    Args:
+        session (sqlalchemy.orm.Session): The session object used to execute database queries.
+        table (sqlalchemy.ext.declarative.api.DeclarativeMeta): The SQLAlchemy model class representing the table.
+        column (sqlalchemy.sql.schema.Column): The column in the table that you want to retrieve.
+        filter_column (sqlalchemy.sql.schema.Column): The column in the table that you want to filter on.
+        id (int): The ID of the record you want to retrieve.
+
+    Returns:
+        Any: The value of the specified column for the record with the given ID. If no such record exists, returns None.
+
+    Example:
+        from sqlalchemy.orm import Session
+        # the table from models you want to access
+        from .models import Statuses
+        # create a new session
+        session = Session()
+        # get the name of the status with ID 1
+        name = get_column_value_by_id(session, Statuses, Statuses.name, Statuses.status_id, 1)
+        print(name)
+    """
+    result = session.query(column).filter(filter_column == id).first()
+    if result is not None:
+        return result[0]
+    else:
+        return None
+
+
+def update_column_value_by_id(
+    session: Session,
+    table: Type[DeclarativeMeta],
+    column: Column,
+    filter_column: Column,
+    id: int,
+    new_value: Any,
+) -> None:
+    """
+    Updates a specific column value for a record in a table, given the record's ID.
+
+    Args:
+        session (sqlalchemy.orm.Session): The session object used to execute database queries.
+        table (sqlalchemy.ext.declarative.api.DeclarativeMeta): The SQLAlchemy model class representing the table.
+        column (sqlalchemy.sql.schema.Column): The column in the table that you want to update.
+        filter_column (sqlalchemy.sql.schema.Column): The column in the table that you want to filter on.
+        id (int): The ID of the record you want to update.
+        new_value (Any): The new value that you want to set for the specified column.
+
+    Example:
+        from sqlalchemy.orm import Session
+        from .models import Statuses
+        # create a new session
+        session = Session()
+        # update the name of the status with ID 1
+        update_column_value_by_id(session, Statuses, Statuses.name, Statuses.status_id, 1, 'New Name')
+    """
+    record = session.query(table).filter(filter_column == id).first()
+    if record is not None:
+        setattr(record, column.name, new_value)
+        session.commit()
+
+
+def get_values_in_row_by_id(
+    session: Session,
+    table: Type[DeclarativeMeta],
+    columns: Union[Dict[str, Column], List[Column]],
+    filter_column: Column,
+    id: int,
+) -> Optional[Union[Dict[str, Any], List[Any]]]:
+    """
+    Retrieves specific column values for a record in a table, given the record's ID.
+
+    Args:
+        session (sqlalchemy.orm.Session): The session object used to execute database queries.
+        table (sqlalchemy.ext.declarative.api.DeclarativeMeta): The SQLAlchemy model class representing the table.
+        columns (Union[Dict[str, sqlalchemy.sql.schema.Column], List[sqlalchemy.sql.schema.Column]]): Either a dictionary where the keys are the names of the columns you want to retrieve and the values are the corresponding Column objects, or a list of Column objects.
+        filter_column (sqlalchemy.sql.schema.Column): The column in the table that you want to filter on.
+        id (int): The ID of the record you want to retrieve.
+
+    Returns:
+        Union[Dict[str, Any], List[Any]]:
+            If columns is a dictionary, returns a dictionary where the keys are the names of the columns and the values are the values of those columns for the record with the given ID.
+            If columns is a list, returns a list of the values of the specified columns for the record with the given ID. If no such record exists, returns None.
+
+    Example:
+        from sqlalchemy.orm import Session
+        from .models import Statuses
+        # create a new session
+        session = Session()
+
+        # get some values in the row with ID 1 using a dictionary of columns
+        values_dict = get_values_in_row_by_id(session, Statuses, {'name': Statuses.name, 'status': Statuses.status}, Statuses.status_id, 1)
+        print(values_dict)
+
+        # get some values in the row with ID 1 using a list of columns
+        values_list = get_values_in_row_by_id(session, Statuses, [Statuses.name, Statuses.status], Statuses.status_id, 1)
+        print(values_list)
+    """
+    if isinstance(columns, dict):
+        record = session.query(*columns.values()).filter(filter_column == id).first()
+        if record is not None:
+            return {key: value for key, value in zip(columns.keys(), record)}
+    elif isinstance(columns, list):
+        record = session.query(*columns).filter(filter_column == id).first()
+        if record is not None:
+            return list(record)
+    else:
+        return None
+
+
+def get_all_values_in_row_by_id(
+    session: Session, table: Type[DeclarativeMeta], filter_column: Column, id: int
+) -> Optional[DeclarativeMeta]:
+    """
+    Retrieves all column values for a record in a table, given the record's ID.
+
+    Args:
+        session (sqlalchemy.orm.Session): The session object used to execute database queries.
+        table (sqlalchemy.ext.declarative.api.DeclarativeMeta): The SQLAlchemy model class representing the table.
+        filter_column (sqlalchemy.sql.schema.Column): The column in the table that you want to filter on.
+        id (int): The ID of the record you want to retrieve.
+
+    Returns:
+        DeclarativeMeta: An instance of the table class representing the record with the given ID. If no such record exists, returns None.
+
+    Example:
+        from sqlalchemy.orm import Session
+        from .models import Statuses
+        # create a new session
+        session = Session()
+        # get all values in the row with ID 1
+        row = get_all_values_in_row_by_id(session, Statuses, Statuses.status_id, 1)
+        print(row)
+    """
+    record = session.query(table).filter(filter_column == id).first()
+    return record
diff --git a/tailwind.config.js b/tailwind.config.js
new file mode 100644
index 000000000..e69de29bb
diff --git a/test/U_CAN_Ubuntu_20-04_LTS_V1R5_STIG.zip b/test/U_CAN_Ubuntu_20-04_LTS_V1R5_STIG.zip
new file mode 100644
index 000000000..9730ad737
Binary files /dev/null and b/test/U_CAN_Ubuntu_20-04_LTS_V1R5_STIG.zip differ
diff --git a/tmp/extract.sh b/tmp/extract.sh
index 4bb1e9df5..b356f7dd9 100644
--- a/tmp/extract.sh
+++ b/tmp/extract.sh
@@ -1,9 +1,7 @@
 mkdir tmp
-for i in {1..5}
-do
-  find . -name "*.zip" -print0 | while read -d $'\0' file
-  do
+for i in {1..5}; do
+  find . -name "*.zip" -print0 | while read -d $'\0' file; do
     echo $file
     unzip -d tmp -o "$file"
     rm -f "$file"
@@ -11,12 +9,11 @@ do
 done
 mkdir stigs
-find . -name 'U*xccdf.xml' -print0 | while read -d $'\0' file
-do
+find . -name 'U*xccdf.xml' -print0 | while read -d $'\0' file; do
   cp "$file" ./stigs/
 done
 rm -rf tmp
 mv ./stigs/U*xccdf.xml ../benchmarks/DISA/
-rm -rf stigs
\ No newline at end of file
+rm -rf stigs
diff --git a/update.py b/update.py
deleted file mode 100644
index 92e7aca17..000000000
--- a/update.py
+++ /dev/null
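Review bot: `get_column_value_by_id` never reads its `table` parameter, yet the comment block above it insists `table` is "used indirectly" — nothing in the body checks that `column` or `filter_column` belong to `table`, so a caller can pass `Statuses` with a column from another model and the query silently runs against that other table; the comment should say plainly that `table` is accepted only to keep the signature uniform with the other helpers (or the parameter should be validated). In `get_values_in_row_by_id` the final `else:` branch returns `None` for a `columns` argument that is neither a dict nor a list, which makes a wrong argument indistinguishable from a missing row; make it `raise TypeError("columns must be a dict or a list of Column objects")`. In `update_column_value_by_id`, `setattr(record, column.name, new_value)` uses the database column name, and when a mapped attribute's key differs from its column name this writes an unmapped plain attribute and nothing is persisted — for the `Statuses.name`-style mapped attributes the docstrings show, `column.key` is the attribute name (worth confirming against the models). That helper also calls `session.commit()` on a session it did not open, committing whatever else the caller had pending in the same transaction; `session.flush()` with commit left to the caller keeps the unit of work where it belongs. The `id` parameter shadows the builtin throughout; renaming is a compatibility break now, but new helpers should avoid it.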
@@ -1,299 +0,0 @@ -import requests -from bs4 import BeautifulSoup -from difflib import SequenceMatcher -import re -import json -import uuid -import re -import os -import xml.etree.ElementTree as ET - -badTerms = ['scc', 'library', '.msi.zip', 'srg_stig_applicability_guide', 'STIGApplicabilityGuide'] -url = "https://public.cyber.mil/stigs/downloads/" -headers = { - 'Access-Control-Allow-Origin': '*', - 'Access-Control-Allow-Methods': 'GET', - 'Access-Control-Allow-Headers': 'Content-Type', - 'Access-Control-Max-Age': '3600', - 'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0' -} -stigs = [] - -with open('stigs.json', 'r') as existingSTIGsFile: - stigs = json.load(existingSTIGsFile) - -def getFilename(url): - return url.split('/')[-1] - -### Get STIGS from DISA'S site - -def updateSTIGSList(): - # If you're running behind a proxy with SSL bumping - req = requests.get(url, headers, verify=False) - # req = requests.get(url, headers) - soup = BeautifulSoup(req.content, 'html.parser') - table = soup.find_all('table')[0] # Grab the first table - - knownURLs = [] - - with open('stigs.json', 'r') as existingSTIGsFile: - existingSTIGs = json.load(existingSTIGsFile) - knownURLs.extend([stig['url'] for stig in existingSTIGs]) - - def cleanText(inputText): - return re.sub(' +', ' ', inputText.replace('\r', ' ').replace('\u200b', '').replace('\n', ' ').split('\t')[0].strip()).strip() - - for row in table.find_all('tr'): - try: - columns = row.find_all('td') - href = "" - name = "" - size = "" - for idx, column in enumerate(columns): - if idx == 2: - size = column.get_text().strip() - if idx == 1: - href = column.find('a')['href'] - name = cleanText(column.get_text()) - if (href != "" and name != "" and size != "" and ('stig' in name.lower() or 'benchmark' in name.lower() or 'stig' in href.lower() or 'benchmark' in href.lower()) and "viewer" not in name.lower()): - # Check if the similarity of the current name is similar to an existing 
name - newStig = True - knownIndex = 0 - hrefWithNoVersion = re.sub(r'V\d(\d?)(\d?)(\d?)(\d?)R\d(\d?)(\d?)(\d?)(\d?)', '', href) - for idx, knownURL in enumerate(knownURLs): - knownURLWithNoVersion = re.sub(r'V\d(\d?)(\d?)(\d?)(\d?)R\d(\d?)(\d?)(\d?)(\d?)', '', knownURL) - if SequenceMatcher(None, hrefWithNoVersion, knownURLWithNoVersion).ratio() > 0.99: - # print(f"Similarity: {SequenceMatcher(None, hrefWithNoVersion, knownURLWithNoVersion).ratio()} {hrefWithNoVersion} -> {knownURLWithNoVersion}") - knownIndex = idx - newStig = False - break - if newStig: - if (href.lower().endswith('.zip')): - knownURLs.append(href) - #print(f"Downloading {name}: {href}") - #urllib.request.urlretrieve(href, "tmp/" + getFilenameFromURL(href)) - # Get version from the file name e.g "U_IBM_MaaS360_with_Watson_v10-x_MDM_V1R2_STIG.zip" - version = re.search(r'V\d(\d?)(\d?)(\d?)(\d?)R\d(\d?)(\d?)(\d?)(\d?)', href) - if version is not None: - stigs.append({ - 'id': str(uuid.uuid4()), - 'name': name, - 'url': href, - 'size': size, - 'version': version.group(0) - }) - else: - print(f"Version not found in {href}") - # Attempt to get version number from name, e.g "Ver 1, Rel 1" - version = re.search(r'Ver (\d?)(\d?)(\d?)(\d?), Rel (\d?)(\d?)(\d?)(\d?)', name) - if version is not None: - versionNumber = f"V{version.group(1)}{version.group(2)}{version.group(3)}{version.group(4)}R{version.group(5)}{version.group(6)}{version.group(7)}{version.group(8)}" - print(f"Version found in {href} as {versionNumber}") - stigs.append({ - 'id': str(uuid.uuid4()), - 'name': name, - 'url': href, - 'size': size, - 'version': versionNumber - }) - else: - stigs.append({ - 'id': str(uuid.uuid4()), - 'name': name, - 'url': href, - 'size': size - }) - else: - version = re.search(r'V\d(\d?)(\d?)(\d?)(\d?)R\d(\d?)(\d?)(\d?)(\d?)', href) - if version is not None: - stigs[knownIndex]['url'] = href - stigs[knownIndex]['size'] = size - stigs[knownIndex]['version'] = version.group(0) - stigs[knownIndex]['name'] = name - 
elif version is None: - version = re.search(r'Ver (\d?)(\d?)(\d?)(\d?), Rel (\d?)(\d?)(\d?)(\d?)', name) - if version is not None: - versionNumber = f"V{version.group(1)}{version.group(2)}{version.group(3)}{version.group(4)}R{version.group(5)}{version.group(6)}{version.group(7)}{version.group(8)}" - print(f"Version found in '{name}' as {versionNumber}") - stigs[knownIndex]['url'] = href - stigs[knownIndex]['size'] = size - stigs[knownIndex]['version'] = versionNumber - stigs[knownIndex]['name'] = name - else: - # I've seen DISA remove the version number from the URL, so we need to remove it from the existing STIG if it's no longer there. - print(f"Version not found in {href}") - stigs[knownIndex]['url'] = href - stigs[knownIndex]['size'] = size - stigs[knownIndex]['name'] = name - if 'version' in stigs[knownIndex]: - del stigs[knownIndex]['version'] - - except KeyboardInterrupt: - exit() - except Exception as e: - print(e) - # Bad rows ignored, typicall they don't contain a download link - pass - - with open('stigs.json', 'w') as outfile: - json.dump(stigs, outfile, indent=2) - -def updateSTIGS(): - # Delete the existing STIGs - os.system("rm -rf tmp/input/*") - - ## Download the STIGs - for stig in stigs: - # Download ZIP from DISA if it doesn't contain a banned term - foundTerm = False - - for badTerm in badTerms: - if badTerm.lower() in stig['url'].lower(): - foundTerm = True - - if not foundTerm: - if 'scc' not in stig['url'].lower() and 'library' not in stig['url'].lower(): - os.system(f"wget {stig['url']} -O tmp/input/{stig['id']}.zip") - - # Unzip the STIGs - os.system("cd tmp; bash extract.sh") - -def associateSTIGFileArchives(): - # Get filenames from benchmarks folder - downloadedStigs = os.listdir('benchmarks/DISA/') - - for idx, benchmark in enumerate(stigs): - urlWithNoVersion = re.sub( - r'V\d(\d?)(\d?)(\d?)(\d?)R\d(\d?)(\d?)(\d?)(\d?)', '', getFilename(benchmark['url'])) - version = re.search( - r'V\d(\d?)(\d?)(\d?)(\d?)R\d(\d?)(\d?)(\d?)(\d?)', 
getFilename(benchmark['url'])) - if version is not None: - version = version.group(0) - highestSimilarity = 0.0 - highestSimilarityFilename = None - for filename in downloadedStigs: - filenameVersion = re.search( - r'V\d(\d?)(\d?)(\d?)(\d?)R\d(\d?)(\d?)(\d?)(\d?)', getFilename(filename)) - if filenameVersion is not None: - filenameVersion = filenameVersion.group(0) - similarity = SequenceMatcher( - None, urlWithNoVersion, filename).ratio() - if similarity > highestSimilarity and filenameVersion == version: - highestSimilarity = similarity - highestSimilarityFilename = filename - if highestSimilarityFilename is not None: - print(f"{getFilename(benchmark['url'])} -> {highestSimilarityFilename}") - stigs[idx]['file'] = f"https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/benchmarks/DISA/{highestSimilarityFilename}" - else: - del stigs[idx] - else: - print("No version for url: "+benchmark['url']) - - with open('stigs.json', 'w') as outfile: - json.dump(stigs, outfile, indent=2) - -""" -Gets the Profile ID from the XCCDF xml file -Example: - - - -We want "Active_Directory_Domain" from this. 
-""" - -def getProfileIDFromProfileXMLs(): - for stig in stigs: - if 'file' in stig: - # Get the file path from the file URL - filePath = stig['file'].split('https://raw.githubusercontent.com/mitre/inspec-profile-update-action/main/')[1] - # Get the file name from the file path - fileName = filePath.split('/')[-1] - - # Parse the XML file - tree = ET.parse(filePath) - root = tree.getroot() - - # Get the ID from the root - if 'id' in root.attrib: - if '/' not in root.attrib['id']: - stig['id'] = root.attrib['id'] - else: - print(f"No ID found for {fileName}") - - with open('stigs.json', 'w') as outfile: - json.dump(stigs, outfile, indent=2) - -def pageGenerator(): - # Delete existing generated actions - os.system("rm -rf actions/*") - - for stig in stigs: - - yml = f""" -on: [push] - -jobs: -test_action: - runs-on: ubuntu-latest - name: Test inpec-profile-update action - steps: - # To use this repository's private action, - # you must check out the repository - - name: Checkout - uses: actions/checkout@v3 - # Update profile - - name: Updates profile - uses: mitre/inspec-profile-update-action@main - # Set env variables - env: - profile: {stig['id']} - # Create new branch - - name: Push changes to new PR - uses: peter-evans/create-pull-request@v4 - with: - branch: update-profile - delete-branch: true""" - - with open(f"actions/{stig['id']}.yml", "w") as f: - f.write(yml) - - html = """ - - - - STIGs List - - """ - - html += "" - for stig in stigs: - html += f""" - - - - """ - if 'version' in stig: - html += f"""""" - else: - html += f"""""" - html += f""" - - - - """ - html += "
STIG IDNameVersionURLSizeAction
{stig['id']}{stig['name']}{stig['version']}Download{stig['size']}Download Action
" - - with open("index.html", "w") as f: - f.write(html) - -updateSTIGSList() -updateSTIGS() -associateSTIGFileArchives() -getProfileIDFromProfileXMLs() -pageGenerator() \ No newline at end of file