/usr/share/scap-security-guide/Debian/8/bash-remediations.xml is in ssg-debian 0.1.31-5.
This file is owned by root:root, with mode 0o644.
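<!--
  Bash remediation scripts for the Debian 8 SCAP Security Guide content.
  Each <fix> element is keyed by its XCCDF rule id; system="urn:xccdf:fix:script:sh"
  declares that the element text is a POSIX shell snippet to be run by the
  remediation tool, so everything inside a <fix> (including the # lines) is script.
  The scripts are meant to run unattended: every apt-get call therefore passes -y,
  because apt-get aborts at its "Do you want to continue?" prompt when no terminal
  is attached and extra packages would be changed.
  Rules that install a package use strategy="enable"; rules that remove a package
  or a login path use strategy="disable"; mode changes use strategy="configure".
-->
<fix-content system="urn:xccdf:fix:script:sh" xmlns="http://checklists.nist.gov/xccdf/1.1">
<fix-group id="bash" system="urn:xccdf:fix:script:sh">
<!-- Root login restrictions through /etc/securetty (the tty list read by pam_securetty). -->
<fix rule="securetty_root_login_console_only" complexity="low" disruption="low" reboot="false" strategy="disable"># Drop the virtual-console (vc/N) entries so root may only log in on the
# terminals that remain listed.
sed -i '/^vc\//d' /etc/securetty
</fix>
<fix rule="no_direct_root_logins" complexity="low" disruption="low" reboot="false" strategy="disable"># Truncate /etc/securetty to a single newline. With no tty listed, root has no
# permitted login terminal and must come in through su/sudo from a normal account.
echo > /etc/securetty
</fix>
<fix rule="restrict_serial_port_logins" complexity="low" disruption="low" reboot="false" strategy="disable"># Remove every serial-port (ttyS*) entry so root cannot log in over a serial line.
sed -i '/ttyS/d' /etc/securetty
</fix>
<!-- Permissions on the account databases. Only the mode is set here; ownership is
     left as is and is assumed to be the Debian default (root:root, root:shadow). -->
<fix rule="file_permissions_etc_passwd" complexity="low" disruption="low" reboot="false" strategy="configure"># World-readable, writable only by the owner.
chmod 0644 /etc/passwd
</fix>
<fix rule="file_permissions_etc_shadow" complexity="low" disruption="low" reboot="false" strategy="configure"># Owner read/write, group read, no world access. Group read is meaningful only
# because the file is expected to be group "shadow"; this rule does not chown it.
chmod 0640 /etc/shadow
</fix>
<fix rule="file_permissions_etc_group" complexity="low" disruption="low" reboot="false" strategy="configure"># World-readable, writable only by the owner.
chmod 0644 /etc/group
</fix>
<!-- Removal of packages that provide cleartext or legacy remote-access services. -->
<fix rule="package_telnetd_removed" complexity="low" disruption="low" reboot="false" strategy="disable"># CAUTION: This remediation script will remove telnetd
# from the system, and may remove any packages
# that depend on telnetd. Execute this
# remediation AFTER testing on a non-production
# system!
apt-get -y remove --purge telnetd
</fix>
<fix rule="package_ntpdate_removed" complexity="low" disruption="low" reboot="false" strategy="disable"># CAUTION: This remediation script will remove ntpdate
# from the system, and may remove any packages
# that depend on ntpdate. Execute this
# remediation AFTER testing on a non-production
# system!
apt-get -y remove --purge ntpdate
</fix>
<fix rule="file_permissions_etc_gshadow" complexity="low" disruption="low" reboot="false" strategy="configure"># Same contract as /etc/shadow: owner read/write, group read, no world access.
chmod 0640 /etc/gshadow
</fix>
<fix rule="package_openssh-server_removed" complexity="low" disruption="low" reboot="false" strategy="disable"># CAUTION: This remediation script will remove openssh-server
# from the system, and may remove any packages
# that depend on openssh-server. Execute this
# remediation AFTER testing on a non-production
# system!
# Removing the SSH daemon cuts off remote administration of the host; only
# apply this fix where a local or out-of-band console is available.
apt-get -y remove --purge openssh-server
</fix>
<fix rule="package_nis_removed" complexity="low" disruption="low" reboot="false" strategy="disable"># CAUTION: This remediation script will remove nis
# from the system, and may remove any packages
# that depend on nis. Execute this
# remediation AFTER testing on a non-production
# system!
apt-get -y remove --purge nis
</fix>
<fix rule="package_telnetd-ssl_removed" complexity="low" disruption="low" reboot="false" strategy="disable"># CAUTION: This remediation script will remove telnetd-ssl
# from the system, and may remove any packages
# that depend on telnetd-ssl. Execute this
# remediation AFTER testing on a non-production
# system!
apt-get -y remove --purge telnetd-ssl
</fix>
<fix rule="package_inetutils-telnetd_removed" complexity="low" disruption="low" reboot="false" strategy="disable"># CAUTION: This remediation script will remove inetutils-telnetd
# from the system, and may remove any packages
# that depend on inetutils-telnetd. Execute this
# remediation AFTER testing on a non-production
# system!
apt-get -y remove --purge inetutils-telnetd
</fix>
<!-- Installation of logging, auditing, time-sync and scheduling packages. -->
<fix rule="package_rsyslog_installed" complexity="low" disruption="low" reboot="false" strategy="enable"># Install the rsyslog package; configuration of log destinations is left to
# the rsyslog-specific rules.
apt-get -y install rsyslog
</fix>
<fix rule="package_auditd_installed" complexity="low" disruption="low" reboot="false" strategy="enable"># Install the audit daemon package; the audit rule set is configured by
# separate rules.
apt-get -y install auditd
</fix>
<fix rule="package_rsh-client_removed" complexity="low" disruption="low" reboot="false" strategy="disable"># CAUTION: This remediation script will remove rsh-client
# from the system, and may remove any packages
# that depend on rsh-client. Execute this
# remediation AFTER testing on a non-production
# system!
apt-get -y remove --purge rsh-client
</fix>
<fix rule="package_rsh-server_removed" complexity="low" disruption="low" reboot="false" strategy="disable"># CAUTION: This remediation script will remove rsh-server
# from the system, and may remove any packages
# that depend on rsh-server. Execute this
# remediation AFTER testing on a non-production
# system!
apt-get -y remove --purge rsh-server
</fix>
<fix rule="package_ntp_installed" complexity="low" disruption="low" reboot="false" strategy="enable"># Install the NTP daemon package so the clock can be kept in sync.
apt-get -y install ntp
</fix>
<fix rule="package_ntpd_installed" complexity="low" disruption="low" reboot="false" strategy="enable"># NOTE(review): "ntpd" does not appear to be a Debian 8 package name; the daemon
# is shipped as "ntp" (see package_ntp_installed above). Confirm the package
# name before relying on this fix, as apt-get will fail if it is unknown.
apt-get -y install ntpd
</fix>
<fix rule="package_cron_installed" complexity="low" disruption="low" reboot="false" strategy="enable"># Install the cron package so scheduled jobs (including log rotation) can run.
apt-get -y install cron
</fix>
<fix rule="package_talkd_removed" complexity="low" disruption="low" reboot="false" strategy="disable"># CAUTION: This remediation script will remove talkd
# from the system, and may remove any packages
# that depend on talkd. Execute this
# remediation AFTER testing on a non-production
# system!
apt-get -y remove --purge talkd
</fix>
<fix rule="package_talk_removed" complexity="low" disruption="low" reboot="false" strategy="disable"># CAUTION: This remediation script will remove talk
# from the system, and may remove any packages
# that depend on talk. Execute this
# remediation AFTER testing on a non-production
# system!
apt-get -y remove --purge talk
</fix>
</fix-group>
</fix-content>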