[Forgot Password]
Login  Register Subscribe

30389

 
 

423868

 
 

241641

 
 

909

 
 

192372

 
 

277

Paid content will be excluded from the download.


Download | Alert*


oval:org.secpod.oval:def:708271
etcd: highly-available key value store -- client etcd could be made to expose sensitive information over the network.

oval:org.secpod.oval:def:708146
mysql-8.0: MySQL database Details: USN-6060-1 fixed vulnerabilities in MySQL. The new upstream 8.0.33 version introduced a regression on the armhf architecture. This update fixes the problem. Original advisory USN-6060-1 introduced a regression in MySQL.

oval:org.secpod.oval:def:708269
dotnet6: dotNET CLI tools and runtime - dotnet7: dotNET CLI tools and runtime Details: USN-6161-1 fixed vulnerabilities in .NET. The update introduced a regression with regards to how the runtime imported X.509 certificates. This update fixes the problem. We apologize for the inconvenience. Original ...

oval:org.secpod.oval:def:708109
Ubuntu 23.04 is installed

oval:org.secpod.oval:def:92219
Log files stored in /var/log/ contain logged information from many services on the system, or on log hosts others as well. Rationale: It is important to ensure that log files have the correct permissions to ensure that sensitive data is archived and protected.

oval:org.secpod.oval:def:708393
openjdk-17: Open Source Java implementation - openjdk-lts: Open Source Java implementation Details: USN-6263-1 fixed vulnerabilities in OpenJDK. Unfortunately, that update introduced a regression when opening APK, ZIP or JAR files in OpenJDK 11 and OpenJDK 17. This update fixes the problem. We apolo ...

oval:org.secpod.oval:def:708450
atftp: Advanced TFTP Server and Client atftp could be made to crash if it received specially crafted network traffic.

oval:org.secpod.oval:def:708259
python-werkzeug: collection of utilities for WSGI applications Details: USN-5948-1 fixed vulnerabilities in Werkzeug. This update provides the corresponding updates for Ubuntu 23.04. Original advisory Several security issues were fixed in Werkzeug.

oval:org.secpod.oval:def:708404
docker-registry: Docker toolset to pack, ship, store, and deliver content Docker Registry could be made to crash if it received specially crafted input.

oval:org.secpod.oval:def:708234
sniproxy: Transparent TLS and HTTP layer 4 proxy with SNI support SNI Proxy could be made to crash or run programs if it received specially crafted input.

oval:org.secpod.oval:def:708329
llvm-toolchain-13: C, C++ and Objective-C compiler - llvm-toolchain-14: C, C++ and Objective-C compiler - llvm-toolchain-15: C, C++ and Objective-C compiler Several security issues were fixed in LLVM Toolchain.

oval:org.secpod.oval:def:91660
llvm-toolchain-15: C, C++ and Objective-C compiler Several security issues were fixed in LLVM Toolchain.

oval:org.secpod.oval:def:708282
cpdb-libs: Common Print Dialog Backends - Tools CPDB could be made to crash or execute arbitrary code.

oval:org.secpod.oval:def:708289
ruby-doorkeeper: OAuth 2 provider for Rails and Grape Doorkeeper could be made to expose sensitive information over the network.

oval:org.secpod.oval:def:708276
python-reportlab: library to create PDF documents ReportLab could be made to crash or run programs as your login if it opened a specially crafted file.

oval:org.secpod.oval:def:708142
python-os-brick: Library for managing local volume attaches os-brick could be made to expose sensitive information.

oval:org.secpod.oval:def:708141
cinder: OpenStack storage service Cinder could be made to expose sensitive information.

oval:org.secpod.oval:def:708143
python-glance-store: OpenStack Image Service store library Glance_store could be made to expose sensitive information.

oval:org.secpod.oval:def:708140
nova: OpenStack Compute cloud infrastructure Nova could be made to expose sensitive information.

oval:org.secpod.oval:def:708316
cinder: OpenStack storage service - ironic: Openstack bare metal provisioning service - nova: OpenStack Compute cloud infrastructure - python-glance-store: OpenStack Image Service store library - python-os-brick: Library for managing local volume attaches OpenStack could be made to expose sensitive ...

oval:org.secpod.oval:def:708230
glusterfs: clustered file-system GlusterFS could be made to crash if it received a specially crafted request.

oval:org.secpod.oval:def:708342
maradns: A small open-source DNS server Several security issues were fixed in MaraDNS.

oval:org.secpod.oval:def:708571
axis: SOAP implementation in Java Axis could be made to crash or execute arbitrary code if it received specially crafted input.

oval:org.secpod.oval:def:708573
libsndfile: Library for reading/writing audio files libsndfile could be made to crash if it received specially crafted input.

oval:org.secpod.oval:def:708580
memcached: High-performance in-memory object caching system Several security issues were fixed in memcached.

oval:org.secpod.oval:def:708593
iniparser: development files for the iniParser INI file reader/writer Iniparser could be made to crash if it received a specially crafted file.

oval:org.secpod.oval:def:708600
hibagent: Agent that triggers hibernation on EC2 instances A security improvement was added to hibagent.

oval:org.secpod.oval:def:708606
frr: FRRouting suite of internet protocols Several security issues were fixed in FRR.

oval:org.secpod.oval:def:708611
glusterfs: clustered file-system GlusterFS could be made to crash if it received a specially crafted request.

oval:org.secpod.oval:def:708260
libjettison-java: A Java library for converting XML to JSON and vice-versa Jettison could be made to crash if it opened a specially crafted file.

oval:org.secpod.oval:def:91652
bind9: Internet Domain Name Server Several security issues were fixed in Bind.

oval:org.secpod.oval:def:708377
cjose: C library implementing the JOSE standard JOSE for C/C++ could be made to crash if it received specially crafted input.

oval:org.secpod.oval:def:708378
fastdds: eProsima FastDDS Discovery Server and Tools Fast DDS could be made to crash or expose sensitive information if it received specially crafted input.

oval:org.secpod.oval:def:708587
tidy-html5: HTML/XML syntax checker and reformatter tidy-html5 could be made to crash or run programs if it opened a specially crafted file.

oval:org.secpod.oval:def:708216
python3.11: An interactive high-level object-oriented language - python3.10: An interactive high-level object-oriented language - python3.8: An interactive high-level object-oriented language - python2.7: An interactive high-level object-oriented language - python3.6: An interactive high-level objec ...

oval:org.secpod.oval:def:708591
openvpn: virtual private network software Several security issues were fixed in OpenVPN.

oval:org.secpod.oval:def:708441
cups: Common UNIX Printing System CUPS could be made to expose sensitive information.

oval:org.secpod.oval:def:92186
Root login via SSH should be disabled (and dependencies are met)

oval:org.secpod.oval:def:92185
The root account is the only system account that should have a login shell.

oval:org.secpod.oval:def:92188
IPtables is an application that allows a system administrator to configure the IPv4 tables, chains and rules provided by the Linux kernel firewall. ufw was developed to ease IPtables firewall configuration.

oval:org.secpod.oval:def:92187
This test makes sure that '/etc/shadow' file permission is setted as appropriate. If the target file or directory has an extended ACL then it will fail the mode check.

oval:org.secpod.oval:def:92189
The Kernel Parameter for Accepting Source-Routed Packets By Default should be enabled or disabled as appropriate. The kernel runtime parameter "net.ipv4.conf.default.accept_source_route" should be set to "0".

oval:org.secpod.oval:def:92191
The kernel runtime parameter "net.ipv4.ip_forward" should be set to "0".

oval:org.secpod.oval:def:92190
The pam_cracklib module checks the strength of passwords. It performs checks such as making sure a password is not a dictionary word, it is a certain length, contains a mix of characters (e.g. alphabet, numeric, other) and more. The following are definitions of the pam_cracklib.so options. * retr ...

oval:org.secpod.oval:def:92193
The /etc/gshadow file is used to store the information about groups that is critical to the security of those accounts, such as the hashed password and other security information Rationale: If attackers can gain read access to the /etc/gshadow file, they can easily run a password ...

oval:org.secpod.oval:def:92192
Rsyslog will create logfiles that do not already exist on the system. This setting controls what permissions will be applied to these newly created files. Rationale: It is important to ensure that log files have the correct permissions to ensure that sensitive data is archived and ...

oval:org.secpod.oval:def:92195
Ensure all apparmor profiles are in enforce or complain mode. Rationale: Security configuration requirements vary from site to site. Some sites may mandate a policy that is stricter than the default policy, which is perfectly acceptable. This item is intended to ensure that any p ...

oval:org.secpod.oval:def:92194
The contents of the /etc/motd file are displayed to users after login and function as a message of the day for authenticated users. Rationale: If the /etc/motd file does not have the correct ownership it could be modified by unauthorized users with incorrect or misleading informa ...

oval:org.secpod.oval:def:92197
The usermod command can be used to specify which group the root user belongs to. This affects permissions of files that are created by the root user. Rationale: Using GID 0 for the root account helps prevent root-owned files from accidentally becoming accessible to non-privileged users.

oval:org.secpod.oval:def:92196
AppArmor profiles define what resources applications are able to access.

oval:org.secpod.oval:def:92199
The MaxSessions parameter specifies the maximum number of open sessions permitted from a given connection. Rationale: To protect a system from denial of service due to a large number of concurrent sessions, use the rate limiting function of MaxSessions to protect availability of s ...

oval:org.secpod.oval:def:92198
The commands below change password encryption to yescrypt (a much stronger hashing algorithm). All existing accounts will need to perform a password change to upgrade the stored hashes to the new algorithm. Rationale: The yescrypt algorithm provides much stronger hashing than previou ...

oval:org.secpod.oval:def:92164
This test makes sure that '/etc/passwd' has proper permission. If the target file or directory has an extended ACL then it will fail the mode check.

oval:org.secpod.oval:def:92285
Avahi is a free zeroconf implementation, including a system for multicast DNS/DNS-SD service discovery. Avahi allows programs to publish and discover services and hosts running on a local network with no specific configuration. For example, a user can plug a computer into a network and Avahi automat ...

oval:org.secpod.oval:def:92284
The rsyncd service can be used to synchronize files between systems over network links. Rationale: The rsyncd service presents a security risk as it uses unencrypted protocols for communication.

oval:org.secpod.oval:def:92287
Once the rsyslog package is installed it needs to be activated. Rationale: If the rsyslog service is not activated the system may default to the syslogd service or lack logging instead.

oval:org.secpod.oval:def:92165
The rsh package contains the client commands for the rsh services.

oval:org.secpod.oval:def:92286
The cron daemon is used to execute batch jobs on the system. Rationale: While there may not be user jobs that need to be run on the system, the system does have maintenance jobs that may include security monitoring that have to run, and cron is used to execute them.

oval:org.secpod.oval:def:92168
Without reauthentication, users may access resources or perform tasks for which they do not have authorization.

oval:org.secpod.oval:def:92289
MAC algorithms being used during ssh can be limited by defining them in sshd_config file.

oval:org.secpod.oval:def:92167
Sudo caches used credentials for a default of 15 minutes. This is for ease of use when there are multiple administrative tasks to perform. The timeout can be modified to suit local security policies.

oval:org.secpod.oval:def:92288
Recent processors in the x86 family support the ability to prevent code execution on a per memory page basis. Generically and on AMD processors, this ability is called No Execute (NX), while on Intel processors it is called Execute Disable (XD). This ability can help prevent exploitation of buffer o ...

oval:org.secpod.oval:def:92169
The journald system includes the capability of compressing overly large files to avoid filling up the system with logs or making the logs unmanageably large. Rationale: Uncompressed large files may unexpectedly fill a filesystem leading to resource unavailability. Compressing log ...

oval:org.secpod.oval:def:92290
All users should have a password change date in the past. Rationale: If a users recorded password change date is in the future then they could bypass any set password expiration.

oval:org.secpod.oval:def:92171
autofs allows automatic mounting of devices, typically including CD/DVDs and USB drives. RAtionale: With automounting enabled anyone with physical access could attach a USB drive or disc and have its contents available in system even if they lacked permissions to mount it themse ...

oval:org.secpod.oval:def:92292
The default TMOUT determines the shell timeout for users. The TMOUT value is measured in seconds. Rationale: Having no timeout value associated with a shell could allow an unauthorized user access to another user's shell session (e.g. user walks away from their computer and doesn' ...

oval:org.secpod.oval:def:92170
Data from journald may be stored in volatile memory or persisted locally on the server. Logs in memory will be lost upon a system reboot. By persisting logs to local disk on the server they are protected from loss. Rationale: Writing log data to disk will provide the ability to fo ...

oval:org.secpod.oval:def:92291
Turn on the auditd daemon to record system events. Rationale: The capturing of system events provides system administrators with information to allow them to determine if unauthorized access to their system is occurring.

oval:org.secpod.oval:def:92173
The Simple Network Management Protocol (SNMP) server is used to listen for SNMP commands from an SNMP management system, execute the commands or collect the information and then send results back to the requesting system. Rationale: The SNMP server can communicate using SNMP v1, w ...

oval:org.secpod.oval:def:92294
File permission for '/etc/hosts.deny' is set to appropriate values.

oval:org.secpod.oval:def:92172
The Samba daemon allows system administrators to configure their Linux systems to share file systems and directories with Windows desktops. Samba will advertise the file systems and directories via the Server Message Block (SMB) protocol. Windows desktop users will be able to mount these directories ...

oval:org.secpod.oval:def:92293
The DPKG package 'xserver-xorg-core' should be removed.

oval:org.secpod.oval:def:92175
Although the useradd program will not let you create a duplicate User ID (UID), it is possible for an administrator to manually edit the /etc/passwd file and change the UID field. Rationale: Users must be assigned unique UIDs for accountability and to ensure appropriate access pro ...

oval:org.secpod.oval:def:92296
Only SSH protocol version 2 connections should be permitted.

oval:org.secpod.oval:def:92174
Although the groupadd program will not let you create a duplicate Group ID (GID), it is possible for an administrator to manually edit the /etc/group file and change the GID field. Rationale: User groups must be assigned unique GIDs for accountability and to ensure appropriate a ...

oval:org.secpod.oval:def:92295
SSH's cryptographic host-based authentication is more secure than .rhosts authentication. However, it is not recommended that hosts unilaterally trust one another, even within an organization.

oval:org.secpod.oval:def:92177
Although the useradd program will not let you create a duplicate user name, it is possible for an administrator to manually edit the /etc/passwd file and change the user name. Rationale: If a user is assigned a duplicate user name, it will create and have access to files with the ...

oval:org.secpod.oval:def:92298
The su command allows a user to run a command or shell as another user. The program has been superseded by sudo, which allows for more granular control over privileged access. Normally, the su command can be executed by any user. By uncommenting the pam_wheel.so statement in /etc/pam.d/su, the su co ...

oval:org.secpod.oval:def:92176
Although the groupadd program will not let you create a duplicate group name, it is possible for an administrator to manually edit the /etc/group file and change the group name. Rationale: If a group is assigned a duplicate group name, it will create and have access to files with ...

oval:org.secpod.oval:def:92297
Monitor scope changes for system administrations. If the system has been properly configured to force system administrators to log in as themselves first and then use the sudo command to execute privileged commands, it is possible to monitor changes in scope. The file /etc/sudoers will be written t ...

oval:org.secpod.oval:def:92179
nftables is a subsystem of the Linux kernel providing filtering and classification of network packets/datagrams/frames. The nftables service reads the /etc/nftables.conf file for a nftables file or files to include in the nftables ruleset. A nftables ruleset containing the input, forward, and outp ...

oval:org.secpod.oval:def:92178
Data from journald may be stored in volatile memory or persisted locally on the server. Utilities exist to accept remote export of journald logs, however, use of the rsyslog service provides a consistent means of log collection and export. Rationale: Storing log data on a remote ho ...

oval:org.secpod.oval:def:92299
The two options ClientAliveInterval and ClientAliveCountMax control the timeout of ssh sessions. When the ClientAliveInterval variable is set, ssh sessions that have no activity for the specified length of time are terminated. When the ClientAliveCountMax variable is set, sshd will send client alive ...

oval:org.secpod.oval:def:92180
The talk software makes it possible for users to send and receive messages across systems through a terminal session.

oval:org.secpod.oval:def:92182
Configure /etc/cron.allow and /etc/at.allow to allow specific users to use these services. If /etc/cron.allow or /etc/at.allow do not exist, then /etc/at.deny and /etc/cron.deny are checked. Any user not specifically defined in those files is allowed to use at and cron. By removing the files, only u ...

oval:org.secpod.oval:def:92181
The kernel runtime parameter "net.ipv6.conf.default.accept_redirects" should be set to "0".

oval:org.secpod.oval:def:92184
The passwords to remember should be set correctly.

oval:org.secpod.oval:def:92183
The file /etc/securetty contains a list of valid terminals that may be logged in directly as root.

oval:org.secpod.oval:def:92263
The INFO parameter specifies that record login and logout activity will be logged.

oval:org.secpod.oval:def:92262
The kernel runtime parameter "net.ipv4.conf.default.secure_redirects" should be set to "0".

oval:org.secpod.oval:def:92265
HTTP or web servers provide the ability to host web site content. Rationale: Unless there is a need to run the system as a web server, it is recommended that the package be deleted to reduce the potential attack surface.

oval:org.secpod.oval:def:92264
Squid is a standard proxy server used in many distributions and environments. Rationale: If there is no need for a proxy server, it is recommended that the squid proxy be deleted to reduce the potential attack surface.

oval:org.secpod.oval:def:92267
System time should be synchronized between all systems in an environment. This is typically done by establishing an authoritative time server or set of servers and having all systems synchronize their clocks to them. Rationale: Time synchronization is important to support time sens ...

oval:org.secpod.oval:def:92266
Dovecot is an open source mail submission and transport server for Linux based systems. Rationale: Unless mail transport services are to be provided by this system, it is recommended that the service be disabled or deleted to reduce the potential attack surface. Note: Several ...

oval:org.secpod.oval:def:92269
The nftables service allows for the loading of nftables rulesets during boot, or starting of the nftables service. Rationale: The nftables service restores the nftables rules from the rules files referenced in the /etc/sysconfig/nftables.conf file during boot or the starting of th ...

oval:org.secpod.oval:def:92268
Periodic checking of the filesystem integrity is needed to detect changes to the filesystem. Rationale: Periodic file checking allows the system administrator to determine on a regular basis if critical files have been changed in an unauthorized fashion.

oval:org.secpod.oval:def:92270
The MaxAuthTries parameter specifies the maximum number of authentication attempts permitted per connection. When the login failure count reaches half the number, error messages will be written to the syslog file detailing the login failure.

oval:org.secpod.oval:def:92151
chrony is a daemon which implements the Network Time Protocol (NTP) is designed to synchronize system clocks across a variety of systems and use a source that is highly accurate. Rationale: If chrony is in use on the system proper configuration is vital to ensuring time synchroniza ...

oval:org.secpod.oval:def:92150
The Set Lockout Time For Failed Password Attempts should be set correctly.

oval:org.secpod.oval:def:92271
Monitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. The chmod, fchmod and fchmodat system calls affect the permissions associated with a file. The chown, fchown, fchownat and ...

oval:org.secpod.oval:def:92153
While the system administrator can establish secure permissions for users' "dot" files, the users can easily override these. Rationale: Group or world-writable user configuration files may enable malicious users to steal or modify other users' data or to gain another user's syste ...

oval:org.secpod.oval:def:92274
Core dumps for all users should be disabled

oval:org.secpod.oval:def:92152
Over time, system administration errors and changes can lead to groups being defined in /etc/passwd but not in /etc/group. Rationale: Groups defined in the /etc/passwd file but not in the /etc/group file pose a threat to system security since group permissions are not properly ma ...

oval:org.secpod.oval:def:92273
The Network Time Protocol (NTP) is designed to synchronize system clocks across a variety of systems and use a source that is highly accurate. More information on NTP can be found at http://www.ntp.org. NTP can be configured to be a client and/or a server.

oval:org.secpod.oval:def:92155
While the system administrator can establish secure permissions for users' home directories, the users can easily override these. Rationale: Group or world-writable user home directories may enable malicious users to steal or modify other users' data or to gain another user's system ...

oval:org.secpod.oval:def:92276
The maximum password age policy should meet minimum requirements.

oval:org.secpod.oval:def:92154
While the system administrator can establish secure permissions for users' .netrc files, the users can easily override these. Rationale: .netrcfiles may contain unencrypted passwords that may be used to attack other systems.

oval:org.secpod.oval:def:92275
Access permission for '/etc/cron.d' is set to appropriate values.

oval:org.secpod.oval:def:92157
An account with an empty password field means that anybody may log in as that user without providing a password. Rationale: All accounts must have passwords or be locked to prevent the account from being used by an unauthorized user.

oval:org.secpod.oval:def:92278
Record changes to network environment files or system calls. The below parameters monitor the sethostname (set the systems host name) or setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. The other parameters monitor the /etc/issue and /etc/issue.n ...

oval:org.secpod.oval:def:92156
Users can be defined in /etc/passwd without a home directory or with a home directory that does not actually exist. Rationale: If the user's home directory does not exist or is unassigned, the user will be placed in "/" and will not be able to write any files or have local envir ...

oval:org.secpod.oval:def:92277
max_log_file setting in /etc/audit/auditd.conf is set to at least a certain value

oval:org.secpod.oval:def:92159
The .forward file specifies an email address to forward the user's mail to. Rationale: Use of the .forward file poses a security risk in that sensitive data may be inadvertently transferred outside the organization. The .forward file also poses a risk as it can be used to execut ...

oval:org.secpod.oval:def:92158
Any account with UID 0 has superuser privileges on the system. Rationale: This access must be limited to only the default root account and only from the system console. Administrative access must be through an unprivileged account using an approved mechanism as noted in Item 5.6 ...

oval:org.secpod.oval:def:92279
The kernel module hfs should be disabled.

oval:org.secpod.oval:def:92160
The .netrc file contains data for logging into a remote host for file transfers via FTP. Rationale: The .netrc file presents a significant security risk since it stores passwords in unencrypted form. Even if FTP is disabled, user accounts may have brought over .netrc files from ...

oval:org.secpod.oval:def:92281
The File Transfer Protocol (FTP) provides networked computers with the ability to transfer files. Rationale: FTP does not protect the confidentiality of data or authentication credentials. It is recommended SFTP be used if file transfer is required. Unless there is a need to run t ...

oval:org.secpod.oval:def:92280
The kernel module cramfs should be disabled.

oval:org.secpod.oval:def:92162
Without reauthentication, users may access resources or perform tasks for which they do not have authorization.

oval:org.secpod.oval:def:92283
The Dynamic Host Configuration Protocol (DHCP) is a service that allows machines to be dynamically assigned IP addresses. Rationale: Unless a system is specifically set up to act as a DHCP server, it is recommended that this service be deleted to reduce the potential attack surface ...

oval:org.secpod.oval:def:92161
While no .rhosts files are shipped by default, users can easily create them. Rationale: This action is only meaningful if .rhosts support is permitted in the file /etc/pam.conf . Even though the .rhosts files are ineffective if support is disabled in /etc/pam.conf , they may have ...

oval:org.secpod.oval:def:92282
The Common Unix Print System (CUPS) provides the ability to print to both local and network printers. A system running CUPS can also accept print jobs from remote systems and print them to local printers. It also provides a web based remote administration capability. Rationale: If ...

oval:org.secpod.oval:def:92249
Monitor the use of the mount system call. The mount (and umount) system call controls the mounting and unmounting of file systems. The parameters below configure the system to create an audit record when the mount system call is used by a non-privileged user. It is highly unusual for a non privileg ...

oval:org.secpod.oval:def:92248
The kernel runtime parameter "net.ipv4.tcp_syncookies" should be set to "1".

oval:org.secpod.oval:def:92369
The logrotate (syslog rotator) service should be enabled.

oval:org.secpod.oval:def:92241
There are several options available to limit which users and group can access the system via SSH. It is recommended that at least one of the following options be leveraged: AllowUsers The AllowUsers variable gives the system administrator the option of allowing specific users to ssh into the syste ...

oval:org.secpod.oval:def:92362
The /etc/hosts.allow file contains networking information that is used by many applications and therefore must be readable for these applications to operate.

oval:org.secpod.oval:def:92240
The kernel module freevxfs should be disabled.

oval:org.secpod.oval:def:92361
The inetd daemon listens for well known services and dispatches the appropriate daemon to properly respond to service requests. Rationale: If there are no inetd services required, it is recommended that the daemon be removed.

oval:org.secpod.oval:def:92243
The kernel runtime parameter "kernel.randomize_va_space" should be set to "2".

oval:org.secpod.oval:def:92364
Description: AppArmor provides Mandatory Access Controls. Rationale: Without a Mandatory Access Control system installed only the default Discretionary Access Control system will be available. Audit: Verify that AppArmor is installed: # dpkg -s apparmor # dpkg -s apparmor-utils ...

oval:org.secpod.oval:def:92242
The /etc/shadow file contains the one-way cipher text passwords for each user defined in the /etc/passwd file. The command below sets the user and group ownership of the file to root.

oval:org.secpod.oval:def:92363
File permission for '/etc/ssh/sshd_config' is set to appropriate values.

oval:org.secpod.oval:def:92245
The kernel runtime parameter "net.ipv4.conf.all.log_martians" should be set to "1".

oval:org.secpod.oval:def:92366
Configure AppArmor to be enabled at boot time and verify that it has not been overwritten by the bootloader boot parameters. Rationale: AppArmor must be enabled at boot time in your bootloader configuration to ensure that the controls it provides are not overridden. Note: This re ...

oval:org.secpod.oval:def:92244
The kernel runtime parameter "net.ipv4.icmp_echo_ignore_broadcasts" should be set to "1".

oval:org.secpod.oval:def:92365
File permissions for '/etc/group' should be set correctly.

oval:org.secpod.oval:def:92247
TCP Wrappers provides a simple access list and standardized logging method for services capable of supporting it. In the past, services that were called from inetd and xinetd supported the use of tcp wrappers. As inetd and xinetd have been falling in disuse, any service that can support tcp wrappers ...

oval:org.secpod.oval:def:92368
A Firewall package should be selected. Most firewall configuration utilities operate as a front end to nftables or iptables. Rationale: A Firewall package is required for firewall management and configuration.

oval:org.secpod.oval:def:92246
The minimum password age policy should be set appropriately.

oval:org.secpod.oval:def:92367
Set system audit so that audit rules cannot be modified with auditctl. Setting the flag "-e 2" forces audit to be put in immutable mode. Audit changes can only be made on system reboot. In immutable mode, unauthorized users cannot execute changes to the audit system to potentially hide malicious ac ...

oval:org.secpod.oval:def:92250
Monitor the sudo log file. If the system has been properly configured to disable the use of the su command and force all administrators to have to log in first and then use sudo to execute privileged commands, then all administrator commands will be logged to /var/log/sudoers_log. Any time a command ...

oval:org.secpod.oval:def:92371
Syslog logs should be sent to a remote loghost

oval:org.secpod.oval:def:92370
auditd is the userspace component to the Linux Auditing System. It's responsible for writing audit records to the disk. Rationale: The capturing of system events provides system administrators with information to allow them to determine if unauthorized access to their system is occ ...

oval:org.secpod.oval:def:92259
Access permission for '/etc/cron.monthly' is set to appropriate values.

oval:org.secpod.oval:def:92252
The contents of the file /etc/motd file are displayed to users after login and function as a message of the day for authenticated users.

oval:org.secpod.oval:def:92373
The Lightweight Directory Access Protocol (LDAP) was introduced as a replacement for NIS/YP. It is a service that provides a method for looking up information from a central database. Rationale: If the system will not need to act as an LDAP client, it is recommended that the softwar ...

oval:org.secpod.oval:def:92251
UsePAM Enables the Pluggable Authentication Module interface. If set to yes this will enable PAM authentication using ChallengeResponseAuthentication and PasswordAuthentication in addition to PAM account and session module processing for all authentication types

oval:org.secpod.oval:def:92372
The telnet package contains the telnet client, which allows users to start connections to other systems via the telnet protocol. Rationale: The telnet protocol is insecure and unencrypted. The use of an unencrypted transmission medium could allow an unauthorized user to steal creden ...

oval:org.secpod.oval:def:92254
The kernel runtime parameter "net.ipv4.conf.default.accept_redirects" should be set to "0".

oval:org.secpod.oval:def:92375
The LoginGraceTime parameter specifies the time allowed for successful authentication to the SSH server. The longer the Grace period is the more open unauthenticated connections can exist. Like other session controls in this session the Grace Period should be limited to appropriate organizational li ...

oval:org.secpod.oval:def:92253
The /etc/cron.weekly directory contains system cron jobs that need to run on a weekly basis. The files in this directory cannot be manipulated by the crontab command, but are instead edited by system administrators using a text editor. The commands below restrict read/write and search access to user ...

oval:org.secpod.oval:def:92374
The kernel runtime parameter "net.ipv4.icmp_ignore_bogus_error_responses" should be set to "1".

oval:org.secpod.oval:def:92256
Mail Transfer Agents (MTA), such as sendmail and Postfix, are used to listen for incoming mail and transfer the messages to the appropriate user or mail server. If the system is not intended to be a mail server, it is recommended that the MTA be configured to only process local mail.

oval:org.secpod.oval:def:92377
The /etc/hosts.deny file specifies which IP addresses are not permitted to connect to the host. It is intended to be used in conjunction with the /etc/hosts.allow file.

oval:org.secpod.oval:def:92255
The Banner parameter specifies a file whose contents must be sent to the remote user before authentication is permitted. By default, no banner is displayed.

oval:org.secpod.oval:def:92376
'biosdevname' is an external tool that works with the udev framework for naming devices. 'biosdevname' uses three methods to determine NIC names: 1. PCI firmware spec.3.1 2. smbios (matches # after "em" to OEM # printed on board or housing) 3. PCI IRQ Routing Table (uses # of NIC position in t ...

oval:org.secpod.oval:def:92258
The PermitUserEnvironment option allows users to present environment options to the ssh daemon.

oval:org.secpod.oval:def:92257
The kernel runtime parameter "net.ipv4.conf.all.send_redirects" should be set to "0".

oval:org.secpod.oval:def:92378
Trivial File Transfer Protocol (TFTP) is a simple file transfer protocol, typically used to automatically transfer configuration or boot machines from a boot server. The packages tftp and atftp are both used to define and support a TFTP server.

oval:org.secpod.oval:def:92261
Monitor the loading and unloading of kernel modules. The programs insmod (install a kernel module), rmmod (remove a kernel module), and modprobe (a more sophisticated program to load and unload modules, as well as some other features) control loading and unloading of modules. The init_module (load a ...

oval:org.secpod.oval:def:92260
The accounts should be configured to expire automatically following Inactivity accounts.

oval:org.secpod.oval:def:92227
The kernel runtime parameter "net.ipv6.conf.default.accept_ra" should be set to "0".

oval:org.secpod.oval:def:92348
Record events affecting the group, passwd (user IDs), shadow and gshadow (passwords) or /etc/security/opasswd (old passwords, based on remember parameter in the PAM configuration) files. The parameters in this section will watch the files to see if they have been opened for write or have had attribu ...

oval:org.secpod.oval:def:92226
The auditd daemon can be configured to halt the system when the audit logs are full. In high security contexts, the risk of detecting unauthorized access or nonrepudiation exceeds the benefit of the system's availability. space_left_action, action_mail_acct and admin_space_left_action setting in / ...

oval:org.secpod.oval:def:92347
The kernel module rds should be disabled.

oval:org.secpod.oval:def:92229
The kernel module dccp should be disabled.

oval:org.secpod.oval:def:92228
Global IPv6 initialization should be disabled.

oval:org.secpod.oval:def:92349
The squashfs Kernel Module should be disabled.

oval:org.secpod.oval:def:92340
The nodev mount option specifies that the filesystem cannot contain special devices. Rationale: Since the /var/log filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices in /var/log.

oval:org.secpod.oval:def:92221
An SSH public key is one of two files used in SSH public key authentication. In this authentication method, a public key is a key that can be used for verifying digital signatures generated using a corresponding private key. Only a public key that corresponds to a private key will be able to authent ...

oval:org.secpod.oval:def:92342
The /etc/cron.daily directory contains system cron jobs that need to run on a daily basis. The files in this directory cannot be manipulated by the crontab command, but are instead edited by system administrators using a text editor. The commands below restrict read/write and search access to user a ...

oval:org.secpod.oval:def:92220
The character + in various files used to be markers for systems to insert data from NIS maps at a certain point in a system configuration file. These entries are no longer required on most systems, but may exist in files that have been imported from other platforms. Rationale: The ...

oval:org.secpod.oval:def:92341
The nodev mount option specifies that the filesystem cannot contain special devices. Rationale: Since the /var filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices in /var.

oval:org.secpod.oval:def:92223
The /etc/passwd file contains user account information that is used by many system utilities and therefore must be readable for these utilities to operate. Rationale: It is critical to ensure that the /etc/passwd file is protected from unauthorized write access. Although it is pro ...

oval:org.secpod.oval:def:92344
The DPKG package 'aide' should be installed.

oval:org.secpod.oval:def:92222
The /etc/shadow file is used to store the information about user accounts that is critical to the security of those accounts, such as the hashed password and other security information. Rationale: If attackers can gain read access to the /etc/shadow file, they can easily run a pass ...

oval:org.secpod.oval:def:92343
The kernel module hfsplus should be disabled.

oval:org.secpod.oval:def:92225
The /etc/group file contains a list of all the valid groups defined in the system. The command below allows read/write access for root and read access for everyone else. Rationale: The /etc/group file needs to be protected from unauthorized changes by non-privileged users, but nee ...

oval:org.secpod.oval:def:92346
The /etc/crontab file is used by cron to control its own jobs. The commands in this item make sure that root is the user and group owner of the file and that only the owner can access the file.

oval:org.secpod.oval:def:92224
The contents of the /etc/issue.net file are displayed to users prior to login for remote connections from configured services. Rationale: If the /etc/issue.net file does not have the correct ownership it could be modified by unauthorized users with incorrect or misleading information.

oval:org.secpod.oval:def:92345
Emulation of the rsh command through the ssh server should be disabled (and dependencies are met)

oval:org.secpod.oval:def:92238
Configure the loopback interface to accept traffic. Configure all other interfaces to deny traffic to the loopback network (127.0.0.0/8).Loopback traffic is generated between processes on machine and is typically critical to operation of the system. The loopback interface is the only place that loop ...

oval:org.secpod.oval:def:92359
The eXtended InterNET Daemon ( xinetd ) is an open source super daemon that replaced the original inetd daemon. The xinetd daemon listens for well known services and dispatches the appropriate daemon to properly respond to service requests. Rationale: If there are no xinetd services ...

oval:org.secpod.oval:def:92237
Configure the loopback interface to accept traffic. Configure all other interfaces to deny traffic to the loopback network (127.0.0.0/8).Loopback traffic is generated between processes on machine and is typically critical to operation of the system. The loopback interface is the only place that loop ...

oval:org.secpod.oval:def:92358
GDM is the GNOME Display Manager which handles graphical login for GNOME based systems. Rationale: Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system ...

oval:org.secpod.oval:def:92239
Monitor for unsuccessful attempts to access files. The parameters below are associated with system calls that control creation (creat), opening (open, openat) and truncation (truncate, ftruncate) of files. An audit log record will only be written if the user is a nonprivileged user (auid > = 500), i ...

oval:org.secpod.oval:def:92230
The kernel runtime parameter "net.ipv4.conf.all.rp_filter" should be set to "1".

oval:org.secpod.oval:def:92351
The /etc/group file contains a list of all the valid groups defined in the system. The command below allows read/write access for root and read access for everyone else.

oval:org.secpod.oval:def:92350
Monitor session initiation events. The parameters in this section track changes to the files associated with session events. The file /var/run/utmp file tracks all currently logged in users. The /var/log/wtmp file tracks logins, logouts, shutdown and reboot events. All audit records will be tagged w ...

oval:org.secpod.oval:def:92232
Remote connections (SSH) from accounts with empty passwords should be disabled (and dependencies are met).

oval:org.secpod.oval:def:92353
Ensure only strong Key Exchange algorithms are used

oval:org.secpod.oval:def:92231
The kernel module tipc should be disabled.

oval:org.secpod.oval:def:92352
If a local interactive user does not own their home directory, unauthorized users could access or modify the user's files, and the users may not be able to access their own files.

oval:org.secpod.oval:def:92234
A default deny all policy on connections ensures that any unconfigured network usage will be rejected.With a default accept policy the firewall will accept any packet that is not configured to be denied. It is easier to white list acceptable usage than to black list unacceptable usage.

oval:org.secpod.oval:def:92355
Normally, auditd will hold 4 logs of maximum log file size before deleting older log files. In high security contexts, the benefits of maintaining a long audit history exceed the cost of storing the audit history. max_log_file_action setting in /etc/audit/auditd.conf is set to at least a certain v ...

oval:org.secpod.oval:def:92233
A default deny all policy on connections ensures that any unconfigured network usage will be rejected.With a default accept policy the firewall will accept any packet that is not configured to be denied. It is easier to white list acceptable usage than to black list unacceptable usage.

oval:org.secpod.oval:def:92354
X Display Manager Control Protocol (XDMCP) is designed to provide authenticated access to display management services for remote displays Rationale: XDMCP is inherently insecure. 1. XDMCP is not a ciphered protocol. This may allow an attacker to capture keystrokes entered by a ...

oval:org.secpod.oval:def:92236
The use of wireless networking can introduce many different attack vectors into the organization's network. Common attack vectors such as malicious association and ad hoc networks will allow an attacker to spoof a wireless access point (AP), allowing validated systems to connect to the malicious AP ...

oval:org.secpod.oval:def:92357
The kernel module sctp should be disabled.

oval:org.secpod.oval:def:92235
Monitor login and logout events. The parameters below track changes to files associated with login/logout events. The file /var/log/faillog tracks failed events from login. The file /var/log/lastlog maintain records of the last time a user successfully logged in. The file /var/log/tallylog maintains ...

oval:org.secpod.oval:def:92356
Backlog limit represents the number of logs it will hold. Rationale: During boot if audit=1, then the backlog will hold specified number of records. If records more than are created during boot, auditd records will be lost and potential malicious activity could go undetected.

oval:org.secpod.oval:def:92360
The /etc/passwd file contains a list of all the valid userIDs defined in the system, but not the passwords. The command below sets the owner and group of the file to root.

oval:org.secpod.oval:def:92205
The X11Forwarding parameter provides the ability to tunnel X11 traffic through the connection to enable remote graphic connections.

oval:org.secpod.oval:def:92326
The nodev mount option specifies that the filesystem cannot contain special devices. Rationale: Since the user partitions are not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices.

oval:org.secpod.oval:def:92204
The kernel module udf should be disabled.

oval:org.secpod.oval:def:92325
The /home directory is used to support disk storage needs of local users. Rationale: If the system is intended to support local users, create a separate partition for the /home directory to protect against resource exhaustion and restrict the type of files that can be stored und ...

oval:org.secpod.oval:def:92207
The default umask for all users specified in /etc/login.defs

oval:org.secpod.oval:def:92328
The nosuid mount option specifies that the filesystem cannot contain setuid files. Rationale: Setting this option on a file system prevents users from introducing privileged programs onto the system and allowing non-root users to execute them.

oval:org.secpod.oval:def:92206
By default, rsyslog does not listen for log messages coming in from remote systems. The ModLoad tells rsyslog to load the imtcp.so module so it can listen over a network via TCP. The InputTCPServerRun option instructs rsyslogd to listen on the specified TCP port. The guidance in the section ensures ...

oval:org.secpod.oval:def:92327
The nodev mount option specifies that the filesystem cannot contain special devices. Rationale: Since the /dev/shm filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create special devices in /dev/shm partitions.

oval:org.secpod.oval:def:92209
The DPKG package 'rsyslog' should be installed.

oval:org.secpod.oval:def:92208
Monitor SELinux mandatory access controls. The parameters below monitor any write access (potential additional, deletion or modification of files in the directory) or attribute changes to the /etc/selinux directory. Changes to files in this directory could indicate that an unauthorized user is atte ...

oval:org.secpod.oval:def:92329
The noexec mount option specifies that the filesystem cannot contain executable binaries. Rationale: Since the /var/tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot run executable binaries from /var/tmp .

oval:org.secpod.oval:def:92320
This variable limits the types of ciphers that SSH can use during communication.

oval:org.secpod.oval:def:92201
SSH port forwarding is a mechanism in SSH for tunneling application ports from the client to the server, or servers to clients. It can be used for adding encryption to legacy applications, going through firewalls, and some system administrators and IT professionals use it for opening backdoors into ...

oval:org.secpod.oval:def:92322
Single user mode (rescue mode) is used for recovery when the system detects an issue during boot or by manual selection from the bootloader. Rationale: Requiring authentication in single user mode (rescue mode) prevents an unauthorized user from rebooting the system into single user ...

oval:org.secpod.oval:def:92200
The MaxStartups parameter specifies the maximum number of concurrent unauthenticated connections to the SSH daemon. Rationale: To protect a system from denial of service due to a large number of pending authentication connection attempts, use the rate limiting function of MaxStartu ...

oval:org.secpod.oval:def:92321
sudo allows a permitted user to execute a command as the superuser or another user, as specified by the security policy. The invoking user's real (not effective) user ID is used to determine the user name with which to query the security policy. Rationale: sudo supports a plugin arch ...

oval:org.secpod.oval:def:92203
The prelinking feature changes binaries in an attempt to decrease their startup time.

oval:org.secpod.oval:def:92324
The auditing daemon, auditd , stores log data in the /var/log/audit directory. Rationale: There are two important reasons to ensure that data gathered by auditd is stored on a separate partition: protection against resource exhaustion (since the audit.log file can grow quite large ...

oval:org.secpod.oval:def:92202
The Set Password Warning Age should be set appropriately.

oval:org.secpod.oval:def:92323
The /var/log directory is used by system services to store log data. Rationale: There are two important reasons to ensure that system logs are stored on a separate partition: protection against resource exhaustion (since logs can grow quite large) and protection of audit data.

oval:org.secpod.oval:def:92216
The character + in various files used to be markers for systems to insert data from NIS maps at a certain point in a system configuration file. These entries are no longer required on most systems, but may exist in files that have been imported from other platforms. Rationale: Thes ...

oval:org.secpod.oval:def:92337
The nosuid mount option specifies that the filesystem cannot contain setuid files. Rationale: Since the /home filesystem is only intended for user file storage, set this option to ensure that users cannot create setuid files in /home

oval:org.secpod.oval:def:92215
The character + in various files used to be markers for systems to insert data from NIS maps at a certain point in a system configuration file. These entries are no longer required on most systems, but may exist in files that have been imported from other platforms. Rationale: The ...

oval:org.secpod.oval:def:92336
The nosuid mount option specifies that the filesystem cannot contain setuid files. Rationale: Since the /var filesystem is only intended for temporary file storage, set this option to ensure that users cannot create setuid files in /var.

oval:org.secpod.oval:def:92218
An SSH private key is one of two files used in SSH public key authentication. In this authentication method, The possession of the private key is proof of identity. Only a private key that corresponds to a public key will be able to authenticate successfully. The private keys need to be stored and h ...

oval:org.secpod.oval:def:92217
The shadow group allows system programs which require access the ability to read the /etc/shadow file. No users should be assigned to the shadow group. Rationale: Any users assigned to the shadow group would be granted read access to the /etc/shadow file. If attackers can gain re ...

oval:org.secpod.oval:def:92338
The noexec mount option specifies that the filesystem cannot contain executable . Rationale: Since the /var/log filesystem is only intended for log files, set this option to ensure that users cannot run executable binaries from /var/log .

oval:org.secpod.oval:def:92210
The contents of the /etc/issue file are displayed to users prior to login for local terminals. Rationale: If the /etc/issue file does not have the correct ownership it could be modified by unauthorized users with incorrect or misleading information.

oval:org.secpod.oval:def:92331
GDM is the GNOME Display Manager which handles graphical login for GNOME based systems. The disable-user-list option controls is a list of users is displayed on the login screen. Rationale: Displaying the user list eliminates half of the Userid/Password equation that an unauthorized ...

oval:org.secpod.oval:def:92330
GNOME Desktop Manager can make the screen lock automatically whenever the user is idle for some amount of time.By using the lockdown mode in dconf, you can prevent users from changing specific settings.To lock down a dconf key or subpath, create a locks subdirectory in the keyfile directory.The file ...

oval:org.secpod.oval:def:92212
The grub boot loader should have password protection enabled.

oval:org.secpod.oval:def:92333
By default GNOME automatically mounts removable media when inserted as a convenience to the user. By using the lockdown mode in dconf, you can prevent users from changing specific settings. To lock down a dconf key or subpath, create a locks subdirectory in the keyfile directory. The files i ...

oval:org.secpod.oval:def:92211
Capture events where the system date and/or time has been modified. The parameters in this section are set to determine if the adjtimex (tune kernel clock), settimeofday (Set time, using timeval and timezone structures) stime (using seconds since 1/1/1970) or clock_settime (allows for the setting of ...

oval:org.secpod.oval:def:92332
GNOME Desktop Manager can make the screen lock automatically whenever the user is idle for some amount of time. Rationale: Setting a lock-out value reduces the window of opportunity for unauthorized user access to another user's session that has been left unattended.

oval:org.secpod.oval:def:92214
Configure grub or lilo so that processes that are capable of being audited can be audited even if they start up prior to auditd startup.Audit events need to be captured on processes that start up prior to auditd, so that potential malicious activity cannot go undetected.

oval:org.secpod.oval:def:92335
The nosuid mount option specifies that the filesystem cannot contain setuid files. Rationale: Since the /var/log filesystem is only intended for temporary file storage, set this option to ensure that users cannot create setuid files in /var/log.

oval:org.secpod.oval:def:92213
The Network Information Service (NIS), formerly known as Yellow Pages, is a client-server directory service protocol used to distribute system configuration files.

oval:org.secpod.oval:def:92334
By default GNOME automatically mounts removable media when inserted as a convenience to the user. Rationale: With automounting enabled anyone with physical access could attach a USB drive or disc and have its contents available in system even if they lacked permissions to mount it ...

oval:org.secpod.oval:def:92304
The Lightweight Directory Access Protocol (LDAP) was introduced as a replacement for NIS/YP. It is a service that provides a method for looking up information from a central database. Rationale: If the system will not need to act as an LDAP server, it is recommended that the softw ...

oval:org.secpod.oval:def:92303
The kernel module jffs2 should be disabled.

oval:org.secpod.oval:def:92306
The Domain Name System (DNS) is a hierarchical naming system that maps names to IP addresses for computers, services and other resources connected to a network. Rationale: Unless a system is specifically designated to act as a DNS server, it is recommended that the package be delete ...

oval:org.secpod.oval:def:92305
The Network File System (NFS) is one of the first and most widely distributed file systems in the UNIX environment. It provides the ability for systems to mount file systems of other servers through the network. The rpcbind service maps Remote Procedure Call (RPC) services to the ports on wh ...

oval:org.secpod.oval:def:92308
The noexec mount option specifies that the filesystem cannot contain executable binaries. Rationale: Setting this option on a file system prevents users from executing programs from shared memory. This deters users from introducing potentially malicious software on the system.

oval:org.secpod.oval:def:92307
The Network Information Service (NIS), formerly known as Yellow Pages, is a client-server directory service protocol used to distribute system configuration files. The NIS client ( ypbind ) was used to bind a machine to an NIS server and receive the distributed configuration files. Ration ...

oval:org.secpod.oval:def:92309
The /var directory is used by daemons and other system services to temporarily store dynamic data. Some directories created by these processes may be world-writable. Rationale: Since the /var directory may contain world-writable files and directories, there is a risk of resource e ...

oval:org.secpod.oval:def:92300
/etc/hosts.allow file is present.

oval:org.secpod.oval:def:92302
This directory contains system cron jobs that need to run on an hourly basis. The files in this directory cannot be manipulated by the crontab command, but are instead edited by system administrators using a text editor. The commands below restrict read/write and search access to user and group root ...

oval:org.secpod.oval:def:92301
The grub configuration file contains information on boot settings and passwords for unlocking boot options. The grub configuration is usually grub.cfg stored in /boot/grub.

oval:org.secpod.oval:def:92315
The nodev mount option specifies that the filesystem cannot contain special devices. Rationale: Since the /var/tmp filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices in /var/tmp.

oval:org.secpod.oval:def:92314
sudo can use a custom log file. Rationale: A sudo log file simplifies auditing of sudo commands.

oval:org.secpod.oval:def:92317
The /tmp directory is a world-writable directory used for temporary storage by all users and some applications. Rationale: Making /tmp its own file system allows an administrator to set the noexec option on the mount, making /tmp useless for an attacker to install executable code. ...

oval:org.secpod.oval:def:92316
The nosuid mount option specifies that the filesystem cannot contain setuid files. Rationale: Since the /var/tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot create setuid files in /var/tmp.

oval:org.secpod.oval:def:92319
USB storage provides a means to transfer and store files insuring persistence and availability of the files independent of network connection status. Its popularity and utility has led to USB-based malware being a simple and common means for network infiltration and a first step to establishing a pe ...

oval:org.secpod.oval:def:92318
The nodev mount option specifies that the filesystem cannot contain special devices. Rationale: Since the /tmp filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices in /tmp.

oval:org.secpod.oval:def:92311
The nosuid mount option specifies that the filesystem cannot contain setuid files. Rationale: Since the /tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot create setuid files in /tmp.

oval:org.secpod.oval:def:92310
The /var/tmp directory is a world-writable directory used for temporary storage by all users and some applications. Rationale: Since the /var/tmp directory is intended to be world-writable, there is a risk of resource exhaustion if it is not bound to a separate partition. In additi ...

oval:org.secpod.oval:def:92313
sudo can be configured to run only from a psuedo-pty. Rationale: Attackers can run a malicious program using sudo which would fork a background process that remains even when the main program has finished executing.

oval:org.secpod.oval:def:92312
The noexec mount option specifies that the filesystem cannot contain executable binaries. Rationale: Since the /tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot run executable binaries from /tmp.

oval:org.secpod.oval:def:92339
All password hashes should be shadowed.

oval:org.secpod.oval:def:92163
This test makes sure that '/etc/gshadow' has appropriate permission. If the target file or directory has an extended ACL then it will fail the mode check.

oval:org.secpod.oval:def:92166
The Apport Error Reporting Service automatically generates crash reports for debugging. Rationale: Apport collects potentially sensitive data, such as core dumps, stack traces, and logfiles. They can contain passwords, credit card numbers, serial numbers, and other private ma ...

oval:org.secpod.oval:def:708435
python-django: High-level Python web development framework Django could be made to crash or consume resources if it received specially crafted network traffic.

oval:org.secpod.oval:def:708314
frr: FRRouting suite of internet protocols FRR could be made to denial of service if it received a specially crafted message.

oval:org.secpod.oval:def:708290
ghostscript: PostScript and PDF interpreter Ghostscript could be made to run programs if it opened a specially crafted file.

oval:org.secpod.oval:def:708301
mozjs102: SpiderMonkey JavaScript library Several security issues were fixed in SpiderMonkey.

oval:org.secpod.oval:def:708364
ceph: distributed storage and file system Ceph could be made to run programs as an administrator.

oval:org.secpod.oval:def:708595
tang: network-based cryptographic binding server Tang could allow unintended access to secret keys.

oval:org.secpod.oval:def:708236
python-tornado: scalable, non-blocking web server and tools - documentation Tornado could be made to redirect users to arbitrary web site if it opened a specially crafted URL.

oval:org.secpod.oval:def:708368
ghostscript: PostScript and PDF interpreter Ghostscript could be made to crash if it received specially crafted input.

oval:org.secpod.oval:def:708108
ghostscript: PostScript and PDF interpreter Details: USN-6017-1 fixed vulnerabilities in Ghostscript. This update provides the corresponding updates for Ubuntu 23.04. Original advisory Ghostscript could be made to crash or run programs as your login if it received a specially crafted input.

oval:org.secpod.oval:def:708358
tiff: Tag Image File Format library Several security issues were fixed in LibTIFF.

oval:org.secpod.oval:def:708379
libqb: generate man pages from Doxygen XML files Libqb could be made to crash or execute arbitrary code if it received a specially crafted message.

oval:org.secpod.oval:def:708241
c-ares: library for asynchronous name resolution Several security issues were fixed in c-ares.

oval:org.secpod.oval:def:708414
sox: Swiss army knife of sound processing SoX could be made to crash if it received specially crafted input.

oval:org.secpod.oval:def:708243
libcap2: POSIX 1003.1e capabilities Several security issues were fixed in libcap2.

oval:org.secpod.oval:def:708403
thunderbird: Mozilla Open Source mail and newsgroup client Several security issues were fixed in Thunderbird.

oval:org.secpod.oval:def:708574
krb5: MIT Kerberos Network Authentication Protocol Details: USN-6467-1 fixed a vulnerability in Kerberos. This update provides the corresponding update for Ubuntu 20.04 LTS, Ubuntu 22.04 LTS and Ubuntu 23.04. Original advisory Kerberos could be made to crash if it received specially crafted network ...

oval:org.secpod.oval:def:708130
freetype: FreeType 2 is a font engine library FreeType could be made to crash or possibly execute arbitrary code if it opened a specially crafted font file.

oval:org.secpod.oval:def:708575
gsl: A modern numerical library for C and C++ programmers GNU Scientific Library could be made to crash or execute arbitrary code if it received specially crafted input.

oval:org.secpod.oval:def:708434
mutt: text-based mailreader supporting MIME, GPG, PGP and threading Mutt could be made to crash if it received specially crafted input.

oval:org.secpod.oval:def:708586
frr: FRRouting suite of internet protocols FRR could be made to crash if it received specially crafted network traffic.

oval:org.secpod.oval:def:708592
intel-microcode: Processor microcode for Intel CPUs The system could be made to crash or expose sensitive information under certain conditions.

oval:org.secpod.oval:def:708594
strongswan: IPsec VPN solution strongSwan could be made to crash or run programs if it received specially crafted network traffic.

oval:org.secpod.oval:def:708584
procps: /proc file system utilities procps-ng could be made to crash if it received specially crafted input.

oval:org.secpod.oval:def:708210
avahi: IPv4LL network address configuration daemon Avahi could be made to crash if it received specially crafted DBus traffic.

oval:org.secpod.oval:def:708612
tracker-miners: Metadata database, indexer and search tool A system hardening measure could be bypassed.

oval:org.secpod.oval:def:708597
avahi: IPv4LL network address configuration daemon Avahi could be made to crash if it received specially crafted input.

oval:org.secpod.oval:def:708585
dotnet6: dotNET CLI tools and runtime - dotnet7: dotNET CLI tools and runtime - dotnet8: dotNET CLI tools and runtime Several security issues were fixed in .NET.

oval:org.secpod.oval:def:90542
dotnet6: dotNET CLI tools and runtime - dotnet7: dotNET CLI tools and runtime Several security issues were fixed in .NET.

oval:org.secpod.oval:def:708291
dotnet6: dotNET CLI tools and runtime - dotnet7: dotNET CLI tools and runtime The maximum failed attempts security feature for .NET could be bypassed.

oval:org.secpod.oval:def:708346
dotnet6: dotNET CLI tools and runtime - dotnet7: dotNET CLI tools and runtime Several security issues were fixed in .NET.

oval:org.secpod.oval:def:708110
cloud-init: initialization and customization tool for cloud instances cloud-init could write sensitive information to logs.

oval:org.secpod.oval:def:708246
libx11: X11 client-side library libx11 could be made to crash if it received specially crafted network traffic.

oval:org.secpod.oval:def:708213
perl: Practical Extraction and Report Language Details: USN-6112-1 fixed vulnerabilities in Perl. This update provides the corresponding updates for Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, Ubuntu 22.10, and Ubuntu 23.04. Original advisory Perl could be made to install modules from untrusted sources.

oval:org.secpod.oval:def:708653
tar: GNU version of the tar archiving utility tar could be made to crash if it opened a specially crafted file.

oval:org.secpod.oval:def:708656
python3.11: An interactive high-level object-oriented language Python could be made to bypass security measures if it processed a malicious filename.

oval:org.secpod.oval:def:708669
gnome-control-center: utilities to configure the GNOME desktop GNOME Settings could allow unintended access to network services.

oval:org.secpod.oval:def:708604
rabbitmq-server: AMQP server written in Erlang RabbitMQ could be made to denial of service if it received a specially crafted HTTP request.

oval:org.secpod.oval:def:708339
gst-plugins-good1.0: GStreamer plugins GStreamer Good Plugins could be made to crash or run programs if it opened a specially crafted file.

oval:org.secpod.oval:def:708338
gst-plugins-base1.0: GStreamer plugins GStreamer Base Plugins could be made to crash or run programs if it opened a specially crafted file.

oval:org.secpod.oval:def:708343
poppler: PDF rendering library poppler could be made to crash if it opened a specially crafted file.

oval:org.secpod.oval:def:708440
libwebp: Lossy compression of digital photographic images libwebp could be made to crash or run programs if it opened a specially crafted file.

oval:org.secpod.oval:def:708438
thunderbird: Mozilla Open Source mail and newsgroup client Several security issues were fixed in Thunderbird.

oval:org.secpod.oval:def:708375
inetutils: File Transfer Protocol client Inetutils could be made to crash or execute arbitrary code.

oval:org.secpod.oval:def:708292
thunderbird: Mozilla Open Source mail and newsgroup client Several security issues were fixed in Thunderbird.

oval:org.secpod.oval:def:708226
mozjs102: SpiderMonkey JavaScript library Several security issues were fixed in SpiderMonkey.

oval:org.secpod.oval:def:708147
thunderbird: Mozilla Open Source mail and newsgroup client Several security issues were fixed in Thunderbird.

oval:org.secpod.oval:def:708155
cups-filters: OpenPrinting CUPS Filters cups-filters could be made to crash or run programs if it received specially crafted network traffic.

oval:org.secpod.oval:def:708639
request-tracker4: An enterprise-grade issue tracking system Several security issues were fixed in Request Tracker.

oval:org.secpod.oval:def:708640
haproxy: fast and reliable load balancing reverse proxy HAProxy could be made to expose sensitive information.

oval:org.secpod.oval:def:708659
ghostscript: PostScript and PDF interpreter Ghostscript could be made to crash if it wrote a TIFF file.

oval:org.secpod.oval:def:708652
libreoffice: Office productivity suite Several security issues were fixed in LibreOffice.

oval:org.secpod.oval:def:708673
budgie-extras: Applet to provide an alternative means to launch applications Several security issues were fixed in budgie-extras.

oval:org.secpod.oval:def:708674
audiofile: Open-source version of the SGI audiofile library Several security issues were fixed in audiofile.

oval:org.secpod.oval:def:708675
yajl: Yet Another JSON Library Details: USN-6233-1 fixed vulnerabilities in YAJL. This update provides the corresponding updates for Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, and Ubuntu 23.04. Original advisory Several security issues were fixed in YAJL.

oval:org.secpod.oval:def:708658
netatalk: Apple Filing Protocol service Netatalk could be made to crash or run programs if it received specially crafted network traffic.

oval:org.secpod.oval:def:708453
open-vm-tools: Open VMware Tools for virtual machines hosted on VMware Open VM Tools could allow unintended access to network services.

oval:org.secpod.oval:def:708330
open-vm-tools: Open VMware Tools for virtual machines hosted on VMware open-vm-tools could be made to bypass authentication.

oval:org.secpod.oval:def:708454
ruby-redcloth: Textile module for Ruby RedCloth could be made to crash if it received specially crafted input.

oval:org.secpod.oval:def:708360
webkit2gtk: Web content engine library for GTK+ Several security issues were fixed in WebKitGTK.

oval:org.secpod.oval:def:708283
python-django: High-level Python web development framework Django could be made to consume resources if it received specially crafted network traffic.

oval:org.secpod.oval:def:708397
python-git: Python library to interact with Git repositories GitPython could be made to run arbitrary commands on the host.

oval:org.secpod.oval:def:708120
python-django: High-level Python web development framework A Django hardening measure could be bypassed.

oval:org.secpod.oval:def:708233
requests: elegant and simple HTTP library for Python Requests could be made to expose sensitive information over the network.

oval:org.secpod.oval:def:708428
dotnet6: dotNET CLI tools and runtime - dotnet7: dotNET CLI tools and runtime .NET could be made to crash if it received a specially crafted request.

oval:org.secpod.oval:def:94747
apache2: Apache HTTP server Several security issues were fixed in Apache HTTP Server.

oval:org.secpod.oval:def:708254
qemu: Machine emulator and virtualizer Several security issues were fixed in QEMU.

oval:org.secpod.oval:def:96498
curl: HTTP, HTTPS, and FTP client and client libraries Several security issues were fixed in curl.

oval:org.secpod.oval:def:96504
vim: Vi IMproved - enhanced vi editor Several security issues were fixed in Vim.

oval:org.secpod.oval:def:708355
intel-microcode: Processor microcode for Intel CPUs Several security issues were fixed in Intel Microcode.

oval:org.secpod.oval:def:708352
linux: Linux kernel - linux-aws: Linux kernel for Amazon Web Services systems - linux-azure: Linux kernel for Microsoft Azure Cloud systems - linux-gcp: Linux kernel for Google Cloud Platform systems - linux-ibm: Linux kernel for IBM cloud systems - linux-kvm: Linux kernel for cloud environments - ...

oval:org.secpod.oval:def:708392
amd64-microcode: Processor microcode firmware for AMD CPUs AMD processors may allow an attacker to expose sensitive information due to a speculative execution vulnerability.

oval:org.secpod.oval:def:708315
openssh: secure shell for secure access to remote machines OpenSSH could be made to run programs as your login when using ssh-agent forwarding.

oval:org.secpod.oval:def:708374
clamav: Anti-virus utility for Unix ClamAV could be made to crash if it opened a specially crafted file.

oval:org.secpod.oval:def:708317
amd64-microcode: Processor microcode firmware for AMD CPUs AMD processors may allow an attacker to expose sensitive information due to a vector register speculative execution vulnerability.

oval:org.secpod.oval:def:708274
linux: Linux kernel - linux-aws: Linux kernel for Amazon Web Services systems - linux-kvm: Linux kernel for cloud environments - linux-lowlatency: Linux low latency kernel - linux-raspi: Linux kernel for Raspberry Pi systems - linux-azure: Linux kernel for Microsoft Azure Cloud systems - linux-gcp: ...

oval:org.secpod.oval:def:708335
librsvg: renderer library for SVG files librsvg could be made to expose sensitive information.

oval:org.secpod.oval:def:708299
linux-azure: Linux kernel for Microsoft Azure Cloud systems - linux-gcp: Linux kernel for Google Cloud Platform systems - linux-ibm: Linux kernel for IBM cloud systems - linux-oracle: Linux kernel for Oracle Cloud systems Several security issues were fixed in the Linux kernel.

oval:org.secpod.oval:def:708265
ruby3.1: Interpreter of object-oriented scripting language Ruby Several security issues were fixed in Ruby.

oval:org.secpod.oval:def:708305
ruby3.1: Interpreter of object-oriented scripting language Ruby - ruby3.0: Interpreter of object-oriented scripting language Ruby - ruby2.7: Object-oriented scripting language - ruby2.5: Object-oriented scripting language - ruby2.3: Object-oriented scripting language Several security issues were fix ...

oval:org.secpod.oval:def:708224
sysstat: system performance tools for Linux Sysstat could be made to crash or run programs if it processed specially crafted data.

oval:org.secpod.oval:def:708151
libwebp: Lossy compression of digital photographic images libwebp could be made to crash or run programs as your login if it opened a specially crafted file.

oval:org.secpod.oval:def:708590
python-pip: Python package installer Details: USN-6473-1 fixed vulnerabilities in urllib3. This update provides the corresponding updates for the urllib3 module bundled into pip. Original advisory Several security issues were fixed in pip.

oval:org.secpod.oval:def:708577
python-urllib3: HTTP library with thread-safe connection pooling Several security issues were fixed in urllib3.

oval:org.secpod.oval:def:708302
linux-azure: Linux kernel for Microsoft Azure Cloud systems - linux-gcp: Linux kernel for Google Cloud Platform systems - linux-ibm: Linux kernel for IBM cloud systems - linux-oracle: Linux kernel for Oracle Cloud systems Several security issues were fixed in the Linux kernel.

oval:org.secpod.oval:def:708298
linux: Linux kernel - linux-aws: Linux kernel for Amazon Web Services systems - linux-kvm: Linux kernel for cloud environments - linux-lowlatency: Linux low latency kernel - linux-raspi: Linux kernel for Raspberry Pi systems Several security issues were fixed in the Linux kernel.

oval:org.secpod.oval:def:91659
samba: SMB/CIFS file, print, and login server for Unix Several security issues were fixed in Samba.

oval:org.secpod.oval:def:708680
thunderbird: Mozilla Open Source mail and newsgroup client Several security issues were fixed in Thunderbird.

oval:org.secpod.oval:def:708217
libraw: raw image decoder library Several security issues were fixed in LibRaw.

oval:org.secpod.oval:def:708119
git: fast, scalable, distributed revision control system Several security issues were fixed in Git.

oval:org.secpod.oval:def:708308
connman: Intel Connection Manager daemon Several security issues were fixed in ConnMan.

oval:org.secpod.oval:def:708361
haproxy: fast and reliable load balancing reverse proxy HAProxy could allow unintended access to network services.

oval:org.secpod.oval:def:708607
gnutls28: GNU TLS library GnuTLS could be made to expose sensitive information over the network.

oval:org.secpod.oval:def:94746
squid: Web proxy cache server Several security issues were fixed in Squid.

oval:org.secpod.oval:def:708670
xorg-server: X.Org X11 server - xwayland: X server for running X clients under Wayland Several security issues were fixed in X.Org X Server.

oval:org.secpod.oval:def:708596
webkit2gtk: Web content engine library for GTK+ Several security issues were fixed in WebKitGTK.

oval:org.secpod.oval:def:708654
webkit2gtk: Web content engine library for GTK+ Several security issues were fixed in WebKitGTK.

oval:org.secpod.oval:def:708570
thunderbird: Mozilla Open Source mail and newsgroup client Several security issues were fixed in Thunderbird.

oval:org.secpod.oval:def:708264
cups: Common UNIX Printing System CUPS could be made to crash or expose sensitive information over the network.

oval:org.secpod.oval:def:708126
webkit2gtk: Web content engine library for GTK+ Several security issues were fixed in WebKitGTK.

oval:org.secpod.oval:def:708334
webkit2gtk: Web content engine library for GTK+ Several security issues were fixed in WebKitGTK.

oval:org.secpod.oval:def:708208
cups: Common UNIX Printing System CUPS could be made to crash or run programs if it received specially crafted network traffic.

oval:org.secpod.oval:def:91658
curl: HTTP, HTTPS, and FTP client and client libraries Several security issues were fixed in curl.

oval:org.secpod.oval:def:90539
vim: Vi IMproved - enhanced vi editor Several security issues were fixed in Vim.

oval:org.secpod.oval:def:708646
postgresql-15: Object-relational SQL database - postgresql-14: Object-relational SQL database - postgresql-12: Object-relational SQL database Several security issues were fixed in PostgreSQL.

oval:org.secpod.oval:def:92534
postgresql-15: Object-relational SQL database - postgresql-14: Object-relational SQL database - postgresql-12: Object-relational SQL database Several security issues were fixed in PostgreSQL.

oval:org.secpod.oval:def:708324
libvirt: Libvirt virtualization toolkit libvirt could be made to stop responding or crash if it received specially crafted commands.

oval:org.secpod.oval:def:708149
openjdk-17: Open Source Java implementation - openjdk-20: Open Source Java implementation - openjdk-8: Open Source Java implementation - openjdk-lts: Open Source Java implementation Several security issues were fixed in OpenJDK.

oval:org.secpod.oval:def:708340
openjdk-20: Open Source Java implementation Several security issues were fixed in OpenJDK 20.

oval:org.secpod.oval:def:708336
openjdk-17: Open Source Java implementation - openjdk-8: Open Source Java implementation - openjdk-lts: Open Source Java implementation Several security issues were fixed in OpenJDK.

oval:org.secpod.oval:def:92537
openjdk-17: Open Source Java implementation - openjdk-8: Open Source Java implementation - openjdk-lts: Open Source Java implementation Several security issues were fixed in OpenJDK.

oval:org.secpod.oval:def:92536
openjdk-17: Open Source Java implementation - openjdk-8: Open Source Java implementation - openjdk-lts: Open Source Java implementation Several security issues were fixed in OpenJDK.

oval:org.secpod.oval:def:708133
sqlparse: documentation for non-validating SQL parser in Python SQL parse could be made to denial of service if it received a specially crafted regular expression.

oval:org.secpod.oval:def:708395
frr: FRRouting suite of internet protocols FRR could be made to close sessions if it received speacially crafted network traffic.

oval:org.secpod.oval:def:90536
frr: FRRouting suite of internet protocols Several security issues were fixed in FRR.

oval:org.secpod.oval:def:708281
containerd: daemon to control runC Several security issues were fixed in containerd.

oval:org.secpod.oval:def:708158
runc: Open Container Project Several security issues were fixed in runC.

oval:org.secpod.oval:def:708218
golang-1.19: Go programming language compiler - metapackage - golang-1.20: Go programming language compiler - metapackage Several security issues were fixed in Go.

oval:org.secpod.oval:def:708222
libxml2: GNOME XML library Details: USN-6028-1 fixed vulnerabilities in libxml2. This update provides the corresponding updates for Ubuntu 23.04. Original advisory Several security issues were fixed in libxml2.

oval:org.secpod.oval:def:89581
openssl: Secure Socket Layer cryptographic library and tools - openssl1.0: Secure Socket Layer cryptographic library and tools Several security issues were fixed in OpenSSL.

oval:org.secpod.oval:def:708649
bluez: Bluetooth tools and daemons BlueZ could be made to give a physically proximate attacker keyboard and mouse control of a computer.

oval:org.secpod.oval:def:93726
curl: SOCKS5 heap buffer overflow.

oval:org.secpod.oval:def:708446
curl: HTTP, HTTPS, and FTP client and client libraries curl could be made to consume resources if it received specially crafted network traffic.

oval:org.secpod.oval:def:93725
curl: cookie injection with none file.

oval:org.secpod.oval:def:92272
Monitor the use of system calls associated with the deletion or renaming of files and file attributes. This configuration statement sets up monitoring for the unlink (remove a file), unlinkat (remove a file attribute), rename (rename a file) and renameat (rename a file attribute) system calls and ta ...

oval:org.secpod.oval:def:98210
qemu: Machine emulator and virtualizer Several security issues were fixed in QEMU.

oval:org.secpod.oval:def:98213
libclamunrar: anti-virus utility for Unix - unrar support Several security issues were fixed in libclamunrar.

oval:org.secpod.oval:def:98214
golang-1.20: Go programming language compiler - golang-1.21: Go programming language compiler Several security issues were fixed in Go.

oval:org.secpod.oval:def:708696
twisted: Event-based framework for internet applications Several security issues were fixed in Twisted.

oval:org.secpod.oval:def:708705
freeimage: Support library for graphics image formats Several security issues were fixed in FreeImage.

oval:org.secpod.oval:def:708707
xerces-c: Validating XML parser written in a portable subset of C++ Details: USN-6579-1 fixed a vulnerability in Xerces-C++. This update provides the corresponding update for Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, Ubuntu 23.04 and Ubuntu 23.10. Original advisory Xerces-C++ could be made to crash or run ...

oval:org.secpod.oval:def:98218
gnutls28: GNU TLS library Several security issues were fixed in GnuTLS.

oval:org.secpod.oval:def:708684
clamav: Anti-virus utility for Unix ClamAV was updated to remain compatible with signature database downloads.

oval:org.secpod.oval:def:708697
golang-1.20: Go programming language compiler - golang-1.21: Go programming language compiler Several security issues were fixed in Go.

oval:org.secpod.oval:def:708613
nghttp2: HTTP/2 C Library and tools nghttp2 could be made to consume resources if it received specially crafted network traffic.

oval:org.secpod.oval:def:708700
w3m: WWW browsable pager with excellent tables/frames support w3m could be made to crash or run programs as your login if it opened a malicious website.

oval:org.secpod.oval:def:708704
webkit2gtk: Web content engine library for GTK+ Several security issues were fixed in WebKitGTK.

oval:org.secpod.oval:def:708706
xorg-server: X.Org X11 server - xwayland: X server for running X clients under Wayland Several security issues were fixed in X.Org X Server.

oval:org.secpod.oval:def:708708
pam: Pluggable Authentication Modules PAM could be made to stop responding if it opened a specially crafted file.

oval:org.secpod.oval:def:708716
squid: Web proxy cache server Several security issues were fixed in Squid.

oval:org.secpod.oval:def:708718
puma: threaded HTTP 1.1 server for Ruby/Rack applications Puma could be made to consume resources if it received specially crafted network traffic.

oval:org.secpod.oval:def:708676
libssh: A tiny C SSH library A security issue was fixed in libssh.

oval:org.secpod.oval:def:96506
openssh: secure shell for secure access to remote machines Several security issues were fixed in OpenSSH.

oval:org.secpod.oval:def:708261
linux-azure: Linux kernel for Microsoft Azure Cloud systems - linux-gcp: Linux kernel for Google Cloud Platform systems - linux-ibm: Linux kernel for IBM cloud systems - linux-kvm: Linux kernel for cloud environments - linux-oracle: Linux kernel for Oracle Cloud systems Several security issues were ...

oval:org.secpod.oval:def:708252
linux: Linux kernel - linux-aws: Linux kernel for Amazon Web Services systems - linux-lowlatency: Linux low latency kernel - linux-raspi: Linux kernel for Raspberry Pi systems Several security issues were fixed in the Linux kernel.

oval:org.secpod.oval:def:708326
linux: Linux kernel - linux-aws: Linux kernel for Amazon Web Services systems - linux-azure: Linux kernel for Microsoft Azure Cloud systems - linux-gcp: Linux kernel for Google Cloud Platform systems - linux-ibm: Linux kernel for IBM cloud systems - linux-kvm: Linux kernel for cloud environments - ...

oval:org.secpod.oval:def:96508
openssh: secure shell for secure access to remote machines Several security issues were fixed in OpenSSH.

oval:org.secpod.oval:def:708636
linux-azure: Linux kernel for Microsoft Azure Cloud systems - linux-gcp: Linux kernel for Google Cloud Platform systems - linux-azure-6.2: Linux kernel for Microsoft Azure cloud systems - linux-azure-fde-6.2: Linux kernel for Microsoft Azure CVM cloud systems - linux-gcp-6.2: Linux kernel for Googl ...

oval:org.secpod.oval:def:708664
linux-gcp: Linux kernel for Google Cloud Platform systems - linux-kvm: Linux kernel for cloud environments Several security issues were fixed in the Linux kernel.

oval:org.secpod.oval:def:708642
linux: Linux kernel - linux-aws: Linux kernel for Amazon Web Services systems - linux-azure: Linux kernel for Microsoft Azure Cloud systems - linux-lowlatency: Linux low latency kernel - linux-oracle: Linux kernel for Oracle Cloud systems - linux-raspi: Linux kernel for Raspberry Pi systems - linux ...

oval:org.secpod.oval:def:96499
python-cryptography: Cryptography Python library Several security issues were fixed in python-cryptography.

oval:org.secpod.oval:def:708699
dotnet6: dotNET CLI tools and runtime - dotnet7: dotNET CLI tools and runtime - dotnet8: dotNET CLI tools and runtime Several security issues were fixed in dotnet6, dotnet7, and dotnet8.

oval:org.secpod.oval:def:708128
mysql-8.0: MySQL database - mysql-5.7: MySQL database Several security issues were fixed in MySQL.

oval:org.secpod.oval:def:708359
mysql-8.0: MySQL database Several security issues were fixed in MySQL.

oval:org.secpod.oval:def:708238
dotnet6: dotNET CLI tools and runtime - dotnet7: dotNET CLI tools and runtime Several security issues were fixed in .NET.

oval:org.secpod.oval:def:708214
libssh: A tiny C SSH library Several security issues were fixed in libssh.

oval:org.secpod.oval:def:708712
libssh: A tiny C SSH library Several security issues were fixed in libssh.

oval:org.secpod.oval:def:708681
sqlite3: C library that implements an SQL database engine Several security issues were fixed in SQLite.

oval:org.secpod.oval:def:708709
zookeeper: High-performance coordination service for distributed applications Several security issues were fixed in ZooKeeper.

oval:org.secpod.oval:def:96502
glibc: GNU C Library Several security issues were fixed in GNU C Library.

oval:org.secpod.oval:def:91653
imagemagick: Image manipulation programs and library Several security issues were fixed in ImageMagick.

oval:org.secpod.oval:def:708278
php8.1: HTML-embedded scripting language interpreter - php7.4: HTML-embedded scripting language interpreter PHP could be made to expose sensitive information.

oval:org.secpod.oval:def:708376
php8.1: HTML-embedded scripting language interpreter Several security issues were fixed in PHP.

*CPE
cpe:/o:ubuntu:ubuntu_linux:23.04
XCCDF    2
xccdf_org.secpod_benchmark_SecPod_Ubuntu_23.04
xccdf_org.secpod_benchmark_general_Ubuntu_23.04

© SecPod Technologies