INSERT INTO `tsca` VALUES (1000,'Create Separate Partition for /tmp','The /tmp directory is a world-writable directory used for temporary storage by all users and some applications.','Since the /tmp directory is intended to be world-writable, there is a risk of resource exhaustion if it is not bound to a separate partition. In addition, making /tmp its own file system allows an administrator to set the noexec option on the mount, making /tmp useless for an attacker to install executable code. It would also prevent an attacker from establishing a hardlink to a system setuid program and waiting for it to be updated. Once the program was updated, the hardlink would be broken and the attacker would have his own copy of the program. If the program happened to have a security vulnerability, the attacker could continue to exploit the known flaw.','','Configure /etc/fstab as appropriate or run the following commands to enable systemd /tmp mounting: systemctl unmask tmp.mount; systemctl enable tmp.mount. Edit /etc/systemd/system/local-fs.target.wants/tmp.mount to configure the /tmp mount.','[{\"cis\": [\"2.1\"]}, {\"pci_dss\": [\"2.2.4\"]}, {\"nist_800_53\": [\"CM.1\"]}]'),(1001,'Set nodev option for /tmp Partition','The nodev mount option specifies that the filesystem cannot contain special devices.','Since the /tmp filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices in /tmp.','','Edit the /etc/fstab file and add nodev to the fourth field (mounting options). See the fstab(5) manual page for more information. 
# mount -o remount,nodev /tmp','[{\"cis\": [\"2.2\"]}, {\"pci_dss\": [\"2.2.4\"]}, {\"nist_800_53\": [\"CM.1\"]}, {\"tsc\": [\"CC5.2\"]}]'),(1002,'Set nosuid option for /tmp Partition','The nosuid mount option specifies that the filesystem cannot contain set userid files.','Since the /tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot create set userid files in /tmp.','','Edit the /etc/fstab file and add nosuid to the fourth field (mounting options). See the fstab(5) manual page for more information. # mount -o remount,nosuid /tmp','[{\"cis\": [\"2.3\"]}, {\"pci_dss\": [\"2.2.4\"]}, {\"nist_800_53\": [\"CM.1\"]}, {\"tsc\": [\"CC5.2\"]}]'),(1003,'Set noexec option for /tmp partition','The noexec mount option specifies that the filesystem cannot contain executable binaries.','Since the /tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot run executable binaries from /tmp.','','Edit the /etc/fstab file and add noexec to the fourth field (mounting options). See the fstab(5) manual page for more information. # mount -o remount,noexec /tmp','[{\"cis\": [\"2.4\"]}, {\"pci_dss\": [\"2.2.4\"]}, {\"nist_800_53\": [\"CM.1\"]}, {\"tsc\": [\"CC5.2\"]}]'),(1004,'Create Separate Partition for /var','The /var directory is used by daemons and other system services to temporarily store dynamic data. Some directories created by these processes may be world-writable.','Since the /var directory may contain world-writable files and directories, there is a risk of resource exhaustion if it is not bound to a separate partition.','','For new installations, during installation create a custom partition setup and specify a separate partition for /var. 
For systems that were previously installed, use the Logical Volume Manager (LVM) to create partitions.','[{\"cis\": [\"2.5\"]}, {\"pci_dss\": [\"2.2.4\"]}, {\"nist_800_53\": [\"CM.1\"]}, {\"tsc\": [\"CC5.2\"]}]'),(1005,'Bind mount the /var/tmp directory to /tmp','The /var/tmp directory is normally a standalone directory in the /var file system. Binding /var/tmp to /tmp establishes an unbreakable link to /tmp that cannot be removed (even by the root user). It also allows /var/tmp to inherit the same mount options that /tmp owns, allowing /var/tmp to be protected in the same manner /tmp is protected. It will also prevent /var from filling up with temporary files as the contents of /var/tmp will actually reside in
INSERT INTO `tsca` VALUES (5041,'Ensure message of the day is configured properly','The contents of the /etc/motd file are displayed to users after login and function as a message of the day for authenticated users. Unix-based systems have typically displayed information about the OS release and patch level upon logging in to the system. This information can be useful to developers who are developing software for a particular OS platform. If mingetty(8) supports the following options, they display operating system information: m - machine architecture \r - operating system release s - operating system name v - operating system version','Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place. Displaying OS and patch level information in login banners also has the side effect of providing detailed system information to attackers attempting to target specific exploits of a system. Authorized users can easily get this information by running the \" uname -a \" command once they have logged in.','','Edit the /etc/motd file with the appropriate contents according to your site policy, remove any instances of m , \r , s , v or references to the OS platform OR If the motd is not used, this file can be removed. Run the following command to remove the motd file: # rm /etc/motd','[{\"cis\": [\"1.8.1.1\"]}, {\"cis_csc\": [\"5.1\"]}, {\"pci_dss\": [\"7.1\"]}, {\"tsc\": [\"CC6.4\"]}]'),(5042,'Ensure local login warning banner is configured properly','The contents of the /etc/issue file are displayed to users prior to login for local terminals. Unix-based systems have typically displayed information about the OS release and patch level upon logging in to the system. This information can be useful to developers who are developing software for a particular OS platform. 
If mingetty(8) supports the following options, they display operating system information: m - machine architecture \r - operating system release s - operating system name v - operating system version','Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place. Displaying OS and patch level information in login banners also has the side effect of providing detailed system information to attackers attempting to target specific exploits of a system. Authorized users can easily get this information by running the \" uname -a \" command once they have logged in.','','Edit the /etc/issue file with the appropriate contents according to your site policy, remove any instances of m , \r , s , v or references to the OS platform: # echo \"Authorized uses only. All activity may be monitored and reported.\" > /etc/issue','[{\"cis\": [\"1.8.1.2\"]}, {\"cis_csc\": [\"5.1\"]}, {\"pci_dss\": [\"7.1\"]}, {\"tsc\": [\"CC6.4\"]}]'),(5043,'Ensure remote login warning banner is configured properly','The contents of the /etc/issue.net file are displayed to users prior to login for remote connections from configured services. Unix-based systems have typically displayed information about the OS release and patch level upon logging in to the system. This information can be useful to developers who are developing software for a particular OS platform. If mingetty(8) supports the following options, they display operating system information: m - machine architecture \r - operating system release s - operating system name v - operating system version','Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place. 
Displaying OS and patch level information in login banners also has the side effect of providing detailed system information to attackers attempting to target specific exploits of a system
INSERT INTO `tsca` VALUES (15022,'Ensure \'Microsoft network client: Digitally sign communications (always)\' is set to \'Enabled\'','This policy setting determines whether packet signing is required by the SMB client component. Note: When Windows Vista-based computers have this policy setting enabled and they connect to file or print shares on remote servers, it is important that the setting is synchronized with its companion setting, Microsoft network server: Digitally sign communications (always), on those servers. For more information about these settings, see the \'Microsoft network client and server: Digitally sign communications (four related settings)\' section in Chapter 5 of the Threats and Countermeasures guide. The recommended state for this setting is: Enabled.','Session hijacking uses tools that allow attackers who have access to the same network as the client or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned SMB packets and then modify the traffic and forward it so that the server might perform undesirable actions. Alternatively, the attacker could pose as the server or client after legitimate authentication and gain unauthorized access to data. SMB is the resource sharing protocol that is supported by many Windows operating systems. It is the basis of NetBIOS and many other protocols. SMB signatures authenticate both users and the servers that host the data. 
If either side fails the authentication process, data transmission will not take place.','','To establish the recommended configuration via GP, set the following UI path to Enabled: Computer ConfigurationPoliciesWindows SettingsSecurity SettingsLocal PoliciesSecurity OptionsMicrosoft network client: Digitally sign communications (always).','[{\"cis\": [\"2.3.8.1\"]}, {\"cis_csc\": [\"13\"]}, {\"pci_dss\": [\"4.1\"]}, {\"hipaa\": [\"164.312.a.2.IV\", \"164.312.e.1\", \"164.312.e.2.I\", \"164.312.e.2.II\"]}, {\"nist_800_53\": [\"SC.8\"]}, {\"tsc\": [\"CC6.1\", \"CC6.7\", \"CC7.2\"]}]'),(15023,'Ensure \'Microsoft network client: Digitally sign communications (if server agrees)\' is set to \'Enabled\'','This policy setting determines whether the SMB client will attempt to negotiate SMB packet signing. Note: Enabling this policy setting on SMB clients on your network makes them fully effective for packet signing with all clients and servers in your environment. The recommended state for this setting is: Enabled.','Session hijacking uses tools that allow attackers who have access to the same network as the client or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned SMB packets and then modify the traffic and forward it so that the server might perform undesirable actions. Alternatively, the attacker could pose as the server or client after legitimate authentication and gain unauthorized access to data. SMB is the resource sharing protocol that is supported by many Windows operating systems. It is the basis of NetBIOS and many other protocols. SMB signatures authenticate both users and the servers that host the data. 
If either side fails the authentication process, data transmission will not take place.','','To establish the recommended configuration via GP, set the following UI path to Enabled: Computer ConfigurationPoliciesWindows SettingsSecurity SettingsLocal PoliciesSecurity OptionsMicrosoft network client: Digitally sign communications (if server agrees).','[{\"cis\": [\"2.3.8.2\"]}, {\"cis_csc\": [\"13\"]}, {\"pci_dss\": [\"4.1\"]}, {\"hipaa\": [\"164.312.a.2.IV\", \"164.312.e.1\", \"164.312.e.2.I\", \"164.312.e.2.II\"]}, {\"nist_800_53\": [\"SC.8\"]}, {\"tsc\": [\"CC6.1\", \"CC6.7\", \"CC7.2\"]}]'),(15024,'Ensure \'Microsoft network client: Send unencrypted password to third-party SMB servers\' is set to \'Disabled\'','This policy setting determines whether the SMB redirector will send plaintext passwords during authentication to third-party SMB servers that do not support password encryption. It is recommended that you
INSERT INTO `tsca` VALUES (16175,'Ensure \'Allow a Windows app to share application data between users\' is set to \'Disabled\'','Manages a Windows app\'s ability to share data between users who have installed the app. Data is shared through the SharedLocal folder. This folder is available through the Windows.Storage API. The recommended state for this setting is: Disabled.','Users of a system could accidentally share sensitive data with other users on the same system.','','To establish the recommended configuration via GP, set the following UI path to Disabled: Computer ConfigurationPoliciesAdministrative TemplatesWindows ComponentsApp Package DeploymentAllow a Windows app to share application data between users Note: This Group Policy path may not exist by default. It is provided by the Group Policy template AppxPackageManager.admx/adml that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer).','[{\"cis\": [\"18.9.4.1\"]}, {\"cis_csc\": [\"14.4\"]}, {\"pci_dss\": [\"4.1\"]}, {\"hipaa\": [\"164.312.a.2.IV\", \"164.312.e.1\", \"164.312.e.2.I\", \"164.312.e.2.II\"]}, {\"nist_800_53\": [\"SC.8\"]}, {\"tsc\": [\"CC6.1\", \"CC6.7\", \"CC7.2\"]}]'),(16176,'Ensure \'Allow Microsoft accounts to be 
optional\' is set to \'Enabled\'','This policy setting lets you control whether Microsoft accounts are optional for Windows Store apps that require an account to sign in. This policy only affects Windows Store apps that support it. The recommended state for this setting is: Enabled.','Enabling this setting allows an organization to use their enterprise user accounts instead of using their Microsoft accounts when accessing Windows store apps. This provides the organization with greater control over relevant credentials. Microsoft accounts cannot be centrally managed and as such enterprise credential security policies cannot be applied to them, which could put any information accessed by using Microsoft accounts at risk.','','To establish the recommended configuration via GP, set the following UI path to Enabled: Computer ConfigurationPoliciesAdministrative TemplatesWindows ComponentsApp runtimeAllow Microsoft accounts to be optional Note: This Group Policy path may not exist by default. It is provided by the Group Policy template AppXRuntime.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer).','[{\"cis\": [\"18.9.6.1\"]}, {\"cis_csc\": [\"16.9\"]}, {\"pci_dss\": [\"8.1\"]}, {\"tsc\": [\"CC6.1\"]}]'),(16177,'Ensure \'Disallow Autoplay for non-volume devices\' is set to \'Enabled\'','This policy setting disallows AutoPlay for MTP devices like cameras or phones. The recommended state for this setting is: Enabled.','An attacker could use this feature to launch a program to damage a client computer or data on the computer.','','To establish the recommended configuration via GP, set the following UI path to Enabled: Computer ConfigurationPoliciesAdministrative TemplatesWindows ComponentsAutoPlay PoliciesDisallow Autoplay for non-volume devices Note: This Group Policy path may not exist by default. It is provided by the Group Policy template AutoPlay.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer).','[{\"cis\": [\"18.9.8.1\"]}, {\"cis_csc\": [\"8.3\"]}, {\"pci_dss\": [\"2.2.4\"]}, {\"nist_800_53\": [\"CM.1\"]}, {\"tsc\": [\"CC5.2\"]}]'),(16178,'Ensure \'Set the default behavior for AutoRun\' is set to \'Enabled: Do not 
execute any autorun commands\'','This policy setting sets the default behavior for Autorun commands. Autorun commands are generally stored in autorun.inf files. They often launch the installation program or other routines. The recommended state for this setting is: Enabled: Do not execute any autorun commands.','Prior to Windows Vista, when media containing an autorun command is inserted, the system will automatically execute the program without user intervention. This creates a major security concern as code may be executed without user\'s knowledge. Th
INSERT INTO `tsca` VALUES (19165,'Ensure only strong Key Exchange algorithms are used.','Key exchange is any method in cryptography by which cryptographic keys are exchanged between two parties, allowing use of a cryptographic algorithm. If the sender and receiver wish to exchange encrypted messages, each must be equipped to encrypt messages to be sent and decrypt messages received. Note: Some organizations may have stricter requirements for approved Key Exchange algorithms. Ensure that Key Exchange algorithms used are in compliance with site policy.','Key exchange methods that are considered weak should be removed. A key exchange method may be weak because too few bits are used or the hashing algorithm is considered too weak. Using weak algorithms could expose connections to man-in-the-middle attacks.','','Edit /etc/ssh/sshd_config or a file in /ssh/sshd_config.d/ ending in .conf and add or modify the KexAlgorithms line to contain a comma separated list of the site approved key exchange algorithms. Example: KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256','[{\"cis\": [\"5.3.15\"]}, {\"cis_csc_v7\": [\"14.4\"]}, {\"cmmc_v2.0\": [\"SC.3.177\", \"SC.3.185\"]}, {\"iso_27001-2013\": [\"A.13.1.1\", \"A.10.1.1\"]}, {\"mitre_techniques\": [\"T1527\", \"T1119\", \"T1530\", \"T1114\", \"T1070\", \"T1208\", \"T1040\", \"T1145\", \"T1492\", \"T1493\"]}, {\"pci_dss_v3.2.1\": [\"4.1\"]}]'),(19166,'Ensure SSH Idle Timeout Interval is configured.','The two options ClientAliveInterval and ClientAliveCountMax control the timeout of ssh sessions. - ClientAliveInterval sets a timeout interval in seconds after which if no data has been received from the client, sshd will send a message through the encrypted channel to request a response from the client. 
The default is 0, indicating that these messages will not be sent to the client. - ClientAliveCountMax sets the number of client alive messages which may be sent without sshd receiving any messages back from the client. If this threshold is reached while client alive messages are being sent, sshd will disconnect the client, terminating the session. The default value is 3. > The client alive messages are sent through the encrypted channel. > Setting ClientAliveCountMax to 0 disables connection termination. Example: If the ClientAliveInterval is set to 15 seconds and the ClientAliveCountMax is set to 3, the client ssh session will be terminated after 45 seconds of idle time.','Having no timeout value associated with a connection could allow an ssh session to remain active after the connection with the client has been interrupted. Setting a timeout value reduces this risk. - The recommended ClientAliveInterval setting is 300 seconds (5 minutes). - The recommended ClientAliveCountMax setting is 3. - The ssh session would send three keep alive messages at 5 minute intervals. If no response is received after the third keep alive message, the ssh session would be terminated after 15 minutes.','','Edit the /etc/ssh/sshd_config file to set the parameters according to site policy. 
This should include ClientAliveInterval between 1 and 300 and ClientAliveCountMax between 1 and 3: ClientAliveInterval 300 ClientAliveCountMax 3','[{\"cis\": [\"5.3.16\"]}, {\"cis_csc_v7\": [\"5.1\"]}, {\"cmmc_v2.0\": [\"AC.1.002\", \"CM.2.061\", \"SC.3.180\"]}, {\"iso_27001-2013\": [\"A.8.1.3\", \"A.14.2.5\"]}, {\"mitre_techniques\": [\"T1110\", \"T1003\", \"T1081\", \"T1097\", \"T1178\", \"T1072\", \"T1067\", \"T1495\", \"T1019\", \"T1177\", \"T1485\", \"T1486\", \"T1491\", \"T1488\", \"T1487\", \"T1490\", \"T1146\", \"T1148\", \"T1015\", \"T1133\", \"T1200\", \"T1076\", \"T1051\", \"T1176\", \"T1501\", \"T1087\", \"T1098\", \"T1139\", \"T1197\", \"T1092\", \"T1136\", \"T1011\", \"T1147\", \"T1130\", \"T1174\", \"T1053\", \"T1166\", \"T1206\", \"T1503\", \"T1214\", \"T1187\", \"T1208\", \"T1142\", \"T1075\", \"T1201\", \"T1145\",
INSERT INTO `tsca` VALUES (24574,'Ensure the \'ALL\' Audit Option on \'SYS.AUD$\' Is Enabled.','The logging of attempts to alter the audit trail in the SYS.AUD$ table (open for read/update/delete/view) will provide a record of any activities that may indicate unauthorized attempts to access the audit trail. Enabling the audit option will cause these activities to be audited.','As the logging of attempts to alter the SYS.AUD$ table can provide forensic evidence of the initiation of a pattern of unauthorized activities, this logging capability should be enabled.','','AUDIT ALL ON SYS.AUD$ BY ACCESS;','[{\"cis\": [\"6.1.14\"]}, {\"cis_csc\": [\"6.2\", \"6.3\"]}]'),(24575,'Ensure the \'PROCEDURE\' Audit Option Is Enabled.','In this statement audit, PROCEDURE means any procedure, function, package or library. Enabling this audit option causes any attempt, successful or not, to create or drop any of these types of objects to be audited, regardless of privilege or lack thereof. Java schema objects (sources, classes, and resources) are considered the same as procedures for the purposes of auditing SQL statements.','Any unauthorized attempts to create or drop a procedure in another\'s schema should cause concern, whether successful or not. Changes to critical stored code can dramatically change the behavior of the application and produce serious security consequences, including enabling privilege escalation and introducing SQL injection vulnerabilities. Audit records of such changes can be helpful in forensics.','','AUDIT PROCEDURE;','[{\"cis\": [\"6.1.15\"]}, {\"cis_csc\": [\"6.2\", \"6.3\"]}]'),(24576,'Ensure the \'ALTER 
SYSTEM\' Audit Option Is Enabled.','ALTER SYSTEM allows one to change instance settings, including security settings and auditing options. Additionally, ALTER SYSTEM can be used to run operating system commands using undocumented Oracle functionality. Enabling the audit option will audit all attempts to perform ALTER SYSTEM, whether successful or not and regardless of whether or not the ALTER SYSTEM privilege is held by the user attempting the action.','Any unauthorized attempt to alter the system should be cause for concern. Alterations outside of some specified maintenance window may be of concern. In forensics, these audit records could be quite useful.','','AUDIT ALTER SYSTEM;','[{\"cis\": [\"6.1.16\"]}, {\"cis_csc\": [\"6.2\", \"6.3\"]}]'),(24577,'Ensure the \'TRIGGER\' Audit Option Is Enabled.','A TRIGGER may be used to modify DML actions or invoke other (recursive) actions when some types of user-initiated actions occur. Enabling this audit option will cause auditing of any attempt, successful or not, to create, drop, enable or disable any schema trigger in any schema regardless of privilege or lack thereof. For enabling and disabling a trigger, it covers both ALTER TRIGGER and ALTER TABLE.','Triggers are often part of schema security, data validation and other critical constraints upon actions and data. A trigger in another schema may be used to escalate privileges, redirect operations, transform data and perform other sorts of perhaps undesired actions. Any unauthorized attempt to create, drop or alter a trigger in another schema may be cause for investigation.','','AUDIT TRIGGER;','[{\"cis\": [\"6.1.17\"]}, {\"cis_csc\": [\"6.2\", \"6.3\"]}]'),(24578,'Ensure the \'CREATE SESSION\' Audit Option Is Enabled.','Enabling this audit option will cause auditing of all attempts to connect to the database, whether successful or not, as well as audit session disconnects/logoffs. The commands to audit SESSION, CONNECT or CREATE SESSION all accomplish the same thing - they initiate statement auditing of the connect statement used to create a database session.','Auditing attempts to connect to the database is basic and mandated by most security initiatives. Any attempt to l
INSERT INTO `tsca` VALUES (27303,'Ensure \'Do not allow LPT port redirection\' is set to \'Enabled\'.','This policy setting specifies whether to prevent the redirection of data to client LPT ports during a Remote Desktop Services session. The recommended state for this setting is: Enabled.','In a more security-sensitive environment, it is desirable to reduce the possible attack surface. The need for LPT port redirection within a Remote Desktop session is very rare, so it makes sense to reduce the number of unexpected avenues for data exfiltration and/or malicious code transfer.','','To establish the recommended configuration via GP, set the following UI path to Enabled: Computer ConfigurationPoliciesAdministrative TemplatesWindows ComponentsRemote Desktop ServicesRemote Desktop Session HostDevice and Resource RedirectionDo not allow LPT port redirection Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates.','[{\"cis\": [\"18.9.65.3.3.5\"]}, {\"pci_dss\": [\"2.2.5\"]}, {\"tsc\": [\"CC6.3\"]}]'),(27304,'Ensure \'Do not allow supported Plug and Play device redirection\' is set to \'Enabled\'.','This policy setting allows you to control the redirection of supported Plug and Play devices, such as Windows Portable Devices, to the remote computer in a Remote Desktop Services session. The recommended state for this setting is: Enabled.','In a more security-sensitive environment, it is desirable to reduce the possible attack surface. 
The need for Plug and Play device redirection within a Remote Desktop session is very rare, so it makes sense to reduce the number of unexpected avenues for data exfiltration and/or malicious code transfer.','','To establish the recommended configuration via GP, set the following UI path to Enabled: Computer ConfigurationPoliciesAdministrative TemplatesWindows ComponentsRemote Desktop ServicesRemote Desktop Session HostDevice and Resource RedirectionDo not allow supported Plug and Play device redirection Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates.','[{\"cis\": [\"18.9.65.3.3.6\"]}, {\"pci_dss\": [\"2.2.5\"]}, {\"tsc\": [\"CC6.3\"]}]'),(27305,'Ensure \'Always prompt for password upon connection\' is set to \'Enabled\'.','This policy setting specifies whether Remote Desktop Services always prompts the client computer for a password upon connection. You can use this policy setting to enforce a password prompt for users who log on to Remote Desktop Services, even if they already provided the password in the Remote Desktop Connection client. The recommended state for this setting is: Enabled.','Users have the option to store both their username and password when they create a new Remote Desktop Connection shortcut. 
If the server that runs Remote Desktop Services allows users who have used this feature to log on to the server but not enter their password, then it is possible that an attacker who has gained physical access to the user\'s computer could connect to a Remote Desktop Server through the Remote Desktop Connection shortcut, even though they may not know the user\'s password.','','To establish the recommended configuration via GP, set the following UI path to Enabled: Computer ConfigurationPoliciesAdministrative TemplatesWindows ComponentsRemote Desktop ServicesRemote Desktop Session HostSecurityAlways prompt for password upon connection Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In the Microsoft Windows Vista Administrative Templates, this setting was named Always prompt client for password upon connection, but it was renamed starting with the Windows Server 2008 (non-R2) Administrative Templates.','[{\"cis\": [\"18.9.65.3.9.1\"]}, {\"pci_dss\": [\"8.2.1\"]}, {\"tsc\": [\"CC6.1\"]}]'),(27306,'Ensure
INSERT INTO `tsca` VALUES (31035,'Ensure Guest Access to Shared Folders Is Disabled.','Allowing guests to connect to shared folders enables users to access selected shared folders and their contents from different computers on a network.','Not allowing guests to connect to shared folders mitigates the risk of an untrusted user doing basic reconnaissance and possibly using privilege escalation attacks to take control of the system.','Unauthorized users could access shared files on the system.','Graphical Method: Perform the following steps to no longer allow guest user access to shared folders: 1. Open System Settings 2. Select Users & Groups 3. Select the i next to the Guest User 4. Set Allow guests to connect to shared folders to disabled Terminal Method: Run the following command to verify that shared folders are not accessible to guest users: $ /usr/bin/sudo /usr/sbin/sysadminctl -smbGuestAccess off.','[{\"cis\": [\"2.12.2\"]}, {\"cis_csc_v8\": [\"3.3\"]}, {\"cis_csc_v7\": [\"14.6\"]}, {\"cmmc_v2.0\": [\"AC.L1-3.1.1\", \"AC.L1-3.1.2\", \"AC.L2-3.1.3\", \"AC.L2-3.1.5\", \"MP.L2-3.8.2\"]}, {\"hipaa\": [\"164.308(a)(3)(i)\", \"164.308(a)(3)(ii)(A)\", \"164.312(a)(1)\"]}, {\"iso_27001-2013\": [\"A.9.1.1\"]}, {\"mitre_techniques\": [\"T1004\", \"T1015\", \"T1021\", \"T1023\", \"T1031\", \"T1034\", \"T1035\", \"T1036\", \"T1037\", \"T1044\", \"T1047\", \"T1050\", \"T1051\", \"T1053\", \"T1054\", \"T1070\", \"T1072\", \"T1073\", \"T1075\", \"T1076\", \"T1078\", \"T1080\", \"T1081\", \"T1084\", \"T1089\", \"T1096\", \"T1097\", \"T1133\", \"T1134\", \"T1145\", \"T1146\", \"T1150\", \"T1152\", \"T1156\", \"T1157\", \"T1159\", \"T1160\", \"T1162\", \"T1163\", \"T1165\", \"T1168\", \"T1169\", \"T1184\", \"T1185\", \"T1196\", \"T1197\", \"T1198\", \"T1200\", \"T1209\", \"T1213\", \"T1484\", \"T1489\", \"T1492\", \"T1494\", \"T1501\", \"T1504\", \"T1528\", \"T1530\", \"T1537\", \"T1538\"]}, {\"nist_sp_800-53\": [\"AC-5\", \"AC-6\"]}, {\"pci_dss_v3.2.1\": [\"7.1\", \"7.1.1\", 
\"7.1.2\", \"7.1.3\"]}, {\"pci_dss_v4.0\": [\"1.3.1\", \"7.1\"]}, {\"soc_2\": [\"CC5.2\", \"CC6.1\"]}]'),(31036,'Ensure Automatic Login Is Disabled.','The automatic login feature saves a user\'ssystemaccesscredentialsandbypassestheloginscreen.Instead,thesystemautomaticallyloadstotheuser\'s desktop screen.','Disabling automatic login decreases the likelihood of an unauthorized person gaining access to a system.','If automatic login is not disabled, an unauthorized user could gain access to the system without supplying any credentials.','Graphical Method: Perform the following steps to set automatic login to off: 1. Open System Settings 2. Select Users & Groups 3. Set Automatic login in as... to Off Terminal Method: Run the following command to disable automatic login: $ /usr/bin/sudo /usr/bin/defaults delete /Library/Preferences/com.apple.loginwindow autoLoginUser Profile Method: Create or edit a configuration profile with the following information: 1. The PayloadType string is com.apple.loginwindow 2. The key to include is com.apple.login.mcx.DisableAutoLoginClient 3. The key must be set to <true/> Note: If both the profile is enabled and a user is set to autologin, the profile will take precedent. 
In this case, the graphical or terminal remediation method should also be applied in case the profile is ever removed.','[{\"cis\": [\"2.12.3\"]}, {\"cis_csc_v8\": [\"4.7\"]}, {\"cis_csc_v7\": [\"4.2\"]}, {\"iso_27001-2013\": [\"A.9.4.3\"]}, {\"mitre_techniques\": [\"T1003\", \"T1017\", \"T1019\", \"T1028\", \"T1035\", \"T1047\", \"T1051\", \"T1053\", \"T1055\", \"T1067\", \"T1072\", \"T1075\", \"T1076\", \"T1077\", \"T1078\", \"T1084\", \"T1086\", \"T1088\", \"T1097\", \"T1098\", \"T1100\", \"T1134\", \"T1136\", \"T1169\", \"T1175\", \"T1184\", \"T1190\", \"T1206\", \"T1208\", \"T1210\", \"T1214\", \"T1215\", \"T1218\", \"T1495\", \"T1501\", \"T1505\", \"T1525\"]}, {\"pci_dss_v3.2.1\": [\"2.1\", \"2.1.1\"]}, {\"pci_dss_v4.0\": [\"2.2.2\", \"2.3.1\"]}, {\"soc_2\": [\"CC6.3\"]}]'),(31037,'Ensure Security Auditing Is Enabled.','macOS\'sauditfacility,