[DRAFT] DISA STIG for Red Hat Enterprise Linux 8
This profile contains configuration checks that align to the [DRAFT] DISA STIG for Red Hat Enterprise Linux 8. In addition to being applicable to Red Hat Enterprise Linux 8, DISA recognizes this configuration baseline as applicable to the operating system tier of Red Hat technologies that are based on Red Hat Enterprise Linux 8, such as: - Red Hat Enterprise Linux Server - Red Hat Enterprise Linux Workstation and Desktop - Red Hat Enterprise Linux for HPC - Red Hat Storage - Red Hat Containers with a Red Hat Enterprise Linux 8 image


ID Severity Title Discussion (Rationale) Fix Text (Description) Check Text (OCIL Check) SRG Refs CCI Refs 800-53 Refs
account_disable_post_pw_expiration medium Set Account Expiration Following Inactivity Disabling inactive accounts ensures that accounts which may not have been responsibly removed are not available to attackers who may have compromised their credentials. To specify the number of days after a password expires (which signifies inactivity) until an account is permanently disabled, add or correct the following line in /etc/default/useradd:
INACTIVE=
If a password is currently on the verge of expiration, then day(s) remain(s) until the account is automatically disabled. However, if the password will not expire for another 60 days, then 60 days plus day(s) could elapse until the account would be automatically disabled. See the useradd man page for more information.
SRG-OS-000118-GPOS-00060
CCI-000017
CCI-000795
account_temp_expire_date unknown Assign Expiration Date to Temporary Accounts If temporary user accounts remain active when no longer needed or for an excessive period, these accounts may be used to gain unauthorized access. To mitigate this risk, automated termination of all temporary accounts must be set upon account creation.
Temporary accounts are established as part of normal account activation procedures when there is a need for short-term accounts. In the event temporary or emergency accounts are required, configure the system to terminate them after a documented time period. For every temporary and emergency account, run the following command to set an expiration date on it, substituting USER and YYYY-MM-DD appropriately:
$ sudo chage -E YYYY-MM-DD USER
YYYY-MM-DD indicates the documented expiration date for the account. For U.S. Government systems, the operating system must be configured to automatically terminate these types of accounts after a period of 72 hours.
SRG-OS-000002-GPOS-00002
SRG-OS-000123-GPOS-00064
CCI-000016
CCI-001682
accounts_max_concurrent_login_sessions low Limit the Number of Concurrent Login Sessions Allowed Per User Limiting simultaneous user logins can insulate the system from denial of service problems caused by excessive logins. Automated login processes operating improperly or maliciously may result in an exceptional number of simultaneous login sessions. Limiting the number of allowed users and sessions per user can limit risks related to Denial of Service attacks. This addresses concurrent sessions for a single account and does not address concurrent sessions by a single user via multiple accounts. To set the number of concurrent sessions per user add the following line in /etc/security/limits.conf or a file under /etc/security/limits.d/:
* hard maxlogins 
SRG-OS-000027-GPOS-00008
CCI-000054
accounts_password_minlen_login_defs medium Set Password Minimum Length in login.defs Requiring a minimum password length makes password cracking attacks more difficult by ensuring a larger search space. However, any security benefit from an onerous requirement must be carefully weighed against usability problems, support costs, or counterproductive behavior that may result. To specify password length requirements for new accounts, edit the file /etc/login.defs and add or correct the following line:
PASS_MIN_LEN 


The DoD requirement is 15. The FISMA requirement is 12. The profile requirement is . If a program consults /etc/login.defs and also another PAM module (such as pam_pwquality) during a password change operation, then the most restrictive must be satisfied. See PAM section for more information about enforcing password quality requirements.
accounts_password_pam_dcredit medium Ensure PAM Enforces Password Requirements - Minimum Digit Characters Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.

Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. Requiring digits makes password guessing attacks more difficult by ensuring a larger search space.
The pam_pwquality module's dcredit parameter controls requirements for usage of digits in a password. When set to a negative number, any password will be required to contain that many digits. When set to a positive number, pam_pwquality will grant +1 additional length credit for each digit. Modify the dcredit setting in /etc/security/pwquality.conf to require the use of a digit in passwords. SRG-OS-000071-GPOS-00039
CCI-000194
accounts_password_pam_difok medium Ensure PAM Enforces Password Requirements - Minimum Different Characters Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute–force attacks.

Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.

Requiring a minimum number of different characters during password changes ensures that newly changed passwords should not resemble previously compromised ones. Note that passwords which are changed on compromised systems will still be compromised, however.
The pam_pwquality module's difok parameter sets the number of characters in a password that must not be present in and old password during a password change.

Modify the difok setting in /etc/security/pwquality.conf to equal to require differing characters when changing passwords.
SRG-OS-000072-GPOS-00040
CCI-000195
accounts_password_pam_enforce_local medium Ensure PAM Enforces Password Requirements - Enforce for Local Accounts Only The operating system must provide automated mechanisms for supporting account management functions. Enterprise environments make application account management challenging and complex. A manual process for account management functions adds the risk of a potential oversight or other error. The pam_pwquality module's local_users_only parameter controls requirements for enforcing password complexity by pam_pwquality only for local user accounts and ignoring centralized user account management password complexity configurations. Enable the local_users_only setting in /etc/security/pwquality.conf to require password complexity enforcement for only local user accounts. SRG-OS-000001-GPOS-00001
CCI-000015
accounts_password_pam_enforce_root medium Ensure PAM Enforces Password Requirements - Enforce for root User Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. The pam_pwquality module's enforce_for_root parameter controls requirements for enforcing password complexity for the root user. Enable the enforce_for_root setting in /etc/security/pwquality.conf to require the root user to use complex passwords. SRG-OS-000071-GPOS-00039
SRG-OS-000070-GPOS-00038
SRG-OS-000266-GPOS-00101
SRG-OS-000078-GPOS-00046
SRG-OS-000072-GPOS-00040
SRG-OS-000069-GPOS-00037
SRG-OS-000480-GPOS-00232
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00225
SRG-OS-000360-GPOS-00147
CCI-000194
CCI-000193
CCI-001619
CCI-000205
CCI-000195
CCI-000192
CCI-000366
accounts_password_pam_lcredit medium Ensure PAM Enforces Password Requirements - Minimum Lowercase Characters Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.

Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possble combinations that need to be tested before the password is compromised. Requiring a minimum number of lowercase characters makes password guessing attacks more difficult by ensuring a larger search space.
The pam_pwquality module's lcredit parameter controls requirements for usage of lowercase letters in a password. When set to a negative number, any password will be required to contain that many lowercase characters. When set to a positive number, pam_pwquality will grant +1 additional length credit for each lowercase character. Modify the lcredit setting in /etc/security/pwquality.conf to require the use of a lowercase character in passwords. SRG-OS-000070-GPOS-00038
CCI-000193
accounts_password_pam_maxclassrepeat medium Ensure PAM Enforces Password Requirements - Maximum Consecutive Repeating Characters from Same Character Class Use of a complex password helps to increase the time and resources required to comrpomise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
Password complexity is one factor of several that determines how long it takes to crack a password. The more complex a password, the greater the number of possible combinations that need to be tested before the password is compromised.
The pam_pwquality module's maxclassrepeat parameter controls requirements for consecutive repeating characters from the same character class. When set to a positive number, it will reject passwords which contain more than that number of consecutive characters from the same character class. Modify the maxclassrepeat setting in /etc/security/pwquality.conf to equal to prevent a run of ( + 1) or more identical characters. SRG-OS-000072-GPOS-00040
CCI-000195
accounts_password_pam_maxrepeat medium Set Password Maximum Consecutive Repeating Characters Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.

Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.

Passwords with excessive repeating characters may be more vulnerable to password-guessing attacks.
The pam_pwquality module's maxrepeat parameter controls requirements for consecutive repeating characters. When set to a positive number, it will reject passwords which contain more than that number of consecutive characters. Modify the maxrepeat setting in /etc/security/pwquality.conf to equal to prevent a run of ( + 1) or more identical characters. SRG-OS-000072-GPOS-00040
CCI-000195
accounts_password_pam_minlen medium Ensure PAM Enforces Password Requirements - Minimum Length The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised.
Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. Use of more characters in a password helps to exponentially increase the time and/or resources required to compromose the password.
The pam_pwquality module's minlen parameter controls requirements for minimum characters required in a password. Add minlen= after pam_pwquality to set minimum password length requirements. SRG-OS-000078-GPOS-00046
CCI-000205
accounts_password_pam_ocredit medium Ensure PAM Enforces Password Requirements - Minimum Special Characters Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.

Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possble combinations that need to be tested before the password is compromised. Requiring a minimum number of special characters makes password guessing attacks more difficult by ensuring a larger search space.
The pam_pwquality module's ocredit= parameter controls requirements for usage of special (or "other") characters in a password. When set to a negative number, any password will be required to contain that many special characters. When set to a positive number, pam_pwquality will grant +1 additional length credit for each special character. Modify the ocredit setting in /etc/security/pwquality.conf to equal to require use of a special character in passwords. SRG-OS-000266-GPOS-00101
CCI-001619
accounts_password_pam_ucredit medium Ensure PAM Enforces Password Requirements - Minimum Uppercase Characters Use of a complex password helps to increase the time and resources reuiqred to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.

Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.
The pam_pwquality module's ucredit= parameter controls requirements for usage of uppercase letters in a password. When set to a negative number, any password will be required to contain that many uppercase characters. When set to a positive number, pam_pwquality will grant +1 additional length credit for each uppercase character. Modify the ucredit setting in /etc/security/pwquality.conf to require the use of an uppercase character in passwords. SRG-OS-000069-GPOS-00037
CCI-000192
accounts_password_pam_unix_remember medium Limit Password Reuse Preventing re-use of previous passwords helps ensure that a compromised password is not re-used by a user. Do not allow users to reuse recent passwords. This can be accomplished by using the remember option for the pam_unix or pam_pwhistory PAM modules.

In the file /etc/pam.d/system-auth, append remember= to the line which refers to the pam_unix.so or pam_pwhistory.somodule, as shown below:
  • for the pam_unix.so case:
    password sufficient pam_unix.so ...existing_options... remember=
  • for the pam_pwhistory.so case:
    password requisite pam_pwhistory.so ...existing_options... remember=
The DoD STIG requirement is 5 passwords.
SRG-OS-000077-GPOS-00045
CCI-000200
accounts_password_set_max_life_existing medium Set Existing Passwords Maximum Age Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If the operating system does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the operating system passwords could be compromised. Configure non-compliant accounts to enforce a 60-day maximum password lifetime restriction by running the following command:
$ sudo chage -M 60 USER
SRG-OS-000076-GPOS-00044
CCI-000199
accounts_password_set_min_life_existing medium Set Existing Passwords Minimum Age Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. If users are allowed to immediately and continually change their password, the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse. Configure non-compliant accounts to enforce a 24 hours/1 day minimum password lifetime by running the following command:
$ sudo chage -m 1 USER
SRG-OS-000075-GPOS-00043
CCI-000198
accounts_passwords_pam_faillock_deny medium Set Deny For Failed Password Attempts Locking out user accounts after a number of incorrect attempts prevents direct password guessing attacks. To configure the system to lock out accounts after a number of incorrect login attempts using pam_faillock.so, modify the content of both /etc/pam.d/system-auth and /etc/pam.d/password-auth as follows:

  • add the following line immediately before the pam_unix.so statement in the AUTH section:
    auth required pam_faillock.so preauth silent deny= unlock_time= fail_interval=
  • add the following line immediately after the pam_unix.so statement in the AUTH section:
    auth [default=die] pam_faillock.so authfail deny= unlock_time= fail_interval=
  • add the following line immediately before the pam_unix.so statement in the ACCOUNT section:
    account required pam_faillock.so
SRG-OS-000021-GPOS-00005
SRG-OS-000329-GPOS-00128
CCI-000044
CCI-002238
accounts_passwords_pam_faillock_enforce_local medium Enforce pam_faillock for Local Accounts Only The operating system must provide automated mechanisms for supporting account management functions. Enterprise environments make application account management challenging and complex. A manual process for account management functions adds the risk of a potential oversight or other error. The pam_faillock module's local_users_only parameter controls requirements for enforcing failed lockout attempts only for local user accounts and ignoring centralized user account management failed attempt configurations. Enable the local_users_only setting in /etc/security/faillock.conf to require failed password attempts for only local user accounts. SRG-OS-000001-GPOS-00001
CCI-000015
accounts_passwords_pam_faillock_interval medium Set Interval For Counting Failed Password Attempts By limiting the number of failed logon attempts the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by locking the account. Utilizing pam_faillock.so, the fail_interval directive configures the system to lock out an account after a number of incorrect login attempts within a specified time period. Modify the content of both /etc/pam.d/system-auth and /etc/pam.d/password-auth as follows:

  • Add the following line immediately before the pam_unix.so statement in the AUTH section:
    auth required pam_faillock.so preauth silent deny= unlock_time= fail_interval=
  • Add the following line immediately after the pam_unix.so statement in the AUTH section:
    auth [default=die] pam_faillock.so authfail deny= unlock_time= fail_interval=
    
  • Add the following line immediately before the pam_unix.so statement in the ACCOUNT section:
    account required pam_faillock.so
SRG-OS-000021-GPOS-00005
SRG-OS-000329-GPOS-00128
CCI-000044
CCI-002238
accounts_passwords_pam_faillock_unlock_time medium Set Lockout Time for Failed Password Attempts Locking out user accounts after a number of incorrect attempts prevents direct password guessing attacks. Ensuring that an administrator is involved in unlocking locked accounts draws appropriate attention to such situations. To configure the system to lock out accounts after a number of incorrect login attempts and require an administrator to unlock the account using pam_faillock.so, modify the content of both /etc/pam.d/system-auth and /etc/pam.d/password-auth as follows:

  • add the following line immediately before the pam_unix.so statement in the AUTH section:
    auth required pam_faillock.so preauth silent deny= unlock_time= fail_interval=
  • add the following line immediately after the pam_unix.so statement in the AUTH section:
    auth [default=die] pam_faillock.so authfail deny= unlock_time= fail_interval=
  • add the following line immediately before the pam_unix.so statement in the ACCOUNT section:
    account required pam_faillock.so
If unlock_time is set to 0, manual intervention by an administrator is required to unlock a user.
SRG-OS-000021-GPOS-00005
SRG-OS-000329-GPOS-00128
CCI-000044
CCI-002238
accounts_umask_etc_bashrc unknown Ensure the Default Bash Umask is Set Correctly The umask value influences the permissions assigned to files when they are created. A misconfigured umask value could result in files with excessive permissions that can be read or written to by unauthorized users. To ensure the default umask for users of the Bash shell is set properly, add or correct the umask setting in /etc/bashrc to read as follows:
umask 
SRG-OS-000480-GPOS-00232
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00225
SRG-OS-000360-GPOS-00147
CCI-000366
accounts_umask_etc_csh_cshrc unknown Ensure the Default C Shell Umask is Set Correctly The umask value influences the permissions assigned to files when they are created. A misconfigured umask value could result in files with excessive permissions that can be read or written to by unauthorized users. To ensure the default umask for users of the C shell is set properly, add or correct the umask setting in /etc/csh.cshrc to read as follows:
umask 
SRG-OS-000480-GPOS-00232
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00225
SRG-OS-000360-GPOS-00147
CCI-000366
accounts_umask_etc_profile unknown Ensure the Default Umask is Set Correctly in /etc/profile The umask value influences the permissions assigned to files when they are created. A misconfigured umask value could result in files with excessive permissions that can be read or written to by unauthorized users. To ensure the default umask controlled by /etc/profile is set properly, add or correct the umask setting in /etc/profile to read as follows:
umask 
SRG-OS-000480-GPOS-00232
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00225
SRG-OS-000360-GPOS-00147
CCI-000366
audit_access_failed medium Configure auditing of unsuccessful file accesses Unsuccessful attempts to access a file might be signs of malicious activity happening within the system. Auditing of such activities helps in their monitoring and investigation. Ensure that unsuccessful attempts to access a file are audited. The following rules configure audit as described above:
## Unsuccessful file access (any other opens) This has to go last.
-a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-access
-a always,exit -F arch=b64 -S open,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-access
-a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-access
-a always,exit -F arch=b64 -S open,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-access
Load new Audit rules into kernel by running:
augenrules --load
Note: This rule utilizes a file provided by Audit package to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect contents of the file closely and make sure that they are alligned with your needs.
audit_access_success medium Configure auditing of successful file accesses Auditing of successful attempts to access a file helps in investigation of activities performed on the system. Ensure that successful attempts to access a file are audited. The following rules configure audit as described above:
## Successful file access (any other opens) This has to go last.
## These next two are likely to result in a whole lot of events
-a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access
-a always,exit -F arch=b64 -S open,openat,open_by_handle_at -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-access
The Audit package provides pre-configured rules in /usr/share/audit/sample-rules. The above content can be found in /usr/share/audit/sample-rules/30-ospp-v42-3-access-success.rules. To deploy this configuration, it is recommended to copy it over to the /etc/audit/rules.d/ directory:
cp /usr/share/audit/sample-rules/30-ospp-v42-3-access-success.rules /etc/audit/rules.d/
Load new Audit rules into kernel by running:
augenrules --load
Note: This rule utilizes a file provided by Audit package to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect contents of the file closely and make sure that they are alligned with your needs.
audit_basic_configuration medium Configure basic parameters of Audit system Without basic configurations, audit may not perform as expected. It may not be able to correctly handle events under stressful conditions, or log events in case of failure. Perform basic configuration of Audit system. Make sure that any previously defined rules are cleared, the auditing system is configured to handle sudden bursts of events, and in cases of failure, messages are configured to be directed to system log. The following rules configure audit as described above:
## First rule - delete all
-D

## Increase the buffers to survive stress events.
## Make this bigger for busy systems
-b 8192

## This determine how long to wait in burst of events
--backlog_wait_time 60000

## Set failure mode to syslog
-f 1

The Audit package provides pre-configured rules in /usr/share/audit/sample-rules. The above content can be found in /usr/share/audit/sample-rules/10-base-config.rules. To deploy this configuration, it is recommended to copy it over to the /etc/audit/rules.d/ directory:
cp /usr/share/audit/sample-rules/10-base-config.rules /etc/audit/rules.d/
Load new Audit rules into kernel by running:
augenrules --load
audit_create_failed medium Configure auditing of unsuccessful file creations Unsuccessful file creations might be a sign of a malicious action being performed on the system. Keeping log of such events helps in monitoring and investigation of such actions. Ensure that unsuccessful attempts to create a file are audited. The following rules configure audit as described above:
## Unsuccessful file creation (open with O_CREAT)
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
-a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
-a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
-a always,exit -F arch=b32 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
-a always,exit -F arch=b64 -S open -F a1&0100 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-create
The Audit package provides pre-configured rules in /usr/share/audit/sample-rules. The above content can be found in /usr/share/audit/sample-rules/30-ospp-v42-1-create-failed.rules. To deploy this configuration, it is recommended to copy it over to the /etc/audit/rules.d/ directory:
cp /usr/share/audit/sample-rules/30-ospp-v42-1-create-failed.rules /etc/audit/rules.d/
Load new Audit rules into kernel by running:
augenrules --load
Note: This rule utilizes a file provided by Audit package to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect contents of the file closely and make sure that they are alligned with your needs.
audit_create_success medium Configure auditing of successful file creations Auditing of successful attempts to create a file helps in investigation of actions which happened on the system. Ensure that successful attempts to create a file are audited. The following rules configure audit as described above:
## Successful file creation (open with O_CREAT)
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
-a always,exit -F arch=b32 -S open -F a1&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
-a always,exit -F arch=b64 -S open -F a1&0100 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
-a always,exit -F arch=b32 -S creat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
-a always,exit -F arch=b64 -S creat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-create
The Audit package provides pre-configured rules in /usr/share/audit/sample-rules. The above content can be found in /usr/share/audit/sample-rules/30-ospp-v42-1-create-success.rules. To deploy this configuration, it is recommended to copy it over to the /etc/audit/rules.d/ directory:
cp /usr/share/audit/sample-rules/30-ospp-v42-1-create-success.rules /etc/audit/rules.d/
Load new Audit rules into kernel by running:
augenrules --load
audit_delete_failed medium Configure auditing of unsuccessful file deletions Unsuccessful attempts to delete a file might be signs of malicious activities. Auditing of such events help in monitoring and investigating of such activities. Ensure that unsuccessful attempts to delete a file are audited. The following rules configure audit as described above:
## Unsuccessful file delete
-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-delete
The Audit package provides pre-configured rules in /usr/share/audit/sample-rules. The above content can be found in /usr/share/audit/sample-rules/30-ospp-v42-4-delete-failed.rules. To deploy this configuration, it is recommended to copy it over to the /etc/audit/rules.d/ directory:
cp /usr/share/audit/sample-rules/30-ospp-v42-4-delete-failed.rules /etc/audit/rules.d/
Load new Audit rules into kernel by running:
augenrules --load
Note: This rule utilizes a file provided by Audit package to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect contents of the file closely and make sure that they are alligned with your needs.
audit_delete_success medium Configure auditing of successful file deletions Auditing of successful attempts to delete a file may help in monitoring and investigation of activities performed on the system. Ensure that successful attempts to delete a file are audited. The following rules configure audit as described above:
## Successful file delete
-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-delete
-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-delete
The Audit package provides pre-configured rules in /usr/share/audit/sample-rules. The above content can be found in /usr/share/audit/sample-rules/30-ospp-v42-4-delete-success.rules. To deploy this configuration, it is recommended to copy it over to the /etc/audit/rules.d/ directory:
cp /usr/share/audit/sample-rules/30-ospp-v42-4-delete-success.rules /etc/audit/rules.d/
Load new Audit rules into kernel by running:
augenrules --load
Note: This rule utilizes a file provided by Audit package to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect contents of the file closely and make sure that they are alligned with your needs.
audit_immutable_login_uids medium Configure immutable Audit login UIDs If modification of login UIDs is not prevented, they can be changed by unprivileged users and make auditing complicated or impossible. Configure kernel to prevent modification of login UIDs once they are set. Changing login UUIDs while this configuration is enforced requires special capabilities which are not available to unprivileged users. The following rules configure audit as described above:
## Make the loginuid immutable. This prevents tampering with the auid.
--loginuid-immutable

The Audit provides pre-configured rules in /usr/share/audit/sample-rules. The above content can be found in /usr/share/audit/sample-rules/11-loginuid.rules. To deploy this configuration, it is recommended to copy it over to the /etc/audit/rules.d/ directory:
cp /usr/share/audit/sample-rules/11-loginuid.rules /etc/audit/rules.d/
Load new Audit rules into kernel by running:
augenrules --load
audit_modify_failed medium Configure auditing of unsuccessful file modifications Unsuccessful file modifications might be a sign of a malicious action being performed on the system. Auditing of such events helps in detection and investigation of such actions. Ensure that unsuccessful attempts to modify a file are audited. The following rules configure audit as described above:
## Unsuccessful file modifications (open for write or truncate)
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
-a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
-a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
-a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
-a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
-a always,exit -F arch=b32 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
-a always,exit -F arch=b64 -S open -F a1&01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
-a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
-a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-modification
The Audit package provides pre-configured rules in /usr/share/audit/sample-rules. The above content can be found in /usr/share/audit/sample-rules/30-ospp-v42-2-modify-failed.rules. To deploy this configuration, it is recommended to copy it over to the /etc/audit/rules.d/ directory:
cp /usr/share/audit/sample-rules/30-ospp-v42-2-modify-failed.rules /etc/audit/rules.d/
Load new Audit rules into kernel by running:
augenrules --load
Note: This rule utilizes a file provided by Audit package to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect contents of the file closely and make sure that they are alligned with your needs.
audit_modify_success medium Configure auditing of successful file modifications Auditing of successful attempts to modify a file helps in investigation of actions which happened on the system. Ensure that successful attempts to modify a file are audited. The following rules configure audit as described above:
## Successful file modifications (open for write or truncate)
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
-a always,exit -F arch=b32 -S open -F a1&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
-a always,exit -F arch=b64 -S open -F a1&01003 -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
-a always,exit -F arch=b32 -S truncate,ftruncate -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
-a always,exit -F arch=b64 -S truncate,ftruncate -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-modification
The Audit package provides pre-configured rules in /usr/share/audit/sample-rules. The above content can be found in /usr/share/audit/sample-rules/30-ospp-v42-2-modify-success.rules. To deploy this configuration, it is recommended to copy it over to the /etc/audit/rules.d/ directory:
cp /usr/share/audit/sample-rules/30-ospp-v42-2-modify-success.rules /etc/audit/rules.d/
Load new Audit rules into kernel by running:
augenrules --load
Note: This rule utilizes a file provided by Audit package to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect contents of the file closely and make sure that they are alligned with your needs.
audit_module_load medium Configure auditing of loading and unloading of kernel modules Loading of a malicious kernel module introduces a risk to the system, as the module has access to sensitive data and perform actions at the operating system kernel level. Having such events audited helps in monitoring and investigating of malicious activities. Ensure that loading and unloading of kernel modules is audited. The following rules configure audit as described above:
## These rules watch for kernel module insertion. By monitoring
## the syscall, we do not need any watches on programs.
-a always,exit -F arch=b32 -S init_module,finit_module -F key=module-load
-a always,exit -F arch=b64 -S init_module,finit_module -F key=module-load
-a always,exit -F arch=b32 -S delete_module -F key=module-unload
-a always,exit -F arch=b64 -S delete_module -F key=module-unload
The Audit package provides pre-configured rules in /usr/share/audit/sample-rules. The above content can be found in /usr/share/audit/sample-rules/43-module-load.rules. To deploy this configuration, it is recommended to copy it over to the /etc/audit/rules.d/ directory:
cp /usr/share/audit/sample-rules/43-module-load.rules /etc/audit/rules.d/
Load new Audit rules into kernel by running:
augenrules --load
audit_ospp_general medium Perform general configuration of Audit for OSPP Auditing of events listed in the description provides data for monitoring and investigation of potentially malicious events e.g. tampering with Audit logs, malicious access to files storing information about system users and groups etc. Configure some basic Audit parameters specific for OSPP profile. In particular, configure Audit to watch for direct modification of files storing system user and group information, and usage of applications with special rights which can change system configuration. Further audited events include access to audit log it self, attempts to Alter Process and Session Initiation Information, and attempts to modify MAC controls. The following rules configure audit as described above:
## The purpose of these rules is to meet the requirements for Operating
## System Protection Profile (OSPP)v4.2. These rules depends on having
## the following rule files copied to /etc/audit/rules.d:
##
## 10-base-config.rules, 11-loginuid.rules,
## 30-ospp-v42-1-create-failed.rules, 30-ospp-v42-1-create-success.rules,
## 30-ospp-v42-2-modify-failed.rules, 30-ospp-v42-2-modify-success.rules,
## 30-ospp-v42-3-access-failed.rules, 30-ospp-v42-3-access-success.rules,
## 30-ospp-v42-4-delete-failed.rules, 30-ospp-v42-4-delete-success.rules,
## 30-ospp-v42-5-perm-change-failed.rules,
## 30-ospp-v42-5-perm-change-success.rules,
## 30-ospp-v42-6-owner-change-failed.rules,
## 30-ospp-v42-6-owner-change-success.rules
##
## original copies may be found in /usr/share/audit/sample-rules/


## User add delete modify. This is covered by pam. However, someone could
## open a file and directly create or modify a user, so we'll watch passwd and
## shadow for writes
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify
-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify
-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify
-a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/passwd -F auid>=1000 -F auid!=unset -F key=user-modify
-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify
-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify
-a always,exit -F arch=b32 -S open -F a1&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify
-a always,exit -F arch=b64 -S open -F a1&03 -F path=/etc/shadow -F auid>=1000 -F auid!=unset -F key=user-modify

## User enable and disable. This is entirely handled by pam.

## Group add delete modify. This is covered by pam. However, someone could
## open a file and directly create or modify a user, so we'll watch group and
## gshadow for writes
-a always,exit -F path=/etc/passwd -F perm=wa -F auid>=1000 -F auid!=unset -F key=user-modify
-a always,exit -F path=/etc/shadow -F perm=wa -F auid>=1000 -F auid!=unset -F key=user-modify
-a always,exit -F path=/etc/group -F perm=wa -F auid>=1000 -F auid!=unset -F key=group-modify
-a always,exit -F path=/etc/gshadow -F perm=wa -F auid>=1000 -F auid!=unset -F key=group-modify


## Use of special rights for config changes. This would be use of setuid
## programs that relate to user accts. This is not all setuid apps because
## requirements are only for ones that affect system configuration.
-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F path=/usr/sbin/usernetctl -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F path=/usr/sbin/seunshare -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F path=/usr/bin/newuidmap -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F path=/usr/bin/newgidmap -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes
-a always,exit -F path=/usr/bin/at -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes

## Privilege escalation via su or sudo. This is entirely handled by pam.

## Audit log access
-a always,exit -F dir=/var/log/audit/ -F perm=r -F auid>=1000 -F auid!=unset -F key=access-audit-trail
## Attempts to Alter Process and Session Initiation Information
-a always,exit -F path=/var/run/utmp -F perm=wa -F auid>=1000 -F auid!=unset -F key=session
-a always,exit -F path=/var/log/btmp -F perm=wa -F auid>=1000 -F auid!=unset -F key=session
-a always,exit -F path=/var/log/wtmp -F perm=wa -F auid>=1000 -F auid!=unset -F key=session

## Attempts to modify MAC controls
-a always,exit -F dir=/etc/selinux/ -F perm=wa -F auid>=1000 -F auid!=unset -F key=MAC-policy

## Software updates. This is entirely handled by rpm.

## System start and shutdown. This is entirely handled by systemd

## Kernel Module loading. This is handled in 43-module-load.rules

## Application invocation. The requirements list an optional requirement
## FPT_SRP_EXT.1 Software Restriction Policies. This event is intended to
## state results from that policy. This would be handled entirely by
## that daemon.

The Audit package provides pre-configured rules in /usr/share/audit/sample-rules. The above content can be found in /usr/share/audit/sample-rules/30-ospp-v42.rules. To deploy this configuration, it is recommended to copy it over to the /etc/audit/rules.d/ directory:
cp /usr/share/audit/sample-rules/30-ospp-v42.rules /etc/audit/rules.d/
Load new Audit rules into kernel by running:
augenrules --load
Note: This rule utilizes a file provided by Audit package to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect contents of the file closely and make sure that they are alligned with your needs.
audit_owner_change_failed medium Configure auditing of unsuccessful ownership changes Unsuccessful attempts to change an ownership of files or directories might be signs of a malicious activity. Having such events audited helps in monitoring and investigation of such activities. Ensure that unsuccessful attempts to change an ownership of files or directories are audited. The following rules configure audit as described above:
## Unsuccessful ownership change
-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-owner-change
-a always,exit -F arch=b64 -S lchown,fchown,chown,fchownat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-owner-change
-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-owner-change
-a always,exit -F arch=b64 -S lchown,fchown,chown,fchownat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-owner-change
The Audit package provides pre-configured rules in /usr/share/audit/sample-rules. The above content can be found in /usr/share/audit/sample-rules/30-ospp-v42-6-owner-change-failed.rules. To deploy this configuration, it is recommended to copy it over to the /etc/audit/rules.d/ directory:
cp /usr/share/audit/sample-rules/30-ospp-v42-6-owner-change-failed.rules /etc/audit/rules.d/
Load new Audit rules into kernel by running:
augenrules --load
Note: This rule utilizes a file provided by Audit package to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect contents of the file closely and make sure that they are alligned with your needs.
audit_owner_change_success medium Configure auditing of successful ownership changes Auditing of successful ownership changes of files or directories helps in monitoring or investingating of activities performed on the system. Ensure that successful attempts to change an ownership of files or directories are audited. The following rules configure audit as described above:
## Successful ownership change
-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-owner-change
-a always,exit -F arch=b64 -S lchown,fchown,chown,fchownat -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-owner-change
The Audit package provides pre-configured rules in /usr/share/audit/sample-rules. The above content can be found in /usr/share/audit/sample-rules/30-ospp-v42-6-owner-change-success.rules. To deploy this configuration, it is recommended to copy it over to the /etc/audit/rules.d/ directory:
cp /usr/share/audit/sample-rules/30-ospp-v42-6-owner-change-success.rules /etc/audit/rules.d/
The file has the following SHA-256 checksum:
7eb41a6aaf6737c2571b6424fae7fa53af4b41a9115b6c5732a5778ccd9900ad
Load new Audit rules into kernel by running:
augenrules --load
Note: This rule utilizes a file provided by Audit package to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect contents of the file closely and make sure that they are alligned with your needs.
audit_perm_change_failed medium Configure auditing of unsuccessful permission changes Unsuccessful attempts to change permissions of files or directories might be signs of malicious activity. Having such events audited helps in monitoring and investigation of such activities. Ensure that unsuccessful attempts to change file or directory permissions are audited. The following rules configure audit as described above:
## Unsuccessful permission change
-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change
-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change
-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change
-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccessful-perm-change
The Audit package provides pre-configured rules in /usr/share/audit/sample-rules. The above content can be found in /usr/share/audit/sample-rules/30-ospp-v42-5-perm-change-failed.rules. To deploy this configuration, it is recommended to copy it over to the /etc/audit/rules.d/ directory:
cp /usr/share/audit/sample-rules/30-ospp-v42-5-perm-change-failed.rules /etc/audit/rules.d/
Load new Audit rules into kernel by running:
augenrules --load
Note: This rule utilizes a file provided by Audit package to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect contents of the file closely and make sure that they are alligned with your needs.
audit_perm_change_success medium Configure auditing of successful permission changes Auditing successful file or directory permission changes helps in monitoring and investigating of activities performed on the system. Ensure that successful attempts to modify permissions of iles or directories are audited. The following rules configure audit as described above:
## Successful permission change
-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change
-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F success=1 -F auid>=1000 -F auid!=unset -F key=successful-perm-change
The Audit package provides pre-configured rules in /usr/share/audit/sample-rules. The above content can be found in /usr/share/audit/sample-rules/30-ospp-v42-5-perm-change-success.rules. To deploy this configuration, it is recommended to copy it over to the /etc/audit/rules.d/ directory:
cp /usr/share/audit/sample-rules/30-ospp-v42-5-perm-change-success.rules /etc/audit/rules.d/
Load new Audit rules into kernel by running:
augenrules --load
Note: This rule utilizes a file provided by Audit package to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect contents of the file closely and make sure that they are alligned with your needs.
audit_rules_usergroup_modification_passwd medium Record Events that Modify User/Group Information - /etc/passwd In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d, in order to capture events that modify account changes:

-w /etc/passwd -p wa -k audit_rules_usergroup_modification


If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, in order to capture events that modify account changes:

-w /etc/passwd -p wa -k audit_rules_usergroup_modification
SRG-OS-000004-GPOS-00004
SRG-OS-000477-GPOS-00222
SRG-OS-000476-GPOS-00221
SRG-OS-000475-GPOS-00220
SRG-OS-000474-GPOS-00219
SRG-OS-000473-GPOS-00218
SRG-OS-000472-GPOS-00217
SRG-OS-000471-GPOS-00216
SRG-OS-000471-GPOS-00215
SRG-OS-000470-GPOS-00214
SRG-OS-000468-GPOS-00212
SRG-OS-000467-GPOS-00211
SRG-OS-000466-GPOS-00210
SRG-OS-000465-GPOS-00209
SRG-OS-000463-GPOS-00207
SRG-OS-000462-GPOS-00206
SRG-OS-000064-GPOS-00033
SRG-OS-000461-GPOS-00205
SRG-OS-000458-GPOS-00203
SRG-OS-000239-GPOS-00089
SRG-OS-000240-GPOS-00090
SRG-OS-000241-GPOS-00091
SRG-OS-000274-GPOS-00104
SRG-OS-000275-GPOS-00105
SRG-OS-000276-GPOS-00106
SRG-OS-000277-GPOS-00107
SRG-OS-000303-GPOS-00120
SRG-OS-000304-GPOS-00121
CCI-000018
CCI-000172
CCI-001403
CCI-001404
CCI-001405
CCI-001683
CCI-001684
CCI-001685
CCI-001686
CCI-002130
CCI-002132
auditd_audispd_syslog_plugin_activated medium Configure auditd to use audispd's syslog plugin The auditd service does not include the ability to send audit records to a centralized server for management directly. It does, however, include a plug-in for audit event multiplexor (audispd) to pass audit records to the local syslog server To configure the auditd service to use the syslog plug-in of the audispd audit event multiplexor, set the active line in /etc/audit/plugins.d/syslog.conf to yes. Restart the auditd service:
$ sudo service auditd restart
CCI-000136
auditd_data_retention_flush medium Configure auditd flush priority Audit data should be synchronously written to disk to ensure log integrity. These parameters assure that all audit event data is fully synchronized with the log files on the disk. The auditd service can be configured to synchronously write audit event data to disk. Add or correct the following line in /etc/audit/auditd.conf to ensure that audit event data is fully synchronized with the log files on the disk:
flush = 
CCI-001576
auditd_freq medium Set number of records to cause an explicit flush to audit logs If option freq isn't set to 50, the flush to disk may happen after higher number of records, increasing the danger of audit loss. To configure Audit daemon to issue an explicit flush to disk command after writing 50 records, set freq to 50 in /etc/audit/auditd.conf.
auditd_local_events medium Include Local Events in Audit Logs If option local_events isn't set to yes only events from network will be aggregated. To configure Audit daemon to include local events in Audit logs, set local_events to yes in /etc/audit/auditd.conf. This is the default setting.
auditd_log_format medium Resolve information before writing to audit logs If option log_format isn't set to ENRICHED, the audit records will be stored in a format exactly as the kernel sends them. To configure Audit daemon to resolve all uid, gid, syscall, architecture, and socket address information before writing the events to disk, set log_format to ENRICHED in /etc/audit/auditd.conf.
auditd_name_format medium Set hostname as computer node name in audit logs If option name_format is left at its default value of none, audit events from different computers may be hard to distinguish. To configure Audit daemon to use value returned by gethostname syscall as computer node name in the audit events, set name_format to hostname in /etc/audit/auditd.conf. SRG-OS-000479-GPOS-00224
SRG-OS-000342-GPOS-00133
CCI-001851
auditd_write_logs medium Write Audit Logs to the Disk If write_logs isn't set to yes, the Audit logs will not be written to the disk. To configure Audit daemon to write Audit logs to the disk, set write_logs to yes in /etc/audit/auditd.conf. This is the default setting.
banner_etc_issue medium Modify the System Login Banner Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.

System use notifications are required only for access via login interfaces with human users and are not required when such human interfaces do not exist.
To configure the system login banner edit /etc/issue. Replace the default text with a message compliant with the local site policy or a legal disclaimer. The DoD required text is either:

You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions:
-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
-At any time, the USG may inspect and seize data stored on this IS.
-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
-This IS includes security measures (e.g., authentication and access controls) to protect USG interests -- not for your personal benefit or privacy.
-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.


OR:

I've read & consent to terms in IS user agreem't.
SRG-OS-000023-GPOS-00006
SRG-OS-000024-GPOS-00007
CCI-000048
CCI-000050
chronyd_client_only unknown Disable chrony daemon from acting as server Minimizing the exposure of the server functionality of the chrony daemon diminishes the attack surface. The port option in /etc/chrony.conf can be set to 0 to make chrony daemon to never open any listening port for server operation and to operate strictly in a client-only mode.
chronyd_no_chronyc_network unknown Disable network management of chrony daemon Not exposing the management interface of the chrony daemon on the network diminishes the attack space. The cmdport option in /etc/chrony.conf can be set to 0 to stop chrony daemon from listening on the UDP port 323 for management connections made by chronyc.
clean_components_post_updating low Ensure yum Removes Previous Package Versions Previous versions of software components that are not removed from the information system after updates have been installed may be exploited by some adversaries. yum should be configured to remove previous software components after new versions have been installed. To configure yum to remove the previous software components after updating, set the clean_requirements_on_remove to 1 in /etc/yum.conf. SRG-OS-000437-GPOS-00194
CCI-002617
configure_bashrc_exec_tmux medium Support session locking with tmux Unlike bash itself, the tmux terminal multiplexer provides a mechanism to lock sessions after period of inactivity. The tmux terminal multiplexer is used to implement automatic session locking. It should be started from /etc/bashrc.
configure_bind_crypto_policy medium Configure BIND to use System Crypto Policy Overriding the system crypto policy makes the behavior of the BIND service violate expectations, and makes system configuration more fragmented. Crypto Policies provide a centralized control over crypto algorithms usage of many packages. BIND is supported by crypto policy, but the BIND configuration may be set up to ignore it. To check that Crypto Policies settings are configured correctly, ensure that the /etc/named.conf includes the appropriate configuration: In the options section of /etc/named.conf, make sure that the following line is not commented out or superseded by later includes: include "/etc/crypto-policies/back-ends/bind.config";
configure_crypto_policy high Configure System Cryptography Policy Centralized cryptographic policies simplify applying secure ciphers across an operating system and the applications that run on that operating system. Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. To configure the system cryptography policy to use ciphers only from the policy, run the following command:
$ sudo update-crypto-policies --set 
The rule checks if settings for selected crypto policy are configured as expected. Configuration files in the /etc/crypto-policies/back-ends are either symlinks to correct files provided by Crypto-policies package or they are regular files in case crypto policy customizations are applied. Crypto policies may be customized by crypto policy modules, in which case it is delimited from the base policy using a colon.
configure_kerberos_crypto_policy medium Configure Kerberos to use System Crypto Policy Overriding the system crypto policy makes the behavior of Kerberos violate expectations, and makes system configuration more fragmented. Crypto Policies provide a centralized control over crypto algorithms usage of many packages. Kerberos is supported by crypto policy, but it's configuration may be set up to ignore it. To check that Crypto Policies settings for Kerberos are configured correctly, examine that there is a symlink at /etc/krb5.conf.d/crypto-policies targeting /etc/cypto-policies/back-ends/krb5.config. If the symlink exists, kerberos is configured to use the system-wide crypto policy settings.
configure_libreswan_crypto_policy medium Configure Libreswan to use System Crypto Policy Overriding the system crypto policy makes the behavior of the Libreswan service violate expectations, and makes system configuration more fragmented. Crypto Policies provide a centralized control over crypto algorithms usage of many packages. Libreswan is supported by system crypto policy, but the Libreswan configuration may be set up to ignore it. To check that Crypto Policies settings are configured correctly, ensure that the /etc/ipsec.conf includes the appropriate configuration file. In /etc/ipsec.conf, make sure that the following line is not commented out or superseded by later includes: include /etc/crypto-policies/back-ends/libreswan.config
configure_openssl_crypto_policy medium Configure OpenSSL library to use System Crypto Policy Overriding the system crypto policy makes the behavior of the Java runtime violates expectations, and makes system configuration more fragmented. Crypto Policies provide a centralized control over crypto algorithms usage of many packages. OpenSSL is supported by crypto policy, but the OpenSSL configuration may be set up to ignore it. To check that Crypto Policies settings are configured correctly, you have to examine the OpenSSL config file available under /etc/pki/tls/openssl.cnf. This file has the ini format, and it enables crypto policy support if there is a [ crypto_policy ] section that contains the .include /etc/crypto-policies/back-ends/opensslcnf.config directive.
configure_ssh_crypto_policy medium Configure SSH to use System Crypto Policy Overriding the system crypto policy makes the behavior of the SSH service violate expectations, and makes system configuration more fragmented. Crypto Policies provide a centralized control over crypto algorithms usage of many packages. SSH is supported by crypto policy, but the SSH configuration may be set up to ignore it. To check that Crypto Policies settings are configured correctly, ensure that the CRYPTO_POLICY variable is either commented or not set at all in the /etc/sysconfig/sshd.
configure_tmux_lock_after_time medium Configure tmux to lock session after inactivity Locking the session after a period of inactivity limits the potential exposure if the session is left unattended. To enable console screen locking in tmux terminal multiplexer after a period of inactivity, the lock-after-time option has to be set to nonzero value in /etc/tmux.conf.
configure_tmux_lock_command medium Configure the tmux Lock Command The tmux package allows for a session lock to be implemented and configured. However, the session lock is implemented by an external command. The tmux default configuration does not contain an effective session lock. To enable console screen locking in tmux terminal multiplexer, the vlock command must be configured to be used as a locking mechanism. Add the following line to /etc/tmux.conf:
set -g lock-command vlock
. The console can now be locked with the following key combination:
ctrl+b :lock-session
SRG-OS-000028-GPOS-00009
SRG-OS-000030-GPOS-00011
CCI-000056
CCI-000058
configure_usbguard_auditbackend medium Log USBGuard daemon audit events using Linux Audit Using the Linux Audit logging allows for centralized trace of events. To configure USBGuard daemon to log via Linux Audit (as opposed directly to a file), AuditBackend option in /etc/usbguard/usbguard-daemon.conf needs to be set to LinuxAudit.
coredump_disable_backtraces unknown Disable core dump backtraces A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers or system operators trying to debug problems. Enabling core dumps on production systems is not recommended, however there may be overriding operational requirements to enable advanced debuging. Permitting temporary enablement of core dumps during such situations should be reviewed through local needs and policy. The ProcessSizeMax option in [Coredump] section of /etc/systemd/coredump.conf specifies the maximum size in bytes of a core which will be processed. Core dumps exceeding this size may be stored, but the backtrace will not be generated.
coredump_disable_storage unknown Disable storing core dump A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers or system operators trying to debug problems. Enabling core dumps on production systems is not recommended, however there may be overriding operational requirements to enable advanced debuging. Permitting temporary enablement of core dumps during such situations should be reviewed through local needs and policy. The Storage option in [Coredump] section of /etc/systemd/coredump.conf can be set to none to disable storing core dumps permanently.
dconf_db_up_to_date high Make sure that the dconf databases are up-to-date with regards to respective keyfiles Unlike text-based keyfiles, the binary database is impossible to check by OVAL. Therefore, in order to evaluate dconf configuration, both have to be true at the same time - configuration files have to be compliant, and the database needs to be more recent than those keyfiles, which gives confidence that it reflects them. By default, DConf uses a binary database as a data backend. The system-level database is compiled from keyfiles in the /etc/dconf/db/ directory by the
dconf update
command.
dconf_gnome_banner_enabled medium Enable GNOME3 Login Warning Banner Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.

For U.S. Government systems, system use notifications are required only for access via login interfaces with human users and are not required when such human interfaces do not exist.
In the default graphical environment, displaying a login warning banner in the GNOME Display Manager's login screen can be enabled on the login screen by setting banner-message-enable to true.

To enable, add or edit banner-message-enable to /etc/dconf/db/gdm.d/00-security-settings. For example:
[org/gnome/login-screen]
banner-message-enable=true
Once the setting has been added, add a lock to /etc/dconf/db/gdm.d/locks/00-security-settings-lock to prevent user modification. For example:
/org/gnome/login-screen/banner-message-enable
After the settings have been set, run dconf update. The banner text must also be set.
SRG-OS-000023-GPOS-00006
SRG-OS-000024-GPOS-00007
SRG-OS-000228-GPOS-00088
SRG-OS-000228-GPOS-00088
SRG-OS-000228-GPOS-00088
SRG-OS-000228-GPOS-00088
SRG-OS-000228-GPOS-00088
CCI-000048
CCI-000050
CCI-001384
CCI-001385
CCI-001386
CCI-001387
CCI-001388
dconf_gnome_login_banner_text medium Set the GNOME3 Login Warning Banner Text An appropriate warning message reinforces policy awareness during the logon process and facilitates possible legal action against attackers. In the default graphical environment, configuring the login warning banner text in the GNOME Display Manager's login screen can be configured on the login screen by setting banner-message-text to 'APPROVED_BANNER' where APPROVED_BANNER is the approved banner for your environment.

To enable, add or edit banner-message-text to /etc/dconf/db/gdm.d/00-security-settings. For example:
[org/gnome/login-screen]
banner-message-text='APPROVED_BANNER'
Once the setting has been added, add a lock to /etc/dconf/db/gdm.d/locks/00-security-settings-lock to prevent user modification. For example:
/org/gnome/login-screen/banner-message-text
After the settings have been set, run dconf update. When entering a warning banner that spans several lines, remember to begin and end the string with ' and use \n for new lines.
SRG-OS-000023-GPOS-00006
CCI-000048
disable_ctrlaltdel_burstaction high Disable Ctrl-Alt-Del Burst Action A locally logged-in user who presses Ctrl-Alt-Del, when at the console, can reboot the system. If accidentally pressed, as could happen in the case of mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot. By default, SystemD will reboot the system if the Ctrl-Alt-Del key sequence is pressed Ctrl-Alt-Delete more than 7 times in 2 seconds.

To configure the system to ignore the CtrlAltDelBurstAction setting, add or modify the following to /etc/systemd/system.conf:
CtrlAltDelBurstAction=none
SRG-OS-000480-GPOS-00232
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00225
SRG-OS-000360-GPOS-00147
CCI-000366
disable_ctrlaltdel_reboot high Disable Ctrl-Alt-Del Reboot Activation A locally logged-in user who presses Ctrl-Alt-Del, when at the console, can reboot the system. If accidentally pressed, as could happen in the case of mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot. By default, SystemD will reboot the system if the Ctrl-Alt-Del key sequence is pressed.

To configure the system to ignore the Ctrl-Alt-Del key sequence from the command line instead of rebooting the system, do either of the following:
ln -sf /dev/null /etc/systemd/system/ctrl-alt-del.target
or
systemctl mask ctrl-alt-del.target


Do not simply delete the /usr/lib/systemd/system/ctrl-alt-del.service file, as this file may be restored during future system updates.
SRG-OS-000480-GPOS-00232
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00225
SRG-OS-000360-GPOS-00147
CCI-000366
disable_host_auth medium Disable Host-Based Authentication SSH trust relationships mean a compromise on one host can allow an attacker to move trivially to other hosts. SSH's cryptographic host-based authentication is more secure than .rhosts authentication. However, it is not recommended that hosts unilaterally trust one another, even within an organization.

To disable host-based authentication, add or correct the following line in /etc/ssh/sshd_config:
HostbasedAuthentication no
SRG-OS-000480-GPOS-00232
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00225
SRG-OS-000360-GPOS-00147
CCI-000366
disable_users_coredumps unknown Disable Core Dumps for All Users A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers trying to debug problems. To disable core dumps for all users, add the following line to /etc/security/limits.conf, or to a file within the /etc/security/limits.d/ directory:
*     hard   core    0
dnf-automatic_apply_updates medium Configure dnf-automatic to Install Available Updates Automatically Installing software updates is a fundamental mitigation against the exploitation of publicly-known vulnerabilities. If the most recent security patches and updates are not installed, unauthorized users may take advantage of weaknesses in the unpatched software. The lack of prompt attention to patching could result in a system compromise. The automated installation of updates ensures that recent security patches are applied in a timely manner. To ensure that the packages comprising the available updates will be automatically installed by dnf-automatic, set apply_updates to yes under [commands] section in /etc/dnf/automatic.conf.
dnf-automatic_security_updates_only low Configure dnf-automatic to Install Only Security Updates By default, dnf-automatic installs all available updates. Reducing the amount of updated packages only to updates that were issued as a part of a security advisory increases the system stability. To configure dnf-automatic to install only security updates automatically, set upgrade_type to security under [commands] section in /etc/dnf/automatic.conf.
enable_dracut_fips_module medium Enable Dracut FIPS Module Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The operating system must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated. To enable FIPS mode, run the following command:
fips-mode-setup --enable
To enable FIPS, the system requires that the fips module is added in dracut configuration. Check if /etc/dracut.conf.d/40-fips.conf contain add_dracutmodules+=" fips "
SRG-OS-000033-GPOS-00014
SRG-OS-000120-GPOS-00061
SRG-OS-000478-GPOS-00223
SRG-OS-000396-GPOS-00176
CCI-000068
CCI-000803
CCI-002450
enable_fips_mode high Enable FIPS Mode Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The operating system must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated. To enable FIPS mode, run the following command:
fips-mode-setup --enable

The fips-mode-setup command will configure the system in FIPS mode by automatically configuring the following:
  • Setting the kernel FIPS mode flag (/proc/sys/crypto/fips_enabled) to 1
  • Creating /etc/system-fips
  • Setting the system crypto policy in /etc/crypto-policies/config to FIPS
  • Loading the Dracut fips module
Furthermore, the system running in FIPS mode should be FIPS certified by NIST.
SRG-OS-000033-GPOS-00014
SRG-OS-000120-GPOS-00061
SRG-OS-000478-GPOS-00223
SRG-OS-000396-GPOS-00176
CCI-000068
CCI-000803
CCI-002450
encrypt_partitions high Encrypt Partitions The risk of a system's physical compromise, particularly mobile systems such as laptops, places its data at risk of compromise. Encrypting this data mitigates the risk of its loss if the system is lost. Red Hat Enterprise Linux 8 natively supports partition encryption through the Linux Unified Key Setup-on-disk-format (LUKS) technology. The easiest way to encrypt a partition is during installation time.

For manual installations, select the Encrypt checkbox during partition creation to encrypt the partition. When this option is selected the system will prompt for a passphrase to use in decrypting the partition. The passphrase will subsequently need to be entered manually every time the system boots.

For automated/unattended installations, it is possible to use Kickstart by adding the --encrypted and --passphrase= options to the definition of each partition to be encrypted. For example, the following line would encrypt the root partition:
part / --fstype=ext4 --size=100 --onpart=hda1 --encrypted --passphrase=PASSPHRASE
Any PASSPHRASE is stored in the Kickstart in plaintext, and the Kickstart must then be protected accordingly. Omitting the --passphrase= option from the partition definition will cause the installer to pause and interactively ask for the passphrase during installation.

By default, the Anaconda installer uses aes-xts-plain64 cipher with a minimum 512 bit key size which should be compatible with FIPS enabled.

Detailed information on encrypting partitions using LUKS or LUKS ciphers can be found on the Red Hat Enterprise Linux 8 Documentation web site:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/sec-Encryption.html.
SRG-OS-000185-GPOS-00079
SRG-OS-000404-GPOS-00183
SRG-OS-000405-GPOS-00184
CCI-001199
CCI-002475
CCI-002476
ensure_gpgcheck_globally_activated high Ensure gpgcheck Enabled In Main yum Configuration Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor.
Accordingly, patches, service packs, device drivers, or operating system components must be signed with a certificate recognized and approved by the organization.
Verifying the authenticity of the software prior to installation validates the integrity of the patch or upgrade received from a vendor. This ensures the software has not been tampered with and that it has been provided by a trusted vendor. Self-signed certificates are disallowed by this requirement. Certificates used to verify the software must be from an approved Certificate Authority (CA).
The gpgcheck option controls whether RPM packages' signatures are always checked prior to installation. To configure yum to check package signatures before installing them, ensure the following line appears in /etc/yum.conf in the [main] section:
gpgcheck=1
SRG-OS-000366-GPOS-00153
CCI-001749
ensure_gpgcheck_local_packages high Ensure gpgcheck Enabled for Local Packages Changes to any software components can have significant effects to the overall security of the operating system. This requirement ensures the software has not been tampered and has been provided by a trusted vendor.

Accordingly, patches, service packs, device drivers, or operating system components must be signed with a certificate recognized and approved by the organization.
yum should be configured to verify the signature(s) of local packages prior to installation. To configure yum to verify signatures of local packages, set the localpkg_gpgcheck to 1 in /etc/yum.conf. SRG-OS-000366-GPOS-00153
CCI-001749
ensure_gpgcheck_never_disabled high Ensure gpgcheck Enabled for All yum Package Repositories Verifying the authenticity of the software prior to installation validates the integrity of the patch or upgrade received from a vendor. This ensures the software has not been tampered with and that it has been provided by a trusted vendor. Self-signed certificates are disallowed by this requirement. Certificates used to verify the software must be from an approved Certificate Authority (CA)." To ensure signature checking is not disabled for any repos, remove any lines from files in /etc/yum.repos.d of the form:
gpgcheck=0
SRG-OS-000366-GPOS-00153
CCI-001749
ensure_redhat_gpgkey_installed high Ensure Red Hat GPG Key Installed Changes to software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor. The Red Hat GPG key is necessary to cryptographically verify packages are from Red Hat. To ensure the system can cryptographically verify base software packages come from Red Hat (and to connect to the Red Hat Network to receive them), the Red Hat GPG key must properly be installed. To install the Red Hat GPG key, run:
$ sudo subscription-manager register
If the system is not connected to the Internet or an RHN Satellite, then install the Red Hat GPG key from trusted media such as the Red Hat installation CD-ROM or DVD. Assuming the disc is mounted in /media/cdrom, use the following command as the root user to import it into the keyring:
$ sudo rpm --import /media/cdrom/RPM-GPG-KEY
Alternatively, the key may be pre-loaded during the RHEL installation. In such cases, the key can be installed by running the following command:
sudo rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
SRG-OS-000366-GPOS-00153
CCI-001749
grub2_audit_argument medium Enable Auditing for Processes Which Start Prior to the Audit Daemon Each process on the system carries an "auditable" flag which indicates whether its activities can be audited. Although auditd takes care of enabling this for all processes which launch after it does, adding the kernel argument ensures it is set for every process during boot. To ensure all processes can be audited, even those which start prior to the audit daemon, add the argument audit=1 to the default GRUB 2 command line for the Linux operating system in /boot/grub2/grubenv, in the manner below:
# grub2-editenv - set "$(grub2-editenv - list | grep kernelopts) audit=1"
SRG-OS-000254-GPOS-00095
SRG-OS-000037-GPOS-00015
CCI-001464
CCI-000130
grub2_audit_backlog_limit_argument medium Extend Audit Backlog Limit for the Audit Daemon audit_backlog_limit sets the queue length for audit events awaiting transfer to the audit daemon. Until the audit daemon is up and running, all log messages are stored in this queue. If the queue is overrun during boot process, the action defined by audit failure flag is taken. To improve the kernel capacity to queue all log events, even those which occurred prior to the audit daemon, add the argument audit_backlog_limit=8192 to the default GRUB 2 command line for the Linux operating system in /etc/default/grub, in the manner below:
GRUB_CMDLINE_LINUX="crashkernel=auto rd.lvm.lv=VolGroup/LogVol06 rd.lvm.lv=VolGroup/lv_swap rhgb quiet rd.shell=0 audit=1 audit_backlog_limit=8192"
grub2_disable_interactive_boot medium Verify that Interactive Boot is Disabled Using interactive boot, the console user could disable auditing, firewalls, or other services, weakening system security. Red Hat Enterprise Linux 8 systems support an "interactive boot" option that can be used to prevent services from being started. On a Red Hat Enterprise Linux 8 system, interactive boot can be enabled by providing a 1, yes, true, or on value to the systemd.confirm_spawn kernel argument in /etc/default/grub. Remove any instance of
systemd.confirm_spawn=(1|yes|true|on)
from the kernel arguments in that file to disable interactive boot. It is also required to change the runtime configuration, run:
/sbin/grubby --update-kernel=ALL --remove-args="systemd.confirm_spawn"
SRG-OS-000080-GPOS-00048
CCI-000213
grub2_kernel_trust_cpu_rng medium Configure kernel to trust the CPU random number generator The Linux kernel offers an option which signifies if the kernel should trust data provided by CPU hardware random number generator. Hardware random number generators can provide random data very quickly and are used to generate random cryptographic keys. They can be useful during boot time when other means of getting random data can be slow because there is not yet enough entropy in the system. There exist two ways how to ensure that the Linux kernel trusts the CPU hardware random number generator. If the option is configured during kernel compilation, e.g. the option CONFIG_RANDOM_TRUST_CPU is set to Y, make sure that it is not overridden with the boot parameter. There must not exist the boot parameter random.trust_cpu=off. If the option is not compiled in, make sure that random.trust_cpu=on is configured as a boot parameter by running the following command:
sudo grub2-editenv - set "$(grub2-editenv - list | grep kernelopts) random.trust_cpu=on"
grub2_page_poison_argument medium Enable page allocator poisoning Poisoning writes an arbitrary value to freed pages, so any modification or reference to that page after being freed or before being initialized will be detected and prevented. This prevents many types of use-after-free vulnerabilities at little performance cost. Also prevents leak of data and detection of corrupted memory. To enable poisoning of free pages, add the argument page_poison=1 to the default GRUB 2 command line for the Linux operating system in /etc/default/grub, in the manner below:
GRUB_CMDLINE_LINUX="page_poison=1"
grub2_pti_argument high Enable Kernel Page-Table Isolation (KPTI) Kernel page-table isolation is a kernel feature that mitigates the Meltdown security vulnerability and hardens the kernel against attempts to bypass kernel address space layout randomization (KASLR). To enable Kernel page-table isolation, add the argument pti=on to the default GRUB 2 command line for the Linux operating system in /etc/default/grub, in the manner below:
GRUB_CMDLINE_LINUX="pti=on"
grub2_slub_debug_argument medium Enable SLUB/SLAB allocator poisoning Poisoning writes an arbitrary value to freed objects, so any modification or reference to that object after being freed or before being initialized will be detected and prevented. This prevents many types of use-after-free vulnerabilities at little performance cost. Also prevents leak of data and detection of corrupted memory. To enable poisoning of SLUB/SLAB objects, add the argument slub_debug=P to the default GRUB 2 command line for the Linux operating system in /etc/default/grub, in the manner below:
GRUB_CMDLINE_LINUX="slub_debug=P"
grub2_uefi_password high Set the UEFI Boot Loader Password Password protection on the boot loader configuration ensures users with physical access cannot trivially alter important bootloader settings. These include which kernel to use, and whether to enter single-user mode. The grub2 boot loader should have a superuser account and password protection enabled to protect boot-time settings.

Since plaintext passwords are a security risk, generate a hash for the password by running the following command:
$ grub2-setpassword
When prompted, enter the password that was selected.

Once the superuser password has been added, update the grub.cfg file by running:
grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg
SRG-OS-000080-GPOS-00048
CCI-000213
grub2_vsyscall_argument medium Disable vsyscalls Virtual Syscalls provide an opportunity of attack for a user who has control of the return instruction pointer. To disable use of virtual syscalls, add the argument vsyscall=none to the default GRUB 2 command line for the Linux operating system in /etc/default/grub, in the manner below:
GRUB_CMDLINE_LINUX="vsyscall=none"
installed_OS_is_vendor_supported high The Installed Operating System Is Vendor Supported An operating system is considered "supported" if the vendor continues to provide security patches for the product. With an unsupported release, it will not be possible to resolve any security issue discovered in the system software. The installed operating system must be maintained by a vendor. Red Hat Enterprise Linux is supported by Red Hat, Inc. As the Red Hat Enterprise Linux vendor, Red Hat, Inc. is responsible for providing security patches. SRG-OS-000480-GPOS-00232
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00225
SRG-OS-000360-GPOS-00147
CCI-000366
kerberos_disable_no_keytab medium Disable Kerberos by removing host keytab The key derivation function (KDF) in Kerberos is not FIPS compatible. Kerberos is not an approved key distribution method for Common Criteria. To prevent using Kerberos by system daemons, remove the Kerberos keytab files, especially /etc/krb5.keytab.
kernel_module_atm_disabled medium Disable ATM Support Disabling ATM protects the system against exploitation of any flaws in its implementation. The Asynchronous Transfer Mode (ATM) is a protocol operating on network, data link, and physical layers, based on virtual circuits and virtual paths. To configure the system to prevent the atm kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d:
install atm /bin/true
kernel_module_bluetooth_disabled medium Disable Bluetooth Kernel Module If Bluetooth functionality must be disabled, preventing the kernel from loading the kernel module provides an additional safeguard against its activation. The kernel's module loading system can be configured to prevent loading of the Bluetooth module. Add the following to the appropriate /etc/modprobe.d configuration file to prevent the loading of the Bluetooth module:
install bluetooth /bin/true
CCI-000085
CCI-001551
kernel_module_can_disabled medium Disable CAN Support Disabling CAN protects the system against exploitation of any flaws in its implementation. The Controller Area Network (CAN) is a serial communications protocol which was initially developed for automotive and is now also used in marine, industrial, and medical applications. To configure the system to prevent the can kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d:
install can /bin/true
kernel_module_cramfs_disabled low Disable Mounting of cramfs Removing support for unneeded filesystem types reduces the local attack surface of the server. To configure the system to prevent the cramfs kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d:
install cramfs /bin/true
This effectively prevents usage of this uncommon filesystem. The cramfs filesystem type is a compressed read-only Linux filesystem embedded in small footprint systems. A cramfs image can be used without having to first decompress the image.
kernel_module_firewire-core_disabled medium Disable IEEE 1394 (FireWire) Support Disabling FireWire protects the system against exploitation of any flaws in its implementation. The IEEE 1394 (FireWire) is a serial bus standard for high-speed real-time communication. To configure the system to prevent the firewire-core kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d:
install firewire-core /bin/true
kernel_module_sctp_disabled medium Disable SCTP Support Disabling SCTP protects the system against exploitation of any flaws in its implementation. The Stream Control Transmission Protocol (SCTP) is a transport layer protocol, designed to support the idea of message-oriented communication, with several streams of messages within one connection. To configure the system to prevent the sctp kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d:
install sctp /bin/true
kernel_module_tipc_disabled medium Disable TIPC Support Disabling TIPC protects the system against exploitation of any flaws in its implementation. The Transparent Inter-Process Communication (TIPC) protocol is designed to provide communications between nodes in a cluster. To configure the system to prevent the tipc kernel module from being loaded, add the following line to a file in the directory /etc/modprobe.d:
install tipc /bin/true
mount_option_boot_nodev medium Add nodev Option to /boot The only legitimate location for device files is the /dev directory located on the root partition. The only exception to this is chroot jails. The nodev mount option can be used to prevent device files from being created in /boot. Legitimate character and block devices should exist only in the /dev directory on the root partition or within chroot jails built for system services. Add the nodev option to the fourth column of /etc/fstab for the line which controls mounting of /boot.
mount_option_boot_nosuid medium Add nosuid Option to /boot The presence of SUID and SGID executables should be tightly controlled. Users should not be able to execute SUID or SGID binaries from boot partitions. The nosuid mount option can be used to prevent execution of setuid programs in /boot. The SUID and SGID permissions should not be required on the boot partition. Add the nosuid option to the fourth column of /etc/fstab for the line which controls mounting of /boot.
mount_option_dev_shm_nodev low Add nodev Option to /dev/shm The only legitimate location for device files is the /dev directory located on the root partition. The only exception to this is chroot jails. The nodev mount option can be used to prevent creation of device files in /dev/shm. Legitimate character and block devices should not exist within temporary directories like /dev/shm. Add the nodev option to the fourth column of /etc/fstab for the line which controls mounting of /dev/shm. SRG-OS-000368-GPOS-00154
CCI-001764
mount_option_dev_shm_noexec low Add noexec Option to /dev/shm Allowing users to execute binaries from world-writable directories such as /dev/shm can expose the system to potential compromise. The noexec mount option can be used to prevent binaries from being executed out of /dev/shm. It can be dangerous to allow the execution of binaries from world-writable temporary storage directories such as /dev/shm. Add the noexec option to the fourth column of /etc/fstab for the line which controls mounting of /dev/shm. SRG-OS-000368-GPOS-00154
CCI-001764
mount_option_dev_shm_nosuid low Add nosuid Option to /dev/shm The presence of SUID and SGID executables should be tightly controlled. Users should not be able to execute SUID or SGID binaries from temporary storage partitions. The nosuid mount option can be used to prevent execution of setuid programs in /dev/shm. The SUID and SGID permissions should not be required in these world-writable directories. Add the nosuid option to the fourth column of /etc/fstab for the line which controls mounting of /dev/shm. SRG-OS-000368-GPOS-00154
CCI-001764
mount_option_home_nodev unknown Add nodev Option to /home The only legitimate location for device files is the /dev directory located on the root partition. The only exception to this is chroot jails. The nodev mount option can be used to prevent device files from being created in /home. Legitimate character and block devices should exist only in the /dev directory on the root partition or within chroot jails built for system services. Add the nodev option to the fourth column of /etc/fstab for the line which controls mounting of /home.
mount_option_home_nosuid medium Add nosuid Option to /home The presence of SUID and SGID executables should be tightly controlled. Users should not be able to execute SUID or SGID binaries from user home directory partitions. The nosuid mount option can be used to prevent execution of setuid programs in /home. The SUID and SGID permissions should not be required in these user data directories. Add the nosuid option to the fourth column of /etc/fstab for the line which controls mounting of /home. SRG-OS-000480-GPOS-00232
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00225
SRG-OS-000360-GPOS-00147
CCI-000366
mount_option_nodev_nonroot_local_partitions unknown Add nodev Option to Non-Root Local Partitions The nodev mount option prevents files from being interpreted as character or block devices. The only legitimate location for device files is the /dev directory located on the root partition. The only exception to this is chroot jails, for which it is not advised to set nodev on these filesystems. The nodev mount option prevents files from being interpreted as character or block devices. Legitimate character and block devices should exist only in the /dev directory on the root partition or within chroot jails built for system services. Add the nodev option to the fourth column of /etc/fstab for the line which controls mounting of any non-root local partitions.
mount_option_tmp_nodev unknown Add nodev Option to /tmp The only legitimate location for device files is the /dev directory located on the root partition. The only exception to this is chroot jails. The nodev mount option can be used to prevent device files from being created in /tmp. Legitimate character and block devices should not exist within temporary directories like /tmp. Add the nodev option to the fourth column of /etc/fstab for the line which controls mounting of /tmp.
mount_option_tmp_noexec unknown Add noexec Option to /tmp Allowing users to execute binaries from world-writable directories such as /tmp should never be necessary in normal operation and can expose the system to potential compromise. The noexec mount option can be used to prevent binaries from being executed out of /tmp. Add the noexec option to the fourth column of /etc/fstab for the line which controls mounting of /tmp.
mount_option_tmp_nosuid unknown Add nosuid Option to /tmp The presence of SUID and SGID executables should be tightly controlled. Users should not be able to execute SUID or SGID binaries from temporary storage partitions. The nosuid mount option can be used to prevent execution of setuid programs in /tmp. The SUID and SGID permissions should not be required in these world-writable directories. Add the nosuid option to the fourth column of /etc/fstab for the line which controls mounting of /tmp.
mount_option_var_log_audit_nodev medium Add nodev Option to /var/log/audit The only legitimate location for device files is the /dev directory located on the root partition. The only exception to this is chroot jails. The nodev mount option can be used to prevent device files from being created in /var/log/audit. Legitimate character and block devices should exist only in the /dev directory on the root partition or within chroot jails built for system services. Add the nodev option to the fourth column of /etc/fstab for the line which controls mounting of /var/log/audit.
mount_option_var_log_audit_noexec medium Add noexec Option to /var/log/audit Allowing users to execute binaries from directories containing audit log files such as /var/log/audit should never be necessary in normal operation and can expose the system to potential compromise. The noexec mount option can be used to prevent binaries from being executed out of /var/log/audit. Add the noexec option to the fourth column of /etc/fstab for the line which controls mounting of /var/log/audit.
mount_option_var_log_audit_nosuid medium Add nosuid Option to /var/log/audit The presence of SUID and SGID executables should be tightly controlled. Users should not be able to execute SUID or SGID binaries from partitions designated for audit log files. The nosuid mount option can be used to prevent execution of setuid programs in /var/log/audit. The SUID and SGID permissions should not be required in directories containing audit log files. Add the nosuid option to the fourth column of /etc/fstab for the line which controls mounting of /var/log/audit.
mount_option_var_log_nodev medium Add nodev Option to /var/log The only legitimate location for device files is the /dev directory located on the root partition. The only exception to this is chroot jails. The nodev mount option can be used to prevent device files from being created in /var/log. Legitimate character and block devices should exist only in the /dev directory on the root partition or within chroot jails built for system services. Add the nodev option to the fourth column of /etc/fstab for the line which controls mounting of /var/log.
mount_option_var_log_noexec medium Add noexec Option to /var/log Allowing users to execute binaries from directories containing log files such as /var/log should never be necessary in normal operation and can expose the system to potential compromise. The noexec mount option can be used to prevent binaries from being executed out of /var/log. Add the noexec option to the fourth column of /etc/fstab for the line which controls mounting of /var/log.
mount_option_var_log_nosuid medium Add nosuid Option to /var/log The presence of SUID and SGID executables should be tightly controlled. Users should not be able to execute SUID or SGID binaries from partitions designated for log files. The nosuid mount option can be used to prevent execution of setuid programs in /var/log. The SUID and SGID permissions should not be required in directories containing log files. Add the nosuid option to the fourth column of /etc/fstab for the line which controls mounting of /var/log.
mount_option_var_nodev medium Add nodev Option to /var The only legitimate location for device files is the /dev directory located on the root partition. The only exception to this is chroot jails. The nodev mount option can be used to prevent device files from being created in /var. Legitimate character and block devices should exist only in the /dev directory on the root partition or within chroot jails built for system services. Add the nodev option to the fourth column of /etc/fstab for the line which controls mounting of /var.
mount_option_var_tmp_nodev unknown Add nodev Option to /var/tmp The only legitimate location for device files is the /dev directory located on the root partition. The only exception to this is chroot jails. The nodev mount option can be used to prevent device files from being created in /var/tmp. Legitimate character and block devices should not exist within temporary directories like /var/tmp. Add the nodev option to the fourth column of /etc/fstab for the line which controls mounting of /var/tmp.
mount_option_var_tmp_noexec unknown Add noexec Option to /var/tmp Allowing users to execute binaries from world-writable directories such as /var/tmp should never be necessary in normal operation and can expose the system to potential compromise. The noexec mount option can be used to prevent binaries from being executed out of /var/tmp. Add the noexec option to the fourth column of /etc/fstab for the line which controls mounting of /var/tmp.
mount_option_var_tmp_nosuid unknown Add nosuid Option to /var/tmp The presence of SUID and SGID executables should be tightly controlled. Users should not be able to execute SUID or SGID binaries from temporary storage partitions. The nosuid mount option can be used to prevent execution of setuid programs in /var/tmp. The SUID and SGID permissions should not be required in these world-writable directories. Add the nosuid option to the fourth column of /etc/fstab for the line which controls mounting of /var/tmp.
no_empty_passwords high Prevent Login to Accounts With Empty Password If an account has an empty password, anyone could log in and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments. If an account is configured for password authentication but does not have an assigned password, it may be possible to log into the account without authentication. Remove any instances of the nullok in /etc/pam.d/system-auth to prevent logins with empty passwords. SRG-OS-000480-GPOS-00232
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00225
SRG-OS-000360-GPOS-00147
CCI-000366
no_tmux_in_shells medium Prevent user from disabling the screen lock Not listing tmux among permitted shells prevents malicious program running as user from lowering security by disabling the screen lock. The tmux terminal multiplexer is used to implement autimatic session locking. It should not be listed in /etc/shells.
openssl_use_strong_entropy medium OpenSSL uses strong entropy source This rule ensures that openssl invocations always uses SP800-90A compliant random number generator as a default behavior. By default, OpenSSL doesn't always use a SP800-90A compliant random number generator. A way to configure OpenSSL to always use a strong source is to setup a wrapper that defines a shell function that shadows the actual openssl binary, and that ensures that the -rand /dev/random option is added to every openssl invocation. To do so, place the following shell snippet exactly as-is to /etc/profile.d/openssl-rand.sh:
# provide a default -rand /dev/random option to openssl commands that
# support it

# written inefficiently for maximum shell compatibility
openssl()
(
  openssl_bin=/usr/bin/openssl

  case "$*" in
    # if user specified -rand, honor it
    *\ -rand\ *|*\ -help*) exec $openssl_bin "$@" ;;
  esac

  cmds=`$openssl_bin list -digest-commands -cipher-commands | tr '\n' ' '`
  for i in `$openssl_bin list -commands`; do
    if $openssl_bin list -options "$i" | grep -q '^rand '; then
      cmds=" $i $cmds"
    fi
  done

  case "$cmds" in
    *\ "$1"\ *)
      cmd="$1"; shift
      exec $openssl_bin "$cmd" -rand /dev/random "$@" ;;
  esac

  exec $openssl_bin "$@"
)
package_abrt-addon-ccpp_removed low Uninstall abrt-addon-ccpp Package abrt-addon-ccpp contains hooks for C/C++ crashed programs and abrt's C/C++ analyzer plugin. The abrt-addon-ccpp package can be removed with the following command:
$ sudo yum erase abrt-addon-ccpp
package_abrt-addon-kerneloops_removed low Uninstall abrt-addon-kerneloops Package abrt-addon-kerneloops contains plugins for collecting kernel crash information and reporter plugin which sends this information to a specified server, usually to kerneloops.org. The abrt-addon-kerneloops package can be removed with the following command:
$ sudo yum erase abrt-addon-kerneloops
package_abrt-addon-python_removed low Uninstall abrt-addon-python Package abrt-addon-python contains python hook and python analyzer plugin for handling uncaught exceptions in python programs. The abrt-addon-python package can be removed with the following command:
$ sudo yum erase abrt-addon-python
package_abrt-cli_removed low Uninstall abrt-cli Package abrt-cli contains a command line client for controlling abrt daemon over sockets. The abrt-cli package can be removed with the following command:
$ sudo yum erase abrt-cli
package_abrt-plugin-logger_removed low Uninstall abrt-plugin-logger Package abrt-plugin-logger is an ABRT plugin which writes a report to a specified file. The abrt-plugin-logger package can be removed with the following command:
$ sudo yum erase abrt-plugin-logger
package_abrt-plugin-rhtsupport_removed low Uninstall abrt-plugin-rhtsupport Package abrt-plugin-rhtsupport is a ABRT plugin to report bugs into the Red Hat Support system. The abrt-plugin-rhtsupport package can be removed with the following command:
$ sudo yum erase abrt-plugin-rhtsupport
package_abrt-plugin-sosreport_removed low Uninstall abrt-plugin-sosreport Package abrt-plugin-sosreport provides a plugin to include an sosreport in an ABRT report. The abrt-plugin-sosreport package can be removed with the following command:
$ sudo yum erase abrt-plugin-sosreport
package_abrt_removed medium Uninstall Automatic Bug Reporting Tool (abrt) Mishandling crash data could expose sensitive information about vulnerabilities in software executing on the system, as well as sensitive information from within a process's address space or registers. The Automatic Bug Reporting Tool (abrt) collects and reports crash data when an application crash is detected. Using a variety of plugins, abrt can email crash reports to system administrators, log crash reports to files, or forward crash reports to a centralized issue tracking system such as RHTSupport. The abrt package can be removed with the following command:
$ sudo yum erase abrt
package_aide_installed medium Install AIDE The AIDE package must be installed if it is to be available for integrity checking. The aide package can be installed with the following command:
$ sudo yum install aide
package_audispd-plugins_installed medium Install audispd-plugins Package audispd-plugins provides plugins for the real-time interface to the audit subsystem, audispd. These plugins can do things like relay events to remote machines or analyze events for suspicious behavior. The audispd-plugins package can be installed with the following command:
$ sudo yum install audispd-plugins
package_audit_installed medium Ensure the audit Subsystem is Installed The auditd service is an access monitoring and accounting daemon, watching system calls to audit any access, in comparison with potential local access control policy such as SELinux policy. The audit package should be installed.
package_chrony_installed medium The Chrony package is installed Time synchronization is important to support time sensitive security mechanisms like Kerberos and also ensures log files have consistent time records across the enterprise, which aids in forensic investigations. System time should be synchronized between all systems in an environment. This is typically done by establishing an authoritative time server or set of servers and having all systems synchronize their clocks to them. The chrony package can be installed with the following command:
$ sudo yum install chrony
package_crypto-policies_installed medium Install crypto-policies package Centralized cryptographic policies simplify applying secure ciphers across an operating system and the applications that run on that operating system. Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The crypto-policies package can be installed with the following command:
$ sudo yum install crypto-policies
package_dnf-automatic_installed medium Install dnf-automatic Package dnf-automatic is an alternative command line interface (CLI) to dnf upgrade suitable for automatic, regular execution. The dnf-automatic package can be installed with the following command:
$ sudo yum install dnf-automatic
package_dnf-plugin-subscription-manager_installed medium Install dnf-plugin-subscription-manager Package This package provides plugins to interact with repositories and subscriptions from the Red Hat entitlement platform; contains subscription-manager and product-id plugins. The dnf-plugin-subscription-manager package can be installed with the following command:
$ sudo yum install dnf-plugin-subscription-manager
package_fapolicyd_installed medium Install fapolicyd Package fapolicyd (File Access Policy Daemon) implements application whitelisting to decide file access rights. The fapolicyd package can be installed with the following command:
$ sudo yum install fapolicyd
package_firewalld_installed medium Install firewalld Package The firewalld package should be installed to provide access control methods. The firewalld package can be installed with the following command:
$ sudo yum install firewalld
package_gnutls-utils_installed medium Ensure gnutls-utils is installed GnuTLS is a secure communications library implementing the SSL, TLS and DTLS protocols and technologies around them. It provides a simple C language application programming interface (API) to access the secure communications protocols as well as APIs to parse and write X.509, PKCS #12, OpenPGP and other required structures. This package contains command line TLS client and server and certificate manipulation tools. The gnutls-utils package can be installed with the following command:
$ sudo yum install gnutls-utils
package_gssproxy_removed low Uninstall gssproxy Package gssproxy is a proxy for GSS API credential handling. The gssproxy package can be removed with the following command:
$ sudo yum erase gssproxy
package_iprutils_removed low Uninstall iprutils Package iprutils provides a suite of utlilities to manage and configure SCSI devices supported by the ipr SCSI storage device driver. The iprutils package can be removed with the following command:
$ sudo yum erase iprutils
package_krb5-workstation_removed medium Uninstall krb5-workstation Package Kerberos is a network authentication system. The krb5-workstation package contains the basic Kerberos programs (kinit, klist, kdestroy, kpasswd). Currently, Kerberos does not utilize FIPS 140-2 cryptography and is not permitted on Government networks, nor is it permitted in many regulatory environments such as HIPAA. The krb5-workstation package can be removed with the following command:
$ sudo yum erase krb5-workstation
package_libcap-ng-utils_installed medium Install libcap-ng-utils Package libcap-ng-utils contains applications to analyze the posix posix capabilities of all the programs running on a system. libcap-ng-utils also lets system operators set the file system based capabilities. The libcap-ng-utils package can be installed with the following command:
$ sudo yum install libcap-ng-utils
package_nfs-utils_removed low Uninstall nfs-utils Package nfs-utils provides a daemon for the kernel NFS server and related tools. This package also contains the showmount program. showmount queries the mount daemon on a remote host for information about the Network File System (NFS) server on the remote host. For example, showmount can display the clients which are mounted on that host. The nfs-utils package can be removed with the following command:
$ sudo yum erase nfs-utils
package_openscap-scanner_installed medium Install openscap-scanner Package openscap-scanner contains the oscap command line tool. This tool is a configuration and vulnerability scanner, capable of performing compliance checking using SCAP content. The openscap-scanner package can be installed with the following command:
$ sudo yum install openscap-scanner
package_openssh-clients_installed medium Install OpenSSH client software This package includes utilities to make encrypted connections and transfer files securely to SSH servers. The openssh-clients package can be installed with the following command:
$ sudo yum install openssh-clients
package_openssh-server_installed medium Install the OpenSSH Server Package Without protection of the transmitted information, confidentiality, and integrity may be compromised because unprotected communications can be intercepted and either read or altered. The openssh-server package should be installed. The openssh-server package can be installed with the following command:
$ sudo yum install openssh-server
SRG-OS-000423-GPOS-00187
SRG-OS-000481-GPOS-000481
SRG-OS-000425-GPOS-00189
SRG-OS-000424-GPOS-00188
SRG-OS-000426-GPOS-00190
CCI-002418
CCI-002420
CCI-002421
CCI-002422
package_policycoreutils-python-utils_installed medium Install policycoreutils-python-utils package This package is required to operate and manage an SELinux environment and its policies. It provides utilities such as semanage, audit2allow, audit2why, chcat and sandbox. The policycoreutils-python-utils package can be installed with the following command:
$ sudo yum install policycoreutils-python-utils
package_policycoreutils_installed high Install policycoreutils Package Security-enhanced Linux is a feature of the Linux kernel and a number of utilities with enhanced security functionality designed to add mandatory access controls to Linux. The Security-enhanced Linux kernel contains new architectural components originally developed to improve security of the Flask operating system. These architectural components provide general support for the enforcement of many kinds of mandatory access control policies, including those based on the concepts of Type Enforcement, Role-based Access Control, and Multi-level Security. policycoreutils contains the policy core utilities that are required for basic operation of an SELinux-enabled system. These utilities include load_policy to load SELinux policies, setfiles to label filesystems, newrole to switch roles, and run_init to run /etc/init.d scripts in the proper context. The policycoreutils package can be installed with the following command:
$ sudo yum install policycoreutils
package_rsyslog-gnutls_installed medium Ensure rsyslog-gnutls is installed The rsyslog-gnutls package provides Transport Layer Security (TLS) support for the rsyslog daemon, which enables secure remote logging. TLS protocol support for rsyslog is installed. The rsyslog-gnutls package can be installed with the following command:
$ sudo yum install rsyslog-gnutls
package_rsyslog_installed medium Ensure rsyslog is Installed The rsyslog package provides the rsyslog daemon, which provides system logging services. Rsyslog is installed by default. The rsyslog package can be installed with the following command:
 $ sudo yum install rsyslog
SRG-OS-000205-GPOS-00083
CCI-001311
CCI-001312
package_scap-security-guide_installed medium Install scap-security-guide Package The scap-security-guide package provides a guide for configuration of the system from the final system's security point of view. The guidance is specified in the Security Content Automation Protocol (SCAP) format and constitutes a catalog of practical hardening advice, linked to government requirements where applicable. The SCAP Security Guide project bridges the gap between generalized policy requirements and specific implementation guidelines. A system administrator can use the oscap CLI tool from the openscap-scanner package, or the SCAP Workbench GUI tool from the scap-workbench package, to verify that the system conforms to provided guidelines. Refer to the scap-security-guide(8) manual page for futher information. The scap-security-guide package can be installed with the following command:
$ sudo yum install scap-security-guide
package_sendmail_removed medium Uninstall Sendmail Package The sendmail software was not developed with security in mind and its design prevents it from being effectively contained by SELinux. Postfix should be used instead. Sendmail is not the default mail transfer agent and is not installed by default. The sendmail package can be removed with the following command:
$ sudo yum erase sendmail
package_subscription-manager_installed medium Install subscription-manager Package Red Hat Subscription Manager is a local service which tracks installed products and subscriptions on a local system to help manage subscription assignments. It communicates with the backend subscription service (the Customer Portal or an on-premise server such as Subscription Asset Manager) and works with content management tools such as yum. The subscription-manager package can be installed with the following command:
$ sudo yum install subscription-manager
package_sudo_installed medium Install sudo Package sudo is a program designed to allow a system administrator to give limited root privileges to users and log root activity. The basic philosophy is to give as few privileges as possible but still allow system users to get their work done. The sudo package can be installed with the following command:
$ sudo yum install sudo
package_tmux_installed medium Install the tmux Package A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not logout because of the temporary nature of the absence. Rather than relying on the user to manually lock their operation system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock.

The tmux package allows for a session lock to be implemented and configured.
To enable console screen locking, install the tmux package. The tmux package can be installed with the following command:
$ sudo yum install tmux
Instruct users to begin new terminal sessions with the following command:
$ tmux
The console can now be locked with the following key combination:
ctrl+b :lock-session
SRG-OS-000030-GPOS-00011
CCI-000058
package_usbguard_installed medium Install usbguard Package usbguard is a software framework that helps to protect against rogue USB devices by implementing basic whitelisting/blacklisting capabilities based on USB device attributes. The usbguard package can be installed with the following command:
$ sudo yum install usbguard
partition_for_home low Ensure /home Located On Separate Partition Ensuring that /home is mounted on its own partition enables the setting of more restrictive mount options, and also helps ensure that users cannot trivially fill partitions used for log or audit data storage. If user home directories will be stored locally, create a separate partition for /home at installation time (or migrate it later using LVM). If /home will be mounted from another system such as an NFS server, then creating a separate partition is not necessary at installation time, and the mountpoint can instead be configured later. SRG-OS-000480-GPOS-00232
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00225
SRG-OS-000360-GPOS-00147
CCI-000366
CCI-001208
partition_for_var low Ensure /var Located On Separate Partition Ensuring that /var is mounted on its own partition enables the setting of more restrictive mount options. This helps protect system services such as daemons or other programs which use it. It is not uncommon for the /var directory to contain world-writable directories installed by other software packages. The /var directory is used by daemons and other system services to store frequently-changing data. Ensure that /var has its own partition or logical volume at installation time, or migrate it using LVM. SRG-OS-000480-GPOS-00232
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00225
SRG-OS-000360-GPOS-00147
CCI-000366
partition_for_var_log medium Ensure /var/log Located On Separate Partition Placing /var/log in its own partition enables better separation between log files and other files in /var/. System logs are stored in the /var/log directory. Ensure that it has its own partition or logical volume at installation time, or migrate it using LVM.
partition_for_var_log_audit low Ensure /var/log/audit Located On Separate Partition Placing /var/log/audit in its own partition enables better separation between audit files and other files, and helps ensure that auditing cannot be halted due to the partition running out of space. Audit logs are stored in the /var/log/audit directory. Ensure that it has its own partition or logical volume at installation time, or migrate it later using LVM. Make absolutely certain that it is large enough to store all audit logs that will be created by the auditing daemon. SRG-OS-000480-GPOS-00232
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00225
SRG-OS-000360-GPOS-00147
SRG-OS-000341-GPOS-00132
CCI-000366
CCI-001849
require_singleuser_auth medium Require Authentication for Single User Mode This prevents attackers with physical access from trivially bypassing security on the machine and gaining root access. Such accesses are further prevented by configuring the bootloader password. Single-user mode is intended as a system recovery method, providing a single user root access to the system by providing a boot option at startup. By default, no authentication is performed if single-user mode is selected.

By default, single-user mode is protected by requiring a password and is set in /usr/lib/systemd/system/rescue.service.
SRG-OS-000080-GPOS-00048
CCI-000213
rsyslog_remote_tls medium Configure TLS for rsyslog remote logging For protection of data being logged, the connection to the remote logging server needs to be authenticated and encrypted. Configure rsyslog to use Transport Layer Security (TLS) support for logging to remote server for the Forwarding Output Module in /etc/rsyslog.conf using action. You can use the following command:
echo 'action(type="omfwd" protocol="tcp" Target="<remote system>" port="6514"
    StreamDriver="gtls" StreamDriverMode="1" StreamDriverAuthMode="x509/name" streamdriver.CheckExtendedKeyPurpose="on")' >> /etc/rsyslog.conf
Replace the <remote system> in the above command with an IP address or a host name of the remote logging server.
rsyslog_remote_tls_cacert medium Configure CA certificate for rsyslog remote logging The CA certificate needs to be set or rsyslog.service fails to start with
error: ca certificate is not set, cannot continue
Configure CA certificate for rsyslog logging to remote server using Transport Layer Security (TLS) using correct path for the DefaultNetstreamDriverCAFile global option in /etc/rsyslog.conf, for example with the following command:
echo 'global(DefaultNetstreamDriverCAFile="/etc/pki/tls/cert.pem")' >> /etc/rsyslog.conf
Replace the /etc/pki/tls/cert.pem in the above command with the path to the file with CA certificate generated for the purpose of remote logging.
securetty_root_login_console_only medium Restrict Virtual Console Root Logins Preventing direct root login to virtual console devices helps ensure accountability for actions taken on the system using the root account. To restrict root logins through the (deprecated) virtual console devices, ensure lines of this form do not appear in /etc/securetty:
vc/1
vc/2
vc/3
vc/4
SRG-OS-000109-GPOS-00056
CCI-000770
selinux_policytype medium Configure SELinux Policy Setting the SELinux policy to targeted or a more specialized policy ensures the system will confine processes that are likely to be targeted for exploitation, such as network or system services.

Note: During the development or debugging of SELinux modules, it is common to temporarily place non-production systems in permissive mode. In such temporary cases, SELinux policies should be developed, and once work is completed, the system should be reconfigured to .
The SELinux targeted policy is appropriate for general-purpose desktops and servers, as well as systems in many other roles. To configure the system to use this policy, add or correct the following line in /etc/selinux/config:
SELINUXTYPE=
Other policies, such as mls, provide additional security labeling and greater confinement but are not compatible with many general-purpose use cases.
SRG-OS-000445-GPOS-00199
CCI-002696
selinux_state medium Ensure SELinux State is Enforcing Setting the SELinux state to enforcing ensures SELinux is able to confine potentially compromised processes to the security policy, which is designed to prevent them from causing damage to the system or further elevating their privileges. The SELinux state should be set to at system boot time. In the file /etc/selinux/config, add or correct the following line to configure the system to boot into enforcing mode:
SELINUX=
SRG-OS-000312-GPOS-00122
SRG-OS-000312-GPOS-00123
SRG-OS-000312-GPOS-00124
SRG-OS-000445-GPOS-00199
CCI-002165
CCI-002696
service_auditd_enabled medium Enable auditd Service Without establishing what type of events occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. Ensuring the auditd service is active ensures audit records generated by the kernel are appropriately recorded.

Additionally, a properly configured audit subsystem ensures that actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions.
The auditd service is an essential userspace component of the Linux Auditing System, as it is responsible for writing audit records to disk. The auditd service can be enabled with the following command:
$ sudo systemctl enable auditd.service
SRG-OS-000037-GPOS-00015
SRG-OS-000038-GPOS-00016
SRG-OS-000039-GPOS-00017
SRG-OS-000040-GPOS-00018
SRG-OS-000041-GPOS-00019
SRG-OS-000041-GPOS-00019
SRG-OS-000042-GPOS-00020
SRG-OS-000042-GPOS-00021
SRG-OS-000254-GPOS-00095
SRG-OS-000255-GPOS-00096
SRG-OS-000365-GPOS-00152
CCI-000126
CCI-000130
CCI-000131
CCI-000132
CCI-000133
CCI-000134
CCI-000134
CCI-000135
CCI-001464
CCI-001487
CCI-001814
service_debug-shell_disabled medium Disable debug-shell SystemD Service This prevents attackers with physical access from trivially bypassing security on the machine through valid troubleshooting configurations and gaining root access when the system is rebooted. SystemD's debug-shell service is intended to diagnose SystemD related boot issues with various systemctl commands. Once enabled and following a system reboot, the root shell will be available on tty9 which is access by pressing CTRL-ALT-F9. The debug-shell service should only be used for SystemD related issues and should otherwise be disabled.

By default, the debug-shell SystemD service is already disabled. The debug-shell service can be disabled with the following command:
$ sudo systemctl mask --now debug-shell.service
service_fapolicyd_enabled medium Enable the File Access Policy Service The fapolicyd service (File Access Policy Daemon) implements application whitelisting to decide file access rights. The File Access Policy service should be enabled. The fapolicyd service can be enabled with the following command:
$ sudo systemctl enable fapolicyd.service
service_firewalld_enabled medium Verify firewalld Enabled Access control methods provide the ability to enhance system security posture by restricting services and known good IP addresses and address ranges. This prevents connections from unknown hosts and protocols. The firewalld service can be enabled with the following command:
$ sudo systemctl enable firewalld.service
SRG-OS-000480-GPOS-00232
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00225
SRG-OS-000360-GPOS-00147
CCI-000366
service_kdump_disabled medium Disable KDump Kernel Crash Analyzer (kdump) Kernel core dumps may contain the full contents of system memory at the time of the crash. Kernel core dumps consume a considerable amount of disk space and may result in denial of service by exhausting the available space on the target file system partition. Unless the system is used for kernel development or testing, there is little need to run the kdump service. The kdump service provides a kernel crash dump analyzer. It uses the kexec system call to boot a secondary kernel ("capture" kernel) following a system crash, which can load information from the crashed kernel for analysis. The kdump service can be disabled with the following command:
$ sudo systemctl mask --now kdump.service
SRG-OS-000480-GPOS-00232
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00225
SRG-OS-000360-GPOS-00147
CCI-000366
service_systemd-coredump_disabled unknown Disable acquiring, saving, and processing core dumps A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers trying to debug problems. The systemd-coredump.socket unit is a socket activation of the systemd-coredump@.service which processes core dumps. By masking the unit, core dump processing is disabled.
service_usbguard_enabled medium Enable the USBGuard Service The usbguard service must be running in order to enforce the USB device authorization policy for all USB devices. The USBGuard service should be enabled. The usbguard service can be enabled with the following command:
$ sudo systemctl enable usbguard.service
smartcard_configure_cert_checking medium Configure Smart Card Certificate Status Checking Using an authentication device, such as a CAC or token that is separate from the information system, ensures that even if the information system is compromised, that compromise will not affect credentials stored on the authentication device.

Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification card and the DoD Common Access Card.
Configure the operating system to do certificate status checking for PKI authentication. Modify all of the cert_policy lines in /etc/pam_pkcs11/pam_pkcs11.conf to include ocsp_on like so:
cert_policy = ca, ocsp_on, signature;
SRG-OS-000375-GPOS-00160
SRG-OS-000376-GPOS-00161
SRG-OS-000377-GPOS-00162
CCI-001948
CCI-001953
CCI-001954
ssh_client_rekey_limit medium Configure session renegotiation for SSH client By decreasing the limit based on the amount of data and enabling time-based limit, effects of potential attacks against encryption keys are limited. The RekeyLimit parameter specifies how often the session key is renegotiated, both in terms of amount of data that may be transmitted and the time elapsed. To decrease the default limits, put line RekeyLimit to file /etc/ssh/ssh_config.d/02-rekey-limit.conf. Make sure that there is no other RekeyLimit configuration preceding the include directive in the main config file /etc/ssh/ssh_config. Check also other files in /etc/ssh/ssh_config.d directory. Files are processed according to lexicographical order of file names. Make sure that there is no file processed before 02-rekey-limit.conf containing definition of RekeyLimit.
ssh_client_use_strong_rng_csh medium SSH client uses strong entropy to seed (for CSH like shells) Some SSH implementations use the openssl library for entropy, which by default, doesn't use high-entropy sources. Randomness is needed to generate considerably more secure data-encryption keys. Plaintext padding, initialization vectors in encryption algorithms, and high-quality entropy eliminates the possibility that the output of the random number generator used by SSH would be known to potential attackers. To set up SSH client to use entropy from a high-quality source, make sure that the appropriate shell environment variable is configured. The SSH_USE_STRONG_RNG environment variable determines how many bytes of entropy to use. Make sure that the file /etc/profile.d/cc-ssh-strong-rng.csh contains line
setenv SSH_USE_STRONG_RNG 32
.
ssh_client_use_strong_rng_sh medium SSH client uses strong entropy to seed (Bash-like shells) Some SSH implementations use the openssl library for entropy, which by default, doesn't use high-entropy sources. Randomness is needed to generate considerably more secure data-encryption keys. Plaintext padding, initialization vectors in encryption algorithms, and high-quality entropy eliminates the possibility that the output of the random number generator used by SSH would be known to potential attackers. To set up SSH client to use entropy from a high-quality source, make sure that the appropriate shell environment variable is configured. The SSH_USE_STRONG_RNG environment variable determines how many bytes of entropy to use. Make sure that the file /etc/profile.d/cc-ssh-strong-rng.sh contains line
export SSH_USE_STRONG_RNG=32
.
sshd_disable_empty_passwords high Disable SSH Access via Empty Passwords Configuring this setting for the SSH daemon provides additional assurance that remote login via SSH will require a password, even in the event of misconfiguration elsewhere. To explicitly disallow SSH login from accounts with empty passwords, add or correct the following line in /etc/ssh/sshd_config:
PermitEmptyPasswords no

Any accounts with empty passwords should be disabled immediately, and PAM configuration should prevent users from being able to assign themselves empty passwords.
SRG-OS-000480-GPOS-00232
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00225
SRG-OS-000360-GPOS-00147
SRG-OS-000106-GPOS-00053
CCI-000366
CCI-000766
sshd_disable_gssapi_auth medium Disable GSSAPI Authentication GSSAPI authentication is used to provide additional authentication mechanisms to applications. Allowing GSSAPI authentication through SSH exposes the system's GSSAPI to remote hosts, increasing the attack surface of the system. Unless needed, SSH should not permit extraneous or unnecessary authentication mechanisms like GSSAPI. To disable GSSAPI authentication, add or correct the following line in the /etc/ssh/sshd_config file:
GSSAPIAuthentication no
SRG-OS-000362-GPOS-00149
SRG-OS-000364-GPOS-00151
SRG-OS-000365-GPOS-00152
CCI-000318
CCI-000368
CCI-001812
CCI-001813
CCI-001814
sshd_disable_kerb_auth medium Disable Kerberos Authentication Kerberos authentication for SSH is often implemented using GSSAPI. If Kerberos is enabled through SSH, the SSH daemon provides a means of access to the system's Kerberos implementation. Vulnerabilities in the system's Kerberos implementations may be subject to exploitation. Unless needed, SSH should not permit extraneous or unnecessary authentication mechanisms like Kerberos. To disable Kerberos authentication, add or correct the following line in the /etc/ssh/sshd_config file:
KerberosAuthentication no
SRG-OS-000362-GPOS-00149
SRG-OS-000364-GPOS-00151
SRG-OS-000365-GPOS-00152
CCI-000318
CCI-000368
CCI-001812
CCI-001813
CCI-001814
sshd_disable_root_login medium Disable SSH Root Login Even though the communications channel may be encrypted, an additional layer of security is gained by extending the policy of not logging directly on as root. In addition, logging in with a user-specific account provides individual accountability of actions performed on the system and also helps to minimize direct attack attempts on root's password. The root user should never be allowed to login to a system directly over a network. To disable root login via SSH, add or correct the following line in /etc/ssh/sshd_config:
PermitRootLogin no
SRG-OS-000480-GPOS-00232
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00225
SRG-OS-000360-GPOS-00147
SRG-OS-000109-GPOS-00056
CCI-000366
CCI-000770
sshd_enable_strictmodes medium Enable Use of Strict Mode Checking If other users have access to modify user-specific SSH configuration files, they may be able to log into the system as another user. SSHs StrictModes option checks file and ownership permissions in the user's home directory .ssh folder before accepting login. If world- writable permissions are found, logon is rejected. To enable StrictModes in SSH, add or correct the following line in the /etc/ssh/sshd_config file:
StrictModes yes
SRG-OS-000480-GPOS-00232
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00225
SRG-OS-000360-GPOS-00147
CCI-000366
sshd_enable_warning_banner medium Enable SSH Warning Banner The warning message reinforces policy awareness during the logon process and facilitates possible legal action against attackers. Alternatively, systems whose ownership should not be obvious should ensure usage of a banner that does not provide easy attribution. To enable the warning banner and ensure it is consistent across the system, add or correct the following line in /etc/ssh/sshd_config:
Banner /etc/issue
Another section contains information on how to create an appropriate system-wide warning banner.
SRG-OS-000023-GPOS-00006
SRG-OS-000024-GPOS-00007
SRG-OS-000228-GPOS-00088
SRG-OS-000228-GPOS-00088
SRG-OS-000228-GPOS-00088
SRG-OS-000228-GPOS-00088
SRG-OS-000228-GPOS-00088
CCI-000048
CCI-000050
CCI-001384
CCI-001385
CCI-001386
CCI-001387
CCI-001388
sshd_rekey_limit medium Force frequent session key renegotiation By decreasing the limit based on the amount of data and enabling time-based limit, effects of potential attacks against encryption keys are limited. The RekeyLimit parameter specifies how often the session key of the is renegotiated, both in terms of amount of data that may be transmitted and the time elapsed. To decrease the default limits, put line RekeyLimit to file /etc/ssh/sshd_config.
sshd_set_idle_timeout medium Set SSH Idle Timeout Interval Terminating an idle ssh session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been let unattended. SSH allows administrators to set an idle timeout interval. After this interval has passed, the idle user will be automatically logged out.

To set an idle timeout interval, edit the following line in /etc/ssh/sshd_config as follows:
ClientAliveInterval 


The timeout interval is given in seconds. For example, have a timeout of 10 minutes, set interval to 600.

If a shorter timeout has already been set for the login shell, that value will preempt any SSH setting made in /etc/ssh/sshd_config. Keep in mind that some processes may stop SSH from correctly detecting that the user is idle.
SRG-OS-000126-GPOS-00066
SRG-OS-000163-GPOS-00072
SRG-OS-000279-GPOS-00109
CCI-000879
CCI-001133
CCI-002361
sshd_set_keepalive medium Set SSH Client Alive Count Max This ensures a user login will be terminated as soon as the ClientAliveInterval is reached. The SSH server sends at most ClientAliveCountMax messages during a SSH session and waits for a response from the SSH client. The option ClientAliveInterval configures timeout after each ClientAliveCountMax message. If the SSH server does not receive a response from the client, then the connection is considered idle and terminated. To ensure the SSH idle timeout occurs precisely when the ClientAliveInterval is set, set the ClientAliveCountMax to value of 0. SRG-OS-000126-GPOS-00066
SRG-OS-000163-GPOS-00072
SRG-OS-000279-GPOS-00109
CCI-000879
CCI-001133
CCI-002361
sshd_use_strong_rng medium SSH server uses strong entropy to seed SSH implementation in RHEL8 uses the openssl library, which doesn't use high-entropy sources by default. Randomness is needed to generate data-encryption keys, and as plaintext padding and initialization vectors in encryption algorithms, and high-quality entropy elliminates the possibility that the output of the random number generator used by SSH would be known to potential attackers. To set up SSH server to use entropy from a high-quality source, edit the /etc/sysconfig/sshd file. The SSH_USE_STRONG_RNG configuration value determines how many bytes of entropy to use, so make sure that the file contains line
SSH_USE_STRONG_RNG=32
sssd_enable_smartcards medium Enable Smartcards in SSSD Using an authentication device, such as a CAC or token that is separate from the information system, ensures that even if the information system is compromised, that compromise will not affect credentials stored on the authentication device.

Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification card and the DoD Common Access Card.
SSSD should be configured to authenticate access to the system using smart cards. To enable smart cards in SSSD, set pam_cert_auth to true under the [pam] section in /etc/sssd/sssd.conf. For example:
[pam]
pam_cert_auth = true
SRG-OS-000377-GPOS-00162
CCI-001954
sssd_offline_cred_expiration medium Configure SSSD to Expire Offline Credentials If cached authentication information is out-of-date, the validity of the authentication information may be questionable. SSSD should be configured to expire offline credentials after 1 day. To configure SSSD to expire offline credentials, set offline_credentials_expiration to 1 under the [pam] section in /etc/sssd/sssd.conf. For example:
[pam]
offline_credentials_expiration = 1
SRG-OS-000383-GPOS-00166
CCI-002007
sysctl_fs_protected_hardlinks unknown Enable Kernel Parameter to Enforce DAC on Hardlinks By enabling this kernel parameter, users can no longer create soft or hard links to files which they do not own. Disallowing such hardlinks mitigate vulnerabilities based on insecure file system accessed by privileged programs, avoiding an exploitation vector exploiting unsafe use of open() or creat(). To set the runtime status of the fs.protected_hardlinks kernel parameter, run the following command:
$ sudo sysctl -w fs.protected_hardlinks=1
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
fs.protected_hardlinks = 1
sysctl_fs_protected_symlinks unknown Enable Kernel Parameter to Enforce DAC on Symlinks By enabling this kernel parameter, symbolic links are permitted to be followed only when outside a sticky world-writable directory, or when the UID of the link and follower match, or when the directory owner matches the symlink's owner. Disallowing such symlinks helps mitigate vulnerabilities based on insecure file system accessed by privileged programs, avoiding an exploitation vector exploiting unsafe use of open() or creat(). To set the runtime status of the fs.protected_symlinks kernel parameter, run the following command:
$ sudo sysctl -w fs.protected_symlinks=1
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
fs.protected_symlinks = 1
sysctl_kernel_core_pattern unknown Disable storing core dumps A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers trying to debug problems. To set the runtime status of the kernel.core_pattern kernel parameter, run the following command:
$ sudo sysctl -w kernel.core_pattern=|/bin/false
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
kernel.core_pattern = |/bin/false
sysctl_kernel_dmesg_restrict medium Restrict Access to Kernel Message Buffer Unprivileged access to the kernel syslog can expose sensitive kernel address information. To set the runtime status of the kernel.dmesg_restrict kernel parameter, run the following command:
$ sudo sysctl -w kernel.dmesg_restrict=1
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
kernel.dmesg_restrict = 1
SRG-OS-000206-GPOS-00084
CCI-001314
sysctl_kernel_kexec_load_disabled medium Disable Kernel Image Loading Disabling kexec_load allows greater control of the kernel memory. It makes it impossible to load another kernel image after it has been disabled. To set the runtime status of the kernel.kexec_load_disabled kernel parameter, run the following command:
$ sudo sysctl -w kernel.kexec_load_disabled=1
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
kernel.kexec_load_disabled = 1
sysctl_kernel_kptr_restrict medium Restrict Exposed Kernel Pointer Addresses Access Exposing kernel pointers (through procfs or seq_printf()) exposes kernel writeable structures that can contain functions pointers. If a write vulnereability occurs in the kernel allowing a write access to any of this structure, the kernel can be compromise. This option disallow any program withtout the CAP_SYSLOG capability from getting the kernel pointers addresses, replacing them with 0. To set the runtime status of the kernel.kptr_restrict kernel parameter, run the following command:
$ sudo sysctl -w kernel.kptr_restrict=1
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
kernel.kptr_restrict = 1
sysctl_kernel_perf_event_paranoid medium Disallow kernel profiling by unprivileged users Kernel profiling can reveal sensitive information about kernel behaviour. To set the runtime status of the kernel.perf_event_paranoid kernel parameter, run the following command:
$ sudo sysctl -w kernel.perf_event_paranoid=2
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
kernel.perf_event_paranoid = 2
sysctl_kernel_unprivileged_bpf_disabled medium Disable Access to Network bpf() Syscall From Unprivileged Processes Loading and accessing the packet filters programs and maps using the bpf() syscall has the potential of revealing sensitive information about the kernel state. To set the runtime status of the kernel.unprivileged_bpf_disabled kernel parameter, run the following command:
$ sudo sysctl -w kernel.unprivileged_bpf_disabled=1
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
kernel.unprivileged_bpf_disabled = 1
sysctl_kernel_yama_ptrace_scope medium Restrict usage of ptrace to descendant processes Unrestricted usage of ptrace allows compromised binaries to run ptrace on another processes of the user. Like this, the attacker can steal sensitive information from the target processes (e.g. SSH sessions, web browser, ...) without any additional assistance from the user (i.e. without resorting to phishing). To set the runtime status of the kernel.yama.ptrace_scope kernel parameter, run the following command:
$ sudo sysctl -w kernel.yama.ptrace_scope=1
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
kernel.yama.ptrace_scope = 1
sysctl_net_core_bpf_jit_harden medium Harden the operation of the BPF just-in-time compiler When hardened, the extended Berkeley Packet Filter just-in-time compiler will randomize any kernel addresses in the BPF programs and maps, and will not expose the JIT addresses in /proc/kallsyms. To set the runtime status of the net.core.bpf_jit_harden kernel parameter, run the following command:
$ sudo sysctl -w net.core.bpf_jit_harden=2
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.core.bpf_jit_harden = 2
sysctl_net_ipv4_conf_all_accept_redirects medium Disable Accepting ICMP Redirects for All IPv4 Interfaces ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.
This feature of the IPv4 protocol has few legitimate uses. It should be disabled unless absolutely required."
To set the runtime status of the net.ipv4.conf.all.accept_redirects kernel parameter, run the following command:
$ sudo sysctl -w net.ipv4.conf.all.accept_redirects=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.conf.all.accept_redirects = 0
SRG-OS-000480-GPOS-00232
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00225
SRG-OS-000360-GPOS-00147
CCI-000366
CCI-001503
CCI-001551
sysctl_net_ipv4_conf_all_accept_source_route medium Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv4 Interfaces Source-routed packets allow the source of the packet to suggest routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routerd traffic, such as when IPv4 forwarding is enabled and the system is functioning as a router.

Accepting source-routed packets in the IPv4 protocol has few legitimate uses. It should be disabled unless it is absolutely required.
To set the runtime status of the net.ipv4.conf.all.accept_source_route kernel parameter, run the following command:
$ sudo sysctl -w net.ipv4.conf.all.accept_source_route=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.conf.all.accept_source_route = 0
SRG-OS-000480-GPOS-00232
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00225
SRG-OS-000360-GPOS-00147
CCI-000366
sysctl_net_ipv4_conf_all_log_martians unknown Enable Kernel Parameter to Log Martian Packets on all IPv4 Interfaces The presence of "martian" packets (which have impossible addresses) as well as spoofed packets, source-routed packets, and redirects could be a sign of nefarious network activity. Logging these packets enables this activity to be detected. To set the runtime status of the net.ipv4.conf.all.log_martians kernel parameter, run the following command:
$ sudo sysctl -w net.ipv4.conf.all.log_martians=1
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.conf.all.log_martians = 1
CCI-000126
sysctl_net_ipv4_conf_all_rp_filter medium Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces Enabling reverse path filtering drops packets with source addresses that should not have been able to be received on the interface they were received on. It should not be used on systems which are routers for complicated networks, but is helpful for end hosts and routers serving small networks. To set the runtime status of the net.ipv4.conf.all.rp_filter kernel parameter, run the following command:
$ sudo sysctl -w net.ipv4.conf.all.rp_filter=1
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.conf.all.rp_filter = 1
SRG-OS-000480-GPOS-00232
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00225
SRG-OS-000360-GPOS-00147
CCI-000366
CCI-001551
sysctl_net_ipv4_conf_all_secure_redirects medium Disable Kernel Parameter for Accepting Secure ICMP Redirects on all IPv4 Interfaces Accepting "secure" ICMP redirects (from those gateways listed as default gateways) has few legitimate uses. It should be disabled unless it is absolutely required. To set the runtime status of the net.ipv4.conf.all.secure_redirects kernel parameter, run the following command:
$ sudo sysctl -w net.ipv4.conf.all.secure_redirects=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.conf.all.secure_redirects = 0
CCI-001503
CCI-001551
sysctl_net_ipv4_conf_all_send_redirects medium Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table possibly revealing portions of the network topology.
The ability to send ICMP redirects is only appropriate for systems acting as routers.
To set the runtime status of the net.ipv4.conf.all.send_redirects kernel parameter, run the following command:
$ sudo sysctl -w net.ipv4.conf.all.send_redirects=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.conf.all.send_redirects = 0
SRG-OS-000480-GPOS-00232
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00225
SRG-OS-000360-GPOS-00147
CCI-000366
sysctl_net_ipv4_conf_default_accept_redirects medium Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv4 Interfaces ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.
This feature of the IPv4 protocol has few legitimate uses. It should be disabled unless absolutely required.
To set the runtime status of the net.ipv4.conf.default.accept_redirects kernel parameter, run the following command:
$ sudo sysctl -w net.ipv4.conf.default.accept_redirects=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.conf.default.accept_redirects = 0
SRG-OS-000480-GPOS-00232
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00225
SRG-OS-000360-GPOS-00147
CCI-000366
CCI-001551
sysctl_net_ipv4_conf_default_accept_source_route medium Disable Kernel Parameter for Accepting Source-Routed Packets on IPv4 Interfaces by Default Source-routed packets allow the source of the packet to suggest routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures.
Accepting source-routed packets in the IPv4 protocol has few legitimate uses. It should be disabled unless it is absolutely required, such as when IPv4 forwarding is enabled and the system is legitimately functioning as a router.
To set the runtime status of the net.ipv4.conf.default.accept_source_route kernel parameter, run the following command:
$ sudo sysctl -w net.ipv4.conf.default.accept_source_route=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.conf.default.accept_source_route = 0
SRG-OS-000480-GPOS-00232
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00225
SRG-OS-000360-GPOS-00147
CCI-000366
CCI-001551
sysctl_net_ipv4_conf_default_log_martians unknown Enable Kernel Paremeter to Log Martian Packets on all IPv4 Interfaces by Default The presence of "martian" packets (which have impossible addresses) as well as spoofed packets, source-routed packets, and redirects could be a sign of nefarious network activity. Logging these packets enables this activity to be detected. To set the runtime status of the net.ipv4.conf.default.log_martians kernel parameter, run the following command:
$ sudo sysctl -w net.ipv4.conf.default.log_martians=1
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.conf.default.log_martians = 1
CCI-000126
sysctl_net_ipv4_conf_default_rp_filter medium Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces by Default Enabling reverse path filtering drops packets with source addresses that should not have been able to be received on the interface they were received on. It should not be used on systems which are routers for complicated networks, but is helpful for end hosts and routers serving small networks. To set the runtime status of the net.ipv4.conf.default.rp_filter kernel parameter, run the following command:
$ sudo sysctl -w net.ipv4.conf.default.rp_filter=1
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.conf.default.rp_filter = 1
SRG-OS-000480-GPOS-00232
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00225
SRG-OS-000360-GPOS-00147
CCI-000366
sysctl_net_ipv4_conf_default_secure_redirects medium Configure Kernel Parameter for Accepting Secure Redirects By Default Accepting "secure" ICMP redirects (from those gateways listed as default gateways) has few legitimate uses. It should be disabled unless it is absolutely required. To set the runtime status of the net.ipv4.conf.default.secure_redirects kernel parameter, run the following command:
$ sudo sysctl -w net.ipv4.conf.default.secure_redirects=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.conf.default.secure_redirects = 0
CCI-001551
sysctl_net_ipv4_conf_default_send_redirects medium Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces by Default ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table possibly revealing portions of the network topology.
The ability to send ICMP redirects is only appropriate for systems acting as routers.
To set the runtime status of the net.ipv4.conf.default.send_redirects kernel parameter, run the following command:
$ sudo sysctl -w net.ipv4.conf.default.send_redirects=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.conf.default.send_redirects = 0
SRG-OS-000480-GPOS-00232
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00225
SRG-OS-000360-GPOS-00147
CCI-000366
sysctl_net_ipv4_icmp_echo_ignore_broadcasts medium Enable Kernel Parameter to Ignore ICMP Broadcast Echo Requests on IPv4 Interfaces Responding to broadcast (ICMP) echoes facilitates network mapping and provides a vector for amplification attacks.
Ignoring ICMP echo requests (pings) sent to broadcast or multicast addresses makes the system slightly more difficult to enumerate on the network.
To set the runtime status of the net.ipv4.icmp_echo_ignore_broadcasts kernel parameter, run the following command:
$ sudo sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.icmp_echo_ignore_broadcasts = 1
SRG-OS-000480-GPOS-00232
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00225
SRG-OS-000360-GPOS-00147
CCI-000366
sysctl_net_ipv4_icmp_ignore_bogus_error_responses unknown Enable Kernel Parameter to Ignore Bogus ICMP Error Responses on IPv4 Interfaces Ignoring bogus ICMP error responses reduces log size, although some activity would not be logged. To set the runtime status of the net.ipv4.icmp_ignore_bogus_error_responses kernel parameter, run the following command:
$ sudo sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.icmp_ignore_bogus_error_responses = 1
sysctl_net_ipv4_ip_forward medium Disable Kernel Parameter for IP Forwarding on IPv4 Interfaces Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this capability is used when not required, system network information may be unnecessarily transmitted across the network. To set the runtime status of the net.ipv4.ip_forward kernel parameter, run the following command:
$ sudo sysctl -w net.ipv4.ip_forward=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.ip_forward = 0
SRG-OS-000480-GPOS-00232
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00225
SRG-OS-000360-GPOS-00147
CCI-000366
sysctl_net_ipv4_tcp_syncookies medium Enable Kernel Parameter to Use TCP Syncookies on IPv4 Interfaces A TCP SYN flood attack can cause a denial of service by filling a system's TCP connection table with connections in the SYN_RCVD state. Syncookies can be used to track a connection when a subsequent ACK is received, verifying the initiator is attempting a valid connection and is not a flood source. This feature is activated when a flood condition is detected, and enables the system to continue servicing valid connection requests. To set the runtime status of the net.ipv4.tcp_syncookies kernel parameter, run the following command:
$ sudo sysctl -w net.ipv4.tcp_syncookies=1
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.tcp_syncookies = 1
SRG-OS-000480-GPOS-00232
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00225
SRG-OS-000360-GPOS-00147
CCI-000366
sysctl_net_ipv6_conf_all_accept_ra unknown Configure Accepting Router Advertisements on All IPv6 Interfaces An illicit router advertisement message could result in a man-in-the-middle attack. To set the runtime status of the net.ipv6.conf.all.accept_ra kernel parameter, run the following command:
$ sudo sysctl -w net.ipv6.conf.all.accept_ra=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv6.conf.all.accept_ra = 0
sysctl_net_ipv6_conf_all_accept_redirects medium Disable Accepting ICMP Redirects for All IPv6 Interfaces An illicit ICMP redirect message could result in a man-in-the-middle attack. To set the runtime status of the net.ipv6.conf.all.accept_redirects kernel parameter, run the following command:
$ sudo sysctl -w net.ipv6.conf.all.accept_redirects=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv6.conf.all.accept_redirects = 0
CCI-001551
sysctl_net_ipv6_conf_all_accept_source_route medium Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv6 Interfaces Source-routed packets allow the source of the packet to suggest routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routerd traffic, such as when IPv6 forwarding is enabled and the system is functioning as a router.

Accepting source-routed packets in the IPv6 protocol has few legitimate uses. It should be disabled unless it is absolutely required.
To set the runtime status of the net.ipv6.conf.all.accept_source_route kernel parameter, run the following command:
$ sudo sysctl -w net.ipv6.conf.all.accept_source_route=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv6.conf.all.accept_source_route = 0
SRG-OS-000480-GPOS-00232
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00225
SRG-OS-000360-GPOS-00147
CCI-000366
sysctl_net_ipv6_conf_default_accept_ra unknown Disable Accepting Router Advertisements on all IPv6 Interfaces by Default An illicit router advertisement message could result in a man-in-the-middle attack. To set the runtime status of the net.ipv6.conf.default.accept_ra kernel parameter, run the following command:
$ sudo sysctl -w net.ipv6.conf.default.accept_ra=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv6.conf.default.accept_ra = 0
sysctl_net_ipv6_conf_default_accept_redirects medium Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv6 Interfaces An illicit ICMP redirect message could result in a man-in-the-middle attack. To set the runtime status of the net.ipv6.conf.default.accept_redirects kernel parameter, run the following command:
$ sudo sysctl -w net.ipv6.conf.default.accept_redirects=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv6.conf.default.accept_redirects = 0
CCI-001551
sysctl_net_ipv6_conf_default_accept_source_route medium Disable Kernel Parameter for Accepting Source-Routed Packets on IPv6 Interfaces by Default Source-routed packets allow the source of the packet to suggest routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routerd traffic, such as when IPv6 forwarding is enabled and the system is functioning as a router. Accepting source-routed packets in the IPv6 protocol has few legitimate uses. It should be disabled unless it is absolutely required. To set the runtime status of the net.ipv6.conf.default.accept_source_route kernel parameter, run the following command:
$ sudo sysctl -w net.ipv6.conf.default.accept_source_route=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv6.conf.default.accept_source_route = 0
SRG-OS-000480-GPOS-00232
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00225
SRG-OS-000360-GPOS-00147
CCI-000366
sysctl_user_max_user_namespaces low Disable the use of user namespaces User namespaces are used primarily for Linux containers. The value 0 disallows the use of user namespaces. To set the runtime status of the user.max_user_namespaces kernel parameter, run the following command:
$ sudo sysctl -w user.max_user_namespaces=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
user.max_user_namespaces = 0
When containers are deployed on the machine, the value should be set to large non-zero value.
timer_dnf-automatic_enabled medium Enable dnf-automatic Timer The dnf-automatic is an alternative command line interface (CLI) to dnf upgrade with specific facilities to make it suitable to be executed automatically and regularly from systemd timers, cron jobs and similar. The tool is controlled by dnf-automatic.timer SystemD timer. The dnf-automatic timer can be enabled with the following command:
$ sudo systemctl enable dnf-automatic.timer
usbguard_allow_hid_and_hub medium Authorize Human Interface Devices and USB hubs in USBGuard daemon Without allowing Human Interface Devices, it might not be possible to interact with the system. Without allowing hubs, it might not be possible to use any USB devices on the system. To allow authorization of USB devices combining human interface device and hub capabilities by USBGuard daemon, add the line allow with-interface match_all { 03:*:* 09:00:* } to /etc/usbguard/rules.conf.
use_pam_wheel_for_su medium Enforce usage of pam_wheel for su authentication The su program allows to run commands with a substitute user and group ID. It is commonly used to run commands as the root user. Limiting access to such command is considered a good security practice. To ensure that only users who are members of the wheel group can run commands with altered privileges through the su command, make sure that the following line exists in the file /etc/pam.d/su:
auth             required        pam_wheel.so use_uid