Coverage - DISA, Linux
Current revisions
| Operating System | Source Benchmark version |
| --- | --- |
| Oracle Linux 8 | V2R2 |
| Red Hat Enterprise Linux 8 | V2R1 |
| Red Hat Enterprise Linux 9 | V2R2 |
Control Coverage
Summary
Detail
Unmapped Controls
The following controls are not mapped:
OracleLinux 8 (15/244 [6%])
- V-248534
- Title: OL 8 must employ FIPS 140-2 approved cryptographic hashing algorithms for all stored passwords.
- NOTE: Locking a user due to inappropriate encryption is not currently available in simp. A mechanism to address this rule will be implemented in a future release.
- V-248545
- Title: OL 8 must prevent system daemons from using Kerberos for authentication.
- NOTE: We do not currently have a mechanism for scanning the filesystem for enforcement.
- V-248565
- Title: The OL 8 operating system must implement DoD-approved TLS encryption in the OpenSSL package.
- NOTE: There is currently no mechanism to control the content of /etc/crypto-policies/back-ends/opensslcnf.config. One may be implemented in the future.
- V-248567
- Title: OL 8 system commands must have mode 755 or less permissive.
- NOTE: We do not currently have a mechanism for scanning the filesystem for enforcement.
- V-248619
- Title: OL 8 must prevent special devices on non-root local partitions.
- NOTE: There is no way to safely change this on a running system.
- V-248625
- Title: OL 8 file systems must not interpret character or block special devices that are imported via NFS.
- NOTE: There is no way to safely change this on a running system.
- V-248807
- Title: OL 8 audit tools must have a mode of “0755” or less permissive.
- NOTE: There is currently no way for the product to determine which audit tools are installed on the system. Since there is no way to know which tools are in use, permissions for those tools won’t be controlled by the product.
- V-248808
- Title: OL 8 audit tools must be owned by root.
- NOTE: There is currently no way for the product to determine which audit tools are installed on the system. Since there is no way to know which tools are in use, permissions for those tools won’t be controlled by the product.
- V-248809
- Title: OL 8 audit tools must be group-owned by root.
- NOTE: There is currently no way for the product to determine which audit tools are installed on the system. Since there is no way to know which tools are in use, permissions for those tools won’t be controlled by the product.
- V-248850
- Title: OL 8 must mount “/var/log” with the “nodev” option.
- NOTE: The product will not enforce specific mountpoints or their options other than tmp mounts.
- V-248851
- Title: OL 8 must mount “/var/log” with the “nosuid” option.
- NOTE: The product will not enforce specific mountpoints or their options other than tmp mounts.
- V-248852
- Title: OL 8 must mount “/var/log” with the “noexec” option.
- NOTE: The product will not enforce specific mountpoints or their options other than tmp mounts.
- V-248853
- Title: OL 8 must mount “/var/log/audit” with the “nodev” option.
- NOTE: The product will not enforce specific mountpoints or their options other than tmp mounts.
- V-248854
- Title: OL 8 must mount “/var/log/audit” with the “nosuid” option.
- NOTE: The product will not enforce specific mountpoints or their options other than tmp mounts.
- V-248855
- Title: OL 8 must mount “/var/log/audit” with the “noexec” option.
- NOTE: The product will not enforce specific mountpoints or their options other than tmp mounts.
RedHat 8 (17/230 [7%])
- V-230221
- Title: RHEL 8 must be a vendor-supported release.
- NOTE: The product won’t automatically perform kernel updates; doing so could cause significant issues for customers who are not prepared for them.
- V-230223
- Title: RHEL 8 must implement NIST FIPS-validated cryptography for the following: To provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.
- NOTE: The product will not enable FIPS mode on any system; customers who are prepared to turn FIPS mode on will need to enable it manually.
- V-230232
- Title: RHEL 8 must employ FIPS 140-2 approved cryptographic hashing algorithms for all stored passwords.
- NOTE: Locking a user due to inappropriate encryption is not currently available in simp. A mechanism to address this rule will be implemented in a future release.
- V-230234
- Title: RHEL 8 operating systems booted with United Extensible Firmware Interface (UEFI) must require authentication upon booting into single-user mode and maintenance.
- NOTE: The product will not set any passwords for superusers.
- V-230235
- Title: RHEL 8 operating systems booted with a BIOS must require authentication upon booting into single-user and maintenance modes.
- NOTE: The product will not set any passwords for superusers.
- V-230238
- Title: RHEL 8 must prevent system daemons from using Kerberos for authentication.
- NOTE: The product will not walk the entire filesystem looking for .keytab files, as this could cause problems on systems leveraging large file shares.
- V-230257
- Title: RHEL 8 system commands must have mode 755 or less permissive.
- NOTE: The product will not walk the filesystem looking for system commands. This could cause issues on systems utilizing large file shares.
- V-230258
- Title: RHEL 8 system commands must be owned by root.
- NOTE: The product will not walk the filesystem looking for system commands. This could cause issues on systems utilizing large file shares.
- V-230259
- Title: RHEL 8 system commands must be group-owned by root or a system account.
- NOTE: The product will not walk the filesystem looking for system commands. This could cause issues on systems utilizing large file shares.
- V-230264
- Title: RHEL 8 must prevent the installation of software, patches, service packs, device drivers, or operating system components from a repository without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization.
- NOTE: The product will not configure anything within the /etc/yum.repos.d directory. It is likely customers will be configuring their own repositories and turning gpgcheck on automatically could cause loss of access to critical internal repos.
- V-230301
- Title: RHEL 8 must prevent special devices on non-root local partitions.
- NOTE: There is no way to safely change this on a running system.
- V-230307
- Title: RHEL 8 must prevent special devices on file systems that are imported via Network File System (NFS).
- NOTE: There is no way to safely change this on a running system.
- V-230514
- Title: RHEL 8 must mount /var/log with the nodev option.
- NOTE: The product will not enforce specific mountpoints or their options other than tmp mounts.
- V-230515
- Title: RHEL 8 must mount /var/log with the nosuid option.
- NOTE: The product will not enforce specific mountpoints or their options other than tmp mounts.
- V-230516
- Title: RHEL 8 must mount /var/log with the noexec option.
- NOTE: The product will not enforce specific mountpoints or their options other than tmp mounts.
- V-230517
- Title: RHEL 8 must mount /var/log/audit with the nodev option.
- NOTE: The product will not enforce specific mountpoints or their options other than tmp mounts.
- V-230518
- Title: RHEL 8 must mount /var/log/audit with the nosuid option.
- NOTE: The product will not enforce specific mountpoints or their options other than tmp mounts.
RedHat 9 (49/404 [12%])
- V-257777
- Title: RHEL 9 must be a vendor-supported release.
- NOTE: The product will not automatically update the kernel to the latest version as it could cause various unforeseen issues in systems that haven’t tested the upgrade first.
- V-257843
- Title: A separate RHEL 9 file system must be used for user home directories (such as /home or an equivalent).
- NOTE: There is no way to safely change this on a running system.
- V-257845
- Title: RHEL 9 must use a separate file system for /var.
- NOTE: There is no way to safely change this on a running system.
- V-257846
- Title: RHEL 9 must use a separate file system for /var/log.
- NOTE: There is no way to safely change this on a running system.
- V-257847
- Title: RHEL 9 must use a separate file system for the system audit data path.
- NOTE: There is no way to safely change this on a running system.
- V-257848
- Title: RHEL 9 must use a separate file system for /var/tmp.
- NOTE: There is no way to safely change this on a running system.
- V-257850
- Title: RHEL 9 must prevent device files from being interpreted on file systems that contain user home directories.
- NOTE: The product will not enforce specific mountpoints or their options other than tmp mounts.
- V-257851
- Title: RHEL 9 must prevent files with the setuid and setgid bit set from being executed on file systems that contain user home directories.
- NOTE: The product will not enforce specific mountpoints or their options other than tmp mounts.
- V-257852
- Title: RHEL 9 must prevent code from being executed on file systems that contain user home directories.
- NOTE: The product will not enforce specific mountpoints or their options other than tmp mounts.
- V-257854
- Title: RHEL 9 must prevent special devices on file systems that are imported via Network File System (NFS).
- NOTE: There is no way to safely change this on a running system.
- V-257855
- Title: RHEL 9 must prevent code from being executed on file systems that are imported via Network File System (NFS).
- NOTE: There is no way to safely change this on a running system.
- V-257856
- Title: RHEL 9 must prevent files with the setuid and setgid bit set from being executed on file systems that are imported via Network File System (NFS).
- NOTE: There is no way to safely change this on a running system.
- V-257860
- Title: RHEL 9 must mount /boot with the nodev option.
- NOTE: There is no way to safely change this on a running system.
- V-257861
- Title: RHEL 9 must prevent files with the setuid and setgid bit set from being executed on the /boot directory.
- NOTE: There is no way to safely change this on a running system.
- V-257862
- Title: RHEL 9 must prevent files with the setuid and setgid bit set from being executed on the /boot/efi directory.
- NOTE: There is no way to safely change this on a running system.
- V-257869
- Title: RHEL 9 must mount /var with the nodev option.
- NOTE: The product will not enforce specific mountpoints or their options other than tmp mounts.
- V-257870
- Title: RHEL 9 must mount /var/log with the nodev option.
- NOTE: The product will not enforce specific mountpoints or their options other than tmp mounts.
- V-257871
- Title: RHEL 9 must mount /var/log with the noexec option.
- NOTE: The product will not enforce specific mountpoints or their options other than tmp mounts.
- V-257872
- Title: RHEL 9 must mount /var/log with the nosuid option.
- NOTE: The product will not enforce specific mountpoints or their options other than tmp mounts.
- V-257873
- Title: RHEL 9 must mount /var/log/audit with the nodev option.
- NOTE: The product will not enforce specific mountpoints or their options other than tmp mounts.
- V-257874
- Title: RHEL 9 must mount /var/log/audit with the noexec option.
- NOTE: The product will not enforce specific mountpoints or their options other than tmp mounts.
- V-257875
- Title: RHEL 9 must mount /var/log/audit with the nosuid option.
- NOTE: The product will not enforce specific mountpoints or their options other than tmp mounts.
- V-257881
- Title: RHEL 9 must prevent special devices on non-root local partitions.
- NOTE: The product will not enforce specific mountpoints or their options other than tmp mounts.
- V-257882
- Title: RHEL 9 system commands must have mode 755 or less permissive.
- NOTE: We do not currently have a mechanism for scanning the filesystem for enforcement.
- V-257883
- Title: RHEL 9 library directories must have mode 755 or less permissive.
- NOTE: We do not currently have a mechanism for scanning the filesystem for enforcement.
- V-257884
- Title: RHEL 9 library files must have mode 755 or less permissive.
- NOTE: We do not currently have a mechanism for scanning the filesystem for enforcement.
- V-257887
- Title: RHEL 9 audit tools must have a mode of 0755 or less permissive.
- NOTE: We do not currently have a mechanism for scanning the filesystem for enforcement.
- V-257918
- Title: RHEL 9 system commands must be owned by root.
- NOTE: We do not currently have a mechanism for scanning the filesystem for enforcement.
- V-257919
- Title: RHEL 9 system commands must be group-owned by root or a system account.
- NOTE: We do not currently have a mechanism for scanning the filesystem for enforcement.
- V-257920
- Title: RHEL 9 library files must be owned by root.
- NOTE: We do not currently have a mechanism for scanning the filesystem for enforcement.
- V-257921
- Title: RHEL 9 library files must be group-owned by root or a system account.
- NOTE: We do not currently have a mechanism for scanning the filesystem for enforcement.
- V-257922
- Title: RHEL 9 library directories must be owned by root.
- NOTE: We do not currently have a mechanism for scanning the filesystem for enforcement.
- V-257923
- Title: RHEL 9 library directories must be group-owned by root or a system account.
- NOTE: We do not currently have a mechanism for scanning the filesystem for enforcement.
- V-257924
- Title: RHEL 9 audit tools must be owned by root.
- NOTE: We do not currently have a mechanism for scanning the filesystem for enforcement.
- V-257925
- Title: RHEL 9 audit tools must be group-owned by root.
- NOTE: We do not currently have a mechanism for scanning the filesystem for enforcement.
- V-257941
- Title: RHEL 9 network interfaces must not be in promiscuous mode.
- NOTE: The product will not configure network interfaces automatically.
- V-258130
- Title: RHEL 9 must prevent system daemons from using Kerberos for authentication.
- NOTE: We do not currently have a mechanism for scanning the filesystem for enforcement.
- V-258149
- Title: RHEL 9 must be configured to forward audit records via TCP to a different system or media from the system being audited via rsyslog.
- NOTE: The product cannot set a specific remote logging server. The user will need to configure this manually.
- V-258155
- Title: RHEL 9 must allocate audit record storage capacity to store at least one week’s worth of audit records.
- NOTE: We cannot automate deciding how large a week’s worth of logs is. This is a manual process.
- V-258230
- Title: RHEL 9 must enable FIPS mode.
- NOTE: Turning FIPS mode on in a machine that isn’t already configured for it will cause connection issues to anything not configured to work in FIPS mode. It is more likely that the user will lose access to their systems or important services than that it will work out of the box.
- V-258231
- Title: RHEL 9 must employ FIPS 140-3 approved cryptographic hashing algorithms for all stored passwords.
- NOTE: Locking a user due to inappropriate encryption is not currently available in simp. A mechanism to address this rule will be implemented in a future release.
- V-258232
- Title: RHEL 9 IP tunnels must use FIPS 140-2/140-3 approved cryptographic algorithms.
- NOTE: There is currently no mechanism to control the content of /etc/ipsec.conf. One may be implemented in the future.
- V-258234
- Title: RHEL 9 must have the crypto-policies package installed.
- NOTE: Turning FIPS mode on in a machine that isn’t already configured for it will cause connection issues to anything not configured to work in FIPS mode. It is more likely that the user will lose access to their systems or important services than that it will work out of the box.
- V-258236
- Title: RHEL 9 crypto policy must not be overridden.
- NOTE: Turning FIPS mode on in a machine that isn’t already configured for it will cause connection issues to anything not configured to work in FIPS mode. It is more likely that the user will lose access to their systems or important services than that it will work out of the box.
- V-258237
- Title: RHEL 9 must use mechanisms meeting the requirements of applicable federal laws, executive orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module.
- NOTE: Turning FIPS mode on in a machine that isn’t already configured for it will cause connection issues to anything not configured to work in FIPS mode. It is more likely that the user will lose access to their systems or important services than that it will work out of the box.
- V-258238
- Title: RHEL 9 must implement DOD-approved TLS encryption in the GnuTLS package.
- NOTE: Turning FIPS mode on in a machine that isn’t already configured for it will cause connection issues to anything not configured to work in FIPS mode. It is more likely that the user will lose access to their systems or important services than that it will work out of the box.
- V-258239
- Title: RHEL 9 must implement DOD-approved encryption in the OpenSSL package.
- NOTE: There is currently no mechanism to control the content of /etc/crypto-policies/back-ends/opensslcnf.config. One may be implemented in the future.
- V-258240
- Title: RHEL 9 must implement DOD-approved TLS encryption in the OpenSSL package.
- NOTE: There is currently no mechanism to control the content of /etc/crypto-policies/back-ends/opensslcnf.config. One may be implemented in the future.
- V-258242
- Title: RHEL 9 must implement DOD-approved encryption in the bind package.
- NOTE: There is currently no mechanism to control the content of /etc/named.conf. One may be implemented in the future.
Mapped
The following controls are mapped:
OracleLinux 8 (229/244 [93%])
- V-248519
- Title: The OL 8 audit package must be installed.
- V-248520
- Title: OL 8 audit records must contain information to establish what type of events occurred, the source of events, where events occurred, and the outcome of events.
- V-248521
- Title: OL 8 must be a vendor-supported release.
- V-248524
- Title: OL 8 must implement NIST FIPS-validated cryptography for the following: To provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.
- NOTE: FIPS mode is enabled as requested by this rule; however, the scan still fails.
- V-248527
- Title: OL 8 must display a banner before granting local or remote access to the system via a graphical user logon.
- V-248533
- Title: OL 8 must encrypt all stored passwords with a FIPS 140-2 approved cryptographic hashing algorithm.
- V-248535
- Title: The OL 8 shadow password suite must be configured to use a sufficient number of hashing rounds.
- V-248537
- Title: OL 8 operating systems booted with United Extensible Firmware Interface (UEFI) must require authentication upon booting into single-user mode and maintenance.
- NOTE: The grub password will be set in /etc/grub2.conf to the password defined in simp_grub::password in hieradata.
- V-248540
- Title: OL 8 operating systems booted with a BIOS must require authentication upon booting into single-user and maintenance modes.
- NOTE: The grub password will be set in /etc/grub2.conf to the password defined in simp_grub::password in hieradata.
- V-248541
- Title: OL 8 operating systems must require authentication upon booting into rescue mode.
- V-248542
- Title: OL 8 operating systems must require authentication upon booting into emergency mode.
- V-248543
- Title: The OL 8 “pam_unix.so” module must be configured in the system-auth file to use a FIPS 140-2 approved cryptographic hashing algorithm for system authentication.
- V-248544
- Title: The OL 8 “pam_unix.so” module must be configured in the password-auth file to use a FIPS 140-2 approved cryptographic hashing algorithm for system authentication.
- V-248546
- Title: The krb5-workstation package must not be installed on OL 8.
- V-248547
- Title: The krb5-server package must not be installed on OL 8.
- V-248549
- Title: OL 8 must have the “policycoreutils” package installed.
- V-248552
- Title: OL 8 must be configured so that all network connections associated with SSH traffic terminate after becoming unresponsive.
- V-248554
- Title: The OL 8 “/var/log/messages” file must have mode 0640 or less permissive.
- V-248555
- Title: The OL 8 “/var/log/messages” file must be owned by root.
- V-248556
- Title: The OL 8 “/var/log/messages” file must be group-owned by root.
- V-248557
- Title: The OL 8 “/var/log” directory must have mode 0755 or less permissive.
- V-248558
- Title: The OL 8 “/var/log” directory must be owned by root.
- V-248559
- Title: The OL 8 “/var/log” directory must be group-owned by root.
- V-248563
- Title: The OL 8 SSH server must be configured to use strong entropy.
- V-248574
- Title: YUM must be configured to prevent the installation of patches, service packs, device drivers, or OL 8 system components that have not been digitally signed using a certificate that is recognized and approved by the organization.
- NOTE: Enabling gpgcheck globally is as close as we can get for this check; users may require access to private repos that might not have encryption set up appropriately.
- V-248575
- Title: OL 8 must prevent the installation of software, patches, service packs, device drivers, or operating system components of local packages without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization.
- NOTE: Enabling gpgcheck globally is as close as we can get for this check; users may require access to private repos that might not have encryption set up appropriately.
- V-248577
- Title: OL 8 must enable kernel parameters to enforce Discretionary Access Control (DAC) on symlinks.
- V-248578
- Title: OL 8 must enable kernel parameters to enforce Discretionary Access Control (DAC) on hardlinks.
- V-248579
- Title: OL 8 must restrict access to the kernel message buffer.
- V-248580
- Title: OL 8 must prevent kernel profiling by unprivileged users.
- V-248581
- Title: OL 8 must require users to provide a password for privilege escalation.
- NOTE: Enforcing this rule will only remove “!authenticate” from the /etc/sudoers file. Any custom files within /etc/sudoers.d will not be modified.
- V-248582
- Title: OL 8 must require users to reauthenticate for privilege escalation and changing roles.
- NOTE: Enforcing this rule will only remove “!authenticate” from the /etc/sudoers file. Any custom files within /etc/sudoers.d will not be modified.
- V-248583
- Title: OL 8 must restrict privilege elevation to authorized personnel.
- NOTE: There is currently no mechanism in the product to remove all occurrences of “ALL” from sudoers. A mechanism to report, but not change, the existence of this statement in sudoers will be implemented in a future release.
- V-248584
- Title: OL 8 must use the invoking user’s password for privilege escalation when using “sudo”.
- NOTE: Automatically remediating this could cause some automated processes that require root access to fail. Since this will be site-specific this will not be enforced.
- V-248585
- Title: OL 8 must require reauthentication when using the “sudo” command.
- V-248586
- Title: OL 8 must have the package required for multifactor authentication installed.
- V-248595
- Title: YUM must remove all software components after updated versions have been installed on OL 8.
- V-248596
- Title: OL 8 must enable the SELinux targeted policy.
- V-248597
- Title: There must be no “shosts.equiv” files on the OL 8 operating system.
- V-248598
- Title: There must be no “.shosts” files on the OL 8 operating system.
- NOTE: We do not currently have a mechanism for scanning the filesystem for enforcement.
- V-248601
- Title: The OL 8 SSH public host key files must have mode “0644” or less permissive.
- V-248602
- Title: The OL 8 SSH private host key files must have mode “0640” or less permissive.
- NOTE: The product parses the output of ‘sshd -T’ for the key that the system uses for communication and ensures that key is appropriately protected. The other keys in that location may not have the correct permissions applied. https://github.com/simp/pupmod-simp-ssh/issues/150 has been created to address this issue.
- V-248603
- Title: The OL 8 SSH daemon must perform strict mode checking of home directory configuration files.
- V-248605
- Title: The OL 8 SSH daemon must not allow authentication using known host’s authentication.
- V-248606
- Title: The OL 8 SSH daemon must not allow Kerberos authentication, except to fulfill documented and validated mission requirements.
- V-248607
- Title: The OL 8 SSH daemon must not allow GSSAPI authentication, except to fulfill documented and validated mission requirements.
- V-248608
- Title: OL 8 must use a separate file system for “/var”.
- NOTE: There is no way to safely change this on a running system.
- V-248609
- Title: OL 8 must use a separate file system for “/var/log”.
- NOTE: There is no way to safely change this on a running system.
- V-248610
- Title: OL 8 must use a separate file system for the system audit data path.
- NOTE: There is no way to safely change this on a running system.
- V-248611
- Title: OL 8 must use a separate file system for “/tmp”.
- NOTE: There is no way to safely change this on a running system.
- V-248613
- Title: OL 8 must not permit direct logons to the root account using remote access via SSH.
- V-248615
- Title: OL 8 must have the rsyslog service enabled and active.
- V-248617
- Title: OL 8 must prevent files with the setuid and setgid bit set from being executed on the /boot directory.
- NOTE: The product doesn’t configure mountpoints due to various data access issues that could occur.
- V-248624
- Title: OL 8 file systems must not execute binary files that are imported via Network File System (NFS).
- V-248626
- Title: OL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that are imported via Network File System (NFS).
- NOTE: The product doesn’t configure mountpoints due to various data access issues that could occur.
- V-248629
- Title: OL 8 must disable the “kernel.core_pattern”.
- NOTE: The kernel.yama.ptrace_scope sysctl setting is set to 1 in /etc/sysctl.conf and /etc/sysctl.d/99-sysctl.conf; however, the test still fails.
- V-248632
- Title: OL 8 must disable storing core dumps.
- V-248633
- Title: OL 8 must disable core dump backtraces.
- V-248644
- Title: All OL 8 local interactive user accounts must be assigned a home directory upon creation.
- V-248649
- Title: Unattended or automatic logon via the OL 8 graphical user interface must not be allowed.
- V-248650
- Title: OL 8 must not allow users to override SSH environment variables.
- V-248652
- Title: OL 8 systems below version 8.2 must automatically lock an account when three unsuccessful logon attempts occur.
- V-248653
- Title: OL 8 systems, versions 8.2 and above, must automatically lock an account when three unsuccessful logon attempts occur.
- V-248654
- Title: OL 8 systems below version 8.2 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period.
- V-248655
- Title: OL 8 systems, versions 8.2 and above, must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period.
- V-248656
- Title: OL 8 systems below version 8.2 must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period.
- V-248657
- Title: OL 8 systems, versions 8.2 and above, must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period.
- V-248660
- Title: OL 8 systems below version 8.2 must prevent system messages from being presented when three unsuccessful logon attempts occur.
- V-248661
- Title: OL 8 systems, versions 8.2 and above, must prevent system messages from being presented when three unsuccessful logon attempts occur.
- V-248662
- Title: OL 8 systems below version 8.2 must log user name information when unsuccessful logon attempts occur.
- V-248663
- Title: OL 8 systems, versions 8.2 and above, must log user name information when unsuccessful logon attempts occur.
- V-248664
- Title: OL 8 systems below version 8.2 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period.
- V-248665
- Title: OL 8 systems, versions 8.2 and above, must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period.
- V-248666
- Title: OL 8 must limit the number of concurrent sessions to 10 for all accounts and/or account types.
- V-248674
- Title: OL 8 must have the tmux package installed.
- NOTE: While it won’t explicitly remove tmux from the list of shells, including the useradd class will remove any unapproved shells from /etc/shells, including tmux.
- V-248675
- Title: OL 8 must enable a user session lock until that user re-establishes access using established identification and authentication procedures for command line sessions.
- NOTE: While it won’t explicitly remove tmux from the list of shells, including the useradd class will remove any unapproved shells from /etc/shells, including tmux.
- V-248677
- Title: OL 8 must prevent users from disabling session control mechanisms.
- NOTE: While it won’t explicitly remove tmux from the list of shells, including the useradd class will remove any unapproved shells from /etc/shells, including tmux.
- V-248686
- Title: OL 8 must ensure the password complexity module is enabled in the password-auth file.
- V-248687
- Title: OL 8 must enforce password complexity by requiring that at least one uppercase character be used.
- V-248688
- Title: OL 8 must enforce password complexity by requiring that at least one lowercase character be used.
- V-248689
- Title: OL 8 must enforce password complexity by requiring that at least one numeric character be used.
- V-248690
- Title: OL 8 must require the maximum number of repeating characters of the same character class be limited to four when passwords are changed.
- V-248691
- Title: OL 8 must require the maximum number of repeating characters be limited to three when passwords are changed.
- V-248692
- Title: OL 8 must require the change of at least four character classes when passwords are changed.
- V-248693
- Title: OL 8 must require the change of at least eight characters when passwords are changed.
- V-248694
- Title: OL 8 passwords for new users or password changes must have a 24 hours/one day minimum password lifetime restriction in “/etc/shadow”.
- NOTE: We do not currently have the ability to identify and remediate existing users who do not have this set appropriately, only new users.
- V-248695
- Title: OL 8 passwords for new users or password changes must have a 24 hours/one day minimum password lifetime restriction in “/etc/login.defs”.
- NOTE: We do not currently have the ability to identify and remediate existing users who do not have this set appropriately, only new users.
- V-248696
- Title: OL 8 user account passwords must have a 60-day maximum password lifetime restriction.
- NOTE: We do not currently have the ability to identify and remediate existing users who do not have this set appropriately, only new users.
- V-248697
- Title: OL 8 user account passwords must be configured so that existing passwords are restricted to a 60-day maximum lifetime.
- NOTE: We do not currently have the ability to identify and remediate existing users who do not have this set appropriately, only new users.
- V-248699
- Title: OL 8 passwords must have a minimum of 15 characters.
- V-248700
- Title: OL 8 passwords for new users must have a minimum of 15 characters.
- V-248705
- Title: The OL 8 lastlog command must have a mode of “0750” or less permissive.
- V-248706
- Title: The OL 8 lastlog command must be owned by root.
- V-248707
- Title: The OL 8 lastlog command must be group-owned by root.
- V-248709
- Title: All OL 8 passwords must contain at least one special character.
- V-248710
- Title: OL 8 must prohibit the use of cached authentications after one day.
- V-248711
- Title: OL 8 must prevent the use of dictionary words for passwords.
- V-248712
- Title: OL 8 must enforce a delay of at least four seconds between logon prompts following a failed logon attempt.
- V-248714
- Title: OL 8 must not allow accounts configured with blank or null passwords.
- V-248715
- Title: OL 8 must not allow blank or null passwords in the system-auth file.
- V-248716
- Title: OL 8 must not allow blank or null passwords in the password-auth file.
- V-248717
- Title: OL 8 must display the date and time of the last successful account logon upon logon.
- *NOTE: This check will fail if there is a commented-out line that looks like “#PrintLastLog = ” even if the correct value of “PrintLastLog = true” exists in the /etc/ssh/sshd_config file.*
- V-248718
- Title: OL 8 must display the date and time of the last successful account logon upon an SSH logon.
- V-248719
- Title: OL 8 default permissions must be defined in such a way that all authenticated users can read and modify only their own files.
- V-248722
- Title: The OL 8 audit system must be configured to audit the execution of privileged functions and prevent all software from executing at higher privilege levels than users executing the software.
- V-248724
- Title: The OL 8 System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) must be alerted of an audit processing failure event.
- V-248726
- Title: The OL 8 System must take appropriate action when an audit processing failure occurs.
- V-248728
- Title: The OL 8 audit system must take appropriate action when the audit storage volume is full.
- V-248729
- Title: The OL 8 audit system must audit local events.
- V-248730
- Title: OL 8 must label all offloaded audit logs before sending them to the central log server.
- V-248731
- Title: OL 8 must resolve audit information before writing to disk.
- V-248732
- Title: OL 8 audit logs must have a mode of “0600” or less permissive to prevent unauthorized read access.
- V-248733
- Title: OL 8 audit logs must be owned by root to prevent unauthorized read access.
- V-248734
- Title: OL 8 audit logs must be group-owned by root to prevent unauthorized read access.
- V-248735
- Title: The OL 8 audit log directory must be owned by root to prevent unauthorized read access.
- V-248736
- Title: The OL 8 audit log directory must be group-owned by root to prevent unauthorized read access.
- V-248737
- Title: The OL 8 audit log directory must have a mode of 0700 or less permissive to prevent unauthorized read access.
- V-248738
- Title: The OL 8 audit system must protect auditing rules from unauthorized change.
- V-248739
- Title: The OL 8 audit system must protect logon UIDs from unauthorized change.
- V-248740
- Title: OL 8 must generate audit records for all account creation events that affect “/etc/shadow”.
- V-248741
- Title: OL 8 must generate audit records for all account creation events that affect “/etc/security/opasswd”.
- V-248742
- Title: OL 8 must generate audit records for all account creation events that affect “/etc/passwd”.
- V-248743
- Title: OL 8 must generate audit records for all account creation events that affect “/etc/gshadow”.
- V-248744
- Title: OL 8 must generate audit records for all account creation events that affect “/etc/group”.
- V-248745
- Title: OL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect “/etc/sudoers”.
- V-248746
- Title: OL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect “/etc/sudoers.d/”.
- V-248747
- Title: OL 8 must generate audit records for any use of the “su” command.
- V-248748
- Title: The OL 8 audit system must be configured to audit any use of the “setxattr”, “fsetxattr”, “lsetxattr”, “removexattr”, “fremovexattr”, and “lremovexattr” system calls.
- V-248753
- Title: OL 8 must generate audit records for any use of the “chage” command.
- V-248754
- Title: OL 8 must generate audit records for any uses of the “chcon” command.
- V-248756
- Title: OL 8 must generate audit records for any use of the “ssh-agent” command.
- V-248757
- Title: OL 8 must generate audit records for any use of the “passwd” command.
- V-248758
- Title: OL 8 must generate audit records for any use of the “mount” command.
- V-248759
- Title: OL 8 must generate audit records for any use of the “umount” command.
- V-248760
- Title: OL 8 must generate audit records for any use of the “mount” syscall.
- V-248761
- Title: OL 8 must generate audit records for any use of the “unix_update” command.
- V-248762
- Title: OL 8 must generate audit records for any use of the “postdrop” command.
- V-248763
- Title: OL 8 must generate audit records for any use of the “postqueue” command.
- V-248764
- Title: OL 8 must generate audit records for any use of the “semanage” command.
- V-248765
- Title: OL 8 must generate audit records for any use of the “setfiles” command.
- V-248766
- Title: OL 8 must generate audit records for any use of the “userhelper” command.
- V-248767
- Title: OL 8 must generate audit records for any use of the “setsebool” command.
- V-248768
- Title: OL 8 must generate audit records for any use of the “unix_chkpwd” command.
- V-248769
- Title: OL 8 must generate audit records for any use of the “ssh-keysign” command.
- V-248770
- Title: OL 8 must generate audit records for any use of the “setfacl” command.
- V-248771
- Title: OL 8 must generate audit records for any use of the “pam_timestamp_check” command.
- V-248772
- Title: OL 8 must generate audit records for any use of the “newgrp” command.
- V-248773
- Title: OL 8 must generate audit records for any use of the “init_module” and “finit_module” system calls.
- V-248774
- Title: OL 8 must generate audit records for any use of the “rename”, “unlink”, “rmdir”, “renameat”, and “unlinkat” system calls.
- V-248779
- Title: OL 8 must generate audit records for any use of the “gpasswd” command.
- V-248781
- Title: OL 8 must generate audit records for any use of the delete_module syscall.
- V-248782
- Title: OL 8 must generate audit records for any use of the “crontab” command.
- V-248783
- Title: OL 8 must generate audit records for any use of the “chsh” command.
- V-248784
- Title: OL 8 must generate audit records for any use of the “truncate”, “ftruncate”, “creat”, “open”, “openat”, and “open_by_handle_at” system calls.
- V-248790
- Title: OL 8 must generate audit records for any use of the “chown”, “fchown”, “fchownat”, and “lchown” system calls.
- V-248791
- Title: OL 8 must generate audit records for any use of the “chmod”, “fchmod”, and “fchmodat” system calls.
- V-248797
- Title: OL 8 must generate audit records for any use of the “sudo” command.
- V-248798
- Title: OL 8 must generate audit records for any use of the “usermod” command.
- V-248799
- Title: OL 8 must generate audit records for any use of the “chacl” command.
- V-248800
- Title: OL 8 must generate audit records for any use of the “kmod” command.
- V-248802
- Title: OL 8 must generate audit records for any attempted modifications to the “lastlog” file.
- V-248806
- Title: OL 8 must allow only the Information System Security Manager (ISSM) (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited.
- NOTE: The product will set the mode of the files referenced in this rule to “700” and “600” rather than “750” and “640”. This will lock down the files and keep them secure so only admins and ISSMs can access them.
- V-248812
- Title: OL 8 must have the packages required for offloading audit logs installed.
- V-248813
- Title: OL 8 must have the packages required for encrypting offloaded audit logs installed.
- V-248815
- Title: OL 8 must take appropriate action when the internal event queue is full.
- V-248818
- Title: OL 8 must take action when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity.
- V-248821
- Title: OL 8 must disable the chrony daemon from acting as a server.
- V-248822
- Title: OL 8 must disable network management of the chrony daemon.
- V-248823
- Title: OL 8 must not have the telnet-server package installed.
- V-248824
- Title: OL 8 must not have any automated bug reporting tools installed.
- V-248825
- Title: OL 8 must not have the sendmail package installed.
- V-248827
- Title: OL 8 must not have the rsh-server package installed.
- V-248829
- Title: OL 8 must not have the asynchronous transfer mode (ATM) kernel module installed if not required for operational support.
- V-248830
- Title: OL 8 must not have the Controller Area Network (CAN) kernel module installed if not required for operational support.
- V-248831
- Title: OL 8 must not have the stream control transmission protocol (SCTP) kernel module installed if not required for operational support.
- V-248832
- Title: OL 8 must disable the transparent inter-process communication (TIPC) protocol.
- V-248833
- Title: OL 8 must disable mounting of cramfs.
- V-248834
- Title: OL 8 must disable IEEE 1394 (FireWire) Support.
- V-248837
- Title: OL 8 must be configured to disable the ability to use USB mass storage devices.
- V-248840
- Title: A firewall must be installed on OL 8.
- V-248841
- Title: A firewall must be active on OL 8.
- V-248843
- Title: OL 8 Bluetooth must be disabled.
- NOTE: /etc/modprobe.d/bluetooth.conf contains the content “install bluetooth /bin/false” as requested; however, the test appears to skip the evaluation of this file and instead looks for “blacklist bluetooth”, which makes the test fail.
- V-248844
- Title: OL 8 must mount “/dev/shm” with the “nodev” option.
- NOTE: The product will control tmp via a bind mount. The scan will fail because it expects tmp to be configured in /etc/fstab.
- V-248845
- Title: OL 8 must mount “/dev/shm” with the “nosuid” option.
- NOTE: The product will control tmp via a bind mount. The scan will fail because it expects tmp to be configured in /etc/fstab.
- V-248846
- Title: OL 8 must mount “/dev/shm” with the “noexec” option.
- NOTE: The product will control tmp via a bind mount. The scan will fail because it expects tmp to be configured in /etc/fstab.
- V-248847
- Title: OL 8 must mount “/tmp” with the “nodev” option.
- NOTE: The product will control tmp via a bind mount. The scan will fail because it expects tmp to be configured in /etc/fstab.
- V-248848
- Title: OL 8 must mount “/tmp” with the “nosuid” option.
- NOTE: The product will control tmp via a bind mount. The scan will fail because it expects tmp to be configured in /etc/fstab.
- V-248849
- Title: OL 8 must mount “/tmp” with the “noexec” option.
- NOTE: The product will control tmp via a bind mount. The scan will fail because it expects tmp to be configured in /etc/fstab.
- V-248856
- Title: OL 8 must mount “/var/tmp” with the “nodev” option.
- NOTE: The product will control tmp via a bind mount. The scan will fail because it expects tmp to be configured in /etc/fstab.
- V-248857
- Title: OL 8 must mount “/var/tmp” with the “nosuid” option.
- NOTE: The product will control tmp via a bind mount. The scan will fail because it expects tmp to be configured in /etc/fstab.
- V-248858
- Title: OL 8 must mount “/var/tmp” with the “noexec” option.
- NOTE: The product will control tmp via a bind mount. The scan will fail because it expects tmp to be configured in /etc/fstab.
- V-248859
- Title: The OL 8 “fapolicy” module must be installed.
- V-248862
- Title: OL 8 must have the USBGuard installed.
- V-248867
- Title: All OL 8 networked systems must have and implement SSH to protect the confidentiality and integrity of transmitted and received information, as well as information during preparation for transmission.
- V-248868
- Title: OL 8 must force a frequent session key renegotiation for SSH connections to the server.
- V-248870
- Title: The x86 Ctrl-Alt-Delete key sequence in OL 8 must be disabled if a graphical user interface is installed.
- V-248871
- Title: OL 8 must disable the systemd Ctrl-Alt-Delete burst key sequence.
- V-248873
- Title: The Trivial File Transfer Protocol (TFTP) server package must not be installed if not required for OL 8 operational support.
- V-248874
- Title: The root account must be the only account having unrestricted access to the OL 8 system.
- V-248875
- Title: OL 8 must prevent IPv4 Internet Control Message Protocol (ICMP) redirect messages from being accepted.
- V-248876
- Title: OL 8 must prevent IPv6 Internet Control Message Protocol (ICMP) redirect messages from being accepted.
- V-248877
- Title: OL 8 must not send Internet Control Message Protocol (ICMP) redirects.
- V-248878
- Title: OL 8 must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address.
- V-248879
- Title: OL 8 must not forward IPv4 source-routed packets.
- V-248880
- Title: OL 8 must not forward IPv6 source-routed packets.
- V-248881
- Title: OL 8 must not forward IPv4 source-routed packets by default.
- V-248882
- Title: OL 8 must not forward IPv6 source-routed packets by default.
- V-248883
- Title: OL 8 must not enable IPv6 packet forwarding unless the system is a router.
- V-248884
- Title: OL 8 must not accept router advertisements on all IPv6 interfaces.
- V-248885
- Title: OL 8 must not accept router advertisements on all IPv6 interfaces by default.
- V-248886
- Title: OL 8 must not allow interfaces to perform Internet Control Message Protocol (ICMP) redirects by default.
- V-248887
- Title: OL 8 must ignore IPv4 Internet Control Message Protocol (ICMP) redirect messages.
- V-248888
- Title: OL 8 must ignore IPv6 Internet Control Message Protocol (ICMP) redirect messages.
- V-248889
- Title: OL 8 must disable access to the network “bpf” syscall from unprivileged processes.
- NOTE: The kernel.yama.ptrace_scope sysctl setting is set to 1 in /etc/sysctl.conf and /etc/sysctl.d/99-sysctl.conf; however, the test still fails.
- V-248890
- Title: OL 8 must restrict the use of “ptrace” to descendant processes.
- NOTE: The kernel.yama.ptrace_scope sysctl setting is set to 1 in /etc/sysctl.conf and /etc/sysctl.d/99-sysctl.conf; however, the test still fails.
- V-248891
- Title: OL 8 must restrict exposed kernel pointer addresses access.
- NOTE: The kernel.yama.ptrace_scope sysctl setting is set to 1 in /etc/sysctl.conf and /etc/sysctl.d/99-sysctl.conf; however, the test still fails.
- V-248892
- Title: OL 8 must disable the use of user namespaces.
- V-248893
- Title: OL 8 must use reverse path filtering on all IPv4 interfaces.
- V-248894
- Title: OL 8 must enable hardening for the Berkeley Packet Filter Just-in-time compiler.
- V-248895
- Title: OL 8 must be configured to prevent unrestricted mail relaying.
- V-248900
- Title: OL 8 remote X connections for interactive users must be disabled unless to fulfill documented and validated mission requirements.
- V-248901
- Title: The OL 8 SSH daemon must prevent remote hosts from connecting to the proxy display.
- NOTE: The UsePrivilegeSeparation SSH server config option was deprecated in OpenSSH version 7.4; the product won’t use this parameter unless the OpenSSH version is less than 7.4.
- V-248902
- Title: If the Trivial File Transfer Protocol (TFTP) server is required, the OL 8 TFTP daemon must be configured to operate in secure mode.
- V-248903
- Title: A File Transfer Protocol (FTP) server package must not be installed unless mission essential on OL 8.
- V-248904
- Title: OL 8 must not have the “gssproxy” package installed if not required for operational support.
- V-248905
- Title: OL 8 must not have the “iprutils” package installed if not required for operational support.
- V-248906
- Title: OL 8 must not have the “tuned” package installed if not required for operational support.
- V-252658
- Title: OL 8 systems below version 8.4 must ensure the password complexity module in the system-auth file is configured for three retries or less.
- V-257259
- Title: OL 8 must terminate idle user sessions.
RedHat 8 (213/230 [92%])
- V-230231
- Title: RHEL 8 must encrypt all stored passwords with a FIPS 140-2 approved cryptographic hashing algorithm.
- V-230233
- Title: The RHEL 8 shadow password suite must be configured to use a sufficient number of hashing rounds.
- V-230236
- Title: RHEL 8 operating systems must require authentication upon booting into rescue mode.
- V-230237
- Title: The RHEL 8 pam_unix.so module must be configured in the password-auth file to use a FIPS 140-2 approved cryptographic hashing algorithm for system authentication.
- V-230239
- Title: The krb5-workstation package must not be installed on RHEL 8.
- V-230241
- Title: RHEL 8 must have policycoreutils package installed.
- V-230244
- Title: RHEL 8 must be configured so that all network connections associated with SSH traffic terminate after becoming unresponsive.
- V-230245
- Title: The RHEL 8 /var/log/messages file must have mode 0640 or less permissive.
- V-230246
- Title: The RHEL 8 /var/log/messages file must be owned by root.
- V-230247
- Title: The RHEL 8 /var/log/messages file must be group-owned by root.
- V-230248
- Title: The RHEL 8 /var/log directory must have mode 0755 or less permissive.
- V-230249
- Title: The RHEL 8 /var/log directory must be owned by root.
- V-230250
- Title: The RHEL 8 /var/log directory must be group-owned by root.
- V-230253
- Title: RHEL 8 must ensure the SSH server uses strong entropy.
- V-230255
- Title: The RHEL 8 operating system must implement DoD-approved TLS encryption in the OpenSSL package.
- V-230265
- Title: RHEL 8 must prevent the installation of software, patches, service packs, device drivers, or operating system components of local packages without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization.
- V-230266
- Title: RHEL 8 must prevent the loading of a new kernel for later execution.
- V-230267
- Title: RHEL 8 must enable kernel parameters to enforce discretionary access control on symlinks.
- V-230268
- Title: RHEL 8 must enable kernel parameters to enforce discretionary access control on hardlinks.
- V-230269
- Title: RHEL 8 must restrict access to the kernel message buffer.
- V-230270
- Title: RHEL 8 must prevent kernel profiling by unprivileged users.
- V-230271
- Title: RHEL 8 must require users to provide a password for privilege escalation.
- NOTE: Enforcing this rule will only remove “!authenticate” from the /etc/sudoers file. Any custom files within /etc/sudoers.d will not be modified.
- V-230272
- Title: RHEL 8 must require users to reauthenticate for privilege escalation.
- NOTE: Enforcing this rule will only remove “!authenticate” from the /etc/sudoers file. Any custom files within /etc/sudoers.d will not be modified.
- V-230273
- Title: RHEL 8 must have the packages required for multifactor authentication installed.
- V-230280
- Title: RHEL 8 must implement address space layout randomization (ASLR) to protect its memory from unauthorized code execution.
- V-230281
- Title: YUM must remove all software components after updated versions have been installed on RHEL 8.
- V-230282
- Title: RHEL 8 must enable the SELinux targeted policy.
- V-230283
- Title: There must be no shosts.equiv files on the RHEL 8 operating system.
- V-230284
- Title: There must be no .shosts files on the RHEL 8 operating system.
- NOTE: We do not currently have a mechanism for scanning the filesystem for enforcement.
- V-230286
- Title: The RHEL 8 SSH public host key files must have mode 0644 or less permissive.
- V-230287
- Title: The RHEL 8 SSH private host key files must have mode 0640 or less permissive.
- NOTE: The product parses the output of ‘sshd -T’ for the key that the system uses for communication and ensures that key is appropriately protected. The other keys in that location may not have the correct permissions applied. https://github.com/simp/pupmod-simp-ssh/issues/150 has been created to address this issue.
- V-230288
- Title: The RHEL 8 SSH daemon must perform strict mode checking of home directory configuration files.
- V-230290
- Title: The RHEL 8 SSH daemon must not allow authentication using known host’s authentication.
- V-230291
- Title: The RHEL 8 SSH daemon must not allow Kerberos authentication, except to fulfill documented and validated mission requirements.
- V-230292
- Title: RHEL 8 must use a separate file system for /var.
- NOTE: There is no way to safely change this on a running system.
- V-230293
- Title: RHEL 8 must use a separate file system for /var/log.
- NOTE: There is no way to safely change this on a running system.
- V-230294
- Title: RHEL 8 must use a separate file system for the system audit data path.
- NOTE: There is no way to safely change this on a running system.
- V-230295
- Title: A separate RHEL 8 filesystem must be used for the /tmp directory.
- NOTE: There is no way to safely change this on a running system.
- V-230296
- Title: RHEL 8 must not permit direct logons to the root account using remote access via SSH.
- V-230298
- Title: The rsyslog service must be running in RHEL 8.
- V-230300
- Title: RHEL 8 must prevent files with the setuid and setgid bit set from being executed on the /boot directory.
- NOTE: The product doesn’t configure mountpoints due to various data access issues that could happen.
- V-230306
- Title: RHEL 8 must prevent code from being executed on file systems that are imported via Network File System (NFS).
- V-230308
- Title: RHEL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that are imported via Network File System (NFS).
- NOTE: The product doesn’t configure mountpoints due to various data access issues that could happen.
- V-230311
- Title: RHEL 8 must disable the kernel.core_pattern.
- NOTE: The kernel.yama.ptrace_scope sysctl setting is set to 1 in /etc/sysctl.conf and /etc/sysctl.d/99-sysctl.conf; however, the test still fails.
- V-230313
- Title: RHEL 8 must disable core dumps for all users.
- V-230314
- Title: RHEL 8 must disable storing core dumps.
- V-230315
- Title: RHEL 8 must disable core dump backtraces.
- V-230324
- Title: All RHEL 8 local interactive user accounts must be assigned a home directory upon creation.
- V-230330
- Title: RHEL 8 must not allow users to override SSH environment variables.
- V-230332
- Title: RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur.
- V-230333
- Title: RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur.
- V-230334
- Title: RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period.
- V-230335
- Title: RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period.
- V-230336
- Title: RHEL 8 must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period.
- V-230337
- Title: RHEL 8 must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period.
- V-230340
- Title: RHEL 8 must prevent system messages from being presented when three unsuccessful logon attempts occur.
- V-230341
- Title: RHEL 8 must prevent system messages from being presented when three unsuccessful logon attempts occur.
- V-230342
- Title: RHEL 8 must log user name information when unsuccessful logon attempts occur.
- V-230343
- Title: RHEL 8 must log user name information when unsuccessful logon attempts occur.
- V-230344
- Title: RHEL 8 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period.
- V-230345
- Title: RHEL 8 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period.
- V-230346
- Title: RHEL 8 must limit the number of concurrent sessions to ten for all accounts and/or account types.
- V-230356
- Title: RHEL 8 must ensure the password complexity module is enabled in the password-auth file.
- V-230357
- Title: RHEL 8 must enforce password complexity by requiring that at least one uppercase character be used.
- V-230358
- Title: RHEL 8 must enforce password complexity by requiring that at least one lower-case character be used.
- V-230359
- Title: RHEL 8 must enforce password complexity by requiring that at least one numeric character be used.
- V-230360
- Title: RHEL 8 must require the maximum number of repeating characters of the same character class be limited to four when passwords are changed.
- V-230361
- Title: RHEL 8 must require the maximum number of repeating characters be limited to three when passwords are changed.
- V-230362
- Title: RHEL 8 must require the change of at least four character classes when passwords are changed.
- V-230363
- Title: RHEL 8 must require the change of at least 8 characters when passwords are changed.
- V-230364
- Title: RHEL 8 passwords must have a 24 hours/1 day minimum password lifetime restriction in /etc/shadow.
- NOTE: We do not currently have the ability to identify and remediate existing users who do not have this set appropriately, only new users.
- V-230365
- Title: RHEL 8 passwords for new users or password changes must have a 24 hours/1 day minimum password lifetime restriction in /etc/login.defs.
- NOTE: We do not currently have the ability to identify and remediate existing users who do not have this set appropriately, only new users.
- V-230366
- Title: RHEL 8 user account passwords must have a 60-day maximum password lifetime restriction.
- V-230367
- Title: RHEL 8 user account passwords must be configured so that existing passwords are restricted to a 60-day maximum lifetime.
- V-230369
- Title: RHEL 8 passwords must have a minimum of 15 characters.
- V-230370
- Title: RHEL 8 passwords for new users must have a minimum of 15 characters.
- V-230373
- Title: RHEL 8 account identifiers (individuals, groups, roles, and devices) must be disabled after 35 days of inactivity.
- V-230375
- Title: All RHEL 8 passwords must contain at least one special character.
- V-230376
- Title: RHEL 8 must prohibit the use of cached authentications after one day.
- V-230377
- Title: RHEL 8 must prevent the use of dictionary words for passwords.
- V-230378
- Title: RHEL 8 must enforce a delay of at least four seconds between logon prompts following a failed logon attempt.
- V-230380
- Title: RHEL 8 must not allow accounts configured with blank or null passwords.
- V-230381
- Title: RHEL 8 must display the date and time of the last successful account logon upon logon.
- *NOTE: This check will fail if there is a commented-out line that looks like “#PrintLastLog = ” even if the correct value of “PrintLastLog = true” exists in the /etc/ssh/sshd_config file.*
- V-230382
- Title: RHEL 8 must display the date and time of the last successful account logon upon an SSH logon.
- V-230383
- Title: RHEL 8 must define default permissions for all authenticated users in such a way that the user can only read and modify their own files.
- V-230386
- Title: The RHEL 8 audit system must be configured to audit the execution of privileged functions and prevent all software from executing at higher privilege levels than users executing the software.
- V-230388
- Title: The RHEL 8 System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) must be alerted of an audit processing failure event.
- V-230390
- Title: The RHEL 8 System must take appropriate action when an audit processing failure occurs.
- V-230392
- Title: The RHEL 8 audit system must take appropriate action when the audit storage volume is full.
- V-230393
- Title: The RHEL 8 audit system must audit local events.
- V-230394
- Title: RHEL 8 must label all off-loaded audit logs before sending them to the central log server.
- V-230395
- Title: RHEL 8 must resolve audit information before writing to disk.
- V-230396
- Title: RHEL 8 audit logs must have a mode of 0600 or less permissive to prevent unauthorized read access.
- V-230397
- Title: RHEL 8 audit logs must be owned by root to prevent unauthorized read access.
- V-230398
- Title: RHEL 8 audit logs must be group-owned by root to prevent unauthorized read access.
- V-230399
- Title: RHEL 8 audit log directory must be owned by root to prevent unauthorized read access.
- V-230400
- Title: RHEL 8 audit log directory must be group-owned by root to prevent unauthorized read access.
- V-230401
- Title: RHEL 8 audit log directory must have a mode of 0700 or less permissive to prevent unauthorized read access.
- V-230402
- Title: RHEL 8 audit system must protect auditing rules from unauthorized change.
- V-230403
- Title: RHEL 8 audit system must protect logon UIDs from unauthorized change.
- V-230404
- Title: RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow.
- V-230405
- Title: RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/security/opasswd.
- V-230406
- Title: RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd.
- V-230407
- Title: RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/gshadow.
- V-230408
- Title: RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/group.
- V-230409
- Title: RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/sudoers.
- V-230410
- Title: RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/sudoers.d/.
- V-230411
- Title: The RHEL 8 audit package must be installed.
- V-230412
- Title: Successful/unsuccessful uses of the su command in RHEL 8 must generate an audit record.
- V-230413
- Title: The RHEL 8 audit system must be configured to audit any usage of the setxattr, fsetxattr, lsetxattr, removexattr, fremovexattr, and lremovexattr system calls.
- V-230418
- Title: Successful/unsuccessful uses of the chage command in RHEL 8 must generate an audit record.
- V-230419
- Title: Successful/unsuccessful uses of the chcon command in RHEL 8 must generate an audit record.
- V-230421
- Title: Successful/unsuccessful uses of the ssh-agent in RHEL 8 must generate an audit record.
- V-230422
- Title: Successful/unsuccessful uses of the passwd command in RHEL 8 must generate an audit record.
- V-230423
- Title: Successful/unsuccessful uses of the mount command in RHEL 8 must generate an audit record.
- V-230424
- Title: Successful/unsuccessful uses of the umount command in RHEL 8 must generate an audit record.
- V-230425
- Title: Successful/unsuccessful uses of the mount syscall in RHEL 8 must generate an audit record.
- V-230426
- Title: Successful/unsuccessful uses of the unix_update in RHEL 8 must generate an audit record.
- V-230427
- Title: Successful/unsuccessful uses of postdrop in RHEL 8 must generate an audit record.
- V-230428
- Title: Successful/unsuccessful uses of postqueue in RHEL 8 must generate an audit record.
- V-230429
- Title: Successful/unsuccessful uses of semanage in RHEL 8 must generate an audit record.
- V-230430
- Title: Successful/unsuccessful uses of setfiles in RHEL 8 must generate an audit record.
- V-230431
- Title: Successful/unsuccessful uses of userhelper in RHEL 8 must generate an audit record.
- V-230432
- Title: Successful/unsuccessful uses of setsebool in RHEL 8 must generate an audit record.
- V-230433
- Title: Successful/unsuccessful uses of unix_chkpwd in RHEL 8 must generate an audit record.
- V-230434
- Title: Successful/unsuccessful uses of the ssh-keysign in RHEL 8 must generate an audit record.
- V-230435
- Title: Successful/unsuccessful uses of the setfacl command in RHEL 8 must generate an audit record.
- V-230436
- Title: Successful/unsuccessful uses of the pam_timestamp_check command in RHEL 8 must generate an audit record.
- V-230437
- Title: Successful/unsuccessful uses of the newgrp command in RHEL 8 must generate an audit record.
- V-230438
- Title: Successful/unsuccessful uses of the init_module and finit_module system calls in RHEL 8 must generate an audit record.
- V-230439
- Title: Successful/unsuccessful uses of the rename, unlink, rmdir, renameat, and unlinkat system calls in RHEL 8 must generate an audit record.
- V-230444
- Title: Successful/unsuccessful uses of the gpasswd command in RHEL 8 must generate an audit record.
- V-230446
- Title: Successful/unsuccessful uses of the delete_module command in RHEL 8 must generate an audit record.
- V-230447
- Title: Successful/unsuccessful uses of the crontab command in RHEL 8 must generate an audit record.
- V-230448
- Title: Successful/unsuccessful uses of the chsh command in RHEL 8 must generate an audit record.
- V-230449
- Title: Successful/unsuccessful uses of the truncate, ftruncate, creat, open, openat, and open_by_handle_at system calls in RHEL 8 must generate an audit record.
- V-230455
- Title: Successful/unsuccessful uses of the chown, fchown, fchownat, and lchown system calls in RHEL 8 must generate an audit record.
- V-230456
- Title: Successful/unsuccessful uses of the chmod, fchmod, and fchmodat system calls in RHEL 8 must generate an audit record.
- V-230462
- Title: Successful/unsuccessful uses of the sudo command in RHEL 8 must generate an audit record.
- V-230463
- Title: Successful/unsuccessful uses of the usermod command in RHEL 8 must generate an audit record.
- V-230464
- Title: Successful/unsuccessful uses of the chacl command in RHEL 8 must generate an audit record.
- V-230465
- Title: Successful/unsuccessful uses of the kmod command in RHEL 8 must generate an audit record.
- V-230467
- Title: Successful/unsuccessful modifications to the lastlog file in RHEL 8 must generate an audit record.
- V-230471
- Title: RHEL 8 must allow only the Information System Security Manager (ISSM) (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited.
- NOTE: The product will set the mode of the files referenced in this rule to “700” and “600” rather than “750” and “640”. This locks the files down so that only admins and ISSMs can access them.
- V-230472
- Title: RHEL 8 audit tools must have a mode of 0755 or less permissive.
- V-230473
- Title: RHEL 8 audit tools must be owned by root.
- V-230474
- Title: RHEL 8 audit tools must be group-owned by root.
- V-230477
- Title: RHEL 8 must have the packages required for offloading audit logs installed.
- V-230478
- Title: RHEL 8 must have the packages required for encrypting offloaded audit logs installed.
- V-230480
- Title: RHEL 8 must take appropriate action when the internal event queue is full.
- V-230483
- Title: RHEL 8 must take action when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity.
- V-230485
- Title: RHEL 8 must disable the chrony daemon from acting as a server.
- V-230486
- Title: RHEL 8 must disable network management of the chrony daemon.
- V-230487
- Title: RHEL 8 must not have the telnet-server package installed.
- V-230488
- Title: RHEL 8 must not have any automated bug reporting tools installed.
- V-230489
- Title: RHEL 8 must not have the sendmail package installed.
- V-230492
- Title: RHEL 8 must not have the rsh-server package installed.
- V-230494
- Title: RHEL 8 must disable the asynchronous transfer mode (ATM) protocol.
- V-230495
- Title: RHEL 8 must disable the controller area network (CAN) protocol.
- V-230496
- Title: RHEL 8 must disable the stream control transmission protocol (SCTP).
- V-230497
- Title: RHEL 8 must disable the transparent inter-process communication (TIPC) protocol.
- V-230498
- Title: RHEL 8 must disable mounting of cramfs.
- V-230499
- Title: RHEL 8 must disable IEEE 1394 (FireWire) Support.
- V-230503
- Title: RHEL 8 must be configured to disable USB mass storage.
- V-230507
- Title: RHEL 8 Bluetooth must be disabled.
- V-230508
- Title: RHEL 8 must mount /dev/shm with the nodev option.
- NOTE: The product will control tmp via a bind mount. The scan will fail because it expects tmp to be configured in /etc/fstab.
- V-230509
- Title: RHEL 8 must mount /dev/shm with the nosuid option.
- NOTE: The product will control tmp via a bind mount. The scan will fail because it expects tmp to be configured in /etc/fstab.
- V-230510
- Title: RHEL 8 must mount /dev/shm with the noexec option.
- NOTE: The product will control tmp via a bind mount. The scan will fail because it expects tmp to be configured in /etc/fstab.
- V-230511
- Title: RHEL 8 must mount /tmp with the nodev option.
- NOTE: The product will control tmp via a bind mount. The scan will fail because it expects tmp to be configured in /etc/fstab.
- V-230512
- Title: RHEL 8 must mount /tmp with the nosuid option.
- NOTE: The product will control tmp via a bind mount. The scan will fail because it expects tmp to be configured in /etc/fstab.
- V-230513
- Title: RHEL 8 must mount /tmp with the noexec option.
- NOTE: The product will control tmp via a bind mount. The scan will fail because it expects tmp to be configured in /etc/fstab.
- V-230519
- Title: RHEL 8 must mount /var/log/audit with the noexec option.
- NOTE: The product will not enforce specific mountpoints or their options other than tmp mounts.
- V-230520
- Title: RHEL 8 must mount /var/tmp with the nodev option.
- NOTE: The product will control tmp via a bind mount. The scan will fail because it expects tmp to be configured in /etc/fstab.
- V-230521
- Title: RHEL 8 must mount /var/tmp with the nosuid option.
- NOTE: The product will control tmp via a bind mount. The scan will fail because it expects tmp to be configured in /etc/fstab.
- V-230522
- Title: RHEL 8 must mount /var/tmp with the noexec option.
- NOTE: The product will control tmp via a bind mount. The scan will fail because it expects tmp to be configured in /etc/fstab.
- V-230526
- Title: All RHEL 8 networked systems must have and implement SSH to protect the confidentiality and integrity of transmitted and received information, as well as information during preparation for transmission.
- V-230527
- Title: RHEL 8 must force a frequent session key renegotiation for SSH connections to the server.
- V-230531
- Title: The systemd Ctrl-Alt-Delete burst key sequence in RHEL 8 must be disabled.
- V-230533
- Title: The Trivial File Transfer Protocol (TFTP) server package must not be installed if not required for RHEL 8 operational support.
- V-230534
- Title: The root account must be the only account having unrestricted access to the RHEL 8 system.
- V-230535
- Title: RHEL 8 must prevent IPv6 Internet Control Message Protocol (ICMP) redirect messages from being accepted.
- V-230536
- Title: RHEL 8 must not send Internet Control Message Protocol (ICMP) redirects.
- V-230537
- Title: RHEL 8 must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address.
- V-230538
- Title: RHEL 8 must not forward IPv6 source-routed packets.
- V-230539
- Title: RHEL 8 must not forward IPv6 source-routed packets by default.
- V-230540
- Title: RHEL 8 must not enable IPv6 packet forwarding unless the system is a router.
- V-230541
- Title: RHEL 8 must not accept router advertisements on all IPv6 interfaces.
- V-230542
- Title: RHEL 8 must not accept router advertisements on all IPv6 interfaces by default.
- V-230543
- Title: RHEL 8 must not allow interfaces to perform Internet Control Message Protocol (ICMP) redirects by default.
- V-230544
- Title: RHEL 8 must ignore IPv6 Internet Control Message Protocol (ICMP) redirect messages.
- V-230545
- Title: RHEL 8 must disable access to network bpf syscall from unprivileged processes.
- NOTE: The kernel.yama.ptrace_scope sysctl setting is set to 1 in /etc/sysctl.conf and /etc/sysctl.d/99-sysctl.conf; however, the test still fails.
- V-230546
- Title: RHEL 8 must restrict usage of ptrace to descendant processes.
- NOTE: The kernel.yama.ptrace_scope sysctl setting is set to 1 in /etc/sysctl.conf and /etc/sysctl.d/99-sysctl.conf; however, the test still fails.
- V-230547
- Title: RHEL 8 must restrict exposed kernel pointer addresses access.
- NOTE: The kernel.yama.ptrace_scope sysctl setting is set to 1 in /etc/sysctl.conf and /etc/sysctl.d/99-sysctl.conf; however, the test still fails.
- V-230548
- Title: RHEL 8 must disable the use of user namespaces.
- NOTE: The kernel.yama.ptrace_scope sysctl setting is set to 1 in /etc/sysctl.conf and /etc/sysctl.d/99-sysctl.conf; however, the test still fails.
- V-230549
- Title: RHEL 8 must use reverse path filtering on all IPv4 interfaces.
- NOTE: The kernel.yama.ptrace_scope sysctl setting is set to 1 in /etc/sysctl.conf and /etc/sysctl.d/99-sysctl.conf; however, the test still fails.
- V-230550
- Title: RHEL 8 must be configured to prevent unrestricted mail relaying.
- V-230555
- Title: RHEL 8 remote X connections for interactive users must be disabled unless to fulfill documented and validated mission requirements.
- V-230556
- Title: The RHEL 8 SSH daemon must prevent remote hosts from connecting to the proxy display.
- V-230557
- Title: If the Trivial File Transfer Protocol (TFTP) server is required, the RHEL 8 TFTP daemon must be configured to operate in secure mode.
- V-230558
- Title: A File Transfer Protocol (FTP) server package must not be installed unless mission essential on RHEL 8.
- V-230559
- Title: The gssproxy package must not be installed unless mission essential on RHEL 8.
- V-230560
- Title: The iprutils package must not be installed unless mission essential on RHEL 8.
- V-230561
- Title: The tuned package must not be installed unless mission essential on RHEL 8.
- V-237640
- Title: The krb5-server package must not be installed on RHEL 8.
- V-237641
- Title: RHEL 8 must restrict privilege elevation to authorized personnel.
- NOTE: There is currently no mechanism in the product to remove all occurrences of ‘ALL’ from sudoers. A mechanism to report, but not change, the existence of this statement in sudoers will be implemented in a future release.
- V-237642
- Title: RHEL 8 must use the invoking user’s password for privilege escalation when using “sudo”.
- NOTE: Automatically remediating this could cause some automated processes that require root access to fail. Since this is site-specific, it will not be enforced.
- V-237643
- Title: RHEL 8 must require re-authentication when using the “sudo” command.
- V-244524
- Title: The RHEL 8 pam_unix.so module must be configured in the system-auth file to use a FIPS 140-2 approved cryptographic hashing algorithm for system authentication.
- V-244541
- Title: RHEL 8 must not allow blank or null passwords in the password-auth file.
- V-244554
- Title: RHEL 8 must enable hardening for the Berkeley Packet Filter Just-in-time compiler.
- V-251706
- Title: The RHEL 8 operating system must not have accounts configured with blank or null passwords.
- V-251714
- Title: RHEL 8 systems below version 8.4 must ensure the password complexity module in the system-auth file is configured for three retries or less.
- V-257258
- Title: RHEL 8.7 and higher must terminate idle user sessions.
RedHat 9 (355/404 [87%])
- V-257781
- Title: The graphical display manager must not be the default target on RHEL 9 unless approved.
- V-257782
- Title: RHEL 9 must enable the hardware random number generator entropy gatherer service.
- V-257783
- Title: RHEL 9 systemd-journald service must be enabled.
- V-257784
- Title: The systemd Ctrl-Alt-Delete burst key sequence in RHEL 9 must be disabled.
- V-257785
- Title: The x86 Ctrl-Alt-Delete key sequence must be disabled on RHEL 9.
- V-257786
- Title: RHEL 9 debug-shell systemd service must be disabled.
- V-257787
- Title: RHEL 9 must require a boot loader superuser password.
- NOTE: The grub password is set via the password_pbkdf2 parameter; however, the rule explicitly checks for GRUB2_PASSWORD. The grub username and password are being set, which meets the requirement of the rule, but the check for the rule does not cover all possible methods of setting a password for a user.
- V-257788
- Title: RHEL 9 must disable the ability of systemd to spawn an interactive boot process.
- NOTE: If the parameter is missing from any entries in /boot/loader/entries, the test will fail.
- NOTE: The product will not modify /boot/loader/entries unless the OS version is 9.3 or higher.
- V-257790
- Title: RHEL 9 /boot/grub2/grub.cfg file must be group-owned by root.
- V-257791
- Title: RHEL 9 /boot/grub2/grub.cfg file must be owned by root.
- V-257792
- Title: RHEL 9 must disable virtual system calls.
- NOTE: If the parameter is missing from any entries in /boot/loader/entries, the test will fail.
- NOTE: The product will not modify /boot/loader/entries unless the OS version is 9.3 or higher.
- V-257793
- Title: RHEL 9 must clear the page allocator to prevent use-after-free attacks.
- NOTE: If the parameter is missing from any entries in /boot/loader/entries, the test will fail.
- NOTE: The product will not modify /boot/loader/entries unless the OS version is 9.3 or higher.
- V-257794
- Title: RHEL 9 must clear SLUB/SLAB objects to prevent use-after-free attacks.
- NOTE: If the parameter is missing from any entries in /boot/loader/entries, the test will fail.
- NOTE: The product will not modify /boot/loader/entries unless the OS version is 9.3 or higher.
- V-257795
- Title: RHEL 9 must enable mitigations against processor-based vulnerabilities.
- NOTE: If the parameter is missing from any entries in /boot/loader/entries, the test will fail.
- NOTE: The product will not modify /boot/loader/entries unless the OS version is 9.3 or higher.
- V-257796
- Title: RHEL 9 must enable auditing of processes that start prior to the audit daemon.
- NOTE: If the parameter is missing from any entries in /boot/loader/entries, the test will fail.
- NOTE: The product will not modify /boot/loader/entries unless the OS version is 9.3 or higher.
- V-257797
- Title: RHEL 9 must restrict access to the kernel message buffer.
- V-257798
- Title: RHEL 9 must prevent kernel profiling by nonprivileged users.
- V-257799
- Title: RHEL 9 must prevent the loading of a new kernel for later execution.
- V-257800
- Title: RHEL 9 must restrict exposed kernel pointer addresses access.
- V-257801
- Title: RHEL 9 must enable kernel parameters to enforce discretionary access control on hardlinks.
- V-257802
- Title: RHEL 9 must enable kernel parameters to enforce discretionary access control on symlinks.
- V-257803
- Title: RHEL 9 must disable the kernel.core_pattern.
- V-257804
- Title: RHEL 9 must be configured to disable the Asynchronous Transfer Mode kernel module.
- V-257805
- Title: RHEL 9 must be configured to disable the Controller Area Network kernel module.
- V-257806
- Title: RHEL 9 must be configured to disable the FireWire kernel module.
- V-257807
- Title: RHEL 9 must disable the Stream Control Transmission Protocol (SCTP) kernel module.
- V-257808
- Title: RHEL 9 must disable the Transparent Inter Process Communication (TIPC) kernel module.
- V-257809
- Title: RHEL 9 must implement address space layout randomization (ASLR) to protect its memory from unauthorized code execution.
- V-257810
- Title: RHEL 9 must disable access to network bpf system call from nonprivileged processes.
- V-257811
- Title: RHEL 9 must restrict usage of ptrace to descendant processes.
- V-257812
- Title: RHEL 9 must disable core dump backtraces.
- V-257813
- Title: RHEL 9 must disable storing core dumps.
- V-257814
- Title: RHEL 9 must disable core dumps for all users.
- V-257815
- Title: RHEL 9 must disable acquiring, saving, and processing core dumps.
- V-257816
- Title: RHEL 9 must disable the use of user namespaces.
- V-257818
- Title: The kdump service on RHEL 9 must be disabled.
- V-257820
- Title: RHEL 9 must check the GPG signature of software packages originating from external software repositories before installation.
- V-257821
- Title: RHEL 9 must check the GPG signature of locally installed software packages before installation.
- V-257822
- Title: RHEL 9 must have GPG signature verification enabled for all software repositories.
- V-257824
- Title: RHEL 9 must remove all software components after updated versions have been installed.
- V-257825
- Title: RHEL 9 subscription-manager package must be installed.
- V-257826
- Title: RHEL 9 must not have a File Transfer Protocol (FTP) server package installed.
- V-257827
- Title: RHEL 9 must not have the sendmail package installed.
- V-257828
- Title: RHEL 9 must not have the nfs-utils package installed.
- V-257829
- Title: RHEL 9 must not have the ypserv package installed.
- V-257830
- Title: RHEL 9 must not have the rsh-server package installed.
- V-257831
- Title: RHEL 9 must not have the telnet-server package installed.
- V-257832
- Title: RHEL 9 must not have the gssproxy package installed.
- V-257833
- Title: RHEL 9 must not have the iprutils package installed.
- V-257834
- Title: RHEL 9 must not have the tuned package installed.
- V-257835
- Title: RHEL 9 must not have a Trivial File Transfer Protocol (TFTP) server package installed.
- V-257836
- Title: RHEL 9 must not have the quagga package installed.
- V-257837
- Title: A graphical display manager must not be installed on RHEL 9 unless approved.
- V-257838
- Title: RHEL 9 must have the openssl-pkcs11 package installed.
- NOTE: This is getting set in the /etc/sssd/conf.d/50_puppet_service_pam.conf file, while the check is looking in /etc/sssd/sssd.conf. The check should be updated to look in the correct file.
- V-257839
- Title: RHEL 9 must have the gnutls-utils package installed.
- V-257840
- Title: RHEL 9 must have the nss-tools package installed.
- V-257841
- Title: RHEL 9 must have the rng-tools package installed.
- V-257842
- Title: RHEL 9 must have the s-nail package installed.
- V-257844
- Title: RHEL 9 must use a separate file system for /tmp.
- V-257849
- Title: RHEL 9 file system automount function must be disabled unless required.
- V-257863
- Title: RHEL 9 must mount /dev/shm with the nodev option.
- V-257864
- Title: RHEL 9 must mount /dev/shm with the noexec option.
- V-257865
- Title: RHEL 9 must mount /dev/shm with the nosuid option.
- V-257866
- Title: RHEL 9 must mount /tmp with the nodev option.
- V-257867
- Title: RHEL 9 must mount /tmp with the noexec option.
- V-257868
- Title: RHEL 9 must mount /tmp with the nosuid option.
- V-257876
- Title: RHEL 9 must mount /var/tmp with the nodev option.
- V-257877
- Title: RHEL 9 must mount /var/tmp with the noexec option.
- V-257878
- Title: RHEL 9 must mount /var/tmp with the nosuid option.
- V-257880
- Title: RHEL 9 must disable mounting of cramfs.
- V-257885
- Title: RHEL 9 /var/log directory must have mode 0755 or less permissive.
- V-257886
- Title: RHEL 9 /var/log/messages file must have mode 0640 or less permissive.
- V-257888
- Title: RHEL 9 cron configuration directories must have a mode of 0700 or less permissive.
- V-257889
- Title: All RHEL 9 local initialization files must have mode 0740 or less permissive.
- V-257890
- Title: All RHEL 9 local interactive user home directories must have mode 0750 or less permissive.
- V-257891
- Title: RHEL 9 /etc/group file must have mode 0644 or less permissive to prevent unauthorized access.
- V-257892
- Title: RHEL 9 /etc/group- file must have mode 0644 or less permissive to prevent unauthorized access.
- V-257893
- Title: RHEL 9 /etc/gshadow file must have mode 0000 or less permissive to prevent unauthorized access.
- V-257894
- Title: RHEL 9 /etc/gshadow- file must have mode 0000 or less permissive to prevent unauthorized access.
- V-257895
- Title: RHEL 9 /etc/passwd file must have mode 0644 or less permissive to prevent unauthorized access.
- V-257896
- Title: RHEL 9 /etc/passwd- file must have mode 0644 or less permissive to prevent unauthorized access.
- V-257897
- Title: RHEL 9 /etc/shadow- file must have mode 0000 or less permissive to prevent unauthorized access.
- V-257898
- Title: RHEL 9 /etc/group file must be owned by root.
- V-257899
- Title: RHEL 9 /etc/group file must be group-owned by root.
- V-257900
- Title: RHEL 9 /etc/group- file must be owned by root.
- V-257901
- Title: RHEL 9 /etc/group- file must be group-owned by root.
- V-257902
- Title: RHEL 9 /etc/gshadow file must be owned by root.
- V-257903
- Title: RHEL 9 /etc/gshadow file must be group-owned by root.
- V-257904
- Title: RHEL 9 /etc/gshadow- file must be owned by root.
- V-257905
- Title: RHEL 9 /etc/gshadow- file must be group-owned by root.
- V-257906
- Title: RHEL 9 /etc/passwd file must be owned by root.
- V-257907
- Title: RHEL 9 /etc/passwd file must be group-owned by root.
- V-257908
- Title: RHEL 9 /etc/passwd- file must be owned by root.
- V-257909
- Title: RHEL 9 /etc/passwd- file must be group-owned by root.
- V-257910
- Title: RHEL 9 /etc/shadow file must be owned by root.
- V-257911
- Title: RHEL 9 /etc/shadow file must be group-owned by root.
- V-257912
- Title: RHEL 9 /etc/shadow- file must be owned by root.
- V-257913
- Title: RHEL 9 /etc/shadow- file must be group-owned by root.
- V-257914
- Title: RHEL 9 /var/log directory must be owned by root.
- V-257915
- Title: RHEL 9 /var/log directory must be group-owned by root.
- V-257916
- Title: RHEL 9 /var/log/messages file must be owned by root.
- V-257917
- Title: RHEL 9 /var/log/messages file must be group-owned by root.
- V-257926
- Title: RHEL 9 cron configuration files directory must be owned by root.
- V-257927
- Title: RHEL 9 cron configuration files directory must be group-owned by root.
- V-257933
- Title: RHEL 9 /etc/crontab file must have mode 0600.
- V-257934
- Title: RHEL 9 /etc/shadow file must have mode 0000 to prevent unauthorized access.
- V-257935
- Title: RHEL 9 must have the firewalld package installed.
- V-257936
- Title: The firewalld service on RHEL 9 must be active.
- V-257939
- Title: RHEL 9 must protect against or limit the effects of denial-of-service (DoS) attacks by ensuring rate-limiting measures on impacted network interfaces are implemented.
- V-257942
- Title: RHEL 9 must enable hardening for the Berkeley Packet Filter just-in-time compiler.
- V-257943
- Title: RHEL 9 must have the chrony package installed.
- V-257944
- Title: RHEL 9 chronyd service must be enabled.
- V-257946
- Title: RHEL 9 must disable the chrony daemon from acting as a server.
- V-257947
- Title: RHEL 9 must disable network management of the chrony daemon.
- V-257948
- Title: RHEL 9 systems using Domain Name Servers (DNS) resolution must have at least two name servers configured.
- NOTE: The product will warn users if they don’t have the minimum number of servers configured, but it cannot determine which DNS servers to configure on its own.
- V-257949
- Title: RHEL 9 must configure a DNS processing mode in Network Manager.
- V-257951
- Title: RHEL 9 must be configured to prevent unrestricted mail relaying.
- V-257953
- Title: RHEL 9 must forward mail from postmaster to the root account using a postfix alias.
- V-257954
- Title: RHEL 9 libreswan package must be installed.
- V-257955
- Title: There must be no shosts.equiv files on RHEL 9.
- V-257956
- Title: There must be no .shosts files on RHEL 9.
- NOTE: We do not currently have a mechanism for scanning the filesystem for enforcement.
- V-257957
- Title: RHEL 9 must be configured to use TCP syncookies.
- V-257958
- Title: RHEL 9 must ignore Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages.
- V-257959
- Title: RHEL 9 must not forward Internet Protocol version 4 (IPv4) source-routed packets.
- V-257960
- Title: RHEL 9 must log IPv4 packets with impossible addresses.
- V-257961
- Title: RHEL 9 must log IPv4 packets with impossible addresses by default.
- V-257962
- Title: RHEL 9 must use reverse path filtering on all IPv4 interfaces.
- V-257963
- Title: RHEL 9 must prevent IPv4 Internet Control Message Protocol (ICMP) redirect messages from being accepted.
- V-257964
- Title: RHEL 9 must not forward IPv4 source-routed packets by default.
- V-257965
- Title: RHEL 9 must use a reverse-path filter for IPv4 network traffic when possible by default.
- V-257966
- Title: RHEL 9 must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address.
- V-257967
- Title: RHEL 9 must limit the number of bogus Internet Control Message Protocol (ICMP) response errors logs.
- V-257968
- Title: RHEL 9 must not send Internet Control Message Protocol (ICMP) redirects.
- V-257969
- Title: RHEL 9 must not allow interfaces to perform Internet Control Message Protocol (ICMP) redirects by default.
- V-257970
- Title: RHEL 9 must not enable IPv4 packet forwarding unless the system is a router.
- V-257971
- Title: RHEL 9 must not accept router advertisements on all IPv6 interfaces.
- V-257972
- Title: RHEL 9 must ignore IPv6 Internet Control Message Protocol (ICMP) redirect messages.
- V-257973
- Title: RHEL 9 must not forward IPv6 source-routed packets.
- V-257974
- Title: RHEL 9 must not enable IPv6 packet forwarding unless the system is a router.
- V-257975
- Title: RHEL 9 must not accept router advertisements on all IPv6 interfaces by default.
- V-257976
- Title: RHEL 9 must prevent IPv6 Internet Control Message Protocol (ICMP) redirect messages from being accepted.
- V-257977
- Title: RHEL 9 must not forward IPv6 source-routed packets by default.
- V-257978
- Title: All RHEL 9 networked systems must have SSH installed.
- V-257979
- Title: All RHEL 9 networked systems must have and implement SSH to protect the confidentiality and integrity of transmitted and received information, as well as information during preparation for transmission.
- V-257980
- Title: RHEL 9 must have the openssh-clients package installed.
- V-257981
- Title: RHEL 9 must display the Standard Mandatory DOD Notice and Consent Banner before granting local or remote access to the system via a SSH logon.
- V-257982
- Title: RHEL 9 must log SSH connection attempts and failures to the server.
- V-257983
- Title: RHEL 9 SSHD must accept public key authentication.
- V-257984
- Title: RHEL 9 SSHD must not allow blank passwords.
- V-257985
- Title: RHEL 9 must not permit direct logons to the root account using remote access via SSH.
- V-257986
- Title: RHEL 9 must enable the Pluggable Authentication Module (PAM) interface for SSHD.
- V-257987
- Title: RHEL 9 SSH daemon must be configured to use system-wide crypto policies.
- V-257988
- Title: RHEL 9 must implement DOD-approved encryption ciphers to protect the confidentiality of SSH client connections.
- NOTE: This check is incorrectly checking /etc/crypto-policies/back-ends/openssh.config for the values when it should be checking /etc/crypto-policies/back-ends/opensshserver.config. The values this rule requests are set in the server file so that they do not conflict with the client values requested by another rule in the openssh.config file.
- V-257989
- Title: RHEL 9 must implement DOD-approved encryption ciphers to protect the confidentiality of SSH server connections.
- NOTE: This check is incorrectly checking /etc/crypto-policies/back-ends/openssh.config for the values when it should be checking /etc/crypto-policies/back-ends/opensshserver.config. The values this rule requests are set in the server file so that they do not conflict with the client values requested by another rule in the openssh.config file.
- V-257991
- Title: RHEL 9 SSH server must be configured to use only Message Authentication Codes (MACs) employing FIPS 140-3 validated cryptographic hash algorithms.
- NOTE: This check is incorrectly checking /etc/crypto-policies/back-ends/openssh.config for the values when it should be checking /etc/crypto-policies/back-ends/opensshserver.config. The values this rule requests are set in the server file so that they do not conflict with the client values requested by another rule in the openssh.config file.
- V-257992
- Title: RHEL 9 must not allow a noncertificate trusted host SSH logon to the system.
- V-257993
- Title: RHEL 9 must not allow users to override SSH environment variables.
- V-257994
- Title: RHEL 9 must force a frequent session key renegotiation for SSH connections to the server.
- V-257995
- Title: RHEL 9 must be configured so that all network connections associated with SSH traffic terminate after becoming unresponsive.
- V-257996
- Title: RHEL 9 must be configured so that all network connections associated with SSH traffic are terminated after 10 minutes of becoming unresponsive.
- V-257997
- Title: RHEL 9 SSH server configuration file must be group-owned by root.
- V-257998
- Title: RHEL 9 SSH server configuration file must be owned by root.
- V-257999
- Title: RHEL 9 SSH server configuration file must have mode 0600 or less permissive.
- V-258000
- Title: RHEL 9 SSH private host key files must have mode 0640 or less permissive.
- NOTE: The product parses the output of ‘sshd -T’ for the key that the system uses for communication and ensures that key is appropriately protected. The other keys in that location may not have the correct permissions applied. https://github.com/simp/pupmod-simp-ssh/issues/150 has been created to address this issue.
- V-258001
- Title: RHEL 9 SSH public host key files must have mode 0644 or less permissive.
- V-258002
- Title: RHEL 9 SSH daemon must not allow compression or must only allow compression after successful authentication.
- V-258003
- Title: RHEL 9 SSH daemon must not allow GSSAPI authentication.
- V-258004
- Title: RHEL 9 SSH daemon must not allow Kerberos authentication.
- V-258005
- Title: RHEL 9 SSH daemon must not allow rhosts authentication.
- V-258006
- Title: RHEL 9 SSH daemon must not allow known hosts authentication.
- V-258007
- Title: RHEL 9 SSH daemon must disable remote X connections for interactive users.
- NOTE: The UsePrivilegeSeparation ssh server config option was deprecated in openssh version 7.4, so the product won’t use this parameter unless the openssh version is less than 7.4.
- V-258008
- Title: RHEL 9 SSH daemon must perform strict mode checking of home directory configuration files.
- V-258009
- Title: RHEL 9 SSH daemon must display the date and time of the last successful account logon upon an SSH logon.
- V-258011
- Title: RHEL 9 SSH daemon must prevent remote hosts from connecting to the proxy display.
- NOTE: The UsePrivilegeSeparation ssh server config option was deprecated in openssh version 7.4, so the product won’t use this parameter unless the openssh version is less than 7.4.
- V-258013
- Title: RHEL 9 must prevent a user from overriding the banner-message-enable setting for the graphical user interface.
- V-258014
- Title: RHEL 9 must disable the graphical user interface automount function unless required.
- V-258015
- Title: RHEL 9 must prevent a user from overriding the disabling of the graphical user interface automount function.
- V-258017
- Title: RHEL 9 must prevent a user from overriding the disabling of the graphical user interface autorun function.
- V-258018
- Title: RHEL 9 must not allow unattended or automatic logon via the graphical user interface.
- V-258019
- Title: RHEL 9 must be able to initiate directly a session lock for all connection types using smart card when the smart card is removed.
- V-258020
- Title: RHEL 9 must prevent a user from overriding the disabling of the graphical user smart card removal action.
- V-258021
- Title: RHEL 9 must enable a user session lock until that user re-establishes access using established identification and authentication procedures for graphical user sessions.
- V-258022
- Title: RHEL 9 must prevent a user from overriding the screensaver lock-enabled setting for the graphical user interface.
- V-258023
- Title: RHEL 9 must automatically lock graphical user sessions after 15 minutes of inactivity.
- V-258024
- Title: RHEL 9 must prevent a user from overriding the session idle-delay setting for the graphical user interface.
- V-258026
- Title: RHEL 9 must prevent a user from overriding the session lock-delay setting for the graphical user interface.
- V-258027
- Title: RHEL 9 must conceal, via the session lock, information previously visible on the display with a publicly viewable image.
- V-258029
- Title: RHEL 9 must disable the ability of a user to restart the system from the login screen.
- V-258030
- Title: RHEL 9 must prevent a user from overriding the disable-restart-buttons setting for the graphical user interface.
- V-258032
- Title: RHEL 9 must prevent a user from overriding the Ctrl-Alt-Del sequence settings for the graphical user interface.
- V-258033
- Title: RHEL 9 must disable the user list at logon for graphical user interfaces.
- V-258034
- Title: RHEL 9 must be configured to disable USB mass storage.
- V-258035
- Title: RHEL 9 must have the USBGuard package installed.
- V-258036
- Title: RHEL 9 must have the USBGuard package enabled.
- V-258037
- Title: RHEL 9 must enable Linux audit logging for the USBGuard daemon.
- V-258039
- Title: RHEL 9 Bluetooth must be disabled.
- V-258041
- Title: RHEL 9 user account passwords for new users or password changes must have a 60-day maximum password lifetime restriction in /etc/login.defs.
- V-258042
- Title: RHEL 9 user account passwords must have a 60-day maximum password lifetime restriction.
- NOTE: The product cannot enforce this on existing users’ passwords, only on new ones that are created from the time of remediation.
- V-258043
- Title: All RHEL 9 local interactive user accounts must be assigned a home directory upon creation.
- V-258045
- Title: RHEL 9 duplicate User IDs (UIDs) must not exist for interactive users.
- V-258046
- Title: RHEL 9 system accounts must not have an interactive login shell.
- NOTE: All system accounts found will be set to nologin except for the following: root, sync, shutdown and halt. The rule checks at least one of these accounts and flags it as a failure, which is a false negative. It is specifically failing because of the halt and sync accounts. Remediating these accounts could cause loss of access to the system or unexpected system failures.
- V-258048
- Title: All RHEL 9 interactive users must have a primary group that exists.
- V-258049
- Title: RHEL 9 must disable account identifiers (individuals, groups, roles, and devices) after 35 days of inactivity.
- V-258051
- Title: All RHEL 9 local interactive users must have a home directory assigned in the /etc/passwd file.
- V-258054
- Title: RHEL 9 must automatically lock an account when three unsuccessful logon attempts occur.
- V-258055
- Title: RHEL 9 must automatically lock the root account until the root account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period.
- V-258056
- Title: RHEL 9 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period.
- V-258057
- Title: RHEL 9 must maintain an account lock until the locked account is released by an administrator.
- V-258059
- Title: The root account must be the only account having unrestricted access to RHEL 9 system.
- V-258060
- Title: RHEL 9 must ensure account lockouts persist.
- V-258061
- Title: RHEL 9 groups must have unique Group ID (GID).
- V-258068
- Title: RHEL 9 must automatically exit interactive command shell user sessions after 15 minutes of inactivity.
- NOTE: We set the TMOUT environment variable as requested by the rule; however, it is not in the exact format being checked, so the test will fail.
- V-258069
- Title: RHEL 9 must limit the number of concurrent sessions to ten for all accounts and/or account types.
- V-258070
- Title: RHEL 9 must log username information when unsuccessful logon attempts occur.
- V-258071
- Title: RHEL 9 must enforce a delay of at least four seconds between logon prompts following a failed logon attempt.
- V-258072
- Title: RHEL 9 must define default permissions for the bash shell.
- NOTE: There is no reliable way to remove extraneous umask commands without causing other errors. However, the umask that the product sets should take precedence over any others in the file since it will be located at the bottom.
- V-258073
- Title: RHEL 9 must define default permissions for the c shell.
- NOTE: There is no reliable way to remove extraneous umask commands without causing other errors. However, the umask that the product sets should take precedence over any others in the file since it will be located at the bottom.
- V-258074
- Title: RHEL 9 must define default permissions for all authenticated users in such a way that the user can only read and modify their own files.
- V-258075
- Title: RHEL 9 must define default permissions for the system default profile.
- NOTE: There is no reliable way to remove extraneous umask commands without causing other errors. However, the umask that the product sets should take precedence over any others in the file since it will be located at the bottom.
- V-258076
- Title: RHEL 9 must display the date and time of the last successful account logon upon logon.
- NOTE: The last login will be displayed as requested; however, the remediation was not applied in the location that the rule checks, so this will be a false negative. The last login time will be configured in login_defs.
- V-258077
- Title: RHEL 9 must terminate idle user sessions.
- V-258078
- Title: RHEL 9 must use a Linux Security Module configured to enforce limits on system services.
- V-258079
- Title: RHEL 9 must enable the SELinux targeted policy.
- V-258081
- Title: RHEL 9 must have policycoreutils package installed.
- V-258082
- Title: RHEL 9 policycoreutils-python-utils package must be installed.
- V-258083
- Title: RHEL 9 must have the sudo package installed.
- V-258084
- Title: RHEL 9 must require reauthentication when using the “sudo” command.
- V-258085
- Title: RHEL 9 must use the invoking user’s password for privilege escalation when using “sudo”.
- V-258086
- Title: RHEL 9 must require users to reauthenticate for privilege escalation.
- NOTE: Users had to make a conscious decision to set “NOPASSWD” in sudoers on a running system. Automatically undoing these settings could negatively impact the system.
- V-258087
- Title: RHEL 9 must restrict privilege elevation to authorized personnel.
- V-258088
- Title: RHEL 9 must restrict the use of the “su” command.
- V-258089
- Title: RHEL 9 fapolicy module must be installed.
- V-258090
- Title: RHEL 9 fapolicy module must be enabled.
- V-258091
- Title: RHEL 9 must ensure the password complexity module in the system-auth file is configured for three retries or less.
- NOTE: This is getting set in the /etc/security/pwquality.conf file, while the check is looking in /etc/pam.d/system-auth. The check should be updated to look in the correct file.
- V-258094
- Title: RHEL 9 must not allow blank or null passwords.
- V-258097
- Title: RHEL 9 must ensure the password complexity module is enabled in the password-auth file.
- V-258098
- Title: RHEL 9 must ensure the password complexity module is enabled in the system-auth file.
- V-258099
- Title: RHEL 9 password-auth must be configured to use a sufficient number of hashing rounds.
- V-258100
- Title: RHEL 9 system-auth must be configured to use a sufficient number of hashing rounds.
- V-258101
- Title: RHEL 9 must enforce password complexity rules for the root account.
- V-258102
- Title: RHEL 9 must enforce password complexity by requiring that at least one lowercase character be used.
- V-258103
- Title: RHEL 9 must enforce password complexity by requiring that at least one numeric character be used.
- V-258104
- Title: RHEL 9 passwords for new users or password changes must have a 24 hours minimum password lifetime restriction in /etc/login.defs.
- V-258105
- Title: RHEL 9 passwords must have a 24 hours minimum password lifetime restriction in /etc/shadow.
- NOTE: We do not currently have the ability to identify and remediate existing users who do not have this set appropriately, only new users.
- V-258106
- Title: RHEL 9 must require users to provide a password for privilege escalation.
- NOTE: Users had to make a conscious decision to set “NOPASSWD” in sudoers on a running system. Automatically undoing these settings could negatively impact the system.
- V-258107
- Title: RHEL 9 passwords must be created with a minimum of 15 characters.
- V-258109
- Title: RHEL 9 must enforce password complexity by requiring that at least one special character be used.
- V-258110
- Title: RHEL 9 must prevent the use of dictionary words for passwords.
- V-258111
- Title: RHEL 9 must enforce password complexity by requiring that at least one uppercase character be used.
- V-258112
- Title: RHEL 9 must require the change of at least eight characters when passwords are changed.
- V-258113
- Title: RHEL 9 must require the maximum number of repeating characters of the same character class be limited to four when passwords are changed.
- V-258114
- Title: RHEL 9 must require the maximum number of repeating characters be limited to three when passwords are changed.
- V-258115
- Title: RHEL 9 must require the change of at least four character classes when passwords are changed.
- V-258116
- Title: RHEL 9 must be configured so that user and group account administration utilities are configured to store only encrypted representations of passwords.
- V-258117
- Title: RHEL 9 must be configured to use the shadow file to store only encrypted representations of passwords.
- V-258118
- Title: RHEL 9 must not be configured to bypass password requirements for privilege escalation.
- NOTE: Enforcing this rule will only remove ‘!authenticate’ from the /etc/sudoers file. Any custom files within /etc/sudoers.d will not be modified.
- V-258120
- Title: RHEL 9 must not have accounts configured with blank or null passwords.
- V-258121
- Title: RHEL 9 must use the common access card (CAC) smart card driver.
- V-258122
- Title: RHEL 9 must enable certificate based smart card authentication.
- NOTE: This is getting set in the /etc/sssd/conf.d/50_puppet_service_pam.conf file, while the check is looking in /etc/sssd/sssd.conf. The check should be updated to look in the correct file.
- V-258123
- Title: RHEL 9 must implement certificate status checking for multifactor authentication.
- NOTE: This is getting set in the /etc/sssd/conf.d/99999_puppet_custom.conf file, while the check is looking in /etc/sssd/conf.d/certificate_verification.conf. The check should be updated to look in the correct file.
- V-258124
- Title: RHEL 9 must have the pcsc-lite package installed.
- V-258125
- Title: The pcscd service on RHEL 9 must be active.
- V-258126
- Title: RHEL 9 must have the opensc package installed.
- V-258128
- Title: RHEL 9 must require authentication to access emergency mode.
- V-258129
- Title: RHEL 9 must require authentication to access single-user mode.
- V-258133
- Title: RHEL 9 must prohibit the use of cached authenticators after one day.
- V-258134
- Title: RHEL 9 must have the AIDE package installed.
- V-258137
- Title: RHEL 9 must use cryptographic mechanisms to protect the integrity of audit tools.
- NOTE: This is getting set in the /etc/aide.conf.d/audit_config.aide file, while the check is looking in /etc/aide.conf. The check should be updated to look in the correct file.
- V-258140
- Title: RHEL 9 must have the rsyslog package installed.
- V-258141
- Title: RHEL 9 must have the packages required for encrypting offloaded audit logs installed.
- V-258142
- Title: The rsyslog service on RHEL 9 must be active.
- V-258143
- Title: RHEL 9 must be configured so that the rsyslog daemon does not accept log messages from other servers unless the server is being used for log aggregation.
- V-258144
- Title: All RHEL 9 remote access methods must be monitored.
- NOTE: This is getting set in the /etc/rsyslog.simp.d/99_simp_local/99_remote_access_methods.conf file, while the check is looking in /etc/rsyslog.conf. The check should be updated to look in the correct file.
- V-258145
- Title: RHEL 9 must be configured to offload audit records onto a different system from the system being audited via syslog.
- V-258146
- Title: RHEL 9 must authenticate the remote logging server for offloading audit logs via rsyslog.
- NOTE: The rule wants $ActionSendStreamDriverMode to be set to ‘1’; however, this is the legacy format for setting this parameter. The product will correctly set StreamDriver.Mode to ‘1’ in the imptcp module of /etc/rsyslog.simp.d/00_simp_pre_logging/global.conf, which will achieve the same thing.
- V-258147
- Title: RHEL 9 must encrypt the transfer of audit records offloaded onto a different system or media from the system being audited via rsyslog.
- NOTE: The rule wants $ActionSendStreamDriverMode to be set to ‘1’; however, this is the legacy format for setting this parameter. The product will correctly set StreamDriver.Mode to ‘1’ in the imptcp module of /etc/rsyslog.simp.d/00_simp_pre_logging/global.conf, which will achieve the same thing.
- V-258148
- Title: RHEL 9 must encrypt via the gtls driver the transfer of audit records offloaded onto a different system or media from the system being audited via rsyslog.
- NOTE: The rule wants $DefaultNetstreamDriver to be set to ‘gtls’; however, this is the legacy format for setting this parameter. The product will correctly set defaultNetstreamDriver to ‘gtls’ in the global section of /etc/rsyslog.simp.d/00_simp_pre_logging/global.conf, which will achieve the same thing.
- V-258151
- Title: RHEL 9 audit package must be installed.
- V-258152
- Title: RHEL 9 audit service must be enabled.
- V-258153
- Title: RHEL 9 audit system must take appropriate action when an error writing to the audit storage volume occurs.
- V-258154
- Title: RHEL 9 audit system must take appropriate action when the audit storage volume is full.
- V-258156
- Title: RHEL 9 must take action when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity.
- V-258157
- Title: RHEL 9 must notify the system administrator (SA) and information system security officer (ISSO) (at a minimum) when allocated audit record storage volume 75 percent utilization.
- V-258158
- Title: RHEL 9 must take action when allocated audit record storage volume reaches 95 percent of the audit record storage capacity.
- V-258159
- Title: RHEL 9 must take action when allocated audit record storage volume reaches 95 percent of the repository maximum audit record storage capacity.
- V-258160
- Title: RHEL 9 audit system must take appropriate action when the audit files have reached maximum size.
- V-258161
- Title: RHEL 9 must label all offloaded audit logs before sending them to the central log server.
- V-258162
- Title: RHEL 9 must take appropriate action when the internal event queue is full.
- V-258163
- Title: RHEL 9 System Administrator (SA) and/or information system security officer (ISSO) (at a minimum) must be alerted of an audit processing failure event.
- V-258164
- Title: RHEL 9 audit system must audit local events.
- V-258165
- Title: RHEL 9 audit logs must be group-owned by root or by a restricted logging group to prevent unauthorized read access.
- V-258166
- Title: RHEL 9 audit log directory must be owned by root to prevent unauthorized read access.
- V-258167
- Title: RHEL 9 audit logs file must have mode 0600 or less permissive to prevent unauthorized access to the audit log.
- V-258168
- Title: RHEL 9 must periodically flush audit records to disk to prevent the loss of audit records.
- V-258169
- Title: RHEL 9 must produce audit records containing information to establish the identity of any individual or process associated with the event.
- V-258170
- Title: RHEL 9 must write audit records to disk.
- V-258171
- Title: RHEL 9 must allow only the information system security manager (ISSM) (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited.
- NOTE: The product will set the mode of the files referenced in this rule to “700” and “600” rather than “750” and “640”. This will lock down the files and keep them secure so only admins and ISSMs can access them.
- V-258172
- Title: RHEL 9 /etc/audit/auditd.conf file must have 0640 or less permissive to prevent unauthorized access.
- NOTE: The product will set the mode of the files referenced in this rule to “700” and “600” rather than “750” and “640”. This will lock down the files and keep them secure so only admins and ISSMs can access them.
- V-258173
- Title: RHEL 9 must allocate an audit_backlog_limit of sufficient size to capture processes that start prior to the audit daemon.
- V-258175
- Title: RHEL 9 audispd-plugins package must be installed.
- V-258176
- Title: RHEL 9 must audit uses of the “execve” system call.
- V-258177
- Title: RHEL 9 must audit all uses of the chmod, fchmod, and fchmodat system calls.
- V-258178
- Title: RHEL 9 must audit all uses of the chown, fchown, fchownat, and lchown system calls.
- V-258179
- Title: RHEL 9 must audit all uses of the setxattr, fsetxattr, lsetxattr, removexattr, fremovexattr, and lremovexattr system calls.
- V-258180
- Title: RHEL 9 must audit all uses of umount system calls.
- V-258181
- Title: RHEL 9 must audit all uses of the chacl command.
- V-258182
- Title: RHEL 9 must audit all uses of the setfacl command.
- V-258183
- Title: RHEL 9 must audit all uses of the chcon command.
- V-258184
- Title: RHEL 9 must audit all uses of the semanage command.
- V-258185
- Title: RHEL 9 must audit all uses of the setfiles command.
- V-258186
- Title: RHEL 9 must audit all uses of the setsebool command.
- V-258187
- Title: RHEL 9 must audit all uses of the rename, unlink, rmdir, renameat, and unlinkat system calls.
- V-258188
- Title: RHEL 9 must audit all uses of the truncate, ftruncate, creat, open, openat, and open_by_handle_at system calls.
- V-258189
- Title: RHEL 9 must audit all uses of the delete_module system call.
- V-258190
- Title: RHEL 9 must audit all uses of the init_module and finit_module system calls.
- V-258191
- Title: RHEL 9 must audit all uses of the chage command.
- V-258192
- Title: RHEL 9 must audit all uses of the chsh command.
- V-258193
- Title: RHEL 9 must audit all uses of the crontab command.
- V-258194
- Title: RHEL 9 must audit all uses of the gpasswd command.
- V-258195
- Title: RHEL 9 must audit all uses of the kmod command.
- V-258196
- Title: RHEL 9 must audit all uses of the newgrp command.
- V-258197
- Title: RHEL 9 must audit all uses of the pam_timestamp_check command.
- V-258198
- Title: RHEL 9 must audit all uses of the passwd command.
- V-258199
- Title: RHEL 9 must audit all uses of the postdrop command.
- V-258200
- Title: RHEL 9 must audit all uses of the postqueue command.
- V-258201
- Title: RHEL 9 must audit all uses of the ssh-agent command.
- V-258202
- Title: RHEL 9 must audit all uses of the ssh-keysign command.
- V-258203
- Title: RHEL 9 must audit all uses of the su command.
- V-258204
- Title: RHEL 9 must audit all uses of the sudo command.
- V-258205
- Title: RHEL 9 must audit all uses of the sudoedit command.
- V-258206
- Title: RHEL 9 must audit all uses of the unix_chkpwd command.
- V-258207
- Title: RHEL 9 must audit all uses of the unix_update command.
- V-258208
- Title: RHEL 9 must audit all uses of the userhelper command.
- V-258209
- Title: RHEL 9 must audit all uses of the usermod command.
- V-258210
- Title: RHEL 9 must audit all uses of the mount command.
- V-258211
- Title: Successful/unsuccessful uses of the init command in RHEL 9 must generate an audit record.
- V-258212
- Title: Successful/unsuccessful uses of the poweroff command in RHEL 9 must generate an audit record.
- V-258213
- Title: Successful/unsuccessful uses of the reboot command in RHEL 9 must generate an audit record.
- V-258214
- Title: Successful/unsuccessful uses of the shutdown command in RHEL 9 must generate an audit record.
- V-258215
- Title: Successful/unsuccessful uses of the umount system call in RHEL 9 must generate an audit record.
- V-258216
- Title: Successful/unsuccessful uses of the umount2 system call in RHEL 9 must generate an audit record.
- V-258217
- Title: RHEL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/sudoers.
- V-258218
- Title: RHEL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/sudoers.d/ directory.
- V-258219
- Title: RHEL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/group.
- V-258220
- Title: RHEL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/gshadow.
- V-258221
- Title: RHEL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/opasswd.
- V-258222
- Title: RHEL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd.
- V-258223
- Title: RHEL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow.
- V-258224
- Title: RHEL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /var/log/faillock.
- V-258225
- Title: RHEL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /var/log/lastlog.
- V-258226
- Title: RHEL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /var/log/tallylog.
- V-258227
- Title: RHEL 9 must take appropriate action when a critical audit processing failure occurs.
- V-258228
- Title: RHEL 9 audit system must protect logon UIDs from unauthorized change.
- V-258229
- Title: RHEL 9 audit system must protect auditing rules from unauthorized change.
- V-258233
- Title: RHEL 9 pam_unix.so module must be configured in the password-auth file to use a FIPS 140-3 approved cryptographic hashing algorithm for system authentication.