1. Introduction
2. Licensing
3. Installing Sicura Enterprise
4. Server install from RPM
5. Server install from ISO
6. Upgrade Sicura Enterprise
7. Server Installation via Control Repo
8. Enable SIMP Compliance Engine
9. Configure SIMP Compliance Engine
10. Included Compliance Profiles
11. Console install via Puppet
12. Agent Install via Puppet
13. Coverage - CIS, Windows
14. Coverage - CIS, Linux
15. Coverage - CMMC, Windows
16. Coverage - CMMC, Linux
17. Coverage - DISA, Windows
18. Coverage - DISA, Linux
19. Coverage - NIST 800-171 r2, Windows
20. Linux DISA Module Usage
21. Windows CIS module usage
22. Linux CIS Module Usage
23. Linux SSG Module Usage

Coverage - DISA, Linux

Current revisions

Control Coverage

Summary

| OS | Unmapped Controls | Paper Policy | Mapped | Total | | — | — | — | — | — | | RedHat 7 | | 9 (5%) | 151 (94%) | 160 | | RedHat 8 | 1 (0%) | 20 (8%) | 210 (90%) | 231 | | OracleLinux 7 | | 9 (5%) | 149 (94%) | 158 | | OracleLinux 8 | | 18 (7%) | 224 (92%) | 242 |

Detail

Unmapped Controls

The following controls are not mapped:

RedHat 8 (1/231 [0%])

• V-230271
  • Title: RHEL 8 must require users to provide a password for privilege escalation.
  • NOTE: Users had to make a conscious decision to set “NOPASSWD” in sudoers on a running system. Automatically undoing these settings could negatively impact the system.

Paper Policy

The following controls require administrative documentation:

OracleLinux 7 (9/158 [5%])

• V-221653
  • Title: The Oracle Linux operating system must be configured so that the cryptographic hash of system files and commands matches vendor values.
  • NOTE: We do not currently have a mechanism for scanning the filesystem for enforcement.
• V-221692
  • Title: The Oracle Linux operating system must be configured so that users must provide a password for privilege escalation.
  • NOTE: Users had to make a conscious decision to set “NOPASSWD” in sudoers on a running system. Automatically undoing these settings could negatively impact the system.
• V-221700
  • Title: Oracle Linux operating systems version 7.2 or newer with a Basic Input/Output System (BIOS) must require authentication upon booting into single-user and maintenance modes.
  • NOTE: Configuring this would require user input for a password. The product does not currently support user input.
• V-221702
  • Title: Oracle Linux operating systems version 7.2 or newer using Unified Extensible Firmware Interface (UEFI) must require authentication upon booting into single-user and maintenance modes.
  • NOTE: Configuring this would require user input for a password. The product does not currently support user input.
• V-221719
  • Title: The Oracle Linux operating system must be a vendor supported release.
  • NOTE: If this check fails then the scan was not run on a supported Oracle Linux 7 operating system.
• V-221748
  • Title: The Oracle Linux operating system must be configured so that all world-writable directories are group-owned by root, sys, bin, or an application group.
  • NOTE: We do not currently have a mechanism for scanning the filesystem for enforcement.
• V-221754
  • Title: The Oracle Linux operating system must be configured so that a separate file system is used for user home directories (such as /home or an equivalent).
  • NOTE: There is no way to safely change this on a running system.
• V-221755
  • Title: The Oracle Linux operating system must use a separate file system for /var.
  • NOTE: There is no way to safely change this on a running system.
• V-237627
  • Title: The Oracle Linux operating system must restrict privilege elevation to authorized personnel.
  • NOTE: There is currently no mechanisme in the product to remove all occurrences of ‘ALL’ from sudoers. A mechanism to report, but not change, the existence of this statement in sudoers will be implemented in a future release.

    OracleLinux 8 (18/242 [7%])

• V-248521
  • Title: OL 8 must be a vendor-supported release.
  • NOTE: If this check fails then the scan was not run on a supported RHEL Linux 8 operating system.
• V-248534
  • Title: OL 8 must employ FIPS 140-2 approved cryptographic hashing algorithms for all stored passwords.
  • NOTE: Locking a user due to inappropriate encryption is not currently available in simp. A mechanism to address this rule will be implemented in a future release.
• V-248540
  • Title: OL 8 operating systems booted with a BIOS must require authentication upon booting into single-user and maintenance modes.
  • NOTE: Remediating this rule requires user input for username and a password, the product does not currently support user input to provide this information.
• V-248545
  • Title: OL 8 must prevent system daemons from using Kerberos for authentication.
  • NOTE: We do not currently have a mechanism for scanning the filesystem for enforcement.
• V-248565
  • Title: The OL 8 operating system must implement DoD-approved TLS encryption in the OpenSSL package.
  • NOTE: There is currently no mechanism to control the content of /etc/crypto-policies/back-ends/opensslcnf.config. One may be implemented in the future.
• V-248598
  • Title: There must be no “.shosts” files on the OL 8 operating system.
  • NOTE: We do not currently have a mechanism for scanning the filesystem for enforcement.
• V-248619
  • Title: OL 8 must prevent special devices on non-root local partitions.
  • NOTE: There is no way to safely change this on a running system.
• V-248625
  • Title: OL 8 file systems must not interpret character or block special devices that are imported via NFS.
  • NOTE: There is no way to safely change this on a running system.
• V-248697
  • Title: OL 8 user account passwords must be configured so that existing passwords are restricted to a 60-day maximum lifetime.
  • NOTE: We do not currently have the ability to identify and remediate existing users who do not have this set appropriately, only new users.
• V-248807
  • Title: OL 8 audit tools must have a mode of “0755” or less permissive.
  • NOTE: There is currently no way for the product to extrapolate which audit tools are installed on the system. Since there is no way to know which tools are in use, permissions for those tools won’t be controlled by the product.
• V-248808
  • Title: OL 8 audit tools must be owned by root.
  • NOTE: There is currently no way for the product to extrapolate which audit tools are installed on the system. Since there is no way to know which tools are in use, permissions for those tools won’t be controlled by the product.
• V-248809
  • Title: OL 8 audit tools must be group-owned by root.
  • NOTE: There is currently no way for the product to extrapolate which audit tools are installed on the system. Since there is no way to know which tools are in use, permissions for those tools won’t be controlled by the product.
• V-248850
  • Title: OL 8 must mount “/var/log” with the “nodev” option.
  • NOTE: There is no way to safely change this on a running system.
• V-248851
  • Title: OL 8 must mount “/var/log” with the “nosuid” option.
  • NOTE: There is no way to safely change this on a running system.
• V-248852
  • Title: OL 8 must mount “/var/log” with the “noexec” option.
  • NOTE: There is no way to safely change this on a running system.
• V-248853
  • Title: OL 8 must mount “/var/log/audit” with the “nodev” option.
  • NOTE: There is no way to safely change this on a running system.
• V-248854
  • Title: OL 8 must mount “/var/log/audit” with the “nosuid” option.
  • NOTE: There is no way to safely change this on a running system.
• V-248855
  • Title: OL 8 must mount “/var/log/audit” with the “noexec” option.
  • NOTE: There is no way to safely change this on a running system.

    RedHat 7 (9/160 [5%])

• V-204429
  • Title: The Red Hat Enterprise Linux operating system must be configured so that users must provide a password for privilege escalation.
  • NOTE: Automatically remediating this could cause some automated processes that require root access to fail. Since this will be site-specific this will not be enforced.
• V-204438
  • Title: Red Hat Enterprise Linux operating systems version 7.2 or newer with a Basic Input/Output System (BIOS) must require authentication upon booting into single-user and maintenance modes.
  • NOTE: Configuring this would require user input for a password. The product does not currently support user input.
• V-204440
  • Title: Red Hat Enterprise Linux operating systems version 7.2 or newer using Unified Extensible Firmware Interface (UEFI) must require authentication upon booting into single-user and maintenance modes.
  • NOTE: Configuring this would require user input for a password. The product does not currently support user input.
• V-204458
  • Title: The Red Hat Enterprise Linux operating system must be a vendor supported release.
  • NOTE: If this check fails then the scan was not run on a supported RHEL Linux 7 operating system.
• V-204487
  • Title: The Red Hat Enterprise Linux operating system must be configured so that all world-writable directories are group-owned by root, sys, bin, or an application group.
  • NOTE: We do not currently have a mechanism for scanning the filesystem for enforcement.
• V-204493
  • Title: The Red Hat Enterprise Linux operating system must be configured so that a separate file system is used for user home directories (such as /home or an equivalent).
  • NOTE: The product does not manage the /home mount because it is unsafe to change /home to a separate mountpoint on a running system.
• V-204494
  • Title: The Red Hat Enterprise Linux operating system must use a separate file system for /var.
  • NOTE: The product does not manage the /var mount because it is unsafe to change /var to a separate mountpoint on a running system.
• V-204495
  • Title: The Red Hat Enterprise Linux operating system must use a separate file system for the system audit data path.
  • NOTE: The product does not manage mounts because it is unsafe to change mounts to a separate mountpoint on a running system.
• V-214799
  • Title: The Red Hat Enterprise Linux operating system must be configured so that the cryptographic hash of system files and commands matches vendor values.
  • NOTE: We do not currently have a mechanism for scanning the filesystem for enforcement.

    RedHat 8 (20/231 [8%])

• V-230221
  • Title: RHEL 8 must be a vendor-supported release.
  • NOTE: If this check fails then the scan was not run on a supported RHEL Linux 8 operating system.
• V-230232
  • Title: RHEL 8 must employ FIPS 140-2 approved cryptographic hashing algorithms for all stored passwords.
  • NOTE: Locking a user due to inappropriate encryption is not currently available in simp. A mechanism to address this rule will be implemented in a future release.
• V-230238
  • Title: RHEL 8 must prevent system daemons from using Kerberos for authentication.
  • NOTE: We do not currently have a mechanism for scanning the filesystem for enforcement.
• V-230255
  • Title: The RHEL 8 operating system must implement DoD-approved TLS encryption in the OpenSSL package.
  • NOTE: There is currently no mechanism to control the content of /etc/crypto-policies/back-ends/opensslcnf.config. One may be implemented in the future.
• V-230257
  • Title: RHEL 8 system commands must have mode 755 or less permissive.
  • NOTE: We do not currently have a mechanism for scanning the filesystem’s for enforcement.
• V-230258
  • Title: RHEL 8 system commands must be owned by root.
  • NOTE: We do not currently have a mechanism for scanning the filesystem’s for enforcement.
• V-230259
  • Title: RHEL 8 system commands must be group-owned by root or a system account.
  • NOTE: We do not currently have a mechanism for scanning the filesystem’s for enforcement.
• V-230292
  • Title: RHEL 8 must use a separate file system for /var.
  • NOTE: There is no way to safely change this on a running system.
• V-230294
  • Title: RHEL 8 must use a separate file system for the system audit data path.
  • NOTE: There is no way to safely change this on a running system.
• V-230301
  • Title: RHEL 8 must prevent special devices on non-root local partitions.
  • NOTE: There is no way to safely change this on a running system.
• V-230307
  • Title: RHEL 8 must prevent special devices on file systems that are imported via Network File System (NFS).
  • NOTE: There is no way to safely change this on a running system.
• V-230472
  • Title: RHEL 8 audit tools must have a mode of 0755 or less permissive.
  • NOTE: There is currently no way for the product to extrapolate which audit tools are installed on the system. Since there is no way to know which tools are in use, permissions for those tools won’t be controlled by the product.
• V-230473
  • Title: RHEL 8 audit tools must be owned by root.
  • NOTE: There is currently no way for the product to extrapolate which audit tools are installed on the system. Since there is no way to know which tools are in use, permissions for those tools won’t be controlled by the product.
• V-230474
  • Title: RHEL 8 audit tools must be group-owned by root.
  • NOTE: There is currently no way for the product to extrapolate which audit tools are installed on the system. Since there is no way to know which tools are in use, permissions for those tools won’t be controlled by the product.
• V-230514
  • Title: RHEL 8 must mount /var/log with the nodev option.
  • NOTE: The product doesn’t configure mountpoints due various data access issues that could happen.
• V-230515
  • Title: RHEL 8 must mount /var/log with the nosuid option.
  • NOTE: The product doesn’t configure mountpoints due various data access issues that could happen.
• V-230516
  • Title: RHEL 8 must mount /var/log with the noexec option.
  • NOTE: The product doesn’t configure mountpoints due various data access issues that could happen.
• V-230517
  • Title: RHEL 8 must mount /var/log/audit with the nodev option.
  • NOTE: The product doesn’t configure mountpoints due various data access issues that could happen.
• V-230518
  • Title: RHEL 8 must mount /var/log/audit with the nosuid option.
  • NOTE: The product doesn’t configure mountpoints due various data access issues that could happen.
• V-230519
  • Title: RHEL 8 must mount /var/log/audit with the noexec option.
  • NOTE: The product doesn’t configure mountpoints due various data access issues that could happen.

Mapped

The following controls are mapped:

OracleLinux 7 (149/158 [94%])

• V-221654
  • Title: The Oracle Linux operating system must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a graphical user logon.
• V-221657
  • Title: The Oracle Linux operating system must enable a user session lock until that user re-establishes access using established identification and authentication procedures.
• V-221658
  • Title: The Oracle Linux operating system must uniquely identify and must authenticate users using multifactor authentication via a graphical user logon.
• V-221660
  • Title: The Oracle Linux operating system must initiate a screensaver after a 15-minute period of inactivity for graphical user interfaces.
• V-221661
  • Title: The Oracle Linux operating system must prevent a user from overriding the screensaver lock-delay setting for the graphical user interface.
• V-221664
  • Title: The Oracle Linux operating system must initiate a session lock for the screensaver after a period of inactivity for graphical user interfaces.
• V-221665
  • Title: The Oracle Linux operating system must prevent a user from overriding the screensaver idle-activation-enabled setting for the graphical user interface.
• V-221666
  • Title: The Oracle Linux operating system must initiate a session lock for graphical user interfaces when the screensaver is activated.
• V-221667
  • Title: The Oracle Linux operating system must be configured so that /etc/pam.d/passwd implements /etc/pam.d/system-auth when changing passwords.
• V-221668
  • Title: The Oracle Linux operating system must be configured so that when passwords are changed or new passwords are established, pwquality must be used.
• V-221669
  • Title: The Oracle Linux operating system must be configured so that when passwords are changed or new passwords are established, the new password must contain at least one upper-case character.
• V-221670
  • Title: The Oracle Linux operating system must be configured so that when passwords are changed or new passwords are established, the new password must contain at least one lower-case character.
• V-221671
  • Title: The Oracle Linux operating system must be configured so that when passwords are changed or new passwords are assigned, the new password must contain at least one numeric character.
• V-221672
  • Title: The Oracle Linux operating system must be configured so that when passwords are changed or new passwords are established, the new password must contain at least one special character.
• V-221673
  • Title: The Oracle Linux operating system must be configured so that when passwords are changed a minimum of eight of the total number of characters must be changed.
• V-221674
  • Title: The Oracle Linux operating system must be configured so that when passwords are changed a minimum of four character classes must be changed.
• V-221675
  • Title: The Oracle Linux operating system must be configured so that when passwords are changed the number of repeating consecutive characters must not be more than three characters.
• V-221676
  • Title: The Oracle Linux operating system must be configured so that when passwords are changed the number of repeating characters of the same character class must not be more than four characters.
• V-221677
  • Title: The Oracle Linux operating system must be configured so that the PAM system service is configured to store only encrypted representations of passwords.
• V-221678
  • Title: The Oracle Linux operating system must be configured to use the shadow file to store only encrypted representations of passwords.
• V-221680
  • Title: The Oracle Linux operating system must be configured so that user and group account administration utilities are configured to store only encrypted representations of passwords.
• V-221681
  • Title: The Oracle Linux operating system must be configured so that passwords for new users are restricted to a 24 hours/1 day minimum lifetime.
  • NOTE: We do not currently have the ability to identify and remediate existing users who do not have this set appropriately, only new users.
• V-221682
  • Title: The Oracle Linux operating system must be configured so that passwords are restricted to a 24 hours/1 day minimum lifetime.
  • NOTE: We do not currently have the ability to identify and remediate existing users who do not have this set appropriately, only new users.
• V-221683
  • Title: The Oracle Linux operating system must be configured so that passwords for new users are restricted to a 60-day maximum lifetime.
  • NOTE: We do not currently have the ability to identify and remediate existing users who do not have this set appropriately, only new users.
• V-221684
  • Title: The Oracle Linux operating system must be configured so that existing passwords are restricted to a 60-day maximum lifetime.
  • NOTE: We do not currently have the ability to identify and remediate existing users who do not have this set appropriately, only new users.
• V-221685
  • Title: The Oracle Linux operating system must be configured so that passwords are prohibited from reuse for a minimum of five generations.
• V-221686
  • Title: The Oracle Linux operating system must be configured so that passwords are a minimum of 15 characters in length.
• V-221687
  • Title: The Oracle Linux operating system must not allow accounts configured with blank or null passwords.
• V-221688
  • Title: The Oracle Linux operating system must be configured so that the SSH daemon does not allow authentication using an empty password.
• V-221689
  • Title: The Oracle Linux operating system must disable account identifiers (individuals, groups, roles, and devices) if the password expires.
• V-221693
  • Title: The Oracle Linux operating system must be configured so that the delay between logon prompts following a failed console logon attempt is at least four seconds.
• V-221694
  • Title: The Oracle Linux operating system must not allow an unattended or automatic logon to the system via a graphical user interface.
• V-221695
  • Title: The Oracle Linux operating system must not allow an unrestricted logon to the system.
• V-221696
  • Title: The Oracle Linux operating system must not allow users to override SSH environment variables.
• V-221697
  • Title: The Oracle Linux operating system must not allow a non-certificate trusted host SSH logon to the system.
• V-221699
  • Title: The Oracle Linux operating system must require authentication upon booting into single-user and maintenance modes.
• V-221704
  • Title: The Oracle Linux operating system must not have the rsh-server package installed.
• V-221705
  • Title: The Oracle Linux operating system must not have the ypserv package installed.
• V-221708
  • Title: The Oracle Linux operating system must be configured so that a file integrity tool verifies the baseline operating system configuration at least weekly.
• V-221710
  • Title: The Oracle Linux operating system must prevent the installation of software, patches, service packs, device drivers, or operating system components from a repository without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization.
  • NOTE: Enabling gpgcheck globally is as close as we can get for this check, users may require access to private repos that might not have encryption set up appropriately.
• V-221711
  • Title: The Oracle Linux operating system must prevent the installation of software, patches, service packs, device drivers, or operating system components of local packages without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization.
  • NOTE: Enabling gpgcheck globally is as close as we can get for this check, users may require access to private repos that might not have encryption set up appropriately.
• V-221712
  • Title: The Oracle Linux operating system must be configured to disable USB mass storage.
• V-221713
  • Title: The Oracle Linux operating system must be configured so that the Datagram Congestion Control Protocol (DCCP) kernel module is disabled unless required.
• V-221714
  • Title: The Oracle Linux operating system must disable the file system automounter unless required.
• V-221715
  • Title: The Oracle Linux operating system must remove all software components after updated versions have been installed.
• V-221718
  • Title: The Oracle Linux operating system must define default permissions for all authenticated users in such a way that the user can only read and modify their own files.
• V-221722
  • Title: The Oracle Linux operating system must be configured so that all Group Identifiers (GIDs) referenced in the /etc/passwd file are defined in the /etc/group file.
• V-221723
  • Title: The Oracle Linux operating system must be configured so that the root account must be the only account having unrestricted access to the system.
• V-221727
  • Title: The Oracle Linux operating system must be configured so that all local interactive user accounts, upon creation, are assigned a home directory.
• V-221728
  • Title: The Oracle Linux operating system must be configured so that all local interactive users have a home directory assigned and defined in the /etc/passwd file.
• V-221743
  • Title: The Oracle Linux operating system must prevent files with the setuid and setgid bit set from being executed on file systems that are being imported via Network File System (NFS).
• V-221744
  • Title: The Oracle Linux operating system must prevent binary files from being executed on file systems that are being imported via Network File System (NFS).
• V-221751
  • Title: The Oracle Linux operating system must be configured so that the cron.allow file, if it exists, is owned by root.
• V-221752
  • Title: The Oracle Linux operating system must be configured so that the cron.allow file, if it exists, is group-owned by root.
• V-221757
  • Title: The Oracle Linux operating system must use a separate file system for /tmp (or equivalent).
  • NOTE: There is no way to safely change this on a running system.
• V-221758
  • Title: The Oracle Linux operating system must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.
  • NOTE: If the simp_options value for this is implemented in a standalone environment that does not use a full implementation of simp, the hieradata suggested to remediate this will not actually make any relevant changes to the system. This will be addressed in a later release.
• V-221763
  • Title: The Oracle Linux operating system must not have the telnet-server package installed.
• V-221764
  • Title: The Oracle Linux operating system must be configured so that auditing is configured to produce records containing information to establish what type of events occurred, where the events occurred, the source of the events, and the outcome of the events. These audit records must also identify individual identities of group account users.
• V-221765
  • Title: The Oracle Linux operating system must shut down upon audit processing failure, unless availability is an overriding concern. If availability is a concern, the system must alert the designated staff (System Administrator [SA] and Information System Security Officer [ISSO] at a minimum) in the event of an audit processing failure.
• V-221767
  • Title: The Oracle Linux operating system must be configured to off-load audit logs onto a different system or storage media from the system being audited.
  • NOTE: Audit logs will be offloaded via syslog by default rather than utilizing audisp
• V-221768
  • Title: The Oracle Linux operating system must take appropriate action when the remote logging buffer is full.
• V-221769
  • Title: The Oracle Linux operating system must label all off-loaded audit logs before sending them to the central log server.
• V-221770
  • Title: The Oracle Linux operating system must off-load audit records onto a different system or media from the system being audited.
  • NOTE: TLS will be turned on in syslog, which will ensure log transmissions are encrypted
• V-221771
  • Title: The Oracle Linux operating system must encrypt the transfer of audit records off-loaded onto a different system or media from the system being audited.
  • NOTE: TLS will be turned on in syslog, which will ensure log transmissions are encrypted
• V-221772
  • Title: The Oracle Linux operating system must be configured so that the audit system takes appropriate action when the audit storage volume is full.
  • NOTE: Audit logs will be offloaded via syslog by default rather than utilizing audisp
• V-221773
  • Title: The Oracle Linux operating system must be configured so that the audit system takes appropriate action when there is an error sending audit records to a remote system.
  • NOTE: The system will be set up to go directly to syslog by default rather than falling back to it if auditd is enabled
• V-221775
  • Title: The Oracle Linux operating system must immediately notify the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) via email when the threshold for the repository maximum audit record storage capacity is reached.
• V-221776
  • Title: The Oracle Linux operating system must immediately notify the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) when the threshold for the repository maximum audit record storage capacity is reached.
• V-221777
  • Title: The Oracle Linux operating system must audit all executions of privileged functions.
• V-221778
  • Title: The Oracle Linux operating system must audit all uses of the chown, fchown, fchownat, and lchown syscalls.
• V-221782
  • Title: The Oracle Linux operating system must audit all uses of the chmod, fchmod, and fchmodat syscalls.
• V-221785
  • Title: The Oracle Linux operating system must audit all uses of the setxattr, fsetxattr, lsetxattr, removexattr, fremovexattr, and lremovexattr syscalls.
• V-221792
  • Title: The Oracle Linux operating system must audit all uses of the creat, open, openat, open_by_handle_at, truncate, and ftruncate syscalls.
• V-221797
  • Title: The Oracle Linux operating system must audit all uses of the semanage command.
• V-221798
  • Title: The Oracle Linux operating system must audit all uses of the setsebool command.
• V-221799
  • Title: The Oracle Linux operating system must audit all uses of the chcon command.
• V-221800
  • Title: The Oracle Linux operating system must audit all uses of the setfiles command.
• V-221801
  • Title: The Oracle Linux operating system must generate audit records for all unsuccessful account access events.
• V-221802
  • Title: The Oracle Linux operating system must generate audit records for all successful account access events.
• V-221803
  • Title: The Oracle Linux operating system must audit all uses of the passwd command.
• V-221804
  • Title: The Oracle Linux operating system must audit all uses of the unix_chkpwd command.
• V-221805
  • Title: The Oracle Linux operating system must audit all uses of the gpasswd command.
• V-221806
  • Title: The Oracle Linux operating system must audit all uses of the chage command.
• V-221807
  • Title: The Oracle Linux operating system must audit all uses of the userhelper command.
• V-221808
  • Title: The Oracle Linux operating system must audit all uses of the su command.
• V-221809
  • Title: The Oracle Linux operating system must audit all uses of the sudo command.
• V-221810
  • Title: The Oracle Linux operating system must audit all uses of the sudoers file and all files in the /etc/sudoers.d/ directory.
• V-221811
  • Title: The Oracle Linux operating system must audit all uses of the newgrp command.
• V-221812
  • Title: The Oracle Linux operating system must audit all uses of the chsh command.
• V-221813
  • Title: The Oracle Linux operating system must audit all uses of the mount command and syscall.
• V-221814
  • Title: The Oracle Linux operating system must audit all uses of the umount command.
• V-221815
  • Title: The Oracle Linux operating system must audit all uses of the postdrop command.
• V-221816
  • Title: The Oracle Linux operating system must audit all uses of the postqueue command.
• V-221817
  • Title: The Oracle Linux operating system must audit all uses of the ssh-keysign command.
• V-221818
  • Title: The Oracle Linux operating system must audit all uses of the crontab command.
• V-221819
  • Title: The Oracle Linux operating system must audit all uses of the pam_timestamp_check command.
• V-221820
  • Title: The Oracle Linux operating system must audit all uses of the create_module syscall.
• V-221821
  • Title: The Oracle Linux operating system must audit all uses of the init_module and finit_module syscalls.
• V-221823
  • Title: The Oracle Linux operating system must audit all uses of the delete_module syscall.
• V-221824
  • Title: The Oracle Linux operating system must audit all uses of the kmod command.
• V-221825
  • Title: The Oracle Linux operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd.
• V-221826
  • Title: The Oracle Linux operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/group.
• V-221827
  • Title: The Oracle Linux operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/gshadow.
• V-221828
  • Title: The Oracle Linux operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow.
• V-221829
  • Title: The Oracle Linux operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/security/opasswd.
• V-221833
  • Title: The Oracle Linux operating system must audit all uses of the unlink, unlinkat, rename, renameat, and rmdir syscalls.
• V-221838
  • Title: The Oracle Linux operating system must limit the number of concurrent sessions to 10 for all accounts and/or account types.
• V-221840
  • Title: The Oracle Linux 7 operating system must implement DoD-approved encryption to protect the confidentiality of SSH connections.
• V-221846
  • Title: The Oracle Linux operating system must implement virtual address space randomization.
• V-221847
  • Title: The Oracle Linux operating system must be configured so that all networked systems have SSH installed.
• V-221849
  • Title: The Oracle Linux operating system must be configured so that all network connections associated with SSH traffic are terminated at the end of the session or after 10 minutes of inactivity, except to fulfill documented and validated mission requirements.
• V-221850
  • Title: The Oracle Linux operating system must be configured so that the SSH daemon does not allow authentication using RSA rhosts authentication.
• V-221851
  • Title: The Oracle Linux operating system must be configured so that all network connections associated with SSH traffic terminate after a period of inactivity.
• V-221852
  • Title: The Oracle Linux operating system must be configured so that the SSH daemon does not allow authentication using rhosts authentication.
• V-221853
  • Title: The Oracle Linux operating system must display the date and time of the last successful account logon upon an SSH logon.
• V-221854
  • Title: The Oracle Linux operating system must not permit direct logons to the root account using remote access via SSH.
• V-221855
  • Title: The Oracle Linux operating system must be configured so that the SSH daemon does not allow authentication using known hosts authentication.
• V-221856
  • Title: The Oracle Linux operating system must be configured so that the SSH daemon is configured to only use the SSHv2 protocol.
• V-221857
  • Title: The Oracle Linux operating system must be configured so that the SSH daemon is configured to only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms.
• V-221858
  • Title: The Oracle Linux operating system must be configured so that the SSH public host key files have mode 0644 or less permissive.
• V-221859
  • Title: The Oracle Linux operating system must be configured so the SSH private host key files have mode 0600 or less permissive.
• V-221860
  • Title: The Oracle Linux operating system must be configured so that the SSH daemon does not permit Generic Security Service Application Program Interface (GSSAPI) authentication unless needed.
• V-221861
  • Title: The Oracle Linux operating system must be configured so that the SSH daemon does not permit Kerberos authentication unless needed.
• V-221862
  • Title: The Oracle Linux operating system must be configured so that the SSH daemon performs strict mode checking of home directory configuration files.
• V-221863
  • Title: The Oracle Linux operating system must be configured so that the SSH daemon uses privilege separation.
• V-221864
  • Title: The Oracle Linux operating system must be configured so that the SSH daemon does not allow compression or only allows compression after successful authentication.
• V-221869
  • Title: The Oracle Linux operating system must display the date and time of the last successful account logon upon logon.
  • *NOTE: This check will fail if there is a commented out line that looks like “#PrintLastLog = " even if the correct value of "PrintLastLog = true" exists in the /etc/ssh/sshd_config file.*
• V-221870
  • Title: The Oracle Linux operating system must not contain .shosts files.
  • NOTE: We do not currently have a mechanism for scanning the filesystem for enforcement.
• V-221871
  • Title: The Oracle Linux operating system must not contain shosts.equiv files.
• V-221872
  • Title: For Oracle Linux operating systems using DNS resolution, at least two name servers must be configured.
• V-221873
  • Title: The Oracle Linux operating system must not forward Internet Protocol version 4 (IPv4) source-routed packets.
• V-221876
  • Title: The Oracle Linux operating system must not forward Internet Protocol version 4 (IPv4) source-routed packets by default.
• V-221877
  • Title: The Oracle Linux operating system must not respond to Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) echoes sent to a broadcast address.
• V-221878
  • Title: The Oracle Linux operating system must prevent Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages from being accepted.
• V-221879
  • Title: The Oracle Linux operating system must ignore Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages.
• V-221880
  • Title: The Oracle Linux operating system must not allow interfaces to perform Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirects by default.
• V-221881
  • Title: The Oracle Linux operating system must not send Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirects.
• V-221884
  • Title: The Oracle Linux operating system must not have a File Transfer Protocol (FTP) server package installed unless needed.
• V-221885
  • Title: The Oracle Linux operating system must not have the Trivial File Transfer Protocol (TFTP) server package installed if not required for operational support.
• V-221886
  • Title: The Oracle Linux operating system must be configured so that remote X connections are disabled, unless to fulfill documented and validated mission requirements.
• V-221888
  • Title: The Oracle Linux operating system must not have a graphical display manager installed unless approved.
• V-221889
  • Title: The Oracle Linux operating system must not be performing packet forwarding unless the system is a router.
• V-221891
  • Title: SNMP community strings on the Oracle Linux operating system must be changed from the default.
• V-221894
  • Title: The Oracle Linux operating system must not forward IPv6 source-routed packets.
• V-221895
  • Title: The Oracle Linux operating system must have the required packages for multifactor authentication installed.
  • NOTE: If the simp_options value for this is implemented in a standalone environment that does not use a full implementation of simp, the hieradata suggested to remediate this will not actually make any relevant changes to the system. This will be addressed in a later release.
• V-221896
  • Title: The Oracle Linux operating system must implement multifactor authentication for access to privileged accounts via pluggable authentication modules (PAM).
  • NOTE: If the simp_options value for this is implemented in a standalone environment that does not use a full implementation of simp, the hieradata suggested to remediate this will not actually make any relevant changes to the system. This will be addressed in a later release.
• V-221897
  • Title: The Oracle Linux operating system must implement certificate status checking for PKI authentication.
  • NOTE: If the simp_options value for this is implemented in a standalone environment that does not use a full implementation of simp, the hieradata suggested to remediate this will not actually make any relevant changes to the system. This will be addressed in a later release.
• V-237628
  • Title: The Oracle Linux operating system must use the invoking user’s password for privilege escalation when using “sudo”.
• V-237629
  • Title: The Oracle Linux operating system must require re-authentication when using the “sudo” command.

    OracleLinux 8 (224/242 [92%])

• V-248519
  • Title: The OL 8 audit package must be installed.
• V-248520
  • Title: OL 8 audit records must contain information to establish what type of events occurred, the source of events, where events occurred, and the outcome of events.
• V-248524
  • Title: OL 8 must implement NIST FIPS-validated cryptography for the following: To provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.
  • NOTE: Fips mode is enabled as requested by this rule, however, the scan still fails.
• V-248527
  • Title: OL 8 must display a banner before granting local or remote access to the system via a graphical user logon.
• V-248533
  • Title: OL 8 must encrypt all stored passwords with a FIPS 140-2 approved cryptographic hashing algorithm.
• V-248535
  • Title: The OL 8 shadow password suite must be configured to use a sufficient number of hashing rounds.
• V-248537
  • Title: OL 8 operating systems booted with United Extensible Firmware Interface (UEFI) must require authentication upon booting into single-user mode and maintenance.
• V-248541
  • Title: OL 8 operating systems must require authentication upon booting into rescue mode.
• V-248542
  • Title: OL 8 operating systems must require authentication upon booting into emergency mode.
• V-248543
  • Title: The OL 8 “pam_unix.so” module must be configured in the system-auth file to use a FIPS 140-2 approved cryptographic hashing algorithm for system authentication.
• V-248544
  • Title: The OL 8 “pam_unix.so” module must be configured in the password-auth file to use a FIPS 140-2 approved cryptographic hashing algorithm for system authentication.
• V-248546
  • Title: The krb5-workstation package must not be installed on OL 8.
• V-248547
  • Title: The krb5-server package must not be installed on OL 8.
• V-248549
  • Title: OL 8 must have the “policycoreutils” package installed.
• V-248552
  • Title: OL 8 must be configured so that all network connections associated with SSH traffic are terminate after a period of inactivity.
• V-248554
  • Title: The OL 8 “/var/log/messages” file must have mode 0640 or less permissive.
• V-248555
  • Title: The OL 8 “/var/log/messages” file must be owned by root.
• V-248556
  • Title: The OL 8 “/var/log/messages” file must be group-owned by root.
• V-248557
  • Title: The OL 8 “/var/log” directory must have mode 0755 or less permissive.
• V-248558
  • Title: The OL 8 “/var/log” directory must be owned by root.
• V-248559
  • Title: The OL 8 “/var/log” directory must be group-owned by root.
• V-248563
  • Title: The OL 8 SSH server must be configured to use strong entropy.
• V-248574
  • Title: YUM must be configured to prevent the installation of patches, service packs, device drivers, or OL 8 system components that have not been digitally signed using a certificate that is recognized and approved by the organization.
  • NOTE: Enabling gpgcheck globally is as close as we can get for this check, users may require access to private repos that might not have encryption set up appropriately.
• V-248575
  • Title: OL 8 must prevent the installation of software, patches, service packs, device drivers, or operating system components of local packages without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization.
  • NOTE: Enabling gpgcheck globally is as close as we can get for this check, users may require access to private repos that might not have encryption set up appropriately.
• V-248576
  • Title: OL 8 must prevent the loading of a new kernel for later execution.
• V-248577
  • Title: OL 8 must enable kernel parameters to enforce Discretionary Access Control (DAC) on symlinks.
• V-248578
  • Title: OL 8 must enable kernel parameters to enforce Discretionary Access Control (DAC) on hardlinks.
• V-248579
  • Title: OL 8 must restrict access to the kernel message buffer.
• V-248580
  • Title: OL 8 must prevent kernel profiling by unprivileged users.
• V-248581
  • Title: OL 8 must require users to provide a password for privilege escalation.
  • NOTE: Users had to make a conscious decision to set “NOPASSWD” in sudoers on a running system. Automatically undoing these settings could negatively impact the system.
• V-248582
  • Title: OL 8 must require users to reauthenticate for privilege escalation and changing roles.
  • NOTE: Enforcing this rule will only remove !authenticate from the /etc/sudoers file. Any custom files within /etc/sudoers.d will not be modified.
• V-248583
  • Title: OL 8 must restrict privilege elevation to authorized personnel.
  • NOTE: There is currently no mechanisme in the product to remove all occurrences of ‘ALL’ from sudoers. A mechanism to report, but not change, the existence of this statement in sudoers will be implemented in a future release.
• V-248584
  • Title: OL 8 must use the invoking user’s password for privilege escalation when using “sudo”.
  • NOTE: Automatically remediating this could cause some automated processes that require root access to fail. Since this will be site-specific this will not be enforced.
• V-248585
  • Title: OL 8 must require re-authentication when using the “sudo” command.
• V-248586
  • Title: OL 8 must have the package required for multifactor authentication installed.
• V-248595
  • Title: YUM must remove all software components after updated versions have been installed on OL 8.
• V-248597
  • Title: There must be no “shosts.equiv” files on the OL 8 operating system.
• V-248601
  • Title: The OL 8 SSH public host key files must have mode “0644” or less permissive.
• V-248602
  • Title: The OL 8 SSH private host key files must have mode “0600” or less permissive.
  • NOTE: The product parses the output of ‘sshd -T’ for the key that the system uses for communication and ensures that key is appropriately protected. The other keys in that location may not have the correct permissions applied. https://github.com/simp/pupmod-simp-ssh/issues/150 has been created to address this issue.
• V-248603
  • Title: The OL 8 SSH daemon must perform strict mode checking of home directory configuration files.
• V-248604
  • Title: The OL 8 SSH daemon must not allow compression or must only allow compression after successful authentication.
• V-248605
  • Title: The OL 8 SSH daemon must not allow authentication using known host’s authentication.
• V-248606
  • Title: The OL 8 SSH daemon must not allow Kerberos authentication, except to fulfill documented and validated mission requirements.
• V-248607
  • Title: The OL 8 SSH daemon must not allow GSSAPI authentication, except to fulfill documented and validated mission requirements.
• V-248608
  • Title: OL 8 must use a separate file system for “/var”.
  • NOTE: There is no way to safely change this on a running system.
• V-248609
  • Title: OL 8 must use a separate file system for “/var/log”.
  • NOTE: There is no way to safely change this on a running system.
• V-248610
  • Title: OL 8 must use a separate file system for the system audit data path.
  • NOTE: There is no way to safely change this on a running system.
• V-248611
  • Title: OL 8 must use a separate file system for “/tmp”.
  • NOTE: There is no way to safely change this on a running system.
• V-248613
  • Title: OL 8 must not permit direct logons to the root account using remote access via SSH.
• V-248615
  • Title: OL 8 must have the rsyslog service enabled and active.
• V-248617
  • Title: OL 8 must prevent files with the setuid and setgid bit set from being executed on the /boot directory.
  • NOTE: The product doesn’t configure mountpoints due various data access issues that could happen.
• V-248624
  • Title: OL 8 file systems must not execute binary files that are imported via Network File System (NFS).
• V-248626
  • Title: OL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that are imported via Network File System (NFS).
  • NOTE: The product doesn’t configure mountpoints due various data access issues that could happen.
• V-248629
  • Title: OL 8 must disable the “kernel.core_pattern”.
  • NOTE: The kernel.yama.ptrace_scope sysctl setting is set to 1 in /etc/sysctl.conf and /etc/sysctl.d/99-sysctl.conf, however, the test is failing still.
• V-248632
  • Title: OL 8 must disable storing core dumps.
• V-248633
  • Title: OL 8 must disable core dump backtraces.
• V-248644
  • Title: All OL 8 local interactive user accounts must be assigned a home directory upon creation.
• V-248649
  • Title: Unattended or automatic logon via the OL 8 graphical user interface must not be allowed.
• V-248650
  • Title: OL 8 must not allow users to override SSH environment variables.
• V-248652
  • Title: OL 8 systems below version 8.2 must automatically lock an account when three unsuccessful logon attempts occur.
• V-248653
  • Title: OL 8 systems, versions 8.2 and above, must automatically lock an account when three unsuccessful logon attempts occur.
• V-248654
  • Title: OL 8 systems below version 8.2 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period.
• V-248655
  • Title: OL 8 systems, versions 8.2 and above, must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period.
• V-248656
  • Title: OL 8 systems below version 8.2 must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period.
• V-248657
  • Title: OL 8 systems, versions 8.2 and above, must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period.
• V-248660
  • Title: OL 8 systems below version 8.2 must prevent system messages from being presented when three unsuccessful logon attempts occur.
• V-248661
  • Title: OL 8 systems, versions 8.2 and above, must prevent system messages from being presented when three unsuccessful logon attempts occur.
• V-248662
  • Title: OL 8 systems below version 8.2 must log user name information when unsuccessful logon attempts occur.
• V-248663
  • Title: OL 8 systems, versions 8.2 and above, must log user name information when unsuccessful logon attempts occur.
• V-248664
  • Title: OL 8 systems below version 8.2 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period.
• V-248665
  • Title: OL 8 systems, versions 8.2 and above, must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period.
• V-248666
  • Title: OL 8 must limit the number of concurrent sessions to 10 for all accounts and/or account types.
• V-248674
  • Title: OL 8 must have the tmux package installed.
• V-248675
  • Title: OL 8 must enable a user session lock until that user re-establishes access using established identification and authentication procedures for command line sessions.
  • NOTE: While it won’t explicitly remove tmux from the list of shells, including the useradd class will remove any unapproved shells from /etc/shells, including tmux.
• V-248676
  • Title: OL 8 must ensure session control is automatically started at shell initialization.
  • NOTE: tmux is configured to initialize when the shell is called in /etc/profile.d/tmux_shell.sh, however, the test for this will still fail because the shell initialization script is wrapped inside of an additional if statement that only initializes tmux if the package is installed.
• V-248677
  • Title: OL 8 must prevent users from disabling session control mechanisms.
  • NOTE: While it won’t explicitly remove tmux from the list of shells, including the useradd class will remove any unapproved shells from /etc/shells, including tmux.
• V-248686
  • Title: OL 8 must ensure the password complexity module is enabled in the password-auth file.
• V-248687
  • Title: OL 8 must enforce password complexity by requiring that at least one uppercase character be used.
• V-248688
  • Title: OL 8 must enforce password complexity by requiring that at least one lowercase character be used.
• V-248689
  • Title: OL 8 must enforce password complexity by requiring that at least one numeric character be used.
• V-248690
  • Title: OL 8 must require the maximum number of repeating characters of the same character class be limited to four when passwords are changed.
• V-248691
  • Title: OL 8 must require the maximum number of repeating characters be limited to three when passwords are changed.
• V-248692
  • Title: OL 8 must require the change of at least four character classes when passwords are changed.
• V-248693
  • Title: OL 8 must require the change of at least 8 characters when passwords are changed.
• V-248694
  • Title: OL 8 passwords for new users or password changes must have a 24 hours/1 day minimum password lifetime restriction in “/etc/shadow”.
  • NOTE: We do not currently have the ability to identify and remediate existing users who do not have this set appropriately, only new users.
• V-248695
  • Title: OL 8 passwords for new users or password changes must have a 24 hours/1 day minimum password lifetime restriction in “/etc/logins.def”.
  • NOTE: We do not currently have the ability to identify and remediate existing users who do not have this set appropriately, only new users.
• V-248696
  • Title: OL 8 user account passwords must have a 60-day maximum password lifetime restriction.
• V-248698
  • Title: OL 8 must be configured in the password-auth file to prohibit password reuse for a minimum of five generations.
• V-248699
  • Title: OL 8 passwords must have a minimum of 15 characters.
• V-248700
  • Title: OL 8 passwords for new users must have a minimum of 15 characters.
• V-248705
  • Title: The OL 8 lastlog command must have a mode of “0750” or less permissive.
• V-248706
  • Title: The OL 8 lastlog command must be owned by root.
• V-248707
  • Title: The OL 8 lastlog command must be group-owned by root.
• V-248709
  • Title: All OL 8 passwords must contain at least one special character.
• V-248711
  • Title: OL 8 must prevent the use of dictionary words for passwords.
• V-248712
  • Title: OL 8 must enforce a delay of at least four seconds between logon prompts following a failed logon attempt.
• V-248714
  • Title: OL 8 must not allow accounts configured with blank or null passwords.
• V-248715
  • Title: OL 8 must not allow blank or null passwords in the system-auth file.
• V-248716
  • Title: OL 8 must not allow blank or null passwords in the password-auth file.
• V-248718
  • Title: OL 8 must display the date and time of the last successful account logon upon an SSH logon.
• V-248719
  • Title: OL 8 default permissions must be defined in such a way that all authenticated users can read and modify only their own files.
• V-248722
  • Title: The OL 8 audit system must be configured to audit the execution of privileged functions and prevent all software from executing at higher privilege levels than users executing the software.
• V-248724
  • Title: The OL 8 System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) must be alerted of an audit processing failure event.
• V-248726
  • Title: The OL 8 System must take appropriate action when an audit processing failure occurs.
• V-248728
  • Title: The OL 8 audit system must take appropriate action when the audit storage volume is full.
• V-248729
  • Title: The OL 8 audit system must audit local events.
• V-248730
  • Title: OL 8 must label all offloaded audit logs before sending them to the central log server.
• V-248731
  • Title: OL 8 must resolve audit information before writing to disk.
• V-248732
  • Title: OL 8 audit logs must have a mode of “0600” or less permissive to prevent unauthorized read access.
• V-248733
  • Title: OL 8 audit logs must be owned by root to prevent unauthorized read access.
• V-248734
  • Title: OL 8 audit logs must be group-owned by root to prevent unauthorized read access.
• V-248735
  • Title: The OL 8 audit log directory must be owned by root to prevent unauthorized read access.
• V-248736
  • Title: The OL 8 audit log directory must be group-owned by root to prevent unauthorized read access.
• V-248737
  • Title: The OL 8 audit log directory must have a mode of 0700 or less permissive to prevent unauthorized read access.
• V-248738
  • Title: The OL 8 audit system must protect auditing rules from unauthorized change.
• V-248739
  • Title: The OL 8 audit system must protect logon UIDs from unauthorized change.
• V-248740
  • Title: OL 8 must generate audit records for all account creation events that affect “/etc/shadow”.
• V-248741
  • Title: OL 8 must generate audit records for all account creation events that affect “/etc/security/opasswd”.
• V-248742
  • Title: OL 8 must generate audit records for all account creation events that affect “/etc/passwd”.
• V-248743
  • Title: OL 8 must generate audit records for all account creation events that affect “/etc/gshadow”.
• V-248744
  • Title: OL 8 must generate audit records for all account creation events that affect “/etc/group”.
• V-248745
  • Title: OL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect “/etc/sudoers”.
• V-248746
  • Title: OL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect “/etc/sudoers.d/”.
• V-248747
  • Title: OL 8 must generate audit records for any use of the “su” command.
• V-248748
  • Title: The OL 8 audit system must be configured to audit any use of the “setxattr”, “fsetxattr”, “lsetxattr”, “removexattr”, “fremovexattr”, and “lremovexattr” system calls.
• V-248753
  • Title: OL 8 must generate audit records for any use of the “chage” command.
• V-248754
  • Title: OL 8 must generate audit records for any uses of the “chcon” command.
• V-248756
  • Title: OL 8 must generate audit records for any use of the “ssh-agent” command.
• V-248757
  • Title: OL 8 must generate audit records for any use of the “passwd” command.
• V-248758
  • Title: OL 8 must generate audit records for any use of the “mount” command.
• V-248759
  • Title: OL 8 must generate audit records for any use of the “umount” command.
• V-248760
  • Title: OL 8 must generate audit records for any use of the “mount” syscall.
• V-248761
  • Title: OL 8 must generate audit records for any use of the “unix_update” command.
• V-248762
  • Title: OL 8 must generate audit records for any use of the “postdrop” command.
• V-248763
  • Title: OL 8 must generate audit records for any use of the “postqueue” command.
• V-248764
  • Title: OL 8 must generate audit records for any use of the “semanage” command.
• V-248765
  • Title: OL 8 must generate audit records for any use of the “setfiles” command.
• V-248766
  • Title: OL 8 must generate audit records for any use of the “userhelper” command.
• V-248767
  • Title: OL 8 must generate audit records for any use of the “setsebool” command.
• V-248768
  • Title: OL 8 must generate audit records for any use of the “unix_chkpwd” command.
• V-248769
  • Title: OL 8 must generate audit records for any use of the “ssh-keysign” command.
• V-248770
  • Title: OL 8 must generate audit records for any use of the “setfacl” command.
• V-248771
  • Title: OL 8 must generate audit records for any use of the “pam_timestamp_check” command.
• V-248772
  • Title: OL 8 must generate audit records for any use of the “newgrp” command.
• V-248773
  • Title: OL 8 must generate audit records for any use of the “init_module” and “finit_module” system calls.
• V-248774
  • Title: OL 8 must generate audit records for any use of the “rename”, “unlink”, “rmdir”, “renameat”, and “unlinkat” system calls.
• V-248779
  • Title: OL 8 must generate audit records for any use of the “gpasswd” command.
• V-248781
  • Title: OL 8 must generate audit records for any use of the delete_module syscall.
• V-248782
  • Title: OL 8 must generate audit records for any use of the “crontab” command.
• V-248783
  • Title: OL 8 must generate audit records for any use of the “chsh” command.
• V-248784
  • Title: OL 8 must generate audit records for any use of the “truncate”, “ftruncate”, “creat”, “open”, “openat”, and “open_by_handle_at” system calls.
• V-248790
  • Title: OL 8 must generate audit records for any use of the “chown”, “fchown”, “fchownat”, and “lchown” system calls.
• V-248791
  • Title: OL 8 must generate audit records for any use of the “chmod”, “fchmod”, and “fchmodat” system calls.
• V-248797
  • Title: OL 8 must generate audit records for any use of the “sudo” command.
• V-248798
  • Title: OL 8 must generate audit records for any use of the “usermod” command.
• V-248799
  • Title: OL 8 must generate audit records for any use of the “chacl” command.
• V-248800
  • Title: OL 8 must generate audit records for any use of the “kmod” command.
• V-248802
  • Title: OL 8 must generate audit records for any attempted modifications to the “lastlog” file.
• V-248806
  • Title: OL 8 must allow only the Information System Security Manager (ISSM) (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited.
  • NOTE: The product will set the mode of the files referenced in this rule to “700” and “600” rather then “750” and “640”. This will lock down the files and keep them secure so only admins and ISSMs can access them.
• V-248812
  • Title: OL 8 must have the packages required for offloading audit logs installed.
• V-248813
  • Title: OL 8 must have the packages required for encrypting offloaded audit logs installed.
• V-248815
  • Title: OL 8 must take appropriate action when the internal event queue is full.
• V-248818
  • Title: OL 8 must take action when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity.
• V-248821
  • Title: OL 8 must disable the chrony daemon from acting as a server.
• V-248822
  • Title: OL 8 must disable network management of the chrony daemon.
• V-248823
  • Title: OL 8 must not have the telnet-server package installed.
• V-248824
  • Title: OL 8 must not have any automated bug reporting tools installed.
• V-248825
  • Title: OL 8 must not have the sendmail package installed.
• V-248827
  • Title: OL 8 must not have the rsh-server package installed.
• V-248829
  • Title: OL 8 must not have the asynchronous transfer mode (ATM) kernel module installed if not required for operational support.
• V-248830
  • Title: OL 8 must not have the Controller Area Network (CAN) kernel module installed if not required for operational support.
• V-248831
  • Title: OL 8 must not have the stream control transmission protocol (SCTP) kernel module installed if not required for operational support.
• V-248832
  • Title: OL 8 must disable the transparent inter-process communication (TIPC) protocol.
• V-248833
  • Title: OL 8 must disable mounting of cramfs.
• V-248834
  • Title: OL 8 must disable IEEE 1394 (FireWire) Support.
• V-248837
  • Title: OL 8 must be configured to disable the ability to use USB mass storage devices.
• V-248840
  • Title: A firewall must be installed on OL 8.
• V-248841
  • Title: A firewall must be active on OL 8.
• V-248843
  • Title: OL 8 Bluetooth must be disabled.
• V-248844
  • Title: OL 8 must mount “/dev/shm” with the “nodev” option.
  • NOTE: The product will control tmp via a bind mount. The scan will fail because it expects tmp to be configured in /etc/fstab.
• V-248845
  • Title: OL 8 must mount “/dev/shm” with the “nosuid” option.
  • NOTE: The product will control tmp via a bind mount. The scan will fail because it expects tmp to be configured in /etc/fstab.
• V-248846
  • Title: OL 8 must mount “/dev/shm” with the “noexec” option.
  • NOTE: The product will control tmp via a bind mount. The scan will fail because it expects tmp to be configured in /etc/fstab.
• V-248847
  • Title: OL 8 must mount “/tmp” with the “nodev” option.
  • NOTE: The product will control tmp via a bind mount. The scan will fail because it expects tmp to be configured in /etc/fstab.
• V-248848
  • Title: OL 8 must mount “/tmp” with the “nosuid” option.
  • NOTE: The product will control tmp via a bind mount. The scan will fail because it expects tmp to be configured in /etc/fstab.
• V-248849
  • Title: OL 8 must mount “/tmp” with the “noexec” option.
  • NOTE: The product will control tmp via a bind mount. The scan will fail because it expects tmp to be configured in /etc/fstab.
• V-248856
  • Title: OL 8 must mount “/var/tmp” with the “nodev” option.
  • NOTE: The product will control tmp via a bind mount. The scan will fail because it expects tmp to be configured in /etc/fstab.
• V-248857
  • Title: OL 8 must mount “/var/tmp” with the “nosuid” option.
  • NOTE: The product will control tmp via a bind mount. The scan will fail because it expects tmp to be configured in /etc/fstab.
• V-248858
  • Title: OL 8 must mount “/var/tmp” with the “noexec” option.
  • NOTE: The product will control tmp via a bind mount. The scan will fail because it expects tmp to be configured in /etc/fstab.
• V-248859
  • Title: The OL 8 “fapolicy” module must be installed.
• V-248862
  • Title: OL 8 must have the USBGuard installed.
• V-248867
  • Title: All OL 8 networked systems must have and implement SSH to protect the confidentiality and integrity of transmitted and received information, as well as information during preparation for transmission.
• V-248868
  • Title: OL 8 must force a frequent session key renegotiation for SSH connections to the server.
• V-248870
  • Title: The x86 Ctrl-Alt-Delete key sequence in OL 8 must be disabled if a graphical user interface is installed.
• V-248871
  • Title: OL 8 must disable the systemd Ctrl-Alt-Delete burst key sequence.
• V-248873
  • Title: The Trivial File Transfer Protocol (TFTP) server package must not be installed if not required for OL 8 operational support.
• V-248874
  • Title: The root account must be the only account having unrestricted access to the OL 8 system.
• V-248875
  • Title: OL 8 must prevent IPv4 Internet Control Message Protocol (ICMP) redirect messages from being accepted.
• V-248876
  • Title: OL 8 must prevent IPv6 Internet Control Message Protocol (ICMP) redirect messages from being accepted.
• V-248877
  • Title: OL 8 must not send Internet Control Message Protocol (ICMP) redirects.
• V-248878
  • Title: OL 8 must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address.
• V-248879
  • Title: OL 8 must not forward IPv4 source-routed packets.
• V-248880
  • Title: OL 8 must not forward IPv6 source-routed packets.
• V-248881
  • Title: OL 8 must not forward IPv4 source-routed packets by default.
• V-248882
  • Title: OL 8 must not forward IPv6 source-routed packets by default.
• V-248883
  • Title: OL 8 must not enable IPv6 packet forwarding unless the system is a router.
• V-248884
  • Title: OL 8 must not accept router advertisements on all IPv6 interfaces.
• V-248885
  • Title: OL 8 must not accept router advertisements on all IPv6 interfaces by default.
• V-248886
  • Title: OL 8 must not allow interfaces to perform Internet Control Message Protocol (ICMP) redirects by default.
• V-248887
  • Title: OL 8 must ignore IPv4 Internet Control Message Protocol (ICMP) redirect messages.
• V-248888
  • Title: OL 8 must ignore IPv6 Internet Control Message Protocol (ICMP) redirect messages.
• V-248889
  • Title: OL 8 must disable access to the network “bpf” syscall from unprivileged processes.
  • NOTE: The kernel.yama.ptrace_scope sysctl setting is set to 1 in /etc/sysctl.conf and /etc/sysctl.d/99-sysctl.conf, however, the test is failing still.
• V-248890
  • Title: OL 8 must restrict the use of “ptrace” to descendant processes.
  • NOTE: The kernel.yama.ptrace_scope sysctl setting is set to 1 in /etc/sysctl.conf and /etc/sysctl.d/99-sysctl.conf, however, the test is failing still.
• V-248891
  • Title: OL 8 must restrict exposed kernel pointer addresses access.
  • NOTE: The kernel.yama.ptrace_scope sysctl setting is set to 1 in /etc/sysctl.conf and /etc/sysctl.d/99-sysctl.conf, however, the test is failing still.
• V-248892
  • Title: OL 8 must disable the use of user namespaces.
• V-248893
  • Title: OL 8 must use reverse path filtering on all IPv4 interfaces.
• V-248894
  • Title: OL 8 must enable hardening for the Berkeley Packet Filter Just-in-time compiler.
• V-248895
  • Title: OL 8 must be configured to prevent unrestricted mail relaying.
• V-248900
  • Title: OL 8 remote X connections for interactive users must be disabled unless to fulfill documented and validated mission requirements.
• V-248901
  • Title: The OL 8 SSH daemon must prevent remote hosts from connecting to the proxy display.
• V-248902
  • Title: If the Trivial File Transfer Protocol (TFTP) server is required, the OL 8 TFTP daemon must be configured to operate in secure mode.
• V-248903
  • Title: A File Transfer Protocol (FTP) server package must not be installed unless mission essential on OL 8.
• V-248904
  • Title: OL 8 must not have the “gssproxy” package installed if not required for operational support.
• V-248905
  • Title: OL 8 must not have the “iprutils” package installed if not required for operational support.
• V-248906
  • Title: OL 8 must not have the “tuned” package installed if not required for operational support.

    RedHat 7 (151/160 [94%])

• V-204393
  • Title: The Red Hat Enterprise Linux operating system must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a graphical user logon.
• V-204396
  • Title: The Red Hat Enterprise Linux operating system must enable a user session lock until that user re-establishes access using established identification and authentication procedures.
• V-204397
  • Title: The Red Hat Enterprise Linux operating system must uniquely identify and must authenticate users using multifactor authentication via a graphical user logon.
• V-204398
  • Title: The Red Hat Enterprise Linux operating system must initiate a screensaver after a 15-minute period of inactivity for graphical user interfaces.
• V-204399
  • Title: The Red Hat Enterprise Linux operating system must prevent a user from overriding the screensaver lock-delay setting for the graphical user interface.
• V-204402
  • Title: The Red Hat Enterprise Linux operating system must initiate a session lock for the screensaver after a period of inactivity for graphical user interfaces.
• V-204403
  • Title: The Red Hat Enterprise Linux operating system must prevent a user from overriding the screensaver idle-activation-enabled setting for the graphical user interface.
• V-204404
  • Title: The Red Hat Enterprise Linux operating system must initiate a session lock for graphical user interfaces when the screensaver is activated.
• V-204405
  • Title: The Red Hat Enterprise Linux operating system must be configured so that /etc/pam.d/passwd implements /etc/pam.d/system-auth when changing passwords.
• V-204406
  • Title: The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed or new passwords are established, pwquality must be used.
• V-204407
  • Title: The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed or new passwords are established, the new password must contain at least one upper-case character.
• V-204408
  • Title: The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed or new passwords are established, the new password must contain at least one lower-case character.
• V-204409
  • Title: The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed or new passwords are assigned, the new password must contain at least one numeric character.
• V-204410
  • Title: The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed or new passwords are established, the new password must contain at least one special character.
• V-204411
  • Title: The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed a minimum of eight of the total number of characters must be changed.
• V-204412
  • Title: The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed a minimum of four character classes must be changed.
• V-204413
  • Title: The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed the number of repeating consecutive characters must not be more than three characters.
• V-204414
  • Title: The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed the number of repeating characters of the same character class must not be more than four characters.
• V-204415
  • Title: The Red Hat Enterprise Linux operating system must be configured so that the PAM system service is configured to store only encrypted representations of passwords.
• V-204416
  • Title: The Red Hat Enterprise Linux operating system must be configured to use the shadow file to store only encrypted representations of passwords.
• V-204417
  • Title: The Red Hat Enterprise Linux operating system must be configured so that user and group account administration utilities are configured to store only encrypted representations of passwords.
• V-204418
  • Title: The Red Hat Enterprise Linux operating system must be configured so that passwords for new users are restricted to a 24 hours/1 day minimum lifetime.
  • NOTE: We do not currently have the ability to identify and remediate existing users who do not have this set appropriately, only new users.
• V-204419
  • Title: The Red Hat Enterprise Linux operating system must be configured so that passwords are restricted to a 24 hours/1 day minimum lifetime.
  • NOTE: We do not currently have the ability to identify and remediate existing users who do not have this set appropriately, only new users.
• V-204420
  • Title: The Red Hat Enterprise Linux operating system must be configured so that passwords for new users are restricted to a 60-day maximum lifetime.
  • NOTE: We do not currently have the ability to identify and remediate existing users who do not have this set appropriately, only new users.
• V-204421
  • Title: The Red Hat Enterprise Linux operating system must be configured so that existing passwords are restricted to a 60-day maximum lifetime.
  • NOTE: We do not currently have the ability to identify and remediate existing users who do not have this set appropriately, only new users.
• V-204422
  • Title: The Red Hat Enterprise Linux operating system must be configured so that passwords are prohibited from reuse for a minimum of five generations.
• V-204423
  • Title: The Red Hat Enterprise Linux operating system must be configured so that passwords are a minimum of 15 characters in length.
• V-204424
  • Title: The Red Hat Enterprise Linux operating system must not allow accounts configured with blank or null passwords.
• V-204425
  • Title: The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not allow authentication using an empty password.
• V-204426
  • Title: The Red Hat Enterprise Linux operating system must disable account identifiers (individuals, groups, roles, and devices) if the password expires.
• V-204430
  • Title: The Red Hat Enterprise Linux operating system must be configured so that users must re-authenticate for privilege escalation.
  • NOTE: Enforcing this rule will only remove !authenticate from the /etc/sudoers file. Any custom files within /etc/sudoers.d will not be modified.
• V-204431
  • Title: The Red Hat Enterprise Linux operating system must be configured so that the delay between logon prompts following a failed console logon attempt is at least four seconds.
• V-204432
  • Title: The Red Hat Enterprise Linux operating system must not allow an unattended or automatic logon to the system via a graphical user interface.
• V-204433
  • Title: The Red Hat Enterprise Linux operating system must not allow an unrestricted logon to the system.
• V-204434
  • Title: The Red Hat Enterprise Linux operating system must not allow users to override SSH environment variables.
• V-204435
  • Title: The Red Hat Enterprise Linux operating system must not allow a non-certificate trusted host SSH logon to the system.
• V-204437
  • Title: The Red Hat Enterprise Linux operating system must require authentication upon booting into single-user and maintenance modes.
• V-204442
  • Title: The Red Hat Enterprise Linux operating system must not have the rsh-server package installed.
• V-204443
  • Title: The Red Hat Enterprise Linux operating system must not have the ypserv package installed.
• V-204445
  • Title: The Red Hat Enterprise Linux operating system must be configured so that a file integrity tool verifies the baseline operating system configuration at least weekly.
  • NOTE: This will be set in the root user crontab rather than /etc/cron.daily/aide
• V-204447
  • Title: The Red Hat Enterprise Linux operating system must prevent the installation of software, patches, service packs, device drivers, or operating system components from a repository without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization.
  • NOTE: Enabling gpgcheck globally is as close as we can get for this check, users may require access to private repos that might not have encryption set up appropriately.
• V-204448
  • Title: The Red Hat Enterprise Linux operating system must prevent the installation of software, patches, service packs, device drivers, or operating system components of local packages without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization.
  • NOTE: Enabling gpgcheck globally is as close as we can get for this check, users may require access to private repos that might not have encryption set up appropriately.
• V-204449
  • Title: The Red Hat Enterprise Linux operating system must be configured to disable USB mass storage.
• V-204450
  • Title: The Red Hat Enterprise Linux operating system must be configured so that the Datagram Congestion Control Protocol (DCCP) kernel module is disabled unless required.
• V-204451
  • Title: The Red Hat Enterprise Linux operating system must disable the file system automounter unless required.
• V-204452
  • Title: The Red Hat Enterprise Linux operating system must remove all software components after updated versions have been installed.
• V-204457
  • Title: The Red Hat Enterprise Linux operating system must define default permissions for all authenticated users in such a way that the user can only read and modify their own files.
• V-204461
  • Title: The Red Hat Enterprise Linux operating system must be configured so that all Group Identifiers (GIDs) referenced in the /etc/passwd file are defined in the /etc/group file.
• V-204462
  • Title: The Red Hat Enterprise Linux operating system must be configured so that the root account must be the only account having unrestricted access to the system.
• V-204466
  • Title: The Red Hat Enterprise Linux operating system must be configured so that all local interactive user accounts, upon creation, are assigned a home directory.
• V-204467
  • Title: The Red Hat Enterprise Linux operating system must be configured so that all local interactive users have a home directory assigned and defined in the /etc/passwd file.
• V-204482
  • Title: The Red Hat Enterprise Linux operating system must prevent files with the setuid and setgid bit set from being executed on file systems that are being imported via Network File System (NFS).
• V-204483
  • Title: The Red Hat Enterprise Linux operating system must prevent binary files from being executed on file systems that are being imported via Network File System (NFS).
• V-204490
  • Title: The Red Hat Enterprise Linux operating system must be configured so that the cron.allow file, if it exists, is owned by root.
• V-204491
  • Title: The Red Hat Enterprise Linux operating system must be configured so that the cron.allow file, if it exists, is group-owned by root.
• V-204496
  • Title: The Red Hat Enterprise Linux operating system must use a separate file system for /tmp (or equivalent).
  • NOTE: There is no way to safely change this on a running system.
• V-204497
  • Title: The Red Hat Enterprise Linux operating system must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.
  • NOTE: If the simp_options value for this is implemented in a standalone environment that does not use a full implementation of simp, the hieradata suggested to remediate this will not actually make any relevant changes to the system. This will be addressed in a later release.
• V-204502
  • Title: The Red Hat Enterprise Linux operating system must not have the telnet-server package installed.
• V-204503
  • Title: The Red Hat Enterprise Linux operating system must be configured so that auditing is configured to produce records containing information to establish what type of events occurred, where the events occurred, the source of the events, and the outcome of the events. These audit records must also identify individual identities of group account users.
• V-204504
  • Title: The Red Hat Enterprise Linux operating system must shut down upon audit processing failure, unless availability is an overriding concern. If availability is a concern, the system must alert the designated staff (System Administrator [SA] and Information System Security Officer [ISSO] at a minimum) in the event of an audit processing failure.
• V-204506
  • Title: The Red Hat Enterprise Linux operating system must be configured to off-load audit logs onto a different system or storage media from the system being audited.
  • NOTE: Audit logs will be offloaded via syslog by default rather than utilizing audisp. This check will still fail due to expecting the audispd configuration.
• V-204507
  • Title: The Red Hat Enterprise Linux operating system must take appropriate action when the remote logging buffer is full.
• V-204508
  • Title: The Red Hat Enterprise Linux operating system must label all off-loaded audit logs before sending them to the central log server.
• V-204509
  • Title: The Red Hat Enterprise Linux operating system must off-load audit records onto a different system or media from the system being audited.
  • NOTE: Audit logs will be offloaded via syslog by default rather than utilizing audisp. This check will still fail due to expecting the audispd configuration.
• V-204510
  • Title: The Red Hat Enterprise Linux operating system must encrypt the transfer of audit records off-loaded onto a different system or media from the system being audited.
  • NOTE: TLS will be turned on in syslog, which will ensure log transmissions are encrypted
• V-204511
  • Title: The Red Hat Enterprise Linux operating system must be configured so that the audit system takes appropriate action when the audit storage volume is full.
  • NOTE: Audit logs will be offloaded via syslog by default rather than utilizing audisp.
• V-204512
  • Title: The Red Hat Enterprise Linux operating system must be configured so that the audit system takes appropriate action when there is an error sending audit records to a remote system.
  • NOTE: The system will be set up to go directly to syslog by default rather than falling back to it if auditd is enabled.
• V-204514
  • Title: The Red Hat Enterprise Linux operating system must immediately notify the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) via email when the threshold for the repository maximum audit record storage capacity is reached.
• V-204515
  • Title: The Red Hat Enterprise Linux operating system must immediately notify the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) when the threshold for the repository maximum audit record storage capacity is reached.
• V-204516
  • Title: The Red Hat Enterprise Linux operating system must audit all executions of privileged functions.
• V-204517
  • Title: The Red Hat Enterprise Linux operating system must audit all uses of the chown, fchown, fchownat, and lchown syscalls.
• V-204521
  • Title: The Red Hat Enterprise Linux operating system must audit all uses of the chmod, fchmod, and fchmodat syscalls.
• V-204524
  • Title: The Red Hat Enterprise Linux operating system must audit all uses of the setxattr, fsetxattr, lsetxattr, removexattr, fremovexattr, and lremovexattr syscalls.
• V-204531
  • Title: The Red Hat Enterprise Linux operating system must audit all uses of the creat, open, openat, open_by_handle_at, truncate, and ftruncate syscalls.
• V-204536
  • Title: The Red Hat Enterprise Linux operating system must audit all uses of the semanage command.
• V-204537
  • Title: The Red Hat Enterprise Linux operating system must audit all uses of the setsebool command.
• V-204538
  • Title: The Red Hat Enterprise Linux operating system must audit all uses of the chcon command.
• V-204539
  • Title: The Red Hat Enterprise Linux operating system must audit all uses of the setfiles command.
• V-204540
  • Title: The Red Hat Enterprise Linux operating system must generate audit records for all unsuccessful account access events.
• V-204541
  • Title: The Red Hat Enterprise Linux operating system must generate audit records for all successful account access events.
• V-204542
  • Title: The Red Hat Enterprise Linux operating system must audit all uses of the passwd command.
• V-204543
  • Title: The Red Hat Enterprise Linux operating system must audit all uses of the unix_chkpwd command.
• V-204544
  • Title: The Red Hat Enterprise Linux operating system must audit all uses of the gpasswd command.
• V-204545
  • Title: The Red Hat Enterprise Linux operating system must audit all uses of the chage command.
• V-204546
  • Title: The Red Hat Enterprise Linux operating system must audit all uses of the userhelper command.
• V-204547
  • Title: The Red Hat Enterprise Linux operating system must audit all uses of the su command.
• V-204548
  • Title: The Red Hat Enterprise Linux operating system must audit all uses of the sudo command.
• V-204549
  • Title: The Red Hat Enterprise Linux operating system must audit all uses of the sudoers file and all files in the /etc/sudoers.d/ directory.
• V-204550
  • Title: The Red Hat Enterprise Linux operating system must audit all uses of the newgrp command.
• V-204551
  • Title: The Red Hat Enterprise Linux operating system must audit all uses of the chsh command.
• V-204552
  • Title: The Red Hat Enterprise Linux operating system must audit all uses of the mount command and syscall.
• V-204553
  • Title: The Red Hat Enterprise Linux operating system must audit all uses of the umount command.
• V-204554
  • Title: The Red Hat Enterprise Linux operating system must audit all uses of the postdrop command.
• V-204555
  • Title: The Red Hat Enterprise Linux operating system must audit all uses of the postqueue command.
• V-204556
  • Title: The Red Hat Enterprise Linux operating system must audit all uses of the ssh-keysign command.
• V-204557
  • Title: The Red Hat Enterprise Linux operating system must audit all uses of the crontab command.
• V-204558
  • Title: The Red Hat Enterprise Linux operating system must audit all uses of the pam_timestamp_check command.
• V-204559
  • Title: The Red Hat Enterprise Linux operating system must audit all uses of the create_module syscall.
• V-204560
  • Title: The Red Hat Enterprise Linux operating system must audit all uses of the init_module and finit_module syscalls.
• V-204562
  • Title: The Red Hat Enterprise Linux operating system must audit all uses of the delete_module syscall.
• V-204563
  • Title: The Red Hat Enterprise Linux operating system must audit all uses of the kmod command.
• V-204564
  • Title: The Red Hat Enterprise Linux operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd.
• V-204565
  • Title: The Red Hat Enterprise Linux operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/group.
• V-204566
  • Title: The Red Hat Enterprise Linux operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/gshadow.
• V-204567
  • Title: The Red Hat Enterprise Linux operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow.
• V-204568
  • Title: The Red Hat Enterprise Linux operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/security/opasswd.
• V-204572
  • Title: The Red Hat Enterprise Linux operating system must audit all uses of the unlink, unlinkat, rename, renameat, and rmdir syscalls.
• V-204576
  • Title: The Red Hat Enterprise Linux operating system must limit the number of concurrent sessions to 10 for all accounts and/or account types.
• V-204578
  • Title: The Red Hat Enterprise Linux 7 operating system must implement DoD-approved encryption to protect the confidentiality of SSH connections.
• V-204579
  • Title: The Red Hat Enterprise Linux operating system must be configured so that all network connections associated with a communication session are terminated at the end of the session or after 15 minutes of inactivity from the user at a command prompt, except to fulfill documented and validated mission requirements.

  • *NOTE: The TMOUT value will be set as [ $TMOUT ]

    export TMOUT=900 in /etc/profile.d/simp.sh. The test is only checking for a line starting with TMOUT=[some_value] so it will fail even though the system meets the requirements*

• V-204584
  • Title: The Red Hat Enterprise Linux operating system must implement virtual address space randomization.
• V-204585
  • Title: The Red Hat Enterprise Linux operating system must be configured so that all networked systems have SSH installed.
• V-204587
  • Title: The Red Hat Enterprise Linux operating system must be configured so that all network connections associated with SSH traffic are terminated at the end of the session or after 10 minutes of inactivity, except to fulfill documented and validated mission requirements.
• V-204588
  • Title: The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not allow authentication using RSA rhosts authentication.
• V-204589
  • Title: The Red Hat Enterprise Linux operating system must be configured so that all network connections associated with SSH traffic terminate after a period of inactivity.
• V-204590
  • Title: The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not allow authentication using rhosts authentication.
• V-204591
  • Title: The Red Hat Enterprise Linux operating system must display the date and time of the last successful account logon upon an SSH logon.
• V-204592
  • Title: The Red Hat Enterprise Linux operating system must not permit direct logons to the root account using remote access via SSH.
• V-204593
  • Title: The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not allow authentication using known hosts authentication.
• V-204594
  • Title: The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon is configured to only use the SSHv2 protocol.
• V-204595
  • Title: The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon is configured to only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms.
• V-204596
  • Title: The Red Hat Enterprise Linux operating system must be configured so that the SSH public host key files have mode 0644 or less permissive.
• V-204597
  • Title: The Red Hat Enterprise Linux operating system must be configured so that the SSH private host key files have mode 0600 or less permissive.
• V-204598
  • Title: The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not permit Generic Security Service Application Program Interface (GSSAPI) authentication unless needed.
• V-204599
  • Title: The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not permit Kerberos authentication unless needed.
• V-204600
  • Title: The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon performs strict mode checking of home directory configuration files.
• V-204601
  • Title: The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon uses privilege separation.
• V-204602
  • Title: The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not allow compression or only allows compression after successful authentication.
• V-204605
  • Title: The Red Hat Enterprise Linux operating system must display the date and time of the last successful account logon upon logon.
  • *NOTE: This check will fail if there is a commented out line that looks like “#PrintLastLog = " even if the correct value of "PrintLastLog = true" exists in the /etc/ssh/sshd_config file.*
• V-204606
  • Title: The Red Hat Enterprise Linux operating system must not contain .shosts files.
  • NOTE: We do not currently have a mechanism for scanning the filesystem for enforcement.
• V-204607
  • Title: The Red Hat Enterprise Linux operating system must not contain shosts.equiv files.
• V-204609
  • Title: The Red Hat Enterprise Linux operating system must not forward Internet Protocol version 4 (IPv4) source-routed packets.
• V-204612
  • Title: The Red Hat Enterprise Linux operating system must not forward Internet Protocol version 4 (IPv4) source-routed packets by default.
• V-204613
  • Title: The Red Hat Enterprise Linux operating system must not respond to Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) echoes sent to a broadcast address.
• V-204614
  • Title: The Red Hat Enterprise Linux operating system must prevent Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages from being accepted.
• V-204615
  • Title: The Red Hat Enterprise Linux operating system must ignore Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages.
• V-204616
  • Title: The Red Hat Enterprise Linux operating system must not allow interfaces to perform Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirects by default.
• V-204617
  • Title: The Red Hat Enterprise Linux operating system must not send Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirects.
• V-204620
  • Title: The Red Hat Enterprise Linux operating system must not have a File Transfer Protocol (FTP) server package installed unless needed.
• V-204621
  • Title: The Red Hat Enterprise Linux operating system must not have the Trivial File Transfer Protocol (TFTP) server package installed if not required for operational support.
• V-204622
  • Title: The Red Hat Enterprise Linux operating system must be configured so that remote X connections are disabled except to fulfill documented and validated mission requirements.
• V-204624
  • Title: The Red Hat Enterprise Linux operating system must not have a graphical display manager installed unless approved.
• V-204625
  • Title: The Red Hat Enterprise Linux operating system must not be performing packet forwarding unless the system is a router.
• V-204627
  • Title: SNMP community strings on the Red Hat Enterprise Linux operating system must be changed from the default.
• V-204630
  • Title: The Red Hat Enterprise Linux operating system must not forward IPv6 source-routed packets.
• V-204631
  • Title: The Red Hat Enterprise Linux operating system must have the required packages for multifactor authentication installed.
  • NOTE: If the simp_options value for this is implemented in a standalone environment that does not use a full implementation of simp, the hieradata suggested to remediate this will not actually make any relevant changes to the system. This will be addressed in a later release.
• V-204632
  • Title: The Red Hat Enterprise Linux operating system must implement multifactor authentication for access to privileged accounts via pluggable authentication modules (PAM).
  • NOTE: If the simp_options value for this is implemented in a standalone environment that does not use a full implementation of simp, the hieradata suggested to remediate this will not actually make any relevant changes to the system. This will be addressed in a later release.
• V-204633
  • Title: The Red Hat Enterprise Linux operating system must implement certificate status checking for PKI authentication.
  • NOTE: If the simp_options value for this is implemented in a standalone environment that does not use a full implementation of simp, the hieradata suggested to remediate this will not actually make any relevant changes to the system. This will be addressed in a later release.
• V-237633
  • Title: The Red Hat Enterprise Linux operating system must restrict privilege elevation to authorized personnel.
• V-237634
  • Title: The Red Hat Enterprise Linux operating system must use the invoking user’s password for privilege escalation when using “sudo”.
  • NOTE: Automatically remediating this could cause some automated processes that require root access to fail. Since this will be site-specific this will not be enforced.
• V-237635
  • Title: The Red Hat Enterprise Linux operating system must require re-authentication when using the “sudo” command.

    RedHat 8 (210/231 [90%])

• V-230223
  • Title: RHEL 8 must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.
  • NOTE: Fips mode is enabled as requested by this rule, however, the scan still fails.
• V-230231
  • Title: RHEL 8 must encrypt all stored passwords with a FIPS 140-2 approved cryptographic hashing algorithm.
• V-230233
  • Title: The RHEL 8 shadow password suite must be configured to use a sufficient number of hashing rounds.
• V-230234
  • Title: RHEL 8 operating systems booted with United Extensible Firmware Interface (UEFI) must require authentication upon booting into single-user mode and maintenance.
• V-230235
  • Title: RHEL 8 operating systems booted with a BIOS must require authentication upon booting into single-user and maintenance modes.
  • NOTE: The grub password is set via the password_pbkdf2 parameter, however, the rule explicitly checks for GRUB2_PASSWORD. The grub username and password are being set which meets the requirement of the rule, but the check for the rule is not checking for all possible methods of setting a password for a user.
• V-230236
  • Title: RHEL 8 operating systems must require authentication upon booting into rescue mode.
• V-230237
  • Title: The RHEL 8 pam_unix.so module must be configured in the password-auth file to use a FIPS 140-2 approved cryptographic hashing algorithm for system authentication.
• V-230239
  • Title: The krb5-workstation package must not be installed on RHEL 8.
• V-230241
  • Title: RHEL 8 must have policycoreutils package installed.
• V-230244
  • Title: RHEL 8 must be configured so that all network connections associated with SSH traffic are terminated at the end of the session or after 10 minutes of inactivity, except to fulfill documented and validated mission requirements.
• V-230245
  • Title: The RHEL 8 /var/log/messages file must have mode 0640 or less permissive.
• V-230246
  • Title: The RHEL 8 /var/log/messages file must be owned by root.
• V-230247
  • Title: The RHEL 8 /var/log/messages file must be group-owned by root.
• V-230248
  • Title: The RHEL 8 /var/log directory must have mode 0755 or less permissive.
• V-230249
  • Title: The RHEL 8 /var/log directory must be owned by root.
• V-230250
  • Title: The RHEL 8 /var/log directory must be group-owned by root.
• V-230253
  • Title: RHEL 8 must ensure the SSH server uses strong entropy.
• V-230264
  • Title: RHEL 8 must prevent the installation of software, patches, service packs, device drivers, or operating system components from a repository without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization.
  • NOTE: Enabling gpgcheck globally is as close as we can get for this check, users may require access to private repos that might not have encryption set up appropriately.
• V-230265
  • Title: RHEL 8 must prevent the installation of software, patches, service packs, device drivers, or operating system components of local packages without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization.
  • NOTE: Enabling gpgcheck globally is as close as we can get for this check, users may require access to private repos that might not have encryption set up appropriately.
• V-230266
  • Title: RHEL 8 must prevent the loading of a new kernel for later execution.
• V-230267
  • Title: RHEL 8 must enable kernel parameters to enforce discretionary access control on symlinks.
• V-230268
  • Title: RHEL 8 must enable kernel parameters to enforce discretionary access control on hardlinks.
• V-230269
  • Title: RHEL 8 must restrict access to the kernel message buffer.
• V-230270
  • Title: RHEL 8 must prevent kernel profiling by unprivileged users.
• V-230272
  • Title: RHEL 8 must require users to reauthenticate for privilege escalation.
  • NOTE: Enforcing this rule will only remove !authenticate from the /etc/sudoers file. Any custom files within /etc/sudoers.d will not be modified.
• V-230273
  • Title: RHEL 8 must have the packages required for multifactor authentication installed.
• V-230280
  • Title: RHEL 8 must implement address space layout randomization (ASLR) to protect its memory from unauthorized code execution.
• V-230281
  • Title: YUM must remove all software components after updated versions have been installed on RHEL 8.
• V-230282
  • Title: RHEL 8 must enable the SELinux targeted policy.
• V-230283
  • Title: There must be no shosts.equiv files on the RHEL 8 operating system.
• V-230284
  • Title: There must be no .shosts files on the RHEL 8 operating system.
• V-230286
  • Title: The RHEL 8 SSH public host key files must have mode 0644 or less permissive.
• V-230287
  • Title: The RHEL 8 SSH private host key files must have mode 0600 or less permissive.
  • NOTE: The product parses the output of ‘sshd -T’ for the key that the system uses for communication and ensures that key is appropriately protected. The other keys in that location may not have the correct permissions applied. https://github.com/simp/pupmod-simp-ssh/issues/150 has been created to address this issue.
• V-230288
  • Title: The RHEL 8 SSH daemon must perform strict mode checking of home directory configuration files.
• V-230289
  • Title: The RHEL 8 SSH daemon must not allow compression or must only allow compression after successful authentication.
• V-230290
  • Title: The RHEL 8 SSH daemon must not allow authentication using known host’s authentication.
• V-230291
  • Title: The RHEL 8 SSH daemon must not allow Kerberos authentication, except to fulfill documented and validated mission requirements.
• V-230293
  • Title: RHEL 8 must use a separate file system for /var/log.
  • NOTE: There is no way to safely change this on a running system.
• V-230295
  • Title: A separate RHEL 8 filesystem must be used for the /tmp directory.
• V-230296
  • Title: RHEL 8 must not permit direct logons to the root account using remote access via SSH.
• V-230298
  • Title: The rsyslog service must be running in RHEL 8.
• V-230300
  • Title: RHEL 8 must prevent files with the setuid and setgid bit set from being executed on the /boot directory.
  • NOTE: The product doesn’t configure mountpoints due various data access issues that could happen.
• V-230306
  • Title: RHEL 8 must prevent code from being executed on file systems that are imported via Network File System (NFS).
• V-230308
  • Title: RHEL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that are imported via Network File System (NFS).
• V-230311
  • Title: RHEL 8 must disable the kernel.core_pattern.

  • *NOTE: The kernel.core_pattern sysctl setting is set to ‘

    /bin/false’ in /etc/sysctl.conf and /etc/sysctl.d/99-sysctl.conf, however, the test is failing still.*

• V-230313
  • Title: RHEL 8 must disable core dumps for all users.
• V-230314
  • Title: RHEL 8 must disable storing core dumps.
• V-230315
  • Title: RHEL 8 must disable core dump backtraces.
• V-230324
  • Title: All RHEL 8 local interactive user accounts must be assigned a home directory upon creation.
• V-230330
  • Title: RHEL 8 must not allow users to override SSH environment variables.
• V-230332
  • Title: RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur.
  • NOTE: The product will set pam to lock a user’s account after 3 failed login attempts in a 15 minute period, however, there will also be some extra options in the pam sections this rule requests remediation for. Since the line won’t exactly match the ordering and content the rule proposes, the check for it will fail.
• V-230333
  • Title: RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur.
• V-230334
  • Title: RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period.
  • NOTE: The product will set pam to lock a user’s account after 3 failed login attempts in a 15 minute period, however, there will also be some extra options in the pam sections this rule requests remediation for. Since the line won’t exactly match the ordering and content the rule proposes, the check for it will fail.
• V-230335
  • Title: RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period.
• V-230336
  • Title: RHEL 8 must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period.
  • NOTE: The product will set pam to lock a user’s account after 3 failed login attempts in a 15 minute period, however, there will also be some extra options in the pam sections this rule requests remediation for. Since the line won’t exactly match the ordering and content the rule proposes, the check for it will fail.
• V-230337
  • Title: RHEL 8 must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period.
• V-230340
  • Title: RHEL 8 must prevent system messages from being presented when three unsuccessful logon attempts occur.
  • NOTE: The product will set pam to lock a user’s account after 3 failed login attempts in a 15 minute period, however, there will also be some extra options in the pam sections this rule requests remediation for. Since the line won’t exactly match the ordering and content the rule proposes, the check for it will fail.
• V-230341
  • Title: RHEL 8 must prevent system messages from being presented when three unsuccessful logon attempts occur.
• V-230342
  • Title: RHEL 8 must log user name information when unsuccessful logon attempts occur.
• V-230343
  • Title: RHEL 8 must log user name information when unsuccessful logon attempts occur.
• V-230344
  • Title: RHEL 8 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period.
• V-230345
  • Title: RHEL 8 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period.
• V-230346
  • Title: RHEL 8 must limit the number of concurrent sessions to ten for all accounts and/or account types.
• V-230348
  • Title: RHEL 8 must enable a user session lock until that user re-establishes access using established identification and authentication procedures for command line sessions.
  • NOTE: While it won’t explicitly remove tmux from the list of shells, including the useradd class will remove any unapproved shells from /etc/shells, including tmux.
• V-230349
  • Title: RHEL 8 must ensure session control is automatically started at shell initialization.
  • NOTE: tmux is configured to initialize when the shell is called in /etc/profile.d/tmux_shell.sh, however, the test for this will still fail because the shell initialization script is wrapped inside of an additional if statement that only initializes tmux if the package is installed.
• V-230350
  • Title: RHEL 8 must prevent users from disabling session control mechanisms.
  • NOTE: While it won’t explicitly remove tmux from the list of shells, including the useradd class will remove any unapproved shells from /etc/shells, including tmux.
• V-230356
  • Title: RHEL 8 must ensure the password complexity module is enabled in the password-auth file.
• V-230357
  • Title: RHEL 8 must enforce password complexity by requiring that at least one uppercase character be used.
• V-230358
  • Title: RHEL 8 must enforce password complexity by requiring that at least one lower-case character be used.
• V-230359
  • Title: RHEL 8 must enforce password complexity by requiring that at least one numeric character be used.
• V-230360
  • Title: RHEL 8 must require the maximum number of repeating characters of the same character class be limited to four when passwords are changed.
• V-230361
  • Title: RHEL 8 must require the maximum number of repeating characters be limited to three when passwords are changed.
• V-230362
  • Title: RHEL 8 must require the change of at least four character classes when passwords are changed.
• V-230363
  • Title: RHEL 8 must require the change of at least 8 characters when passwords are changed.
• V-230364
  • Title: RHEL 8 passwords must have a 24 hours/1 day minimum password lifetime restriction in /etc/shadow.
  • NOTE: We do not currently have the ability to identify and remediate existing users who do not have this set appropriately, only new users.
• V-230365
  • Title: RHEL 8 passwords for new users or password changes must have a 24 hours/1 day minimum password lifetime restriction in /etc/logins.def.
  • NOTE: We do not currently have the ability to identify and remediate existing users who do not have this set appropriately, only new users.
• V-230366
  • Title: RHEL 8 user account passwords must have a 60-day maximum password lifetime restriction.
• V-230367
  • Title: RHEL 8 user account passwords must be configured so that existing passwords are restricted to a 60-day maximum lifetime.
  • NOTE: We do not currently have the ability to identify and remediate existing users who do not have this set appropriately, only new users.
• V-230368
  • Title: RHEL 8 must be configured in the password-auth file to prohibit password reuse for a minimum of five generations.
• V-230369
  • Title: RHEL 8 passwords must have a minimum of 15 characters.
• V-230370
  • Title: RHEL 8 passwords for new users must have a minimum of 15 characters.
• V-230373
  • Title: RHEL 8 account identifiers (individuals, groups, roles, and devices) must be disabled after 35 days of inactivity.
• V-230375
  • Title: All RHEL 8 passwords must contain at least one special character.
• V-230377
  • Title: RHEL 8 must prevent the use of dictionary words for passwords.
• V-230378
  • Title: RHEL 8 must enforce a delay of at least four seconds between logon prompts following a failed logon attempt.
• V-230380
  • Title: RHEL 8 must not allow accounts configured with blank or null passwords.
• V-230382
  • Title: RHEL 8 must display the date and time of the last successful account logon upon an SSH logon.
• V-230383
  • Title: RHEL 8 must define default permissions for all authenticated users in such a way that the user can only read and modify their own files.
• V-230386
  • Title: The RHEL 8 audit system must be configured to audit the execution of privileged functions and prevent all software from executing at higher privilege levels than users executing the software.
• V-230388
  • Title: The RHEL 8 System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) must be alerted of an audit processing failure event.
• V-230390
  • Title: The RHEL 8 System must take appropriate action when an audit processing failure occurs.
• V-230392
  • Title: The RHEL 8 audit system must take appropriate action when the audit storage volume is full.
• V-230393
  • Title: The RHEL 8 audit system must audit local events.
• V-230394
  • Title: RHEL 8 must label all off-loaded audit logs before sending them to the central log server.
• V-230395
  • Title: RHEL 8 must resolve audit information before writing to disk.
• V-230396
  • Title: RHEL 8 audit logs must have a mode of 0600 or less permissive to prevent unauthorized read access.
• V-230397
  • Title: RHEL 8 audit logs must be owned by root to prevent unauthorized read access.
• V-230398
  • Title: RHEL 8 audit logs must be group-owned by root to prevent unauthorized read access.
• V-230399
  • Title: RHEL 8 audit log directory must be owned by root to prevent unauthorized read access.
• V-230400
  • Title: RHEL 8 audit log directory must be group-owned by root to prevent unauthorized read access.
• V-230401
  • Title: RHEL 8 audit log directory must have a mode of 0700 or less permissive to prevent unauthorized read access.
• V-230402
  • Title: RHEL 8 audit system must protect auditing rules from unauthorized change.
• V-230403
  • Title: RHEL 8 audit system must protect logon UIDs from unauthorized change.
• V-230404
  • Title: RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow.
• V-230405
  • Title: RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/security/opasswd.
• V-230406
  • Title: RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd.
• V-230407
  • Title: RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/gshadow.
• V-230408
  • Title: RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/group.
• V-230409
  • Title: RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/sudoers.
• V-230410
  • Title: RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/sudoers.d/.
• V-230411
  • Title: The RHEL 8 audit package must be installed.
• V-230412
  • Title: Successful/unsuccessful uses of the su command in RHEL 8 must generate an audit record.
• V-230413
  • Title: The RHEL 8 audit system must be configured to audit any usage of the setxattr, fsetxattr, lsetxattr, removexattr, fremovexattr, and lremovexattr system calls.
• V-230418
  • Title: Successful/unsuccessful uses of the chage command in RHEL 8 must generate an audit record.
• V-230419
  • Title: Successful/unsuccessful uses of the chcon command in RHEL 8 must generate an audit record.
• V-230421
  • Title: Successful/unsuccessful uses of the ssh-agent in RHEL 8 must generate an audit record.
• V-230422
  • Title: Successful/unsuccessful uses of the passwd command in RHEL 8 must generate an audit record.
• V-230423
  • Title: Successful/unsuccessful uses of the mount command in RHEL 8 must generate an audit record.
• V-230424
  • Title: Successful/unsuccessful uses of the umount command in RHEL 8 must generate an audit record.
• V-230425
  • Title: Successful/unsuccessful uses of the mount syscall in RHEL 8 must generate an audit record.
• V-230426
  • Title: Successful/unsuccessful uses of the unix_update in RHEL 8 must generate an audit record.
• V-230427
  • Title: Successful/unsuccessful uses of postdrop in RHEL 8 must generate an audit record.
• V-230428
  • Title: Successful/unsuccessful uses of postqueue in RHEL 8 must generate an audit record.
• V-230429
  • Title: Successful/unsuccessful uses of semanage in RHEL 8 must generate an audit record.
• V-230430
  • Title: Successful/unsuccessful uses of setfiles in RHEL 8 must generate an audit record.
• V-230431
  • Title: Successful/unsuccessful uses of userhelper in RHEL 8 must generate an audit record.
• V-230432
  • Title: Successful/unsuccessful uses of setsebool in RHEL 8 must generate an audit record.
• V-230433
  • Title: Successful/unsuccessful uses of unix_chkpwd in RHEL 8 must generate an audit record.
• V-230434
  • Title: Successful/unsuccessful uses of the ssh-keysign in RHEL 8 must generate an audit record.
• V-230435
  • Title: Successful/unsuccessful uses of the setfacl command in RHEL 8 must generate an audit record.
• V-230436
  • Title: Successful/unsuccessful uses of the pam_timestamp_check command in RHEL 8 must generate an audit record.
• V-230437
  • Title: Successful/unsuccessful uses of the newgrp command in RHEL 8 must generate an audit record.
• V-230438
  • Title: Successful/unsuccessful uses of the init_module and finit_module system calls in RHEL 8 must generate an audit record.
• V-230439
  • Title: Successful/unsuccessful uses of the rename, unlink, rmdir, renameat, and unlinkat system calls in RHEL 8 must generate an audit record.
• V-230444
  • Title: Successful/unsuccessful uses of the gpasswd command in RHEL 8 must generate an audit record.
• V-230446
  • Title: Successful/unsuccessful uses of the delete_module command in RHEL 8 must generate an audit record.
• V-230447
  • Title: Successful/unsuccessful uses of the crontab command in RHEL 8 must generate an audit record.
• V-230448
  • Title: Successful/unsuccessful uses of the chsh command in RHEL 8 must generate an audit record.
• V-230449
  • Title: Successful/unsuccessful uses of the truncate, ftruncate, creat, open, openat, and open_by_handle_at system calls in RHEL 8 must generate an audit record.
• V-230455
  • Title: Successful/unsuccessful uses of the chown, fchown, fchownat, and lchown system calls in RHEL 8 must generate an audit record.
• V-230456
  • Title: Successful/unsuccessful uses of the chmod, fchmod, and fchmodat system calls in RHEL 8 must generate an audit record.
• V-230462
  • Title: Successful/unsuccessful uses of the sudo command in RHEL 8 must generate an audit record.
• V-230463
  • Title: Successful/unsuccessful uses of the usermod command in RHEL 8 must generate an audit record.
• V-230464
  • Title: Successful/unsuccessful uses of the chacl command in RHEL 8 must generate an audit record.
• V-230465
  • Title: Successful/unsuccessful uses of the kmod command in RHEL 8 must generate an audit record.
• V-230467
  • Title: Successful/unsuccessful modifications to the lastlog file in RHEL 8 must generate an audit record.
• V-230471
  • Title: RHEL 8 must allow only the Information System Security Manager (ISSM) (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited.
  • NOTE: The product will set the mode of the files referenced in this rule to “700” and “600” rather then “750” and “640”. This will lock down the files and keep them secure so only admins and ISSMs can access them.
• V-230477
  • Title: RHEL 8 must have the packages required for offloading audit logs installed.
• V-230478
  • Title: RHEL 8 must have the packages required for encrypting offloaded audit logs installed.
• V-230480
  • Title: RHEL 8 must take appropriate action when the internal event queue is full.
• V-230483
  • Title: RHEL 8 must take action when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity.
• V-230485
  • Title: RHEL 8 must disable the chrony daemon from acting as a server.
• V-230486
  • Title: RHEL 8 must disable network management of the chrony daemon.
• V-230487
  • Title: RHEL 8 must not have the telnet-server package installed.
• V-230488
  • Title: RHEL 8 must not have any automated bug reporting tools installed.
• V-230489
  • Title: RHEL 8 must not have the sendmail package installed.
• V-230492
  • Title: RHEL 8 must not have the rsh-server package installed.
• V-230494
  • Title: RHEL 8 must disable the asynchronous transfer mode (ATM) protocol.
• V-230495
  • Title: RHEL 8 must disable the controller area network (CAN) protocol.
• V-230496
  • Title: RHEL 8 must disable the stream control transmission protocol (SCTP).
• V-230497
  • Title: RHEL 8 must disable the transparent inter-process communication (TIPC) protocol.
• V-230498
  • Title: RHEL 8 must disable mounting of cramfs.
• V-230499
  • Title: RHEL 8 must disable IEEE 1394 (FireWire) Support.
• V-230503
  • Title: RHEL 8 must be configured to disable USB mass storage.
• V-230507
  • Title: RHEL 8 Bluetooth must be disabled.
• V-230508
  • Title: RHEL 8 must mount /dev/shm with the nodev option.
• V-230509
  • Title: RHEL 8 must mount /dev/shm with the nosuid option.
• V-230510
  • Title: RHEL 8 must mount /dev/shm with the noexec option.
• V-230511
  • Title: RHEL 8 must mount /tmp with the nodev option.
• V-230512
  • Title: RHEL 8 must mount /tmp with the nosuid option.
• V-230513
  • Title: RHEL 8 must mount /tmp with the noexec option.
  • NOTE: The product will control tmp via a bind mount. The scan will fail because it expects tmp to be configured in /etc/fstab.
• V-230520
  • Title: RHEL 8 must mount /var/tmp with the nodev option.
• V-230521
  • Title: RHEL 8 must mount /var/tmp with the nosuid option.
• V-230522
  • Title: RHEL 8 must mount /var/tmp with the noexec option.
• V-230526
  • Title: All RHEL 8 networked systems must have and implement SSH to protect the confidentiality and integrity of transmitted and received information, as well as information during preparation for transmission.
• V-230527
  • Title: RHEL 8 must force a frequent session key renegotiation for SSH connections to the server.
• V-230531
  • Title: The systemd Ctrl-Alt-Delete burst key sequence in RHEL 8 must be disabled.
• V-230533
  • Title: The Trivial File Transfer Protocol (TFTP) server package must not be installed if not required for RHEL 8 operational support.
• V-230534
  • Title: The root account must be the only account having unrestricted access to the RHEL 8 system.
• V-230535
  • Title: RHEL 8 must prevent IPv6 Internet Control Message Protocol (ICMP) redirect messages from being accepted.
• V-230536
  • Title: RHEL 8 must not send Internet Control Message Protocol (ICMP) redirects.
• V-230537
  • Title: RHEL 8 must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address.
• V-230538
  • Title: RHEL 8 must not forward IPv6 source-routed packets.
• V-230539
  • Title: RHEL 8 must not forward IPv6 source-routed packets by default.
• V-230540
  • Title: RHEL 8 must not enable IPv6 packet forwarding unless the system is a router.
• V-230541
  • Title: RHEL 8 must not accept router advertisements on all IPv6 interfaces.
• V-230542
  • Title: RHEL 8 must not accept router advertisements on all IPv6 interfaces by default.
• V-230543
  • Title: RHEL 8 must not allow interfaces to perform Internet Control Message Protocol (ICMP) redirects by default.
• V-230544
  • Title: RHEL 8 must ignore IPv6 Internet Control Message Protocol (ICMP) redirect messages.
• V-230545
  • Title: RHEL 8 must disable access to network bpf syscall from unprivileged processes.
• V-230546
  • Title: RHEL 8 must restrict usage of ptrace to descendant processes.
  • NOTE: The kernel.yama.ptrace_scope sysctl setting is set to 1 in /etc/sysctl.conf and /etc/sysctl.d/99-sysctl.conf, however, the test is failing still.
• V-230547
  • Title: RHEL 8 must restrict exposed kernel pointer addresses access.
• V-230548
  • Title: RHEL 8 must disable the use of user namespaces.
• V-230549
  • Title: RHEL 8 must use reverse path filtering on all IPv4 interfaces.
• V-230550
  • Title: RHEL 8 must be configured to prevent unrestricted mail relaying.
• V-230555
  • Title: RHEL 8 remote X connections for interactive users must be disabled unless to fulfill documented and validated mission requirements.
• V-230556
  • Title: The RHEL 8 SSH daemon must prevent remote hosts from connecting to the proxy display.
• V-230557
  • Title: If the Trivial File Transfer Protocol (TFTP) server is required, the RHEL 8 TFTP daemon must be configured to operate in secure mode.
• V-230558
  • Title: A File Transfer Protocol (FTP) server package must not be installed unless mission essential on RHEL 8.
• V-230559
  • Title: The gssproxy package must not be installed unless mission essential on RHEL 8.
• V-230560
  • Title: The iprutils package must not be installed unless mission essential on RHEL 8.
• V-230561
  • Title: The tuned package must not be installed unless mission essential on RHEL 8.
• V-237640
  • Title: The krb5-server package must not be installed on RHEL 8.
• V-237641
  • Title: RHEL 8 must restrict privilege elevation to authorized personnel.
• V-237642
  • Title: RHEL 8 must use the invoking user’s password for privilege escalation when using “sudo”.
  • NOTE: Automatically remediating this could cause some automated processes that require root access to fail. Since this will be site-specific this will not be enforced.
• V-237643
  • Title: RHEL 8 must require re-authentication when using the “sudo” command.
• V-244540
  • Title: RHEL 8 must not allow blank or null passwords in the system-auth file.
• V-244541
  • Title: RHEL 8 must not allow blank or null passwords in the password-auth file.
• V-244554
  • Title: RHEL 8 must enable hardening for the Berkeley Packet Filter Just-in-time compiler.
• V-251706
  • Title: The RHEL 8 operating system must not have accounts configured with blank or null passwords.