DISA STIG for Red Hat Enterprise Linux 8
This profile contains configuration checks that align to the DISA STIG for Red Hat Enterprise Linux 8 V1R7. In addition to being applicable to Red Hat Enterprise Linux 8, DISA recognizes this configuration baseline as applicable to the operating system tier of Red Hat technologies that are based on Red Hat Enterprise Linux 8, such as: - Red Hat Enterprise Linux Server - Red Hat Enterprise Linux Workstation and Desktop - Red Hat Enterprise Linux for HPC - Red Hat Storage - Red Hat Containers with a Red Hat Enterprise Linux 8 image


ID Severity Title Discussion (Rationale) Fix Text (Description) Check Text (OCIL Check) SRG Refs CCI Refs 800-53 Refs
account_disable_post_pw_expiration medium Set Account Expiration Following Inactivity Inactive identifiers pose a risk to systems and applications because attackers may exploit an inactive identifier and potentially obtain undetected access to the system. Disabling inactive accounts ensures that accounts which may not have been responsibly removed are not available to attackers who may have compromised their credentials. Owners of inactive accounts will not notice if unauthorized access to their user account has been obtained. To specify the number of days after a password expires (which signifies inactivity) until an account is permanently disabled, add or correct the following line in /etc/default/useradd:
INACTIVE=
If a password is currently on the verge of expiration, then day(s) remain(s) until the account is automatically disabled. However, if the password will not expire for another 60 days, then 60 days plus day(s) could elapse until the account would be automatically disabled. See the useradd man page for more information.
SRG-OS-000118-GPOS-00060
CCI-000017
CCI-000795
account_emergency_expire_date medium Assign Expiration Date to Emergency Accounts If emergency user accounts remain active when no longer needed or for an excessive period, these accounts may be used to gain unauthorized access. To mitigate this risk, automated termination of all emergency accounts must be set upon account creation.
Emergency accounts are privileged accounts established in response to crisis situations where the need for rapid account activation is required. In the event emergency accounts are required, configure the system to terminate them after a documented time period. For every emergency account, run the following command to set an expiration date on it, substituting ACCOUNT_NAME and YYYY-MM-DD appropriately:
$ sudo chage -E YYYY-MM-DD ACCOUNT_NAME
YYYY-MM-DD indicates the documented expiration date for the account. For U.S. Government systems, the operating system must be configured to automatically terminate these types of accounts after a period of 72 hours.
SRG-OS-000002-GPOS-00002
SRG-OS-000123-GPOS-00064
CCI-000016
CCI-001682
account_passwords_pam_faillock_audit medium Account lockouts must be logged Without auditing of these events it may be harder or impossible to identify what an attacker did after an attack. PAM faillock locks an account due to excessive password failures, this event must be logged. SRG-OS-000021-GPOS-00005
CCI-000044
account_temp_expire_date medium Assign Expiration Date to Temporary Accounts If temporary user accounts remain active when no longer needed or for an excessive period, these accounts may be used to gain unauthorized access. To mitigate this risk, automated termination of all temporary accounts must be set upon account creation.
Temporary accounts are established as part of normal account activation procedures when there is a need for short-term accounts. In the event temporary or emergency accounts are required, configure the system to terminate them after a documented time period. For every temporary and emergency account, run the following command to set an expiration date on it, substituting USER and YYYY-MM-DD appropriately:
$ sudo chage -E YYYY-MM-DD USER
YYYY-MM-DD indicates the documented expiration date for the account. For U.S. Government systems, the operating system must be configured to automatically terminate these types of accounts after a period of 72 hours.
SRG-OS-000002-GPOS-00002
SRG-OS-000123-GPOS-00064
CCI-000016
CCI-001682
account_unique_id medium Ensure All Accounts on the System Have Unique User IDs To assure accountability and prevent unauthenticated access, interactive users must be identified and authenticated to prevent potential misuse and compromise of the system. Change user IDs (UIDs), or delete accounts, so each has a unique name. SRG-OS-000042-GPOS-00020
SRG-OS-000042-GPOS-00021
SRG-OS-000104-GPOS-00051
SRG-OS-000121-GPOS-00062
CCI-000135
CCI-000764
CCI-000804
accounts_authorized_local_users medium Only Authorized Local User Accounts Exist on Operating System Accounts providing no operational purpose provide additional opportunities for system compromise. Unnecessary accounts include user accounts for individuals not requiring access to the system and application accounts for applications not installed on the system. Enterprise Application tends to use the server or virtual machine exclusively. Besides the default operating system user, there should be only authorized local users required by the installed software groups and applications that exist on the operating system. The authorized user list can be customized in the refine value variable var_accounts_authorized_local_users_regex. OVAL regular expression is used for the user list. Configure the system so all accounts on the system are assigned to an active system, application, or user account. Remove accounts that do not support approved system activities or that allow for a normal user to perform administrative-level actions. To remove unauthorized system accounts, use the following command:
$ sudo userdel unauthorized_user
SRG-OS-000360-GPOS-00147
SRG-OS-000480-GPOS-00225
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00232
CCI-000366
accounts_have_homedir_login_defs medium Ensure Home Directories are Created for New Users If local interactive users are not assigned a valid home directory, there is no place for the storage and control of files they should own. All local interactive user accounts, upon creation, should be assigned a home directory.

Configure the operating system to assign home directories to all new local interactive users by setting the CREATE_HOME parameter in /etc/login.defs to yes as follows:

CREATE_HOME yes
SRG-OS-000360-GPOS-00147
SRG-OS-000480-GPOS-00225
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00232
CCI-000366
accounts_logon_fail_delay medium Ensure the Logon Failure Delay is Set Correctly in login.defs Increasing the time between a failed authentication attempt and re-prompting to enter credentials helps to slow a single-threaded brute force attack. To ensure the logon failure delay controlled by /etc/login.defs is set properly, add or correct the FAIL_DELAY setting in /etc/login.defs to read as follows:
FAIL_DELAY 
SRG-OS-000360-GPOS-00147
SRG-OS-000480-GPOS-00225
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00232
CCI-000366
accounts_max_concurrent_login_sessions low Limit the Number of Concurrent Login Sessions Allowed Per User Limiting simultaneous user logins can insulate the system from denial of service problems caused by excessive logins. Automated login processes operating improperly or maliciously may result in an exceptional number of simultaneous login sessions. Limiting the number of allowed users and sessions per user can limit risks related to Denial of Service attacks. This addresses concurrent sessions for a single account and does not address concurrent sessions by a single user via multiple accounts. To set the number of concurrent sessions per user add the following line in /etc/security/limits.conf or a file under /etc/security/limits.d/:
* hard maxlogins 
SRG-OS-000027-GPOS-00008
CCI-000054
accounts_maximum_age_login_defs medium Set Password Maximum Age Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If the operating system does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the operating system passwords could be compromised.

Setting the password maximum age ensures users are required to periodically change their passwords. Requiring shorter password lifetimes increases the risk of users writing down the password in a convenient location subject to physical compromise.
To specify password maximum age for new accounts, edit the file /etc/login.defs and add or correct the following line:
PASS_MAX_DAYS 
A value of 180 days is sufficient for many environments. The DoD requirement is 60. The profile requirement is .
SRG-OS-000076-GPOS-00044
CCI-000199
accounts_minimum_age_login_defs medium Set Password Minimum Age Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. If users are allowed to immediately and continually change their password, then the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse.

Setting the minimum password age protects against users cycling back to a favorite password after satisfying the password reuse requirement.
To specify password minimum age for new accounts, edit the file /etc/login.defs and add or correct the following line:
PASS_MIN_DAYS 
A value of 1 day is considered sufficient for many environments. The DoD requirement is 1. The profile requirement is .
SRG-OS-000075-GPOS-00043
CCI-000198
accounts_no_uid_except_zero high Verify Only Root Has UID 0 An account has root authority if it has a UID of 0. Multiple accounts with a UID of 0 afford more opportunity for potential intruders to guess a password for a privileged account. Proper configuration of sudo is recommended to afford multiple system administrators access to root privileges in an accountable manner. If any account other than root has a UID of 0, this misconfiguration should be investigated and the accounts other than root should be removed or have their UID changed.
If the account is associated with system commands or applications the UID should be changed to one greater than "0" but less than "1000." Otherwise assign a UID greater than "1000" that has not already been assigned.
SRG-OS-000360-GPOS-00147
SRG-OS-000480-GPOS-00225
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00232
CCI-000366
accounts_password_all_shadowed_sha512 medium Verify All Account Password Hashes are Shadowed with SHA512 The system must use a strong hashing algorithm to store the password. The system must use a sufficient number of hashing rounds to ensure the required level of entropy. Verify the operating system requires the shadow password suite configuration be set to encrypt interactive user passwords using a strong cryptographic hash. Check that the interactive user account passwords are using a strong password hash with the following command:
$ sudo cut -d: -f2 /etc/shadow
$6$kcOnRq/5$NUEYPuyL.wghQwWssXRcLRFiiru7f5JPV6GaJhNC2aK5F3PZpE/BCCtwrxRc/AInKMNX3CdMw11m9STiql12f/
Password hashes ! or * indicate inactive accounts not available for logon and are not evaluated. If any interactive user password hash does not begin with $6, this is a finding.
SRG-OS-000073-GPOS-00041
SRG-OS-000120-GPOS-00061
CCI-000196
CCI-000803
accounts_password_pam_dcredit medium Ensure PAM Enforces Password Requirements - Minimum Digit Characters Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.

Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. Requiring digits makes password guessing attacks more difficult by ensuring a larger search space.
The pam_pwquality module's dcredit parameter controls requirements for usage of digits in a password. When set to a negative number, any password will be required to contain that many digits. When set to a positive number, pam_pwquality will grant +1 additional length credit for each digit. Modify the dcredit setting in /etc/security/pwquality.conf to require the use of a digit in passwords. SRG-OS-000071-GPOS-00039
CCI-000194
accounts_password_pam_dictcheck medium Ensure PAM Enforces Password Requirements - Prevent the Use of Dictionary Words Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.

Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.

Passwords with dictionary words may be more vulnerable to password-guessing attacks.
The pam_pwquality module's dictcheck check if passwords contains dictionary words. When dictcheck is set to 1 passwords will be checked for dictionary words. SRG-OS-000360-GPOS-00147
SRG-OS-000480-GPOS-00225
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00232
CCI-000366
accounts_password_pam_difok medium Ensure PAM Enforces Password Requirements - Minimum Different Characters Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute–force attacks.

Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.

Requiring a minimum number of different characters during password changes ensures that newly changed passwords should not resemble previously compromised ones. Note that passwords which are changed on compromised systems will still be compromised, however.
The pam_pwquality module's difok parameter sets the number of characters in a password that must not be present in and old password during a password change.

Modify the difok setting in /etc/security/pwquality.conf to equal to require differing characters when changing passwords.
SRG-OS-000072-GPOS-00040
CCI-000195
accounts_password_pam_lcredit medium Ensure PAM Enforces Password Requirements - Minimum Lowercase Characters Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possble combinations that need to be tested before the password is compromised. Requiring a minimum number of lowercase characters makes password guessing attacks more difficult by ensuring a larger search space.
The pam_pwquality module's lcredit parameter controls requirements for usage of lowercase letters in a password. When set to a negative number, any password will be required to contain that many lowercase characters. When set to a positive number, pam_pwquality will grant +1 additional length credit for each lowercase character. Modify the lcredit setting in /etc/security/pwquality.conf to require the use of a lowercase character in passwords. SRG-OS-000070-GPOS-00038
CCI-000193
accounts_password_pam_maxclassrepeat medium Ensure PAM Enforces Password Requirements - Maximum Consecutive Repeating Characters from Same Character Class Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.
Password complexity is one factor of several that determines how long it takes to crack a password. The more complex a password, the greater the number of possible combinations that need to be tested before the password is compromised.
The pam_pwquality module's maxclassrepeat parameter controls requirements for consecutive repeating characters from the same character class. When set to a positive number, it will reject passwords which contain more than that number of consecutive characters from the same character class. Modify the maxclassrepeat setting in /etc/security/pwquality.conf to equal to prevent a run of ( + 1) or more identical characters. SRG-OS-000072-GPOS-00040
CCI-000195
accounts_password_pam_maxrepeat medium Set Password Maximum Consecutive Repeating Characters Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.

Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.

Passwords with excessive repeating characters may be more vulnerable to password-guessing attacks.
The pam_pwquality module's maxrepeat parameter controls requirements for consecutive repeating characters. When set to a positive number, it will reject passwords which contain more than that number of consecutive characters. Modify the maxrepeat setting in /etc/security/pwquality.conf to equal to prevent a run of ( + 1) or more identical characters. SRG-OS-000072-GPOS-00040
CCI-000195
accounts_password_pam_minclass medium Ensure PAM Enforces Password Requirements - Minimum Different Categories Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.

Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.

Requiring a minimum number of character categories makes password guessing attacks more difficult by ensuring a larger search space.
The pam_pwquality module's minclass parameter controls requirements for usage of different character classes, or types, of character that must exist in a password before it is considered valid. For example, setting this value to three (3) requires that any password must have characters from at least three different categories in order to be approved. The default value is zero (0), meaning there are no required classes. There are four categories available:
* Upper-case characters
* Lower-case characters
* Digits
* Special characters (for example, punctuation)
Modify the minclass setting in /etc/security/pwquality.conf entry to require differing categories of characters when changing passwords.
SRG-OS-000072-GPOS-00040
CCI-000195
accounts_password_pam_minlen medium Ensure PAM Enforces Password Requirements - Minimum Length The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised.
Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. Use of more characters in a password helps to exponentially increase the time and/or resources required to compromise the password.
The pam_pwquality module's minlen parameter controls requirements for minimum characters required in a password. Add minlen= after pam_pwquality to set minimum password length requirements. SRG-OS-000078-GPOS-00046
CCI-000205
accounts_password_pam_ocredit medium Ensure PAM Enforces Password Requirements - Minimum Special Characters Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.

Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. Requiring a minimum number of special characters makes password guessing attacks more difficult by ensuring a larger search space.
The pam_pwquality module's ocredit= parameter controls requirements for usage of special (or "other") characters in a password. When set to a negative number, any password will be required to contain that many special characters. When set to a positive number, pam_pwquality will grant +1 additional length credit for each special character. Modify the ocredit setting in /etc/security/pwquality.conf to equal to require use of a special character in passwords. SRG-OS-000266-GPOS-00101
CCI-001619
accounts_password_pam_pwhistory_remember_password_auth medium Limit Password Reuse: password-auth Preventing re-use of previous passwords helps ensure that a compromised password is not re-used by a user. Do not allow users to reuse recent passwords. This can be accomplished by using the remember option for the pam_pwhistory PAM module. SRG-OS-000077-GPOS-00045
CCI-000200
accounts_password_pam_pwhistory_remember_system_auth medium Limit Password Reuse: system-auth Preventing re-use of previous passwords helps ensure that a compromised password is not re-used by a user. Do not allow users to reuse recent passwords. This can be accomplished by using the remember option for the pam_pwhistory PAM module. SRG-OS-000077-GPOS-00045
CCI-000200
accounts_password_pam_pwquality_password_auth medium Ensure PAM password complexity module is enabled in password-auth Enabling PAM password complexity permits to enforce strong passwords and consequently makes the system less prone to dictionary attacks. To enable PAM password complexity in password-auth file: Edit the password section in /etc/pam.d/password-auth to show password requisite pam_pwquality.so. SRG-OS-000360-GPOS-00147
SRG-OS-000480-GPOS-00225
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00232
CCI-000366
accounts_password_pam_pwquality_system_auth medium Ensure PAM password complexity module is enabled in system-auth Enabling PAM password complexity permits to enforce strong passwords and consequently makes the system less prone to dictionary attacks. To enable PAM password complexity in system-auth file: Edit the password section in /etc/pam.d/system-auth to show password requisite pam_pwquality.so. SRG-OS-000360-GPOS-00147
SRG-OS-000480-GPOS-00225
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00232
CCI-000366
accounts_password_pam_retry medium Ensure PAM Enforces Password Requirements - Authentication Retry Prompts Permitted Per-Session Setting the password retry prompts that are permitted on a per-session basis to a low value requires some software, such as SSH, to re-connect. This can slow down and draw additional attention to some types of password-guessing attacks. Note that this is different from account lockout, which is provided by the pam_faillock module. To configure the number of retry prompts that are permitted per-session: Edit the /etc/security/pwquality.conf to include retry=, or a lower value if site policy is more restrictive. The DoD requirement is a maximum of 3 prompts per session. SRG-OS-000069-GPOS-00037
SRG-OS-000360-GPOS-00147
SRG-OS-000480-GPOS-00225
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00232
CCI-000192
CCI-000366
accounts_password_pam_ucredit medium Ensure PAM Enforces Password Requirements - Minimum Uppercase Characters Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.

Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.
The pam_pwquality module's ucredit= parameter controls requirements for usage of uppercase letters in a password. When set to a negative number, any password will be required to contain that many uppercase characters. When set to a positive number, pam_pwquality will grant +1 additional length credit for each uppercase character. Modify the ucredit setting in /etc/security/pwquality.conf to require the use of an uppercase character in passwords. SRG-OS-000069-GPOS-00037
SRG-OS-000070-GPOS-00038
CCI-000192
CCI-000193
accounts_password_set_max_life_existing medium Set Existing Passwords Maximum Age Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If the operating system does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the operating system passwords could be compromised. Configure non-compliant accounts to enforce a -day maximum password lifetime restriction by running the following command:
$ sudo chage -M  USER
SRG-OS-000076-GPOS-00044
CCI-000199
accounts_password_set_min_life_existing medium Set Existing Passwords Minimum Age Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. If users are allowed to immediately and continually change their password, the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse. Configure non-compliant accounts to enforce a 24 hours/1 day minimum password lifetime by running the following command:
$ sudo chage -m 1 USER
SRG-OS-000075-GPOS-00043
CCI-000198
accounts_passwords_pam_faillock_deny medium Lock Accounts After Failed Password Attempts Locking out user accounts after a number of incorrect attempts prevents direct password guessing attacks. In combination with the silent option, user enumeration attacks are also mitigated. This rule configures the system to lock out accounts after a number of incorrect login attempts using pam_faillock.so. pam_faillock.so module requires multiple entries in pam files. These entries must be carefully defined to work as expected. In order to avoid errors when manually editing these files, it is recommended to use the appropriate tools, such as authselect or authconfig, depending on the OS version. SRG-OS-000021-GPOS-00005
SRG-OS-000329-GPOS-00128
CCI-000044
CCI-002236
CCI-002237
CCI-002238
accounts_passwords_pam_faillock_deny_root medium Configure the root Account for Failed Password Attempts By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, also known as brute-forcing, is reduced. Limits are imposed by locking the account. This rule configures the system to lock out the root account after a number of incorrect login attempts using pam_faillock.so. pam_faillock.so module requires multiple entries in pam files. These entries must be carefully defined to work as expected. In order to avoid errors when manually editing these files, it is recommended to use the appropriate tools, such as authselect or authconfig, depending on the OS version. SRG-OS-000329-GPOS-00128
SRG-OS-000021-GPOS-00005
CCI-002238
CCI-000044
accounts_passwords_pam_faillock_interval medium Set Interval For Counting Failed Password Attempts By limiting the number of failed logon attempts the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by locking the account. Utilizing pam_faillock.so, the fail_interval directive configures the system to lock out an account after a number of incorrect login attempts within a specified time period. SRG-OS-000021-GPOS-00005
SRG-OS-000329-GPOS-00128
CCI-000044
CCI-002236
CCI-002237
CCI-002238
accounts_passwords_pam_faillock_unlock_time medium Set Lockout Time for Failed Password Attempts Locking out user accounts after a number of incorrect attempts prevents direct password guessing attacks. Ensuring that an administrator is involved in unlocking locked accounts draws appropriate attention to such situations. This rule configures the system to lock out accounts during a specified time period after a number of incorrect login attempts using pam_faillock.so. pam_faillock.so module requires multiple entries in pam files. These entries must be carefully defined to work as expected. In order to avoid any errors when manually editing these files, it is recommended to use the appropriate tools, such as authselect or authconfig, depending on the OS version. SRG-OS-000021-GPOS-00005
SRG-OS-000329-GPOS-00128
CCI-000044
CCI-002236
CCI-002237
CCI-002238
accounts_umask_etc_bashrc medium Ensure the Default Bash Umask is Set Correctly The umask value influences the permissions assigned to files when they are created. A misconfigured umask value could result in files with excessive permissions that can be read or written to by unauthorized users. To ensure the default umask for users of the Bash shell is set properly, add or correct the umask setting in /etc/bashrc to read as follows:
umask 
SRG-OS-000360-GPOS-00147
SRG-OS-000480-GPOS-00225
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00232
CCI-000366
accounts_umask_etc_csh_cshrc medium Ensure the Default C Shell Umask is Set Correctly The umask value influences the permissions assigned to files when they are created. A misconfigured umask value could result in files with excessive permissions that can be read or written to by unauthorized users. To ensure the default umask for users of the C shell is set properly, add or correct the umask setting in /etc/csh.cshrc to read as follows:
umask 
SRG-OS-000360-GPOS-00147
SRG-OS-000480-GPOS-00225
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00232
CCI-000366
accounts_umask_etc_login_defs medium Ensure the Default Umask is Set Correctly in login.defs The umask value influences the permissions assigned to files when they are created. A misconfigured umask value could result in files with excessive permissions that can be read and written to by unauthorized users. To ensure the default umask controlled by /etc/login.defs is set properly, add or correct the UMASK setting in /etc/login.defs to read as follows:
UMASK 
SRG-OS-000360-GPOS-00147
SRG-OS-000480-GPOS-00225
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00232
CCI-000366
accounts_umask_etc_profile medium Ensure the Default Umask is Set Correctly in /etc/profile The umask value influences the permissions assigned to files when they are created. A misconfigured umask value could result in files with excessive permissions that can be read or written to by unauthorized users. To ensure the default umask controlled by /etc/profile is set properly, add or correct the umask setting in /etc/profile to read as follows:
umask 
SRG-OS-000360-GPOS-00147
SRG-OS-000480-GPOS-00225
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00232
CCI-000366
accounts_umask_interactive_users medium Ensure the Default Umask is Set Correctly For Interactive Users The umask controls the default access mode assigned to newly created files. A umask of 077 limits new files to mode 700 or less permissive. Although umask can be represented as a four-digit number, the first digit representing special access modes is typically ignored or required to be 0. This requirement applies to the globally configured system defaults and the local interactive user defaults for each account on the system. Remove the UMASK environment variable from all interactive users initialization files. SRG-OS-000360-GPOS-00147
SRG-OS-000480-GPOS-00225
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00232
SRG-OS-000365-GPOS-00152
CCI-000366
CCI-001814
accounts_user_dot_no_world_writable_programs medium User Initialization Files Must Not Run World-Writable Programs If user start-up files execute world-writable programs, especially in unprotected directories, they could be maliciously modified to destroy user files or otherwise compromise the system at the user level. If the system is compromised at the user level, it is easier to elevate privileges to eventually compromise the system at the root and network level. Set the mode on files being executed by the user initialization files with the following command:
$ sudo chmod o-w FILE
SRG-OS-000360-GPOS-00147
SRG-OS-000480-GPOS-00225
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00232
CCI-000366
accounts_user_home_paths_only medium Ensure that Users Path Contains Only Local Directories The executable search path (typically the PATH environment variable) contains a list of directories for the shell to search to find executables. If this path includes the current working directory (other than the users home directory), executables in these directories may be executed instead of system commands. This variable is formatted as a colon-separated list of directories. If there is an empty entry, such as a leading or trailing colon or two consecutive colons, this is interpreted as the current working directory. If deviations from the default system search path for the local interactive user are required, they must be documented with the Information System Security Officer (ISSO). Ensure that all interactive user initialization files executable search path statements do not contain statements that will reference a working directory other than the users home directory. SRG-OS-000360-GPOS-00147
SRG-OS-000480-GPOS-00225
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00232
CCI-000366
accounts_user_interactive_home_directory_defined medium All Interactive Users Must Have A Home Directory Defined If local interactive users are not assigned a valid home directory, there is no place for the storage and control of files they should own. Assign home directories to all interactive users that currently do not have a home directory assigned. This rule checks if the home directory is properly defined in a folder which has at least one parent folder, like "user" in "/home/user" or "/remote/users/user". Therefore, this rule will report a finding for home directories like /users, /tmp or /. SRG-OS-000360-GPOS-00147
SRG-OS-000480-GPOS-00225
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00232
CCI-000366
accounts_user_interactive_home_directory_exists medium All Interactive Users Home Directories Must Exist If a local interactive user has a home directory defined that does not exist, the user may be given access to the / directory as the current working directory upon logon. This could create a Denial of Service because the user would not be able to access their logon configuration files, and it may give them visibility to system files they normally would not be able to access. Create home directories to all interactive users that currently do not have a home directory assigned. Use the following commands to create the user home directory assigned in /etc/passwd:
$ sudo mkdir /home/USER
SRG-OS-000360-GPOS-00147
SRG-OS-000480-GPOS-00225
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00232
CCI-000366
accounts_users_home_files_groupownership medium All User Files and Directories In The Home Directory Must Be Group-Owned By The Primary User If a local interactive users files are group-owned by a group of which the user is not a member, unintended users may be able to access them. Change the group of a local interactive users files and directories to a group that the interactive user is a member of. To change the group owner of a local interactive users files and directories, use the following command:
$ sudo chgrp USER_GROUP /home/USER/FILE_DIR
This rule ensures every file or directory under the home directory related to an interactive user is group-owned by an interactive user.
SRG-OS-000360-GPOS-00147
SRG-OS-000480-GPOS-00225
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00232
CCI-000366
accounts_users_home_files_permissions medium All User Files and Directories In The Home Directory Must Have Mode 0750 Or Less Permissive If a local interactive user files have excessive permissions, unintended users may be able to access or modify them. Set the mode on files and directories in the local interactive user home directory with the following command:
$ sudo chmod 0750 /home/USER/FILE_DIR
Files that begin with a "." are excluded from this requirement.
SRG-OS-000360-GPOS-00147
SRG-OS-000480-GPOS-00225
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00232
CCI-000366
agent_mfetpd_running medium Ensure McAfee Endpoint Security for Linux (ENSL) is running Virus scanning software can be used to detect if a system has been compromised by computer viruses, as well as to limit their spread to other systems. Install McAfee Endpoint Security for Linux antivirus software which is provided for DoD systems and uses signatures to search for the presence of viruses on the filesystem. SRG-OS-000191-GPOS-00080
CCI-001233
aide_check_audit_tools medium Configure AIDE to Verify the Audit Tools Protecting the integrity of the tools used for auditing purposes is a critical step toward ensuring the integrity of audit information. Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity. Audit tools include but are not limited to vendor-provided and open-source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators. It is not uncommon for attackers to replace the audit tools or inject code into the existing tools to provide the capability to hide or erase system activity from the audit logs. To address this risk, audit tools must be cryptographically signed to provide the capability to identify when the audit tools have been modified, manipulated, or replaced. An example is a checksum hash of the file or files. The operating system file integrity tool must be configured to protect the integrity of the audit tools. SRG-OS-000278-GPOS-00108
CCI-001496
aide_scan_notification medium Configure Notification of Post-AIDE Scan Details Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may be relevant to security.

Detecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the operating system. The operating system's Information Management Officer (IMO)/Information System Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item.
AIDE should notify appropriate personnel of the details of a scan after the scan has been run. If AIDE has already been configured for periodic execution in /etc/crontab, append the following line to the existing AIDE line:
 | /bin/mail -s "$(hostname) - AIDE Integrity Check" root@localhost
Otherwise, add the following line to /etc/crontab:
05 4 * * * root /usr/sbin/aide --check | /bin/mail -s "$(hostname) - AIDE Integrity Check" root@localhost
AIDE can be executed periodically through other means; this is merely one example.
SRG-OS-000363-GPOS-00150
SRG-OS-000446-GPOS-00200
SRG-OS-000447-GPOS-00201
CCI-001744
CCI-002699
CCI-002702
aide_verify_acls low Configure AIDE to Verify Access Control Lists (ACLs) ACLs can provide permissions beyond those permitted through the file mode and must be verified by the file integrity tools. By default, the acl option is added to the FIPSR ruleset in AIDE. If using a custom ruleset or the acl option is missing, add acl to the appropriate ruleset. For example, add acl to the following line in /etc/aide.conf:
FIPSR = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha256
AIDE rules can be configured in multiple ways; this is merely one example that is already configured by default. The remediation provided with this rule adds acl to all rule sets available in /etc/aide.conf
SRG-OS-000360-GPOS-00147
SRG-OS-000480-GPOS-00225
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00232
CCI-000366
aide_verify_ext_attributes low Configure AIDE to Verify Extended Attributes Extended attributes in file systems are used to contain arbitrary data and file metadata with security implications. By default, the xattrs option is added to the FIPSR ruleset in AIDE. If using a custom ruleset or the xattrs option is missing, add xattrs to the appropriate ruleset. For example, add xattrs to the following line in /etc/aide.conf:
FIPSR = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha256
AIDE rules can be configured in multiple ways; this is merely one example that is already configured by default. The remediation provided with this rule adds xattrs to all rule sets available in /etc/aide.conf
SRG-OS-000360-GPOS-00147
SRG-OS-000480-GPOS-00225
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00232
CCI-000366
audit_immutable_login_uids medium Configure immutable Audit login UIDs If modification of login UIDs is not prevented, they can be changed by unprivileged users and make auditing complicated or impossible. Configure kernel to prevent modification of login UIDs once they are set. Changing login UIDs while this configuration is enforced requires special capabilities which are not available to unprivileged users. The following rules configure audit as described above:
## Make the loginuid immutable. This prevents tampering with the auid.
--loginuid-immutable    
Load new Audit rules into kernel by running:
augenrules --load
SRG-OS-000057-GPOS-00027
SRG-OS-000058-GPOS-00028
SRG-OS-000059-GPOS-00029
CCI-000162
CCI-000163
CCI-000164
audit_rules_dac_modification_chmod medium Record Events that Modify the System's Discretionary Access Controls - chmod The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
SRG-OS-000037-GPOS-00015
SRG-OS-000042-GPOS-00020
SRG-OS-000042-GPOS-00021
SRG-OS-000062-GPOS-00031
SRG-OS-000064-GPOS-00033
SRG-OS-000458-GPOS-00203
SRG-OS-000461-GPOS-00205
SRG-OS-000462-GPOS-00206
SRG-OS-000463-GPOS-00207
SRG-OS-000465-GPOS-00209
SRG-OS-000466-GPOS-00210
SRG-OS-000467-GPOS-00211
SRG-OS-000468-GPOS-00212
SRG-OS-000470-GPOS-00214
SRG-OS-000471-GPOS-00215
SRG-OS-000471-GPOS-00216
SRG-OS-000472-GPOS-00217
SRG-OS-000473-GPOS-00218
SRG-OS-000474-GPOS-00219
SRG-OS-000475-GPOS-00220
SRG-OS-000476-GPOS-00221
SRG-OS-000477-GPOS-00222
SRG-OS-000392-GPOS-00172
CCI-000126
CCI-000130
CCI-000135
CCI-000169
CCI-000172
CCI-002884
audit_rules_dac_modification_chown medium Record Events that Modify the System's Discretionary Access Controls - chown The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
SRG-OS-000037-GPOS-00015
SRG-OS-000042-GPOS-00020
SRG-OS-000042-GPOS-00021
SRG-OS-000062-GPOS-00031
SRG-OS-000064-GPOS-00033
SRG-OS-000458-GPOS-00203
SRG-OS-000461-GPOS-00205
SRG-OS-000462-GPOS-00206
SRG-OS-000463-GPOS-00207
SRG-OS-000465-GPOS-00209
SRG-OS-000466-GPOS-00210
SRG-OS-000467-GPOS-00211
SRG-OS-000468-GPOS-00212
SRG-OS-000470-GPOS-00214
SRG-OS-000471-GPOS-00215
SRG-OS-000471-GPOS-00216
SRG-OS-000472-GPOS-00217
SRG-OS-000473-GPOS-00218
SRG-OS-000474-GPOS-00219
SRG-OS-000475-GPOS-00220
SRG-OS-000476-GPOS-00221
SRG-OS-000477-GPOS-00222
SRG-OS-000392-GPOS-00172
CCI-000126
CCI-000130
CCI-000135
CCI-000169
CCI-000172
CCI-002884
audit_rules_dac_modification_fchmod medium Record Events that Modify the System's Discretionary Access Controls - fchmod The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
SRG-OS-000037-GPOS-00015
SRG-OS-000042-GPOS-00020
SRG-OS-000042-GPOS-00021
SRG-OS-000062-GPOS-00031
SRG-OS-000064-GPOS-00033
SRG-OS-000458-GPOS-00203
SRG-OS-000461-GPOS-00205
SRG-OS-000462-GPOS-00206
SRG-OS-000463-GPOS-00207
SRG-OS-000465-GPOS-00209
SRG-OS-000466-GPOS-00210
SRG-OS-000467-GPOS-00211
SRG-OS-000468-GPOS-00212
SRG-OS-000470-GPOS-00214
SRG-OS-000471-GPOS-00215
SRG-OS-000471-GPOS-00216
SRG-OS-000472-GPOS-00217
SRG-OS-000473-GPOS-00218
SRG-OS-000474-GPOS-00219
SRG-OS-000475-GPOS-00220
SRG-OS-000476-GPOS-00221
SRG-OS-000477-GPOS-00222
SRG-OS-000392-GPOS-00172
CCI-000126
CCI-000130
CCI-000135
CCI-000169
CCI-000172
CCI-002884
audit_rules_dac_modification_fchmodat medium Record Events that Modify the System's Discretionary Access Controls - fchmodat The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
SRG-OS-000037-GPOS-00015
SRG-OS-000042-GPOS-00020
SRG-OS-000042-GPOS-00021
SRG-OS-000062-GPOS-00031
SRG-OS-000064-GPOS-00033
SRG-OS-000458-GPOS-00203
SRG-OS-000461-GPOS-00205
SRG-OS-000462-GPOS-00206
SRG-OS-000463-GPOS-00207
SRG-OS-000465-GPOS-00209
SRG-OS-000466-GPOS-00210
SRG-OS-000467-GPOS-00211
SRG-OS-000468-GPOS-00212
SRG-OS-000470-GPOS-00214
SRG-OS-000471-GPOS-00215
SRG-OS-000471-GPOS-00216
SRG-OS-000472-GPOS-00217
SRG-OS-000473-GPOS-00218
SRG-OS-000474-GPOS-00219
SRG-OS-000475-GPOS-00220
SRG-OS-000476-GPOS-00221
SRG-OS-000477-GPOS-00222
SRG-OS-000392-GPOS-00172
CCI-000126
CCI-000130
CCI-000135
CCI-000169
CCI-000172
CCI-002884
audit_rules_dac_modification_fchown medium Record Events that Modify the System's Discretionary Access Controls - fchown The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
SRG-OS-000037-GPOS-00015
SRG-OS-000042-GPOS-00020
SRG-OS-000042-GPOS-00021
SRG-OS-000062-GPOS-00031
SRG-OS-000064-GPOS-00033
SRG-OS-000458-GPOS-00203
SRG-OS-000461-GPOS-00205
SRG-OS-000462-GPOS-00206
SRG-OS-000463-GPOS-00207
SRG-OS-000465-GPOS-00209
SRG-OS-000466-GPOS-00210
SRG-OS-000467-GPOS-00211
SRG-OS-000468-GPOS-00212
SRG-OS-000470-GPOS-00214
SRG-OS-000471-GPOS-00215
SRG-OS-000471-GPOS-00216
SRG-OS-000472-GPOS-00217
SRG-OS-000473-GPOS-00218
SRG-OS-000474-GPOS-00219
SRG-OS-000475-GPOS-00220
SRG-OS-000476-GPOS-00221
SRG-OS-000477-GPOS-00222
SRG-OS-000392-GPOS-00172
CCI-000126
CCI-000130
CCI-000135
CCI-000169
CCI-000172
CCI-002884
audit_rules_dac_modification_fchownat medium Record Events that Modify the System's Discretionary Access Controls - fchownat The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
SRG-OS-000037-GPOS-00015
SRG-OS-000042-GPOS-00020
SRG-OS-000042-GPOS-00021
SRG-OS-000062-GPOS-00031
SRG-OS-000064-GPOS-00033
SRG-OS-000458-GPOS-00203
SRG-OS-000461-GPOS-00205
SRG-OS-000462-GPOS-00206
SRG-OS-000463-GPOS-00207
SRG-OS-000465-GPOS-00209
SRG-OS-000466-GPOS-00210
SRG-OS-000467-GPOS-00211
SRG-OS-000468-GPOS-00212
SRG-OS-000470-GPOS-00214
SRG-OS-000471-GPOS-00215
SRG-OS-000471-GPOS-00216
SRG-OS-000472-GPOS-00217
SRG-OS-000473-GPOS-00218
SRG-OS-000474-GPOS-00219
SRG-OS-000475-GPOS-00220
SRG-OS-000476-GPOS-00221
SRG-OS-000477-GPOS-00222
SRG-OS-000392-GPOS-00172
CCI-000126
CCI-000130
CCI-000135
CCI-000169
CCI-000172
CCI-002884
audit_rules_dac_modification_fremovexattr medium Record Events that Modify the System's Discretionary Access Controls - fremovexattr The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. At a minimum, the audit system should collect file permission changes for all users and root.

If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b32 -S fremovexattr -F auid=0 -F key=perm_mod


If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b64 -S fremovexattr -F auid=0 -F key=perm_mod


If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b32 -S fremovexattr -F auid=0 -F key=perm_mod


If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b64 -S fremovexattr -F auid=0 -F key=perm_mod
SRG-OS-000037-GPOS-00015
SRG-OS-000042-GPOS-00020
SRG-OS-000042-GPOS-00021
SRG-OS-000062-GPOS-00031
SRG-OS-000064-GPOS-00033
SRG-OS-000458-GPOS-00203
SRG-OS-000461-GPOS-00205
SRG-OS-000462-GPOS-00206
SRG-OS-000463-GPOS-00207
SRG-OS-000465-GPOS-00209
SRG-OS-000466-GPOS-00210
SRG-OS-000467-GPOS-00211
SRG-OS-000468-GPOS-00212
SRG-OS-000470-GPOS-00214
SRG-OS-000471-GPOS-00215
SRG-OS-000471-GPOS-00216
SRG-OS-000472-GPOS-00217
SRG-OS-000473-GPOS-00218
SRG-OS-000474-GPOS-00219
SRG-OS-000475-GPOS-00220
SRG-OS-000476-GPOS-00221
SRG-OS-000477-GPOS-00222
SRG-OS-000392-GPOS-00172
CCI-000130
CCI-000135
CCI-000169
CCI-000172
CCI-002884
audit_rules_dac_modification_fsetxattr medium Record Events that Modify the System's Discretionary Access Controls - fsetxattr The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b32 -S fsetxattr -F auid=0 -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b64 -S fsetxattr -F auid=0 -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b32 -S fsetxattr -F auid=0 -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b64 -S fsetxattr -F auid=0 -F key=perm_mod
SRG-OS-000037-GPOS-00015
SRG-OS-000042-GPOS-00020
SRG-OS-000042-GPOS-00021
SRG-OS-000062-GPOS-00031
SRG-OS-000064-GPOS-00033
SRG-OS-000458-GPOS-00203
SRG-OS-000461-GPOS-00205
SRG-OS-000462-GPOS-00206
SRG-OS-000463-GPOS-00207
SRG-OS-000465-GPOS-00209
SRG-OS-000466-GPOS-00210
SRG-OS-000467-GPOS-00211
SRG-OS-000468-GPOS-00212
SRG-OS-000470-GPOS-00214
SRG-OS-000471-GPOS-00215
SRG-OS-000471-GPOS-00216
SRG-OS-000472-GPOS-00217
SRG-OS-000473-GPOS-00218
SRG-OS-000474-GPOS-00219
SRG-OS-000475-GPOS-00220
SRG-OS-000476-GPOS-00221
SRG-OS-000477-GPOS-00222
SRG-OS-000392-GPOS-00172
CCI-000126
CCI-000130
CCI-000135
CCI-000169
CCI-000172
CCI-002884
audit_rules_dac_modification_lchown medium Record Events that Modify the System's Discretionary Access Controls - lchown The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
SRG-OS-000037-GPOS-00015
SRG-OS-000042-GPOS-00020
SRG-OS-000042-GPOS-00021
SRG-OS-000062-GPOS-00031
SRG-OS-000064-GPOS-00033
SRG-OS-000458-GPOS-00203
SRG-OS-000461-GPOS-00205
SRG-OS-000462-GPOS-00206
SRG-OS-000463-GPOS-00207
SRG-OS-000465-GPOS-00209
SRG-OS-000466-GPOS-00210
SRG-OS-000467-GPOS-00211
SRG-OS-000468-GPOS-00212
SRG-OS-000470-GPOS-00214
SRG-OS-000471-GPOS-00215
SRG-OS-000471-GPOS-00216
SRG-OS-000472-GPOS-00217
SRG-OS-000473-GPOS-00218
SRG-OS-000474-GPOS-00219
SRG-OS-000475-GPOS-00220
SRG-OS-000476-GPOS-00221
SRG-OS-000477-GPOS-00222
SRG-OS-000392-GPOS-00172
CCI-000126
CCI-000130
CCI-000135
CCI-000169
CCI-000172
CCI-002884
audit_rules_dac_modification_lremovexattr medium Record Events that Modify the System's Discretionary Access Controls - lremovexattr The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. At a minimum, the audit system should collect file permission changes for all users and root.

If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b32 -S lremovexattr -F auid=0 -F key=perm_mod


If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b64 -S lremovexattr -F auid=0 -F key=perm_mod


If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b32 -S lremovexattr -F auid=0 -F key=perm_mod


If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b64 -S lremovexattr -F auid=0 -F key=perm_mod
SRG-OS-000037-GPOS-00015
SRG-OS-000042-GPOS-00020
SRG-OS-000042-GPOS-00021
SRG-OS-000062-GPOS-00031
SRG-OS-000064-GPOS-00033
SRG-OS-000458-GPOS-00203
SRG-OS-000461-GPOS-00205
SRG-OS-000462-GPOS-00206
SRG-OS-000463-GPOS-00207
SRG-OS-000465-GPOS-00209
SRG-OS-000466-GPOS-00210
SRG-OS-000467-GPOS-00211
SRG-OS-000468-GPOS-00212
SRG-OS-000470-GPOS-00214
SRG-OS-000471-GPOS-00215
SRG-OS-000471-GPOS-00216
SRG-OS-000472-GPOS-00217
SRG-OS-000473-GPOS-00218
SRG-OS-000474-GPOS-00219
SRG-OS-000475-GPOS-00220
SRG-OS-000476-GPOS-00221
SRG-OS-000477-GPOS-00222
SRG-OS-000392-GPOS-00172
CCI-000130
CCI-000135
CCI-000169
CCI-000172
CCI-002884
audit_rules_dac_modification_lsetxattr medium Record Events that Modify the System's Discretionary Access Controls - lsetxattr The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b32 -S lsetxattr -F auid=0 -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b64 -S lsetxattr -F auid=0 -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b32 -S lsetxattr -F auid=0 -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b64 -S lsetxattr -F auid=0 -F key=perm_mod
SRG-OS-000037-GPOS-00015
SRG-OS-000042-GPOS-00020
SRG-OS-000042-GPOS-00021
SRG-OS-000062-GPOS-00031
SRG-OS-000064-GPOS-00033
SRG-OS-000458-GPOS-00203
SRG-OS-000461-GPOS-00205
SRG-OS-000462-GPOS-00206
SRG-OS-000463-GPOS-00207
SRG-OS-000465-GPOS-00209
SRG-OS-000466-GPOS-00210
SRG-OS-000467-GPOS-00211
SRG-OS-000468-GPOS-00212
SRG-OS-000470-GPOS-00214
SRG-OS-000471-GPOS-00215
SRG-OS-000471-GPOS-00216
SRG-OS-000472-GPOS-00217
SRG-OS-000473-GPOS-00218
SRG-OS-000474-GPOS-00219
SRG-OS-000475-GPOS-00220
SRG-OS-000476-GPOS-00221
SRG-OS-000477-GPOS-00222
SRG-OS-000392-GPOS-00172
CCI-000126
CCI-000130
CCI-000135
CCI-000169
CCI-000172
CCI-002884
audit_rules_dac_modification_removexattr medium Record Events that Modify the System's Discretionary Access Controls - removexattr The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. At a minimum, the audit system should collect file permission changes for all users and root.

If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b32 -S removexattr -F auid=0 -F key=perm_mod


If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b64 -S removexattr -F auid=0 -F key=perm_mod


If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b32 -S removexattr -F auid=0 -F key=perm_mod


If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b64 -S removexattr -F auid=0 -F key=perm_mod
SRG-OS-000037-GPOS-00015
SRG-OS-000042-GPOS-00020
SRG-OS-000042-GPOS-00021
SRG-OS-000062-GPOS-00031
SRG-OS-000064-GPOS-00033
SRG-OS-000458-GPOS-00203
SRG-OS-000461-GPOS-00205
SRG-OS-000462-GPOS-00206
SRG-OS-000463-GPOS-00207
SRG-OS-000465-GPOS-00209
SRG-OS-000466-GPOS-00210
SRG-OS-000467-GPOS-00211
SRG-OS-000468-GPOS-00212
SRG-OS-000470-GPOS-00214
SRG-OS-000471-GPOS-00215
SRG-OS-000471-GPOS-00216
SRG-OS-000472-GPOS-00217
SRG-OS-000473-GPOS-00218
SRG-OS-000474-GPOS-00219
SRG-OS-000475-GPOS-00220
SRG-OS-000476-GPOS-00221
SRG-OS-000477-GPOS-00222
SRG-OS-000392-GPOS-00172
CCI-000130
CCI-000135
CCI-000169
CCI-000172
CCI-002884
audit_rules_dac_modification_setxattr medium Record Events that Modify the System's Discretionary Access Controls - setxattr The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users. At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b32 -S setxattr -F auid=0 -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b64 -S setxattr -F auid=0 -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b32 -S setxattr -F auid=0 -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b64 -S setxattr -F auid=0 -F key=perm_mod
SRG-OS-000037-GPOS-00015
SRG-OS-000042-GPOS-00020
SRG-OS-000042-GPOS-00021
SRG-OS-000062-GPOS-00031
SRG-OS-000064-GPOS-00033
SRG-OS-000458-GPOS-00203
SRG-OS-000461-GPOS-00205
SRG-OS-000462-GPOS-00206
SRG-OS-000463-GPOS-00207
SRG-OS-000465-GPOS-00209
SRG-OS-000466-GPOS-00210
SRG-OS-000467-GPOS-00211
SRG-OS-000468-GPOS-00212
SRG-OS-000470-GPOS-00214
SRG-OS-000471-GPOS-00215
SRG-OS-000471-GPOS-00216
SRG-OS-000472-GPOS-00217
SRG-OS-000473-GPOS-00218
SRG-OS-000474-GPOS-00219
SRG-OS-000475-GPOS-00220
SRG-OS-000476-GPOS-00221
SRG-OS-000477-GPOS-00222
SRG-OS-000392-GPOS-00172
CCI-000126
CCI-000130
CCI-000135
CCI-000169
CCI-000172
CCI-002884
audit_rules_execution_chacl medium Record Any Attempts to Run chacl Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). At a minimum, the audit system should collect any execution attempt of the chacl command for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file:
-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
SRG-OS-000037-GPOS-00015
SRG-OS-000042-GPOS-00020
SRG-OS-000042-GPOS-00021
SRG-OS-000062-GPOS-00031
SRG-OS-000064-GPOS-00033
SRG-OS-000458-GPOS-00203
SRG-OS-000461-GPOS-00205
SRG-OS-000462-GPOS-00206
SRG-OS-000463-GPOS-00207
SRG-OS-000465-GPOS-00209
SRG-OS-000466-GPOS-00210
SRG-OS-000467-GPOS-00211
SRG-OS-000468-GPOS-00212
SRG-OS-000470-GPOS-00214
SRG-OS-000471-GPOS-00215
SRG-OS-000471-GPOS-00216
SRG-OS-000472-GPOS-00217
SRG-OS-000473-GPOS-00218
SRG-OS-000474-GPOS-00219
SRG-OS-000475-GPOS-00220
SRG-OS-000476-GPOS-00221
SRG-OS-000477-GPOS-00222
SRG-OS-000392-GPOS-00172
CCI-000130
CCI-000135
CCI-000169
CCI-000172
CCI-002884
audit_rules_execution_chcon medium Record Any Attempts to Run chcon Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
At a minimum, the audit system should collect any execution attempt of the chcon command for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file:
-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
SRG-OS-000037-GPOS-00015
SRG-OS-000042-GPOS-00020
SRG-OS-000042-GPOS-00021
SRG-OS-000062-GPOS-00031
SRG-OS-000064-GPOS-00033
SRG-OS-000458-GPOS-00203
SRG-OS-000461-GPOS-00205
SRG-OS-000462-GPOS-00206
SRG-OS-000463-GPOS-00207
SRG-OS-000465-GPOS-00209
SRG-OS-000466-GPOS-00210
SRG-OS-000467-GPOS-00211
SRG-OS-000468-GPOS-00212
SRG-OS-000470-GPOS-00214
SRG-OS-000471-GPOS-00215
SRG-OS-000471-GPOS-00216
SRG-OS-000472-GPOS-00217
SRG-OS-000473-GPOS-00218
SRG-OS-000474-GPOS-00219
SRG-OS-000475-GPOS-00220
SRG-OS-000476-GPOS-00221
SRG-OS-000477-GPOS-00222
SRG-OS-000392-GPOS-00172
CCI-000130
CCI-000135
CCI-000169
CCI-000172
CCI-002884
audit_rules_execution_semanage medium Record Any Attempts to Run semanage Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
At a minimum, the audit system should collect any execution attempt of the semanage command for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file:
-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
SRG-OS-000062-GPOS-00031
SRG-OS-000064-GPOS-00033
SRG-OS-000458-GPOS-00203
SRG-OS-000461-GPOS-00205
SRG-OS-000462-GPOS-00206
SRG-OS-000463-GPOS-00207
SRG-OS-000465-GPOS-00209
SRG-OS-000466-GPOS-00210
SRG-OS-000467-GPOS-00211
SRG-OS-000468-GPOS-00212
SRG-OS-000470-GPOS-00214
SRG-OS-000471-GPOS-00215
SRG-OS-000471-GPOS-00216
SRG-OS-000472-GPOS-00217
SRG-OS-000473-GPOS-00218
SRG-OS-000474-GPOS-00219
SRG-OS-000475-GPOS-00220
SRG-OS-000476-GPOS-00221
SRG-OS-000477-GPOS-00222
SRG-OS-000392-GPOS-00172
CCI-000169
CCI-000172
CCI-002884
audit_rules_execution_setfacl medium Record Any Attempts to Run setfacl Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). At a minimum, the audit system should collect any execution attempt of the setfacl command for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file:
-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
SRG-OS-000037-GPOS-00015
SRG-OS-000042-GPOS-00020
SRG-OS-000042-GPOS-00021
SRG-OS-000062-GPOS-00031
SRG-OS-000064-GPOS-00033
SRG-OS-000458-GPOS-00203
SRG-OS-000461-GPOS-00205
SRG-OS-000462-GPOS-00206
SRG-OS-000463-GPOS-00207
SRG-OS-000465-GPOS-00209
SRG-OS-000466-GPOS-00210
SRG-OS-000467-GPOS-00211
SRG-OS-000468-GPOS-00212
SRG-OS-000470-GPOS-00214
SRG-OS-000471-GPOS-00215
SRG-OS-000471-GPOS-00216
SRG-OS-000472-GPOS-00217
SRG-OS-000473-GPOS-00218
SRG-OS-000474-GPOS-00219
SRG-OS-000475-GPOS-00220
SRG-OS-000476-GPOS-00221
SRG-OS-000477-GPOS-00222
SRG-OS-000392-GPOS-00172
CCI-000130
CCI-000135
CCI-000169
CCI-000172
CCI-002884
audit_rules_execution_setfiles medium Record Any Attempts to Run setfiles Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
At a minimum, the audit system should collect any execution attempt of the setfiles command for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file:
-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
SRG-OS-000062-GPOS-00031
SRG-OS-000064-GPOS-00033
SRG-OS-000458-GPOS-00203
SRG-OS-000461-GPOS-00205
SRG-OS-000462-GPOS-00206
SRG-OS-000463-GPOS-00207
SRG-OS-000465-GPOS-00209
SRG-OS-000466-GPOS-00210
SRG-OS-000467-GPOS-00211
SRG-OS-000468-GPOS-00212
SRG-OS-000470-GPOS-00214
SRG-OS-000471-GPOS-00215
SRG-OS-000471-GPOS-00216
SRG-OS-000472-GPOS-00217
SRG-OS-000473-GPOS-00218
SRG-OS-000474-GPOS-00219
SRG-OS-000475-GPOS-00220
SRG-OS-000476-GPOS-00221
SRG-OS-000477-GPOS-00222
SRG-OS-000392-GPOS-00172
CCI-000169
CCI-000172
CCI-002884
audit_rules_execution_setsebool medium Record Any Attempts to Run setsebool Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
At a minimum, the audit system should collect any execution attempt of the setsebool command for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file:
-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
SRG-OS-000037-GPOS-00015
SRG-OS-000042-GPOS-00020
SRG-OS-000042-GPOS-00021
SRG-OS-000062-GPOS-00031
SRG-OS-000064-GPOS-00033
SRG-OS-000458-GPOS-00203
SRG-OS-000461-GPOS-00205
SRG-OS-000462-GPOS-00206
SRG-OS-000463-GPOS-00207
SRG-OS-000465-GPOS-00209
SRG-OS-000466-GPOS-00210
SRG-OS-000467-GPOS-00211
SRG-OS-000468-GPOS-00212
SRG-OS-000470-GPOS-00214
SRG-OS-000471-GPOS-00215
SRG-OS-000471-GPOS-00216
SRG-OS-000472-GPOS-00217
SRG-OS-000473-GPOS-00218
SRG-OS-000474-GPOS-00219
SRG-OS-000475-GPOS-00220
SRG-OS-000476-GPOS-00221
SRG-OS-000477-GPOS-00222
SRG-OS-000392-GPOS-00172
CCI-000130
CCI-000135
CCI-000169
CCI-000172
CCI-002884
audit_rules_file_deletion_events_rename medium Ensure auditd Collects File Deletion Events by User - rename Auditing file deletions will create an audit trail for files that are removed from the system. The audit trail could aid in system troubleshooting, as well as, detecting malicious processes that attempt to delete log files to conceal their presence. At a minimum, the audit system should collect file deletion events for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system:
-a always,exit -F arch=ARCH -S rename -F auid>=1000 -F auid!=unset -F key=delete
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system:
-a always,exit -F arch=ARCH -S rename -F auid>=1000 -F auid!=unset -F key=delete
SRG-OS-000037-GPOS-00015
SRG-OS-000042-GPOS-00020
SRG-OS-000042-GPOS-00021
SRG-OS-000062-GPOS-00031
SRG-OS-000064-GPOS-00033
SRG-OS-000458-GPOS-00203
SRG-OS-000461-GPOS-00205
SRG-OS-000462-GPOS-00206
SRG-OS-000463-GPOS-00207
SRG-OS-000465-GPOS-00209
SRG-OS-000466-GPOS-00210
SRG-OS-000467-GPOS-00211
SRG-OS-000468-GPOS-00212
SRG-OS-000470-GPOS-00214
SRG-OS-000471-GPOS-00215
SRG-OS-000471-GPOS-00216
SRG-OS-000472-GPOS-00217
SRG-OS-000473-GPOS-00218
SRG-OS-000474-GPOS-00219
SRG-OS-000475-GPOS-00220
SRG-OS-000476-GPOS-00221
SRG-OS-000477-GPOS-00222
SRG-OS-000360-GPOS-00147
SRG-OS-000480-GPOS-00225
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00232
SRG-OS-000392-GPOS-00172
CCI-000130
CCI-000135
CCI-000169
CCI-000172
CCI-000366
CCI-002884
audit_rules_file_deletion_events_renameat medium Ensure auditd Collects File Deletion Events by User - renameat Auditing file deletions will create an audit trail for files that are removed from the system. The audit trail could aid in system troubleshooting, as well as, detecting malicious processes that attempt to delete log files to conceal their presence. At a minimum, the audit system should collect file deletion events for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system:
-a always,exit -F arch=ARCH -S renameat -F auid>=1000 -F auid!=unset -F key=delete
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system:
-a always,exit -F arch=ARCH -S renameat -F auid>=1000 -F auid!=unset -F key=delete
SRG-OS-000037-GPOS-00015
SRG-OS-000042-GPOS-00020
SRG-OS-000042-GPOS-00021
SRG-OS-000062-GPOS-00031
SRG-OS-000064-GPOS-00033
SRG-OS-000458-GPOS-00203
SRG-OS-000461-GPOS-00205
SRG-OS-000462-GPOS-00206
SRG-OS-000463-GPOS-00207
SRG-OS-000465-GPOS-00209
SRG-OS-000466-GPOS-00210
SRG-OS-000467-GPOS-00211
SRG-OS-000468-GPOS-00212
SRG-OS-000470-GPOS-00214
SRG-OS-000471-GPOS-00215
SRG-OS-000471-GPOS-00216
SRG-OS-000472-GPOS-00217
SRG-OS-000473-GPOS-00218
SRG-OS-000474-GPOS-00219
SRG-OS-000475-GPOS-00220
SRG-OS-000476-GPOS-00221
SRG-OS-000477-GPOS-00222
SRG-OS-000360-GPOS-00147
SRG-OS-000480-GPOS-00225
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00232
SRG-OS-000392-GPOS-00172
CCI-000130
CCI-000135
CCI-000169
CCI-000172
CCI-000366
CCI-002884
audit_rules_file_deletion_events_rmdir medium Ensure auditd Collects File Deletion Events by User - rmdir Auditing file deletions will create an audit trail for files that are removed from the system. The audit trail could aid in system troubleshooting, as well as, detecting malicious processes that attempt to delete log files to conceal their presence. At a minimum, the audit system should collect file deletion events for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system:
-a always,exit -F arch=ARCH -S rmdir -F auid>=1000 -F auid!=unset -F key=delete
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system:
-a always,exit -F arch=ARCH -S rmdir -F auid>=1000 -F auid!=unset -F key=delete
SRG-OS-000037-GPOS-00015
SRG-OS-000042-GPOS-00020
SRG-OS-000042-GPOS-00021
SRG-OS-000062-GPOS-00031
SRG-OS-000064-GPOS-00033
SRG-OS-000458-GPOS-00203
SRG-OS-000461-GPOS-00205
SRG-OS-000462-GPOS-00206
SRG-OS-000463-GPOS-00207
SRG-OS-000465-GPOS-00209
SRG-OS-000466-GPOS-00210
SRG-OS-000467-GPOS-00211
SRG-OS-000468-GPOS-00212
SRG-OS-000470-GPOS-00214
SRG-OS-000471-GPOS-00215
SRG-OS-000471-GPOS-00216
SRG-OS-000472-GPOS-00217
SRG-OS-000473-GPOS-00218
SRG-OS-000474-GPOS-00219
SRG-OS-000475-GPOS-00220
SRG-OS-000476-GPOS-00221
SRG-OS-000477-GPOS-00222
SRG-OS-000360-GPOS-00147
SRG-OS-000480-GPOS-00225
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00232
SRG-OS-000392-GPOS-00172
CCI-000130
CCI-000135
CCI-000169
CCI-000172
CCI-000366
CCI-002884
audit_rules_file_deletion_events_unlink medium Ensure auditd Collects File Deletion Events by User - unlink Auditing file deletions will create an audit trail for files that are removed from the system. The audit trail could aid in system troubleshooting, as well as, detecting malicious processes that attempt to delete log files to conceal their presence. At a minimum, the audit system should collect file deletion events for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system:
-a always,exit -F arch=ARCH -S unlink -F auid>=1000 -F auid!=unset -F key=delete
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system:
-a always,exit -F arch=ARCH -S unlink -F auid>=1000 -F auid!=unset -F key=delete
SRG-OS-000037-GPOS-00015
SRG-OS-000042-GPOS-00020
SRG-OS-000042-GPOS-00021
SRG-OS-000062-GPOS-00031
SRG-OS-000064-GPOS-00033
SRG-OS-000458-GPOS-00203
SRG-OS-000461-GPOS-00205
SRG-OS-000462-GPOS-00206
SRG-OS-000463-GPOS-00207
SRG-OS-000465-GPOS-00209
SRG-OS-000466-GPOS-00210
SRG-OS-000467-GPOS-00211
SRG-OS-000468-GPOS-00212
SRG-OS-000470-GPOS-00214
SRG-OS-000471-GPOS-00215
SRG-OS-000471-GPOS-00216
SRG-OS-000472-GPOS-00217
SRG-OS-000473-GPOS-00218
SRG-OS-000474-GPOS-00219
SRG-OS-000475-GPOS-00220
SRG-OS-000476-GPOS-00221
SRG-OS-000477-GPOS-00222
SRG-OS-000360-GPOS-00147
SRG-OS-000480-GPOS-00225
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00232
SRG-OS-000392-GPOS-00172
CCI-000130
CCI-000135
CCI-000169
CCI-000172
CCI-000366
CCI-002884
audit_rules_file_deletion_events_unlinkat medium Ensure auditd Collects File Deletion Events by User - unlinkat Auditing file deletions will create an audit trail for files that are removed from the system. The audit trail could aid in system troubleshooting, as well as, detecting malicious processes that attempt to delete log files to conceal their presence. At a minimum, the audit system should collect file deletion events for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system:
-a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system:
-a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete
SRG-OS-000037-GPOS-00015
SRG-OS-000042-GPOS-00020
SRG-OS-000042-GPOS-00021
SRG-OS-000062-GPOS-00031
SRG-OS-000064-GPOS-00033
SRG-OS-000458-GPOS-00203
SRG-OS-000461-GPOS-00205
SRG-OS-000462-GPOS-00206
SRG-OS-000463-GPOS-00207
SRG-OS-000465-GPOS-00209
SRG-OS-000466-GPOS-00210
SRG-OS-000467-GPOS-00211
SRG-OS-000468-GPOS-00212
SRG-OS-000470-GPOS-00214
SRG-OS-000471-GPOS-00215
SRG-OS-000471-GPOS-00216
SRG-OS-000472-GPOS-00217
SRG-OS-000473-GPOS-00218
SRG-OS-000474-GPOS-00219
SRG-OS-000475-GPOS-00220
SRG-OS-000476-GPOS-00221
SRG-OS-000477-GPOS-00222
SRG-OS-000360-GPOS-00147
SRG-OS-000480-GPOS-00225
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00232
SRG-OS-000392-GPOS-00172
CCI-000130
CCI-000135
CCI-000169
CCI-000172
CCI-000366
CCI-002884
audit_rules_immutable medium Make the auditd Configuration Immutable Making the audit configuration immutable prevents accidental as well as malicious modification of the audit rules, although it may be problematic if legitimate changes are needed during system operation. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d in order to make the auditd configuration immutable:
-e 2
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file in order to make the auditd configuration immutable:
-e 2
With this setting, a reboot will be required to change any audit rules.
SRG-OS-000057-GPOS-00027
SRG-OS-000058-GPOS-00028
SRG-OS-000059-GPOS-00029
CCI-000162
CCI-000163
CCI-000164
audit_rules_kernel_module_loading_delete medium Ensure auditd Collects Information on Kernel Module Unloading - delete_module The removal of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. It is important to have an audit trail of modules that have been introduced into the kernel. To capture kernel module unloading events, use following line, setting ARCH to either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit:
-a always,exit -F arch=ARCH -S delete_module -F auid>=1000 -F auid!=unset -F key=modules
Place to add the line depends on a way auditd daemon is configured. If it is configured to use the augenrules program (the default), add the line to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility, add the line to file /etc/audit/audit.rules.
SRG-OS-000037-GPOS-00015
SRG-OS-000042-GPOS-00020
SRG-OS-000042-GPOS-00021
SRG-OS-000062-GPOS-00031
SRG-OS-000064-GPOS-00033
SRG-OS-000458-GPOS-00203
SRG-OS-000461-GPOS-00205
SRG-OS-000462-GPOS-00206
SRG-OS-000463-GPOS-00207
SRG-OS-000465-GPOS-00209
SRG-OS-000466-GPOS-00210
SRG-OS-000467-GPOS-00211
SRG-OS-000468-GPOS-00212
SRG-OS-000470-GPOS-00214
SRG-OS-000471-GPOS-00215
SRG-OS-000471-GPOS-00216
SRG-OS-000472-GPOS-00217
SRG-OS-000473-GPOS-00218
SRG-OS-000474-GPOS-00219
SRG-OS-000475-GPOS-00220
SRG-OS-000476-GPOS-00221
SRG-OS-000477-GPOS-00222
SRG-OS-000392-GPOS-00172
CCI-000130
CCI-000135
CCI-000169
CCI-000172
CCI-002884
audit_rules_kernel_module_loading_finit medium Ensure auditd Collects Information on Kernel Module Loading and Unloading - finit_module The addition/removal of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. It is important to have an audit trail of modules that have been introduced into the kernel. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system:
-a always,exit -F arch=ARCH -S finit_module -F auid>=1000 -F auid!=unset -F key=modules
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file in order to capture kernel module loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system:
-a always,exit -F arch=ARCH -S finit_module -F auid>=1000 -F auid!=unset -F key=modules
SRG-OS-000037-GPOS-00015
SRG-OS-000042-GPOS-00020
SRG-OS-000042-GPOS-00021
SRG-OS-000062-GPOS-00031
SRG-OS-000064-GPOS-00033
SRG-OS-000458-GPOS-00203
SRG-OS-000461-GPOS-00205
SRG-OS-000462-GPOS-00206
SRG-OS-000463-GPOS-00207
SRG-OS-000465-GPOS-00209
SRG-OS-000466-GPOS-00210
SRG-OS-000467-GPOS-00211
SRG-OS-000468-GPOS-00212
SRG-OS-000470-GPOS-00214
SRG-OS-000471-GPOS-00215
SRG-OS-000471-GPOS-00216
SRG-OS-000472-GPOS-00217
SRG-OS-000473-GPOS-00218
SRG-OS-000474-GPOS-00219
SRG-OS-000475-GPOS-00220
SRG-OS-000476-GPOS-00221
SRG-OS-000477-GPOS-00222
SRG-OS-000392-GPOS-00172
CCI-000130
CCI-000135
CCI-000169
CCI-000172
CCI-002884
audit_rules_kernel_module_loading_init medium Ensure auditd Collects Information on Kernel Module Loading - init_module The addition of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. It is important to have an audit trail of modules that have been introduced into the kernel. To capture kernel module loading events, use following line, setting ARCH to either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit:
-a always,exit -F arch=ARCH -S init_module -F auid>=1000 -F auid!=unset -F key=modules
Place to add the line depends on a way auditd daemon is configured. If it is configured to use the augenrules program (the default), add the line to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility, add the line to file /etc/audit/audit.rules.
SRG-OS-000037-GPOS-00015
SRG-OS-000042-GPOS-00020
SRG-OS-000042-GPOS-00021
SRG-OS-000062-GPOS-00031
SRG-OS-000064-GPOS-00033
SRG-OS-000458-GPOS-00203
SRG-OS-000461-GPOS-00205
SRG-OS-000462-GPOS-00206
SRG-OS-000463-GPOS-00207
SRG-OS-000465-GPOS-00209
SRG-OS-000466-GPOS-00210
SRG-OS-000467-GPOS-00211
SRG-OS-000468-GPOS-00212
SRG-OS-000470-GPOS-00214
SRG-OS-000471-GPOS-00215
SRG-OS-000471-GPOS-00216
SRG-OS-000472-GPOS-00217
SRG-OS-000473-GPOS-00218
SRG-OS-000474-GPOS-00219
SRG-OS-000475-GPOS-00220
SRG-OS-000476-GPOS-00221
SRG-OS-000477-GPOS-00222
SRG-OS-000392-GPOS-00172
CCI-000130
CCI-000135
CCI-000169
CCI-000172
CCI-002884
audit_rules_login_events_lastlog medium Record Attempts to Alter Logon and Logout Events - lastlog Manual editing of these files may indicate nefarious activity, such as an attacker attempting to remove evidence of an intrusion. The audit system already collects login information for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d in order to watch for attempted manual edits of files involved in storing logon events:
-w /var/log/lastlog -p wa -k logins
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file in order to watch for unattempted manual edits of files involved in storing logon events:
-w /var/log/lastlog -p wa -k logins
SRG-OS-000037-GPOS-00015
SRG-OS-000042-GPOS-00020
SRG-OS-000042-GPOS-00021
SRG-OS-000062-GPOS-00031
SRG-OS-000064-GPOS-00033
SRG-OS-000458-GPOS-00203
SRG-OS-000461-GPOS-00205
SRG-OS-000462-GPOS-00206
SRG-OS-000463-GPOS-00207
SRG-OS-000465-GPOS-00209
SRG-OS-000466-GPOS-00210
SRG-OS-000467-GPOS-00211
SRG-OS-000468-GPOS-00212
SRG-OS-000470-GPOS-00214
SRG-OS-000471-GPOS-00215
SRG-OS-000471-GPOS-00216
SRG-OS-000472-GPOS-00217
SRG-OS-000473-GPOS-00218
SRG-OS-000474-GPOS-00219
SRG-OS-000475-GPOS-00220
SRG-OS-000476-GPOS-00221
SRG-OS-000477-GPOS-00222
SRG-OS-000392-GPOS-00172
CCI-000126
CCI-000130
CCI-000135
CCI-000169
CCI-000172
CCI-002884
audit_rules_media_export medium Ensure auditd Collects Information on Exporting to Media (successful) The unauthorized exportation of data to external media could result in an information leak where classified information, Privacy Act information, and intellectual property could be lost. An audit trail should be created each time a filesystem is mounted to help identify and guard against information loss. At a minimum, the audit system should collect media exportation events for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system:
-a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=unset -F key=export
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system:
-a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=unset -F key=export
SRG-OS-000037-GPOS-00015
SRG-OS-000042-GPOS-00020
SRG-OS-000042-GPOS-00021
SRG-OS-000062-GPOS-00031
SRG-OS-000064-GPOS-00033
SRG-OS-000458-GPOS-00203
SRG-OS-000461-GPOS-00205
SRG-OS-000462-GPOS-00206
SRG-OS-000463-GPOS-00207
SRG-OS-000465-GPOS-00209
SRG-OS-000466-GPOS-00210
SRG-OS-000467-GPOS-00211
SRG-OS-000468-GPOS-00212
SRG-OS-000470-GPOS-00214
SRG-OS-000471-GPOS-00215
SRG-OS-000471-GPOS-00216
SRG-OS-000472-GPOS-00217
SRG-OS-000473-GPOS-00218
SRG-OS-000474-GPOS-00219
SRG-OS-000475-GPOS-00220
SRG-OS-000476-GPOS-00221
SRG-OS-000477-GPOS-00222
SRG-OS-000392-GPOS-00172
CCI-000130
CCI-000135
CCI-000169
CCI-000172
CCI-002884
audit_rules_privileged_commands_chage medium Ensure auditd Collects Information on the Use of Privileged Commands - chage Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
SRG-OS-000037-GPOS-00015
SRG-OS-000042-GPOS-00020
SRG-OS-000042-GPOS-00021
SRG-OS-000062-GPOS-00031
SRG-OS-000064-GPOS-00033
SRG-OS-000458-GPOS-00203
SRG-OS-000461-GPOS-00205
SRG-OS-000462-GPOS-00206
SRG-OS-000463-GPOS-00207
SRG-OS-000465-GPOS-00209
SRG-OS-000466-GPOS-00210
SRG-OS-000467-GPOS-00211
SRG-OS-000468-GPOS-00212
SRG-OS-000470-GPOS-00214
SRG-OS-000471-GPOS-00215
SRG-OS-000471-GPOS-00216
SRG-OS-000472-GPOS-00217
SRG-OS-000473-GPOS-00218
SRG-OS-000474-GPOS-00219
SRG-OS-000475-GPOS-00220
SRG-OS-000476-GPOS-00221
SRG-OS-000477-GPOS-00222
SRG-OS-000392-GPOS-00172
CCI-000130
CCI-000135
CCI-000169
CCI-000172
CCI-002884
audit_rules_privileged_commands_chsh medium Ensure auditd Collects Information on the Use of Privileged Commands - chsh Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
SRG-OS-000037-GPOS-00015
SRG-OS-000042-GPOS-00020
SRG-OS-000042-GPOS-00021
SRG-OS-000062-GPOS-00031
SRG-OS-000064-GPOS-00033
SRG-OS-000458-GPOS-00203
SRG-OS-000461-GPOS-00205
SRG-OS-000462-GPOS-00206
SRG-OS-000463-GPOS-00207
SRG-OS-000465-GPOS-00209
SRG-OS-000466-GPOS-00210
SRG-OS-000467-GPOS-00211
SRG-OS-000468-GPOS-00212
SRG-OS-000470-GPOS-00214
SRG-OS-000471-GPOS-00215
SRG-OS-000471-GPOS-00216
SRG-OS-000472-GPOS-00217
SRG-OS-000473-GPOS-00218
SRG-OS-000474-GPOS-00219
SRG-OS-000475-GPOS-00220
SRG-OS-000476-GPOS-00221
SRG-OS-000477-GPOS-00222
SRG-OS-000392-GPOS-00172
CCI-000130
CCI-000135
CCI-000169
CCI-000172
CCI-002884
audit_rules_privileged_commands_crontab medium Ensure auditd Collects Information on the Use of Privileged Commands - crontab Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
SRG-OS-000037-GPOS-00015
SRG-OS-000042-GPOS-00020
SRG-OS-000042-GPOS-00021
SRG-OS-000062-GPOS-00031
SRG-OS-000064-GPOS-00033
SRG-OS-000458-GPOS-00203
SRG-OS-000461-GPOS-00205
SRG-OS-000462-GPOS-00206
SRG-OS-000463-GPOS-00207
SRG-OS-000465-GPOS-00209
SRG-OS-000466-GPOS-00210
SRG-OS-000467-GPOS-00211
SRG-OS-000468-GPOS-00212
SRG-OS-000470-GPOS-00214
SRG-OS-000471-GPOS-00215
SRG-OS-000471-GPOS-00216
SRG-OS-000472-GPOS-00217
SRG-OS-000473-GPOS-00218
SRG-OS-000474-GPOS-00219
SRG-OS-000475-GPOS-00220
SRG-OS-000476-GPOS-00221
SRG-OS-000477-GPOS-00222
SRG-OS-000392-GPOS-00172
CCI-000130
CCI-000135
CCI-000169
CCI-000172
CCI-002884
audit_rules_privileged_commands_gpasswd medium Ensure auditd Collects Information on the Use of Privileged Commands - gpasswd Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
SRG-OS-000037-GPOS-00015
SRG-OS-000042-GPOS-00020
SRG-OS-000042-GPOS-00021
SRG-OS-000062-GPOS-00031
SRG-OS-000064-GPOS-00033
SRG-OS-000458-GPOS-00203
SRG-OS-000461-GPOS-00205
SRG-OS-000462-GPOS-00206
SRG-OS-000463-GPOS-00207
SRG-OS-000465-GPOS-00209
SRG-OS-000466-GPOS-00210
SRG-OS-000467-GPOS-00211
SRG-OS-000468-GPOS-00212
SRG-OS-000470-GPOS-00214
SRG-OS-000471-GPOS-00215
SRG-OS-000471-GPOS-00216
SRG-OS-000472-GPOS-00217
SRG-OS-000473-GPOS-00218
SRG-OS-000474-GPOS-00219
SRG-OS-000475-GPOS-00220
SRG-OS-000476-GPOS-00221
SRG-OS-000477-GPOS-00222
SRG-OS-000392-GPOS-00172
CCI-000130
CCI-000135
CCI-000169
CCI-000172
CCI-002884
audit_rules_privileged_commands_kmod medium Ensure auditd Collects Information on the Use of Privileged Commands - kmod Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
SRG-OS-000037-GPOS-00015
SRG-OS-000042-GPOS-00020
SRG-OS-000042-GPOS-00021
SRG-OS-000062-GPOS-00031
SRG-OS-000064-GPOS-00033
SRG-OS-000458-GPOS-00203
SRG-OS-000461-GPOS-00205
SRG-OS-000462-GPOS-00206
SRG-OS-000463-GPOS-00207
SRG-OS-000465-GPOS-00209
SRG-OS-000466-GPOS-00210
SRG-OS-000467-GPOS-00211
SRG-OS-000468-GPOS-00212
SRG-OS-000470-GPOS-00214
SRG-OS-000471-GPOS-00215
SRG-OS-000471-GPOS-00216
SRG-OS-000472-GPOS-00217
SRG-OS-000473-GPOS-00218
SRG-OS-000474-GPOS-00219
SRG-OS-000475-GPOS-00220
SRG-OS-000476-GPOS-00221
SRG-OS-000477-GPOS-00222
SRG-OS-000392-GPOS-00172
CCI-000130
CCI-000135
CCI-000169
CCI-000172
CCI-002884
audit_rules_privileged_commands_mount medium Ensure auditd Collects Information on the Use of Privileged Commands - mount Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
SRG-OS-000037-GPOS-00015
SRG-OS-000042-GPOS-00020
SRG-OS-000042-GPOS-00021
SRG-OS-000062-GPOS-00031
SRG-OS-000064-GPOS-00033
SRG-OS-000458-GPOS-00203
SRG-OS-000461-GPOS-00205
SRG-OS-000462-GPOS-00206
SRG-OS-000463-GPOS-00207
SRG-OS-000465-GPOS-00209
SRG-OS-000466-GPOS-00210
SRG-OS-000467-GPOS-00211
SRG-OS-000468-GPOS-00212
SRG-OS-000470-GPOS-00214
SRG-OS-000471-GPOS-00215
SRG-OS-000471-GPOS-00216
SRG-OS-000472-GPOS-00217
SRG-OS-000473-GPOS-00218
SRG-OS-000474-GPOS-00219
SRG-OS-000475-GPOS-00220
SRG-OS-000476-GPOS-00221
SRG-OS-000477-GPOS-00222
SRG-OS-000392-GPOS-00172
CCI-000130
CCI-000135
CCI-000169
CCI-000172
CCI-002884
audit_rules_privileged_commands_newgrp medium Ensure auditd Collects Information on the Use of Privileged Commands - newgrp Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
SRG-OS-000037-GPOS-00015
SRG-OS-000062-GPOS-00031
SRG-OS-000042-GPOS-00020
SRG-OS-000042-GPOS-00021
SRG-OS-000064-GPOS-00033
SRG-OS-000458-GPOS-00203
SRG-OS-000461-GPOS-00205
SRG-OS-000462-GPOS-00206
SRG-OS-000463-GPOS-00207
SRG-OS-000465-GPOS-00209
SRG-OS-000466-GPOS-00210
SRG-OS-000467-GPOS-00211
SRG-OS-000468-GPOS-00212
SRG-OS-000470-GPOS-00214
SRG-OS-000471-GPOS-00215
SRG-OS-000471-GPOS-00216
SRG-OS-000472-GPOS-00217
SRG-OS-000473-GPOS-00218
SRG-OS-000474-GPOS-00219
SRG-OS-000475-GPOS-00220
SRG-OS-000476-GPOS-00221
SRG-OS-000477-GPOS-00222
SRG-OS-000392-GPOS-00172
CCI-000130
CCI-000169
CCI-000135
CCI-000172
CCI-002884
audit_rules_privileged_commands_pam_timestamp_check medium Ensure auditd Collects Information on the Use of Privileged Commands - pam_timestamp_check Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/sbin/pam_timestamp_check
-F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/sbin/pam_timestamp_check
-F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
SRG-OS-000037-GPOS-00015
SRG-OS-000042-GPOS-00020
SRG-OS-000042-GPOS-00021
SRG-OS-000062-GPOS-00031
SRG-OS-000064-GPOS-00033
SRG-OS-000458-GPOS-00203
SRG-OS-000461-GPOS-00205
SRG-OS-000462-GPOS-00206
SRG-OS-000463-GPOS-00207
SRG-OS-000465-GPOS-00209
SRG-OS-000466-GPOS-00210
SRG-OS-000467-GPOS-00211
SRG-OS-000468-GPOS-00212
SRG-OS-000470-GPOS-00214
SRG-OS-000471-GPOS-00215
SRG-OS-000471-GPOS-00216
SRG-OS-000472-GPOS-00217
SRG-OS-000473-GPOS-00218
SRG-OS-000474-GPOS-00219
SRG-OS-000475-GPOS-00220
SRG-OS-000476-GPOS-00221
SRG-OS-000477-GPOS-00222
SRG-OS-000392-GPOS-00172
CCI-000130
CCI-000135
CCI-000169
CCI-000172
CCI-002884
audit_rules_privileged_commands_passwd medium Ensure auditd Collects Information on the Use of Privileged Commands - passwd Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
SRG-OS-000037-GPOS-00015
SRG-OS-000042-GPOS-00020
SRG-OS-000042-GPOS-00021
SRG-OS-000062-GPOS-00031
SRG-OS-000064-GPOS-00033
SRG-OS-000458-GPOS-00203
SRG-OS-000461-GPOS-00205
SRG-OS-000462-GPOS-00206
SRG-OS-000463-GPOS-00207
SRG-OS-000465-GPOS-00209
SRG-OS-000466-GPOS-00210
SRG-OS-000467-GPOS-00211
SRG-OS-000468-GPOS-00212
SRG-OS-000470-GPOS-00214
SRG-OS-000471-GPOS-00215
SRG-OS-000471-GPOS-00216
SRG-OS-000472-GPOS-00217
SRG-OS-000473-GPOS-00218
SRG-OS-000474-GPOS-00219
SRG-OS-000475-GPOS-00220
SRG-OS-000476-GPOS-00221
SRG-OS-000477-GPOS-00222
SRG-OS-000392-GPOS-00172
CCI-000130
CCI-000135
CCI-000169
CCI-000172
CCI-002884
audit_rules_privileged_commands_postdrop medium Ensure auditd Collects Information on the Use of Privileged Commands - postdrop Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
SRG-OS-000037-GPOS-00015
SRG-OS-000042-GPOS-00020
SRG-OS-000042-GPOS-00021
SRG-OS-000062-GPOS-00031
SRG-OS-000064-GPOS-00033
SRG-OS-000458-GPOS-00203
SRG-OS-000461-GPOS-00205
SRG-OS-000462-GPOS-00206
SRG-OS-000463-GPOS-00207
SRG-OS-000465-GPOS-00209
SRG-OS-000466-GPOS-00210
SRG-OS-000467-GPOS-00211
SRG-OS-000468-GPOS-00212
SRG-OS-000470-GPOS-00214
SRG-OS-000471-GPOS-00215
SRG-OS-000471-GPOS-00216
SRG-OS-000472-GPOS-00217
SRG-OS-000473-GPOS-00218
SRG-OS-000474-GPOS-00219
SRG-OS-000475-GPOS-00220
SRG-OS-000476-GPOS-00221
SRG-OS-000477-GPOS-00222
SRG-OS-000392-GPOS-00172
CCI-000130
CCI-000135
CCI-000169
CCI-000172
CCI-002884
audit_rules_privileged_commands_postqueue medium Ensure auditd Collects Information on the Use of Privileged Commands - postqueue Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
SRG-OS-000037-GPOS-00015
SRG-OS-000042-GPOS-00020
SRG-OS-000042-GPOS-00021
SRG-OS-000062-GPOS-00031
SRG-OS-000064-GPOS-00033
SRG-OS-000458-GPOS-00203
SRG-OS-000461-GPOS-00205
SRG-OS-000462-GPOS-00206
SRG-OS-000463-GPOS-00207
SRG-OS-000465-GPOS-00209
SRG-OS-000466-GPOS-00210
SRG-OS-000467-GPOS-00211
SRG-OS-000468-GPOS-00212
SRG-OS-000470-GPOS-00214
SRG-OS-000471-GPOS-00215
SRG-OS-000471-GPOS-00216
SRG-OS-000472-GPOS-00217
SRG-OS-000473-GPOS-00218
SRG-OS-000474-GPOS-00219
SRG-OS-000475-GPOS-00220
SRG-OS-000476-GPOS-00221
SRG-OS-000477-GPOS-00222
SRG-OS-000392-GPOS-00172
CCI-000130
CCI-000135
CCI-000169
CCI-000172
CCI-002884
audit_rules_privileged_commands_ssh_agent medium Record Any Attempts to Run ssh-agent Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). At a minimum, the audit system should collect any execution attempt of the ssh-agent command for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh-agent
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file:
-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh-agent
SRG-OS-000037-GPOS-00015
SRG-OS-000042-GPOS-00020
SRG-OS-000042-GPOS-00021
SRG-OS-000062-GPOS-00031
SRG-OS-000064-GPOS-00033
SRG-OS-000458-GPOS-00203
SRG-OS-000461-GPOS-00205
SRG-OS-000462-GPOS-00206
SRG-OS-000463-GPOS-00207
SRG-OS-000465-GPOS-00209
SRG-OS-000466-GPOS-00210
SRG-OS-000467-GPOS-00211
SRG-OS-000468-GPOS-00212
SRG-OS-000470-GPOS-00214
SRG-OS-000471-GPOS-00215
SRG-OS-000471-GPOS-00216
SRG-OS-000472-GPOS-00217
SRG-OS-000473-GPOS-00218
SRG-OS-000474-GPOS-00219
SRG-OS-000475-GPOS-00220
SRG-OS-000476-GPOS-00221
SRG-OS-000477-GPOS-00222
SRG-OS-000392-GPOS-00172
CCI-000130
CCI-000135
CCI-000169
CCI-000172
CCI-002884
audit_rules_privileged_commands_ssh_keysign medium Ensure auditd Collects Information on the Use of Privileged Commands - ssh-keysign Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
SRG-OS-000037-GPOS-00015
SRG-OS-000042-GPOS-00020
SRG-OS-000042-GPOS-00021
SRG-OS-000062-GPOS-00031
SRG-OS-000064-GPOS-00033
SRG-OS-000458-GPOS-00203
SRG-OS-000461-GPOS-00205
SRG-OS-000462-GPOS-00206
SRG-OS-000463-GPOS-00207
SRG-OS-000465-GPOS-00209
SRG-OS-000466-GPOS-00210
SRG-OS-000467-GPOS-00211
SRG-OS-000468-GPOS-00212
SRG-OS-000470-GPOS-00214
SRG-OS-000471-GPOS-00215
SRG-OS-000471-GPOS-00216
SRG-OS-000472-GPOS-00217
SRG-OS-000473-GPOS-00218
SRG-OS-000474-GPOS-00219
SRG-OS-000475-GPOS-00220
SRG-OS-000476-GPOS-00221
SRG-OS-000477-GPOS-00222
SRG-OS-000392-GPOS-00172
CCI-000130
CCI-000135
CCI-000169
CCI-000172
CCI-002884
audit_rules_privileged_commands_su medium Ensure auditd Collects Information on the Use of Privileged Commands - su Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
SRG-OS-000037-GPOS-00015
SRG-OS-000042-GPOS-00020
SRG-OS-000042-GPOS-00021
SRG-OS-000062-GPOS-00031
SRG-OS-000064-GPOS-00033
SRG-OS-000458-GPOS-00203
SRG-OS-000461-GPOS-00205
SRG-OS-000462-GPOS-00206
SRG-OS-000463-GPOS-00207
SRG-OS-000465-GPOS-00209
SRG-OS-000466-GPOS-00210
SRG-OS-000467-GPOS-00211
SRG-OS-000468-GPOS-00212
SRG-OS-000470-GPOS-00214
SRG-OS-000471-GPOS-00215
SRG-OS-000471-GPOS-00216
SRG-OS-000472-GPOS-00217
SRG-OS-000473-GPOS-00218
SRG-OS-000474-GPOS-00219
SRG-OS-000475-GPOS-00220
SRG-OS-000476-GPOS-00221
SRG-OS-000477-GPOS-00222
SRG-OS-000392-GPOS-00172
CCI-000130
CCI-000135
CCI-000169
CCI-000172
CCI-002884
audit_rules_privileged_commands_sudo medium Ensure auditd Collects Information on the Use of Privileged Commands - sudo Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
SRG-OS-000037-GPOS-00015
SRG-OS-000042-GPOS-00020
SRG-OS-000042-GPOS-00021
SRG-OS-000062-GPOS-00031
SRG-OS-000064-GPOS-00033
SRG-OS-000458-GPOS-00203
SRG-OS-000461-GPOS-00205
SRG-OS-000462-GPOS-00206
SRG-OS-000463-GPOS-00207
SRG-OS-000465-GPOS-00209
SRG-OS-000466-GPOS-00210
SRG-OS-000467-GPOS-00211
SRG-OS-000468-GPOS-00212
SRG-OS-000470-GPOS-00214
SRG-OS-000471-GPOS-00215
SRG-OS-000471-GPOS-00216
SRG-OS-000472-GPOS-00217
SRG-OS-000473-GPOS-00218
SRG-OS-000474-GPOS-00219
SRG-OS-000475-GPOS-00220
SRG-OS-000476-GPOS-00221
SRG-OS-000477-GPOS-00222
SRG-OS-000392-GPOS-00172
CCI-000130
CCI-000135
CCI-000169
CCI-000172
CCI-002884
audit_rules_privileged_commands_umount medium Ensure auditd Collects Information on the Use of Privileged Commands - umount Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
SRG-OS-000037-GPOS-00015
SRG-OS-000062-GPOS-00031
SRG-OS-000042-GPOS-00020
SRG-OS-000042-GPOS-00021
SRG-OS-000064-GPOS-00033
SRG-OS-000458-GPOS-00203
SRG-OS-000461-GPOS-00205
SRG-OS-000462-GPOS-00206
SRG-OS-000463-GPOS-00207
SRG-OS-000465-GPOS-00209
SRG-OS-000466-GPOS-00210
SRG-OS-000467-GPOS-00211
SRG-OS-000468-GPOS-00212
SRG-OS-000470-GPOS-00214
SRG-OS-000471-GPOS-00215
SRG-OS-000471-GPOS-00216
SRG-OS-000472-GPOS-00217
SRG-OS-000473-GPOS-00218
SRG-OS-000474-GPOS-00219
SRG-OS-000475-GPOS-00220
SRG-OS-000476-GPOS-00221
SRG-OS-000477-GPOS-00222
SRG-OS-000392-GPOS-00172
CCI-000130
CCI-000169
CCI-000135
CCI-000172
CCI-002884
audit_rules_privileged_commands_unix_chkpwd medium Ensure auditd Collects Information on the Use of Privileged Commands - unix_chkpwd Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
SRG-OS-000037-GPOS-00015
SRG-OS-000042-GPOS-00020
SRG-OS-000042-GPOS-00021
SRG-OS-000062-GPOS-00031
SRG-OS-000064-GPOS-00033
SRG-OS-000458-GPOS-00203
SRG-OS-000461-GPOS-00205
SRG-OS-000462-GPOS-00206
SRG-OS-000463-GPOS-00207
SRG-OS-000465-GPOS-00209
SRG-OS-000466-GPOS-00210
SRG-OS-000467-GPOS-00211
SRG-OS-000468-GPOS-00212
SRG-OS-000470-GPOS-00214
SRG-OS-000471-GPOS-00215
SRG-OS-000471-GPOS-00216
SRG-OS-000472-GPOS-00217
SRG-OS-000473-GPOS-00218
SRG-OS-000474-GPOS-00219
SRG-OS-000475-GPOS-00220
SRG-OS-000476-GPOS-00221
SRG-OS-000477-GPOS-00222
SRG-OS-000392-GPOS-00172
CCI-000130
CCI-000135
CCI-000169
CCI-000172
CCI-002884
audit_rules_privileged_commands_unix_update medium Ensure auditd Collects Information on the Use of Privileged Commands - unix_update Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/sbin/unix_update -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/sbin/unix_update -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
SRG-OS-000037-GPOS-00015
SRG-OS-000042-GPOS-00020
SRG-OS-000042-GPOS-00021
SRG-OS-000062-GPOS-00031
SRG-OS-000064-GPOS-00033
SRG-OS-000458-GPOS-00203
SRG-OS-000461-GPOS-00205
SRG-OS-000462-GPOS-00206
SRG-OS-000463-GPOS-00207
SRG-OS-000465-GPOS-00209
SRG-OS-000466-GPOS-00210
SRG-OS-000467-GPOS-00211
SRG-OS-000468-GPOS-00212
SRG-OS-000470-GPOS-00214
SRG-OS-000471-GPOS-00215
SRG-OS-000471-GPOS-00216
SRG-OS-000472-GPOS-00217
SRG-OS-000473-GPOS-00218
SRG-OS-000474-GPOS-00219
SRG-OS-000475-GPOS-00220
SRG-OS-000476-GPOS-00221
SRG-OS-000477-GPOS-00222
SRG-OS-000392-GPOS-00172
CCI-000130
CCI-000135
CCI-000169
CCI-000172
CCI-002884
audit_rules_privileged_commands_userhelper medium Ensure auditd Collects Information on the Use of Privileged Commands - userhelper Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
SRG-OS-000042-GPOS-00020
SRG-OS-000042-GPOS-00021
SRG-OS-000062-GPOS-00031
SRG-OS-000064-GPOS-00033
SRG-OS-000458-GPOS-00203
SRG-OS-000461-GPOS-00205
SRG-OS-000462-GPOS-00206
SRG-OS-000463-GPOS-00207
SRG-OS-000465-GPOS-00209
SRG-OS-000466-GPOS-00210
SRG-OS-000467-GPOS-00211
SRG-OS-000468-GPOS-00212
SRG-OS-000470-GPOS-00214
SRG-OS-000471-GPOS-00215
SRG-OS-000471-GPOS-00216
SRG-OS-000472-GPOS-00217
SRG-OS-000473-GPOS-00218
SRG-OS-000474-GPOS-00219
SRG-OS-000475-GPOS-00220
SRG-OS-000476-GPOS-00221
SRG-OS-000477-GPOS-00222
SRG-OS-000392-GPOS-00172
CCI-000135
CCI-000169
CCI-000172
CCI-002884
audit_rules_privileged_commands_usermod medium Ensure auditd Collects Information on the Use of Privileged Commands - usermod Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats.

Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
SRG-OS-000037-GPOS-00015
SRG-OS-000042-GPOS-00020
SRG-OS-000042-GPOS-00021
SRG-OS-000062-GPOS-00031
SRG-OS-000064-GPOS-00033
SRG-OS-000458-GPOS-00203
SRG-OS-000461-GPOS-00205
SRG-OS-000462-GPOS-00206
SRG-OS-000463-GPOS-00207
SRG-OS-000465-GPOS-00209
SRG-OS-000466-GPOS-00210
SRG-OS-000467-GPOS-00211
SRG-OS-000468-GPOS-00212
SRG-OS-000470-GPOS-00214
SRG-OS-000471-GPOS-00215
SRG-OS-000471-GPOS-00216
SRG-OS-000472-GPOS-00217
SRG-OS-000473-GPOS-00218
SRG-OS-000474-GPOS-00219
SRG-OS-000475-GPOS-00220
SRG-OS-000476-GPOS-00221
SRG-OS-000477-GPOS-00222
SRG-OS-000392-GPOS-00172
CCI-000130
CCI-000135
CCI-000169
CCI-000172
CCI-002884
audit_rules_sudoers medium Ensure auditd Collects System Administrator Actions - /etc/sudoers The actions taken by system administrators should be audited to keep a record of what was executed on the system, as well as, for accountability purposes. Editing the sudoers file may be sign of an attacker trying to establish persistent methods to a system, auditing the editing of the sudoers files mitigates this risk. At a minimum, the audit system should collect administrator actions for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-w /etc/sudoers -p wa -k actions
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
-w /etc/sudoers -p wa -k actions
SRG-OS-000004-GPOS-00004
SRG-OS-000037-GPOS-00015
SRG-OS-000042-GPOS-00020
SRG-OS-000042-GPOS-00021
SRG-OS-000062-GPOS-00031
SRG-OS-000064-GPOS-00033
SRG-OS-000458-GPOS-00203
SRG-OS-000461-GPOS-00205
SRG-OS-000462-GPOS-00206
SRG-OS-000463-GPOS-00207
SRG-OS-000465-GPOS-00209
SRG-OS-000466-GPOS-00210
SRG-OS-000467-GPOS-00211
SRG-OS-000468-GPOS-00212
SRG-OS-000470-GPOS-00214
SRG-OS-000471-GPOS-00215
SRG-OS-000471-GPOS-00216
SRG-OS-000472-GPOS-00217
SRG-OS-000473-GPOS-00218
SRG-OS-000474-GPOS-00219
SRG-OS-000475-GPOS-00220
SRG-OS-000476-GPOS-00221
SRG-OS-000477-GPOS-00222
SRG-OS-000239-GPOS-00089
SRG-OS-000240-GPOS-00090
SRG-OS-000303-GPOS-00120
SRG-OS-000304-GPOS-00121
SRG-OS-000392-GPOS-00172
CCI-000018
CCI-000130
CCI-000135
CCI-000169
CCI-000172
CCI-001403
CCI-001404
CCI-002130
CCI-002132
CCI-002884
audit_rules_sudoers_d medium Ensure auditd Collects System Administrator Actions - /etc/sudoers.d/ The actions taken by system administrators should be audited to keep a record of what was executed on the system, as well as, for accountability purposes. Editing the sudoers file may be sign of an attacker trying to establish persistent methods to a system, auditing the editing of the sudoers files mitigates this risk. At a minimum, the audit system should collect administrator actions for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-w /etc/sudoers.d/ -p wa -k actions
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
-w /etc/sudoers.d/ -p wa -k actions
SRG-OS-000004-GPOS-00004
SRG-OS-000037-GPOS-00015
SRG-OS-000042-GPOS-00020
SRG-OS-000042-GPOS-00021
SRG-OS-000062-GPOS-00031
SRG-OS-000064-GPOS-00033
SRG-OS-000458-GPOS-00203
SRG-OS-000461-GPOS-00205
SRG-OS-000462-GPOS-00206
SRG-OS-000463-GPOS-00207
SRG-OS-000465-GPOS-00209
SRG-OS-000466-GPOS-00210
SRG-OS-000467-GPOS-00211
SRG-OS-000468-GPOS-00212
SRG-OS-000470-GPOS-00214
SRG-OS-000471-GPOS-00215
SRG-OS-000471-GPOS-00216
SRG-OS-000472-GPOS-00217
SRG-OS-000473-GPOS-00218
SRG-OS-000474-GPOS-00219
SRG-OS-000475-GPOS-00220
SRG-OS-000476-GPOS-00221
SRG-OS-000477-GPOS-00222
SRG-OS-000239-GPOS-00089
SRG-OS-000240-GPOS-00090
SRG-OS-000303-GPOS-00120
SRG-OS-000304-GPOS-00121
SRG-OS-000392-GPOS-00172
CCI-000018
CCI-000130
CCI-000135
CCI-000169
CCI-000172
CCI-001403
CCI-001404
CCI-002130
CCI-002132
CCI-002884
audit_rules_suid_privilege_function medium Record Events When Privileged Executables Are Run Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised information system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider threats and the advanced persistent threat. Verify the system generates an audit record when privileged functions are executed. If audit is using the "auditctl" tool to load the rules, run the following command:
$ sudo grep execve /etc/audit/audit.rules
If audit is using the "augenrules" tool to load the rules, run the following command:
$ sudo grep -r execve /etc/audit/rules.d
-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k setuid
-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k setuid
-a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k setgid
-a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k setgid
If both the "b32" and "b64" audit rules for "SUID" files are not defined, this is a finding. If both the "b32" and "b64" audit rules for "SGID" files are not defined, this is a finding.
SRG-OS-000365-GPOS-00152
SRG-OS-000354-GPOS-00142
SRG-OS-000358-GPOS-00145
SRG-OS-000352-GPOS-00140
SRG-OS-000353-GPOS-00141
SRG-OS-000350-GPOS-00138
SRG-OS-000351-GPOS-00139
SRG-OS-000348-GPOS-00136
SRG-OS-000349-GPOS-00137
SRG-OS-000337-GPOS-00129
SRG-OS-000326-GPOS-00126
SRG-OS-000327-GPOS-00127
CCI-001814
CCI-001882
CCI-001889
CCI-001880
CCI-001881
CCI-001878
CCI-001879
CCI-001875
CCI-001877
CCI-001914
CCI-002233
CCI-002234
audit_rules_unsuccessful_file_modification_creat medium Record Unsuccessful Access Attempts to Files - creat Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise. At a minimum, the audit system should collect unauthorized file accesses for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
SRG-OS-000037-GPOS-00015
SRG-OS-000042-GPOS-00020
SRG-OS-000042-GPOS-00021
SRG-OS-000062-GPOS-00031
SRG-OS-000064-GPOS-00033
SRG-OS-000458-GPOS-00203
SRG-OS-000461-GPOS-00205
SRG-OS-000462-GPOS-00206
SRG-OS-000463-GPOS-00207
SRG-OS-000465-GPOS-00209
SRG-OS-000466-GPOS-00210
SRG-OS-000467-GPOS-00211
SRG-OS-000468-GPOS-00212
SRG-OS-000470-GPOS-00214
SRG-OS-000471-GPOS-00215
SRG-OS-000471-GPOS-00216
SRG-OS-000472-GPOS-00217
SRG-OS-000473-GPOS-00218
SRG-OS-000474-GPOS-00219
SRG-OS-000475-GPOS-00220
SRG-OS-000476-GPOS-00221
SRG-OS-000477-GPOS-00222
SRG-OS-000392-GPOS-00172
CCI-000130
CCI-000135
CCI-000169
CCI-000172
CCI-002884
audit_rules_unsuccessful_file_modification_ftruncate medium Record Unsuccessful Access Attempts to Files - ftruncate Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise. At a minimum, the audit system should collect unauthorized file accesses for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
SRG-OS-000037-GPOS-00015
SRG-OS-000042-GPOS-00020
SRG-OS-000042-GPOS-00021
SRG-OS-000062-GPOS-00031
SRG-OS-000064-GPOS-00033
SRG-OS-000458-GPOS-00203
SRG-OS-000461-GPOS-00205
SRG-OS-000462-GPOS-00206
SRG-OS-000463-GPOS-00207
SRG-OS-000465-GPOS-00209
SRG-OS-000466-GPOS-00210
SRG-OS-000467-GPOS-00211
SRG-OS-000468-GPOS-00212
SRG-OS-000470-GPOS-00214
SRG-OS-000471-GPOS-00215
SRG-OS-000471-GPOS-00216
SRG-OS-000472-GPOS-00217
SRG-OS-000473-GPOS-00218
SRG-OS-000474-GPOS-00219
SRG-OS-000475-GPOS-00220
SRG-OS-000476-GPOS-00221
SRG-OS-000477-GPOS-00222
SRG-OS-000392-GPOS-00172
CCI-000130
CCI-000135
CCI-000169
CCI-000172
CCI-002884
audit_rules_unsuccessful_file_modification_open medium Record Unsuccessful Access Attempts to Files - open Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise. At a minimum, the audit system should collect unauthorized file accesses for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
SRG-OS-000037-GPOS-00015
SRG-OS-000042-GPOS-00020
SRG-OS-000042-GPOS-00021
SRG-OS-000062-GPOS-00031
SRG-OS-000064-GPOS-00033
SRG-OS-000458-GPOS-00203
SRG-OS-000461-GPOS-00205
SRG-OS-000462-GPOS-00206
SRG-OS-000463-GPOS-00207
SRG-OS-000465-GPOS-00209
SRG-OS-000466-GPOS-00210
SRG-OS-000467-GPOS-00211
SRG-OS-000468-GPOS-00212
SRG-OS-000470-GPOS-00214
SRG-OS-000471-GPOS-00215
SRG-OS-000471-GPOS-00216
SRG-OS-000472-GPOS-00217
SRG-OS-000473-GPOS-00218
SRG-OS-000474-GPOS-00219
SRG-OS-000475-GPOS-00220
SRG-OS-000476-GPOS-00221
SRG-OS-000477-GPOS-00222
SRG-OS-000392-GPOS-00172
CCI-000130
CCI-000135
CCI-000169
CCI-000172
CCI-002884
audit_rules_unsuccessful_file_modification_open_by_handle_at medium Record Unsuccessful Access Attempts to Files - open_by_handle_at Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise. At a minimum, the audit system should collect unauthorized file accesses for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
SRG-OS-000037-GPOS-00015
SRG-OS-000042-GPOS-00020
SRG-OS-000042-GPOS-00021
SRG-OS-000062-GPOS-00031
SRG-OS-000064-GPOS-00033
SRG-OS-000458-GPOS-00203
SRG-OS-000461-GPOS-00205
SRG-OS-000462-GPOS-00206
SRG-OS-000463-GPOS-00207
SRG-OS-000465-GPOS-00209
SRG-OS-000466-GPOS-00210
SRG-OS-000467-GPOS-00211
SRG-OS-000468-GPOS-00212
SRG-OS-000470-GPOS-00214
SRG-OS-000471-GPOS-00215
SRG-OS-000471-GPOS-00216
SRG-OS-000472-GPOS-00217
SRG-OS-000473-GPOS-00218
SRG-OS-000474-GPOS-00219
SRG-OS-000475-GPOS-00220
SRG-OS-000476-GPOS-00221
SRG-OS-000477-GPOS-00222
SRG-OS-000392-GPOS-00172
CCI-000130
CCI-000135
CCI-000169
CCI-000172
CCI-002884
audit_rules_unsuccessful_file_modification_openat medium Record Unsuccessful Access Attempts to Files - openat Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise. At a minimum, the audit system should collect unauthorized file accesses for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
SRG-OS-000037-GPOS-00015
SRG-OS-000042-GPOS-00020
SRG-OS-000042-GPOS-00021
SRG-OS-000062-GPOS-00031
SRG-OS-000064-GPOS-00033
SRG-OS-000458-GPOS-00203
SRG-OS-000461-GPOS-00205
SRG-OS-000462-GPOS-00206
SRG-OS-000463-GPOS-00207
SRG-OS-000465-GPOS-00209
SRG-OS-000466-GPOS-00210
SRG-OS-000467-GPOS-00211
SRG-OS-000468-GPOS-00212
SRG-OS-000470-GPOS-00214
SRG-OS-000471-GPOS-00215
SRG-OS-000471-GPOS-00216
SRG-OS-000472-GPOS-00217
SRG-OS-000473-GPOS-00218
SRG-OS-000474-GPOS-00219
SRG-OS-000475-GPOS-00220
SRG-OS-000476-GPOS-00221
SRG-OS-000477-GPOS-00222
SRG-OS-000392-GPOS-00172
CCI-000130
CCI-000135
CCI-000169
CCI-000172
CCI-002884
audit_rules_unsuccessful_file_modification_truncate medium Record Unsuccessful Access Attempts to Files - truncate Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise. At a minimum, the audit system should collect unauthorized file accesses for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
SRG-OS-000037-GPOS-00015
SRG-OS-000042-GPOS-00020
SRG-OS-000042-GPOS-00021
SRG-OS-000062-GPOS-00031
SRG-OS-000064-GPOS-00033
SRG-OS-000458-GPOS-00203
SRG-OS-000461-GPOS-00205
SRG-OS-000462-GPOS-00206
SRG-OS-000463-GPOS-00207
SRG-OS-000465-GPOS-00209
SRG-OS-000466-GPOS-00210
SRG-OS-000467-GPOS-00211
SRG-OS-000468-GPOS-00212
SRG-OS-000470-GPOS-00214
SRG-OS-000471-GPOS-00215
SRG-OS-000471-GPOS-00216
SRG-OS-000472-GPOS-00217
SRG-OS-000473-GPOS-00218
SRG-OS-000474-GPOS-00219
SRG-OS-000475-GPOS-00220
SRG-OS-000476-GPOS-00221
SRG-OS-000477-GPOS-00222
SRG-OS-000392-GPOS-00172
CCI-000130
CCI-000135
CCI-000169
CCI-000172
CCI-002884
audit_rules_usergroup_modification_group medium Record Events that Modify User/Group Information - /etc/group In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d, in order to capture events that modify account changes:

-w /etc/group -p wa -k audit_rules_usergroup_modification


If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, in order to capture events that modify account changes:

-w /etc/group -p wa -k audit_rules_usergroup_modification
SRG-OS-000004-GPOS-00004
SRG-OS-000037-GPOS-00015
SRG-OS-000042-GPOS-00020
SRG-OS-000042-GPOS-00021
SRG-OS-000062-GPOS-00031
SRG-OS-000064-GPOS-00033
SRG-OS-000458-GPOS-00203
SRG-OS-000461-GPOS-00205
SRG-OS-000462-GPOS-00206
SRG-OS-000463-GPOS-00207
SRG-OS-000465-GPOS-00209
SRG-OS-000466-GPOS-00210
SRG-OS-000467-GPOS-00211
SRG-OS-000468-GPOS-00212
SRG-OS-000470-GPOS-00214
SRG-OS-000471-GPOS-00215
SRG-OS-000471-GPOS-00216
SRG-OS-000472-GPOS-00217
SRG-OS-000473-GPOS-00218
SRG-OS-000474-GPOS-00219
SRG-OS-000475-GPOS-00220
SRG-OS-000476-GPOS-00221
SRG-OS-000477-GPOS-00222
SRG-OS-000239-GPOS-00089
SRG-OS-000240-GPOS-00090
SRG-OS-000241-GPOS-00091
SRG-OS-000274-GPOS-00104
SRG-OS-000275-GPOS-00105
SRG-OS-000276-GPOS-00106
SRG-OS-000277-GPOS-00107
SRG-OS-000303-GPOS-00120
SRG-OS-000304-GPOS-00121
SRG-OS-000392-GPOS-00172
CCI-000018
CCI-000130
CCI-000135
CCI-000169
CCI-000172
CCI-001403
CCI-001404
CCI-001405
CCI-001683
CCI-001684
CCI-001685
CCI-001686
CCI-002130
CCI-002132
CCI-002884
audit_rules_usergroup_modification_gshadow medium Record Events that Modify User/Group Information - /etc/gshadow In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d, in order to capture events that modify account changes:

-w /etc/gshadow -p wa -k audit_rules_usergroup_modification


If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, in order to capture events that modify account changes:

-w /etc/gshadow -p wa -k audit_rules_usergroup_modification
SRG-OS-000004-GPOS-00004
SRG-OS-000037-GPOS-00015
SRG-OS-000042-GPOS-00020
SRG-OS-000042-GPOS-00021
SRG-OS-000062-GPOS-00031
SRG-OS-000064-GPOS-00033
SRG-OS-000458-GPOS-00203
SRG-OS-000461-GPOS-00205
SRG-OS-000462-GPOS-00206
SRG-OS-000463-GPOS-00207
SRG-OS-000465-GPOS-00209
SRG-OS-000466-GPOS-00210
SRG-OS-000467-GPOS-00211
SRG-OS-000468-GPOS-00212
SRG-OS-000470-GPOS-00214
SRG-OS-000471-GPOS-00215
SRG-OS-000471-GPOS-00216
SRG-OS-000472-GPOS-00217
SRG-OS-000473-GPOS-00218
SRG-OS-000474-GPOS-00219
SRG-OS-000475-GPOS-00220
SRG-OS-000476-GPOS-00221
SRG-OS-000477-GPOS-00222
SRG-OS-000239-GPOS-00089
SRG-OS-000240-GPOS-00090
SRG-OS-000241-GPOS-00091
SRG-OS-000274-GPOS-00104
SRG-OS-000275-GPOS-00105
SRG-OS-000276-GPOS-00106
SRG-OS-000277-GPOS-00107
SRG-OS-000303-GPOS-00120
SRG-OS-000304-GPOS-00121
SRG-OS-000392-GPOS-00172
CCI-000018
CCI-000130
CCI-000135
CCI-000169
CCI-000172
CCI-001403
CCI-001404
CCI-001405
CCI-001683
CCI-001684
CCI-001685
CCI-001686
CCI-002130
CCI-002132
CCI-002884
audit_rules_usergroup_modification_opasswd medium Record Events that Modify User/Group Information - /etc/security/opasswd In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d, in order to capture events that modify account changes:

-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification


If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, in order to capture events that modify account changes:

-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification
SRG-OS-000004-GPOS-00004
SRG-OS-000037-GPOS-00015
SRG-OS-000042-GPOS-00020
SRG-OS-000042-GPOS-00021
SRG-OS-000062-GPOS-00031
SRG-OS-000064-GPOS-00033
SRG-OS-000458-GPOS-00203
SRG-OS-000461-GPOS-00205
SRG-OS-000462-GPOS-00206
SRG-OS-000463-GPOS-00207
SRG-OS-000465-GPOS-00209
SRG-OS-000466-GPOS-00210
SRG-OS-000467-GPOS-00211
SRG-OS-000468-GPOS-00212
SRG-OS-000470-GPOS-00214
SRG-OS-000471-GPOS-00215
SRG-OS-000471-GPOS-00216
SRG-OS-000472-GPOS-00217
SRG-OS-000473-GPOS-00218
SRG-OS-000474-GPOS-00219
SRG-OS-000475-GPOS-00220
SRG-OS-000476-GPOS-00221
SRG-OS-000477-GPOS-00222
SRG-OS-000239-GPOS-00089
SRG-OS-000240-GPOS-00090
SRG-OS-000241-GPOS-00091
SRG-OS-000274-GPOS-00104
SRG-OS-000275-GPOS-00105
SRG-OS-000276-GPOS-00106
SRG-OS-000277-GPOS-00107
SRG-OS-000303-GPOS-00120
SRG-OS-000304-GPOS-00121
SRG-OS-000392-GPOS-00172
CCI-000018
CCI-000130
CCI-000135
CCI-000169
CCI-000172
CCI-001403
CCI-001404
CCI-001405
CCI-001683
CCI-001684
CCI-001685
CCI-001686
CCI-002130
CCI-002132
CCI-002884
audit_rules_usergroup_modification_passwd medium Record Events that Modify User/Group Information - /etc/passwd In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d, in order to capture events that modify account changes:

-w /etc/passwd -p wa -k audit_rules_usergroup_modification


If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, in order to capture events that modify account changes:

-w /etc/passwd -p wa -k audit_rules_usergroup_modification
SRG-OS-000004-GPOS-00004
SRG-OS-000037-GPOS-00015
SRG-OS-000042-GPOS-00020
SRG-OS-000042-GPOS-00021
SRG-OS-000062-GPOS-00031
SRG-OS-000064-GPOS-00033
SRG-OS-000458-GPOS-00203
SRG-OS-000461-GPOS-00205
SRG-OS-000462-GPOS-00206
SRG-OS-000463-GPOS-00207
SRG-OS-000465-GPOS-00209
SRG-OS-000466-GPOS-00210
SRG-OS-000467-GPOS-00211
SRG-OS-000468-GPOS-00212
SRG-OS-000470-GPOS-00214
SRG-OS-000471-GPOS-00215
SRG-OS-000471-GPOS-00216
SRG-OS-000472-GPOS-00217
SRG-OS-000473-GPOS-00218
SRG-OS-000474-GPOS-00219
SRG-OS-000475-GPOS-00220
SRG-OS-000476-GPOS-00221
SRG-OS-000477-GPOS-00222
SRG-OS-000239-GPOS-00089
SRG-OS-000240-GPOS-00090
SRG-OS-000241-GPOS-00091
SRG-OS-000274-GPOS-00104
SRG-OS-000275-GPOS-00105
SRG-OS-000276-GPOS-00106
SRG-OS-000277-GPOS-00107
SRG-OS-000303-GPOS-00120
SRG-OS-000304-GPOS-00121
SRG-OS-000392-GPOS-00172
CCI-000018
CCI-000130
CCI-000135
CCI-000169
CCI-000172
CCI-001403
CCI-001404
CCI-001405
CCI-001683
CCI-001684
CCI-001685
CCI-001686
CCI-002130
CCI-002132
CCI-002884
audit_rules_usergroup_modification_shadow medium Record Events that Modify User/Group Information - /etc/shadow In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d, in order to capture events that modify account changes:

-w /etc/shadow -p wa -k audit_rules_usergroup_modification


If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, in order to capture events that modify account changes:

-w /etc/shadow -p wa -k audit_rules_usergroup_modification
SRG-OS-000004-GPOS-00004
SRG-OS-000037-GPOS-00015
SRG-OS-000042-GPOS-00020
SRG-OS-000042-GPOS-00021
SRG-OS-000062-GPOS-00031
SRG-OS-000064-GPOS-00033
SRG-OS-000458-GPOS-00203
SRG-OS-000461-GPOS-00205
SRG-OS-000462-GPOS-00206
SRG-OS-000463-GPOS-00207
SRG-OS-000465-GPOS-00209
SRG-OS-000466-GPOS-00210
SRG-OS-000467-GPOS-00211
SRG-OS-000468-GPOS-00212
SRG-OS-000470-GPOS-00214
SRG-OS-000471-GPOS-00215
SRG-OS-000471-GPOS-00216
SRG-OS-000472-GPOS-00217
SRG-OS-000473-GPOS-00218
SRG-OS-000474-GPOS-00219
SRG-OS-000475-GPOS-00220
SRG-OS-000476-GPOS-00221
SRG-OS-000477-GPOS-00222
SRG-OS-000239-GPOS-00089
SRG-OS-000240-GPOS-00090
SRG-OS-000241-GPOS-00091
SRG-OS-000274-GPOS-00104
SRG-OS-000275-GPOS-00105
SRG-OS-000276-GPOS-00106
SRG-OS-000277-GPOS-00107
SRG-OS-000303-GPOS-00120
SRG-OS-000304-GPOS-00121
SRG-OS-000392-GPOS-00172
CCI-000018
CCI-000130
CCI-000135
CCI-000169
CCI-000172
CCI-001403
CCI-001404
CCI-001405
CCI-001683
CCI-001684
CCI-001685
CCI-001686
CCI-002130
CCI-002132
CCI-002884
auditd_audispd_configure_sufficiently_large_partition medium Configure a Sufficiently Large Partition for Audit Logs Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity. The Red Hat Enterprise Linux 8 operating system must allocate audit record storage capacity to store at least one weeks worth of audit records when audit records are not immediately sent to a central audit record storage facility. The partition size needed to capture a week's worth of audit records is based on the activity level of the system and the total storage capacity available. In normal circumstances, 10.0 GB of storage space for audit records will be sufficient. Determine which partition the audit records are being written to with the following command:
$ sudo grep log_file /etc/audit/auditd.conf
log_file = /var/log/audit/audit.log
Check the size of the partition that audit records are written to with the following command:
$ sudo df -h /var/log/audit/
/dev/sda2 24G 10.4G 13.6G 43% /var/log/audit
SRG-OS-000341-GPOS-00132
CCI-001849
auditd_data_disk_error_action medium Configure auditd Disk Error Action on Disk Error Taking appropriate action in case of disk errors will minimize the possibility of losing audit records. The auditd service can be configured to take an action when there is a disk error. Edit the file /etc/audit/auditd.conf. Add or modify the following line, substituting ACTION appropriately:
disk_error_action = ACTION
Set this value to single to cause the system to switch to single-user mode for corrective action. Acceptable values also include syslog, exec, single, and halt. For certain systems, the need for availability outweighs the need to log all actions, and a different setting should be determined. Details regarding all possible values for ACTION are described in the auditd.conf man page.
SRG-OS-000047-GPOS-00023
CCI-000140
auditd_data_disk_full_action medium Configure auditd Disk Full Action when Disk Space Is Full Taking appropriate action in case of a filled audit storage volume will minimize the possibility of losing audit records. The auditd service can be configured to take an action when disk space is running low but prior to running out of space completely. Edit the file /etc/audit/auditd.conf. Add or modify the following line, substituting ACTION appropriately:
disk_full_action = ACTION
Set this value to single to cause the system to switch to single-user mode for corrective action. Acceptable values also include syslog, exec, single, and halt. For certain systems, the need for availability outweighs the need to log all actions, and a different setting should be determined. Details regarding all possible values for ACTION are described in the auditd.conf man page.
SRG-OS-000047-GPOS-00023
CCI-000140
auditd_data_retention_action_mail_acct medium Configure auditd mail_acct Action on Low Disk Space Email sent to the root account is typically aliased to the administrators of the system, who can take appropriate action. The auditd service can be configured to send email to a designated account in certain situations. Add or correct the following line in /etc/audit/auditd.conf to ensure that administrators are notified via email for those situations:
action_mail_acct = 
SRG-OS-000046-GPOS-00022
SRG-OS-000343-GPOS-00134
CCI-000139
CCI-001855
auditd_data_retention_space_left_action medium Configure auditd space_left Action on Low Disk Space Notifying administrators of an impending disk space problem may allow them to take corrective action prior to any disruption. The auditd service can be configured to take an action when disk space starts to run low. Edit the file /etc/audit/auditd.conf. Modify the following line, substituting ACTION appropriately:
space_left_action = ACTION
Possible values for ACTION are described in the auditd.conf man page. These include:
  • syslog
  • email
  • exec
  • suspend
  • single
  • halt
Set this to email (instead of the default, which is suspend) as it is more likely to get prompt attention. Acceptable values also include suspend, single, and halt.
SRG-OS-000343-GPOS-00134
CCI-001855
auditd_data_retention_space_left_percentage medium Configure auditd space_left on Low Disk Space Notifying administrators of an impending disk space problem may allow them to take corrective action prior to any disruption. The auditd service can be configured to take an action when disk space is running low but prior to running out of space completely. Edit the file /etc/audit/auditd.conf. Add or modify the following line, substituting PERCENTAGE appropriately:
space_left = PERCENTAGE%
Set this value to at least 25 to cause the system to notify the user of an issue.
SRG-OS-000343-GPOS-00134
CCI-001855
auditd_local_events medium Include Local Events in Audit Logs If option local_events isn't set to yes only events from network will be aggregated. To configure Audit daemon to include local events in Audit logs, set local_events to yes in /etc/audit/auditd.conf. This is the default setting. SRG-OS-000360-GPOS-00147
SRG-OS-000480-GPOS-00225
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00232
CCI-000366
auditd_log_format medium Resolve information before writing to audit logs If option log_format isn't set to ENRICHED, the audit records will be stored in a format exactly as the kernel sends them. To configure Audit daemon to resolve all uid, gid, syscall, architecture, and socket address information before writing the events to disk, set log_format to ENRICHED in /etc/audit/auditd.conf. SRG-OS-000360-GPOS-00147
SRG-OS-000480-GPOS-00225
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00232
CCI-000366
auditd_name_format medium Set hostname as computer node name in audit logs If option name_format is left at its default value of none, audit events from different computers may be hard to distinguish. To configure Audit daemon to use value returned by gethostname syscall as computer node name in the audit events, set name_format to hostname in /etc/audit/auditd.conf. SRG-OS-000342-GPOS-00133
SRG-OS-000479-GPOS-00224
CCI-001851
auditd_overflow_action medium Appropriate Action Must be Setup When the Internal Audit Event Queue is Full The audit system should have an action setup in the event the internal event queue becomes full so that no data is lost. The audit system should have an action setup in the event the internal event queue becomes full. To setup an overflow action edit /etc/audit/auditd.conf. Set overflow_action to one of the following values: syslog, single, halt. SRG-OS-000342-GPOS-00133
SRG-OS-000479-GPOS-00224
CCI-001851
banner_etc_issue medium Modify the System Login Banner Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.

System use notifications are required only for access via login interfaces with human users and are not required when such human interfaces do not exist.
To configure the system login banner edit /etc/issue. Replace the default text with a message compliant with the local site policy or a legal disclaimer. The DoD required text is either:

You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions:
-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
-At any time, the USG may inspect and seize data stored on this IS.
-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
-This IS includes security measures (e.g., authentication and access controls) to protect USG interests -- not for your personal benefit or privacy.
-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.


OR:

I've read & consent to terms in IS user agreem't.
SRG-OS-000023-GPOS-00006
SRG-OS-000024-GPOS-00007
SRG-OS-000228-GPOS-00088
SRG-OS-000228-GPOS-00088
SRG-OS-000228-GPOS-00088
SRG-OS-000228-GPOS-00088
SRG-OS-000228-GPOS-00088
CCI-000048
CCI-000050
CCI-001384
CCI-001385
CCI-001386
CCI-001387
CCI-001388
bios_enable_execution_restrictions medium Enable NX or XD Support in the BIOS Computers with the ability to prevent this type of code execution frequently put an option in the BIOS that will allow users to turn the feature on or off at will. Reboot the system and enter the BIOS or Setup configuration menu. Navigate the BIOS configuration menu and make sure that the option is enabled. The setting may be located under a Security section. Look for Execute Disable (XD) on Intel-based systems and No Execute (NX) on AMD-based systems. SRG-OS-000433-GPOS-00192
SRG-OS-000433-GPOS-00193
CCI-002824
chronyd_client_only low Disable chrony daemon from acting as server Minimizing the exposure of the server functionality of the chrony daemon diminishes the attack surface. The port option in /etc/chrony.conf can be set to 0 to make chrony daemon to never open any listening port for server operation and to operate strictly in a client-only mode. SRG-OS-000095-GPOS-00049
CCI-000381
chronyd_no_chronyc_network low Disable network management of chrony daemon Not exposing the management interface of the chrony daemon on the network diminishes the attack space. The cmdport option in /etc/chrony.conf can be set to 0 to stop chrony daemon from listening on the UDP port 323 for management connections made by chronyc. SRG-OS-000095-GPOS-00049
CCI-000381
chronyd_or_ntpd_set_maxpoll medium Configure Time Service Maxpoll Interval Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. Sources outside the configured acceptable allowance (drift) may be inaccurate. The maxpoll should be configured to in /etc/ntp.conf or /etc/chrony.conf to continuously poll time servers. To configure maxpoll in /etc/ntp.conf or /etc/chrony.conf add the following after each `server`, `pool` or `peer` entry:
maxpoll 
to
server
directives. If using chrony any
pool
directives should be configured too. If no server or pool directives are configured, the rule evaluates to pass.
SRG-OS-000355-GPOS-00143
SRG-OS-000356-GPOS-00144
CCI-001891
CCI-002046
chronyd_server_directive medium Ensure Chrony is only configured with the server directive Depending on the infrastruture being used the pool directive may not be supported. Check that Chrony only has time sources configured with the server directive. SRG-OS-000355-GPOS-00143
CCI-001891
clean_components_post_updating low Ensure yum Removes Previous Package Versions Previous versions of software components that are not removed from the information system after updates have been installed may be exploited by some adversaries. yum should be configured to remove previous software components after new versions have been installed. To configure yum to remove the previous software components after updating, set the clean_requirements_on_remove to 1 in /etc/yum.conf. SRG-OS-000437-GPOS-00194
CCI-002617
configure_bashrc_exec_tmux medium Support session locking with tmux Unlike bash itself, the tmux terminal multiplexer provides a mechanism to lock sessions after period of inactivity. A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence. The tmux terminal multiplexer is used to implement automatic session locking. It should be started from /etc/bashrc or drop-in files within /etc/profile.d/. SRG-OS-000028-GPOS-00009
SRG-OS-000030-GPOS-00011
CCI-000056
CCI-000058
configure_bind_crypto_policy high Configure BIND to use System Crypto Policy Overriding the system crypto policy makes the behavior of the BIND service violate expectations, and makes system configuration more fragmented. Crypto Policies provide a centralized control over crypto algorithms usage of many packages. BIND is supported by crypto policy, but the BIND configuration may be set up to ignore it. To check that Crypto Policies settings are configured correctly, ensure that the /etc/named.conf includes the appropriate configuration: In the options section of /etc/named.conf, make sure that the following line is not commented out or superseded by later includes: include "/etc/crypto-policies/back-ends/bind.config";
configure_crypto_policy high Configure System Cryptography Policy Centralized cryptographic policies simplify applying secure ciphers across an operating system and the applications that run on that operating system. Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. To configure the system cryptography policy to use ciphers only from the policy, run the following command:
$ sudo update-crypto-policies --set 
The rule checks if settings for selected crypto policy are configured as expected. Configuration files in the /etc/crypto-policies/back-ends are either symlinks to correct files provided by Crypto-policies package or they are regular files in case crypto policy customizations are applied. Crypto policies may be customized by crypto policy modules, in which case it is delimited from the base policy using a colon.
configure_firewalld_ports medium Configure the Firewalld Ports In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable or restrict unused or unnecessary physical and logical ports/protocols on information systems.

Operating systems are capable of providing a wide variety of functions and services. Some of the functions and services provided by default may not be necessary to support essential organizational operations. Additionally, it is sometimes convenient to provide multiple services from a single component (e.g., VPN and IPS); however, doing so increases risk over limiting the services provided by one component.

To support the requirements and principles of least functionality, the operating system must support the organizational requirements, providing only essential capabilities and limiting the use of ports, protocols, and/or services to only those required, authorized, and approved to conduct official business.
Configure the firewalld ports to allow approved services to have access to the system. To configure firewalld to open ports, run the following command:
firewall-cmd --permanent --add-port=port_number/tcp
To configure firewalld to allow access for pre-defined services, run the following command:
firewall-cmd --permanent --add-service=service_name
SRG-OS-000096-GPOS-00050
SRG-OS-000297-GPOS-00115
CCI-000382
CCI-002314
configure_gnutls_tls_crypto_policy medium Configure GnuTLS library to use DoD-approved TLS Encryption Overriding the system crypto policy makes the behavior of the GnuTLS library violate expectations, and makes system configuration more fragmented. Crypto Policies provide a centralized control over crypto algorithms usage of many packages. GnuTLS is supported by system crypto policy, but the GnuTLS configuration may be set up to ignore it. To check that Crypto Policies settings are configured correctly, ensure that /etc/crypto-policies/back-ends/gnutls.config contains the following line and is not commented out: +VERS-ALL:-VERS-DTLS0.9:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-DTLS1.0 SRG-OS-000250-GPOS-00093
CCI-001453
configure_kerberos_crypto_policy high Configure Kerberos to use System Crypto Policy Overriding the system crypto policy makes the behavior of Kerberos violate expectations, and makes system configuration more fragmented. Crypto Policies provide a centralized control over crypto algorithms usage of many packages. Kerberos is supported by crypto policy, but it's configuration may be set up to ignore it. To check that Crypto Policies settings for Kerberos are configured correctly, examine that there is a symlink at /etc/krb5.conf.d/crypto-policies targeting /etc/cypto-policies/back-ends/krb5.config. If the symlink exists, Kerberos is configured to use the system-wide crypto policy settings.
configure_libreswan_crypto_policy high Configure Libreswan to use System Crypto Policy Overriding the system crypto policy makes the behavior of the Libreswan service violate expectations, and makes system configuration more fragmented. Crypto Policies provide a centralized control over crypto algorithms usage of many packages. Libreswan is supported by system crypto policy, but the Libreswan configuration may be set up to ignore it. To check that Crypto Policies settings are configured correctly, ensure that the /etc/ipsec.conf includes the appropriate configuration file. In /etc/ipsec.conf, make sure that the following line is not commented out or superseded by later includes: include /etc/crypto-policies/back-ends/libreswan.config
configure_openssl_crypto_policy medium Configure OpenSSL library to use System Crypto Policy Overriding the system crypto policy makes the behavior of the Java runtime violates expectations, and makes system configuration more fragmented. Crypto Policies provide a centralized control over crypto algorithms usage of many packages. OpenSSL is supported by crypto policy, but the OpenSSL configuration may be set up to ignore it. To check that Crypto Policies settings are configured correctly, you have to examine the OpenSSL config file available under /etc/pki/tls/openssl.cnf. This file has the ini format, and it enables crypto policy support if there is a [ crypto_policy ] section that contains the .include /etc/crypto-policies/back-ends/opensslcnf.config directive. SRG-OS-000250-GPOS-00093
CCI-001453
configure_openssl_tls_crypto_policy medium Configure OpenSSL library to use TLS Encryption Without cryptographic integrity protections, information can be altered by unauthorized users without detection. Crypto Policies are means of enforcing certain cryptographic settings for selected applications including OpenSSL. OpenSSL is by default configured to modify its configuration based on currently configured Crypto Policy. Editing the Crypto Policy back-end is not recommended. Check the crypto-policies(7) man page and choose a policy that configures TLS protocol to version 1.2 or higher, for example DEFAULT, FUTURE or FIPS policy. Or create and apply a custom policy that restricts minimum TLS version to 1.2. For example for versions prior to crypto-policies-20210617-1.gitc776d3e.el8.noarch this is expected:
$ sudo grep -i MinProtocol /etc/crypto-policies/back-ends/opensslcnf.config

MinProtocol = TLSv1.2
Or for version crypto-policies-20210617-1.gitc776d3e.el8.noarch and newer this is expected:
$ sudo grep -i MinProtocol /etc/crypto-policies/back-ends/opensslcnf.config

TLS.MinProtocol = TLSv1.2
DTLS.MinProtocol = DTLSv1.2
SRG-OS-000250-GPOS-00093
CCI-001453
configure_ssh_crypto_policy medium Configure SSH to use System Crypto Policy Overriding the system crypto policy makes the behavior of the SSH service violate expectations, and makes system configuration more fragmented. Crypto Policies provide a centralized control over crypto algorithms usage of many packages. SSH is supported by crypto policy, but the SSH configuration may be set up to ignore it. To check that Crypto Policies settings are configured correctly, ensure that the CRYPTO_POLICY variable is either commented or not set at all in the /etc/sysconfig/sshd. SRG-OS-000250-GPOS-00093
CCI-001453
configure_tmux_lock_after_time medium Configure tmux to lock session after inactivity Locking the session after a period of inactivity limits the potential exposure if the session is left unattended. To enable console screen locking in tmux terminal multiplexer after a period of inactivity, the lock-after-time option has to be set to a value greater than 0 and less than or equal to 900 in /etc/tmux.conf. SRG-OS-000029-GPOS-00010
SRG-OS-000031-GPOS-00012
CCI-000057
CCI-000060
configure_tmux_lock_command medium Configure the tmux Lock Command The tmux package allows for a session lock to be implemented and configured. However, the session lock is implemented by an external command. The tmux default configuration does not contain an effective session lock. To enable console screen locking in tmux terminal multiplexer, the vlock command must be configured to be used as a locking mechanism. Add the following line to /etc/tmux.conf:
set -g lock-command vlock
. The console can now be locked with the following key combination:
ctrl+b :lock-session
SRG-OS-000028-GPOS-00009
SRG-OS-000030-GPOS-00011
CCI-000056
CCI-000058
configure_usbguard_auditbackend medium Log USBGuard daemon audit events using Linux Audit Using the Linux Audit logging allows for centralized trace of events. To configure USBGuard daemon to log via Linux Audit (as opposed directly to a file), AuditBackend option in /etc/usbguard/usbguard-daemon.conf needs to be set to LinuxAudit. SRG-OS-000062-GPOS-00031
SRG-OS-000064-GPOS-00033
SRG-OS-000458-GPOS-00203
SRG-OS-000461-GPOS-00205
SRG-OS-000462-GPOS-00206
SRG-OS-000463-GPOS-00207
SRG-OS-000465-GPOS-00209
SRG-OS-000466-GPOS-00210
SRG-OS-000467-GPOS-00211
SRG-OS-000468-GPOS-00212
SRG-OS-000470-GPOS-00214
SRG-OS-000471-GPOS-00215
SRG-OS-000471-GPOS-00216
SRG-OS-000472-GPOS-00217
SRG-OS-000473-GPOS-00218
SRG-OS-000474-GPOS-00219
SRG-OS-000475-GPOS-00220
SRG-OS-000476-GPOS-00221
SRG-OS-000477-GPOS-00222
CCI-000169
CCI-000172
coredump_disable_backtraces medium Disable core dump backtraces A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers or system operators trying to debug problems. Enabling core dumps on production systems is not recommended, however there may be overriding operational requirements to enable advanced debuging. Permitting temporary enablement of core dumps during such situations should be reviewed through local needs and policy. The ProcessSizeMax option in [Coredump] section of /etc/systemd/coredump.conf specifies the maximum size in bytes of a core which will be processed. Core dumps exceeding this size may be stored, but the backtrace will not be generated. SRG-OS-000360-GPOS-00147
SRG-OS-000480-GPOS-00225
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00232
CCI-000366
coredump_disable_storage medium Disable storing core dump A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers or system operators trying to debug problems. Enabling core dumps on production systems is not recommended, however there may be overriding operational requirements to enable advanced debuging. Permitting temporary enablement of core dumps during such situations should be reviewed through local needs and policy. The Storage option in [Coredump] section of /etc/systemd/coredump.conf can be set to none to disable storing core dumps permanently. SRG-OS-000360-GPOS-00147
SRG-OS-000480-GPOS-00225
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00232
CCI-000366
dconf_gnome_banner_enabled medium Enable GNOME3 Login Warning Banner Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.

For U.S. Government systems, system use notifications are required only for access via login interfaces with human users and are not required when such human interfaces do not exist.
In the default graphical environment, displaying a login warning banner in the GNOME Display Manager's login screen can be enabled on the login screen by setting banner-message-enable to true.

To enable, add or edit banner-message-enable to /etc/dconf/db/gdm.d/00-security-settings. For example:
[org/gnome/login-screen]
banner-message-enable=true
Once the setting has been added, add a lock to /etc/dconf/db/gdm.d/locks/00-security-settings-lock to prevent user modification. For example:
/org/gnome/login-screen/banner-message-enable
After the settings have been set, run dconf update. The banner text must also be set.
SRG-OS-000023-GPOS-00006
SRG-OS-000024-GPOS-00007
SRG-OS-000228-GPOS-00088
SRG-OS-000228-GPOS-00088
SRG-OS-000228-GPOS-00088
SRG-OS-000228-GPOS-00088
SRG-OS-000228-GPOS-00088
CCI-000048
CCI-000050
CCI-001384
CCI-001385
CCI-001386
CCI-001387
CCI-001388
dconf_gnome_disable_ctrlaltdel_reboot high Disable Ctrl-Alt-Del Reboot Key Sequence in GNOME3 A locally logged-in user who presses Ctrl-Alt-Del, when at the console, can reboot the system. If accidentally pressed, as could happen in the case of mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot. By default, GNOME will reboot the system if the Ctrl-Alt-Del key sequence is pressed.

To configure the system to ignore the Ctrl-Alt-Del key sequence from the Graphical User Interface (GUI) instead of rebooting the system, add or set logout to '' in /etc/dconf/db/local.d/00-security-settings. For example:
[org/gnome/settings-daemon/plugins/media-keys]
logout=''
Once the settings have been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. For example:
/org/gnome/settings-daemon/plugins/media-keys/logout
After the settings have been set, run dconf update.
SRG-OS-000360-GPOS-00147
SRG-OS-000480-GPOS-00225
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00232
CCI-000366
dconf_gnome_disable_user_list medium Disable the GNOME3 Login User List Leaving the user list enabled is a security risk since it allows anyone with physical access to the system to quickly enumerate known user accounts without logging in. In the default graphical environment, users logging directly into the system are greeted with a login screen that displays all known users. This functionality should be disabled by setting disable-user-list to true.

To disable, add or edit disable-user-list to /etc/dconf/db/gdm.d/00-security-settings. For example:
[org/gnome/login-screen]
disable-user-list=true
Once the setting has been added, add a lock to /etc/dconf/db/gdm.d/locks/00-security-settings-lock to prevent user modification. For example:
/org/gnome/login-screen/disable-user-list
After the settings have been set, run dconf update.
dconf_gnome_lock_screen_on_smartcard_removal medium Enable the GNOME3 Screen Locking On Smartcard Removal Locking the screen automatically when removing the smartcard can prevent undesired access to system. In the default graphical environment, screen locking on smartcard removal can be enabled by setting removal-action to 'lock-screen'.

To enable, add or edit removal-action to /etc/dconf/db/local.d/00-security-settings. For example:
[org/gnome/settings-daemon/peripherals/smartcard]
removal-action='lock-screen'
Once the setting has been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. For example:
/org/gnome/settings-daemon/peripherals/smartcard/removal-action
After the settings have been set, run dconf update.
SRG-OS-000028-GPOS-00009
SRG-OS-000030-GPOS-00011
CCI-000056
CCI-000058
dconf_gnome_login_banner_text medium Set the GNOME3 Login Warning Banner Text An appropriate warning message reinforces policy awareness during the logon process and facilitates possible legal action against attackers. In the default graphical environment, configuring the login warning banner text in the GNOME Display Manager's login screen can be configured on the login screen by setting banner-message-text to 'APPROVED_BANNER' where APPROVED_BANNER is the approved banner for your environment.

To enable, add or edit banner-message-text to /etc/dconf/db/gdm.d/00-security-settings. For example:
[org/gnome/login-screen]
banner-message-text='APPROVED_BANNER'
Once the setting has been added, add a lock to /etc/dconf/db/gdm.d/locks/00-security-settings-lock to prevent user modification. For example:
/org/gnome/login-screen/banner-message-text
After the settings have been set, run dconf update. When entering a warning banner that spans several lines, remember to begin and end the string with ' and use \n for new lines.
SRG-OS-000023-GPOS-00006
SRG-OS-000228-GPOS-00088
SRG-OS-000228-GPOS-00088
SRG-OS-000228-GPOS-00088
SRG-OS-000228-GPOS-00088
SRG-OS-000228-GPOS-00088
CCI-000048
CCI-001384
CCI-001385
CCI-001386
CCI-001387
CCI-001388
dconf_gnome_screensaver_idle_delay medium Set GNOME3 Screensaver Inactivity Timeout A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not logout because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, GNOME3 can be configured to identify when a user's session has idled and take action to initiate a session lock. The idle time-out value for inactivity in the GNOME3 desktop is configured via the idle-delay setting must be set under an appropriate configuration file(s) in the /etc/dconf/db/local.d directory and locked in /etc/dconf/db/local.d/locks directory to prevent user modification.

For example, to configure the system for a 15 minute delay, add the following to /etc/dconf/db/local.d/00-security-settings:
[org/gnome/desktop/session]
idle-delay=uint32 900
SRG-OS-000029-GPOS-00010
SRG-OS-000031-GPOS-00012
CCI-000057
CCI-000060
dconf_gnome_screensaver_lock_delay medium Set GNOME3 Screensaver Lock Delay After Activation Period A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to logout because of the temporary nature of the absense. To activate the locking delay of the screensaver in the GNOME3 desktop when the screensaver is activated, add or set lock-delay to uint32 in /etc/dconf/db/local.d/00-security-settings. For example:
[org/gnome/desktop/screensaver]
lock-delay=uint32 
After the settings have been set, run dconf update.
SRG-OS-000028-GPOS-00009
SRG-OS-000029-GPOS-00010
SRG-OS-000031-GPOS-00012
CCI-000056
CCI-000057
CCI-000060
dconf_gnome_screensaver_lock_enabled medium Enable GNOME3 Screensaver Lock After Idle Period A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to logout because of the temporary nature of the absense. To activate locking of the screensaver in the GNOME3 desktop when it is activated, add or set lock-enabled to true in /etc/dconf/db/local.d/00-security-settings. For example:
[org/gnome/desktop/screensaver]
lock-enabled=true
Once the settings have been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. For example:
/org/gnome/desktop/screensaver/lock-enabled
After the settings have been set, run dconf update.
SRG-OS-000028-GPOS-00009
SRG-OS-000030-GPOS-00011
SRG-OS-000031-GPOS-00012
CCI-000056
CCI-000058
CCI-000060
dconf_gnome_screensaver_user_locks medium Ensure Users Cannot Change GNOME3 Screensaver Settings A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not logout because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, GNOME desktops can be configured to identify when a user's session has idled and take action to initiate the session lock. As such, users should not be allowed to change session settings. If not already configured, ensure that users cannot change GNOME3 screensaver lock settings by adding /org/gnome/desktop/screensaver/lock-delay to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. For example:
/org/gnome/desktop/screensaver/lock-delay
After the settings have been set, run dconf update.
SRG-OS-000029-GPOS-00010
SRG-OS-000031-GPOS-00012
CCI-000057
CCI-000060
dconf_gnome_session_idle_user_locks medium Ensure Users Cannot Change GNOME3 Session Idle Settings A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not logout because of the temporary nature of the absence. Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity, GNOME desktops can be configured to identify when a user's session has idled and take action to initiate the session lock. As such, users should not be allowed to change session settings. If not already configured, ensure that users cannot change GNOME3 session idle settings by adding /org/gnome/desktop/session/idle-delay to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification. For example:
/org/gnome/desktop/session/idle-delay
After the settings have been set, run dconf update.
SRG-OS-000029-GPOS-00010
SRG-OS-000031-GPOS-00012
CCI-000057
CCI-000060
dir_group_ownership_library_dirs medium Verify that Shared Library Directories Have Root Group Ownership Files from shared library directories are loaded into the address space of processes (including privileged ones) or of the kernel itself at runtime. Proper ownership of library directories is necessary to protect the integrity of the system. System-wide shared library files, which are linked to executables during process load time or run time, are stored in the following directories by default:
/lib
/lib64
/usr/lib
/usr/lib64
Kernel modules, which can be added to the kernel during runtime, are also stored in /lib/modules. All files in these directories should be group-owned by the root user. If the directories, is found to be owned by a user other than root correct its ownership with the following command:
$ sudo chgrp root DIR
SRG-OS-000259-GPOS-00100
CCI-001499
dir_ownership_library_dirs medium Verify that Shared Library Directories Have Root Ownership Files from shared library directories are loaded into the address space of processes (including privileged ones) or of the kernel itself at runtime. Proper ownership of library directories is necessary to protect the integrity of the system. System-wide shared library files, which are linked to executables during process load time or run time, are stored in the following directories by default:
/lib
/lib64
/usr/lib
/usr/lib64
Kernel modules, which can be added to the kernel during runtime, are also stored in /lib/modules. All files in these directories should be owned by the root user. If the directories, is found to be owned by a user other than root correct its ownership with the following command:
$ sudo chown root DIR
SRG-OS-000259-GPOS-00100
CCI-001499
dir_permissions_library_dirs medium Verify that Shared Library Directories Have Restrictive Permissions If the operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement applies to operating systems with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. Only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications. System-wide shared library directories, which contain are linked to executables during process load time or run time, are stored in the following directories by default:
/lib
/lib64
/usr/lib
/usr/lib64
Kernel modules, which can be added to the kernel during runtime, are stored in /lib/modules. All sub-directories in these directories should not be group-writable or world-writable. If any file in these directories is found to be group-writable or world-writable, correct its permission with the following command:
$ sudo chmod go-w DIR
SRG-OS-000259-GPOS-00100
CCI-001499
dir_perms_world_writable_root_owned medium Ensure All World-Writable Directories Are Owned by root user Allowing a user account to own a world-writable directory is undesirable because it allows the owner of that directory to remove or replace any files that may be placed in the directory by other users. All directories in local partitions which are world-writable should be owned by root. If any world-writable directories are not owned by root, this should be investigated. Following this, the files should be deleted or assigned to root user. SRG-OS-000360-GPOS-00147
SRG-OS-000480-GPOS-00225
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00232
CCI-000366
dir_perms_world_writable_sticky_bits medium Verify that All World-Writable Directories Have Sticky Bits Set Failing to set the sticky bit on public directories allows unauthorized users to delete files in the directory structure.

The only authorized public directories are those temporary directories supplied with the system, or those designed to be temporary file repositories. The setting is normally reserved for directories used by the system, by users for temporary file storage (such as /tmp), and for directories requiring global read/write access.
When the so-called 'sticky bit' is set on a directory, only the owner of a given file may remove that file from the directory. Without the sticky bit, any user with write access to a directory may remove any file in the directory. Setting the sticky bit prevents users from removing each other's files. In cases where there is no reason for a directory to be world-writable, a better solution is to remove that permission rather than to set the sticky bit. However, if a directory is used by a particular application, consult that application's documentation instead of blindly changing modes.
To set the sticky bit on a world-writable directory DIR, run the following command:
$ sudo chmod +t DIR
SRG-OS-000138-GPOS-00069
CCI-001090
dir_perms_world_writable_system_owned_group medium Ensure All World-Writable Directories Are Group Owned by a System Account Allowing a user account to group own a world-writable directory is undesirable because it allows the owner of that directory to remove or replace any files that may be placed in the directory by other users. All directories in local partitions which are world-writable should be group owned by root or another system account. If any world-writable directories are not group owned by a system account, this should be investigated. Following this, the files should be deleted or assigned to an appropriate group. SRG-OS-000360-GPOS-00147
SRG-OS-000480-GPOS-00225
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00232
CCI-000366
directory_group_ownership_var_log_audit medium System Audit Directories Must Be Group Owned By Root Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality. All audit directories must be group owned by root user. By default, the path for audit log is
/var/log/audit/
. To properly set the group owner of /var/log/audit, run the command:
$ sudo chgrp root /var/log/audit
If log_group in /etc/audit/auditd.conf is set to a group other than the root group account, change the group ownership of the audit directories to this specific group.
SRG-OS-000057-GPOS-00027
SRG-OS-000058-GPOS-00028
SRG-OS-000059-GPOS-00029
SRG-OS-000206-GPOS-00084
CCI-000162
CCI-000163
CCI-000164
CCI-001314
directory_ownership_var_log_audit medium System Audit Directories Must Be Owned By Root Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality. All audit directories must be owned by root user. By default, the path for audit log is
/var/log/audit/
. To properly set the owner of /var/log/audit, run the command:
$ sudo chown root /var/log/audit 
SRG-OS-000057-GPOS-00027
SRG-OS-000058-GPOS-00028
SRG-OS-000059-GPOS-00029
SRG-OS-000206-GPOS-00084
CCI-000162
CCI-000163
CCI-000164
CCI-001314
directory_permissions_var_log_audit medium System Audit Logs Must Have Mode 0750 or Less Permissive If users can write to audit logs, audit trails can be modified or destroyed. Verify the audit log directories have a mode of "0700" or less permissive by first determining where the audit logs are stored with the following command:
$ sudo grep -iw log_file /etc/audit/auditd.conf

log_file = /var/log/audit/audit.log
Configure the audit log directory to be protected from unauthorized read access by setting the correct permissive mode with the following command:
$ sudo chmod 0700 audit_log_directory
By default, audit_log_directory is "/var/log/audit".
SRG-OS-000057-GPOS-00027
SRG-OS-000058-GPOS-00028
SRG-OS-000059-GPOS-00029
CCI-000162
CCI-000163
CCI-000164
disable_ctrlaltdel_burstaction high Disable Ctrl-Alt-Del Burst Action A locally logged-in user who presses Ctrl-Alt-Del, when at the console, can reboot the system. If accidentally pressed, as could happen in the case of mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot. By default, SystemD will reboot the system if the Ctrl-Alt-Del key sequence is pressed Ctrl-Alt-Delete more than 7 times in 2 seconds.

To configure the system to ignore the CtrlAltDelBurstAction setting, add or modify the following to /etc/systemd/system.conf:
CtrlAltDelBurstAction=none
SRG-OS-000360-GPOS-00147
SRG-OS-000480-GPOS-00225
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00232
CCI-000366
disable_ctrlaltdel_reboot high Disable Ctrl-Alt-Del Reboot Activation A locally logged-in user who presses Ctrl-Alt-Del, when at the console, can reboot the system. If accidentally pressed, as could happen in the case of mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot. By default, SystemD will reboot the system if the Ctrl-Alt-Del key sequence is pressed.

To configure the system to ignore the Ctrl-Alt-Del key sequence from the command line instead of rebooting the system, do either of the following:
ln -sf /dev/null /etc/systemd/system/ctrl-alt-del.target
or
systemctl mask ctrl-alt-del.target


Do not simply delete the /usr/lib/systemd/system/ctrl-alt-del.service file, as this file may be restored during future system updates.
SRG-OS-000360-GPOS-00147
SRG-OS-000480-GPOS-00225
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00232
CCI-000366
disable_users_coredumps medium Disable Core Dumps for All Users A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers trying to debug problems. To disable core dumps for all users, add the following line to /etc/security/limits.conf, or to a file within the /etc/security/limits.d/ directory:
*     hard   core    0
SRG-OS-000360-GPOS-00147
SRG-OS-000480-GPOS-00225
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00232
CCI-000366
display_login_attempts low Ensure PAM Displays Last Logon/Access Notification Users need to be aware of activity that occurs regarding their account. Providing users with information regarding the number of unsuccessful attempts that were made to login to their account allows the user to determine if any unauthorized activity has occurred and gives them an opportunity to notify administrators. To configure the system to notify users of last logon/access using pam_lastlog, add or correct the pam_lastlog settings in /etc/pam.d/postlogin to read as follows:
session     required pam_lastlog.so showfailed
And make sure that the silent option is not set for pam_lastlog module.
SRG-OS-000360-GPOS-00147
SRG-OS-000480-GPOS-00225
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00232
CCI-000366
enable_authselect medium Enable authselect Authselect is a successor to authconfig. It is a tool to select system authentication and identity sources from a list of supported profiles instead of letting the administrator build the PAM stack with a tool. That way, it avoids potential breakage of configuration, as it ships several tested profiles that are well tested and supported and that each solve a use-case. Configure user authentication setup to use the authselect tool. If authselect profile is selected, the rule will enable the profile. SRG-OS-000080-GPOS-00048
CCI-000213
enable_dracut_fips_module high Enable Dracut FIPS Module Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The operating system must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated. To enable FIPS mode, run the following command:
fips-mode-setup --enable
To enable FIPS, the system requires that the fips module is added in dracut configuration. Check if /etc/dracut.conf.d/40-fips.conf contain add_dracutmodules+=" fips "
SRG-OS-000033-GPOS-00014
SRG-OS-000120-GPOS-00061
SRG-OS-000396-GPOS-00176
SRG-OS-000478-GPOS-00223
CCI-000068
CCI-000803
CCI-002450
enable_fips_mode high Enable FIPS Mode Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The operating system must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated. To enable FIPS mode, run the following command:
fips-mode-setup --enable

The fips-mode-setup command will configure the system in FIPS mode by automatically configuring the following:
  • Setting the kernel FIPS mode flag (/proc/sys/crypto/fips_enabled) to 1
  • Creating /etc/system-fips
  • Setting the system crypto policy in /etc/crypto-policies/config to
  • Loading the Dracut fips module
SRG-OS-000033-GPOS-00014
SRG-OS-000120-GPOS-00061
SRG-OS-000396-GPOS-00176
SRG-OS-000478-GPOS-00223
CCI-000068
CCI-000803
CCI-002450
encrypt_partitions high Encrypt Partitions The risk of a system's physical compromise, particularly mobile systems such as laptops, places its data at risk of compromise. Encrypting this data mitigates the risk of its loss if the system is lost. Red Hat Enterprise Linux 8 natively supports partition encryption through the Linux Unified Key Setup-on-disk-format (LUKS) technology. The easiest way to encrypt a partition is during installation time.

For manual installations, select the Encrypt checkbox during partition creation to encrypt the partition. When this option is selected the system will prompt for a passphrase to use in decrypting the partition. The passphrase will subsequently need to be entered manually every time the system boots.

For automated/unattended installations, it is possible to use Kickstart by adding the --encrypted and --passphrase= options to the definition of each partition to be encrypted. For example, the following line would encrypt the root partition:
part / --fstype=ext4 --size=100 --onpart=hda1 --encrypted --passphrase=PASSPHRASE
Any PASSPHRASE is stored in the Kickstart in plaintext, and the Kickstart must then be protected accordingly. Omitting the --passphrase= option from the partition definition will cause the installer to pause and interactively ask for the passphrase during installation.

By default, the Anaconda installer uses aes-xts-plain64 cipher with a minimum 512 bit key size which should be compatible with FIPS enabled.

Detailed information on encrypting partitions using LUKS or LUKS ciphers can be found on the Red Hat Enterprise Linux 8 Documentation web site:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/encrypting-block-devices-using-luks_security-hardening .
SRG-OS-000185-GPOS-00079
SRG-OS-000404-GPOS-00183
SRG-OS-000405-GPOS-00184
CCI-001199
CCI-002475
CCI-002476
ensure_gpgcheck_globally_activated high Ensure gpgcheck Enabled In Main yum Configuration Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor.
Accordingly, patches, service packs, device drivers, or operating system components must be signed with a certificate recognized and approved by the organization.
Verifying the authenticity of the software prior to installation validates the integrity of the patch or upgrade received from a vendor. This ensures the software has not been tampered with and that it has been provided by a trusted vendor. Self-signed certificates are disallowed by this requirement. Certificates used to verify the software must be from an approved Certificate Authority (CA).
The gpgcheck option controls whether RPM packages' signatures are always checked prior to installation. To configure yum to check package signatures before installing them, ensure the following line appears in /etc/yum.conf in the [main] section:
gpgcheck=1
SRG-OS-000366-GPOS-00153
CCI-001749
ensure_gpgcheck_local_packages high Ensure gpgcheck Enabled for Local Packages Changes to any software components can have significant effects to the overall security of the operating system. This requirement ensures the software has not been tampered and has been provided by a trusted vendor.

Accordingly, patches, service packs, device drivers, or operating system components must be signed with a certificate recognized and approved by the organization.
yum should be configured to verify the signature(s) of local packages prior to installation. To configure yum to verify signatures of local packages, set the localpkg_gpgcheck to 1 in /etc/yum.conf. SRG-OS-000366-GPOS-00153
CCI-001749
ensure_gpgcheck_never_disabled high Ensure gpgcheck Enabled for All yum Package Repositories Verifying the authenticity of the software prior to installation validates the integrity of the patch or upgrade received from a vendor. This ensures the software has not been tampered with and that it has been provided by a trusted vendor. Self-signed certificates are disallowed by this requirement. Certificates used to verify the software must be from an approved Certificate Authority (CA)." To ensure signature checking is not disabled for any repos, remove any lines from files in /etc/yum.repos.d of the form:
gpgcheck=0
SRG-OS-000366-GPOS-00153
CCI-001749
ensure_redhat_gpgkey_installed high Ensure Red Hat GPG Key Installed Changes to software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor. The Red Hat GPG key is necessary to cryptographically verify packages are from Red Hat. To ensure the system can cryptographically verify base software packages come from Red Hat (and to connect to the Red Hat Network to receive them), the Red Hat GPG key must properly be installed. To install the Red Hat GPG key, run:
$ sudo subscription-manager register
If the system is not connected to the Internet or an RHN Satellite, then install the Red Hat GPG key from trusted media such as the Red Hat installation CD-ROM or DVD. Assuming the disc is mounted in /media/cdrom, use the following command as the root user to import it into the keyring:
$ sudo rpm --import /media/cdrom/RPM-GPG-KEY
Alternatively, the key may be pre-loaded during the RHEL installation. In such cases, the key can be installed by running the following command:
sudo rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
SRG-OS-000366-GPOS-00153
CCI-001749
file_audit_tools_group_ownership medium Audit Tools Must Be Group-owned by Root Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operations on audit information. Red Hat Enterprise Linux 8 systems providing tools to interface with audit information will leverage user permissions and roles identifying the user accessing the tools, and the corresponding rights the user enjoys, to make access decisions regarding the access to audit tools. Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators. Audit tools must have the correct group owner. SRG-OS-000256-GPOS-00097
SRG-OS-000257-GPOS-00098
SRG-OS-000258-GPOS-00099
CCI-001493
CCI-001494
CCI-001495
file_audit_tools_ownership medium Audit Tools Must Be Owned by Root Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operations on audit information. Red Hat Enterprise Linux 8 systems providing tools to interface with audit information will leverage user permissions and roles identifying the user accessing the tools, and the corresponding rights the user enjoys, to make access decisions regarding the access to audit tools. Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators. Audit tools must have the correct owner. SRG-OS-000256-GPOS-00097
SRG-OS-000257-GPOS-00098
SRG-OS-000258-GPOS-00099
CCI-001493
CCI-001494
CCI-001495
file_audit_tools_permissions medium Audit Tools Must Have a Mode of 0755 or Less Permissive Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operations on audit information. Red Hat Enterprise Linux 8 systems providing tools to interface with audit information will leverage user permissions and roles identifying the user accessing the tools, and the corresponding rights the user enjoys, to make access decisions regarding the access to audit tools. Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators. Audit tools must have a mode of 0755 or less permissive. SRG-OS-000256-GPOS-00097
CCI-001493
file_group_ownership_var_log_audit medium System Audit Logs Must Be Group Owned By Root Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality. All audit logs must be group owned by root user. The path for audit log can be configured via log_file parameter in
/etc/audit/auditd.conf
or, by default, the path for audit log is
/var/log/audit/
. To properly set the group owner of /var/log/audit/*, run the command:
$ sudo chgrp root /var/log/audit/*
If log_group in /etc/audit/auditd.conf is set to a group other than the root group account, change the group ownership of the audit logs to this specific group.
SRG-OS-000057-GPOS-00027
SRG-OS-000058-GPOS-00028
SRG-OS-000059-GPOS-00029
SRG-OS-000206-GPOS-00084
CCI-000162
CCI-000163
CCI-000164
CCI-001314
file_groupowner_var_log medium Verify Group Who Owns /var/log Directory The /var/log directory contains files with logs of error messages in the system and should only be accessed by authorized personnel. To properly set the group owner of /var/log, run the command:
$ sudo chgrp root /var/log
SRG-OS-000206-GPOS-00084
CCI-001314
file_groupowner_var_log_messages medium Verify Group Who Owns /var/log/messages File The /var/log/messages file contains logs of error messages in the system and should only be accessed by authorized personnel. To properly set the group owner of /var/log/messages, run the command:
$ sudo chgrp root /var/log/messages
SRG-OS-000206-GPOS-00084
CCI-001314
file_groupownership_home_directories medium All Interactive User Home Directories Must Be Group-Owned By The Primary User If the Group Identifier (GID) of a local interactive users home directory is not the same as the primary GID of the user, this would allow unauthorized access to the users files, and users that share the same group may not be able to access files that they legitimately should. Change the group owner of interactive users home directory to the group found in /etc/passwd. To change the group owner of interactive users home directory, use the following command:
$ sudo chgrp USER_GROUP /home/USER
This rule ensures every home directory related to an interactive user is group-owned by an interactive user. It also ensures that interactive users are group-owners of one and only one home directory.
SRG-OS-000360-GPOS-00147
SRG-OS-000480-GPOS-00225
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00232
CCI-000366
file_groupownership_system_commands_dirs medium Verify that system commands files are group owned by root or a system account If the operating system allows any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement applies to operating systems with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. Only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications. System commands files are stored in the following directories by default:
/bin
/sbin
/usr/bin
/usr/sbin
/usr/local/bin
/usr/local/sbin
All files in these directories should be owned by the root group, or a system account. If the directory, or any file in these directories, is found to be owned by a group other than root or a a system account correct its ownership with the following command:
$ sudo chgrp root FILE
SRG-OS-000259-GPOS-00100
CCI-001499
file_owner_var_log medium Verify User Who Owns /var/log Directory The /var/log directory contains files with logs of error messages in the system and should only be accessed by authorized personnel. To properly set the owner of /var/log, run the command:
$ sudo chown root /var/log 
SRG-OS-000206-GPOS-00084
CCI-001314
file_owner_var_log_messages medium Verify User Who Owns /var/log/messages File The /var/log/messages file contains logs of error messages in the system and should only be accessed by authorized personnel. To properly set the owner of /var/log/messages, run the command:
$ sudo chown root /var/log/messages 
SRG-OS-000206-GPOS-00084
CCI-001314
file_ownership_binary_dirs medium Verify that System Executables Have Root Ownership System binaries are executed by privileged users as well as system services, and restrictive permissions are necessary to ensure that their execution of these programs cannot be co-opted. System executables are stored in the following directories by default:
/bin
/sbin
/usr/bin
/usr/libexec
/usr/local/bin
/usr/local/sbin
/usr/sbin
All files in these directories should be owned by the root user. If any file FILE in these directories is found to be owned by a user other than root, correct its ownership with the following command:
$ sudo chown root FILE
SRG-OS-000259-GPOS-00100
CCI-001499
file_ownership_library_dirs medium Verify that Shared Library Files Have Root Ownership Files from shared library directories are loaded into the address space of processes (including privileged ones) or of the kernel itself at runtime. Proper ownership is necessary to protect the integrity of the system. System-wide shared library files, which are linked to executables during process load time or run time, are stored in the following directories by default:
/lib
/lib64
/usr/lib
/usr/lib64
Kernel modules, which can be added to the kernel during runtime, are also stored in /lib/modules. All files in these directories should be owned by the root user. If the directory, or any file in these directories, is found to be owned by a user other than root correct its ownership with the following command:
$ sudo chown root FILE
SRG-OS-000259-GPOS-00100
CCI-001499
file_ownership_var_log_audit_stig medium System Audit Logs Must Be Owned By Root Unauthorized disclosure of audit records can reveal system and configuration data to attackers, thus compromising its confidentiality. All audit logs must be owned by root user. The path for audit log can be configured via log_file parameter in
/etc/audit/auditd.conf
or by default, the path for audit log is
/var/log/audit/
. To properly set the owner of /var/log/audit/*, run the command:
$ sudo chown root /var/log/audit/* 
SRG-OS-000057-GPOS-00027
SRG-OS-000058-GPOS-00028
SRG-OS-000059-GPOS-00029
SRG-OS-000206-GPOS-00084
CCI-000162
CCI-000163
CCI-000164
CCI-001314
file_permission_user_init_files medium Ensure All User Initialization Files Have Mode 0740 Or Less Permissive Local initialization files are used to configure the user's shell environment upon logon. Malicious modification of these files could compromise accounts upon logon. Set the mode of the user initialization files to 0740 with the following command:
$ sudo chmod 0740 /home/USER/.INIT_FILE
SRG-OS-000360-GPOS-00147
SRG-OS-000480-GPOS-00225
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00232
CCI-000366
file_permissions_binary_dirs medium Verify that System Executables Have Restrictive Permissions System binaries are executed by privileged users, as well as system services, and restrictive permissions are necessary to ensure execution of these programs cannot be co-opted. System executables are stored in the following directories by default:
/bin
/sbin
/usr/bin
/usr/libexec
/usr/local/bin
/usr/local/sbin
/usr/sbin
All files in these directories should not be group-writable or world-writable. If any file FILE in these directories is found to be group-writable or world-writable, correct its permission with the following command:
$ sudo chmod go-w FILE
SRG-OS-000259-GPOS-00100
CCI-001499
file_permissions_etc_audit_auditd medium Verify Permissions on /etc/audit/auditd.conf Without the capability to restrict the roles and individuals that can select which events are audited, unauthorized personnel may be able to prevent the auditing of critical events. Misconfigured audits may degrade the system's performance by overwhelming the audit log. Misconfigured audits may also make it more difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. To properly set the permissions of /etc/audit/auditd.conf, run the command:
$ sudo chmod 0640 /etc/audit/auditd.conf
SRG-OS-000063-GPOS-00032
CCI-000171
file_permissions_etc_audit_rulesd medium Verify Permissions on /etc/audit/rules.d/*.rules Without the capability to restrict the roles and individuals that can select which events are audited, unauthorized personnel may be able to prevent the auditing of critical events. Misconfigured audits may degrade the system's performance by overwhelming the audit log. Misconfigured audits may also make it more difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. To properly set the permissions of /etc/audit/rules.d/*.rules, run the command:
$ sudo chmod 0640 /etc/audit/rules.d/*.rules
SRG-OS-000063-GPOS-00032
CCI-000171
file_permissions_home_directories medium All Interactive User Home Directories Must Have mode 0750 Or Less Permissive Excessive permissions on local interactive user home directories may allow unauthorized access to user files by other users. Change the mode of interactive users home directories to 0750. To change the mode of interactive users home directory, use the following command:
$ sudo chmod 0750 /home/USER
SRG-OS-000360-GPOS-00147
SRG-OS-000480-GPOS-00225
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00232
CCI-000366
file_permissions_library_dirs medium Verify that Shared Library Files Have Restrictive Permissions Files from shared library directories are loaded into the address space of processes (including privileged ones) or of the kernel itself at runtime. Restrictive permissions are necessary to protect the integrity of the system. System-wide shared library files, which are linked to executables during process load time or run time, are stored in the following directories by default:
/lib
/lib64
/usr/lib
/usr/lib64
Kernel modules, which can be added to the kernel during runtime, are stored in /lib/modules. All files in these directories should not be group-writable or world-writable. If any file in these directories is found to be group-writable or world-writable, correct its permission with the following command:
$ sudo chmod go-w FILE
SRG-OS-000259-GPOS-00100
CCI-001499
file_permissions_sshd_private_key medium Verify Permissions on SSH Server Private *_key Key Files If an unauthorized user obtains the private SSH host key file, the host could be impersonated. SSH server private keys - files that match the /etc/ssh/*_key glob, have to have restricted permissions. If those files are owned by the root user and the root group, they have to have the 0600 permission or stricter. If they are owned by the root user, but by a dedicated group ssh_keys, they can have the 0640 permission or stricter. SRG-OS-000360-GPOS-00147
SRG-OS-000480-GPOS-00225
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00232
CCI-000366
file_permissions_sshd_pub_key medium Verify Permissions on SSH Server Public *.pub Key Files If a public host key file is modified by an unauthorized user, the SSH service may be compromised. To properly set the permissions of /etc/ssh/*.pub, run the command:
$ sudo chmod 0644 /etc/ssh/*.pub
SRG-OS-000360-GPOS-00147
SRG-OS-000480-GPOS-00225
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00232
CCI-000366
file_permissions_ungroupowned medium Ensure All Files Are Owned by a Group Unowned files do not directly imply a security problem, but they are generally a sign that something is amiss. They may be caused by an intruder, by incorrect software installation or draft software removal, or by failure to remove all files belonging to a deleted account. The files should be repaired so they will not cause problems when accounts are created in the future, and the cause should be discovered and addressed. If any files are not owned by a group, then the cause of their lack of group-ownership should be investigated. Following this, the files should be deleted or assigned to an appropriate group. The following command will discover and print any files on local partitions which do not belong to a valid group:
$ df --local -P | awk '{if (NR!=1) print $6}' | sudo xargs -I '{}' find '{}' -xdev -nogroup
To search all filesystems on a system including network mounted filesystems the following command can be run manually for each partition:
$ sudo find PARTITION -xdev -nogroup
SRG-OS-000360-GPOS-00147
SRG-OS-000480-GPOS-00225
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00232
SRG-OS-000312-GPOS-00122
SRG-OS-000312-GPOS-00123
SRG-OS-000312-GPOS-00124
CCI-000366
CCI-002165
file_permissions_var_log medium Verify Permissions on /var/log Directory The /var/log directory contains files with logs of error messages in the system and should only be accessed by authorized personnel. To properly set the permissions of /var/log, run the command:
$ sudo chmod 0755 /var/log
SRG-OS-000206-GPOS-00084
CCI-001314
file_permissions_var_log_audit medium System Audit Logs Must Have Mode 0640 or Less Permissive If users can write to audit logs, audit trails can be modified or destroyed. Determine where the audit logs are stored with the following command:
$ sudo grep -iw log_file /etc/audit/auditd.conf
log_file = /var/log/audit/audit.log
Configure the audit log to be protected from unauthorized read access by setting the correct permissive mode with the following command:
$ sudo chmod 0600 audit_log_file
By default, audit_log_file is "/var/log/audit/audit.log".
SRG-OS-000057-GPOS-00027
SRG-OS-000058-GPOS-00028
SRG-OS-000059-GPOS-00029
SRG-OS-000206-GPOS-00084
CCI-000162
CCI-000163
CCI-000164
CCI-001314
file_permissions_var_log_messages medium Verify Permissions on /var/log/messages File The /var/log/messages file contains logs of error messages in the system and should only be accessed by authorized personnel. To properly set the permissions of /var/log/messages, run the command:
$ sudo chmod 0640 /var/log/messages
SRG-OS-000206-GPOS-00084
CCI-001314
gnome_gdm_disable_automatic_login high Disable GDM Automatic Login Failure to restrict system access to authenticated users negatively impacts operating system security. The GNOME Display Manager (GDM) can allow users to automatically login without user interaction or credentials. User should always be required to authenticate themselves to the system that they are authorized to use. To disable user ability to automatically login to the system, set the AutomaticLoginEnable to false in the [daemon] section in /etc/gdm/custom.conf. For example:
[daemon]
AutomaticLoginEnable=false
SRG-OS-000360-GPOS-00147
SRG-OS-000480-GPOS-00225
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00232
CCI-000366
grub2_admin_username medium Set the Boot Loader Admin Username to a Non-Default Value Having a non-default grub superuser username makes password-guessing attacks less effective. The grub2 boot loader should have a superuser account and password protection enabled to protect boot-time settings.

To maximize the protection, select a password-protected superuser account with unique name, and modify the /etc/grub.d/01_users configuration file to reflect the account name change.

Do not to use common administrator account names like root, admin, or administrator for the grub2 superuser account.

Change the superuser to a different username (The default is 'root').
$ sed -i 's/\(set superuser=\).*/\1"<unique user ID>"/g' /etc/grub.d/01_users


Once the superuser account has been added, update the grub.cfg file by running:
grubby --update-kernel=ALL --env=/boot/grub2/grubenv
SRG-OS-000080-GPOS-00048
CCI-000213
grub2_audit_argument medium Enable Auditing for Processes Which Start Prior to the Audit Daemon Each process on the system carries an "auditable" flag which indicates whether its activities can be audited. Although auditd takes care of enabling this for all processes which launch after it does, adding the kernel argument ensures it is set for every process during boot. To ensure all processes can be audited, even those which start prior to the audit daemon, add the argument audit=1 to the default GRUB 2 command line for the Linux operating system. To ensure that audit=1 is added as a kernel command line argument to newly installed kernels, add audit=1 to the default Grub2 command line for Linux operating systems. Modify the line within /etc/default/grub as shown below:
GRUB_CMDLINE_LINUX="... audit=1 ..."
Run the following command to update command line for already installed kernels:
# grubby --update-kernel=ALL --args="audit=1"
SRG-OS-000254-GPOS-00095
SRG-OS-000037-GPOS-00015
SRG-OS-000042-GPOS-00020
SRG-OS-000042-GPOS-00021
SRG-OS-000062-GPOS-00031
SRG-OS-000064-GPOS-00033
SRG-OS-000458-GPOS-00203
SRG-OS-000461-GPOS-00205
SRG-OS-000462-GPOS-00206
SRG-OS-000463-GPOS-00207
SRG-OS-000465-GPOS-00209
SRG-OS-000466-GPOS-00210
SRG-OS-000467-GPOS-00211
SRG-OS-000468-GPOS-00212
SRG-OS-000470-GPOS-00214
SRG-OS-000471-GPOS-00215
SRG-OS-000471-GPOS-00216
SRG-OS-000472-GPOS-00217
SRG-OS-000473-GPOS-00218
SRG-OS-000474-GPOS-00219
SRG-OS-000475-GPOS-00220
SRG-OS-000476-GPOS-00221
SRG-OS-000477-GPOS-00222
SRG-OS-000392-GPOS-00172
CCI-001464
CCI-000130
CCI-000135
CCI-000169
CCI-000172
CCI-002884
grub2_audit_backlog_limit_argument low Extend Audit Backlog Limit for the Audit Daemon audit_backlog_limit sets the queue length for audit events awaiting transfer to the audit daemon. Until the audit daemon is up and running, all log messages are stored in this queue. If the queue is overrun during boot process, the action defined by audit failure flag is taken. To improve the kernel capacity to queue all log events, even those which occurred prior to the audit daemon, add the argument audit_backlog_limit=8192 to the default GRUB 2 command line for the Linux operating system. To ensure that audit_backlog_limit=8192 is added as a kernel command line argument to newly installed kernels, add audit_backlog_limit=8192 to the default Grub2 command line for Linux operating systems. Modify the line within /etc/default/grub as shown below:
GRUB_CMDLINE_LINUX="... audit_backlog_limit=8192 ..."
Run the following command to update command line for already installed kernels:
# grubby --update-kernel=ALL --args="audit_backlog_limit=8192"
SRG-OS-000037-GPOS-00015
SRG-OS-000042-GPOS-00020
SRG-OS-000042-GPOS-00021
SRG-OS-000062-GPOS-00031
SRG-OS-000064-GPOS-00033
SRG-OS-000458-GPOS-00203
SRG-OS-000461-GPOS-00205
SRG-OS-000462-GPOS-00206
SRG-OS-000463-GPOS-00207
SRG-OS-000465-GPOS-00209
SRG-OS-000466-GPOS-00210
SRG-OS-000467-GPOS-00211
SRG-OS-000468-GPOS-00212
SRG-OS-000470-GPOS-00214
SRG-OS-000471-GPOS-00215
SRG-OS-000471-GPOS-00216
SRG-OS-000472-GPOS-00217
SRG-OS-000473-GPOS-00218
SRG-OS-000474-GPOS-00219
SRG-OS-000475-GPOS-00220
SRG-OS-000476-GPOS-00221
SRG-OS-000477-GPOS-00222
SRG-OS-000341-GPOS-00132
SRG-OS-000392-GPOS-00172
CCI-000130
CCI-000135
CCI-000169
CCI-000172
CCI-001849
CCI-002884
grub2_page_poison_argument medium Enable page allocator poisoning Poisoning writes an arbitrary value to freed pages, so any modification or reference to that page after being freed or before being initialized will be detected and prevented. This prevents many types of use-after-free vulnerabilities at little performance cost. Also prevents leak of data and detection of corrupted memory. To enable poisoning of free pages, add the argument page_poison=1 to the default GRUB 2 command line for the Linux operating system. To ensure that page_poison=1 is added as a kernel command line argument to newly installed kernels, add page_poison=1 to the default Grub2 command line for Linux operating systems. Modify the line within /etc/default/grub as shown below:
GRUB_CMDLINE_LINUX="... page_poison=1 ..."
Run the following command to update command line for already installed kernels:
# grubby --update-kernel=ALL --args="page_poison=1"
SRG-OS-000134-GPOS-00068
CCI-001084
grub2_password high Set Boot Loader Password in grub2 Password protection on the boot loader configuration ensures users with physical access cannot trivially alter important bootloader settings. These include which kernel to use, and whether to enter single-user mode. The grub2 boot loader should have a superuser account and password protection enabled to protect boot-time settings.

Since plaintext passwords are a security risk, generate a hash for the password by running the following command:
# grub2-setpassword
When prompted, enter the password that was selected.

SRG-OS-000080-GPOS-00048
CCI-000213
grub2_pti_argument low Enable Kernel Page-Table Isolation (KPTI) Kernel page-table isolation is a kernel feature that mitigates the Meltdown security vulnerability and hardens the kernel against attempts to bypass kernel address space layout randomization (KASLR). To enable Kernel page-table isolation, add the argument pti=on to the default GRUB 2 command line for the Linux operating system. To ensure that pti=on is added as a kernel command line argument to newly installed kernels, add pti=on to the default Grub2 command line for Linux operating systems. Modify the line within /etc/default/grub as shown below:
GRUB_CMDLINE_LINUX="... pti=on ..."
Run the following command to update command line for already installed kernels:
# grubby --update-kernel=ALL --args="pti=on"
SRG-OS-000095-GPOS-00049
CCI-000381
grub2_slub_debug_argument medium Enable SLUB/SLAB allocator poisoning Poisoning writes an arbitrary value to freed objects, so any modification or reference to that object after being freed or before being initialized will be detected and prevented. This prevents many types of use-after-free vulnerabilities at little performance cost. Also prevents leak of data and detection of corrupted memory. To enable poisoning of SLUB/SLAB objects, add the argument slub_debug=P to the default GRUB 2 command line for the Linux operating system. To ensure that slub_debug=P is added as a kernel command line argument to newly installed kernels, add slub_debug=P to the default Grub2 command line for Linux operating systems. Modify the line within /etc/default/grub as shown below:
GRUB_CMDLINE_LINUX="... slub_debug=P ..."
Run the following command to update command line for already installed kernels:
# grubby --update-kernel=ALL --args="slub_debug=P"
SRG-OS-000134-GPOS-00068
CCI-001084
grub2_uefi_admin_username medium Set the UEFI Boot Loader Admin Username to a Non-Default Value Having a non-default grub superuser username makes password-guessing attacks less effective. The grub2 boot loader should have a superuser account and password protection enabled to protect boot-time settings.

To maximize the protection, select a password-protected superuser account with unique name, and modify the /etc/grub.d/01_users configuration file to reflect the account name change.

It is highly suggested not to use common administrator account names like root, admin, or administrator for the grub2 superuser account.

Change the superuser to a different username (The default is 'root').
$ sed -i 's/\(set superusers=\).*/\1"<unique user ID>"/g' /etc/grub.d/01_users


Once the superuser account has been added, update the grub.cfg file by running:
grubby --update-kernel=ALL --env=/boot/grub2/grubenv
SRG-OS-000080-GPOS-00048
CCI-000213
grub2_uefi_password high Set the UEFI Boot Loader Password Password protection on the boot loader configuration ensures users with physical access cannot trivially alter important bootloader settings. These include which kernel to use, and whether to enter single-user mode. The grub2 boot loader should have a superuser account and password protection enabled to protect boot-time settings.

Since plaintext passwords are a security risk, generate a hash for the password by running the following command:
# grub2-setpassword
When prompted, enter the password that was selected.

SRG-OS-000080-GPOS-00048
CCI-000213
grub2_vsyscall_argument medium Disable vsyscalls Virtual Syscalls provide an opportunity of attack for a user who has control of the return instruction pointer. To disable use of virtual syscalls, add the argument vsyscall=none to the default GRUB 2 command line for the Linux operating system. To ensure that vsyscall=none is added as a kernel command line argument to newly installed kernels, add vsyscall=none to the default Grub2 command line for Linux operating systems. Modify the line within /etc/default/grub as shown below:
GRUB_CMDLINE_LINUX="... vsyscall=none ..."
Run the following command to update command line for already installed kernels:
# grubby --update-kernel=ALL --args="vsyscall=none"
SRG-OS-000134-GPOS-00068
CCI-001084
harden_sshd_ciphers_openssh_conf_crypto_policy high Configure SSH Client to Use FIPS 140-2 Validated Ciphers: openssh.config Overriding the system crypto policy makes the behavior of the OpenSSH client violate expectations, and makes system configuration more fragmented. By specifying a cipher list with the order of ciphers being in a “strongest to weakest” orientation, the system will automatically attempt to use the strongest cipher for securing SSH connections. Crypto Policies provide a centralized control over crypto algorithms usage of many packages. OpenSSH is supported by system crypto policy, but the OpenSSH configuration may be set up incorrectly. To check that Crypto Policies settings for ciphers are configured correctly, ensure that /etc/crypto-policies/back-ends/openssh.config contains the following line and is not commented out:
Ciphers 
SRG-OS-000033-GPOS-00014
SRG-OS-000125-GPOS-00065
SRG-OS-000250-GPOS-00093
SRG-OS-000423-GPOS-00187
SRG-OS-000481-GPOS-00481
SRG-OS-000393-GPOS-00173
SRG-OS-000394-GPOS-00174
CCI-000068
CCI-000877
CCI-001453
CCI-002418
CCI-002890
CCI-003123
harden_sshd_ciphers_opensshserver_conf_crypto_policy medium Configure SSH Server to Use FIPS 140-2 Validated Ciphers: opensshserver.config Overriding the system crypto policy makes the behavior of the OpenSSH server violate expectations, and makes system configuration more fragmented. By specifying a cipher list with the order of ciphers being in a “strongest to weakest” orientation, the system will automatically attempt to use the strongest cipher for securing SSH connections. Crypto Policies provide a centralized control over crypto algorithms usage of many packages. OpenSSH is supported by system crypto policy, but the OpenSSH configuration may be set up incorrectly. To check that Crypto Policies settings for ciphers are configured correctly, ensure that /etc/crypto-policies/back-ends/opensshserver.config contains the following text and is not commented out:
-oCiphers=
SRG-OS-000125-GPOS-00065
SRG-OS-000250-GPOS-00093
CCI-000877
CCI-001453
harden_sshd_macs_openssh_conf_crypto_policy medium Configure SSH Client to Use FIPS 140-2 Validated MACs: openssh.config Overriding the system crypto policy makes the behavior of the OpenSSH client violate expectations, and makes system configuration more fragmented. Crypto Policies provide a centralized control over crypto algorithms usage of many packages. OpenSSH is supported by system crypto policy, but the OpenSSH configuration may be set up incorrectly. To check that Crypto Policies settings are configured correctly, ensure that /etc/crypto-policies/back-ends/openssh.config contains the following line and is not commented out: MACs hmac-sha2-512,hmac-sha2-256 SRG-OS-000125-GPOS-00065
SRG-OS-000250-GPOS-00093
CCI-000877
CCI-001453
harden_sshd_macs_opensshserver_conf_crypto_policy medium Configure SSH Server to Use FIPS 140-2 Validated MACs: opensshserver.config Overriding the system crypto policy makes the behavior of the OpenSSH server violate expectations, and makes system configuration more fragmented. Crypto Policies provide a centralized control over crypto algorithms usage of many packages. OpenSSH is supported by system crypto policy, but the OpenSSH configuration may be set up incorrectly. To check that Crypto Policies settings are configured correctly, ensure that /etc/crypto-policies/back-ends/opensshserver.config contains the following text and is not commented out: -oMACS=hmac-sha2-512,hmac-sha2-256 SRG-OS-000125-GPOS-00065
SRG-OS-000250-GPOS-00093
CCI-000877
CCI-001453
install_smartcard_packages medium Install Smart Card Packages For Multifactor Authentication Using an authentication device, such as a CAC or token that is separate from the information system, ensures that even if the information system is compromised, that compromise will not affect credentials stored on the authentication device.

Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification card and the DoD Common Access Card.
Configure the operating system to implement multifactor authentication by installing the required package with the following command: The openssl-pkcs11 package can be installed with the following command:
$ sudo yum install openssl-pkcs11
SRG-OS-000105-GPOS-00052
SRG-OS-000375-GPOS-00160
SRG-OS-000376-GPOS-00161
SRG-OS-000377-GPOS-00162
CCI-000765
CCI-001948
CCI-001953
CCI-001954
installed_OS_is_vendor_supported high The Installed Operating System Is Vendor Supported An operating system is considered "supported" if the vendor continues to provide security patches for the product. With an unsupported release, it will not be possible to resolve any security issue discovered in the system software. The installed operating system must be maintained by a vendor. Red Hat Enterprise Linux is supported by Red Hat, Inc. As the Red Hat Enterprise Linux vendor, Red Hat, Inc. is responsible for providing security patches. SRG-OS-000360-GPOS-00147
SRG-OS-000480-GPOS-00225
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00232
CCI-000366
kerberos_disable_no_keytab medium Disable Kerberos by removing host keytab The key derivation function (KDF) in Kerberos is not FIPS compatible. Kerberos is not an approved key distribution method for Common Criteria. To prevent using Kerberos by system daemons, remove the Kerberos keytab files, especially /etc/krb5.keytab. SRG-OS-000120-GPOS-00061
CCI-000803
kernel_module_atm_disabled medium Disable ATM Support Disabling ATM protects the system against exploitation of any flaws in its implementation. The Asynchronous Transfer Mode (ATM) is a protocol operating on network, data link, and physical layers, based on virtual circuits and virtual paths. To configure the system to prevent the atm kernel module from being loaded, add the following line to the file /etc/modprobe.d/atm.conf:
install atm /bin/true
To configure the system to prevent the atm from being used, add the following line to file /etc/modprobe.d/atm.conf:
blacklist atm
SRG-OS-000095-GPOS-00049
SRG-OS-000360-GPOS-00147
SRG-OS-000480-GPOS-00225
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00232
CCI-000381
CCI-000366
kernel_module_bluetooth_disabled medium Disable Bluetooth Kernel Module If Bluetooth functionality must be disabled, preventing the kernel from loading the kernel module provides an additional safeguard against its activation. The kernel's module loading system can be configured to prevent loading of the Bluetooth module. Add the following to the appropriate /etc/modprobe.d configuration file to prevent the loading of the Bluetooth module:
install bluetooth /bin/true
SRG-OS-000300-GPOS-00118
SRG-OS-000299-GPOS-00117
SRG-OS-000423-GPOS-00187
SRG-OS-000481-GPOS-00481
CCI-000085
CCI-001443
CCI-001444
CCI-001551
CCI-002418
kernel_module_can_disabled medium Disable CAN Support Disabling CAN protects the system against exploitation of any flaws in its implementation. The Controller Area Network (CAN) is a serial communications protocol which was initially developed for automotive and is now also used in marine, industrial, and medical applications. To configure the system to prevent the can kernel module from being loaded, add the following line to the file /etc/modprobe.d/can.conf:
install can /bin/true
To configure the system to prevent the can from being used, add the following line to file /etc/modprobe.d/can.conf:
blacklist can
SRG-OS-000095-GPOS-00049
SRG-OS-000360-GPOS-00147
SRG-OS-000480-GPOS-00225
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00232
CCI-000381
CCI-000366
kernel_module_cramfs_disabled low Disable Mounting of cramfs Removing support for unneeded filesystem types reduces the local attack surface of the server. To configure the system to prevent the cramfs kernel module from being loaded, add the following line to the file /etc/modprobe.d/cramfs.conf:
install cramfs /bin/true
To configure the system to prevent the cramfs from being used, add the following line to file /etc/modprobe.d/cramfs.conf:
blacklist cramfs
This effectively prevents usage of this uncommon filesystem. The cramfs filesystem type is a compressed read-only Linux filesystem embedded in small footprint systems. A cramfs image can be used without having to first decompress the image.
SRG-OS-000095-GPOS-00049
CCI-000381
kernel_module_firewire-core_disabled low Disable IEEE 1394 (FireWire) Support Disabling FireWire protects the system against exploitation of any flaws in its implementation. The IEEE 1394 (FireWire) is a serial bus standard for high-speed real-time communication. To configure the system to prevent the firewire-core kernel module from being loaded, add the following line to the file /etc/modprobe.d/firewire-core.conf:
install firewire-core /bin/true
To configure the system to prevent the firewire-core from being used, add the following line to file /etc/modprobe.d/firewire-core.conf:
blacklist firewire-core
SRG-OS-000095-GPOS-00049
CCI-000381
kernel_module_sctp_disabled medium Disable SCTP Support Disabling SCTP protects the system against exploitation of any flaws in its implementation. The Stream Control Transmission Protocol (SCTP) is a transport layer protocol, designed to support the idea of message-oriented communication, with several streams of messages within one connection. To configure the system to prevent the sctp kernel module from being loaded, add the following line to the file /etc/modprobe.d/sctp.conf:
install sctp /bin/true
To configure the system to prevent the sctp from being used, add the following line to file /etc/modprobe.d/sctp.conf:
blacklist sctp
SRG-OS-000095-GPOS-00049
SRG-OS-000360-GPOS-00147
SRG-OS-000480-GPOS-00225
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00232
CCI-000381
CCI-000366
kernel_module_tipc_disabled low Disable TIPC Support Disabling TIPC protects the system against exploitation of any flaws in its implementation. The Transparent Inter-Process Communication (TIPC) protocol is designed to provide communications between nodes in a cluster. To configure the system to prevent the tipc kernel module from being loaded, add the following line to the file /etc/modprobe.d/tipc.conf:
install tipc /bin/true
To configure the system to prevent the tipc from being used, add the following line to file /etc/modprobe.d/tipc.conf:
blacklist tipc
SRG-OS-000095-GPOS-00049
CCI-000381
kernel_module_usb-storage_disabled medium Disable Modprobe Loading of USB Storage Driver USB storage devices such as thumb drives can be used to introduce malicious software. To prevent USB storage devices from being used, configure the kernel module loading system to prevent automatic loading of the USB storage driver. To configure the system to prevent the usb-storage kernel module from being loaded, add the following line to the file /etc/modprobe.d/usb-storage.conf:
install usb-storage /bin/true
To configure the system to prevent the usb-storage from being used, add the following line to file /etc/modprobe.d/usb-storage.conf:
blacklist usb-storage
This will prevent the modprobe program from loading the usb-storage module, but will not prevent an administrator (or another program) from using the insmod program to load the module manually.
SRG-OS-000360-GPOS-00147
SRG-OS-000480-GPOS-00225
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00232
SRG-OS-000114-GPOS-00059
SRG-OS-000378-GPOS-00163
CCI-000366
CCI-000778
CCI-001958
mount_option_boot_nosuid medium Add nosuid Option to /boot The presence of SUID and SGID executables should be tightly controlled. Users should not be able to execute SUID or SGID binaries from boot partitions. The nosuid mount option can be used to prevent execution of setuid programs in /boot. The SUID and SGID permissions should not be required on the boot partition. Add the nosuid option to the fourth column of /etc/fstab for the line which controls mounting of /boot. SRG-OS-000360-GPOS-00147
SRG-OS-000480-GPOS-00225
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00232
CCI-000366
mount_option_dev_shm_nodev medium Add nodev Option to /dev/shm The only legitimate location for device files is the /dev directory located on the root partition. The only exception to this is chroot jails. The nodev mount option can be used to prevent creation of device files in /dev/shm. Legitimate character and block devices should not exist within temporary directories like /dev/shm. Add the nodev option to the fourth column of /etc/fstab for the line which controls mounting of /dev/shm. SRG-OS-000368-GPOS-00154
CCI-001764
mount_option_dev_shm_noexec medium Add noexec Option to /dev/shm Allowing users to execute binaries from world-writable directories such as /dev/shm can expose the system to potential compromise. The noexec mount option can be used to prevent binaries from being executed out of /dev/shm. It can be dangerous to allow the execution of binaries from world-writable temporary storage directories such as /dev/shm. Add the noexec option to the fourth column of /etc/fstab for the line which controls mounting of /dev/shm. SRG-OS-000368-GPOS-00154
CCI-001764
mount_option_dev_shm_nosuid medium Add nosuid Option to /dev/shm The presence of SUID and SGID executables should be tightly controlled. Users should not be able to execute SUID or SGID binaries from temporary storage partitions. The nosuid mount option can be used to prevent execution of setuid programs in /dev/shm. The SUID and SGID permissions should not be required in these world-writable directories. Add the nosuid option to the fourth column of /etc/fstab for the line which controls mounting of /dev/shm. SRG-OS-000368-GPOS-00154
CCI-001764
mount_option_home_noexec medium Add noexec Option to /home The /home directory contains data of individual users. Binaries in this directory should not be considered as trusted and users should not be able to execute them. The noexec mount option can be used to prevent binaries from being executed out of /home. Add the noexec option to the fourth column of /etc/fstab for the line which controls mounting of /home. SRG-OS-000360-GPOS-00147
SRG-OS-000480-GPOS-00225
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00232
CCI-000366
mount_option_home_nosuid medium Add nosuid Option to /home The presence of SUID and SGID executables should be tightly controlled. Users should not be able to execute SUID or SGID binaries from user home directory partitions. The nosuid mount option can be used to prevent execution of setuid programs in /home. The SUID and SGID permissions should not be required in these user data directories. Add the nosuid option to the fourth column of /etc/fstab for the line which controls mounting of /home. SRG-OS-000360-GPOS-00147
SRG-OS-000480-GPOS-00225
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00232
CCI-000366
mount_option_nodev_nonroot_local_partitions medium Add nodev Option to Non-Root Local Partitions The nodev mount option prevents files from being interpreted as character or block devices. The only legitimate location for device files is the /dev directory located on the root partition. The only exception to this is chroot jails, for which it is not advised to set nodev on these filesystems. The nodev mount option prevents files from being interpreted as character or block devices. Legitimate character and block devices should exist only in the /dev directory on the root partition or within chroot jails built for system services. Add the nodev option to the fourth column of /etc/fstab for the line which controls mounting of any non-root local partitions. SRG-OS-000360-GPOS-00147
SRG-OS-000480-GPOS-00225
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00232
CCI-000366
mount_option_nodev_remote_filesystems medium Mount Remote Filesystems with nodev Legitimate device files should only exist in the /dev directory. NFS mounts should not present device files to users. Add the nodev option to the fourth column of /etc/fstab for the line which controls mounting of any NFS mounts. SRG-OS-000360-GPOS-00147
SRG-OS-000480-GPOS-00225
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00232
CCI-000366
mount_option_nodev_removable_partitions medium Add nodev Option to Removable Media Partitions The only legitimate location for device files is the /dev directory located on the root partition. An exception to this is chroot jails, and it is not advised to set nodev on partitions which contain their root filesystems. The nodev mount option prevents files from being interpreted as character or block devices. Legitimate character and block devices should exist only in the /dev directory on the root partition or within chroot jails built for system services. Add the nodev option to the fourth column of /etc/fstab for the line which controls mounting of any removable media partitions. SRG-OS-000360-GPOS-00147
SRG-OS-000480-GPOS-00225
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00232
CCI-000366
mount_option_noexec_remote_filesystems medium Mount Remote Filesystems with noexec The noexec mount option causes the system not to execute binary files. This option must be used for mounting any file system not containing approved binary files as they may be incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. Add the noexec option to the fourth column of /etc/fstab for the line which controls mounting of any NFS mounts. SRG-OS-000360-GPOS-00147
SRG-OS-000480-GPOS-00225
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00232
CCI-000366
mount_option_noexec_removable_partitions medium Add noexec Option to Removable Media Partitions Allowing users to execute binaries from removable media such as USB keys exposes the system to potential compromise. The noexec mount option prevents the direct execution of binaries on the mounted filesystem. Preventing the direct execution of binaries from removable media (such as a USB key) provides a defense against malicious software that may be present on such untrusted media. Add the noexec option to the fourth column of /etc/fstab for the line which controls mounting of any removable media partitions. SRG-OS-000360-GPOS-00147
SRG-OS-000480-GPOS-00225
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00232
CCI-000087
CCI-000366
mount_option_nosuid_remote_filesystems medium Mount Remote Filesystems with nosuid NFS mounts should not present suid binaries to users. Only vendor-supplied suid executables should be installed to their default location on the local filesystem. Add the nosuid option to the fourth column of /etc/fstab for the line which controls mounting of any NFS mounts. SRG-OS-000360-GPOS-00147
SRG-OS-000480-GPOS-00225
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00232
CCI-000366
mount_option_nosuid_removable_partitions medium Add nosuid Option to Removable Media Partitions The presence of SUID and SGID executables should be tightly controlled. Allowing users to introduce SUID or SGID binaries from partitions mounted off of removable media would allow them to introduce their own highly-privileged programs. The nosuid mount option prevents set-user-identifier (SUID) and set-group-identifier (SGID) permissions from taking effect. These permissions allow users to execute binaries with the same permissions as the owner and group of the file respectively. Users should not be allowed to introduce SUID and SGID files into the system via partitions mounted from removeable media. Add the nosuid option to the fourth column of /etc/fstab for the line which controls mounting of any removable media partitions. SRG-OS-000360-GPOS-00147
SRG-OS-000480-GPOS-00225
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00232
CCI-000366
mount_option_tmp_nodev medium Add nodev Option to /tmp The only legitimate location for device files is the /dev directory located on the root partition. The only exception to this is chroot jails. The nodev mount option can be used to prevent device files from being created in /tmp. Legitimate character and block devices should not exist within temporary directories like /tmp. Add the nodev option to the fourth column of /etc/fstab for the line which controls mounting of /tmp. SRG-OS-000368-GPOS-00154
CCI-001764
mount_option_tmp_noexec medium Add noexec Option to /tmp Allowing users to execute binaries from world-writable directories such as /tmp should never be necessary in normal operation and can expose the system to potential compromise. The noexec mount option can be used to prevent binaries from being executed out of /tmp. Add the noexec option to the fourth column of /etc/fstab for the line which controls mounting of /tmp. SRG-OS-000368-GPOS-00154
CCI-001764
mount_option_tmp_nosuid medium Add nosuid Option to /tmp The presence of SUID and SGID executables should be tightly controlled. Users should not be able to execute SUID or SGID binaries from temporary storage partitions. The nosuid mount option can be used to prevent execution of setuid programs in /tmp. The SUID and SGID permissions should not be required in these world-writable directories. Add the nosuid option to the fourth column of /etc/fstab for the line which controls mounting of /tmp. SRG-OS-000368-GPOS-00154
CCI-001764
mount_option_var_log_audit_nodev medium Add nodev Option to /var/log/audit The only legitimate location for device files is the /dev directory located on the root partition. The only exception to this is chroot jails. The nodev mount option can be used to prevent device files from being created in /var/log/audit. Legitimate character and block devices should exist only in the /dev directory on the root partition or within chroot jails built for system services. Add the nodev option to the fourth column of /etc/fstab for the line which controls mounting of /var/log/audit. SRG-OS-000368-GPOS-00154
CCI-001764
mount_option_var_log_audit_noexec medium Add noexec Option to /var/log/audit Allowing users to execute binaries from directories containing audit log files such as /var/log/audit should never be necessary in normal operation and can expose the system to potential compromise. The noexec mount option can be used to prevent binaries from being executed out of /var/log/audit. Add the noexec option to the fourth column of /etc/fstab for the line which controls mounting of /var/log/audit. SRG-OS-000368-GPOS-00154
CCI-001764
mount_option_var_log_audit_nosuid medium Add nosuid Option to /var/log/audit The presence of SUID and SGID executables should be tightly controlled. Users should not be able to execute SUID or SGID binaries from partitions designated for audit log files. The nosuid mount option can be used to prevent execution of setuid programs in /var/log/audit. The SUID and SGID permissions should not be required in directories containing audit log files. Add the nosuid option to the fourth column of /etc/fstab for the line which controls mounting of /var/log/audit. SRG-OS-000368-GPOS-00154
CCI-001764
mount_option_var_log_nodev medium Add nodev Option to /var/log The only legitimate location for device files is the /dev directory located on the root partition. The only exception to this is chroot jails. The nodev mount option can be used to prevent device files from being created in /var/log. Legitimate character and block devices should exist only in the /dev directory on the root partition or within chroot jails built for system services. Add the nodev option to the fourth column of /etc/fstab for the line which controls mounting of /var/log. SRG-OS-000368-GPOS-00154
CCI-001764
mount_option_var_log_noexec medium Add noexec Option to /var/log Allowing users to execute binaries from directories containing log files such as /var/log should never be necessary in normal operation and can expose the system to potential compromise. The noexec mount option can be used to prevent binaries from being executed out of /var/log. Add the noexec option to the fourth column of /etc/fstab for the line which controls mounting of /var/log. SRG-OS-000368-GPOS-00154
CCI-001764
mount_option_var_log_nosuid medium Add nosuid Option to /var/log The presence of SUID and SGID executables should be tightly controlled. Users should not be able to execute SUID or SGID binaries from partitions designated for log files. The nosuid mount option can be used to prevent execution of setuid programs in /var/log. The SUID and SGID permissions should not be required in directories containing log files. Add the nosuid option to the fourth column of /etc/fstab for the line which controls mounting of /var/log. SRG-OS-000368-GPOS-00154
CCI-001764
mount_option_var_tmp_nodev medium Add nodev Option to /var/tmp The only legitimate location for device files is the /dev directory located on the root partition. The only exception to this is chroot jails. The nodev mount option can be used to prevent device files from being created in /var/tmp. Legitimate character and block devices should not exist within temporary directories like /var/tmp. Add the nodev option to the fourth column of /etc/fstab for the line which controls mounting of /var/tmp. SRG-OS-000368-GPOS-00154
CCI-001764
mount_option_var_tmp_noexec medium Add noexec Option to /var/tmp Allowing users to execute binaries from world-writable directories such as /var/tmp should never be necessary in normal operation and can expose the system to potential compromise. The noexec mount option can be used to prevent binaries from being executed out of /var/tmp. Add the noexec option to the fourth column of /etc/fstab for the line which controls mounting of /var/tmp. SRG-OS-000368-GPOS-00154
CCI-001764
mount_option_var_tmp_nosuid medium Add nosuid Option to /var/tmp The presence of SUID and SGID executables should be tightly controlled. Users should not be able to execute SUID or SGID binaries from temporary storage partitions. The nosuid mount option can be used to prevent execution of setuid programs in /var/tmp. The SUID and SGID permissions should not be required in these world-writable directories. Add the nosuid option to the fourth column of /etc/fstab for the line which controls mounting of /var/tmp. SRG-OS-000368-GPOS-00154
CCI-001764
network_configure_name_resolution medium Configure Multiple DNS Servers in /etc/resolv.conf To provide availability for name resolution services, multiple redundant name servers are mandated. A failure in name resolution could lead to the failure of security functions requiring name resolution, which may include time synchronization, centralized authentication, and remote system logging. Determine whether the system is using local or DNS name resolution with the following command:
$ sudo grep hosts /etc/nsswitch.conf
hosts: files dns
If the DNS entry is missing from the host's line in the "/etc/nsswitch.conf" file, the "/etc/resolv.conf" file must be empty. Verify the "/etc/resolv.conf" file is empty with the following command:
$ sudo ls -al /etc/resolv.conf
-rw-r--r-- 1 root root 0 Aug 19 08:31 resolv.conf
If the DNS entry is found on the host's line of the "/etc/nsswitch.conf" file, then verify the following:
Multiple Domain Name System (DNS) Servers should be configured in /etc/resolv.conf. This provides redundant name resolution services in the event that a domain server crashes. To configure the system to contain as least 2 DNS servers, add a corresponding nameserver ip_address entry in /etc/resolv.conf for each DNS server where ip_address is the IP address of a valid DNS server. For example:
search example.com
nameserver 192.168.0.1
nameserver 192.168.0.2
SRG-OS-000360-GPOS-00147
SRG-OS-000480-GPOS-00225
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00232
CCI-000366
network_sniffer_disabled medium Ensure System is Not Acting as a Network Sniffer Network interfaces in promiscuous mode allow for the capture of all network traffic visible to the system. If unauthorized individuals can access these applications, it may allow them to collect information such as logon IDs, passwords, and key exchanges between systems.

If the system is being used to perform a network troubleshooting function, the use of these tools must be documented with the Information Systems Security Manager (ISSM) and restricted to only authorized personnel.
The system should not be acting as a network sniffer, which can capture all traffic on the network to which it is connected. Run the following to determine if any interface is running in promiscuous mode:
$ ip link | grep PROMISC
Promiscuous mode of an interface can be disabled with the following command:
$ sudo ip link set dev device_name multicast off promisc off
SRG-OS-000360-GPOS-00147
SRG-OS-000480-GPOS-00225
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00232
CCI-000366
no_empty_passwords high Prevent Login to Accounts With Empty Password If an account has an empty password, anyone could log in and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments. If an account is configured for password authentication but does not have an assigned password, it may be possible to log into the account without authentication. Remove any instances of the nullok in /etc/pam.d/system-auth to prevent logins with empty passwords. SRG-OS-000360-GPOS-00147
SRG-OS-000480-GPOS-00225
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00232
CCI-000366
no_files_unowned_by_user medium Ensure All Files Are Owned by a User Unowned files do not directly imply a security problem, but they are generally a sign that something is amiss. They may be caused by an intruder, by incorrect software installation or draft software removal, or by failure to remove all files belonging to a deleted account. The files should be repaired so they will not cause problems when accounts are created in the future, and the cause should be discovered and addressed. If any files are not owned by a user, then the cause of their lack of ownership should be investigated. Following this, the files should be deleted or assigned to an appropriate user. The following command will discover and print any files on local partitions which do not belong to a valid user:
$ df --local -P | awk {'if (NR!=1) print $6'} | sudo xargs -I '{}' find '{}' -xdev -nouser
To search all filesystems on a system including network mounted filesystems the following command can be run manually for each partition:
$ sudo find PARTITION -xdev -nouser
SRG-OS-000360-GPOS-00147
SRG-OS-000480-GPOS-00225
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00232
SRG-OS-000312-GPOS-00122
SRG-OS-000312-GPOS-00123
SRG-OS-000312-GPOS-00124
CCI-000366
CCI-002165
no_host_based_files high Remove Host-Based Authentication Files The shosts.equiv files are used to configure host-based authentication for the system via SSH. Host-based authentication is not sufficient for preventing unauthorized access to the system, as it does not require interactive identification and authentication of a connection request, or for the use of two-factor authentication. The shosts.equiv file list remote hosts and users that are trusted by the local system. To remove these files, run the following command to delete them from any location:
$ sudo rm /[path]/[to]/[file]/shosts.equiv
SRG-OS-000360-GPOS-00147
SRG-OS-000480-GPOS-00225
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00232
CCI-000366
no_tmux_in_shells low Prevent user from disabling the screen lock Not listing tmux among permitted shells prevents malicious program running as user from lowering security by disabling the screen lock. The tmux terminal multiplexer is used to implement automatic session locking. It should not be listed in /etc/shells. SRG-OS-000028-GPOS-00009
SRG-OS-000030-GPOS-00011
CCI-000056
CCI-000058
no_user_host_based_files high Remove User Host-Based Authentication Files The .shosts files are used to configure host-based authentication for individual users or the system via SSH. Host-based authentication is not sufficient for preventing unauthorized access to the system, as it does not require interactive identification and authentication of a connection request, or for the use of two-factor authentication. The ~/.shosts (in each user's home directory) files list remote hosts and users that are trusted by the local system. To remove these files, run the following command to delete them from any location:
$ sudo find / -name '.shosts' -type f -delete
SRG-OS-000360-GPOS-00147
SRG-OS-000480-GPOS-00225
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00232
CCI-000366
package_abrt-addon-ccpp_removed low Uninstall abrt-addon-ccpp Package abrt-addon-ccpp contains hooks for C/C++ crashed programs and abrt's C/C++ analyzer plugin. The abrt-addon-ccpp package can be removed with the following command:
$ sudo yum erase abrt-addon-ccpp
SRG-OS-000095-GPOS-00049
CCI-000381
package_abrt-addon-kerneloops_removed low Uninstall abrt-addon-kerneloops Package abrt-addon-kerneloops contains plugins for collecting kernel crash information and reporter plugin which sends this information to a specified server, usually to kerneloops.org. The abrt-addon-kerneloops package can be removed with the following command:
$ sudo yum erase abrt-addon-kerneloops
SRG-OS-000095-GPOS-00049
CCI-000381
package_abrt-cli_removed low Uninstall abrt-cli Package abrt-cli contains a command line client for controlling abrt daemon over sockets. The abrt-cli package can be removed with the following command:
$ sudo yum erase abrt-cli
SRG-OS-000095-GPOS-00049
CCI-000381
package_abrt-plugin-sosreport_removed low Uninstall abrt-plugin-sosreport Package abrt-plugin-sosreport provides a plugin to include an sosreport in an ABRT report. The abrt-plugin-sosreport package can be removed with the following command:
$ sudo yum erase abrt-plugin-sosreport
SRG-OS-000095-GPOS-00049
CCI-000381
package_abrt_removed medium Uninstall Automatic Bug Reporting Tool (abrt) Mishandling crash data could expose sensitive information about vulnerabilities in software executing on the system, as well as sensitive information from within a process's address space or registers. The Automatic Bug Reporting Tool (abrt) collects and reports crash data when an application crash is detected. Using a variety of plugins, abrt can email crash reports to system administrators, log crash reports to files, or forward crash reports to a centralized issue tracking system such as RHTSupport. The abrt package can be removed with the following command:
$ sudo yum erase abrt
SRG-OS-000095-GPOS-00049
CCI-000381
package_aide_installed medium Install AIDE The AIDE package must be installed if it is to be available for integrity checking. The aide package can be installed with the following command:
$ sudo yum install aide
SRG-OS-000445-GPOS-00199
SRG-OS-000446-GPOS-00200
SRG-OS-000363-GPOS-00150
CCI-002696
CCI-002699
CCI-001744
package_audit_installed medium Ensure the audit Subsystem is Installed The auditd service is an access monitoring and accounting daemon, watching system calls to audit any access, in comparison with potential local access control policy such as SELinux policy. The audit package should be installed. SRG-OS-000037-GPOS-00015
SRG-OS-000038-GPOS-00016
SRG-OS-000039-GPOS-00017
SRG-OS-000040-GPOS-00018
SRG-OS-000041-GPOS-00019
SRG-OS-000042-GPOS-00020
SRG-OS-000042-GPOS-00021
SRG-OS-000051-GPOS-00024
SRG-OS-000054-GPOS-00025
SRG-OS-000064-GPOS-00033
SRG-OS-000458-GPOS-00203
SRG-OS-000461-GPOS-00205
SRG-OS-000462-GPOS-00206
SRG-OS-000463-GPOS-00207
SRG-OS-000465-GPOS-00209
SRG-OS-000466-GPOS-00210
SRG-OS-000467-GPOS-00211
SRG-OS-000468-GPOS-00212
SRG-OS-000470-GPOS-00214
SRG-OS-000471-GPOS-00215
SRG-OS-000471-GPOS-00216
SRG-OS-000472-GPOS-00217
SRG-OS-000473-GPOS-00218
SRG-OS-000474-GPOS-00219
SRG-OS-000475-GPOS-00220
SRG-OS-000476-GPOS-00221
SRG-OS-000477-GPOS-00222
SRG-OS-000254-GPOS-00095
SRG-OS-000255-GPOS-00096
SRG-OS-000365-GPOS-00152
SRG-OS-000348-GPOS-00136
SRG-OS-000122-GPOS-00063
SRG-OS-000349-GPOS-00137
SRG-OS-000350-GPOS-00138
SRG-OS-000351-GPOS-00139
SRG-OS-000352-GPOS-00140
SRG-OS-000353-GPOS-00141
SRG-OS-000354-GPOS-00142
SRG-OS-000358-GPOS-00145
SRG-OS-000337-GPOS-00129
SRG-OS-000392-GPOS-00172
SRG-OS-000062-GPOS-00031
CCI-000130
CCI-000131
CCI-000132
CCI-000133
CCI-000134
CCI-000135
CCI-000154
CCI-000158
CCI-000172
CCI-001464
CCI-001487
CCI-001814
CCI-001875
CCI-001876
CCI-001877
CCI-001878
CCI-001879
CCI-001880
CCI-001881
CCI-001882
CCI-001889
CCI-001914
CCI-002884
CCI-000169
package_fapolicyd_installed medium Install fapolicyd Package fapolicyd (File Access Policy Daemon) implements application whitelisting to decide file access rights. The fapolicyd package can be installed with the following command:
$ sudo yum install fapolicyd
SRG-OS-000368-GPOS-00154
SRG-OS-000370-GPOS-00155
CCI-001764
CCI-001774
package_firewalld_installed medium Install firewalld Package "Firewalld" provides an easy and effective way to block/limit remote access to the system via ports, services, and protocols. Remote access services, such as those providing remote access to network devices and information systems, which lack automated control capabilities, increase risk and make remote user access management difficult at best. Remote access is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. Red Hat Enterprise Linux 8 functionality (e.g., SSH) must be capable of taking enforcement action if the audit reveals unauthorized activity. Automated control of remote access sessions allows organizations to ensure ongoing compliance with remote access policies by enforcing connection rules of remote access applications on a variety of information system components (e.g., servers, workstations, notebook computers, smartphones, and tablets)." The firewalld package can be installed with the following command:
$ sudo yum install firewalld
SRG-OS-000297-GPOS-00115
CCI-002314
package_gssproxy_removed medium Uninstall gssproxy Package gssproxy is a proxy for GSS API credential handling. The gssproxy package can be removed with the following command:
$ sudo yum erase gssproxy
SRG-OS-000095-GPOS-00049
SRG-OS-000360-GPOS-00147
SRG-OS-000480-GPOS-00225
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00232
CCI-000381
CCI-000366
package_iprutils_removed medium Uninstall iprutils Package iprutils provides a suite of utlilities to manage and configure SCSI devices supported by the ipr SCSI storage device driver. The iprutils package can be removed with the following command:
$ sudo yum erase iprutils
SRG-OS-000360-GPOS-00147
SRG-OS-000480-GPOS-00225
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00232
CCI-000366
package_krb5-server_removed medium Remove the Kerberos Server Package Unnecessary packages should not be installed to decrease the attack surface of the system. While this software is clearly essential on an KDC server, it is not necessary on typical desktop or workstation systems. The krb5-server package should be removed if not in use. Is this system the Kerberos server? If not, remove the package. The krb5-server package can be removed with the following command:
$ sudo yum erase krb5-server
The krb5-server RPM is not installed by default on a Red Hat Enterprise Linux 8 system. It is needed only by the Kerberos servers, not by the clients which use Kerberos for authentication. If the system is not intended for use as a Kerberos Server it should be removed.
SRG-OS-000120-GPOS-00061
CCI-000803
package_krb5-workstation_removed medium Uninstall krb5-workstation Package Kerberos is a network authentication system. The krb5-workstation package contains the basic Kerberos programs (kinit, klist, kdestroy, kpasswd). The krb5-workstation package can be removed with the following command:
$ sudo yum erase krb5-workstation
SRG-OS-000120-GPOS-00061
CCI-000803
package_libreport-plugin-logger_removed low Uninstall libreport-plugin-logger Package libreport-plugin-logger is a ABRT plugin to report bugs into the Red Hat Support system. The libreport-plugin-logger package can be removed with the following command:
$ sudo yum erase libreport-plugin-logger
SRG-OS-000095-GPOS-00049
CCI-000381
package_libreport-plugin-rhtsupport_removed low Uninstall libreport-plugin-rhtsupport Package libreport-plugin-rhtsupport is a ABRT plugin to report bugs into the Red Hat Support system. The libreport-plugin-rhtsupport package can be removed with the following command:
$ sudo yum erase libreport-plugin-rhtsupport
SRG-OS-000095-GPOS-00049
CCI-000381
package_mcafeetp_installed medium Install McAfee Endpoint Security for Linux (ENSL) Virus scanning software can be used to detect if a system has been compromised by computer viruses, as well as to limit their spread to other systems. Install McAfee Endpoint Security for Linux antivirus software which is provided for DoD systems and uses signatures to search for the presence of viruses on the filesystem. The McAfeeTP package can be installed with the following command:
$ sudo yum install McAfeeTP
SRG-OS-000191-GPOS-00080
CCI-001233
package_opensc_installed medium Install the opensc Package For Multifactor Authentication Using an authentication device, such as a CAC or token that is separate from the information system, ensures that even if the information system is compromised, that compromise will not affect credentials stored on the authentication device.

Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification card and the DoD Common Access Card.
The opensc package can be installed with the following command:
$ sudo yum install opensc
SRG-OS-000377-GPOS-00162
SRG-OS-000376-GPOS-00161
CCI-001954
CCI-001953
package_openssh-server_installed medium Install the OpenSSH Server Package Without protection of the transmitted information, confidentiality, and integrity may be compromised because unprotected communications can be intercepted and either read or altered. The openssh-server package should be installed. The openssh-server package can be installed with the following command:
$ sudo yum install openssh-server
SRG-OS-000423-GPOS-00187
SRG-OS-000481-GPOS-00481
SRG-OS-000425-GPOS-00189
SRG-OS-000424-GPOS-00188
SRG-OS-000426-GPOS-00190
CCI-002418
CCI-002420
CCI-002421
CCI-002422
package_policycoreutils_installed low Install policycoreutils Package Security-enhanced Linux is a feature of the Linux kernel and a number of utilities with enhanced security functionality designed to add mandatory access controls to Linux. The Security-enhanced Linux kernel contains new architectural components originally developed to improve security of the Flask operating system. These architectural components provide general support for the enforcement of many kinds of mandatory access control policies, including those based on the concepts of Type Enforcement, Role-based Access Control, and Multi-level Security. policycoreutils contains the policy core utilities that are required for basic operation of an SELinux-enabled system. These utilities include load_policy to load SELinux policies, setfiles to label filesystems, newrole to switch roles, and so on. The policycoreutils package can be installed with the following command:
$ sudo yum install policycoreutils
SRG-OS-000134-GPOS-00068
CCI-001084
package_postfix_installed medium The Postfix package is installed Emails can be used to notify designated personnel about important system events such as failures or warnings. A mail server is required for sending emails. The postfix package can be installed with the following command:
$ sudo yum install postfix
package_python3-abrt-addon_removed low Uninstall python3-abrt-addon Package python3-abrt-addon contains python hook and python analyzer plugin for handling uncaught exceptions in python programs. The python3-abrt-addon package can be removed with the following command:
$ sudo yum erase python3-abrt-addon
SRG-OS-000095-GPOS-00049
CCI-000381
package_rng-tools_installed low Install rng-tools Package rng-tools provides hardware random number generator tools, such as those used in the formation of x509/PKI certificates. The rng-tools package can be installed with the following command:
$ sudo yum install rng-tools
SRG-OS-000360-GPOS-00147
SRG-OS-000480-GPOS-00225
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00232
CCI-000366
package_rsh-server_removed high Uninstall rsh-server Package The rsh-server service provides unencrypted remote access service which does not provide for the confidentiality and integrity of user passwords or the remote session and has very weak authentication. If a privileged user were to login using this service, the privileged user password could be compromised. The rsh-server package provides several obsolete and insecure network services. Removing it decreases the risk of those services' accidental (or intentional) activation. The rsh-server package can be removed with the following command:
$ sudo yum erase rsh-server
SRG-OS-000095-GPOS-00049
CCI-000381
package_rsyslog-gnutls_installed medium Ensure rsyslog-gnutls is installed The rsyslog-gnutls package provides Transport Layer Security (TLS) support for the rsyslog daemon, which enables secure remote logging. TLS protocol support for rsyslog is installed. The rsyslog-gnutls package can be installed with the following command:
$ sudo yum install rsyslog-gnutls
SRG-OS-000360-GPOS-00147
SRG-OS-000480-GPOS-00225
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00232
CCI-000366
package_rsyslog_installed medium Ensure rsyslog is Installed The rsyslog package provides the rsyslog daemon, which provides system logging services. Rsyslog is installed by default. The rsyslog package can be installed with the following command:
 $ sudo yum install rsyslog
SRG-OS-000205-GPOS-00083
SRG-OS-000360-GPOS-00147
SRG-OS-000480-GPOS-00225
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00232
CCI-001311
CCI-001312
CCI-000366
package_sendmail_removed medium Uninstall Sendmail Package The sendmail software was not developed with security in mind and its design prevents it from being effectively contained by SELinux. Postfix should be used instead. Sendmail is not the default mail transfer agent and is not installed by default. The sendmail package can be removed with the following command:
$ sudo yum erase sendmail
SRG-OS-000095-GPOS-00049
CCI-000381
package_telnet-server_removed high Uninstall telnet-server Package It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities are often overlooked and therefore may remain unsecure. They increase the risk to the platform by providing additional attack vectors.
The telnet service provides an unencrypted remote access service which does not provide for the confidentiality and integrity of user passwords or the remote session. If a privileged user were to login using this service, the privileged user password could be compromised.
Removing the telnet-server package decreases the risk of the telnet service's accidental (or intentional) activation.
The telnet-server package can be removed with the following command:
$ sudo yum erase telnet-server
SRG-OS-000095-GPOS-00049
CCI-000381
package_tftp-server_removed high Uninstall tftp-server Package Removing the tftp-server package decreases the risk of the accidental (or intentional) activation of tftp services.

If TFTP is required for operational support (such as transmission of router configurations), its use must be documented with the Information Systems Securty Manager (ISSM), restricted to only authorized personnel, and have access control rules established.
The tftp-server package can be removed with the following command:
 $ sudo yum erase tftp-server
SRG-OS-000360-GPOS-00147
SRG-OS-000480-GPOS-00225
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00232
SRG-OS-000362-GPOS-00149
SRG-OS-000364-GPOS-00151
SRG-OS-000365-GPOS-00152
CCI-000318
CCI-000366
CCI-000368
CCI-001812
CCI-001813
CCI-001814
package_tmux_installed medium Install the tmux Package A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not logout because of the temporary nature of the absence. Rather than relying on the user to manually lock their operation system session prior to vacating the vicinity, operating systems need to be able to identify when a user's session has idled and take action to initiate the session lock.

The tmux package allows for a session lock to be implemented and configured.
To enable console screen locking, install the tmux package. A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence. The session lock is implemented at the point where session activity can be determined. Rather than be forced to wait for a period of time to expire before the user session can be locked, Red Hat Enterprise Linux 8 needs to provide users with the ability to manually invoke a session lock so users can secure their session if it is necessary to temporarily vacate the immediate physical vicinity. Instruct users to begin new terminal sessions with the following command:
$ tmux
The console can now be locked with the following key combination:
ctrl+b :lock-session
SRG-OS-000030-GPOS-00011
SRG-OS-000028-GPOS-00009
CCI-000058
CCI-000056
package_tuned_removed medium Uninstall tuned Package tuned contains a daemon that tunes the system settings dynamically. It does so by monitoring the usage of several system components periodically. Based on that information, components will then be put into lower or higher power savings modes to adapt to the current usage. The tuned package can be removed with the following command:
$ sudo yum erase tuned
SRG-OS-000360-GPOS-00147
SRG-OS-000480-GPOS-00225
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00232
CCI-000366
package_usbguard_installed medium Install usbguard Package usbguard is a software framework that helps to protect against rogue USB devices by implementing basic whitelisting/blacklisting capabilities based on USB device attributes. The usbguard package can be installed with the following command:
$ sudo yum install usbguard
SRG-OS-000378-GPOS-00163
CCI-001958
package_vsftpd_removed high Uninstall vsftpd Package Removing the vsftpd package decreases the risk of its accidental activation. The vsftpd package can be removed with the following command:
 $ sudo yum erase vsftpd
SRG-OS-000074-GPOS-00042
SRG-OS-000360-GPOS-00147
SRG-OS-000480-GPOS-00225
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00232
SRG-OS-000095-GPOS-00049
CCI-000197
CCI-000366
CCI-000381
partition_for_home low Ensure /home Located On Separate Partition Ensuring that /home is mounted on its own partition enables the setting of more restrictive mount options, and also helps ensure that users cannot trivially fill partitions used for log or audit data storage. If user home directories will be stored locally, create a separate partition for /home at installation time (or migrate it later using LVM). If /home will be mounted from another system such as an NFS server, then creating a separate partition is not necessary at installation time, and the mountpoint can instead be configured later. SRG-OS-000360-GPOS-00147
SRG-OS-000480-GPOS-00225
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00232
CCI-000366
CCI-001208
partition_for_tmp low Ensure /tmp Located On Separate Partition The /tmp partition is used as temporary storage by many programs. Placing /tmp in its own partition enables the setting of more restrictive mount options, which can help protect programs which use it. The /tmp directory is a world-writable directory used for temporary file storage. Ensure it has its own partition or logical volume at installation time, or migrate it using LVM. SRG-OS-000360-GPOS-00147
SRG-OS-000480-GPOS-00225
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00232
CCI-000366
partition_for_var low Ensure /var Located On Separate Partition Ensuring that /var is mounted on its own partition enables the setting of more restrictive mount options. This helps protect system services such as daemons or other programs which use it. It is not uncommon for the /var directory to contain world-writable directories installed by other software packages. The /var directory is used by daemons and other system services to store frequently-changing data. Ensure that /var has its own partition or logical volume at installation time, or migrate it using LVM. SRG-OS-000360-GPOS-00147
SRG-OS-000480-GPOS-00225
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00232
CCI-000366
partition_for_var_log low Ensure /var/log Located On Separate Partition Placing /var/log in its own partition enables better separation between log files and other files in /var/. System logs are stored in the /var/log directory. Ensure that /var/log has its own partition or logical volume at installation time, or migrate it using LVM. SRG-OS-000360-GPOS-00147
SRG-OS-000480-GPOS-00225
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00232
CCI-000366
partition_for_var_log_audit low Ensure /var/log/audit Located On Separate Partition Placing /var/log/audit in its own partition enables better separation between audit files and other files, and helps ensure that auditing cannot be halted due to the partition running out of space. Audit logs are stored in the /var/log/audit directory. Ensure that /var/log/audit has its own partition or logical volume at installation time, or migrate it using LVM. Make absolutely certain that it is large enough to store all audit logs that will be created by the auditing daemon. SRG-OS-000360-GPOS-00147
SRG-OS-000480-GPOS-00225
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00232
SRG-OS-000341-GPOS-00132
CCI-000366
CCI-001849
partition_for_var_tmp medium Ensure /var/tmp Located On Separate Partition The /var/tmp partition is used as temporary storage by many programs. Placing /var/tmp in its own partition enables the setting of more restrictive mount options, which can help protect programs which use it. The /var/tmp directory is a world-writable directory used for temporary file storage. Ensure it has its own partition or logical volume at installation time, or migrate it using LVM.
postfix_client_configure_mail_alias_postmaster medium Configure System to Forward All Mail From Postmaster to The Root Account It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notification, the security personnel may be unaware of an impending failure of the audit capability, and system operation may be adversely affected. Audit processing failures include software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. Verify the administrators are notified in the event of an audit processing failure. Check that the "/etc/aliases" file has a defined value for "root".
$ sudo grep "postmaster:\s*root$" /etc/aliases

postmaster: root
SRG-OS-000046-GPOS-00022
CCI-000139
postfix_prevent_unrestricted_relay medium Prevent Unrestricted Mail Relaying If unrestricted mail relaying is permitted, unauthorized senders could use this host as a mail relay for the purpose of sending spam or other unauthorized activity. Modify the
/etc/postfix/main.cf
file to restrict client connections to the local network with the following command:
$ sudo postconf -e 'smtpd_client_restrictions = permit_mynetworks,reject'
SRG-OS-000360-GPOS-00147
SRG-OS-000480-GPOS-00225
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00232
CCI-000366
require_emergency_target_auth medium Require Authentication for Emergency Systemd Target This prevents attackers with physical access from trivially bypassing security on the machine and gaining root access. Such accesses are further prevented by configuring the bootloader password. Emergency mode is intended as a system recovery method, providing a single user root access to the system during a failed boot sequence.

By default, Emergency mode is protected by requiring a password and is set in /usr/lib/systemd/system/emergency.service.
SRG-OS-000080-GPOS-00048
CCI-000213
require_singleuser_auth medium Require Authentication for Single User Mode This prevents attackers with physical access from trivially bypassing security on the machine and gaining root access. Such accesses are further prevented by configuring the bootloader password. Single-user mode is intended as a system recovery method, providing a single user root access to the system by providing a boot option at startup. By default, no authentication is performed if single-user mode is selected.

By default, single-user mode is protected by requiring a password and is set in /usr/lib/systemd/system/rescue.service.
SRG-OS-000080-GPOS-00048
CCI-000213
root_permissions_syslibrary_files medium Verify the system-wide library files in directories "/lib", "/lib64", "/usr/lib/" and "/usr/lib64" are group-owned by root. If the operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement applies to operating systems with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs which execute with escalated privileges. Only qualified and authorized individuals must be allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications. System-wide library files are stored in the following directories by default:
/lib
/lib64
/usr/lib
/usr/lib64
All system-wide shared library files should be protected from unauthorised access. If any of these files is not group-owned by root, correct its group-owner with the following command:
$ sudo chgrp root FILE
SRG-OS-000259-GPOS-00100
CCI-001499
rsyslog_cron_logging medium Ensure cron Is Logging To Rsyslog Cron logging can be used to trace the successful or unsuccessful execution of cron jobs. It can also be used to spot intrusions into the use of the cron facility by unauthorized and malicious users. Cron logging must be implemented to spot intrusions or trace cron job status. If cron is not logging to rsyslog, it can be implemented by adding the following to the RULES section of /etc/rsyslog.conf:
cron.*                                                  /var/log/cron
SRG-OS-000360-GPOS-00147
SRG-OS-000480-GPOS-00225
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00232
CCI-000366
rsyslog_encrypt_offload_actionsendstreamdriverauthmode medium Ensure Rsyslog Authenticates Off-Loaded Audit Records The audit records generated by Rsyslog contain valuable information regarding system configuration, user authentication, and other such information. Audit records should be protected from unauthorized access. Rsyslogd is a system utility providing support for message logging. Support for both internet and UNIX domain sockets enables this utility to support both local and remote logging. Couple this utility with gnutls (which is a secure communications library implementing the SSL, TLS and DTLS protocols), and you have a method to securely encrypt and off-load auditing. When using rsyslogd to off-load logs the remote system must be authenticated. SRG-OS-000342-GPOS-00133
SRG-OS-000479-GPOS-00224
CCI-001851
rsyslog_encrypt_offload_actionsendstreamdrivermode medium Ensure Rsyslog Encrypts Off-Loaded Audit Records The audit records generated by Rsyslog contain valuable information regarding system configuration, user authentication, and other such information. Audit records should be protected from unauthorized access. Rsyslogd is a system utility providing support for message logging. Support for both internet and UNIX domain sockets enables this utility to support both local and remote logging. Couple this utility with gnutls (which is a secure communications library implementing the SSL, TLS and DTLS protocols), and you have a method to securely encrypt and off-load auditing. When using rsyslogd to off-load logs off a encrpytion system must be used. SRG-OS-000342-GPOS-00133
SRG-OS-000479-GPOS-00224
CCI-001851
rsyslog_encrypt_offload_defaultnetstreamdriver medium Ensure Rsyslog Encrypts Off-Loaded Audit Records The audit records generated by Rsyslog contain valuable information regarding system configuration, user authentication, and other such information. Audit records should be protected from unauthorized access. Rsyslogd is a system utility providing support for message logging. Support for both internet and UNIX domain sockets enables this utility to support both local and remote logging. Couple this utility with gnutls (which is a secure communications library implementing the SSL, TLS and DTLS protocols), and you have a method to securely encrypt and off-load auditing. When using rsyslogd to off-load logs off an encryption system must be used. SRG-OS-000342-GPOS-00133
SRG-OS-000479-GPOS-00224
CCI-001851
rsyslog_remote_access_monitoring medium Ensure remote access methods are monitored in Rsyslog Logging remote access methods can be used to trace the decrease the risks associated with remote user access management. It can also be used to spot cyber attacks and ensure ongoing compliance with organizational policies surrounding the use of remote access methods. Logging of remote access methods must be implemented to help identify cyber attacks and ensure ongoing compliance with remote access policies are being audited and upheld. An examples of a remote access method is the use of the Remote Desktop Protocol (RDP) from an external, non-organization controlled network. The /etc/rsyslog.conf or /etc/rsyslog.d/*.conf file should contain a match for the following selectors: auth.*, authpriv.*, and daemon.*. If not, use the following as an example configuration:
auth.*;authpriv.*;daemon.*                              /var/log/secure
SRG-OS-000032-GPOS-00013
CCI-000067
rsyslog_remote_loghost medium Ensure Logs Sent To Remote Host A log server (loghost) receives syslog messages from one or more systems. This data can be used as an additional log source in the event a system is compromised and its local logs are suspect. Forwarding log messages to a remote loghost also provides system administrators with a centralized place to view the status of multiple hosts within the enterprise. To configure rsyslog to send logs to a remote log server, open /etc/rsyslog.conf and read and understand the last section of the file, which describes the multiple directives necessary to activate remote logging. Along with these other directives, the system can be configured to forward its logs to a particular log server by adding or correcting one of the following lines, substituting appropriately. The choice of protocol depends on the environment of the system; although TCP and RELP provide more reliable message delivery, they may not be supported in all environments.
To use UDP for log message delivery:
*.* @

To use TCP for log message delivery:
*.* @@

To use RELP for log message delivery:
*.* :omrelp:

There must be a resolvable DNS CNAME or Alias record set to "" for logs to be sent correctly to the centralized logging utility.
SRG-OS-000360-GPOS-00147
SRG-OS-000480-GPOS-00225
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00232
SRG-OS-000342-GPOS-00133
SRG-OS-000479-GPOS-00224
CCI-000366
CCI-001348
CCI-000136
CCI-001851
security_patches_up_to_date medium Ensure Software Patches Installed Installing software updates is a fundamental mitigation against the exploitation of publicly-known vulnerabilities. If the most recent security patches and updates are not installed, unauthorized users may take advantage of weaknesses in the unpatched software. The lack of prompt attention to patching could result in a system compromise. If the system is joined to the Red Hat Network, a Red Hat Satellite Server, or a yum server, run the following command to install updates:
$ sudo yum update
If the system is not configured to use one of these sources, updates (in the form of RPM packages) can be manually downloaded from the Red Hat Network and installed using rpm.

NOTE: U.S. Defense systems are required to be patched within 30 days or sooner as local policy dictates.
SRG-OS-000360-GPOS-00147
SRG-OS-000480-GPOS-00225
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00232
CCI-000366
CCI-001227
selinux_policytype medium Configure SELinux Policy Setting the SELinux policy to targeted or a more specialized policy ensures the system will confine processes that are likely to be targeted for exploitation, such as network or system services.

Note: During the development or debugging of SELinux modules, it is common to temporarily place non-production systems in permissive mode. In such temporary cases, SELinux policies should be developed, and once work is completed, the system should be reconfigured to .
The SELinux targeted policy is appropriate for general-purpose desktops and servers, as well as systems in many other roles. To configure the system to use this policy, add or correct the following line in /etc/selinux/config:
SELINUXTYPE=
Other policies, such as mls, provide additional security labeling and greater confinement but are not compatible with many general-purpose use cases.
SRG-OS-000312-GPOS-00122
SRG-OS-000312-GPOS-00123
SRG-OS-000312-GPOS-00124
SRG-OS-000445-GPOS-00199
CCI-002165
CCI-002696
selinux_state medium Ensure SELinux State is Enforcing Setting the SELinux state to enforcing ensures SELinux is able to confine potentially compromised processes to the security policy, which is designed to prevent them from causing damage to the system or further elevating their privileges. The SELinux state should be set to at system boot time. In the file /etc/selinux/config, add or correct the following line to configure the system to boot into enforcing mode:
SELINUX=
SRG-OS-000134-GPOS-00068
SRG-OS-000312-GPOS-00122
SRG-OS-000312-GPOS-00123
SRG-OS-000312-GPOS-00124
SRG-OS-000445-GPOS-00199
CCI-001084
CCI-002165
CCI-002696
service_auditd_enabled medium Enable auditd Service Without establishing what type of events occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. Ensuring the auditd service is active ensures audit records generated by the kernel are appropriately recorded.

Additionally, a properly configured audit subsystem ensures that actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions.
The auditd service is an essential userspace component of the Linux Auditing System, as it is responsible for writing audit records to disk. The auditd service can be enabled with the following command:
$ sudo systemctl enable auditd.service
SRG-OS-000037-GPOS-00015
SRG-OS-000038-GPOS-00016
SRG-OS-000039-GPOS-00017
SRG-OS-000040-GPOS-00018
SRG-OS-000041-GPOS-00019
SRG-OS-000042-GPOS-00020
SRG-OS-000042-GPOS-00021
SRG-OS-000051-GPOS-00024
SRG-OS-000054-GPOS-00025
SRG-OS-000064-GPOS-00033
SRG-OS-000458-GPOS-00203
SRG-OS-000461-GPOS-00205
SRG-OS-000462-GPOS-00206
SRG-OS-000463-GPOS-00207
SRG-OS-000465-GPOS-00209
SRG-OS-000466-GPOS-00210
SRG-OS-000467-GPOS-00211
SRG-OS-000468-GPOS-00212
SRG-OS-000470-GPOS-00214
SRG-OS-000471-GPOS-00215
SRG-OS-000471-GPOS-00216
SRG-OS-000472-GPOS-00217
SRG-OS-000473-GPOS-00218
SRG-OS-000474-GPOS-00219
SRG-OS-000475-GPOS-00220
SRG-OS-000476-GPOS-00221
SRG-OS-000477-GPOS-00222
SRG-OS-000360-GPOS-00147
SRG-OS-000480-GPOS-00225
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00232
SRG-OS-000254-GPOS-00095
SRG-OS-000255-GPOS-00096
SRG-OS-000365-GPOS-00152
SRG-OS-000348-GPOS-00136
SRG-OS-000122-GPOS-00063
SRG-OS-000349-GPOS-00137
SRG-OS-000392-GPOS-00172
SRG-OS-000350-GPOS-00138
SRG-OS-000351-GPOS-00139
SRG-OS-000352-GPOS-00140
SRG-OS-000353-GPOS-00141
SRG-OS-000354-GPOS-00142
SRG-OS-000358-GPOS-00145
SRG-OS-000337-GPOS-00129
SRG-OS-000062-GPOS-00031
CCI-000126
CCI-000130
CCI-000131
CCI-000132
CCI-000133
CCI-000134
CCI-000135
CCI-000154
CCI-000158
CCI-000172
CCI-000366
CCI-001464
CCI-001487
CCI-001814
CCI-001875
CCI-001876
CCI-001877
CCI-002884
CCI-001878
CCI-001879
CCI-001880
CCI-001881
CCI-001882
CCI-001889
CCI-001914
CCI-000169
service_autofs_disabled medium Disable the Automounter Disabling the automounter permits the administrator to statically control filesystem mounting through /etc/fstab.

Additionally, automatically mounting filesystems permits easy introduction of unknown devices, thereby facilitating malicious activity.
The autofs daemon mounts and unmounts filesystems, such as user home directories shared via NFS, on demand. In addition, autofs can be used to handle removable media, and the default configuration provides the cdrom device as /misc/cd. However, this method of providing access to removable media is not common, so autofs can almost always be disabled if NFS is not in use. Even if NFS is required, it may be possible to configure filesystem mounts statically by editing /etc/fstab rather than relying on the automounter.

The autofs service can be disabled with the following command:
$ sudo systemctl mask --now autofs.service
SRG-OS-000360-GPOS-00147
SRG-OS-000480-GPOS-00225
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00232
SRG-OS-000114-GPOS-00059
SRG-OS-000378-GPOS-00163
CCI-000366
CCI-000778
CCI-001958
service_debug-shell_disabled medium Disable debug-shell SystemD Service This prevents attackers with physical access from trivially bypassing security on the machine through valid troubleshooting configurations and gaining root access when the system is rebooted. SystemD's debug-shell service is intended to diagnose SystemD related boot issues with various systemctl commands. Once enabled and following a system reboot, the root shell will be available on tty9 which is access by pressing CTRL-ALT-F9. The debug-shell service should only be used for SystemD related issues and should otherwise be disabled.

By default, the debug-shell SystemD service is already disabled. The debug-shell service can be disabled with the following command:
$ sudo systemctl mask --now debug-shell.service
SRG-OS-000360-GPOS-00147
SRG-OS-000480-GPOS-00225
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00232
CCI-000366
service_fapolicyd_enabled medium Enable the File Access Policy Service The fapolicyd service (File Access Policy Daemon) implements application whitelisting to decide file access rights. The File Access Policy service should be enabled. The fapolicyd service can be enabled with the following command:
$ sudo systemctl enable fapolicyd.service
SRG-OS-000368-GPOS-00154
SRG-OS-000370-GPOS-00155
CCI-001764
CCI-001774
service_firewalld_enabled medium Verify firewalld Enabled Access control methods provide the ability to enhance system security posture by restricting services and known good IP addresses and address ranges. This prevents connections from unknown hosts and protocols. The firewalld service can be enabled with the following command:
$ sudo systemctl enable firewalld.service
SRG-OS-000360-GPOS-00147
SRG-OS-000480-GPOS-00225
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00232
SRG-OS-000096-GPOS-00050
SRG-OS-000297-GPOS-00115
CCI-000366
CCI-000382
CCI-002314
service_kdump_disabled medium Disable KDump Kernel Crash Analyzer (kdump) Kernel core dumps may contain the full contents of system memory at the time of the crash. Kernel core dumps consume a considerable amount of disk space and may result in denial of service by exhausting the available space on the target file system partition. Unless the system is used for kernel development or testing, there is little need to run the kdump service. The kdump service provides a kernel crash dump analyzer. It uses the kexec system call to boot a secondary kernel ("capture" kernel) following a system crash, which can load information from the crashed kernel for analysis. The kdump service can be disabled with the following command:
$ sudo systemctl mask --now kdump.service
SRG-OS-000360-GPOS-00147
SRG-OS-000480-GPOS-00225
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00232
SRG-OS-000269-GPOS-00103
CCI-000366
CCI-001665
service_rngd_enabled low Enable the Hardware RNG Entropy Gatherer Service The rngd service feeds random data from hardware device to kernel random device. The Hardware RNG Entropy Gatherer service should be enabled. The rngd service can be enabled with the following command:
$ sudo systemctl enable rngd.service
SRG-OS-000360-GPOS-00147
SRG-OS-000480-GPOS-00225
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00232
CCI-000366
service_rsyslog_enabled medium Enable rsyslog Service The rsyslog service must be running in order to provide logging services, which are essential to system administration. The rsyslog service provides syslog-style logging by default on Red Hat Enterprise Linux 8. The rsyslog service can be enabled with the following command:
$ sudo systemctl enable rsyslog.service
SRG-OS-000205-GPOS-00083
SRG-OS-000342-GPOS-00133
SRG-OS-000479-GPOS-00224
SRG-OS-000360-GPOS-00147
SRG-OS-000480-GPOS-00225
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00232
CCI-001311
CCI-001312
CCI-001557
CCI-001851
CCI-000366
service_sshd_enabled medium Enable the OpenSSH Service Without protection of the transmitted information, confidentiality, and integrity may be compromised because unprotected communications can be intercepted and either read or altered.

This checklist item applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, etc). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification.
The SSH server service, sshd, is commonly needed. The sshd service can be enabled with the following command:
$ sudo systemctl enable sshd.service
SRG-OS-000423-GPOS-00187
SRG-OS-000481-GPOS-00481
SRG-OS-000425-GPOS-00189
SRG-OS-000424-GPOS-00188
SRG-OS-000426-GPOS-00190
CCI-002418
CCI-002420
CCI-002421
CCI-002422
service_systemd-coredump_disabled medium Disable acquiring, saving, and processing core dumps A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers trying to debug problems. The systemd-coredump.socket unit is a socket activation of the systemd-coredump@.service which processes core dumps. By masking the unit, core dump processing is disabled. SRG-OS-000360-GPOS-00147
SRG-OS-000480-GPOS-00225
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00232
CCI-000366
service_usbguard_enabled medium Enable the USBGuard Service The usbguard service must be running in order to enforce the USB device authorization policy for all USB devices. The USBGuard service should be enabled. The usbguard service can be enabled with the following command:
$ sudo systemctl enable usbguard.service
SRG-OS-000378-GPOS-00163
CCI-000416
CCI-001958
set_password_hashing_algorithm_logindefs medium Set Password Hashing Algorithm in /etc/login.defs Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Passwords that are encrypted with a weak algorithm are no more protected than if they are kept in plain text.

Using a stronger hashing algorithm makes password cracking attacks more difficult.
In /etc/login.defs, add or correct the following line to ensure the system will use SHA-512 as the hashing algorithm:
ENCRYPT_METHOD SHA512
SRG-OS-000073-GPOS-00041
CCI-000196
set_password_hashing_algorithm_passwordauth medium Set PAM''s Password Hashing Algorithm - password-auth Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Passwords that are encrypted with a weak algorithm are no more protected than if they are kepy in plain text.

This setting ensures user and group account administration utilities are configured to store only encrypted representations of passwords. Additionally, the crypt_style configuration option ensures the use of a strong hashing algorithm that makes password cracking attacks more difficult.
The PAM system service can be configured to only store encrypted representations of passwords. In /etc/pam.d/password-auth, the password section of the file controls which PAM modules execute during a password change. Set the pam_unix.so module in the password section to include the argument sha512, as shown below:
password    sufficient    pam_unix.so sha512 other arguments...

This will help ensure when local users change their passwords, hashes for the new passwords will be generated using the SHA-512 algorithm. This is the default.
SRG-OS-000073-GPOS-00041
SRG-OS-000120-GPOS-00061
CCI-000196
CCI-000803
set_password_hashing_algorithm_systemauth medium Set PAM''s Password Hashing Algorithm Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Passwords that are encrypted with a weak algorithm are no more protected than if they are kepy in plain text.

This setting ensures user and group account administration utilities are configured to store only encrypted representations of passwords. Additionally, the crypt_style configuration option ensures the use of a strong hashing algorithm that makes password cracking attacks more difficult.
The PAM system service can be configured to only store encrypted representations of passwords. In "/etc/pam.d/system-auth", the password section of the file controls which PAM modules execute during a password change. Set the pam_unix.so module in the password section to include the argument sha512, as shown below:
password    sufficient    pam_unix.so sha512 other arguments...

This will help ensure when local users change their passwords, hashes for the new passwords will be generated using the SHA-512 algorithm. This is the default.
SRG-OS-000073-GPOS-00041
SRG-OS-000120-GPOS-00061
CCI-000196
CCI-000803
set_password_hashing_min_rounds_logindefs medium Set Password Hashing Rounds in /etc/login.defs Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Passwords that are encrypted with a weak algorithm are no more protected than if they are kept in plain text.

Using more hashing rounds makes password cracking attacks more difficult.
In /etc/login.defs, ensure SHA_CRYPT_MIN_ROUNDS and SHA_CRYPT_MAX_ROUNDS has the minimum value of 5000. For example:
SHA_CRYPT_MIN_ROUNDS 5000
SHA_CRYPT_MAX_ROUNDS 5000
Notice that if neither are set, they already have the default value of 5000. If either is set, they must have the minimum value of 5000.
SRG-OS-000073-GPOS-00041
SRG-OS-000120-GPOS-00061
CCI-000196
CCI-000803
sshd_disable_compression medium Disable Compression Or Set Compression to delayed If compression is allowed in an SSH connection prior to authentication, vulnerabilities in the compression software could result in compromise of the system from an unauthenticated connection, potentially with root privileges. Compression is useful for slow network connections over long distances but can cause performance issues on local LANs. If use of compression is required, it should be enabled only after a user has authenticated; otherwise, it should be disabled. To disable compression or delay compression until after a user has successfully authenticated, add or correct the following line in the /etc/ssh/sshd_config file:
Compression 
SRG-OS-000360-GPOS-00147
SRG-OS-000480-GPOS-00225
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00232
CCI-000366
sshd_disable_empty_passwords high Disable SSH Access via Empty Passwords Configuring this setting for the SSH daemon provides additional assurance that remote login via SSH will require a password, even in the event of misconfiguration elsewhere. Disallow SSH login with empty passwords. The default SSH configuration disables logins with empty passwords. The appropriate configuration is used if no value is set for PermitEmptyPasswords.
To explicitly disallow SSH login from accounts with empty passwords, add or correct the following line in /etc/ssh/sshd_config:
PermitEmptyPasswords no
Any accounts with empty passwords should be disabled immediately, and PAM configuration should prevent users from being able to assign themselves empty passwords.
SRG-OS-000360-GPOS-00147
SRG-OS-000480-GPOS-00225
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00232
SRG-OS-000106-GPOS-00053
CCI-000366
CCI-000766
sshd_disable_gssapi_auth medium Disable GSSAPI Authentication GSSAPI authentication is used to provide additional authentication mechanisms to applications. Allowing GSSAPI authentication through SSH exposes the system's GSSAPI to remote hosts, increasing the attack surface of the system. Unless needed, SSH should not permit extraneous or unnecessary authentication mechanisms like GSSAPI.
The default SSH configuration disallows authentications based on GSSAPI. The appropriate configuration is used if no value is set for GSSAPIAuthentication.
To explicitly disable GSSAPI authentication, add or correct the following line in /etc/ssh/sshd_config:
GSSAPIAuthentication no
SRG-OS-000362-GPOS-00149
SRG-OS-000364-GPOS-00151
SRG-OS-000365-GPOS-00152
SRG-OS-000360-GPOS-00147
SRG-OS-000480-GPOS-00225
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00232
CCI-000318
CCI-000368
CCI-001812
CCI-001813
CCI-001814
CCI-000366
sshd_disable_kerb_auth medium Disable Kerberos Authentication Kerberos authentication for SSH is often implemented using GSSAPI. If Kerberos is enabled through SSH, the SSH daemon provides a means of access to the system's Kerberos implementation. Configuring these settings for the SSH daemon provides additional assurance that remote logon via SSH will not use unused methods of authentication, even in the event of misconfiguration elsewhere. Unless needed, SSH should not permit extraneous or unnecessary authentication mechanisms like Kerberos.
The default SSH configuration disallows authentication validation through Kerberos. The appropriate configuration is used if no value is set for KerberosAuthentication.
To explicitly disable Kerberos authentication, add or correct the following line in /etc/ssh/sshd_config:
KerberosAuthentication no
SRG-OS-000362-GPOS-00149
SRG-OS-000364-GPOS-00151
SRG-OS-000365-GPOS-00152
SRG-OS-000360-GPOS-00147
SRG-OS-000480-GPOS-00225
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00232
CCI-000318
CCI-000368
CCI-001812
CCI-001813
CCI-001814
CCI-000366
sshd_disable_root_login medium Disable SSH Root Login Even though the communications channel may be encrypted, an additional layer of security is gained by extending the policy of not logging directly on as root. In addition, logging in with a user-specific account provides individual accountability of actions performed on the system and also helps to minimize direct attack attempts on root's password. The root user should never be allowed to login to a system directly over a network. To disable root login via SSH, add or correct the following line in /etc/ssh/sshd_config:
PermitRootLogin no
SRG-OS-000360-GPOS-00147
SRG-OS-000480-GPOS-00225
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00232
SRG-OS-000109-GPOS-00056
CCI-000366
CCI-000770
sshd_disable_user_known_hosts medium Disable SSH Support for User Known Hosts Configuring this setting for the SSH daemon provides additional assurance that remote login via SSH will require a password, even in the event of misconfiguration elsewhere. SSH can allow system users to connect to systems if a cache of the remote systems public keys is available. This should be disabled.

To ensure this behavior is disabled, add or correct the following line in /etc/ssh/sshd_config:
IgnoreUserKnownHosts yes
SRG-OS-000360-GPOS-00147
SRG-OS-000480-GPOS-00225
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00232
CCI-000366
sshd_disable_x11_forwarding medium Disable X11 Forwarding Disable X11 forwarding unless there is an operational requirement to use X11 applications directly. There is a small risk that the remote X11 servers of users who are logged in via SSH with X11 forwarding could be compromised by other users on the X11 server. Note that even if X11 forwarding is disabled, users can always install their own forwarders. The X11Forwarding parameter provides the ability to tunnel X11 traffic through the connection to enable remote graphic connections. SSH has the capability to encrypt remote X11 connections when SSH's X11Forwarding option is enabled.
The default SSH configuration disables X11Forwarding. The appropriate configuration is used if no value is set for X11Forwarding.
To explicitly disable X11 Forwarding, add or correct the following line in /etc/ssh/sshd_config:
X11Forwarding no
SRG-OS-000360-GPOS-00147
SRG-OS-000480-GPOS-00225
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00232
CCI-000366
sshd_do_not_permit_user_env medium Do Not Allow SSH Environment Options SSH environment options potentially allow users to bypass access restriction in some configurations. Ensure that users are not able to override environment variables of the SSH daemon.
The default SSH configuration disables environment processing. The appropriate configuration is used if no value is set for PermitUserEnvironment.
To explicitly disable Environment options, add or correct the following /etc/ssh/sshd_config:
PermitUserEnvironment no
SRG-OS-000360-GPOS-00147
SRG-OS-000480-GPOS-00225
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00232
CCI-000366
sshd_enable_strictmodes medium Enable Use of Strict Mode Checking If other users have access to modify user-specific SSH configuration files, they may be able to log into the system as another user. SSHs StrictModes option checks file and ownership permissions in the user's home directory .ssh folder before accepting login. If world- writable permissions are found, logon is rejected.
The default SSH configuration has StrictModes enabled. The appropriate configuration is used if no value is set for StrictModes.
To explicitly enable StrictModes in SSH, add or correct the following line in /etc/ssh/sshd_config:
StrictModes yes
SRG-OS-000360-GPOS-00147
SRG-OS-000480-GPOS-00225
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00232
CCI-000366
sshd_enable_warning_banner medium Enable SSH Warning Banner The warning message reinforces policy awareness during the logon process and facilitates possible legal action against attackers. Alternatively, systems whose ownership should not be obvious should ensure usage of a banner that does not provide easy attribution. To enable the warning banner and ensure it is consistent across the system, add or correct the following line in /etc/ssh/sshd_config:
Banner /etc/issue
Another section contains information on how to create an appropriate system-wide warning banner.
SRG-OS-000023-GPOS-00006
SRG-OS-000024-GPOS-00007
SRG-OS-000228-GPOS-00088
SRG-OS-000228-GPOS-00088
SRG-OS-000228-GPOS-00088
SRG-OS-000228-GPOS-00088
SRG-OS-000228-GPOS-00088
CCI-000048
CCI-000050
CCI-001384
CCI-001385
CCI-001386
CCI-001387
CCI-001388
sshd_print_last_log medium Enable SSH Print Last Log Providing users feedback on when account accesses last occurred facilitates user recognition and reporting of unauthorized account use. Ensure that SSH will display the date and time of the last successful account logon.
The default SSH configuration enables print of the date and time of the last login. The appropriate configuration is used if no value is set for PrintLastLog.
To explicitly enable LastLog in SSH, add or correct the following line in /etc/ssh/sshd_config:
PrintLastLog yes
SRG-OS-000360-GPOS-00147
SRG-OS-000480-GPOS-00225
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00232
CCI-000366
sshd_rekey_limit medium Force frequent session key renegotiation By decreasing the limit based on the amount of data and enabling time-based limit, effects of potential attacks against encryption keys are limited. The RekeyLimit parameter specifies how often the session key of the is renegotiated, both in terms of amount of data that may be transmitted and the time elapsed.
To decrease the default limits, add or correct the following line in /etc/ssh/sshd_config:
RekeyLimit  
SRG-OS-000033-GPOS-00014
CCI-000068
sshd_set_idle_timeout medium Set SSH Idle Timeout Interval Terminating an idle ssh session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been let unattended. SSH allows administrators to set an idle timeout interval. After this interval has passed, the idle user will be automatically logged out.

To set an idle timeout interval, edit the following line in /etc/ssh/sshd_config as follows:
ClientAliveInterval 


The timeout interval is given in seconds. For example, have a timeout of 10 minutes, set interval to 600.

If a shorter timeout has already been set for the login shell, that value will preempt any SSH setting made in /etc/ssh/sshd_config. Keep in mind that some processes may stop SSH from correctly detecting that the user is idle.
SRG-OS-000126-GPOS-00066
SRG-OS-000163-GPOS-00072
SRG-OS-000279-GPOS-00109
CCI-000879
CCI-001133
CCI-002361
sshd_set_keepalive_0 medium Set SSH Client Alive Count Max to zero This ensures a user login will be terminated as soon as the ClientAliveInterval is reached. The SSH server sends at most ClientAliveCountMax messages during a SSH session and waits for a response from the SSH client. The option ClientAliveInterval configures timeout after each ClientAliveCountMax message. If the SSH server does not receive a response from the client, then the connection is considered idle and terminated. To ensure the SSH idle timeout occurs precisely when the ClientAliveInterval is set, set the ClientAliveCountMax to value of 0 in /etc/ssh/sshd_config: SRG-OS-000126-GPOS-00066
SRG-OS-000163-GPOS-00072
SRG-OS-000279-GPOS-00109
CCI-000879
CCI-001133
CCI-002361
sshd_use_strong_rng low SSH server uses strong entropy to seed SSH implementation in Red Hat Enterprise Linux 8 uses the openssl library, which doesn't use high-entropy sources by default. Randomness is needed to generate data-encryption keys, and as plaintext padding and initialization vectors in encryption algorithms, and high-quality entropy elliminates the possibility that the output of the random number generator used by SSH would be known to potential attackers. To set up SSH server to use entropy from a high-quality source, edit the /etc/sysconfig/sshd file. The SSH_USE_STRONG_RNG configuration value determines how many bytes of entropy to use, so make sure that the file contains line
SSH_USE_STRONG_RNG=32
SRG-OS-000360-GPOS-00147
SRG-OS-000480-GPOS-00225
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00232
CCI-000366
sshd_x11_use_localhost medium Prevent remote hosts from connecting to the proxy display When X11 forwarding is enabled, there may be additional exposure to the server and client displays if the sshd proxy display is configured to listen on the wildcard address. By default, sshd binds the forwarding server to the loopback address and sets the hostname part of the DISPLAY environment variable to localhost. This prevents remote hosts from connecting to the proxy display. The SSH daemon should prevent remote hosts from connecting to the proxy display.
The default SSH configuration for X11UseLocalhost is yes, which prevents remote hosts from connecting to the proxy display.
To explicitly prevent remote connections to the proxy display, add or correct the following line in /etc/ssh/sshd_config: X11UseLocalhost yes
SRG-OS-000360-GPOS-00147
SRG-OS-000480-GPOS-00225
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00232
CCI-000366
sssd_certificate_verification medium Certificate status checking in SSSD Ensuring that multifactor solutions certificates are checked via Online Certificate Status Protocol (OCSP) ensures the security of the system. Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards. Configuring certificate_verification to ocsp_dgst= ensures that certificates for multifactor solutions are checked via Online Certificate Status Protocol (OCSP). SRG-OS-000375-GPOS-00160
SRG-OS-000377-GPOS-00162
CCI-001948
CCI-001954
sssd_enable_certmap medium Enable Certmap in SSSD Without mapping the certificate used to authenticate to the user account, the ability to determine the identity of the individual user or group will not be available for forensic analysis. SSSD should be configured to verify the certificate of the user or group. To set this up ensure that section like certmap/testing.test/rule_name is setup in /etc/sssd/sssd.conf. For example
[certmap/testing.test/rule_name]
matchrule =<SAN>.*EDIPI@mil
maprule = (userCertificate;binary={cert!bin})
domains = testing.test
SRG-OS-000068-GPOS-00036
CCI-000187
sssd_enable_smartcards medium Enable Smartcards in SSSD Using an authentication device, such as a CAC or token that is separate from the information system, ensures that even if the information system is compromised, that compromise will not affect credentials stored on the authentication device.

Multi-Factor Authentication (MFA) solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification card and the DoD Common Access Card.
SSSD should be configured to authenticate access to the system using smart cards. To enable smart cards in SSSD, set pam_cert_auth to True under the [pam] section in /etc/sssd/sssd.conf. For example:
[pam]
pam_cert_auth = True
Add or update "pam_sss.so" line in auth section of "/etc/pam.d/system-auth" file to include "try_cert_auth" or "require_cert_auth" option, like in the following example:
/etc/pam.d/system-auth:auth [success=done authinfo_unavail=ignore ignore=ignore default=die] pam_sss.so try_cert_auth
Also add or update "pam_sss.so" line in auth section of "/etc/pam.d/smartcard-auth" file to include the "allow_missing_name" option, like in the following example:
/etc/pam.d/smartcard-auth:auth sufficient pam_sss.so allow_missing_name
SRG-OS-000377-GPOS-00162
SRG-OS-000105-GPOS-00052
SRG-OS-000106-GPOS-00053
SRG-OS-000107-GPOS-00054
SRG-OS-000108-GPOS-00055
CCI-001954
CCI-000765
CCI-000766
CCI-000767
CCI-000768
sssd_offline_cred_expiration medium Configure SSSD to Expire Offline Credentials If cached authentication information is out-of-date, the validity of the authentication information may be questionable. SSSD should be configured to expire offline credentials after 1 day. Check if SSSD allows cached authentications with the following command:
$ sudo grep cache_credentials /etc/sssd/sssd.conf
cache_credentials = true
If "cache_credentials" is set to "false" or is missing no further checks are required.
To configure SSSD to expire offline credentials, set offline_credentials_expiration to 1 under the [pam] section in /etc/sssd/sssd.conf. For example:
[pam]
offline_credentials_expiration = 1
SRG-OS-000383-GPOS-00166
CCI-002007
sudo_remove_no_authenticate medium Ensure Users Re-Authenticate for Privilege Escalation - sudo !authenticate Without re-authentication, users may access resources or perform tasks for which they do not have authorization.

When operating systems provide the capability to escalate a functional capability, it is critical that the user re-authenticate.
The sudo !authenticate option, when specified, allows a user to execute commands using sudo without having to authenticate. This should be disabled by making sure that the !authenticate option does not exist in /etc/sudoers configuration file or any sudo configuration snippets in /etc/sudoers.d/. SRG-OS-000373-GPOS-00156
SRG-OS-000373-GPOS-00157
SRG-OS-000373-GPOS-00158
CCI-002038
sudo_remove_nopasswd medium Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD Without re-authentication, users may access resources or perform tasks for which they do not have authorization.

When operating systems provide the capability to escalate a functional capability, it is critical that the user re-authenticate.
The sudo NOPASSWD tag, when specified, allows a user to execute commands using sudo without having to authenticate. This should be disabled by making sure that the NOPASSWD tag does not exist in /etc/sudoers configuration file or any sudo configuration snippets in /etc/sudoers.d/. SRG-OS-000373-GPOS-00156
SRG-OS-000373-GPOS-00157
SRG-OS-000373-GPOS-00158
CCI-002038
sudo_require_reauthentication medium The operating system must require Re-Authentication when using the sudo command. Ensure sudo timestamp_timeout is appropriate - sudo timestamp_timeout Without re-authentication, users may access resources or perform tasks for which they do not have authorization.

When operating systems provide the capability to escalate a functional capability, it is critical that the user re-authenticate.
The sudo timestamp_timeout tag sets the amount of time sudo password prompt waits. The default timestamp_timeout value is 5 minutes. The timestamp_timeout should be configured by making sure that the timestamp_timeout tag exists in /etc/sudoers configuration file or any sudo configuration snippets in /etc/sudoers.d/. If the value is set to an integer less than 0, the user's time stamp will not expire and the user will not have to re-authenticate for privileged actions until the user's session is terminated. SRG-OS-000373-GPOS-00156
SRG-OS-000373-GPOS-00157
SRG-OS-000373-GPOS-00158
CCI-002038
sudo_restrict_privilege_elevation_to_authorized medium The operating system must restrict privilege elevation to authorized personnel If the "sudoers" file is not configured correctly, any user defined on the system can initiate privileged actions on the target system. The sudo command allows a user to execute programs with elevated (administrator) privileges. It prompts the user for their password and confirms your request to execute a command by checking a file, called sudoers. Restrict privileged actions by removing the following entries from the sudoers file: ALL ALL=(ALL) ALL ALL ALL=(ALL:ALL) ALL SRG-OS-000360-GPOS-00147
SRG-OS-000480-GPOS-00225
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00232
CCI-000366
sudoers_default_includedir medium Ensure sudo only includes the default configuration directory Some sudo configurtion options allow users to run programs without re-authenticating. Use of these configuration options makes it easier for one compromised accound to be used to compromise other accounts. Administrators can configure authorized sudo users via drop-in files, and it is possible to include other directories and configuration files from the file currently being parsed. Make sure that /etc/sudoers only includes drop-in configuration files from /etc/sudoers.d, or that no drop-in file is included. Either the /etc/sudoers should contain only one #includedir directive pointing to /etc/sudoers.d, and no file in /etc/sudoers.d/ should include other files or directories; Or the /etc/sudoers should not contain any #include or #includedir directives. Note that the '#' character doesn't denote a comment in the configuration file. SRG-OS-000360-GPOS-00147
SRG-OS-000480-GPOS-00225
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00232
CCI-000366
sudoers_validate_passwd medium Ensure invoking users password for privilege escalation when using sudo If the rootpw, targetpw, or runaspw flags are defined and not disabled, by default the operating system will prompt the invoking user for the "root" user password. The sudoers security policy requires that users authenticate themselves before they can use sudo. When sudoers requires authentication, it validates the invoking user's credentials. The expected output for:
sudo egrep -i '(!rootpw|!targetpw|!runaspw)' /etc/sudoers /etc/sudoers.d/* | grep -v '#'
 /etc/sudoers:Defaults !targetpw
      /etc/sudoers:Defaults !rootpw
      /etc/sudoers:Defaults !runaspw 
SRG-OS-000360-GPOS-00147
SRG-OS-000480-GPOS-00225
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00232
CCI-000366
CCI-002227
sysctl_crypto_fips_enabled high Set kernel parameter 'crypto.fips_enabled' to 1 Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The operating system must implement cryptographic modules adhering to the higher standards approved by the federal government since this provides assurance they have been tested and validated. System running in FIPS mode is indicated by kernel parameter 'crypto.fips_enabled'. This parameter should be set to 1 in FIPS mode. To enable FIPS mode, run the following command:
fips-mode-setup --enable
SRG-OS-000033-GPOS-00014
SRG-OS-000120-GPOS-00061
SRG-OS-000125-GPOS-00065
SRG-OS-000250-GPOS-00093
SRG-OS-000423-GPOS-00187
SRG-OS-000481-GPOS-00481
SRG-OS-000396-GPOS-00176
SRG-OS-000478-GPOS-00223
SRG-OS-000393-GPOS-00173
SRG-OS-000394-GPOS-00174
CCI-000068
CCI-000803
CCI-000877
CCI-001453
CCI-002418
CCI-002450
CCI-002890
CCI-003123
sysctl_fs_protected_hardlinks medium Enable Kernel Parameter to Enforce DAC on Hardlinks By enabling this kernel parameter, users can no longer create soft or hard links to files which they do not own. Disallowing such hardlinks mitigate vulnerabilities based on insecure file system accessed by privileged programs, avoiding an exploitation vector exploiting unsafe use of open() or creat(). To set the runtime status of the fs.protected_hardlinks kernel parameter, run the following command:
$ sudo sysctl -w fs.protected_hardlinks=1
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
fs.protected_hardlinks = 1
SRG-OS-000312-GPOS-00122
SRG-OS-000312-GPOS-00123
SRG-OS-000312-GPOS-00124
CCI-002165
sysctl_fs_protected_symlinks medium Enable Kernel Parameter to Enforce DAC on Symlinks By enabling this kernel parameter, symbolic links are permitted to be followed only when outside a sticky world-writable directory, or when the UID of the link and follower match, or when the directory owner matches the symlink's owner. Disallowing such symlinks helps mitigate vulnerabilities based on insecure file system accessed by privileged programs, avoiding an exploitation vector exploiting unsafe use of open() or creat(). To set the runtime status of the fs.protected_symlinks kernel parameter, run the following command:
$ sudo sysctl -w fs.protected_symlinks=1
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
fs.protected_symlinks = 1
SRG-OS-000312-GPOS-00122
SRG-OS-000312-GPOS-00123
SRG-OS-000312-GPOS-00124
CCI-002165
sysctl_kernel_core_pattern medium Disable storing core dumps A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers trying to debug problems. To set the runtime status of the kernel.core_pattern kernel parameter, run the following command:
$ sudo sysctl -w kernel.core_pattern=|/bin/false
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
kernel.core_pattern = |/bin/false
SRG-OS-000360-GPOS-00147
SRG-OS-000480-GPOS-00225
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00232
CCI-000366
sysctl_kernel_dmesg_restrict low Restrict Access to Kernel Message Buffer Unprivileged access to the kernel syslog can expose sensitive kernel address information. To set the runtime status of the kernel.dmesg_restrict kernel parameter, run the following command:
$ sudo sysctl -w kernel.dmesg_restrict=1
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
kernel.dmesg_restrict = 1
SRG-OS-000138-GPOS-00069
SRG-OS-000206-GPOS-00084
CCI-001090
CCI-001314
sysctl_kernel_kexec_load_disabled medium Disable Kernel Image Loading Disabling kexec_load allows greater control of the kernel memory. It makes it impossible to load another kernel image after it has been disabled. To set the runtime status of the kernel.kexec_load_disabled kernel parameter, run the following command:
$ sudo sysctl -w kernel.kexec_load_disabled=1
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
kernel.kexec_load_disabled = 1
SRG-OS-000366-GPOS-00153
CCI-001749
sysctl_kernel_kptr_restrict medium Restrict Exposed Kernel Pointer Addresses Access Exposing kernel pointers (through procfs or seq_printf()) exposes kernel writeable structures which may contain functions pointers. If a write vulnerability occurs in the kernel, allowing write access to any of this structure, the kernel can be compromised. This option disallow any program without the CAP_SYSLOG capability to get the addresses of kernel pointers by replacing them with 0. To set the runtime status of the kernel.kptr_restrict kernel parameter, run the following command:
$ sudo sysctl -w kernel.kptr_restrict=
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
kernel.kptr_restrict = 
SRG-OS-000433-GPOS-00192
SRG-OS-000433-GPOS-00193
SRG-OS-000360-GPOS-00147
SRG-OS-000480-GPOS-00225
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00232
CCI-002824
CCI-000366
sysctl_kernel_perf_event_paranoid low Disallow kernel profiling by unprivileged users Kernel profiling can reveal sensitive information about kernel behaviour. To set the runtime status of the kernel.perf_event_paranoid kernel parameter, run the following command:
$ sudo sysctl -w kernel.perf_event_paranoid=2
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
kernel.perf_event_paranoid = 2
SRG-OS-000138-GPOS-00069
CCI-001090
sysctl_kernel_randomize_va_space medium Enable Randomized Layout of Virtual Address Space Address space layout randomization (ASLR) makes it more difficult for an attacker to predict the location of attack code they have introduced into a process's address space during an attempt at exploitation. Additionally, ASLR makes it more difficult for an attacker to know the location of existing code in order to re-purpose it using return oriented programming (ROP) techniques. To set the runtime status of the kernel.randomize_va_space kernel parameter, run the following command:
$ sudo sysctl -w kernel.randomize_va_space=2
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
kernel.randomize_va_space = 2
SRG-OS-000360-GPOS-00147
SRG-OS-000480-GPOS-00225
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00232
SRG-OS-000433-GPOS-00192
SRG-OS-000433-GPOS-00193
CCI-000366
CCI-002824
sysctl_kernel_unprivileged_bpf_disabled medium Disable Access to Network bpf() Syscall From Unprivileged Processes Loading and accessing the packet filters programs and maps using the bpf() syscall has the potential of revealing sensitive information about the kernel state. To set the runtime status of the kernel.unprivileged_bpf_disabled kernel parameter, run the following command:
$ sudo sysctl -w kernel.unprivileged_bpf_disabled=1
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
kernel.unprivileged_bpf_disabled = 1
SRG-OS-000360-GPOS-00147
SRG-OS-000480-GPOS-00225
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00232
CCI-000366
sysctl_kernel_yama_ptrace_scope medium Restrict usage of ptrace to descendant processes Unrestricted usage of ptrace allows compromised binaries to run ptrace on another processes of the user. Like this, the attacker can steal sensitive information from the target processes (e.g. SSH sessions, web browser, ...) without any additional assistance from the user (i.e. without resorting to phishing). To set the runtime status of the kernel.yama.ptrace_scope kernel parameter, run the following command:
$ sudo sysctl -w kernel.yama.ptrace_scope=1
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
kernel.yama.ptrace_scope = 1
SRG-OS-000360-GPOS-00147
SRG-OS-000480-GPOS-00225
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00232
CCI-000366
sysctl_net_core_bpf_jit_harden medium Harden the operation of the BPF just-in-time compiler When hardened, the extended Berkeley Packet Filter just-in-time compiler will randomize any kernel addresses in the BPF programs and maps, and will not expose the JIT addresses in /proc/kallsyms. To set the runtime status of the net.core.bpf_jit_harden kernel parameter, run the following command:
$ sudo sysctl -w net.core.bpf_jit_harden=2
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.core.bpf_jit_harden = 2
SRG-OS-000360-GPOS-00147
SRG-OS-000480-GPOS-00225
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00232
CCI-000366
sysctl_net_ipv4_conf_all_accept_redirects medium Disable Accepting ICMP Redirects for All IPv4 Interfaces ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.
This feature of the IPv4 protocol has few legitimate uses. It should be disabled unless absolutely required."
To set the runtime status of the net.ipv4.conf.all.accept_redirects kernel parameter, run the following command:
$ sudo sysctl -w net.ipv4.conf.all.accept_redirects=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.conf.all.accept_redirects = 0
SRG-OS-000360-GPOS-00147
SRG-OS-000480-GPOS-00225
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00232
CCI-000366
CCI-001503
CCI-001551
sysctl_net_ipv4_conf_all_accept_source_route medium Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv4 Interfaces Source-routed packets allow the source of the packet to suggest routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routerd traffic, such as when IPv4 forwarding is enabled and the system is functioning as a router.

Accepting source-routed packets in the IPv4 protocol has few legitimate uses. It should be disabled unless it is absolutely required.
To set the runtime status of the net.ipv4.conf.all.accept_source_route kernel parameter, run the following command:
$ sudo sysctl -w net.ipv4.conf.all.accept_source_route=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.conf.all.accept_source_route = 0
SRG-OS-000360-GPOS-00147
SRG-OS-000480-GPOS-00225
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00232
CCI-000366
sysctl_net_ipv4_conf_all_forwarding medium Disable Kernel Parameter for IPv4 Forwarding on all IPv4 Interfaces IP forwarding permits the kernel to forward packets from one network interface to another. The ability to forward packets between two networks is only appropriate for systems acting as routers. To set the runtime status of the net.ipv4.conf.all.forwarding kernel parameter, run the following command:
$ sudo sysctl -w net.ipv4.conf.all.forwarding=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.conf.all.forwarding = 0
SRG-OS-000360-GPOS-00147
SRG-OS-000480-GPOS-00225
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00232
CCI-000366
sysctl_net_ipv4_conf_all_rp_filter medium Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces Enabling reverse path filtering drops packets with source addresses that should not have been able to be received on the interface they were received on. It should not be used on systems which are routers for complicated networks, but is helpful for end hosts and routers serving small networks. To set the runtime status of the net.ipv4.conf.all.rp_filter kernel parameter, run the following command:
$ sudo sysctl -w net.ipv4.conf.all.rp_filter=1
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.conf.all.rp_filter = 1
SRG-OS-000360-GPOS-00147
SRG-OS-000480-GPOS-00225
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00232
CCI-000366
CCI-001551
sysctl_net_ipv4_conf_all_send_redirects medium Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table possibly revealing portions of the network topology.
The ability to send ICMP redirects is only appropriate for systems acting as routers.
To set the runtime status of the net.ipv4.conf.all.send_redirects kernel parameter, run the following command:
$ sudo sysctl -w net.ipv4.conf.all.send_redirects=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.conf.all.send_redirects = 0
SRG-OS-000360-GPOS-00147
SRG-OS-000480-GPOS-00225
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00232
CCI-000366
sysctl_net_ipv4_conf_default_accept_redirects medium Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv4 Interfaces ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.
This feature of the IPv4 protocol has few legitimate uses. It should be disabled unless absolutely required.
To set the runtime status of the net.ipv4.conf.default.accept_redirects kernel parameter, run the following command:
$ sudo sysctl -w net.ipv4.conf.default.accept_redirects=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.conf.default.accept_redirects = 0
SRG-OS-000360-GPOS-00147
SRG-OS-000480-GPOS-00225
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00232
CCI-000366
CCI-001551
sysctl_net_ipv4_conf_default_accept_source_route medium Disable Kernel Parameter for Accepting Source-Routed Packets on IPv4 Interfaces by Default Source-routed packets allow the source of the packet to suggest routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures.
Accepting source-routed packets in the IPv4 protocol has few legitimate uses. It should be disabled unless it is absolutely required, such as when IPv4 forwarding is enabled and the system is legitimately functioning as a router.
To set the runtime status of the net.ipv4.conf.default.accept_source_route kernel parameter, run the following command:
$ sudo sysctl -w net.ipv4.conf.default.accept_source_route=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.conf.default.accept_source_route = 0
SRG-OS-000360-GPOS-00147
SRG-OS-000480-GPOS-00225
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00232
CCI-000366
CCI-001551
sysctl_net_ipv4_conf_default_send_redirects medium Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces by Default ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table possibly revealing portions of the network topology.
The ability to send ICMP redirects is only appropriate for systems acting as routers.
To set the runtime status of the net.ipv4.conf.default.send_redirects kernel parameter, run the following command:
$ sudo sysctl -w net.ipv4.conf.default.send_redirects=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.conf.default.send_redirects = 0
SRG-OS-000360-GPOS-00147
SRG-OS-000480-GPOS-00225
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00232
CCI-000366
sysctl_net_ipv4_icmp_echo_ignore_broadcasts medium Enable Kernel Parameter to Ignore ICMP Broadcast Echo Requests on IPv4 Interfaces Responding to broadcast (ICMP) echoes facilitates network mapping and provides a vector for amplification attacks.
Ignoring ICMP echo requests (pings) sent to broadcast or multicast addresses makes the system slightly more difficult to enumerate on the network.
To set the runtime status of the net.ipv4.icmp_echo_ignore_broadcasts kernel parameter, run the following command:
$ sudo sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.icmp_echo_ignore_broadcasts = 1
SRG-OS-000360-GPOS-00147
SRG-OS-000480-GPOS-00225
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00232
CCI-000366
sysctl_net_ipv6_conf_all_accept_ra medium Configure Accepting Router Advertisements on All IPv6 Interfaces An illicit router advertisement message could result in a man-in-the-middle attack. To set the runtime status of the net.ipv6.conf.all.accept_ra kernel parameter, run the following command:
$ sudo sysctl -w net.ipv6.conf.all.accept_ra=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv6.conf.all.accept_ra = 0
SRG-OS-000360-GPOS-00147
SRG-OS-000480-GPOS-00225
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00232
CCI-000366
sysctl_net_ipv6_conf_all_accept_redirects medium Disable Accepting ICMP Redirects for All IPv6 Interfaces An illicit ICMP redirect message could result in a man-in-the-middle attack. To set the runtime status of the net.ipv6.conf.all.accept_redirects kernel parameter, run the following command:
$ sudo sysctl -w net.ipv6.conf.all.accept_redirects=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv6.conf.all.accept_redirects = 0
SRG-OS-000360-GPOS-00147
SRG-OS-000480-GPOS-00225
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00232
CCI-000366
CCI-001551
sysctl_net_ipv6_conf_all_accept_source_route medium Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv6 Interfaces Source-routed packets allow the source of the packet to suggest routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routerd traffic, such as when IPv6 forwarding is enabled and the system is functioning as a router.

Accepting source-routed packets in the IPv6 protocol has few legitimate uses. It should be disabled unless it is absolutely required.
To set the runtime status of the net.ipv6.conf.all.accept_source_route kernel parameter, run the following command:
$ sudo sysctl -w net.ipv6.conf.all.accept_source_route=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv6.conf.all.accept_source_route = 0
SRG-OS-000360-GPOS-00147
SRG-OS-000480-GPOS-00225
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00232
CCI-000366
sysctl_net_ipv6_conf_all_forwarding medium Disable Kernel Parameter for IPv6 Forwarding IP forwarding permits the kernel to forward packets from one network interface to another. The ability to forward packets between two networks is only appropriate for systems acting as routers. To set the runtime status of the net.ipv6.conf.all.forwarding kernel parameter, run the following command:
$ sudo sysctl -w net.ipv6.conf.all.forwarding=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv6.conf.all.forwarding = 0
SRG-OS-000360-GPOS-00147
SRG-OS-000480-GPOS-00225
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00232
CCI-000366
sysctl_net_ipv6_conf_default_accept_ra medium Disable Accepting Router Advertisements on all IPv6 Interfaces by Default An illicit router advertisement message could result in a man-in-the-middle attack. To set the runtime status of the net.ipv6.conf.default.accept_ra kernel parameter, run the following command:
$ sudo sysctl -w net.ipv6.conf.default.accept_ra=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv6.conf.default.accept_ra = 0
SRG-OS-000360-GPOS-00147
SRG-OS-000480-GPOS-00225
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00232
CCI-000366
sysctl_net_ipv6_conf_default_accept_redirects medium Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv6 Interfaces An illicit ICMP redirect message could result in a man-in-the-middle attack. To set the runtime status of the net.ipv6.conf.default.accept_redirects kernel parameter, run the following command:
$ sudo sysctl -w net.ipv6.conf.default.accept_redirects=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv6.conf.default.accept_redirects = 0
SRG-OS-000360-GPOS-00147
SRG-OS-000480-GPOS-00225
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00232
CCI-000366
CCI-001551
sysctl_net_ipv6_conf_default_accept_source_route medium Disable Kernel Parameter for Accepting Source-Routed Packets on IPv6 Interfaces by Default Source-routed packets allow the source of the packet to suggest routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routerd traffic, such as when IPv6 forwarding is enabled and the system is functioning as a router. Accepting source-routed packets in the IPv6 protocol has few legitimate uses. It should be disabled unless it is absolutely required. To set the runtime status of the net.ipv6.conf.default.accept_source_route kernel parameter, run the following command:
$ sudo sysctl -w net.ipv6.conf.default.accept_source_route=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv6.conf.default.accept_source_route = 0
SRG-OS-000360-GPOS-00147
SRG-OS-000480-GPOS-00225
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00232
CCI-000366
sysctl_user_max_user_namespaces medium Disable the use of user namespaces It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or system objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. User namespaces are used primarily for Linux containers. The value 0 disallows the use of user namespaces. To set the runtime status of the user.max_user_namespaces kernel parameter, run the following command:
$ sudo sysctl -w user.max_user_namespaces=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
user.max_user_namespaces = 0
When containers are deployed on the machine, the value should be set to large non-zero value.
SRG-OS-000360-GPOS-00147
SRG-OS-000480-GPOS-00225
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00232
CCI-000366
tftpd_uses_secure_mode high Ensure tftp Daemon Uses Secure Mode Using the -s option causes the TFTP service to only serve files from the given directory. Serving files from an intentionally-specified directory reduces the risk of sharing files which should remain private. If running the tftp service is necessary, it should be configured to change its root directory at startup. To do so, ensure /etc/xinetd.d/tftp includes -s as a command line argument, as shown in the following example:
server_args = -s 
SRG-OS-000360-GPOS-00147
SRG-OS-000480-GPOS-00225
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00232
CCI-000366
usbguard_generate_policy medium Generate USBGuard Policy The usbguard must be configured to allow connected USB devices to work properly, avoiding the system to become inaccessible. By default USBGuard when enabled prevents access to all USB devices and this lead to inaccessible system if they use USB mouse/keyboard. To prevent this scenario, the initial policy configuration must be generated based on current connected USB devices. SRG-OS-000378-GPOS-00163
CCI-000416
CCI-001958
wireless_disable_interfaces medium Deactivate Wireless Network Interfaces The use of wireless networking can introduce many different attack vectors into the organization's network. Common attack vectors such as malicious association and ad hoc networks will allow an attacker to spoof a wireless access point (AP), allowing validated systems to connect to the malicious AP and enabling the attacker to monitor and record network traffic. These malicious APs can also serve to create a man-in-the-middle attack or be used to create a denial of service to valid network resources. Deactivating wireless network interfaces should prevent normal usage of the wireless capability.

Configure the system to disable all wireless network interfaces with the following command:
$ sudo nmcli radio all off
SRG-OS-000423-GPOS-00187
SRG-OS-000481-GPOS-00481
SRG-OS-000424-GPOS-00188
SRG-OS-000300-GPOS-00118
SRG-OS-000299-GPOS-00117
CCI-000085
CCI-002418
CCI-002421
CCI-001443
CCI-001444
xwindows_remove_packages medium Disable graphical user interface Unnecessary service packages must not be installed to decrease the attack surface of the system. X windows has a long history of security vulnerabilities and should not be installed unless approved and documented. By removing the following packages, the system no longer has X Windows installed. xorg-x11-server-Xorg xorg-x11-server-common xorg-x11-server-utils xorg-x11-server-Xwayland If X Windows is not installed then the system cannot boot into graphical user mode. This prevents the system from being accidentally or maliciously booted into a graphical.target mode. To do so, run the following command:
sudo yum remove xorg-x11-server-Xorg xorg-x11-server-common xorg-x11-server-utils xorg-x11-server-Xwayland
SRG-OS-000360-GPOS-00147
SRG-OS-000480-GPOS-00225
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00232
CCI-000366
xwindows_runlevel_target medium Disable X Windows Startup By Setting Default Target Services that are not required for system and application processes must not be active to decrease the attack surface of the system. X windows has a long history of security vulnerabilities and should not be used unless approved and documented. Systems that do not require a graphical user interface should only boot by default into multi-user.target mode. This prevents accidental booting of the system into a graphical.target mode. Setting the system's default target to multi-user.target will prevent automatic startup of the X server. To do so, run:
$ systemctl set-default multi-user.target
You should see the following output:
Removed symlink /etc/systemd/system/default.target.
Created symlink from /etc/systemd/system/default.target to /usr/lib/systemd/system/multi-user.target.
SRG-OS-000360-GPOS-00147
SRG-OS-000480-GPOS-00225
SRG-OS-000480-GPOS-00226
SRG-OS-000480-GPOS-00227
SRG-OS-000480-GPOS-00228
SRG-OS-000480-GPOS-00229
SRG-OS-000480-GPOS-00230
SRG-OS-000480-GPOS-00232
CCI-000366