Oracle Linux 8 STIG SCAP Benchmark

Fix: F-51907r779122_fix

Configure the audit service to produce audit records containing the information needed to establish when (date and time) an event occurred. Install the audit service (if the audit service is not already installed) with the following command: $ sudo yum install audit

Fix: F-51908r779125_fix

Configure the audit service to produce audit records containing the information needed to establish when (date and time) an event occurred with the following commands: $ sudo systemctl enable auditd.service $ sudo systemctl start auditd.service

Fix: F-51915r779146_fix

Configure the operating system to display a banner before granting access to the system. Note: If the system does not have a graphical user interface installed, this requirement is Not Applicable. Create a database to contain the system-wide graphical user logon settings (if it does not already exist) with the following command: $ sudo touch /etc/dconf/db/local.d/01-banner-message Add the following lines to the [org/gnome/login-screen] section of the "/etc/dconf/db/local.d/01-banner-message": [org/gnome/login-screen] banner-message-enable=true Run the following command to update the database: $ sudo dconf update

Fix: F-51918r779155_fix

Configure OL 8 to monitor all remote access methods by installing rsyslog with the following command: $ sudo yum install rsyslog Add or update the following lines to the "/etc/rsyslog.conf" file: auth.*;authpriv.*;daemon.* /var/log/secure The "rsyslog" service must be restarted for the changes to take effect. To restart the "rsyslog" service, run the following command: $ sudo systemctl restart rsyslog.service

Fix: F-51921r986325_fix

Configure OL 8 to encrypt all stored passwords. Edit/modify the following line in the "/etc/login.defs" file and set "[ENCRYPT_METHOD]" to SHA512: ENCRYPT_METHOD SHA512

Fix: F-51922r779167_fix

Lock all interactive user accounts not using SHA-512 hashing until the passwords can be regenerated with SHA-512.

Fix: F-51923r1044785_fix

Configure OL 8 to encrypt all stored passwords with a strong cryptographic hash. Edit/modify the following line in the "/etc/login.defs" file and set "SHA_CRYPT_MIN_ROUNDS" to a value no lower than "100000": SHA_CRYPT_MIN_ROUNDS 100000

Fix: F-51929r779188_fix

Configure the system to require authentication upon booting into rescue mode by adding the following line to the "/usr/lib/systemd/system/rescue.service" file: ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue

Fix: F-51930r779191_fix

Configure the system to require authentication upon booting into emergency mode by adding the following line to the "/usr/lib/systemd/system/emergency.service" file: ExecStart=-/usr/lib/systemd/systemd-sulogin-shell emergency

Fix: F-51931r818607_fix

Configure OL 8 to use a FIPS 140-2 approved cryptographic hashing algorithm for system authentication. Edit/modify the following line in the "/etc/pam.d/system-auth" file to include the sha512 option for pam_unix.so: password sufficient pam_unix.so sha512

Fix: F-51932r818610_fix

Configure OL 8 to use a FIPS 140-2 approved cryptographic hashing algorithm for system authentication. Edit/modify the following line in the "/etc/pam.d/password-auth" file to include the sha512 option for pam_unix.so: password sufficient pam_unix.so sha512

Fix: F-51933r779200_fix

Configure OL 8 to prevent system daemons from using Kerberos for authentication. Remove any files with the .keytab extension from the operating system.

Fix: F-51934r779203_fix

Document the krb5-workstation package with the ISSO as an operational requirement or remove it from the system with the following command: $ sudo yum remove krb5-workstation

Fix: F-51935r779206_fix

Document the krb5-server package with the ISSO as an operational requirement or remove it from the system with the following command: $ sudo yum remove krb5-server

Fix: F-51936r779209_fix

Configure OL 8 to verify correct operation of all security functions. Set "SELinux" to "Enforcing" mode by modifying the "/etc/selinux/config" file with the following line: SELINUX=enforcing A reboot is required for the changes to take effect.

Fix: F-51940r917895_fix

Note: This setting must be applied in conjunction with OL08-00-010201 to function correctly. Configure the SSH server to terminate a user session automatically after the SSH client has become unresponsive. Modify or append the following line in the "/etc/ssh/sshd_config" file: ClientAliveCountMax 1 For the changes to take effect, the SSH daemon must be restarted. $ sudo systemctl restart sshd.service

Fix: F-51941r917898_fix

Note: This setting must be applied in conjunction with OL08-00-010200 to function correctly. Configure the SSH server to terminate a user session automatically after the SSH client has been unresponsive for 10 minutes. Modify or append the following lines in the "/etc/ssh/sshd_config" file to have a product value of "600" or less: ClientAliveInterval 600 The SSH daemon must be restarted for changes to take effect. $ sudo systemctl restart sshd.service

Fix: F-51942r779227_fix

Change the permissions of the file "/var/log/messages" to "0640" by running the following command: $ sudo chmod 0640 /var/log/messages

Fix: F-51943r779230_fix

Change the owner of the file /var/log/messages to root by running the following command: $ sudo chown root /var/log/messages

Fix: F-51944r779233_fix

Change the group of the file "/var/log/messages" to "root" by running the following command: $ sudo chgrp root /var/log/messages

Fix: F-51945r779236_fix

Change the permissions of the directory "/var/log" to "0755" by running the following command: $ sudo chmod 0755 /var/log

Fix: F-51946r779239_fix

Change the owner of the directory /var/log to root by running the following command: $ sudo chown root /var/log

Fix: F-51947r779242_fix

Change the group of the directory "/var/log" to "root" by running the following command: $ sudo chgrp root /var/log

Fix: F-51953r818616_fix

Configure the OL 8 OpenSSL library to use only DoD-approved TLS encryption by editing the following line in the "/etc/crypto-policies/back-ends/opensslcnf.config" file: For versions prior to crypto-policies-20210617-1.gitc776d3e.el8.noarch: MinProtocol = TLSv1.2 For version crypto-policies-20210617-1.gitc776d3e.el8.noarch and newer: TLS.MinProtocol = TLSv1.2 DTLS.MinProtocol = DTLSv1.2 A reboot is required for the changes to take effect.

Fix: F-51955r818621_fix

Configure the system commands to be protected from unauthorized access. Run the following command, replacing "[FILE]" with any system command with a mode more permissive than "755". $ sudo chmod 755 [FILE]

Fix: F-51956r779269_fix

Configure the system commands to be protected from unauthorized access. Run the following command, replacing "[FILE]" with any system command file not owned by "root". $ sudo chown root [FILE]

Fix: F-51957r818624_fix

Configure the system commands to be protected from unauthorized access. Run the following command, replacing "[FILE]" with any system command file not group-owned by "root" or a required system account. $ sudo chgrp root [FILE]

Fix: F-51958r818627_fix

Configure the library files to be protected from unauthorized access. Run the following command, replacing "[FILE]" with any library file with a mode more permissive than 755. $ sudo chmod 755 [FILE]

Fix: F-51959r779278_fix

Configure the system-wide shared library files (/lib, /lib64, /usr/lib, and /usr/lib64) to be protected from unauthorized access. Run the following command, replacing "[FILE]" with any library file not owned by "root". $ sudo chown root [FILE]

Fix: F-51960r779281_fix

Configure the system-wide shared library files (/lib, /lib64, /usr/lib, and /usr/lib64) to be protected from unauthorized access. Run the following command, replacing "[FILE]" with any library file not group-owned by "root". $ sudo chgrp root [FILE]

Fix: F-51965r858611_fix

Configure OL 8 to enable DAC on symlinks. Add or edit the following line in a system configuration file in the "/etc/sysctl.d/" directory: fs.protected_symlinks = 1 Remove any configurations that conflict with the above from the following locations: /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf Load settings from all system configuration files with the following command: $ sudo sysctl --system

Fix: F-51966r858614_fix

Configure OL 8 to enable DAC on hardlinks. Add or edit the following line in a system configuration file in the "/etc/sysctl.d/" directory: fs.protected_hardlinks = 1 Remove any configurations that conflict with the above from the following locations: /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf Load settings from all system configuration files with the following command: $ sudo sysctl --system

Fix: F-51969r860914_fix

Configure the operating system to require users to supply a password for privilege escalation. Check the configuration of the "/etc/sudoers" file with the following command: $ sudo visudo Remove any occurrences of "NOPASSWD" tags in the file. Check the configuration of the /etc/sudoers.d/* files with the following command: $ sudo grep -ir nopasswd /etc/sudoers.d Remove any occurrences of "NOPASSWD" tags in the file.

Fix: F-51970r779311_fix

Remove any occurrence of "!authenticate" found in the "/etc/sudoers" file or files in the "/etc/sudoers.d" directory.

Fix: F-51971r779314_fix

Remove the following entries from the sudoers file: ALL ALL=(ALL) ALL ALL ALL=(ALL:ALL) ALL

Fix: F-51972r880553_fix

Define the following in the Defaults section of the /etc/sudoers file or a configuration file in the /etc/sudoers.d/ directory: Defaults !targetpw Defaults !rootpw Defaults !runaspw Remove any configurations that conflict with the above from the following locations: /etc/sudoers /etc/sudoers.d/

Fix: F-51973r880556_fix

Configure the "sudo" command to require re-authentication. Edit the /etc/sudoers file: $ sudo visudo Add or modify the following line: Defaults timestamp_timeout=[value] Note: The "[value]" must be a number that is greater than or equal to "0". Remove any duplicate or conflicting lines from /etc/sudoers and /etc/sudoers.d/ files.

Fix: F-51978r779335_fix

Configure OL 8 to enable page poisoning with the following commands: $ sudo grubby --update-kernel=ALL --args="page_poison=1" Add or modify the following line in "/etc/default/grub" to ensure the configuration survives kernel updates: GRUB_CMDLINE_LINUX="page_poison=1"

Fix: F-51979r779338_fix

Document the use of vsyscalls with the ISSO as an operational requirement or disable them with the following command: $ sudo grubby --update-kernel=ALL --args="vsyscall=none" Add or modify the following line in "/etc/default/grub" to ensure the configuration survives kernel updates: GRUB_CMDLINE_LINUX="vsyscall=none"

Fix: F-51980r779341_fix

Configure OL 8 to enable poisoning of SLUB/SLAB objects with the following commands: $ sudo grubby --update-kernel=ALL --args="slub_debug=P" Add or modify the following line in "/etc/default/grub" to ensure the configuration survives kernel updates: GRUB_CMDLINE_LINUX="slub_debug=P"

Fix: F-51982r858626_fix

Configure OL 8 to implement virtual address space randomization. Set the system to the required kernel parameter by adding the following line to "/etc/sysctl.d/*.conf" (or modify the line to have the required value): kernel.randomize_va_space=2 Remove any configurations that conflict with the above from the following locations: /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf Issue the following command to make the changes take effect: $ sudo sysctl --system

Fix: F-51984r779353_fix

Configure OL 8 to verify correct operation of all security functions. Set the "SELinuxtype" to the "targeted" policy by modifying the "/etc/selinux/config" file to have the following line: SELINUXTYPE=targeted A reboot is required for the changes to take effect.

Fix: F-51989r779368_fix

Change the mode of public host key files under "/etc/ssh" to "0644" with the following command: $ sudo chmod 0644 /etc/ssh/*key.pub The SSH daemon must be restarted for the changes to take effect. To restart the SSH daemon, run the following command: $ sudo systemctl restart sshd.service

Fix: F-51990r880540_fix

Configure the mode of SSH private host key files under "/etc/ssh" to "0640" with the following command: $ sudo chmod 0640 /etc/ssh/ssh_host*key The SSH daemon must be restarted for the changes to take effect. To restart the SSH daemon, run the following command: $ sudo systemctl restart sshd.service

Fix: F-51991r779374_fix

Configure SSH to perform strict mode checking of home directory configuration files. Uncomment the "StrictModes" keyword in "/etc/ssh/sshd_config" and set the value to "yes": StrictModes yes The SSH daemon must be restarted for the changes to take effect. To restart the SSH daemon, run the following command: $ sudo systemctl restart sshd.service

Fix: F-51993r779380_fix

Configure the SSH daemon to not allow authentication using known host’s authentication. Add the following line in "/etc/ssh/sshd_config", or uncomment the line and set the value to "yes": IgnoreUserKnownHosts yes The SSH daemon must be restarted for the changes to take effect. To restart the SSH daemon, run the following command: $ sudo systemctl restart sshd.service

Fix: F-51994r779383_fix

Configure the SSH daemon to not allow Kerberos authentication. Add the following line in "/etc/ssh/sshd_config", or uncomment the line and set the value to "no": KerberosAuthentication no The SSH daemon must be restarted for the changes to take effect. To restart the SSH daemon, run the following command: $ sudo systemctl restart sshd.service

Fix: F-51995r779386_fix

Configure the SSH daemon to not allow GSSAPI authentication. Add the following line in "/etc/ssh/sshd_config", or uncomment the line and set the value to "no": GSSAPIAuthentication no The SSH daemon must be restarted for the changes to take effect. To restart the SSH daemon, run the following command: $ sudo systemctl restart sshd.service

Fix: F-51999r779398_fix

Migrate the "/tmp" directory onto a separate file system/partition.

Fix: F-52000r779401_fix

Migrate the "/var/tmp" path onto a separate file system.

Fix: F-52001r779404_fix

Configure OL 8 to stop users from logging on remotely as the "root" user via SSH. Edit the appropriate "/etc/ssh/sshd_config" file to uncomment or add the line for the "PermitRootLogin" keyword and set its value to "no": PermitRootLogin no The SSH daemon must be restarted for the changes to take effect. To restart the SSH daemon, run the following command: $ sudo systemctl restart sshd.service

Fix: F-52003r779410_fix

Start and enable the rsyslog service with the following commands: $ sudo systemctl start rsyslog.service $ sudo systemctl enable rsyslog.service

Fix: F-52004r779413_fix

Configure "/etc/fstab" to use the "nosuid" option on file systems that contain user home directories for interactive users.

Fix: F-52005r779416_fix

Configure the "/etc/fstab" to use the "nosuid" option on the /boot directory.

Fix: F-52006r779419_fix

Configure the "/etc/fstab" to use the "nosuid" option on the /boot/efi directory.

Fix: F-52007r779422_fix

Configure the "/etc/fstab" to use the "nodev" option on all non-root local partitions.

Fix: F-52012r779437_fix

Configure the "/etc/fstab" to use the "noexec" option on file systems that are being imported via NFS.

Fix: F-52013r779440_fix

Configure the "/etc/fstab" to use the "nodev" option on file systems that are being imported via NFS.

Fix: F-52014r779443_fix

Configure the "/etc/fstab" to use the "nosuid" option on file systems that are being imported via NFS.

Fix: F-52017r858628_fix

Configure OL 8 to disable storing core dumps by adding the following line to a file in the "/etc/sysctl.d" directory: kernel.core_pattern = |/bin/false Remove any configurations that conflict with the above from the following locations: /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf The system configuration files must be reloaded for the changes to take effect. To reload the contents of the files, run the following command: $ sudo sysctl --system

Fix: F-52018r779455_fix

Configure the system to disable the "systemd-coredump.socket" with the following commands: $ sudo systemctl disable --now systemd-coredump.socket $ sudo systemctl mask systemd-coredump.socket Created symlink /etc/systemd/system/systemd-coredump.socket -> /dev/null

Fix: F-52019r779458_fix

Configure OL 8 to disable core dumps for all users. Add the following line to the top of "/etc/security/limits.conf" or in a ".conf" file defined in "/etc/security/limits.d/": * hard core 0

Fix: F-52020r779461_fix

Configure OL 8 to disable storing core dumps for all users. Add or modify the following line in "/etc/systemd/coredump.conf": Storage=none

Fix: F-52021r779464_fix

Configure OL 8 to disable core dump backtraces. Add or modify the following line in "/etc/systemd/coredump.conf": ProcessSizeMax=0

Fix: F-52022r779467_fix

Configure OL 8 to use two or more name servers for DNS resolution. By default, "NetworkManager" on OL 8 dynamically updates the "/etc/resolv.conf" file with the DNS settings from active "NetworkManager" connection profiles. However, this feature can be disabled to allow manual configurations. If manually configuring DNS, edit the "/etc/resolv.conf" file to uncomment or add the two or more "nameserver" option lines with the IP address of local authoritative name servers. If local host resolution is being performed, the "/etc/resolv.conf" file must be empty. An empty "/etc/resolv.conf" file can be created as follows: $ sudo echo -n > /etc/resolv.conf

Fix: F-52026r779479_fix

Assign home directories to all local interactive users on OL 8 that currently do not have a home directory assigned.

Fix: F-52027r779482_fix

Change the mode of interactive users' home directories to "0750" using the following command. Note: The example will be for the user "smithj". $ sudo chmod 0750 /home/smithj

Fix: F-52032r779497_fix

Configure OL 8 to assign home directories to all new local interactive users by setting the "CREATE_HOME" parameter in "/etc/login.defs" to "yes" as follows. CREATE_HOME yes

Fix: F-52033r779500_fix

Set the mode of the local initialization files to "0740" with the following command: Note: The example will be for the smithj user, who has a home directory of "/home/smithj". $ sudo chmod 0740 /home/smithj/.<INIT_FILE>

Fix: F-52036r902799_fix

Migrate the "/home" directory onto a separate file system.

Fix: F-52040r779521_fix

Add/modify the appropriate sections of the "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth" files to match the following lines: auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny=3 even_deny_root fail_interval=900 unlock_time=0 auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time=0 account required pam_faillock.so The "sssd" service must be restarted for the changes to take effect. To restart the "sssd" service, run the following command: $ sudo systemctl restart sssd.service

Fix: F-52041r779524_fix

Configure OL 8 to lock an account when three unsuccessful logon attempts occur. Add/modify the "/etc/security/faillock.conf" file to match the following line: deny = 3

Fix: F-52042r779527_fix

Configure the operating system to lock an account when three unsuccessful logon attempts occur in 15 minutes. Add/modify the appropriate sections of the "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth" files to match the following lines: auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny=3 even_deny_root fail_interval=900 unlock_time=0 auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time=0 account required pam_faillock.so The "sssd" service must be restarted for the changes to take effect. To restart the "sssd" service, run the following command: $ sudo systemctl restart sssd.service

Fix: F-52043r779530_fix

Configure OL 8 to lock an account when three unsuccessful logon attempts occur. Add/modify the "/etc/security/faillock.conf" file to match the following line: fail_interval = 900

Fix: F-52044r779533_fix

Configure the operating system to lock an account until released by an administrator when three unsuccessful logon attempts occur in 15 minutes. Add/modify the appropriate sections of the "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth" files to match the following lines: auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny=3 even_deny_root fail_interval=900 unlock_time=0 auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time=0 account required pam_faillock.so The "sssd" service must be restarted for the changes to take effect. To restart the "sssd" service, run the following command: $ sudo systemctl restart sssd.service

Fix: F-52045r779536_fix

Configure OL 8 to lock an account until released by an administrator when three unsuccessful logon attempts occur in 15 minutes. Add/modify the "/etc/security/faillock.conf" file to match the following line: unlock_time = 0

Fix: F-52048r779545_fix

Configure the operating system to prevent informative messages from being presented at logon attempts. Add/modify the appropriate sections of the "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth" files to match the following lines: auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny=3 even_deny_root fail_interval=900 unlock_time=0 auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time=0 account required pam_faillock.so The "sssd" service must be restarted for the changes to take effect. To restart the "sssd" service, run the following command: $ sudo systemctl restart sssd.service

Fix: F-52049r779548_fix

Configure the operating system to prevent informative messages from being presented at logon attempts. Add/modify the "/etc/security/faillock.conf" file to match the following line: silent

Fix: F-52050r779551_fix

Configure the operating system to log user name information when unsuccessful logon attempts occur. Add/modify the appropriate sections of the "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth" files to match the following lines: auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny=3 even_deny_root fail_interval=900 unlock_time=0 auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time=0 account required pam_faillock.so The "sssd" service must be restarted for the changes to take effect. To restart the "sssd" service, run the following command: $ sudo systemctl restart sssd.service

Fix: F-52051r779554_fix

Configure the operating system to log user name information when unsuccessful logon attempts occur. Add/modify the "/etc/security/faillock.conf" file to match the following line: audit

Fix: F-52052r779557_fix

Configure the operating system to include root when locking an account after three unsuccessful logon attempts occur in 15 minutes. Add/modify the appropriate sections of the "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth" files to match the following lines: auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny=3 even_deny_root fail_interval=900 unlock_time=0 auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time=0 account required pam_faillock.so The "sssd" service must be restarted for the changes to take effect. To restart the "sssd" service, run the following command: $ sudo systemctl restart sssd.service

Fix: F-52053r779560_fix

Configure the operating system to include root when locking an account after three unsuccessful logon attempts occur in 15 minutes. Add/modify the "/etc/security/faillock.conf" file to match the following line: even_deny_root

Fix: F-52059r779578_fix

Configure OL 8 to enable a user's session lock until that user reestablishes access using established identification and authentication procedures. Create a database to contain the system-wide screensaver settings (if it does not already exist) with the following example: $ sudo vi /etc/dconf/db/local.d/00-screensaver Edit the "[org/gnome/desktop/screensaver]" section of the database file and add or update the following lines: # Set this to true to lock the screen when the screensaver activates lock-enabled=true Update the system databases: $ sudo dconf update

Fix: F-52061r779584_fix

Configure the operating system to disable the user list at logon for graphical user interfaces. Create a database to contain the system-wide screensaver settings (if it does not already exist) with the following command: Note: The example below is using the database "local" for the system, so if the system is using another database in "/etc/dconf/profile/user", the file should be created under the appropriate subdirectory. $ sudo touch /etc/dconf/db/local.d/02-login-screen [org/gnome/login-screen] disable-user-list=true Update the system databases: $ sudo dconf update

Fix: F-52062r779587_fix

Configure the operating system to enable a user to initiate a session lock via tmux. Install the "tmux" package, if it is not already installed, by running the following command: $ sudo yum install tmux

Fix: F-52063r880563_fix

Configure the operating system to enable a user to manually initiate a session lock via tmux. This configuration binds the uppercase letter "X" to manually initiate a session lock after the prefix key "Ctrl + b" has been sent. The complete key sequence is thus "Ctrl + b" then "Shift + x" to lock tmux. Create a global configuration file "/etc/tmux.conf" and add the following lines: set -g lock-command vlock bind X lock-session Reload tmux configuration to take effect. This can be performed in tmux while it is running: $ tmux source-file /etc/tmux.conf

Fix: F-52067r779602_fix

Configure OL 8 to enable a user's session lock until that user reestablishes access using established identification and authentication procedures. Select/create an "authselect" profile and incorporate the "with-smartcard-lock-on-removal" feature as in the following example: $ sudo authselect select sssd with-smartcard with-smartcard-lock-on-removal Alternatively, the "dconf" settings can be edited in the "/etc/dconf/db/*" location. Edit or add the "[org/gnome/settings-daemon/peripherals/smartcard]" section of the database file and add or update the following line: removal-action='lock-screen' Update the system databases: $ sudo dconf update

Fix: F-52070r779611_fix

Configure OL 8 to prevent a user from overriding settings for graphical user interfaces. Create a database to contain the system-wide screensaver settings (if it does not already exist) with the following command. Note: The example below is using the database "local" for the system, so if the system is using another database in "/etc/dconf/profile/user", the file should be created under the appropriate subdirectory. $ sudo touch /etc/dconf/db/local.d/locks/session Add the following setting to prevent non-privileged users from modifying it: /org/gnome/desktop/screensaver/lock-delay

Fix: F-52072r779617_fix

Configure OL 8 to prevent a user from overriding settings for graphical user interfaces. Create a database to contain the system-wide screensaver settings (if it does not already exist) with the following command. Note: The example below is using the database "local" for the system, so if the system is using another database in "/etc/dconf/profile/user", the file should be created under the appropriate subdirectory. $ sudo touch /etc/dconf/db/local.d/locks/session Add the following setting to prevent non-privileged users from modifying it: /org/gnome/desktop/screensaver/lock-enabled

Fix: F-52074r902808_fix

Configure the operating system to use "pwquality" to enforce password complexity rules. Add the following line to the "/etc/pam.d/password-auth" file (or modify the line to have the required value): password requisite pam_pwquality.so

Fix: F-52078r858636_fix

Configure OL 8 to require the change of the number of repeating characters of the same character class when passwords are changed by setting the "maxclassrepeat" option. Add or update the following line in the "/etc/security/pwquality.conf" file or a configuration file in the "/etc/security/pwquality.conf.d/" directory: maxclassrepeat = 4 Remove any configurations that conflict with the above value.

Fix: F-52079r858638_fix

Configure OL 8 to require the change of the number of repeating consecutive characters when passwords are changed by setting the "maxrepeat" option. Add or update the following line in the "/etc/security/pwquality.conf" file or a configuration file in the "/etc/security/pwquality.conf.d/" directory: maxrepeat = 3 Remove any configurations that conflict with the above value.

Fix: F-52080r858640_fix

Configure OL 8 to require the change of at least four character classes when passwords are changed by setting the "minclass" option. Add or update the following line in the "/etc/security/pwquality.conf" file or a configuration file in the "/etc/security/pwquality.conf.d/" directory: minclass = 4 Remove any configurations that conflict with the above value.

Fix: F-52082r986358_fix

Configure non-compliant accounts to enforce a 24 hours/one day minimum password lifetime: $ sudo chage -m 1 [user]

Fix: F-52083r986361_fix

Configure OL 8 to enforce 24 hours/one day as the minimum password lifetime. Add the following line in "/etc/login.defs" (or modify the line to have the required value): PASS_MIN_DAYS 1

Fix: F-52084r779653_fix

Configure OL 8 to enforce a 60-day maximum password lifetime. Add or modify the following line in the "/etc/login.defs" file: PASS_MAX_DAYS 60

Fix: F-52085r779656_fix

Configure non-compliant accounts to enforce a 60-day maximum password lifetime restriction. $ sudo chage -M 60 [user]

Fix: F-52087r858644_fix

Configure OL 8 to enforce a minimum 15-character password length. Add or update the following line in the "/etc/security/pwquality.conf" file or a configuration file in the "/etc/security/pwquality.conf.d/" directory: minlen = 15 Remove any configurations that conflict with the above value.

Fix: F-52088r779665_fix

Configure operating system to enforce a minimum 15-character password length for new user accounts. Add or modify the following line in the "/etc/login.defs" file: PASS_MIN_LEN 15

Fix: F-52089r779668_fix

Edit the file "/etc/passwd" and provide each interactive user account that has a duplicate UID with a unique UID.

Fix: F-52093r779680_fix

Configure the mode of the "lastlog" command for OL 8 to "0750" with the following command: $ sudo chmod 0750 /usr/bin/lastlog

Fix: F-52094r779683_fix

Configure the "lastlog" command for OL 8 to be owned by root with the following command: $ sudo chown root /usr/bin/lastlog

Fix: F-52095r779686_fix

Configure the "lastlog" command for OL 8 to be group-owned by root with the following command: $ sudo chgrp root /usr/bin/lastlog

Fix: F-52098r943100_fix

Configure the SSSD to prohibit the use of cached authentications after one day. Add or change the following line in "/etc/sssd/sssd.conf" just below the line "[pam]". offline_credentials_expiration = 1

Fix: F-52099r858648_fix

Configure OL 8 to prevent the use of dictionary words for passwords. Add or update the following line in the "/etc/security/pwquality.conf" file or a configuration file in the "/etc/security/pwquality.conf.d/" directory: dictcheck=1 Remove any configurations that conflict with the above value.

Fix: F-52100r779701_fix

Configure OL 8 to enforce a delay of at least four seconds between logon prompts following a failed console logon attempt. Modify the "/etc/login.defs" file to set the "FAIL_DELAY" parameter to "4" or greater: FAIL_DELAY 4

Fix: F-52106r779719_fix

Configure SSH to provide users with feedback on when account accesses last occurred by setting the required configuration options in "/etc/pam.d/sshd" or in the "sshd_config" file used by the system ("/etc/ssh/sshd_config" will be used in the example). Note that this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor. Modify the "PrintLastLog" line in "/etc/ssh/sshd_config" to match the following: PrintLastLog yes The SSH service must be restarted for changes to "sshd_config" to take effect.

Fix: F-52107r779722_fix

Configure OL 8 to define the default permissions for all authenticated users in such a way that the user can read and modify only their own files. Edit the "UMASK" parameter in the "/etc/login.defs" file to match the example below: UMASK 077

Fix: F-52110r779731_fix

Configure OL 8 to audit the execution of the "execve" system call. Add or update the following file system rules to "/etc/audit/rules.d/audit.rules": -a always,exit -F arch=b32 -S execve -C uid!=euid -F key=execpriv -a always,exit -F arch=b64 -S execve -C uid!=euid -F key=execpriv -a always,exit -F arch=b32 -S execve -C gid!=egid -F key=execpriv -a always,exit -F arch=b64 -S execve -C gid!=egid -F key=execpriv The audit daemon must be restarted for the changes to take effect. To restart the audit daemon, run the following command: $ sudo service auditd restart

Fix: F-52112r779737_fix

Configure the "auditd" service to notify the SA and ISSO in the event of an audit processing failure. Edit the following line in "/etc/audit/auditd.conf" to ensure that administrators are notified via email for those situations: action_mail_acct = root

Fix: F-52113r779740_fix

Configure OL 8 to notify administrators in the event of an audit processing failure. Add/update the following line in "/etc/aliases": postmaster: root

Fix: F-52114r779743_fix

Configure OL 8 to shut down by default upon audit failure (unless availability is an overriding concern). Add or update the following line ("disk_error_action" can be set to "SYSLOG" or "SINGLE" depending on configuration) in the "/etc/audit/auditd.conf" file: disk_error_action = HALT If availability has been determined to be more important, and this decision is documented with the ISSO, configure OL 8 to notify system administration staff and ISSO staff in the event of an audit processing failure by setting the "disk_error_action" to "SYSLOG".

Fix: F-52116r779749_fix

Configure OL 8 to shut down by default upon audit failure (unless availability is an overriding concern). Add or update the following line ("disk_full_action" can be set to "SYSLOG" or "SINGLE" depending on configuration) in the "/etc/audit/auditd.conf" file: disk_full_action = HALT If availability has been determined to be more important, and this decision is documented with the ISSO, configure OL 8 to notify system administration staff and ISSO staff in the event of an audit processing failure by setting the "disk_full_action" to "SYSLOG".

Fix: F-52117r779752_fix

Configure OL 8 to audit local events on the system. Add or update the following line in "/etc/audit/auditd.conf" file: local_events = yes

Fix: F-52118r779755_fix

Edit the "/etc/audit/auditd.conf" file and add or update the "name_format" option: name_format = hostname The audit daemon must be restarted for changes to take effect.

Fix: F-52119r779758_fix

Configure OL 8 to resolve audit information before writing to disk by adding the following line to the "/etc/audit/auditd.conf" file and add or update the "log_format" option: log_format = ENRICHED The audit daemon must be restarted for changes to take effect.

Fix: F-52120r779761_fix

Configure the audit log to be protected from unauthorized read access by setting the correct permissive mode with the following command: $ sudo chmod 0600 [audit_log_file] Replace "[audit_log_file]" to the correct audit log path. By default, this location is "/var/log/audit/audit.log".

Fix: F-52121r779764_fix

Configure the audit log to be protected from unauthorized read access by setting the correct owner as "root" with the following command: $ sudo chown root [audit_log_file] Replace "[audit_log_file]" to the correct audit log path. By default, this location is "/var/log/audit/audit.log".

Fix: F-52122r779767_fix

Configure the audit log to be protected from unauthorized read access by setting the correct group-owner as "root" with the following command: $ sudo chgrp root [audit_log_file] Replace "[audit_log_file]" to the correct audit log path. By default, this location is "/var/log/audit/audit.log".

Fix: F-52123r779770_fix

Configure the audit log to be protected from unauthorized read access by setting the correct owner as "root" with the following command: $ sudo chown root [audit_log_directory] Replace "[audit_log_directory]" with the correct audit log directory path. By default, this location is usually "/var/log/audit".

Fix: F-52124r779773_fix

Configure the audit log to be protected from unauthorized read access by setting the correct group-owner as "root" with the following command: $ sudo chgrp root [audit_log_directory] Replace "[audit_log_directory]" with the correct audit log directory path. By default, this location is usually "/var/log/audit".

Fix: F-52125r779776_fix

Configure the audit log directory to be protected from unauthorized read access by setting the correct permissive mode with the following command: $ sudo chmod 0700 [audit_log_directory] Replace "[audit_log_directory]" to the correct audit log directory path. By default, this location is "/var/log/audit".

Fix: F-52126r779779_fix

Configure the audit system to set the audit rules to be immutable by adding the following line to "/etc/audit/rules.d/audit.rules": -e 2 Note: Once set, the system must be rebooted for auditing to be changed. It is recommended to add this option as the last step in securing the system.

Fix: F-52127r779782_fix

Configure the audit system to set the logon UIDs to be immutable by adding the following line to "/etc/audit/rules.d/audit.rules": --loginuid-immutable

Fix: F-52128r779785_fix

Configure OL 8 to generate audit records for all account creations events that affect "/etc/shadow". Add or update the following file system rule to "/etc/audit/rules.d/audit.rules": -w /etc/shadow -p wa -k identity The audit daemon must be restarted for the changes to take effect. To restart the audit daemon, run the following command: $ sudo service auditd restart

Fix: F-52129r779788_fix

Configure OL 8 to generate audit records for all account creations events that affect "/etc/security/opasswd". Add or update the following file system rule to "/etc/audit/rules.d/audit.rules": -w /etc/security/opasswd -p wa -k identity The audit daemon must be restarted for the changes to take effect. To restart the audit daemon, run the following command: $ sudo service auditd restart

Fix: F-52130r779791_fix

Configure OL 8 to generate audit records for all account creations events that affect "/etc/passwd". Add or update the following file system rule to "/etc/audit/rules.d/audit.rules": -w /etc/passwd -p wa -k identity The audit daemon must be restarted for the changes to take effect. To restart the audit daemon, run the following command: $ sudo service auditd restart

Fix: F-52131r779794_fix

Configure OL 8 to generate audit records for all account creations events that affect "/etc/gshadow". Add or update the following file system rule to "/etc/audit/rules.d/audit.rules": -w /etc/gshadow -p wa -k identity The audit daemon must be restarted for the changes to take effect. To restart the audit daemon, run the following command: $ sudo service auditd restart

Fix: F-52132r779797_fix

Configure OL 8 to generate audit records for all account creations events that affect "/etc/group". Add or update the following file system rule to "/etc/audit/rules.d/audit.rules": -w /etc/group -p wa -k identity The audit daemon must be restarted for the changes to take effect. To restart the audit daemon, run the following command: $ sudo service auditd restart

Fix: F-52133r779800_fix

Configure OL 8 to generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/sudoers". Add or update the following file system rule to "/etc/audit/rules.d/audit.rules": -w /etc/sudoers -p wa -k identity The audit daemon must be restarted for the changes to take effect. $ sudo service auditd restart

Fix: F-52134r779803_fix

Configure OL 8 to generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/sudoers.d/". Add or update the following file system rule to "/etc/audit/rules.d/audit.rules": -w /etc/sudoers.d/ -p wa -k identity The audit daemon must be restarted for the changes to take effect. $ sudo service auditd restart

Fix: F-52135r779806_fix

Configure OL 8 to generate audit records for any use of the "su" command by adding or updating the following rule in "/etc/audit/rules.d/audit.rules": -a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change The audit daemon must be restarted for the changes to take effect. To restart the audit daemon, run the following command: $ sudo service auditd restart

Fix: F-52136r818668_fix

Configure OL 8 to audit the execution of the "setxattr", "fsetxattr", "lsetxattr", "removexattr", "fremovexattr", and "lremovexattr" system calls by adding or updating the following lines to "/etc/audit/rules.d/audit.rules": -a always,exit -F arch=b32 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>=1000 -F auid!=unset -k perm_mod -a always,exit -F arch=b64 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>=1000 -F auid!=unset -k perm_mod -a always,exit -F arch=b32 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k perm_mod -a always,exit -F arch=b64 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k perm_mod The audit daemon must be restarted for the changes to take effect. To restart the audit daemon, run the following command: $ sudo service auditd restart

Fix: F-52141r779824_fix

Configure the audit system to generate an audit event for any use of the "chage" command by adding or updating the following rule in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -k privileged-chage The audit daemon must be restarted for the changes to take effect. To restart the audit daemon, run the following command: $ sudo service auditd restart

Fix: F-52142r779827_fix

Configure the audit system to generate an audit event for any use of the "chcon" command by adding or updating the following rule in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -k perm_chng The audit daemon must be restarted for the changes to take effect. To restart the audit daemon, run the following command: $ sudo service auditd restart

Fix: F-52144r779833_fix

Configure the audit system to generate an audit event for any use of the "ssh-agent" command by adding or updating the following rule in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh The audit daemon must be restarted for the changes to take effect. To restart the audit daemon, run the following command: $ sudo service auditd restart

Fix: F-52145r779836_fix

Configure the audit system to generate an audit event for any use of the "passwd" command by adding or updating the following rule in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-passwd The audit daemon must be restarted for the changes to take effect. To restart the audit daemon, run the following command: $ sudo service auditd restart

Fix: F-52146r779839_fix

Configure the audit system to generate an audit event for any use of the "mount" command by adding or updating the following rules in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -k privileged-mount The audit daemon must be restarted for the changes to take effect. To restart the audit daemon, run the following command: $ sudo service auditd restart

Fix: F-52147r779842_fix

Configure the audit system to generate an audit event for any use of the "umount" command by adding or updating the following rules in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -k privileged-mount The audit daemon must be restarted for the changes to take effect. To restart the audit daemon, run the following command: $ sudo service auditd restart

Fix: F-52148r779845_fix

Configure the audit system to generate an audit event for any use of the "mount" syscall by adding or updating the following rules in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=unset -k privileged-mount -a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=unset -k privileged-mount The audit daemon must be restarted for the changes to take effect. To restart the audit daemon, run the following command: $ sudo service auditd restart

Fix: F-52149r779848_fix

Configure the audit system to generate an audit event for any use of the "unix_update" command by adding or updating the following rule in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F path=/usr/sbin/unix_update -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-update The audit daemon must be restarted for the changes to take effect. To restart the audit daemon, run the following command: $ sudo service auditd restart

Fix: F-52150r779851_fix

Configure the audit system to generate an audit event for any use of the "postdrop" command by adding or updating the following rule in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-update The audit daemon must be restarted for the changes to take effect. To restart the audit daemon, run the following command: $ sudo service auditd restart

Fix: F-52151r779854_fix

Configure the audit system to generate an audit event for any use of the "postqueue" command by adding or updating the following rule in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-update The audit daemon must be restarted for the changes to take effect. To restart the audit daemon, run the following command: $ sudo service auditd restart

Fix: F-52152r779857_fix

Configure OL 8 to audit the execution of the "semanage" command by adding or updating the following lines to "/etc/audit/rules.d/audit.rules": a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-update The audit daemon must be restarted for the changes to take effect. To restart the audit daemon, run the following command: $ sudo service auditd restart

Fix: F-52153r779860_fix

Configure OL 8 to audit the execution of the "setfiles" command by adding or updating the following lines to "/etc/audit/rules.d/audit.rules": -a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-update The audit daemon must be restarted for the changes to take effect. To restart the audit daemon, run the following command: $ sudo service auditd restart

Fix: F-52154r779863_fix

Configure OL 8 to audit the execution of the "userhelper" command by adding or updating the following lines to "/etc/audit/rules.d/audit.rules": -a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-update The audit daemon must be restarted for the changes to take effect. To restart the audit daemon, run the following command: $ sudo service auditd restart

Fix: F-52155r779866_fix

Configure OL 8 to audit the execution of the "setsebool" command by adding or updating the following lines to "/etc/audit/rules.d/audit.rules": -a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-update The audit daemon must be restarted for the changes to take effect. To restart the audit daemon, run the following command: $ sudo service auditd restart

Fix: F-52156r779869_fix

Configure OL 8 to audit the execution of the "unix_chkpwd" command by adding or updating the following lines to "/etc/audit/rules.d/audit.rules": -a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-update The audit daemon must be restarted for the changes to take effect. To restart the audit daemon, run the following command: $ sudo service auditd restart

Fix: F-52157r779872_fix

Configure the audit system to generate an audit event for any use of "ssh-keysign" by adding or updating the following rule in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh The audit daemon must be restarted for the changes to take effect. To restart the audit daemon, run the following command: $ sudo service auditd restart

Fix: F-52158r779875_fix

Configure the audit system to generate an audit event for any use of the "setfacl" command by adding or updating the following rule in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset -k perm_chng The audit daemon must be restarted for the changes to take effect. To restart the audit daemon, run the following command: $ sudo service auditd restart

Fix: F-52159r779878_fix

Configure the audit system to generate an audit event for any use of the "pam_timestamp_check" command by adding or updating the following rule in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=unset -k privileged-pam_timestamp_check The audit daemon must be restarted for the changes to take effect. To restart the audit daemon, run the following command: $ sudo service auditd restart

Fix: F-52160r779881_fix

Configure the audit system to generate an audit event for any use of the "newgrp" command by adding or updating the following rule in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -k priv_cmd The audit daemon must be restarted for the changes to take effect. To restart the audit daemon, run the following command: $ sudo service auditd restart

Fix: F-52161r818671_fix

Configure the audit system to generate an audit event for any use of the "init_module" and "finit_module" system calls by adding or updating the following rules in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F arch=b32 -S init_module,finit_module -F auid>=1000 -F auid!=unset -k module_chng -a always,exit -F arch=b64 -S init_module,finit_module -F auid>=1000 -F auid!=unset -k module_chng The audit daemon must be restarted for the changes to take effect. To restart the audit daemon, run the following command: $ sudo service auditd restart

Fix: F-52162r818674_fix

Configure OL 8 to generate audit records for any use of the "rename", "unlink", "rmdir", "renameat", and "unlinkat" system calls by adding or updating the following lines to "/etc/audit/rules.d/audit.rules": -a always,exit -F arch=b32 -S rename,unlink,rmdir,renameat,unlinkat -F success=1 -F auid>=1000 -F auid!=unset -k delete -a always,exit -F arch=b64 -S rename,unlink,rmdir,renameat,unlinkat -F success=1 -F auid>=1000 -F auid!=unset -k delete The audit daemon must be restarted for the changes to take effect. To restart the audit daemon, run the following command: $ sudo service auditd restart

Fix: F-52167r779902_fix

Configure the audit system to generate an audit event for any use of the "gpasswd" command by adding or updating the following rule in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-gpasswd The audit daemon must be restarted for the changes to take effect. To restart the audit daemon, run the following command: $ sudo service auditd restart

Fix: F-52169r779908_fix

Configure the audit system to generate an audit event for any use of the "delete_module" syscall by adding or updating the following rules in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F arch=b32 -S delete_module -F auid>=1000 -F auid!=unset -k module_chng -a always,exit -F arch=b64 -S delete_module -F auid>=1000 -F auid!=unset -k module_chng The audit daemon must be restarted for the changes to take effect. To restart the audit daemon, run the following command: $ sudo service auditd restart

Fix: F-52170r779911_fix

Configure the audit system to generate an audit event for any use of the "crontab" command by adding or updating the following rule in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -k privileged-crontab The audit daemon must be restarted for the changes to take effect. To restart the audit daemon, run the following command: $ sudo service auditd restart

Fix: F-52171r779914_fix

Configure the audit system to generate an audit event for any use of the "chsh" command by adding or updating the following rule in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -k priv_cmd The audit daemon must be restarted for the changes to take effect. To restart the audit daemon, run the following command: $ sudo service auditd restart

Fix: F-52172r818677_fix

Configure the audit system to generate an audit event for any use of the "truncate", "ftruncate", "creat", "open", "openat", and "open_by_handle_at" system calls by adding or updating the following rules in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F arch=b32 -S truncate,ftruncate,creat,open,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -k perm_access -a always,exit -F arch=b64 -S truncate,ftruncate,creat,open,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -k perm_access -a always,exit -F arch=b32 -S truncate,ftruncate,creat,open,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -k perm_access -a always,exit -F arch=b64 -S truncate,ftruncate,creat,open,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -k perm_access The audit daemon must be restarted for the changes to take effect. To restart the audit daemon, run the following command: $ sudo service auditd restart

Fix: F-52178r818680_fix

Configure the audit system to generate an audit event for any use of the "chown", "fchown", "fchownat", and "lchown" system calls by adding or updating the following line to "/etc/audit/rules.d/audit.rules": -a always,exit -F arch=b32 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=unset -k perm_chng -a always,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=unset -k perm_chng The audit daemon must be restarted for the changes to take effect. To restart the audit daemon, run the following command: $ sudo service auditd restart

Fix: F-52179r818683_fix

Configure the audit system to generate an audit event for any use of the "chmod", "fchmod", and "fchmodat" syscalls by adding or updating the following line to "/etc/audit/rules.d/audit.rules": -a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -k perm_chng -a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -k perm_chng The audit daemon must be restarted for the changes to take effect. To restart the audit daemon, run the following command: $ sudo service auditd restart

Fix: F-52185r779956_fix

Configure the audit system to generate an audit event for any use of the "sudo" command by adding or updating the following rule in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -k priv_cmd The audit daemon must be restarted for the changes to take effect. To restart the audit daemon, run the following command: $ sudo service auditd restart

Fix: F-52186r779959_fix

Configure the audit system to generate an audit event for any use of the "usermod" command by adding or updating the following rule in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=unset -k privileged-usermod The audit daemon must be restarted for the changes to take effect. To restart the audit daemon, run the following command: $ sudo service auditd restart

Fix: F-52187r779962_fix

Configure the audit system to generate an audit event for any use of the "chacl" command by adding or updating the following rule in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -k perm_chng The audit daemon must be restarted for the changes to take effect. To restart the audit daemon, run the following command: $ sudo service auditd restart

Fix: F-52188r779965_fix

Configure OL 8 to audit the execution of the module management program "kmod" by adding or updating the following line to "/etc/audit/rules.d/audit.rules": -w /usr/bin/kmod -p x -k modules The audit daemon must be restarted for the changes to take effect. To restart the audit daemon, run the following command: $ sudo service auditd restart

Fix: F-52190r779971_fix

Configure the audit system to generate an audit event for any attempted modifications to the "lastlog" file by adding or updating the following rules in the "/etc/audit/rules.d/audit.rules" file: -w /var/log/lastlog -p wa -k logins The audit daemon must be restarted for the changes to take effect. To restart the audit daemon, run the following command: $ sudo service auditd restart

Fix: F-52191r779974_fix

Configure OL 8 to audit processes that start prior to the audit daemon with the following command: $ sudo grubby --update-kernel=ALL --args="audit=1" Add or modify the following line in "/etc/default/grub" to ensure the configuration survives kernel updates: GRUB_CMDLINE_LINUX="audit=1"

Fix: F-52194r951580_fix

Configure the "/etc/audit/rules.d/*.rules" and "/etc/audit/auditd.conf" files to have a mode of "0640" with the following commands: $ sudo chmod 0640 /etc/audit/rules.d/*.rules $ sudo chmod 0640 /etc/audit/auditd.conf

Fix: F-52195r779986_fix

Configure the audit tools to be protected from unauthorized access by setting the correct permissive mode using the following command: $ sudo chmod 0755 [audit_tool] Replace "[audit_tool]" with the audit tool that does not have the correct permissive mode.

Fix: F-52196r779989_fix

Configure the audit tools to be owned by "root" by running the following command: $ sudo chown root [audit_tool] Replace "[audit_tool]" with each audit tool not owned by "root".

Fix: F-52197r779992_fix

Configure the audit tools to be group-owned by "root" by running the following command: $ sudo chgrp root [audit_tool] Replace "[audit_tool]" with each audit tool not group-owned by "root".

Fix: F-52200r780001_fix

Configure the operating system to offload audit logs by installing the required packages with the following command: $ sudo yum install rsyslog

Fix: F-52201r780004_fix

Configure the operating system to encrypt offloaded audit logs by installing the required packages with the following command: $ sudo yum install rsyslog-gnutls

Fix: F-52203r780010_fix

Edit the "/etc/audit/auditd.conf" file and add or update the "overflow_action" option: overflow_action = syslog The audit daemon must be restarted for changes to take effect.

Fix: F-52205r780016_fix

Configure the operating system to authenticate the remote logging server for offloading audit logs by setting the following option in "/etc/rsyslog.conf" or "/etc/rsyslog.d/[customfile].conf": $ActionSendStreamDriverAuthMode x509/name

Fix: F-52206r780019_fix

Configure OL 8 to initiate an action to notify the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity by adding/modifying the following line in the "/etc/audit/auditd.conf" file. space_left = 25%

Fix: F-52207r780022_fix

Configure the operating system to initiate an action to notify the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity by adding/modifying the following line in the /etc/audit/auditd.conf file. space_left_action = email Note: Option names and values in the auditd.conf file are case insensitive.

Fix: F-52212r780037_fix

Configure the operating system to disable non-essential capabilities by removing automated bug reporting packages from the system with the following command: $ sudo yum remove abrt*

Fix: F-52213r780040_fix

Configure the operating system to disable non-essential capabilities by removing the sendmail package from the system with the following command: $ sudo yum remove sendmail

Fix: F-52217r943070_fix

Configure OL 8 to disable the ability to use the "atm" kernel module. Create a file under "/etc/modprobe.d" with the following command: $ sudo touch /etc/modprobe.d/atm.conf Add the following line to the created file: install atm /bin/false Configure OL 8 to disable the ability to use the atm kernel module. $ sudo vi /etc/modprobe.d/blacklist.conf Add or update the line: blacklist atm

Fix: F-52218r943073_fix

Configure OL 8 to disable the ability to use the "can" kernel module. Create a file under "/etc/modprobe.d" with the following command: $ sudo touch /etc/modprobe.d/can.conf Add the following line to the created file: install can /bin/false Configure OL 8 to disable the ability to use the can kernel module. $ sudo vi /etc/modprobe.d/blacklist.conf Add or update the line: blacklist can

Fix: F-52219r943076_fix

Configure OL 8 to disable the ability to use the "sctp" kernel module. Create a file under "/etc/modprobe.d" with the following command: $ sudo touch /etc/modprobe.d/sctp.conf Add the following line to the created file: install sctp /bin/false Configure OL 8 to disable the ability to use the sctp kernel module. $ sudo vi /etc/modprobe.d/blacklist.conf Add or update the line: blacklist sctp

Fix: F-52224r780073_fix

Configure OL 8 to disable the ability to automount devices. Turn off the automount service with the following commands: $ sudo systemctl stop autofs $ sudo systemctl disable autofs If "autofs" is required for Network File System (NFS), it must be documented with the ISSO.

Fix: F-52225r943088_fix

Configure OL 8 to disable the ability to use the USB Storage kernel module and to use USB mass storage devices. $ sudo vi /etc/modprobe.d/blacklist.conf Add or update the lines: install usb-storage /bin/false blacklist usb-storage Reboot the system for the settings to take effect.

Fix: F-52228r780085_fix

Install "firewalld" with the following commands: $ sudo yum install firewalld.noarch

Fix: F-52229r780088_fix

Configure "firewalld" to protect the operating system with the following commands: $ sudo systemctl enable firewalld $ sudo systemctl start firewalld

Fix: F-52231r943091_fix

Configure the operating system to disable the Bluetooth adapter when not in use. Build or modify the "/etc/modprobe.d/bluetooth.conf" file with the following line: install bluetooth /bin/false Disable the ability to use the Bluetooth kernel module. $ sudo vi /etc/modprobe.d/blacklist.conf Add or update the line: blacklist bluetooth Reboot the system for the settings to take effect.

Fix: F-52232r780097_fix

Configure OL 8 so that "/dev/shm" is mounted with the "nodev" option by adding/modifying "/etc/fstab" with the following line: tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0

Fix: F-52233r780100_fix

Configure OL 8 so that "/dev/shm" is mounted with the "nosuid" option by adding/modifying "/etc/fstab" with the following line: tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0

Fix: F-52234r780103_fix

Configure OL 8 so that "/dev/shm" is mounted with the "noexec" option by adding/modifying "/etc/fstab" with the following line: tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0

Fix: F-52235r780106_fix

Configure the system so that /tmp is mounted with the "nodev" option by adding /modifying the /etc/fstab with the following line: /dev/mapper/ol-tmp /tmp xfs defaults,nodev,nosuid,noexec 0 0

Fix: F-52236r780109_fix

Configure the system so that /tmp is mounted with the "nosuid" option by adding /modifying the /etc/fstab with the following line: /dev/mapper/ol-tmp /tmp xfs defaults,nodev,nosuid,noexec 0 0

Fix: F-52237r780112_fix

Configure the system so that /tmp is mounted with the "noexec" option by adding /modifying the /etc/fstab with the following line: /dev/mapper/ol-tmp /tmp xfs defaults,nodev,nosuid,noexec 0 0

Fix: F-52238r780115_fix

Configure the system so that /var/log is mounted with the "nodev" option by adding /modifying the /etc/fstab with the following line: /dev/mapper/ol-var_log /var/log xfs defaults,nodev,nosuid,noexec 0 0

Fix: F-52239r780118_fix

Configure the system so that /var/log is mounted with the "nosuid" option by adding /modifying the /etc/fstab with the following line: /dev/mapper/ol-var_log /var/log xfs defaults,nodev,nosuid,noexec 0 0

Fix: F-52240r780121_fix

Configure the system so that /var/log is mounted with the "noexec" option by adding /modifying the /etc/fstab with the following line: /dev/mapper/ol-var_log /var/log xfs defaults,nodev,nosuid,noexec 0 0

Fix: F-52241r780124_fix

Configure the system so that /var/log/audit is mounted with the "nodev" option by adding /modifying the /etc/fstab with the following line: /dev/mapper/ol-var_log_audit /var/log/audit xfs defaults,nodev,nosuid,noexec 0 0

Fix: F-52242r780127_fix

Configure the system so that /var/log/audit is mounted with the "nosuid" option by adding /modifying the /etc/fstab with the following line: /dev/mapper/ol-var_log_audit /var/log/audit xfs defaults,nodev,nosuid,noexec 0 0

Fix: F-52243r780130_fix

Configure the system so that /var/log/audit is mounted with the "noexec" option by adding /modifying the /etc/fstab with the following line: /dev/mapper/ol-var_log_audit /var/log/audit xfs defaults,nodev,nosuid,noexec 0 0

Fix: F-52244r780133_fix

Configure the system so that /var/tmp is mounted with the "nodev" option by adding /modifying the /etc/fstab with the following line: /dev/mapper/ol-var_tmp /var/tmp xfs defaults,nodev,nosuid,noexec 0 0

Fix: F-52245r780136_fix

Configure the system so that /var/tmp is mounted with the "nosuid" option by adding /modifying the /etc/fstab with the following line: /dev/mapper/ol-var_tmp /var/tmp xfs defaults,nodev,nosuid,noexec 0 0

Fix: F-52246r780139_fix

Configure the system so that /var/tmp is mounted with the "noexec" option by adding /modifying the /etc/fstab with the following line: /dev/mapper/ol-var_tmp /var/tmp xfs defaults,nodev,nosuid,noexec 0 0

Fix: F-52247r780142_fix

Install "fapolicyd" with the following command: $ sudo yum install fapolicyd.x86_64

Fix: F-52248r780145_fix

Enable "fapolicyd" using the following command: $ sudo systemctl enable --now fapolicyd

Fix: F-52250r780151_fix

Install the USBGuard package with the following command: $ sudo yum install usbguard.x86_64

Fix: F-52252r780157_fix

Configure the operating system to enable the blocking of unauthorized peripherals with the following commands: $ sudo systemctl enable usbguard.service $ sudo systemctl start usbguard.service Note: Enabling and starting usbguard without properly configuring it for an individual system will immediately prevent any access over a usb device such as a keyboard or mouse.

Fix: F-52253r902787_fix

Configure "nftables" to be the default "firewallbackend" for "firewalld" by adding or editing the following line in "/etc/firewalld/firewalld.conf": FirewallBackend=nftables Establish rate-limiting rules based on organization-defined types of DoS attacks on impacted network interfaces.

Fix: F-52254r780163_fix

Install SSH packages onto the host with the following command: $ sudo yum install openssh-server.x86_64

Fix: F-52255r780166_fix

Configure the SSH service to automatically start after reboot with the following command: $ sudo systemctl enable sshd.service

Fix: F-52256r780169_fix

Configure the system to force a frequent session key renegotiation for SSH connections to the server by adding or modifying the following line in the "/etc/ssh/sshd_config" file: RekeyLimit 1G 1h The SSH daemon must be restarted for the settings to take effect. $ sudo systemctl restart sshd.service

Fix: F-52259r780178_fix

Configure the system to disable the CtrlAltDelBurstAction by added or modifying the following line in the "/etc/systemd/system.conf" configuration file: CtrlAltDelBurstAction=none Reload the daemon for this change to take effect: $ sudo systemctl daemon-reload

Fix: F-52263r858650_fix