Select any two versions of this STIG to compare the individual requirements
Select any old version/release of this STIG to view the previous requirements
Verify the version of the operating system is vendor supported. Note: The lifecycle time spans and dates are subject to adjustment. Check the version of the operating system with the following command: $ sudo cat /etc/redhat-release Red Hat Enterprise Linux Server release 8.6 (Ootpa) Current End of Extended Update Support for RHEL 8.1 is 30 November 2021. Current End of Extended Update Support for RHEL 8.2 is 30 April 2022. Current End of Extended Update Support for RHEL 8.4 is 31 May 2023. Current End of Maintenance Support for RHEL 8.5 is 31 May 2022. Current End of Extended Update Support for RHEL 8.6 is 31 May 2024. Current End of Maintenance Support for RHEL 8.7 is 31 May 2023. Current End of Extended Update Support for RHEL 8.8 is 31 May 2025. Current End of Maintenance Support for RHEL 8.9 is 31 May 2024. Current End of Maintenance Support for RHEL 8.10 is 31 May 2029. If the release is not supported by the vendor, this is a finding.
Upgrade to a supported version of RHEL 8.
Verify the operating system security patches and updates are installed and up to date. Updates are required to be applied with a frequency determined by the site or Program Management Office (PMO). Obtain the list of available package security updates from Red Hat. The URL for updates is https://rhn.redhat.com/errata/. It is important to note that updates provided by Red Hat may not be present on the system if the underlying packages are not installed. Check that the available package security updates have been installed on the system with the following command: $ sudo yum history list | more Loaded plugins: langpacks, product-id, subscription-manager ID | Command line | Date and time | Action(s) | Altered ------------------------------------------------------------------------------- 70 | install aide | 2020-03-05 10:58 | Install | 1 69 | update -y | 2020-03-04 14:34 | Update | 18 EE 68 | install vlc | 2020-02-21 17:12 | Install | 21 67 | update -y | 2020-02-21 17:04 | Update | 7 EE If package updates have not been performed on the system within the timeframe the site/program documentation requires, this is a finding. Typical update frequency may be overridden by Information Assurance Vulnerability Alert (IAVA) notifications from CYBERCOM. If the operating system is in non-compliance with the Information Assurance Vulnerability Management (IAVM) process, this is a finding.
Install the operating system patches or updated packages available from Red Hat within 30 days or sooner as local policy dictates.
Verify the operating system implements DOD-approved encryption to protect the confidentiality of remote access sessions. Check to see if FIPS mode is enabled with the following command: $ fips-mode-setup --check FIPS mode is enabled If FIPS mode is "enabled", check to see if the kernel boot parameter is configured for FIPS mode with the following command: $ sudo grub2-editenv list | grep fips kernelopts=root=/dev/mapper/rhel-root ro crashkernel=auto resume=/dev/mapper/rhel-swap rd.lvm.lv=rhel/root rd.lvm.lv=rhel/swap rhgb quiet fips=1 boot=UUID=8d171156-cd61-421c-ba41-1c021ac29e82 If the kernel boot parameter is configured to use FIPS mode, check to see if the system is in FIPS mode with the following command: $ sudo cat /proc/sys/crypto/fips_enabled 1 If FIPS mode is not "on", the kernel boot parameter is not configured for FIPS mode, or the system does not have a value of "1" for "fips_enabled" in "/proc/sys/crypto", this is a finding.
Configure the operating system to implement DOD-approved encryption by following the steps below: To enable strict FIPS compliance, the fips=1 kernel option needs to be added to the kernel boot parameters during system installation so key generation is done with FIPS-approved algorithms and continuous monitoring tests in place. Enable FIPS mode after installation (not strict FIPS-compliant) with the following command: $ sudo fips-mode-setup --enable Reboot the system for the changes to take effect.
Verify RHEL 8 prevents unauthorized disclosure or modification of all information requiring at-rest protection by using disk encryption. If there is a documented and approved reason for not having data-at-rest encryption at the operating system level, such as encryption provided by a hypervisor or a disk storage array in a virtualized environment, this requirement is not applicable. Verify all system partitions are encrypted with the following command: $ sudo blkid /dev/mapper/rhel-root: UUID="67b7d7fe-de60-6fd0-befb-e6748cf97743" TYPE="crypto_LUKS" Every persistent disk partition present must be of type "crypto_LUKS". If any partitions other than the boot partition or pseudo file systems (such as /proc or /sys) are not type "crypto_LUKS", ask the administrator to indicate how the partitions are encrypted. If there is no evidence that these partitions are encrypted, this is a finding.
Configure RHEL 8 to prevent unauthorized modification of all information at rest by using disk encryption. Encrypting a partition in an already installed system is more difficult, because existing partitions will need to be resized and changed. To encrypt an entire partition, dedicate a partition for encryption in the partition layout.
Verify any publicly accessible connection to the operating system displays the Standard Mandatory DOD Notice and Consent Banner before granting access to the system. Check for the location of the banner file being used with the following command: $ sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\r' | tr '\n' ' ' | xargs sudo grep -iH '^\s*banner' banner /etc/issue This command will return the banner keyword and the name of the file that contains the ssh banner (in this case "/etc/issue"). If the line is commented out, this is a finding. If conflicting results are returned, this is a finding. View the file specified by the banner keyword to check that it matches the text of the Standard Mandatory DOD Notice and Consent Banner: "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." If the system does not display a graphical logon banner or the banner does not match the Standard Mandatory DOD Notice and Consent Banner, this is a finding. If the text in the file does not match the Standard Mandatory DOD Notice and Consent Banner, this is a finding.
Configure the operating system to display the Standard Mandatory DOD Notice and Consent Banner before granting access to the system via the ssh. Edit the "/etc/ssh/sshd_config" file to uncomment the banner keyword and configure it to point to a file that will contain the logon banner (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor). An example configuration line is: banner /etc/issue Either create the file containing the banner or replace the text in the file with the Standard Mandatory DOD Notice and Consent Banner. The DOD-required text is: "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." The SSH service must be restarted for changes to take effect.
Verify RHEL 8 displays the Standard Mandatory DoD Notice and Consent Banner before granting access to the operating system via a graphical user logon. Note: This requirement assumes the use of the RHEL 8 default graphical user interface, Gnome Shell. If the system does not have any graphical user interface installed, this requirement is Not Applicable. Check that the operating system displays the exact Standard Mandatory DoD Notice and Consent Banner text with the command: $ sudo grep banner-message-text /etc/dconf/db/local.d/* banner-message-text= 'You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n-At any time, the USG may inspect and seize data stored on this IS.\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. ' Note: The "\n " characters are for formatting only. They will not be displayed on the graphical interface. If the banner does not match the Standard Mandatory DoD Notice and Consent Banner exactly, this is a finding.
Configure the operating system to display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system. Note: If the system does not have a graphical user interface installed, this requirement is Not Applicable. Add the following lines to the [org/gnome/login-screen] section of the "/etc/dconf/db/local.d/01-banner-message": banner-message-text='You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.\nBy using this IS (which includes any device attached to this IS), you consent to the following conditions:\n-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.\n-At any time, the USG may inspect and seize data stored on this IS.\n-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.\n-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.\n-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. ' Note: The "\n " characters are for formatting only. They will not be displayed on the graphical interface. Run the following command to update the database: $ sudo dconf update
Verify RHEL 8 displays the Standard Mandatory DoD Notice and Consent Banner before granting access to the operating system via a command line user logon. Check that RHEL 8 displays a banner at the command line login screen with the following command: $ sudo cat /etc/issue If the banner is set correctly it will return the following text: “You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.” If the banner text does not match the Standard Mandatory DoD Notice and Consent Banner exactly, this is a finding.
Configure RHEL 8 to display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system via command line logon. Edit the "/etc/issue" file to replace the default text with the Standard Mandatory DoD Notice and Consent Banner. The DoD-required text is: "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests -- not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."
Verify that RHEL 8 monitors all remote access methods. Check that remote access methods are being logged by running the following command: $ sudo grep -E '(auth\.\*|authpriv\.\*|daemon\.\*)' /etc/rsyslog.conf /etc/rsyslog.d/*.conf auth.*;authpriv.*;daemon.* /var/log/secure If "auth.*", "authpriv.*" or "daemon.*" are not configured to be logged, this is a finding.
Configure RHEL 8 to monitor all remote access methods by installing rsyslog with the following command: $ sudo yum install rsyslog Then add or update the following lines to the "/etc/rsyslog.conf" file: auth.*;authpriv.*;daemon.* /var/log/secure The "rsyslog" service must be restarted for the changes to take effect. To restart the "rsyslog" service, run the following command: $ sudo systemctl restart rsyslog.service
Verify RHEL 8 for PKI-based authentication has valid certificates by constructing a certification path (which includes status information) to an accepted trust anchor. Note: If the System Administrator demonstrates the use of an approved alternate multifactor authentication method, this requirement is not applicable. Check that the system has a valid DoD root CA installed with the following command: $ sudo openssl x509 -text -in /etc/sssd/pki/sssd_auth_ca_db.pem Certificate: Data: Version: 3 (0x2) Serial Number: 1 (0x1) Signature Algorithm: sha256WithRSAEncryption Issuer: C = US, O = U.S. Government, OU = DoD, OU = PKI, CN = DoD Root CA 3 Validity Not Before: Mar 20 18:46:41 2012 GMT Not After : Dec 30 18:46:41 2029 GMT Subject: C = US, O = U.S. Government, OU = DoD, OU = PKI, CN = DoD Root CA 3 Subject Public Key Info: Public Key Algorithm: rsaEncryption If the root ca file is not a DoD-issued certificate with a valid date and installed in the /etc/sssd/pki/sssd_auth_ca_db.pem location, this is a finding.
Configure RHEL 8, for PKI-based authentication, to validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor. Obtain a valid copy of the DoD root CA file from the PKI CA certificate bundle at cyber.mil and copy into the following file: /etc/sssd/pki/sssd_auth_ca_db.pem
Verify the SSH private key files have a passcode. For each private key stored on the system, use the following command: $ sudo ssh-keygen -y -f /path/to/file If the contents of the key are displayed, this is a finding.
Create a new private and public key pair that utilizes a passcode with the following command: $ sudo ssh-keygen -n [passphrase]
Verify that the shadow password suite configuration is set to encrypt password with a FIPS 140-2 approved cryptographic hashing algorithm. Check the hashing algorithm that is being used to hash passwords with the following command: $ sudo grep -i crypt /etc/login.defs ENCRYPT_METHOD SHA512 If "ENCRYPT_METHOD" does not equal SHA512 or greater, this is a finding.
Configure RHEL 8 to encrypt all stored passwords. Edit/Modify the following line in the "/etc/login.defs" file and set "[ENCRYPT_METHOD]" to SHA512. ENCRYPT_METHOD SHA512
Confirm that the interactive user account passwords are using a strong password hash with the following command: $ sudo cut -d: -f2 /etc/shadow $6$kcOnRq/5$NUEYPuyL.wghQwWssXRcLRFiiru7f5JPV6GaJhNC2aK5F3PZpE/BCCtwrxRc/AInKMNX3CdMw11m9STiql12f/ Password hashes "!" or "*" indicate inactive accounts not available for logon and are not evaluated. If any interactive user password hash does not begin with "$6$", this is a finding.
Lock all interactive user accounts not using SHA-512 hashing until the passwords can be regenerated with SHA-512.
Check that a minimum number of hash rounds is configured by running the following command: $ sudo grep -E "^SHA_CRYPT_" /etc/login.defs If only one of "SHA_CRYPT_MIN_ROUNDS" or "SHA_CRYPT_MAX_ROUNDS" is set, and this value is below "5000", this is a finding. If both "SHA_CRYPT_MIN_ROUNDS" and "SHA_CRYPT_MAX_ROUNDS" are set, and the highest value for either is below "5000", this is a finding.
Configure RHEL 8 to encrypt all stored passwords with a strong cryptographic hash. Edit/modify the following line in the "/etc/login.defs" file and set "SHA_CRYPT_MIN_ROUNDS" to a value no lower than "5000": SHA_CRYPT_MIN_ROUNDS 5000
For systems that use BIOS, this is Not Applicable. Check to see if an encrypted grub superusers password is set. On systems that use UEFI, use the following command: $ sudo grep -iw grub2_password /boot/efi/EFI/redhat/user.cfg GRUB2_PASSWORD=grub.pbkdf2.sha512.[password_hash] If the grub superusers password does not begin with "grub.pbkdf2.sha512", this is a finding.
Configure the system to require a grub bootloader password for the grub superusers account with the grub2-setpassword command, which creates/overwrites the /boot/efi/EFI/redhat/user.cfg file. Generate an encrypted grub2 password for the grub superusers account with the following command: $ sudo grub2-setpassword Enter password: Confirm password:
For systems that use UEFI, this is Not Applicable. Check to see if an encrypted grub superusers password is set. On systems that use a BIOS, use the following command: $ sudo grep -iw grub2_password /boot/grub2/user.cfg GRUB2_PASSWORD=grub.pbkdf2.sha512.[password_hash] If the grub superusers password does not begin with "grub.pbkdf2.sha512", this is a finding.
Configure the system to require a grub bootloader password for the grub superusers account with the grub2-setpassword command, which creates/overwrites the /boot/grub2/user.cfg file. Generate an encrypted grub2 password for the grub superusers account with the following command: $ sudo grub2-setpassword Enter password: Confirm password:
Check to see if the system requires authentication for rescue mode with the following command: $ sudo grep sulogin-shell /usr/lib/systemd/system/rescue.service ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue If the "ExecStart" line is configured for anything other than "/usr/lib/systemd/systemd-sulogin-shell rescue", commented out, or missing, this is a finding.
Configure the system to require authentication upon booting into rescue mode by adding the following line to the "/usr/lib/systemd/system/rescue.service" file. ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue
Verify that the pam_unix.so module is configured to use sha512. Check that the pam_unix.so module is configured to use sha512 in /etc/pam.d/password-auth with the following command: $ sudo grep password /etc/pam.d/password-auth | grep pam_unix password sufficient pam_unix.so sha512 If "sha512" is missing, or is commented out, this is a finding.
Configure RHEL 8 to use a FIPS 140-2 approved cryptographic hashing algorithm for system authentication. Edit/modify the following line in the "/etc/pam.d/password-auth" file to include the sha512 option for pam_unix.so: password sufficient pam_unix.so sha512
Verify that RHEL 8 prevents system daemons from using Kerberos for authentication. If the system is a server utilizing krb5-server-1.17-18.el8.x86_64 or newer, this requirement is not applicable. If the system is a workstation utilizing krb5-workstation-1.17-18.el8.x86_64 or newer, this requirement is not applicable. Check if there are available keytabs with the following command: $ sudo ls -al /etc/*.keytab If this command produces any file(s), this is a finding.
Configure RHEL 8 to prevent system daemons from using Kerberos for authentication. Remove any files with the .keytab extension from the operating system.
Verify the krb5-workstation package has not been installed on the system with the following commands: If the system is a server or is utilizing krb5-workstation-1.17-18.el8.x86_64 or newer, this is Not Applicable. $ sudo yum list installed krb5-workstation krb5-workstation.x86_64 1.17-9.el8 repository If the krb5-workstation package is installed and is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.
Document the krb5-workstation package with the ISSO as an operational requirement or remove it from the system with the following command: $ sudo yum remove krb5-workstation
Verify the operating system verifies correct operation of all security functions. Check if "SELinux" is active and in "Enforcing" mode with the following command: $ sudo getenforce Enforcing If "SELinux" is not active and not in "Enforcing" mode, this is a finding.
Configure the operating system to verify correct operation of all security functions. Set the "SELinux" status and the "Enforcing" mode by modifying the "/etc/selinux/config" file to have the following line: SELINUX=enforcing A reboot is required for the changes to take effect.
Verify the operating system has the policycoreutils package installed with the following command: $ sudo yum list installed policycoreutils policycoreutils.x86_64 2.9-3.el8 @anaconda If the policycoreutils package is not installed, this is a finding.
Configure the operating system to have the policycoreutils package installed with the following command: $ sudo yum install policycoreutils
Verify that all world-writable directories have the sticky bit set. Check to see that all world-writable directories have the sticky bit set by running the following command: $ sudo find / -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null drwxrwxrwt 7 root root 4096 Jul 26 11:19 /tmp If any of the returned directories are world-writable and do not have the sticky bit set, this is a finding.
Configure all world-writable directories to have the sticky bit set to prevent unauthorized and unintended information transferred via shared system resources. Set the sticky bit on all world-writable directories using the command, replace "[World-Writable Directory]" with any directory path missing the sticky bit: $ sudo chmod 1777 [World-Writable Directory]
Verify the SSH server automatically terminates a user session after the SSH client has become unresponsive. Check that the "ClientAliveCountMax" is set to "1" by performing the following command: $ sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\r' | tr '\n' ' ' | xargs sudo grep -iH '^\s*clientalivecountmax' ClientAliveCountMax 1 If "ClientAliveCountMax" do not exist, is not set to a value of "1" in "/etc/ssh/sshd_config", or is commented out, this is a finding. If conflicting results are returned, this is a finding.
Note: This setting must be applied in conjunction with RHEL-08-010201 to function correctly. Configure the SSH server to terminate a user session automatically after the SSH client has become unresponsive. Modify or append the following lines in the "/etc/ssh/sshd_config" file: ClientAliveCountMax 1 For the changes to take effect, the SSH daemon must be restarted: $ sudo systemctl restart sshd.service
Verify that the "/var/log/messages" file has mode "0640" or less permissive with the following command: $ sudo stat -c "%a %n" /var/log/messages 640 /var/log/messages If a value of "0640" or less permissive is not returned, this is a finding.
Change the permissions of the file "/var/log/messages" to "0640" by running the following command: $ sudo chmod 0640 /var/log/messages
Verify that the /var/log/messages file is owned by root with the following command: $ sudo stat -c "%U" /var/log/messages root If "root" is not returned as a result, this is a finding.
Change the owner of the file /var/log/messages to root by running the following command: $ sudo chown root /var/log/messages
Verify the "/var/log/messages" file is group-owned by root with the following command: $ sudo stat -c "%G" /var/log/messages root If "root" is not returned as a result, this is a finding.
Change the group of the file "/var/log/messages" to "root" by running the following command: $ sudo chgrp root /var/log/messages
Verify that the "/var/log" directory has a mode of "0755" or less with the following command: $ sudo stat -c "%a %n" /var/log 755 If a value of "0755" or less permissive is not returned, this is a finding.
Change the permissions of the directory "/var/log" to "0755" by running the following command: $ sudo chmod 0755 /var/log
Verify the /var/log directory is owned by root with the following command: $ sudo stat -c "%U" /var/log root If "root" is not returned as a result, this is a finding.
Change the owner of the directory /var/log to root by running the following command: $ sudo chown root /var/log
Verify the "/var/log" directory is group-owned by root with the following command: $ sudo stat -c "%G" /var/log root If "root" is not returned as a result, this is a finding.
Change the group of the directory "/var/log" to "root" by running the following command: $ sudo chgrp root /var/log
Verify the SSH server is configured to use only MACs employing FIPS 140-2-approved algorithms with the following command: $ sudo grep -i macs /etc/crypto-policies/back-ends/opensshserver.config -oMACS=hmac-sha2-512,hmac-sha2-256,hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com If the MACs entries in the "opensshserver.config" file have any hashes other than shown here, the order differs from the example above, or they are missing or commented out, this is a finding.
Configure the RHEL 8 SSH server to use only MACs employing FIPS 140-2-approved algorithms by updating the "/etc/crypto-policies/back-ends/opensshserver.config" file with the following line: -oMACS=hmac-sha2-512,hmac-sha2-256,hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com A reboot is required for the changes to take effect.
Verify the SSH server is configured to use only ciphers employing FIPS 140-2-approved algorithms with the following command: $ sudo grep -i ciphers /etc/crypto-policies/back-ends/opensshserver.config CRYPTO_POLICY='-oCiphers=aes256-ctr,aes192-ctr,aes128-ctr,aes256-gcm@openssh.com,aes128-gcm@openssh.com' If the cipher entries in the "opensshserver.config" file have any ciphers other than shown here, the order differs from the example above, or they are missing or commented out, this is a finding.
Configure the RHEL 8 SSH server to use only ciphers employing FIPS 140-2-approved algorithms by updating the "/etc/crypto-policies/back-ends/opensshserver.config" file with the following line: -oCiphers=aes256-ctr,aes192-ctr,aes128-ctr,aes256-gcm@openssh.com,aes128-gcm@openssh.com A reboot is required for the changes to take effect.
Verify the operating system SSH server uses strong entropy with the following command: Note: If the operating system is RHEL versions 8.0 or 8.1, this requirement is not applicable. $ sudo grep -i ssh_use_strong_rng /etc/sysconfig/sshd SSH_USE_STRONG_RNG=32 If the "SSH_USE_STRONG_RNG" line does not equal "32", is commented out or missing, this is a finding.
Configure the operating system SSH server to use strong entropy. Add or modify the following line in the "/etc/sysconfig/sshd" file. SSH_USE_STRONG_RNG=32 The SSH service must be restarted for changes to take effect.
Verify the OpenSSL library is configured to use only ciphers employing FIPS 140-2-approved algorithms: Verify that system-wide crypto policies are in effect: $ sudo grep -i opensslcnf.config /etc/pki/tls/openssl.cnf .include /etc/crypto-policies/back-ends/opensslcnf.config If the "opensslcnf.config" is not defined in the "/etc/pki/tls/openssl.cnf" file, this is a finding. Verify which system-wide crypto policy is in use: $ sudo update-crypto-policies --show FIPS If the system-wide crypto policy is set to anything other than "FIPS", this is a finding.
Configure the RHEL 8 OpenSSL library to use only ciphers employing FIPS 140-2-approved algorithms with the following command: $ sudo fips-mode-setup --enable A reboot is required for the changes to take effect.
Verify the OpenSSL library is configured to use only DoD-approved TLS encryption: For versions prior to crypto-policies-20210617-1.gitc776d3e.el8.noarch: $ sudo grep -i MinProtocol /etc/crypto-policies/back-ends/opensslcnf.config MinProtocol = TLSv1.2 If the "MinProtocol" is set to anything older than "TLSv1.2", this is a finding. For version crypto-policies-20210617-1.gitc776d3e.el8.noarch and newer: $ sudo grep -i MinProtocol /etc/crypto-policies/back-ends/opensslcnf.config TLS.MinProtocol = TLSv1.2 DTLS.MinProtocol = DTLSv1.2 If the "TLS.MinProtocol" is set to anything older than "TLSv1.2" or the "DTLS.MinProtocol" is set to anything older than DTLSv1.2, this is a finding.
Configure the RHEL 8 OpenSSL library to use only DoD-approved TLS encryption by editing the following line in the "/etc/crypto-policies/back-ends/opensslcnf.config" file: For versions prior to crypto-policies-20210617-1.gitc776d3e.el8.noarch: MinProtocol = TLSv1.2 For version crypto-policies-20210617-1.gitc776d3e.el8.noarch and newer: TLS.MinProtocol = TLSv1.2 DTLS.MinProtocol = DTLSv1.2 A reboot is required for the changes to take effect.
Verify the GnuTLS library is configured to only allow DoD-approved SSL/TLS Versions: $ sudo grep -io +vers.* /etc/crypto-policies/back-ends/gnutls.config +VERS-ALL:-VERS-DTLS0.9:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-DTLS1.0:+COMP-NULL:%PROFILE_MEDIUM If the "gnutls.config" does not list "-VERS-DTLS0.9:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-DTLS1.0" to disable unapproved SSL/TLS versions, this is a finding.
Configure the RHEL 8 GnuTLS library to use only DoD-approved encryption by adding the following line to "/etc/crypto-policies/back-ends/gnutls.config": +VERS-ALL:-VERS-DTLS0.9:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-DTLS1.0 A reboot is required for the changes to take effect.
Verify the system commands contained in the following directories have mode "755" or less permissive with the following command: $ sudo find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm /022 -exec ls -l {} \; If any system commands are found to be group-writable or world-writable, this is a finding.
Configure the system commands to be protected from unauthorized access. Run the following command, replacing "[FILE]" with any system command with a mode more permissive than "755". $ sudo chmod 755 [FILE]
Verify the system commands contained in the following directories are owned by "root" with the following command: $ sudo find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -user root -exec ls -l {} \; If any system commands are returned, this is a finding.
Configure the system commands to be protected from unauthorized access. Run the following command, replacing "[FILE]" with any system command file not owned by "root". $ sudo chown root [FILE]
Verify the system commands contained in the following directories are group-owned by "root", or a required system account, with the following command: $ sudo find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -group root -exec ls -l {} \; If any system commands are returned and is not group-owned by a required system account, this is a finding.
Configure the system commands to be protected from unauthorized access. Run the following command, replacing "[FILE]" with any system command file not group-owned by "root" or a required system account. $ sudo chgrp root [FILE]
Verify the system-wide shared library files contained in the following directories have mode "755" or less permissive with the following command: $ sudo find -L /lib /lib64 /usr/lib /usr/lib64 -perm /022 -type f -exec ls -l {} \; If any system-wide shared library file is found to be group-writable or world-writable, this is a finding.
Configure the library files to be protected from unauthorized access. Run the following command, replacing "[FILE]" with any library file with a mode more permissive than 755. $ sudo chmod 755 [FILE]
Verify the system-wide shared library files are owned by "root" with the following command: $ sudo find -L /lib /lib64 /usr/lib /usr/lib64 ! -user root -exec ls -l {} \; If any system wide shared library file is returned, this is a finding.
Configure the system-wide shared library files (/lib, /lib64, /usr/lib and /usr/lib64) to be protected from unauthorized access. Run the following command, replacing "[FILE]" with any library file not owned by "root". $ sudo chown root [FILE]
Verify the system-wide shared library files are group-owned by "root" with the following command: $ sudo find /lib /lib64 /usr/lib /usr/lib64 ! -group root -exec ls -l {} \; If any system wide shared library file is returned and is not group-owned by a required system account, this is a finding.
Configure the system-wide shared library files (/lib, /lib64, /usr/lib and /usr/lib64) to be protected from unauthorized access. Run the following command, replacing "[FILE]" with any library file not group-owned by "root". $ sudo chgrp root [FILE]
Verify the operating system routinely checks the baseline configuration for unauthorized changes and notifies the system administrator when anomalies in the operation of any security functions are discovered. Check that RHEL 8 routinely executes a file integrity scan for changes to the system baseline. The command used in the example will use a daily occurrence. Check the cron directories for scripts controlling the execution and notification of results of the file integrity application. For example, if AIDE is installed on the system, use the following commands: $ sudo ls -al /etc/cron.* | grep aide -rwxr-xr-x 1 root root 29 Nov 22 2015 aide $ sudo grep aide /etc/crontab /var/spool/cron/root /etc/crontab: 30 04 * * * root /usr/sbin/aide /var/spool/cron/root: 30 04 * * * root /usr/sbin/aide $ sudo more /etc/cron.daily/aide #!/bin/bash /usr/sbin/aide --check | /bin/mail -s "$HOSTNAME - Daily AIDE integrity check run" root@example_server_name.mil If the file integrity application does not exist, or a script file controlling the execution of the file integrity application does not exist, or the file integrity application does not notify designated personnel of changes, this is a finding.
Configure the file integrity tool to run automatically on the system at least weekly and to notify designated personnel if baseline configurations are changed in an unauthorized manner. The AIDE tool can be configured to email designated personnel with the use of the cron system. The following example output is generic. It will set cron to run AIDE daily and to send email at the completion of the analysis. $ sudo more /etc/cron.daily/aide #!/bin/bash /usr/sbin/aide --check | /bin/mail -s "$HOSTNAME - Daily AIDE integrity check run" root@example_server_name.mil Note: Per requirement RHEL-08-010358, the "mailx" package must be installed on the system to enable email functionality.
Verify the operating system prevents the installation of patches, service packs, device drivers, or operating system components from a repository without verification that they have been digitally signed using a certificate that is recognized and approved by the organization. Check that YUM verifies the signature of packages from a repository prior to install with the following command: $ sudo grep -E '^\[.*\]|gpgcheck' /etc/yum.repos.d/*.repo /etc/yum.repos.d/appstream.repo:[appstream] /etc/yum.repos.d/appstream.repo:gpgcheck=1 /etc/yum.repos.d/baseos.repo:[baseos] /etc/yum.repos.d/baseos.repo:gpgcheck=1 If "gpgcheck" is not set to "1", or if options are missing or commented out, ask the System Administrator how the certificates for patches and other operating system components are verified. If there is no process to validate certificates that is approved by the organization, this is a finding.
Configure the operating system to verify the signature of packages from a repository prior to install by setting the following option in the "/etc/yum.repos.d/[your_repo_name].repo" file: gpgcheck=1
Verify the operating system prevents the installation of patches, service packs, device drivers, or operating system components from a repository without verification that they have been digitally signed using a certificate that is recognized and approved by the organization. Check if YUM is configured to perform a signature check on local packages with the following command: $ sudo grep -i localpkg_gpgcheck /etc/dnf/dnf.conf localpkg_gpgcheck =True If "localpkg_gpgcheck" is not set to either "1", "True", or "yes", commented out, or is missing from "/etc/dnf/dnf.conf", this is a finding.
Configure the operating system to remove all software components after updated versions have been installed. Set the "localpkg_gpgcheck" option to "True" in the "/etc/dnf/dnf.conf" file: localpkg_gpgcheck=True
Verify the operating system is configured to disable kernel image loading with the following commands: Check the status of the kernel.kexec_load_disabled kernel parameter. $ sudo sysctl kernel.kexec_load_disabled kernel.kexec_load_disabled = 1 If "kernel.kexec_load_disabled" is not set to "1" or is missing, this is a finding. Check that the configuration files are present to enable this kernel parameter. $ sudo grep -r kernel.kexec_load_disabled /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf /etc/sysctl.d/99-sysctl.conf:kernel.kexec_load_disabled = 1 If "kernel.kexec_load_disabled" is not set to "1", is missing or commented out, this is a finding. If conflicting results are returned, this is a finding.
Configure the operating system to disable kernel image loading. Add or edit the following line in a system configuration file, in the "/etc/sysctl.d/" directory: kernel.kexec_load_disabled = 1 Remove any configurations that conflict with the above from the following locations: /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf Load settings from all system configuration files with the following command: $ sudo sysctl --system
Verify the operating system is configured to enable DAC on symlinks with the following commands: Check the status of the fs.protected_symlinks kernel parameter. $ sudo sysctl fs.protected_symlinks fs.protected_symlinks = 1 If "fs.protected_symlinks" is not set to "1" or is missing, this is a finding. Check that the configuration files are present to enable this kernel parameter. $ sudo grep -r fs.protected_symlinks /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf /etc/sysctl.d/99-sysctl.conf:fs.protected_symlinks = 1 If "fs.protected_symlinks" is not set to "1", is missing or commented out, this is a finding. If conflicting results are returned, this is a finding.
Configure the operating system to enable DAC on symlinks. Add or edit the following line in a system configuration file, in the "/etc/sysctl.d/" directory: fs.protected_symlinks = 1 Remove any configurations that conflict with the above from the following locations: /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf Load settings from all system configuration files with the following command: $ sudo sysctl --system
Verify the operating system is configured to enable DAC on hardlinks with the following commands: Check the status of the fs.protected_hardlinks kernel parameter. $ sudo sysctl fs.protected_hardlinks fs.protected_hardlinks = 1 If "fs.protected_hardlinks" is not set to "1" or is missing, this is a finding. Check that the configuration files are present to enable this kernel parameter. $ sudo grep -r fs.protected_hardlinks /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf /etc/sysctl.d/99-sysctl.conf:fs.protected_hardlinks = 1 If "fs.protected_hardlinks" is not set to "1", is missing or commented out, this is a finding. If conflicting results are returned, this is a finding.
Configure the operating system to enable DAC on hardlinks. Add or edit the following line in a system configuration file, in the "/etc/sysctl.d/" directory: fs.protected_hardlinks = 1 Remove any configurations that conflict with the above from the following locations: /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf Load settings from all system configuration files with the following command: $ sudo sysctl --system
Verify the operating system is configured to restrict access to the kernel message buffer with the following commands: Check the status of the kernel.dmesg_restrict kernel parameter. $ sudo sysctl kernel.dmesg_restrict kernel.dmesg_restrict = 1 If "kernel.dmesg_restrict" is not set to "1" or is missing, this is a finding. Check that the configuration files are present to enable this kernel parameter. $ sudo grep -r kernel.dmesg_restrict /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf /etc/sysctl.d/99-sysctl.conf:kernel.dmesg_restrict = 1 If "kernel.dmesg_restrict" is not set to "1", is missing or commented out, this is a finding. If conflicting results are returned, this is a finding.
Configure the operating system to restrict access to the kernel message buffer. Add or edit the following line in a system configuration file, in the "/etc/sysctl.d/" directory: kernel.dmesg_restrict = 1 Remove any configurations that conflict with the above from the following locations: /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf Load settings from all system configuration files with the following command: $ sudo sysctl --system
Verify the operating system is configured to prevent kernel profiling by unprivileged users with the following commands: Check the status of the kernel.perf_event_paranoid kernel parameter. $ sudo sysctl kernel.perf_event_paranoid kernel.perf_event_paranoid = 2 If "kernel.perf_event_paranoid" is not set to "2" or is missing, this is a finding. Check that the configuration files are present to enable this kernel parameter. $ sudo grep -r kernel.perf_event_paranoid /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf /etc/sysctl.d/99-sysctl.conf:kernel.perf_event_paranoid = 2 If "kernel.perf_event_paranoid" is not set to "2", is missing or commented out, this is a finding. If conflicting results are returned, this is a finding.
Configure the operating system to prevent kernel profiling by unprivileged users. Add or edit the following line in a system configuration file, in the "/etc/sysctl.d/" directory: kernel.perf_event_paranoid = 2 Remove any configurations that conflict with the above from the following locations: /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf Load settings from all system configuration files with the following command: $ sudo sysctl --system
Verify that "/etc/sudoers" has no occurrences of "NOPASSWD". Check that the "/etc/sudoers" file has no occurrences of "NOPASSWD" by running the following command: $ sudo grep -i nopasswd /etc/sudoers /etc/sudoers.d/* %admin ALL=(ALL) NOPASSWD: ALL If any occurrences of "NOPASSWD" are returned from the command and have not been documented with the ISSO as an organizationally defined administrative group utilizing MFA, this is a finding.
Remove any occurrence of "NOPASSWD" found in "/etc/sudoers" file or files in the "/etc/sudoers.d" directory.
Verify that "/etc/sudoers" has no occurrences of "!authenticate". Check that the "/etc/sudoers" file has no occurrences of "!authenticate" by running the following command: $ sudo grep -i !authenticate /etc/sudoers /etc/sudoers.d/* If any occurrences of "!authenticate" return from the command, this is a finding.
Remove any occurrence of "!authenticate" found in "/etc/sudoers" file or files in the "/etc/sudoers.d" directory.
Verify the operating system has the packages required for multifactor authentication installed with the following commands: $ sudo yum list installed openssl-pkcs11 openssl-pkcs11.x86_64 0.4.8-2.el8 @anaconda If the "openssl-pkcs11" package is not installed, ask the administrator to indicate what type of multifactor authentication is being utilized and what packages are installed to support it. If there is no evidence of multifactor authentication being used, this is a finding.
Configure the operating system to implement multifactor authentication by installing the required package with the following command: $ sudo yum install openssl-pkcs11
Verify the operating system implements certificate status checking for multifactor authentication. Note: If the System Administrator demonstrates the use of an approved alternate multifactor authentication method, this requirement is not applicable. Check to see if Online Certificate Status Protocol (OCSP) is enabled and using the proper digest value on the system with the following command: $ sudo grep certificate_verification /etc/sssd/sssd.conf /etc/sssd/conf.d/*.conf | grep -v "^#" certificate_verification = ocsp_dgst=sha1 If the certificate_verification line is missing from the [sssd] section, or is missing "ocsp_dgst=sha1", ask the administrator to indicate what type of multifactor authentication is being utilized and how the system implements certificate status checking. If there is no evidence of certificate status checking being used, this is a finding.
Configure the operating system to implement certificate status checking for multifactor authentication. Review the "/etc/sssd/sssd.conf" file to determine if the system is configured to prevent OCSP or certificate verification. Add the following line to the [sssd] section of the "/etc/sssd/sssd.conf" file: certificate_verification = ocsp_dgst=sha1 The "sssd" service must be restarted for the changes to take effect. To restart the "sssd" service, run the following command: $ sudo systemctl restart sssd.service
Verify RHEL 8 accepts PIV credentials. Check that the "opensc" package is installed on the system with the following command: $ sudo yum list installed opensc opensc.x86_64 0.19.0-5.el8 @anaconda Check that "opensc" accepts PIV cards with the following command: $ sudo opensc-tool --list-drivers | grep -i piv PIV-II Personal Identity Verification Card If the "opensc" package is not installed and the "opensc-tool" driver list does not include "PIV-II", this is a finding.
Configure RHEL 8 to accept PIV credentials. Install the "opensc" package using the following command: $ sudo yum install opensc
Verify the NX (no-execution) bit flag is set on the system. Check that the no-execution bit flag is set with the following commands: $ sudo dmesg | grep NX [ 0.000000] NX (Execute Disable) protection: active If "dmesg" does not show "NX (Execute Disable) protection" active, check the cpuinfo settings with the following command: $ sudo less /proc/cpuinfo | grep -i flags flags : fpu vme de pse tsc ms nx rdtscp lm constant_tsc If "flags" does not contain the "nx" flag, this is a finding.
The NX bit execute protection must be enabled in the system BIOS.
Verify that GRUB 2 is configured to enable page poisoning to mitigate use-after-free vulnerabilities with the following commands: Check that the current GRUB 2 configuration has page poisoning enabled: $ sudo grub2-editenv list | grep page_poison kernelopts=root=/dev/mapper/rhel-root ro crashkernel=auto resume=/dev/mapper/rhel-swap rd.lvm.lv=rhel/root rd.lvm.lv=rhel/swap rhgb quiet fips=1 page_poison=1 vsyscall=none audit=1 audit_backlog_limit=8192 boot=UUID=8d171156-cd61-421c-ba41-1c021ac29e82 If "page_poison" is not set to "1" or is missing, this is a finding. Check that page poisoning is enabled by default to persist in kernel updates: $ sudo grep page_poison /etc/default/grub GRUB_CMDLINE_LINUX="page_poison=1" If "page_poison" is not set to "1", is missing or commented out, this is a finding.
Configure RHEL 8 to enable page poisoning with the following commands: $ sudo grubby --update-kernel=ALL --args="page_poison=1" Add or modify the following line in "/etc/default/grub" to ensure the configuration survives kernel updates: GRUB_CMDLINE_LINUX="page_poison=1"
Verify that GRUB 2 is configured to disable vsyscalls with the following commands: Check that the current GRUB 2 configuration disables vsyscalls: $ sudo grub2-editenv list | grep vsyscall kernelopts=root=/dev/mapper/rhel-root ro crashkernel=auto resume=/dev/mapper/rhel-swap rd.lvm.lv=rhel/root rd.lvm.lv=rhel/swap rhgb quiet fips=1 page_poison=1 vsyscall=none audit=1 audit_backlog_limit=8192 boot=UUID=8d171156-cd61-421c-ba41-1c021ac29e82 If "vsyscall" is not set to "none" or is missing, this is a finding. Check that vsyscalls are disabled by default to persist in kernel updates: $ sudo grep vsyscall /etc/default/grub GRUB_CMDLINE_LINUX="vsyscall=none" If "vsyscall" is not set to "none", is missing or commented out and is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.
Document the use of vsyscalls with the ISSO as an operational requirement or disable them with the following command: $ sudo grubby --update-kernel=ALL --args="vsyscall=none" Add or modify the following line in "/etc/default/grub" to ensure the configuration survives kernel updates: GRUB_CMDLINE_LINUX="vsyscall=none"
Verify that GRUB 2 is configured to enable poisoning of SLUB/SLAB objects to mitigate use-after-free vulnerabilities with the following commands: Check that the current GRUB 2 configuration has poisoning of SLUB/SLAB objects enabled: $ sudo grub2-editenv list | grep slub_debug kernelopts=root=/dev/mapper/rhel-root ro crashkernel=auto resume=/dev/mapper/rhel-swap rd.lvm.lv=rhel/root rd.lvm.lv=rhel/swap rhgb quiet fips=1 slub_debug=P page_poison=1 vsyscall=none audit=1 audit_backlog_limit=8192 boot=UUID=8d171156-cd61-421c-ba41-1c021ac29e82 If "slub_debug" does not contain "P" or is missing, this is a finding. Check that poisoning of SLUB/SLAB objects is enabled by default to persist in kernel updates: $ sudo grep slub_debug /etc/default/grub GRUB_CMDLINE_LINUX="slub_debug=P" If "slub_debug" does not contain "P", is missing, or is commented out, this is a finding.
Configure RHEL 8 to enable poisoning of SLUB/SLAB objects with the following commands: $ sudo grubby --update-kernel=ALL --args="slub_debug=P" Add or modify the following line in "/etc/default/grub" to ensure the configuration survives kernel updates: GRUB_CMDLINE_LINUX="slub_debug=P"
Verify RHEL 8 implements ASLR with the following command: $ sudo sysctl kernel.randomize_va_space kernel.randomize_va_space = 2 If "kernel.randomize_va_space" is not set to "2", this is a finding. Check that the configuration files are present to enable this kernel parameter. $ sudo grep -r kernel.randomize_va_space /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf /etc/sysctl.d/99-sysctl.conf:kernel.randomize_va_space = 2 If "kernel.randomize_va_space" is not set to "2", is missing or commented out, this is a finding. If conflicting results are returned, this is a finding.
Configure the operating system to implement virtual address space randomization. Add or edit the following line in a system configuration file, in the "/etc/sysctl.d/" directory: kernel.randomize_va_space=2 Remove any configurations that conflict with the above from the following locations: /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf Issue the following command to make the changes take effect: $ sudo sysctl --system
Verify the operating system removes all software components after updated versions have been installed. Check if YUM is configured to remove unneeded packages with the following command: $ sudo grep -i clean_requirements_on_remove /etc/dnf/dnf.conf clean_requirements_on_remove=True If "clean_requirements_on_remove" is not set to either "1", "True", or "yes", commented out, or is missing from "/etc/dnf/dnf.conf", this is a finding.
Configure the operating system to remove all software components after updated versions have been installed. Set the "clean_requirements_on_remove" option to "True" in the "/etc/dnf/dnf.conf" file: clean_requirements_on_remove=True
Ensure the operating system verifies correct operation of all security functions. Check if "SELinux" is active and is enforcing the targeted policy with the following command: $ sudo sestatus SELinux status: enabled SELinuxfs mount: /sys/fs/selinux SELinux root directory: /etc/selinux Loaded policy name: targeted Current mode: enforcing Mode from config file: enforcing Policy MLS status: enabled Policy deny_unknown status: allowed Memory protection checking: actual (secure) Max kernel policy version: 31 If the "Loaded policy name" is not set to "targeted", this is a finding. Verify that the /etc/selinux/config file is configured to the "SELINUXTYPE" to "targeted": $ sudo grep -i "selinuxtype" /etc/selinux/config | grep -v '^#' SELINUXTYPE = targeted If no results are returned or "SELINUXTYPE" is not set to "targeted", this is a finding.
Configure the operating system to verify correct operation of all security functions. Set the "SELinuxtype" to the "targeted" policy by modifying the "/etc/selinux/config" file to have the following line: SELINUXTYPE=targeted A reboot is required for the changes to take effect.
Verify there are no "shosts.equiv" files on RHEL 8 with the following command: $ sudo find / -name shosts.equiv If a "shosts.equiv" file is found, this is a finding.
Remove any found "shosts.equiv" files from the system. $ sudo rm /etc/ssh/shosts.equiv
Verify there are no ".shosts" files on RHEL 8 with the following command: $ sudo find / -name '*.shosts' If any ".shosts" files are found, this is a finding.
Remove any found ".shosts" files from the system. $ sudo rm /[path]/[to]/[file]/.shosts
Note: For RHEL versions 8.4 and above running with kernel FIPS mode enabled as specified by RHEL-08-010020, this requirement is Not Applicable. Check that RHEL 8 has enabled the hardware random number generator entropy gatherer service. Verify the rngd service is enabled and active with the following commands: $ sudo systemctl is-enabled rngd enabled $ sudo systemctl is-active rngd active If the service is not "enabled" and "active", this is a finding.
Start the rngd service and enable the rngd service with the following commands: $ sudo systemctl start rngd.service $ sudo systemctl enable rngd.service
Verify the SSH public host key files have mode "0644" or less permissive with the following command: $ sudo ls -l /etc/ssh/*.pub -rw-r--r-- 1 root root 618 Nov 28 06:43 ssh_host_dsa_key.pub -rw-r--r-- 1 root root 347 Nov 28 06:43 ssh_host_key.pub -rw-r--r-- 1 root root 238 Nov 28 06:43 ssh_host_rsa_key.pub If any key.pub file has a mode more permissive than "0644", this is a finding. Note: SSH public key files may be found in other directories on the system depending on the installation.
Change the mode of public host key files under "/etc/ssh" to "0644" with the following command: $ sudo chmod 0644 /etc/ssh/*key.pub The SSH daemon must be restarted for the changes to take effect. To restart the SSH daemon, run the following command: $ sudo systemctl restart sshd.service
Verify the SSH private host key files have mode "0640" or less permissive with the following command: $ sudo ls -l /etc/ssh/ssh_host*key -rw-r----- 1 root ssh_keys 668 Nov 28 06:43 ssh_host_dsa_key -rw-r----- 1 root ssh_keys 582 Nov 28 06:43 ssh_host_key -rw-r----- 1 root ssh_keys 887 Nov 28 06:43 ssh_host_rsa_key If any private host key file has a mode more permissive than "0640", this is a finding.
Configure the mode of SSH private host key files under "/etc/ssh" to "0640" with the following command: $ sudo chmod 0640 /etc/ssh/ssh_host*key The SSH daemon must be restarted for the changes to take effect. To restart the SSH daemon, run the following command: $ sudo systemctl restart sshd.service
Verify the SSH daemon performs strict mode checking of home directory configuration files with the following command: $ sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\r' | tr '\n' ' ' | xargs sudo grep -iH '^\s*strictmodes' StrictModes yes If "StrictModes" is set to "no", is missing, or the returned line is commented out, this is a finding. If conflicting results are returned, this is a finding.
Configure SSH to perform strict mode checking of home directory configuration files. Uncomment the "StrictModes" keyword in "/etc/ssh/sshd_config" and set the value to "yes": StrictModes yes The SSH daemon must be restarted for the changes to take effect. To restart the SSH daemon, run the following command: $ sudo systemctl restart sshd.service
Verify the SSH daemon does not allow authentication using known host’s authentication with the following command: $ sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\r' | tr '\n' ' ' | xargs sudo grep -iH '^\s*ignoreuserknownhosts' IgnoreUserKnownHosts yes If the value is returned as "no", the returned line is commented out, or no output is returned, this is a finding. If conflicting results are returned, this is a finding.
Configure the SSH daemon to not allow authentication using known host’s authentication. Add the following line in "/etc/ssh/sshd_config", or uncomment the line and set the value to "yes": IgnoreUserKnownHosts yes The SSH daemon must be restarted for the changes to take effect. To restart the SSH daemon, run the following command: $ sudo systemctl restart sshd.service
Verify the SSH daemon does not allow Kerberos authentication with the following command: $ sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\r' | tr '\n' ' ' | xargs sudo grep -iH '^\s*kerberosauthentication' KerberosAuthentication no If the value is returned as "yes", the returned line is commented out, no output is returned, or has not been documented with the information system security officer (ISSO), this is a finding. If conflicting results are returned, this is a finding.
Configure the SSH daemon to not allow Kerberos authentication. Add the following line in "/etc/ssh/sshd_config", or uncomment the line and set the value to "no": KerberosAuthentication no The SSH daemon must be restarted for the changes to take effect. To restart the SSH daemon, run the following command: $ sudo systemctl restart sshd.service
Verify that a separate file system has been created for "/var". Check that a file system has been created for "/var" with the following command: $ sudo grep /var /etc/fstab /dev/mapper/... /var xfs defaults,nodev 0 0 If a separate entry for "/var" is not in use, this is a finding.
Migrate the "/var" path onto a separate file system.
Verify that a separate file system has been created for "/var/log". Check that a file system has been created for "/var/log" with the following command: $ sudo grep /var/log /etc/fstab /dev/mapper/... /var/log xfs defaults,nodev,noexec,nosuid 0 0 If a separate entry for "/var/log" is not in use, this is a finding.
Migrate the "/var/log" path onto a separate file system.
Verify that a separate file system/partition has been created for the system audit data path with the following command: Note: /var/log/audit is used as the example as it is a common location. $ sudo grep /var/log/audit /etc/fstab UUID=3645951a /var/log/audit xfs defaults 1 2 If an entry for "/var/log/audit" does not exist, ask the System Administrator if the system audit logs are being written to a different file system/partition on the system, then grep for that file system/partition. If a separate file system/partition does not exist for the system audit data path, this is a finding.
Migrate the system audit data path onto a separate file system.
Verify that a separate file system/partition has been created for non-privileged local interactive user home directories. $ sudo grep /tmp /etc/fstab /dev/mapper/rhel-tmp /tmp xfs defaults,nodev,nosuid,noexec 0 0 If a separate entry for the file system/partition "/tmp" does not exist, this is a finding.
Migrate the "/tmp" directory onto a separate file system/partition.
Verify remote access using SSH prevents users from logging on directly as "root". Check that SSH prevents users from logging on directly as "root" with the following command: $ sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\r' | tr '\n' ' ' | xargs sudo grep -iH '^\s*permitrootlogin' PermitRootLogin no If the "PermitRootLogin" keyword is set to "yes", is missing, or is commented out, this is a finding. If conflicting results are returned, this is a finding.
Configure RHEL 8 to stop users from logging on remotely as the "root" user via SSH. Edit the appropriate "/etc/ssh/sshd_config" file to uncomment or add the line for the "PermitRootLogin" keyword and set its value to "no": PermitRootLogin no The SSH daemon must be restarted for the changes to take effect. To restart the SSH daemon, run the following command: $ sudo systemctl restart sshd.service
Verify the rsyslog service is enabled and active with the following commands: $ sudo systemctl is-enabled rsyslog enabled $ sudo systemctl is-active rsyslog active If the service is not "enabled" and "active" this is a finding.
Start the auditd service, and enable the rsyslog service with the following commands: $ sudo systemctl start rsyslog.service $ sudo systemctl enable rsyslog.service
Verify file systems that contain user home directories are mounted with the "nosuid" option. Note: If a separate file system has not been created for the user home directories (user home directories are mounted under "/"), this is automatically a finding as the "nosuid" option cannot be used on the "/" system. Find the file system(s) that contain the user home directories with the following command: $ sudo awk -F: '($3>=1000)&&($7 !~ /nologin/){print $1,$3,$6}' /etc/passwd smithj:1001: /home/smithj robinst:1002: /home/robinst Check the file systems that are mounted at boot time with the following command: $ sudo more /etc/fstab UUID=a411dc99-f2a1-4c87-9e05-184977be8539 /home xfs rw,relatime,discard,data=ordered,nosuid,nodev,noexec 0 0 If a file system found in "/etc/fstab" refers to the user home directory file system and it does not have the "nosuid" option set, this is a finding.
Configure the "/etc/fstab" to use the "nosuid" option on file systems that contain user home directories for interactive users.
For systems that use UEFI, this is Not Applicable. Verify the /boot directory is mounted with the "nosuid" option with the following command: $ sudo mount | grep '\s/boot\s' /dev/sda1 on /boot type xfs (rw,nosuid,relatime,seclabe,attr2,inode64,noquota) If the /boot file system does not have the "nosuid" option set, this is a finding.
Configure the "/etc/fstab" to use the "nosuid" option on the /boot directory.
Verify all non-root local partitions are mounted with the "nodev" option with the following command: $ sudo mount | grep '^/dev\S* on /\S' | grep --invert-match 'nodev' If any output is produced, this is a finding.
Configure the "/etc/fstab" to use the "nodev" option on all non-root local partitions.
Verify file systems that contain user home directories are mounted with the "noexec" option. Note: If a separate file system has not been created for the user home directories (user home directories are mounted under "/"), this is automatically a finding as the "noexec" option cannot be used on the "/" system. Find the file system(s) that contain the user home directories with the following command: $ sudo awk -F: '($3>=1000)&&($7 !~ /nologin/){print $1,$3,$6}' /etc/passwd smithj:1001: /home/smithj robinst:1002: /home/robinst Check the file systems that are mounted at boot time with the following command: $ sudo more /etc/fstab UUID=a411dc99-f2a1-4c87-9e05-184977be8539 /home ext4 rw,relatime,discard,data=ordered,nosuid,nodev,noexec 0 2 If a file system found in "/etc/fstab" refers to the user home directory file system and it does not have the "noexec" option set, this is a finding.
Configure the "/etc/fstab" to use the "noexec" option on file systems that contain user home directories for interactive users.
Verify file systems that are used for removable media are mounted with the "nodev" option with the following command: $ sudo more /etc/fstab UUID=2bc871e4-e2a3-4f29-9ece-3be60c835222 /mnt/usbflash vfat noauto,owner,ro,nosuid,nodev,noexec 0 0 If a file system found in "/etc/fstab" refers to removable media and it does not have the "nodev" option set, this is a finding.
Configure the "/etc/fstab" to use the "nodev" option on file systems that are associated with removable media.
Verify file systems that are used for removable media are mounted with the "noexec" option with the following command: $ sudo more /etc/fstab UUID=2bc871e4-e2a3-4f29-9ece-3be60c835222 /mnt/usbflash vfat noauto,owner,ro,nosuid,nodev,noexec 0 0 If a file system found in "/etc/fstab" refers to removable media and it does not have the "noexec" option set, this is a finding.
Configure the "/etc/fstab" to use the "noexec" option on file systems that are associated with removable media.
Verify file systems that are used for removable media are mounted with the "nosuid" option with the following command: $ sudo more /etc/fstab UUID=2bc871e4-e2a3-4f29-9ece-3be60c835222 /mnt/usbflash vfat noauto,owner,ro,nosuid,nodev,noexec 0 0 If a file system found in "/etc/fstab" refers to removable media and it does not have the "nosuid" option set, this is a finding.
Configure the "/etc/fstab" to use the "nosuid" option on file systems that are associated with removable media.
Verify that file systems being imported via NFS are mounted with the "noexec" option with the following command: $ sudo grep nfs /etc/fstab | grep noexec UUID=e06097bb-cfcd-437b-9e4d-a691f5662a7d /store nfs rw,nosuid,nodev,noexec 0 0 If a file system found in "/etc/fstab" refers to NFS and it does not have the "noexec" option set, this is a finding.
Configure the "/etc/fstab" to use the "noexec" option on file systems that are being imported via NFS.
Verify file systems that are being NFS-imported are mounted with the "nodev" option with the following command: $ sudo grep nfs /etc/fstab | grep nodev UUID=e06097bb-cfcd-437b-9e4d-a691f5662a7d /store nfs rw,nosuid,nodev,noexec 0 0 If a file system found in "/etc/fstab" refers to NFS and it does not have the "nodev" option set, this is a finding.
Configure the "/etc/fstab" to use the "nodev" option on file systems that are being imported via NFS.
Verify that file systems being imported via NFS are mounted with the "nosuid" option with the following command: $ sudo grep nfs /etc/fstab | grep nosuid UUID=e06097bb-cfcd-437b-9e4d-a691f5662a7d /store nfs rw,nosuid,nodev,noexec 0 0 If a file system found in "/etc/fstab" refers to NFS and it does not have the "nosuid" option set, this is a finding.
Configure the "/etc/fstab" to use the "nosuid" option on file systems that are being imported via NFS.
Verify that local initialization files do not execute world-writable programs. Check the system for world-writable files. The following command will discover and print world-writable files. Run it once for each local partition [PART]: $ sudo find [PART] -xdev -type f -perm -0002 -print For all files listed, check for their presence in the local initialization files with the following commands: Note: The example will be for a system that is configured to create user home directories in the "/home" directory. $ sudo grep <file> /home/*/.* If any local initialization files are found to reference world-writable files, this is a finding.
Set the mode on files being executed by the local initialization files with the following command: $ sudo chmod 0755 <file>
Verify that kernel core dumps are disabled unless needed with the following command: $ sudo systemctl status kdump.service kdump.service - Crash recovery kernel arming Loaded: loaded (/usr/lib/systemd/system/kdump.service; enabled; vendor preset: enabled) Active: active (exited) since Mon 2020-05-04 16:08:09 EDT; 3min ago Main PID: 1130 (code=exited, status=0/SUCCESS) If the "kdump" service is active, ask the System Administrator if the use of the service is required and documented with the Information System Security Officer (ISSO). If the service is active and is not documented, this is a finding.
If kernel core dumps are not required, disable the "kdump" service with the following command: # systemctl disable kdump.service If kernel core dumps are required, document the need with the ISSO.
Verify RHEL 8 disables storing core dumps with the following commands: $ sudo sysctl kernel.core_pattern kernel.core_pattern = |/bin/false If the returned line does not have a value of "|/bin/false", or a line is not returned and the need for core dumps is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding. Check that the configuration files are present to enable this kernel parameter. $ sudo grep -r kernel.core_pattern /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf /etc/sysctl.d/99-sysctl.conf:kernel.core_pattern = |/bin/false If "kernel.core_pattern" is not set to "|/bin/false", is missing or commented out, this is a finding. If conflicting results are returned, this is a finding.
Configure RHEL 8 to disable storing core dumps. Add or edit the following line in a system configuration file, in the "/etc/sysctl.d/" directory: kernel.core_pattern = |/bin/false Remove any configurations that conflict with the above from the following locations: /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf The system configuration files need to be reloaded for the changes to take effect. To reload the contents of the files, run the following command: $ sudo sysctl --system
Verify RHEL 8 is not configured to acquire, save, or process core dumps with the following command: $ sudo systemctl status systemd-coredump.socket systemd-coredump.socket Loaded: masked (Reason: Unit systemd-coredump.socket is masked.) Active: inactive (dead) If the "systemd-coredump.socket" is loaded and not masked and the need for core dumps is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.
Configure the system to disable the systemd-coredump.socket with the following commands: $ sudo systemctl disable --now systemd-coredump.socket $ sudo systemctl mask systemd-coredump.socket Created symlink /etc/systemd/system/systemd-coredump.socket -> /dev/null Reload the daemon for this change to take effect. $ sudo systemctl daemon-reload
Verify the operating system disables core dumps for all users by issuing the following command: $ sudo grep -r -s '^[^#].*core' /etc/security/limits.conf /etc/security/limits.d/*.conf * hard core 0 This can be set as a global domain (with the * wildcard) but may be set differently for multiple domains. If the "core" item is missing, commented out, or the value is anything other than "0" and the need for core dumps is not documented with the Information System Security Officer (ISSO) as an operational requirement for all domains that have the "core" item assigned, this is a finding.
Configure the operating system to disable core dumps for all users. Add the following line to the top of the /etc/security/limits.conf or in a ".conf" file defined in /etc/security/limits.d/: * hard core 0
Verify the operating system disables storing core dumps for all users by issuing the following command: $ sudo grep -i storage /etc/systemd/coredump.conf Storage=none If the "Storage" item is missing, commented out, or the value is anything other than "none" and the need for core dumps is not documented with the Information System Security Officer (ISSO) as an operational requirement for all domains that have the "core" item assigned, this is a finding.
Configure the operating system to disable storing core dumps for all users. Add or modify the following line in /etc/systemd/coredump.conf: Storage=none
Verify the operating system disables core dump backtraces by issuing the following command: $ sudo grep -i ProcessSizeMax /etc/systemd/coredump.conf ProcessSizeMax=0 If the "ProcessSizeMax" item is missing, commented out, or the value is anything other than "0" and the need for core dumps is not documented with the Information System Security Officer (ISSO) as an operational requirement for all domains that have the "core" item assigned, this is a finding.
Configure the operating system to disable core dump backtraces. Add or modify the following line in /etc/systemd/coredump.conf: ProcessSizeMax=0
Determine whether the system is using local or DNS name resolution with the following command: $ sudo grep hosts /etc/nsswitch.conf hosts: files dns If the DNS entry is missing from the host's line in the "/etc/nsswitch.conf" file, the "/etc/resolv.conf" file must be empty. Verify the "/etc/resolv.conf" file is empty with the following command: $ sudo ls -al /etc/resolv.conf -rw-r--r-- 1 root root 0 Aug 19 08:31 resolv.conf If local host authentication is being used and the "/etc/resolv.conf" file is not empty, this is a finding. If the DNS entry is found on the host's line of the "/etc/nsswitch.conf" file, verify the operating system is configured to use two or more name servers for DNS resolution. Determine the name servers used by the system with the following command: $ sudo grep nameserver /etc/resolv.conf nameserver 192.168.1.2 nameserver 192.168.1.3 If less than two lines are returned that are not commented out, this is a finding.
Configure the operating system to use two or more name servers for DNS resolution. By default, "NetworkManager" on RHEL 8 dynamically updates the /etc/resolv.conf file with the DNS settings from active "NetworkManager" connection profiles. However, this feature can be disabled to allow manual configurations. If manually configuring DNS, edit the "/etc/resolv.conf" file to uncomment or add the two or more "nameserver" option lines with the IP address of local authoritative name servers. If local host resolution is being performed, the "/etc/resolv.conf" file must be empty. An empty "/etc/resolv.conf" file can be created as follows: $ sudo echo -n > /etc/resolv.conf
Verify that all local interactive user initialization file executable search path statements do not contain statements that will reference a working directory other than user home directories with the following commands: $ sudo grep -i path= /home/*/.* /home/[localinteractiveuser]/.bash_profile:PATH=$PATH:$HOME/.local/bin:$HOME/bin If any local interactive user initialization files have executable search path statements that include directories outside of their home directory and is not documented with the ISSO as an operational requirement, this is a finding.
Edit the local interactive user initialization files to change any PATH variable statements that reference directories other than their home directory. If a local interactive user requires path variables to reference a directory owned by the application, it must be documented with the ISSO.
The following command will discover and print world-writable directories that are not owned by a system account, given the assumption that only system accounts have a uid lower than 1000. Run it once for each local partition [PART]: $ sudo find [PART] -xdev -type d -perm -0002 -uid +999 -print If there is output, this is a finding.
All directories in local partitions which are world-writable should be owned by root or another system account. If any world-writable directories are not owned by a system account, this should be investigated. Following this, the files should be deleted or assigned to an appropriate group.
The following command will discover and print world-writable directories that are not group-owned by a system account, given the assumption that only system accounts have a gid lower than 1000. Run it once for each local partition [PART]: $ sudo find [PART] -xdev -type d -perm -0002 -gid +999 -print If there is output, this is a finding.
All directories in local partitions which are world-writable must be group-owned by root or another system account. If any world-writable directories are not group-owned by a system account, this must be investigated. Following this, the directories must be deleted or assigned to an appropriate group.
Verify local interactive users on RHEL 8 have a home directory assigned with the following command: $ sudo pwck -r user 'lp': directory '/var/spool/lpd' does not exist user 'news': directory '/var/spool/news' does not exist user 'uucp': directory '/var/spool/uucp' does not exist user 'www-data': directory '/var/www' does not exist Ask the System Administrator (SA) if any users found without home directories are local interactive users. If the SA is unable to provide a response, check for users with a User Identifier (UID) of 1000 or greater with the following command: $ sudo awk -F: '($3>=1000)&&($7 !~ /nologin/){print $1, $3, $6}' /etc/passwd If any interactive users do not have a home directory assigned, this is a finding.
Assign home directories to all local interactive users on RHEL 8 that currently do not have a home directory assigned.
Verify the assigned home directory of all local interactive users has a mode of "0750" or less permissive with the following command: Note: This may miss interactive users that have been assigned a privileged User Identifier (UID). Evidence of interactive use may be obtained from a number of log files containing system logon information. $ sudo ls -ld $(awk -F: '($3>=1000)&&($7 !~ /nologin/){print $6}' /etc/passwd) drwxr-x--- 2 smithj admin 4096 Jun 5 12:41 smithj If home directories referenced in "/etc/passwd" do not have a mode of "0750" or less permissive, this is a finding.
Change the mode of interactive user’s home directories to "0750". To change the mode of a local interactive user’s home directory, use the following command: Note: The example will be for the user "smithj". $ sudo chmod 0750 /home/smithj
Verify the assigned home directory of all local interactive users is group-owned by that user’s primary GID with the following command: Note: This may miss local interactive users that have been assigned a privileged UID. Evidence of interactive use may be obtained from a number of log files containing system logon information. The returned directory "/home/smithj" is used as an example. $ sudo ls -ld $(awk -F: '($3>=1000)&&($7 !~ /nologin/){print $6}' /etc/passwd) drwxr-x--- 2 smithj admin 4096 Jun 5 12:41 smithj Check the user's primary group with the following command: $ sudo grep $(grep smithj /etc/passwd | awk -F: '{print $4}') /etc/group admin:x:250:smithj,jonesj,jacksons If the user home directory referenced in "/etc/passwd" is not group-owned by that user’s primary GID, this is a finding.
Change the group owner of a local interactive user’s home directory to the group found in "/etc/passwd". To change the group owner of a local interactive user’s home directory, use the following command: Note: The example will be for the user "smithj", who has a home directory of "/home/smithj", and has a primary group of users. $ sudo chgrp users /home/smithj
Verify the assigned home directory of all local interactive users on RHEL 8 exists with the following command: $ sudo ls -ld $(awk -F: '($3>=1000)&&($7 !~ /nologin/){print $6}' /etc/passwd) drwxr-xr-x 2 smithj admin 4096 Jun 5 12:41 smithj Note: This may miss interactive users that have been assigned a privileged User ID (UID). Evidence of interactive use may be obtained from a number of log files containing system logon information. Check that all referenced home directories exist with the following command: $ sudo pwck -r user 'smithj': directory '/home/smithj' does not exist If any home directories referenced in "/etc/passwd" are returned as not defined, this is a finding.
Create home directories to all local interactive users that currently do not have a home directory assigned. Use the following commands to create the user home directory assigned in "/etc/ passwd": Note: The example will be for the user smithj, who has a home directory of "/home/smithj", a UID of "smithj", and a Group Identifier (GID) of "users assigned" in "/etc/passwd". $ sudo mkdir /home/smithj $ sudo chown smithj /home/smithj $ sudo chgrp users /home/smithj $ sudo chmod 0750 /home/smithj
Verify all local interactive users on RHEL 8 are assigned a home directory upon creation with the following command: $ sudo grep -i create_home /etc/login.defs CREATE_HOME yes If the value for "CREATE_HOME" parameter is not set to "yes", the line is missing, or the line is commented out, this is a finding.
Configure RHEL 8 to assign home directories to all new local interactive users by setting the "CREATE_HOME" parameter in "/etc/login.defs" to "yes" as follows. CREATE_HOME yes
Verify that all local initialization files have a mode of "0740" or less permissive with the following command: Note: The example will be for the "smithj" user, who has a home directory of "/home/smithj". $ sudo ls -al /home/smithj/.[^.]* | more -rw-------. 1 smithj users 2984 Apr 27 19:02 .bash_history -rw-r--r--. 1 smithj users 18 Aug 21 2019 .bash_logout -rw-r--r--. 1 smithj users 193 Aug 21 2019 .bash_profile If any local initialization files have a mode more permissive than "0740", this is a finding.
Set the mode of the local initialization files to "0740" with the following command: Note: The example will be for the smithj user, who has a home directory of "/home/smithj". $ sudo chmod 0740 /home/smithj/.<INIT_FILE>
Verify all local files and directories on RHEL 8 have a valid owner with the following command: Note: The value after -fstype must be replaced with the filesystem type. XFS is used as an example. $ sudo find / -fstype xfs -nouser If any files on the system do not have an assigned owner, this is a finding. Note: Command may produce error messages from the /proc and /sys directories.
Either remove all files and directories from the system that do not have a valid user, or assign a valid user to all unowned files and directories on RHEL 8 with the "chown" command: $ sudo chown <user> <file>
Verify all local files and directories on RHEL 8 have a valid group with the following command: Note: The value after -fstype must be replaced with the filesystem type. XFS is used as an example. $ sudo find / -fstype xfs -nogroup If any files on the system do not have an assigned group, this is a finding. Note: Command may produce error messages from the /proc and /sys directories.
Either remove all files and directories from RHEL 8 that do not have a valid group, or assign a valid group to all files and directories on the system with the "chgrp" command: $ sudo chgrp <group> <file>
Verify that a separate file system has been created for non-privileged local interactive user home directories. Check the home directory assignment for all non-privileged users, users with a User Identifier (UID) greater than 1000, on the system with the following command: $ sudo awk -F: '($3>=1000)&&($7 !~ /nologin/){print $1,$3,$6}' /etc/passwd doej 1001 /home/doej publicj 1002 /home/publicj smithj 1003 /home/smithj The output of the command will give the directory/partition that contains the home directories for the non-privileged users on the system (in this example, "/home") and users’ shell. All accounts with a valid shell (such as /bin/bash) are considered interactive users. Check that a file system/partition has been created for the nonprivileged interactive users with the following command: Note: The partition of "/home" is used in the example. $ sudo grep /home /etc/fstab /dev/mapper/... /home xfs defaults,noexec,nosuid,nodev 0 0 If a separate entry for the file system/partition containing the nonprivileged interactive user home directories does not exist, this is a finding.
Migrate the "/home" directory onto a separate file system.
Verify the operating system does not allow an unattended or automatic logon to the system via a graphical user interface. Note: This requirement assumes the use of the RHEL 8 default graphical user interface, Gnome Shell. If the system does not have any graphical user interface installed, this requirement is Not Applicable. Check for the value of the "AutomaticLoginEnable" in the "/etc/gdm/custom.conf" file with the following command: $ sudo grep -i automaticloginenable /etc/gdm/custom.conf AutomaticLoginEnable=false If the value of "AutomaticLoginEnable" is not set to "false", this is a finding.
Configure the operating system to not allow an unattended or automatic logon to the system via a graphical user interface. Add or edit the line for the "AutomaticLoginEnable" parameter in the [daemon] section of the "/etc/gdm/custom.conf" file to "false": [daemon] AutomaticLoginEnable=false
Verify that unattended or automatic logon via ssh is disabled with the following command: $ sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\r' | tr '\n' ' ' | xargs sudo grep -iH '^\s*permituserenvironment' PermitUserEnvironment no If "PermitUserEnvironment" is set to "yes", is missing completely, or is commented out, this is a finding. If conflicting results are returned, this is a finding.
Configure RHEL 8 to allow the SSH daemon to not allow unattended or automatic logon to the system. Add or edit the following line in the "/etc/ssh/sshd_config" file: PermitUserEnvironment no The SSH daemon must be restarted for the changes to take effect. To restart the SSH daemon, run the following command: $ sudo systemctl restart sshd.service
Verify that temporary accounts have been provisioned with an expiration date of 72 hours. For every existing temporary account, run the following command to obtain its account expiration information. $ sudo chage -l system_account_name Verify each of these accounts has an expiration date set within 72 hours. If any temporary accounts have no expiration date set or do not expire within 72 hours, this is a finding.
If a temporary account must be created configure the system to terminate the account after a 72 hour time period with the following command to set an expiration date on it. Substitute "system_account_name" with the account to be created. $ sudo chage -E `date -d "+3 days" +%Y-%m-%d` system_account_name
Check that the system locks an account after three unsuccessful logon attempts with the following commands: Note: If the System Administrator demonstrates the use of an approved centralized account management method that locks an account after three unsuccessful logon attempts within a period of 15 minutes, this requirement is not applicable. Note: This check applies to RHEL versions 8.0 and 8.1, if the system is RHEL version 8.2 or newer, this check is not applicable. $ sudo grep pam_faillock.so /etc/pam.d/password-auth auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny=3 even_deny_root fail_interval=900 unlock_time=0 auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time=0 account required pam_faillock.so If the "deny" option is not set to "3" or less (but not "0") on the "preauth" line with the "pam_faillock.so" module, or is missing from this line, this is a finding. If any line referencing the "pam_faillock.so" module is commented out, this is a finding. $ sudo grep pam_faillock.so /etc/pam.d/system-auth auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny=3 even_deny_root fail_interval=900 unlock_time=0 auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time=0 account required pam_faillock.so If the "deny" option is not set to "3" or less (but not "0") on the "preauth" line with the "pam_faillock.so" module, or is missing from this line, this is a finding. If any line referencing the "pam_faillock.so" module is commented out, this is a finding.
Configure the operating system to lock an account when three unsuccessful logon attempts occur. Add/Modify the appropriate sections of the "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth" files to match the following lines: auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny=3 even_deny_root fail_interval=900 unlock_time=0 auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time=0 account required pam_faillock.so The "sssd" service must be restarted for the changes to take effect. To restart the "sssd" service, run the following command: $ sudo systemctl restart sssd.service
Note: This check applies to RHEL versions 8.2 or newer, if the system is RHEL version 8.0 or 8.1, this check is not applicable. Verify the "/etc/security/faillock.conf" file is configured to lock an account after three unsuccessful logon attempts: $ sudo grep 'deny =' /etc/security/faillock.conf deny = 3 If the "deny" option is not set to "3" or less (but not "0"), is missing or commented out, this is a finding.
Configure the operating system to lock an account when three unsuccessful logon attempts occur. Add/Modify the "/etc/security/faillock.conf" file to match the following line: deny = 3
Check that the system locks an account after three unsuccessful logon attempts within a period of 15 minutes with the following commands: Note: If the System Administrator demonstrates the use of an approved centralized account management method that locks an account after three unsuccessful logon attempts within a period of 15 minutes, this requirement is not applicable. Note: This check applies to RHEL versions 8.0 and 8.1, if the system is RHEL version 8.2 or newer, this check is not applicable. $ sudo grep pam_faillock.so /etc/pam.d/password-auth auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny=3 even_deny_root fail_interval=900 unlock_time=0 auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time=0 account required pam_faillock.so If the "fail_interval" option is not set to "900" or less (but not "0") on the "preauth" lines with the "pam_faillock.so" module, or is missing from this line, this is a finding. $ sudo grep pam_faillock.so /etc/pam.d/system-auth auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny=3 even_deny_root fail_interval=900 unlock_time=0 auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time=0 account required pam_faillock.so If the "fail_interval" option is not set to "900" or less (but not "0") on the "preauth" lines with the "pam_faillock.so" module, or is missing from this line, this is a finding.
Configure the operating system to lock an account when three unsuccessful logon attempts occur in 15 minutes. Add/Modify the appropriate sections of the "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth" files to match the following lines: auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny=3 even_deny_root fail_interval=900 unlock_time=0 auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time=0 account required pam_faillock.so The "sssd" service must be restarted for the changes to take effect. To restart the "sssd" service, run the following command: $ sudo systemctl restart sssd.service
Note: This check applies to RHEL versions 8.2 or newer, if the system is RHEL version 8.0 or 8.1, this check is not applicable. Verify the "/etc/security/faillock.conf" file is configured to lock an account after three unsuccessful logon attempts within 15 minutes: $ sudo grep 'fail_interval =' /etc/security/faillock.conf fail_interval = 900 If the "fail_interval" option is not set to "900" or more, is missing or commented out, this is a finding.
Configure the operating system to lock an account when three unsuccessful logon attempts occur in 15 minutes. Add/Modify the "/etc/security/faillock.conf" file to match the following line: fail_interval = 900
Check that the system locks an account after three unsuccessful logon attempts within a period of 15 minutes until released by an administrator with the following commands: Note: If the System Administrator demonstrates the use of an approved centralized account management method that locks an account after three unsuccessful logon attempts within a period of 15 minutes, this requirement is not applicable. Note: This check applies to RHEL versions 8.0 and 8.1, if the system is RHEL version 8.2 or newer, this check is not applicable. $ sudo grep pam_faillock.so /etc/pam.d/password-auth auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny=3 even_deny_root fail_interval=900 unlock_time=0 auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time=0 account required pam_faillock.so If the "unlock_time" option is not set to "0" on the "preauth" and "authfail" lines with the "pam_faillock.so" module, or is missing from these lines, this is a finding. $ sudo grep pam_faillock.so /etc/pam.d/system-auth auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny=3 even_deny_root fail_interval=900 unlock_time=0 auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time=0 account required pam_faillock.so If the "unlock_time" option is not set to "0" on the "preauth" and "authfail" lines with the "pam_faillock.so" module, or is missing from these lines, this is a finding.
Configure the operating system to lock an account until released by an administrator when three unsuccessful logon attempts occur in 15 minutes. Add/Modify the appropriate sections of the "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth" files to match the following lines: auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny=3 even_deny_root fail_interval=900 unlock_time=0 auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time=0 account required pam_faillock.so The "sssd" service must be restarted for the changes to take effect. To restart the "sssd" service, run the following command: $ sudo systemctl restart sssd.service
Note: This check applies to RHEL versions 8.2 or newer, if the system is RHEL version 8.0 or 8.1, this check is not applicable. Verify the "/etc/security/faillock.conf" file is configured to lock an account until released by an administrator after three unsuccessful logon attempts: $ sudo grep 'unlock_time =' /etc/security/faillock.conf unlock_time = 0 If the "unlock_time" option is not set to "0", is missing or commented out, this is a finding.
Configure the operating system to lock an account until released by an administrator when three unsuccessful logon attempts occur in 15 minutes. Add/Modify the "/etc/security/faillock.conf" file to match the following line: unlock_time = 0
Check that the faillock directory contents persists after a reboot with the following commands: Note: If the System Administrator demonstrates the use of an approved centralized account management method that locks an account after three unsuccessful logon attempts within a period of 15 minutes, this requirement is not applicable. Note: This check applies to RHEL versions 8.0 and 8.1, if the system is RHEL version 8.2 or newer, this check is not applicable. $ sudo grep pam_faillock.so /etc/pam.d/password-auth auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny=3 even_deny_root fail_interval=900 unlock_time=0 auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time=0 account required pam_faillock.so If the "dir" option is not set to a non-default documented tally log directory on the "preauth" and "authfail" lines with the "pam_faillock.so" module, or is missing from these lines, this is a finding. $ sudo grep pam_faillock.so /etc/pam.d/system-auth auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny=3 even_deny_root fail_interval=900 unlock_time=0 auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time=0 account required pam_faillock.so If the "dir" option is not set to a non-default documented tally log directory on the "preauth" and "authfail" lines with the "pam_faillock.so" module, or is missing from these lines, this is a finding.
Configure the operating system maintain the contents of the faillock directory after a reboot. Add/Modify the appropriate sections of the "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth" files to match the following lines: Note: Using the default faillock directory of /var/run/faillock will result in the contents being cleared in the event of a reboot. auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny=3 even_deny_root fail_interval=900 unlock_time=0 auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time=0 account required pam_faillock.so The "sssd" service must be restarted for the changes to take effect. To restart the "sssd" service, run the following command: $ sudo systemctl restart sssd.service
Note: This check applies to RHEL versions 8.2 or newer. If the system is RHEL version 8.0 or 8.1, this check is not applicable. Verify the "/etc/security/faillock.conf" file is configured use a non-default faillock directory to ensure contents persist after reboot: $ sudo grep 'dir =' /etc/security/faillock.conf dir = /var/log/faillock If the "dir" option is not set to a non-default documented tally log directory, is missing or commented out, this is a finding.
Configure the operating system maintain the contents of the faillock directory after a reboot. Add/Modify the "/etc/security/faillock.conf" file to match the following line: dir = /var/log/faillock
Check that the system prevents informative messages from being presented to the user pertaining to logon information with the following commands: Note: If the System Administrator demonstrates the use of an approved centralized account management method that locks an account after three unsuccessful logon attempts within a period of 15 minutes, this requirement is not applicable. Note: This check applies to RHEL versions 8.0 and 8.1, if the system is RHEL version 8.2 or newer, this check is not applicable. $ sudo grep pam_faillock.so /etc/pam.d/password-auth auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny=3 even_deny_root fail_interval=900 unlock_time=0 auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time=0 account required pam_faillock.so If the "silent" option is missing from the "preauth" line with the "pam_faillock.so" module, this is a finding. $ sudo grep pam_faillock.so /etc/pam.d/system-auth auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny=3 even_deny_root fail_interval=900 unlock_time=0 auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time=0 account required pam_faillock.so If the "silent" option is missing from the "preauth" line with the "pam_faillock.so" module, this is a finding.
Configure the operating system to prevent informative messages from being presented at logon attempts. Add/Modify the appropriate sections of the "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth" files to match the following lines: auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny=3 even_deny_root fail_interval=900 unlock_time=0 auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time=0 account required pam_faillock.so The "sssd" service must be restarted for the changes to take effect. To restart the "sssd" service, run the following command: $ sudo systemctl restart sssd.service
Note: This check applies to RHEL versions 8.2 or newer, if the system is RHEL version 8.0 or 8.1, this check is not applicable. Verify the "/etc/security/faillock.conf" file is configured to prevent informative messages from being presented at logon attempts: $ sudo grep silent /etc/security/faillock.conf silent If the "silent" option is not set, is missing or commented out, this is a finding.
Configure the operating system to prevent informative messages from being presented at logon attempts. Add/Modify the "/etc/security/faillock.conf" file to match the following line: silent
Check that the system logs user name information when unsuccessful logon attempts occur with the following commands: If the system is RHEL version 8.2 or newer, this check is not applicable. Note: If the System Administrator demonstrates the use of an approved centralized account management method that locks an account after three unsuccessful logon attempts within a period of 15 minutes, this requirement is not applicable. $ sudo grep pam_faillock.so /etc/pam.d/password-auth auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny=3 even_deny_root fail_interval=900 unlock_time=0 auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time=0 account required pam_faillock.so If the "audit" option is missing from the "preauth" line with the "pam_faillock.so" module, this is a finding. $ sudo grep pam_faillock.so /etc/pam.d/system-auth auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny=3 even_deny_root fail_interval=900 unlock_time=0 auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time=0 account required pam_faillock.so If the "audit" option is missing from the "preauth" line with the "pam_faillock.so" module, this is a finding.
Configure the operating system to log user name information when unsuccessful logon attempts occur. Add/Modify the appropriate sections of the "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth" files to match the following lines: auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny=3 even_deny_root fail_interval=900 unlock_time=0 auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time=0 account required pam_faillock.so The "sssd" service must be restarted for the changes to take effect. To restart the "sssd" service, run the following command: $ sudo systemctl restart sssd.service
Note: This check applies to RHEL versions 8.2 or newer, if the system is RHEL version 8.0 or 8.1, this check is not applicable. Verify the "/etc/security/faillock.conf" file is configured to log user name information when unsuccessful logon attempts occur: $ sudo grep audit /etc/security/faillock.conf audit If the "audit" option is not set, is missing or commented out, this is a finding.
Configure the operating system to log user name information when unsuccessful logon attempts occur. Add/Modify the "/etc/security/faillock.conf" file to match the following line: audit
Check that the system includes the root account when locking an account after three unsuccessful logon attempts within a period of 15 minutes with the following commands: If the system is RHEL version 8.2 or newer, this check is not applicable. Note: If the System Administrator demonstrates the use of an approved centralized account management method that locks an account after three unsuccessful logon attempts within a period of 15 minutes, this requirement is not applicable. $ sudo grep pam_faillock.so /etc/pam.d/password-auth auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny=3 even_deny_root fail_interval=900 unlock_time=0 auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time=0 account required pam_faillock.so If the "even_deny_root" option is missing from the "preauth" line with the "pam_faillock.so" module, this is a finding. $ sudo grep pam_faillock.so /etc/pam.d/system-auth auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny=3 even_deny_root fail_interval=900 unlock_time=0 auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time=0 account required pam_faillock.so If the "even_deny_root" option is missing from the "preauth" line with the "pam_faillock.so" module, this is a finding.
Configure the operating system to include root when locking an account after three unsuccessful logon attempts occur in 15 minutes. Add/Modify the appropriate sections of the "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth" files to match the following lines: auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny=3 even_deny_root fail_interval=900 unlock_time=0 auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time=0 account required pam_faillock.so The "sssd" service must be restarted for the changes to take effect. To restart the "sssd" service, run the following command: $ sudo systemctl restart sssd.service
Note: This check applies to RHEL versions 8.2 or newer, if the system is RHEL version 8.0 or 8.1, this check is not applicable. Verify the "/etc/security/faillock.conf" file is configured to log user name information when unsuccessful logon attempts occur: $ sudo grep even_deny_root /etc/security/faillock.conf even_deny_root If the "even_deny_root" option is not set, is missing or commented out, this is a finding.
Configure the operating system to include root when locking an account after three unsuccessful logon attempts occur in 15 minutes. Add/Modify the "/etc/security/faillock.conf" file to match the following line: even_deny_root
Verify the operating system limits the number of concurrent sessions to "10" for all accounts and/or account types by issuing the following command: $ sudo grep -r -s '^[^#].*maxlogins' /etc/security/limits.conf /etc/security/limits.d/*.conf * hard maxlogins 10 This can be set as a global domain (with the * wildcard) but may be set differently for multiple domains. If the "maxlogins" item is missing, commented out, or the value is set greater than "10" and is not documented with the Information System Security Officer (ISSO) as an operational requirement for all domains that have the "maxlogins" item assigned, this is a finding.
Configure the operating system to limit the number of concurrent sessions to "10" for all accounts and/or account types. Add the following line to the top of the /etc/security/limits.conf or in a ".conf" file defined in /etc/security/limits.d/: * hard maxlogins 10
Verify the operating system enables a user's session lock until that user re-establishes access using established identification and authentication procedures with the following command: $ sudo gsettings get org.gnome.desktop.screensaver lock-enabled true If the setting is "false", this is a finding. Note: This requirement assumes the use of the RHEL 8 default graphical user interface, Gnome Shell. If the system does not have any graphical user interface installed, this requirement is Not Applicable.
Configure the operating system to enable a user's session lock until that user re-establishes access using established identification and authentication procedures. Create a database to contain the system-wide screensaver settings (if it does not already exist) with the following example: $ sudo vi /etc/dconf/db/local.d/00-screensaver Edit the "[org/gnome/desktop/screensaver]" section of the database file and add or update the following lines: # Set this to true to lock the screen when the screensaver activates lock-enabled=true Update the system databases: $ sudo dconf update
Verify the operating system enables a user's session lock until that user re-establishes access using established identification and authentication procedures with the following command: This requirement assumes the use of the RHEL 8 default graphical user interface, Gnome Shell. If the system does not have any graphical user interface installed, this requirement is Not Applicable. $ sudo grep -R removal-action /etc/dconf/db/* /etc/dconf/db/distro.d/20-authselect:removal-action='lock-screen' If the "removal-action='lock-screen'" setting is missing or commented out from the dconf database files, this is a finding.
Configure the operating system to enable a user's session lock until that user re-establishes access using established identification and authentication procedures. Select/Create an authselect profile and incorporate the "with-smartcard-lock-on-removal" feature with the following example: $ sudo authselect select sssd with-smartcard with-smartcard-lock-on-removal Alternatively, the dconf settings can be edited in the /etc/dconf/db/* location. Edit or add the "[org/gnome/settings-daemon/peripherals/smartcard]" section of the database file and add or update the following lines: removal-action='lock-screen' Update the system databases: $ sudo dconf update
Verify the operating system initiates a session lock after a 15-minute period of inactivity for graphical user interfaces with the following commands: This requirement assumes the use of the RHEL 8 default graphical user interface, Gnome Shell. If the system does not have any graphical user interface installed, this requirement is Not Applicable. $ sudo gsettings get org.gnome.desktop.session idle-delay uint32 900 If "idle-delay" is set to "0" or a value greater than "900", this is a finding.
Configure the operating system to initiate a screensaver after a 15-minute period of inactivity for graphical user interfaces. Create a database to contain the system-wide screensaver settings (if it does not already exist) with the following command: $ sudo touch /etc/dconf/db/local.d/00-screensaver Edit /etc/dconf/db/local.d/00-screensaver and add or update the following lines: [org/gnome/desktop/session] # Set the lock time out to 900 seconds before the session is considered idle idle-delay=uint32 900 Update the system databases: $ sudo dconf update
Verify the operating system prevents a user from overriding settings for graphical user interfaces. Note: This requirement assumes the use of the RHEL 8 default graphical user interface, Gnome Shell. If the system does not have any graphical user interface installed, this requirement is Not Applicable. Determine which profile the system database is using with the following command: $ sudo grep system-db /etc/dconf/profile/user system-db:local Check that graphical settings are locked from non-privileged user modification with the following command: Note: The example below is using the database "local" for the system, so the path is "/etc/dconf/db/local.d". This path must be modified if a database other than "local" is being used. $ sudo grep -i lock-delay /etc/dconf/db/local.d/locks/* /org/gnome/desktop/screensaver/lock-delay If the command does not return at least the example result, this is a finding.
Configure the operating system to prevent a user from overriding settings for graphical user interfaces. Create a database to contain the system-wide screensaver settings (if it does not already exist) with the following command: Note: The example below is using the database "local" for the system, so if the system is using another database in "/etc/dconf/profile/user", the file should be created under the appropriate subdirectory. $ sudo touch /etc/dconf/db/local.d/locks/session Add the following setting to prevent non-privileged users from modifying it: /org/gnome/desktop/screensaver/lock-delay
Verify the certificate of the user or group is mapped to the corresponding user or group in the "sssd.conf" file with the following command: Note: If the System Administrator demonstrates the use of an approved alternate multifactor authentication method, this requirement is not applicable. $ sudo cat /etc/sssd/sssd.conf [sssd] config_file_version = 2 services = pam, sudo, ssh domains = testing.test [pam] pam_cert_auth = True [domain/testing.test] id_provider = ldap [certmap/testing.test/rule_name] matchrule =<SAN>.*EDIPI@mil maprule = (userCertificate;binary={cert!bin}) domains = testing.test If the certmap section does not exist, ask the System Administrator to indicate how certificates are mapped to accounts. If there is no evidence of certificate mapping, this is a finding.
Configure the operating system to map the authenticated identity to the user or group account by adding or modifying the certmap section of the "/etc/sssd/sssd.conf file based on the following example: [certmap/testing.test/rule_name] matchrule =<SAN>.*EDIPI@mil maprule = (userCertificate;binary={cert!bin}) domains = testing.test The "sssd" service must be restarted for the changes to take effect. To restart the "sssd" service, run the following command: $ sudo systemctl restart sssd.service
Verify the operating system uses "pwquality" to enforce the password complexity rules. Check for the use of "pwquality" in the password-auth file with the following command: $ sudo cat /etc/pam.d/password-auth | grep pam_pwquality password requisite pam_pwquality.so If the command does not return a line containing the value "pam_pwquality.so" as shown, or the line is commented out, this is a finding.
Configure the operating system to use "pwquality" to enforce password complexity rules. Add the following line to the "/etc/pam.d/password-auth" file (or modify the line to have the required value): password requisite pam_pwquality.so
Verify the value for "ucredit" with the following command: $ sudo grep -r ucredit /etc/security/pwquality.conf* /etc/security/pwquality.conf:ucredit = -1 If the value of "ucredit" is a positive number or is commented out, this is a finding. If conflicting results are returned, this is a finding.
Configure the operating system to enforce password complexity by requiring that at least one uppercase character be used by setting the "ucredit" option. Add the following line to /etc/security/pwquality.conf (or modify the line to have the required value): ucredit = -1 Remove any configurations that conflict with the above value.
Verify the value for "lcredit" with the following command: $ sudo grep -r lcredit /etc/security/pwquality.conf* /etc/security/pwquality.conf:lcredit = -1 If the value of "lcredit" is a positive number or is commented out, this is a finding. If conflicting results are returned, this is a finding.
Configure the operating system to enforce password complexity by requiring that at least one lower-case character be used by setting the "lcredit" option. Add the following line to /etc/security/pwquality.conf (or modify the line to have the required value): lcredit = -1 Remove any configurations that conflict with the above value.
Verify the value for "dcredit" with the following command: $ sudo grep -r dcredit /etc/security/pwquality.conf* /etc/security/pwquality.conf:dcredit = -1 If the value of "dcredit" is a positive number or is commented out, this is a finding. If conflicting results are returned, this is a finding.
Configure the operating system to enforce password complexity by requiring that at least one numeric character be used by setting the "dcredit" option. Add the following line to /etc/security/pwquality.conf (or modify the line to have the required value): dcredit = -1 Remove any configurations that conflict with the above value.
Check for the value of the "maxclassrepeat" option with the following command: $ sudo grep -r maxclassrepeat /etc/security/pwquality.conf* /etc/security/pwquality.conf:maxclassrepeat = 4 If the value of "maxclassrepeat" is set to "0", more than "4" or is commented out, this is a finding. If conflicting results are returned, this is a finding.
Configure the operating system to require the change of the number of repeating characters of the same character class when passwords are changed by setting the "maxclassrepeat" option. Add the following line to "/etc/security/pwquality.conf" conf (or modify the line to have the required value): maxclassrepeat = 4 Remove any configurations that conflict with the above value.
Check for the value of the "maxrepeat" option with the following command: $ sudo grep -r maxrepeat /etc/security/pwquality.conf* /etc/security/pwquality.conf:maxrepeat = 3 If the value of "maxrepeat" is set to more than "3" or is commented out, this is a finding. If conflicting results are returned, this is a finding.
Configure the operating system to require the change of the number of repeating consecutive characters when passwords are changed by setting the "maxrepeat" option. Add the following line to "/etc/security/pwquality.conf conf" (or modify the line to have the required value): maxrepeat = 3 Remove any configurations that conflict with the above value.
Verify the value of the "minclass" option with the following command: $ sudo grep -r minclass /etc/security/pwquality.conf* /etc/security/pwquality.conf:minclass = 4 If the value of "minclass" is set to less than "4" or is commented out, this is a finding. If conflicting results are returned, this is a finding.
Configure the operating system to require the change of at least four character classes when passwords are changed by setting the "minclass" option. Add the following line to "/etc/security/pwquality.conf conf" (or modify the line to have the required value): minclass = 4 Remove any configurations that conflict with the above value.
Verify the value of the "difok" option with the following command: $ sudo grep -r difok /etc/security/pwquality.conf* /etc/security/pwquality.conf:difok = 8 If the value of "difok" is set to less than "8" or is commented out, this is a finding. If conflicting results are returned, this is a finding.
Configure the operating system to require the change of at least eight of the total number of characters when passwords are changed by setting the "difok" option. Add the following line to "/etc/security/pwquality.conf" (or modify the line to have the required value): difok = 8 Remove any configurations that conflict with the above value.
Check whether the minimum time period between password changes for each user account is one day or greater. $ sudo awk -F: '$4 < 1 {print $1 " " $4}' /etc/shadow If any results are returned that are not associated with a system account, this is a finding.
Configure non-compliant accounts to enforce a 24 hours/1 day minimum password lifetime: $ sudo chage -m 1 [user]
Verify the operating system enforces 24 hours/1 day as the minimum password lifetime for new user accounts. Check for the value of "PASS_MIN_DAYS" in "/etc/login.defs" with the following command: $ sudo grep -i pass_min_days /etc/login.defs PASS_MIN_DAYS 1 If the "PASS_MIN_DAYS" parameter value is not "1" or greater, or is commented out, this is a finding.
Configure the operating system to enforce 24 hours/1 day as the minimum password lifetime. Add the following line in "/etc/login.defs" (or modify the line to have the required value): PASS_MIN_DAYS 1
Verify that RHEL 8 enforces a 60-day maximum password lifetime for new user accounts by running the following command: $ sudo grep -i pass_max_days /etc/login.defs PASS_MAX_DAYS 60 If the "PASS_MAX_DAYS" parameter value is greater than "60", or commented out, this is a finding.
Configure RHEL 8 to enforce a 60-day maximum password lifetime. Add, or modify the following line in the "/etc/login.defs" file: PASS_MAX_DAYS 60
Check whether the maximum time period for existing passwords is restricted to 60 days with the following commands: $ sudo awk -F: '$5 > 60 {print $1 " " $5}' /etc/shadow $ sudo awk -F: '$5 <= 0 {print $1 " " $5}' /etc/shadow If any results are returned that are not associated with a system account, this is a finding.
Configure non-compliant accounts to enforce a 60-day maximum password lifetime restriction. $ sudo chage -M 60 [user]
Verify the operating system enforces a minimum 15-character password length. The "minlen" option sets the minimum number of characters in a new password. Check for the value of the "minlen" option with the following command: $ sudo grep -r minlen /etc/security/pwquality.conf* /etc/security/pwquality.conf:minlen = 15 If the command does not return a "minlen" value of 15 or greater, this is a finding. If conflicting results are returned, this is a finding.
Configure operating system to enforce a minimum 15-character password length. Add the following line to "/etc/security/pwquality.conf" (or modify the line to have the required value): minlen = 15 Remove any configurations that conflict with the above value.
Verify that RHEL 8 enforces a minimum 15-character password length for new user accounts by running the following command: $ sudo grep -i pass_min_len /etc/login.defs PASS_MIN_LEN 15 If the "PASS_MIN_LEN" parameter value is less than "15", or commented out, this is a finding.
Configure operating system to enforce a minimum 15-character password length for new user accounts. Add, or modify the following line in the "/etc/login.defs" file: PASS_MIN_LEN 15
Verify that RHEL 8 contains no duplicate User IDs (UIDs) for interactive users. Check that the operating system contains no duplicate UIDs for interactive users with the following command: $ sudo awk -F ":" 'list[$3]++{print $1, $3}' /etc/passwd If output is produced, and the accounts listed are interactive user accounts, this is a finding.
Edit the file "/etc/passwd" and provide each interactive user account that has a duplicate User ID (UID) with a unique UID.
Verify RHEL 8 uses multifactor authentication for local access to accounts. Note: If the System Administrator demonstrates the use of an approved alternate multifactor authentication method, this requirement is not applicable. Check that the "pam_cert_auth" setting is set to "true" in the "/etc/sssd/sssd.conf" file. Check that the "try_cert_auth" or "require_cert_auth" options are configured in both "/etc/pam.d/system-auth" and "/etc/pam.d/smartcard-auth" files with the following command: $ sudo grep -ir cert_auth /etc/sssd/sssd.conf /etc/sssd/conf.d/*.conf /etc/pam.d/* /etc/sssd/sssd.conf:pam_cert_auth = True /etc/pam.d/smartcard-auth:auth sufficient pam_sss.so try_cert_auth /etc/pam.d/system-auth:auth [success=done authinfo_unavail=ignore ignore=ignore default=die] pam_sss.so try_cert_auth If "pam_cert_auth" is not set to "true" in "/etc/sssd/sssd.conf", this is a finding. If "pam_sss.so" is not set to "try_cert_auth" or "require_cert_auth" in both the "/etc/pam.d/smartcard-auth" and "/etc/pam.d/system-auth" files, this is a finding.
Configure RHEL 8 to use multifactor authentication for local access to accounts. Add or update the "pam_cert_auth" setting in the "/etc/sssd/sssd.conf" file to match the following line: [pam] pam_cert_auth = True Add or update "pam_sss.so" with "try_cert_auth" or "require_cert_auth" in the "/etc/pam.d/system-auth" and "/etc/pam.d/smartcard-auth" files based on the following examples: /etc/pam.d/smartcard-auth:auth sufficient pam_sss.so try_cert_auth /etc/pam.d/system-auth:auth [success=done authinfo_unavail=ignore ignore=ignore default=die] pam_sss.so try_cert_auth The "sssd" service must be restarted for the changes to take effect. To restart the "sssd" service, run the following command: $ sudo systemctl restart sssd.service
Verify the account identifiers (individuals, groups, roles, and devices) are disabled after 35 days of inactivity with the following command: Check the account inactivity value by performing the following command: $ sudo grep -i inactive /etc/default/useradd INACTIVE=35 If "INACTIVE" is set to "-1", a value greater than "35", or is commented out, this is a finding.
Configure RHEL 8 to disable account identifiers after 35 days of inactivity after the password expiration. Run the following command to change the configuration for useradd: $ sudo useradd -D -f 35 DoD recommendation is 35 days, but a lower value is acceptable. The value "-1" will disable this feature, and "0" will disable the account immediately after the password expires.
Verify temporary accounts have been provisioned with an expiration date of 72 hours. For every existing temporary account, run the following command to obtain its account expiration information: $ sudo chage -l <temporary_account_name> | grep -i "account expires" Verify each of these accounts has an expiration date set within 72 hours. If any temporary accounts have no expiration date set or do not expire within 72 hours, this is a finding.
Configure the operating system to expire temporary accounts after 72 hours with the following command: $ sudo chage -E $(date -d +3days +%Y-%m-%d) <temporary_account_name>
Verify the value for "ocredit" with the following command: $ sudo grep -r ocredit /etc/security/pwquality.conf* /etc/security/pwquality.conf:ocredit = -1 If the value of "ocredit" is a positive number or is commented out, this is a finding. If conflicting results are returned, this is a finding.
Configure the operating system to enforce password complexity by requiring that at least one special character be used by setting the "ocredit" option. Add the following line to /etc/security/pwquality.conf (or modify the line to have the required value): ocredit = -1 Remove any configurations that conflict with the above value.
Verify that the SSSD prohibits the use of cached authentications after one day. Note: If smart card authentication is not being used on the system this item is Not Applicable. Check that SSSD allows cached authentications with the following command: $ sudo grep -ir cache_credentials /etc/sssd/sssd.conf /etc/sssd/conf.d/*.conf cache_credentials = true If "cache_credentials" is set to "false" or missing from the configuration file, this is not a finding and no further checks are required. If "cache_credentials" is set to "true", check that SSSD prohibits the use of cached authentications after one day with the following command: $ sudo grep -ir offline_credentials_expiration /etc/sssd/sssd.conf /etc/sssd/conf.d/*.conf offline_credentials_expiration = 1 If "offline_credentials_expiration" is not set to a value of "1", this is a finding.
Configure the SSSD to prohibit the use of cached authentications after one day. Add or change the following line in "/etc/sssd/sssd.conf" just below the line "[pam]". offline_credentials_expiration = 1
Verify RHEL 8 prevents the use of dictionary words for passwords. Determine if the field "dictcheck" is set with the following command: $ sudo grep -r dictcheck /etc/security/pwquality.conf* /etc/security/pwquality.conf:dictcheck=1 If the "dictcheck" parameter is not set to "1", or is commented out, this is a finding. If conflicting results are returned, this is a finding.
Configure RHEL 8 to prevent the use of dictionary words for passwords. Add or update the following line in the "/etc/security/pwquality.conf" file or a configuration file in the /etc/pwquality.conf.d/ directory to contain the "dictcheck" parameter: dictcheck=1 Remove any configurations that conflict with the above value.
Verify the operating system enforces a delay of at least four seconds between console logon prompts following a failed logon attempt with the following command: $ sudo grep -i fail_delay /etc/login.defs FAIL_DELAY 4 If the value of "FAIL_DELAY" is not set to "4" or greater, or the line is commented out, this is a finding.
Configure the operating system to enforce a delay of at least four seconds between logon prompts following a failed console logon attempt. Modify the "/etc/login.defs" file to set the "FAIL_DELAY" parameter to "4" or greater: FAIL_DELAY 4
Verify that there are no unauthorized interactive user accounts with the following command: $ less /etc/passwd root:x:0:0:root:/root:/bin/bash ... games:x:12:100:games:/usr/games:/sbin/nologin scsaustin:x:1001:1001:scsaustin:/home/scsaustin:/bin/bash djohnson:x:1002:1002:djohnson:/home/djohnson:/bin/bash Interactive user account, generally will have a user identifier (UID) of 1000 or greater, a home directory in a specific partition, and an interactive shell. Obtain the list of interactive user accounts authorized to be on the system from the system administrator or information system security officer (ISSO) and compare it to the list of local interactive user accounts on the system. If there are unauthorized local user accounts on the system, this is a finding.
Remove unauthorized local interactive user accounts with the following command where <unauthorized_user> is the unauthorized account: $ sudo userdel <unauthorized_user>
To verify that null passwords cannot be used, run the following command: $ sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\r' | tr '\n' ' ' | xargs sudo grep -iH '^\s*permitemptypasswords' PermitEmptyPasswords no If "PermitEmptyPasswords" is set to "yes", this is a finding. If conflicting results are returned, this is a finding.
Edit the following line in "etc/ssh/sshd_config" to prevent logons with empty passwords. PermitEmptyPasswords no The SSH daemon must be restarted for the changes to take effect. To restart the SSH daemon, run the following command: $ sudo systemctl restart sshd.service
Verify users are provided with feedback on when account accesses last occurred with the following command: $ sudo grep pam_lastlog /etc/pam.d/postlogin session required pam_lastlog.so showfailed If "pam_lastlog" is missing from "/etc/pam.d/postlogin" file, or the silent option is present, this is a finding.
Configure the operating system to provide users with feedback on when account accesses last occurred by setting the required configuration options in "/etc/pam.d/postlogin". Add the following line to the top of "/etc/pam.d/postlogin": session required pam_lastlog.so showfailed
Verify SSH provides users with feedback on when account accesses last occurred with the following command: $ sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\r' | tr '\n' ' ' | xargs sudo grep -iH '^\s*printlastlog' PrintLastLog yes If the "PrintLastLog" keyword is set to "no", is missing, or is commented out, this is a finding. If conflicting results are returned, this is a finding.
Configure SSH to provide users with feedback on when account accesses last occurred by setting the required configuration options in "/etc/pam.d/sshd" or in the "sshd_config" file used by the system ("/etc/ssh/sshd_config" will be used in the example) (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor). Modify the "PrintLastLog" line in "/etc/ssh/sshd_config" to match the following: PrintLastLog yes The SSH service must be restarted for changes to "sshd_config" to take effect.
Verify the operating system defines default permissions for all authenticated users in such a way that the user can only read and modify their own files. Check for the value of the "UMASK" parameter in "/etc/login.defs" file with the following command: Note: If the value of the "UMASK" parameter is set to "000" in "/etc/login.defs" file, the Severity is raised to a CAT I. # grep -i umask /etc/login.defs UMASK 077 If the value for the "UMASK" parameter is not "077", or the "UMASK" parameter is missing or is commented out, this is a finding.
Configure the operating system to define default permissions for all authenticated users in such a way that the user can only read and modify their own files. Add or edit the line for the "UMASK" parameter in "/etc/login.defs" file to "077": UMASK 077
Verify that the default umask for all local interactive users is "077". Identify the locations of all local interactive user home directories by looking at the "/etc/passwd" file. Check all local interactive user initialization files for interactive users with the following command: Note: The example is for a system that is configured to create users home directories in the "/home" directory. $ sudo grep -ir ^umask /home | grep -v '.bash_history' If any local interactive user initialization files are found to have a umask statement that has a value less restrictive than "077", this is a finding.
Remove the umask statement from all local interactive user's initialization files. If the account is for an application, the requirement for a umask less restrictive than "077" can be documented with the Information System Security Officer, but the user agreement for access to the account must specify that the local interactive user must log on to their account first and then switch the user to the application account with the correct option to gain the account's environment variables.
Verify that the umask default for installed shells is "077". Check for the value of the "UMASK" parameter in the "/etc/bashrc", "/etc/csh.cshrc" and "/etc/profile" files with the following command: Note: If the value of the "UMASK" parameter is set to "000" in the "/etc/bashrc" the "/etc/csh.cshrc" or the "/etc/profile" files, the Severity is raised to a CAT I. # grep -i umask /etc/bashrc /etc/csh.cshrc /etc/profile /etc/bashrc: umask 077 /etc/bashrc: umask 077 /etc/csh.cshrc: umask 077 /etc/csh.cshrc: umask 077 /etc/profile: umask 077 /etc/profile: umask 077 If the value for the "UMASK" parameter is not "077", or the "UMASK" parameter is missing or is commented out, this is a finding.
Configure the operating system to define default permissions for all authenticated users in such a way that the user can only read and modify their own files. Add or edit the lines for the "UMASK" parameter in the "/etc/bashrc", "/etc/csh.cshrc" and "/etc/profile"files to "077": UMASK 077
Verify RHEL 8 audits the execution of privileged functions. Check if RHEL 8 is configured to audit the execution of the "execve" system call, by running the following command: $ sudo grep execve /etc/audit/audit.rules -a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k execpriv -a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k execpriv -a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k execpriv -a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k execpriv If the command does not return all lines, or the lines are commented out, this is a finding.
Configure RHEL 8 to audit the execution of the "execve" system call. Add or update the following file system rules to "/etc/audit/rules.d/audit.rules": -a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k execpriv -a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k execpriv -a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k execpriv -a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k execpriv The audit daemon must be restarted for the changes to take effect.
Verify that "rsyslog" is configured to log cron events with the following command: Note: If another logging package is used, substitute the utility configuration file for "/etc/rsyslog.conf" or "/etc/rsyslog.d/*.conf" files. $ sudo grep -s cron /etc/rsyslog.conf /etc/rsyslog.d/*.conf /etc/rsyslog.conf:*.info;mail.none;authpriv.none;cron.none /var/log/messages /etc/rsyslog.conf:# Log cron stuff /etc/rsyslog.conf:cron.* /var/log/cron If the command does not return a response, check for cron logging all facilities with the following command. $ sudo grep -s /var/log/messages /etc/rsyslog.conf /etc/rsyslog.d/*.conf /etc/rsyslog.conf:*.info;mail.none;authpriv.none;cron.none /var/log/messages If "rsyslog" is not logging messages for the cron facility or all facilities, this is a finding.
Configure "rsyslog" to log all cron messages by adding or updating the following line to "/etc/rsyslog.conf" or a configuration file in the /etc/rsyslog.d/ directory: cron.* /var/log/cron The rsyslog daemon must be restarted for the changes to take effect: $ sudo systemctl restart rsyslog.service
Verify that the SA and ISSO (at a minimum) are notified in the event of an audit processing failure. Check that RHEL 8 notifies the SA and ISSO (at a minimum) in the event of an audit processing failure with the following command: $ sudo grep action_mail_acct /etc/audit/auditd.conf action_mail_acct = root If the value of the "action_mail_acct" keyword is not set to "root" and/or other accounts for security personnel, the "action_mail_acct" keyword is missing, or the retuned line is commented out, ask the system administrator to indicate how they and the ISSO are notified of an audit process failure. If there is no evidence of the proper personnel being notified of an audit processing failure, this is a finding.
Configure "auditd" service to notify the SA and ISSO in the event of an audit processing failure. Edit the following line in "/etc/audit/auditd.conf" to ensure that administrators are notified via email for those situations: action_mail_acct = root
Verify that the administrators are notified in the event of an audit processing failure. Check that the "/etc/aliases" file has a defined value for "root". $ sudo grep "postmaster:\s*root$" /etc/aliases If the command does not return a line, or the line is commented out, ask the system administrator to indicate how they and the ISSO are notified of an audit process failure. If there is no evidence of the proper personnel being notified of an audit processing failure, this is a finding.
Configure RHEL 8 to notify administrators in the event of an audit processing failure. Add/update the following line in "/etc/aliases": postmaster: root
Verify RHEL 8 takes the appropriate action when an audit processing failure occurs. Check that RHEL 8 takes the appropriate action when an audit processing failure occurs with the following command: $ sudo grep disk_error_action /etc/audit/auditd.conf disk_error_action = HALT If the value of the "disk_error_action" option is not "SYSLOG", "SINGLE", or "HALT", or the line is commented out, ask the system administrator to indicate how the system takes appropriate action when an audit process failure occurs. If there is no evidence of appropriate action, this is a finding.
Configure RHEL 8 to shut down by default upon audit failure (unless availability is an overriding concern). Add or update the following line (depending on configuration "disk_error_action" can be set to "SYSLOG" or "SINGLE" depending on configuration) in "/etc/audit/auditd.conf" file: disk_error_action = HALT If availability has been determined to be more important, and this decision is documented with the ISSO, configure the operating system to notify system administration staff and ISSO staff in the event of an audit processing failure by setting the "disk_error_action" to "SYSLOG".
Verify RHEL 8 takes the appropriate action when the audit storage volume is full. Check that RHEL 8 takes the appropriate action when the audit storage volume is full with the following command: $ sudo grep disk_full_action /etc/audit/auditd.conf disk_full_action = HALT If the value of the "disk_full_action" option is not "SYSLOG", "SINGLE", or "HALT", or the line is commented out, ask the system administrator to indicate how the system takes appropriate action when an audit storage volume is full. If there is no evidence of appropriate action, this is a finding.
Configure RHEL 8 to shut down by default upon audit failure (unless availability is an overriding concern). Add or update the following line (depending on configuration "disk_full_action" can be set to "SYSLOG" or "SINGLE" depending on configuration) in "/etc/audit/auditd.conf" file: disk_full_action = HALT If availability has been determined to be more important, and this decision is documented with the ISSO, configure the operating system to notify system administration staff and ISSO staff in the event of an audit processing failure by setting the "disk_full_action" to "SYSLOG".
Verify the RHEL 8 Audit Daemon is configured to include local events, with the following command: $ sudo grep local_events /etc/audit/auditd.conf local_events = yes If the value of the "local_events" option is not set to "yes", or the line is commented out, this is a finding.
Configure RHEL 8 to audit local events on the system. Add or update the following line in "/etc/audit/auditd.conf" file: local_events = yes
Verify the RHEL 8 Audit Daemon is configured to label all off-loaded audit logs, with the following command: $ sudo grep "name_format" /etc/audit/auditd.conf name_format = hostname If the "name_format" option is not "hostname", "fqd", or "numeric", or the line is commented out, this is a finding.
Edit the /etc/audit/auditd.conf file and add or update the "name_format" option: name_format = hostname The audit daemon must be restarted for changes to take effect.
Verify the RHEL 8 Audit Daemon is configured to resolve audit information before writing to disk, with the following command: $ sudo grep "log_format" /etc/audit/auditd.conf log_format = ENRICHED If the "log_format" option is not "ENRICHED", or the line is commented out, this is a finding.
Edit the /etc/audit/auditd.conf file and add or update the "log_format" option: log_format = ENRICHED The audit daemon must be restarted for changes to take effect.
Verify the audit logs have a mode of "0600" or less permissive. First, determine where the audit logs are stored with the following command: $ sudo grep -iw log_file /etc/audit/auditd.conf log_file = /var/log/audit/audit.log Using the location of the audit log file, check if the audit log has a mode of "0600" or less permissive with the following command: $ sudo stat -c "%a %n" /var/log/audit/audit.log 600 /var/log/audit/audit.log If the audit log has a mode more permissive than "0600", this is a finding.
Configure the audit log to be protected from unauthorized read access by setting the correct permissive mode with the following command: $ sudo chmod 0600 /var/log/audit/audit.log
Verify the audit logs are owned by "root". First, determine where the audit logs are stored with the following command: $ sudo grep -iw log_file /etc/audit/auditd.conf log_file = /var/log/audit/audit.log Using the location of the audit log file, determine if the audit log is owned by "root" using the following command: $ sudo ls -al /var/log/audit/audit.log rw------- 2 root root 23 Jun 11 11:56 /var/log/audit/audit.log If the audit log is not owned by "root", this is a finding.
Configure the audit log to be protected from unauthorized read access, by setting the correct owner as "root" with the following command: $ sudo chown root [audit_log_file] Replace "[audit_log_file]" to the correct audit log path, by default this location is "/var/log/audit/audit.log".
Verify the audit logs are group-owned by "root". First determine where the audit logs are stored with the following command: $ sudo grep -iw log_file /etc/audit/auditd.conf log_file = /var/log/audit/audit.log Using the location of the audit log file, determine if the audit log is group-owned by "root" using the following command: $ sudo ls -al /var/log/audit/audit.log rw------- 2 root root 23 Jun 11 11:56 /var/log/audit/audit.log If the audit log is not group-owned by "root", this is a finding.
Configure the audit log to be owned by root by configuring the log group in the /etc/audit/auditd.conf file: log_group = root
Verify the audit log directory is owned by "root" to prevent unauthorized read access. Determine where the audit logs are stored with the following command: $ sudo grep -iw log_file /etc/audit/auditd.conf log_file = /var/log/audit/audit.log Determine the owner of the audit log directory by using the output of the above command (ex: "/var/log/audit/"). Run the following command with the correct audit log directory path: $ sudo ls -ld /var/log/audit drw------- 2 root root 23 Jun 11 11:56 /var/log/audit If the audit log directory is not owned by "root", this is a finding.
Configure the audit log to be protected from unauthorized read access, by setting the correct owner as "root" with the following command: $ sudo chown root [audit_log_directory] Replace "[audit_log_directory]" with the correct audit log directory path, by default this location is usually "/var/log/audit".
Verify the audit log directory is group-owned by "root" to prevent unauthorized read access. Determine where the audit logs are stored with the following command: $ sudo grep -iw log_file /etc/audit/auditd.conf log_file = /var/log/audit/audit.log Determine the group owner of the audit log directory by using the output of the above command (ex: "/var/log/audit/"). Run the following command with the correct audit log directory path: $ sudo ls -ld /var/log/audit drw------- 2 root root 23 Jun 11 11:56 /var/log/audit If the audit log directory is not group-owned by "root", this is a finding.
Configure the audit log to be protected from unauthorized read access by setting the correct group-owner as "root" with the following command: $ sudo chgrp root [audit_log_directory] Replace "[audit_log_directory]" with the correct audit log directory path, by default this location is usually "/var/log/audit".
Verify the audit log directories have a mode of "0700" or less permissive by first determining where the audit logs are stored with the following command: $ sudo grep -iw log_file /etc/audit/auditd.conf log_file = /var/log/audit/audit.log Using the location of the audit log, determine the directory where the audit logs are stored (ex: "/var/log/audit"). Run the following command to determine the permissions for the audit log folder: $ sudo stat -c "%a %n" /var/log/audit 700 /var/log/audit If the audit log directory has a mode more permissive than "0700", this is a finding.
Configure the audit log directory to be protected from unauthorized read access by setting the correct permissive mode with the following command: $ sudo chmod 0700 [audit_log_directory] Replace "[audit_log_directory]" to the correct audit log directory path, by default this location is "/var/log/audit".
Verify the audit system prevents unauthorized changes with the following command: $ sudo grep "^\s*[^#]" /etc/audit/audit.rules | tail -1 -e 2 If the audit system is not set to be immutable by adding the "-e 2" option to the "/etc/audit/audit.rules", this is a finding.
Configure the audit system to set the audit rules to be immutable by adding the following line to "/etc/audit/rules.d/audit.rules" -e 2 Note: Once set, the system must be rebooted for auditing to be changed. It is recommended to add this option as the last step in securing the system.
Verify the audit system prevents unauthorized changes to logon UIDs with the following command: $ sudo grep -i immutable /etc/audit/audit.rules --loginuid-immutable If the login UIDs are not set to be immutable by adding the "--loginuid-immutable" option to the "/etc/audit/audit.rules", this is a finding.
Configure the audit system to set the logon UIDs to be immutable by adding the following line to "/etc/audit/rules.d/audit.rules" --loginuid-immutable
Verify RHEL 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/shadow". Check the auditing rules in "/etc/audit/audit.rules" with the following command: $ sudo grep /etc/shadow /etc/audit/audit.rules -w /etc/shadow -p wa -k identity If the command does not return a line, or the line is commented out, this is a finding.
Configure RHEL 8 to generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/shadow". Add or update the following file system rule to "/etc/audit/rules.d/audit.rules": -w /etc/shadow -p wa -k identity The audit daemon must be restarted for the changes to take effect.
Verify RHEL 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/security/opasswd". Check the auditing rules in "/etc/audit/audit.rules" with the following command: $ sudo grep /etc/security/opasswd /etc/audit/audit.rules -w /etc/security/opasswd -p wa -k identity If the command does not return a line, or the line is commented out, this is a finding.
Configure RHEL 8 to generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/security/opasswd". Add or update the following file system rule to "/etc/audit/rules.d/audit.rules": -w /etc/security/opasswd -p wa -k identity The audit daemon must be restarted for the changes to take effect.
Verify RHEL 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/passwd". Check the auditing rules in "/etc/audit/audit.rules" with the following command: $ sudo grep /etc/passwd /etc/audit/audit.rules -w /etc/passwd -p wa -k identity If the command does not return a line, or the line is commented out, this is a finding.
Configure RHEL 8 to generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/passwd". Add or update the following file system rule to "/etc/audit/rules.d/audit.rules": -w /etc/passwd -p wa -k identity The audit daemon must be restarted for the changes to take effect.
Verify RHEL 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/gshadow". Check the auditing rules in "/etc/audit/audit.rules" with the following command: $ sudo grep /etc/gshadow /etc/audit/audit.rules -w /etc/gshadow -p wa -k identity If the command does not return a line, or the line is commented out, this is a finding.
Configure RHEL 8 to generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/gshadow". Add or update the following file system rule to "/etc/audit/rules.d/audit.rules": -w /etc/gshadow -p wa -k identity The audit daemon must be restarted for the changes to take effect.
Verify RHEL 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/group". Check the auditing rules in "/etc/audit/audit.rules" with the following command: $ sudo grep /etc/group /etc/audit/audit.rules -w /etc/group -p wa -k identity If the command does not return a line, or the line is commented out, this is a finding.
Configure RHEL 8 to generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/group". Add or update the following file system rule to "/etc/audit/rules.d/audit.rules": -w /etc/group -p wa -k identity The audit daemon must be restarted for the changes to take effect.
Verify RHEL 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/sudoers". Check the auditing rules in "/etc/audit/audit.rules" with the following command: $ sudo grep /etc/sudoers /etc/audit/audit.rules -w /etc/sudoers -p wa -k identity If the command does not return a line, or the line is commented out, this is a finding.
Configure RHEL 8 to generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/sudoers". Add or update the following file system rule to "/etc/audit/rules.d/audit.rules": -w /etc/sudoers -p wa -k identity The audit daemon must be restarted for the changes to take effect.
Verify RHEL 8 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/sudoers.d/". Check the auditing rules in "/etc/audit/audit.rules" with the following command: $ sudo grep /etc/sudoers.d/ /etc/audit/audit.rules -w /etc/sudoers.d/ -p wa -k identity If the command does not return a line, or the line is commented out, this is a finding.
Configure RHEL 8 to generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/sudoers.d/". Add or update the following file system rule to "/etc/audit/rules.d/audit.rules": -w /etc/sudoers.d/ -p wa -k identity The audit daemon must be restarted for the changes to take effect.
Verify the audit service is configured to produce audit records. Check that the audit service is installed with the following command: $ sudo yum list installed audit If the "audit" package is not installed, this is a finding.
Configure the audit service to produce audit records containing the information needed to establish when (date and time) an event occurred. Install the audit service (if the audit service is not already installed) with the following command: $ sudo yum install audit
Verify RHEL 8 generates audit records when successful/unsuccessful attempts to use the "su" command by performing the following command to check the file system rules in "/etc/audit/audit.rules": $ sudo grep -w /usr/bin/su /etc/audit/audit.rules -a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change If the command does not return a line, or the line is commented out, this is a finding.
Configure RHEL 8 to generate audit records when successful/unsuccessful attempts to use the "su" command occur by adding or updating the following rule in "/etc/audit/rules.d/audit.rules": -a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change The audit daemon must be restarted for the changes to take effect.
Verify if RHEL 8 is configured to audit the execution of the "setxattr", "fsetxattr", "lsetxattr", "removexattr", "fremovexattr", and "lremovexattr" system calls by running the following command: $ sudo grep xattr /etc/audit/audit.rules -a always,exit -F arch=b32 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>=1000 -F auid!=unset -k perm_mod -a always,exit -F arch=b64 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>=1000 -F auid!=unset -k perm_mod -a always,exit -F arch=b32 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k perm_mod -a always,exit -F arch=b64 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k perm_mod If the command does not return an audit rule for "setxattr", "fsetxattr", "lsetxattr", "removexattr", "fremovexattr", and "lremovexattr" or any of the lines returned are commented out, this is a finding.
Configure RHEL 8 to audit the execution of the "setxattr", "fsetxattr", "lsetxattr", "removexattr", "fremovexattr", and "lremovexattr" system calls by adding or updating the following lines to "/etc/audit/rules.d/audit.rules": -a always,exit -F arch=b32 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>=1000 -F auid!=unset -k perm_mod -a always,exit -F arch=b64 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>=1000 -F auid!=unset -k perm_mod -a always,exit -F arch=b32 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k perm_mod -a always,exit -F arch=b64 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k perm_mod The audit daemon must be restarted for the changes to take effect.
Verify that an audit event is generated for any successful/unsuccessful use of the "chage" command by performing the following command to check the file system rules in "/etc/audit/audit.rules": $ sudo grep -w chage /etc/audit/audit.rules -a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -k privileged-chage If the command does not return a line, or the line is commented out, this is a finding.
Configure the audit system to generate an audit event for any successful/unsuccessful uses of the "chage" command by adding or updating the following rule in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -k privileged-chage The audit daemon must be restarted for the changes to take effect.
Verify RHEL 8 generates an audit record when successful/unsuccessful attempts to use the "chcon" command by performing the following command to check the file system rules in "/etc/audit/audit.rules": $ sudo grep -w chcon /etc/audit/audit.rules -a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -k perm_mod If the command does not return a line, or the line is commented out, this is a finding.
Configure the audit system to generate an audit event for any successful/unsuccessful use of the "chcon" command by adding or updating the following rule in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -k perm_mod The audit daemon must be restarted for the changes to take effect.
Verify RHEL 8 generates an audit record when successful/unsuccessful attempts to use the "ssh-agent" by performing the following command to check the file system rules in "/etc/audit/audit.rules": $ sudo grep ssh-agent /etc/audit/audit.rules -a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh If the command does not return a line, or the line is commented out, this is a finding.
Configure the audit system to generate an audit event for any successful/unsuccessful use of the "ssh-agent" by adding or updating the following rule in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh The audit daemon must be restarted for the changes to take effect.
Verify that an audit event is generated for any successful/unsuccessful use of the "passwd" command by performing the following command to check the file system rules in "/etc/audit/audit.rules": $ sudo grep -w passwd /etc/audit/audit.rules -a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-passwd If the command does not return a line, or the line is commented out, this is a finding.
Configure the audit system to generate an audit event for any successful/unsuccessful uses of the "passwd" command by adding or updating the following rule in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-passwd The audit daemon must be restarted for the changes to take effect.
Verify that an audit event is generated for any successful/unsuccessful use of the "mount" command by performing the following command to check the file system rules in "/etc/audit/audit.rules": $ sudo grep -w /usr/bin/mount /etc/audit/audit.rules -a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -k privileged-mount If the command does not return a line, or the line is commented out, this is a finding.
Configure the audit system to generate an audit event for any successful/unsuccessful use of the "mount" command by adding or updating the following rules in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -k privileged-mount The audit daemon must be restarted for the changes to take effect.
Verify that an audit event is generated for any successful/unsuccessful use of the "umount" command by performing the following command to check the file system rules in "/etc/audit/audit.rules": $ sudo grep -w /usr/bin/umount /etc/audit/audit.rules -a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -k privileged-mount If the command does not return a line, or the line is commented out, this is a finding.
Configure the audit system to generate an audit event for any successful/unsuccessful use of the "umount" command by adding or updating the following rules in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -k privileged-mount The audit daemon must be restarted for the changes to take effect.
Verify that an audit event is generated for any successful/unsuccessful use of the "mount" syscall by performing the following command to check the file system rules in "/etc/audit/audit.rules": $ sudo grep -w "\-S mount" /etc/audit/audit.rules -a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=unset -k privileged-mount -a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=unset -k privileged-mount If the command does not return a line, or the line is commented out, this is a finding.
Configure the audit system to generate an audit event for any successful/unsuccessful use of the "mount" syscall by adding or updating the following rules in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=unset -k privileged-mount -a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=unset -k privileged-mount The audit daemon must be restarted for the changes to take effect.
Verify that an audit event is generated for any successful/unsuccessful use of the "unix_update" by performing the following command to check the file system rules in "/etc/audit/audit.rules": $ sudo grep -w "unix_update" /etc/audit/audit.rules -a always,exit -F path=/usr/sbin/unix_update -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-update If the command does not return a line, or the line is commented out, this is a finding.
Configure the audit system to generate an audit event for any successful/unsuccessful uses of the "unix_update" by adding or updating the following rule in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F path=/usr/sbin/unix_update -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-update The audit daemon must be restarted for the changes to take effect.
Verify that an audit event is generated for any successful/unsuccessful use of "postdrop" by performing the following command to check the file system rules in "/etc/audit/audit.rules": $ sudo grep -w "postdrop" /etc/audit/audit.rules -a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-update If the command does not return a line, or the line is commented out, this is a finding.
Configure the audit system to generate an audit event for any successful/unsuccessful uses of the "postdrop" by adding or updating the following rule in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-update The audit daemon must be restarted for the changes to take effect.
Verify that an audit event is generated for any successful/unsuccessful use of "postqueue" by performing the following command to check the file system rules in "/etc/audit/audit.rules": $ sudo grep -w "postqueue" /etc/audit/audit.rules -a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-update If the command does not return a line, or the line is commented out, this is a finding.
Configure the audit system to generate an audit event for any successful/unsuccessful uses of the "postqueue" by adding or updating the following rule in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-update The audit daemon must be restarted for the changes to take effect.
Verify that an audit event is generated for any successful/unsuccessful use of "semanage" by performing the following command to check the file system rules in "/etc/audit/audit.rules": $ sudo grep -w "semanage" /etc/audit/audit.rules -a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-update If the command does not return a line, or the line is commented out, this is a finding.
Configure the audit system to generate an audit event for any successful/unsuccessful uses of the "semanage" by adding or updating the following rule in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-update The audit daemon must be restarted for the changes to take effect.
Verify that an audit event is generated for any successful/unsuccessful use of "setfiles" by performing the following command to check the file system rules in "/etc/audit/audit.rules": $ sudo grep -w "setfiles" /etc/audit/audit.rules -a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-update If the command does not return a line, or the line is commented out, this is a finding.
Configure the audit system to generate an audit event for any successful/unsuccessful uses of the "setfiles" by adding or updating the following rule in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-update The audit daemon must be restarted for the changes to take effect.
Verify that an audit event is generated for any successful/unsuccessful use of "userhelper" by performing the following command to check the file system rules in "/etc/audit/audit.rules": $ sudo grep -w "userhelper" /etc/audit/audit.rules -a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-update If the command does not return a line, or the line is commented out, this is a finding.
Configure the audit system to generate an audit event for any successful/unsuccessful uses of the "userhelper" by adding or updating the following rule in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-update The audit daemon must be restarted for the changes to take effect.
Verify that an audit event is generated for any successful/unsuccessful use of "setsebool" by performing the following command to check the file system rules in "/etc/audit/audit.rules": $ sudo grep -w "setsebool" /etc/audit/audit.rules -a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-update If the command does not return a line, or the line is commented out, this is a finding.
Configure the audit system to generate an audit event for any successful/unsuccessful uses of the "setsebool" by adding or updating the following rule in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-update The audit daemon must be restarted for the changes to take effect.
Verify that an audit event is generated for any successful/unsuccessful use of "unix_chkpwd" by performing the following command to check the file system rules in "/etc/audit/audit.rules": $ sudo grep -w "unix_chkpwd" /etc/audit/audit.rules -a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-update If the command does not return a line, or the line is commented out, this is a finding.
Configure the audit system to generate an audit event for any successful/unsuccessful uses of the "unix_chkpwd" by adding or updating the following rule in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-update The audit daemon must be restarted for the changes to take effect.
Verify RHEL 8 generates an audit record when successful/unsuccessful attempts to use the "ssh-keysign" by performing the following command to check the file system rules in "/etc/audit/audit.rules": $ sudo grep ssh-keysign /etc/audit/audit.rules -a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh If the command does not return a line, or the line is commented out, this is a finding.
Configure the audit system to generate an audit event for any successful/unsuccessful use of the "ssh-keysign" by adding or updating the following rule in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh The audit daemon must be restarted for the changes to take effect.
Verify RHEL 8 generates an audit record when successful/unsuccessful attempts to use the "setfacl" command by performing the following command to check the file system rules in "/etc/audit/audit.rules": $ sudo grep -w setfacl /etc/audit/audit.rules -a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset -k perm_mod If the command does not return a line, or the line is commented out, this is a finding.
Configure the audit system to generate an audit event for any successful/unsuccessful use of the "setfacl" command by adding or updating the following rule in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset -k perm_mod The audit daemon must be restarted for the changes to take effect.
Verify that an audit event is generated for any successful/unsuccessful use of the "pam_timestamp_check" command by performing the following command to check the file system rules in "/etc/audit/audit.rules": $ sudo grep -w pam_timestamp_check /etc/audit/audit.rules -a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=unset -k privileged-pam_timestamp_check If the command does not return a line, or the line is commented out, this is a finding.
Configure the audit system to generate an audit event for any successful/unsuccessful uses of the "pam_timestamp_check" command by adding or updating the following rule in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=unset -k privileged-pam_timestamp_check The audit daemon must be restarted for the changes to take effect.
Verify RHEL 8 generates an audit record when successful/unsuccessful attempts to use the "newgrp" command by performing the following command to check the file system rules in "/etc/audit/audit.rules": $ sudo grep -w newgrp /etc/audit/audit.rules -a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -k priv_cmd If the command does not return a line, or the line is commented out, this is a finding.
Configure the audit system to generate an audit event for any successful/unsuccessful use of the "newgrp" command by adding or updating the following rule in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -k priv_cmd The audit daemon must be restarted for the changes to take effect.
Verify RHEL 8 generates an audit record upon successful/unsuccessful attempts to use the "init_module" and "finit_module" system calls by using the following command to check the file system rules in "/etc/audit/audit.rules": $ sudo grep init_module /etc/audit/audit.rules -a always,exit -F arch=b32 -S init_module,finit_module -F auid>=1000 -F auid!=unset -k module_chng -a always,exit -F arch=b64 -S init_module,finit_module -F auid>=1000 -F auid!=unset -k module_chng If the command does not return an audit rule for "init_module" and "finit_module" or any of the lines returned are commented out, this is a finding.
Configure the audit system to generate an audit event for any successful/unsuccessful use of the "init_module" and "finit_module" system calls by adding or updating the following rules in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F arch=b32 -S init_module,finit_module -F auid>=1000 -F auid!=unset -k module_chng -a always,exit -F arch=b64 -S init_module,finit_module -F auid>=1000 -F auid!=unset -k module_chng The audit daemon must be restarted for the changes to take effect.
Verify RHEL 8 generates an audit record upon successful/unsuccessful attempts to use the "rename", "unlink", "rmdir", "renameat", and "unlinkat" system calls by using the following command to check the file system rules in "/etc/audit/audit.rules": $ sudo grep 'rename\|unlink\|rmdir' /etc/audit/audit.rules -a always,exit -F arch=b32 -S rename,unlink,rmdir,renameat,unlinkat -F auid>=1000 -F auid!=unset -k delete -a always,exit -F arch=b64 -S rename,unlink,rmdir,renameat,unlinkat -F auid>=1000 -F auid!=unset -k delete If the command does not return an audit rule for "rename", "unlink", "rmdir", "renameat", and "unlinkat" or any of the lines returned are commented out, this is a finding.
Configure the audit system to generate an audit event for any successful/unsuccessful use of the "rename", "unlink", "rmdir", "renameat", and "unlinkat" system calls by adding or updating the following rules in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F arch=b32 -S rename,unlink,rmdir,renameat,unlinkat -F auid>=1000 -F auid!=unset -k delete -a always,exit -F arch=b64 -S rename,unlink,rmdir,renameat,unlinkat -F auid>=1000 -F auid!=unset -k delete The audit daemon must be restarted for the changes to take effect.
Verify that an audit event is generated for any successful/unsuccessful use of the "gpasswd" command by performing the following command to check the file system rules in "/etc/audit/audit.rules": $ sudo grep -w gpasswd /etc/audit/audit.rules -a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-gpasswd If the command does not return a line, or the line is commented out, this is a finding.
Configure the audit system to generate an audit event for any successful/unsuccessful uses of the "gpasswd" command by adding or updating the following rule in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-gpasswd The audit daemon must be restarted for the changes to take effect.
Verify RHEL 8 generates an audit record when successful/unsuccessful attempts to use the "delete_module" command by performing the following command to check the file system rules in "/etc/audit/audit.rules": $ sudo grep -w "delete_module" /etc/audit/audit.rules -a always,exit -F arch=b32 -S delete_module -F auid>=1000 -F auid!=unset -k module_chng -a always,exit -F arch=b64 -S delete_module -F auid>=1000 -F auid!=unset -k module_chng If the command does not return a line, or the line is commented out, this is a finding.
Configure the audit system to generate an audit event for any successful/unsuccessful use of the "delete_module" command by adding or updating the following rules in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F arch=b32 -S delete_module -F auid>=1000 -F auid!=unset -k module_chng -a always,exit -F arch=b64 -S delete_module -F auid>=1000 -F auid!=unset -k module_chng The audit daemon must be restarted for the changes to take effect.
Verify that an audit event is generated for any successful/unsuccessful use of the "crontab" command by performing the following command to check the file system rules in "/etc/audit/audit.rules": $ sudo grep -w crontab /etc/audit/audit.rules -a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -k privileged-crontab If the command does not return a line, or the line is commented out, this is a finding.
Configure the audit system to generate an audit event for any successful/unsuccessful uses of the "crontab" command by adding or updating the following rule in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -k privileged-crontab The audit daemon must be restarted for the changes to take effect.
Verify RHEL 8 generates an audit record when successful/unsuccessful attempts to use the "chsh" command by performing the following command to check the file system rules in "/etc/audit/audit.rules": $ sudo grep -w chsh /etc/audit/audit.rules -a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -k priv_cmd If the command does not return a line, or the line is commented out, this is a finding.
Configure the audit system to generate an audit event for any successful/unsuccessful use of the "chsh" command by adding or updating the following rule in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -k priv_cmd The audit daemon must be restarted for the changes to take effect.
Verify RHEL 8 generates an audit record upon successful/unsuccessful attempts to use the "truncate", "ftruncate", "creat", "open", "openat", and "open_by_handle_at" system calls by using the following command to check the file system rules in "/etc/audit/audit.rules": $ sudo grep 'open\|truncate\|creat' /etc/audit/audit.rules -a always,exit -F arch=b32 -S truncate,ftruncate,creat,open,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -k perm_access -a always,exit -F arch=b64 -S truncate,ftruncate,creat,open,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -k perm_access -a always,exit -F arch=b32 -S truncate,ftruncate,creat,open,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -k perm_access -a always,exit -F arch=b64 -S truncate,ftruncate,creat,open,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -k perm_access If the output does not produce rules containing "-F exit=-EPERM", this is a finding. If the output does not produce rules containing "-F exit=-EACCES", this is a finding. If the command does not return an audit rule for "truncate", "ftruncate", "creat", "open", "openat", and "open_by_handle_at" or any of the lines returned are commented out, this is a finding.
Configure the audit system to generate an audit event for any successful/unsuccessful use of the "truncate", "ftruncate", "creat", "open", "openat", and "open_by_handle_at" system calls by adding or updating the following rules in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F arch=b32 -S truncate,ftruncate,creat,open,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -k perm_access -a always,exit -F arch=b64 -S truncate,ftruncate,creat,open,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -k perm_access -a always,exit -F arch=b32 -S truncate,ftruncate,creat,open,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -k perm_access -a always,exit -F arch=b64 -S truncate,ftruncate,creat,open,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -k perm_access The audit daemon must be restarted for the changes to take effect.
Verify RHEL 8 generates an audit record upon successful/unsuccessful attempts to use the "chown", "fchown", "fchownat" and "lchown" system calls by using the following command to check the file system rules in "/etc/audit/audit.rules": $ sudo grep chown /etc/audit/audit.rules -a always,exit -F arch=b32 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=unset -k perm_mod -a always,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=unset -k perm_mod If audit rules are not defined for "chown", "fchown", "fchownat", and "lchown" or any of the lines returned are commented out, this is a finding.
Configure the audit system to generate an audit event for any successful/unsuccessful use of the "chown", "fchown", "fchownat", and "lchown" system calls by adding or updating the following line to "/etc/audit/rules.d/audit.rules": -a always,exit -F arch=b32 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=unset -k perm_mod -a always,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=unset -k perm_mod The audit daemon must be restarted for the changes to take effect.
Verify RHEL 8 generates an audit record upon successful/unsuccessful attempts to use the "chmod", "fchmod", and "fchmodat" syscalls by using the following command to check the file system rules in "/etc/audit/audit.rules": $ sudo grep chmod /etc/audit/audit.rules -a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -k perm_mod -a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -k perm_mod If the command does not return an audit rule for "chmod", "fchmod", and "fchmodat", or any of the lines returned are commented out, this is a finding.
Configure the audit system to generate an audit event for any successful/unsuccessful use of the "chmod", "fchmod", and "fchmodat" syscalls by adding or updating the following line to "/etc/audit/rules.d/audit.rules": -a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -k perm_mod -a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -k perm_mod The audit daemon must be restarted for the changes to take effect.
Verify that an audit event is generated for any successful/unsuccessful use of the "sudo" command by performing the following command to check the file system rules in "/etc/audit/audit.rules": $ sudo grep -w sudo /etc/audit/audit.rules -a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -k priv_cmd If the command does not return a line, or the line is commented out, this is a finding.
Configure the audit system to generate an audit event for any successful/unsuccessful use of the "sudo" command by adding or updating the following rule in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -k priv_cmd The audit daemon must be restarted for the changes to take effect.
Verify that an audit event is generated for any successful/unsuccessful use of the "usermod" command by performing the following command to check the file system rules in "/etc/audit/audit.rules": $ sudo grep -w usermod /etc/audit/audit.rules -a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=unset -k privileged-usermod If the command does not return a line, or the line is commented out, this is a finding.
Configure the audit system to generate an audit event for any successful/unsuccessful uses of the "usermod" command by adding or updating the following rule in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=unset -k privileged-usermod The audit daemon must be restarted for the changes to take effect.
Verify RHEL 8 generates an audit record when successful/unsuccessful attempts to use the "chacl" command by performing the following command to check the file system rules in "/etc/audit/audit.rules": $ sudo grep -w chacl /etc/audit/audit.rules -a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -k perm_mod If the command does not return a line, or the line is commented out, this is a finding.
Configure the audit system to generate an audit event for any successful/unsuccessful use of the "chacl" command by adding or updating the following rule in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -k perm_mod The audit daemon must be restarted for the changes to take effect.
Verify if RHEL 8 is configured to audit the execution of the module management program "kmod", by running the following command: $ sudo grep "/usr/bin/kmod" /etc/audit/audit.rules -a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -k modules If the command does not return a line, or the line is commented out, this is a finding.
Configure RHEL 8 to audit the execution of the module management program "kmod" by adding or updating the following line to "/etc/audit/rules.d/audit.rules": -a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -k modules The audit daemon must be restarted for the changes to take effect.
Verify RHEL 8 generates an audit record when successful/unsuccessful modifications to the "faillock" file occur. First, determine where the faillock tallies are stored with the following commands: For RHEL versions 8.0 and 8.1: $ sudo grep -i pam_faillock.so /etc/pam.d/system-auth auth required pam_faillock.so preauth dir=/var/log/faillock silent deny=3 fail_interval=900 even_deny_root For RHEL versions 8.2 and newer: $ sudo grep dir /etc/security/faillock.conf dir=/var/log/faillock Using the location of the faillock log file, check that the following calls are being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules": $ sudo grep -w faillock /etc/audit/audit.rules -w /var/log/faillock -p wa -k logins If the command does not return a line, or the line is commented out, this is a finding.
Configure the audit system to generate an audit event for any successful/unsuccessful modifications to the "faillock" file by adding or updating the following rules in the "/etc/audit/rules.d/audit.rules" file: -w /var/log/faillock -p wa -k logins The audit daemon must be restarted for the changes to take effect.
Verify RHEL 8 generates an audit record when successful/unsuccessful modifications to the "lastlog" file by performing the following command to check the file system rules in "/etc/audit/audit.rules": $ sudo grep -w lastlog /etc/audit/audit.rules -w /var/log/lastlog -p wa -k logins If the command does not return a line, or the line is commented out, this is a finding.
Configure the audit system to generate an audit event for any successful/unsuccessful modifications to the "lastlog" file by adding or updating the following rules in the "/etc/audit/rules.d/audit.rules" file: -w /var/log/lastlog -p wa -k logins The audit daemon must be restarted for the changes to take effect.
Verify RHEL 8 enables auditing of processes that start prior to the audit daemon with the following commands: $ sudo grub2-editenv list | grep audit kernelopts=root=/dev/mapper/rhel-root ro crashkernel=auto resume=/dev/mapper/rhel-swap rd.lvm.lv=rhel/root rd.lvm.lv=rhel/swap rhgb quiet fips=1 audit=1 audit_backlog_limit=8192 boot=UUID=8d171156-cd61-421c-ba41-1c021ac29e82 If the "audit" entry does not equal "1", is missing, or the line is commented out, this is a finding. Check that auditing is enabled by default to persist in kernel updates: $ sudo grep audit /etc/default/grub GRUB_CMDLINE_LINUX="audit=1" If "audit" is not set to "1", is missing or commented out, this is a finding.
Configure RHEL 8 to audit processes that start prior to the audit daemon with the following command: $ sudo grubby --update-kernel=ALL --args="audit=1" Add or modify the following line in "/etc/default/grub" to ensure the configuration survives kernel updates: GRUB_CMDLINE_LINUX="audit=1"
Verify RHEL 8 allocates a sufficient audit_backlog_limit to capture processes that start prior to the audit daemon with the following commands: $ sudo grub2-editenv list | grep audit kernelopts=root=/dev/mapper/rhel-root ro crashkernel=auto resume=/dev/mapper/rhel-swap rd.lvm.lv=rhel/root rd.lvm.lv=rhel/swap rhgb quiet fips=1 audit=1 audit_backlog_limit=8192 boot=UUID=8d171156-cd61-421c-ba41-1c021ac29e82 If the "audit_backlog_limit" entry does not equal "8192" or greater, is missing, or the line is commented out, this is a finding. Check the audit_backlog_limit is set to persist in kernel updates: $ sudo grep audit /etc/default/grub GRUB_CMDLINE_LINUX="audit_backlog_limit=8192" If "audit_backlog_limit" is not set to "8192" or greater, is missing or commented out, this is a finding.
Configure RHEL 8 to allocate sufficient audit_backlog_limit to capture processes that start prior to the audit daemon with the following command: $ sudo grubby --update-kernel=ALL --args="audit_backlog_limit=8192" Add or modify the following line in "/etc/default/grub" to ensure the configuration survives kernel updates: GRUB_CMDLINE_LINUX="audit_backlog_limit=8192"
Verify RHEL 8 enables Linux audit logging of the USBGuard daemon with the following commands: Note: If the USBGuard daemon is not installed and enabled, this requirement is Not Applicable. $ sudo grep -i auditbackend /etc/usbguard/usbguard-daemon.conf AuditBackend=LinuxAudit If the "AuditBackend" entry does not equal "LinuxAudit", is missing, or the line is commented out, this is a finding. If the system is a virtual machine with no virtual or physical USB peripherals attached, this is not a finding.
Configure RHEL 8 to enable Linux audit logging of the USBGuard daemon by adding or modifying the following line in "/etc/usbguard/usbguard-daemon.conf": AuditBackend=LinuxAudit
Verify that the files in directory "/etc/audit/rules.d/" and "/etc/audit/auditd.conf" file have a mode of "0640" or less permissive by using the following commands: $ sudo ls -al /etc/audit/rules.d/*.rules -rw-r----- 1 root root 1280 Feb 16 17:09 audit.rules $ sudo ls -l /etc/audit/auditd.conf -rw-r----- 1 root root 621 Sep 22 17:19 auditd.conf If the files in the "/etc/audit/rules.d/" directory or the "/etc/audit/auditd.conf" file have a mode more permissive than "0640", this is a finding.
Configure the files in directory "/etc/audit/rules.d/" and the "/etc/audit/auditd.conf" file to have a mode of "0640" with the following commands: $ sudo chmod 0640 /etc/audit/rules.d/audit.rules $ sudo chmod 0640 /etc/audit/rules.d/[customrulesfile].rules $ sudo chmod 0640 /etc/audit/auditd.conf
Verify the audit tools are protected from unauthorized access, deletion, or modification by checking the permissive mode. Check the octal permission of each audit tool by running the following command: $ sudo stat -c "%a %n" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/rsyslogd /sbin/augenrules 755 /sbin/auditctl 755 /sbin/aureport 755 /sbin/ausearch 750 /sbin/autrace 755 /sbin/auditd 755 /sbin/rsyslogd 755 /sbin/augenrules If any of the audit tools has a mode more permissive than "0755", this is a finding.
Configure the audit tools to be protected from unauthorized access by setting the correct permissive mode using the following command: $ sudo chmod 0755 [audit_tool] Replace "[audit_tool]" with the audit tool that does not have the correct permissive mode.
Verify the audit tools are owned by "root" to prevent any unauthorized access, deletion, or modification. Check the owner of each audit tool by running the following command: $ sudo stat -c "%U %n" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/rsyslogd /sbin/augenrules root /sbin/auditctl root /sbin/aureport root /sbin/ausearch root /sbin/autrace root /sbin/auditd root /sbin/rsyslogd root /sbin/augenrules If any of the audit tools are not owned by "root", this is a finding.
Configure the audit tools to be owned by "root", by running the following command: $ sudo chown root [audit_tool] Replace "[audit_tool]" with each audit tool not owned by "root".
Verify the audit tools are group-owned by "root" to prevent any unauthorized access, deletion, or modification. Check the owner of each audit tool by running the following commands: $ sudo stat -c "%G %n" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/rsyslogd /sbin/augenrules root /sbin/auditctl root /sbin/aureport root /sbin/ausearch root /sbin/autrace root /sbin/auditd root /sbin/rsyslogd root /sbin/augenrules If any of the audit tools are not group-owned by "root", this is a finding.
Configure the audit tools to be group-owned by "root", by running the following command: $ sudo chgrp root [audit_tool] Replace "[audit_tool]" with each audit tool not group-owned by "root".
Verify that Advanced Intrusion Detection Environment (AIDE) is properly configured to use cryptographic mechanisms to protect the integrity of audit tools. If AIDE is not installed, ask the System Administrator how file integrity checks are performed on the system. Check the selection lines to ensure AIDE is configured to add/check with the following command: $ sudo grep -E '(\/usr\/sbin\/(audit|au|rsys))' /etc/aide.conf /usr/sbin/auditctl p+i+n+u+g+s+b+acl+xattrs+sha512 /usr/sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512 /usr/sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512 /usr/sbin/aureport p+i+n+u+g+s+b+acl+xattrs+sha512 /usr/sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512 /usr/sbin/rsyslogd p+i+n+u+g+s+b+acl+xattrs+sha512 /usr/sbin/augenrules p+i+n+u+g+s+b+acl+xattrs+sha512 If any of the audit tools listed above do not have an appropriate selection line, ask the system administrator to indicate what cryptographic mechanisms are being used to protect the integrity of the audit tools. If there is no evidence of integrity protection, this is a finding.
Add or update the following lines to "/etc/aide.conf", to protect the integrity of the audit tools. # Audit Tools /usr/sbin/auditctl p+i+n+u+g+s+b+acl+xattrs+sha512 /usr/sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512 /usr/sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512 /usr/sbin/aureport p+i+n+u+g+s+b+acl+xattrs+sha512 /usr/sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512 /usr/sbin/rsyslogd p+i+n+u+g+s+b+acl+xattrs+sha512 /usr/sbin/augenrules p+i+n+u+g+s+b+acl+xattrs+sha512
Verify RHEL 8 allocates audit record storage capacity to store at least one week of audit records when audit records are not immediately sent to a central audit record storage facility. Determine to which partition the audit records are being written with the following command: $ sudo grep -iw log_file /etc/audit/auditd.conf log_file = /var/log/audit/audit.log Check the size of the partition to which audit records are written (with the example being /var/log/audit/) with the following command: $ sudo df -h /var/log/audit/ /dev/sda2 24G 10.4G 13.6G 43% /var/log/audit If the audit records are not written to a partition made specifically for audit records (/var/log/audit is a separate partition), determine the amount of space being used by other files in the partition with the following command: $ sudo du -sh [audit_partition] 1.8G /var/log/audit If the audit record partition is not allocated for sufficient storage capacity, this is a finding. Note: The partition size needed to capture a week of audit records is based on the activity level of the system and the total storage capacity available. Typically 10.0 GB of storage space for audit records should be sufficient.
Allocate enough storage capacity for at least one week of audit records when audit records are not immediately sent to a central audit record storage facility. If audit records are stored on a partition made specifically for audit records, resize the partition with sufficient space to contain one week of audit records. If audit records are not stored on a partition made specifically for audit records, a new partition with sufficient space will need be to be created.
Verify the operating system has the packages required for offloading audit logs installed with the following commands: $ sudo yum list installed rsyslog rsyslog.x86_64 8.1911.0-3.el8 @AppStream If the "rsyslog" package is not installed, ask the administrator to indicate how audit logs are being offloaded and what packages are installed to support it. If there is no evidence of audit logs being offloaded, this is a finding.
Configure the operating system to offload audit logs by installing the required packages with the following command: $ sudo yum install rsyslog
Verify the operating system has the packages required for encrypting offloaded audit logs installed with the following commands: $ sudo yum list installed rsyslog-gnutls rsyslog-gnutls.x86_64 8.1911.0-3.el8 @AppStream If the "rsyslog-gnutls" package is not installed, ask the administrator to indicate how audit logs are being encrypted during offloading and what packages are installed to support it. If there is no evidence of audit logs being encrypted during offloading, this is a finding.
Configure the operating system to encrypt offloaded audit logs by installing the required packages with the following command: $ sudo yum install rsyslog-gnutls
Verify the audit system offloads audit records onto a different system or media from the system being audited with the following command: $ sudo grep @@ /etc/rsyslog.conf /etc/rsyslog.d/*.conf /etc/rsyslog.conf:*.* @@[logaggregationserver.example.mil]:[port] If a remote server is not configured, or the line is commented out, ask the system administrator to indicate how the audit logs are offloaded to a different system or media. If there is no evidence that the audit logs are being offloaded to another system or media, this is a finding.
Configure the operating system to offload audit records onto a different system or media from the system being audited by specifying the remote logging server in "/etc/rsyslog.conf" or "/etc/rsyslog.d/[customfile].conf" with the name or IP address of the log aggregation server. For UDP: *.* @[logaggregationserver.example.mil]:[port] For TCP: *.* @@[logaggregationserver.example.mil]:[port]
Verify the audit system is configured to take an appropriate action when the internal event queue is full: $ sudo grep -i overflow_action /etc/audit/auditd.conf overflow_action = syslog If the value of the "overflow_action" option is not set to "syslog", "single", "halt", or the line is commented out, ask the System Administrator to indicate how the audit logs are off-loaded to a different system or media. If there is no evidence that the transfer of the audit logs being off-loaded to another system or media takes appropriate action if the internal event queue becomes full, this is a finding.
Edit the /etc/audit/auditd.conf file and add or update the "overflow_action" option: overflow_action = syslog The audit daemon must be restarted for changes to take effect.
Verify the operating system encrypts audit records off-loaded onto a different system or media from the system being audited with the following commands: $ sudo grep -i '$DefaultNetstreamDriver' /etc/rsyslog.conf /etc/rsyslog.d/*.conf /etc/rsyslog.conf:$DefaultNetstreamDriver gtls If the value of the "$DefaultNetstreamDriver" option is not set to "gtls" or the line is commented out, this is a finding. $ sudo grep -i '$ActionSendStreamDriverMode' /etc/rsyslog.conf /etc/rsyslog.d/*.conf /etc/rsyslog.conf:$ActionSendStreamDriverMode 1 If the value of the "$ActionSendStreamDriverMode" option is not set to "1" or the line is commented out, this is a finding. If neither of the definitions above are set, ask the System Administrator to indicate how the audit logs are off-loaded to a different system or media. If there is no evidence that the transfer of the audit logs being off-loaded to another system or media is encrypted, this is a finding.
Configure the operating system to encrypt off-loaded audit records by setting the following options in "/etc/rsyslog.conf" or "/etc/rsyslog.d/[customfile].conf": $DefaultNetstreamDriver gtls $ActionSendStreamDriverMode 1
Verify the operating system authenticates the remote logging server for off-loading audit logs with the following command: $ sudo grep -i '$ActionSendStreamDriverAuthMode' /etc/rsyslog.conf /etc/rsyslog.d/*.conf /etc/rsyslog.conf:$ActionSendStreamDriverAuthMode x509/name If the value of the "$ActionSendStreamDriverAuthMode" option is not set to "x509/name" or the line is commented out, ask the System Administrator to indicate how the audit logs are off-loaded to a different system or media. If there is no evidence that the transfer of the audit logs being off-loaded to another system or media is encrypted, this is a finding.
Configure the operating system to authenticate the remote logging server for off-loading audit logs by setting the following option in "/etc/rsyslog.conf" or "/etc/rsyslog.d/[customfile].conf": $ActionSendStreamDriverAuthMode x509/name
Verify RHEL 8 takes action when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity with the following commands: $ sudo grep -w space_left /etc/audit/auditd.conf space_left = 25% If the value of the "space_left" keyword is not set to "25%" or if the line is commented out, ask the System Administrator to indicate how the system is providing real-time alerts to the SA and ISSO. If there is no evidence that real-time alerts are configured on the system, this is a finding.
Configure the operating system to initiate an action to notify the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity by adding/modifying the following line in the /etc/audit/auditd.conf file. space_left = 25% Note: Option names and values in the auditd.conf file are case insensitive.
Verify RHEL 8 is securely comparing internal information system clocks at least every 24 hours with an NTP server with the following commands: $ sudo grep maxpoll /etc/chrony.conf server 0.us.pool.ntp.mil iburst maxpoll 16 If the "maxpoll" option is set to a number greater than 16 or the line is commented out, this is a finding. Verify the "chrony.conf" file is configured to an authoritative DoD time source by running the following command: $ sudo grep -i server /etc/chrony.conf server 0.us.pool.ntp.mil If the parameter "server" is not set or is not set to an authoritative DoD time source, this is a finding.
Configure the operating system to securely compare internal information system clocks at least every 24 hours with an NTP server by adding/modifying the following line in the /etc/chrony.conf file. server [ntp.server.name] iburst maxpoll 16
Note: If the system is approved and documented by the information system security officer (ISSO) to function as an NTP time server, this requirement is Not Applicable. Verify RHEL 8 disables the chrony daemon from acting as a server with the following command: $ sudo grep -w 'port' /etc/chrony.conf port 0 If the "port" option is not set to "0", is commented out or missing, this is a finding.
Configure the operating system to disable the chrony daemon from acting as a server by adding or modifying the following line in the "/etc/chrony.conf" file: port 0
Note: If the system is approved and documented by the information system security officer (ISSO) to function as an NTP time server, this requirement is Not Applicable. Verify RHEL 8 disables network management of the chrony daemon with the following command: $ sudo grep -w 'cmdport' /etc/chrony.conf cmdport 0 If the "cmdport" option is not set to "0", is commented out or missing, this is a finding.
Configure the operating system disable network management of the chrony daemon by adding or modifying the following line in the "/etc/chrony.conf" file. cmdport 0
Check to see if the telnet-server package is installed with the following command: $ sudo yum list installed telnet-server If the telnet-server package is installed, this is a finding.
Configure the operating system to disable non-essential capabilities by removing the telnet-server package from the system with the following command: $ sudo yum remove telnet-server
Check to see if any automated bug reporting packages are installed with the following command: $ sudo yum list installed abrt* If any automated bug reporting package is installed, this is a finding.
Configure the operating system to disable non-essential capabilities by removing automated bug reporting packages from the system with the following command: $ sudo yum remove abrt*
Check to see if the sendmail package is installed with the following command: $ sudo yum list installed sendmail If the sendmail package is installed, this is a finding.
Configure the operating system to disable non-essential capabilities by removing the sendmail package from the system with the following command: $ sudo yum remove sendmail
Verify RHEL 8 enables kernel page-table isolation with the following commands: $ sudo grub2-editenv list | grep pti kernelopts=root=/dev/mapper/rhel-root ro crashkernel=auto resume=/dev/mapper/rhel-swap rd.lvm.lv=rhel/root rd.lvm.lv=rhel/swap rhgb quiet fips=1 audit=1 audit_backlog_limit=8192 pti=on boot=UUID=8d171156-cd61-421c-ba41-1c021ac29e82 If the "pti" entry does not equal "on", is missing, or the line is commented out, this is a finding. Check that kernel page-table isolation is enabled by default to persist in kernel updates: $ sudo grep pti /etc/default/grub GRUB_CMDLINE_LINUX="pti=on" If "pti" is not set to "on", is missing or commented out, this is a finding.
Configure RHEL 8 to enable kernel page-table isolation with the following command: $ sudo grubby --update-kernel=ALL --args="pti=on" Add or modify the following line in "/etc/default/grub" to ensure the configuration survives kernel updates: GRUB_CMDLINE_LINUX="pti=on"
Check to see if the rsh-server package is installed with the following command: $ sudo yum list installed rsh-server If the rsh-server package is installed, this is a finding.
Configure the operating system to disable non-essential capabilities by removing the rsh-server package from the system with the following command: $ sudo yum remove rsh-server
If the device or operating system does not have a camera installed, this requirement is not applicable. This requirement is not applicable to mobile devices (smartphones and tablets), where the use of the camera is a local AO decision. This requirement is not applicable to dedicated VTC suites located in approved VTC locations that are centrally managed. For an external camera, if there is not a method for the operator to manually disconnect the camera at the end of collaborative computing sessions, this is a finding. For a built-in camera, the camera must be protected by a camera cover (e.g., laptop camera cover slide) when not in use. If the built-in camera is not protected with a camera cover, or is not physically disabled, this is a finding. If the camera is not disconnected, covered, or physically disabled, determine if it is being disabled via software with the following commands: Verify the operating system disables the ability to load the uvcvideo kernel module. $ sudo grep -r uvcvideo /etc/modprobe.d/* | grep "/bin/false" install uvcvideo /bin/false If the command does not return any output, or the line is commented out, and the collaborative computing device has not been authorized for use, this is a finding. Verify the camera is disabled via blacklist with the following command: $ sudo grep -r uvcvideo /etc/modprobe.d/* | grep "blacklist" blacklist uvcvideo If the command does not return any output or the output is not "blacklist uvcvideo", and the collaborative computing device has not been authorized for use, this is a finding.
Configure the operating system to disable the built-in or attached camera when not in use. Build or modify the "/etc/modprobe.d/blacklist.conf" file by using the following example: install uvcvideo /bin/false blacklist uvcvideo Reboot the system for the settings to take effect.
Verify the operating system disables the ability to load the ATM protocol kernel module. $ sudo grep -r atm /etc/modprobe.d/* | grep "/bin/false" install atm /bin/false If the command does not return any output, or the line is commented out, and use of the ATM protocol is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding. Verify the operating system disables the ability to use the ATM protocol. Check to see if the ATM protocol is disabled with the following command: $ sudo grep -r atm /etc/modprobe.d/* | grep "blacklist" blacklist atm If the command does not return any output or the output is not "blacklist atm", and use of the ATM protocol is not documented with the ISSO as an operational requirement, this is a finding.
Configure the operating system to disable the ability to use the ATM protocol kernel module. Add or update the following lines in the file "/etc/modprobe.d/blacklist.conf": install atm /bin/false blacklist atm Reboot the system for the settings to take effect.
Verify the operating system disables the ability to load the CAN protocol kernel module. $ sudo grep -r can /etc/modprobe.d/* | grep "/bin/false" install can /bin/false If the command does not return any output, or the line is commented out, and use of the CAN protocol is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding. Verify the operating system disables the ability to use the CAN protocol. Check to see if the CAN protocol is disabled with the following command: $ sudo grep -r can /etc/modprobe.d/* | grep "blacklist" blacklist can If the command does not return any output or the output is not "blacklist can", and use of the CAN protocol is not documented with the ISSO as an operational requirement, this is a finding.
Configure the operating system to disable the ability to use the CAN protocol kernel module. Add or update the following lines in the file "/etc/modprobe.d/blacklist.conf": install can /bin/false blacklist can Reboot the system for the settings to take effect.
Verify the operating system disables the ability to load the SCTP kernel module. $ sudo grep -r sctp /etc/modprobe.d/* | grep "/bin/false" install sctp /bin/false If the command does not return any output, or the line is commented out, and use of the SCTP is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding. Verify the operating system disables the ability to use the SCTP. Check to see if the SCTP is disabled with the following command: $ sudo grep -r sctp /etc/modprobe.d/* | grep "blacklist" blacklist sctp If the command does not return any output or the output is not "blacklist sctp", and use of the SCTP is not documented with the ISSO as an operational requirement, this is a finding.
Configure the operating system to disable the ability to use the SCTP kernel module. Add or update the following lines in the file "/etc/modprobe.d/blacklist.conf": install sctp /bin/false blacklist sctp Reboot the system for the settings to take effect.
Verify the operating system disables the ability to load the TIPC protocol kernel module. $ sudo grep -r tipc /etc/modprobe.d/* | grep "/bin/false" install tipc /bin/false If the command does not return any output, or the line is commented out, and use of the TIPC protocol is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding. Verify the operating system disables the ability to use the TIPC protocol. Check to see if the TIPC protocol is disabled with the following command: $ sudo grep -r tipc /etc/modprobe.d/* | grep "blacklist" blacklist tipc If the command does not return any output or the output is not "blacklist tipc", and use of the TIPC protocol is not documented with the ISSO as an operational requirement, this is a finding.
Configure the operating system to disable the ability to use the TIPC protocol kernel module. Add or update the following lines in the file "/etc/modprobe.d/blacklist.conf": install tipc /bin/false blacklist tipc Reboot the system for the settings to take effect.
Verify the operating system disables the ability to load the cramfs kernel module. $ sudo grep -r cramfs /etc/modprobe.d/* | grep "/bin/false" install cramfs /bin/false If the command does not return any output, or the line is commented out, and use of the cramfs protocol is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding. Verify the operating system disables the ability to use the cramfs kernel module. Check to see if the cramfs kernel module is disabled with the following command: $ sudo grep -r cramfs /etc/modprobe.d/* | grep "blacklist" blacklist cramfs If the command does not return any output or the output is not "blacklist cramfs", and use of the cramfs kernel module is not documented with the ISSO as an operational requirement, this is a finding.
Configure the operating system to disable the ability to use the cramfs kernel module. Add or update the following lines in the file "/etc/modprobe.d/blacklist.conf": install cramfs /bin/false blacklist cramfs Reboot the system for the settings to take effect.
Verify the operating system disables the ability to load the firewire-core kernel module. $ sudo grep -r firewire-core /etc/modprobe.d/* | grep "/bin/false" install firewire-core /bin/false If the command does not return any output, or the line is commented out, and use of the firewire-core protocol is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding. Verify the operating system disables the ability to use the firewire-core kernel module. Check to see if the firewire-core kernel module is disabled with the following command: $ sudo grep -r firewire-core /etc/modprobe.d/* | grep "blacklist" blacklist firewire-core If the command does not return any output or the output is not "blacklist firewire-core", and use of the firewire-core kernel module is not documented with the ISSO as an operational requirement, this is a finding.
Configure the operating system to disable the ability to use the firewire-core kernel module. Add or update the following lines in the file "/etc/modprobe.d/blacklist.conf": install firewire-core /bin/false blacklist firewire-core Reboot the system for the settings to take effect.
Inspect the firewall configuration and running services to verify it is configured to prohibit or restrict the use of functions, ports, protocols, and/or services that are unnecessary or prohibited. Check which services are currently active with the following command: $ sudo firewall-cmd --list-all-zones custom (active) target: DROP icmp-block-inversion: no interfaces: ens33 sources: services: dhcpv6-client dns http https ldaps rpc-bind ssh ports: masquerade: no forward-ports: icmp-blocks: rich rules: Ask the System Administrator for the site or program Ports, Protocols, and Services Management Component Local Service Assessment (PPSM CLSA). Verify the services allowed by the firewall match the PPSM CLSA. If there are additional ports, protocols, or services that are not in the PPSM CLSA, or there are ports, protocols, or services that are prohibited by the PPSM Category Assurance List (CAL), this is a finding.
Update the host's firewall settings and/or running services to comply with the PPSM Component Local Service Assessment (CLSA) for the site or program and the PPSM CAL.
Verify the operating system disables the ability to automount devices. Check to see if automounter service is active with the following command: Note: If the autofs service is not installed, this requirement is not applicable. $ sudo systemctl status autofs autofs.service - Automounts filesystems on demand Loaded: loaded (/usr/lib/systemd/system/autofs.service; disabled) Active: inactive (dead) If the "autofs" status is set to "active" and is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.
Configure the operating system to disable the ability to automount devices. Turn off the automount service with the following commands: $ sudo systemctl stop autofs $ sudo systemctl disable autofs If "autofs" is required for Network File System (NFS), it must be documented with the ISSO.
Verify the operating system disables the ability to load the USB Storage kernel module. $ sudo grep -r usb-storage /etc/modprobe.d/* | grep -i "/bin/false" install usb-storage /bin/false If the command does not return any output, or the line is commented out, and use of USB Storage is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding. Verify the operating system disables the ability to use USB mass storage devices. Check to see if USB mass storage is disabled with the following command: $ sudo grep usb-storage /etc/modprobe.d/* | grep -i "blacklist" blacklist usb-storage If the command does not return any output or the output is not "blacklist usb-storage" and use of USB storage devices is not documented with the ISSO as an operational requirement, this is a finding.
Configure the operating system to disable the ability to use the USB Storage kernel module and the ability to use USB mass storage devices. Add or update the following lines in the file "/etc/modprobe.d/blacklist.conf": install usb-storage /bin/false blacklist usb-storage Reboot the system for the settings to take effect.
Verify "firewalld" is configured to employ a deny-all, allow-by-exception policy for allowing connections to other systems with the following commands: $ sudo firewall-cmd --state running $ sudo firewall-cmd --get-active-zones [custom] interfaces: ens33 $ sudo firewall-cmd --info-zone=[custom] | grep target target: DROP If no zones are active on the RHEL 8 interfaces or if the target is set to a different option other than "DROP", this is a finding. If the "firewalld" package is not installed, ask the System Administrator if an alternate firewall (such as iptables) is installed and in use, and how is it configured to employ a deny-all, allow-by-exception policy. If the alternate firewall is not configured to employ a deny-all, allow-by-exception policy, this is a finding. If no firewall is installed, this is a finding.
Configure the "firewalld" daemon to employ a deny-all, allow-by-exception with the following commands: $ sudo firewall-cmd --permanent --new-zone=[custom] $ sudo cp /usr/lib/firewalld/zones/drop.xml /etc/firewalld/zones/[custom].xml This will provide a clean configuration file to work with that employs a deny-all approach. Note: Add the exceptions that are required for mission functionality and update the short title in the xml file to match the [custom] zone name. Reload the firewall rules to make the new [custom] zone available to load: $ sudo firewall-cmd --reload Set the default zone to the new [custom] zone: $ sudo firewall-cmd --set-default-zone=[custom] Note: This is a runtime and permanent change. Add any interfaces to the new [custom] zone: $ sudo firewall-cmd --permanent --zone=[custom] --change-interface=ens33 Reload the firewall rules for changes to take effect: $ sudo firewall-cmd --reload
Verify that "firewalld" is installed with the following commands: $ sudo yum list installed firewalld firewalld.noarch 0.7.0-5.el8 If the "firewalld" package is not installed, ask the System Administrator if another firewall is installed. If no firewall is installed this is a finding.
Install "firewalld" with the following command: $ sudo yum install firewalld.noarch
Verify there are no wireless interfaces configured on the system with the following command: Note: This requirement is Not Applicable for systems that do not have physical wireless network radios. $ sudo nmcli device status DEVICE TYPE STATE CONNECTION virbr0 bridge connected virbr0 wlp7s0 wifi connected wifiSSID enp6s0 ethernet disconnected -- p2p-dev-wlp7s0 wifi-p2p disconnected -- lo loopback unmanaged -- virbr0-nic tun unmanaged -- If a wireless interface is configured and has not been documented and approved by the Information System Security Officer (ISSO), this is a finding.
Configure the system to disable all wireless network interfaces with the following command: $ sudo nmcli radio all off
If the device or operating system does not have a Bluetooth adapter installed, this requirement is not applicable. This requirement is not applicable to mobile devices (smartphones and tablets), where the use of Bluetooth is a local AO decision. Determine if Bluetooth is disabled with the following command: $ sudo grep bluetooth /etc/modprobe.d/* /etc/modprobe.d/bluetooth.conf:install bluetooth /bin/false If the Bluetooth driver blacklist entry is missing, a Bluetooth driver is determined to be in use, and the collaborative computing device has not been authorized for use, this is a finding. Verify the operating system disables the ability to use Bluetooth with the following command: $ sudo grep -r bluetooth /etc/modprobe.d | grep -i "blacklist" | grep -v "^#" blacklist bluetooth If the command does not return any output or the output is not "blacklist bluetooth", and use of Bluetooth is not documented with the ISSO as an operational requirement, this is a finding.
Configure the operating system to disable the Bluetooth adapter when not in use. Build or modify the "/etc/modprobe.d/bluetooth.conf" file with the following line: install bluetooth /bin/false Disable the ability to use the Bluetooth kernel module. $ sudo vi /etc/modprobe.d/blacklist.conf Add or update the line: blacklist bluetooth Reboot the system for the settings to take effect.
Verify "/dev/shm" is mounted with the "nodev" option: $ sudo mount | grep /dev/shm tmpfs on /dev/shm type tmpfs (rw,nodev,nosuid,noexec,seclabel) Verify that the "nodev"option is configured for /dev/shm: $ sudo cat /etc/fstab | grep /dev/shm tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0 If results are returned and the "nodev" option is missing, or if /dev/shm is mounted without the "nodev" option, this is a finding.
Configure the system so that /dev/shm is mounted with the "nodev" option by adding /modifying the /etc/fstab with the following line: tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0
Verify "/dev/shm" is mounted with the "nosuid" option: $ sudo mount | grep /dev/shm tmpfs on /dev/shm type tmpfs (rw,nodev,nosuid,noexec,seclabel) Verify that the "nosuid" option is configured for /dev/shm: $ sudo cat /etc/fstab | grep /dev/shm tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0 If results are returned and the "nosuid" option is missing, or if /dev/shm is mounted without the "nosuid" option, this is a finding.
Configure the system so that /dev/shm is mounted with the "nosuid" option by adding /modifying the /etc/fstab with the following line: tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0
Verify "/dev/shm" is mounted with the "noexec" option: $ sudo mount | grep /dev/shm tmpfs on /dev/shm type tmpfs (rw,nodev,nosuid,noexec,seclabel) Verify that the "noexec" options is configured for /dev/shm: $ sudo cat /etc/fstab | grep /dev/shm tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0 If results are returned and the "noexec" option is missing, or if /dev/shm is mounted without the "noexec" option, this is a finding.
Configure the system so that /dev/shm is mounted with the "noexec" option by adding /modifying the /etc/fstab with the following line: tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0
Verify "/tmp" is mounted with the "nodev" option: $ sudo mount | grep /tmp /dev/mapper/rhel-tmp on /tmp type xfs (rw,nodev,nosuid,noexec,seclabel) Verify that the "nodev" option is configured for /tmp: $ sudo cat /etc/fstab | grep /tmp /dev/mapper/rhel-tmp /tmp xfs defaults,nodev,nosuid,noexec 0 0 If results are returned and the "nodev" option is missing, or if /tmp is mounted without the "nodev" option, this is a finding.
Configure the system so that /tmp is mounted with the "nodev" option by adding /modifying the /etc/fstab with the following line: /dev/mapper/rhel-tmp /tmp xfs defaults,nodev,nosuid,noexec 0 0
Verify "/tmp" is mounted with the "nosuid" option: $ sudo mount | grep /tmp /dev/mapper/rhel-tmp on /tmp type xfs (rw,nodev,nosuid,noexec,seclabel) Verify that the "nosuid" option is configured for /tmp: $ sudo cat /etc/fstab | grep /tmp /dev/mapper/rhel-tmp /tmp xfs defaults,nodev,nosuid,noexec 0 0 If results are returned and the "nosuid" option is missing, or if /tmp is mounted without the "nosuid" option, this is a finding.
Configure the system so that /tmp is mounted with the "nosuid" option by adding /modifying the /etc/fstab with the following line: /dev/mapper/rhel-tmp /tmp xfs defaults,nodev,nosuid,noexec 0 0
Verify "/tmp" is mounted with the "noexec" option: $ sudo mount | grep /tmp /dev/mapper/rhel-tmp on /tmp type xfs (rw,nodev,nosuid,noexec,seclabel) Verify that the "noexec" option is configured for /tmp: $ sudo cat /etc/fstab | grep /tmp /dev/mapper/rhel-tmp /tmp xfs defaults,nodev,nosuid,noexec 0 0 If results are returned and the "noexec" option is missing, or if /tmp is mounted without the "noexec" option, this is a finding.
Configure the system so that /tmp is mounted with the "noexec" option by adding /modifying the /etc/fstab with the following line: /dev/mapper/rhel-tmp /tmp xfs defaults,nodev,nosuid,noexec 0 0
Verify "/var/log" is mounted with the "nodev" option: $ sudo mount | grep /var/log /dev/mapper/rhel-var-log on /var/log type xfs (rw,nodev,nosuid,noexec,seclabel) Verify that the "nodev" option is configured for /var/log: $ sudo cat /etc/fstab | grep /var/log /dev/mapper/rhel-var-log /var/log xfs defaults,nodev,nosuid,noexec 0 0 If results are returned and the "nodev" option is missing, or if /var/log is mounted without the "nodev" option, this is a finding.
Configure the system so that /var/log is mounted with the "nodev" option by adding /modifying the /etc/fstab with the following line: /dev/mapper/rhel-var-log /var/log xfs defaults,nodev,nosuid,noexec 0 0
Verify "/var/log" is mounted with the "nosuid" option: $ sudo mount | grep /var/log /dev/mapper/rhel-var-log on /var/log type xfs (rw,nodev,nosuid,noexec,seclabel) Verify that the "nosuid" option is configured for /var/log: $ sudo cat /etc/fstab | grep /var/log /dev/mapper/rhel-var-log /var/log xfs defaults,nodev,nosuid,noexec 0 0 If results are returned and the "nosuid" option is missing, or if /var/log is mounted without the "nosuid" option, this is a finding.
Configure the system so that /var/log is mounted with the "nosuid" option by adding /modifying the /etc/fstab with the following line: /dev/mapper/rhel-var-log /var/log xfs defaults,nodev,nosuid,noexec 0 0
Verify "/var/log" is mounted with the "noexec" option: $ sudo mount | grep /var/log /dev/mapper/rhel-var-log on /var/log type xfs (rw,nodev,nosuid,noexec,seclabel) Verify that the "noexec" option is configured for /var/log: $ sudo cat /etc/fstab | grep /var/log /dev/mapper/rhel-var-log /var/log xfs defaults,nodev,nosuid,noexec 0 0 If results are returned and the "noexec" option is missing, or if /var/log is mounted without the "noexec" option, this is a finding.
Configure the system so that /var/log is mounted with the "noexec" option by adding /modifying the /etc/fstab with the following line: /dev/mapper/rhel-var-log /var/log xfs defaults,nodev,nosuid,noexec 0 0
Verify "/var/log/audit" is mounted with the "nodev" option: $ sudo mount | grep /var/log/audit /dev/mapper/rhel-var-log-audit on /var/log/audit type xfs (rw,nodev,nosuid,noexec,seclabel) Verify that the "nodev" option is configured for /var/log/audit: $ sudo cat /etc/fstab | grep /var/log/audit /dev/mapper/rhel-var-log-audit /var/log/audit xfs defaults,nodev,nosuid,noexec 0 0 If results are returned and the "nodev" option is missing, or if /var/log/audit is mounted without the "nodev" option, this is a finding.
Configure the system so that /var/log/audit is mounted with the "nodev" option by adding /modifying the /etc/fstab with the following line: /dev/mapper/rhel-var-log-audit /var/log/audit xfs defaults,nodev,nosuid,noexec 0 0
Verify "/var/log/audit" is mounted with the "nosuid" option: $ sudo mount | grep /var/log/audit /dev/mapper/rhel-var-log-audit on /var/log/audit type xfs (rw,nodev,nosuid,noexec,seclabel) Verify that the "nosuid" option is configured for /var/log/audit: $ sudo cat /etc/fstab | grep /var/log/audit /dev/mapper/rhel-var-log-audit /var/log/audit xfs defaults,nodev,nosuid,noexec 0 0 If results are returned and the "nosuid" option is missing, or if /var/log/audit is mounted without the "nosuid" option, this is a finding.
Configure the system so that /var/log/audit is mounted with the "nosuid" option by adding /modifying the /etc/fstab with the following line: /dev/mapper/rhel-var-log-audit /var/log/audit xfs defaults,nodev,nosuid,noexec 0 0
Verify "/var/log/audit" is mounted with the "noexec" option: $ sudo mount | grep /var/log/audit /dev/mapper/rhel-var-log-audit on /var/log/audit type xfs (rw,nodev,nosuid,noexec,seclabel) Verify that the "noexec" option is configured for /var/log/audit: $ sudo cat /etc/fstab | grep /var/log/audit /dev/mapper/rhel-var-log-audit /var/log/audit xfs defaults,nodev,nosuid,noexec 0 0 If results are returned and the "noexec" option is missing, or if /var/log/audit is mounted without the "noexec" option, this is a finding.
Configure the system so that /var/log/audit is mounted with the "noexec" option by adding /modifying the /etc/fstab with the following line: /dev/mapper/rhel-var-log-audit /var/log/audit xfs defaults,nodev,nosuid,noexec 0 0
Verify "/var/tmp" is mounted with the "nodev" option: $ sudo mount | grep /var/tmp /dev/mapper/rhel-var-tmp on /var/tmp type xfs (rw,nodev,nosuid,noexec,seclabel) Verify that the "nodev" option is configured for /var/tmp: $ sudo cat /etc/fstab | grep /var/tmp /dev/mapper/rhel-var-tmp /var/tmp xfs defaults,nodev,nosuid,noexec 0 0 If results are returned and the "nodev" option is missing, or if /var/tmp is mounted without the "nodev" option, this is a finding.
Configure the system so that /var/tmp is mounted with the "nodev" option by adding /modifying the /etc/fstab with the following line: /dev/mapper/rhel-var-tmp /var/tmp xfs defaults,nodev,nosuid,noexec 0 0
Verify "/var/tmp" is mounted with the "nosuid" option: $ sudo mount | grep /var/tmp /dev/mapper/rhel-var-tmp on /var/tmp type xfs (rw,nodev,nosuid,noexec,seclabel) Verify that the "nosuid" option is configured for /var/tmp: $ sudo cat /etc/fstab | grep /var/tmp /dev/mapper/rhel-var-tmp /var/tmp xfs defaults,nodev,nosuid,noexec 0 0 If results are returned and the "nosuid" option is missing, or if /var/tmp is mounted without the "nosuid" option, this is a finding.
Configure the system so that /var/tmp is mounted with the "nosuid" option by adding /modifying the /etc/fstab with the following line: /dev/mapper/rhel-var-tmp /var/tmp xfs defaults,nodev,nosuid,noexec 0 0
Verify "/var/tmp" is mounted with the "noexec" option: $ sudo mount | grep /var/tmp /dev/mapper/rhel-var-tmp on /var/tmp type xfs (rw,nodev,nosuid,noexec,seclabel) Verify that the "noexec" option is configured for /var/tmp: $ sudo cat /etc/fstab | grep /var/tmp /dev/mapper/rhel-var-tmp /var/tmp xfs defaults,nodev,nosuid,noexec 0 0 If results are returned and the "noexec" option is missing, or if /var/tmp is mounted without the "noexec" option, this is a finding.
Configure the system so that /var/tmp is mounted with the "noexec" option by adding /modifying the /etc/fstab with the following line: /dev/mapper/rhel-var-tmp /var/tmp xfs defaults,nodev,nosuid,noexec 0 0
Verify the RHEL 8 "fapolicyd" is installed. Check that "fapolicyd" is installed with the following command: $ sudo yum list installed fapolicyd Installed Packages fapolicyd.x86_64 If fapolicyd is not installed, this is a finding.
Install "fapolicyd" with the following command: $ sudo yum install fapolicyd.x86_64
Verify the USBGuard has a policy configured with the following command: $ sudo usbguard list-rules If the command does not return results or an error is returned, ask the SA to indicate how unauthorized peripherals are being blocked. If there is no evidence that unauthorized peripherals are being blocked before establishing a connection, this is a finding. If the USBGuard package is not installed, ask the SA to indicate how unauthorized peripherals are being blocked. If there is no evidence that unauthorized peripherals are being blocked before establishing a connection, this is a finding. If the system is a virtual machine with no virtual or physical USB peripherals attached, this is not a finding.
Configure the operating system to enable the blocking of unauthorized peripherals with the following command: This command must be run from a root shell and will create an allow list for any usb devices currently connect to the system. # usbguard generate-policy > /etc/usbguard/rules.conf Note: Enabling and starting usbguard without properly configuring it for an individual system will immediately prevent any access over a usb device such as a keyboard or mouse
Verify "nftables" is configured to allow rate limits on any connection to the system with the following command: Verify "firewalld" has "nftables" set as the default backend: $ sudo grep -i firewallbackend /etc/firewalld/firewalld.conf # FirewallBackend FirewallBackend=nftables If the "nftables" is not set as the "firewallbackend" default, this is a finding.
Configure "nftables" to be the default "firewallbackend" for "firewalld" by adding or editing the following line in "/etc/firewalld/firewalld.conf": FirewallBackend=nftables Establish rate-limiting rules based on organization-defined types of DoS attacks on impacted network interfaces.
Verify SSH is loaded and active with the following command: $ sudo systemctl status sshd sshd.service - OpenSSH server daemon Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled) Active: active (running) since Tue 2015-11-17 15:17:22 EST; 4 weeks 0 days ago Main PID: 1348 (sshd) CGroup: /system.slice/sshd.service 1053 /usr/sbin/sshd -D If "sshd" does not show a status of "active" and "running", this is a finding.
Configure the SSH service to automatically start after reboot with the following command: $ sudo systemctl enable sshd.service
Verify the SSH server is configured to force frequent session key renegotiation with the following command: $ sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\r' | tr '\n' ' ' | xargs sudo grep -iH '^\s*rekeylimit' RekeyLimit 1G 1h If "RekeyLimit" does not have a maximum data amount and maximum time defined, is missing, or is commented out, this is a finding. If conflicting results are returned, this is a finding.
Configure the system to force a frequent session key renegotiation for SSH connections to the server by add or modifying the following line in the "/etc/ssh/sshd_config" file: RekeyLimit 1G 1h Restart the SSH daemon for the settings to take effect. $ sudo systemctl restart sshd.service
Verify RHEL 8 is not configured to reboot the system when Ctrl-Alt-Delete is pressed with the following command: $ sudo systemctl status ctrl-alt-del.target ctrl-alt-del.target Loaded: masked (Reason: Unit ctrl-alt-del.target is masked.) Active: inactive (dead) If the "ctrl-alt-del.target" is loaded and not masked, this is a finding.
Configure the system to disable the Ctrl-Alt-Delete sequence for the command line with the following commands: $ sudo systemctl disable ctrl-alt-del.target $ sudo systemctl mask ctrl-alt-del.target Created symlink /etc/systemd/system/ctrl-alt-del.target -> /dev/null Reload the daemon for this change to take effect. $ sudo systemctl daemon-reload
Verify RHEL 8 is not configured to reboot the system when Ctrl-Alt-Delete is pressed when using a graphical user interface with the following command: This requirement assumes the use of the RHEL 8 default graphical user interface, Gnome Shell. If the system does not have any graphical user interface installed, this requirement is Not Applicable. $ sudo grep logout /etc/dconf/db/local.d/* logout='' If the "logout" key is bound to an action, is commented out, or is missing, this is a finding.
Configure the system to disable the Ctrl-Alt-Delete sequence when using a graphical user interface by creating or editing the /etc/dconf/db/local.d/00-disable-CAD file. Add the setting to disable the Ctrl-Alt-Delete sequence for a graphical user interface: [org/gnome/settings-daemon/plugins/media-keys] logout='' Note: The value above is set to two single quotations. Then update the dconf settings: $ sudo dconf update
Verify RHEL 8 is not configured to reboot the system when Ctrl-Alt-Delete is pressed seven times within two seconds with the following command: $ sudo grep -i ctrl /etc/systemd/system.conf CtrlAltDelBurstAction=none If the "CtrlAltDelBurstAction" is not set to "none", commented out, or is missing, this is a finding.
Configure the system to disable the CtrlAltDelBurstAction by added or modifying the following line in the "/etc/systemd/system.conf" configuration file: CtrlAltDelBurstAction=none Reload the daemon for this change to take effect. $ sudo systemctl daemon-reload
Verify RHEL 8 is configured to mask the debug-shell systemd service with the following command: $ sudo systemctl status debug-shell.service debug-shell.service Loaded: masked (Reason: Unit debug-shell.service is masked.) Active: inactive (dead) If the "debug-shell.service" is loaded and not masked, this is a finding.
Configure the system to mask the debug-shell systemd service with the following command: $ sudo systemctl mask debug-shell.service Created symlink /etc/systemd/system/debug-shell.service -> /dev/null Reload the daemon to take effect. $ sudo systemctl daemon-reload
Verify a TFTP server has not been installed on the system with the following command: $ sudo yum list installed tftp-server tftp-server.x86_64 5.2-24.el8 If TFTP is installed and the requirement for TFTP is not documented with the ISSO, this is a finding.
Remove the TFTP package from the system with the following command: $ sudo yum remove tftp-server
Check the system for duplicate UID "0" assignments with the following command: $ sudo awk -F: '$3 == 0 {print $1}' /etc/passwd If any accounts other than root have a UID of "0", this is a finding.
Change the UID of any account on the system, other than root, that has a UID of "0". If the account is associated with system commands or applications, the UID should be changed to one greater than "0" but less than "1000". Otherwise, assign a UID of greater than "1000" that has not already been assigned.
Verify RHEL 8 will not accept IPv6 ICMP redirect messages. Note: If IPv6 is disabled on the system, this requirement is Not Applicable. Check the value of the default "accept_redirects" variables with the following command: $ sudo sysctl net.ipv6.conf.default.accept_redirects net.ipv6.conf.default.accept_redirects = 0 If the returned line does not have a value of "0", a line is not returned, or the line is commented out, this is a finding. Check that the configuration files are present to enable this network parameter. $ sudo grep -r net.ipv6.conf.default.accept_redirects /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf /etc/sysctl.d/99-sysctl.conf: net.ipv6.conf.default.accept_redirects = 0 If "net.ipv6.conf.default.accept_redirects" is not set to "0", is missing or commented out, this is a finding. If conflicting results are returned, this is a finding.
Configure RHEL 8 to prevent IPv6 ICMP redirect messages from being accepted. Add or edit the following line in a system configuration file, in the "/etc/sysctl.d/" directory: net.ipv6.conf.default.accept_redirects = 0 Remove any configurations that conflict with the above from the following locations: /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf Load settings from all system configuration files with the following command: $ sudo sysctl --system
Verify RHEL 8 does not IPv4 ICMP redirect messages. Check the value of the "all send_redirects" variables with the following command: $ sudo sysctl net.ipv4.conf.all.send_redirects net.ipv4.conf.all.send_redirects = 0 If the returned line does not have a value of "0", or a line is not returned, this is a finding. Check that the configuration files are present to enable this network parameter. $ sudo grep -r net.ipv4.conf.all.send_redirects /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf /etc/sysctl.d/99-sysctl.conf: net.ipv4.conf.all.send_redirects = 0 If "net.ipv4.conf.all.send_redirects" is not set to "0", is missing or commented out, this is a finding. If conflicting results are returned, this is a finding.
Configure RHEL 8 to not allow interfaces to perform IPv4 ICMP redirects. Add or edit the following line in a system configuration file, in the "/etc/sysctl.d/" directory: net.ipv4.conf.all.send_redirects=0 Remove any configurations that conflict with the above from the following locations: /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf Load settings from all system configuration files with the following command: $ sudo sysctl --system
Verify RHEL 8 does not respond to ICMP echoes sent to a broadcast address. Check the value of the "icmp_echo_ignore_broadcasts" variable with the following command: $ sudo sysctl net.ipv4.icmp_echo_ignore_broadcasts net.ipv4.icmp_echo_ignore_broadcasts = 1 If the returned line does not have a value of "1", a line is not returned, or the retuned line is commented out, this is a finding. Check that the configuration files are present to enable this network parameter. $ sudo grep -r net.ipv4.icmp_echo_ignore_broadcasts /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf /etc/sysctl.d/99-sysctl.conf: net.ipv4.icmp_echo_ignore_broadcasts = 1 If "net.ipv4.icmp_echo_ignore_broadcasts" is not set to "1", is missing or commented out, this is a finding. If conflicting results are returned, this is a finding.
Configure RHEL 8 to not respond to IPv4 ICMP echoes sent to a broadcast address. Add or edit the following line in a system configuration file, in the "/etc/sysctl.d/" directory: net.ipv4.icmp_echo_ignore_broadcasts=1 Remove any configurations that conflict with the above from the following locations: /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf Load settings from all system configuration files with the following command: $ sudo sysctl --system
Verify RHEL 8 does not accept IPv6 source-routed packets. Note: If IPv6 is disabled on the system, this requirement is Not Applicable. Check the value of the accept source route variable with the following command: $ sudo sysctl net.ipv6.conf.all.accept_source_route net.ipv6.conf.all.accept_source_route = 0 If the returned line does not have a value of "0", a line is not returned, or the line is commented out, this is a finding. Check that the configuration files are present to enable this network parameter. $ sudo grep -r net.ipv6.conf.all.accept_source_route /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf /etc/sysctl.d/99-sysctl.conf: net.ipv6.conf.all.accept_source_route = 0 If "net.ipv6.conf.all.accept_source_route" is not set to "0", is missing or commented out, this is a finding. If conflicting results are returned, this is a finding.
Configure RHEL 8 to not forward IPv6 source-routed packets. Add or edit the following line in a system configuration file, in the "/etc/sysctl.d/" directory: net.ipv6.conf.all.accept_source_route=0 Remove any configurations that conflict with the above from the following locations: /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf Load settings from all system configuration files with the following command: $ sudo sysctl --system
Verify RHEL 8 does not accept IPv6 source-routed packets by default. Note: If IPv6 is disabled on the system, this requirement is Not Applicable. Check the value of the accept source route variable with the following command: $ sudo sysctl net.ipv6.conf.default.accept_source_route net.ipv6.conf.default.accept_source_route = 0 If the returned line does not have a value of "0", a line is not returned, or the line is commented out, this is a finding. Check that the configuration files are present to enable this network parameter. $ sudo grep -r net.ipv6.conf.default.accept_source_route /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf /etc/sysctl.d/99-sysctl.conf: net.ipv6.conf.default.accept_source_route = 0 If "net.ipv6.conf.default.accept_source_route" is not set to "0", is missing or commented out, this is a finding. If conflicting results are returned, this is a finding.
Configure RHEL 8 to not forward IPv6 source-routed packets by default. Add or edit the following line in a system configuration file, in the "/etc/sysctl.d/" directory: net.ipv6.conf.default.accept_source_route=0 Remove any configurations that conflict with the above from the following locations: /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf Load settings from all system configuration files with the following command: $ sudo sysctl --system
Verify RHEL 8 is not performing IPv6 packet forwarding, unless the system is a router. Note: If IPv6 is disabled on the system, this requirement is Not Applicable. Check that IPv6 forwarding is disabled using the following commands: $ sudo sysctl net.ipv6.conf.all.forwarding net.ipv6.conf.all.forwarding = 0 If the IPv6 forwarding value is not "0" and is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding. Check that the configuration files are present to enable this network parameter. $ sudo grep -r net.ipv6.conf.all.forwarding /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf /etc/sysctl.d/99-sysctl.conf: net.ipv6.conf.all.forwarding = 0 If "net.ipv6.conf.all.forwarding" is not set to "0", is missing or commented out, this is a finding. If conflicting results are returned, this is a finding.
Configure RHEL 8 to not allow IPv6 packet forwarding, unless the system is a router. Add or edit the following line in a system configuration file, in the "/etc/sysctl.d/" directory: net.ipv6.conf.all.forwarding=0 Remove any configurations that conflict with the above from the following locations: /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf Load settings from all system configuration files with the following command: $ sudo sysctl --system
Verify RHEL 8 does not accept router advertisements on all IPv6 interfaces, unless the system is a router. Note: If IPv6 is disabled on the system, this requirement is not applicable. Check to see if router advertisements are not accepted by using the following command: $ sudo sysctl net.ipv6.conf.all.accept_ra net.ipv6.conf.all.accept_ra = 0 If the "accept_ra" value is not "0" and is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding. Check that the configuration files are present to enable this network parameter. $ sudo grep -r net.ipv6.conf.all.accept_ra /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf /etc/sysctl.d/99-sysctl.conf: net.ipv6.conf.all.accept_ra = 0 If "net.ipv6.conf.all.accept_ra" is not set to "0", is missing or commented out, this is a finding. If conflicting results are returned, this is a finding.
Configure RHEL 8 to not accept router advertisements on all IPv6 interfaces unless the system is a router. Add or edit the following line in a system configuration file, in the "/etc/sysctl.d/" directory: net.ipv6.conf.all.accept_ra=0 Remove any configurations that conflict with the above from the following locations: /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf Load settings from all system configuration files with the following command: $ sudo sysctl --system
Verify RHEL 8 does not accept router advertisements on all IPv6 interfaces by default, unless the system is a router. Note: If IPv6 is disabled on the system, this requirement is not applicable. Check to see if router advertisements are not accepted by default by using the following command: $ sudo sysctl net.ipv6.conf.default.accept_ra net.ipv6.conf.default.accept_ra = 0 If the "accept_ra" value is not "0" and is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding. Check that the configuration files are present to enable this network parameter. $ sudo grep -r net.ipv6.conf.default.accept_ra /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf /etc/sysctl.d/99-sysctl.conf: net.ipv6.conf.default.accept_ra = 0 If "net.ipv6.conf.default.accept_ra" is not set to "0", is missing or commented out, this is a finding. If conflicting results are returned, this is a finding.
Configure RHEL 8 to not accept router advertisements on all IPv6 interfaces by default unless the system is a router. Add or edit the following line in a system configuration file, in the "/etc/sysctl.d/" directory: net.ipv6.conf.default.accept_ra=0 Remove any configurations that conflict with the above from the following locations: /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf Load settings from all system configuration files with the following command: $ sudo sysctl --system
Verify RHEL 8 does not allow interfaces to perform Internet Protocol version 4 (IPv4) ICMP redirects by default. Check the value of the "default send_redirects" variables with the following command: $ sudo sysctl net.ipv4.conf.default.send_redirects net.ipv4.conf.default.send_redirects=0 If the returned line does not have a value of "0", or a line is not returned, this is a finding. Check that the configuration files are present to enable this network parameter. $ sudo grep -r net.ipv4.conf.default.send_redirects /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf /etc/sysctl.d/99-sysctl.conf: net.ipv4.conf.default.send_redirects = 0 If "net.ipv4.conf.default.send_redirects" is not set to "0", is missing or commented out, this is a finding. If conflicting results are returned, this is a finding.
Configure RHEL 8 to not allow interfaces to perform Internet Protocol version 4 (IPv4) ICMP redirects by default. Add or edit the following line in a system configuration file, in the "/etc/sysctl.d/" directory: net.ipv4.conf.default.send_redirects = 0 Remove any configurations that conflict with the above from the following locations: /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf Load settings from all system configuration files with the following command: $ sudo sysctl --system
Verify RHEL 8 ignores IPv6 ICMP redirect messages. Note: If IPv6 is disabled on the system, this requirement is Not Applicable. Check the value of the "accept_redirects" variables with the following command: $ sudo sysctl net.ipv6.conf.all.accept_redirects net.ipv6.conf.all.accept_redirects = 0 If the returned line does not have a value of "0", a line is not returned, or the line is commented out, this is a finding. Check that the configuration files are present to enable this network parameter. $ sudo grep -r net.ipv6.conf.all.accept_redirects /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf /etc/sysctl.d/99-sysctl.conf: net.ipv6.conf.all.accept_redirects = 0 If "net.ipv6.conf.all.accept_redirects" is not set to "0", is missing or commented out, this is a finding. If conflicting results are returned, this is a finding.
Configure RHEL 8 to ignore IPv6 ICMP redirect messages. Add or edit the following line in a system configuration file, in the "/etc/sysctl.d/" directory: net.ipv6.conf.all.accept_redirects = 0 Remove any configurations that conflict with the above from the following locations: /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf Load settings from all system configuration files with the following command: $ sudo sysctl --system
Verify RHEL 8 prevents privilege escalation thru the kernel by disabling access to the bpf syscall with the following commands: $ sudo sysctl kernel.unprivileged_bpf_disabled kernel.unprivileged_bpf_disabled = 1 If the returned line does not have a value of "1", or a line is not returned, this is a finding. Check that the configuration files are present to enable this network parameter. $ sudo grep -r kernel.unprivileged_bpf_disabled /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf /etc/sysctl.d/99-sysctl.conf: kernel.unprivileged_bpf_disabled = 1 If "kernel.unprivileged_bpf_disabled" is not set to "1", is missing or commented out, this is a finding. If conflicting results are returned, this is a finding.
Configure RHEL 8 to prevent privilege escalation thru the kernel by disabling access to the bpf syscall by adding the following line to a file, in the "/etc/sysctl.d" directory: kernel.unprivileged_bpf_disabled = 1 Remove any configurations that conflict with the above from the following locations: /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf The system configuration files need to be reloaded for the changes to take effect. To reload the contents of the files, run the following command: $ sudo sysctl --system
Verify RHEL 8 restricts usage of ptrace to descendant processes with the following commands: $ sudo sysctl kernel.yama.ptrace_scope kernel.yama.ptrace_scope = 1 If the returned line does not have a value of "1", or a line is not returned, this is a finding. Check that the configuration files are present to enable this network parameter. $ sudo grep -r kernel.yama.ptrace_scope /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf /etc/sysctl.d/99-sysctl.conf: kernel.yama.ptrace_scope = 1 If "kernel.yama.ptrace_scope" is not set to "1", is missing or commented out, this is a finding. If conflicting results are returned, this is a finding.
Configure RHEL 8 to restrict usage of ptrace to descendant processes by adding the following line to a file, in the "/etc/sysctl.d" directory: kernel.yama.ptrace_scope = 1 Remove any configurations that conflict with the above from the following locations: /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf The system configuration files need to be reloaded for the changes to take effect. To reload the contents of the files, run the following command: $ sudo sysctl --system
Verify RHEL 8 restricts exposed kernel pointer addresses access with the following commands: $ sudo sysctl kernel.kptr_restrict kernel.kptr_restrict = 1 If the returned line does not have a value of "1" or "2", or a line is not returned, this is a finding. Check that the configuration files are present to enable this network parameter. $ sudo grep -r kernel.kptr_restrict /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf /etc/sysctl.d/99-sysctl.conf: kernel.kptr_restrict = 1 If "kernel.kptr_restrict" is not set to "1" or "2", is missing or commented out, this is a finding. If conflicting results are returned, this is a finding.
Configure RHEL 8 to restrict exposed kernel pointer addresses access by adding the following line to a file, in the "/etc/sysctl.d" directory: kernel.kptr_restrict = 1 Remove any configurations that conflict with the above from the following locations: /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf The system configuration files need to be reloaded for the changes to take effect. To reload the contents of the files, run the following command: $ sudo sysctl --system
Verify RHEL 8 disables the use of user namespaces with the following commands: $ sudo sysctl user.max_user_namespaces user.max_user_namespaces = 0 If the returned line does not have a value of "0", or a line is not returned, this is a finding. Check that the configuration files are present to enable this network parameter. $ sudo grep -r user.max_user_namespaces /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf /etc/sysctl.d/99-sysctl.conf: user.max_user_namespaces = 0 If "user.max_user_namespaces" is not set to "0", is missing or commented out, this is a finding. If conflicting results are returned, this is a finding. If the use of namespaces is operationally required and documented with the ISSM, it is not a finding.
Configure RHEL 8 to disable the use of user namespaces by adding the following line to a file, in the "/etc/sysctl.d" directory: user.max_user_namespaces = 0 Remove any configurations that conflict with the above from the following locations: /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf The system configuration files need to be reloaded for the changes to take effect. To reload the contents of the files, run the following command: $ sudo sysctl --system
Verify RHEL 8 uses reverse path filtering on all IPv4 interfaces with the following commands: $ sudo sysctl net.ipv4.conf.all.rp_filter net.ipv4.conf.all.rp_filter = 1 If the returned line does not have a value of "1" or "2", or a line is not returned, this is a finding. Check that the configuration files are present to enable this network parameter. $ sudo grep -r net.ipv4.conf.all.rp_filter /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf /etc/sysctl.d/99-sysctl.conf: net.ipv4.conf.all.rp_filter = 1 If "net.ipv4.conf.all.rp_filter" is not set to "1" or "2", is missing or commented out, this is a finding. If conflicting results are returned, this is a finding.
Configure RHEL 8 to use reverse path filtering on all IPv4 interfaces by adding the following line to a file, in the "/etc/sysctl.d" directory: net.ipv4.conf.all.rp_filter = 1 Remove any configurations that conflict with the above from the following locations: /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf The system configuration files need to be reloaded for the changes to take effect. To reload the contents of the files, run the following command: $ sudo sysctl --system
Verify the system is configured to prevent unrestricted mail relaying. Determine if "postfix" is installed with the following commands: $ sudo yum list installed postfix postfix.x86_64 2:3.3.1-9.el8 If postfix is not installed, this is Not Applicable. If postfix is installed, determine if it is configured to reject connections from unknown or untrusted networks with the following command: $ sudo postconf -n smtpd_client_restrictions smtpd_client_restrictions = permit_mynetworks, reject If the "smtpd_client_restrictions" parameter contains any entries other than "permit_mynetworks" and "reject", this is a finding.
If "postfix" is installed, modify the "/etc/postfix/main.cf" file to restrict client connections to the local network with the following command: $ sudo postconf -e 'smtpd_client_restrictions = permit_mynetworks,reject'
Verify the file integrity tool is configured to verify extended attributes. If AIDE is not installed, ask the System Administrator how file integrity checks are performed on the system. Note: AIDE is highly configurable at install time. This requirement assumes the "aide.conf" file is under the "/etc" directory. Use the following command to determine if the file is in another location: $ sudo find / -name aide.conf Check the "aide.conf" file to determine if the "xattrs" rule has been added to the rule list being applied to the files and directories selection lists. An example rule that includes the "xattrs" rule follows: All= p+i+n+u+g+s+m+S+sha512+acl+xattrs+selinux /bin All # apply the custom rule to the files in bin /sbin All # apply the same custom rule to the files in sbin If the "xattrs" rule is not being used on all uncommented selection lines in the "/etc/aide.conf" file, or extended attributes are not being checked by another file integrity tool, this is a finding.
Configure the file integrity tool to check file and directory extended attributes. If AIDE is installed, ensure the "xattrs" rule is present on all uncommented file and directory selection lists.
Verify the file integrity tool is configured to verify ACLs. Note: AIDE is highly configurable at install time. This requirement assumes the "aide.conf" file is under the "/etc" directory. If AIDE is not installed, ask the System Administrator how file integrity checks are performed on the system. Use the following command to determine if the file is in a location other than "/etc/aide/aide.conf": $ sudo find / -name aide.conf Check the "aide.conf" file to determine if the "acl" rule has been added to the rule list being applied to the files and directories selection lists with the following command: $ sudo grep -E "[+]?acl" /etc/aide.conf VarFile = OwnerMode+n+l+X+acl If the "acl" rule is not being used on all selection lines in the "/etc/aide.conf" file, is commented out, or ACLs are not being checked by another file integrity tool, this is a finding.
Configure the file integrity tool to check file and directory ACLs. If AIDE is installed, ensure the "acl" rule is present on all file and directory selection lists.
Verify that a graphical user interface is not installed: $ rpm -qa | grep xorg | grep server Ask the System Administrator if use of a graphical user interface is an operational requirement. If the use of a graphical user interface on the system is not documented with the ISSO, this is a finding.
Document the requirement for a graphical user interface with the ISSO or reinstall the operating system without the graphical user interface. If reinstallation is not feasible, then continue with the following procedure: Open an SSH session and enter the following commands: $ sudo yum remove xorg-x11-server-Xorg xorg-x11-server-common xorg-x11-server-utils xorg-x11-server-Xwayland A reboot is required for the changes to take effect.
Verify network interfaces are not in promiscuous mode unless approved by the ISSO and documented. Check for the status with the following command: $ sudo ip link | grep -i promisc If network interfaces are found on the system in promiscuous mode and their use has not been approved by the ISSO and documented, this is a finding.
Configure network interfaces to turn off promiscuous mode unless approved by the ISSO and documented. Set the promiscuous mode of an interface to off with the following command: $ sudo ip link set dev <devicename> multicast off promisc off
Verify X11Forwarding is disabled with the following command: $ sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\r' | tr '\n' ' ' | xargs sudo grep -iH '^\s*x11forwarding' X11Forwarding no If the "X11Forwarding" keyword is set to "yes" and is not documented with the information system security officer (ISSO) as an operational requirement or is missing, this is a finding. If conflicting results are returned, this is a finding.
Edit the "/etc/ssh/sshd_config" file to uncomment or add the line for the "X11Forwarding" keyword and set its value to "no" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor): X11Forwarding no The SSH service must be restarted for changes to take effect: $ sudo systemctl restart sshd
Verify the SSH daemon prevents remote hosts from connecting to the proxy display. Check the SSH X11UseLocalhost setting with the following command: $ sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\r' | tr '\n' ' ' | xargs sudo grep -iH '^\s*x11uselocalhost' X11UseLocalhost yes If the "X11UseLocalhost" keyword is set to "no", is missing, or is commented out, this is a finding. If conflicting results are returned, this is a finding.
Configure the SSH daemon to prevent remote hosts from connecting to the proxy display. Edit the "/etc/ssh/sshd_config" file to uncomment or add the line for the "X11UseLocalhost" keyword and set its value to "yes" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor): X11UseLocalhost yes
Verify the TFTP daemon is configured to operate in secure mode with the following commands: $ sudo yum list installed tftp-server tftp-server.x86_64 x.x-x.el8 If a TFTP server is not installed, this is Not Applicable. If a TFTP server is installed, check for the server arguments with the following command: $ sudo grep server_args /etc/xinetd.d/tftp server_args = -s /var/lib/tftpboot If the "server_args" line does not have a "-s" option, and a subdirectory is not assigned, this is a finding.
Configure the TFTP daemon to operate in secure mode by adding the following line to "/etc/xinetd.d/tftp" (or modify the line to have the required value): server_args = -s /var/lib/tftpboot
Verify an FTP server has not been installed on the system with the following commands: $ sudo yum list installed *ftpd* vsftpd.x86_64 3.0.3-28.el8 appstream If an FTP server is installed and is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.
Document the FTP server package with the ISSO as an operational requirement or remove it from the system with the following command: $ sudo yum remove vsftpd
Verify the gssproxy package has not been installed on the system with the following commands: $ sudo yum list installed gssproxy gssproxy.x86_64 0.8.0-14.el8 @anaconda If the gssproxy package is installed and is not documented with the information system security officer (ISSO) as an operational requirement, this is a finding. If NFS mounts are being used, this is not a finding.
Document the gssproxy package with the ISSO as an operational requirement or remove it from the system with the following command: $ sudo yum remove gssproxy
Verify the iprutils package has not been installed on the system with the following commands: $ sudo yum list installed iprutils iprutils.x86_64 2.4.18.1-1.el8 @anaconda If the iprutils package is installed and is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.
Document the iprutils package with the ISSO as an operational requirement or remove it from the system with the following command: $ sudo yum remove iprutils
Verify the tuned package has not been installed on the system with the following commands: $ sudo yum list installed tuned tuned.noarch 2.12.0-3.el8 @anaconda If the tuned package is installed and is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.
Document the tuned package with the ISSO as an operational requirement or remove it from the system with the following command: $ sudo yum remove tuned
Verify the krb5-server package has not been installed on the system with the following commands: If the system is a workstation or is utilizing krb5-server-1.17-18.el8.x86_64 or newer, this is Not Applicable $ sudo yum list installed krb5-server krb5-server.x86_64 1.17-9.el8 repository If the krb5-server package is installed and is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding.
Document the krb5-server package with the ISSO as an operational requirement or remove it from the system with the following command: $ sudo yum remove krb5-server
Verify the "sudoers" file restricts sudo access to authorized personnel. $ sudo grep -iw 'ALL' /etc/sudoers /etc/sudoers.d/* If the either of the following entries are returned, this is a finding: ALL ALL=(ALL) ALL ALL ALL=(ALL:ALL) ALL
Remove the following entries from the sudoers file: ALL ALL=(ALL) ALL ALL ALL=(ALL:ALL) ALL
Verify that the sudoers security policy is configured to use the invoking user's password for privilege escalation. $ sudo grep -Eir '(rootpw|targetpw|runaspw)' /etc/sudoers /etc/sudoers.d* | grep -v '#' /etc/sudoers:Defaults !targetpw /etc/sudoers:Defaults !rootpw /etc/sudoers:Defaults !runaspw If conflicting results are returned, this is a finding. If "Defaults !targetpw" is not defined, this is a finding. If "Defaults !rootpw" is not defined, this is a finding. If "Defaults !runaspw" is not defined, this is a finding.
Define the following in the Defaults section of the /etc/sudoers file or a configuration file in the /etc/sudoers.d/ directory: Defaults !targetpw Defaults !rootpw Defaults !runaspw Remove any configurations that conflict with the above from the following locations: /etc/sudoers /etc/sudoers.d/
Verify the operating system requires re-authentication when using the "sudo" command to elevate privileges. $ sudo grep -ir 'timestamp_timeout' /etc/sudoers /etc/sudoers.d /etc/sudoers:Defaults timestamp_timeout=0 If conflicting results are returned, this is a finding. If "timestamp_timeout" is set to a negative number, is commented out, or no results are returned, this is a finding.
Configure the "sudo" command to require re-authentication. Edit the /etc/sudoers file: $ sudo visudo Add or modify the following line: Defaults timestamp_timeout=[value] Note: The "[value]" must be a number that is greater than or equal to "0". Remove any duplicate or conflicting lines from /etc/sudoers and /etc/sudoers.d/ files.
Verify RHEL 8 displays a banner before granting access to the operating system via a graphical user logon. Note: This requirement assumes the use of the RHEL 8 default graphical user interface, Gnome Shell. If the system does not have any graphical user interface installed, this requirement is Not Applicable. Check to see if the operating system displays a banner at the logon screen with the following command: $ sudo grep banner-message-enable /etc/dconf/db/local.d/* banner-message-enable=true If "banner-message-enable" is set to "false" or is missing, this is a finding.
Configure the operating system to display a banner before granting access to the system. Note: If the system does not have a graphical user interface installed, this requirement is Not Applicable. Create a database to contain the system-wide graphical user logon settings (if it does not already exist) with the following command: $ sudo touch /etc/dconf/db/local.d/01-banner-message Add the following lines to the [org/gnome/login-screen] section of the "/etc/dconf/db/local.d/01-banner-message": [org/gnome/login-screen] banner-message-enable=true Run the following command to update the database: $ sudo dconf update
For systems that use BIOS, this is Not Applicable. Verify that a unique name is set as the "superusers" account: $ sudo grep -iw "superusers" /boot/efi/EFI/redhat/grub.cfg set superusers="[someuniquestringhere]" export superusers If "superusers" is identical to any OS account name or is missing a name, this is a finding.
Configure the system to have a unique name for the grub superusers account. Edit the /etc/grub.d/01_users file and add or modify the following lines: set superusers="[someuniquestringhere]" export superusers password_pbkdf2 [someuniquestringhere] ${GRUB2_PASSWORD} Generate a new grub.cfg file with the following command: $ sudo grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg
For systems that use UEFI, this is Not Applicable. Verify that a unique name is set as the "superusers" account: $ sudo grep -iw "superusers" /boot/grub2/grub.cfg set superusers="[someuniquestringhere]" export superusers If "superusers" is identical to any OS account name or is missing a name, this is a finding.
Configure the system to have a unique name for the grub superusers account. Edit the /etc/grub.d/01_users file and add or modify the following lines: set superusers="[someuniquestringhere]" export superusers password_pbkdf2 [someuniquestringhere] ${GRUB2_PASSWORD} Generate a new grub.cfg file with the following command: $ sudo grub2-mkconfig -o /boot/grub2/grub.cfg
Check to see if the system requires authentication for emergency mode with the following command: $ sudo grep sulogin-shell /usr/lib/systemd/system/emergency.service ExecStart=-/usr/lib/systemd/systemd-sulogin-shell emergency If the "ExecStart" line is configured for anything other than "/usr/lib/systemd/systemd-sulogin-shell emergency", commented out, or missing, this is a finding.
Configure the system to require authentication upon booting into emergency mode by adding the following line to the "/usr/lib/systemd/system/emergency.service" file. ExecStart=-/usr/lib/systemd/systemd-sulogin-shell emergency
Verify that pam_unix.so module is configured to use sha512. Check that pam_unix.so module is configured to use sha512 in /etc/pam.d/system-auth with the following command: $ sudo grep password /etc/pam.d/system-auth | grep pam_unix password sufficient pam_unix.so sha512 If "sha512" is missing, or is commented out, this is a finding.
Configure RHEL 8 to use a FIPS 140-2 approved cryptographic hashing algorithm for system authentication. Edit/modify the following line in the "/etc/pam.d/system-auth" file to include the sha512 option for pam_unix.so: password sufficient pam_unix.so sha512
Verify the SSH server automatically terminates a user session after the SSH client has been unresponsive for 10 minutes. Check that the "ClientAliveInterval" variable is set to a value of "600" or less by performing the following command: $ sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\r' | tr '\n' ' ' | xargs sudo grep -iH '^\s*clientaliveinterval' ClientAliveInterval 600 If "ClientAliveInterval" does not exist, does not have a value of "600" or less in "/etc/ssh/sshd_config", or is commented out, this is a finding. If conflicting results are returned, this is a finding.
Note: This setting must be applied in conjunction with RHEL-08-010200 to function correctly. Configure the SSH server to terminate a user session automatically after the SSH client has been unresponsive for 10 minutes. Modify or append the following lines in the "/etc/ssh/sshd_config" file: ClientAliveInterval 600 For the changes to take effect, the SSH daemon must be restarted. $ sudo systemctl restart sshd.service
Verify that system-wide crypto policies are in effect: $ sudo grep CRYPTO_POLICY /etc/sysconfig/sshd # CRYPTO_POLICY= If the "CRYPTO_POLICY " is uncommented, this is a finding.
Configure the RHEL 8 SSH daemon to use system-wide crypto policies by adding the following line to /etc/sysconfig/sshd: # CRYPTO_POLICY= A reboot is required for the changes to take effect.
Note: For RHEL versions 8.4 and above running with kernel FIPS mode enabled as specified by RHEL-08-010020, this requirement is Not Applicable. Check that RHEL 8 has the packages required to enabled the hardware random number generator entropy gatherer service with the following command: $ sudo yum list installed rng-tools rng-tools.x86_64 6.8-3.el8 @anaconda If the "rng-tools" package is not installed, this is a finding.
Install the packages required to enabled the hardware random number generator entropy gatherer service with the following command: $ sudo yum install rng-tools
Verify the SSH daemon does not allow GSSAPI authentication with the following command: $ sudo /usr/sbin/sshd -dd 2>&1 | awk '/filename/ {print $4}' | tr -d '\r' | tr '\n' ' ' | xargs sudo grep -iH '^\s*gssapiauthentication' GSSAPIAuthentication no If the value is returned as "yes", the returned line is commented out, no output is returned, or has not been documented with the information system security officer (ISSO), this is a finding. If conflicting results are returned, this is a finding.
Configure the SSH daemon to not allow GSSAPI authentication. Add the following line in "/etc/ssh/sshd_config", or uncomment the line and set the value to "no": GSSAPIAuthentication no The SSH daemon must be restarted for the changes to take effect. To restart the SSH daemon, run the following command: $ sudo systemctl restart sshd.service
Verify that a separate file system has been created for "/var/tmp". Check that a file system has been created for "/var/tmp" with the following command: $ sudo grep /var/tmp /etc/fstab /dev/mapper/... /var/tmp xfs defaults,nodev,noexec,nosuid 0 0 If a separate entry for "/var/tmp" is not in use, this is a finding.
Migrate the "/var/tmp" path onto a separate file system.
For systems that use BIOS, this is Not Applicable. Verify the /boot/efi directory is mounted with the "nosuid" option with the following command: $ sudo mount | grep '\s/boot/efi\s' /dev/sda1 on /boot/efi type vfat (rw,nosuid,relatime,fmask=0077,dmask=0077,codepage=437,iocharset=ascii,shortname=winnt,errors=remount-ro) If the /boot/efi file system does not have the "nosuid" option set, this is a finding.
Configure the "/etc/fstab" to use the "nosuid" option on the /boot/efi directory.
Verify all files and directories contained in a local interactive user home directory, excluding local initialization files, have a mode of "0750". Files that begin with a "." are excluded from this requirement. Note: The example will be for the user "smithj", who has a home directory of "/home/smithj". $ sudo ls -lLR /home/smithj -rwxr-x--- 1 smithj smithj 18 Mar 5 17:06 file1 -rwxr----- 1 smithj smithj 193 Mar 5 17:06 file2 -rw-r-x--- 1 smithj smithj 231 Mar 5 17:06 file3 If any files or directories are found with a mode more permissive than "0750", this is a finding.
Set the mode on files and directories in the local interactive user home directory with the following command: Note: The example will be for the user smithj, who has a home directory of "/home/smithj" and is a member of the users group. $ sudo chmod 0750 /home/smithj/<file or directory>
Verify all files and directories in a local interactive user home directory are group-owned by a group that the user is a member. Check the group owner of all files and directories in a local interactive user's home directory with the following command: Note: The example will be for the user "smithj", who has a home directory of "/home/smithj". $ sudo ls -lLR /<home directory>/<users home directory>/ -rw-r--r-- 1 smithj smithj 18 Mar 5 17:06 file1 -rw-r--r-- 1 smithj smithj 193 Mar 5 17:06 file2 -rw-r--r-- 1 smithj sa 231 Mar 5 17:06 file3 If any files found with a group-owner different from the home directory user private group, check to see if the user is a member of that group with the following command: $ sudo grep smithj /etc/group sa:x:100:juan,shelley,bob,smithj smithj:x:521:smithj If any files or directories are group owned by a group that the directory owner is not a member of, this is a finding.
Change the group of a local interactive user's files and directories to a group that the interactive user is a member. To change the group owner of a local interactive user's files and directories, use the following command: Note: The example will be for the user smithj, who has a home directory of "/home/smithj" and is a member of the users group. $ sudo chgrp smithj /home/smithj/<file or directory>
Note: This check applies to RHEL versions 8.2 or newer, if the system is RHEL version 8.0 or 8.1, this check is not applicable. Verify the pam_faillock.so module is present in the "/etc/pam.d/system-auth" file: $ sudo grep pam_faillock.so /etc/pam.d/system-auth auth required pam_faillock.so preauth auth required pam_faillock.so authfail account required pam_faillock.so If the pam_faillock.so module is not present in the "/etc/pam.d/system-auth" file with the "preauth" line listed before pam_unix.so, this is a finding.
Configure the operating system to include the use of the pam_faillock.so module in the /etc/pam.d/system-auth file. Add/Modify the appropriate sections of the "/etc/pam.d/system-auth" file to match the following lines: Note: The "preauth" line must be listed before pam_unix.so. auth required pam_faillock.so preauth auth required pam_faillock.so authfail account required pam_faillock.so
Note: This check applies to RHEL versions 8.2 or newer, if the system is RHEL version 8.0 or 8.1, this check is not applicable. Verify the pam_faillock.so module is present in the "/etc/pam.d/password-auth" file: $ sudo grep pam_faillock.so /etc/pam.d/password-auth auth required pam_faillock.so preauth auth required pam_faillock.so authfail account required pam_faillock.so If the pam_faillock.so module is not present in the "/etc/pam.d/password-auth" file with the "preauth" line listed before pam_unix.so, this is a finding.
Configure the operating system to include the use of the pam_faillock.so module in the /etc/pam.d/password-auth file. Add/Modify the appropriate sections of the "/etc/pam.d/password-auth" file to match the following lines: Note: The "preauth" line must be listed before pam_unix.so. auth required pam_faillock.so preauth auth required pam_faillock.so authfail account required pam_faillock.so
Verify the operating system initiates a session lock a for graphical user interfaces when the screensaver is activated with the following command: Note: This requirement assumes the use of the RHEL 8 default graphical user interface, Gnome Shell. If the system does not have any graphical user interface installed, this requirement is Not Applicable. $ sudo gsettings get org.gnome.desktop.screensaver lock-delay uint32 5 If the "uint32" setting is missing, or is not set to "5" or less, this is a finding.
Configure the operating system to initiate a session lock for graphical user interfaces when a screensaver is activated. Create a database to contain the system-wide screensaver settings (if it does not already exist) with the following command: Note: The example below is using the database "local" for the system, so if the system is using another database in "/etc/dconf/profile/user", the file should be created under the appropriate subdirectory. $ sudo touch /etc/dconf/db/local.d/00-screensaver [org/gnome/desktop/screensaver] lock-delay=uint32 5 The "uint32" must be included along with the integer key values as shown. Update the system databases: $ sudo dconf update
Verify the operating system disables the user logon list for graphical user interfaces with the following command: Note: This requirement assumes the use of the RHEL 8 default graphical user interface, Gnome Shell. If the system does not have any graphical user interface installed, this requirement is Not Applicable. $ sudo gsettings get org.gnome.login-screen disable-user-list true If the setting is "false", this is a finding.
Configure the operating system to disable the user list at logon for graphical user interfaces. Create a database to contain the system-wide screensaver settings (if it does not already exist) with the following command: Note: The example below is using the database "local" for the system, so if the system is using another database in "/etc/dconf/profile/user", the file should be created under the appropriate subdirectory. $ sudo touch /etc/dconf/db/local.d/02-login-screen [org/gnome/login-screen] disable-user-list=true Update the system databases: $ sudo dconf update
Verify the operating system prevents a user from overriding settings for graphical user interfaces. Note: This requirement assumes the use of the RHEL 8 default graphical user interface, Gnome Shell. If the system does not have any graphical user interface installed, this requirement is Not Applicable. Determine which profile the system database is using with the following command: $ sudo grep system-db /etc/dconf/profile/user system-db:local Check that graphical settings are locked from non-privileged user modification with the following command: Note: The example below is using the database "local" for the system, so the path is "/etc/dconf/db/local.d". This path must be modified if a database other than "local" is being used. $ sudo grep -i idle /etc/dconf/db/local.d/locks/* /org/gnome/desktop/session/idle-delay If the command does not return at least the example result, this is a finding.
Configure the operating system to prevent a user from overriding settings for graphical user interfaces. Create a database to contain the system-wide screensaver settings (if it does not already exist) with the following command: Note: The example below is using the database "local" for the system, so if the system is using another database in "/etc/dconf/profile/user", the file should be created under the appropriate subdirectory. $ sudo touch /etc/dconf/db/local.d/locks/session Add the following setting to prevent non-privileged users from modifying it: /org/gnome/desktop/session/idle-delay
Verify the operating system prevents a user from overriding settings for graphical user interfaces. Note: This requirement assumes the use of the RHEL 8 default graphical user interface, Gnome Shell. If the system does not have any graphical user interface installed, this requirement is Not Applicable. Determine which profile the system database is using with the following command: $ sudo grep system-db /etc/dconf/profile/user system-db:local Check that graphical settings are locked from non-privileged user modification with the following command: Note: The example below is using the database "local" for the system, so the path is "/etc/dconf/db/local.d". This path must be modified if a database other than "local" is being used. $ sudo grep -i lock-enabled /etc/dconf/db/local.d/locks/* /org/gnome/desktop/screensaver/lock-enabled If the command does not return at least the example result, this is a finding.
Configure the operating system to prevent a user from overriding settings for graphical user interfaces. Create a database to contain the system-wide screensaver settings (if it does not already exist) with the following command: Note: The example below is using the database "local" for the system, so if the system is using another database in "/etc/dconf/profile/user", the file should be created under the appropriate subdirectory. $ sudo touch /etc/dconf/db/local.d/locks/session Add the following setting to prevent non-privileged users from modifying it: /org/gnome/desktop/screensaver/lock-enabled
To verify that null passwords cannot be used, run the following command: $ sudo grep -i nullok /etc/pam.d/password-auth If output is produced, this is a finding.
Remove any instances of the "nullok" option in the "/etc/pam.d/password-auth" file to prevent logons with empty passwords. Note: Manual changes to the listed file may be overwritten by the "authselect" program.
Verify the audit service is configured to produce audit records with the following command: $ sudo systemctl status auditd.service auditd.service - Security Auditing Service Loaded:loaded (/usr/lib/systemd/system/auditd.service; enabled; vendor preset: enabled) Active: active (running) since Tues 2020-12-11 12:56:56 EST; 4 weeks 0 days ago If the audit service is not "active" and "running", this is a finding.
Configure the audit service to produce audit records containing the information needed to establish when (date and time) an event occurred with the following commands: $ sudo systemctl enable auditd.service $ sudo systemctl start auditd.service
Verify RHEL 8 notifies the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity with the following command: $ sudo grep -w space_left_action /etc/audit/auditd.conf space_left_action = email If the value of the "space_left_action" is not set to "email", or if the line is commented out, ask the System Administrator to indicate how the system is providing real-time alerts to the SA and ISSO. If there is no evidence that real-time alerts are configured on the system, this is a finding.
Configure the operating system to initiate an action to notify the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity by adding/modifying the following line in the /etc/audit/auditd.conf file. space_left_action = email Note: Option names and values in the auditd.conf file are case insensitive.
Verify that "firewalld" is active with the following commands: $ sudo systemctl is-active firewalld active If the "firewalld" package is not "active", ask the System Administrator if another firewall is installed. If no firewall is installed and active this is a finding.
Configure "firewalld" to protect the operating system with the following command: $ sudo systemctl enable firewalld
Verify the RHEL 8 "fapolicyd" is enabled and running with the following command: $ sudo systemctl status fapolicyd.service fapolicyd.service - File Access Policy Daemon Loaded: loaded (/usr/lib/systemd/system/fapolicyd.service; enabled; vendor preset: disabled) Active: active (running) If fapolicyd is not enabled and running, this is a finding.
Enable "fapolicyd" using the following command: $ sudo systemctl enable --now fapolicyd
Verify the RHEL 8 "fapolicyd" employs a deny-all, permit-by-exception policy. Check that "fapolicyd" is in enforcement mode with the following command: $ sudo grep permissive /etc/fapolicyd/fapolicyd.conf permissive = 0 Check that fapolicyd employs a deny-all policy on system mounts with the following commands: For RHEL 8.4 systems and older: $ sudo tail /etc/fapolicyd/fapolicyd.rules For RHEL 8.5 systems and newer: $ sudo tail /etc/fapolicyd/compiled.rules allow exe=/usr/bin/python3.7 : ftype=text/x-python deny_audit perm=any pattern=ld_so : all deny perm=any all : all If fapolicyd is not running in enforcement mode with a deny-all, permit-by-exception policy, this is a finding.
Configure RHEL 8 to employ a deny-all, permit-by-exception application whitelisting policy with "fapolicyd". With the "fapolicyd" installed and enabled, configure the daemon to function in permissive mode until the whitelist is built correctly to avoid system lockout. Do this by editing the "/etc/fapolicyd/fapolicyd.conf" file with the following line: permissive = 1 For RHEL 8.4 systems and older: Build the whitelist in the "/etc/fapolicyd/fapolicyd.rules" file ensuring the last rule is "deny perm=any all : all". For RHEL 8.5 systems and newer: Build the whitelist in a file within the "/etc/fapolicyd/rules.d" directory ensuring the last rule is "deny perm=any all : all". Once it is determined the whitelist is built correctly, set the fapolicyd to enforcing mode by editing the "permissive" line in the /etc/fapolicyd/fapolicyd.conf file. permissive = 0
Verify USBGuard is installed on the operating system with the following command: $ sudo yum list installed usbguard Installed Packages usbguard.x86_64 0.7.8-7.el8 @ol8_appstream If the USBGuard package is not installed, ask the SA to indicate how unauthorized peripherals are being blocked. If there is no evidence that unauthorized peripherals are being blocked before establishing a connection, this is a finding. If the system is a virtual machine with no virtual or physical USB peripherals attached, this is not a finding.
Install the USBGuard package with the following command: $ sudo yum install usbguard.x86_64
Verify the operating system has enabled the use of the USBGuard with the following command: $ sudo systemctl status usbguard.service usbguard.service - USBGuard daemon Loaded: loaded (/usr/lib/systemd/system/usbguard.service; enabled; vendor preset: disabled) Active: active (running) If the usbguard.service is not enabled and active, ask the SA to indicate how unauthorized peripherals are being blocked. If there is no evidence that unauthorized peripherals are being blocked before establishing a connection, this is a finding. If the USBGuard package is not installed, ask the SA to indicate how unauthorized peripherals are being blocked. If there is no evidence that unauthorized peripherals are being blocked before establishing a connection, this is a finding. If the system is a virtual machine with no virtual or physical USB peripherals attached, this is not a finding.
Configure the operating system to enable the blocking of unauthorized peripherals with the following commands: $ sudo systemctl enable usbguard.service $ sudo systemctl start usbguard.service Note: Enabling and starting usbguard without properly configuring it for an individual system will immediately prevent any access over a usb device such as a keyboard or mouse
Verify SSH is installed with the following command: $ sudo yum list installed openssh-server openssh-server.x86_64 8.0p1-5.el8 @anaconda If the "SSH server" package is not installed, this is a finding.
Install SSH packages onto the host with the following command: $ sudo yum install openssh-server.x86_64
Verify RHEL 8 will not accept IPv4 ICMP redirect messages. Check the value of the default "accept_redirects" variables with the following command: $ sudo sysctl net.ipv4.conf.default.accept_redirects net.ipv4.conf.default.accept_redirects = 0 If the returned line does not have a value of "0", a line is not returned, or the line is commented out, this is a finding. Check that the configuration files are present to enable this network parameter. $ sudo grep -r net.ipv4.conf.default.accept_redirects /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf /etc/sysctl.d/99-sysctl.conf: net.ipv4.conf.default.accept_redirects = 0 If "net.ipv4.conf.default.accept_redirects" is not set to "0", is missing or commented out, this is a finding. If conflicting results are returned, this is a finding.
Configure RHEL 8 to prevent IPv4 ICMP redirect messages from being accepted. Add or edit the following line in a system configuration file, in the "/etc/sysctl.d/" directory: net.ipv4.conf.default.accept_redirects = 0 Remove any configurations that conflict with the above from the following locations: /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf Load settings from all system configuration files with the following command: $ sudo sysctl --system
Verify RHEL 8 does not accept IPv4 source-routed packets. Check the value of the accept source route variable with the following command: $ sudo sysctl net.ipv4.conf.all.accept_source_route net.ipv4.conf.all.accept_source_route = 0 If the returned line does not have a value of "0", a line is not returned, or the line is commented out, this is a finding. Check that the configuration files are present to enable this network parameter. $ sudo grep -r net.ipv4.conf.all.accept_source_route /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf /etc/sysctl.d/99-sysctl.conf: net.ipv4.conf.all.accept_source_route = 0 If "net.ipv4.conf.all.accept_source_route" is not set to "0", is missing or commented out, this is a finding. If conflicting results are returned, this is a finding.
Configure RHEL 8 to not forward IPv4 source-routed packets. Add or edit the following line in a system configuration file, in the "/etc/sysctl.d/" directory: net.ipv4.conf.all.accept_source_route=0 Remove any configurations that conflict with the above from the following locations: /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf Load settings from all system configuration files with the following command: $ sudo sysctl --system
Verify RHEL 8 does not accept IPv4 source-routed packets by default. Check the value of the accept source route variable with the following command: $ sudo sysctl net.ipv4.conf.default.accept_source_route net.ipv4.conf.default.accept_source_route = 0 If the returned line does not have a value of "0", a line is not returned, or the line is commented out, this is a finding. Check that the configuration files are present to enable this network parameter. $ sudo grep -r net.ipv4.conf.default.accept_source_route /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf /etc/sysctl.d/99-sysctl.conf: net.ipv4.conf.default.accept_source_route = 0 If "net.ipv4.conf.default.accept_source_route" is not set to "0", is missing or commented out, this is a finding. If conflicting results are returned, this is a finding.
Configure RHEL 8 to not forward IPv4 source-routed packets by default. Add or edit the following line in a system configuration file, in the "/etc/sysctl.d/" directory: net.ipv4.conf.default.accept_source_route=0 Remove any configurations that conflict with the above from the following locations: /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf Load settings from all system configuration files with the following command: $ sudo sysctl --system
Verify RHEL 8 ignores IPv4 ICMP redirect messages. Check the value of the "accept_redirects" variables with the following command: $ sudo sysctl net.ipv4.conf.all.accept_redirects net.ipv4.conf.all.accept_redirects = 0 If the returned line does not have a value of "0", a line is not returned, or the line is commented out, this is a finding. Check that the configuration files are present to enable this network parameter. $ sudo grep -r net.ipv4.conf.all.accept_redirects /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf /etc/sysctl.d/99-sysctl.conf: net.ipv4.conf.all.accept_redirects = 0 If "net.ipv4.conf.all.accept_redirects" is not set to "0", is missing or commented out, this is a finding. If conflicting results are returned, this is a finding.
Configure RHEL 8 to ignore IPv4 ICMP redirect messages. Add or edit the following line in a system configuration file, in the "/etc/sysctl.d/" directory: net.ipv4.conf.all.accept_redirects = 0 Remove any configurations that conflict with the above from the following locations: /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf Load settings from all system configuration files with the following command: $ sudo sysctl --system
Verify RHEL 8 enables hardening for the BPF JIT with the following commands: $ sudo sysctl net.core.bpf_jit_harden net.core.bpf_jit_harden = 2 If the returned line does not have a value of "2", or a line is not returned, this is a finding. Check that the configuration files are present to enable this network parameter. $ sudo grep -r net.core.bpf_jit_harden /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf /etc/sysctl.d/99-sysctl.conf: net.core.bpf_jit_harden = 2 If "net.core.bpf_jit_harden" is not set to "2", is missing or commented out, this is a finding. If conflicting results are returned, this is a finding.
Configure RHEL 8 to enable hardening for the BPF JIT compiler by adding the following line to a file, in the "/etc/sysctl.d" directory: net.core.bpf_jit_harden = 2 Remove any configurations that conflict with the above from the following locations: /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf The system configuration files need to be reloaded for the changes to take effect. To reload the contents of the files, run the following command: $ sudo sysctl --system
If the system does not have SELinux enabled and enforcing a targeted policy, or if the pam_faillock module is not configured for use, this requirement is not applicable. Note: This check applies to RHEL versions 8.2 or newer. If the system is RHEL version 8.0 or 8.1, this check is not applicable. Verify the location of the non-default tally directory for the pam_faillock module with the following command: $ sudo grep -w dir /etc/security/faillock.conf dir = /var/log/faillock Check the security context type of the non-default tally directory with the following command: $ sudo ls -Zd /var/log/faillock unconfined_u:object_r:faillog_t:s0 /var/log/faillock If the security context type of the non-default tally directory is not "faillog_t", this is a finding.
Configure RHEL 8 to allow the use of a non-default faillock tally directory while SELinux enforces a targeted policy. Create a non-default faillock tally directory (if it does not already exist) with the following example: $ sudo mkdir /var/log/faillock Update the /etc/selinux/targeted/contexts/files/file_contexts.local with "faillog_t" context type for the non-default faillock tally directory with the following command: $ sudo semanage fcontext -a -t faillog_t "/var/log/faillock(/.*)?" Next, update the context type of the non-default faillock directory/subdirectories and files with the following command: $ sudo restorecon -R -v /var/log/faillock
If the system does not have SELinux enabled and enforcing a targeted policy, or if the pam_faillock module is not configured for use, this requirement is not applicable. Note: This check applies to RHEL versions 8.0 and 8.1. If the system is RHEL version 8.2 or newer, this check is not applicable. Verify the location of the non-default tally directory for the pam_faillock module with the following command: $ sudo grep -w dir /etc/pam.d/password-auth auth required pam_faillock.so preauth dir=/var/log/faillock auth required pam_faillock.so authfail dir=/var/log/faillock Check the security context type of the non-default tally directory with the following command: $ sudo ls -Zd /var/log/faillock unconfined_u:object_r:faillog_t:s0 /var/log/faillock If the security context type of the non-default tally directory is not "faillog_t", this is a finding.
Configure RHEL 8 to allow the use of a non-default faillock tally directory while SELinux enforces a targeted policy. Update the /etc/selinux/targeted/contexts/files/file_contexts.local with "faillog_t" context type for the non-default faillock tally directory with the following command: $ sudo semanage fcontext -a -t faillog_t "/var/log/faillock(/.*)?" Next, update the context type of the non-default faillock directory/subdirectories and files with the following command: $ sudo restorecon -R -v /var/log/faillock
Verify RHEL 8 is not performing IPv4 packet forwarding, unless the system is a router. Check that IPv4 forwarding is disabled using the following command: $ sudo sysctl net.ipv4.conf.all.forwarding net.ipv4.conf.all.forwarding = 0 If the IPv4 forwarding value is not "0" and is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding. Check that the configuration files are present to enable this network parameter. $ sudo grep -r net.ipv4.conf.all.forwarding /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf /etc/sysctl.d/99-sysctl.conf: net.ipv4.conf.all.forwarding = 0 If "net.ipv4.conf.all.forwarding" is not set to "0", is missing or commented out, this is a finding. If conflicting results are returned, this is a finding.
Configure RHEL 8 to not allow IPv4 packet forwarding, unless the system is a router. Add or edit the following line in a system configuration file, in the "/etc/sysctl.d/" directory: net.ipv4.conf.all.forwarding=0 Remove any configurations that conflict with the above from the following locations: /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf Load settings from all system configuration files with the following command: $ sudo sysctl --system
Check the "/etc/shadow" file for blank passwords with the following command: $ sudo awk -F: '!$2 {print $1}' /etc/shadow If the command returns any results, this is a finding.
Configure all accounts on the system to have a password or lock the account with the following commands: Perform a password reset: $ sudo passwd [username] Lock an account: $ sudo passwd -l [username]
Verify the system-wide shared library directories within "/lib", "/lib64", "/usr/lib" and "/usr/lib64" have mode "755" or less permissive with the following command: $ sudo find /lib /lib64 /usr/lib /usr/lib64 -perm /022 -type d -exec stat -c "%n %a" '{}' \; If any system-wide shared library directories are found to be group-writable or world-writable, this is a finding.
Configure the library directories to be protected from unauthorized access. Run the following command, replacing "[DIRECTORY]" with any library directory with a mode more permissive than 755. $ sudo chmod 755 [DIRECTORY]
Verify the system-wide shared library directories are owned by "root" with the following command: $ sudo find /lib /lib64 /usr/lib /usr/lib64 ! -user root -type d -exec stat -c "%n %U" '{}' \; If any system-wide shared library directory is returned, this is a finding.
Configure the system-wide shared library directories within (/lib, /lib64, /usr/lib and /usr/lib64) to be protected from unauthorized access. Run the following command, replacing "[DIRECTORY]" with any library directory not owned by "root". $ sudo chown root [DIRECTORY]
Verify the system-wide shared library directories are group-owned by "root" with the following command: $ sudo find /lib /lib64 /usr/lib /usr/lib64 ! -group root -type d -exec stat -c "%n %G" '{}' \; If any system-wide shared library directory is returned and is not group-owned by a required system account, this is a finding.
Configure the system-wide shared library directories (/lib, /lib64, /usr/lib and /usr/lib64) to be protected from unauthorized access. Run the following command, replacing "[DIRECTORY]" with any library directory not group-owned by "root". $ sudo chgrp root [DIRECTORY]
Verify that Advanced Intrusion Detection Environment (AIDE) is installed and verifies the correct operation of all security functions. Check that the AIDE package is installed with the following command: $ sudo rpm -q aide aide-0.16-14.el8_5.1.x86_64 If AIDE is not installed, ask the System Administrator how file integrity checks are performed on the system. If there is no application installed to perform integrity checks, this is a finding. If AIDE is installed, check if it has been initialized with the following command: $ sudo /usr/sbin/aide --check If the output is "Couldn't open file /var/lib/aide/aide.db.gz for reading", this is a finding.
Install AIDE, initialize it, and perform a manual check. Install AIDE: $ sudo yum install aide Initialize it: $ sudo /usr/sbin/aide --init Example output: Number of entries: 48623 --------------------------------------------------- The attributes of the (uncompressed) database(s): --------------------------------------------------- /var/lib/aide/aide.db.new.gz SHA1 : LTAVQ8tFJthsrf4m9gfRpnf1vyc= SHA256 : NJ9+uzRQKSwmLQ8A6IpKNvYjVKGbhSjt BeJBVcmOVrI= SHA512 : 7d8I/F6A1b07E4ZuGeilZjefRgJJ/F20 eC2xoag1OsOVpctt3Mi7Jjjf3vFW4xoY 5mdS6/ImQpm0xtlTLOPeQQ== End timestamp: 2022-10-20 10:50:52 -0700 (run time: 0m 46s) The new database will need to be renamed to be read by AIDE: $ sudo mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz Perform a manual check: $ sudo /usr/sbin/aide --check Example output: Start timestamp: 2022-10-20 11:03:16 -0700 (AIDE 0.16) AIDE found differences between database and filesystem!! ... Done.
Note: If the "include" and "includedir" directives are not present in the /etc/sudoers file, this requirement is not applicable. Verify the operating system specifies only the default "include" directory for the /etc/sudoers file with the following command: $ sudo grep include /etc/sudoers #includedir /etc/sudoers.d If the results are not "/etc/sudoers.d" or additional files or directories are specified, this is a finding. Verify the operating system does not have nested "include" files or directories within the /etc/sudoers.d directory with the following command: $ sudo grep -r include /etc/sudoers.d If results are returned, this is a finding.
Configure the /etc/sudoers file to only include the /etc/sudoers.d directory. Edit the /etc/sudoers file with the following command: $ sudo visudo Add or modify the following line: #includedir /etc/sudoers.d
Verify the operating system is not be configured to bypass password requirements for privilege escalation. Check the configuration of the "/etc/pam.d/sudo" file with the following command: $ sudo grep pam_succeed_if /etc/pam.d/sudo If any occurrences of "pam_succeed_if" is returned from the command, this is a finding.
Configure the operating system to require users to supply a password for privilege escalation. Check the configuration of the "/etc/ pam.d/sudo" file with the following command: $ sudo vi /etc/pam.d/sudo Remove any occurrences of "pam_succeed_if" in the file.
Verify the operating system uses "pwquality" to enforce the password complexity rules. Check for the use of "pwquality" in the system-auth file with the following command: $ sudo cat /etc/pam.d/system-auth | grep pam_pwquality password requisite pam_pwquality.so If the command does not return a line containing the value "pam_pwquality.so" as shown, or the line is commented out, this is a finding.
Configure the operating system to use "pwquality" to enforce password complexity rules. Add the following line to the "/etc/pam.d/system-auth" file (or modify the line to have the required value): password requisite pam_pwquality.so
Note: This requirement applies to RHEL versions 8.0 through 8.3. If the system is RHEL version 8.4 or newer, this requirement is not applicable. Verify the operating system is configured to limit the "pwquality" retry option to 3. Check for the use of the "pwquality" retry option in the system-auth file with the following command: $ sudo cat /etc/pam.d/system-auth | grep pam_pwquality password requisite pam_pwquality.so retry=3 If the value of "retry" is set to "0" or greater than "3", this is a finding.
Configure the operating system to limit the "pwquality" retry option to 3. Add the following line to the "/etc/pam.d/system-auth" file (or modify the line to have the required value): password requisite pam_pwquality.so retry=3
Note: This requirement applies to RHEL versions 8.0 through 8.3. If the system is RHEL version 8.4 or newer, this requirement is not applicable. Verify the operating system is configured to limit the "pwquality" retry option to 3. Check for the use of the "pwquality" retry option in the password-auth file with the following command: $ sudo cat /etc/pam.d/password-auth | grep pam_pwquality password requisite pam_pwquality.so retry=3 If the value of "retry" is set to "0" or greater than "3", this is a finding.
Configure the operating system to limit the "pwquality" retry option to 3. Add the following line to the "/etc/pam.d/password-auth" file (or modify the line to have the required value): password requisite pam_pwquality.so retry=3
Note: This requirement applies to RHEL versions 8.4 or newer. If the system is RHEL below version 8.4, this requirement is not applicable. Verify the operating system is configured to limit the "pwquality" retry option to 3. Check for the use of the "pwquality" retry option with the following command: $ sudo grep -r retry /etc/security/pwquality.conf* /etc/security/pwquality.conf:retry = 3 If the value of "retry" is set to "0" or greater than "3", is commented out or missing, this is a finding. If conflicting results are returned, this is a finding. Check for the use of the "pwquality" retry option in the system-auth and password-auth files with the following command: $ sudo grep pwquality /etc/pam.d/system-auth /etc/pam.d/password-auth | grep retry If the command returns any results, this is a finding.
Configure the operating system to limit the "pwquality" retry option to 3. Add the following line to the "/etc/security/pwquality.conf" file(or modify the line to have the required value): retry = 3 Remove any configurations that conflict with the above value.
Verify that the system is configured to boot to the command line: $ systemctl get-default multi-user.target If the system default target is not set to "multi-user.target" and the Information System Security Officer (ISSO) lacks a documented requirement for a graphical user interface, this is a finding.
Document the requirement for a graphical user interface with the ISSO or reinstall the operating system without the graphical user interface. If reinstallation is not feasible, then continue with the following procedure: Open an SSH session and enter the following commands: $ sudo systemctl set-default multi-user.target A reboot is required for the changes to take effect.
Verify the operating system prevents nonprivileged users from executing privileged functions, including disabling, circumventing, or altering implemented security safeguards/countermeasures. Obtain a list of authorized users (other than system administrator and guest accounts) for the system. Check the list against the system by using the following command: $ sudo semanage login -l | more Login Name SELinux User MLS/MCS Range Service __default__ user_u s0-s0:c0.c1023 * root unconfined_u s0-s0:c0.c1023 * system_u system_u s0-s0:c0.c1023 * joe staff_u s0-s0:c0.c1023 * All administrators must be mapped to the "sysadm_u", "staff_u", or an appropriately tailored confined role as defined by the organization. All authorized nonadministrative users must be mapped to the "user_u" role. If they are not mapped in this way, this is a finding.
Configure RHEL 8 to prevent nonprivileged users from executing privileged functions, including disabling, circumventing, or altering implemented security safeguards/countermeasures. Use the following command to map a new user to the "sysadm_u" role: $ sudo semanage login -a -s sysadm_u <username> Use the following command to map an existing user to the "sysadm_u" role: $ sudo semanage login -m -s sysadm_u <username> Use the following command to map a new user to the "staff_u" role: $ sudo semanage login -a -s staff_u <username> Use the following command to map an existing user to the "staff_u" role: $ sudo semanage login -m -s staff_u <username> Use the following command to map a new user to the "user_u" role: $ sudo semanage login -a -s user_u <username> Use the following command to map an existing user to the "user_u" role: $ sudo semanage login -m -s user_u <username> Note: SELinux confined users mapped to sysadm_u are not allowed to log in to the system over SSH, by default. If this is a required function, it can be configured by setting the ssh_sysadm_login SELinux boolean to "on" with the following command: $ sudo setsebool -P ssh_sysadm_login on This must be documented with the information system security officer (ISSO) as an operational requirement.
Verify that the SSH server is configured to use only FIPS-validated key exchange algorithms: $ sudo grep -i kexalgorithms /etc/crypto-policies/back-ends/opensshserver.config CRYPTO_POLICY='-oKexAlgorithms=ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512' If the entries following "KexAlgorithms" have any algorithms defined other than "ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512", appear in different order than shown, or are missing or commented out, this is a finding.
Configure the SSH server to use only FIPS-validated key exchange algorithms by adding or modifying the following line in "/etc/crypto-policies/back-ends/opensshserver.config": -oKexAlgorithms=ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512 A reboot is required for the changes to take effect.
Confirm Red Hat package-signing keys are installed on the system and verify their fingerprints match vendor values. Note: For RHEL 8 software packages, Red Hat uses GPG keys labeled "release key 2" and "auxiliary key 2". The keys are defined in key file "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release" by default. List Red Hat GPG keys installed on the system: $ sudo rpm -q --queryformat "%{SUMMARY}\n" gpg-pubkey | grep -i "red hat" gpg(Red Hat, Inc. (release key 2) <security@redhat.com>) gpg(Red Hat, Inc. (auxiliary key) <security@redhat.com>) If Red Hat GPG keys "release key 2" and "auxiliary key 2" are not installed, this is a finding. Note: The "auxiliary key 2" appears as "auxiliary key" on a RHEL 8 system. List key fingerprints of installed Red Hat GPG keys: $ sudo gpg -q --keyid-format short --with-fingerprint /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release If key file "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release" is missing, this is a finding. Example output: pub rsa4096/FD431D51 2009-10-22 [SC] Key fingerprint = 567E 347A D004 4ADE 55BA 8A5F 199E 2F91 FD43 1D51 uid Red Hat, Inc. (release key 2) <security@redhat.com> pub rsa4096/D4082792 2018-06-27 [SC] Key fingerprint = 6A6A A7C9 7C88 90AE C6AE BFE2 F76F 66C3 D408 2792 uid Red Hat, Inc. (auxiliary key) <security@redhat.com> sub rsa4096/1B5584D3 2018-06-27 [E] Compare key fingerprints of installed Red Hat GPG keys with fingerprints listed for RHEL 8 on Red Hat "Product Signing Keys" webpage at https://access.redhat.com/security/team/key. If key fingerprints do not match, this is a finding.
Install Red Hat package-signing keys on the system and verify their fingerprints match vendor values. Insert RHEL 8 installation disc or attach RHEL 8 installation image to the system. Mount the disc or image to make the contents accessible inside the system. Assuming the mounted location is "/media/cdrom", use the following command to copy Red Hat GPG key file onto the system: $ sudo cp /media/cdrom/RPM-GPG-KEY-redhat-release /etc/pki/rpm-gpg/ Import Red Hat GPG keys from key file into system keyring: $ sudo rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release Using the steps listed in the Check Text, confirm the newly imported keys show as installed on the system and verify their fingerprints match vendor values.
Verify that the operating system is configured to allow sending email notifications. Note: The "mailx" package provides the "mail" command that is used to send email messages. Verify that the "mailx" package is installed on the system: $ sudo yum list installed mailx mailx.x86_64 12.5-29.el8 @rhel-8-for-x86_64-baseos-rpm If "mailx" package is not installed, this is a finding.
Install the "mailx" package on the system: $ sudo yum install mailx
Note: This requirement applies to RHEL versions 8.7 and higher. If the system is not RHEL version 8.7 or newer, this requirement is not applicable. Verify that RHEL 8 logs out sessions that are idle for 10 minutes with the following command: $ sudo grep -i ^StopIdleSessionSec /etc/systemd/logind.conf StopIdleSessionSec=600 If "StopIdleSessionSec" is not configured to "600" seconds, this is a finding.
Configure RHEL 8 to log out idle sessions after 10 minutes by editing the /etc/systemd/logind.conf file with the following line: StopIdleSessionSec=600 The "logind" service must be restarted for the changes to take effect. To restart the "logind" service, run the following command: $ sudo systemctl restart systemd-logind
To verify that null passwords cannot be used, run the following command: $ sudo grep -i nullok /etc/pam.d/system-auth If output is produced, this is a finding.
Remove any instances of the "nullok" option in the "/etc/pam.d/system-auth" file to prevent logons with empty passwords. Note: Manual changes to the listed file may be overwritten by the "authselect" program.