Red Hat Enterprise Linux 9 Security Technical Implementation Guide

  • Version/Release: V2R2
  • Published: 2024-08-30
  • Released: 2024-10-24
  • Expand All:
  • Severity:
  • Sort:
Compare

Select any two versions of this STIG to compare the individual requirements

View

Select any old version/release of this STIG to view the previous requirements

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.
c
RHEL 9 must be a vendor-supported release.
CM-6 - High - CCI-000366 - V-257777 - SV-257777r991589_rule
RMF Control
CM-6
Severity
High
CCI
CCI-000366
Version
RHEL-09-211010
Vuln IDs
  • V-257777
Rule IDs
  • SV-257777r991589_rule
An operating system release is considered "supported" if the vendor continues to provide security patches for the product. With an unsupported release, it will not be possible to resolve security issues discovered in the system software. Red Hat offers the Extended Update Support (EUS) add-on to a Red Hat Enterprise Linux subscription, for a fee, for those customers who wish to standardize on a specific minor release for an extended period.
Checks: C-61518r925316_chk

Verify that the version or RHEL 9 is vendor supported with the following command: $ cat /etc/redhat-release Red Hat Enterprise Linux release 9.2 (Plow) If the installed version of RHEL 9 is not supported, this is a finding.

Fix: F-61442r925317_fix

Upgrade to a supported version of RHEL 9.

b
RHEL 9 vendor packaged system security patches and updates must be installed and up to date.
CM-6 - Medium - CCI-000366 - V-257778 - SV-257778r991589_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
RHEL-09-211015
Vuln IDs
  • V-257778
Rule IDs
  • SV-257778r991589_rule
Installing software updates is a fundamental mitigation against the exploitation of publicly known vulnerabilities. If the most recent security patches and updates are not installed, unauthorized users may take advantage of weaknesses in the unpatched software. The lack of prompt attention to patching could result in a system compromise.
Checks: C-61519r925319_chk

Verify RHEL 9 security patches and updates are installed and up to date. Updates are required to be applied with a frequency determined by organizational policy. Obtain the list of available package security updates from Red Hat. The URL for updates is https://access.redhat.com/errata-search/. It is important to note that updates provided by Red Hat may not be present on the system if the underlying packages are not installed. Check that the available package security updates have been installed on the system with the following command: $ dnf history list | more ID | Command line | Date and time | Action(s) | Altered ------------------------------------------------------------------------------- 70 | install aide | 2023-03-05 10:58 | Install | 1 69 | update -y | 2023-03-04 14:34 | Update | 18 EE 68 | install vlc | 2023-02-21 17:12 | Install | 21 67 | update -y | 2023-02-21 17:04 | Update | 7 EE Typical update frequency may be overridden by Information Assurance Vulnerability Alert (IAVA) notifications from CYBERCOM. If the system is in noncompliance with the organizational patching policy, this is a finding.

Fix: F-61443r925320_fix

Install RHEL 9 security patches and updates at the organizationally defined frequency. If system updates are installed via a centralized repository that is configured on the system, all updates can be installed with the following command: $ sudo dnf update

b
RHEL 9 must display the Standard Mandatory DOD Notice and Consent Banner before granting local or remote access to the system via a command line user logon.
AC-8 - Medium - CCI-000048 - V-257779 - SV-257779r958390_rule
RMF Control
AC-8
Severity
Medium
CCI
CCI-000048
Version
RHEL-09-211020
Vuln IDs
  • V-257779
Rule IDs
  • SV-257779r958390_rule
Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. System use notifications are required only for access via login interfaces with human users and are not required when such human interfaces do not exist. Satisfies: SRG-OS-000023-GPOS-00006, SRG-OS-000228-GPOS-00088
Checks: C-61520r925322_chk

Verify RHEL 9 displays the Standard Mandatory DOD Notice and Consent Banner before granting access to the operating system via a command line user logon. Check that a banner is displayed at the command line login screen with the following command: $ sudo cat /etc/issue If the banner is set correctly it will return the following text: "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details." If the banner text does not match the Standard Mandatory DOD Notice and Consent Banner exactly, or the line is commented out, this is a finding.

Fix: F-61444r925323_fix

Configure RHEL 9 to display the Standard Mandatory DOD Notice and Consent Banner before granting access to the system via command line logon. Edit the "/etc/issue" file to replace the default text with the Standard Mandatory DOD Notice and Consent Banner. The DOD-required text is: "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests -- not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."

b
The graphical display manager must not be the default target on RHEL 9 unless approved.
CM-6 - Medium - CCI-000366 - V-257781 - SV-257781r991589_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
RHEL-09-211030
Vuln IDs
  • V-257781
Rule IDs
  • SV-257781r991589_rule
Unnecessary service packages must not be installed to decrease the attack surface of the system. Graphical display managers have a long history of security vulnerabilities and must not be used, unless approved and documented.
Checks: C-61522r925328_chk

Verify that RHEL 9 is configured to boot to the command line: $ systemctl get-default multi-user.target If the system default target is not set to "multi-user.target" and the information system security officer (ISSO) lacks a documented requirement for a graphical user interface, this is a finding.

Fix: F-61446r925329_fix

Document the requirement for a graphical user interface with the ISSO or set the default target to multi-user with the following command: $ sudo systemctl set-default multi-user.target

a
RHEL 9 must enable the hardware random number generator entropy gatherer service.
CM-6 - Low - CCI-000366 - V-257782 - SV-257782r991589_rule
RMF Control
CM-6
Severity
Low
CCI
CCI-000366
Version
RHEL-09-211035
Vuln IDs
  • V-257782
Rule IDs
  • SV-257782r991589_rule
The most important characteristic of a random number generator is its randomness, namely its ability to deliver random numbers that are impossible to predict. Entropy in computer security is associated with the unpredictability of a source of randomness. The random source with high entropy tends to achieve a uniform distribution of random values. Random number generators are one of the most important building blocks of cryptosystems. The rngd service feeds random data from hardware device to kernel random device. Quality (nonpredictable) random number generation is important for several security functions (i.e., ciphers).
Checks: C-61523r942960_chk

Note: For RHEL 9 systems running with kernel FIPS mode enabled as specified by RHEL-09-671010, this requirement is Not Applicable. Verify that RHEL 9 has enabled the hardware random number generator entropy gatherer service with the following command: $ systemctl is-active rngd active If the "rngd" service is not active, this is a finding.

Fix: F-61447r925332_fix

Install the rng-tools package with the following command: $ sudo dnf install rng-tools Then enable the rngd service run the following command: $ sudo systemctl enable --now rngd

b
RHEL 9 systemd-journald service must be enabled.
SC-24 - Medium - CCI-001665 - V-257783 - SV-257783r991562_rule
RMF Control
SC-24
Severity
Medium
CCI
CCI-001665
Version
RHEL-09-211040
Vuln IDs
  • V-257783
Rule IDs
  • SV-257783r991562_rule
In the event of a system failure, RHEL 9 must preserve any information necessary to determine cause of failure and any information necessary to return to operations with least disruption to system processes.
Checks: C-61524r925334_chk

Verify that "systemd-journald" is active with the following command: $ systemctl is-active systemd-journald active If the systemd-journald service is not active, this is a finding.

Fix: F-61448r925335_fix

To enable the systemd-journald service, run the following command: $ sudo systemctl enable --now systemd-journald

c
The systemd Ctrl-Alt-Delete burst key sequence in RHEL 9 must be disabled.
CM-6 - High - CCI-000366 - V-257784 - SV-257784r958726_rule
RMF Control
CM-6
Severity
High
CCI
CCI-000366
Version
RHEL-09-211045
Vuln IDs
  • V-257784
Rule IDs
  • SV-257784r958726_rule
A locally logged-on user who presses Ctrl-Alt-Delete when at the console can reboot the system. If accidentally pressed, as could happen in the case of a mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot. In a graphical user environment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is reduced because the user will be prompted before any action is taken. Satisfies: SRG-OS-000324-GPOS-00125, SRG-OS-000480-GPOS-00227
Checks: C-61525r925337_chk

Verify RHEL 9 is configured to not reboot the system when Ctrl-Alt-Delete is pressed seven times within two seconds with the following command: $ grep -i ctrl /etc/systemd/system.conf CtrlAltDelBurstAction=none If the "CtrlAltDelBurstAction" is not set to "none", commented out, or is missing, this is a finding.

Fix: F-61449r925338_fix

Configure the system to disable the CtrlAltDelBurstAction by added or modifying the following line in the "/etc/systemd/system.conf" configuration file: CtrlAltDelBurstAction=none Reload the daemon for this change to take effect. $ sudo systemctl daemon-reload

c
The x86 Ctrl-Alt-Delete key sequence must be disabled on RHEL 9.
CM-6 - High - CCI-000366 - V-257785 - SV-257785r958726_rule
RMF Control
CM-6
Severity
High
CCI
CCI-000366
Version
RHEL-09-211050
Vuln IDs
  • V-257785
Rule IDs
  • SV-257785r958726_rule
A locally logged-on user who presses Ctrl-Alt-Delete when at the console can reboot the system. If accidentally pressed, as could happen in the case of a mixed OS environment, this can create the risk of short-term loss of availability of systems due to unintentional reboot. In a graphical user environment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is reduced because the user will be prompted before any action is taken. Satisfies: SRG-OS-000324-GPOS-00125, SRG-OS-000480-GPOS-00227
Checks: C-61526r925340_chk

Verify RHEL 9 is not configured to reboot the system when Ctrl-Alt-Delete is pressed with the following command: $ sudo systemctl status ctrl-alt-del.target ctrl-alt-del.target Loaded: masked (Reason: Unit ctrl-alt-del.target is masked.) Active: inactive (dead) If the "ctrl-alt-del.target" is loaded and not masked, this is a finding.

Fix: F-61450r925341_fix

Configure RHEL 9 to disable the ctrl-alt-del.target with the following command: $ sudo systemctl disable --now ctrl-alt-del.target $ sudo systemctl mask --now ctrl-alt-del.target

b
RHEL 9 debug-shell systemd service must be disabled.
CM-6 - Medium - CCI-000366 - V-257786 - SV-257786r958726_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
RHEL-09-211055
Vuln IDs
  • V-257786
Rule IDs
  • SV-257786r958726_rule
The debug-shell requires no authentication and provides root privileges to anyone who has physical access to the machine. While this feature is disabled by default, masking it adds an additional layer of assurance that it will not be enabled via a dependency in systemd. This also prevents attackers with physical access from trivially bypassing security on the machine through valid troubleshooting configurations and gaining root access when the system is rebooted. Satisfies: SRG-OS-000324-GPOS-00125, SRG-OS-000480-GPOS-00227
Checks: C-61527r925343_chk

Verify RHEL 9 is configured to mask the debug-shell systemd service with the following command: $ sudo systemctl status debug-shell.service debug-shell.service Loaded: masked (Reason: Unit debug-shell.service is masked.) Active: inactive (dead) If the "debug-shell.service" is loaded and not masked, this is a finding.

Fix: F-61451r943025_fix

Configure RHEL 9 to mask the debug-shell systemd service with the following command: $ sudo systemctl disable --now debug-shell.service $ sudo systemctl mask --now debug-shell.service

b
RHEL 9 must require a boot loader superuser password.
AC-3 - Medium - CCI-000213 - V-257787 - SV-257787r958472_rule
RMF Control
AC-3
Severity
Medium
CCI
CCI-000213
Version
RHEL-09-212010
Vuln IDs
  • V-257787
Rule IDs
  • SV-257787r958472_rule
To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DOD-approved PKIs, all DOD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods that do not rely solely on the possession of a certificate for access. Successful authentication must not automatically give an entity access to an asset or security boundary. Authorization procedures and controls must be implemented to ensure each authenticated entity also has a validated and current authorization. Authorization is the process of determining whether an entity, once authenticated, is permitted to access a specific asset. Information systems use access control policies and enforcement mechanisms to implement this requirement. Password protection on the boot loader configuration ensures users with physical access cannot trivially alter important bootloader settings. These include which kernel to use, and whether to enter single-user mode.
Checks: C-61528r925346_chk

Verify the boot loader superuser password has been set and run the following command: $ sudo grep "superusers" /etc/grub2.cfg password_pbkdf2 superusers-account ${GRUB2_PASSWORD} To verify the boot loader superuser account password has been set, and the password encrypted, run the following command: $ sudo cat /boot/grub2/user.cfg GRUB2_PASSWORD=grub.pbkdf2.sha512.10000.C4E08AC72FBFF7E837FD267BFAD7AEB3D42DDC 2C99F2A94DD5E2E75C2DC331B719FE55D9411745F82D1B6CFD9E927D61925F9BBDD1CFAA0080E0 916F7AB46E0D.1302284FCCC52CD73BA3671C6C12C26FF50BA873293B24EE2A96EE3B57963E6D7 0C83964B473EC8F93B07FE749AA6710269E904A9B08A6BBACB00A2D242AD828 If a "GRUB2_PASSWORD" is not set, this is a finding.

Fix: F-61452r925347_fix

Configure RHEL 9 to require a grub bootloader password for the grub superuser account. Generate an encrypted grub2 password for the grub superuser account with the following command: $ sudo grub2-setpassword Enter password: Confirm password:

b
RHEL 9 must disable the ability of systemd to spawn an interactive boot process.
CM-6 - Medium - CCI-000366 - V-257788 - SV-257788r991589_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
RHEL-09-212015
Vuln IDs
  • V-257788
Rule IDs
  • SV-257788r991589_rule
Using interactive or recovery boot, the console user could disable auditing, firewalls, or other services, weakening system security.
Checks: C-61529r925349_chk

Verify that GRUB 2 is configured to disable interactive boot. Check that the current GRUB 2 configuration disables the ability of systemd to spawn an interactive boot process with the following command: $ sudo grubby --info=ALL | grep args | grep 'systemd.confirm_spawn' If any output is returned, this is a finding.

Fix: F-61453r925350_fix

Configure RHEL 9 to allocate sufficient audit_backlog_limit to disable the ability of systemd to spawn an interactive boot process with the following command: $ sudo grubby --update-kernel=ALL --remove-args="systemd.confirm_spawn"

c
RHEL 9 must require a unique superusers name upon booting into single-user and maintenance modes.
AC-3 - High - CCI-000213 - V-257789 - SV-257789r1014822_rule
RMF Control
AC-3
Severity
High
CCI
CCI-000213
Version
RHEL-09-212020
Vuln IDs
  • V-257789
Rule IDs
  • SV-257789r1014822_rule
Having a nondefault grub superuser username makes password-guessing attacks less effective.
Checks: C-61530r943053_chk

Verify the boot loader superuser account has been set with the following command: $ sudo grep -A1 "superusers" /etc/grub2.cfg set superusers="<superusers-account>" export superusers The <superusers-account> is the actual account name different from common names like root, admin, or administrator. If superusers contains easily guessable usernames, this is a finding.

Fix: F-61454r1014821_fix

Configure RHEL 9 to have a unique username for the grub superuser account. Edit the "/etc/grub.d/01_users" file and add or modify the following lines with a nondefault username for the superusers account: set superusers="<superusers-account>" export superusers Once the superuser account has been added, update the grub.cfg file by running: $ sudo grubby --update-kernel=ALL

b
RHEL 9 /boot/grub2/grub.cfg file must be group-owned by root.
CM-6 - Medium - CCI-000366 - V-257790 - SV-257790r991589_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
RHEL-09-212025
Vuln IDs
  • V-257790
Rule IDs
  • SV-257790r991589_rule
The "root" group is a highly privileged group. Furthermore, the group-owner of this file should not have any access privileges anyway.
Checks: C-61531r925355_chk

Verify the group ownership of the "/boot/grub2/grub.cfg" file with the following command: $ sudo stat -c "%G %n" /boot/grub2/grub.cfg root /boot/grub2/grub.cfg If "/boot/grub2/grub.cfg" file does not have a group owner of "root", this is a finding.

Fix: F-61455r925356_fix

Change the group of the file /boot/grub2/grub.cfg to root by running the following command: $ sudo chgrp root /boot/grub2/grub.cfg

b
RHEL 9 /boot/grub2/grub.cfg file must be owned by root.
CM-6 - Medium - CCI-000366 - V-257791 - SV-257791r991589_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
RHEL-09-212030
Vuln IDs
  • V-257791
Rule IDs
  • SV-257791r991589_rule
The " /boot/grub2/grub.cfg" file stores sensitive system configuration. Protection of this file is critical for system security.
Checks: C-61532r925358_chk

Verify the ownership of the "/boot/grub2/grub.cfg" file with the following command: $ sudo stat -c "%U %n" /boot/grub2/grub.cfg root /boot/grub2/grub.cfg If "/boot/grub2/grub.cfg" file does not have an owner of "root", this is a finding.

Fix: F-61456r925359_fix

Change the owner of the file /boot/grub2/grub.cfg to root by running the following command: $ sudo chown root /boot/grub2/grub.cfg

b
RHEL 9 must disable virtual system calls.
CM-6 - Medium - CCI-000366 - V-257792 - SV-257792r991589_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
RHEL-09-212035
Vuln IDs
  • V-257792
Rule IDs
  • SV-257792r991589_rule
System calls are special routines in the Linux kernel, which userspace applications ask to do privileged tasks. Invoking a system call is an expensive operation because the processor must interrupt the currently executing task and switch context to kernel mode and then back to userspace after the system call completes. Virtual system calls map into user space a page that contains some variables and the implementation of some system calls. This allows the system calls to be executed in userspace to alleviate the context switching expense. Virtual system calls provide an opportunity of attack for a user who has control of the return instruction pointer. Disabling virtual system calls help to prevent return oriented programming (ROP) attacks via buffer overflows and overruns. If the system intends to run containers based on RHEL 6 components, then virtual system calls will need enabled so the components function properly. Satisfies: SRG-OS-000480-GPOS-00227, SRG-OS-000134-GPOS-00068
Checks: C-61533r925361_chk

Verify the current GRUB 2 configuration disables virtual system calls with the following command: $ sudo grubby --info=ALL | grep args | grep -v 'vsyscall=none' If any output is returned, this is a finding. Check that virtual system calls are disabled by default to persist in kernel updates with the following command: $ sudo grep vsyscall /etc/default/grub GRUB_CMDLINE_LINUX="vsyscall=none" If "vsyscall" is not set to "none", is missing or commented out, and is not documented with the information system security officer (ISSO) as an operational requirement, this is a finding.

Fix: F-61457r925362_fix

Document the use of virtual system calls with the ISSO as an operational requirement or disable them with the following command: $ sudo grubby --update-kernel=ALL --args="vsyscall=none" Add or modify the following line in "/etc/default/grub" to ensure the configuration survives kernel updates: GRUB_CMDLINE_LINUX="vsyscall=none"

b
RHEL 9 must clear the page allocator to prevent use-after-free attacks.
CM-6 - Medium - CCI-000366 - V-257793 - SV-257793r991589_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
RHEL-09-212040
Vuln IDs
  • V-257793
Rule IDs
  • SV-257793r991589_rule
Poisoning writes an arbitrary value to freed pages, so any modification or reference to that page after being freed or before being initialized will be detected and prevented. This prevents many types of use-after-free vulnerabilities at little performance cost. Also prevents leak of data and detection of corrupted memory. Satisfies: SRG-OS-000480-GPOS-00227, SRG-OS-000134-GPOS-00068
Checks: C-61534r925364_chk

Verify that GRUB 2 is configured to enable page poisoning to mitigate use-after-free vulnerabilities. Check that the current GRUB 2 configuration has page poisoning enabled with the following command: $ sudo grubby --info=ALL | grep args | grep -v 'page_poison=1' If any output is returned, this is a finding. Check that page poisoning is enabled by default to persist in kernel updates with the following command: $ sudo grep page_poison /etc/default/grub GRUB_CMDLINE_LINUX="page_poison=1" If "page_poison" is not set to "1", is missing or commented out, this is a finding.

Fix: F-61458r925365_fix

Configure RHEL 9 to enable page poisoning with the following commands: $ sudo grubby --update-kernel=ALL --args="page_poison=1" Add or modify the following line in "/etc/default/grub" to ensure the configuration survives kernel updates: GRUB_CMDLINE_LINUX="page_poison=1"

b
RHEL 9 must clear SLUB/SLAB objects to prevent use-after-free attacks.
SC-3 - Medium - CCI-001084 - V-257794 - SV-257794r958928_rule
RMF Control
SC-3
Severity
Medium
CCI
CCI-001084
Version
RHEL-09-212045
Vuln IDs
  • V-257794
Rule IDs
  • SV-257794r958928_rule
Some adversaries launch attacks with the intent of executing code in nonexecutable regions of memory or in memory locations that are prohibited. Security safeguards employed to protect memory include, for example, data execution prevention and address space layout randomization. Data execution prevention safeguards can be either hardware-enforced or software-enforced with hardware providing the greater strength of mechanism. Poisoning writes an arbitrary value to freed pages, so any modification or reference to that page after being freed or before being initialized will be detected and prevented. This prevents many types of use-after-free vulnerabilities at little performance cost. Also prevents leak of data and detection of corrupted memory. SLAB objects are blocks of physically contiguous memory. SLUB is the unqueued SLAB allocator. Satisfies: SRG-OS-000433-GPOS-00192, SRG-OS-000134-GPOS-00068
Checks: C-61535r952163_chk

Verify that GRUB 2 is configured to enable poisoning of SLUB/SLAB objects to mitigate use-after-free vulnerabilities with the following commands: Check that the current GRUB 2 configuration has poisoning of SLUB/SLAB objects enabled: $ sudo grubby --info=ALL | grep args | grep -v 'slub_debug=P' If any output is returned, this is a finding. Check that poisoning of SLUB/SLAB objects is enabled by default to persist in kernel updates: $ sudo grep slub_debug /etc/default/grub GRUB_CMDLINE_LINUX="slub_debug=P" If "slub_debug" does not contain "P", is missing, or is commented out, this is a finding.

Fix: F-61459r925368_fix

Configure RHEL to enable poisoning of SLUB/SLAB objects with the following commands: $ sudo grubby --update-kernel=ALL --args="slub_debug=P" Add or modify the following line in "/etc/default/grub" to ensure the configuration survives kernel updates: GRUB_CMDLINE_LINUX="slub_debug=P"

a
RHEL 9 must enable mitigations against processor-based vulnerabilities.
CM-7 - Low - CCI-000381 - V-257795 - SV-257795r958928_rule
RMF Control
CM-7
Severity
Low
CCI
CCI-000381
Version
RHEL-09-212050
Vuln IDs
  • V-257795
Rule IDs
  • SV-257795r958928_rule
Kernel page-table isolation is a kernel feature that mitigates the Meltdown security vulnerability and hardens the kernel against attempts to bypass kernel address space layout randomization (KASLR). Satisfies: SRG-OS-000433-GPOS-00193, SRG-OS-000095-GPOS-00049
Checks: C-61536r925370_chk

Verify RHEL 9 enables kernel page-table isolation with the following command: $ sudo grubby --info=ALL | grep pti args="ro crashkernel=auto resume=/dev/mapper/rhel-swap rd.lvm.lv=rhel/root rd.lvm.lv=rhel/swap rhgb quiet fips=1 audit=1 audit_backlog_limit=8192 pti=on If the "pti" entry does not equal "on", or is missing, this is a finding. Check that kernel page-table isolation is enabled by default to persist in kernel updates: $ sudo grep pti /etc/default/grub GRUB_CMDLINE_LINUX="pti=on" If "pti" is not set to "on", is missing or commented out, this is a finding.

Fix: F-61460r925371_fix

Configure RHEL 9 to enable kernel page-table isolation with the following command: $ sudo grubby --update-kernel=ALL --args="pti=on" Add or modify the following line in "/etc/default/grub" to ensure the configuration survives kernel updates: GRUB_CMDLINE_LINUX="pti=on"

a
RHEL 9 must enable auditing of processes that start prior to the audit daemon.
AU-3 - Low - CCI-000130 - V-257796 - SV-257796r958412_rule
RMF Control
AU-3
Severity
Low
CCI
CCI-000130
Version
RHEL-09-212055
Vuln IDs
  • V-257796
Rule IDs
  • SV-257796r958412_rule
Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. If auditing is enabled late in the startup process, the actions of some startup processes may not be audited. Some audit systems also maintain state information only available if auditing is enabled before a given process is created. Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000473-GPOS-00218, SRG-OS-000254-GPOS-00095
Checks: C-61537r925373_chk

Verify that GRUB 2 is configured to enable auditing of processes that start prior to the audit daemon with the following commands: Check that the current GRUB 2 configuration enabled auditing: $ sudo grubby --info=ALL | grep audit args="ro crashkernel=auto resume=/dev/mapper/rhel-swap rd.lvm.lv=rhel/root rd.lvm.lv=rhel/swap rhgb quiet fips=1 audit=1 audit_backlog_limit=8192 pti=on If "audit" is not set to "1" or is missing, this is a finding. Check that auditing is enabled by default to persist in kernel updates: $ sudo grep audit /etc/default/grub GRUB_CMDLINE_LINUX="audit=1" If "audit" is not set to "1", is missing, or is commented out, this is a finding.

Fix: F-61461r925374_fix

Enable auditing of processes that start prior to the audit daemon with the following command: $ sudo grubby --update-kernel=ALL --args="audit=1" Add or modify the following line in "/etc/default/grub" to ensure the configuration survives kernel updates: GRUB_CMDLINE_LINUX="audit=1"

b
RHEL 9 must restrict access to the kernel message buffer.
SC-2 - Medium - CCI-001082 - V-257797 - SV-257797r958514_rule
RMF Control
SC-2
Severity
Medium
CCI
CCI-001082
Version
RHEL-09-213010
Vuln IDs
  • V-257797
Rule IDs
  • SV-257797r958514_rule
Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the actions of prior users/roles (or the actions of processes acting on behalf of prior users/roles) from being available to any current users/roles (or current processes) that obtain access to shared system resources (e.g., registers, main memory, hard disks) after those resources have been released back to information systems. The control of information in shared resources is also commonly referred to as object reuse and residual information protection. This requirement generally applies to the design of an information technology product, but it can also apply to the configuration of particular information system components that are, or use, such products. This can be verified by acceptance/validation processes in DOD or other government agencies. There may be shared resources with configurable protections (e.g., files in storage) that may be assessed on specific information system components. Restricting access to the kernel message buffer limits access to only root. This prevents attackers from gaining additional system information as a nonprivileged user. Satisfies: SRG-OS-000132-GPOS-00067, SRG-OS-000138-GPOS-00069
Checks: C-61538r942964_chk

Verify RHEL 9 is configured to restrict access to the kernel message buffer with the following commands: Check the status of the kernel.dmesg_restrict kernel parameter. $ sudo sysctl kernel.dmesg_restrict kernel.dmesg_restrict = 1 If "kernel.dmesg_restrict" is not set to "1" or is missing, this is a finding. Check that the configuration files are present to enable this kernel parameter. $ sudo /usr/lib/systemd/systemd-sysctl --cat-config | egrep -v '^(#|;)' | grep -F kernel.dmesg_restrict | tail -1 kernel.dmesg_restrict = 1 If "kernel.dmesg_restrict" is not set to "1" or is missing, this is a finding.

Fix: F-61462r925377_fix

Configure RHEL 9 to restrict access to the kernel message buffer. Add or edit the following line in a system configuration file, in the "/etc/sysctl.d/" directory: kernel.dmesg_restrict = 1 Load settings from all system configuration files with the following command: $ sudo sysctl --system

b
RHEL 9 must prevent kernel profiling by nonprivileged users.
SC-2 - Medium - CCI-001082 - V-257798 - SV-257798r958514_rule
RMF Control
SC-2
Severity
Medium
CCI
CCI-001082
Version
RHEL-09-213015
Vuln IDs
  • V-257798
Rule IDs
  • SV-257798r958514_rule
Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the actions of prior users/roles (or the actions of processes acting on behalf of prior users/roles) from being available to any current users/roles (or current processes) that obtain access to shared system resources (e.g., registers, main memory, hard disks) after those resources have been released back to information systems. The control of information in shared resources is also commonly referred to as object reuse and residual information protection. This requirement generally applies to the design of an information technology product, but it can also apply to the configuration of particular information system components that are, or use, such products. This can be verified by acceptance/validation processes in DOD or other government agencies. There may be shared resources with configurable protections (e.g., files in storage) that may be assessed on specific information system components. Setting the kernel.perf_event_paranoid kernel parameter to "2" prevents attackers from gaining additional system information as a nonprivileged user. Satisfies: SRG-OS-000132-GPOS-00067, SRG-OS-000138-GPOS-00069
Checks: C-61539r942966_chk

Verify RHEL 9 is configured to prevent kernel profiling by nonprivileged users with the following commands: Check the status of the kernel.perf_event_paranoid kernel parameter. $ sudo sysctl kernel.perf_event_paranoid kernel.perf_event_paranoid = 2 If "kernel.perf_event_paranoid" is not set to "2" or is missing, this is a finding. Check that the configuration files are present to enable this kernel parameter. $ sudo /usr/lib/systemd/systemd-sysctl --cat-config | egrep -v '^(#|;)' | grep -F kernel.perf_event_paranoid | tail -1 kernel.perf_event_paranoid = 2 If "kernel.perf_event_paranoid" is not set to "2" or is missing, this is a finding.

Fix: F-61463r925380_fix

Configure RHEL 9 to prevent kernel profiling by nonprivileged users. Add or edit the following line in a system configuration file, in the "/etc/sysctl.d/" directory: kernel.perf_event_paranoid = 2 Load settings from all system configuration files with the following command: $ sudo sysctl --system

b
RHEL 9 must prevent the loading of a new kernel for later execution.
CM-6 - Medium - CCI-000366 - V-257799 - SV-257799r1015074_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
RHEL-09-213020
Vuln IDs
  • V-257799
Rule IDs
  • SV-257799r1015074_rule
Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor. Disabling kexec_load prevents an unsigned kernel image (that could be a windows kernel or modified vulnerable kernel) from being loaded. Kexec can be used subvert the entire secureboot process and should be avoided at all costs especially since it can load unsigned kernel images. Satisfies: SRG-OS-000480-GPOS-00227, SRG-OS-000366-GPOS-00153
Checks: C-61540r942968_chk

Verify RHEL 9 is configured to disable kernel image loading. Check the status of the kernel.kexec_load_disabled kernel parameter with the following command: $ sudo sysctl kernel.kexec_load_disabled kernel.kexec_load_disabled = 1 If "kernel.kexec_load_disabled" is not set to "1" or is missing, this is a finding. Check that the configuration files are present to enable this kernel parameter with the following command: $ sudo /usr/lib/systemd/systemd-sysctl --cat-config | egrep -v '^(#|;)' | grep -F kernel.kexec_load_disabled | tail -1 kernel.kexec_load_disabled = 1 If "kernel.kexec_load_disabled" is not set to "1" or is missing, this is a finding.

Fix: F-61464r925383_fix

Add or edit the following line in a system configuration file in the "/etc/sysctl.d/" directory: kernel.kexec_load_disabled = 1 Load settings from all system configuration files with the following command: $ sudo sysctl --system

b
RHEL 9 must restrict exposed kernel pointer addresses access.
CM-6 - Medium - CCI-000366 - V-257800 - SV-257800r958514_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
RHEL-09-213025
Vuln IDs
  • V-257800
Rule IDs
  • SV-257800r958514_rule
Exposing kernel pointers (through procfs or "seq_printf()") exposes kernel writeable structures, which may contain functions pointers. If a write vulnerability occurs in the kernel, allowing write access to any of this structure, the kernel can be compromised. This option disallows any program without the CAP_SYSLOG capability to get the addresses of kernel pointers by replacing them with "0". Satisfies: SRG-OS-000132-GPOS-00067, SRG-OS-000433-GPOS-00192, SRG-OS-000480-GPOS-00227
Checks: C-61541r942970_chk

Verify the runtime status of the kernel.kptr_restrict kernel parameter with the following command: $ sudo sysctl kernel.kptr_restrict kernel.kptr_restrict = 1 Verify the configuration of the kernel.kptr_restrict kernel parameter with the following command: $ sudo /usr/lib/systemd/systemd-sysctl --cat-config | egrep -v '^(#|;)' | grep -F kernel.kptr_restrict | tail -1 kernel.kptr_restrict =1 If "kernel.kptr_restrict" is not set to "1" or is missing, this is a finding.

Fix: F-61465r925386_fix

Add or edit the following line in a system configuration file in the "/etc/sysctl.d/" directory: kernel.kptr_restrict = 1 Reload settings from all system configuration files with the following command: $ sudo sysctl --system

b
RHEL 9 must enable kernel parameters to enforce discretionary access control on hardlinks.
AC-3 - Medium - CCI-002165 - V-257801 - SV-257801r958702_rule
RMF Control
AC-3
Severity
Medium
CCI
CCI-002165
Version
RHEL-09-213030
Vuln IDs
  • V-257801
Rule IDs
  • SV-257801r958702_rule
By enabling the fs.protected_hardlinks kernel parameter, users can no longer create soft or hard links to files they do not own. Disallowing such hardlinks mitigates vulnerabilities based on insecure file system accessed by privileged programs, avoiding an exploitation vector exploiting unsafe use of open() or creat(). Satisfies: SRG-OS-000312-GPOS-00123, SRG-OS-000324-GPOS-00125
Checks: C-61542r925388_chk

Verify RHEL 9 is configured to enable DAC on hardlinks. Check the status of the fs.protected_hardlinks kernel parameter with the following command: $ sudo sysctl fs.protected_hardlinks fs.protected_hardlinks = 1 If "fs.protected_hardlinks" is not set to "1" or is missing, this is a finding. Check that the configuration files are present to enable this kernel parameter. $ sudo /usr/lib/systemd/systemd-sysctl --cat-config | egrep -v '^(#|;)' | grep -F fs.protected_hardlinks | tail -1 fs.protected_hardlinks = 1 If "fs.protected_hardlinks" is not set to "1" or is missing, this is a finding.

Fix: F-61466r925389_fix

Configure RHEL 9 to enable DAC on hardlinks with the following: Add or edit the following line in a system configuration file in the "/etc/sysctl.d/" directory: fs.protected_hardlinks = 1 Load settings from all system configuration files with the following command: $ sudo sysctl --system

b
RHEL 9 must enable kernel parameters to enforce discretionary access control on symlinks.
AC-3 - Medium - CCI-002165 - V-257802 - SV-257802r958702_rule
RMF Control
AC-3
Severity
Medium
CCI
CCI-002165
Version
RHEL-09-213035
Vuln IDs
  • V-257802
Rule IDs
  • SV-257802r958702_rule
By enabling the fs.protected_symlinks kernel parameter, symbolic links are permitted to be followed only when outside a sticky world-writable directory, or when the user identifier (UID) of the link and follower match, or when the directory owner matches the symlink's owner. Disallowing such symlinks helps mitigate vulnerabilities based on insecure file system accessed by privileged programs, avoiding an exploitation vector exploiting unsafe use of open() or creat(). Satisfies: SRG-OS-000312-GPOS-00123, SRG-OS-000324-GPOS-00125
Checks: C-61543r925391_chk

Verify RHEL 9 is configured to enable DAC on symlinks. Check the status of the fs.protected_symlinks kernel parameter with the following command: $ sudo sysctl fs.protected_symlinks fs.protected_symlinks = 1 If "fs.protected_symlinks " is not set to "1" or is missing, this is a finding. Check that the configuration files are present to enable this kernel parameter. $ sudo /usr/lib/systemd/systemd-sysctl --cat-config | egrep -v '^(#|;)' | grep -F fs.protected_symlinks | tail -1 fs.protected_symlinks = 1 If "fs.protected_symlinks" is not set to "1" or is missing, this is a finding.

Fix: F-61467r925392_fix

Configure RHEL 9 to enable DAC on symlinks with the following: Add or edit the following line in a system configuration file in the "/etc/sysctl.d/" directory: fs.protected_symlinks = 1 Load settings from all system configuration files with the following command: $ sudo sysctl --system

b
RHEL 9 must disable the kernel.core_pattern.
CM-6 - Medium - CCI-000366 - V-257803 - SV-257803r991589_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
RHEL-09-213040
Vuln IDs
  • V-257803
Rule IDs
  • SV-257803r991589_rule
A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers trying to debug problems.
Checks: C-61544r942972_chk

Verify RHEL 9 disables storing core dumps with the following commands: $ sudo sysctl kernel.core_pattern kernel.core_pattern = |/bin/false If the returned line does not have a value of "|/bin/false", or a line is not returned and the need for core dumps is not documented with the information system security officer (ISSO) as an operational requirement, this is a finding. Check that the configuration files are present to disable core dump storage. $ sudo /usr/lib/systemd/systemd-sysctl --cat-config | egrep -v '^(#|;)' | grep -F kernel.core_pattern | tail -1 kernel.core_pattern = |/bin/false If "kernel.core_pattern" is not set to "|/bin/false" and is not documented with the ISSO as an operational requirement, or is missing, this is a finding.

Fix: F-61468r925395_fix

Configure RHEL 9 to disable storing core dumps. Add or edit the following line in a system configuration file, in the "/etc/sysctl.d/" directory: kernel.core_pattern = |/bin/false The system configuration files need to be reloaded for the changes to take effect. To reload the contents of the files, run the following command: $ sudo sysctl --system

b
RHEL 9 must be configured to disable the Asynchronous Transfer Mode kernel module.
CM-7 - Medium - CCI-000381 - V-257804 - SV-257804r958478_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
RHEL-09-213045
Vuln IDs
  • V-257804
Rule IDs
  • SV-257804r958478_rule
Disabling Asynchronous Transfer Mode (ATM) protects the system against exploitation of any flaws in its implementation.
Checks: C-61545r925397_chk

Verify that RHEL 9 disables the ability to load the ATM kernel module with the following command: $ sudo grep -r atm /etc/modprobe.conf /etc/modprobe.d/* blacklist atm If the command does not return any output, or the line is commented out, and use of ATM is not documented with the information system security officer (ISSO) as an operational requirement, this is a finding.

Fix: F-61469r925398_fix

To configure the system to prevent the atm kernel module from being loaded, add the following line to the file /etc/modprobe.d/atm.conf (or create atm.conf if it does not exist): install atm /bin/false blacklist atm

b
RHEL 9 must be configured to disable the Controller Area Network kernel module.
CM-7 - Medium - CCI-000381 - V-257805 - SV-257805r958478_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
RHEL-09-213050
Vuln IDs
  • V-257805
Rule IDs
  • SV-257805r958478_rule
Disabling Controller Area Network (CAN) protects the system against exploitation of any flaws in its implementation.
Checks: C-61546r925400_chk

Verify that RHEL 9 disables the ability to load the CAN kernel module with the following command: $ sudo grep -r can /etc/modprobe.conf /etc/modprobe.d/* blacklist can If the command does not return any output, or the line is commented out, and use of CAN is not documented with the information system security officer (ISSO) as an operational requirement, this is a finding.

Fix: F-61470r925401_fix

To configure the system to prevent the can kernel module from being loaded, add the following line to the file /etc/modprobe.d/can.conf (or create atm.conf if it does not exist): install can /bin/false blacklist can

b
RHEL 9 must be configured to disable the FireWire kernel module.
CM-7 - Medium - CCI-000381 - V-257806 - SV-257806r958478_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
RHEL-09-213055
Vuln IDs
  • V-257806
Rule IDs
  • SV-257806r958478_rule
Disabling firewire protects the system against exploitation of any flaws in its implementation.
Checks: C-61547r925403_chk

Verify that RHEL 9 disables the ability to load the firewire-core kernel module with the following command: $ sudo grep -r firewire-core /etc/modprobe.conf /etc/modprobe.d/* blacklist firewire-core If the command does not return any output, or the line is commented out, and use of firewire-core is not documented with the information system security officer (ISSO) as an operational requirement, this is a finding.

Fix: F-61471r942954_fix

To configure the system to prevent the firewire-core kernel module from being loaded, add the following line to the file /etc/modprobe.d/firewire-core.conf (or create firewire-core.conf if it does not exist): install firewire-core /bin/false blacklist firewire-core

b
RHEL 9 must disable the Stream Control Transmission Protocol (SCTP) kernel module.
CM-7 - Medium - CCI-000381 - V-257807 - SV-257807r958478_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
RHEL-09-213060
Vuln IDs
  • V-257807
Rule IDs
  • SV-257807r958478_rule
It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. Failing to disconnect unused protocols can result in a system compromise. The Stream Control Transmission Protocol (SCTP) is a transport layer protocol, designed to support the idea of message-oriented communication, with several streams of messages within one connection. Disabling SCTP protects the system against exploitation of any flaws in its implementation.
Checks: C-61548r925406_chk

Verify that RHEL 9 disables the ability to load the sctp kernel module with the following command: $ sudo grep -r sctp /etc/modprobe.conf /etc/modprobe.d/* blacklist sctp If the command does not return any output, or the line is commented out, and use of sctp is not documented with the information system security officer (ISSO) as an operational requirement, this is a finding.

Fix: F-61472r952165_fix

To configure the system to prevent the sctp kernel module from being loaded, add the following line to the file /etc/modprobe.d/sctp.conf (or create sctp.conf if it does not exist): install sctp /bin/false blacklist sctp

b
RHEL 9 must disable the Transparent Inter Process Communication (TIPC) kernel module.
CM-7 - Medium - CCI-000381 - V-257808 - SV-257808r958478_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
RHEL-09-213065
Vuln IDs
  • V-257808
Rule IDs
  • SV-257808r958478_rule
It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. Failing to disconnect unused protocols can result in a system compromise. The Transparent Inter Process Communication (TIPC) is a protocol that is specially designed for intra-cluster communication. It can be configured to transmit messages either on UDP or directly across Ethernet. Message delivery is sequence guaranteed, loss free and flow controlled. Disabling TIPC protects the system against exploitation of any flaws in its implementation.
Checks: C-61549r925409_chk

Verify that RHEL 9 disables the ability to load the tipc kernel module with the following command: $ sudo grep -r tipc /etc/modprobe.conf /etc/modprobe.d/* blacklist tipc If the command does not return any output, or the line is commented out, and use of tipc is not documented with the information system security officer (ISSO) as an operational requirement, this is a finding.

Fix: F-61473r925410_fix

To configure the system to prevent the tipc kernel module from being loaded, add the following line to the file /etc/modprobe.d/tipc.conf (or create tipc.conf if it does not exist): install tipc /bin/false blacklist tipc

b
RHEL 9 must implement address space layout randomization (ASLR) to protect its memory from unauthorized code execution.
CM-6 - Medium - CCI-000366 - V-257809 - SV-257809r958928_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
RHEL-09-213070
Vuln IDs
  • V-257809
Rule IDs
  • SV-257809r958928_rule
Address space layout randomization (ASLR) makes it more difficult for an attacker to predict the location of attack code they have introduced into a process' address space during an attempt at exploitation. Additionally, ASLR makes it more difficult for an attacker to know the location of existing code in order to repurpose it using return oriented programming (ROP) techniques. Satisfies: SRG-OS-000433-GPOS-00193, SRG-OS-000480-GPOS-00227
Checks: C-61550r942974_chk

Verify RHEL 9 is implementing ASLR with the following command: $ sudo sysctl kernel.randomize_va_space kernel.randomize_va_space = 2 Check that the configuration files are present to enable this kernel parameter. Verify the configuration of the kernel.kptr_restrict kernel parameter with the following command: $ sudo /usr/lib/systemd/systemd-sysctl --cat-config | egrep -v '^(#|;)' | grep -F kernel.randomize_va_space | tail -1 kernel.randomize_va_space = 2 If "kernel.randomize_va_space" is not set to "2" or is missing, this is a finding.

Fix: F-61474r925413_fix

Add or edit the following line in a system configuration file in the "/etc/sysctl.d/" directory: kernel.randomize_va_space = 2 Reload settings from all system configuration files with the following command: $ sudo sysctl --system

b
RHEL 9 must disable access to network bpf system call from nonprivileged processes.
CM-6 - Medium - CCI-000366 - V-257810 - SV-257810r958514_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
RHEL-09-213075
Vuln IDs
  • V-257810
Rule IDs
  • SV-257810r958514_rule
Loading and accessing the packet filters programs and maps using the bpf() system call has the potential of revealing sensitive information about the kernel state. Satisfies: SRG-OS-000132-GPOS-00067, SRG-OS-000480-GPOS-00227
Checks: C-61551r952167_chk

Verify that RHEL 9 prevents privilege escalation through the kernel by disabling access to the bpf system call with the following commands: $ sudo sysctl kernel.unprivileged_bpf_disabled kernel.unprivileged_bpf_disabled = 1 If the returned line does not have a value of "1", or a line is not returned, this is a finding. Check that the configuration files are present to enable this kernel parameter. $ sudo /usr/lib/systemd/systemd-sysctl --cat-config | egrep -v '^(#|;)' | grep -F kernel.unprivileged_bpf_disabled | tail -1 kernel.unprivileged_bpf_disabled = 1 If the network parameter "kernel.unprivileged_bpf_disabled" is not equal to "1", or nothing is returned, this is a finding.

Fix: F-61475r925416_fix

Configure RHEL 9 to prevent privilege escalation thru the kernel by disabling access to the bpf syscall by adding the following line to a file, in the "/etc/sysctl.d" directory: kernel.unprivileged_bpf_disabled = 1 The system configuration files need to be reloaded for the changes to take effect. To reload the contents of the files, run the following command: $ sudo sysctl --system

b
RHEL 9 must restrict usage of ptrace to descendant processes.
CM-6 - Medium - CCI-000366 - V-257811 - SV-257811r958514_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
RHEL-09-213080
Vuln IDs
  • V-257811
Rule IDs
  • SV-257811r958514_rule
Unrestricted usage of ptrace allows compromised binaries to run ptrace on other processes of the user. Like this, the attacker can steal sensitive information from the target processes (e.g., SSH sessions, web browser, etc.) without any additional assistance from the user (i.e., without resorting to phishing). Satisfies: SRG-OS-000132-GPOS-00067, SRG-OS-000480-GPOS-00227
Checks: C-61552r942978_chk

Verify RHEL 9 restricts usage of ptrace to descendant processes with the following commands: $ sudo sysctl kernel.yama.ptrace_scope kernel.yama.ptrace_scope = 1 If the returned line does not have a value of "1", or a line is not returned, this is a finding. Check that the configuration files are present to enable this kernel parameter. $ sudo /usr/lib/systemd/systemd-sysctl --cat-config | egrep -v '^(#|;)' | grep -F kernel.yama.ptrace_scope| tail -1 kernel.yama.ptrace_scope = 1 If the network parameter "kernel.yama.ptrace_scope" is not equal to "1", or nothing is returned, this is a finding.

Fix: F-61476r925419_fix

Configure RHEL 9 to restrict usage of ptrace to descendant processes by adding the following line to a file, in the "/etc/sysctl.d" directory: kernel.yama.ptrace_scope = 1 The system configuration files need to be reloaded for the changes to take effect. To reload the contents of the files, run the following command: $ sudo sysctl --system

b
RHEL 9 must disable core dump backtraces.
CM-6 - Medium - CCI-000366 - V-257812 - SV-257812r991589_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
RHEL-09-213085
Vuln IDs
  • V-257812
Rule IDs
  • SV-257812r991589_rule
A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers or system operators trying to debug problems. Enabling core dumps on production systems is not recommended; however, there may be overriding operational requirements to enable advanced debugging. Permitting temporary enablement of core dumps during such situations must be reviewed through local needs and policy.
Checks: C-61553r925421_chk

Verify RHEL 9 disables core dump backtraces by issuing the following command: $ grep -i process /etc/systemd/coredump.conf ProcessSizeMax=0 If the "ProcessSizeMax" item is missing, commented out, or the value is anything other than "0" and the need for core dumps is not documented with the information system security officer (ISSO) as an operational requirement for all domains that have the "core" item assigned, this is a finding.

Fix: F-61477r925422_fix

Configure the operating system to disable core dump backtraces. Add or modify the following line in /etc/systemd/coredump.conf: ProcessSizeMax=0

b
RHEL 9 must disable storing core dumps.
CM-6 - Medium - CCI-000366 - V-257813 - SV-257813r991589_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
RHEL-09-213090
Vuln IDs
  • V-257813
Rule IDs
  • SV-257813r991589_rule
A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers or system operators trying to debug problems. Enabling core dumps on production systems is not recommended; however, there may be overriding operational requirements to enable advanced debugging. Permitting temporary enablement of core dumps during such situations must be reviewed through local needs and policy.
Checks: C-61554r925424_chk

Verify RHEL 9 disables storing core dumps for all users by issuing the following command: $ grep -i storage /etc/systemd/coredump.conf Storage=none If the "Storage" item is missing, commented out, or the value is anything other than "none" and the need for core dumps is not documented with the information system security officer (ISSO) as an operational requirement for all domains that have the "core" item assigned, this is a finding.

Fix: F-61478r925425_fix

Configure the operating system to disable storing core dumps for all users. Add or modify the following line in /etc/systemd/coredump.conf: Storage=none

b
RHEL 9 must disable core dumps for all users.
CM-6 - Medium - CCI-000366 - V-257814 - SV-257814r991589_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
RHEL-09-213095
Vuln IDs
  • V-257814
Rule IDs
  • SV-257814r991589_rule
A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers trying to debug problems.
Checks: C-61555r925427_chk

Verify RHEL 9 disables core dumps for all users by issuing the following command: $ grep -r -s core /etc/security/limits.conf /etc/security/limits.d/*.conf /etc/security/limits.conf:* hard core 0 This can be set as a global domain (with the * wildcard) but may be set differently for multiple domains. If the "core" item is missing, commented out, or the value is anything other than "0" and the need for core dumps is not documented with the information system security officer (ISSO) as an operational requirement for all domains that have the "core" item assigned, this is a finding.

Fix: F-61479r925428_fix

Configure the operating system to disable core dumps for all users. Add the following line to the top of the /etc/security/limits.conf or in a single ".conf" file defined in /etc/security/limits.d/: * hard core 0

b
RHEL 9 must disable acquiring, saving, and processing core dumps.
CM-6 - Medium - CCI-000366 - V-257815 - SV-257815r991589_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
RHEL-09-213100
Vuln IDs
  • V-257815
Rule IDs
  • SV-257815r991589_rule
A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers trying to debug problems.
Checks: C-61556r925430_chk

Verify RHEL 9 is not configured to acquire, save, or process core dumps with the following command: $ sudo systemctl status systemd-coredump.socket systemd-coredump.socket Loaded: masked (Reason: Unit systemd-coredump.socket is masked.) Active: inactive (dead) If the "systemd-coredump.socket" is loaded and not masked and the need for core dumps is not documented with the information system security officer (ISSO) as an operational requirement, this is a finding.

Fix: F-61480r925431_fix

Configure the system to disable the systemd-coredump.socket with the following command: $ sudo systemctl mask --now systemd-coredump.socket Created symlink /etc/systemd/system/systemd-coredump.socket -> /dev/null Reload the daemon for this change to take effect. $ sudo systemctl daemon-reload

b
RHEL 9 must disable the use of user namespaces.
CM-6 - Medium - CCI-000366 - V-257816 - SV-257816r1014825_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
RHEL-09-213105
Vuln IDs
  • V-257816
Rule IDs
  • SV-257816r1014825_rule
User namespaces are used primarily for Linux containers. The value "0" disallows the use of user namespaces.
Checks: C-61557r1014823_chk

Verify RHEL 9 disables the use of user namespaces with the following commands: $ sudo sysctl user.max_user_namespaces user.max_user_namespaces = 0 If the returned line does not have a value of "0", or a line is not returned, this is a finding. Check that the configuration files are present to enable this kernel parameter. $ sudo /usr/lib/systemd/systemd-sysctl --cat-config | egrep -v '^(#|;)' | grep -F user.max_user_namespaces | tail -1 user.max_user_namespaces = 0 If the network parameter "user.max_user_namespaces" is not equal to "0", or nothing is returned, this is a finding. If the use of namespaces is operationally required and documented with the information system security manager (ISSM), this is not a finding.

Fix: F-61481r1014824_fix

Configure RHEL 9 to disable the use of user namespaces by adding the following line to a file, in the "/etc/sysctl.d" directory: user.max_user_namespaces = 0 The system configuration files need to be reloaded for the changes to take effect. To reload the contents of the files, run the following command: $ sudo sysctl --system

b
RHEL 9 must implement nonexecutable data to protect its memory from unauthorized code execution.
SI-16 - Medium - CCI-002824 - V-257817 - SV-257817r958928_rule
RMF Control
SI-16
Severity
Medium
CCI
CCI-002824
Version
RHEL-09-213110
Vuln IDs
  • V-257817
Rule IDs
  • SV-257817r958928_rule
ExecShield uses the segmentation feature on all x86 systems to prevent execution in memory higher than a certain address. It writes an address as a limit in the code segment descriptor, to control where code can be executed, on a per-process basis. When the kernel places a process's memory regions such as the stack and heap higher than this address, the hardware prevents execution in that address range. This is enabled by default on the latest Red Hat and Fedora systems if supported by the hardware.
Checks: C-61558r925436_chk

Verify ExecShield is enabled on 64-bit RHEL 9 systems with the following command: $ sudo dmesg | grep '[NX|DX]*protection' [ 0.000000] NX (Execute Disable) protection: active If "dmesg" does not show "NX (Execute Disable) protection" active, this is a finding.

Fix: F-61482r925437_fix

Update the GRUB 2 bootloader configuration. Run the following command: $ sudo grubby --update-kernel=ALL --remove-args=noexec

b
The kdump service on RHEL 9 must be disabled.
CM-6 - Medium - CCI-000366 - V-257818 - SV-257818r991589_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
RHEL-09-213115
Vuln IDs
  • V-257818
Rule IDs
  • SV-257818r991589_rule
Kernel core dumps may contain the full contents of system memory at the time of the crash. Kernel core dumps consume a considerable amount of disk space and may result in denial of service by exhausting the available space on the target file system partition. Unless the system is used for kernel development or testing, there is little need to run the kdump service.
Checks: C-61559r925439_chk

Verify that the kdump service is disabled in system boot configuration with the following command: $ systemctl is-enabled kdump disabled Verify that the kdump service is not active (i.e., not running) through current runtime configuration with the following command: $ systemctl is-active kdump inactive Verify that the kdump service is masked with the following command: $ sudo systemctl show kdump | grep "LoadState\|UnitFileState" LoadState=masked UnitFileState=masked If the "kdump" service is loaded or active, and is not masked, this is a finding.

Fix: F-61483r925440_fix

Disable and mask the kdump service on RHEL 9. To disable the kdump service run the following command: $ sudo systemctl disable --now kdump To mask the kdump service run the following command: $ sudo systemctl mask --now kdump

b
RHEL 9 must ensure cryptographic verification of vendor software packages.
- Medium - CCI-003992 - V-257819 - SV-257819r1015075_rule
RMF Control
Severity
Medium
CCI
CCI-003992
Version
RHEL-09-214010
Vuln IDs
  • V-257819
Rule IDs
  • SV-257819r1015075_rule
Cryptographic verification of vendor software packages ensures that all software packages are obtained from a valid source and protects against spoofing that could lead to installation of malware on the system. Red Hat cryptographically signs all software packages, which includes updates, with a GPG key to verify that they are valid.
Checks: C-61560r925442_chk

Confirm Red Hat package-signing keys are installed on the system and verify their fingerprints match vendor values. Note: For RHEL 9 software packages, Red Hat uses GPG keys labeled "release key 2" and "auxiliary key 3". The keys are defined in key file "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release" by default. List Red Hat GPG keys installed on the system: $ sudo rpm -q --queryformat "%{SUMMARY}\n" gpg-pubkey | grep -i "red hat" Red Hat, Inc. (release key 2) &lt;security@redhat.com&gt; public key Red Hat, Inc. (auxiliary key 3) &lt;security@redhat.com&gt; public key If Red Hat GPG keys "release key 2" and "auxiliary key 3" are not installed, this is a finding. List key fingerprints of installed Red Hat GPG keys: $ sudo gpg -q --keyid-format short --with-fingerprint /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release If key file "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release" is missing, this is a finding. Example output: pub rsa4096/FD431D51 2009-10-22 [SC] Key fingerprint = 567E 347A D004 4ADE 55BA 8A5F 199E 2F91 FD43 1D51 uid Red Hat, Inc. (release key 2) &lt;security@redhat.com&gt; pub rsa4096/5A6340B3 2022-03-09 [SC] Key fingerprint = 7E46 2425 8C40 6535 D56D 6F13 5054 E4A4 5A63 40B3 uid Red Hat, Inc. (auxiliary key 3) &lt;security@redhat.com&gt; Compare key fingerprints of installed Red Hat GPG keys with fingerprints listed for RHEL 9 on Red Hat "Product Signing Keys" webpage at https://access.redhat.com/security/team/key. If key fingerprints do not match, this is a finding.

Fix: F-61484r925443_fix

Install Red Hat package-signing keys on the system and verify their fingerprints match vendor values. Insert RHEL 9 installation disc or attach RHEL 9 installation image to the system. Mount the disc or image to make the contents accessible inside the system. Assuming the mounted location is "/media/cdrom", use the following command to copy Red Hat GPG key file onto the system: $ sudo cp /media/cdrom/RPM-GPG-KEY-redhat-release /etc/pki/rpm-gpg/ Import Red Hat GPG keys from key file into system keyring: $ sudo rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release Using the steps listed in the Check Text, confirm the newly imported keys show as installed on the system and verify their fingerprints match vendor values.

c
RHEL 9 must check the GPG signature of software packages originating from external software repositories before installation.
- High - CCI-003992 - V-257820 - SV-257820r1015076_rule
RMF Control
Severity
High
CCI
CCI-003992
Version
RHEL-09-214015
Vuln IDs
  • V-257820
Rule IDs
  • SV-257820r1015076_rule
Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor. All software packages must be signed with a cryptographic key recognized and approved by the organization. Verifying the authenticity of software prior to installation validates the integrity of the software package received from a vendor. This verifies the software has not been tampered with and that it has been provided by a trusted vendor.
Checks: C-61561r925445_chk

Verify that dnf always checks the GPG signature of software packages originating from external software repositories before installation: $ grep gpgcheck /etc/dnf/dnf.conf gpgcheck=1 If "gpgcheck" is not set to "1", or if the option is missing or commented out, ask the system administrator how the GPG signatures of software packages are being verified. If there is no process to verify GPG signatures that is approved by the organization, this is a finding.

Fix: F-61485r925446_fix

Configure dnf to always check the GPG signature of software packages originating from external software repositories before installation. Add or update the following line in the [main] section of the /etc/dnf/dnf.conf file: gpgcheck=1

c
RHEL 9 must check the GPG signature of locally installed software packages before installation.
- High - CCI-003992 - V-257821 - SV-257821r1015077_rule
RMF Control
Severity
High
CCI
CCI-003992
Version
RHEL-09-214020
Vuln IDs
  • V-257821
Rule IDs
  • SV-257821r1015077_rule
Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor. All software packages must be signed with a cryptographic key recognized and approved by the organization. Verifying the authenticity of software prior to installation validates the integrity of the software package received from a vendor. This verifies the software has not been tampered with and that it has been provided by a trusted vendor.
Checks: C-61562r925448_chk

Verify that dnf always checks the GPG signature of locally installed software packages before installation: $ grep localpkg_gpgcheck /etc/dnf/dnf.conf localpkg_gpgcheck=1 If "localpkg_gpgcheck" is not set to "1", or if the option is missing or commented out, ask the system administrator how the GPG signatures of local software packages are being verified. If there is no process to verify GPG signatures that is approved by the organization, this is a finding.

Fix: F-61486r925449_fix

Configure dnf to always check the GPG signature of local software packages before installation. Add or update the following line in the [main] section of the /etc/dnf/dnf.conf file: localpkg_gpgcheck=1

c
RHEL 9 must have GPG signature verification enabled for all software repositories.
- High - CCI-003992 - V-257822 - SV-257822r1015078_rule
RMF Control
Severity
High
CCI
CCI-003992
Version
RHEL-09-214025
Vuln IDs
  • V-257822
Rule IDs
  • SV-257822r1015078_rule
Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor. All software packages must be signed with a cryptographic key recognized and approved by the organization. Verifying the authenticity of software prior to installation validates the integrity of the software package received from a vendor. This verifies the software has not been tampered with and that it has been provided by a trusted vendor.
Checks: C-61563r925451_chk

Verify that all software repositories defined in "/etc/yum.repos.d/" have been configured with "gpgcheck" enabled: $ grep gpgcheck /etc/yum.repos.d/*.repo | more gpgcheck = 1 If "gpgcheck" is not set to "1" for all returned lines, this is a finding.

Fix: F-61487r925452_fix

Configure all software repositories defined in "/etc/yum.repos.d/" to have "gpgcheck" enabled: $ sudo sed -i 's/gpgcheck\s*=.*/gpgcheck=1/g' /etc/yum.repos.d/*

b
RHEL 9 must be configured so that the cryptographic hashes of system files match vendor values.
CM-6 - Medium - CCI-000366 - V-257823 - SV-257823r991589_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
RHEL-09-214030
Vuln IDs
  • V-257823
Rule IDs
  • SV-257823r991589_rule
The hashes of important files like system executables should match the information given by the RPM database. Executables with erroneous hashes could be a sign of nefarious activity on the system.
Checks: C-61564r925454_chk

The following command will list which files on the system have file hashes different from what is expected by the RPM database: $ rpm -Va --noconfig | awk '$1 ~ /..5/ &amp;&amp; $2 != "c"' If there is output, this is a finding.

Fix: F-61488r925455_fix

Given output from the check command, identify the package that provides the output and reinstall it. The following trimmed example output shows a package that has failed verification, been identified, and been reinstalled: $ rpm -Va --noconfig | awk '$1 ~ /..5/ && $2 != "c"' S.5....T. /usr/bin/znew $ sudo dnf provides /usr/bin/znew [...] gzip-1.10-8.el9.x86_64 : The GNU data compression program [...] $ sudo dnf reinstall gzip [...] $ rpm -Va --noconfig | awk '$1 ~ /..5/ && $2 != "c"' [no output]

a
RHEL 9 must remove all software components after updated versions have been installed.
SI-2 - Low - CCI-002617 - V-257824 - SV-257824r958936_rule
RMF Control
SI-2
Severity
Low
CCI
CCI-002617
Version
RHEL-09-214035
Vuln IDs
  • V-257824
Rule IDs
  • SV-257824r958936_rule
Previous versions of software components that are not removed from the information system after updates have been installed may be exploited by some adversaries.
Checks: C-61565r925457_chk

Verify RHEL 9 removes all software components after updated versions have been installed with the following command: $ grep clean /etc/dnf/dnf.conf clean_requirements_on_remove=1 If "clean_requirements_on_remove" is not set to "1", this is a finding.

Fix: F-61489r925458_fix

Configure RHEL 9 to remove all software components after updated versions have been installed. Edit the file /etc/dnf/dnf.conf by adding or editing the following line: clean_requirements_on_remove=1

b
RHEL 9 subscription-manager package must be installed.
- Medium - CCI-003992 - V-257825 - SV-257825r1015079_rule
RMF Control
Severity
Medium
CCI
CCI-003992
Version
RHEL-09-215010
Vuln IDs
  • V-257825
Rule IDs
  • SV-257825r1015079_rule
The Red Hat Subscription Manager application manages software subscriptions and software repositories for installed software products on the local system. It communicates with backend servers, such as the Red Hat Customer Portal or an on-premise instance of Subscription Asset Manager, to register the local system and grant access to software resources determined by the subscription entitlement.
Checks: C-61566r925460_chk

Verify that RHEL 9 subscription-manager package is installed with the following command: $ sudo dnf list --installed subscription-manager Example output: subscription-manager.x86_64 1.29.26-3.el9_0 If the "subscription-manager" package is not installed, this is a finding.

Fix: F-61490r925461_fix

The subscription-manager package can be installed with the following command: $ sudo dnf install subscription-manager

c
RHEL 9 must not have a File Transfer Protocol (FTP) server package installed.
IA-5 - High - CCI-000197 - V-257826 - SV-257826r987796_rule
RMF Control
IA-5
Severity
High
CCI
CCI-000197
Version
RHEL-09-215015
Vuln IDs
  • V-257826
Rule IDs
  • SV-257826r987796_rule
The FTP service provides an unencrypted remote access that does not provide for the confidentiality and integrity of user passwords or the remote session. If a privileged user were to log on using this service, the privileged user password could be compromised. SSH or other encrypted file transfer methods must be used in place of this service. Removing the "vsftpd" package decreases the risk of accidental activation. Satisfies: SRG-OS-000074-GPOS-00042, SRG-OS-000095-GPOS-00049, SRG-OS-000480-GPOS-00227
Checks: C-61567r925463_chk

Verify that RHEL 9 does not have a File Transfer Protocol (FTP) server package installed with the following command: $ sudo dnf list --installed | grep ftp If the "ftp" package is installed, this is a finding.

Fix: F-61491r925464_fix

The ftp package can be removed with the following command (using vsftpd as an example): $ sudo dnf remove vsftpd

b
RHEL 9 must not have the sendmail package installed.
CM-6 - Medium - CCI-000366 - V-257827 - SV-257827r991589_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
RHEL-09-215020
Vuln IDs
  • V-257827
Rule IDs
  • SV-257827r991589_rule
The sendmail software was not developed with security in mind, and its design prevents it from being effectively contained by SELinux. Postfix must be used instead. Satisfies: SRG-OS-000480-GPOS-00227, SRG-OS-000095-GPOS-00049
Checks: C-61568r925466_chk

Verify that the sendmail package is not installed with the following command: $ sudo dnf list --installed sendmail Error: No matching Packages to list If the "sendmail" package is installed, this is a finding.

Fix: F-61492r925467_fix

Remove the sendmail package with the following command: $ sudo dnf remove sendmail

b
RHEL 9 must not have the nfs-utils package installed.
CM-7 - Medium - CCI-000381 - V-257828 - SV-257828r958478_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
RHEL-09-215025
Vuln IDs
  • V-257828
Rule IDs
  • SV-257828r958478_rule
"nfs-utils" provides a daemon for the kernel NFS server and related tools. This package also contains the "showmount" program. "showmount" queries the mount daemon on a remote host for information about the Network File System (NFS) server on the remote host. For example, "showmount" can display the clients that are mounted on that host.
Checks: C-61569r925469_chk

Verify that the nfs-utils package is not installed with the following command: $ sudo dnf list --installed nfs-utils Error: No matching Packages to list If the "nfs-utils" package is installed, this is a finding.

Fix: F-61493r925470_fix

Remove the nfs-utils package with the following command: $ sudo dnf remove nfs-utils

b
RHEL 9 must not have the ypserv package installed.
CM-7 - Medium - CCI-000381 - V-257829 - SV-257829r958478_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
RHEL-09-215030
Vuln IDs
  • V-257829
Rule IDs
  • SV-257829r958478_rule
The NIS service provides an unencrypted authentication service, which does not provide for the confidentiality and integrity of user passwords or the remote session. Removing the "ypserv" package decreases the risk of the accidental (or intentional) activation of NIS or NIS+ services.
Checks: C-61570r925472_chk

Verify that the ypserv package is not installed with the following command: $ sudo dnf list --installed ypserv Error: No matching Packages to list If the "ypserv" package is installed, this is a finding.

Fix: F-61494r925473_fix

Remove the ypserv package with the following command: $ sudo dnf remove ypserv

b
RHEL 9 must not have the rsh-server package installed.
CM-7 - Medium - CCI-000381 - V-257830 - SV-257830r958478_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
RHEL-09-215035
Vuln IDs
  • V-257830
Rule IDs
  • SV-257830r958478_rule
The "rsh-server" service provides unencrypted remote access service, which does not provide for the confidentiality and integrity of user passwords or the remote session and has very weak authentication. If a privileged user were to login using this service, the privileged user password could be compromised. The "rsh-server" package provides several obsolete and insecure network services. Removing it decreases the risk of accidental (or intentional) activation of those services.
Checks: C-61571r925475_chk

Verify that the rsh-server package is not installed with the following command: $ sudo dnf list --installed rsh-server Error: No matching Packages to list If the "rsh-server" package is installed, this is a finding.

Fix: F-61495r925476_fix

Remove the rsh-server package with the following command: $ sudo dnf remove rsh-server

b
RHEL 9 must not have the telnet-server package installed.
CM-7 - Medium - CCI-000381 - V-257831 - SV-257831r958478_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000381
Version
RHEL-09-215040
Vuln IDs
  • V-257831
Rule IDs
  • SV-257831r958478_rule
It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities are often overlooked and therefore, may remain unsecure. They increase the risk to the platform by providing additional attack vectors. The telnet service provides an unencrypted remote access service, which does not provide for the confidentiality and integrity of user passwords or the remote session. If a privileged user were to login using this service, the privileged user password could be compromised. Removing the "telnet-server" package decreases the risk of accidental (or intentional) activation of the telnet service.
Checks: C-61572r925478_chk

Verify that the telnet-server package is not installed with the following command: $ sudo dnf list --installed telnet-server Error: No matching Packages to list If the "telnet-server" package is installed, this is a finding.

Fix: F-61496r925479_fix

Remove the telnet-server package with the following command: $ sudo dnf remove telnet-server

b
RHEL 9 must not have the gssproxy package installed.
CM-6 - Medium - CCI-000366 - V-257832 - SV-257832r958478_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
RHEL-09-215045
Vuln IDs
  • V-257832
Rule IDs
  • SV-257832r958478_rule
It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore, may remain unsecured. They increase the risk to the platform by providing additional attack vectors. Operating systems are capable of providing a wide variety of functions and services. Some of the functions and services provided by default may not be necessary to support essential organizational operations (e.g., key missions, functions). The gssproxy package is a proxy for GSS API credential handling and could expose secrets on some networks. It is not needed for normal function of the OS. Satisfies: SRG-OS-000095-GPOS-00049, SRG-OS-000480-GPOS-00227
Checks: C-61573r925481_chk

Verify that the gssproxy package is not installed with the following command: $ sudo dnf list --installed gssproxy Error: No matching Packages to list If the "gssproxy" package is installed and is not documented with the information system security officer (ISSO) as an operational requirement, this is a finding.

Fix: F-61497r925482_fix

Remove the gssproxy package with the following command: $ sudo dnf remove gssproxy

b
RHEL 9 must not have the iprutils package installed.
CM-6 - Medium - CCI-000366 - V-257833 - SV-257833r958478_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
RHEL-09-215050
Vuln IDs
  • V-257833
Rule IDs
  • SV-257833r958478_rule
It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. Operating systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). The iprutils package provides a suite of utilities to manage and configure SCSI devices supported by the ipr SCSI storage device driver. Satisfies: SRG-OS-000095-GPOS-00049, SRG-OS-000480-GPOS-00227
Checks: C-61574r925484_chk

Verify that the iprutils package is not installed with the following command: $ sudo dnf list --installed iprutils Error: No matching Packages to list If the "iprutils" package is installed and is not documented with the information system security officer (ISSO) as an operational requirement, this is a finding.

Fix: F-61498r925485_fix

Remove the iprutils package with the following command: $ sudo dnf remove iprutils

b
RHEL 9 must not have the tuned package installed.
CM-6 - Medium - CCI-000366 - V-257834 - SV-257834r958478_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
RHEL-09-215055
Vuln IDs
  • V-257834
Rule IDs
  • SV-257834r958478_rule
It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. Operating systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). The tuned package contains a daemon that tunes the system settings dynamically. It does so by monitoring the usage of several system components periodically. Based on that information, components will then be put into lower or higher power savings modes to adapt to the current usage. The tuned package is not needed for normal OS operations. Satisfies: SRG-OS-000095-GPOS-00049, SRG-OS-000480-GPOS-00227
Checks: C-61575r925487_chk

Verify that the tuned package is not installed with the following command: $ sudo dnf list --installed tuned Error: No matching Packages to list If the "tuned" package is installed and is not documented with the information system security officer (ISSO) as an operational requirement, this is a finding.

Fix: F-61499r925488_fix

Remove the tuned package with the following command: $ sudo dnf remove tuned

c
RHEL 9 must not have a Trivial File Transfer Protocol (TFTP) server package installed.
CM-6 - High - CCI-000366 - V-257835 - SV-257835r991589_rule
RMF Control
CM-6
Severity
High
CCI
CCI-000366
Version
RHEL-09-215060
Vuln IDs
  • V-257835
Rule IDs
  • SV-257835r991589_rule
Removing the "tftp-server" package decreases the risk of the accidental (or intentional) activation of tftp services. If TFTP is required for operational support (such as transmission of router configurations), its use must be documented with the information systems security manager (ISSM), restricted to only authorized personnel, and have access control rules established.
Checks: C-61576r952169_chk

Verify that RHEL 9 does not have a "tftp-server" package installed with the following command: $ sudo dnf list --installed | grep tftp-server If the "tftp-server" package is installed, this is a finding.

Fix: F-61500r952170_fix

The "tftp-server" package can be removed with the following command: $ sudo dnf remove tftp-server

b
RHEL 9 must not have the quagga package installed.
CM-6 - Medium - CCI-000366 - V-257836 - SV-257836r991589_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
RHEL-09-215065
Vuln IDs
  • V-257836
Rule IDs
  • SV-257836r991589_rule
Quagga is a network routing software suite providing implementations of Open Shortest Path First (OSPF), Routing Information Protocol (RIP), Border Gateway Protocol (BGP) for Unix and Linux platforms. If there is no need to make the router software available, removing it provides a safeguard against its activation.
Checks: C-61577r925493_chk

Verify that the quagga package is not installed with the following command: $ sudo dnf list --installed quagga Error: No matching Packages to list If the "quagga" package is installed, and is not documented with the information system security officer (ISSO) as an operational requirement, this is a finding.

Fix: F-61501r925494_fix

Remove the quagga package with the following command: $ sudo dnf remove quagga

b
A graphical display manager must not be installed on RHEL 9 unless approved.
CM-6 - Medium - CCI-000366 - V-257837 - SV-257837r991589_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
RHEL-09-215070
Vuln IDs
  • V-257837
Rule IDs
  • SV-257837r991589_rule
Unnecessary service packages must not be installed to decrease the attack surface of the system. Graphical display managers have a long history of security vulnerabilities and must not be used, unless approved and documented.
Checks: C-61578r925496_chk

Verify that a graphical user interface is not installed with the following command: $ sudo dnf list --installed "xorg*common" Error: No matching Packages to list If the "x11-server-common" package is installed, and the use of a graphical user interface has not been documented with the information system security officer (ISSO) as an operational requirement, this is a finding.

Fix: F-61502r925497_fix

Document the requirement for a graphical user interface with the ISSO or remove all xorg packages with the following command: Warning: If you are accessing the system through the graphical user interface, change to the multi-user.target with the following command: $ sudo systemctl isolate multi-user.target Warning: Removal of the graphical user interface will immediately render it useless. The following commands must not be run from a virtual terminal emulator in the graphical interface. $ sudo dnf remove "xorg*" $ sudo systemctl set-default multi-user.target

b
RHEL 9 must have the openssl-pkcs11 package installed.
IA-2 - Medium - CCI-000765 - V-257838 - SV-257838r1015080_rule
RMF Control
IA-2
Severity
Medium
CCI
CCI-000765
Version
RHEL-09-215075
Vuln IDs
  • V-257838
Rule IDs
  • SV-257838r1015080_rule
Without the use of multifactor authentication, the ease of access to privileged functions is greatly increased. Multifactor authentication requires using two or more factors to achieve authentication. A privileged account is defined as an information system account with authorizations of a privileged user. The DOD common access card (CAC) with DOD-approved PKI is an example of multifactor authentication. Satisfies: SRG-OS-000105-GPOS-00052, SRG-OS-000375-GPOS-00160, SRG-OS-000376-GPOS-00161, SRG-OS-000377-GPOS-00162
Checks: C-61579r1014826_chk

Verify that RHEL 9 has the openssl-pkcs11 package installed with the following command: $ sudo dnf list --installed openssl-pkcs11 Example output: openssl-pkcs.i686 0.4.11-7.el9 openssl-pkcs.x86_64 0.4.11-7.el9 If the "openssl-pkcs11" package is not installed, this is a finding. Note: If the system administrator demonstrates the use of an approved alternate multifactor authentication method, this requirement is not applicable.

Fix: F-61503r925500_fix

The openssl-pkcs11 package can be installed with the following command: $ sudo dnf install openssl-pkcs11

b
RHEL 9 must have the gnutls-utils package installed.
CM-6 - Medium - CCI-000366 - V-257839 - SV-257839r991589_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
RHEL-09-215080
Vuln IDs
  • V-257839
Rule IDs
  • SV-257839r991589_rule
GnuTLS is a secure communications library implementing the SSL, TLS and DTLS protocols and technologies around them. It provides a simple C language application programming interface (API) to access the secure communications protocols as well as APIs to parse and write X.509, PKCS #12, OpenPGP and other required structures. This package contains command line TLS client and server and certificate manipulation tools.
Checks: C-61580r925502_chk

Verify that RHEL 9 has the gnutls-utils package installed with the following command: $ dnf list --installed gnutls-utils Example output: gnutls-utils.x86_64 3.7.3-9.el9 If the "gnutls-utils" package is not installed, this is a finding.

Fix: F-61504r925503_fix

The gnutls-utils package can be installed with the following command: $ sudo dnf install gnutls-utils

b
RHEL 9 must have the nss-tools package installed.
CM-6 - Medium - CCI-000366 - V-257840 - SV-257840r991589_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
RHEL-09-215085
Vuln IDs
  • V-257840
Rule IDs
  • SV-257840r991589_rule
Network Security Services (NSS) is a set of libraries designed to support cross-platform development of security-enabled client and server applications. Install the "nss-tools" package to install command-line tools to manipulate the NSS certificate and key database.
Checks: C-61581r925505_chk

Verify that RHEL 9 has the nss-tools package installed with the following command: $ dnf list --installed nss-tools Example output: nss-tools.x86_64 3.71.0-7.el9 If the "nss-tools" package is not installed, this is a finding.

Fix: F-61505r925506_fix

The nss-tools package can be installed with the following command: $ sudo dnf install nss-tools

b
RHEL 9 must have the rng-tools package installed.
CM-6 - Medium - CCI-000366 - V-257841 - SV-257841r991589_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
RHEL-09-215090
Vuln IDs
  • V-257841
Rule IDs
  • SV-257841r991589_rule
"rng-tools" provides hardware random number generator tools, such as those used in the formation of x509/PKI certificates.
Checks: C-61582r925508_chk

Verify that RHEL 9 has the rng-tools package installed with the following command: $ sudo dnf list --installed rng-tools Example output: rng-tools.x86_64 6.14-2.git.b2b7934e.el9 If the "rng-tools" package is not installed, this is a finding.

Fix: F-61506r925509_fix

The rng-tools package can be installed with the following command: $ sudo dnf install rng-tools

b
RHEL 9 must have the s-nail package installed.
CM-3 - Medium - CCI-001744 - V-257842 - SV-257842r958794_rule
RMF Control
CM-3
Severity
Medium
CCI
CCI-001744
Version
RHEL-09-215095
Vuln IDs
  • V-257842
Rule IDs
  • SV-257842r958794_rule
The "s-nail" package provides the mail command required to allow sending email notifications of unauthorized configuration changes to designated personnel.
Checks: C-61583r942958_chk

Verify that RHEL 9 is configured to allow sending email notifications. Note: The "s-nail" package provides the "mail" command that is used to send email messages. Verify that the "s-nail" package is installed on the system: $ sudo dnf list --installed s-nail s-nail.x86_64 14.9.22-6.el9 If "s-nail" package is not installed, this is a finding.

Fix: F-61507r925512_fix

The s-nail package can be installed with the following command: $ sudo dnf install s-nail

b
A separate RHEL 9 file system must be used for user home directories (such as /home or an equivalent).
CM-6 - Medium - CCI-000366 - V-257843 - SV-257843r991589_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
RHEL-09-231010
Vuln IDs
  • V-257843
Rule IDs
  • SV-257843r991589_rule
Ensuring that "/home" is mounted on its own partition enables the setting of more restrictive mount options, and also helps ensure that users cannot trivially fill partitions used for log or audit data storage.
Checks: C-61584r925514_chk

Verify that a separate file system/partition has been created for "/home" with the following command: $ mount | grep /home UUID=fba5000f-2ffa-4417-90eb-8c54ae74a32f on /home type ext4 (rw,nodev,nosuid,noexec,seclabel) If a separate entry for "/home" is not in use, this is a finding.

Fix: F-61508r925515_fix

Migrate the "/home" directory onto a separate file system/partition.

b
RHEL 9 must use a separate file system for /tmp.
CM-6 - Medium - CCI-000366 - V-257844 - SV-257844r991589_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
RHEL-09-231015
Vuln IDs
  • V-257844
Rule IDs
  • SV-257844r991589_rule
The "/tmp" partition is used as temporary storage by many programs. Placing "/tmp" in its own partition enables the setting of more restrictive mount options, which can help protect programs that use it.
Checks: C-61585r925517_chk

Verify that a separate file system/partition has been created for "/tmp" with the following command: $ mount | grep /tmp tmpfs /tmp tmpfs noatime,mode=1777 0 0 If a separate entry for "/tmp" is not in use, this is a finding.

Fix: F-61509r925518_fix

Migrate the "/tmp" path onto a separate file system.

a
RHEL 9 must use a separate file system for /var.
CM-6 - Low - CCI-000366 - V-257845 - SV-257845r991589_rule
RMF Control
CM-6
Severity
Low
CCI
CCI-000366
Version
RHEL-09-231020
Vuln IDs
  • V-257845
Rule IDs
  • SV-257845r991589_rule
Ensuring that "/var" is mounted on its own partition enables the setting of more restrictive mount options. This helps protect system services such as daemons or other programs which use it. It is not uncommon for the "/var" directory to contain world-writable directories installed by other software packages.
Checks: C-61586r925520_chk

Verify that a separate file system/partition has been created for "/var" with the following command: $ mount | grep /var UUID=c274f65f-c5b5-4481-b007-bee96feb8b05 /var xfs noatime 1 2 If a separate entry for "/var" is not in use, this is a finding.

Fix: F-61510r925521_fix

Migrate the "/var" path onto a separate file system.

a
RHEL 9 must use a separate file system for /var/log.
CM-6 - Low - CCI-000366 - V-257846 - SV-257846r991589_rule
RMF Control
CM-6
Severity
Low
CCI
CCI-000366
Version
RHEL-09-231025
Vuln IDs
  • V-257846
Rule IDs
  • SV-257846r991589_rule
Placing "/var/log" in its own partition enables better separation between log files and other files in "/var/".
Checks: C-61587r925523_chk

Verify that a separate file system/partition has been created for "/var/log" with the following command: $ mount | grep /var/log UUID=c274f65f-c5b5-4486-b021-bee96feb8b21 /var/log xfs noatime 1 2 If a separate entry for "/var/log" is not in use, this is a finding.

Fix: F-61511r925524_fix

Migrate the "/var/log" path onto a separate file system.

a
RHEL 9 must use a separate file system for the system audit data path.
CM-6 - Low - CCI-000366 - V-257847 - SV-257847r958752_rule
RMF Control
CM-6
Severity
Low
CCI
CCI-000366
Version
RHEL-09-231030
Vuln IDs
  • V-257847
Rule IDs
  • SV-257847r958752_rule
Placing "/var/log/audit" in its own partition enables better separation between audit files and other system files, and helps ensure that auditing cannot be halted due to the partition running out of space. Satisfies: SRG-OS-000341-GPOS-00132, SRG-OS-000480-GPOS-00227
Checks: C-61588r925526_chk

Verify that a separate file system/partition has been created for the system audit data path with the following command: Note: /var/log/audit is used as the example as it is a common location. $ mount | grep /var/log/audit UUID=2efb2979-45ac-82d7-0ae632d11f51 on /var/log/home type xfs (rw,realtime,seclabel,attr2,inode64) If no line is returned, this is a finding.

Fix: F-61512r925527_fix

Migrate the system audit data path onto a separate file system.

b
RHEL 9 must use a separate file system for /var/tmp.
CM-6 - Medium - CCI-000366 - V-257848 - SV-257848r991589_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
RHEL-09-231035
Vuln IDs
  • V-257848
Rule IDs
  • SV-257848r991589_rule
The "/var/tmp" partition is used as temporary storage by many programs. Placing "/var/tmp" in its own partition enables the setting of more restrictive mount options, which can help protect programs that use it.
Checks: C-61589r925529_chk

Verify that a separate file system/partition has been created for "/var/tmp" with the following command: $ mount | grep /var/tmp UUID=c274f65f-c5b5-4379-b017-bee96feb7a34 /var/log xfs noatime 1 2 If a separate entry for "/var/tmp" is not in use, this is a finding.

Fix: F-61513r925530_fix

Migrate the "/var/tmp" path onto a separate file system.

b
RHEL 9 file system automount function must be disabled unless required.
CM-6 - Medium - CCI-000366 - V-257849 - SV-257849r1014829_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
RHEL-09-231040
Vuln IDs
  • V-257849
Rule IDs
  • SV-257849r1014829_rule
An authentication process resists replay attacks if it is impractical to achieve a successful authentication by recording and replaying a previous authentication message. Satisfies: SRG-OS-000114-GPOS-00059, SRG-OS-000378-GPOS-00163, SRG-OS-000480-GPOS-00227
Checks: C-61590r1014828_chk

Note: If the autofs service is not installed, this requirement is not applicable. Verify that RHEL 9 file system automount function has been disabled with the following command: $ sudo systemctl is-enabled autofs masked If the returned value is not "masked", "disabled", or "Failed to get unit file state for autofs.service for autofs", and is not documented as operational requirement with the information system security officer ISSO, this is a finding.

Fix: F-61514r925533_fix

Configure RHEL 9 to disable the ability to automount devices. The autofs service can be disabled with the following command: $ sudo systemctl mask --now autofs.service

b
RHEL 9 must prevent device files from being interpreted on file systems that contain user home directories.
CM-7 - Medium - CCI-001764 - V-257850 - SV-257850r958804_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-001764
Version
RHEL-09-231045
Vuln IDs
  • V-257850
Rule IDs
  • SV-257850r958804_rule
The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access. The only legitimate location for device files is the "/dev" directory located on the root partition, with the exception of chroot jails if implemented.
Checks: C-61591r925535_chk

Verify "/home" is mounted with the "nodev" option with the following command: Note: If a separate file system has not been created for the user home directories (user home directories are mounted under "/"), this is automatically a finding, as the "nodev" option cannot be used on the "/" system. $ mount | grep /home tmpfs on /home type tmpfs (rw,nodev,nosuid,noexec,seclabel) If the "/home" file system is mounted without the "nodev" option, this is a finding.

Fix: F-61515r925536_fix

Modify "/etc/fstab" to use the "nodev" option on the "/home" directory.

b
RHEL 9 must prevent files with the setuid and setgid bit set from being executed on file systems that contain user home directories.
CM-6 - Medium - CCI-000366 - V-257851 - SV-257851r958804_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
RHEL-09-231050
Vuln IDs
  • V-257851
Rule IDs
  • SV-257851r958804_rule
The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access. Satisfies: SRG-OS-000368-GPOS-00154, SRG-OS-000480-GPOS-00227
Checks: C-61592r925538_chk

Verify "/home" is mounted with the "nosuid" option with the following command: Note: If a separate file system has not been created for the user home directories (user home directories are mounted under "/"), this is automatically a finding, as the "nosuid" option cannot be used on the "/" system. $ mount | grep /home tmpfs on /home type tmpfs (rw,nodev,nosuid,noexec,seclabel) If the "/home" file system is mounted without the "nosuid" option, this is a finding.

Fix: F-61516r925539_fix

Modify "/etc/fstab" to use the "nosuid" option on the "/home" directory.

b
RHEL 9 must prevent code from being executed on file systems that contain user home directories.
CM-6 - Medium - CCI-000366 - V-257852 - SV-257852r991589_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
RHEL-09-231055
Vuln IDs
  • V-257852
Rule IDs
  • SV-257852r991589_rule
The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. Executing files from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access.
Checks: C-61593r925541_chk

Verify "/home" is mounted with the "noexec" option with the following command: Note: If a separate file system has not been created for the user home directories (user home directories are mounted under "/"), this is automatically a finding, as the "noexec" option cannot be used on the "/" system. $ mount | grep /home tmpfs on /home type xfs (rw,nodev,nosuid,noexec,seclabel) If the "/home" file system is mounted without the "noexec" option, this is a finding.

Fix: F-61517r925542_fix

Modify "/etc/fstab" to use the "noexec" option on the "/home" directory.

b
RHEL 9 must prevent special devices on file systems that are imported via Network File System (NFS).
CM-6 - Medium - CCI-000366 - V-257854 - SV-257854r991589_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
RHEL-09-231065
Vuln IDs
  • V-257854
Rule IDs
  • SV-257854r991589_rule
The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access.
Checks: C-61595r925547_chk

Verify RHEL 9 has the "nodev" option configured for all NFS mounts with the following command: $ cat /etc/fstab | grep nfs 192.168.22.2:/mnt/export /data nfs4 rw,nosuid,nodev,noexec,sync,soft,sec=krb5:krb5i:krb5p Note: If no NFS mounts are configured, this requirement is Not Applicable. If the system is mounting file systems via NFS and the "nodev" option is missing, this is a finding.

Fix: F-61519r925548_fix

Update each NFS mounted file system to use the "nodev" option on file systems that are being imported via NFS.

b
RHEL 9 must prevent code from being executed on file systems that are imported via Network File System (NFS).
CM-6 - Medium - CCI-000366 - V-257855 - SV-257855r991589_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
RHEL-09-231070
Vuln IDs
  • V-257855
Rule IDs
  • SV-257855r991589_rule
The "noexec" mount option causes the system not to execute binary files. This option must be used for mounting any file system not containing approved binary as they may be incompatible. Executing files from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access.
Checks: C-61596r925550_chk

Verify RHEL 9 has the "noexec" option configured for all NFS mounts with the following command: $ cat /etc/fstab | grep nfs 192.168.22.2:/mnt/export /data nfs4 rw,nosuid,nodev,noexec,sync,soft,sec=krb5:krb5i:krb5p If no NFS mounts are configured, this requirement is Not Applicable. If the system is mounting file systems via NFS and the "noexec" option is missing, this is a finding.

Fix: F-61520r925551_fix

Update each NFS mounted file system to use the "noexec" option on file systems that are being imported via NFS.

b
RHEL 9 must prevent files with the setuid and setgid bit set from being executed on file systems that are imported via Network File System (NFS).
CM-6 - Medium - CCI-000366 - V-257856 - SV-257856r991589_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
RHEL-09-231075
Vuln IDs
  • V-257856
Rule IDs
  • SV-257856r991589_rule
The "nosuid" mount option causes the system not to execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access.
Checks: C-61597r925553_chk

Verify RHEL 9 has the "nosuid" option configured for all NFS mounts with the following command: Note: If no NFS mounts are configured, this requirement is Not Applicable. $ cat /etc/fstab | grep nfs 192.168.22.2:/mnt/export /data nfs4 rw,nosuid,nodev,noexec,sync,soft,sec=krb5:krb5i:krb5p If the system is mounting file systems via NFS and the "nosuid" option is missing, this is a finding.

Fix: F-61521r925554_fix

Update each NFS mounted file system to use the "nosuid" option on file systems that are being imported via NFS.

b
RHEL 9 must prevent code from being executed on file systems that are used with removable media.
CM-6 - Medium - CCI-000366 - V-257857 - SV-257857r991589_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
RHEL-09-231080
Vuln IDs
  • V-257857
Rule IDs
  • SV-257857r991589_rule
The "noexec" mount option causes the system not to execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. Executing files from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access.
Checks: C-61598r925556_chk

Verify file systems that are used for removable media are mounted with the "noexec" option with the following command: $ more /etc/fstab UUID=2bc871e4-e2a3-4f29-9ece-3be60c835222 /mnt/usbflash vfat noauto,owner,ro,nosuid,nodev,noexec 0 0 If a file system found in "/etc/fstab" refers to removable media and it does not have the "noexec" option set, this is a finding.

Fix: F-61522r925557_fix

Configure the "/etc/fstab" to use the "noexec" option on file systems that are associated with removable media.

b
RHEL 9 must prevent special devices on file systems that are used with removable media.
CM-6 - Medium - CCI-000366 - V-257858 - SV-257858r991589_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
RHEL-09-231085
Vuln IDs
  • V-257858
Rule IDs
  • SV-257858r991589_rule
The "nodev" mount option causes the system not to interpret character or block special devices. Executing character or blocking special devices from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access.
Checks: C-61599r925559_chk

Verify file systems that are used for removable media are mounted with the "nodev" option with the following command: $ more /etc/fstab UUID=2bc871e4-e2a3-4f29-9ece-3be60c835222 /mnt/usbflash vfat noauto,owner,ro,nosuid,nodev,noexec 0 0 If a file system found in "/etc/fstab" refers to removable media and it does not have the "nodev" option set, this is a finding.

Fix: F-61523r925560_fix

Configure the "/etc/fstab" to use the "nodev" option on file systems that are associated with removable media.

b
RHEL 9 must prevent files with the setuid and setgid bit set from being executed on file systems that are used with removable media.
CM-6 - Medium - CCI-000366 - V-257859 - SV-257859r991589_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
RHEL-09-231090
Vuln IDs
  • V-257859
Rule IDs
  • SV-257859r991589_rule
The "nosuid" mount option causes the system not to execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access.
Checks: C-61600r925562_chk

Verify file systems that are used for removable media are mounted with the "nosuid" option with the following command: $ more /etc/fstab UUID=2bc871e4-e2a3-4f29-9ece-3be60c835222 /mnt/usbflash vfat noauto,owner,ro,nosuid,nodev,noexec 0 0 If a file system found in "/etc/fstab" refers to removable media and it does not have the "nosuid" option set, this is a finding.

Fix: F-61524r925563_fix

Configure the "/etc/fstab" to use the "nosuid" option on file systems that are associated with removable media.

b
RHEL 9 must mount /boot with the nodev option.
CM-7 - Medium - CCI-001764 - V-257860 - SV-257860r1014832_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-001764
Version
RHEL-09-231095
Vuln IDs
  • V-257860
Rule IDs
  • SV-257860r1014832_rule
The only legitimate location for device files is the "/dev" directory located on the root partition. The only exception to this is chroot jails.
Checks: C-61601r1014831_chk

Verify that the "/boot" mount point has the "nodev" option is with the following command: $ sudo mount | grep '\s/boot\s' /dev/sda1 on /boot type xfs (rw,nodev,relatime,seclabel,attr2) If the "/boot" file system does not have the "nodev" option set, this is a finding.

Fix: F-61525r925566_fix

Modify "/etc/fstab" to use the "nodev" option on the "/boot" directory.

b
RHEL 9 must prevent files with the setuid and setgid bit set from being executed on the /boot directory.
CM-6 - Medium - CCI-000366 - V-257861 - SV-257861r1014834_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
RHEL-09-231100
Vuln IDs
  • V-257861
Rule IDs
  • SV-257861r1014834_rule
The "nosuid" mount option causes the system not to execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access. Satisfies: SRG-OS-000368-GPOS-00154, SRG-OS-000480-GPOS-00227
Checks: C-61602r1014833_chk

Verify the /boot directory is mounted with the "nosuid" option with the following command: $ mount | grep '\s/boot\s' /dev/sda1 on /boot type xfs (rw,nosuid,relatime,seclabe,attr2,inode64,noquota) If the /boot file system does not have the "nosuid" option set, this is a finding.

Fix: F-61526r925569_fix

Modify "/etc/fstab" to use the "nosuid" option on the "/boot" directory.

b
RHEL 9 must prevent files with the setuid and setgid bit set from being executed on the /boot/efi directory.
CM-6 - Medium - CCI-000366 - V-257862 - SV-257862r958804_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
RHEL-09-231105
Vuln IDs
  • V-257862
Rule IDs
  • SV-257862r958804_rule
The "nosuid" mount option causes the system not to execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access. Satisfies: SRG-OS-000368-GPOS-00154, SRG-OS-000480-GPOS-00227
Checks: C-61603r925571_chk

Note: For systems that use BIOS, this requirement is Not Applicable. Verify the /boot/efi directory is mounted with the "nosuid" option with the following command: $ mount | grep '\s/boot/efi\s' /dev/sda1 on /boot/efi type vfat (rw,nosuid,relatime,fmask=0077,dmask=0077,codepage=437,iocharset=ascii,shortname=winnt,errors=remount-ro) If the /boot/efi file system does not have the "nosuid" option set, this is a finding.

Fix: F-61527r925572_fix

Modify "/etc/fstab" to use the "nosuid" option on the "/boot/efi" directory.

b
RHEL 9 must mount /dev/shm with the nodev option.
CM-7 - Medium - CCI-001764 - V-257863 - SV-257863r958804_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-001764
Version
RHEL-09-231110
Vuln IDs
  • V-257863
Rule IDs
  • SV-257863r958804_rule
The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access. The only legitimate location for device files is the "/dev" directory located on the root partition, with the exception of chroot jails if implemented.
Checks: C-61604r925574_chk

Verify "/dev/shm" is mounted with the "nodev" option with the following command: $ mount | grep /dev/shm tmpfs on /dev/shm type tmpfs (rw,nodev,nosuid,noexec,seclabel) If the /dev/shm file system is mounted without the "nodev" option, this is a finding.

Fix: F-61528r925575_fix

Modify "/etc/fstab" to use the "nodev" option on the "/dev/shm" file system.

b
RHEL 9 must mount /dev/shm with the noexec option.
CM-7 - Medium - CCI-001764 - V-257864 - SV-257864r958804_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-001764
Version
RHEL-09-231115
Vuln IDs
  • V-257864
Rule IDs
  • SV-257864r958804_rule
The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. Executing files from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access.
Checks: C-61605r925577_chk

Verify "/dev/shm" is mounted with the "noexec" option with the following command: $ mount | grep /dev/shm tmpfs on /dev/shm type tmpfs (rw,nodev,nosuid,noexec,seclabel) If the /dev/shm file system is mounted without the "noexec" option, this is a finding.

Fix: F-61529r925578_fix

Modify "/etc/fstab" to use the "noexec" option on the "/dev/shm" file system.

b
RHEL 9 must mount /dev/shm with the nosuid option.
CM-7 - Medium - CCI-001764 - V-257865 - SV-257865r958804_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-001764
Version
RHEL-09-231120
Vuln IDs
  • V-257865
Rule IDs
  • SV-257865r958804_rule
The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access.
Checks: C-61606r925580_chk

Verify "/dev/shm" is mounted with the "nosuid" option with the following command: $ mount | grep /dev/shm tmpfs on /dev/shm type tmpfs (rw,nodev,nosuid,noexec,seclabel) If the /dev/shm file system is mounted without the "noexec" option, this is a finding.

Fix: F-61530r925581_fix

Modify "/etc/fstab" to use the "nosuid" option on the "/dev/shm" file system.

b
RHEL 9 must mount /tmp with the nodev option.
CM-7 - Medium - CCI-001764 - V-257866 - SV-257866r958804_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-001764
Version
RHEL-09-231125
Vuln IDs
  • V-257866
Rule IDs
  • SV-257866r958804_rule
The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access. The only legitimate location for device files is the "/dev" directory located on the root partition, with the exception of chroot jails if implemented.
Checks: C-61607r925583_chk

Verify "/tmp" is mounted with the "nodev" option: $ mount | grep /tmp /dev/mapper/rhel-tmp on /tmp type xfs (rw,nodev,nosuid,noexec,seclabel) If the "/tmp" file system is mounted without the "nodev" option, this is a finding.

Fix: F-61531r925584_fix

Modify "/etc/fstab" to use the "nodev" option on the "/tmp" directory.

b
RHEL 9 must mount /tmp with the noexec option.
CM-7 - Medium - CCI-001764 - V-257867 - SV-257867r958804_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-001764
Version
RHEL-09-231130
Vuln IDs
  • V-257867
Rule IDs
  • SV-257867r958804_rule
The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. Executing files from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access.
Checks: C-61608r925586_chk

Verify "/tmp" is mounted with the "noexec" option: $ mount | grep /tmp /dev/mapper/rhel-tmp on /tmp type xfs (rw,nodev,nosuid,noexec,seclabel) If the "/tmp" file system is mounted without the "noexec" option, this is a finding.

Fix: F-61532r925587_fix

Modify "/etc/fstab" to use the "noexec" option on the "/tmp" directory.

b
RHEL 9 must mount /tmp with the nosuid option.
CM-7 - Medium - CCI-001764 - V-257868 - SV-257868r958804_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-001764
Version
RHEL-09-231135
Vuln IDs
  • V-257868
Rule IDs
  • SV-257868r958804_rule
The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access.
Checks: C-61609r925589_chk

Verify "/tmp" is mounted with the "nosuid" option: $ mount | grep /tmp /dev/mapper/rhel-tmp on /tmp type xfs (rw,nodev,nosuid,noexec,seclabel) If the "/tmp" file system is mounted without the "nosuid" option, this is a finding.

Fix: F-61533r925590_fix

Modify "/etc/fstab" to use the "nosuid" option on the "/tmp" directory.

b
RHEL 9 must mount /var with the nodev option.
CM-7 - Medium - CCI-001764 - V-257869 - SV-257869r958804_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-001764
Version
RHEL-09-231140
Vuln IDs
  • V-257869
Rule IDs
  • SV-257869r958804_rule
The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access. The only legitimate location for device files is the "/dev" directory located on the root partition, with the exception of chroot jails if implemented.
Checks: C-61610r925592_chk

Verify "/var" is mounted with the "nodev" option: $ mount | grep /var /dev/mapper/rhel-var on /var type xfs (rw,nodev,nosuid,noexec,seclabel) If the "/var" file system is mounted without the "nodev" option, this is a finding.

Fix: F-61534r925593_fix

Modify "/etc/fstab" to use the "nodev" option on the "/var" directory.

b
RHEL 9 must mount /var/log with the nodev option.
CM-7 - Medium - CCI-001764 - V-257870 - SV-257870r958804_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-001764
Version
RHEL-09-231145
Vuln IDs
  • V-257870
Rule IDs
  • SV-257870r958804_rule
The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access. The only legitimate location for device files is the "/dev" directory located on the root partition, with the exception of chroot jails if implemented.
Checks: C-61611r925595_chk

Verify "/var/log" is mounted with the "nodev" option: $ mount | grep /var/log /dev/mapper/rhel-var-log on /var/log type xfs (rw,nodev,nosuid,noexec,seclabel) If the "/var/log" file system is mounted without the "nodev" option, this is a finding.

Fix: F-61535r925596_fix

Modify "/etc/fstab" to use the "nodev" option on the "/var/log" directory.

b
RHEL 9 must mount /var/log with the noexec option.
CM-7 - Medium - CCI-001764 - V-257871 - SV-257871r958804_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-001764
Version
RHEL-09-231150
Vuln IDs
  • V-257871
Rule IDs
  • SV-257871r958804_rule
The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. Executing files from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access.
Checks: C-61612r925598_chk

Verify "/var/log" is mounted with the "noexec" option: $ mount | grep /var/log /dev/mapper/rhel-var-log on /var/log type xfs (rw,nodev,nosuid,noexec,seclabel) If the "/var/log" file system is mounted without the "noexec" option, this is a finding.

Fix: F-61536r925599_fix

Modify "/etc/fstab" to use the "noexec" option on the "/var/log" directory.

b
RHEL 9 must mount /var/log with the nosuid option.
CM-7 - Medium - CCI-001764 - V-257872 - SV-257872r958804_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-001764
Version
RHEL-09-231155
Vuln IDs
  • V-257872
Rule IDs
  • SV-257872r958804_rule
The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access.
Checks: C-61613r925601_chk

Verify "/var/log" is mounted with the "nosuid" option: $ mount | grep /var/log /dev/mapper/rhel-var-log on /var/log type xfs (rw,nodev,nosuid,noexec,seclabel) If the "/var/log" file system is mounted without the "nosuid" option, this is a finding.

Fix: F-61537r925602_fix

Modify "/etc/fstab" to use the "nosuid" option on the "/var/log" directory.

b
RHEL 9 must mount /var/log/audit with the nodev option.
CM-7 - Medium - CCI-001764 - V-257873 - SV-257873r958804_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-001764
Version
RHEL-09-231160
Vuln IDs
  • V-257873
Rule IDs
  • SV-257873r958804_rule
The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access. The only legitimate location for device files is the "/dev" directory located on the root partition, with the exception of chroot jails if implemented.
Checks: C-61614r925604_chk

Verify "/var/log/audit" is mounted with the "nodev" option: $ mount | grep /var/log/audit /dev/mapper/rhel-var-log-audit on /var/log/audit type xfs (rw,nodev,nosuid,noexec,seclabel) If the "/var/log/audit" file system is mounted without the "nodev" option, this is a finding.

Fix: F-61538r925605_fix

Modify "/etc/fstab" to use the "nodev" option on the "/var/log/audit" directory.

b
RHEL 9 must mount /var/log/audit with the noexec option.
CM-7 - Medium - CCI-001764 - V-257874 - SV-257874r958804_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-001764
Version
RHEL-09-231165
Vuln IDs
  • V-257874
Rule IDs
  • SV-257874r958804_rule
The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. Executing files from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access.
Checks: C-61615r925607_chk

Verify "/var/log/audit" is mounted with the "noexec" option: $ mount | grep /var/log/audit /dev/mapper/rhel-var-log-audit on /var/log/audit type xfs (rw,nodev,nosuid,noexec,seclabel) If the "/var/log/audit" file system is mounted without the "noexec" option, this is a finding.

Fix: F-61539r925608_fix

Modify "/etc/fstab" to use the "noexec" option on the "/var/log/audit" directory.

b
RHEL 9 must mount /var/log/audit with the nosuid option.
CM-7 - Medium - CCI-001764 - V-257875 - SV-257875r958804_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-001764
Version
RHEL-09-231170
Vuln IDs
  • V-257875
Rule IDs
  • SV-257875r958804_rule
The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access.
Checks: C-61616r925610_chk

Verify "/var/log/audit" is mounted with the "nosuid" option: $ mount | grep /var/log/audit /dev/mapper/rhel-var-log-audit on /var/log/audit type xfs (rw,nodev,nosuid,noexec,seclabel) If the "/var/log/audit" file system is mounted without the "nosuid" option, this is a finding.

Fix: F-61540r925611_fix

Modify "/etc/fstab" to use the "nosuid" option on the "/var/log/audit" directory.

b
RHEL 9 must mount /var/tmp with the nodev option.
CM-7 - Medium - CCI-001764 - V-257876 - SV-257876r958804_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-001764
Version
RHEL-09-231175
Vuln IDs
  • V-257876
Rule IDs
  • SV-257876r958804_rule
The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access. The only legitimate location for device files is the "/dev" directory located on the root partition, with the exception of chroot jails if implemented.
Checks: C-61617r925613_chk

Verify "/var/tmp" is mounted with the "nodev" option: $ mount | grep /var/tmp /dev/mapper/rhel-var-tmp on /var/tmp type xfs (rw,nodev,nosuid,noexec,seclabel) If the "/var/tmp" file system is mounted without the "nodev" option, this is a finding.

Fix: F-61541r925614_fix

Modify "/etc/fstab" to use the "nodev" option on the "/var/tmp" directory.

b
RHEL 9 must mount /var/tmp with the noexec option.
CM-7 - Medium - CCI-001764 - V-257877 - SV-257877r958804_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-001764
Version
RHEL-09-231180
Vuln IDs
  • V-257877
Rule IDs
  • SV-257877r958804_rule
The "noexec" mount option causes the system to not execute binary files. This option must be used for mounting any file system not containing approved binary files, as they may be incompatible. Executing files from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access.
Checks: C-61618r925616_chk

Verify "/var/tmp" is mounted with the "noexec" option: $ mount | grep /var/tmp /dev/mapper/rhel-var-tmp on /var/tmp type xfs (rw,nodev,nosuid,noexec,seclabel) If the "/var/tmp" file system is mounted without the "noexec" option, this is a finding.

Fix: F-61542r925617_fix

Modify "/etc/fstab" to use the "noexec" option on the "/var/tmp" directory.

b
RHEL 9 must mount /var/tmp with the nosuid option.
CM-7 - Medium - CCI-001764 - V-257878 - SV-257878r958804_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-001764
Version
RHEL-09-231185
Vuln IDs
  • V-257878
Rule IDs
  • SV-257878r958804_rule
The "nosuid" mount option causes the system to not execute "setuid" and "setgid" files with owner privileges. This option must be used for mounting any file system not containing approved "setuid" and "setguid" files. Executing files from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access.
Checks: C-61619r925619_chk

Verify "/var/tmp" is mounted with the "nosuid" option: $ mount | grep /var/tmp /dev/mapper/rhel-var-tmp on /var/tmp type xfs (rw,nodev,nosuid,noexec,seclabel) If the "/var/tmp" file system is mounted without the "nosuid" option, this is a finding.

Fix: F-61543r925620_fix

Modify "/etc/fstab" to use the "nosuid" option on the "/var/tmp" directory.

c
RHEL 9 local disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at rest protection.
SC-28 - High - CCI-001199 - V-257879 - SV-257879r1014836_rule
RMF Control
SC-28
Severity
High
CCI
CCI-001199
Version
RHEL-09-231190
Vuln IDs
  • V-257879
Rule IDs
  • SV-257879r1014836_rule
RHEL 9 systems handling data requiring "data at rest" protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest. Selection of a cryptographic mechanism is based on the need to protect the integrity of organizational information. The strength of the mechanism is commensurate with the security category and/or classification of the information. Organizations have the flexibility to either encrypt all information on storage devices (i.e., full disk encryption) or encrypt specific data structures (e.g., files, records, or fields). Satisfies: SRG-OS-000405-GPOS-00184, SRG-OS-000185-GPOS-00079, SRG-OS-000404-GPOS-00183
Checks: C-61620r1014835_chk

Note: If there is a documented and approved reason for not having data-at-rest encryption at the operating system level, such as encryption provided by a hypervisor or a disk storage array in a virtualized environment, this requirement is not applicable. Verify RHEL 9 prevents unauthorized disclosure or modification of all information requiring at-rest protection by using disk encryption. Note: If there is a documented and approved reason for not having data-at-rest encryption, this requirement is Not Applicable. Verify all system partitions are encrypted with the following command: $ blkid /dev/map per/rhel-root: UUID="67b7d7fe-de60-6fd0-befb-e6748cf97743" TYPE="crypto_LUKS" Every persistent disk partition present must be of type "crypto_LUKS". If any partitions other than the boot partition or pseudo file systems (such as /proc or /sys) or temporary file systems (that are tmpfs) are not type "crypto_LUKS", ask the administrator to indicate how the partitions are encrypted. If there is no evidence that these partitions are encrypted, this is a finding.

Fix: F-61544r925623_fix

Configure RHEL 9 to prevent unauthorized modification of all information at rest by using disk encryption. Encrypting a partition in an already installed system is more difficult, because existing partitions will need to be resized and changed. To encrypt an entire partition, dedicate a partition for encryption in the partition layout.

a
RHEL 9 must disable mounting of cramfs.
CM-7 - Low - CCI-000381 - V-257880 - SV-257880r958478_rule
RMF Control
CM-7
Severity
Low
CCI
CCI-000381
Version
RHEL-09-231195
Vuln IDs
  • V-257880
Rule IDs
  • SV-257880r958478_rule
It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. Removing support for unneeded filesystem types reduces the local attack surface of the server. Compressed ROM/RAM file system (or cramfs) is a read-only file system designed for simplicity and space-efficiency. It is mainly used in embedded and small-footprint systems.
Checks: C-61621r925625_chk

Verify that RHEL 9 disables the ability to load the cramfs kernel module with the following command: $ sudo grep -r cramfs /etc/modprobe.conf /etc/modprobe.d/* blacklist cramfs If the command does not return any output, or the line is commented out, and use of cramfs is not documented with the information system security officer (ISSO) as an operational requirement, this is a finding.

Fix: F-61545r942956_fix

To configure the system to prevent the cramfs kernel module from being loaded, add the following line to the file /etc/modprobe.d/blacklist.conf (or create blacklist.conf if it does not exist): install cramfs /bin/false blacklist cramfs

b
RHEL 9 must prevent special devices on non-root local partitions.
CM-6 - Medium - CCI-000366 - V-257881 - SV-257881r991589_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
RHEL-09-231200
Vuln IDs
  • V-257881
Rule IDs
  • SV-257881r991589_rule
The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for nonprivileged users to attain unauthorized administrative access. The only legitimate location for device files is the "/dev" directory located on the root partition, with the exception of chroot jails if implemented.
Checks: C-61622r925628_chk

Verify all non-root local partitions are mounted with the "nodev" option with the following command: $ sudo mount | grep '^/dev\S* on /\S' | grep --invert-match 'nodev' If any output is produced, this is a finding.

Fix: F-61546r925629_fix

Configure the "/etc/fstab" to use the "nodev" option on all non-root local partitions.

b
RHEL 9 system commands must have mode 755 or less permissive.
CM-5 - Medium - CCI-001499 - V-257882 - SV-257882r991560_rule
RMF Control
CM-5
Severity
Medium
CCI
CCI-001499
Version
RHEL-09-232010
Vuln IDs
  • V-257882
Rule IDs
  • SV-257882r991560_rule
If RHEL 9 allowed any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement applies to RHEL 9 with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs that execute with escalated privileges.
Checks: C-61623r925631_chk

Verify the system commands contained in the following directories have mode "755" or less permissive with the following command: $ sudo find -L /bin /sbin /usr/bin /usr/sbin /usr/libexec /usr/local/bin /usr/local/sbin -perm /022 -exec ls -l {} \; If any system commands are found to be group-writable or world-writable, this is a finding.

Fix: F-61547r925632_fix

Configure the system commands to be protected from unauthorized access. Run the following command, replacing "[FILE]" with any system command with a mode more permissive than "755". $ sudo chmod 755 [FILE]

b
RHEL 9 library directories must have mode 755 or less permissive.
CM-5 - Medium - CCI-001499 - V-257883 - SV-257883r991560_rule
RMF Control
CM-5
Severity
Medium
CCI
CCI-001499
Version
RHEL-09-232015
Vuln IDs
  • V-257883
Rule IDs
  • SV-257883r991560_rule
If RHEL 9 allowed any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement applies to RHEL 9 with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs that execute with escalated privileges.
Checks: C-61624r925634_chk

Verify the system-wide shared library directories have mode "755" or less permissive with the following command: $ sudo find -L /lib /lib64 /usr/lib /usr/lib64 -perm /022 -type d -exec ls -l {} \; If any system-wide shared library file is found to be group-writable or world-writable, this is a finding.

Fix: F-61548r925635_fix

Configure the system-wide shared library directories (/lib, /lib64, /usr/lib and /usr/lib64) to be protected from unauthorized access. Run the following command, replacing "[DIRECTORY]" with any library directory with a mode more permissive than 755. $ sudo chmod 755 [DIRECTORY]

b
RHEL 9 library files must have mode 755 or less permissive.
CM-5 - Medium - CCI-001499 - V-257884 - SV-257884r991560_rule
RMF Control
CM-5
Severity
Medium
CCI
CCI-001499
Version
RHEL-09-232020
Vuln IDs
  • V-257884
Rule IDs
  • SV-257884r991560_rule
If RHEL 9 allowed any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement applies to RHEL 9 with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs that execute with escalated privileges.
Checks: C-61625r925637_chk

Verify the system-wide shared library files contained in the following directories have mode "755" or less permissive with the following command: $ sudo find -L /lib /lib64 /usr/lib /usr/lib64 -perm /022 -type f -exec ls -l {} \; If any system-wide shared library file is found to be group-writable or world-writable, this is a finding.

Fix: F-61549r925638_fix

Configure the library files to be protected from unauthorized access. Run the following command, replacing "[FILE]" with any library file with a mode more permissive than 755. $ sudo chmod 755 [FILE]

b
RHEL 9 /var/log directory must have mode 0755 or less permissive.
SI-11 - Medium - CCI-001314 - V-257885 - SV-257885r958566_rule
RMF Control
SI-11
Severity
Medium
CCI
CCI-001314
Version
RHEL-09-232025
Vuln IDs
  • V-257885
Rule IDs
  • SV-257885r958566_rule
Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the RHEL 9 system or platform. Additionally, personally identifiable information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements.
Checks: C-61626r925640_chk

Verify that the "/var/log" directory has a mode of "0755" or less permissive with the following command: $ ls -ld /var/log drwxr-xr-x. 16 root root 4096 July 11 11:34 /var/log If "/var/log" does not have a mode of "0755" or less permissive, this is a finding.

Fix: F-61550r925641_fix

Configure the "/var/log" directory to a mode of "0755" by running the following command: $ sudo chmod 0755 /var/log

b
RHEL 9 /var/log/messages file must have mode 0640 or less permissive.
SI-11 - Medium - CCI-001314 - V-257886 - SV-257886r958566_rule
RMF Control
SI-11
Severity
Medium
CCI
CCI-001314
Version
RHEL-09-232030
Vuln IDs
  • V-257886
Rule IDs
  • SV-257886r958566_rule
Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the RHEL 9 system or platform. Additionally, personally identifiable information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements.
Checks: C-61627r925643_chk

Verify the "/var/log/messages" file has a mode of "0640" or less permissive with the following command: $ ls -la /var/log/messages rw-------. 1 root root 564223 July 11 11:34 /var/log/messages If "/var/log/messages" does not have a mode of "0640" or less permissive, this is a finding.

Fix: F-61551r925644_fix

Configure the "/var/log/messages" file to have a mode of "0640" by running the following command: $ sudo chmod 0640 /var/log/messages

b
RHEL 9 audit tools must have a mode of 0755 or less permissive.
AU-9 - Medium - CCI-001493 - V-257887 - SV-257887r991557_rule
RMF Control
AU-9
Severity
Medium
CCI
CCI-001493
Version
RHEL-09-232035
Vuln IDs
  • V-257887
Rule IDs
  • SV-257887r991557_rule
Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit information. RHEL 9 systems providing tools to interface with audit information will leverage user permissions and roles identifying the user accessing the tools, and the corresponding rights the user enjoys, to make access decisions regarding the access to audit tools. Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators.
Checks: C-61628r925646_chk

Verify the audit tools have a mode of "0755" or less with the following command: $ stat -c "%a %n" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/rsyslogd /sbin/augenrules 755 /sbin/auditctl 755 /sbin/aureport 755 /sbin/ausearch 750 /sbin/autrace 755 /sbin/auditd 755 /sbin/rsyslogd 755 /sbin/augenrules If any of the audit tool files have a mode more permissive than "0755", this is a finding.

Fix: F-61552r925647_fix

Configure the audit tools to have a mode of "0755" by running the following command: $ sudo chmod 0755 [audit_tool] Replace "[audit_tool]" with each audit tool that has a more permissive mode than 0755.

b
RHEL 9 cron configuration directories must have a mode of 0700 or less permissive.
CM-6 - Medium - CCI-000366 - V-257888 - SV-257888r991589_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
RHEL-09-232040
Vuln IDs
  • V-257888
Rule IDs
  • SV-257888r991589_rule
Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable configurations. Therefore, service configuration files should have the correct access rights to prevent unauthorized changes.
Checks: C-61629r925649_chk

Verify the permissions of the cron directories with the following command: $ find /etc/cron* -type d | xargs stat -c "%a %n" 700 /etc/cron.d 700 /etc/cron.daily 700 /etc/cron.hourly 700 /etc/cron.monthly 700 /etc/cron.weekly If any cron configuration directory is more permissive than "700", this is a finding.

Fix: F-61553r925650_fix

Configure any RHEL 9 cron configuration directory with a mode more permissive than "0700" as follows: chmod 0700 [cron configuration directory]

b
All RHEL 9 local initialization files must have mode 0740 or less permissive.
CM-6 - Medium - CCI-000366 - V-257889 - SV-257889r991589_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
RHEL-09-232045
Vuln IDs
  • V-257889
Rule IDs
  • SV-257889r991589_rule
Local initialization files are used to configure the user's shell environment upon logon. Malicious modification of these files could compromise accounts upon logon.
Checks: C-61630r925652_chk

Verify that all local initialization files have a mode of "0740" or less permissive with the following command: Note: The example will be for the "wadea" user, who has a home directory of "/home/wadea". $ sudo ls -al /home/wadea/.[^.]* | more -rwxr-xr-x 1 wadea users 896 Mar 10 2011 .profile -rwxr-xr-x 1 wadea users 497 Jan 6 2007 .login -rwxr-xr-x 1 wadea users 886 Jan 6 2007 .something If any local initialization files have a mode more permissive than "0740", this is a finding.

Fix: F-61554r925653_fix

Set the mode of the local initialization files to "0740" with the following command: Note: The example will be for the wadea user, who has a home directory of "/home/wadea". $ sudo chmod 0740 /home/wadea/.<INIT_FILE>

b
All RHEL 9 local interactive user home directories must have mode 0750 or less permissive.
CM-6 - Medium - CCI-000366 - V-257890 - SV-257890r991589_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
RHEL-09-232050
Vuln IDs
  • V-257890
Rule IDs
  • SV-257890r991589_rule
Excessive permissions on local interactive user home directories may allow unauthorized access to user files by other users.
Checks: C-61631r925655_chk

Verify the assigned home directory of all local interactive users has a mode of "0750" or less permissive with the following command: Note: This may miss interactive users that have been assigned a privileged user identifier (UID). Evidence of interactive use may be obtained from a number of log files containing system logon information. $ sudo ls -ld $(awk -F: '($3&gt;=1000)&amp;&amp;($7 !~ /nologin/){print $6}' /etc/passwd) drwxr-x--- 2 wadea admin 4096 Jun 5 12:41 wadea If home directories referenced in "/etc/passwd" do not have a mode of "0750" or less permissive, this is a finding.

Fix: F-61555r925656_fix

Change the mode of interactive user's home directories to "0750". To change the mode of a local interactive user's home directory, use the following command: Note: The example will be for the user "wadea". $ sudo chmod 0750 /home/wadea

b
RHEL 9 /etc/group file must have mode 0644 or less permissive to prevent unauthorized access.
CM-6 - Medium - CCI-000366 - V-257891 - SV-257891r991589_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
RHEL-09-232055
Vuln IDs
  • V-257891
Rule IDs
  • SV-257891r991589_rule
The "/etc/group" file contains information regarding groups that are configured on the system. Protection of this file is important for system security.
Checks: C-61632r925658_chk

Verify that the "/etc/group" file has mode "0644" or less permissive with the following command: $ sudo stat -c "%a %n" /etc/group 644 /etc/group If a value of "0644" or less permissive is not returned, this is a finding.

Fix: F-61556r925659_fix

Change the mode of the file "/etc/group" to "0644" by running the following command: $ sudo chmod 0644 /etc/group

b
RHEL 9 /etc/group- file must have mode 0644 or less permissive to prevent unauthorized access.
CM-6 - Medium - CCI-000366 - V-257892 - SV-257892r991589_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
RHEL-09-232060
Vuln IDs
  • V-257892
Rule IDs
  • SV-257892r991589_rule
The "/etc/group-" file is a backup file of "/etc/group", and as such, contains information regarding groups that are configured on the system. Protection of this file is important for system security.
Checks: C-61633r925661_chk

Verify that the "/etc/group-" file has mode "0644" or less permissive with the following command: $ sudo stat -c "%a %n" /etc/group- 644 /etc/group- If a value of "0644" or less permissive is not returned, this is a finding.

Fix: F-61557r925662_fix

Change the mode of the file "/etc/group-" to "0644" by running the following command: $ sudo chmod 0644 /etc/group-

b
RHEL 9 /etc/gshadow file must have mode 0000 or less permissive to prevent unauthorized access.
CM-6 - Medium - CCI-000366 - V-257893 - SV-257893r991589_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
RHEL-09-232065
Vuln IDs
  • V-257893
Rule IDs
  • SV-257893r991589_rule
The "/etc/gshadow" file contains group password hashes. Protection of this file is critical for system security.
Checks: C-61634r925664_chk

Verify that the "/etc/gshadow" file has mode "0000" with the following command: $ sudo stat -c "%a %n" /etc/gshadow 0 /etc/gshadow If a value of "0" is not returned, this is a finding.

Fix: F-61558r925665_fix

Change the mode of the file "/etc/gshadow" to "0000" by running the following command: $ sudo chmod 0000 /etc/gshadow

b
RHEL 9 /etc/gshadow- file must have mode 0000 or less permissive to prevent unauthorized access.
CM-6 - Medium - CCI-000366 - V-257894 - SV-257894r991589_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
RHEL-09-232070
Vuln IDs
  • V-257894
Rule IDs
  • SV-257894r991589_rule
The "/etc/gshadow-" file is a backup of "/etc/gshadow", and as such, contains group password hashes. Protection of this file is critical for system security.
Checks: C-61635r925667_chk

Verify that the "/etc/gshadow-" file has mode "0000" with the following command: $ sudo stat -c "%a %n" /etc/gshadow- 0 /etc/gshadow- If a value of "0" is not returned, this is a finding.

Fix: F-61559r925668_fix

Change the mode of the file "/etc/gshadow-" to "0000" by running the following command: $ sudo chmod 0000 /etc/gshadow-

b
RHEL 9 /etc/passwd file must have mode 0644 or less permissive to prevent unauthorized access.
CM-6 - Medium - CCI-000366 - V-257895 - SV-257895r991589_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
RHEL-09-232075
Vuln IDs
  • V-257895
Rule IDs
  • SV-257895r991589_rule
If the "/etc/passwd" file is writable by a group-owner or the world the risk of its compromise is increased. The file contains the list of accounts on the system and associated information, and protection of this file is critical for system security.
Checks: C-61636r925670_chk

Verify that the "/etc/passwd" file has mode "0644" or less permissive with the following command: $ sudo stat -c "%a %n" /etc/passwd 644 /etc/passwd If a value of "0644" or less permissive is not returned, this is a finding.

Fix: F-61560r925671_fix

Change the mode of the file "/etc/passwd" to "0644" by running the following command: $ sudo chmod 0644 /etc/passwd

b
RHEL 9 /etc/passwd- file must have mode 0644 or less permissive to prevent unauthorized access.
CM-6 - Medium - CCI-000366 - V-257896 - SV-257896r991589_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
RHEL-09-232080
Vuln IDs
  • V-257896
Rule IDs
  • SV-257896r991589_rule
The "/etc/passwd-" file is a backup file of "/etc/passwd", and as such, contains information about the users that are configured on the system. Protection of this file is critical for system security.
Checks: C-61637r925673_chk

Verify that the "/etc/passwd-" file has mode "0644" or less permissive with the following command: $ sudo stat -c "%a %n" /etc/passwd- 644 /etc/passwd- If a value of "0644" or less permissive is not returned, this is a finding.

Fix: F-61561r925674_fix

Change the mode of the file "/etc/passwd-" to "0644" by running the following command: $ sudo chmod 0644 /etc/passwd-

b
RHEL 9 /etc/shadow- file must have mode 0000 or less permissive to prevent unauthorized access.
CM-6 - Medium - CCI-000366 - V-257897 - SV-257897r991589_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
RHEL-09-232085
Vuln IDs
  • V-257897
Rule IDs
  • SV-257897r991589_rule
The "/etc/shadow-" file is a backup file of "/etc/shadow", and as such, contains the list of local system accounts and password hashes. Protection of this file is critical for system security.
Checks: C-61638r925676_chk

Verify that the "/etc/shadow-" file has mode "0000" with the following command: $ sudo stat -c "%a %n" /etc/shadow- 0 /etc/shadow- If a value of "0" is not returned, this is a finding.

Fix: F-61562r925677_fix

Change the mode of the file "/etc/shadow-" to "0000" by running the following command: $ sudo chmod 0000 /etc/shadow-

b
RHEL 9 /etc/group file must be owned by root.
CM-6 - Medium - CCI-000366 - V-257898 - SV-257898r991589_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
RHEL-09-232090
Vuln IDs
  • V-257898
Rule IDs
  • SV-257898r991589_rule
The "/etc/group" file contains information regarding groups that are configured on the system. Protection of this file is important for system security.
Checks: C-61639r925679_chk

Verify the ownership of the "/etc/group" file with the following command: $ sudo stat -c "%U %n" /etc/group root /etc/group If "/etc/group" file does not have an owner of "root", this is a finding.

Fix: F-61563r925680_fix

Change the owner of the file /etc/group to root by running the following command: $ sudo chown root /etc/group

b
RHEL 9 /etc/group file must be group-owned by root.
CM-6 - Medium - CCI-000366 - V-257899 - SV-257899r991589_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
RHEL-09-232095
Vuln IDs
  • V-257899
Rule IDs
  • SV-257899r991589_rule
The "/etc/group" file contains information regarding groups that are configured on the system. Protection of this file is important for system security.
Checks: C-61640r925682_chk

Verify the group ownership of the "/etc/group" file with the following command: $ sudo stat -c "%G %n" /etc/group root /etc/group If "/etc/group" file does not have a group owner of "root", this is a finding.

Fix: F-61564r925683_fix

Change the group of the file /etc/group to root by running the following command: $ sudo chgrp root /etc/group

b
RHEL 9 /etc/group- file must be owned by root.
CM-6 - Medium - CCI-000366 - V-257900 - SV-257900r991589_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
RHEL-09-232100
Vuln IDs
  • V-257900
Rule IDs
  • SV-257900r991589_rule
The "/etc/group-" file is a backup file of "/etc/group", and as such, contains information regarding groups that are configured on the system. Protection of this file is important for system security.
Checks: C-61641r925685_chk

Verify the ownership of the "/etc/group-" file with the following command: $ sudo stat -c "%U %n" /etc/group- root /etc/group- If "/etc/group-" file does not have an owner of "root", this is a finding.

Fix: F-61565r925686_fix

Change the owner of the file /etc/group- to root by running the following command: $ sudo chown root /etc/group-

b
RHEL 9 /etc/group- file must be group-owned by root.
CM-6 - Medium - CCI-000366 - V-257901 - SV-257901r991589_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
RHEL-09-232105
Vuln IDs
  • V-257901
Rule IDs
  • SV-257901r991589_rule
The "/etc/group-" file is a backup file of "/etc/group", and as such, contains information regarding groups that are configured on the system. Protection of this file is important for system security.
Checks: C-61642r925688_chk

Verify the group ownership of the "/etc/group-" file with the following command: $ sudo stat -c "%G %n" /etc/group- root /etc/group- If "/etc/group-" file does not have a group owner of "root", this is a finding.

Fix: F-61566r925689_fix

Change the group of the file /etc/group- to root by running the following command: $ sudo chgrp root /etc/group-

b
RHEL 9 /etc/gshadow file must be owned by root.
CM-6 - Medium - CCI-000366 - V-257902 - SV-257902r991589_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
RHEL-09-232110
Vuln IDs
  • V-257902
Rule IDs
  • SV-257902r991589_rule
The "/etc/gshadow" file contains group password hashes. Protection of this file is critical for system security.
Checks: C-61643r925691_chk

Verify the ownership of the "/etc/gshadow" file with the following command: $ sudo stat -c "%U %n" /etc/gshadow root /etc/gshadow If "/etc/gshadow" file does not have an owner of "root", this is a finding.

Fix: F-61567r925692_fix

Change the owner of the file /etc/gshadow to root by running the following command: $ sudo chown root /etc/gshadow

b
RHEL 9 /etc/gshadow file must be group-owned by root.
CM-6 - Medium - CCI-000366 - V-257903 - SV-257903r991589_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
RHEL-09-232115
Vuln IDs
  • V-257903
Rule IDs
  • SV-257903r991589_rule
The "/etc/gshadow" file contains group password hashes. Protection of this file is critical for system security.
Checks: C-61644r925694_chk

Verify the group ownership of the "/etc/gshadow" file with the following command: $ sudo stat -c "%G %n" /etc/gshadow root /etc/gshadow If "/etc/gshadow" file does not have a group owner of "root", this is a finding.

Fix: F-61568r925695_fix

Change the group of the file /etc/gshadow to root by running the following command: $ sudo chgrp root /etc/gshadow

b
RHEL 9 /etc/gshadow- file must be owned by root.
CM-6 - Medium - CCI-000366 - V-257904 - SV-257904r991589_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
RHEL-09-232120
Vuln IDs
  • V-257904
Rule IDs
  • SV-257904r991589_rule
The "/etc/gshadow-" file is a backup of "/etc/gshadow", and as such, contains group password hashes. Protection of this file is critical for system security.
Checks: C-61645r925697_chk

Verify the ownership of the "/etc/gshadow-" file with the following command: $ sudo stat -c "%U %n" /etc/gshadow- root /etc/gshadow- If "/etc/gshadow-" file does not have an owner of "root", this is a finding.

Fix: F-61569r925698_fix

Change the owner of the file /etc/gshadow- to root by running the following command: $ sudo chown root /etc/gshadow-

b
RHEL 9 /etc/gshadow- file must be group-owned by root.
CM-6 - Medium - CCI-000366 - V-257905 - SV-257905r991589_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
RHEL-09-232125
Vuln IDs
  • V-257905
Rule IDs
  • SV-257905r991589_rule
The "/etc/gshadow-" file is a backup of "/etc/gshadow", and as such, contains group password hashes. Protection of this file is critical for system security.
Checks: C-61646r925700_chk

Verify the group ownership of the "/etc/gshadow-" file with the following command: $ sudo stat -c "%G %n" /etc/gshadow- root /etc/gshadow- If "/etc/gshadow-" file does not have a group owner of "root", this is a finding.

Fix: F-61570r925701_fix

Change the group of the file /etc/gshadow- to root by running the following command: $ sudo chgrp root /etc/gshadow-

b
RHEL 9 /etc/passwd file must be owned by root.
CM-6 - Medium - CCI-000366 - V-257906 - SV-257906r991589_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
RHEL-09-232130
Vuln IDs
  • V-257906
Rule IDs
  • SV-257906r991589_rule
The "/etc/passwd" file contains information about the users that are configured on the system. Protection of this file is critical for system security.
Checks: C-61647r925703_chk

Verify the ownership of the "/etc/passwd" file with the following command: $ sudo stat -c "%U %n" /etc/passwd root /etc/passwd If "/etc/passwd" file does not have an owner of "root", this is a finding.

Fix: F-61571r925704_fix

Change the owner of the file /etc/passwd to root by running the following command: $ sudo chown root /etc/passwd

b
RHEL 9 /etc/passwd file must be group-owned by root.
CM-6 - Medium - CCI-000366 - V-257907 - SV-257907r991589_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
RHEL-09-232135
Vuln IDs
  • V-257907
Rule IDs
  • SV-257907r991589_rule
The "/etc/passwd" file contains information about the users that are configured on the system. Protection of this file is critical for system security.
Checks: C-61648r925706_chk

Verify the group ownership of the "/etc/passwd" file with the following command: $ sudo stat -c "%G %n" /etc/passwd root /etc/passwd If "/etc/passwd" file does not have a group owner of "root", this is a finding.

Fix: F-61572r925707_fix

Change the group of the file /etc/passwd to root by running the following command: $ sudo chgrp root /etc/passwd

b
RHEL 9 /etc/passwd- file must be owned by root.
CM-6 - Medium - CCI-000366 - V-257908 - SV-257908r991589_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
RHEL-09-232140
Vuln IDs
  • V-257908
Rule IDs
  • SV-257908r991589_rule
The "/etc/passwd-" file is a backup file of "/etc/passwd", and as such, contains information about the users that are configured on the system. Protection of this file is critical for system security.
Checks: C-61649r925709_chk

Verify the ownership of the "/etc/passwd-" file with the following command: $ sudo stat -c "%U %n" /etc/passwd- root /etc/passwd- If "/etc/passwd-" file does not have an owner of "root", this is a finding.

Fix: F-61573r925710_fix

Change the owner of the file /etc/passwd- to root by running the following command: $ sudo chown root /etc/passwd-

b
RHEL 9 /etc/passwd- file must be group-owned by root.
CM-6 - Medium - CCI-000366 - V-257909 - SV-257909r991589_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
RHEL-09-232145
Vuln IDs
  • V-257909
Rule IDs
  • SV-257909r991589_rule
The "/etc/passwd-" file is a backup file of "/etc/passwd", and as such, contains information about the users that are configured on the system. Protection of this file is critical for system security.
Checks: C-61650r925712_chk

Verify the group ownership of the "/etc/passwd-" file with the following command: $ sudo stat -c "%G %n" /etc/passwd- root /etc/passwd- If "/etc/passwd-" file does not have a group owner of "root", this is a finding.

Fix: F-61574r925713_fix

Change the group of the file /etc/passwd- to root by running the following command: $ sudo chgrp root /etc/passwd-

b
RHEL 9 /etc/shadow file must be owned by root.
CM-6 - Medium - CCI-000366 - V-257910 - SV-257910r991589_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
RHEL-09-232150
Vuln IDs
  • V-257910
Rule IDs
  • SV-257910r991589_rule
The "/etc/shadow" file contains the list of local system accounts and stores password hashes. Protection of this file is critical for system security. Failure to give ownership of this file to root provides the designated owner with access to sensitive information, which could weaken the system security posture.
Checks: C-61651r925715_chk

Verify the ownership of the "/etc/shadow" file with the following command: $ sudo stat -c "%U %n" /etc/shadow root /etc/shadow If "/etc/shadow" file does not have an owner of "root", this is a finding.

Fix: F-61575r925716_fix

Change the owner of the file /etc/shadow to root by running the following command: $ sudo chown root /etc/shadow

b
RHEL 9 /etc/shadow file must be group-owned by root.
CM-6 - Medium - CCI-000366 - V-257911 - SV-257911r991589_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
RHEL-09-232155
Vuln IDs
  • V-257911
Rule IDs
  • SV-257911r991589_rule
The "/etc/shadow" file stores password hashes. Protection of this file is critical for system security.
Checks: C-61652r925718_chk

Verify the group ownership of the "/etc/shadow" file with the following command: $ sudo stat -c "%G %n" /etc/shadow root /etc/shadow If "/etc/shadow" file does not have a group owner of "root", this is a finding.

Fix: F-61576r925719_fix

Change the group of the file /etc/shadow to root by running the following command: $ sudo chgrp root /etc/shadow

b
RHEL 9 /etc/shadow- file must be owned by root.
CM-6 - Medium - CCI-000366 - V-257912 - SV-257912r991589_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
RHEL-09-232160
Vuln IDs
  • V-257912
Rule IDs
  • SV-257912r991589_rule
The "/etc/shadow-" file is a backup file of "/etc/shadow", and as such, contains the list of local system accounts and password hashes. Protection of this file is critical for system security.
Checks: C-61653r925721_chk

Verify the ownership of the "/etc/shadow-" file with the following command: $ sudo stat -c "%U %n" /etc/shadow- root /etc/shadow- If "/etc/shadow-" file does not have an owner of "root", this is a finding.

Fix: F-61577r925722_fix

Change the owner of the file /etc/shadow- to root by running the following command: $ sudo chown root /etc/shadow-

b
RHEL 9 /etc/shadow- file must be group-owned by root.
CM-6 - Medium - CCI-000366 - V-257913 - SV-257913r991589_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
RHEL-09-232165
Vuln IDs
  • V-257913
Rule IDs
  • SV-257913r991589_rule
The "/etc/shadow-" file is a backup file of "/etc/shadow", and as such, contains the list of local system accounts and password hashes. Protection of this file is critical for system security.
Checks: C-61654r925724_chk

Verify the group ownership of the "/etc/shadow-" file with the following command: $ sudo stat -c "%G %n" /etc/shadow- root /etc/shadow- If "/etc/shadow-" file does not have a group owner of "root", this is a finding.

Fix: F-61578r925725_fix

Change the group of the file /etc/shadow- to root by running the following command: $ sudo chgrp root /etc/shadow-

b
RHEL 9 /var/log directory must be owned by root.
SI-11 - Medium - CCI-001314 - V-257914 - SV-257914r958566_rule
RMF Control
SI-11
Severity
Medium
CCI
CCI-001314
Version
RHEL-09-232170
Vuln IDs
  • V-257914
Rule IDs
  • SV-257914r958566_rule
Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the RHEL 9 system or platform. Additionally, personally identifiable information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements.
Checks: C-61655r925727_chk

Verify the "/var/log" directory is owned by root with the following command: $ ls -ld /var/log drwxr-xr-x. 16 root root 4096 July 11 11:34 /var/log If "/var/log" does not have an owner of "root", this is a finding.

Fix: F-61579r925728_fix

Configure the owner of the directory "/var/log" to "root" by running the following command: $ sudo chown root /var/log

b
RHEL 9 /var/log directory must be group-owned by root.
SI-11 - Medium - CCI-001314 - V-257915 - SV-257915r958566_rule
RMF Control
SI-11
Severity
Medium
CCI
CCI-001314
Version
RHEL-09-232175
Vuln IDs
  • V-257915
Rule IDs
  • SV-257915r958566_rule
Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the RHEL 9 system or platform. Additionally, personally identifiable information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements.
Checks: C-61656r925730_chk

Verify the "/var/log" directory is group-owned by root with the following command: $ ls -ld /var/log drwxr-xr-x. 16 root root 4096 July 11 11:34 /var/log If "/var/log" does not have a group owner of "root", this is a finding.

Fix: F-61580r925731_fix

Configure the group owner of the directory "/var/log" to "root" by running the following command: $ sudo chgrp root /var/log

b
RHEL 9 /var/log/messages file must be owned by root.
SI-11 - Medium - CCI-001314 - V-257916 - SV-257916r958566_rule
RMF Control
SI-11
Severity
Medium
CCI
CCI-001314
Version
RHEL-09-232180
Vuln IDs
  • V-257916
Rule IDs
  • SV-257916r958566_rule
Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the RHEL 9 system or platform. Additionally, personally identifiable information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements.
Checks: C-61657r925733_chk

Verify the "/var/log/messages" file is owned by root with the following command: $ ls -la /var/log/messages rw-------. 1 root root 564223 July 11 11:34 /var/log/messages If "/var/log/messages" does not have an owner of "root", this is a finding.

Fix: F-61581r925734_fix

Change the owner of the "/var/log/messages" file to "root" by running the following command: $ sudo chown root /var/log/messages

b
RHEL 9 /var/log/messages file must be group-owned by root.
SI-11 - Medium - CCI-001314 - V-257917 - SV-257917r958566_rule
RMF Control
SI-11
Severity
Medium
CCI
CCI-001314
Version
RHEL-09-232185
Vuln IDs
  • V-257917
Rule IDs
  • SV-257917r958566_rule
Only authorized personnel should be aware of errors and the details of the errors. Error messages are an indicator of an organization's operational state or can identify the RHEL 9 system or platform. Additionally, personally identifiable information (PII) and operational information must not be revealed through error messages to unauthorized personnel or their designated representatives. The structure and content of error messages must be carefully considered by the organization and development team. The extent to which the information system is able to identify and handle error conditions is guided by organizational policy and operational requirements.
Checks: C-61658r925736_chk

Verify the "/var/log/messages" file is group-owned by root with the following command: $ ls -la /var/log/messages rw-------. 1 root root 564223 July 11 11:34 /var/log/messages If "/var/log/messages" does not have a group owner of "root", this is a finding.

Fix: F-61582r925737_fix

Change the group owner of the "/var/log/messages" file to "root" by running the following command: $ sudo chgrp root /var/log/messages

b
RHEL 9 system commands must be owned by root.
CM-5 - Medium - CCI-001499 - V-257918 - SV-257918r991560_rule
RMF Control
CM-5
Severity
Medium
CCI
CCI-001499
Version
RHEL-09-232190
Vuln IDs
  • V-257918
Rule IDs
  • SV-257918r991560_rule
If RHEL 9 allowed any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement applies to RHEL 9 with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs that execute with escalated privileges.
Checks: C-61659r925739_chk

Verify the system commands contained in the following directories are owned by "root" with the following command: $ sudo find -L /bin /sbin /usr/bin /usr/sbin /usr/libexec /usr/local/bin /usr/local/sbin ! -user root -exec ls -l {} \; If any system commands are found to not be owned by root, this is a finding.

Fix: F-61583r925740_fix

Configure the system commands to be protected from unauthorized access. Run the following command, replacing "[FILE]" with any system command file not owned by "root". $ sudo chown root [FILE]

b
RHEL 9 system commands must be group-owned by root or a system account.
CM-5 - Medium - CCI-001499 - V-257919 - SV-257919r991560_rule
RMF Control
CM-5
Severity
Medium
CCI
CCI-001499
Version
RHEL-09-232195
Vuln IDs
  • V-257919
Rule IDs
  • SV-257919r991560_rule
If RHEL 9 allowed any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement applies to RHEL 9 with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs that execute with escalated privileges.
Checks: C-61660r925742_chk

Verify the system commands contained in the following directories are group-owned by "root", or a required system account, with the following command: $ sudo find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin ! -group root -exec ls -l {} \; If any system commands are returned and is not group-owned by a required system account, this is a finding.

Fix: F-61584r925743_fix

Configure the system commands to be protected from unauthorized access. Run the following command, replacing "[FILE]" with any system command file not group-owned by "root" or a required system account. $ sudo chgrp root [FILE]

b
RHEL 9 library files must be owned by root.
CM-5 - Medium - CCI-001499 - V-257920 - SV-257920r991560_rule
RMF Control
CM-5
Severity
Medium
CCI
CCI-001499
Version
RHEL-09-232200
Vuln IDs
  • V-257920
Rule IDs
  • SV-257920r991560_rule
If RHEL 9 allowed any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement applies to RHEL 9 with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs that execute with escalated privileges.
Checks: C-61661r925745_chk

Verify the system-wide shared library files are owned by "root" with the following command: $ sudo find -L /lib /lib64 /usr/lib /usr/lib64 ! -user root -exec ls -l {} \; If any system-wide shared library file is not owned by root, this is a finding.

Fix: F-61585r925746_fix

Configure the system-wide shared library files (/lib, /lib64, /usr/lib and /usr/lib64) to be protected from unauthorized access. Run the following command, replacing "[FILE]" with any library file not owned by "root". $ sudo chown root [FILE]

b
RHEL 9 library files must be group-owned by root or a system account.
CM-5 - Medium - CCI-001499 - V-257921 - SV-257921r991560_rule
RMF Control
CM-5
Severity
Medium
CCI
CCI-001499
Version
RHEL-09-232205
Vuln IDs
  • V-257921
Rule IDs
  • SV-257921r991560_rule
If RHEL 9 allowed any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement applies to RHEL 9 with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs that execute with escalated privileges.
Checks: C-61662r925748_chk

Verify the system-wide shared library files are group-owned by "root" with the following command: $ sudo find -L /lib /lib64 /usr/lib /usr/lib64 ! -group root -exec ls -l {} \; If any system-wide shared library file is returned and is not group-owned by a required system account, this is a finding.

Fix: F-61586r925749_fix

Configure the system-wide shared library files (/lib, /lib64, /usr/lib and /usr/lib64) to be protected from unauthorized access. Run the following command, replacing "[FILE]" with any library file not group-owned by "root". $ sudo chgrp root [FILE]

b
RHEL 9 library directories must be owned by root.
CM-5 - Medium - CCI-001499 - V-257922 - SV-257922r991560_rule
RMF Control
CM-5
Severity
Medium
CCI
CCI-001499
Version
RHEL-09-232210
Vuln IDs
  • V-257922
Rule IDs
  • SV-257922r991560_rule
If RHEL 9 allowed any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement applies to RHEL 9 with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs that execute with escalated privileges.
Checks: C-61663r925751_chk

Verify the system-wide shared library directories are owned by "root" with the following command: $ sudo find /lib /lib64 /usr/lib /usr/lib64 ! -user root -type d -exec stat -c "%n %U" '{}' \; If any system-wide shared library directory is not owned by root, this is a finding.

Fix: F-61587r925752_fix

Configure the system-wide shared library directories within (/lib, /lib64, /usr/lib and /usr/lib64) to be protected from unauthorized access. Run the following command, replacing "[DIRECTORY]" with any library directory not owned by "root". $ sudo chown root [DIRECTORY]

b
RHEL 9 library directories must be group-owned by root or a system account.
CM-5 - Medium - CCI-001499 - V-257923 - SV-257923r991560_rule
RMF Control
CM-5
Severity
Medium
CCI
CCI-001499
Version
RHEL-09-232215
Vuln IDs
  • V-257923
Rule IDs
  • SV-257923r991560_rule
If RHEL 9 allowed any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement applies to RHEL 9 with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs that execute with escalated privileges.
Checks: C-61664r925754_chk

Verify the system-wide shared library directories are group-owned by "root" with the following command: $ sudo find /lib /lib64 /usr/lib /usr/lib64 ! -group root -type d -exec stat -c "%n %G" '{}' \; If any system-wide shared library directory is returned and is not group-owned by a required system account, this is a finding.

Fix: F-61588r925755_fix

Configure the system-wide shared library directories (/lib, /lib64, /usr/lib and /usr/lib64) to be protected from unauthorized access. Run the following command, replacing "[DIRECTORY]" with any library directory not group-owned by "root". $ sudo chgrp root [DIRECTORY]

b
RHEL 9 audit tools must be owned by root.
AU-9 - Medium - CCI-001493 - V-257924 - SV-257924r991557_rule
RMF Control
AU-9
Severity
Medium
CCI
CCI-001493
Version
RHEL-09-232220
Vuln IDs
  • V-257924
Rule IDs
  • SV-257924r991557_rule
Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit information. RHEL 9 systems providing tools to interface with audit information will leverage user permissions and roles identifying the user accessing the tools, and the corresponding rights the user enjoys, to make access decisions regarding the access to audit tools. Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators.
Checks: C-61665r925757_chk

Verify the audit tools are owned by "root" with the following command: $ sudo stat -c "%U %n" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/rsyslogd /sbin/augenrules root /sbin/auditctl root /sbin/aureport root /sbin/ausearch root /sbin/autrace root /sbin/auditd root /sbin/rsyslogd root /sbin/augenrules If any audit tools do not have an owner of "root", this is a finding.

Fix: F-61589r925758_fix

Configure the audit tools to be owned by "root" by running the following command: $ sudo chown root [audit_tool] Replace "[audit_tool]" with each audit tool not owned by "root".

b
RHEL 9 audit tools must be group-owned by root.
AU-9 - Medium - CCI-001493 - V-257925 - SV-257925r991557_rule
RMF Control
AU-9
Severity
Medium
CCI
CCI-001493
Version
RHEL-09-232225
Vuln IDs
  • V-257925
Rule IDs
  • SV-257925r991557_rule
Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data; therefore, protecting audit tools is necessary to prevent unauthorized operation on audit information. RHEL 9 systems providing tools to interface with audit information will leverage user permissions and roles identifying the user accessing the tools, and the corresponding rights the user enjoys, to make access decisions regarding the access to audit tools. Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators.
Checks: C-61666r925760_chk

Verify the audit tools are group owned by "root" with the following command: $ sudo stat -c "%G %n" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/rsyslogd /sbin/augenrules root /sbin/auditctl root /sbin/aureport root /sbin/ausearch root /sbin/autrace root /sbin/auditd root /sbin/rsyslogd root /sbin/augenrules If any audit tools do not have a group owner of "root", this is a finding.

Fix: F-61590r925761_fix

Configure the audit tools to be group-owned by "root" by running the following command: $ sudo chgrp root [audit_tool] Replace "[audit_tool]" with each audit tool not group-owned by "root".

b
RHEL 9 cron configuration files directory must be owned by root.
CM-6 - Medium - CCI-000366 - V-257926 - SV-257926r991589_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
RHEL-09-232230
Vuln IDs
  • V-257926
Rule IDs
  • SV-257926r991589_rule
Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable configurations; therefore, service configuration files must be owned by the correct group to prevent unauthorized changes.
Checks: C-61667r925763_chk

Verify the ownership of all cron configuration files with the command: $ stat -c "%U %n" /etc/cron* root /etc/cron.d root /etc/cron.daily root /etc/cron.deny root /etc/cron.hourly root /etc/cron.monthly root /etc/crontab root /etc/cron.weekly If any crontab is not owned by root, this is a finding.

Fix: F-61591r925764_fix

Configure any cron configuration not owned by root with the following command: $ sudo chown root [cron config file]

b
RHEL 9 cron configuration files directory must be group-owned by root.
CM-6 - Medium - CCI-000366 - V-257927 - SV-257927r991589_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
RHEL-09-232235
Vuln IDs
  • V-257927
Rule IDs
  • SV-257927r991589_rule
Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable configurations; therefore, service configuration files should be owned by the correct group to prevent unauthorized changes.
Checks: C-61668r925766_chk

Verify the group ownership of all cron configuration files with the following command: $ stat -c "%G %n" /etc/cron* root /etc/cron.d root /etc/cron.daily root /etc/cron.deny root /etc/cron.hourly root /etc/cron.monthly root /etc/crontab root /etc/cron.weekly If any crontab is not group owned by root, this is a finding.

Fix: F-61592r925767_fix

Configure any cron configuration not group-owned by root with the following command: $ sudo chgrp root [cron config file]

b
All RHEL 9 world-writable directories must be owned by root, sys, bin, or an application user.
CM-6 - Medium - CCI-000366 - V-257928 - SV-257928r991589_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
RHEL-09-232240
Vuln IDs
  • V-257928
Rule IDs
  • SV-257928r991589_rule
If a world-writable directory is not owned by root, sys, bin, or an application user identifier (UID), unauthorized users may be able to modify files created by others. The only authorized public directories are those temporary directories supplied with the system or those designed to be temporary file repositories. The setting is normally reserved for directories used by the system and by users for temporary file storage, (e.g., /tmp), and for directories requiring global read/write access. Satisfies: SRG-OS-000480-GPOS-00227, SRG-OS-000138-GPOS-00069
Checks: C-61669r925769_chk

Verify that world writable directories are owned by root, a system account, or an application account with the following command. It will discover and print world-writable directories that are not owned by root. Run it once for each local partition [PART]: $ sudo find PART -xdev -type d -perm -0002 -uid +0 -print If there is output, this is a finding.

Fix: F-61593r925770_fix

Configure all public directories to be owned by root or a system account to prevent unauthorized and unintended information transferred via shared system resources. Set the owner of all public directories as root or a system account using the command, replace "[Public Directory]" with any directory path not owned by root or a system account: $ sudo chown root [Public Directory]

b
A sticky bit must be set on all RHEL 9 public directories.
SC-4 - Medium - CCI-001090 - V-257929 - SV-257929r958524_rule
RMF Control
SC-4
Severity
Medium
CCI
CCI-001090
Version
RHEL-09-232245
Vuln IDs
  • V-257929
Rule IDs
  • SV-257929r958524_rule
Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the actions of prior users/roles (or the actions of processes acting on behalf of prior users/roles) from being available to any current users/roles (or current processes) that obtain access to shared system resources (e.g., registers, main memory, hard disks) after those resources have been released back to information systems. The control of information in shared resources is also commonly referred to as object reuse and residual information protection. This requirement generally applies to the design of an information technology product, but it can also apply to the configuration of particular information system components that are, or use, such products. This can be verified by acceptance/validation processes in DOD or other government agencies.
Checks: C-61670r925772_chk

Verify that all world-writable directories have the sticky bit set. Determine if all world-writable directories have the sticky bit set by running the following command: $ sudo find / -type d \( -perm -0002 -a ! -perm -1000 \) -print 2&gt;/dev/null drwxrwxrwt 7 root root 4096 Jul 26 11:19 /tmp If any of the returned directories are world-writable and do not have the sticky bit set, this is a finding.

Fix: F-61594r925773_fix

Configure all world-writable directories to have the sticky bit set to prevent unauthorized and unintended information transferred via shared system resources. Set the sticky bit on all world-writable directories using the command, replace "[World-Writable Directory]" with any directory path missing the sticky bit: $ chmod a+t [World-Writable Directory]

b
All RHEL 9 local files and directories must have a valid group owner.
CM-6 - Medium - CCI-000366 - V-257930 - SV-257930r991589_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
RHEL-09-232250
Vuln IDs
  • V-257930
Rule IDs
  • SV-257930r991589_rule
Files without a valid group owner may be unintentionally inherited if a group is assigned the same Group Identifier (GID) as the GID of the files without a valid group owner.
Checks: C-61671r925775_chk

Verify all local files and directories on RHEL 9 have a valid group with the following command: $ df --local -P | awk {'if (NR!=1) print $6'} | sudo xargs -I '{}' find '{}' -xdev -nogroup If any files on the system do not have an assigned group, this is a finding.

Fix: F-61595r925776_fix

Either remove all files and directories from RHEL 9 that do not have a valid group, or assign a valid group to all files and directories on the system with the "chgrp" command: $ sudo chgrp <group> <file>

b
All RHEL 9 local files and directories must have a valid owner.
CM-6 - Medium - CCI-000366 - V-257931 - SV-257931r991589_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
RHEL-09-232255
Vuln IDs
  • V-257931
Rule IDs
  • SV-257931r991589_rule
Unowned files and directories may be unintentionally inherited if a user is assigned the same user identifier "UID" as the UID of the unowned files.
Checks: C-61672r925778_chk

Verify all local files and directories on RHEL 9 have a valid owner with the following command: $ df --local -P | awk {'if (NR!=1) print $6'} | sudo xargs -I '{}' find '{}' -xdev -nouser If any files on the system do not have an assigned owner, this is a finding.

Fix: F-61596r925779_fix

Either remove all files and directories from the system that do not have a valid user, or assign a valid user to all unowned files and directories on RHEL 9 with the "chown" command: $ sudo chown <user> <file>

b
RHEL 9 must be configured so that all system device files are correctly labeled to prevent unauthorized modification.
CM-6 - Medium - CCI-000366 - V-257932 - SV-257932r1014838_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
RHEL-09-232260
Vuln IDs
  • V-257932
Rule IDs
  • SV-257932r1014838_rule
If an unauthorized or modified device is allowed to exist on the system, there is the possibility the system may perform unintended or unauthorized operations.
Checks: C-61673r925781_chk

Verify that all system device files are correctly labeled to prevent unauthorized modification. List all device files on the system that are incorrectly labeled with the following commands: Note: Device files are normally found under "/dev", but applications may place device files in other directories and may necessitate a search of the entire system. # find /dev -context *:device_t:* \( -type c -o -type b \) -printf "%p %Z\n" # find /dev -context *:unlabeled_t:* \( -type c -o -type b \) -printf "%p %Z\n" Note: There are device files, such as "/dev/vmci", that are used when the operating system is a host virtual machine. They will not be owned by a user on the system and require the "device_t" label to operate. These device files are not a finding. If there is output from either of these commands, other than already noted, this is a finding.

Fix: F-61597r1014837_fix

Restore the SELinux policy for the affected device file from the system policy database using the following command: $ sudo restorecon -v <device_path> Substitute "<device_path>" with the path to the affected device file (from the output of the previous commands). An example device file path would be "/dev/ttyUSB0". If the output of the above command does not indicate that the device was relabeled to a more specific SELinux type label, then the SELinux policy of the system must be updated with more specific policy for the device class specified. If a package was used to install support for a device class, that package could be reinstalled using the following command: $ sudo dnf reinstall <package_name> If a package was not used to install the SELinux policy for a given device class, then it must be generated manually and provide specific type labels.

b
RHEL 9 /etc/crontab file must have mode 0600.
CM-6 - Medium - CCI-000366 - V-257933 - SV-257933r991589_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
RHEL-09-232265
Vuln IDs
  • V-257933
Rule IDs
  • SV-257933r991589_rule
Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable configurations; therefore, service configuration files must have the correct access rights to prevent unauthorized changes.
Checks: C-61674r925784_chk

Verify the permissions of /etc/crontab with the following command: $ stat -c "%a %n" /etc/crontab 0600 If /etc/crontab does not have a mode of "0600", this is a finding.

Fix: F-61598r925785_fix

Configure the RHEL 9 file /etc/crontab with mode 600. $ sudo chmod 0600 /etc/crontab

b
RHEL 9 /etc/shadow file must have mode 0000 to prevent unauthorized access.
CM-6 - Medium - CCI-000366 - V-257934 - SV-257934r991589_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
RHEL-09-232270
Vuln IDs
  • V-257934
Rule IDs
  • SV-257934r991589_rule
The "/etc/shadow" file contains the list of local system accounts and stores password hashes. Protection of this file is critical for system security. Failure to give ownership of this file to root provides the designated owner with access to sensitive information, which could weaken the system security posture.
Checks: C-61675r925787_chk

Verify that the "/etc/shadow" file has mode "0000" with the following command: $ sudo stat -c "%a %n" /etc/shadow 0 /etc/shadow If a value of "0" is not returned, this is a finding.

Fix: F-61599r925788_fix

Change the mode of the file "/etc/shadow" to "0000" by running the following command: $ sudo chmod 0000 /etc/shadow

b
RHEL 9 must have the firewalld package installed.
CM-6 - Medium - CCI-000366 - V-257935 - SV-257935r958480_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
RHEL-09-251010
Vuln IDs
  • V-257935
Rule IDs
  • SV-257935r958480_rule
"Firewalld" provides an easy and effective way to block/limit remote access to the system via ports, services, and protocols. Remote access services, such as those providing remote access to network devices and information systems, which lack automated control capabilities, increase risk and make remote user access management difficult at best. Remote access is access to DOD nonpublic information systems by an authorized user (or an information system) communicating through an external, nonorganization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. RHEL 9 functionality (e.g., SSH) must be capable of taking enforcement action if the audit reveals unauthorized activity. Automated control of remote access sessions allows organizations to ensure ongoing compliance with remote access policies by enforcing connection rules of remote access applications on a variety of information system components (e.g., servers, workstations, notebook computers, smartphones, and tablets). Satisfies: SRG-OS-000096-GPOS-00050, SRG-OS-000297-GPOS-00115, SRG-OS-000298-GPOS-00116, SRG-OS-000480-GPOS-00227, SRG-OS-000480-GPOS-00232
Checks: C-61676r925790_chk

Run the following command to determine if the firewalld package is installed with the following command: $ sudo dnf list --installed firewalld Example output: firewalld.noarch 1.0.0-4.el9 If the "firewall" package is not installed, this is a finding.

Fix: F-61600r925791_fix

To install the "firewalld" package run the following command: $ sudo dnf install firewalld

b
The firewalld service on RHEL 9 must be active.
CM-6 - Medium - CCI-000366 - V-257936 - SV-257936r958480_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
RHEL-09-251015
Vuln IDs
  • V-257936
Rule IDs
  • SV-257936r958480_rule
"Firewalld" provides an easy and effective way to block/limit remote access to the system via ports, services, and protocols. Remote access services, such as those providing remote access to network devices and information systems, which lack automated control capabilities, increase risk and make remote user access management difficult at best. Remote access is access to DOD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. RHEL 9 functionality (e.g., RDP) must be capable of taking enforcement action if the audit reveals unauthorized activity. Automated control of remote access sessions allows organizations to ensure ongoing compliance with remote access policies by enforcing connection rules of remote access applications on a variety of information system components (e.g., servers, workstations, notebook computers, smartphones, and tablets). Satisfies: SRG-OS-000096-GPOS-00050, SRG-OS-000297-GPOS-00115, SRG-OS-000480-GPOS-00227, SRG-OS-000480-GPOS-00232
Checks: C-61677r925793_chk

Verify that "firewalld" is active with the following command: $ systemctl is-active firewalld active If the firewalld service is not active, this is a finding.

Fix: F-61601r925794_fix

To enable the firewalld service run the following command: $ sudo systemctl enable --now firewalld

b
A RHEL 9 firewall must employ a deny-all, allow-by-exception policy for allowing connections to other systems.
CM-6 - Medium - CCI-000366 - V-257937 - SV-257937r991589_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
RHEL-09-251020
Vuln IDs
  • V-257937
Rule IDs
  • SV-257937r991589_rule
Failure to restrict network connectivity only to authorized systems permits inbound connections from malicious systems. It also permits outbound connections that may facilitate exfiltration of DOD data. RHEL 9 incorporates the "firewalld" daemon, which allows for many different configurations. One of these configurations is zones. Zones can be utilized to a deny-all, allow-by-exception approach. The default "drop" zone will drop all incoming network packets unless it is explicitly allowed by the configuration file or is related to an outgoing network connection.
Checks: C-61678r925796_chk

Verify the RHEL 9 "firewalld" is configured to employ a deny-all, allow-by-exception policy for allowing connections to other systems with the following commands: $ sudo firewall-cmd --state running $ sudo firewall-cmd --get-active-zones public interfaces: ens33 $ sudo firewall-cmd --info-zone=public | grep target target: DROP $ sudo firewall-cmd --permanent --info-zone=public | grep target target: DROP If no zones are active on the RHEL 9 interfaces or if runtime and permanent targets are set to a different option other than "DROP", this is a finding.

Fix: F-61602r925797_fix

Configure the "firewalld" daemon to employ a deny-all, allow-by-exception with the following commands: Start by adding the exceptions that are required for mission functionality to the "drop" zone. If SSH access on port 22 is needed, for example, run the following: "sudo firewall-cmd --permanent --add-service=ssh --zone=drop" Reload the firewall rules to update the runtime configuration from the "--permanent" changes made above: $ sudo firewall-cmd --reload Set the default zone to the drop zone: $ sudo firewall-cmd --set-default-zone=drop Note: This is a runtime and permanent change. Add any interfaces to the newly modified "drop" zone: $ sudo firewall-cmd --permanent --zone=drop --change-interface=ens33 Reload the firewall rules for changes to take effect: $ sudo firewall-cmd --reload

b
RHEL 9 must protect against or limit the effects of denial-of-service (DoS) attacks by ensuring rate-limiting measures on impacted network interfaces are implemented.
SC-5 - Medium - CCI-002385 - V-257939 - SV-257939r958902_rule
RMF Control
SC-5
Severity
Medium
CCI
CCI-002385
Version
RHEL-09-251030
Vuln IDs
  • V-257939
Rule IDs
  • SV-257939r958902_rule
DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. This requirement addresses the configuration of RHEL 9 to mitigate the impact of DoS attacks that have occurred or are ongoing on system availability. For each system, known and potential DoS attacks must be identified and solutions for each type implemented. A variety of technologies exists to limit or, in some cases, eliminate the effects of DoS attacks (e.g., limiting processes or establishing memory partitions). Employing increased capacity and bandwidth, combined with service redundancy, may reduce the susceptibility to some DoS attacks.
Checks: C-61680r925802_chk

Verify "nftables" is configured to allow rate limits on any connection to the system with the following command: $ sudo grep -i firewallbackend /etc/firewalld/firewalld.conf # FirewallBackend FirewallBackend=nftables If the "nftables" is not set as the "FirewallBackend" default, this is a finding.

Fix: F-61604r925803_fix

Configure "nftables" to be the default "firewallbackend" for "firewalld" by adding or editing the following line in "etc/firewalld/firewalld.conf": FirewallBackend=nftables Establish rate-limiting rules based on organization-defined types of DoS attacks on impacted network interfaces.

b
RHEL 9 must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments.
CM-7 - Medium - CCI-000382 - V-257940 - SV-257940r958480_rule
RMF Control
CM-7
Severity
Medium
CCI
CCI-000382
Version
RHEL-09-251035
Vuln IDs
  • V-257940
Rule IDs
  • SV-257940r958480_rule
To prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable or restrict unused or unnecessary ports, protocols, and services on information systems.
Checks: C-61681r925805_chk

Inspect the firewall configuration and running services to verify it is configured to prohibit or restrict the use of functions, ports, protocols, and/or services that are unnecessary or prohibited. Check which services are currently active with the following command: $ sudo firewall-cmd --list-all-zones custom (active) target: DROP icmp-block-inversion: no interfaces: ens33 sources: services: dhcpv6-client dns http https ldaps rpc-bind ssh ports: masquerade: no forward-ports: icmp-blocks: rich rules: Ask the system administrator for the site or program Ports, Protocols, and Services Management Component Local Service Assessment (PPSM CLSA). Verify the services allowed by the firewall match the PPSM CLSA. If there are additional ports, protocols, or services that are not in the PPSM CLSA, or there are ports, protocols, or services that are prohibited by the PPSM Category Assurance List (CAL), this is a finding.

Fix: F-61605r925806_fix

Update the host's firewall settings and/or running services to comply with the PPSM CLSA for the site or program and the PPSM CAL. Then run the following command to load the newly created rule(s): $ sudo firewall-cmd --reload

b
RHEL 9 network interfaces must not be in promiscuous mode.
CM-6 - Medium - CCI-000366 - V-257941 - SV-257941r991589_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
RHEL-09-251040
Vuln IDs
  • V-257941
Rule IDs
  • SV-257941r991589_rule
Network interfaces in promiscuous mode allow for the capture of all network traffic visible to the system. If unauthorized individuals can access these applications, it may allow them to collect information such as logon IDs, passwords, and key exchanges between systems. If the system is being used to perform a network troubleshooting function, the use of these tools must be documented with the information systems security officer (ISSO) and restricted to only authorized personnel.
Checks: C-61682r925808_chk

Verify network interfaces are not in promiscuous mode with the following command: $ ip link | grep -i promisc If network interfaces are found on the system in promiscuous mode and their use has not been approved by the ISSO and documented, this is a finding.

Fix: F-61606r925809_fix

Configure network interfaces to turn off promiscuous mode unless approved by the ISSO and documented. Set the promiscuous mode of an interface to off with the following command: $ sudo ip link set dev <devicename> multicast off promisc off

b
RHEL 9 must enable hardening for the Berkeley Packet Filter just-in-time compiler.
CM-6 - Medium - CCI-000366 - V-257942 - SV-257942r991589_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
RHEL-09-251045
Vuln IDs
  • V-257942
Rule IDs
  • SV-257942r991589_rule
When hardened, the extended Berkeley Packet Filter (BPF) just-in-time (JIT) compiler will randomize any kernel addresses in the BPF programs and maps, and will not expose the JIT addresses in "/proc/kallsyms".
Checks: C-61683r925811_chk

Verify RHEL 9 enables hardening for the BPF JIT with the following commands: $ sudo sysctl net.core.bpf_jit_harden net.core.bpf_jit_harden = 2 If the returned line does not have a value of "2", or a line is not returned, this is a finding. Check that the configuration files are present to enable this kernel parameter. $ sudo /usr/lib/systemd/systemd-sysctl --cat-config | egrep -v '^(#|;)' | grep -F net.core.bpf_jit_harden | tail -1 net.core.bpf_jit_harden = 2 If the network parameter "net.core.bpf_jit_harden" is not equal to "2" or nothing is returned, this is a finding.

Fix: F-61607r925812_fix

Configure RHEL 9 to enable hardening for the BPF JIT compiler by adding the following line to a file, in the "/etc/sysctl.d" directory: net.core.bpf_jit_harden = 2 The system configuration files need to be reloaded for the changes to take effect. To reload the contents of the files, run the following command: $ sudo sysctl --system

b
RHEL 9 must have the chrony package installed.
- Medium - CCI-004923 - V-257943 - SV-257943r1015081_rule
RMF Control
Severity
Medium
CCI
CCI-004923
Version
RHEL-09-252010
Vuln IDs
  • V-257943
Rule IDs
  • SV-257943r1015081_rule
Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. Sources outside the configured acceptable allowance (drift) may be inaccurate.
Checks: C-61684r925814_chk

Verify that RHEL 9 has the chrony package installed with the following command: $ sudo dnf list --installed chrony Example output: chrony.x86_64 4.1-3.el9 If the "chrony" package is not installed, this is a finding.

Fix: F-61608r925815_fix

The chrony package can be installed with the following command: $ sudo dnf install chrony

b
RHEL 9 chronyd service must be enabled.
- Medium - CCI-004923 - V-257944 - SV-257944r1015082_rule
RMF Control
Severity
Medium
CCI
CCI-004923
Version
RHEL-09-252015
Vuln IDs
  • V-257944
Rule IDs
  • SV-257944r1015082_rule
Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. Sources outside the configured acceptable allowance (drift) may be inaccurate. Synchronizing internal information system clocks provides uniformity of time stamps for information systems with multiple system clocks and systems connected over a network.
Checks: C-61685r925817_chk

Verify the chronyd service is active with the following command: $ systemctl is-active chronyd active If the chronyd service is not active, this is a finding.

Fix: F-61609r925818_fix

To enable the chronyd service run the following command: $ sudo systemctl enable --now chronyd

b
RHEL 9 must securely compare internal information system clocks at least every 24 hours.
AU-8 - Medium - CCI-001890 - V-257945 - SV-257945r1015083_rule
RMF Control
AU-8
Severity
Medium
CCI
CCI-001890
Version
RHEL-09-252020
Vuln IDs
  • V-257945
Rule IDs
  • SV-257945r1015083_rule
Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. Sources outside the configured acceptable allowance (drift) may be inaccurate. Synchronizing internal information system clocks provides uniformity of time stamps for information systems with multiple system clocks and systems connected over a network. Depending on the infrastructure being used the "pool" directive may not be supported. Authoritative time sources include the United States Naval Observatory (USNO) time servers, a time server designated for the appropriate DOD network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS). Satisfies: SRG-OS-000355-GPOS-00143, SRG-OS-000356-GPOS-00144, SRG-OS-000359-GPOS-00146
Checks: C-61686r925820_chk

Verify RHEL 9 is securely comparing internal information system clocks at least every 24 hours with an NTP server with the following commands: $ sudo grep maxpoll /etc/chrony.conf server 0.us.pool.ntp.mil iburst maxpoll 16 If the "maxpoll" option is set to a number greater than 16 or the line is commented out, this is a finding. Verify the "chrony.conf" file is configured to an authoritative DOD time source by running the following command: $ sudo grep -i server /etc/chrony.conf server 0.us.pool.ntp.mil If the parameter "server" is not set or is not set to an authoritative DOD time source, this is a finding.

Fix: F-61610r925821_fix

Configure RHEL 9 to securely compare internal information system clocks at least every 24 hours with an NTP server by adding/modifying the following line in the /etc/chrony.conf file. server [ntp.server.name] iburst maxpoll 16

a
RHEL 9 must disable the chrony daemon from acting as a server.
CM-7 - Low - CCI-000381 - V-257946 - SV-257946r958480_rule
RMF Control
CM-7
Severity
Low
CCI
CCI-000381
Version
RHEL-09-252025
Vuln IDs
  • V-257946
Rule IDs
  • SV-257946r958480_rule
Minimizing the exposure of the server functionality of the chrony daemon diminishes the attack surface. Satisfies: SRG-OS-000096-GPOS-00050, SRG-OS-000095-GPOS-00049
Checks: C-61687r925823_chk

Verify RHEL 9 disables the chrony daemon from acting as a server with the following command: $ grep -w port /etc/chrony.conf port 0 If the "port" option is not set to "0", is commented out, or is missing, this is a finding.

Fix: F-61611r925824_fix

Configure RHEL 9 to disable the chrony daemon from acting as a server by adding/modifying the following line in the /etc/chrony.conf file: port 0

a
RHEL 9 must disable network management of the chrony daemon.
CM-7 - Low - CCI-000381 - V-257947 - SV-257947r958480_rule
RMF Control
CM-7
Severity
Low
CCI
CCI-000381
Version
RHEL-09-252030
Vuln IDs
  • V-257947
Rule IDs
  • SV-257947r958480_rule
Not exposing the management interface of the chrony daemon on the network diminishes the attack space. Satisfies: SRG-OS-000096-GPOS-00050, SRG-OS-000095-GPOS-00049
Checks: C-61688r925826_chk

Verify RHEL 9 disables network management of the chrony daemon with the following command: $ grep -w cmdport /etc/chrony.conf cmdport 0 If the "cmdport" option is not set to "0", is commented out, or is missing, this is a finding.

Fix: F-61612r925827_fix

Configure RHEL 9 to disable network management of the chrony daemon by adding/modifying the following line in the /etc/chrony.conf file: cmdport 0

b
RHEL 9 systems using Domain Name Servers (DNS) resolution must have at least two name servers configured.
CM-6 - Medium - CCI-000366 - V-257948 - SV-257948r991589_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
RHEL-09-252035
Vuln IDs
  • V-257948
Rule IDs
  • SV-257948r991589_rule
To provide availability for name resolution services, multiple redundant name servers are mandated. A failure in name resolution could lead to the failure of security functions requiring name resolution, which may include time synchronization, centralized authentication, and remote system logging.
Checks: C-61689r925829_chk

Verify the name servers used by the system with the following command: $ grep nameserver /etc/resolv.conf nameserver 192.168.1.2 nameserver 192.168.1.3 If less than two lines are returned that are not commented out, this is a finding.

Fix: F-61613r925830_fix

Configure the operating system to use two or more name servers for DNS resolution based on the DNS mode of the system. If the NetworkManager DNS mode is set to "none", then add the following lines to "/etc/resolv.conf": nameserver [name server 1] nameserver [name server 2] Replace [name server 1] and [name server 2] with the IPs of two different DNS resolvers. If the NetworkManager DNS mode is set to "default" then add two DNS servers to a NetworkManager connection. Using the following commands: $ sudo nmcli connection modify [connection name] ipv4.dns [name server 1] $ sudo nmcli connection modify [connection name] ipv4.dns [name server 2] Replace [name server 1] and [name server 2] with the IPs of two different DNS resolvers. Replace [connection name] with a valid NetworkManager connection name on the system. Replace ipv4 with ipv6 if IPv6 DNS servers are used.

b
RHEL 9 must configure a DNS processing mode in Network Manager.
CM-6 - Medium - CCI-000366 - V-257949 - SV-257949r1014841_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
RHEL-09-252040
Vuln IDs
  • V-257949
Rule IDs
  • SV-257949r1014841_rule
In order to ensure that DNS resolver settings are respected, a DNS mode in Network Manager must be configured.
Checks: C-61690r1014840_chk

Verify that RHEL 9 has a DNS mode configured in Network Manager. $ NetworkManager --print-config [main] dns=none If the dns key under main does not exist or is not set to "none" or "default", this is a finding. Note: If RHEL 9 is configured to use a DNS resolver other than Network Manager, the configuration must be documented and approved by the information system security officer (ISSO).

Fix: F-61614r925833_fix

Configure NetworkManager in RHEL 9 to use a DNS mode. In "/etc/NetworkManager/NetworkManager.conf" add the following line in the "[main]" section: dns = none NetworkManager must be reloaded for the change to take effect. $ sudo systemctl reload NetworkManager

b
RHEL 9 must not have unauthorized IP tunnels configured.
CM-6 - Medium - CCI-000366 - V-257950 - SV-257950r991589_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
RHEL-09-252045
Vuln IDs
  • V-257950
Rule IDs
  • SV-257950r991589_rule
IP tunneling mechanisms can be used to bypass network filtering. If tunneling is required, it must be documented with the information system security officer (ISSO).
Checks: C-61691r925835_chk

Verify that RHEL 9 does not have unauthorized IP tunnels configured. Determine if the "IPsec" service is active with the following command: $ systemctl status ipsec ipsec.service - Internet Key Exchange (IKE) Protocol Daemon for IPsec Loaded: loaded (/usr/lib/systemd/system/ipsec.service; disabled) Active: inactive (dead) If the "IPsec" service is active, check for configured IPsec connections ("conn"), with the following command: $ grep -rni conn /etc/ipsec.conf /etc/ipsec.d/ Verify any returned results are documented with the ISSO. If the IPsec tunnels are active and not approved, this is a finding.

Fix: F-61615r925836_fix

Remove all unapproved tunnels from the system, or document them with the ISSO.

b
RHEL 9 must be configured to prevent unrestricted mail relaying.
CM-6 - Medium - CCI-000366 - V-257951 - SV-257951r1014843_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
RHEL-09-252050
Vuln IDs
  • V-257951
Rule IDs
  • SV-257951r1014843_rule
If unrestricted mail relaying is permitted, unauthorized senders could use this host as a mail relay for the purpose of sending spam or other unauthorized activity.
Checks: C-61692r1014842_chk

If postfix is not installed, this is Not Applicable. Verify RHEL 9 is configured to prevent unrestricted mail relaying with the following command: $ postconf -n smtpd_client_restrictions smtpd_client_restrictions = permit_mynetworks,reject If the "smtpd_client_restrictions" parameter contains any entries other than "permit_mynetworks" and "reject", and the additional entries have not been documented with the information system security officer (ISSO), this is a finding.

Fix: F-61616r925839_fix

Modify the postfix configuration file to restrict client connections to the local network with the following command: $ sudo postconf -e 'smtpd_client_restrictions = permit_mynetworks,reject'

b
RHEL 9 must forward mail from postmaster to the root account using a postfix alias.
AU-5 - Medium - CCI-000139 - V-257953 - SV-257953r958424_rule
RMF Control
AU-5
Severity
Medium
CCI
CCI-000139
Version
RHEL-09-252060
Vuln IDs
  • V-257953
Rule IDs
  • SV-257953r958424_rule
It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notification, the security personnel may be unaware of an impending failure of the audit capability, and system operation may be adversely affected. Audit processing failures include software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded.
Checks: C-61694r925844_chk

Verify that the administrators are notified in the event of an audit processing failure. Check that the "/etc/aliases" file has a defined value for "root". $ sudo grep "postmaster:\s*root$" /etc/aliases If the command does not return a line, or the line is commented out, ask the system administrator to indicate how they and the information systems security officer (ISSO) are notified of an audit process failure. If there is no evidence of the proper personnel being notified of an audit processing failure, this is a finding.

Fix: F-61618r925845_fix

Configure a valid email address as an alias for the root account. Append the following line to "/etc/aliases": postmaster: root Then, run the following command: $ sudo newaliases

b
RHEL 9 libreswan package must be installed.
CM-6 - Medium - CCI-000366 - V-257954 - SV-257954r991589_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
RHEL-09-252065
Vuln IDs
  • V-257954
Rule IDs
  • SV-257954r991589_rule
Providing the ability for remote users or systems to initiate a secure VPN connection protects information when it is transmitted over a wide area network. Satisfies: SRG-OS-000480-GPOS-00227, SRG-OS-000120-GPOS-00061
Checks: C-61695r925847_chk

Verify that RHEL 9 libreswan service package is installed. Check that the libreswan service package is installed with the following command: $ sudo dnf list --installed libreswan Example output: libreswan.x86_64 4.6-3.el9 If the "libreswan" package is not installed, this is a finding.

Fix: F-61619r925848_fix

Install the libreswan service (if it is not already installed) with the following command: $ sudo dnf install libreswan

c
There must be no shosts.equiv files on RHEL 9.
CM-6 - High - CCI-000366 - V-257955 - SV-257955r991589_rule
RMF Control
CM-6
Severity
High
CCI
CCI-000366
Version
RHEL-09-252070
Vuln IDs
  • V-257955
Rule IDs
  • SV-257955r991589_rule
The shosts.equiv files are used to configure host-based authentication for the system via SSH. Host-based authentication is not sufficient for preventing unauthorized access to the system, as it does not require interactive identification and authentication of a connection request, or for the use of two-factor authentication.
Checks: C-61696r925850_chk

Verify there are no "shosts.equiv" files on RHEL 9 with the following command: $ sudo find / -name shosts.equiv If a "shosts.equiv" file is found, this is a finding.

Fix: F-61620r925851_fix

Remove any found "shosts.equiv" files from the system. $ sudo rm /[path]/[to]/[file]/shosts.equiv

c
There must be no .shosts files on RHEL 9.
CM-6 - High - CCI-000366 - V-257956 - SV-257956r991589_rule
RMF Control
CM-6
Severity
High
CCI
CCI-000366
Version
RHEL-09-252075
Vuln IDs
  • V-257956
Rule IDs
  • SV-257956r991589_rule
The .shosts files are used to configure host-based authentication for individual users or the system via SSH. Host-based authentication is not sufficient for preventing unauthorized access to the system, as it does not require interactive identification and authentication of a connection request, or for the use of two-factor authentication.
Checks: C-61697r925853_chk

Verify there are no ".shosts" files on RHEL 9 with the following command: $ sudo find / -name .shosts If a ".shosts" file is found, this is a finding.

Fix: F-61621r925854_fix

Remove any found ".shosts" files from the system. $ sudo rm /[path]/[to]/[file]/.shosts

b
RHEL 9 must be configured to use TCP syncookies.
CM-6 - Medium - CCI-000366 - V-257957 - SV-257957r991589_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
RHEL-09-253010
Vuln IDs
  • V-257957
Rule IDs
  • SV-257957r991589_rule
Denial of service (DoS) is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or must operate at degraded capacity. Managing excess capacity ensures that sufficient capacity is available to counter flooding attacks. Employing increased capacity and service redundancy may reduce the susceptibility to some DoS attacks. Managing excess capacity may include, for example, establishing selected usage priorities, quotas, or partitioning. Satisfies: SRG-OS-000480-GPOS-00227, SRG-OS-000420-GPOS-00186, SRG-OS-000142-GPOS-00071
Checks: C-61698r942982_chk

Verify RHEL 9 is configured to use IPv4 TCP syncookies. Determine if syncookies are used with the following command: Check the status of the kernel.perf_event_paranoid kernel parameter. $ sudo sysctl net.ipv4.tcp_syncookies net.ipv4.tcp_syncookies = 1 Check that the configuration files are present to enable this kernel parameter. $ sudo /usr/lib/systemd/systemd-sysctl --cat-config | egrep -v '^(#|;)' | grep -F net.ipv4.tcp_syncookies | tail -1 net.ipv4.tcp_syncookies = 1 If the network parameter "ipv4.tcp_syncookies" is not equal to "1" or nothing is returned, this is a finding.

Fix: F-61622r925857_fix

Configure RHEL 9 to use TCP syncookies. Add or edit the following line in a system configuration file in the "/etc/sysctl.d/" directory: net.ipv4.tcp_syncookies = 1 Load settings from all system configuration files with the following command: $ sudo sysctl --system

b
RHEL 9 must ignore Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages.
CM-6 - Medium - CCI-000366 - V-257958 - SV-257958r991589_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
RHEL-09-253015
Vuln IDs
  • V-257958
Rule IDs
  • SV-257958r991589_rule
ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack. This feature of the IPv4 protocol has few legitimate uses. It should be disabled unless absolutely required.
Checks: C-61699r942984_chk

Verify RHEL 9 will not accept IPv4 ICMP redirect messages. Check the value of the all "accept_redirects" variables with the following command: $ sudo sysctl net.ipv4.conf.all.accept_redirects net.ipv4.conf.all.accept_redirects = 0 If the returned line does not have a value of "0", a line is not returned, or the line is commented out, this is a finding. Check that the configuration files are present to enable this network parameter. $ sudo /usr/lib/systemd/systemd-sysctl --cat-config | egrep -v '^(#|;)' | grep -F net.ipv4.conf.all.accept_redirects | tail -1 net.ipv4.conf.all.accept_redirects = 0 If "net.ipv4.conf.all.accept_redirects" is not set to "0" or is missing, this is a finding.

Fix: F-61623r925860_fix

Configure RHEL 9 to ignore IPv4 ICMP redirect messages. Add or edit the following line in a single system configuration file, in the "/etc/sysctl.d/" directory: net.ipv4.conf.all.accept_redirects = 0 Load settings from all system configuration files with the following command: $ sudo sysctl --system

b
RHEL 9 must not forward Internet Protocol version 4 (IPv4) source-routed packets.
CM-6 - Medium - CCI-000366 - V-257959 - SV-257959r991589_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
RHEL-09-253020
Vuln IDs
  • V-257959
Rule IDs
  • SV-257959r991589_rule
Source-routed packets allow the source of the packet to suggest routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routerd traffic, such as when IPv4 forwarding is enabled and the system is functioning as a router. Accepting source-routed packets in the IPv4 protocol has few legitimate uses. It must be disabled unless it is absolutely required.
Checks: C-61700r942986_chk

Verify RHEL 9 will not accept IPv4 source-routed packets. Check the value of the all "accept_source_route" variables with the following command: $ sudo sysctl net.ipv4.conf.all.accept_source_route net.ipv4.conf.all.accept_source_route = 0 If the returned line does not have a value of "0", a line is not returned, or the line is commented out, this is a finding. Check that the configuration files are present to enable this network parameter. $ sudo /usr/lib/systemd/systemd-sysctl --cat-config | egrep -v '^(#|;)' | grep -F net.ipv4.conf.all.accept_source_route | tail -1 net.ipv4.conf.all.accept_source_route = 0 If "net.ipv4.conf.all.accept_source_route" is not set to "0" or is missing, this is a finding.

Fix: F-61624r925863_fix

Configure RHEL 9 to ignore IPv4 source-routed packets. Add or edit the following line in a single system configuration file, in the "/etc/sysctl.d/" directory: net.ipv4.conf.all.accept_source_route = 0 Load settings from all system configuration files with the following command: $ sudo sysctl --system

b
RHEL 9 must log IPv4 packets with impossible addresses.
CM-6 - Medium - CCI-000366 - V-257960 - SV-257960r991589_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
RHEL-09-253025
Vuln IDs
  • V-257960
Rule IDs
  • SV-257960r991589_rule
The presence of "martian" packets (which have impossible addresses) as well as spoofed packets, source-routed packets, and redirects could be a sign of nefarious network activity. Logging these packets enables this activity to be detected.
Checks: C-61701r925865_chk

Verify RHEL 9 logs IPv4 martian packets. Check the value of the accept source route variable with the following command: $ sudo sysctl net.ipv4.conf.all.log_martians net.ipv4.conf.all.log_martians = 1 If the returned line does not have a value of "1", a line is not returned, or the line is commented out, this is a finding. Check that the configuration files are present to enable this network parameter. $ sudo /usr/lib/systemd/systemd-sysctl --cat-config | egrep -v '^(#|;)' | grep -F net.ipv4.conf.all.log_martians | tail -1 net.ipv4.conf.all.log_martians = 1 If "net.ipv4.conf.all.log_martians" is not set to "1" or is missing, this is a finding.

Fix: F-61625r925866_fix

Configure RHEL 9 to log martian packets on IPv4 interfaces. Add or edit the following line in a single system configuration file, in the "/etc/sysctl.d/" directory: net.ipv4.conf.all.log_martians=1 Load settings from all system configuration files with the following command: $ sudo sysctl --system

b
RHEL 9 must log IPv4 packets with impossible addresses by default.
CM-6 - Medium - CCI-000366 - V-257961 - SV-257961r991589_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
RHEL-09-253030
Vuln IDs
  • V-257961
Rule IDs
  • SV-257961r991589_rule
The presence of "martian" packets (which have impossible addresses) as well as spoofed packets, source-routed packets, and redirects could be a sign of nefarious network activity. Logging these packets enables this activity to be detected.
Checks: C-61702r925868_chk

Verify RHEL 9 logs IPv4 martian packets by default. Check the value of the accept source route variable with the following command: $ sudo sysctl net.ipv4.conf.default.log_martians net.ipv4.conf.default.log_martians = 1 If the returned line does not have a value of "1", a line is not returned, or the line is commented out, this is a finding. Check that the configuration files are present to enable this network parameter. $ sudo /usr/lib/systemd/systemd-sysctl --cat-config | egrep -v '^(#|;)' | grep -F net.ipv4.conf.default.log_martians | tail -1 net.ipv4.conf.default.log_martians = 1 If "net.ipv4.conf.default.log_martians" is not set to "1" or is missing, this is a finding.

Fix: F-61626r925869_fix

Configure RHEL 9 to log martian packets on IPv4 interfaces by default. Add or edit the following line in a single system configuration file, in the "/etc/sysctl.d/" directory: net.ipv4.conf.default.log_martians=1 Load settings from all system configuration files with the following command: $ sudo sysctl --system

b
RHEL 9 must use reverse path filtering on all IPv4 interfaces.
CM-6 - Medium - CCI-000366 - V-257962 - SV-257962r991589_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
RHEL-09-253035
Vuln IDs
  • V-257962
Rule IDs
  • SV-257962r991589_rule
Enabling reverse path filtering drops packets with source addresses that should not have been able to be received on the interface on which they were received. It must not be used on systems that are routers for complicated networks, but is helpful for end hosts and routers serving small networks.
Checks: C-61703r942988_chk

Verify RHEL 9 uses reverse path filtering on all IPv4 interfaces with the following commands: $ sudo sysctl net.ipv4.conf.all.rp_filter net.ipv4.conf.all.rp_filter = 1 If the returned line does not have a value of "1", or a line is not returned, this is a finding. Check that the configuration files are present to enable this network parameter. $ sudo /usr/lib/systemd/systemd-sysctl --cat-config | egrep -v '^(#|;)' | grep -F net.ipv4.conf.all.rp_filter | tail -1 net.ipv4.conf.all.rp_filter = 1 If "net.ipv4.conf.all.rp_filter" is not set to "1" or is missing, this is a finding.

Fix: F-61627r925872_fix

Configure RHEL 9 to use reverse path filtering on all IPv4 interfaces. Add or edit the following line in a single system configuration file, in the "/etc/sysctl.d/" directory: net.ipv4.conf.all.rp_filter = 1 The system configuration files need to be reloaded for the changes to take effect. To reload the contents of the files, run the following command: $ sudo sysctl --system

b
RHEL 9 must prevent IPv4 Internet Control Message Protocol (ICMP) redirect messages from being accepted.
CM-6 - Medium - CCI-000366 - V-257963 - SV-257963r991589_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
RHEL-09-253040
Vuln IDs
  • V-257963
Rule IDs
  • SV-257963r991589_rule
ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack. This feature of the IPv4 protocol has few legitimate uses. It must be disabled unless absolutely required.
Checks: C-61704r942990_chk

Verify RHEL 9 will not accept IPv4 ICMP redirect messages. Check the value of the default "accept_redirects" variables with the following command: $ sudo sysctl net.ipv4.conf.default.accept_redirects net.ipv4.conf.default.accept_redirects = 0 If the returned line does not have a value of "0", a line is not returned, or the line is commented out, this is a finding. Check that the configuration files are present to enable this network parameter. $ sudo /usr/lib/systemd/systemd-sysctl --cat-config | egrep -v '^(#|;)' | grep -F net.ipv4.conf.default.accept_redirects | tail -1 net.ipv4.conf.default.accept_redirects = 0 If "net.ipv4.conf.default.accept_redirects" is not set to "0" or is missing, this is a finding.

Fix: F-61628r925875_fix

Configure RHEL 9 to prevent IPv4 ICMP redirect messages from being accepted. Add or edit the following line in a single system configuration file, in the "/etc/sysctl.d/" directory: net.ipv4.conf.default.accept_redirects = 0 Load settings from all system configuration files with the following command: $ sudo sysctl --system

b
RHEL 9 must not forward IPv4 source-routed packets by default.
CM-6 - Medium - CCI-000366 - V-257964 - SV-257964r991589_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
RHEL-09-253045
Vuln IDs
  • V-257964
Rule IDs
  • SV-257964r991589_rule
Source-routed packets allow the source of the packet to suggest routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. Accepting source-routed packets in the IPv4 protocol has few legitimate uses. It must be disabled unless it is absolutely required, such as when IPv4 forwarding is enabled and the system is legitimately functioning as a router.
Checks: C-61705r942992_chk

Verify RHEL 9 does not accept IPv4 source-routed packets by default. Check the value of the accept source route variable with the following command: $ sudo sysctl net.ipv4.conf.default.accept_source_route net.ipv4.conf.default.accept_source_route = 0 If the returned line does not have a value of "0", a line is not returned, or the line is commented out, this is a finding. Check that the configuration files are present to enable this network parameter. $ sudo /usr/lib/systemd/systemd-sysctl --cat-config | egrep -v '^(#|;)' | grep -F net.ipv4.conf.default.accept_source_route | tail -1 net.ipv4.conf.default.accept_source_route = 0 If "net.ipv4.conf.default.accept_source_route" is not set to "0" or is missing, this is a finding.

Fix: F-61629r925878_fix

Configure RHEL 9 to not forward IPv4 source-routed packets by default. Add or edit the following line in a single system configuration file, in the "/etc/sysctl.d/" directory: net.ipv4.conf.default.accept_source_route = 0 Load settings from all system configuration files with the following command: $ sudo sysctl --system

b
RHEL 9 must use a reverse-path filter for IPv4 network traffic when possible by default.
CM-6 - Medium - CCI-000366 - V-257965 - SV-257965r991589_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
RHEL-09-253050
Vuln IDs
  • V-257965
Rule IDs
  • SV-257965r991589_rule
Enabling reverse path filtering drops packets with source addresses that should not have been able to be received on the interface on which they were received. It must not be used on systems that are routers for complicated networks, but is helpful for end hosts and routers serving small networks.
Checks: C-61706r925880_chk

Verify RHEL 9 uses reverse path filtering on IPv4 interfaces with the following commands: $ sudo sysctl net.ipv4.conf.default.rp_filter net.ipv4.conf.default.rp_filter = 1 If the returned line does not have a value of "1", or a line is not returned, this is a finding. Check that the configuration files are present to enable this network parameter. $ sudo /usr/lib/systemd/systemd-sysctl --cat-config | egrep -v '^(#|;)' | grep -F net.ipv4.conf.default.rp_filter | tail -1 net.ipv4.conf.default.rp_filter = 1 If "net.ipv4.conf.default.rp_filter" is not set to "1" or is missing, this is a finding.

Fix: F-61630r925881_fix

Configure RHEL 9 to use reverse path filtering on IPv4 interfaces by default. Add or edit the following line in a single system configuration file, in the "/etc/sysctl.d/" directory: net.ipv4.conf.default.rp_filter = 1 Load settings from all system configuration files with the following command: $ sudo sysctl --system

b
RHEL 9 must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address.
CM-6 - Medium - CCI-000366 - V-257966 - SV-257966r991589_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
RHEL-09-253055
Vuln IDs
  • V-257966
Rule IDs
  • SV-257966r991589_rule
Responding to broadcast (ICMP) echoes facilitates network mapping and provides a vector for amplification attacks. Ignoring ICMP echo requests (pings) sent to broadcast or multicast addresses makes the system slightly more difficult to enumerate on the network.
Checks: C-61707r942994_chk

Verify RHEL 9 does not respond to ICMP echoes sent to a broadcast address. Check the value of the "icmp_echo_ignore_broadcasts" variable with the following command: $ sudo sysctl net.ipv4.icmp_echo_ignore_broadcasts net.ipv4.icmp_echo_ignore_broadcasts = 1 If the returned line does not have a value of "1", a line is not returned, or the retuned line is commented out, this is a finding. Check that the configuration files are present to enable this network parameter. $ sudo /usr/lib/systemd/systemd-sysctl --cat-config | egrep -v '^(#|$)' | grep -F net.ipv4.icmp_echo_ignore_broadcasts | tail -1 net.ipv4.icmp_echo_ignore_broadcasts = 1 If "net.ipv4.icmp_echo_ignore_broadcasts" is not set to "1" or is missing, this is a finding.

Fix: F-61631r925884_fix

Configure RHEL 9 to not respond to IPv4 ICMP echoes sent to a broadcast address. Add or edit the following line in a single system configuration file, in the "/etc/sysctl.d/" directory: net.ipv4.icmp_echo_ignore_broadcasts = 1 Load settings from all system configuration files with the following command: $ sudo sysctl --system

b
RHEL 9 must limit the number of bogus Internet Control Message Protocol (ICMP) response errors logs.
CM-6 - Medium - CCI-000366 - V-257967 - SV-257967r991589_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
RHEL-09-253060
Vuln IDs
  • V-257967
Rule IDs
  • SV-257967r991589_rule
Some routers will send responses to broadcast frames that violate RFC-1122, which fills up a log file system with many useless error messages. An attacker may take advantage of this and attempt to flood the logs with bogus error logs. Ignoring bogus ICMP error responses reduces log size, although some activity would not be logged.
Checks: C-61708r925886_chk

The runtime status of the net.ipv4.icmp_ignore_bogus_error_responses kernel parameter can be queried by running the following command: $ sudo sysctl net.ipv4.icmp_ignore_bogus_error_responses net.ipv4.icmp_ignore_bogus_error_responses = 1 If "net.ipv4.icmp_ignore_bogus_error_responses" is not set to "1", this is a finding. Check that the configuration files are present to enable this network parameter. $ sudo /usr/lib/systemd/systemd-sysctl --cat-config | egrep -v '^(#|;)' | grep -F net.ipv4.icmp_ignore_bogus_error_response | tail -1 net.ipv4.icmp_ignore_bogus_error_response = 1 If "net.ipv4.icmp_ignore_bogus_error_response" is not set to "1" or is missing, this is a finding.

Fix: F-61632r925887_fix

Configure RHEL 9 to not log bogus ICMP errors: Add or edit the following line in a single system configuration file, in the "/etc/sysctl.d/" directory: net.ipv4.icmp_ignore_bogus_error_responses = 1 Load settings from all system configuration files with the following command: $ sudo sysctl --system

b
RHEL 9 must not send Internet Control Message Protocol (ICMP) redirects.
CM-6 - Medium - CCI-000366 - V-257968 - SV-257968r991589_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
RHEL-09-253065
Vuln IDs
  • V-257968
Rule IDs
  • SV-257968r991589_rule
ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table possibly revealing portions of the network topology. The ability to send ICMP redirects is only appropriate for systems acting as routers.
Checks: C-61709r942996_chk

Verify RHEL 9 does not IPv4 ICMP redirect messages. Check the value of the "all send_redirects" variables with the following command: $ sudo sysctl net.ipv4.conf.all.send_redirects net.ipv4.conf.all.send_redirects = 0 If the returned line does not have a value of "0", or a line is not returned, this is a finding. Check that the configuration files are present to enable this network parameter. $ sudo /usr/lib/systemd/systemd-sysctl --cat-config | egrep -v '^(#|;)' | grep -F net.ipv4.conf.all.send_redirects | tail -1 net.ipv4.conf.all.send_redirects = 0 If "net.ipv4.conf.all.send_redirects" is not set to "0" and is not documented with the information system security officer (ISSO) as an operational requirement or is missing, this is a finding.

Fix: F-61633r925890_fix

Configure RHEL 9 to not allow interfaces to perform IPv4 ICMP redirects. Add or edit the following line in a single system configuration file, in the "/etc/sysctl.d/" directory: net.ipv4.conf.all.send_redirects = 0 Load settings from all system configuration files with the following command: $ sudo sysctl --system

b
RHEL 9 must not allow interfaces to perform Internet Control Message Protocol (ICMP) redirects by default.
CM-6 - Medium - CCI-000366 - V-257969 - SV-257969r991589_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
RHEL-09-253070
Vuln IDs
  • V-257969
Rule IDs
  • SV-257969r991589_rule
ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table possibly revealing portions of the network topology. The ability to send ICMP redirects is only appropriate for systems acting as routers.
Checks: C-61710r942998_chk

Verify RHEL 9 does not allow interfaces to perform Internet Protocol version 4 (IPv4) ICMP redirects by default. Check the value of the "default send_redirects" variables with the following command: $ sudo sysctl net.ipv4.conf.default.send_redirects net.ipv4.conf.default.send_redirects=0 If the returned line does not have a value of "0", or a line is not returned, this is a finding. Check that the configuration files are present to enable this network parameter. $ sudo /usr/lib/systemd/systemd-sysctl --cat-config | egrep -v '^(#|;)' | grep -F net.ipv4.conf.default.send_redirects | tail -1 net.ipv4.conf.default.send_redirects = 0 If "net.ipv4.conf.default.send_redirects" is not set to "0" and is not documented with the information system security officer (ISSO) as an operational requirement or is missing, this is a finding.

Fix: F-61634r925893_fix

Configure RHEL 9 to not allow interfaces to perform Internet Protocol version 4 (IPv4) ICMP redirects by default. Add or edit the following line in a single system configuration file, in the "/etc/sysctl.d/" directory: net.ipv4.conf.default.send_redirects = 0 Load settings from all system configuration files with the following command: $ sudo sysctl --system

b
RHEL 9 must not enable IPv4 packet forwarding unless the system is a router.
CM-6 - Medium - CCI-000366 - V-257970 - SV-257970r991589_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
RHEL-09-253075
Vuln IDs
  • V-257970
Rule IDs
  • SV-257970r991589_rule
Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this capability is used when not required, system network information may be unnecessarily transmitted across the network.
Checks: C-61711r943000_chk

Verify RHEL 9 is not performing IPv4 packet forwarding, unless the system is a router. Check that IPv4 forwarding is disabled using the following command: $ sudo sysctl net.ipv4.conf.all.forwarding net.ipv4.conf.all.forwarding = 0 If the IPv4 forwarding value is not "0" and is not documented with the information system security officer (ISSO) as an operational requirement, this is a finding. Check that the configuration files are present to enable this network parameter. $ sudo (/usr/lib/systemd/systemd-sysctl --cat-config; cat /etc/sysctl.conf) | egrep -v '^(#|$)' | grep net.ipv4.conf.all.forwarding | tail -1 net.ipv4.conf.all.forwarding = 0 If "net.ipv4.conf.all.forwarding" is not set to "0" and is not documented with the ISSO as an operational requirement or is missing, this is a finding.

Fix: F-61635r925896_fix

Configure RHEL 9 to not allow IPv4 packet forwarding, unless the system is a router. Add or edit the following line in a single system configuration file, in the "/etc/sysctl.d/" directory: net.ipv4.conf.all.forwarding = 0 Load settings from all system configuration files with the following command: $ sudo sysctl --system

b
RHEL 9 must not accept router advertisements on all IPv6 interfaces.
CM-6 - Medium - CCI-000366 - V-257971 - SV-257971r991589_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
RHEL-09-254010
Vuln IDs
  • V-257971
Rule IDs
  • SV-257971r991589_rule
An illicit router advertisement message could result in a man-in-the-middle attack.
Checks: C-61712r925898_chk

Verify RHEL 9 does not accept router advertisements on all IPv6 interfaces, unless the system is a router. Note: If IPv6 is disabled on the system, this requirement is Not Applicable. Determine if router advertisements are not accepted by using the following command: $ sudo sysctl net.ipv6.conf.all.accept_ra net.ipv6.conf.all.accept_ra = 0 If the "accept_ra" value is not "0" and is not documented with the information system security officer (ISSO) as an operational requirement, this is a finding. Check that the configuration files are present to enable this network parameter. $ sudo /usr/lib/systemd/systemd-sysctl --cat-config | egrep -v '^(#|;)' | grep -F net.ipv6.conf.all.accept_ra | tail -1 net.ipv6.conf.all.accept_ra = 0 If "net.ipv6.conf.all.accept_ra" is not set to "0" or is missing, this is a finding.

Fix: F-61636r925899_fix

Configure RHEL 9 to not accept router advertisements on all IPv6 interfaces unless the system is a router. Add or edit the following line in a single system configuration file, in the "/etc/sysctl.d/" directory: net.ipv6.conf.all.accept_ra = 0 Load settings from all system configuration files with the following command: $ sudo sysctl --system

b
RHEL 9 must ignore IPv6 Internet Control Message Protocol (ICMP) redirect messages.
CM-6 - Medium - CCI-000366 - V-257972 - SV-257972r991589_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
RHEL-09-254015
Vuln IDs
  • V-257972
Rule IDs
  • SV-257972r991589_rule
An illicit ICMP redirect message could result in a man-in-the-middle attack.
Checks: C-61713r925901_chk

Verify RHEL 9 ignores IPv6 ICMP redirect messages. Note: If IPv6 is disabled on the system, this requirement is Not Applicable. Check the value of the "accept_redirects" variables with the following command: $ sysctl net.ipv6.conf.all.accept_redirects net.ipv6.conf.all.accept_redirects = 0 If the returned line does not have a value of "0", a line is not returned, or the line is commented out, this is a finding. Check that the configuration files are present to enable this network parameter. $ sudo /usr/lib/systemd/systemd-sysctl --cat-config | egrep -v '^(#|;)' | grep -F net.ipv6.conf.all.accept_redirects | tail -1 net.ipv6.conf.all.accept_redirects = 0 If "net.ipv6.conf.all.accept_redirects" is not set to "0" or is missing, this is a finding.

Fix: F-61637r925902_fix

Configure RHEL 9 to ignore IPv6 ICMP redirect messages. Add or edit the following line in a single system configuration file, in the "/etc/sysctl.d/" directory: net.ipv6.conf.all.accept_redirects = 0 Load settings from all system configuration files with the following command: $ sudo sysctl --system

b
RHEL 9 must not forward IPv6 source-routed packets.
CM-6 - Medium - CCI-000366 - V-257973 - SV-257973r991589_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
RHEL-09-254020
Vuln IDs
  • V-257973
Rule IDs
  • SV-257973r991589_rule
Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when forwarding is enabled and the system is functioning as a router.
Checks: C-61714r943002_chk

Verify RHEL 9 does not accept IPv6 source-routed packets. Note: If IPv6 is disabled on the system, this requirement is Not Applicable. Check the value of the accept source route variable with the following command: $ sudo sysctl net.ipv6.conf.all.accept_source_route net.ipv6.conf.all.accept_source_route = 0 If the returned line does not have a value of "0", a line is not returned, or the line is commented out, this is a finding. Check that the configuration files are present to enable this network parameter. $ sudo /usr/lib/systemd/systemd-sysctl --cat-config | egrep -v '^(#|;)' | grep -F net.ipv6.conf.all.accept_source_route | tail -1 net.ipv6.conf.all.accept_source_route = 0 If "net.ipv6.conf.all.accept_source_route" is not set to "0" or is missing, this is a finding.

Fix: F-61638r925905_fix

Configure RHEL 9 to not forward IPv6 source-routed packets. Add or edit the following line in a single system configuration file, in the "/etc/sysctl.d/" directory: net.ipv6.conf.all.accept_source_route = 0 Load settings from all system configuration files with the following command: $ sudo sysctl --system

b
RHEL 9 must not enable IPv6 packet forwarding unless the system is a router.
CM-6 - Medium - CCI-000366 - V-257974 - SV-257974r991589_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
RHEL-09-254025
Vuln IDs
  • V-257974
Rule IDs
  • SV-257974r991589_rule
IP forwarding permits the kernel to forward packets from one network interface to another. The ability to forward packets between two networks is only appropriate for systems acting as routers.
Checks: C-61715r943004_chk

Verify RHEL 9 is not performing IPv6 packet forwarding, unless the system is a router. Note: If IPv6 is disabled on the system, this requirement is Not Applicable. Check that IPv6 forwarding is disabled using the following commands: $ sudo sysctl net.ipv6.conf.all.forwarding net.ipv6.conf.all.forwarding = 0 If the IPv6 forwarding value is not "0" and is not documented with the information system security officer (ISSO) as an operational requirement, this is a finding. Check that the configuration files are present to enable this network parameter. $ sudo /usr/lib/systemd/systemd-sysctl --cat-config | egrep -v '^(#|;)' | grep -F net.ipv6.conf.all.forwarding | tail -1 net.ipv6.conf.all.forwarding = 0 If "net.ipv6.conf.all.forwarding" is not set to "0" or is missing, this is a finding.

Fix: F-61639r925908_fix

Configure RHEL 9 to not allow IPv6 packet forwarding, unless the system is a router. Add or edit the following line in a single system configuration file, in the "/etc/sysctl.d/" directory: net.ipv6.conf.all.forwarding = 0 Load settings from all system configuration files with the following command: $ sudo sysctl --system

b
RHEL 9 must not accept router advertisements on all IPv6 interfaces by default.
CM-6 - Medium - CCI-000366 - V-257975 - SV-257975r991589_rule
RMF Control
CM-6
Severity
Medium
CCI
CCI-000366
Version
RHEL-09-254030
Vuln IDs
  • V-257975
Rule IDs
  • SV-257975r991589_rule
An illicit router advertisement message could result in a man-in-the-middle attack.
Checks: C-61716r943006_chk

Verify RHEL 9 does not accept router advertisements on all IPv6 interfaces by default, unless the system is a router. Note: If IPv6 is disabled on the system, this requirement is Not Applicable. Determine if router advertisements are not accepted by default by using the following command: $ sudo sysctl net.ipv6.conf.default.accept_ra net.ipv6.conf.default.accept_ra = 0 If the "accept_ra" value is not "0" and is not documented with the information system security officer (ISSO) as an operational requirement, this is a finding. Check that the configuration files are present to enable this network parameter. $ sudo /usr/lib/systemd/systemd-sysctl --cat-config | egrep -v '^(#|;)' | grep -F net.ipv6.conf.default.accept_ra | tail -1 net.ipv6.conf.default.accept_ra = 0 If "net.ipv6.conf.default.accept_ra" is not set to "0" or is missing, this is a finding.

Fix: F-61640r925911_fix

Configure RHEL 9 to not accept router advertisements on all IPv6 interfaces by default unless the system is a router. Add or edit the following line in a single system configuration file, in the "/etc/sysctl.d/" directory: net.ipv6.conf.default.accept_ra = 0 Load settings from all system configuration files with the following command: $ sudo sysctl --system

b
RHEL 9 must prevent IPv6 Internet Control Message Protocol (ICMP) redirect messages from being accepted.
CM-6 - Medium -