f | 1 | Configure the file integrity tool to run automatically on the system at least weekly and to notify designated personnel if baseline configurations are changed in an unauthorized manner. The AIDE tool can be configured to email designated personnel with the use of the cron system. | f | 1 | Configure the file integrity tool to run automatically on the system at least weekly and to notify designated personnel if baseline configurations are changed in an unauthorized manner. The AIDE tool can be configured to email designated personnel with the use of the cron system. |
2 | 2 | ||||
t | 3 | The following example output is generic. It will set cron to run AIDE daily and to send email at the completion of the analysis | t | 3 | The following example output is generic. It will set cron to run AIDE daily and to send email at the completion of the analysis. |
4 | 4 | ||||
5 | $ sudo more /etc/cron.daily/aide | 5 | $ sudo more /etc/cron.daily/aide | ||
6 | 6 | ||||
7 | #!/bin/bash | 7 | #!/bin/bash | ||
8 | /usr/sbin/aide --check | /bin/mail -s "$HOSTNAME - Daily aide integrity check run" root@sysname.mil | 8 | /usr/sbin/aide --check | /bin/mail -s "$HOSTNAME - Daily aide integrity check run" root@sysname.mil |
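Review bot: the pipeline `/usr/sbin/aide --check | /bin/mail -s "$HOSTNAME - Daily aide integrity check run" root@sysname.mil` mails the check output on every run, so the recipient gets a message daily whether or not anything changed; since the requirement text above speaks of notifying personnel when the baseline is changed, the example should say that each mail has to be read rather than that its arrival is the alert.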
f | 1 | Configure the RHEL 9 SSH daemon to use system-wide crypto policies by running the following commands: | f | 1 | Configure the RHEL 9 SSH daemon to use system-wide crypto policies by running the following commands: |
2 | 2 | ||||
3 | $ sudo dnf reinstall openssh-server | 3 | $ sudo dnf reinstall openssh-server | ||
t | t | 4 | A reboot is required for the changes to take effect. |
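Review bot: `by running the following commands:` introduces a single command (`dnf reinstall openssh-server`); use the singular.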
f | 1 | Reinstall the crypto-policies package to remove any modifications. | f | 1 | Reinstall the crypto-policies package to remove any modifications. |
2 | 2 | ||||
3 | $ sudo dnf reinstall crypto-policies | 3 | $ sudo dnf reinstall crypto-policies | ||
4 | 4 | ||||
5 | Then ensure that FIPS mode is setup with the following command: | 5 | Then ensure that FIPS mode is setup with the following command: | ||
6 | 6 | ||||
7 | $ sudo fips-mode-setup --enable | 7 | $ sudo fips-mode-setup --enable | ||
8 | 8 | ||||
9 | The system must be rebooted for the changes to take effect. | 9 | The system must be rebooted for the changes to take effect. | ||
t | t | 10 | A reboot is required for the changes to take effect. |
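Review bot: the new text states the reboot requirement twice in succession (`The system must be rebooted for the changes to take effect.` immediately followed by `A reboot is required for the changes to take effect.`); keep one of the two sentences.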
f | 1 | Verify that the RHEL 9 cryptography policy has been configured correctly with the following commands: | f | 1 | Verify that the RHEL 9 cryptography policy has been configured correctly with the following commands: |
2 | 2 | ||||
3 | $ sudo update-crypto-policies --show | 3 | $ sudo update-crypto-policies --show | ||
4 | 4 | ||||
5 | FIPS | 5 | FIPS | ||
6 | 6 | ||||
7 | If the cryptography is not set to "FIPS" and is not applied, this is a finding. | 7 | If the cryptography is not set to "FIPS" and is not applied, this is a finding. | ||
8 | 8 | ||||
9 | $ sudo update-crypto-policies --check | 9 | $ sudo update-crypto-policies --check | ||
10 | 10 | ||||
11 | The configured policy is applied. | 11 | The configured policy is applied. | ||
12 | 12 | ||||
13 | If the command does not return "The configured policy is applied.", this is a finding. | 13 | If the command does not return "The configured policy is applied.", this is a finding. | ||
t | 14 | t | |||
15 |
f | 1 | Configure the RHEL 9 OpenSSL library to use the system cryptograhpic policy. | f | 1 | Configure the RHEL 9 OpenSSL library to use the system cryptograhpic policy. |
2 | 2 | ||||
3 | Edit the "/etc/pki/tls/openssl.cnf" and add or modify the following line: | 3 | Edit the "/etc/pki/tls/openssl.cnf" and add or modify the following line: | ||
4 | .include = /etc/crypto-policies/back-ends/opensslcnf.config | 4 | .include = /etc/crypto-policies/back-ends/opensslcnf.config | ||
5 | 5 | ||||
6 | 6 | ||||
t | t | 7 | A reboot is required for the changes to take effect. |
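Review bot: the typo in `use the system cryptograhpic policy` is carried unchanged into the new text; correct it to `cryptographic` in the same edit. The two empty rows between the `.include` line and the added reboot sentence also leave a double blank line in the new text.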
t | 1 | RHEL 9, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor. | t | 1 | RHEL 9 must prevent the installation of software, patches, service packs, device drivers, or operating system components from a repository without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization. |
n | 1 | Without path validation, an informed trust decision by the relying party cannot be made when presented with any certificate not already explicitly trusted. | n | 1 | Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor. |
2 | 2 | ||||
n | 3 | A trust anchor is an authoritative entity represented via a public key and associated data. It is used in the context of public key infrastructures, X.509 digital certificates, and DNSSEC. | n | 3 | Accordingly, patches, service packs, device drivers, or operating system components must be signed with a certificate recognized and approved by the organization. |
4 | 4 | ||||
t | 5 | When there is a chain of trust, usually the top entity to be trusted becomes the trust anchor; it can be, for example, a Certification Authority (CA). A certification path starts with the subject certificate and proceeds through a number of intermediate certificates up to a trusted root certificate, typically issued by a trusted CA. | t | 5 | Verifying the authenticity of the software prior to installation validates the integrity of the patch or upgrade received from a vendor. This verifies the software has not been tampered with and that it has been provided by a trusted vendor. Self-signed certificates are disallowed by this requirement. The operating system should not have to verify the software again. This requirement does not mandate DoD certificates for this purpose; however, the certificate used to verify the software must be from an approved CA. |
6 | |||||
7 | This requirement verifies that a certification path to an accepted trust anchor is used for certificate validation and that the path includes status information. Path validation is necessary for a relying party to make an informed trust decision when presented with any certificate not already explicitly trusted. Status information for certification paths includes certificate revocation lists or online certificate status protocol responses. Validation of the certificate status information is out of scope for this requirement. |
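Review bot: the left and right cells of this block describe different requirements (certification path validation to an accepted trust anchor on the left, package signature verification by an organization-approved CA on the right), and the check and fix blocks that follow pair the same two rules; this reads as a misaligned comparison rather than a wording change to one rule, so confirm the pairing before treating the left-hand text as removed.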
n | 1 | Verify RHEL 9 for PKI-based authentication has valid certificates by constructing a certification path (which includes status information) to an accepted trust anchor. | n | 1 | Verify that dnf verifies the signature of packages from a repository prior to install with the following command: |
2 | 2 | ||||
n | 3 | Check that the system has a valid DoD root CA installed with the following command: | n | 3 | $ grep gpgcheck /etc/dnf/dnf.conf |
4 | 4 | ||||
n | 5 | $ sudo openssl x509 -text -in /etc/sssd/pki/sssd_auth_ca_db.pem | n | 5 | gpgcheck=1 |
6 | 6 | ||||
n | 7 | Certificate: | n | 7 | If "gpgcheck" is not set to "1", or if the option is missing or commented out, ask the System Administrator how the certificates for patches and other operating system components are verified. |
8 | Data: | ||||
9 | Version: 3 (0x2) | ||||
10 | Serial Number: 1 (0x1) | ||||
11 | Signature Algorithm: sha256WithRSAEncryption | ||||
12 | Issuer: C = US, O = U.S. Government, OU = DoD, OU = PKI, CN = DoD Root CA 3 | ||||
13 | Validity | ||||
14 | Not Before: Mar 20 18:46:41 2012 GMT | ||||
15 | Not After: Dec 30 18:46:41 2029 GMT | ||||
16 | Subject: C = US, O = U.S. Government, OU = DoD, OU = PKI, CN = DoD Root CA 3 | ||||
17 | Subject Public Key Info: | ||||
18 | Public Key Algorithm: rsaEncryption | ||||
19 | 8 | ||||
t | 20 | If the root CA file is not a DoD-issued certificate with a valid date and installed in the "/etc/sssd/pki/sssd_auth_ca_db.pem" location, this is a finding. | t | 9 | If there is no process to validate certificates that is approved by the organization, this is a finding. |
n | 1 | Configure RHEL 9, for PKI-based authentication, to validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor. | n | 1 | Configure RHEL 9 to always check package signatures before installation. |
2 | 2 | ||||
t | 3 | Obtain a valid copy of the DoD root CA file from the PKI CA certificate bundle from cyber.mil and copy the DoD_PKE_CA_chain.pem into the following file: | t | 3 | Add or update the following line in the [main] section of the /etc/dnf/dnf.conf file: |
4 | /etc/sssd/pki/sssd_auth_ca_db.pem | 4 | |||
5 | gpgcheck=1 |
t | 1 | RHEL9 must have gpgcheck enabled for all repositories. | t | 1 | RHEL 9 must have gpgcheck enabled for all repositories. |
t | 1 | Verify that "/etc/sudoers" has no occurrences of "!authenticate" with the following command: | t | 1 | Verify that "/etc/sudoers" has no occurrences of "!authenticate" with the following command: |
2 | 2 | ||||
3 | $ sudo grep -i !authenticate /etc/sudoers /etc/sudoers.d/* | 3 | $ sudo grep -i !authenticate /etc/sudoers /etc/sudoers.d/* | ||
4 | 4 | ||||
5 | If any occurrences of "!authenticate" are returned, this is a finding. | 5 | If any occurrences of "!authenticate" are returned, this is a finding. |
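Review bot: `grep -i !authenticate /etc/sudoers /etc/sudoers.d/*` leaves `!authenticate` unquoted, and in an interactive bash session a leading `!` is subject to history expansion; quote the pattern (`grep -i '!authenticate' ...`) so the check runs as written.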
n | 1 | By limiting the number of failed logon attempts the risk of unauthorized system | n | 1 | by limiting the number of failed logon attempts the risk of unauthorized system |
2 | access via user password guessing, otherwise known as brute-forcing, is reduced. | 2 | access via user password guessing, otherwise known as brute-forcing, is reduced. | ||
t | 3 | Limits are imposed by locking the account. | t | 3 | limits are imposed by locking the account. |
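Review bot: the new text lowercases the first word of each sentence (`by limiting`, `limits are imposed`), and the same change appears in the following verify and configure blocks (`verify RHEL 9`, `if the "unlock_time"`, `configure RHEL 9`, `then edit`); this looks like an unintended case change rather than a deliberate edit and should be restored to sentence case.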
n | 1 | Verify RHEL 9 is configured to lock an account until released by an administrator after three unsuccessful logon attempts with the command: | n | 1 | verify RHEL 9 is configured to lock an account until released by an administrator after three unsuccessful logon attempts with the command: |
2 | 2 | ||||
3 | $ grep 'unlock_time =' /etc/security/faillock.conf | 3 | $ grep 'unlock_time =' /etc/security/faillock.conf | ||
4 | 4 | ||||
5 | unlock_time = 0 | 5 | unlock_time = 0 | ||
6 | 6 | ||||
t | 7 | If the "unlock_time" option is not set to "0", the line is missing, or commented out, this is a finding. | t | 7 | if the "unlock_time" option is not set to "0", the line is missing, or commented out, this is a finding. |
n | 1 | Configure RHEL 9 to lock an account until released by an administrator after three unsuccessful logon attempts with the command: | n | 1 | configure RHEL 9 to lock an account until released by an administrator after three unsuccessful logon attempts with the command: |
2 | 2 | ||||
3 | $ authselect enable-feature with-faillock | 3 | $ authselect enable-feature with-faillock | ||
4 | 4 | ||||
t | 5 | Then edit the "/etc/security/faillock.conf" file as follows: | t | 5 | then edit the "/etc/security/faillock.conf" file as follows: |
6 | 6 | ||||
7 | unlock_time = 0 | 7 | unlock_time = 0 |
f | 1 | Configure RHEL 9 to lock out the "root" account after a number of incorrect login | f | 1 | Configure RHEL 9 to lock out the "root" account after a number of incorrect login |
2 | attempts using "pam_faillock.so", first enable the feature using the following command: | 2 | attempts using "pam_faillock.so", first enable the feature using the following command: | ||
3 | 3 | ||||
4 | $ sudo authselect enable-feature with-faillock | 4 | $ sudo authselect enable-feature with-faillock | ||
5 | 5 | ||||
6 | Then edit the "/etc/security/faillock.conf" file as follows: | 6 | Then edit the "/etc/security/faillock.conf" file as follows: | ||
7 | 7 | ||||
8 | add or uncomment the following line: | 8 | add or uncomment the following line: | ||
9 | even_deny_root | 9 | even_deny_root | ||
t | 10 | t |
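Review bot: `Configure RHEL 9 to lock out the "root" account ... using "pam_faillock.so", first enable the feature` is a comma splice; split it into two sentences. `Then edit the "/etc/security/faillock.conf" file as follows:` followed by `add or uncomment the following line:` says the same thing twice, so one of the two introductions can go.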
f | 1 | Configure RHEL 9 so that all non-interactive accounts on the system do not have an interactive shell assigned to them. | f | 1 | Configure RHEL 9 so that all non-interactive accounts on the system do not have an interactive shell assigned to them. |
2 | 2 | ||||
3 | If the system account needs a shell assigned for mission operations, doucment the need with the Information System Security Officer (ISSO). | 3 | If the system account needs a shell assigned for mission operations, doucment the need with the Information System Security Officer (ISSO). | ||
4 | 4 | ||||
5 | Run the following command to disable the interactive shell for a specific non-interactive user account: | 5 | Run the following command to disable the interactive shell for a specific non-interactive user account: | ||
6 | 6 | ||||
n | 7 | Replace <user> with the user that has a login shell. | n | 7 | Replace <user> with the user that has a login shell. |
8 | 8 | ||||
t | 9 | $ sudo usermod --shell /sbin/nologin <user> | t | 9 | $ sudo usermod --shell /sbin/nologin <user> |
10 | 10 | ||||
11 | Do not perform the steps in this section on the root account. Doing so will cause the system to become inaccessible. | 11 | Do not perform the steps in this section on the root account. Doing so will cause the system to become inaccessible. |
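Review bot: `doucment the need with the Information System Security Officer (ISSO)` carries a typo (`document`) unchanged into the new text; fix it in the same edit.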
t | 1 | Verify that RHEL9 account identifiers (individuals, groups, roles, and devices) are disabled after 35 days of inactivity with the following command: | t | 1 | Verify that RHEL 9 account identifiers (individuals, groups, roles, and devices) are disabled after 35 days of inactivity with the following command: |
2 | 2 | ||||
3 | Check the account inactivity value by performing the following command: | 3 | Check the account inactivity value by performing the following command: | ||
4 | 4 | ||||
5 | $ sudo grep -i inactive /etc/default/useradd | 5 | $ sudo grep -i inactive /etc/default/useradd | ||
6 | 6 | ||||
7 | INACTIVE=35 | 7 | INACTIVE=35 | ||
8 | 8 | ||||
9 | If "INACTIVE" is set to "-1", a value greater than "35", or is commented out, this is a finding. | 9 | If "INACTIVE" is set to "-1", a value greater than "35", or is commented out, this is a finding. |
n | 1 | Verify the assigned home directory of all local interactive users has a mode of "0750" or less permissive with the following command: | n | 1 | Verify the assigned home directory of all local interactive users has a mode of "0750" or less permissive with the following command: |
2 | 2 | ||||
3 | Note: This may miss interactive users that have been assigned a privileged User Identifier (UID). Evidence of interactive use may be obtained from a number of log files containing system logon information. | 3 | Note: This may miss interactive users that have been assigned a privileged User Identifier (UID). Evidence of interactive use may be obtained from a number of log files containing system logon information. | ||
4 | 4 | ||||
t | 5 | $ sudo ls -ld $(awk -F: '($3>=1000)&&($7 !~ /nologin/){print $6}' /etc/passwd) | t | 5 | $ sudo ls -ld $(awk -F: '($3>=1000)&&($7 !~ /nologin/){print $6}' /etc/passwd) |
6 | 6 | ||||
7 | drwxr-x--- 2 smithj admin 4096 Jun 5 12:41 smithj | 7 | drwxr-x--- 2 smithj admin 4096 Jun 5 12:41 smithj | ||
8 | 8 | ||||
9 | If home directories referenced in "/etc/passwd" do not have a mode of "0750" or less permissive, this is a finding. | 9 | If home directories referenced in "/etc/passwd" do not have a mode of "0750" or less permissive, this is a finding. |
f | 1 | Configure RHEL 9 to generate audit records for local events by adding or updating the following line in "/etc/audit/auditd.conf": | f | 1 | Configure RHEL 9 to generate audit records for local events by adding or updating the following line in "/etc/audit/auditd.conf": |
2 | 2 | ||||
3 | local_events = yes | 3 | local_events = yes | ||
4 | 4 | ||||
t | t | 5 | |||
5 | The audit daemon must be restarted for the changes to take effect. | 6 | The audit daemon must be restarted for the changes to take effect. |
f | 1 | Configure RHEL 9 to shutdown when auditing failures occur. | f | 1 | Configure RHEL 9 to shutdown when auditing failures occur. |
2 | 2 | ||||
3 | Add the following line to the bottom of the /etc/audit/audit.rules file: | 3 | Add the following line to the bottom of the /etc/audit/audit.rules file: | ||
4 | 4 | ||||
5 | -f 2 | 5 | -f 2 | ||
t | t | 6 | -f 2 |
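Review bot: the new text lists `-f 2` twice as the line to add to `/etc/audit/audit.rules`; drop the second copy, since the instruction is to add a single line.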
t | 1 | RHEL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/opasswd. | t | 1 | RHEL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/opasswd. |
f | 1 | Configure RHEL 9 to generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/security/opasswd". | f | 1 | Configure RHEL 9 to generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/security/opasswd". |
2 | Add or update the following file system rule to "/etc/audit/rules.d/audit.rules": | 2 | Add or update the following file system rule to "/etc/audit/rules.d/audit.rules": | ||
3 | -w /etc/security/opasswd -p wa -k identity | 3 | -w /etc/security/opasswd -p wa -k identity | ||
t | t | 4 | |||
4 | The audit daemon must be restarted for the changes to take effect. | 5 | The audit daemon must be restarted for the changes to take effect. |
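Review bot: the title says the events must affect `/etc/opasswd`, but the fix watches `/etc/security/opasswd` (`-w /etc/security/opasswd -p wa -k identity`); the title path should match the rule path, since the two name different files.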
t | 1 | RHEL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd. | t | 1 | RHEL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd. |
f | 1 | Configure RHEL 9 to generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/passwd". | f | 1 | Configure RHEL 9 to generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/passwd". |
2 | Add or update the following file system rule to "/etc/audit/rules.d/audit.rules": | 2 | Add or update the following file system rule to "/etc/audit/rules.d/audit.rules": | ||
3 | -w /etc/passwd -p wa -k identity | 3 | -w /etc/passwd -p wa -k identity | ||
t | t | 4 | |||
4 | The audit daemon must be restarted for the changes to take effect. | 5 | The audit daemon must be restarted for the changes to take effect. |
t | 1 | RHEL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/group. | t | 1 | RHEL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/group. |
f | 1 | Configure RHEL 9 to generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/group". | f | 1 | Configure RHEL 9 to generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/group". |
2 | Add or update the following file system rule to "/etc/audit/rules.d/audit.rules": | 2 | Add or update the following file system rule to "/etc/audit/rules.d/audit.rules": | ||
3 | -w /etc/group -p wa -k identity | 3 | -w /etc/group -p wa -k identity | ||
t | t | 4 | |||
4 | The audit daemon must be restarted for the changes to take effect. | 5 | The audit daemon must be restarted for the changes to take effect. |
t | 1 | RHEL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/gshadow. | t | 1 | RHEL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/gshadow. |
f | 1 | Configure RHEL 9 to generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/gshadow". | f | 1 | Configure RHEL 9 to generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/gshadow". |
2 | Add or update the following file system rule to "/etc/audit/rules.d/audit.rules": | 2 | Add or update the following file system rule to "/etc/audit/rules.d/audit.rules": | ||
3 | -w /etc/gshadow -p wa -k identity | 3 | -w /etc/gshadow -p wa -k identity | ||
t | t | 4 | |||
4 | The audit daemon must be restarted for the changes to take effect. | 5 | The audit daemon must be restarted for the changes to take effect. |
t | 1 | RHEL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow. | t | 1 | RHEL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow. |
f | 1 | Configure RHEL 9 to generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/shadow". | f | 1 | Configure RHEL 9 to generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/shadow". |
2 | Add or update the following file system rule to "/etc/audit/rules.d/audit.rules": | 2 | Add or update the following file system rule to "/etc/audit/rules.d/audit.rules": | ||
3 | -w /etc/shadow -p wa -k identity | 3 | -w /etc/shadow -p wa -k identity | ||
t | t | 4 | |||
4 | The audit daemon must be restarted for the changes to take effect. | 5 | The audit daemon must be restarted for the changes to take effect. |
f | 1 | Verify that RHEL 9 is configured to audit the execution of the "setsebool" command with the following command: | f | 1 | Verify that RHEL 9 is configured to audit the execution of the "setsebool" command with the following command: |
2 | 2 | ||||
3 | $ sudo auditctl -l | grep setsebool | 3 | $ sudo auditctl -l | grep setsebool | ||
4 | 4 | ||||
t | 5 | -a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged | t | 5 | -a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged |
6 | 6 | ||||
7 | If the command does not return a line, or the line is commented out, this is a finding. | 7 | If the command does not return a line, or the line is commented out, this is a finding. |
f | 1 | Configure RHEL 9 to generate an audit event for any successful/unsuccessful use of the "setsebool " command by adding or updating the following rules in the "/etc/audit/rules.d/audit.rules" file: | f | 1 | Configure RHEL 9 to generate an audit event for any successful/unsuccessful use of the "setsebool " command by adding or updating the following rules in the "/etc/audit/rules.d/audit.rules" file: |
2 | 2 | ||||
t | 3 | -a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged | t | 3 | -a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged |
4 | 4 | ||||
5 | The audit daemon must be restarted for the changes to take effect. | 5 | The audit daemon must be restarted for the changes to take effect. |
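Review bot: `"setsebool "` in the fix text has a stray space inside the quotes, and `the following rules` introduces a single rule; tighten both to `"setsebool"` and `the following rule`.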
f | 1 | Verify that RHEL 9 is configured to audit the execution of the "umount"command with the following command: | f | 1 | Verify that RHEL 9 is configured to audit the execution of the "umount"command with the following command: |
2 | 2 | ||||
3 | $ sudo auditctl -l | grep umount | 3 | $ sudo auditctl -l | grep umount | ||
4 | 4 | ||||
t | 5 | -a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -k privileged-mount | t | 5 | -a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -k privileged-mount |
6 | 6 | ||||
7 | If the command does not return an audit rule for "umount" or any of the lines returned are commented out, this is a finding. | 7 | If the command does not return an audit rule for "umount" or any of the lines returned are commented out, this is a finding. |
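Review bot: `the "umount"command` is missing the space before `command`.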
f | 1 | Configure RHEL 9 to generate audit records upon successful/unsuccessful attempts to use the "umount" command by adding or updating the following rules in "/etc/audit/rules.d/audit.rules": | f | 1 | Configure RHEL 9 to generate audit records upon successful/unsuccessful attempts to use the "umount" command by adding or updating the following rules in "/etc/audit/rules.d/audit.rules": |
2 | 2 | ||||
t | 3 | -a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -k privileged-mount | t | 3 | -a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -k privileged-mount |
4 | |||||
4 | 5 | ||||
5 | The audit daemon must be restarted for the changes to take effect. | 6 | The audit daemon must be restarted for the changes to take effect. |
f | 1 | Verify RHEL 9 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/gshadow" with the following command: | f | 1 | Verify RHEL 9 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/gshadow" with the following command: |
2 | 2 | ||||
3 | $ sudo auditctl -l | egrep '(/usr/bin/passwd)' | 3 | $ sudo auditctl -l | egrep '(/usr/bin/passwd)' | ||
4 | 4 | ||||
t | 5 | -a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-passwd | t | 5 | -a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-passwd |
6 | 6 | ||||
7 | If the command does not return a line, or the line is commented out, this is a finding. | 7 | If the command does not return a line, or the line is commented out, this is a finding. |
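Review bot: the check is titled as verifying audit records for events that affect `/etc/gshadow`, but the command greps for `/usr/bin/passwd` and the expected output is the `privileged-passwd` execution rule; either the title or the command is wrong. If the title is right, the expected line is the `-w /etc/gshadow -p wa -k identity` watch that the corresponding fix block adds.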
t | 1 | RHEL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /var/log/tallylog. | t | 1 | RHEL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /var/log/tallylog. |
t | 1 | RHEL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /var/log/lastlog. | t | 1 | RHEL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /var/log/lastlog. |
f | 1 | Verify that RHEL 9 is configured to audit successful/unsuccessful attempts to use the "truncate", "ftruncate", "creat", "open", "openat", and "open_by_handle_at" system calls with the following command: | f | 1 | Verify that RHEL 9 is configured to audit successful/unsuccessful attempts to use the "truncate", "ftruncate", "creat", "open", "openat", and "open_by_handle_at" system calls with the following command: |
2 | 2 | ||||
3 | $ sudo auditctl -l | grep'open\|truncate\|creat' | 3 | $ sudo auditctl -l | grep'open\|truncate\|creat' | ||
4 | 4 | ||||
n | 5 | -a always,exit -F arch=b32 -S truncate,ftruncate,creat,open,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -k perm_access | n | 5 | -a always,exit -F arch=b32 -S truncate,ftruncate,creat,open,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -k perm_access |
6 | -a always,exit -F arch=b64 -S truncate,ftruncate,creat,open,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -k perm_access | 6 | -a always,exit -F arch=b64 -S truncate,ftruncate,creat,open,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -k perm_access | ||
7 | 7 | ||||
t | 8 | -a always,exit -F arch=b32 -S truncate,ftruncate,creat,open,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -k perm_access | t | 8 | -a always,exit -F arch=b32 -S truncate,ftruncate,creat,open,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -k perm_access |
9 | -a always,exit -F arch=b64 -S truncate,ftruncate,creat,open,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -k perm_access | 9 | -a always,exit -F arch=b64 -S truncate,ftruncate,creat,open,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -k perm_access | ||
10 | 10 | ||||
11 | If the output does not produce rules containing "-F exit=-EPERM", this is a finding. | 11 | If the output does not produce rules containing "-F exit=-EPERM", this is a finding. | ||
12 | If the output does not produce rules containing "-F exit=-EACCES", this is a finding. | 12 | If the output does not produce rules containing "-F exit=-EACCES", this is a finding. | ||
13 | If the command does not return an audit rule for "truncate", "ftruncate", "creat", "open", "openat", and "open_by_handle_at" or any of the lines returned are commented out, this is a finding. | 13 | If the command does not return an audit rule for "truncate", "ftruncate", "creat", "open", "openat", and "open_by_handle_at" or any of the lines returned are commented out, this is a finding. |
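Review bot: `grep'open\|truncate\|creat'` is missing the space between `grep` and its pattern, so the shell would look for a program literally named `grep'open\|truncate\|creat'`; write it as `grep 'open\|truncate\|creat'`. The defect is present on both sides of the comparison.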
t | 1 | RHEL 9 must audit all uses of the chmod, fchmod, and fchmodat syscalls. | t | 1 | RHEL 9 must audit all uses of the chmod, fchmod, and fchmodat syscalls. |
f | 1 | Configure RHEL 9 to require a grub bootloader password for the grub superuser account. | f | 1 | Configure RHEL 9 to require a grub bootloader password for the grub superuser account. |
2 | 2 | ||||
3 | Generate an encrypted grub2 password for the grub superuser account with the following command: | 3 | Generate an encrypted grub2 password for the grub superuser account with the following command: | ||
4 | 4 | ||||
5 | $ sudo grub2-setpassword | 5 | $ sudo grub2-setpassword | ||
6 | Enter password: | 6 | Enter password: | ||
7 | Confirm password: | 7 | Confirm password: | ||
8 | 8 | ||||
9 | 9 | ||||
t | t | 10 | export superusers |
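Review bot: the new text ends with a bare `export superusers` line appended after the `grub2-setpassword` prompts, with no sentence saying what it is or where the reader should put it; either introduce it properly or remove it.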
f | 1 | Change the owner of the file /etc/gshadow to root by running the following command: | f | 1 | Change the owner of the file /etc/gshadow to root by running the following command: |
t | t | 2 | |||
2 | $ sudo chown root /etc/gshadow | 3 | $ sudo chown root /etc/gshadow |
f | 1 | Change the owner of the file /etc/passwd to root by running the following command: | f | 1 | Change the owner of the file /etc/passwd to root by running the following command: |
t | t | 2 | |||
2 | $ sudo chown root /etc/passwd | 3 | $ sudo chown root /etc/passwd |
f | 1 | Change the group of the file /etc/group to root by running the following command: | f | 1 | Change the group of the file /etc/group to root by running the following command: |
2 | 2 | ||||
3 | $ sudo chgrp root /etc/group | 3 | $ sudo chgrp root /etc/group | ||
t | 4 | t | |||
5 |
f | 1 | Unrestricted usage of ptrace allows compromised binaries to run ptrace on another processes of the user. Like this, the attacker can steal | f | 1 | Unrestricted usage of ptrace allows compromised binaries to run ptrace on another processes of the user. Like this, the attacker can steal |
2 | sensitive information from the target processes (e.g. SSH sessions, web browser, etc) without any additional assistance from the user (i.e. without resorting to phishing). | 2 | sensitive information from the target processes (e.g. SSH sessions, web browser, etc) without any additional assistance from the user (i.e. without resorting to phishing). | ||
t | 3 | t |
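Review bot: `run ptrace on another processes of the user` should read `on other processes of the user`, `Like this, the attacker` reads better as `This way, the attacker`, and `etc)` wants a period.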
n | n | 1 | Some adversaries launch attacks with the intent of executing code in non-executable regions of memory or in memory locations that are prohibited. Security safeguards employed to protect memory include, for example, data execution prevention and address space layout randomization. Data execution prevention safeguards can be either hardware-enforced or software-enforced with hardware providing the greater strength of mechanism. | ||
1 | 2 | ||||
t | t | 3 | Poisoning writes an arbitrary value to freed pages, so any modification or reference to that page after being freed or before being initialized will be detected and prevented. This prevents many types of use-after-free vulnerabilities at little performance cost. Also prevents leak of data and detection of corrupted memory. | ||
4 | |||||
5 | SLAB objects are blocks of physically-contiguous memory. SLUB is the unqueued SLAB allocator. |
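Review bot: the three added paragraphs (lines 1, 3 and 5) do not form one argument: line 1 is about DEP and ASLR in general, line 3 describes page poisoning without naming the setting it is meant to justify, and line 5 defines SLAB/SLUB in isolation. The last sentence of line 3, "Also prevents leak of data and detection of corrupted memory", reads as if poisoning prevents detection; suggest "It also prevents leaks of stale data and aids detection of corrupted memory." Name the kernel option being justified so the rationale reads as one piece.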
t | 1 | RHEL 9 must be configured so that the rsyslog daemon does not accept log messages from other servers unless the server is being used for log aggregation. | t | 1 | RHEL 9 must be configured so that the rsyslog daemon does not accept log messages from other servers unless the server is being used for log aggregation. |
f | 1 | Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when forwarding is enabled and the system is functioning as a router. | f | 1 | Source-routed packets allow the source of the packet to suggest that routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routed traffic, such as when forwarding is enabled and the system is functioning as a router. |
t | 2 | t |
f | 1 | Configure the RHEL 9 file /etc/crontab with mode 600. | f | 1 | Configure the RHEL 9 file /etc/crontab with mode 600. |
2 | 2 | ||||
3 | $ sudo chmod 0600 /etc/crontab | 3 | $ sudo chmod 0600 /etc/crontab | ||
t | t | 4 | chmod 0600 /etc/crontab |
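Review bot: the added line 4, "chmod 0600 /etc/crontab", duplicates the command on line 3 but without the "$ sudo" prefix used everywhere else on the page; drop the added line, or if two forms are intended keep one consistent prompt style.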
f | 1 | To ensure that the GPG key is installed, run: | f | 1 | To ensure that the GPG key is installed, run: |
2 | $ rpm -q --queryformat "%{SUMMARY}\n" gpg-pubkey | 2 | $ rpm -q --queryformat "%{SUMMARY}\n" gpg-pubkey | ||
3 | The command should return the string below: | 3 | The command should return the string below: | ||
t | 4 | gpg(Red Hat, Inc. (release key 2) <security@redhat.com> | t | 4 | gpg(Red Hat, Inc. (release key 2) <security@redhat.com> |
5 | 5 | ||||
6 | If the Red Hat GPG Key is not installed, this is a finding. | 6 | If the Red Hat GPG Key is not installed, this is a finding. |
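Review bot: the expected output on line 4 has an unbalanced parenthesis: "gpg(Red Hat, Inc. (release key 2) <security@redhat.com>" opens two and closes one, so a reviewer comparing against it literally will never get a match; append the closing ")". Also, when more than one gpg-pubkey package is installed the query on line 2 prints one line per key, so "should return the string below" is better phrased as "should include the line below".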
t | 1 | Verify RHEL9 security patches and updates are installed and up to date. Updates are required to be applied with a frequency determined by organizational policy. | t | 1 | Verify RHEL 9 security patches and updates are installed and up to date. Updates are required to be applied with a frequency determined by organizational policy. |
2 | 2 | ||||
3 | Obtain the list of available package security updates from Red Hat. The URL for updates is https://access.redhat.com/errata-search/. It is important to note that updates provided by Red Hat may not be present on the system if the underlying packages are not installed. | 3 | Obtain the list of available package security updates from Red Hat. The URL for updates is https://access.redhat.com/errata-search/. It is important to note that updates provided by Red Hat may not be present on the system if the underlying packages are not installed. | ||
4 | 4 | ||||
5 | Check that the available package security updates have been installed on the system with the following command: | 5 | Check that the available package security updates have been installed on the system with the following command: | ||
6 | 6 | ||||
7 | $ dnf history list | more | 7 | $ dnf history list | more | ||
8 | 8 | ||||
9 | ID | Command line | Date and time | Action(s) | Altered | 9 | ID | Command line | Date and time | Action(s) | Altered | ||
10 | ------------------------------------------------------------------------------- | 10 | ------------------------------------------------------------------------------- | ||
11 | 70 | install aide | 2020-03-05 10:58 | Install | 1 | 11 | 70 | install aide | 2020-03-05 10:58 | Install | 1 | ||
12 | 69 | update -y | 2020-03-04 14:34 | Update | 18 EE | 12 | 69 | update -y | 2020-03-04 14:34 | Update | 18 EE | ||
13 | 68 | install vlc | 2020-02-21 17:12 | Install | 21 | 13 | 68 | install vlc | 2020-02-21 17:12 | Install | 21 | ||
14 | 67 | update -y | 2020-02-21 17:04 | Update | 7 EE | 14 | 67 | update -y | 2020-02-21 17:04 | Update | 7 EE | ||
15 | 15 | ||||
16 | Typical update frequency may be overridden by Information Assurance Vulnerability Alert (IAVA) notifications from CYBERCOM. | 16 | Typical update frequency may be overridden by Information Assurance Vulnerability Alert (IAVA) notifications from CYBERCOM. | ||
17 | 17 | ||||
18 | If the system is in non-compliance with the organizational patching policy, this is a finding. | 18 | If the system is in non-compliance with the organizational patching policy, this is a finding. |
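Review bot: the only change is "RHEL9" to "RHEL 9", but the sample `dnf history list` output on lines 11-14 is dated 2020, before RHEL 9 shipped, so it is inherited from the older guide; refresh the sample while touching this text. More substantively, transaction history shows that an update ran, not that no security errata remain outstanding: line 3 points at the errata list, but no step says how the reviewer compares the installed state against it.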
t | 1 | Install RHEL9 security patches and updates at the organizationally-defined frequency. If system updates are installed via a centralized repository that is configured on the system, you can install all updates with the following command: | t | 1 | Install RHEL 9 security patches and updates at the organizationally-defined frequency. If system updates are installed via a centralized repository that is configured on the system, you can install all updates with the following command: |
2 | 2 | ||||
3 | $ sudo dnf update | 3 | $ sudo dnf update |
t | 1 | Alan May | t | 1 | Verify that RHEL 9 usbguard package is installed with the following command: |
2 | |||||
3 | $ sudo dnf list --installed usbguard | ||||
4 | |||||
5 | usbguard.x86_64 1.0.0-10.el9 | ||||
6 | |||||
7 | If the usbguard package is not installed, this is a finding. |
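Review bot: line 5 pins an exact build, "usbguard.x86_64 1.0.0-10.el9", while line 7 only requires that the package be installed; state that the version shown is an example so a newer build is not misread as a finding. Replacing the left-hand placeholder "Alan May" with real check text is the right call.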
t | 1 | RHEL 8 must enable Linux audit logging for the USBGuard daemon. | t | 1 | RHEL 9 must enable Linux audit logging for the USBGuard daemon. |
f | 1 | Disable and mask the kdump service on RHEL 9. | f | 1 | Disable and mask the kdump service on RHEL 9. |
2 | 2 | ||||
3 | To disable the kdump service run the following command: | 3 | To disable the kdump service run the following command: | ||
4 | 4 | ||||
5 | $ sudo systemctl disable --now kdump | 5 | $ sudo systemctl disable --now kdump | ||
6 | 6 | ||||
7 | To mask the kdump service run the following command: | 7 | To mask the kdump service run the following command: | ||
8 | 8 | ||||
9 | $ sudo systemctl mask --now kdump | 9 | $ sudo systemctl mask --now kdump | ||
t | t | 10 | $ sudo systemctl mask --now kdump |
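Review bot: added line 10 repeats the mask command already given on line 9 verbatim; remove the duplicate so the fix text lists each command once.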
f | 1 | Verify that RHEL 9 is configured to audit the execution of the "init" command with the following command: | f | 1 | Verify that RHEL 9 is configured to audit the execution of the "init" command with the following command: |
2 | 2 | ||||
3 | $ sudo auditctl -l | grep init | 3 | $ sudo auditctl -l | grep init | ||
4 | 4 | ||||
t | 5 | -a always,exit -F path=/usr/sbin/init -F perm=x -F auid>=1000 -F auid!=unset -k privileged-init | t | 5 | -a always,exit -F path=/usr/sbin/init -F perm=x -F auid>=1000 -F auid!=unset -k privileged-init |
6 | 6 | ||||
7 | If the command does not return a line, or the line is commented out, this is a finding. | 7 | If the command does not return a line, or the line is commented out, this is a finding. |
f | 1 | Verify that RHEL 9 is configured to audit the execution of the "poweroff" command with the following command: | f | 1 | Verify that RHEL 9 is configured to audit the execution of the "poweroff" command with the following command: |
2 | 2 | ||||
3 | $ sudo auditctl -l | grep poweroff | 3 | $ sudo auditctl -l | grep poweroff | ||
4 | 4 | ||||
t | 5 | -a always,exit -F path=/usr/sbin/poweroff -F perm=x -F auid>=1000 -F auid!=unset -k privileged-poweroff | t | 5 | -a always,exit -F path=/usr/sbin/poweroff -F perm=x -F auid>=1000 -F auid!=unset -k privileged-poweroff |
6 | 6 | ||||
7 | If the command does not return a line, or the line is commented out, this is a finding. | 7 | If the command does not return a line, or the line is commented out, this is a finding. |
f | 1 | Verify that RHEL 9 is configured to audit the execution of the "reboot" command with the following command: | f | 1 | Verify that RHEL 9 is configured to audit the execution of the "reboot" command with the following command: |
2 | 2 | ||||
3 | $ sudo auditctl -l | grep reboot | 3 | $ sudo auditctl -l | grep reboot | ||
4 | 4 | ||||
t | 5 | -a always,exit -F path=/usr/sbin/reboot -F perm=x -F auid>=1000 -F auid!=unset -k privileged-reboot | t | 5 | -a always,exit -F path=/usr/sbin/reboot -F perm=x -F auid>=1000 -F auid!=unset -k privileged-reboot |
6 | 6 | ||||
7 | If the command does not return a line, or the line is commented out, this is a finding. | 7 | If the command does not return a line, or the line is commented out, this is a finding. |
f | 1 | Verify that RHEL 9 is configured to audit the execution of the "shutdown" command with the following command: | f | 1 | Verify that RHEL 9 is configured to audit the execution of the "shutdown" command with the following command: |
2 | 2 | ||||
3 | $ sudo auditctl -l | grep shutdown | 3 | $ sudo auditctl -l | grep shutdown | ||
4 | 4 | ||||
t | 5 | -a always,exit -F path=/usr/sbin/shutdown -F perm=x -F auid>=1000 -F auid!=unset -k privileged-shutdown | t | 5 | -a always,exit -F path=/usr/sbin/shutdown -F perm=x -F auid>=1000 -F auid!=unset -k privileged-shutdown |
6 | 6 | ||||
7 | If the command does not return a line, or the line is commented out, this is a finding. | 7 | If the command does not return a line, or the line is commented out, this is a finding. |
f | 1 | Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit information. | f | 1 | Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit information. |
2 | 2 | ||||
t | 3 | RHEL9 systems providing tools to interface with audit information will leverage user permissions and roles identifying the user accessing the tools, and the corresponding rights the user enjoys, to make access decisions regarding the access to audit tools. | t | 3 | RHEL 9 systems providing tools to interface with audit information will leverage user permissions and roles identifying the user accessing the tools, and the corresponding rights the user enjoys, to make access decisions regarding the access to audit tools. |
4 | 4 | ||||
5 | Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators. | 5 | Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators. |
f | 1 | Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit information. | f | 1 | Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit information. |
2 | 2 | ||||
t | 3 | RHEL9 systems providing tools to interface with audit information will leverage user permissions and roles identifying the user accessing the tools, and the corresponding rights the user enjoys, to make access decisions regarding the access to audit tools. | t | 3 | RHEL 9 systems providing tools to interface with audit information will leverage user permissions and roles identifying the user accessing the tools, and the corresponding rights the user enjoys, to make access decisions regarding the access to audit tools. |
4 | 4 | ||||
5 | Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators. | 5 | Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators. |
f | 1 | Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit information. | f | 1 | Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data. Therefore, protecting audit tools is necessary to prevent unauthorized operation on audit information. |
2 | 2 | ||||
t | 3 | RHEL9 systems providing tools to interface with audit information will leverage user permissions and roles identifying the user accessing the tools, and the corresponding rights the user enjoys, to make access decisions regarding the access to audit tools. | t | 3 | RHEL 9 systems providing tools to interface with audit information will leverage user permissions and roles identifying the user accessing the tools, and the corresponding rights the user enjoys, to make access decisions regarding the access to audit tools. |
4 | 4 | ||||
5 | Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators. | 5 | Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators. |
f | 1 | Configure RHEL 9 to audit the execution of the "execve" system call. | f | 1 | Configure RHEL 9 to audit the execution of the "execve" system call. |
2 | 2 | ||||
3 | Add or update the following file system rules to "/etc/audit/rules.d/audit.rules": | 3 | Add or update the following file system rules to "/etc/audit/rules.d/audit.rules": | ||
4 | 4 | ||||
5 | -a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k execpriv | 5 | -a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k execpriv | ||
6 | -a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k execpriv | 6 | -a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k execpriv | ||
7 | -a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k execpriv | 7 | -a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k execpriv | ||
8 | -a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k execpriv | 8 | -a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k execpriv | ||
9 | 9 | ||||
t | t | 10 | |||
10 | The audit daemon must be restarted for the changes to take effect. | 11 | The audit daemon must be restarted for the changes to take effect. |
f | 1 | Reinstall the crypto-policies package to remove any modifications. | f | 1 | Reinstall the crypto-policies package to remove any modifications. |
2 | 2 | ||||
3 | $ sudo dnf reinstall crypto-policies | 3 | $ sudo dnf reinstall crypto-policies | ||
4 | 4 | ||||
5 | Then ensure that FIPS mode is setup with the following command: | 5 | Then ensure that FIPS mode is setup with the following command: | ||
6 | 6 | ||||
7 | $ sudo fips-mode-setup --enable | 7 | $ sudo fips-mode-setup --enable | ||
8 | 8 | ||||
9 | The system must be rebooted for the changes to take effect. | 9 | The system must be rebooted for the changes to take effect. | ||
t | t | 10 | A reboot is required for the changes to take effect. |
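Review bot: added line 10, "A reboot is required for the changes to take effect", restates line 9, "The system must be rebooted for the changes to take effect"; keep one of the two.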
f | 1 | Verify the boot loader superuser account has been set with the following command: | f | 1 | Verify the boot loader superuser account has been set with the following command: |
2 | 2 | ||||
3 | $ sudo grep -A1 "superusers" /etc/grub2.cfg | 3 | $ sudo grep -A1 "superusers" /etc/grub2.cfg | ||
4 | 4 | ||||
n | 5 | set superusers="<superusers-account>" | n | 5 | set superusers="<superusers-account>" |
6 | export superusers | 6 | export superusers | ||
7 | 7 | ||||
t | 8 | The <superusers-account> is the actual account name different from common names like root, | t | 8 | The <superusers-account> is the actual account name different from common names like root, |
9 | admin, or administrator. | 9 | admin, or administrator. | ||
10 | 10 | ||||
11 | If superusers contains easily guessable usernames, this is a finding. | 11 | If superusers contains easily guessable usernames, this is a finding. |
f | 1 | Add or update the following lines to "/etc/aide.conf", to protect the integrity of the audit tools. | f | 1 | Add or update the following lines to "/etc/aide.conf", to protect the integrity of the audit tools. |
2 | 2 | ||||
3 | /usr/sbin/auditctl p+i+n+u+g+s+b+acl+xattrs+sha512 | 3 | /usr/sbin/auditctl p+i+n+u+g+s+b+acl+xattrs+sha512 | ||
4 | /usr/sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512 | 4 | /usr/sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512 | ||
5 | /usr/sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512 | 5 | /usr/sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512 | ||
6 | /usr/sbin/aureport p+i+n+u+g+s+b+acl+xattrs+sha512 | 6 | /usr/sbin/aureport p+i+n+u+g+s+b+acl+xattrs+sha512 | ||
7 | /usr/sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512 | 7 | /usr/sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512 | ||
8 | /usr/sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512 | 8 | /usr/sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512 | ||
9 | /usr/sbin/augenrules p+i+n+u+g+s+b+acl+xattrs+sha512 | 9 | /usr/sbin/augenrules p+i+n+u+g+s+b+acl+xattrs+sha512 | ||
t | 10 | t | |||
11 | |||||
12 |
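Review bot: lines 7 and 8 both list /usr/sbin/autrace, so either one audit tool is missing from the list or an entry was removed and its line left behind as a duplicate; delete the repeated entry or replace it with the intended binary. The three trailing empty rows (lines 10-12) add nothing and can go.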
n | 1 | Remove unauthorized local interactive user accounts with the following command where <unauthorized_user> is the unauthorized account: | n | 1 | Remove unauthorized local interactive user accounts with the following command where <unauthorized_user> is the unauthorized account: |
2 | 2 | ||||
t | 3 | $ sudo userdel <unauthorized_user> | t | 3 | $ sudo userdel <unauthorized_user> |
t | 1 | The RHEL 9 audit system must take appropriate action when the audit files have reached maximum size. | t | 1 | The RHEL 9 audit system must take appropriate action when the audit files have reached maximum size. |
f | 1 | Verify that interactive users on the system have a home directory assigned with the following command: | f | 1 | Verify that interactive users on the system have a home directory assigned with the following command: |
2 | 2 | ||||
t | 3 | $ sudo awk -F: '($3>=1000)&&($7 !~ /nologin/){print $1, $3, $6}' /etc/passwd | t | 3 | $ sudo awk -F: '($3>=1000)&&($7 !~ /nologin/){print $1, $3, $6}' /etc/passwd |
4 | 4 | ||||
5 | smithk:x:1000:1000:smithk:/home/smithk:/bin/bash | 5 | smithk:x:1000:1000:smithk:/home/smithk:/bin/bash | ||
6 | throckw:x:1001:1001:throckw:/home/throckw:/bin/bash | 6 | throckw:x:1001:1001:throckw:/home/throckw:/bin/bash | ||
7 | 7 | ||||
8 | Inspect the output and verify that all interactive users (normally users with a UID greater that 1000) have a home directory defined. | 8 | Inspect the output and verify that all interactive users (normally users with a UID greater that 1000) have a home directory defined. | ||
9 | 9 | ||||
10 | If users home directory is not defined, this is a finding. | 10 | If users home directory is not defined, this is a finding. |
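Review bot: the sample output on lines 5-6 does not match the command on line 3: `print $1, $3, $6` emits three space-separated fields (for example "smithk 1000 /home/smithk"), not full /etc/passwd lines. Line 8: "greater that 1000" should be "greater than", and the filter uses `$3>=1000` (inclusive) while the prose says "greater than"; align the two. Line 10: "If users home directory" should be "If a user's home directory".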
f | 1 | Create and assign home directories to all local interactive users on RHEL 9 that currently do not have a home directory assigned. | f | 1 | Create and assign home directories to all local interactive users on RHEL 9 that currently do not have a home directory assigned. |
t | t | 2 | Assign home directories to all local interactive users on RHEL 9 that currently do not have a home directory assigned. |
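Review bot: added line 2 restates line 1 with only the word "Create" dropped; the two sentences say the same thing, so keep line 1 alone.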
f | 1 | Verify that the administrators are notified in the event of an audit processing failure. | f | 1 | Verify that the administrators are notified in the event of an audit processing failure. |
2 | 2 | ||||
3 | Check that the "/etc/aliases" file has a defined value for "root". | 3 | Check that the "/etc/aliases" file has a defined value for "root". | ||
4 | 4 | ||||
5 | $ sudo grep "postmaster:\s*root$" /etc/aliases | 5 | $ sudo grep "postmaster:\s*root$" /etc/aliases | ||
6 | 6 | ||||
7 | If the command does not return a line, or the line is commented out, ask the system administrator to indicate how they and the ISSO are notified of an audit process failure. | 7 | If the command does not return a line, or the line is commented out, ask the system administrator to indicate how they and the ISSO are notified of an audit process failure. | ||
8 | If there is no evidence of the proper personnel being notified of an audit processing failure, this is a finding. | 8 | If there is no evidence of the proper personnel being notified of an audit processing failure, this is a finding. | ||
t | 9 | t |
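Review bot: line 3 says the check is that "/etc/aliases" has a defined value for "root", but the grep on line 5 matches `postmaster:\s*root$`, i.e. that postmaster is aliased to root. That shows nothing about where root's own mail is delivered, which is what actually reaches an administrator. Either reword line 3 to describe the postmaster alias, or grep for the root alias line (a `^root:` pattern) and state what recipient is expected.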
t | 1 | Inspect the firewall configuration and running services to verify it is configured to prohibit or restrict the use of functions, ports, protocols, and/or services that are unnecessary or prohibited. | t | 1 | Inspect the firewall configuration and running services to verify it is configured to prohibit or restrict the use of functions, ports, protocols, and/or services that are unnecessary or prohibited. |
2 | 2 | ||||
3 | Check which services are currently active with the following command: | 3 | Check which services are currently active with the following command: | ||
4 | 4 | ||||
5 | $ sudo firewall-cmd --list-all-zones | 5 | $ sudo firewall-cmd --list-all-zones | ||
6 | 6 | ||||
7 | custom (active) | 7 | custom (active) | ||
8 | target: DROP | 8 | target: DROP | ||
9 | icmp-block-inversion: no | 9 | icmp-block-inversion: no | ||
10 | interfaces: ens33 | 10 | interfaces: ens33 | ||
11 | sources: | 11 | sources: | ||
12 | services: dhcpv6-client dns http https ldaps rpc-bind ssh | 12 | services: dhcpv6-client dns http https ldaps rpc-bind ssh | ||
13 | ports: | 13 | ports: | ||
14 | masquerade: no | 14 | masquerade: no | ||
15 | forward-ports: | 15 | forward-ports: | ||
16 | icmp-blocks: | 16 | icmp-blocks: | ||
17 | rich rules: | 17 | rich rules: | ||
18 | 18 | ||||
19 | Ask the System Administrator for the site or program Ports, Protocols, and Services Management Component Local Service Assessment (PPSM CLSA). Verify the services allowed by the firewall match the PPSM CLSA. | 19 | Ask the System Administrator for the site or program Ports, Protocols, and Services Management Component Local Service Assessment (PPSM CLSA). Verify the services allowed by the firewall match the PPSM CLSA. | ||
20 | 20 | ||||
21 | If there are additional ports, protocols, or services that are not in the PPSM CLSA, or there are ports, protocols, or services that are prohibited by the PPSM Category Assurance List (CAL), this is a finding. | 21 | If there are additional ports, protocols, or services that are not in the PPSM CLSA, or there are ports, protocols, or services that are prohibited by the PPSM Category Assurance List (CAL), this is a finding. |
t | 1 | RHEL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/sudoers.d/. | t | 1 | RHEL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/sudoers.d/. |
f | 1 | Configure RHEL 9 to generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/sudoers.d/". | f | 1 | Configure RHEL 9 to generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/sudoers.d/". |
2 | Add or update the following file system rule to "/etc/audit/rules.d/audit.rules": | 2 | Add or update the following file system rule to "/etc/audit/rules.d/audit.rules": | ||
3 | -w /etc/sudoers.d/ -p wa -k identity | 3 | -w /etc/sudoers.d/ -p wa -k identity | ||
t | t | 4 | |||
4 | The audit daemon must be restarted for the changes to take effect. | 5 | The audit daemon must be restarted for the changes to take effect. |
f | 1 | Verify RHEL 9 generates audit records for the execution of the "mount" command with the following command: | f | 1 | Verify RHEL 9 generates audit records for the execution of the "mount" command with the following command: |
2 | 2 | ||||
3 | $ sudo auditctl -l | grep /usr/bin/mount | 3 | $ sudo auditctl -l | grep /usr/bin/mount | ||
4 | 4 | ||||
t | 5 | -a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -k privileged-mount | t | 5 | -a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -k privileged-mount |
6 | 6 | ||||
7 | If the command does not return a line, or the line is commented out, this is a finding. | 7 | If the command does not return a line, or the line is commented out, this is a finding. |
f | 1 | Verify the certificate of the user or group is mapped to the corresponding user or group in the "sssd.conf" file with the following command: | f | 1 | Verify the certificate of the user or group is mapped to the corresponding user or group in the "sssd.conf" file with the following command: |
2 | 2 | ||||
3 | $ sudo cat /etc/sssd/sssd.conf | 3 | $ sudo cat /etc/sssd/sssd.conf | ||
4 | 4 | ||||
5 | [certmap/testing.test/rule_name] | 5 | [certmap/testing.test/rule_name] | ||
t | 6 | matchrule =<SAN>.*EDIPI@mil | t | 6 | matchrule =<SAN>.*EDIPI@mil |
7 | maprule = (userCertificate;binary={cert!bin}) | 7 | maprule = (userCertificate;binary={cert!bin}) | ||
8 | domains = testing.test | 8 | domains = testing.test | ||
9 | 9 | ||||
10 | If the certmap section does not exist, ask the System Administrator to indicate how certificates are mapped to accounts. If there is no evidence of certificate mapping, this is a finding. | 10 | If the certmap section does not exist, ask the System Administrator to indicate how certificates are mapped to accounts. If there is no evidence of certificate mapping, this is a finding. |
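Review bot: style on line 6: `matchrule =<SAN>.*EDIPI@mil` has no space after "=", while lines 7-8 use " = "; make the spacing consistent so the sample can be copied as-is.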
f | 1 | Verify that system-wide crypto policies are in effect: | f | 1 | Verify that system-wide crypto policies are in effect: |
2 | 2 | ||||
3 | $ sudo grep Include /etc/ssh/ssh_config /etc/ssh/ssh_config.d/* | 3 | $ sudo grep Include /etc/ssh/ssh_config /etc/ssh/ssh_config.d/* | ||
4 | /etc/ssh/ssh_config:Include /etc/ssh/ssh_config.d/*.conf | 4 | /etc/ssh/ssh_config:Include /etc/ssh/ssh_config.d/*.conf | ||
5 | /etc/ssh/ssh_config.d/50-redhat.conf: Include /etc/crypto-policies/back-ends/openssh.config | 5 | /etc/ssh/ssh_config.d/50-redhat.conf: Include /etc/crypto-policies/back-ends/openssh.config | ||
6 | 6 | ||||
7 | If "Include /etc/crypto-policies/back-ends/openssh.config" or "Include /etc/ssh/ssh_config.d/*.conf" are not included in the system ssh client config or the file "/etc/ssh/ssh_config.d/50-redhat.conf" is missing, this is a finding. | 7 | If "Include /etc/crypto-policies/back-ends/openssh.config" or "Include /etc/ssh/ssh_config.d/*.conf" are not included in the system ssh client config or the file "/etc/ssh/ssh_config.d/50-redhat.conf" is missing, this is a finding. | ||
t | 8 | t |
f | 1 | Configure the RHEL 9 SSH daemon to use system-wide crypto policies by running the following commands: | f | 1 | Configure the RHEL 9 SSH daemon to use system-wide crypto policies by running the following commands: |
2 | 2 | ||||
3 | $ sudo dnf reinstall openssh-clients | 3 | $ sudo dnf reinstall openssh-clients | ||
t | t | 4 | |||
5 | A reboot is required for the changes to take effect. |
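Review bot: line 1 says "Configure the RHEL 9 SSH daemon" and "the following commands", but the single command on line 3 reinstalls openssh-clients, and the paired check just above inspects /etc/ssh/ssh_config, the client configuration. Change "SSH daemon" to "SSH client" and "commands" to "command". The added reboot note on line 5 should also be justified, since the fix only restores a client configuration file.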
t | 1 | RHEL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/sudoers. | t | 1 | RHEL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/sudoers. |
f | 1 | Configure RHEL 9 to generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/sudoers". | f | 1 | Configure RHEL 9 to generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/sudoers". |
2 | Add or update the following file system rule to "/etc/audit/rules.d/audit.rules": | 2 | Add or update the following file system rule to "/etc/audit/rules.d/audit.rules": | ||
3 | -w /etc/sudoers -p wa -k identity | 3 | -w /etc/sudoers -p wa -k identity | ||
t | t | 4 | |||
4 | The audit daemon must be restarted for the changes to take effect. | 5 | The audit daemon must be restarted for the changes to take effect. |
f | 1 | Verify that the default umask for all local interactive users is "077". | f | 1 | Verify that the default umask for all local interactive users is "077". |
2 | 2 | ||||
3 | Identify the locations of all local interactive user home directories by looking at the "/etc/passwd" file. | 3 | Identify the locations of all local interactive user home directories by looking at the "/etc/passwd" file. | ||
4 | 4 | ||||
5 | Check all local interactive user initialization files for interactive users with the following command: | 5 | Check all local interactive user initialization files for interactive users with the following command: | ||
6 | 6 | ||||
7 | Note: The example is for a system that is configured to create users home directories in the "/home" directory. | 7 | Note: The example is for a system that is configured to create users home directories in the "/home" directory. | ||
8 | 8 | ||||
t | 9 | # grep -ri umask /home/ | t | 9 | $ sudo grep -ir ^umask --exclude=.bash_history /home |
10 | 10 | ||||
11 | /home/smithj/.bash_history:grep -i umask /etc/bashrc /etc/csh.cshrc /etc/profile | 11 | /home/smithj/.bash_history:grep -i umask /etc/bashrc /etc/csh.cshrc /etc/profile | ||
12 | /home/smithj/.bash_history:grep -i umask /etc/login.defs | 12 | /home/smithj/.bash_history:grep -i umask /etc/login.defs | ||
13 | 13 | ||||
14 | If any local interactive user initialization files are found to have a umask statement that sets a value less restrictive than "077", this is a finding. | 14 | If any local interactive user initialization files are found to have a umask statement that sets a value less restrictive than "077", this is a finding. |
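Review bot: the command on line 9 was changed to `grep -ir ^umask --exclude=.bash_history /home`, but the sample output on lines 11-12 still shows .bash_history lines, which the new command excludes and which would not match the `^umask` anchor in any case. Replace the sample with lines the new command can produce, for example `/home/smithj/.bashrc:umask 077`. Note also that `^umask` misses an indented umask statement; a pattern such as `'^\s*umask'` catches those.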
f | 1 | Passwords need to be protected at all times, and encryption is the standard | f | 1 | Passwords need to be protected at all times, and encryption is the standard |
2 | method for protecting passwords. If passwords are not encrypted, they can | 2 | method for protecting passwords. If passwords are not encrypted, they can | ||
3 | be plainly read (i.e., clear text) and easily compromised. Passwords that | 3 | be plainly read (i.e., clear text) and easily compromised. Passwords that | ||
4 | are encrypted with a weak algorithm are no more protected than if they are | 4 | are encrypted with a weak algorithm are no more protected than if they are | ||
5 | kepy in plain text. | 5 | kepy in plain text. | ||
6 | 6 | ||||
7 | 7 | ||||
8 | 8 | ||||
9 | This setting ensures user and group account administration utilities are | 9 | This setting ensures user and group account administration utilities are | ||
10 | configured to store only encrypted representations of passwords. | 10 | configured to store only encrypted representations of passwords. | ||
11 | Additionally, the "crypt_style" configuration option ensures the use | 11 | Additionally, the "crypt_style" configuration option ensures the use | ||
12 | of a strong hashing algorithm that makes password cracking attacks more | 12 | of a strong hashing algorithm that makes password cracking attacks more | ||
13 | difficult. | 13 | difficult. | ||
t | 14 | t |
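Review bot: typo on line 5, "kepy" should be "kept", and lines 6-8 are three consecutive blank lines where a single paragraph break would do. Since this hunk already trims the trailing blank at line 14, fix both here.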
t | 1 | It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notification, the security personnel may be unaware of an impending failure of the audit capability, and system operation may be adversely affected. | t | 1 | It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notification, the security personnel may be unaware of an impending failure of the audit capability, and system operation may be adversely affected. |
2 | 2 | ||||
3 | Audit processing failures include software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. | 3 | Audit processing failures include software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. | ||
4 | 4 | ||||
5 | This requirement applies to each audit data storage repository (i.e., distinct information system component where audit records are stored), the centralized audit storage capacity of organizations (i.e., all audit data storage repositories combined), or both. | 5 | This requirement applies to each audit data storage repository (i.e., distinct information system component where audit records are stored), the centralized audit storage capacity of organizations (i.e., all audit data storage repositories combined), or both. |
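Review bot: line 1 of this block is marked as changed, but the old and new text read identically, so the difference must be whitespace-only (for example trailing spaces or a line ending); confirm that this is intentional rather than an accidental edit, since a whitespace-only change to unchanged rule text adds review noise without improving the discussion text.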
t | 1 | The RHEL9 audit service must be enabled. | t | 1 | The RHEL 9 audit service must be enabled. |
t | 1 | The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. | t | 1 | The "nodev" mount option causes the system to not interpret character or block special devices. Executing character or block special devices from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. |
f | 1 | Verify that RHEL 9 has the aide package installed with the following command: | f | 1 | Verify that RHEL 9 has the aide package installed with the following command: |
2 | 2 | ||||
t | 3 | $sudo dnf list --installed aide | t | 3 | $ sudo dnf list --installed aide |
4 | 4 | ||||
5 | aide.x86_64 0.16.100.el9 | 5 | aide.x86_64 0.16.100.el9 | ||
6 | 6 | ||||
7 | If the "aide" package is not installed, this is a finding. | 7 | If the "aide" package is not installed, this is a finding. |
